Commit Graph

56 Commits

Author SHA1 Message Date
Akihiro Motoki 2baea728dd Retire project
In Queens development cycle, openstack_auth code was merged
into the horizon repository.

blueprint merge-openstack-auth

Change-Id: I74b10a90fe79fc768cfb8de6f68d3cd2f4938e51
2017-12-23 03:22:21 +09:00
Jenkins acd690ae6c Merge "Allow for manual setting of default service region in config" 2017-07-20 11:48:37 +00:00
Rob Cresswell 601e1ad44c Fix Django 1.11 Compatibility
Implements: blueprint dj111
Change-Id: Idfaef58b2a069006f6d792e43041dd136097c413
Co-Authored-By: Adrian Turjak <adriant@catalyst.net.nz>
2017-07-18 12:30:37 +01:00
Timur Sufiev 3227365bc6 Allow for manual setting of default service region in config
In case DEFAULT_SERVICE_REGIONS setting in Horizon config is specified
(on a per-endpoint basis), use it instead of a value stored in
cookies. This value is still checked for sanity, i.e. it should be
present in Keystone service catalog.

Change-Id: Ia4787b56db7ce7787bd8aac21b5c0ec8a95a6f09
Related-Bug: #1506825
Closes-Bug: #1703390
2017-07-10 16:27:20 +02:00
Akihiro Motoki bc5f1df5a9 Cleanup doc warnings and enforce warning-is-error in sphinx
* doc/source/conf.py: html_static_path pointed to nonexisting dir
* Fix indent error in python codes
* Insert blank lines before starting code block
* Enable warning-is-error in setup.cfg to prevent future warnings
* 'all_files' should be 'all-files' in setup.cfg

Change-Id: I7c5bc31be9c95ec78f18f895014a03cb003d7e04
2017-03-24 23:05:56 +09:00
Elvin Tubillara f0c7f27af6 Add K2K Auth Dropdown
This adds auth functionality to the Auth Drop down.
A new K2K django auth plugin has been added (With the intent
to do K2K at Login Time). Session variables have been
added so horizon can display the names of the Keystone Providers.
An endpoint was also added that allows the user to
switch keystone providers.

Change-Id: I75b1a10a3b40b5544b60f6fdc060e0070c585977
Implements: blueprint k2k-horizon
2017-01-19 13:00:08 -07:00
Jenkins 32f7ad1bd8 Merge "Get remote address from client, behind proxy servers, to log on console." 2017-01-03 15:41:15 +00:00
Helber Maciel Guerra 96ca1097a5 Get remote address from client, behind proxy servers, to log on console.
Discovering REMOTE_IP using header variables and displaying it on the console
log.

The messages will be:
"Login successful for user "%(username)s", remote address %(remote_ip)s."
and
"Login failed for user "%(username)s", remote address %(remote_ip)s."

This patch was tested behind haproxy and nginx reverse proxy.

To set the header variable you want to use, specify it with the
SECURE_PROXY_ADDR_HEADER setting. Without this setting the remote IP
will use the REMOTE_ADDR header variable.

Change-Id: I977be6cb1d029048b9862cac4b6596fc2e2b3431
Closes-Bug: #1461266
2016-12-30 01:54:32 +00:00
eric 5810f9c6d9 Removing token revoke / delete calls
Keystone is changing the nature of tokens, timeouts, and long
running tasks. In addition, horizon can also cause issues where
a user starts a long running task, logs out, and then the token
fails authentication. Just removing this problematic logic.

https://blueprints.launchpad.net/keystone/+spec/session-extendable-tokens

Closes-Bug: #1637460
Change-Id: I5eda08e95d8df72ba601181f02a72de37c5393fd
2016-10-28 10:20:58 +00:00
jichenjc cec7a02170 Fix wrong warning about keystone version
The variable should be an array but we used a string, so it
led to an incorrect warning in the httpd log.

Change-Id: I7a233338306e51ba11f2d80acfc758700f6bddd2
Closes-Bug: 1621137
2016-09-06 20:02:58 +08:00
Jose Castro Leon a8c273f85b Not authorized when logout and creating instance
Add TOKEN_DELETE_DISABLED to the settings so we can customize
the revocation of tokens on user logout or switch. This solves an
issue when a user launches a long running operation and then logs off,
resulting in an error if the operation tries to validate the token.

