Commit Graph

71 Commits

Author SHA1 Message Date
Akihiro Motoki 2baea728dd Retire project
In Queens development cycle, openstack_auth code was merged
into the horizon repository.

blueprint merge-openstack-auth

Change-Id: I74b10a90fe79fc768cfb8de6f68d3cd2f4938e51
2017-12-23 03:22:21 +09:00
Akihiro Motoki 28144e9a2f hacking: Drop import_exceptions from tox.ini
Current hacking check actually does not check attribute-level
imports. We can safely drop import_exceptions from tox.ini.

Also drops noqa to guard import exceptions for the same reason.

Change-Id: I4e37931a7bfb0aa7867d027125ffcf66e414cf08
2017-07-08 23:19:23 +00:00
jlopezgu d0a4f14fbb Implement expiration date alert message
A new attribute was added to keystone user response, that will allow
us to warn users if their passwords are about to expire.
This will be configured in the local_settings.py file

Implements blueprint: password-expires-validation

Change-Id: Id66aa1c9596f8db8d07f63f3feb5166cb723a8e1
2017-02-15 20:57:30 +00:00
Elvin Tubillara f0c7f27af6 Add K2K Auth Dropdown
This adds auth functionality to the Auth Drop down.
A new K2K django auth plugin has been added (With the intent
to do K2K at Login Time). Session variables have been
added so horizon can display the names of the Keystone Providers.
An endpoint was also added that allows the user to
switch keystone providers.

Change-Id: I75b1a10a3b40b5544b60f6fdc060e0070c585977
Implements: blueprint k2k-horizon
2017-01-19 13:00:08 -07:00
xhzhf 21f6235716 python3.0 has disabled LOG.warn
python3.0 has disabled LOG.warn.
remove usages.

Change-Id: Iee087af55dc4103d8cd54f83bfb2291a52be050e
Closes-Bug: #1650248
2016-12-15 03:38:57 +08:00
eric 5810f9c6d9 Removing token revoke / delete calls
Keystone is changing the nature of tokens, timeouts, and long
running tasks. In addition, horizon can also cause issues where
a user starts a long running task, logs out, and then the token
fails authentication. Just removing this problematic logic.

https://blueprints.launchpad.net/keystone/+spec/session-extendable-tokens

Closes-Bug: #1637460
Change-Id: I5eda08e95d8df72ba601181f02a72de37c5393fd
2016-10-28 10:20:58 +00:00
Jose Castro Leon a8c273f85b Not authorized when logout and creating instance
Add TOKEN_DELETE_DISABLED to the settings so we can customize
the revocation of tokens on user logout or switch. This solves an
issue when a user launches a long running operation and then logs off
resulting in an error if the operation tries to validate the token

Change-Id: Ic693c563e028081d87b6447b95ac94608da2dafb
Closes-Bug: 1599870
2016-07-12 09:03:47 +02:00
Timur Sufiev c40b265c3b Make fix_auth_url_version() delegate emitting the warning up the stack
This makes sense because usually only the caller of
fix_auth_url_version() has enough context to decide what warning
message should be emitted (where did the wrong url come from? service
catalog or openstack_dashboard/settings.py?). This also will help to
reduce the number of redundant warnings, emitting them only when user
logs in or a value from service catalog was fixed.

The necessity of this change became obvious after discussion in
https://review.openstack.org/#/c/323786 comments.

Also a small refactoring was made to fix_auth_url_version() (which
previously was edited in haste) - to reuse existing helper functions,
this makes the code a bit cleaner.

Needed-By: I6c6a35b1c460e22dadf39634fce1bdfa257b8c63
Change-Id: I3a04d838a707465c8c6e81e0e6e2fcf918b7b059
2016-06-16 20:46:49 +03:00
Daniel Park 086fc270fa Use login endpoint as key for AVAILABLE_REGIONS
The endpoint defined in request.user.endpoint may differ from the
endpoint selected from Horizon's AVAILABLE_REGIONS. If so, this will
result in the region appearing as 'None' in Horizon.

