Commit Graph

560 Commits

Author SHA1 Message Date
Takashi Kajinami 307296af5e Deprecate templated catalog driver
Keystone provided two in-tree catalog drivers, sql and templated.
However the templated driver hasn't been properly maintained.
The default template had not been updated for 8 years until it was
recently updated by [1].

This deprecates the driver, assuming it's not widely used and the sql driver
meets usual requirements.

This also restores the image service endpoints which were wrongly
removed by [1].

[1] c32bedb654

Related-Bug: #2013473
Change-Id: Iadb7bd5d7c4cf82aea2a7dbc1d8c4dbe53b9f763
2024-03-13 22:09:30 +09:00
Takashi Kajinami 6c7020c51a Drop remaining references to eventlet options
Because these were removed by [1]. Also update the previous release
note to document the upgrade impact on catalog information (like
endpoint urls) including string interpolations requiring these removed
options.

[1] 2a3c73c49b

Change-Id: If78d0b93665410b86754ea35653ca9d4c15c81c5
2024-01-27 21:02:14 +09:00
Takashi Kajinami c32bedb654 Fix outdated default catalog template
The file has not been updated and is horribly outdated. This updates
the file to adapt to recent API versions available.

Closes-Bug: #2013473
Change-Id: Ibb373f198b528a9aea3546f28545ee4470d9b37b
2023-03-31 18:12:21 +09:00
Lance Bragstad d4a6023de5 Remove policy.v3cloudsample.json
We've made all the default policies keystone supports better by
incorporating default roles and scope types. These changes have made
the ``policy.v3cloudsample.json`` file obsolete.

Let's simplify things for users, operators, and developers by removing
it.

A follow-on patch will remove the test_v3_protection.py file since
those behaviors are passing all the protection tests with the default
policies in code.

Related-Bug: 1805880
Closes-Bug: 1630434
Closes-Bug: 1806762
Change-Id: Ie45955f5cc54563cc9704d7cb2b656b5544ae030
2019-10-02 20:26:05 +00:00
Lance Bragstad 5b995cc8fb Remove limit policies from policy.v3cloudsample.json
By incorporating system-scope and default roles, we've effectively
made these policies obsolete. We can simplify what we maintain and
provide a more consistent, unified view of default limit
behavior by removing them.

Change-Id: Ie0f333a9e8b60154711a24ba7d9ade531217eb71
Closes-Bug: 1805880
2019-09-24 19:25:45 -07:00
Lance Bragstad 8e67249d5b Add default roles and scope checking to project tags
This commit makes it so that project tags adhere to system-scope and
also incorporates default roles into the policy checks by default.

Change-Id: Ie36df5677a08d7d95f056f3ea00eda05e1315ea5
Closes-Bug: 1844194
Closes-Bug: 1844193
Related-Bug: 1806762
2019-09-19 02:48:39 +00:00
Zuul 18e0080af3 Merge "Remove system Domain Config from policy.v3cloudsample.json" 2019-09-15 22:15:24 +00:00
Zuul 778a8c17ce Merge "Remove system EC2 credentials from policy.v3cloudsample.json" 2019-09-15 22:15:22 +00:00
Vishakha Agarwal 6435017c24 Remove system EC2 credentials from policy.v3cloudsample.json
By relying on system-scope and default roles, these policies are now
obsolete.

Change-Id: Ie6be658a8e4dd028834a3fee956689f9513a37e9
Partial-Bug: #1806762
Closes-Bug: #1750678
2019-09-15 20:53:09 +05:30
Vishakha Agarwal 566f8e734d Remove system Domain Config from policy.v3cloudsample.json
By relying on system-scope and default roles, these policies are now
obsolete.

Change-Id: I21473f757611cfd3299d0227eddef89d4ef624ff
Partial-Bug: #1806762
Closes-Bug: #1805366
2019-09-15 20:39:19 +05:30
Lance Bragstad cf22f8004e Remove obsolete grant policies from policy.v3cloudsample.json
This commit also removes an obsolete test case from
test_v3_protection.py.

Co-Authored-By: Colleen Murphy <colleen@gazlene.net>

Change-Id: Ic0a654494f96d5dffa0c4d4d96766ab4a2e090b1
Related-Bug: 1806762
2019-09-14 09:39:21 +00:00
Colleen Murphy 9b694fcd08 Implement system scope for domain role management
The roles API was partially converted to use default roles and system
scope but that work did not include converting the domain roles actions.
This commit completes the rest of the work and closes out the system
scope work for the roles API.