Change-Id: Ic693c563e028081d87b6447b95ac94608da2dafb
Closes-Bug: 1599870
2016-07-12 09:03:47 +02:00
Timur Sufiev c40b265c3b Make fix_auth_url_version() delegate emitting the warning up the stack
This makes sense because usually only the caller of
fix_auth_url_version() has enough context to decide what warning
message should be emitted (where did the wrong url come from? service
catalog or openstack_dashboard/settings.py?). This also will help to
reduce the number of redundant warnings, emitting them only when user
logs in or a value from service catalog was fixed.

The necessity of this change became obvious after discussion in
https://review.openstack.org/#/c/323786 comments.

Also a small refactoring was made to fix_auth_url_version() (which
previously was edited in haste) - to reuse existing helper functions,
this makes the code a bit cleaner.

Needed-By: I6c6a35b1c460e22dadf39634fce1bdfa257b8c63
Change-Id: I3a04d838a707465c8c6e81e0e6e2fcf918b7b059
2016-06-16 20:46:49 +03:00
Timur Sufiev dd56c4e8bd Clarify the confusing warning in case of Keystone v2.0 vs v3 conflict
Since the function emitting the warning now can be used both for
processing of Keystone URL from Horizon settings and for fixing
URLs from service catalog, the old warning messages becomes confusing.
The patch makes things clear again.

Change-Id: Id70b50e01fc9c3d59d5e41684759b5c8bd8abee9
2016-05-27 09:57:15 +00:00
Timur Sufiev 405cb08207 Fix Keystone url version suffix when webpath is present
There was a false assumption within the utils.fix_auth_url_version()
routine that everything that goes after the hostname:port part of the Keystone
auth_url could only be a version suffix. Once the '/identity' webpath was
enabled in the Keystone Apache configuration in Devstack by default, the
falsehood was exposed and broke all integration tests. This is fixed.

While debugging fix_auth_url_version() I noticed another side-effect
of the fix: Horizon no longer needs to specify version suffix inside
OPENSTACK_KEYSTONE_URL setting, the fixed function works perfectly
without it. This will be mentioned in release notes for the dependent
Horizon patch.

Partial-Bug: #1585682
Needed-By: Icebfc291ec2b06ed84934c75cfd8c9d91cb2a895
Change-Id: Iea9b8e8378e6c5fb4c60df0073968d8caf7fbc5e
2016-05-26 21:41:48 +03:00
Thomas Bechtold e008112d0f Fix "Add API version to identity endpoint URLs"
Change Ieff5a6cdd1ad352a9731d46785802e8c36adcdd1 introduced an
incomplete fix when trying to fix the auth_url.
Given the case that an auth url already has a version included, an extra
version was added. This leads to messages in the keystone.log that
horizon is trying to authenticate with "POST /v3/v3/auth/tokens
HTTP/1.1".
Use urlparse correctly and also add a testcase for fix_auth_url_version().

Change-Id: I80fb310d95e8fdab1212fc5b092a37fd7b26a37a
Closes-Bug: 1508421
2016-02-05 22:58:55 +01:00
Kenji Ishii d779eb6fe3 Add convenient method to get admin roles and permissions
Admin roles and admin permissions (like 'openstack.roles.xxxx')
depend on OPENSTACK_KEYSTONE_ADMIN_ROLES.
This information is needed by openstack_auth and Horizon at least
as common information.
So, this patch provides these methods as convenient methods in
openstack_auth.

Change-Id: Idad1860684b1e772fc31f16fc8c0263e49fc3919
Closes-Bug: #1536896
2016-02-04 01:04:20 +00:00
Mohammed Naser 474c50356c Fix WebSSO when Keystone server hostname contains 'auth'
When using WebSSO, if the Keystone server has "auth" in
the hostname, the existing regular expression below is
problematic which causes a failed replacement.

Change-Id: I564d9af4be837f83f5ef1f8b00b794befafeeb7b
Closes-Bug: #1532032
2016-01-08 11:17:26 -05:00
Jenkins 4fe52d8303 Merge "Add API version to identity endpoint URLs" 2015-12-21 16:19:06 +00:00
David Lyle e7814b2b8e Fixing backward compatibility
The remove_project_cache method was removed because the underlying
functionality never really worked. Unfortunately, that method was
called directly from Horizon in the Liberty release. An empty
signature is being added back to fix backward compatibility.

