In Queens development cycle, openstack_auth code was merged
into the horizon repository.
blueprint merge-openstack-auth
Change-Id: I74b10a90fe79fc768cfb8de6f68d3cd2f4938e51
In Django 1.10 a new Form property was introduced, defaulting to True,
which enabled HTML form validation for fields marked "required" in
Django. This changed old behavior, which was that required fields were
only validated server-side. This patch restores old behavior by setting
use_required_attribute to False for the inherited AuthenticationForm.
This problem arose because when WebSSO is enabled and a
non-keystone-credentials authentication method is selected from the
dropdown list, the now-hidden username and password fields are still
marked "required" and still validated client-side, even though they are
invisible to the user and cannot be filled in. It would be nice to fix
the javascript to properly turn the "required" attribute on or off
depending on what authentication method is selected and whether the
"required" fields are even visible, but for now this just restores the
behavior we had before Djanto 1.10.
Change-Id: I3e798a2288d9c33396b40a86b07ea8c163d3b525
Closes-bug: #1703109
This change introduces the POLICY_DIRS setting which adds the ability
to define multiple policy directories per service.
Blueprint: policy-dirs
Change-Id: Ie42f1aa68539b7388661ddfe2c265255cd574736
In case DEFAULT_SERVICE_REGIONS setting in Horizon config is specified
(on a per-endpoint basis), use it instead of a value stored in
cookies. This value is still checked for sanity, i.e. it should be
present in Keystone service catalog.
Change-Id: Ia4787b56db7ce7787bd8aac21b5c0ec8a95a6f09
Related-Bug: #1506825
Closes-Bug: #1703390
Current hacking check actually does not check attribute-level
imports. We can safely drop import_exceptions from tox.ini.
Also drops noqa to guard import exceptions from the same reason.
Change-Id: I4e37931a7bfb0aa7867d027125ffcf66e414cf08
On clouds that use domain-specific Identity configuration[1], a user
must provide both their username and domain in order to log into
horizon. Without this patch, users must be aware of their domain's name
and enter it into a text box at login. This is sensible on public
clouds, because supplying potential domains to an unauthenticated user
exposes too much information about other customers and makes potential
attacks easier. On private clouds, however, it is a hinderance to
usability. For example, when migrating from a single-domain
configuration to a multi-domain configuration, users must now guess or
be informed of their domain in order to enter it in the text box. As
another example, when keystone domains are mapped to Active Directory
domains, the user may not be used to having to know their AD domains and
would prefer to select a likely one based on their geographical location
or department from a dropdown menu.
This patch adds support for a new config option,
"OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN" for enabling a dropdown menu
instead of a textbox when MULTIDOMAIN_SUPPORT is enabled. The dropdown
is disabled by default. If enabled, choices for domains to display and
submit are configured in "OPENSTACK_KEYSTONE_DOMAIN_CHOICES". It is not
possible to dynamically generate a list of domains before the user has
authenticated and this would be a huge security hole if this was
possible. Requiring the admin to statically set the domain list allows
them to hide private domains like the service users domain.
[1] https://docs.openstack.org/developer/keystone/configuration.html#domain-specific-drivers
Change-Id: Ie0a7e36b9975342fab81ddebb87880608d3ef187
Needed-By: I71d64182524d1f54745d9e42347b3a605fa2a920
* doc/source/conf.py: html_static_path pointed to nonexisting dir
* Fix indent error in python codes
* Insert blank lines before starting code block
* Enable warning-is-error in setup.cfg to prevent future warnings
* 'all_files' should be 'all-files' in setup.cfg
Change-Id: I7c5bc31be9c95ec78f18f895014a03cb003d7e04
A new attribute was added to keystone user response, that will allow
us to warn users if their passwords are about to expire.
This will be configured in the local_settings.py file
Implements blueprint: password-expires-validation
Change-Id: Id66aa1c9596f8db8d07f63f3feb5166cb723a8e1
The project domain ID is needed if a client needs to rescope a token
using the Identity V3 endpoint, so make it available.
Change-Id: I18a9d42906cb2116903600d47880ebdfff1e1ef9
Partial-bug: #1660436
As requested[1], this patch adds info logging when an unscoped token
cannot be scoped to a given project or domain returned by list_projects
or list_domains.
[1] https://review.openstack.org/#/c/389337/
Change-Id: I0cb4b7450528cd1e056b8a2af4f820a17914209c
When a federated user logs in, openstack_auth receives an unscoped
token and no user_domain_name parameter. Currently, if the federated
user has a role in one or more domains, but no roles in any projects,
openstack_auth prevents authorization and denies the user's login with
the error "You are not authorized for any projects or domains." This is
a problem because first, it's inaccurate, as the user is authorized for
at least one domain, and second, a keystone administrator may want to
give federated users access to a domain without any projects in it, for
example so delegate the creation of projects to the federated users
themselves. This patch allows federated users without project roles to
log in by looking up domains as well as projects when attempting to
scope the token. This lookup is skipped if the domain was passed as
part of the request.
This patch also slightly restructures the OpenStackAuthTestsWebSSO
and OpenStackAuthTestsV3 tests because mox needs to simulate only one instance
of the plugin but two instances of the client objects for every call to
authenticate().
Closes-bug: #1649101
Change-Id: I151218ff28c0728898ed5315d63dd8122ce3b166
Previously, the get_domain_scoped_auth plugin method caught any
exceptions found while trying to scope a token and logged the error
without addressing it. This was hiding an error that was occuring in
the unit tests, which was that some of the plugin calls were not being
mocked properly. This patch narrows down the exception handling to the
same exceptions handled in the project scoping case and adds the
necessary mocks to the tests.
Change-Id: I80a085ca731391b3f54a5ef999c92ab8ba3e69a0
This adds auth functionality to the Auth Drop down.
A new K2K django auth plugin has been added (With the intent
to do K2K at Login Time). Session variables have been
added so horizon can display the names of the Keystone Providers.
An endpoint was also added that allows the user to
switch keystone providers.
Change-Id: I75b1a10a3b40b5544b60f6fdc060e0070c585977
Implements: blueprint k2k-horizon
Discovering REMOTE_IP using headers variables and displaing on console
log.
The messages will be:
"Login successful for user "%(username)s", remote address %(remote_ip)s."
and
"Login failed for user "%(username)s", remote address %(remote_ip)s."
This patch was tested behind haproxy and nginx reverse proxy.
To set variable that want to use, must inform using settings
SECURE_PROXY_ADDR_HEADER variable. Whitout this setting the remote ip
will use REMOTE_ADDR header variable.
Change-Id: I977be6cb1d029048b9862cac4b6596fc2e2b3431
Closes-Bug: #1461266
The check() method was broken during a refactor and now only
checks the first result in the list and then returns that result.
This patch restores the AND functionality of check and only short
circuits on a failed result.
Closes-Bug: #1643082
Change-Id: I7d976299de2a35b81ced29d2c3f265da62f20eff
Akihiro Motoki