30 Commits

Author SHA1 Message Date
Yusuke Niimi 53b4cb21ad External OAuth2.0 Authorization Server Support
Added the ability to authenticate using a system-scoped token and the
ability to authenticate using a cached token to the
external_oauth2_token filter.

Implements: blueprint enhance-oauth2-interoperability
Change-Id: I1fb4921faaafd5288d5909762ff5553e5e2475dc
2023-09-07 09:43:14 +00:00
Tim Burke f88d07f953 Have middlewarearchitecture doc reference auth_type option
We literally say in (the rendered version of) the same doc:

 # Authentication type to load (string value)
 # Deprecated group/name - [keystone_authtoken]/auth_plugin
 #auth_type = <None>

Looks like auth_plugin has been deprecated for quite some time:
https://opendev.org/openstack/keystoneauth/commit/a56ed4218

Change-Id: I2dafa0cb28f017667497e0a6585d96a8cd090d5f
2020-03-20 06:47:52 +00:00
Jens Harbott f6037a3d50 Add a new option to choose the Identity endpoint
Previously the admin Identity endpoint was hardcoded to be used. Now
that keystone has dropped v2 support, deploying an admin Identity
endpoint is no longer useful, so allow this to be changed by the
deployer. Keep the default as using the `admin` endpoint, but create
a deprecation message so that we can change the default in the future.

Partial-Bug: 1830002
Change-Id: I993a45ccb1109d67e65bf32d1e134cc9bec2d88e
2019-06-03 10:34:25 +00:00
melissaml c4e81b3857 Trivial: Update pypi url to new url
Pypi url changed from [1] to [2]

[1] https://pypi.python.org/pypi/<package>
[2] https://pypi.org/project/<package>

Change-Id: Ibb6247bfb2cfe1c77f6841be2773cbff9475e0c6
2018-12-16 22:44:50 +08:00
Nguyen Van Duc 94058477c9 Replace port 35357 with 5000
With Keystone v3, the admin (35357) and public (5000) ports are
the same and use the same keystone code paths for authentication.

This patch set replaces 35357 and only uses port 5000

Change-Id: I596e3a2b29b2954bf7caef6f9408d9b2b4e890ee
2018-07-20 13:57:04 +07:00
Kristi Nikolla 5fa536e6c5 Document endpoint interface and region behavior
After some debugging following [0] to figure out why ksm was
not connecting to the specified auth_url, found out that
ksm connects to the identity server on the 'admin' interface
[1] after authenticating with auth_url and fetching the catalog if
keystoneauth is being used. Otherwise it connects on identity_uri
and disregards the service catalog [2].  This behavior was not
documented.

[0]. http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2017-09-19.log.html#t2017-09-19T17:50:06
[1]. d1b7a1f092/keystonemiddleware/auth_token/__init__.py (L936-L938)
[2]. d1b7a1f092/keystonemiddleware/auth_token/_auth.py (L121-L130)

Change-Id: Ide40835de856012ac4dd71975beac9d32771f356
2018-07-05 15:13:29 +00:00
Zuul 6be663a79d Merge "Rename auth_uri to www_authenticate_uri" 2017-10-20 17:34:52 +00:00
Colleen Murphy 409b482253 Rename auth_uri to www_authenticate_uri
The [keystone_authtoken]/auth_uri middleware parameter has been causing
extreme confusion amongst operators and developers ever since the
keystonemiddleware started accepting keystoneauth plugin parameters
including auth_url. The two parameters look identical and yet have
completely different meanings and are both required. This patch
deprecates auth_uri and renames it to www_authenticate_uri, which more
accurately describes the WWW-Authenticate header it is configuring and
is dissimilar to any other keystone_authtoken middleware parameter. This
also renames the internal variable names for consistency with the config
option.

Change-Id: I0cf11da3d395749df28077427689fdafc8a6b981
2017-10-11 14:00:49 +02:00
Jaewoo Park a8616e97e0 Update config docs to reflect non-deprecated methods
Changed the keystone_authtoken part of the config docs so that it
advertises the use of identity_uri over the deprecated auth_protocol,
auth_port, auth_host

Change-Id: Ia1351a83abed30f2680c2ce3a074028bd95158fb
Closes-Bug: 1679238
2017-09-11 11:03:11 -07:00
Jenkins cd598a4f83 Merge "Add doc8 rule and check doc/source files" 2017-08-27 17:48:16 +00:00
liuxiaoyang 31be1c5ad3 Add doc8 rule and check doc/source files
doc8 is a linter for documents and used in openstack-manuals.
It is better to enforce document linters for simple checking.
This change is to add doc8 in tox file and fix line too long
in some files.