This will use the login endpoint as the key for setting the region.

Change-Id: I02d8069d2c8dcb5c24950279b1e40469072bf3bd
Closes-Bug: 1494287
2016-05-20 14:44:30 -07:00
Rob Cresswell d8a9ad9fb2 Fix the py27dj19 tests
- Wrap the expected_url variable in a django 1.9 condition so that it
  returns as expected.
- Use request.GET/request.POST instead of request.REQUEST
- Remove some conditional code required for old Django versions

This is the first step in getting Horizon to fully support Django 1.9.
It does *not* yet aim to offer full support, which is why the
requirements have not been bumped.

Change-Id: I7f8f3cde92cafdb5c9134baf75fc736cbf35ff6a
Partially-Implements: blueprint drop-dj17
Depends-On: Ia6cbbc281732e9c466edeaa76739122e006a997e
2016-01-15 13:12:24 +00:00
Mohammed Naser 474c50356c Fix WebSSO when Keystone server hostname contains 'auth'
When using WebSSO, if the Keystone server has "auth" in
the hostname, the existing regular expression below is
problematic which causes a failed replacement.

Change-Id: I564d9af4be837f83f5ef1f8b00b794befafeeb7b
Closes-Bug: #1532032
2016-01-08 11:17:26 -05:00
Jenkins 7d910b60c1 Merge "Add domain initial value on login" 2015-12-12 04:13:32 +00:00
Jenkins 900a8db378 Merge "Move d-o-a auth library to keystoneauth" 2015-12-11 18:22:08 +00:00
Paul Karikh ce52637f61 Add domain initial value on login
Currently there is no default value for
domain field of login form.
This patch adds saving last login domain
name into cookies and pre-filling
'Domain' field value on login with
this saved value from cookies.

Closes-Bug: #1523957
Change-Id: Idbbd741358ecabeb51de47cdece662b5019d2092
2015-12-09 19:12:29 +03:00
Paulo Ewerton Gomes Fragoso 8f1e5675c4 Move d-o-a auth library to keystoneauth
With the keystoneauth release, the authentication library
should move from keystoneclient to keystoneauth.

Co-Authored-By: Diego Adolfo <diegoado@gmail.com>

Change-Id: If880022f447255e7d943915087e229778cc6acf8
Implements: blueprint keystoneauth-update
2015-12-09 13:46:45 +00:00
Jenkins 3715a5f445 Merge "Revert - Cache the User's Project by Token ID" 2015-12-09 13:41:13 +00:00
David Lyle 517de5f664 Add domain scoped token to session in multidomain
In order to perform identity operations in keystone v3 when the v3
policy file is used, a domain scoped token is required. Adding the
domain scoped token to the session as it remains valid until the user
logs out.

The domain scoped token is sizeable, so a check to make sure the
session backend used is not signed cookies, as this will overflow
the cookie.

Additionally, errors around getting and storing the domain scoped
token are logged, but don't block authentication, as it only blocks
identity operations.

A call to delete the domain token is made on logout.

Support for the case of a user with a domain role but no project roles
is now supported as well. That is a user can log in with only scoping
to a domain. This allows domain admins to be able to configure identity
without requiring a project role.

Implements: blueprint domain-scoped-tokens
Change-Id: I0ed1737cdd80dc143f1df94700e311351d5d3b24
2015-11-14 00:33:42 +00:00
lin-hua-cheng 91dec7239d Revert - Cache the User's Project by Token ID
The caching is done only per process, so the cleanup during logout
does not really work since the during could be handled by another
process. So the cache will just keep on growing.

This reverts commit bd9fd598e6.

Depends-On: I793fbee44eb5f9befc316efe6716971b0e32172b
Change-Id: If878d77533ea5fac86fbb73127f26908f1097091
Closes-Bug: #1451943
2015-11-12 03:42:47 +00:00
lin-hua-cheng 463b2ff3a6 IDP specific websso
Allow handling websso requests per IDP.

