Commit Graph

9202 Commits

Author SHA1 Message Date
Zuul 4121cf6cb7 Merge "Add ability to create users and projects from keystone-manage" 2024-03-15 17:37:04 +00:00
Takashi Kajinami 307296af5e Deprecate templated catalog driver
Keystone provided two in-tree catalog drivers, sql and templated.
However the templated driver hasn't been properly maintained.
The default template had not been updated for 8 years until it was
recently updated by [1].

This deprecates the driver assuming it's not widely used and the sql driver
meets usual requirements.

This also restores the image service endpoints which were wrongly
removed by [1].

[1] c32bedb654

Related-Bug: #2013473
Change-Id: Iadb7bd5d7c4cf82aea2a7dbc1d8c4dbe53b9f763
2024-03-13 22:09:30 +09:00
Zuul b08e5b5f63 Merge "Drop remaining references to eventlet options" 2024-03-12 17:22:44 +00:00
Zuul 0ba7fdbd15 Merge "Fix operation order in role deletion" 2024-03-12 17:22:35 +00:00
Zuul f3a3f8948a Merge "Fix federation mapping role jsonschema" 2024-03-12 17:07:39 +00:00
Zuul c5133e5ab8 Merge "Pass initiator to delete user" 2024-03-12 17:07:37 +00:00
Dave Wilde a8366c4827 Add ability to create users and projects from keystone-manage
This adds the ability to create users and projects directly from
keystone-manage.  We also add the ability to specify specific UUIDs
for both users and projects via the creation functions.

Change-Id: Icd193eff25556d21ec26bb29908b8ad6548fdc91
2024-03-12 08:06:35 -05:00
Zuul 8c2d5769a1 Merge "Dont enforce when HTTP GET on s3tokens and ec2tokens" 2024-03-08 17:05:42 +00:00
Zuul 57833a2e96 Merge "Allow assignment of domain specific role to federated users" 2024-03-08 16:43:09 +00:00
Zuul 2ac039b717 Merge "Add domain scoping to list_domains" 2024-03-01 18:12:37 +00:00
Boris Bobrov 63556be0e3 Fix operation order in role deletion
Deletion of a role leads to deletion of role assignments and entries in
the application credentials. However, deletion of the entries in
application credentials depends on the existence of the assignment, so
the order of deletion is important.

Delete the entries from application credentials first and then clean up
role assignment.

Closes-Bug: 2053137
Change-Id: Ibba9063c729961cd4155f8b55dbabd4789d7a438
2024-02-15 23:28:24 +01:00
Tobias Urdin 6096457d74 Dont enforce when HTTP GET on s3tokens and ec2tokens
When calling the s3tokens or ec2tokens API with an
HTTP GET we should get a 405 Method Not Allowed but
we get a 500 Internal Server Error because we enforce
that method.

Closes-Bug: #2052916
Change-Id: I5f60d10dc25551175cc73ca8f3f28b0b95ec9f99
Signed-off-by: Tobias Urdin <tobias.urdin@binero.se>
2024-02-12 08:41:39 +00:00
Douglas Mendizábal 7dc175a41f Normalize policy checks for domain-scoped tokens
This patch fixes an inconsistency in the policies for role_assignment
where the target object used for policy enforcement was being created
with different properties depending on the request query string.

This required policies to be written in two different ways to validate
domain IDs for domain-scoped requests.  e.g. checking for domain reader
was using both:

    role:reader and domain_id:%(target.domain_id)s

and

    role:reader and domain_id:%(target.project.domain_id)s

With the former only being populated for GET /v3/role_assignments and
the latter only being populated for GET
/v3/role_assignments?scope.project.id=SOME_ID

This patch fixes the target object so that only target.domain_id needs
to be checked for domain-scoped tokens.

Change-Id: Iffbe11c57c61bbd1b045a6567a9249c12dff403c
2024-02-09 11:33:51 -06:00
Markus Hentsch dd785ee692 Add domain scoping to list_domains
Introduces domain-scoped filtering of the response list of the
list_domains endpoint when the user is authenticated in domain scope
instead of returning all domains. This aligns the implementation with
other endpoints like list_projects or list_groups and allows for a
domain-scoped reader role.
Changes the default policy rule for identity:list_domains to
incorporate this new behavior for the reader role.

