Commit Graph

151 Commits

Author SHA1 Message Date
Takashi Kajinami 5afd51e8cf Drop unused pymongodb from requirements
Keystone no longer depends on mongodb after cache implementation was
split to oslo.cache[1]. Also, bandit is not a runtime dependency but
a test dependency, so should live in test requirements.

[1] 4969f66fca

Change-Id: I85f376d0897dd6b4dba758f86882fae70511fb6a
2024-02-04 15:04:55 +00:00
Zuul 4b3efbc026 Merge "Remove babel.cfg" 2024-01-26 17:37:06 +00:00
Ghanshyam Mann 23fbdee5ea Update python classifier in setup.cfg
As per the current release tested runtime, we test
python version from 3.8 to 3.11 so updating the
same in python classifier in setup.cfg

Change-Id: I94d11b7fb1f7111549a16d70581658d8fa17ab62
2024-01-03 23:56:26 -08:00
Takashi Kajinami e3b3df7974 Remove babel.cfg
Remove babel.cfg and the translation bits from setup.cfg, those are not
needed anymore.

Change-Id: I6c44c8e0b8bf16af2e91ba26b2dbe37c06ea1048
2023-12-21 02:16:12 +09:00
Ghanshyam Mann 5a0fbe975d Update python testing as per zed cycle testing runtime
In Zed cycle, we have dropped the python 3.6/3.7[1] testing
and its support.

[1] https://governance.openstack.org/tc/reference/runtimes/zed.html

Change-Id: I817a4d1506fb7f15e72d37015ae0ba9547e2aa52
2022-05-10 19:30:04 -05:00
YuehuiLei 1703447131 setup.cfg: Replace dashes with underscores
Resolves warnings like the following:

  UserWarning: Usage of dash-separated 'description-file' will not be
  supported in future versions. Please use the underscore name
  'description_file' instead

Change-Id: I81c2a24fbf3341ad73a6f3057e3e47010f2663fa
2021-04-26 15:53:22 +08:00
Andreas Jaeger 35e83918f4 Cleanup py27 support
Make a few cleanups:
- Remove python 2.7 stanza from setup.py
- Add requires on python >= 3.6 to setup.cfg so that pypi and pip
  know about the requirement
- Remove obsolete sections from setup.cfg
- Update classifiers

Change-Id: Id04f2ca5b879ee1f37cd349ff85ebec01389213a
2020-04-08 08:37:30 +02:00
Zuul af1c1a822a Merge "Stop testing Python 2" 2019-11-14 10:28:52 +00:00
Arthur Dayne a92885a98b Stop testing Python 2
In Ussuri, Drop support for Python 2 according to [1] and [2]

[1] http://lists.openstack.org/pipermail/openstack-discuss/2019-October/010356.html
[2] https://governance.openstack.org/tc/resolutions/20180529-python2-deprecation-timeline.html

Change-Id: I35e871992dd21e96e7e812e440e6cafdb61d26ac
2019-11-01 08:57:08 +08:00
Colleen Murphy 9607ed3266 Revert "Resource backend is SQL only now"
This reverts commit 3d46c8a5d9.

In the last commit, the foreign key constraints between the project
table and other tables were dropped, which allows us to restore the
configurability of the resource driver.

Change-Id: Iba4951e2d3965be5acec705385967d312456f1c7
2019-10-11 14:13:04 -07:00
Colleen Murphy 7c42f1a7a8 Revert "Add JSON driver for access rules config"
This reverts commit f028ca4edd.

In the Train PTG[1] we agreed to defer this feature until we had some
kind of traceability or discoverability for APIs and that this wasn't
feasible or useful until then.

This change was merged to master but never released, so I submit that
it is safe to revert.

[1] https://etherpad.openstack.org/p/keystone-train-ptg-application-credentials

Change-Id: I8fc5fcb2b35431882f0d64866765d6b0cd31356f
2019-05-28 08:38:42 -07:00
Jim Rollenhagen dc3175afb1 Revert "Blacklist bandit 1.6.0"
This reverts commit ebac8330d8.

Using the glob that I had not yet had enough coffee to do correctly is a
better solution, and allows us to fix new failures in 1.6.0 which would
break us again when 1.6.1 was released.