Change-Id: Ie20e21eb95c2250e301165012eef5591243620e9
Implements: bp federation-idp-websso
2015-09-09 19:50:38 -07:00
Victor Stinner d95e2f05ef Fix Python 3 issues
* Replace unicode() with six.text_type
* Replace basestring with six.string_types
* Add unit tests for User.has_perms()

This change is required to port Horizon to Python 3.

Partial-Implements: blueprint porting-python3
Change-Id: I028a37d51ba1eda69336d4c81a47606f7c66f83f
2015-08-27 16:07:10 +02:00
Jenkins 39c314817b Merge "Add message show for switch project" 2015-07-16 01:34:29 +00:00
tinytmy ce7599006d Add message show for switch project
When we switch the project admin to demo there
is no message show although success, we can add
message show.

Closes-bug:#1436709
Change-Id: Ie06c2c955939f73d89583e40f03cca6428695a6e
2015-07-15 12:20:50 -06:00
David Lyle 1524a22dcf Fixing docstring formatting for param
Currently, ''.. param:' is being used. The correct format for sphinx is
':param <name>:'

The current format raises errors when building the docs. This patch
corrects the formatting and eliminates the errors.

Closes-Bug: #1474972
Change-Id: I924f860dfe91c4c785d9c656825c31038072dd07
2015-07-15 12:08:26 -06:00
eric 2e804b0fa3 Support removal of last_activity session flag
This is a simple change that will support removal of the last activity
session field within the horizon middleware.  With this change, a bunch
of horizon code can be removed.

Change-Id: Ia1c9f116ce731b80fb66a191d937a5ef509c81e9
Partialy-Closes: #1450914
2015-05-26 15:27:13 -06:00
Adam Young 85b2aaea48 Prepend WEBROOT to redirect URL for WebSSO
Change-Id: Ib5c99e3b7b16bfb64b651d2129643d6f53fe7722
Closes-Bug: 1444244
2015-04-27 14:38:42 -07:00
Thai Tran 302f422568 Add authentication using openID and SAML
To enable websso, make sure you have your environment configured.
Then add following to Horizon settings:
WEBSSO_ENABLED=True

Also make sure your KEYSTONE is version 3+

Depends on:
https://review.openstack.org/#/c/136177/
https://review.openstack.org/#/c/151842/

Co-Authored-By: Thai Tran <tqtran@us.ibm.com>
Co-Authored-By: Jose Castro Leon <jose.castro.leon@cern.ch>
Co-Authored-By: Marek Denis <marek.denis@cern.ch>
Co-Authored-By: Lin Hua Cheng <os.lcheng@gmail.com>

implements bp federated-identity
Change-Id: Ief74bece750ffe633d4323238cad89bad61496ed
2015-03-31 11:10:21 -07:00
Jamie Lennox 01e0abc17d Use keystone auth plugins
Convert the existing DOA to using authentication plugins keeping as
close to the current code structure as possible.
This will allow us to add additional authentication plugins later and
to start changing horizon to use these plugins when talking to other
services rather than hacking tokens into the clients.

Change-Id: Idd9ad5044e998a6c514f6161f5159b44391a0849
2015-01-23 11:28:31 -08:00
Jenkins d5ba1a2dd9 Merge "add last_activity to session" 2015-01-07 13:10:49 +00:00
Jenkins c66f038023 Merge "Add call to KS V3 revoke_token on logout" 2015-01-05 11:02:44 +00:00
lin-hua-cheng cad8def073 Add call to KS V3 revoke_token on logout
Change-Id: I6cf9c503e0ee32f71bb37ae5c3982315b8b7be3e
Closes-Bug: #1331978
2014-12-18 15:31:05 -08:00
Matthias Runge 336d7a531d add last_activity to session
Actually, the fix for CVE-2014-8124 included a regression, resulting
users had to log in a second time, after being logged out due to
inactivity.

