Commit Graph

54 Commits

Author SHA1 Message Date
Zuul 9ade074c9b Merge "External OAuth2.0 Authorization Server Support" 2023-11-07 16:46:40 +00:00
Zuul e49893e598 Merge "External OAuth2.0 Authorization Server Support" 2023-09-13 18:32:57 +00:00
Yusuke Niimi 53b4cb21ad External OAuth2.0 Authorization Server Support
Added the ability to authenticate using a system-scoped token and the
ability to authenticate using a cached token to the
external_oauth2_token filter.

Implements: blueprint enhance-oauth2-interoperability
Change-Id: I1fb4921faaafd5288d5909762ff5553e5e2475dc
2023-09-07 09:43:14 +00:00
sunyonggen de15a610e1 External OAuth2.0 Authorization Server Support
The external_oauth2_token filter has been added for accepting or denying
incoming requests containing OAuth 2.0 access tokens that are obtained
from an External Authentication Server.

Depends-On: https://review.opendev.org/c/openstack/keystoneauth/+/860614
Implements: blueprint enhance-oauth2-interoperability
Change-Id: I529c5b0c89933395b126e86651ef09368dd7e6b4
2023-08-30 13:30:32 +00:00
Sahid Orentino Ferdjaoui 70337682d9 auth_token: fix issue when data in cache gets corrupted
Previously the token cache was not correctly handling the case where data
in memcached is un-decryptable.
The cache process was returning a null value that was not considered,
resulting in a Python exception being raised.

The commit fixes the issue by adding a condition to validate the value
returned.

Closes-bug: #2023015
Change-Id: Ic48d20569980781febc194083651736bed446953
Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@industrialdiscipline.com>
2023-08-14 14:42:50 +00:00
sunyonggen a59020fdab OAuth 2.0 Mutual-TLS Support
The oauth2_mtls_token filter has been added for accepting or denying
incoming requests containing OAuth 2.0 certificate-bound access
tokens that are obtained from keystone identity server by users
through their OAuth 2.0 credentials and Mutual-TLS certificates.

Co-Authored-By: Hiromu Asahina <hiromu.asahina.az@hco.ntt.co.jp>
Depends-On: https://review.opendev.org/c/openstack/keystoneauth/+/860614
Change-Id: I49127d845954ad6eab39e6e6305948ef0e4ed7b5
Implements: blueprint support-oauth2-mtls
2023-03-03 11:28:01 +09:00
Yi Feng f7ac6a1b24 OAuth2.0 Client Credentials Grant Flow Support
The oauth2_token filter has been added for accepting or denying
incoming requests containing OAuth2.0 client credentials access tokens
that are obtained from keystone identity server by users through their
application credentials.

Change-Id: I15e438681749ed2c2666804a9efd8d4712a7b01c
2022-08-23 09:39:18 +00:00
Takashi Kajinami 9e827f7781 Update python testing as per zed cycle testing runtime
In the Zed cycle, we have dropped the python 3.6/3.7[1] testing
and its support. Add release notes and update the python
classifier for the same.

[1] https://governance.openstack.org/tc/reference/runtimes/zed.html

Co-Authored-By: Ghanshyam Mann <gmann@ghanshyammann.com>
Change-Id: I0b6a6b22ce7e9e2de4cf7eadd87699d7b26cdda6
2022-05-27 16:20:15 +00:00
Michal Arbet 788d3c4969 Switch to eventlet-safe oslo.cache's MemcacheClientPool
In past days there were discussions about various issues
with memcached connections [1][2][3].

After investigation it looks like the common root cause for the above
problems is keystonemiddleware. More precisely, the way
keystonemiddleware is caching tokens.

Currently it's using a home-made CachePool with direct
usage of the memcached library; moreover, it looks like its
approach is not eventlet-safe.
The discussion can mainly be found in [4].

Fortunately keystonemiddleware can use an "advanced cache pool",
which is oslo.cache's implementation and was added a long time ago [5],
but it is turned on only if memcache_use_advanced_pool=True.

