11446 Commits

Author SHA1 Message Date
OpenDev Sysadmins 29140ea2c3 OpenDev Migration Patch
This commit was bulk generated and pushed by the OpenDev sysadmins
as a part of the Git hosting and code review systems migration
detailed in these mailing list posts:

http://lists.openstack.org/pipermail/openstack-discuss/2019-March/003603.html
http://lists.openstack.org/pipermail/openstack-discuss/2019-April/004920.html

Attempts have been made to correct repository namespaces and
hostnames based on simple pattern matching, but it's possible some
were updated incorrectly or missed entirely. Please reach out to us
via the contact information listed at https://opendev.org/ with any
questions you may have.
2019-04-19 19:40:52 +00:00
Jenkins 439872bc19 Merge "fix identity:get_identity_providers typo" into stable/ocata 2017-07-21 00:12:50 +00:00
Matthew Edmonds 6c96675d63 fix identity:get_identity_providers typo
Changes identity:get_identity_providers policy rule to
identity:get_identity_provider to match what is checked by the code.

Conflicts:
  keystone/common/policies/identity_provider.py

There was a conflict backporting this change since the policy-in-code
work is new in Pike. The conflict was resolved by removing the
policy-in-code change and making it manually against the old
etc/policy.json file.

Change-Id: I0841abd30fd15c034b5836e42a18938634b509b1
Closes-Bug: #1703369
(cherry picked from commit b7119637a0)
2017-07-20 18:20:36 +00:00
Jenkins fa76aa5f5d Merge "Stop reading local config dirs for domain-specific file config driver" into stable/ocata 2017-07-20 17:42:26 +00:00
Jenkins 18711961af Merge "Fixing flushing tokens workflow" into stable/ocata 2017-07-14 22:44:06 +00:00
Lance Bragstad b0414f4fe4 Add a release note for bug 1687593
A fix was merged for bug 1687593 but we forgot to add a release note.

Change-Id: Ib8571d155ca526b0b4fb536ceff7c3b5752281c6
(cherry picked from commit 5303ef6e88)
2017-07-13 22:45:46 +00:00
Hemanth Nakkina 215788d26d Change url scheme passed to oauth signature verifier
Change 461736 modifies the url passed to oauth signature verifier to
request url. But in some deployments, https endpoints are terminated
at haproxy and http request is sent to keystone. So request url will
have http as url scheme whereas the endpoint is registered with https
and signature at client is done with https url. This results in OAUTH
signature validation failure.

Update URL sent for OAUTH signature verification with the scheme of
the base url.

Change-Id: Iaba285985b616a35e3dfe33cdd45667174e7c69d
Partial-Bug: #1687593
(cherry picked from commit b7aece57d2)
2017-07-13 22:10:13 +00:00
Hemanth Nakkina 59e4b4923f Change url passed to oauth signature verifier to request url
OAUTH signature verification should happen with the same URL used for signing.
Typically at the user end it should be signed with the request URL and hence it
should be verified with the same.
Currently keystone uses public endpoint URL for signature verification.

Modified the URL passed to oauth signature verification to request URL.

Change-Id: I28059a43cb0088c2952c19f696042ebec54d26c9
Partial-Bug: #1687593
(cherry picked from commit 926685c5a4)
2017-07-13 22:10:09 +00:00
Thomas Bechtold 64e28ecba3 Stop reading local config dirs for domain-specific file config driver
When a file-config-based domain-specific backend was loaded the
local config files from /etc/keystone/keystone.conf.d/ were also read. The
local config dir should not be used in this case.

Change-Id: Ib576c8f12a7cc4272e07bb057bf028d69649b65d
Related-Bug: #1489118
(cherry picked from commit 5e8e71fb16)
2017-07-13 11:37:37 +00:00
Raildo Mascena 83fccfaf8d Fixing flushing tokens workflow
During a backport patch [0] for this fix,
some problems were found in the previous
approach, e.g. it didn't enable back the
session.autocommit. Another comment was that we should
create a new session and commit on it instead of
disabling/enabling autocommit.

After this, we should backport this change in order
to fix the previous releases, instead of the other
one.

[0] https://review.openstack.org/#/c/469514

Change-Id: Ifc024ba0e86bb71f4ab8b019917782bc5bf3be7a
Closes-Bug: #1649616
(cherry picked from commit 0b5c5c03ec)
2017-07-11 15:28:06 +00:00
Jenkins 76bdca6498 Merge "Make flushing tokens more robust" into stable/ocata 2017-06-23 04:37:12 +00:00
prashkre 2fdf89554f Handle group NotFound in effective assignment list
When keystone is using an external identity backend such as LDAP for
storing users and groups, but storing role assignments in the local db,
and a group that has role assignments is deleted out-of-band, its
assignments will still exist in the keystone database. If, after this,
a user attempts to list effective role assignments, keystone will try
to lookup the group and fail with NotFound.