Change-Id: Iea5a1559e9bece2c0f310170f05260a978e27b47
Closes-bug: #1805400
Partial-bug: #1805880
2019-09-13 08:23:13 -07:00
Colleen Murphy afb312529b Remove implied roles policies from v3cloudsample
By incorporating system scope and default roles into keystone's default
policies for implied roles, we've effectively made these policies
obsolete.

Change-Id: I75515d3491517ea6e6fa17473a7890ce4653b481
Partial-bug: #1806762
Closes-bug: #1805371
2019-09-11 08:47:15 -07:00
Vishakha Agarwal 704cb2590e Remove system policy and its association from policy.v3cloudsample.json
By relying on system-scope and default roles, these policies are now
obsolete.

Change-Id: Ib2aa3e9023194ee578c617cdf2d53c6264c0e785
Partial-Bug: #1806762
Closes-Bug: #1805409
2019-09-08 12:48:48 +00:00
Lance Bragstad bb141b1fb4 DRY: Remove redundant policies from policy.v3cloudsample.json
The policies contained in policy.v3cloudsample.json pre-dated any of
the work to move policy defaults into code. Since deploying a policy
file is now optional, we can remove the redundant policies from this
file and make it more maintainable by not repeating ourselves and
violating the DRY principle.

The only policies left are ones that are testing workarounds for bug
968696. Meanwhile, we're pursuing fixes for scope types and default
roles:

  http://tinyurl.com/y5kj6fn9

These fixes are specific to certain resources to make reviews more
understandable for reviewers. As fixes for those bugs land, we will
be removing the remaining checks in this file, since the behavior will
be captured in new default check strings or in code.

Eventually, we will delete this file entirely since we will have
defaults in code that work for `admins`, `members`, and `readers` on
projects, domains, and the deployment system.

Change-Id: Ibbabe8fdc7989f15aa0edda2bf7b550a0dc16f83
Partial-Bug: 1806762
2019-04-02 19:09:53 +00:00
Colleen Murphy 8877e9f01c Remove redundant policies from v3cloudsample
By incorporating system and domain scope and default roles into
keystone's default policies for domains, we've effectively made these
policies obsolete. This change also removes the redundant group
management tests from the v3cloudsample tests.

Change-Id: I4e3b19f9cc025a472fb27a33955856c2cd17fd1d
Partial-Bug: #1806762
2019-03-27 21:02:02 +01:00
Lance Bragstad d2cc4c83c0 Consolidate user protection tests
This commit removes user policies from policy.v3cloudsample.json. By
incorporating system-scope, domain-scope, project-scope, and default
roles, we've effectively made these policies obsolete. We can simplify
what we maintain and provide a more consistent, unified view of
default user behavior by removing them.

This commit also adds an important filter to the GET /v3/users API by
making sure the users in the response are filtered properly if the API
was called with a domain-scoped token. This is needed in case domain
configuration isn't set up and short-circuits normalization of the
domain ID, which sometimes comes from the token if it is
domain-scoped.  Regardless of domain configuration being used, we
should protect against cases where data leaks across domains in the
name of security.

Finally, this commit moves a couple of tests from test_v3_protection
to test_users protection tests that ensure we do reasonable filtering
while normalizing domain IDs. The remaining tests from
test_v3_protection have been removed because they are no longer
applicable. These tests were testing that an HTTP 403 was returned when a
domain user attempted to filter users for domains they didn't have
authorization on. We don't use this approach consistently in keystone.
Most other places where filtering is implemented, we ignore invalid
filters and instead return an empty list. For domain users attempting
to fish information out of another domain, they will receive an empty
list to be consistent with other parts of the API.

Change-Id: I60b2e2b8af172c369eab0eb2c29f056f5c98ad16
Partial-Bug: 1806762
2019-03-26 12:58:15 +00:00
Zuul 9940021f3c Merge "Remove assignment policies from policy.v3cloudsample.json" 2019-03-26 06:42:41 +00:00
Zuul e3e5913846 Merge "Remove system assignment policies from policy.v3cloudsample.json" 2019-03-26 01:31:48 +00:00
Vishakha Agarwal 64a455ef94 Remove assignment policies from policy.v3cloudsample.json
By incorporating system-scope and default roles, we've
effectively made these policies obsolete. We can simplify
what we maintain and provide a more consistent, unified
view of default service behavior by removing them.