This patch switches to the more elaborate oslo.cache CachePool
and adds a deprecation warning about the eventlet-unsafe variant
of keystonemiddleware's memcache pool.

How to reproduce?

with memcache_use_advanced_pool=False

1. Build clean ENV of openstack
2. Deploy core projects (keystone,glance,nova,placement...)
3. Run while true; do COMMAND FOR SERVICE; done
   - several bashes, in parallel (5-7)

COMMAND FOR SERVICE:
- openstack network list
- openstack volume list
- openstack server list
- openstack image list

4. Check memcached connections (which will grow up):
    - ss | grep 11211 | wc -l   every second

How to fix and test it?

Repeat above, to fix:
 - with memcache_use_advanced_pool=True
   OR
 - apply this patch

Compare measurements in graph.

[1] https://bugs.launchpad.net/keystonemiddleware/+bug/1892852
[2] https://bugs.launchpad.net/oslo.cache/+bug/1888394
[3] https://bugs.launchpad.net/keystonemiddleware/+bug/1883659

[4] https://review.opendev.org/c/openstack/oslo.cache/+/742193

[5] https://review.opendev.org/c/openstack/keystonemiddleware/+/268664

Closes-Bug: #1883659
Closes-Bug: #1892852
Closes-Bug: #1888394

Change-Id: I0e96334b65a0bf369ebf1d88651d13feb8d2ecac
2021-02-11 14:36:25 +00:00
Zuul 654d31a1bd Merge "Change the default Identity endpoint to internal" 2020-07-06 10:43:56 +00:00
Jens Harbott 8f9a596fff Change the default Identity endpoint to internal
In [0] the ``interface`` option was added in order to allow the Identity
endpoint that is being used when validating tokens to be
configured by the deployer. Change the default to using the internal
endpoint, as that should be what most deployments will end up using.

[0] https://review.opendev.org/651790

Depends-On: https://review.opendev.org/651492
Closes-Bug: 1830002
Change-Id: I0ce8b6d8cd408c7fac8107972e7be70839e337fb
2020-06-14 16:20:05 +00:00
Vishakha Agarwal bf39733017 [ussuri][goal] Drop python 2.7 support and testing
OpenStack is dropping the py2.7 support in ussuri cycle.

keystonemiddleware is ready for python 3 and it is OK to drop the
python 2.7 support.

Complete discussion & schedule can be found in
- http://lists.openstack.org/pipermail/openstack-discuss/2019-October/010142.html
- https://etherpad.openstack.org/p/drop-python2-support

Ussuri Community-wide goal:
https://governance.openstack.org/tc/goals/selected/ussuri/drop-py27.html

Change-Id: Ia6f0e14efd19b0b98227258e7264b4850a197f4f
2020-01-07 09:31:56 -05:00
Zuul 97350d16b1 Merge "Change ec2 URLs to v3" 2019-12-03 07:54:19 +00:00
Gage Hugo 09a33cce89 Change ec2 URLs to v3
This change modifies any URLs specifying v2.0 to v3. This is part
of the effort to remove v2.0 functionality from keystonemiddleware.

Change-Id: I9cde8963333ea95b4ab05d9aea4d196ab4357763
Partial-Bug: #1829453
Partial-Bug: #1845539
2019-11-29 04:20:14 +00:00
Gage Hugo a6a3edb80e Remove v2.0 functionality
This change removes v2.0 functionality from
keystonemiddleware, as well as associated tests.

Partial-Bug: #1845539
Partial-Bug: #1777177

Change-Id: If47e90085d8a59c52fb23876dc329cd4f0b05ef0
2019-11-27 10:52:23 -06:00
Colleen Murphy 5f093bf5ee Add validation of app cred access rules
This commit adds a validation step in the auth_token middleware to check
for the presence of an access_rules attribute in an application
credential token and to validate the request against the permissions
granted for that token. During token validation it sends a header to
keystone to indicate that it is capable of validating these access
rules, and not providing this header for a token like this would result
in the token failing validation. This disregards access rules for a
service request made by a service on behalf of a user, such as nova
making a request to glance, because such a request is not under the
control of the user and is not expected to be explicitly allowed in the
access rules.

bp whitelist-extension-for-app-creds

Depends-On: https://review.opendev.org/670377

Change-Id: I185e0541d5df538d74edadf9976b3034a2470c88
2019-07-15 16:05:59 -07:00
Morgan Fainberg b3e84aafc0 Remove PKI/PKIZ support
Keystone server no longer supports PKI/PKIZ. This change removes
keystonemiddleware's support of PKI/PKIZ and associated code.

