Changes identity:get_identity_providers policy rule to
identity:get_identity_provider to match what is checked by the code.
Conflicts:
keystone/common/policies/identity_provider.py
There was a conflict backporting this change since the policy-in-code
work is new in Pike. The conflict was resolved by removing the
policy-in-code change and making it manually against the old
etc/policy.json file.
Change-Id: I0841abd30fd15c034b5836e42a18938634b509b1
Closes-Bug: #1703369
(cherry picked from commit b7119637a0)
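
The commit above fixes a rule name in the policy file that differed from the name the code checks. The following added example, not keystone's own code, shows the kind of audit that catches such mismatches before they ship: it compares the rule names defined in a policy.json-style file with the set of names the code actually enforces and reports names that differ only slightly. The policy text and the enforced-name set are constructed samples; in practice the enforced names would be collected by grepping the code or instrumenting the policy enforcer.

```python
import difflib
import json
import re

# Constructed sample in the style of a policy.json file; the "get" rule name is
# misspelled relative to what the code checks (trailing "s").
POLICY_JSON = """{
    "admin_required": "role:admin",
    "identity:get_identity_providers": "rule:admin_required",
    "identity:list_identity_providers": "rule:admin_required",
    "identity:create_identity_provider": "rule:admin_required",
    "identity:delete_identity_provider": "rule:admin_required"
}"""

# Constructed: the rule names the service code actually passes to the policy
# enforcer (assumed to have been collected from the code base beforehand).
ENFORCED_RULES = {
    "identity:get_identity_provider",
    "identity:list_identity_providers",
    "identity:create_identity_provider",
    "identity:delete_identity_provider",
}


def audit_policy(policy_text, enforced_rules, cutoff=0.9):
    """Compare rule names defined in a policy file with those the code enforces.

    Returns a dict with:
      unused      - defined in the file but neither enforced nor referenced via
                    "rule:"; the operator's setting has no effect (likely a typo)
      undefined   - enforced by code but missing from the file; the enforcer's
                    fallback decides that check, so the file is not controlling it
      near_misses - (enforced name, defined name) pairs that differ only slightly,
                    the usual signature of a misspelling
    """
    policy = json.loads(policy_text)
    defined = set(policy)
    referenced = set()
    for value in policy.values():
        referenced.update(re.findall(r"rule:([\w:.-]+)", value))
    unused = defined - enforced_rules - referenced
    undefined = enforced_rules - defined
    near_misses = []
    for name in sorted(undefined):
        match = difflib.get_close_matches(name, sorted(unused), n=1, cutoff=cutoff)
        if match:
            near_misses.append((name, match[0]))
    return {"unused": sorted(unused), "undefined": sorted(undefined), "near_misses": near_misses}


if __name__ == "__main__":
    for key, value in audit_policy(POLICY_JSON, ENFORCED_RULES).items():
        print(f"{key}: {value}")
```

An "undefined" entry is the dangerous direction: the operator believes the file restricts that API, but the code never consults the entry they wrote, so whatever the enforcer's default rule says is what applies.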

A fix was merged for bug 1687593 but we forgot to add a release note.
Change-Id: Ib8571d155ca526b0b4fb536ceff7c3b5752281c6
(cherry picked from commit 5303ef6e88)

Change 461736 modifies the url passed to the oauth signature verifier to
the request url. But in some deployments, https endpoints are terminated
at haproxy and an http request is sent to keystone. So the request url will
have http as its url scheme whereas the endpoint is registered with https
and the signature at the client is done with the https url. This results in OAUTH
signature validation failure.
Update URL sent for OAUTH signature verification with the scheme of
the base url.
Change-Id: Iaba285985b616a35e3dfe33cdd45667174e7c69d
Partial-Bug: #1687593
(cherry picked from commit b7aece57d2)

OAUTH signature verification should happen with the same URL used for signing.
Typically at the user end it should be signed with the request URL and hence it
should be verified with the same.
Currently keystone uses public endpoint URL for signature verification.
Modified the URL passed to oauth signature verification to request URL.
Change-Id: I28059a43cb0088c2952c19f696042ebec54d26c9
Partial-Bug: #1687593
(cherry picked from commit 926685c5a4)
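
The two commits above describe why the URL used for OAuth signature verification must be the one the client signed, and why a TLS-terminating proxy breaks that when the scheme is taken from the inbound request. The following added example is not keystone's code (keystone delegates to a library for this); it is a hand-written RFC 5849 HMAC-SHA1 signer/verifier plus the scheme-normalisation step the later commit describes, so that the failure and the fix can be reproduced offline. All endpoint URLs, keys and secrets are constructed values.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit, urlunsplit


def _enc(value):
    # RFC 5849 section 3.6 percent-encoding: only unreserved characters stay bare.
    return quote(str(value), safe="-._~")


def base_string_uri(url):
    """RFC 5849 section 3.4.1.2: scheme and host lowercased, default port dropped,
    query and fragment excluded. Note that the scheme is part of what gets signed."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    port = parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port and not default:
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method, url, oauth_params):
    """RFC 5849 section 3.4.1: METHOD&enc(base URI)&enc(normalized parameters)."""
    params = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    params += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    encoded = sorted((_enc(k), _enc(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), _enc(base_string_uri(url)), _enc(normalized)])


def sign(method, url, oauth_params, consumer_secret, token_secret=""):
    """HMAC-SHA1 signature (RFC 5849 section 3.4.2) over the base string."""
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    base = signature_base_string(method, url, oauth_params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def verify(method, url, oauth_params, consumer_secret, token_secret=""):
    expected = sign(method, url, oauth_params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, oauth_params.get("oauth_signature", ""))


def url_with_base_scheme(base_url, request_url):
    """Rebuild the request URL with the scheme of the configured base (public) URL,
    which is what the client signed when TLS is terminated in front of the service."""
    base = urlsplit(base_url)
    req = urlsplit(request_url)
    return urlunsplit((base.scheme, req.netloc, req.path, req.query, req.fragment))


# Constructed values: a public https endpoint, the URL the client signed, and the
# plain-http URL the service sees after the TLS-terminating proxy.
PUBLIC_ENDPOINT = "https://keystone.example.test:5000"
CLIENT_URL = "https://keystone.example.test:5000/v3/OS-OAUTH1/access_token"
PROXIED_URL = "http://keystone.example.test:5000/v3/OS-OAUTH1/access_token"
CONSUMER_SECRET = "consumer-secret-example"
TOKEN_SECRET = "request-token-secret-example"


def demo():
    """Returns (verified against the raw proxied URL, verified with the scheme fixed)."""
    params = {
        "oauth_consumer_key": "consumer-key-example",
        "oauth_token": "request-token-example",
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1500000000",
        "oauth_nonce": "nonce-example",
        "oauth_version": "1.0",
        "oauth_verifier": "verifier-example",
    }
    params["oauth_signature"] = sign("POST", CLIENT_URL, params, CONSUMER_SECRET, TOKEN_SECRET)
    naive = verify("POST", PROXIED_URL, params, CONSUMER_SECRET, TOKEN_SECRET)
    fixed = verify("POST", url_with_base_scheme(PUBLIC_ENDPOINT, PROXIED_URL), params,
                   CONSUMER_SECRET, TOKEN_SECRET)
    return naive, fixed


if __name__ == "__main__":
    print(demo())
```

Running the block prints `(False, True)`: the same signature fails when the base string is built from the http URL and passes once the scheme is taken from the configured base URL. The fix only replaces the scheme; host, port, path and query still come from the request, so a request for a different resource still fails verification.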

When a file-config-based domain-specific backend was loaded the
local config files from /etc/keystone/keystone.conf.d/ were also read. The
local config dir should not be used in this case.
Change-Id: Ib576c8f12a7cc4272e07bb057bf028d69649b65d
Related-Bug: #1489118
(cherry picked from commit 5e8e71fb16)

During a backport patch [0] for this fix,
some problems were found in the previous
approach, like that it didn't re-enable
session.autocommit. Another comment was that we should
create a new session and commit on it instead of
disabling/enabling autocommit.
After this, we should backport this change in order
to fix the previous releases, instead of the other
one.
[0] https://review.openstack.org/#/c/469514
Change-Id: Ifc024ba0e86bb71f4ab8b019917782bc5bf3be7a
Closes-Bug: #1649616
(cherry picked from commit 0b5c5c03ec)

When keystone is using an external identity backend such as LDAP for
storing users and groups, but storing role assignments in the local db,
and a group that has role assignments is deleted out-of-band, its
assignments will still exist in the keystone database. If, after this,
a user attempts to list effective role assignments, keystone will try
to lookup the group and fail with NotFound.
This catches the NotFound exception of the list_users_in_group call and
returns an empty user list so that the effective assignments list does
not fail.
Closes-Bug: 1693510
Change-Id: Ie5f69b150d59287bd0bc68f1ce9eecfeab04c91a
(cherry picked from commit d09c337619)

Commit token flushes between batches in order to lower resource
consumption and make flushing more robust for replication.
Change-Id: I9be37e420353a336a8acd820eadd47d4bcf7324f
Closes-Bug: #1649616
(cherry picked from commit dc7f810831)

Keystone can use an external identity store for the users, and
store assignments for these users in the SQL database that it
manages. When a user has been deleted directly in the external
identity store, these assignments will persist. Therefore when
listing role assignments and asking for names to be included,
keystone will try to get information of the user and fail with
NotFound.
This catches the NotFound exception of the get_user and get_group
calls and fills the user values with an empty string.
Change-Id: Iec3e12f6cd1402e1e3f192b0ede5d608bd41ca1d
Closes-Bug: 1684820
(cherry picked from commit 0392b36a0d)
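
The two commits above (the list_users_in_group fix and the get_user/get_group fix) handle the same situation: assignments stored in the service's own database that refer to users or groups deleted directly in an external identity store. The following added example is not keystone's code; it models that situation with a constructed in-memory identity store and assignment table, shows both tolerant lookups, and adds a small check that reports the stale rows so an operator can prune them.

```python
class NotFound(Exception):
    """Raised by the identity backend when a user or group does not exist."""


# Constructed identity store (stands in for an external backend such as LDAP):
# g-readers and u-bob were deleted there directly, but assignments still refer to them.
IDENTITY_USERS = {"u-alice": {"name": "alice"}}
IDENTITY_GROUPS = {"g-admins": {"name": "admins", "members": ["u-alice"]}}

# Constructed assignment table kept in the service's own database:
# (actor_type, actor_id, target_id, role_id)
ASSIGNMENTS = [
    ("group", "g-admins", "p-1", "admin"),
    ("group", "g-readers", "p-1", "reader"),  # stale: group gone from the identity store
    ("user", "u-bob", "p-1", "member"),       # stale: user gone from the identity store
]


def get_user(user_id):
    try:
        return IDENTITY_USERS[user_id]
    except KeyError:
        raise NotFound(user_id) from None


def get_group(group_id):
    try:
        return IDENTITY_GROUPS[group_id]
    except KeyError:
        raise NotFound(group_id) from None


def list_users_in_group(group_id):
    return get_group(group_id)["members"]


def effective_assignments(assignments):
    """Expand group assignments to their member users. A group that no longer
    exists contributes nothing instead of aborting the whole listing."""
    effective = []
    for actor_type, actor_id, target_id, role_id in assignments:
        if actor_type == "user":
            effective.append((actor_id, target_id, role_id))
            continue
        try:
            members = list_users_in_group(actor_id)
        except NotFound:
            members = []  # deleted out-of-band: nobody can inherit this role any more
        effective.extend((uid, target_id, role_id) for uid in members)
    return effective


def assignments_with_names(assignments):
    """Attach the actor's display name; a deleted actor gets an empty name rather
    than raising NotFound, so the stale row stays visible in the listing."""
    lookup = {"user": get_user, "group": get_group}
    rows = []
    for actor_type, actor_id, target_id, role_id in assignments:
        try:
            name = lookup[actor_type](actor_id)["name"]
        except NotFound:
            name = ""
        rows.append({"type": actor_type, "id": actor_id, "name": name,
                     "target": target_id, "role": role_id})
    return rows


def stale_assignments(assignments):
    """Operator-side check: rows whose actor no longer resolves, i.e. dangling
    role grants that should be cleaned up rather than left in the database."""
    return [row for row in assignments_with_names(assignments) if row["name"] == ""]


if __name__ == "__main__":
    print(effective_assignments(ASSIGNMENTS))
    for row in stale_assignments(ASSIGNMENTS):
        print("stale:", row)
```

Tolerating the NotFound keeps the listing working; the separate stale_assignments report is what turns a silent skip into something an operator notices, since a dangling grant would spring back to life if an identifier were ever reused in the external store.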

Without the change, the method fetched all assignments for a project
or domain, regardless of who has the assignment, user or group. This
led to a situation where a federated user without groups could scope a token
with other users' rules.
Return an empty list of assignments if no groups were passed.
Closes-Bug: 1677723
Change-Id: I65f5be915bef2f979e70b043bde27064e970349d
(cherry picked from commit 2139639eea)
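
The commit above is an instance of a general pitfall: a query builder that only adds a filter when the filter value is non-empty, so an empty list of groups silently means "no filter" and returns everyone's assignments. The following added example is not keystone's code; it reconstructs that shape over a constructed in-memory assignment table, shows the over-broad result for a group-less federated user, and the corrected version that returns nothing when there are no groups.

```python
from collections import namedtuple

Assignment = namedtuple("Assignment", "actor_type actor_id target_type target_id role_id")

# Constructed sample data: two groups and one user hold roles on project p-1.
SAMPLE_ASSIGNMENTS = [
    Assignment("group", "g-admins", "project", "p-1", "admin"),
    Assignment("group", "g-readers", "project", "p-1", "reader"),
    Assignment("user", "u-alice", "project", "p-1", "member"),
    Assignment("group", "g-admins", "project", "p-2", "admin"),
]


def _match(assignment, conditions):
    # conditions: list of (field, allowed values); all must hold, like ANDed WHERE clauses
    return all(getattr(assignment, field) in allowed for field, allowed in conditions)


def group_assignments_before(assignments, target_id, group_ids):
    """Buggy shape: actor filters are only added when group_ids is non-empty, so a
    caller with no groups gets every assignment on the target, users included."""
    conditions = [("target_id", {target_id})]
    if group_ids:
        conditions.append(("actor_type", {"group"}))
        conditions.append(("actor_id", set(group_ids)))
    return [a for a in assignments if _match(a, conditions)]


def group_assignments_after(assignments, target_id, group_ids):
    """Fixed shape: no groups means no group assignments, and the actor filters
    are always applied."""
    if not group_ids:
        return []
    conditions = [
        ("target_id", {target_id}),
        ("actor_type", {"group"}),
        ("actor_id", set(group_ids)),
    ]
    return [a for a in assignments if _match(a, conditions)]


def roles_for(assignments):
    """Sorted role ids a caller would end up with in a scoped token."""
    return sorted(a.role_id for a in assignments)


if __name__ == "__main__":
    print("before, no groups:", roles_for(group_assignments_before(SAMPLE_ASSIGNMENTS, "p-1", [])))
    print("after, no groups: ", roles_for(group_assignments_after(SAMPLE_ASSIGNMENTS, "p-1", [])))
```

The same pattern shows up in SQL builders that skip the `IN (...)` clause when the list is empty; the defensive rule is that an empty set of principals must produce an empty result, never an unfiltered one.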

Fixed an issue with translation of keystone error messages, which
was not happening for error messages from the identity API
when a locale was set.
Change-Id: Idc73e86647f2adce9e39387b0c3124431dcac255
Closes-Bug: #1674415
(cherry picked from commit 2126bd5765)

These changes have already merged in the master branch. However, the cherry
pick failed because of a merge conflict. So submit these changes again
in the stable/ocata branch to revise the release notes.
Change-Id: I1faa518e071558011fd0e2ad3a685174be7627ba

When a role on a group scoped to a project/domain is revoked, it persists a
revocation event in the revoke_event table which invalidates all tokens
created with the same role in the project/domain. Since token validation happens
by populating role assignments at validation time, persistence of
revocation events is no longer needed.
Change-Id: I112d5d4684f739d320606cea651e0a108f18d245
Closes-Bug: #1662514
(cherry picked from commit 2cb842cd64)

LDAP authentication was broken by the addition of MFA rule checking.
This patch fixes that.
Change-Id: I4efe4b1b90c93110509cd599f9dd047c313dade3
Closes-Bug: #1662762
(cherry picked from commit 4e0029455a)

When an SQL-config-based domain-specific backend was loaded the
local config dir (/etc/keystone/keystone.conf.d) is also read. The
local config files should not be used in this case.
This is a follow-up fix for Idd095b2df375329f579c164d00dfd50b41b0e96d
Related-Bug: #1489118
Change-Id: I14008656a538ca7641aefffe08b9d1c23b7b87d2
(cherry picked from commit ab3bfaf90f)

Add a simple script to set up mysql and postgresql databases; this script
can be run by users during testing and will be run by CI systems for
specific setup before running unit tests.
This allows changing the python-db jobs in project-config to
python-jobs, since python-jobs will call this script initially.
Update the README for this.
See also
http://lists.openstack.org/pipermail/openstack-dev/2016-November/107784.html
Needed-By: Ic42f8d5392ab1d9b52c6c84c92dee0092bd2779a
Change-Id: I253726467151622e8aa3ff40bacc0b3f9903b342