The current rules are as below:
- invalid rst format - D000
- lines should not be longer than 79 characters - D001
  - RST exception: line with no whitespace except in the beginning
  - RST exception: lines with http or https urls
  - RST exception: literal blocks
  - RST exception: rst target directives
- no trailing whitespace - D002
- no tabulation for indentation - D003
- no carriage returns (use unix newlines) - D004
- no newline at end of file - D005

Change-Id: I01b11619b42eebf13cb17e1b4a2e8464a8ccc797
2017-08-26 20:18:57 +00:00
Colleen Murphy 51ca52823f Remove notice about system time
Keystone used to require that the memcached and keystone servers both
use UTC, but this was fixed[1]. Keeping the notice in the
keystonemiddleware documentation is confusing. This patch removes the
note.

[1] https://bugs.launchpad.net/keystone/+bug/1221087

Change-Id: Iae2dc43ea3f0270246acd3184b7bb0c5778dcc7c
2017-07-28 08:41:52 +02:00
Hangdong Zhang 4a72cd6c3b Update URLs in documentation
Update URLs according to OpenStack document migration.

Change-Id: Icb4232fcce79bb1ea121489122e578e3109b5e90
2017-07-20 16:38:16 +08:00
Eric Brown 96dac98364 Use https for *.openstack.org references
The openstack.org pages now support https and our references to
the site should by default be one signed by the organization.

Change-Id: I8521461203fe40e4576f4de7cfb500bd64027d6d
2017-02-05 20:36:42 -08:00
Steve Martinelli 58da2fb0a2 fix broken links
as noted in [1] we had a few broken links, this should fix the
ones seen in the keystonemiddleware repo

[1] http://lists.openstack.org/pipermail/openstack-docs/2017-January/009464.html

Change-Id: I46a3e13ed78c4fca9a196089ceae994e41eff8bc
2017-01-13 00:20:11 -05:00
bhagyashris adb59a79e9 Fix typo 'olso' to 'oslo'
TrivialFix

Change-Id: I644bc36e3bf804c7546034ec8788671bd7cd01e6
2016-06-23 12:45:42 +05:30
Lance Bragstad 6f53905a94 Clean up middleware architecture
This commit attempts to clean up and shuffle some of the keystonemiddleware
architecture document around to read a little easier.

Change-Id: Icb0ad50ac67a35a50e5c2dd39324aa3e169e9dc9
2016-06-20 21:43:22 +00:00
Steve Martinelli 952d2030e8 remove old options from documentation
these config options are outdated and duplicated. remove them.

Change-Id: I02ed459d46333406c394fbcc44d998ca8c2ac33e
2016-05-12 06:38:49 +00:00
Steve Martinelli 95ba901ac0 generate sample config automatically
Let's use sphinx extensions to generate the config options instead of
updating them manually.

The following options will no longer appear since we use auth plugins
now:
  auth_admin_prefix
  auth_url
  auth_host
  auth_port
  auth_protocol
  identity_uri
  admin_token
  admin_user
  admin_password
  admin_tenant_name

Change-Id: I0a6eac26f93bfb1c2cbba17a98629108915f78c6
2016-05-12 06:38:40 +00:00
Matt Fischer 5ef2e510d1 Update config options
The config options in the architecture page needed to be updated. This
includes new values and correct text for old values. We also note in the
code that the revocation event list is only valid for PKI tokens.

Change-Id: Ib98d3de771d88feea72ea9598d094b77cde6093e
2016-05-04 20:18:32 -06:00
Dave Chen 698b00d0ba Configuration is outdated
Some of the configuration options have been deprecated and the doc needs
to be synced with this change. This patch also adds the configuration
options `identity_uri` and `auth_url` to the example.

Change-Id: I1994d899c4dae47412983781647ed5865bdaf6eb
Closes-Bug: #1422432
2015-12-08 11:17:56 +08:00
Dave Chen c29aa8eb82 update middlewarearchitecture.rst
The patch primarily adds some info about the auth_plugin, since
loading the plugin in the old way has been deprecated but there is no
information on how to use the `auth_plugin`.