Change-Id: I9a6639a2aa3774be61972d57f38220f66fd5c0e8
closes-bug: #1649735
partial-bug: #1736985
2019-06-19 12:16:47 -07:00
Jens Harbott f6037a3d50 Add a new option to choose the Identity endpoint
Previously the admin Identity endpoint was hardcoded to be used. Now
that keystone has dropped v2 support, deploying an admin Identity
endpoint is no longer useful, so allow this to be changed by the
deployer. Keep the default as using the `admin` endpoint, but create
a deprecation message so that we can change the default in the future.

Partial-Bug: 1830002
Change-Id: I993a45ccb1109d67e65bf32d1e134cc9bec2d88e
2019-06-03 10:34:25 +00:00
Lance Bragstad 1360bab808 trivial: fix convention in release note
Change-Id: I189738bb844828765bd95d8302a7654a12863a00
2019-02-12 18:31:16 +00:00
Yang Youseok 4e51cb8e6b Add auth invalidation in auth_token for identity endpoint update
Currently the auth_token middleware does not take identity endpoint
updates into account, since the service catalog is not updated after a
service using the auth_token middleware has started.

Add invalidation logic when an EndpointNotfound exception occurs so
that the auth_token middleware can be notified of a service catalog update
without a restart.

Change-Id: I631ee1538883d732fe3987b172d987f703dad5c0
Closes-Bug: #1813739
2019-02-07 12:14:51 +09:00
Leehom Li (feli5) 82707e15a5 Make sure audit middleware uses its own context
Keystone audit middleware requires iterating req.context as a dict,
but Glance requires access to req.context.read_only.
When Glance enables audit, they conflict with each other.
This patch fixes this issue by storing the audit context in
req.environ['audit.context']

Change-Id: Ib9a62a4cd0b7b9ffb9fa2d6440e8072d45ee0fee
Closes-Bug: #1809101
Signed-off-by: Leehom Li <feli5@cisco.com>
2018-12-24 02:02:17 +00:00
Artem Vasilyev f2f5820c5f Added request_id and global_request_id to CADF notifications
Change-Id: I8d571d3414071c68b4fa565dec46cc2d2941331c
Closes-Bug: #1803940
2018-11-19 11:49:24 +03:00
Zuul 899aa07a64 Merge "Stop supporting revocation list" 2018-11-07 10:09:35 +00:00
Morgan Fainberg 7e1b536259 Stop supporting revocation list
With keystone's move to eliminating pki, pkiz, and uuid tokens the
revocation list is no longer generated. Keystonemiddleware no longer
needs to attempt to retrieve it and reference it.

Change-Id: Ief3bf1941e62f9136dbed11877bca81c4102041b
closes-bug: #1361743
partial-bug: #1649735
partial-bug: #1736985
2018-10-30 19:36:51 +00:00
Michael Johnson 782729b6e9 Fix audit target service selection
The keystonemiddleware audit code would select the wrong OpenStack service
endpoint for a request if the cloud is not using unique TCP ports for each
service endpoint. As most services are no longer using a port per service,
but instead using unique paths, this caused the audit to select the wrong
target service. This leads to incorrect audit logging due to the wrong
audit map being used.

This patch checks the request to see if a TCP port was present in the request,
and if not, falls back to using the target_endpoint_type configured in the
audit map file.

Change-Id: Ie2e0bf74ecca485d599a4041bb770bd6e296bc99
Closes-bug: 1797584
2018-10-29 11:08:34 -07:00
Guang Yee 6779838a24 Skip the services with no endpoints when parsing service catalog
When parsing the service catalog to find the source, audit middleware
should skip over the services which have no endpoints instead of
assuming they will have at least one endpoint.