Change-Id: I9ee475d94dee38e8a76b4aee371b962640f76f31
Closes-Bug: #1526572
2015-12-15 16:55:01 -07:00
Johannes Grassler 58ce9d7ede Add API version to identity endpoint URLs
This change adds the Keystone API version to the identity endpoint URL
retrieved from Keystone's endpoint list. This is necessary in Kilo and
later, since identity endpoint URLs retrieved from Keystone no longer
contain the API version path they used to contain until Juno. See
https://bugs.launchpad.net/horizon/+bug/1508421 for a detailed analysis
of the problem.

Change-Id: Ieff5a6cdd1ad352a9731d46785802e8c36adcdd1
Closes-Bug: 1508421
2015-12-14 10:30:51 +00:00
Jenkins 900a8db378 Merge "Move d-o-a auth library to keystoneauth" 2015-12-11 18:22:08 +00:00
Paulo Ewerton Gomes Fragoso 8f1e5675c4 Move d-o-a auth library to keystoneauth
With the keystoneauth release, the authentication library
should move from keystoneclient to keystoneauth.

Co-Authored-By: Diego Adolfo <diegoado@gmail.com>

Change-Id: If880022f447255e7d943915087e229778cc6acf8
Implements: blueprint keystoneauth-update
2015-12-09 13:46:45 +00:00
Jenkins 3715a5f445 Merge "Revert - Cache the User's Project by Token ID" 2015-12-09 13:41:13 +00:00
David Lyle 517de5f664 Add domain scoped token to session in multidomain
In order to perform identity operations in keystone v3 when the v3
policy file is used, a domain scoped token is required. Adding the
domain scoped token to the session as it remains valid until the user
logs out.

The domain scoped token is sizeable, so a check to make sure the
session backend used is not signed cookies, as this will overflow
the cookie.

Additionally, errors around getting and storing the domain scoped
token are logged, but don't block authentication, as they only block
identity operations.

A call to delete the domain token is made on logout.

The case of a user with a domain role but no project roles
is now supported as well. That is, a user can log in with only scoping
to a domain. This allows domain admins to be able to configure identity
without requiring a project role.

Implements: blueprint domain-scoped-tokens
Change-Id: I0ed1737cdd80dc143f1df94700e311351d5d3b24
2015-11-14 00:33:42 +00:00
lin-hua-cheng 91dec7239d Revert - Cache the User's Project by Token ID
The caching is done only per process, so the cleanup during logout
does not really work since it could be handled by another
process. So the cache will just keep on growing.

This reverts commit bd9fd598e6.

Depends-On: I793fbee44eb5f9befc316efe6716971b0e32172b
Change-Id: If878d77533ea5fac86fbb73127f26908f1097091
Closes-Bug: #1451943
2015-11-12 03:42:47 +00:00
lin-hua-cheng 463b2ff3a6 IDP specific websso
Allow handling websso requests per IDP.

Change-Id: Ie20e21eb95c2250e301165012eef5591243620e9
Implements: bp federation-idp-websso
2015-09-09 19:50:38 -07:00
David Lyle ab9678d4b4 Removing hack for python 2.6 support
Python 2.6 support was dropped with the last release, we
no longer need this code.

Change-Id: I2957864a9a4ae81c6cd2042f226140a5f7af5457
2015-08-25 11:17:35 -06:00
David Lyle 1524a22dcf Fixing docstring formatting for param
Currently, ''.. param:' is being used. The correct format for sphinx is
':param <name>:'

The current format raises errors when building the docs. This patch
corrects the formatting and eliminates the errors.

Closes-Bug: #1474972
Change-Id: I924f860dfe91c4c785d9c656825c31038072dd07
2015-07-15 12:08:26 -06:00
Adam Young 85b2aaea48 Prepend WEBROOT to redirect URL for WebSSO
Change-Id: Ib5c99e3b7b16bfb64b651d2129643d6f53fe7722
Closes-Bug: 1444244
2015-04-27 14:38:42 -07:00
lin-hua-cheng 7ec44e898b Updated parsing of catalog to handle bad format
Don't assume that the service catalog is well-formed; added code
to safely parse the catalog.

Parsing of region from service catalog has been fixed as well.
'region' has been deprecated in the Keystone V3 catalog in favor of
'region_id'. Fix how region is extracted by checking 'region_id' then
fallback to 'region'.