This commit also removes some redundant tests in test_v3_protection
or corrects them.

Partial-Bug: 1806762
Change-Id: I008aed9c01b9e834a197444ff2dc1f6eb1ba25b1
2019-03-25 18:02:01 +00:00
Lance Bragstad 0dbc8a88e8 Remove system assignment policies from policy.v3cloudsample.json
By relying on system-scope and default roles, these policies are now
obsolete.

Change-Id: I7a17c2baa6e23b6a5d8fe21668a66ea8c8a89232
Partial-Bug: 1806762
2019-03-21 19:28:08 +00:00
Lance Bragstad 546b7f1bba Remove project policies from policy.v3cloudsample.json
By incorporating system-scope, domain-scope, project-scope, and
default roles, we've effectively made these policies obsolete. We can
simplify what we maintain and provide a more consistent, unified view
of default project behavior by removing them.

Change-Id: I80221b72ce0f234440e6d6aaea51869bd5f1c6e7
Related-Bug: 1806762
2019-03-20 20:22:03 +00:00
Lance Bragstad c83fcbc42a Remove service policies from policy.v3cloudsample.json
By incorporating system-scope and default roles, we've effectively
made these policies obsolete. We can simplify what we maintain and
provide a more consistent, unified view of default service behavior by
removing them.

Change-Id: Ifa2282481ee3fc544c1d50ac8e8972b0d3a5332e
Closes-Bug: 1804462
2019-03-04 15:39:27 +00:00
Zuul 7076d704ab Merge "Remove protocol policies from v3cloudsample.json" 2019-03-02 03:03:45 +00:00
Zuul 60ae125107 Merge "Remove endpoint policies from policy.v3cloudsample.json" 2019-03-01 21:29:45 +00:00
Lance Bragstad 24b8db9e06 Remove protocol policies from v3cloudsample.json
By incorporating system-scope and default roles, we've effectively
made these policies obsolete. We can simplify what we maintain and
provide a more consistent, unified view of default protocol
behavior by removing them.

Related-Bug: 1806762
Closes-Bug: 1804518
Change-Id: Ia839555d8211596213311c4246135cdae4f46ab2
2019-02-28 16:24:56 +00:00
Zuul a0091f6a09 Merge "Remove role policies from policy.v3cloudsample.json" 2019-02-28 03:46:50 +00:00
Lance Bragstad 6d756ad612 Remove role policies from policy.v3cloudsample.json
By incorporating system-scope and default roles, we've effectively
made these policies obsolete. We can simplify what we maintain and
provide a more consistent, unified view of default role behavior by
removing them.

Note that these changes are slightly different from the
policy.v3cloudsample.json role policies, hence the removed tests. In
policy.v3cloudsample.json, domain users were allowed to get and list
global roles. So were project users. This behavior is changing because
global roles are considered global resources of the deployment, and
they should be managed by system users. Domain users should be able to
add and remove domain specific roles, which will come in a subsequent
series of patches. This approach is being taken because it is a safer
default for a system level resource (global roles) and still allows
the same functionality for domain users through domain-specific roles.

Change-Id: Iddaa59024a1dcefd4d791b95413602865888c1ff
Closes-Bug: 1806713
2019-02-27 21:57:17 +00:00
Lance Bragstad 6c6c6049f5 Remove endpoint policies from policy.v3cloudsample.json
By incorporating system-scope and default roles, we've effectively
made these policies obsolete. We can simplify what we maintain and
provide a more consistent, unified view of default endpoint behavior
by removing them.

Change-Id: I423e54c359b787efdda70f5d141f21e9103f3524
Closes-Bug: 1804482
2019-02-27 16:17:26 +00:00
Lance Bragstad 87e50c029e Remove domain policies from policy.v3cloudsample.json
By incorporating system scope and default roles into keystone's
default policies for domains, we've effectively made these policies
obsolete.

Related-Bug: 1806762

Change-Id: I96079b15c980de6a4ba71f49d7b39790c1115767
2019-02-27 16:13:49 +00:00
Lance Bragstad c0e6d4498a Remove idp policies from policy.v3cloudsample.json
By incorporating system-scope and default roles, we've effectively
made these policies obsolete. We can simplify what we maintain and
provide a more consistent, unified view of default idp behavior
by removing them.