Change-Id: I287873e99338d95baaf20d52ecb3a43763a401fc
Closes-Bug: #1800017
2018-10-26 08:13:39 -07:00
Tim Burke da5932affc Respect delay_auth_decision when Keystone is unavailable
The delay_auth_decision option has two main uses:

  1. Allow a service to provide its own auth mechanism, separate from
     auth tokens (like Swift's tempurl middleware).
  2. Allow a service to integrate with multiple auth middlewares which
     may want to use the same X-Auth-Token header.

The first case works fine even when the service has trouble talking to
Keystone -- the client doesn't send an X-Auth-Token header, so we never
even attempt to contact Keystone.

The second case can be problematic, however. The client will provide
some token, and we don't know whether it's valid for Keystone, the other
auth system, or neither. We have to *try* contacting Keystone, but if
that was down we'd previously return a 503 without ever trying the other
auth system. As a result, a Keystone failure results in a total system
failure.

Now, when delay_auth_decision is True and we cannot determine whether a
token is valid or invalid, we'll instead declare the token invalid and
defer the rejection. As a result, Keystone failures only affect Keystone
users, and tokens issued by the other auth system may still be validated
and used.

Change-Id: Ie4b3319862ba7fbd329dc6883ce837e894d5270c
2018-09-11 07:54:43 -06:00
wangxiyuan 4fb7fef1ea No need to compare CONF content
When setting up the AuthProtocol class, if the CONF object contains
deprecated options, an error "dictionary changed size during
iteration" will be raised when comparing the CONF content.

Changing "!=" to "is not" here to avoid comparing the CONF
content anymore.

Change-Id: I820aa244160db4f81149d2576386c86b46de0084
Closes-bug: #1789351
2018-09-07 10:38:14 +08:00
Morgan Fainberg c46f29278d Fix KeystoneMiddleware memcachepool abstraction
Keystonemiddleware's abstraction for the memcache pool was broken
when converting to use a queue.Queue. The logic that placed the
connection back into the pool was moved to .acquire and the reserve
method was not using acquire.

Change-Id: I0eda5981cbb661f63790258cf8e70c7340615159
Closes-Bug: #1782404
2018-07-18 11:56:43 -07:00
Lance Bragstad 245c91f2e3 Introduce new header for system-scoped tokens
Keystonemiddleware attempts to parse user/service tokens and populate
request headers for other services to consume. This information is
important for services looking to build oslo.context objects from
request environments.

Change-Id: I0717c2a5207a647999b4f9bcdf11f728984f0812
Closes-Bug: 1766731
2018-05-02 19:15:16 +00:00
wangxiyuan a78a25ea23 Double quote www_authenticate_uri
Based on the RFCs[1], in an HTTP header, a string of text is parsed
as a single value if it is quoted using double-quote marks.

This patch changes the single quotes to double quotes in the header
"WWW-Authenticate" which is returned when a 401 error is raised.

[1]: https://tools.ietf.org/html/rfc7230#section-3.2.6
     https://tools.ietf.org/html/rfc7235#section-2.1

Change-Id: I524c93d30607ea6ab70de92ceea207ee77f34c25
Closes-bug: #1762362
2018-04-12 12:05:38 +08:00
Zuul 0b02fe90c6 Merge "Remove kwargs_to_fetch_token" 2018-04-04 19:05:55 +00:00
wangxiyuan 8e9255d56d Remove kwargs_to_fetch_token
kwargs_to_fetch_token was deprecated and should be
removed in Rocky now.

Change-Id: Ic247efb84c5133449ead6a9864bbd7748e5e74bd
2018-02-22 02:19:06 +00:00
Zuul 2a6a905949 Merge "Identify the keystone service when raising 503" 2018-02-20 19:13:08 +00:00
Chris Dent d3352ff422 Identify the keystone service when raising 503
When keystonemiddleware is used directly in the WSGI stack of an
application, the 503 that is raised when the keystone service errors
or cannot be reached needs to identify that keystone is the service
that has failed; otherwise it appears to the client that the service
they are trying to access is down, which is misleading.

