In the Queens development cycle, openstack_auth code was merged
into the horizon repository.
blueprint merge-openstack-auth
Change-Id: I74b10a90fe79fc768cfb8de6f68d3cd2f4938e51
Current hacking check actually does not check attribute-level
imports. We can safely drop import_exceptions from tox.ini.
Also drops noqa to guard import exceptions for the same reason.
Change-Id: I4e37931a7bfb0aa7867d027125ffcf66e414cf08
On clouds that use domain-specific Identity configuration[1], a user
must provide both their username and domain in order to log into
horizon. Without this patch, users must be aware of their domain's name
and enter it into a text box at login. This is sensible on public
clouds, because supplying potential domains to an unauthenticated user
exposes too much information about other customers and makes potential
attacks easier. On private clouds, however, it is a hindrance to
usability. For example, when migrating from a single-domain
configuration to a multi-domain configuration, users must now guess or
be informed of their domain in order to enter it in the text box. As
another example, when keystone domains are mapped to Active Directory
domains, the user may not be used to having to know their AD domains and
would prefer to select a likely one based on their geographical location
or department from a dropdown menu.
This patch adds support for a new config option,
"OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN" for enabling a dropdown menu
instead of a textbox when MULTIDOMAIN_SUPPORT is enabled. The dropdown
is disabled by default. If enabled, choices for domains to display and
submit are configured in "OPENSTACK_KEYSTONE_DOMAIN_CHOICES". It is not
possible to dynamically generate a list of domains before the user has
authenticated and this would be a huge security hole if this was
possible. Requiring the admin to statically set the domain list allows
them to hide private domains like the service users domain.
[1] https://docs.openstack.org/developer/keystone/configuration.html#domain-specific-drivers
Change-Id: Ie0a7e36b9975342fab81ddebb87880608d3ef187
Needed-By: I71d64182524d1f54745d9e42347b3a605fa2a920
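Added example, not code from the openstack_auth patch: the setting names OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN and OPENSTACK_KEYSTONE_DOMAIN_CHOICES are the ones the commit message introduces, but the (value, label) shape of the choices, the OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT and OPENSTACK_KEYSTONE_DEFAULT_DOMAIN names, and every domain name below are assumptions made for illustration. It shows the three login-form behaviours the commit describes (hidden domain, free-text domain, admin-curated dropdown), the server-side check that accepts only configured values when the dropdown is on, and a deployment check that the static list does not name a domain the operator wanted to keep private, such as the service users domain.

```python
# Added example (not code from the openstack_auth patch). The setting names
# OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN and OPENSTACK_KEYSTONE_DOMAIN_CHOICES are
# the ones the commit introduces; the (value, label) shape of the choices, the
# OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT and OPENSTACK_KEYSTONE_DEFAULT_DOMAIN
# names, and every domain name below are assumptions made for illustration.

DEFAULT_SETTINGS = {
    "OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT": False,
    "OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN": False,   # off by default, as in the patch
    "OPENSTACK_KEYSTONE_DOMAIN_CHOICES": (),
    "OPENSTACK_KEYSTONE_DEFAULT_DOMAIN": "Default",
}

# Constructed private-cloud configuration: three user-facing domains are
# offered; the 'service' domain holds service users and is deliberately absent.
PRIVATE_CLOUD_SETTINGS = {
    "OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT": True,
    "OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN": True,
    "OPENSTACK_KEYSTONE_DOMAIN_CHOICES": (
        ("Default", "Default"),
        ("emea.corp.example", "Europe"),
        ("apac.corp.example", "Asia-Pacific"),
    ),
}


def domain_widget(settings):
    """Decide how the login form asks for the user's domain.

    Returns (widget, choices). widget is 'hidden' when multi-domain support is
    off (the default domain is used), 'text' when the user must type the domain
    name, or 'select' when the admin-curated dropdown is enabled.
    """
    cfg = dict(DEFAULT_SETTINGS, **settings)
    if not cfg["OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT"]:
        return "hidden", ()
    if cfg["OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN"]:
        return "select", tuple(cfg["OPENSTACK_KEYSTONE_DOMAIN_CHOICES"])
    return "text", ()


def resolve_domain(settings, submitted):
    """Server-side counterpart of the widget: turn the POSTed value into the
    user_domain_name that will be sent to Keystone.

    With the dropdown enabled only values from the static list are accepted,
    so a hand-crafted POST cannot make the form behave differently from what
    the page offered. This keeps the set of domains handled for unauthenticated
    users identical to what the operator configured; it is not an access
    control, since Keystone itself still decides who may authenticate where.
    """
    cfg = dict(DEFAULT_SETTINGS, **settings)
    widget, choices = domain_widget(cfg)
    if widget == "hidden":
        return cfg["OPENSTACK_KEYSTONE_DEFAULT_DOMAIN"]
    value = (submitted or "").strip()
    if widget == "text":
        if not value:
            raise ValueError("domain name is required")
        return value
    allowed = {choice_value for choice_value, _label in choices}
    if value not in allowed:
        raise ValueError("domain is not one of the configured choices")
    return value


def exposed_private_domains(settings, private_domains):
    """Deployment check: return configured dropdown values that name a domain
    the operator meant to keep private (e.g. the service users domain)."""
    _widget, choices = domain_widget(settings)
    private = set(private_domains)
    return sorted(value for value, _label in choices if value in private)
```

Run exposed_private_domains() against the deployment settings before enabling the dropdown; a non-empty result means the login page would advertise a domain the static list was supposed to hide.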
When a federated user logs in, openstack_auth receives an unscoped
token and no user_domain_name parameter. Currently, if the federated
user has a role in one or more domains, but no roles in any projects,
openstack_auth prevents authorization and denies the user's login with
the error "You are not authorized for any projects or domains." This is
a problem because first, it's inaccurate, as the user is authorized for
at least one domain, and second, a keystone administrator may want to
give federated users access to a domain without any projects in it, for
example to delegate the creation of projects to the federated users
themselves. This patch allows federated users without project roles to
log in by looking up domains as well as projects when attempting to
scope the token. This lookup is skipped if the domain was passed as
part of the request.
This patch also slightly restructures the OpenStackAuthTestsWebSSO
and OpenStackAuthTestsV3 tests because mox needs to simulate only one instance
of the plugin but two instances of the client objects for every call to
authenticate().
Closes-bug: #1649101
Change-Id: I151218ff28c0728898ed5315d63dd8122ce3b166
Previously, the get_domain_scoped_auth plugin method caught any
exceptions found while trying to scope a token and logged the error
without addressing it. This was hiding an error that was occurring in
the unit tests, which was that some of the plugin calls were not being
mocked properly. This patch narrows down the exception handling to the
same exceptions handled in the project scoping case and adds the
necessary mocks to the tests.
Change-Id: I80a085ca731391b3f54a5ef999c92ab8ba3e69a0
This adds auth functionality to the Auth Drop down.
A new K2K django auth plugin has been added (With the intent
to do K2K at Login Time). Session variables have been
added so horizon can display the names of the Keystone Providers.
An endpoint was also added that allows the user to
switch keystone providers.
Change-Id: I75b1a10a3b40b5544b60f6fdc060e0070c585977
Implements: blueprint k2k-horizon
Discovering REMOTE_IP using header variables and displaying it in the console
log.
The messages will be:
"Login successful for user "%(username)s", remote address %(remote_ip)s."
and
"Login failed for user "%(username)s", remote address %(remote_ip)s."
This patch was tested behind haproxy and nginx reverse proxy.
To set the variable you want to use, specify it with the
SECURE_PROXY_ADDR_HEADER setting. Without this setting the remote IP
will use the REMOTE_ADDR header variable.
Change-Id: I977be6cb1d029048b9862cac4b6596fc2e2b3431
Closes-Bug: #1461266
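Added example, not the patch's own code: it reproduces the selection logic the commit describes (use the header named by SECURE_PROXY_ADDR_HEADER, otherwise REMOTE_ADDR) and the two log message formats, over constructed request metadata in the shape of Django's request.META. It goes one step beyond the commit with an optional trusted-proxy list, since any client can send an X-Forwarded-For header of its own and the value is only meaningful when the connection actually arrived through the reverse proxy that overwrites or appends to it; the header name, the addresses and the trusted networks are all assumptions.

```python
import ipaddress

# Constructed request metadata (shape of Django's request.META); the addresses
# are documentation-range examples, not captured traffic.
DIRECT_REQUEST = {"REMOTE_ADDR": "203.0.113.10"}
PROXIED_REQUEST = {
    "REMOTE_ADDR": "10.0.0.5",                          # the haproxy/nginx host
    "HTTP_X_FORWARDED_FOR": "127.0.0.1, 203.0.113.10",  # proxy appended the real client
}
SPOOFED_REQUEST = {
    "REMOTE_ADDR": "198.51.100.7",        # client reaching horizon directly
    "HTTP_X_FORWARDED_FOR": "127.0.0.1",  # header the client set itself
}


def _is_trusted(addr, trusted_proxies):
    """True when addr falls inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(net) for net in trusted_proxies)


def get_remote_ip(meta, secure_proxy_addr_header=None, trusted_proxies=()):
    """Return the client address to put in the login log line.

    secure_proxy_addr_header mirrors the SECURE_PROXY_ADDR_HEADER setting:
    when unset, REMOTE_ADDR is used. When set, the named header is honoured,
    but (added hardening, not in the commit) only if trusted_proxies is empty
    or REMOTE_ADDR is one of the trusted proxies; otherwise the header is
    client-controlled and is ignored.
    """
    remote_addr = meta.get("REMOTE_ADDR", "")
    if not secure_proxy_addr_header:
        return remote_addr
    if trusted_proxies and not _is_trusted(remote_addr, trusted_proxies):
        return remote_addr
    forwarded = meta.get(secure_proxy_addr_header, "")
    if not forwarded:
        return remote_addr
    # X-Forwarded-For is a comma-separated chain; a proxy appends the address
    # it accepted the connection from, so the rightmost entry is the one the
    # trusted proxy wrote and the only one it vouches for.
    candidate = forwarded.split(",")[-1].strip()
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return remote_addr
    return candidate


def login_message(username, meta, success, **ip_options):
    """Format the log line the commit adds, for a successful or failed login."""
    outcome = "successful" if success else "failed"
    remote_ip = get_remote_ip(meta, **ip_options)
    return 'Login %s for user "%s", remote address %s.' % (outcome, username, remote_ip)
```

The SPOOFED_REQUEST case is the one to keep in mind when enabling the setting: without a trusted-proxy check, a client that reaches horizon without going through the proxy can put any address it likes into the audit log.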
Keystone is changing the nature of tokens, timeouts, and long-running
tasks. In addition, horizon can also cause issues where
a user starts a long-running task, logs out, and then the token
fails authentication. Just removing this problematic logic.
https://blueprints.launchpad.net/keystone/+spec/session-extendable-tokens
Closes-Bug: #1637460
Change-Id: I5eda08e95d8df72ba601181f02a72de37c5393fd
This makes sense because usually only the caller of
fix_auth_url_version() has enough context to decide what warning
message should be emitted (where did the wrong url come from? service
catalog or openstack_dashboard/settings.py?). This also will help to
reduce the number of redundant warnings, emitting them only when a user
logs in or a value from the service catalog was fixed.
The necessity of this change became obvious after discussion in
https://review.openstack.org/#/c/323786 comments.
Also a small refactoring was made to fix_auth_url_version() (which
previously was edited in haste) - to reuse existing helper functions,
this makes the code a bit cleaner.
Needed-By: I6c6a35b1c460e22dadf39634fce1bdfa257b8c63
Change-Id: I3a04d838a707465c8c6e81e0e6e2fcf918b7b059
There was a false assumption within the utils.fix_auth_url_version()
routine that everything that goes after the hostname:port part of the Keystone
auth_url could only be a version suffix. Once the '/identity' webpath was
enabled in the Keystone Apache configuration in Devstack by default, the
falsehood was exposed and broke all integration tests. This is fixed.
While debugging fix_auth_url_version() I noticed another side-effect
of the fix: Horizon no longer needs to specify version suffix inside
OPENSTACK_KEYSTONE_URL setting, the fixed function works perfectly
without it. This will be mentioned in release notes for the dependent
Horizon patch.
Partial-Bug: #1585682
Needed-By: Icebfc291ec2b06ed84934c75cfd8c9d91cb2a895
Change-Id: Iea9b8e8378e6c5fb4c60df0073968d8caf7fbc5e
With python 3, hasher.update() must be called with byte encoding.
Hashing without encoding first in python 3 results in this error:
TypeError: Unicode-objects must be encoded before hashing
Using byte encoding also works with python 2.7, so convert tokens
to bytes before hashing regardless of python version.
Change-Id: I837566c669565ed8c11dacbefc273dae3ff580bb
Closes-Bug: #1552443
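Added example, not the patch's own code: a token-hashing helper that encodes str input before handing it to hashlib, which is what the commit describes (on Python 3 a str raises the TypeError quoted above, and encoding first is harmless for bytes). The choice of SHA-256 and the constant-time comparison helper are additions for illustration; the original change only concerns the encoding step.

```python
import hashlib
import hmac


def hash_token(token, algorithm="sha256"):
    """Return the hex digest of a Keystone token.

    hashlib hashers only accept bytes. On Python 3, passing a str raises
    'TypeError: Unicode-objects must be encoded before hashing', so the
    token is encoded unconditionally; bytes input is used as-is. The
    algorithm is an assumption for this example.
    """
    if isinstance(token, str):
        token = token.encode("utf-8")
    elif isinstance(token, bytearray):
        token = bytes(token)
    elif not isinstance(token, bytes):
        raise TypeError("token must be str or bytes, got %s" % type(token).__name__)
    return hashlib.new(algorithm, token).hexdigest()


def token_digests_match(a, b):
    """Compare two tokens via their digests in constant time, so a comparison
    of a stored digest against a presented token does not leak through timing."""
    return hmac.compare_digest(hash_token(a), hash_token(b))
```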
There are certain cases where the user.Token constructor is called with
the default unscoped_token value of None. When this happens using
PKI, an unexpected error occurs. If the token is None, we know it's
not pki and should not make an extra call to the Keystone client to
check.
A test is provided to demonstrate the issue, and the test fails
without the included code change.
Change-Id: Ie8e93eda4cf8e8285785335126624781470be19c
Closes-Bug: #1551977
Change Ieff5a6cdd1ad352a9731d46785802e8c36adcdd1 introduced an
incomplete fix when trying to fix the auth_url.
Given the case that an auth url already has a version included, an extra
version was added. This leads to messages in the keystone.log that
horizon is trying to authenticate with "POST /v3/v3/auth/tokens
HTTP/1.1".
Use urlparse correctly and also add a testcase for fix_auth_url_version().
Change-Id: I80fb310d95e8fdab1212fc5b092a37fd7b26a37a
Closes-Bug: 1508421
Admin roles and admin permissions (like 'openstack.roles.xxxx')
depend on OPENSTACK_KEYSTONE_ADMIN_ROLES.
This information is needed by openstack_auth and Horizon at least
as common information.
So, this patch provides these methods as convenience methods in
openstack_auth.
Change-Id: Idad1860684b1e772fc31f16fc8c0263e49fc3919
Closes-Bug: #1536896
- Wrap the expected_url variable in a django 1.9 condition so that it
returns as expected.
- Use request.GET/request.POST instead of request.REQUEST
- Remove some conditional code required for old Django versions
This is the first step in getting Horizon to fully support Django 1.9.
It does *not* yet aim to offer full support, which is why the
requirements have not been bumped.
Change-Id: I7f8f3cde92cafdb5c9134baf75fc736cbf35ff6a
Partially-Implements: blueprint drop-dj17
Depends-On: Ia6cbbc281732e9c466edeaa76739122e006a997e
When using WebSSO, if the Keystone server has "auth" in
the hostname, the existing regular expression below is
problematic which causes a failed replacement.
Change-Id: I564d9af4be837f83f5ef1f8b00b794befafeeb7b
Closes-Bug: #1532032
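Added example serving the three auth_url commits above (the '/identity' webpath, the doubled '/v3/v3' suffix, and the WebSSO failure when the hostname contains "auth"); it is not the project's fix_auth_url_version() and only illustrates the approach. The point common to all three bugs is to parse the URL and edit the path component alone: the version segment is recognised only as the last path segment, a webpath prefix in front of it is kept, and the scheme and host are reassembled untouched, so a hostname like auth.example.com can never match. The websso_url() helper assumes Keystone's /v3/auth/OS-FEDERATION/websso/{protocol} route and an origin query parameter; the hostnames and protocol are constructed.

```python
import re
from urllib.parse import urlencode, urlsplit, urlunsplit

# A Keystone API version path segment: 'v3', 'v2.0', ...
_VERSION_SEGMENT = re.compile(r"^v\d+(?:\.\d+)?$")


def fix_auth_url_version(auth_url, version="v3"):
    """Return auth_url with exactly one version segment at the end of its path.

    Only the path is edited. A bare host gets '/v3' appended, a webpath such
    as '/identity' is preserved in front of the version, an existing version
    segment (including a v2.0 one) is replaced rather than appended to, and
    the scheme and netloc are passed through unchanged.
    """
    parts = urlsplit(auth_url)
    segments = [s for s in parts.path.split("/") if s]
    # Replace an existing version suffix instead of adding a second one,
    # which would make Keystone see requests to /v3/v3/auth/tokens.
    if segments and _VERSION_SEGMENT.match(segments[-1]):
        segments.pop()
    segments.append(version)
    path = "/" + "/".join(segments)
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, parts.fragment))


def has_version_suffix(auth_url):
    """True if the last path segment of auth_url is already an API version."""
    segments = [s for s in urlsplit(auth_url).path.split("/") if s]
    return bool(segments) and _VERSION_SEGMENT.match(segments[-1]) is not None


def websso_url(auth_url, protocol, origin):
    """Build the Keystone WebSSO entry point for a federation protocol.

    Assumes Keystone's /v3/auth/OS-FEDERATION/websso/{protocol} route with an
    'origin' query parameter. Because the path is appended to the parsed path
    rather than substituted into the whole string, an 'auth' in the hostname
    (auth.example.com) is left alone.
    """
    parts = urlsplit(fix_auth_url_version(auth_url))
    path = parts.path.rstrip("/") + "/auth/OS-FEDERATION/websso/" + protocol
    query = urlencode({"origin": origin})
    return urlunsplit((parts.scheme, parts.netloc, path, query, ""))
```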
With the keystoneauth release, the authentication library
should move from keystoneclient to keystoneauth.
Co-Authored-By: Diego Adolfo <diegoado@gmail.com>
Change-Id: If880022f447255e7d943915087e229778cc6acf8
Implements: blueprint keystoneauth-update
This allows Domain Admin to also have a role on a Project(s).
Supersedes: 196068
Partially Implements: blueprint domain-scoped-tokens
Change-Id: Ia81e15a465117acf173c6459cec92838c825c460
In order to perform identity operations in keystone v3 when the v3
policy file is used, a domain scoped token is required. Adding the
domain scoped token to the session as it remains valid until the user
logs out.
The domain scoped token is sizeable, so a check is made to ensure the
session backend used is not signed cookies, as this would overflow
the cookie.
Additionally, errors around getting and storing the domain scoped
token are logged, but do not block authentication, as they only block
identity operations.
A call to delete the domain token is made on logout.
The case of a user with a domain role but no project roles
is now supported as well. That is, a user can log in with only scoping
to a domain. This allows domain admins to be able to configure identity
without requiring a project role.
Implements: blueprint domain-scoped-tokens
Change-Id: I0ed1737cdd80dc143f1df94700e311351d5d3b24
The caching is done only per process, so the cleanup during logout
does not really work, since the logout could be handled by another
process. So the cache will just keep on growing.
This reverts commit bd9fd598e6.
Depends-On: I793fbee44eb5f9befc316efe6716971b0e32172b
Change-Id: If878d77533ea5fac86fbb73127f26908f1097091
Closes-Bug: #1451943
* Replace unicode() with six.text_type
* Replace basestring with six.string_types
* Add unit tests for User.has_perms()
This change is required to port Horizon to Python 3.
Partial-Implements: blueprint porting-python3
Change-Id: I028a37d51ba1eda69336d4c81a47606f7c66f83f
When authenticating a user in v3, always request
an unscoped token. Otherwise it would automatically
default to the default project.
Change-Id: I9e1d9129e2fb35933c803096fca9f1236affc27f
Closes-Bug: #1474893
To enable websso, make sure you have your environment configured.
Then add following to Horizon settings:
WEBSSO_ENABLED=True
Also make sure your KEYSTONE is version 3+
Depends on:
https://review.openstack.org/#/c/136177/
https://review.openstack.org/#/c/151842/
Co-Authored-By: Thai Tran <tqtran@us.ibm.com>
Co-Authored-By: Jose Castro Leon <jose.castro.leon@cern.ch>
Co-Authored-By: Marek Denis <marek.denis@cern.ch>
Co-Authored-By: Lin Hua Cheng <os.lcheng@gmail.com>
implements bp federated-identity
Change-Id: Ief74bece750ffe633d4323238cad89bad61496ed
Address the comments made in the original authentication plugins patch.
* Add some additional logging to the standard username and password
plugin.
* Change the login error message to reflect additional authentication
mechanisms.
* Log a warning if no suitable authentication plugin is found. Given
the way horizon relies solely upon DOA the only real way this should
happen is a configuration error.
Change-Id: Ib827f26da793ef2e43b8f5a0f194293f442b3341
In order to eventually consolidate the two ways of checking
authorization, moving the policy engine into
this repo. This move requires adding code from oslo incubator.
Additionally, the tests have been added to this repo and slightly
altered to handle differences in the test setup facilities.
Example policy files have been added to the tests directory to
facilitate testing. The intention for application use is that
the django application will point to the runtime policy.json files
in the settings file.
Moving policy tests to use mock rather than mox as well.
Partially Implements: blueprint move-policy-engine
Change-Id: I9728dff4799c868dbc5da2b0042716467de1864b
Convert the existing DOA to using authentication plugins keeping as
close to the current code structure as possible.
This will allow us to add additional authentication plugins later and
to start changing horizon to use these plugins when talking to other
services rather than hacking tokens into the clients.
Change-Id: Idd9ad5044e998a6c514f6161f5159b44391a0849
Filter out the disabled projects from the list of projects that
authentication backend will attempt to scope to.
Tests have been updated; the backend no longer attempts to
scope to disabled projects.
Change-Id: I0fcdcd2ce72cd6580a2985d637c4bbabc60e4377
Closes-Bug: #1223079
Use the standard testscenarios library that we use throughout OpenStack
to do multiple similar test runs rather than use a custom metaclass
based mechanism.
Change-Id: Idcda852a7497a72b96aed75d344ea9c1154dfc48
This change will make the region and project "sticky" in that whatever is selected
will remain selected. When users select other projects or log in/log out, the region will
stay what the user last selected, and an attempt will be made to return users to the last used
project.
Change-Id: I8b38ab2cb8b616ad6976aa8167b8209926054df4
Closes-Bug: 1357047
Closes-Bug: 1389401
In order to sync global-requirements, this patch bumps
hacking to 0.9.x series.
H236, H305, H307 errors are fixed in this patch.
H307 and H904 are added to the ignore list.
Change-Id: I37c16ad67912dec8ce1562676ae0ebbfbe277d99
Pulls the common code for version-specific tests into a mixin
class, reducing code duplication significantly.
Change-Id: I4136b866700a74aa93e38363fdcb29fe6c5ed65c
The project list was fetched for each request. This patch caches the
project list and uses the token as the key in the cache. When
the user logs out or switches project, the project list is removed
from the cache.
Change-Id: I2386d7a342cf02a0252e97cc48c5349ccab8a9eb
Closes-bug: 1241838
H301 one import per line
H304 No relative imports
When checking imports the DJANGO_SETTINGS_MODULE environment variable needs to
be set. Add the following to tox.ini testenv:pep8.
setenv = DJANGO_SETTINGS_MODULE=openstack_auth.tests.settings
A part of blueprint openstack-hacking-compliant
Change-Id: I65a23c1e9a5d7a5852d448651254b6a3866f1dd3
Similar to when the domain root url is accessed, if the user is
already logged in do not show them the login page nor ask for their
credentials. This avoids users being misled into thinking they can
open multiple sessions in parallel, and is in line with how most web
applications handle this.
Change-Id: Ibd37b9c488d65cf54b156f23db4fa04f019d8092
Closes-Bug: #1308637