Commit Graph

99 Commits

Author SHA1 Message Date
OpenStack Release Bot b81c50fea9 reno: Update master for unmaintained/yoga
Update the yoga release notes configuration to build from
unmaintained/yoga.

Change-Id: I2ed11a848cce29e1d5142cac4359312d9fc03391
2024-02-06 15:50:41 +00:00
Zuul 9073ee4c34 Merge "Update master for stable/zed" 2023-11-21 12:09:26 +00:00
Zuul 4098a28c68 Merge "Update master for stable/2023.2" 2023-11-21 11:58:02 +00:00
OpenStack Release Bot f27c7be69a Update master for stable/zed
Add file to the reno documentation build to show release notes for
stable/zed.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/zed.

Sem-Ver: feature
Change-Id: Iae839fd30f40c83709b4f8c9fe3dc5bedb7bcb8a
2023-11-21 20:44:36 +09:00
Zuul 9ade074c9b Merge "External OAuth2.0 Authorization Server Support" 2023-11-07 16:46:40 +00:00
Zuul e49893e598 Merge "External OAuth2.0 Authorization Server Support" 2023-09-13 18:32:57 +00:00
OpenStack Release Bot 6f55af4dab Update master for stable/2023.2
Add file to the reno documentation build to show release notes for
stable/2023.2.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/2023.2.

Sem-Ver: feature
Change-Id: If95bbdba6a4302c8cad1e67e02e12e9fc9693396
2023-09-08 14:54:26 +00:00
Yusuke Niimi 53b4cb21ad External OAuth2.0 Authorization Server Support
Added the ability to authenticate using a system-scoped token and the
ability to authenticate using a cached token to the
external_oauth2_token filter.

Implements: blueprint enhance-oauth2-interoperability
Change-Id: I1fb4921faaafd5288d5909762ff5553e5e2475dc
2023-09-07 09:43:14 +00:00
sunyonggen de15a610e1 External OAuth2.0 Authorization Server Support
The external_oauth2_token filter has been added for accepting or denying
incoming requests containing OAuth 2.0 access tokens that are obtained
from an External Authentication Server.

Depends-On: https://review.opendev.org/c/openstack/keystoneauth/+/860614
Implements: blueprint enhance-oauth2-interoperability
Change-Id: I529c5b0c89933395b126e86651ef09368dd7e6b4
2023-08-30 13:30:32 +00:00
Sahid Orentino Ferdjaoui 70337682d9 auth_token: fix issue when data in cache gets corrupted
Previously token cache was not correctly handling the case when data
in memcached is un-decryptable.
The cache process was returning a null value that was not considered,
resulting in a Python exception being raised.

The commit fixes the issue by adding a condition to validate the value
returned.

Closes-bug: #2023015
Change-Id: Ic48d20569980781febc194083651736bed446953
Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@industrialdiscipline.com>
2023-08-14 14:42:50 +00:00
OpenStack Proposal Bot fe644edbc5 Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: I8016ba267c9c72132c49a07aa15f28d068ebebd1
2023-07-01 03:55:34 +00:00
Zuul 2ad28a3a14 Merge "Update master for stable/2023.1" 2023-05-26 15:01:29 +00:00
sunyonggen a59020fdab OAuth 2.0 Mutual-TLS Support
The oauth2_mtls_token filter has been added for accepting or denying
incoming requests containing OAuth 2.0 certificate-bound access
tokens that are obtained from keystone identity server by users
through their OAuth 2.0 credentials and Mutual-TLS certificates.

Co-Authored-By: Hiromu Asahina <hiromu.asahina.az@hco.ntt.co.jp>
Depends-On: https://review.opendev.org/c/openstack/keystoneauth/+/860614
Change-Id: I49127d845954ad6eab39e6e6305948ef0e4ed7b5
Implements: blueprint support-oauth2-mtls
2023-03-03 11:28:01 +09:00
OpenStack Release Bot 06bbdc8121 Update master for stable/2023.1
Add file to the reno documentation build to show release notes for
stable/2023.1.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/2023.1.

Sem-Ver: feature
Change-Id: I8f97f3d30dde94ad512f75e0e2ff0718021dfde6
2023-02-24 15:10:44 +00:00
OpenStack Proposal Bot d2a3b53276 Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: I402897d72b841518308321832e5e00312598d74f
2022-09-06 04:09:33 +00:00
Yi Feng f7ac6a1b24 OAuth2.0 Client Credentials Grant Flow Support
The oauth2_token filter has been added for accepting or denying
incoming requests containing OAuth2.0 client credentials access tokens
that are obtained from keystone identity server by users through their
application credentials.

