This pylint check 'no-else-return' might be debatable.
but as far as I checked it works in most cases.
Change-Id: Ie8574d4a529454c6e050fa62a7a17ea097d00240
Kyestone V2 support was removed in Train, so it's safe to do such cleanup.
* Functions which just return horizon settings are dropped and
the settings are referred directly now.
* The service catalog in the sample test data is updated to match
the format of the keystone API v3.
* Related to the above change of the sample service catalog,
openstack_dashboard.test.unit.api.test_keystone.ServiceAPITests is
updated to specify the region name explicitly because 'RegionTwo'
endpoint is no longer the second entry of the endpoint list in the
keystone API v3.
Co-Authored-By: Akihiro Motoki <amotoki@gmail.com>
Change-Id: Ib60f360c96341fa5c618595f4a9bfdfe7ec5ae83
In Train cycle, we moved the definition of default values
to openstack_dashboard/defaults.py. The current code accesses
a dict member using []. It requires operators to define a dict
setting with a full member.
This commit allows to use dict-type settings with partial members.
A new function is introduced to retrieve a dict-type setting
considering default values defined in
{openstack_dashboard,horizon,openstack_auth}/defaults.py
Change-Id: I7ff0ad4bca698aef9c0eba370b0570200a14367a
Closes-Bug: #1843104
Unfortunately the only way we can know the user_id at this point is
by parsing the error message.
I also refactored the exceptions in openstack_auth to make them use
different classes (but one common superclass).
Partially implements blueprint: allow-users-change-expired-password
Change-Id: Ieceee09db21040b96577db19bd195dc3799e3892
Keystone V2 API was deprecated in Stein release in Horizon and
removed from Keystone in Queens release.
Change-Id: I917e273d3174adf0874e516b3d635ccb8ba58a27
Keystone's API for changing the user password doesn't require
authentication, so we can have a page that doesn't require it too.
In order to change the password, the user has to provide their old
password. This is needed for when the password is expired or when
it has to be changed on first use.
The next step will be adding a redirect to this page when a password
is expired or required to be changed.
Part of blueprint: allow-users-change-expired-password
Change-Id: I3b207ef6c5a3095022a2acb64d3988e127f0f49a
This commit also moves descriptions of settings defined in openstack_auth
from openstack_dashboard/settings.py and local_settings.py(.example)
to openstack_auth/settings.py.
Note that if openstack_dashboard has different default settings
from openstack_auth defaults, they are now moved to
openstack_dashboard/defaults.py.
Part of blueprint ini-based-configuration
Change-Id: I59eebc388de0bcbd4d1fe35c6138efbd3e04c5b8
This has been present since at least Django 1.6 [1], though the comment
on the removed function suggests it might have been earlier (pre-Git
days, perhaps?).
[1] https://github.com/django/django/commit/a2f2a399566
Change-Id: Ib6978ffa8d3962383fbc0a1c3cfd9da9e162f7dd
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
There are a lot of util funtions that are not used neither in Horizon,
nor in plugins. This patch removes them.
Change-Id: I987b39d620a037834cb2d05a234a1ad089276108
The "request" attribute is not available in
openstack_auth.backend.KeystoneBackend.get_user when session data is restored
and it's the first request to happen after a server restart.
As stated by the function document, the "request" attribute needs to be
monkey-patched by openstack_auth.utils.patch_middleware_get_user
for this function to work properly.
This should happen in openstack_auth.urls at import time. But there is nowhere
in Horizon where this module is imported at startup. It's only introspected
by openstack_dashboard.urls due to AUTHENTICATION_URLS setting.
Without this monkey-patching, the whole authentication mechanism falls back
to "AnonymousUser" and you will get redirected to the login page due
to horizon.exceptions.NotAuthenticated being raised by
horizon.decorators.require_auth as request.user.is_authenticated will be False.
But if a user requests a page under auth/, it will have the side-effect of
monkey-patching django.contrib.auth.middleware as expected. This means that
once this request is completed, all following requests to pages other than
the ones under auth/ will have there sessions properly restored and
you will be properly authenticated.
Therefore this change introduces a dummy middleware which sole purpose is
to perform this monkey-patching as early as possible.
There is also some cleanup to get rid of the previous attempts at
monkeypatching.
Closes-bug: #1764622
Change-Id: Ib9912090a87b716e7f5710f6f360b0df168ec2e3
Add a new optional WEBSSO_KEYSTONE_URL property to facilitate WEBSSO
deployments where network segmentation is used per security requirement.
In this case, the controllers are not reachable from public network.
Therefore, user's browser will not be able to reach OPENSTACK_KEYSTONE_URL
if it is set to the internal endpoint.
If WEBSSO_KEYSTONE_URL is set, it will be used instead of
OPENSTACK_KEYSTONE_URL.
Change-Id: I05ea4227aa4c2cb0a73015ed7fd29cf1a96e696a
Closes-bug: #1544703
In scenarios where the cloud operators have only a single Identity Provider,
we can have a default redirection to remove unnecessary user clicks and
improve user experience.
Closes-bug: #1784368
Change-Id: I251703dcaeac43174fbcba7e0658c6f92098b2e0
DEFAULT_SERVICE_REGIONS is cumbersome when you have
more than one keystone endpoint and all you want to do
is set a global default service region.
This adds '*' as an optional fallback key to mean global default.
If an endpoint matches it will take precedence over the '*' value.
This also fixes the precedence order for DEFAULT_SERVICE_REGIONS
so that a user controlled cookie is used instead when that cookie
is valid for the given catalog. This changes the way the setting
works, but retains the intended result the setting was originally
intended for.
Change-Id: Ieefbd642d853fcfcf22a17d9edcc7daae72790a4
blueprint: global-default-service-region
Closes-Bug: #1772345
Related-Bugs: #1359774#1703390
W503 line break before binary operator
Looking at the code base, it sounds okay to follow this check.
Change-Id: Id511e0104dc6de5b204021661d4a8776ca6d3658
- HORIZON_IMAGES_ALLOW_UPLOAD (deprecated in Newton)
- CUSTOM_THEME_PATH (deprecated in Mitaka)
- DEFAULT_THEME_PATH (deprecated in Mitaka)
- OPENSTACK_TOKEN_HASH_ENABLED (deprecated in Mitaka)
- TOKEN_DELETION_DISABLED
(not documented but it was marked as deprecated in Ocata
in django-openstack-auth commit 5810f9c6)
The related logics related to dropped deprecated settings
have been dropped too.
- custom_path and default_path of get_available_themes() were
dropped as they are no longer needed in favor of
the removal of CUSTOM_THEME_PATH and DEFAULT_THEME_PATH.
- Unused remove_project_cache(), is_token_deletion_disabled()
and delete_token() have been dropped.
Change-Id: Ic9406623cc092884c4136f78fb967b129bfda487
The keystone API version 3 has become the default API version
for a long time and our CI already uses keystone v3 API only.
In addition, our documentation recommended to use the cached session,
so switching the default API version to 3 does not hit the limitation
on the maximum size of session data when using the cookie-based
sessions.
This is based on django_opensatck_auth review
https://review.openstack.org/#/c/158384/
Implements blueprint: default-keystone-api-3
Change-Id: I79e9fbd3567cc69468694dbf043fecf422347c7e
Moves Django OpenStack Auth content to Horizon, since they are so
tightly coupled. This cleans up the development workflow and should
make keystone / auth related contributions easier.
Implements: blueprint merge-openstack-auth
Change-Id: Ia1cdc47bad1ca6e633073a9f9445b0c7f70d05bc
Radomir Dopieralski