Change-Id: If6a7f489058c80c969975dc0658e6f2ae979eca3
Closes-Bug: 1403037
2014-12-18 12:53:19 +01:00
lin-hua-cheng 412e129b0a Make region sticky on Login page
The region from last login is used as the default selected
region when the Login page loads.

Change-Id: I3f431e8d2f89cd18ed873a54a1f4109ec95b9c11
Closes-Bug: #1392718
2014-11-20 17:25:35 -08:00
Jenkins 7c5f759473 Merge "Make region and project sticky" 2014-11-20 19:23:55 +00:00
eric 4ceb57d02b Make region and project sticky
This change will make the region and project "sticky" in that whatever is selected
will remain selected.  When users select other projects or login/logout the region will
stay what the user last selected, and users will try to be returned to the last used
project

Change-Id: I8b38ab2cb8b616ad6976aa8167b8209926054df4
Closes-Bug: 1357047
Closes-Bug: 1389401
2014-11-17 08:44:18 -07:00
Vlad Okhrimenko 2a29dfa4be Fix inability to switch region via Switch Region dropdown
Prevent logged-in users redirect in case 'login'
view is used for switching the regions via modal form.

Change-Id: I47f26eea19e577998c7e3906a51900b51024eb43
Related-Bug: #1381413
2014-10-22 12:06:09 +03:00
Akihiro Motoki 2e5485d8c5 Bump hacking to 0.9.x series
In order to sync global-requirements, this patch bumps
hacking to 0.9.x series.
H236, H305, H307 errors are fixed in this patch.
H307 and H904 are added to the ignore list.

Change-Id: I37c16ad67912dec8ce1562676ae0ebbfbe277d99
2014-10-19 19:41:58 +09:00
Yves-Gwenael Bourhis 31860107c3 Adding django kwargs to login and logout views
The django.contrib.auth.views login and logout views take useful parameters
which were dropped by the openstack_auth.views methods.

Added a TOKEN_TIMEOUT_MARGIN which allows to check token expiration minus a
time margin in seconds. This is useful if you know a process will take a
certain time, you want to have your token still valid all this time (e.g. the
time it can take to render a view).

This patch is required for https://review.openstack.org/88220

Change-Id: I7508c40d6f1eaa2bf1eef5cc762052b15d6d9273
Closes-Bug: 1308918
2014-09-12 16:49:45 +02:00
Yves-Gwenael Bourhis b7bf43c730 Added url_path_replace and has_in_url_path methods
utils.py, views.py and backend.py were using .replace('v3', 'v2.0') and
.replace('v2.0', 'v3') methods on url strings.
This is BAD because if you have v3 in your url's domain it breaks it.

A new url_path_replace method now only performs the replaces in the url path
and leaves the domain unchanged.

Some checks were performed to test if a substring was in the url path but the
tests were performed on the whole url and could return a false positive if the
substring exists in the domain name or in the query string.
The new has_in_url_path method checks only if the substring is in the path of
the url.

Change-Id: I030d928d83e5c91cf26101221649a299d146747d
Closes-Bug: 1324948
2014-08-26 17:45:44 +02:00
Lin Hua Cheng bd9fd598e6 Cache the User's Project by Token ID
Project list is fetched for each request. The patch caches the
project list and uses the token as the key in the cache. When
the user logs out or switches project, the project list is removed
from the cache.

Change-Id: I2386d7a342cf02a0252e97cc48c5349ccab8a9eb
Closes-bug: 1241838
2014-07-30 11:03:59 -07:00
Akihiro Motoki 58da8b38a9 Fix H4xx docstring issues
Completes blueprint openstack-hacking-compliant

Change-Id: Ib286972b65e0e3282db483718421f7f28e8c6cd1
2014-07-29 16:32:38 +00:00
David Lyle 47fcf7ae4a Adding back the forms.Login import
Changing this breaks all older versions of Horizon. Adding it back
in to allow older versions to continue working.