Change-Id: Ica473ba71b224cdc0acf815f82d534b6c70a7f54
2019-05-14 21:09:32 +00:00
Jim Rollenhagen ebac8330d8 Blacklist bandit 1.6.0
There's a regression[0] in bandit 1.6.0 which causes bandit to stop
respecting excluded directories, and our tests throw a bunch of
violations. Blacklist this version, but allow newer versions as there is
already a pull request[1] to fix it, and I expect it will be included in
the next release.

[0] https://github.com/PyCQA/bandit/issues/488
[1] https://github.com/PyCQA/bandit/pull/489

Change-Id: Ie4dbfb3f54e4aac00e0537d5760b7a8fc81b35a2
2019-05-09 14:27:19 +00:00
Zuul ed45883380 Merge "Add JSON driver for access rules config" 2019-03-07 09:43:33 +00:00
Vishakha Agarwal a022e27307 Drop py35 jobs
Python 3.5 was the target runtime for the Rocky release.
The current target py3 runtime for Stein is Python 3.6,
so there is no reason to keep testing against the older
version.

https://governance.openstack.org/tc/reference/runtimes/stein.html#python-runtime-for-stein

Change-Id: I618c0d263d4c0f497aef59f24215b60169948ea9
2019-03-05 10:56:57 +05:30
Colleen Murphy f028ca4edd Add JSON driver for access rules config
The access rules config driver will read a JSON file that represents
rules for accessing service APIs. This is to support application
credential access rules, which will be checked against the configured
rules upon creation. The name for this new API is borrowed from Istio's
near identical concept[1].

[1] https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1/#AccessRule

bp whitelist-extension-for-app-creds

Change-Id: If8b9c1e9df55874052dfd9b99fbcea6e06c1ca35
2019-03-03 18:33:11 +01:00
Lance Bragstad 96adccd0ec Implement JWS token provider
This commit introduces a class that implements the JWS token provider
functionality.

bp json-web-tokens

Change-Id: Ie16110894348a83e3a80cba4649e6cccdc3c84b1
2019-02-07 23:04:39 +00:00
Corey Bryant eca0829c4c PY3: switch to using unicode text values
In Python 3, python-ldap no longer allows bytes for some fields (DNs,
RDNs, attribute names, queries). Instead, text values are represented
as str, the Unicode text type. Compatibility support is provided for
Python 2 by setting bytes_mode=False [1].

Update the keystone LDAP backend to adhere to this behavior by using
bytes_mode=False for Python 2 and dropping UTF-8 encoding and decoding
fields that are now represented as text in python-ldap.

[1] More details about byte/str usage in python-ldap can be found at:
http://www.python-ldap.org/en/latest/bytes_mode.html#bytes-mode

Note that at a minimum python-ldappool 2.3.1 is required. For more
details see Depends-On's below.

Change-Id: Ifdd0644cd7042407a008c85c0b2c40a971c90bc3
Closes-Bug: #1798184
Depends-On: https://review.openstack.org/611401
Depends-On: https://review.openstack.org/613632
Depends-On: https://review.openstack.org/614052
2019-01-14 14:25:39 -05:00
ZhongShengping 6469f5c316 Change openstack-dev to openstack-discuss
Mailinglists have been updated. Openstack-discuss replaces openstack-dev.

Change-Id: I447cca1b13c8da7a1ff362274b3e3f75cd6b9e48
2018-12-04 10:00:29 +08:00
Adrian Turjak d9e6c1d4dd Implement auth receipts spec
Adds a new model and provider for receipts which are
very similar to tokens (fernet based), and share the
same fernet mechanisms.

Adds changes to the auth layer to handle the creation,
validation, and consumptions of receipts as part of
the auth process.

Change-Id: Iccb6e6fc7aee57c58a53f90c1d671402b8efcdbb
bp: mfa-auth-receipt
2018-11-02 15:06:19 +01:00
Zuul d04bb1e7e6 Merge "Remove paste-ini" 2018-10-24 08:29:22 +00:00
Zuul 41078e422e Merge "Internally defined middleware don't use stevedore" 2018-10-19 23:33:03 +00:00
Zuul f8becfb448 Merge "Implement scaffolding for upgrade checks" 2018-10-19 17:20:55 +00:00
Lance Bragstad 6369796ebe Implement scaffolding for upgrade checks
One of the community goals for Stein is to implement a command-line
tool for operators that runs programmable checks that might impact
upgradability.