Change-Id: I15e438681749ed2c2666804a9efd8d4712a7b01c
2022-08-23 09:39:18 +00:00
OpenStack Proposal Bot 2bda844bb2 Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: I071933cb8a392b14a36940133880d5e777301d1f
2022-06-21 03:11:44 +00:00
Takashi Kajinami 9e827f7781 Update python testing as per zed cycle testing runtime
In Zed cycle, we have dropped the python 3.6/3.7[1] testing
and its support. Add release notes and update the python
classifier for the same.

[1] https://governance.openstack.org/tc/reference/runtimes/zed.html

Co-Authored-By: Ghanshyam Mann <gmann@ghanshyammann.com>
Change-Id: I0b6a6b22ce7e9e2de4cf7eadd87699d7b26cdda6
2022-05-27 16:20:15 +00:00
OpenStack Release Bot c4b78c71e5 Update master for stable/yoga
Add file to the reno documentation build to show release notes for
stable/yoga.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/yoga.

Sem-Ver: feature
Change-Id: If921b464cca97f9f99a45594ab37aed00e91fe77
2022-03-04 17:16:52 +00:00
OpenStack Release Bot 8a05709d69 Update master for stable/xena
Add file to the reno documentation build to show release notes for
stable/xena.

Change-Id: Ib64b3684d3fdaa3b9edb28a9c5d0f8487dffd912
2022-02-08 18:22:02 +01:00
OpenStack Release Bot 7edcd32483 Update master for stable/wallaby
Add file to the reno documentation build to show release notes for
stable/wallaby.

Co-authored-by: Kristi Nikolla <knikolla@bu.edu>

Change-Id: Ifa326381f0c901e712367d4d51218aef18eb26f2
2022-02-07 12:40:46 -05:00
Zuul e18d213add Merge "Update master for stable/victoria" 2022-02-07 17:23:18 +00:00
OpenStack Release Bot 220914527f Update master for stable/victoria
Add file to the reno documentation build to show release notes for
stable/victoria.

Change-Id: Id05ff8460cfa4f1762f2d0096088bc341e95c1da
2022-02-07 16:33:09 +00:00
OpenStack Proposal Bot 90df936708 Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: Iaa7fbc7f8c6fdb33755d0d212dd4c710f40981c3
2021-03-03 07:00:01 +00:00
Michal Arbet 788d3c4969 Switch to eventlet-safe oslo.cache's MemcacheClientPool
In past days there were discussions about various issues
with memcached connections [1][2][3].

After investigation it looks like common root cause for above
problems is keystonemiddleware. More precisely said the way
how keystonemiddleware is caching tokens.

Currently it's using some home-made CachePool with direct
usage of memcached library, moreover it looks like its
approach is not eventlet-safe.
Discussion can be mainly found in [4].

Fortunately keystonemiddleware can use "advanced cache pool",
which is oslo.cache's implementation and was added long time ago [5],
but it is turned on only if memcache_use_advanced_pool=True.

This patch is switching to more elaborated oslo.cache CachePool
and adding deprecation warning about eventlet-unsafe variant
of keystonemiddleware's memcache pool.

How to reproduce ?

with memcache_use_advanced_pool=False

1. Build clean ENV of openstack
2. Deploy core projects (keystone,glance,nova,placement...)
3. Run while true; do COMMAND FOR SERVICE; done
   - several bashes, in parallel (5-7)

COMMAND FOR SERVICE:
- openstack network list
- openstack volume list
- openstack server list
- openstack image list

4. Check memcached connections (which will grow up):
    - ss | grep 11211 | wc -l   every second

How to fix and test it ?

Repeat above, to fix:
 - with memcache_use_advanced_pool=True
   OR
 - apply this patch

Compare measurements in graph.

[1] https://bugs.launchpad.net/keystonemiddleware/+bug/1892852
[2] https://bugs.launchpad.net/oslo.cache/+bug/1888394
[3] https://bugs.launchpad.net/keystonemiddleware/+bug/1883659

[4] https://review.opendev.org/c/openstack/oslo.cache/+/742193

[5] https://review.opendev.org/c/openstack/keystonemiddleware/+/268664

Closes-Bug: #1883659
Closes-Bug: #1892852
Closes-Bug: #1888394

Change-Id: I0e96334b65a0bf369ebf1d88651d13feb8d2ecac
2021-02-11 14:36:25 +00:00
Zuul 654d31a1bd Merge "Change the default Identity endpoint to internal" 2020-07-06 10:43:56 +00:00
OpenStack Proposal Bot 88ef8df023 Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: I03d472ad957308f098363b3377a8794e9e3d437a
2020-06-16 09:22:37 +00:00
Jens Harbott 8f9a596fff Change the default Identity endpoint to internal
In [0] the ``interface`` option was added in order to allow the Identity
endpoint that is being used when validating tokens to be
configured by the deployer. Change the default to using the internal
endpoint, as that should be what most deployments will end up using.