This addresses the problem in the most straightforward way possible:
the exception that causes the 503 is given a message including the
word "Keystone".

The call method in BaseAuthTokenTestCase gains an
expected_body_string kwarg. If not None, the response body (as
a six.text_type) is compared with the value.

Change-Id: Idf211e7bc99139744af232f5ea3ecb4be41551ca
Closes-Bug: #1747655
Closes-Bug: #1749797
2018-02-20 17:32:41 +01:00
Stefan Nica e83bd0bc3c Add option to disable using oslo_message notifier
Add a configuration option, 'use_oslo_messaging', to indicate whether
to use oslo_messaging notifier. It is set to true for backwards
compatibility.
We can't use audit middleware with services like Swift, which have no
dependency on Oslo and do not work well with oslo_log. Swift uses rsyslog.
Currently, audit middleware indiscriminately chooses oslo_messaging if the
package is installed. This is problematic if the Swift proxy is on the same
controller as any service which consumes oslo_messaging. With this new option,
Swift can now safely consume audit middleware by electing to use the local
log notifier instead of oslo_messaging.

Change-Id: I87bf857c20e4b78e97d40dcc51a1b4ff0014abb2
Closes-Bug: #1695038
2018-02-20 11:26:22 +01:00
Mehdi Abaakouk 4531809d60 cfg.CONF must not be used directly
cfg.CONF must not be used directly; Config().oslo_conf_obj must be used
instead.

Closes-bug: #1737119

Change-Id: I58ec9e25c7f04a8352535d8861e09c7e4c4c0a9d
2017-12-20 15:07:57 +00:00
Mehdi Abaakouk a08bc44e04 rel-note and doc for lazy loading of oslo_cache
In continuation of I00e953abb3e835a94353fe458100c96e8e9c095a,
this change adds the release note and documentation.

Related-bug #1737115

Change-Id: I456239842d139074cc38cfd620bb88561bb4d0d7
2017-12-13 11:57:54 +01:00
Colleen Murphy 409b482253 Rename auth_uri to www_authenticate_uri
The [keystone_authtoken]/auth_uri middleware parameter has been causing
extreme confusion amongst operators and developers ever since the
keystonemiddleware started accepting keystoneauth plugin parameters
including auth_url. The two parameters look identical and yet have
completely different meanings and are both required. This patch
deprecates auth_uri and renames it to www_authenticate_uri, which more
accurately describes the WWW-Authenticate header it is configuring and
is dissimilar to any other keystone_authtoken middleware parameter. This
also renames the internal variable names for consistency with the config
option.

Change-Id: I0cf11da3d395749df28077427689fdafc8a6b981
2017-10-11 14:00:49 +02:00
Tin Lam e23cb36ac0 Replace pycrypto with cryptography
The pycrypto library is unmaintained, and keystonemiddleware currently
uses pycrypto to encrypt and decrypt things before caching them.
This patch set removes the pycrypto dependency and updates the code
to use the cryptography library.  See [1].  Replacing the cryptographic
library is backward compatible.  See [2].

[1] http://lists.openstack.org/pipermail/openstack-dev/2017-March/113568.html
[2] http://paste.openstack.org/show/610186/

Change-Id: Iced7f5115e49ccf4f7f5bf6813cb5988b95c248b
Closes-Bug: #1677308
2017-05-22 16:52:37 -05:00
Jamie Lennox 4c6282ff70 Pass ?allow_expired
When a service token is present we should bypass the expiry checks and
pass the allow_expired flag to the server. This will let the server
return expired tokens.

This has a very basic policy enforcement that is not backwards
compatible with the current (sensible) default. We will need to discuss
how we can make this work.

Implements bp: allow-expired
Change-Id: If3583ac08e33380f1c52ad50d7d5c74194393480
2016-12-15 16:15:35 +00:00
Steve Martinelli ef29dfce89 Use extras for oslo.messaging dependency
Install the oslo.messaging optional dependency by doing:

  keystonemiddleware[audit_notifications]

pbr documentation:

  http://docs.openstack.org/developer/pbr/#environment-markers

Partial-Bug: 1540115

Change-Id: I59eea1f7eb0e770ac4fe30211eff49ae76fb2550
2016-06-28 23:56:47 +00:00
guang-yee 8859345f3b use local config options if available in audit middleware
Some services such as Swift do not use the Oslo (global) config. In that
case, make sure we can pass the options via local config instead. This is
consistent with how the auth_token middleware handles global and local
config options.