Change-Id: I7b649a8b90e20caa2d04fdd3f79b5b1ac775237c
Closes-Bug: #1424825
2015-04-07 13:24:27 -07:00
Thai Tran 302f422568 Add authentication using openID and SAML
To enable websso, make sure you have your environment configured.
Then add following to Horizon settings:
WEBSSO_ENABLED=True

Also make sure your KEYSTONE is version 3+

Depends on:
https://review.openstack.org/#/c/136177/
https://review.openstack.org/#/c/151842/

Co-Authored-By: Thai Tran <tqtran@us.ibm.com>
Co-Authored-By: Jose Castro Leon <jose.castro.leon@cern.ch>
Co-Authored-By: Marek Denis <marek.denis@cern.ch>
Co-Authored-By: Lin Hua Cheng <os.lcheng@gmail.com>

implements bp federated-identity
Change-Id: Ief74bece750ffe633d4323238cad89bad61496ed
2015-03-31 11:10:21 -07:00
Jamie Lennox e6c25ad380 Create plugin model for DOA authentication
With federated and kerberos logins coming we need an extensible way to
specify additional ways to fetch an unscoped token from keystone.

Create a plugin model that when authenticate is called a series of
plugins can be queried for a token depending on the information
provided.

Closes-Bug: #1433389
Change-Id: Ifbd7077173844a8eb3400799fd512b62a5dc7dcc
2015-03-25 05:32:25 +11:00
lin-hua-cheng 5801b07da6 Fix H405 docstring issue
Change-Id: I39bb85f3c313b8e5065c07aef5c05f7a44f16c98
2015-02-18 22:32:06 -08:00
Jamie Lennox 01e0abc17d Use keystone auth plugins
Convert the existing DOA to using authentication plugins keeping as
close to the current code structure as possible.
This will allow us to add additional authentication plugins later and
to start changing horizon to use these plugins when talking to other
services rather than hacking tokens into the clients.

Change-Id: Idd9ad5044e998a6c514f6161f5159b44391a0849
2015-01-23 11:28:31 -08:00
eric 4ceb57d02b Make region and project sticky
This change will make the region and project "sticky" in that whatever is selected
will remain selected. When users select other projects or login/logout the region will
stay what the user last selected, and users will try to be returned to the last used
project.

Change-Id: I8b38ab2cb8b616ad6976aa8167b8209926054df4
Closes-Bug: 1357047
Closes-Bug: 1389401
2014-11-17 08:44:18 -07:00
Akihiro Motoki 2e5485d8c5 Bump hacking to 0.9.x series
In order to sync global-requirements, this patch bumps
hacking to 0.9.x series.
H236, H305, H307 errors are fixed in this patch.
H307 and H904 are added to the ignore list.

Change-Id: I37c16ad67912dec8ce1562676ae0ebbfbe277d99
2014-10-19 19:41:58 +09:00
Yves-Gwenael Bourhis 31860107c3 Adding django kwargs to login and logout views
The django.contrib.auth.views login and logout views take useful parameters
which were dropped by the openstack_auth.views methods.

Added a TOKEN_TIMEOUT_MARGIN which allows checking token expiration minus a
time margin in seconds. This is useful if you know a process will take a
certain time and you want to have your token still valid all this time (e.g. the
time it can take to render a view).

This patch is required for https://review.openstack.org/88220

Change-Id: I7508c40d6f1eaa2bf1eef5cc762052b15d6d9273
Closes-Bug: 1308918
2014-09-12 16:49:45 +02:00
Yves-Gwenael Bourhis b7bf43c730 Added url_path_replace and has_in_url_path methods
utils.py, views.py and backend.py were using .replace('v3', 'v2.0') and
.replace('v2.0', 'v3') methods on url strings.
This is BAD because if you have v3 in your url's domain it breaks it.

A new url_path_replace method now only performs the replaces in the url path
and leaves the domain unchanged.

Some checks were performed to test if a substring was in the url path, but the
tests were performed on the whole url and could return a false positive if the
substring exists in the domain name or in the query string.
The new has_in_url_path method checks only if the substring is in the path of
the url.