Change-Id: I6091d1cdbc4e1fa3a3d5f83a707f003416a43ea0
Closes-Bug: 1804517
2019-02-25 22:03:35 +00:00
Lance Bragstad 65f76c1722 Remove mapping policies from policy.v3cloudsample.json
By incorporating system-scope and default roles, we've effectively
made these policies obsolete. We can simplify what we maintain and
provide a more consistent, unified view of default mapping
behavior by removing them.

Change-Id: Ie01b5a79aaf363b3783c92578f56654b993b5e76
Closes-Bug: 1804519
2019-02-19 01:49:28 +00:00
Lance Bragstad 1b7db4a062 Remove region policies from policy.v3cloudsample.json
By incorporating system-scope and default roles, we've effectively
made these policies obsolete. We can simplify what we maintain and
provide a more consistent, unified view of default region behavior
by removing them.

Change-Id: I0f982d71fc4a5d33ed66cb34d7388f3c4655e3ef
Closes-Bug: 1804292
2019-02-11 17:52:11 +00:00
Lance Bragstad 6bac9930eb Remove service provider policies from v3cloudsample.json
By incorporating system-scope and default roles, we've effectively
made these policies obsolete. We can simplify what we maintain and
provide a more consistent, unified view of default service provider
behavior by removing them.

Change-Id: I01b0e7152ae282c49644b3bad1bcb2c8119aed58
Closes-Bug: 1804520
2019-01-25 16:31:30 +00:00
Lance Bragstad 7af769278a Remove registered limit policies from policy.v3cloudsample.json
By incorporating system-scope and default roles, we've effectively
made these policies obsolete. We can simplify what we maintain and
provide a more consistent, unified view of default registered limit
behavior by removing them.

Change-Id: I1ee7fb53a71361966584363687051615dc832329
Related-Bug: 1805880
2019-01-08 18:17:02 +00:00
Lance Bragstad 7c129f1c70 Remove obsolete credential policies
The policy.v3cloudsample.json policy file attempted to solve
admin-ness issues with elaborate policy checks. These checks are no
longer needed with the advent of system scope and incorporating system
scope into keystone APIs.

This commit removes the credential policies from the
policy.v3cloudsample.conf policy file since the new defaults introduce
more flexibility by consuming scope, rendering the policies in
policy.v3cloudsample.conf obsolete. More specific test coverage has
also been added for each new case in
keystone.tests.unit.protection.v3.test_credentials.

Change-Id: I6c74f40640da23375574f4a26ee60779ef08d120
Related-Bug: 1788415
2018-10-30 13:25:24 +00:00
Morgan Fainberg ea6755a825 Remove paste-ini
Remove the paste-ini for Stein release. It has not been used since
Rocky and was maintained for simplicity of deployment projects.

Change-Id: Iec0c204e8521694e4d48dbef03a72ecdb173e435
2018-10-15 17:57:59 +00:00
Lance Bragstad 0022adb6ae Add policy for limit model protection
We plan to expose the enforcement model a deployment is using via
the limit API. This commit prepares for that implementation by
introducing the policy for it.

Change-Id: I03c9cec3646ee354ebcdd4ddc1168e00d611171b
Related-Bug: 1765193
2018-06-19 20:27:00 +08:00
wangxiyuan b385864c5d Unified limit update APIs Refactor
According to the API-WG's suggestion, the update registered
limit/project limit APIs should be refactored as:
1. Change PUT to PATCH
2. Remove batch update limits support for PATCH

Closes-Bug: #1754184
Change-Id: I1102166ab425a55d8eaf85c75d8fd3a7dfbaceb6
2018-06-15 09:05:35 +08:00
Morgan Fainberg 8bf335bb01 Remove pastedeploy
This patchset removes the lingering code that supported paste.deploy
that is obsoleted by the loader wrapped around keystone's use of Flask.

 * The keystone-paste.ini file has been removed.

 * All options have been removed (without deprecation) as they are no
   longer referenced.

 * The TokenAuthMiddleware code (with deprecation warning) has been
   removed as it was only provided to ensure compatibility with paste.ini
   files that were not updated (ensuring not breaking a deployer that
   did not update paste.ini file to remove it from the pipeline).

