Added a new OAuth2mTlsClientCredential plugin, accessible via the
'v3oauth2mtlsclientcredential' entry point, making possible to
authenticate using an OAuth 2.0 Mutual-TLS client credentials.
Implements: blueprint support-oauth2-mtls
Change-Id: I4b85bcfbfad1e34624b48ecd6476d01a4adba9eb
This patch provides Keystoneauth documents for OAuth2.0 client
authorization. The specification about OAuth2.0 Client Credential Grant
is added to authentication plugins.
Implement: blueprint oauth2-client-credentials-ext
Change-Id: Iefaa997c1e561f51cb0e93d80106ccaa70932755
This authentication plugin isn't grouped with the other authentication
plugins, but it can be really useful for people writing proxies or
implementing service-to-service calls.
This commit just highlights the usefulness of this plugin with some
example usecases and a code snippet. The current documentation phrases
it such that it's only useful for testing.
Change-Id: I1de4959ccde3fdf8141d8f4949c73542c2200483
A new basic auth plugin is added which enables HTTP Basic
authentication for standalone services. Like the noauth plugin, the
endpoint needs to be specified explicitly, along with the
username and password.
An example of a standalone server implementing HTTP Basic can be seen
in Ironic change https://review.opendev.org/#/c/727467/
Change-Id: Ib3f0a9c518d031a67f9605cf64a8a9cc81131ed3
Story: 2007656
Task: 39741
This updates lower constraints to versions that will work with py38 so
that when we move to running on focal nodes, which has py38 as its
default py3 runtime, the lower-constraints job will continue to pass.
It also cleans out some secondary requirements that are no longer needed
due to our direct dependencies being updated.
Linters are removed that are kept in the global requirements blacklist
as those are not version tracked and are not relevant for our
lower-constraints unit test runs.
Change-Id: I228212d8347a33a6bc2735a8506acffe58bee2ec
Signed-off-by: Sean McGinnis <sean.mcginnis@gmail.com>
Now that we no longer support py27, we can use the standard library
unittest.mock module instead of the third party mock lib.
Change-Id: I07d61e1a8f18d65acdf86cdd61f7d9e28157f1d7
Signed-off-by: Sean McGinnis <sean.mcginnis@gmail.com>
Switch to openstackdocstheme 2.2.1 and reno 3.1.0 versions. Using
these versions will allow especially:
* Linking from HTML to PDF document
* Allow parallel building of documents
* Fix some rendering problems
Update Sphinx version as well.
Set openstackdocs_pdf_link to link to PDF file. Note that
the link to the published document only works on docs.openstack.org
where the PDF file is placed in the top-level html directory. The
site-preview places the PDF in a pdf directory.
Disable openstackdocs_auto_name to use 'project' variable as name.
Change pygments_style to 'native' since old theme version always used
'native' and the theme now respects the setting and using 'sphinx' can
lead to some strange rendering.
Remove docs requirements from lower-constraints, they are not needed
during install or test but only for docs building.
openstackdocstheme renames some variables, so follow the renames
before the next release removes them. A couple of variables are also
not needed anymore, remove them.
See also
http://lists.openstack.org/pipermail/openstack-discuss/2020-May/014971.html
Change-Id: I23798a960616d53d1cc54342640e670fc677738d
This repo is now testing only with Python 3, so let's make
a few cleanups:
- Remove python 2.7 stanza from setup.py
- Add requires on python >= 3.6 to setup.cfg so that pypi and pip
know about the requirement
- Remove obsolete sections from setup.cfg
- Update classifiers
- Update requirements, no need for python_version anymore
- Cleanup doc/source/conf.py to remove now obsolete content.
- Use newer openstackdocstheme and Sphinx versions
- Remove install_command from tox.ini, the default is fine
- Remove hacking from doc/requirements, we don't need to autodoc it.
- Remove Babel, this repo does not use it.
Change-Id: I8ad7b5e6ef11ea51c587ff58bfc54aee4fcda9da
Use sphinx-build instead of the pbr sphinx extention for building docs
as instructed by the PTI[1].
This requires using the sphinxcontrib-apidoc plugin rather than the
autodoc pbr extention. We also remove the reference to the ChangeLog
file that is usually generated by pbr and instead refer to the published
reno release notes. Also fixes the header formatting for the index page,
as the headers weren't rendering at all.
[1] https://governance.openstack.org/tc/reference/pti/python.html
Change-Id: Iec8b99fa89877e357cf2e754abad77c9032acad1
- new exception when an auth receipt is returned.
- a new method for auth receipt.
- support to existing v3 Auth plugins to add additional methods.
- Added a new MultiFactor plugin with loading support which
takes method names as strings.
Change-Id: Ie6601a50011118e3a07be9752f747c2298ff5230
Closes-Bug: #1839748
The latest version of bandit has broken directory
exclusion, so multiple test files are getting
flagged. This change blocks version 1.6.0 while
this issue is fixed for 1.6.1.