Closes-Bug: #1332855
Change-Id: Icdb206d4095b1746eef9be02ca63f2aa9cfe1081
2014-06-21 14:31:03 -06:00
Julie Pichon 24bf08011d Restore "redirect to login page after logout" behaviour
The expected behaviour is to redirect to the login page after a user
gets logged out. This was changed accidentally during a refactoring.

This will get rid of the following error 500 in Horizon when logging
out: TemplateDoesNotExist: registration/logged_out.html.

Change-Id: Id23666e84fce1e3a212b066fcdaf71a17e4898d9
Closes-Bug: #1332167
2014-06-19 17:56:30 +01:00
Akihiro Motoki 2ead8838e7 Fix H301 and H304 hacking issues
H301 one import per line
H304 No relative imports

When checking imports DJANGO_SETTINGS_MODULE environment needs to
be set. Add the following to tox.ini testenv:pep8.

    setenv = DJANGO_SETTINGS_MODULE=openstack_auth.tests.settings

A part of blueprint openstack-hacking-compliant

Change-Id: I65a23c1e9a5d7a5852d448651254b6a3866f1dd3
2014-06-06 15:48:25 +09:00
Jenkins bf9c7f37d2 Merge "Redirect the user if they're already logged in" 2014-05-21 20:02:11 +00:00
Julie Pichon ee41e31b9a Redirect the user if they're already logged in
Similar to when the domain root url is accessed, if the user is
already logged in do not show them the login page nor ask for their
credentials. This avoids users being misled into thinking they can
open multiple sessions in parallel, and is in line with how most web
applications handle this.

Change-Id: Ibd37b9c488d65cf54b156f23db4fa04f019d8092
Closes-Bug: #1308637
2014-05-09 16:30:41 +01:00
Akihiro Motoki 41fc94754f Fix H306 imports not in alphabetical order
Remove the following rules from ignore list
without any violations from these:
H201,H302,H303,H701,H702,H803

A part of blueprint openstack-hacking-compliant

Change-Id: I4e43e13234f7640ef216db168d873c4cc1198328
2014-04-04 19:12:02 +09:00
Akihiro Motoki 32871fee1f Fix remaining PEP8 (E***) and PyFlakes (F***) issues
E502 the backslash is redundant between brackets
E501 line too long (XX > 79 characters)
F841 local variable 'XXX' is assigned to but never used

Remove F403 and F999 from ignore list because there are
no violations related to these.

The remaining are all from OpenStack Hacking (H***) rules.

A part of blueprint openstack-hacking-compliant

Change-Id: I0fb46309621c15dfe4363039bbe46669f1315dec
2014-04-04 19:06:58 +09:00
David Lyle 537fd8c7b2 moves default keystone API to v3
v2.0 of the keystone API was deprecated in icehouse-2, moving to
support v3 by default.

This also fixes a bug in Horizon where if you specify v3 for the
API version and v2.0 is still the auth url, login fails.

Implements blueprint keystone-v3-default
Partial-bug: #1267636

Change-Id: Ibc4872f24125fa74230eab781b002dffdba5f5da
2014-02-03 14:45:13 -07:00
Jenkins ba7654339b Merge "Require user to be logged in when switching regions" 2013-12-20 13:37:21 +00:00
Sascha Peilicke 40b654e6ee Support Django 1.4, 1.5 and 1.6
The default session serializer switched to JSONSerializer in Django-1.6.
Unfortunately, it can't serialize arbitrary objects (such as datetime
instances), there we have to stay with PickleSerializer (compare with
https://docs.djangoproject.com/en/1.6/topics/http/sessions/#write-your-own-serializer).

Sets Django==1.4 for the py27dj14 tox testenv. Don't relax the version
requirements just yet.

Change-Id: Ifb5a68950fa6a4a652a0fb0cb81048d89763ec3f
2013-12-05 16:57:42 +01:00