[0] https://review.opendev.org/651790

Depends-On: https://review.opendev.org/651492
Closes-Bug: 1830002
Change-Id: I0ce8b6d8cd408c7fac8107972e7be70839e337fb
2020-06-14 16:20:05 +00:00
Andreas Jaeger a9e9de2f21 Switch to newer openstackdocstheme and reno versions
Switch to openstackdocstheme 2.2.1 and reno 3.1.0 versions. Using
these versions will allow especially:
* Linking from HTML to PDF document
* parallelizing building of documents

Update Sphinx version as well.

Remove the doc requirements from lower-constraints, they are not
needed during installation.

openstackdocstheme renames some variables, so follow the renames. A
couple of variables are also not needed anymore, remove them.

Set openstackdocs_pdf_link to link to PDF file.

Change pygments_style to 'native' since old theme version always used
'native' and the theme now respects the setting and using 'sphinx' can
lead to some strange rendering.

See also
http://lists.openstack.org/pipermail/openstack-discuss/2020-May/014971.html

Change-Id: Ic7c901ff19aa073b6e003ccb95aaf77886f20152
2020-05-21 13:43:00 +00:00
OpenStack Release Bot 825f026448 Update master for stable/ussuri
Add file to the reno documentation build to show release notes for
stable/ussuri.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/ussuri.

Change-Id: Iedcc2750dc0bdfdabb9d03a0b153aeeae6c0b58e
Sem-Ver: feature
2020-04-02 14:23:24 +00:00
Vishakha Agarwal bf39733017 [ussuri][goal] Drop python 2.7 support and testing
OpenStack is dropping the py2.7 support in ussuri cycle.

keystonemiddleware is ready with python 3 and ok to drop the
python 2.7 support.

Complete discussion & schedule can be found in
- http://lists.openstack.org/pipermail/openstack-discuss/2019-October/010142.html
- https://etherpad.openstack.org/p/drop-python2-support

Ussuri Community-wide goal:
https://governance.openstack.org/tc/goals/selected/ussuri/drop-py27.html

Change-Id: Ia6f0e14efd19b0b98227258e7264b4850a197f4f
2020-01-07 09:31:56 -05:00
OpenStack Proposal Bot 62c3eaf093 Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: I4a5f9f48ae099291cf47f4d08c40535223761b1b
2019-12-22 07:08:56 +00:00
Zuul 7f006ec409 Merge "Update master for stable/train" 2019-12-10 19:48:49 +00:00
Zuul 97350d16b1 Merge "Change ec2 URLs to v3" 2019-12-03 07:54:19 +00:00
Gage Hugo 09a33cce89 Change ec2 URLs to v3
This change modifies any URLs specifying v2.0 to v3. This is part
of the effort to remove v2.0 functionality from keystonemiddleware.

Change-Id: I9cde8963333ea95b4ab05d9aea4d196ab4357763
Partial-Bug: #1829453
Partial-Bug: #1845539
2019-11-29 04:20:14 +00:00
Gage Hugo a6a3edb80e Remove v2.0 functionality
This change removes v2.0 functionality from
keystonemiddleware, as well as associated tests.

Partial-Bug: #1845539
Partial-Bug: #1777177

Change-Id: If47e90085d8a59c52fb23876dc329cd4f0b05ef0
2019-11-27 10:52:23 -06:00
OpenStack Release Bot fca18db585 Update master for stable/train
Add file to the reno documentation build to show release notes for
stable/train.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/train.

Change-Id: Id57d4939da1ea27351d5a5dc5542f24e0abea789
Sem-Ver: feature
2019-09-20 16:23:11 +00:00
pengyuesheng f7d8334829 Bump the openstackdocstheme extension to 1.20
Some options are now automatically configured by the version 1.20:
- project
- html_last_updated_fmt
- latex_engine
- latex_elements
- version
- release.