This commit lays down the basic structure for the upgrade checks and
ties it up to `keystone-status` command.

Story: 2003657
Task: 26135
Change-Id: I6586827104156ac549217967a1b9171f1a3b32e4
2018-10-17 16:54:53 -04:00
Morgan Fainberg ea6755a825 Remove paste-ini
Remove the paste-ini for Stein release. It has not been used since
Rocky and was maintained for simplicity of deployment projects.

Change-Id: Iec0c204e8521694e4d48dbef03a72ecdb173e435
2018-10-15 17:57:59 +00:00
Morgan Fainberg 18d597f8e8 Internally defined middleware don't use stevedore
For internally defined middleware (URL Normalizer and AuthContext)
Do not use stevedore to load, apply directly. This also cleans up
a lingering entry in the setup.cfg for token_auth.

Test Changes:

* entry points test no longer looks for url_normalize and
build_auth_context

Change-Id: I58d3c23ad4f70668ada4eae94a94d3f5fe750b3b
Partial-Bug: #1776504
2018-10-11 15:27:46 -07:00
Morgan Fainberg ee9b035cf1 Replace JSON Body middleware with flask-native func
Replace the JSON Body middleware with flask-native before-request
function.

The body filtering and storing data in
request.environ['openstack.params'] was not used in the code base and
has been dropped.

Test Changes:

* JSON Body middleware has been removed, no testing of the removed code

* JSON Body Before Request Method has been implemented and associated
  testing (mirroring the JSON Body middleware code).

* Test entry points no longer looks for JSON Body middleware.

Change-Id: I84491865870b6bf2b8f094b524ee8b77510f0054
Partial-Bug: #1776504
2018-10-11 15:27:46 -07:00
Zuul 199e9b5238 Merge "Switch to python-ldap" 2018-07-18 17:44:25 +00:00
wangxiyuan 4b4835a01c Strict two level limit model
This patch introduced the hierarchical limit structure
into Keystone.

The strict two level enforcement model is added as well.

Change-Id: Ic80e435a14ad7d6d4eccd4cd6365fb2d99fd26c1
bp: strict-two-level-model
2018-07-17 11:59:58 +08:00
Dirk Mueller 0fa6f97891 Switch to python-ldap
pyldap is deprecated and merged with python-ldap, so we should depend
on it directly instead of the deprecated wrapper. For details see
https://pypi.org/project/pyldap/

Change-Id: I2c8ee2c792a476fe12c234a55af24144e6b511cd
Depends-On: https://review.openstack.org/#/c/582973/
2018-07-16 17:33:38 +02:00
Morgan Fainberg bb3b15bbf0 Implement base for new RBAC Enforcer
Create the base implementation of the RBAC enforcer with compat code
for the legacy mechanism via @protected decorators.

Change-Id: I80662d9b23e706b720d56670cb849318e951a3b4
Partial-Bug: #1776504
2018-06-27 22:38:06 +00:00
Morgan Fainberg 8bf335bb01 Remove pastedeploy
This patchset removes the lingering code that supported paste.deploy
that is obsoleted by the loader wrapped around keystone's use of Flask.

 * The keystone-paste.ini file has been removed.

 * All options have been removed (without deprecation) as they are no
   longer referenced.

 * The TokenAuthMiddleware code (with deprecation warning) has been
   removed as it was only provided to ensure compatibility with paste.ini
   files that were not updated (ensuring not breaking a deployer that
   did not update paste.ini file to remove it from the pipeline).

 * Paste deploy entrypoints have been removed.

Change-Id: I35064a440ef718f50c7e644e8b2d56a99c3ec74f
2018-06-06 19:30:26 +00:00
Morgan Fainberg a11d6ca0eb Flaskification cleanup
Cleaning up 2 minor changes that were missed in the initial
flaskification change.