 * Paste deploy entrypoints have been removed.

Change-Id: I35064a440ef718f50c7e644e8b2d56a99c3ec74f
2018-06-06 19:30:26 +00:00
Jamie Lennox b39132daa0 Remove the TokenAuth middleware
The entire purpose of this confusingly named middleware is to take token
values out of headers and put them into a dictionary. There's no point
in this, we have a request class that can abstract this for us.

Deprecate the middleware, it's unnecessary.

bp: deprecated-as-of-rocky
Change-Id: I09310bab6bd728127288ba4c3cf8f884a31e2b98
2018-05-10 14:40:39 +00:00
Jesse Pretorius 3ffee23599 Remove the sample .conf file
The sample configuration file is almost never up to date as it has to
be updated by a person submitting a patch.

The implementation of published autogenerated sample config files in
documentation was done in I88a2429dd3cacd1d014b5b441b98fbfee7e1e208
and in If00cd3bcc654a45944c0bc8b3f146c75bd970f9a. These generate
sample configuration files and publish them in the documentation on
every commit, ensuring that they are always up to date, and not
requiring human intervention to be updated.

As has been done with nova (in Mitaka), cinder (in Newton), and
neutron (in Newton) this patch removes the sample config file from the
git tree and replaces it with a README file explaining how to generate
them, or where to find the latest published versions in the online
documentation.

This commit also breaks a related testcase into two distinct tests for
easier readability, making it clearer what the behavior is through one
assertion/concept per test.

Depends-On: https://review.openstack.org/#/c/562007/
Change-Id: Ic4d6a98035f59b6ebe48d9c85af50fc9408fc3ab
2018-04-18 19:41:37 +00:00
Lance Bragstad ae7c7a0f07 Update sample configuration file for Queens
This patch was generated using the tox environment for generating
sample configuration files:

  tox -e genconfig

Change-Id: I225432d54b28ed5e83de7f33adee38b07e0fa6e3
2018-02-06 21:19:35 +00:00
Colleen Murphy 166eced28b Add Application Credentials controller
Add the controller, router, schema, and policies for application
credentials. If a secret is not provided, one is generated at the
controller layer.

bp application-credentials

Depends-on: Id26a2790acae25f80bd28a8cb121c80cb5064645
Depends-on: Icbd58464182b082854fb5d73ccc93c900ede020c

Change-Id: I7a371d59c19a11e55f17baf12d92327c1258533d
2018-01-27 11:55:05 +01:00
Zuul d8a0c5e3d0 Merge "Implement policies for limits" 2018-01-26 13:08:41 +00:00
wangxiyuan 9ba24b91a4 Implement policies for limits
This commit lays down the policies needed to protect the unified limit
API. A subsequent patch will expose the implementation.

bp unified-limits

Change-Id: I952fe6213adce86a92d7d607c9b639076b279f6c
2018-01-25 15:45:51 +08:00
Lance Bragstad a50fafd246 Implement GET /v3/auth/system
Keystone has APIs for retrieving projects and domains based on the
role assignments a user has on projects and domains. We should
introduce similar functionality for system assignments. This will
make discovering system access for users and clients easier.

bp system-scope

Change-Id: Iab577fcd1b57b8b5593c3f9d50a772466383a999
2018-01-24 01:09:16 +00:00
Gage Hugo 3bcaec39a4 Remove whitespace from policy sample file
This change removes a rogue whitespace character from the
policy.v3cloudsample file.

Change-Id: Ie46e7dc6a01de87bad5966f6a960b7fac11ae83e
2018-01-10 04:37:28 +00:00
Lance Bragstad cd9064d2b9 Add group system grant policies
This commit introduces new policies that control RBAC for assigning
groups roles on the system. Since the management of system roles is a
system-level operation, each policy has `system` set for scope_types.

bp system-scope

Change-Id: Ide491be9563f74f758c5de55990916292228e0d9
2017-12-22 01:56:37 +00:00
Lance Bragstad 616542a051 Add user system grant policies
This commit introduces new policies that control RBAC for assigning
users roles on the system. Since the management of system roles is a
system-level operation, each policy has `system` set as scope_types.

bp system-scope

Change-Id: Ie606e769427a5ca422997efe92402e712f3cf45f
2017-12-20 15:56:04 +00:00