This change also caps sphinx at <2.0.0 for python version 2.7.
Change-Id: Id4db764200be068df0dbe96306c2d53f79b49af7
Sphinx 1.6 deprecated using the application object to perform logging
and it will be removed in the upcoming 2.0 release. This updates our
extensions to use the recommended sphinx.util.logging instead.
Change-Id: I3abce4e3c147befd0235820cb8850fe18f6dee42
Signed-off-by: Sean McGinnis <sean.mcginnis@gmail.com>
Since we removed the keystoneauth example in the main docs in favor of
an openstackclient example[1] add an example of using the
Keystone2Keystone auth plugin.
[1] https://review.openstack.org/591587
Change-Id: I5815fecbfe53d8a191a8a64912dac17e66ca928a
Python logging is pretty amazingly flexible, and allows us to emit
to arbitrary logging domains so that a consumer can direct log output
with specificity.
Turning on HTTP debug logging currently produces an avalanche of output,
when sometimes just seeing that the requests were made and responded to
is perfectly fine.
Split the loggers used into four - one for request ids, one for request
commands, one for response headers and one for response body content.
Make them subloggers of keystoneauth.session so that if a user does nothing,
their existing logging config will be unchanged.
If someone passes in a logger, behave as before logging all things to
the provided logger.
While we're at it, document this in the using-sessions document, so that
people know that the loggers exist and what they do.
NOTE:
The tox (>=1.7.0) by default sets a random python hash seed which
causes ordering of dicts and sets to be different between tests runs.
Disabled the random python hash seed by setting PYTHONHASHSEED=0 to
fix the random failure of below test:
keystoneauth1.tests.unit.test_session.SessionAuthTests.
test_split_loggers
The PYTHONHASHSEED=0 is removed in the followup patch so that we can
separate the tracking down of ordering issues in tests from this patch.
Change-Id: Ide7dac8adf5c76c9019c35867cda632aff39770f
Now that we can authenticate with application credentials using ksa,
we should add some documentation and a release note for users.
bp application-credentials
Change-Id: I5584b93a987246f9d527e22a13fb1b13df701822
With the new way of generating docs in the gate[1] our autodoc builds
are slightly broken. Put the required dependencies for doc building and
autodoc generation into doc/requirements.txt. We can also now remove
docs-related requirements from test-requirements.txt.
[1] http://lists.openstack.org/pipermail/openstack-dev/2017-December/125710.html
Change-Id: I77a09349304451041491893466ca98ba6ebdf96b
The previous microversion patch had some review comments from samuel and
colleen that this addresses. Also, add a release note.
Change-Id: Id83643ee5a00abc5134a88dfa5bc8ddb4f5a247a
The user now has the ability to know what microversions are available,
but needs to be able to send a microversion header with their request.
Add a microversion parameter to Session that will construct and send the
header. The microversion header requires a service_type. One should be
available but it's possible for it to be missing if someone is using an
endpoint_override. Provide a parameter to let the user specify a
service_type for the microversion call in such cases.
Change-Id: I63cdd67701749630228f9496eda82b3c8747a608
In a previous change [0] when warning-is-error was added, the
sphinx todo extension was causing errors with duplicate
registration. However with the recent changes between pbr and
sphinx, this extension no longer throws a duplicate error when
using warning-is-error and we can add it back in.
[0] https://review.openstack.org/#/c/439797/
Change-Id: I2c3c44015f5b961c56360f44b52c56629760de43
The API-WG just approved the spec for version discovery documents to
optionally provide "next_min_version" and "not_before" information.
http://specs.openstack.org/openstack/api-wg/guidelines/microversion_specification.html#version-discovery
The intended use of these is to communicate that at a point in the
future the service plans to raise the minimum microversion. It can't say
when that will happen, as a service does not know when deployers will
decide to upgrade their services. But it can communicate the earliest
date it's possible to happen, which would be the first date the service
itself would raise the minimum.
This can be used to emit warnings to users who are using a microversion
less than the next_min_version and to tell them how long they have to
think about it.
Currently keystoneauth will not consume these for that purpose. This
patch is merely about collecting the information from the discovery
document if it is there so a consumer can take action on it if they
wish.
Change-Id: Ibc404ef55eeae721a0d1d16e4e3e51ad77b5a75c
get_endpoint_data on an adapater is intended to return the endpoint_data
for the endpoint the adapter is mounted to, so passing in additional
kwargs doesn't make any sense. What's more, the interaction between the
existing values and the passed in values is hard to reason about.
Update the docs on using get_endpoint_data to highlight this.
Change-Id: I851c615407bc3e22af4350a4facf8488fa9c7945
People get confused with major version discovery vs. microversion usage.
Try to make it very clear what's going on.
Change-Id: I2be8670998f531ee4777876413979a63279a59ab