Change-Id: I27e7a506a9fd03fd1fb9efd8666d187cba965769
2018-06-06 19:30:20 +00:00
Morgan Fainberg 4ec6bc5a44 Convert Keystone to use Flask
Basic conversion of Keystone's core application to flask framework.

This doesn't add much in the way of flask-specific-isms but should
get keystone running directly under flask. This implementation does
not use paste-deploy.

Change-Id: Ib4c1ed3f645dd55fbfb76395263ecdaf605caae7
2018-06-04 20:14:41 -07:00
Nguyen Hai a04a1dc782 Follow the new PTI for document build
- Follow new PTI for docs build
- Add sphinxcontrib.apidoc to replace pbr autodoc

REF:
https://governance.openstack.org/tc/reference/project-testing-interface.html
http://lists.openstack.org/pipermail/openstack-dev/2017-December/125710.html
http://lists.openstack.org/pipermail/openstack-dev/2018-March/128594.html

Depends-On: https://review.openstack.org/#/c/559334/
Change-Id: I1d5f01cf49f36567f5a891c69c7269d3e966b9c5
2018-04-09 01:13:58 +09:00
Zuul 3eeb4901b3 Merge "Remove domains *-log-* from compile_catalog" 2018-02-14 21:41:08 +00:00
Lance Bragstad 032dd49db2 Remove the sql token driver and uuid token provider
Both of these drivers were staged for removal in Rocky. Now that
Rocky is open for development we can remove them. This commit removes
just the bare-bones aspects of each. Subsequent patches will do the
following:

  - Remove test class that were only meant for sql or uuid scenarios
  - Refactor the notification framework to not hint at token storage
  - Refactor the token provider API interfaces to be simpler and
    cleaner
  - Remove the needs_persistence property from the token provider API
    and document the ability to push that logic into individual
    providers that require it
  - Return 403 Forbidden for all requests to fetch a revocation list
  - Remove the signing directory configuration options

These changes will result in simpler interfaces which will be
important for people implementing their own token providers and
storage layers.

bp removed-as-of-rocky

Change-Id: I76d5c29f6b1572ee3ec7f2b1af63ff31572de2ce
2018-02-12 17:32:47 +00:00
Colleen Murphy 29280b1f68 Add application credential auth plugin
Add an auth plugin for application credentials and update the common
auth utilities to understand an auth method of 'application_credential'
and validate and scope accordingly.

By default, application credentials should not be allowed to be used for
creating other application credentials or trusts. If a user creates an
application credential with flag `allow_application_credential_creation`
then that application should be allowed to be used for creating and
deleting other application credentials and trusts. Ensure a flag is set
in the token if this property is set to allow this behavior.

bp application-credentials

Change-Id: I15a03e79128a11314d06751b94343f22d533243a
2018-01-27 12:00:19 +01:00
wangxiyuan 0b241dcea5 Add limit provider
This patch adds the registered limit and project limit provider
Class.

Change-Id: I636cd9555ae6434b0e6dec958ae41ef852a48285
bp: unified-limits
2018-01-25 15:45:44 +08:00
Colleen Murphy 52a32aa583 Add application credentials driver
Add a sql model and driver for application credential CRUD operations
and authentication.

bp application-credentials

Change-Id: I192052434c0b0d49d1612824aec1034507dfd233
2018-01-17 20:56:53 +01:00
Lance Bragstad 85c957c503 Expose a get_enforcer method for oslo.policy scripts
Because we have policy in code, we should be able to use the
oslo.policy CLI scripts to produce sample policy files and render
complete policies based on overrides on disk. This was broken
because keystone wasn't removing unexpected commandline arguments
before passing them to oslo.config to parse. This prevented
people from generating complete policy files like they would for
horizon.

This commit exposes a get_enforcer() that substitutes an empty list
in place of arguments passed in through the system. This makes it
so that oslo.config doesn't choke when processing configuration
values.

Change-Id: I22583258eac5b3a64208355d18ccfa62dba1871d
Closes-Bug: 1740951
2018-01-03 20:47:56 +00:00
wangqiangbj 4fc045f820 remove "admin_token_auth" related content
As "admin_token_auth" is removed from paste file, some related contents
are useless and should be removed also.