Change-Id: Ica7f1a4de2676549b2b65cca0181f2a911156ee6
Closes-Bug: 1583702
2016-06-24 13:47:16 +00:00
bhagyashris adb59a79e9 Fix typo 'olso' to 'oslo'
TrivialFix

Change-Id: I644bc36e3bf804c7546034ec8788671bd7cd01e6
2016-06-23 12:45:42 +05:30
Jamie Lennox 0562670d4e Pass X_IS_ADMIN_PROJECT header from auth_token
To do policy enforcement around admin projects we need for auth_token
middleware to pass this information down to context objects.

Closes-Bug: #1577996
Change-Id: Ic680e6eaa683926914cf4b2152ec3bb67c6601ff
2016-06-21 12:09:12 +10:00
Guang Yee d8cb5a3e93 Make sure audit can handle API requests which do not require a token
Some service APIs, such as Swift's list public containers, do not require
a token. Therefore, there will be no identity or service catalog information
available. In these cases, audit should fill in the default
(i.e. taxonomy.UNKNOWN) for both initiator and target instead of raising an
exception.

Change-Id: I3f3c12d5e8c0fa176fb7f0218c368971e0a9d0b5
Closes-Bug: 1583699
2016-05-31 00:16:35 +00:00
guang-yee 619dbf3786 Determine project name from oslo_config or local config
For services such as Swift, which may not be utilizing oslo_config, we need
to be able to determine the project name from local config. If the project name
is specified in both local config and oslo_config, the one in local config will
be used instead.

In case the project is undetermined (i.e. not set), we use taxonomy.UNKNOWN
as an indicator so operators can take corrective actions.

Change-Id: Ia95cbc9974d0c39c6b77d966cffdef2885350d77
Closes-Bug: 1583690
2016-05-24 16:41:23 -07:00
Arun Kant c813c35214 Adding audit middleware specific notification driver conf
Now the oslo messaging notifier can use driver information from the audit
middleware specific conf section. This allows audit to have different
driver and transport usage from the existing standard oslo messaging
configuration. If the audit middleware section is not defined, then the existing
logic is used, which identifies the driver from the shared common oslo messaging
notification conf section.

Adjusted code and tests to the recent oslo messaging notifier topic to
topics arg change, and to the recent request.context change.

Change-Id: Ia9ce654d3903efd0fd7893347e44ee27a765c745
Closes-Bug: 1544840
2016-05-13 11:24:03 -07:00
Brant Knudson 8dee7458e3 s3token config with auth URI
s3token middleware only allows configuring host and port for the
auth URI. This doesn't allow the auth server to be on a path.

A new auth_uri config option is added that allows the deployer to
specify the full URL for auth. This overrides auth_host, auth_port,
and auth_protocol. auth_host, auth_port, and auth_protocol are
deprecated.

DocImpact

Change-Id: I1fe13f0365ca4704717fe680a0c8f54c64a9f06c
2016-05-03 16:31:17 -05:00
Chris Dent dc22e9fd30 Remove clobbering of passed oslo_config_config
Calling a ConfigOpts instance with new args will implicitly reset
the config values in the instance. This means that in the previous
revision of the code, any assignment of oslo_config_config to
self._local_oslo_config would be instantly clobbered by calling
self._local_oslo_config() to read from default_config_files.

Now, if oslo_config_config is set to a non-None value it will be
left unmolested. This is useful because oslo_config_config turns out
to be the ideal way to pass config to AuthProtocol when the caller
already has access to the project config object and neither global
conf nor paste is being used.

Change-Id: I0beb809bc5ace609561f10dc52800a8a6e03f7e6
Closes-Bug: #1540022
2016-02-06 13:21:56 +00:00