This patch also takes the chance to fix some typos and improve the
doc format.

Co-Authored-By: Brant Knudson <bknudson@us.ibm.com>
Change-Id: I931de73a97fa20eedc777a6ff41cf740e4a32584
Closes-Bug: #1490834
2015-11-12 12:15:55 +08:00
Mehdi Abaakouk ba68a74e65 Allow to use oslo.config without global CONF
If an application doesn't use a global configuration object and loads
the middleware with api paste, there is no way to read the
configuration options from the application configuration file.

This change fixes that; the api paste config will look like:

  [filter:authtoken]
  paste.filter_factory = keystonemiddleware.auth_token:filter_factory
  oslo_config_project = aodh

With this, the keystonemiddleware will automatically load
the configuration of the project aodh with a local oslo.config object
instead of the global one.

This allows applications to not rely on the global oslo.config object
and continue to use paste and keystonemiddleware.

Closes-bug: #1482078
Related-bug: #1406218
Change-Id: I48c3d6a6a5486c9c035a15a75c025be7f5abaab4
2015-08-21 15:59:10 +02:00
Mitsuhiro SHIGEMATSU abcdbb3afe Fix typos in keystonemiddleware
there were a few instances of 'memcache' instead of
'memcached'

Change-Id: I721ae76881ba566fa891a1655443149ea0ae0c8c
2015-04-05 16:12:43 +00:00
Alistair Coles c682b07a4f Delay denial when service token is invalid
This patch modifies AuthProtocol to defer authentication
to a downstream service if an invalid service token is found
and delay_auth_decision is True. This makes the behavior for
an invalid service token similar to that for an invalid user
token.

This is required by Swift because multiple auth middlewares
may co-exist, and auth_token will currently deny a request
on detecting an invalid service token when that service token
is in fact intended to be validated by another downstream auth
middleware. This is precisely the configuration used in
devstack which configures both authtoken and tempauth in
the Swift proxy pipeline [1].

Swift support for service tokens is currently in review [2]
and functional tests will not pass using devstack without the
change proposed here.

[1] https://github.com/openstack-dev/devstack/blob/master/lib/swift#L396
[2] change I6072b4efb3a479a8e0cc2d9c11ffda5764b55e30

DocImpact
SecurityImpact
Closes-Bug: #1422389

Change-Id: Ic9402ef35ce3dd7c905d868a9eff7db5f3a4a40b
2015-03-06 05:20:56 +00:00
Rodrigo Duarte Sousa c00c98209d Adds Memcached dependencies doc
Since Memcached is not used by the majority of deployments, its
dependencies are not included by default in the requirements.txt
file. This patch adds the documentation about the need to
manually install those dependencies.

Change-Id: Ic6252b1e00168fa2236f8a892212084da6cfdd64
Closes-Bug: 1392264
2014-12-17 21:32:04 -03:00
Jamie Lennox 3b5c93f864 Revert "Support service user and project in non-default domain"
This case can be handled by default/design by using a v3 authentication
plugin. The values also don't make sense for v2 authentication.

Having them here means extra values to support in the default case.

There has not been a release with this patch.

This reverts commit bb00caf15b.
Related-bug: #1372142

Change-Id: I690f39284010906a0171178511729749ccc566b8
2014-10-20 10:58:38 +02:00
Steve Martinelli 66ba3bd802 Clean up the middleware docs
Used code blocks when possible, and a minimal amount of
highlighting keywords.

Change-Id: Ie1dad50cc44afc6ce841e87f2ee9de3149e72117
2014-10-02 12:46:56 -04:00
Brant Knudson bb00caf15b Support service user and project in non-default domain
The domain for the service user and project couldn't be configured,
so the auth_token middleware always used the v2 API and the default
domain. With this change, the deployer can configure the domain for
the service user and project and the auth_token middleware will then
use the v3 API to get the service token.

DocImpact
Closes-Bug: #1372142

Change-Id: I4f65adb523a591816a6cd807070d92ce6e414a1b
2014-09-22 15:09:43 -05:00
Morgan Fainberg 07a6d14919 Correct Doc location and update for middleware only
Correct the location of the documents and only publish middleware
documentation.
2014-06-19 21:37:46 -07:00