Change-Id: Ia2263eda93559603a31d9a492e5501424613188e
bp: removed-as-of-queens
2017-12-18 17:02:34 +08:00
Jesse Pretorius 0502d749a6 Add default configuration files to data_files
In order to make it simpler to use the default
configuration files when deploying services
from source, the files are added to pbr's
data_files section so that the files are
included in the built wheels and therefore
deployed with the code. Packaging and deployment
tools can then more easily use the default files
if they wish to.

This pattern is already established with similar
files for neutron and the glance metadefs as has
been mentioned in the related bug report.

Change-Id: I505a2cdff3ec699dcb4a37106765ef889872d367
Closes-Bug: #1718356
2017-09-21 13:53:41 +01:00
Morgan Fainberg 3d46c8a5d9 Resource backend is SQL only now
This change has been implemented to avoid the need to backport
significantly impactful Foreign Key dropping backports.

Resource is highly relational data and it makes sense to allow the
use of FKs from other subsystems to project/domains.

Change-Id: Ic3831d1c7ae41fe4d406d60a013770cc1258584f
2017-08-14 19:01:02 +00:00
Samriddhi Jain 82785553dd Updated URLs in docs
With the docs migration and re-arrangement, some docs
have been shifted to new places, however the referenced
links are still old. Some of them give 404 error or
just point to the home page. This patch fixes those URLs.

Change-Id: Ie6b18ab3d4aa346dac8436dd426277fee4f07fcd
2017-08-09 23:46:33 +05:30
Colleen Murphy e08e7ccad7 Fix man page builds
Since Sphinx 1.6 released, pbr's build_sphinx extension has been broken.
Specifically, pbr's [build_sphinx]/builders option is ignored. Luckily,
sphinx itself implemented the feature but called it just 'builder'[1].
This patch fixes the config setting name and then cleans up a Sphinx
extension inclusion that is now automatically included.

[1] http://lists.openstack.org/pipermail/openstack-dev/2017-July/119396.html

Change-Id: I5da6a996ed442524ddb108a890df2d024ee07c4d
2017-08-06 16:05:03 +02:00
Chandan Kumar 1f44f5f307 Remove keystone_tempest_plugin from setup.cfg
Since keystone_tempest_plugin is moved to a separate repo, but we
have not removed its entry from packages section in setup.cfg. On
installing keystone, it also installs keystone_tempest_plugin in
python sitelib directly, which contains README.rst file only, which
does not add value. So it is better to remove that entry.

Change-Id: I832600d841e9a84c3dfee7b5c3e8893ece1ae902
2017-06-28 23:55:30 +05:30
Colleen Murphy 6f4e37e9e6 Remove the local tempest plugin
The plugin has been split into its own repository[1] in accordance with
Queens Goal "Split Tempest Plugins into Separate Repos/Projects[2]".
This patch removes the local copy as well as the setuptools entry point.
We can also now remove the autodoc_tree_excludes pbr option since
there's no more plugin to exclude and it defaults to [setup.py].

[1] http://git.openstack.org/cgit/openstack/keystone-tempest-plugin
[2] https://governance.openstack.org/tc/goals/queens/split-tempest-plugins.html

Depends-On: I47f59505126509b6b52cf04b8f7501e8ef4041b7
Change-Id: I1805b196b42b6a76c56e129a316e170e767455c1
2017-06-06 11:48:37 +00:00
Stephen Finucane c40d37c317 Explicitly set 'builders' option
An upcoming release of pbr will require explicitly stating which
builders are requested, rather than defaulting to html and man. Head off
any potential impact this may cause by explicitly setting this
configuration now.

Change-Id: I6983a5a988d8a595f2ab75580147da2e920ae030
2017-04-19 10:35:49 +01:00
Anthony Washington 9bb1556817 Add policy sample generation
This adds the entry point and config file necessary for using the
oslo.policy sample generation script. It also adds a tox target to
simplify the usage of it.

Change-Id: I7feb522b2ea5f56e48982169c7ebbb2ec2ef2cb3
Partially-Implements: bp policy-in-code
2017-03-29 15:48:57 +00:00