This catches the NotFound exception of the list_users_in_group call and
returns an empty user list so that the effective assignments list does
not fail.

Closes-Bug: 1693510
Change-Id: Ie5f69b150d59287bd0bc68f1ce9eecfeab04c91a
(cherry picked from commit d09c337619)
2017-05-31 12:23:02 +05:30
Peter Sabaini 6074166b29 Make flushing tokens more robust
Commit token flushes between batches in order to lower resource
consumption and make flushing more robust for replication

Change-Id: I9be37e420353a336a8acd820eadd47d4bcf7324f
Closes-Bug: #1649616
(cherry picked from commit dc7f810831)
2017-05-30 11:58:30 +00:00
OpenStack Proposal Bot 736149c0cd Updated from global requirements
Change-Id: I555be48088491822f90f7f8075033d7d7e6f004b
2017-05-22 19:57:28 +00:00
Kristi Nikolla e1ee00f1df Handle NotFound when listing role assignments for deleted users
Keystone can use an external identity store for the users, and
store assignments for these users in the SQL database that it
manages. When a user has been deleted directly in the external
identity store, these assignments will persist. Therefore when
listing role assignments and asking for names to be included,
keystone will try to get information of the user and fail with
NotFound.

This catches the NotFound exception of the get_user and get_group
calls and fills the user values with an empty string.

Change-Id: Iec3e12f6cd1402e1e3f192b0ede5d608bd41ca1d
Closes-Bug: 1684820
(cherry picked from commit 0392b36a0d)
2017-05-17 04:22:53 +00:00
Boris Bobrov 955fd6ca37 Do not fetch group assignments without groups
Without the change, the method fetched all assignments for a project
or domain, regardless of who has the assignment, user or group. This
led to a situation where a federated user without groups could scope a token
with another user's rules.

Return empty list of assignments if no groups were passed.

Closes-Bug: 1677723
Change-Id: I65f5be915bef2f979e70b043bde27064e970349d
(cherry picked from commit 2139639eea)
2017-04-25 14:36:12 +00:00
OpenStack Proposal Bot 02951abcd5 Imported Translations from Zanata
For more information about this automatic import see:
http://docs.openstack.org/developer/i18n/reviewing-translation-import.html

Change-Id: Ie11a20939d5070d0bc7d218b3007a96a07fd23b7
2017-04-08 07:35:01 +00:00
prashkre c541e1ec5c Error messages are not translating with locale.
Fixed issue with translation of keystone error messages which
was not happening in case of any error messages from identity API
with locale being set.

Change-Id: Idc73e86647f2adce9e39387b0c3124431dcac255
Closes-Bug: #1674415
(cherry picked from commit 2126bd5765)
2017-03-26 17:53:50 +00:00
Jenkins 1e7e2188c4 Merge "Updated from global requirements" into stable/ocata 2017-03-22 16:55:27 +00:00
Jenkins efbb8b6a8e Merge "Update releasenotes bp link" into stable/ocata 2017-03-22 16:55:20 +00:00
Jenkins f10bcf0b58 Merge "Fix some typo in releasenotes" into stable/ocata 2017-03-22 16:35:36 +00:00
OpenStack Proposal Bot 244c4cf26f Updated from global requirements
Change-Id: I9a1fe87be95fdf22c21daa8ed19dbad512dcdb38
2017-03-09 18:15:03 +00:00
jolie aa27b04c40 Revise conf param in releasenotes
Change-Id: Idd0dfc7e15f86651b8771610fdcdbdb07849bb6e
(cherry picked from commit d339e97bb5)
2017-03-07 06:19:20 +00:00
jolie 33cceb42f3 Fix some typo in releasenotes
These changes have already merged in master branch. However, cherry
pick failed because of merge conflict. So submit these changes again
in stable/ocata branch to revise releasenotes.

Change-Id: I1faa518e071558011fd0e2ad3a685174be7627ba
2017-03-07 10:24:32 +08:00
Jenkins b4379f0c51 Merge "Removing group role assignments results in overly broad revocation events" into stable/ocata 2017-03-03 23:12:38 +00:00
Jenkins dfe4de3a10 Merge "Stop reading local config dirs for domain-specific SQL config driver" into stable/ocata 2017-03-03 23:11:39 +00:00
prashkre 9a4391c49a Removing group role assignments results in overly broad revocation events
When a role on a group scoped to a project/domain is revoked, it persists
a revocation event in the revoke_event table, which invalidates all tokens
created with the same role in the project/domain. Since token validation happens
by populating role assignments at validation time, persistence of
revocation events is no longer needed.