Change-Id: I030d928d83e5c91cf26101221649a299d146747d
Closes-Bug: 1324948
2014-08-26 17:45:44 +02:00
Lin Hua Cheng bd9fd598e6 Cache the User's Project by Token ID
The project list is fetched for each request. This patch caches the
project list and uses the token as the key in the cache. When
the user logs out or switches project, the project list is removed
from the cache.

Change-Id: I2386d7a342cf02a0252e97cc48c5349ccab8a9eb
Closes-bug: 1241838
2014-07-30 11:03:59 -07:00
Akihiro Motoki 58da8b38a9 Fix H4xx docstring issues
Completes blueprint openstack-hacking-compliant

Change-Id: Ib286972b65e0e3282db483718421f7f28e8c6cd1
2014-07-29 16:32:38 +00:00
Adam Young ff6188c7fe Hash the token id if it is over a maximum length
Instead of exclusively hashing the token id based on if the token is
ASN1, hash the id if it exceeds the maximum size allowed within the
session. Keystone has allowed more than simple PKI and UUID tokens so
the is_asn1_token check will not catch all cases.

Closes-Bug: 1331406

Change-Id: I7891eb3fb35a10926ac16829eed0ff8c306f2661
2014-06-19 22:26:01 -04:00
Akihiro Motoki 2ead8838e7 Fix H301 and H304 hacking issues
H301 one import per line
H304 No relative imports

When checking imports DJANGO_SETTINGS_MODULE environment needs to
be set. Add the following to tox.ini testenv:pep8.

    setenv = DJANGO_SETTINGS_MODULE=openstack_auth.tests.settings

A part of blueprint openstack-hacking-compliant

Change-Id: I65a23c1e9a5d7a5852d448651254b6a3866f1dd3
2014-06-06 15:48:25 +09:00
Jenkins 57062e4a72 Merge "Fix typo of ANS1 to ASN1" 2014-04-18 22:09:31 +00:00
mathrock 80178d821c Fix typo of ANS1 to ASN1
Replace all occurrences of 'ANS1|ans1' with 'ASN1|asn1'.

Change-Id: I65eb72870803b019eae66b1b8a18ceeeb34b95ba
Closes-bug: 1306874
2014-04-13 12:22:43 -04:00
Akihiro Motoki 41fc94754f Fix H306 imports not in alphabetical order
Remove the following rules from ignore list
without any violations from these:
H201,H302,H303,H701,H702,H803

A part of blueprint openstack-hacking-compliant

Change-Id: I4e43e13234f7640ef216db168d873c4cc1198328
2014-04-04 19:12:02 +09:00
David Lyle 7ff623638d Reverting default keystone API to v2.0
Although keystone v2 has been deprecated, no services use v3 for
authorization. So passing a v3 token_id to other services results
in authorization errors. If the user logs into a domain other than
"default" the user sees only unauthorized errors. Currently, when
logging into the "default" domain these authorization errors do not
occur merely because of a bug in keystone that does not validate
the token version. This will likely change some time in the
non-distant future.

Setting the keystone API version to v2.0 is the safest path for now.

Not doing a full revert because the rest of the fixes in the previous
patch were valid and required.

Closes-Bug: #1294396
Change-Id: I3583e729b5a006f9b7f5cbbe3388908c15de39ae
2014-03-18 17:25:48 -06:00
Jenkins aa79d1ad05 Merge "moves default keystone API to v3" 2014-03-12 12:50:19 +00:00
Cyril Roelandt cfaf79b86e Use six.moves.urllib.parse instead of urlparse
This makes the code compatible with both Python 2 and 3.

Partial-Bug: 1287323
Change-Id: Ia9db2732e65a457d547f14a8d5936cfa086a63b8
2014-03-03 20:13:19 +01:00
Lin Hua Cheng 71f45cd027 Sort project list by name
Change-Id: I8063cffb9fb01442076e59c9288b9834fd6aaa0c
Closes-Bug: #1258590
2014-02-21 09:26:36 -08:00
David Lyle 537fd8c7b2 moves default keystone API to v3
v2.0 of the keystone API was deprecated in icehouse-2, moving to
support v3 by default.

This also fixes a bug in Horizon where if you specify v3 for the
API version and v2.0 is still the auth url, login fails.

Implements blueprint keystone-v3-default
Partial-bug: #1267636

Change-Id: Ibc4872f24125fa74230eab781b002dffdba5f5da
2014-02-03 14:45:13 -07:00