Change-Id: I161a3983e23b0ae50c232eb63ca78f8fd230e91e
2019-08-02 15:11:07 +08:00
Colleen Murphy 5f093bf5ee Add validation of app cred access rules
This commit adds a validation step in the auth_token middleware to check
for the presence of an access_rules attribute in an application
credential token and to validate the request against the permissions
granted for that token. During token validation it sends a header to
keystone to indicate that it is capable of validating these access
rules, and not providing this header for a token like this would result
in the token failing validation. This disregards access rules for a
service request made by a service on behalf of a user, such as nova
making a request to glance, because such a request is not under the
control of the user and is not expected to be explicitly allowed in the
access rules.

bp whitelist-extension-for-app-creds

Depends-On: https://review.opendev.org/670377

Change-Id: I185e0541d5df538d74edadf9976b3034a2470c88
2019-07-15 16:05:59 -07:00
Morgan Fainberg b3e84aafc0 Remove PKI/PKIZ support
Keystone server no longer supports PKI/PKIZ. This change removes
keystonemiddleware's support of PKI/PKIZ and associated code.

Change-Id: I9a6639a2aa3774be61972d57f38220f66fd5c0e8
closes-bug: #1649735
partial-bug: #1736985
2019-06-19 12:16:47 -07:00
Zuul 3e62d25dac Merge "Add a new option to choose the Identity endpoint" 2019-06-12 15:47:50 +00:00
Jens Harbott f6037a3d50 Add a new option to choose the Identity endpoint
Previously the admin Identity endpoint was hardcoded to be used. Now
that keystone has dropped v2 support, deploying an admin Identity
endpoint is no longer useful, so allow this to be changed by the
deployer. Keep the default as using the `admin` endpoint, but create
a deprecation message so that we can change the default in the future.

Partial-Bug: 1830002
Change-Id: I993a45ccb1109d67e65bf32d1e134cc9bec2d88e
2019-06-03 10:34:25 +00:00
OpenStack Release Bot c321f1ec51 Update master for stable/stein
Add file to the reno documentation build to show release notes for
stable/stein.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/stein.

Change-Id: Ieb590fa57bd3af81dbb39ac9de1d55e34de5cf22
Sem-Ver: feature
2019-03-18 14:39:58 +00:00
Lance Bragstad 1360bab808 trivial: fix convention in release note
Change-Id: I189738bb844828765bd95d8302a7654a12863a00
2019-02-12 18:31:16 +00:00
Yang Youseok 4e51cb8e6b Add auth invalidation in auth_token for identity endpoint update
Currently auth_token middleware does not concern identity endpoint
update since service catalog is not updated after service having
auth_token middleware started.

Add invalidation logic when EndpointNotfound exception occurs so
that auth_token middleware can be notified of service catalog update
without restart.

Change-Id: I631ee1538883d732fe3987b172d987f703dad5c0
Closes-Bug: #1813739
2019-02-07 12:14:51 +09:00
Leehom Li (feli5) 82707e15a5 Make sure audit middleware use own context
Keystone audit middleware requires to iterate req.context as dict,
but Glance requires to access req.context.read_only.
When glance enabled audit, they conflict with each other.
This patch fixes this issue by storing audit context in
req.environ['audit.context']

Change-Id: Ib9a62a4cd0b7b9ffb9fa2d6440e8072d45ee0fee
Closes-Bug: #1809101
Signed-off-by: Leehom Li <feli5@cisco.com>
2018-12-24 02:02:17 +00:00
Artem Vasilyev f2f5820c5f Added request_id and global_request_id to CADF notifications
Change-Id: I8d571d3414071c68b4fa565dec46cc2d2941331c
Closes-Bug: #1803940
2018-11-19 11:49:24 +03:00
Zuul 899aa07a64 Merge "Stop supporting revocation list" 2018-11-07 10:09:35 +00:00
Morgan Fainberg 7e1b536259 Stop supporting revocation list
With keystone's move to eliminating pki, pkiz, and uuid tokens the
revocation list is no longer generated. Keystonemiddleware no longer
needs to attempt to retrieve it and reference it.

Change-Id: Ief3bf1941e62f9136dbed11877bca81c4102041b
closes-bug: #1361743
partial-bug: #1649735
partial-bug: #1736985
2018-10-30 19:36:51 +00:00
Michael Johnson 782729b6e9 Fix audit target service selection
The keystonemiddleware audit code would select the wrong OpenStack service
endpoint for a request if the cloud is not using unique TCP ports for each
service endpoint. As most services are no longer using a port per service,
but instead using unique paths, this caused the audit to select the wrong
target service. This leads to incorrect audit logging due to the wrong
audit map being used.

This patch checks the request to see if a TCP port was present in the request,
and if not, falls back to using the target_endpoint_type configured in the
audit map file.

Change-Id: Ie2e0bf74ecca485d599a4041bb770bd6e296bc99
Closes-bug: 1797584
2018-10-29 11:08:34 -07:00