Change-Id: I112d5d4684f739d320606cea651e0a108f18d245
Closes-Bug: #1662514
(cherry picked from commit 2cb842cd64)
2017-03-03 03:38:17 +00:00
jolie d75fb65b0b Update releasenotes bp link
In Ocata Series Release Notes
<https://docs.openstack.org/releasenotes/keystone/ocata.html>,
the bp <shadow mapping> link is incorrect.

Change-Id: I2dd5f9f9513d8c4cb48ac833f0ebac4db68339b2
Clouse-Bug:#1668173
2017-03-01 08:04:39 +00:00
Matthew Edmonds 95160d1812 Fix MFA rule checks for LDAP auth
LDAP authentication was broken by the addition of MFA rule checking.
This patch fixes that.

Change-Id: I4efe4b1b90c93110509cd599f9dd047c313dade3
Closes-Bug: #1662762
(cherry picked from commit 4e0029455a)
2017-02-24 12:02:09 -05:00
Dirk Mueller 56f69b0477 Stop reading local config dirs for domain-specific SQL config driver
When an SQL-config-based domain-specific backend was loaded the
local config dir (/etc/keystone/keystone.conf.d) is also read. The
local config files should not be used in this case.

This is a followup fix for Idd095b2df375329f579c164d00dfd50b41b0e96d

Related-Bug: #1489118

Change-Id: I14008656a538ca7641aefffe08b9d1c23b7b87d2
(cherry picked from commit ab3bfaf90f)
2017-02-22 14:21:16 +01:00
OpenStack Release Bot defa49dcd3 Update UPPER_CONSTRAINTS_FILE for stable/ocata
Change-Id: Ie706d348c15f6ce641d1b969a82f80a312a5c1ca
2017-02-02 21:47:59 +00:00
OpenStack Release Bot 6b5067d96e Update .gitreview for stable/ocata
Change-Id: I01feb7b5dbdc132ea510cb489ecc14edd5e5a757
2017-02-02 21:47:58 +00:00
Jenkins 78adc33858 Merge "Prepare for using standard python tests" 2017-02-02 17:35:46 +00:00
Jenkins 1efe517bf6 Merge "Modify the spelling mistakes" 2017-02-02 17:33:33 +00:00
wanghongtaozz 9aa0f313d7 Modify the spelling mistakes
the "recieve" change to "receive".

Change-Id: I8d762243460d76750ab1df94f27b2c48d378928d
2017-02-02 14:23:21 +00:00
Andreas Jaeger 6603d40e0b Prepare for using standard python tests
Add simple script to setup mysql and postgresql databases, this script
can be run by users during testing and will be run by CI systems for
specific setup before running unit tests.

This allows to change in project-config the python-db jobs to
python-jobs since python-jobs will call this script initially.

Update README for this.

See also
http://lists.openstack.org/pipermail/openstack-dev/2016-November/107784.html

Needed-By: Ic42f8d5392ab1d9b52c6c84c92dee0092bd2779a
Change-Id: I253726467151622e8aa3ff40bacc0b3f9903b342
2017-02-02 12:13:12 +00:00
Jenkins 4c83fb0f13 Merge "Add MFA Rules Release Note" 2017-02-01 20:51:25 +00:00
Jenkins 8938ec4492 Merge "Remove de-dupe for MFA Rule parsing." 2017-02-01 20:51:18 +00:00
Jenkins 3ace96b96f Merge "Add validation that token method isn't needed in MFARules" 2017-02-01 20:16:21 +00:00
Jenkins 1c44a3a1af Merge "No need to enable infer_roles setting" 2017-02-01 16:36:51 +00:00
Jenkins 8dad51e903 Merge "Use https for docs.openstack.org references" 2017-02-01 16:36:44 +00:00
Jenkins 4869a403a7 Merge "Add comment to clarify resource-options jsonschema" 2017-02-01 13:54:23 +00:00
Jenkins 4181981459 Merge "update keystone.conf.sample for ocata-rc" 2017-02-01 08:25:38 +00:00
Jenkins fe04d283f2 Merge "Update PCI documenation" 2017-02-01 02:47:28 +00:00
Jenkins 52804d2d83 Merge "Add validation for mfa rule validator (storage)" 2017-02-01 02:43:00 +00:00
Jenkins 285d6e408a Merge "Cleanup TODO, AuthContext and AuthInfo to auth.core" 2017-02-01 02:42:53 +00:00
Jenkins 4175529274 Merge "Cleanup TODO about auth.controller code moved to core" 2017-02-01 02:41:46 +00:00
Jenkins e048d8895b Merge "Process and validate auth methods against MFA rules" 2017-02-01 02:34:24 +00:00
Jenkins 287984c90a Merge "Fix bad error message from FernetUtils" 2017-02-01 02:33:47 +00:00
Steve Martinelli 63ab7b8c75 update keystone.conf.sample for ocata-rc
Change-Id: Ic184d77df10bb0c335efddd92a1d35402c4bb7be
2017-01-31 14:10:01 -08:00