Closes-Bug: 2041611
Change-Id: I8ee50efc3b4850060cce840fc904bae17f1503a9
2024-02-08 13:55:44 +01:00
gtema 480ba29709 Fix federation mapping role jsonschema
additionalProperties attribute must be located on the level of "type"
and not inside "properties"
(https://json-schema.org/understanding-json-schema/reference/object#additional-properties).
Sadly this is not violating schema validation, but is wrong and hurts
any reasonable processing of the schema.

Change-Id: Ib537f1dd33dd3f3dc8909873dffc37980d04b4db
2024-02-07 08:49:45 +01:00
Pavlo Shchelokovskyy 2735a28fc5 Pass initiator to delete user
otherwise the initiator field is missing from the CADF payload,
which misses the point of audit and technically makes these notifications
not valid as CADF events (the initiator field is required by the
CADF spec).

Change-Id: Iae525ee13dec72af6a7d70db2bb59a77c682a177
2024-02-06 19:56:39 +00:00
Douglas Mendizábal 0340121042 Allow users with "admin" role to get projects
This patch modifies the policy for identity:get_project to allow a user
with the "admin" role to retrieve any project by project_id for Secure
RBAC (Phase 1)

Change-Id: I6442557701284572759da1354e6547f57186935f
2024-02-01 15:34:42 -05:00
Juan Pedro Torres 04fc88a56c Allow assignment of domain specific role to federated users
After the patch "Keystone to honor the "domain" attribute mapping rules."
it's not possible to assign domain specific roles to federated users
when the user domain is specified on the claim.

This patch aims to fix this, allowing mapping of non domain specific roles
and domain specific ones, if the domain is specified on the claim.

Depends-on: https://review.opendev.org/#/c/739966/
Related-Bug: #1887515
Change-Id: Ie3d7585cb9143686a93e4a19843698274475eaf6
Signed-off-by: Juan Pedro Torres Muñoz <juanp.95.torres@gmail.com>
2024-01-30 19:28:05 +01:00
Zuul 5a97b7d847 Merge "Fix policies for groups" 2024-01-29 17:59:54 +00:00
Takashi Kajinami 6c7020c51a Drop remaining references to eventlet options
Because these were removed by [1]. Also update the previous release
note to document the upgrade impact on catalog information (like
endpoint urls) including string interpolations requiring these removed
options.

[1] 2a3c73c49b

Change-Id: If78d0b93665410b86754ea35653ca9d4c15c81c5
2024-01-27 21:02:14 +09:00
Zuul 0608537f03 Merge "Check user existence before setting last_active_at" 2024-01-26 19:25:20 +00:00
Zuul 2d48ff27bb Merge "Propagate redirect exceptions to the client" 2024-01-26 17:37:22 +00:00
Zuul 406233f169 Merge "Clean up deprecated options for eventlet server" 2024-01-26 17:37:17 +00:00
Zuul 6c16f975d2 Merge "Improve application credential validation speed" 2024-01-26 17:37:13 +00:00
Zuul 993e589fa1 Merge "Keystone to honor the "domain" attribute mapping rules." 2024-01-26 17:37:09 +00:00
Zuul 44a5474148 Merge "Add a cache to check_revocation" 2024-01-26 17:37:01 +00:00
Zuul 31ea45d241 Merge "Revoke list_events: Add trust sql filter" 2024-01-26 17:36:59 +00:00
Zuul b15595746d Merge "Remove deprecated [memcache] options" 2024-01-26 17:36:56 +00:00
Douglas Mendizábal df8f8eed1e Fix policies for groups
This patch fixes a couple of broken policies in the groups resource.

Change-Id: Ia47ecc71c04bcb50c2e0d677a99b3754ffbc1c04
2024-01-25 15:37:50 -05:00
Zuul c89655a6d1 Merge "Consistent and Secure RBAC (Phase 1)" 2024-01-23 17:04:15 +00:00
Douglas Mendizábal f2f1a5c388 Consistent and Secure RBAC (Phase 1)
This patch updates system-scoped policies to also accept project-admin
tokens so that operators can continue to use the "admin" role to access
system level APIs.

The protection test job is marked non-voting since tempest does not yet
expect these policy changes.  A follow-up patch will make it voting
again after the test changes have merged into tempest.

[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-1

Change-Id: I31b5a1f85d994a90578657bc77fa46ace0748582
2024-01-19 14:35:37 -05:00
Zuul bb4b7abc8d Merge "python 3.12: use raw string" 2024-01-19 17:03:25 +00:00
Zuul 21cc759c22 Merge "fix(federation): follow-up" 2024-01-19 16:51:41 +00:00
Rafael Weingärtner 14ac08431f Keystone to honor the "domain" attribute mapping rules.
We propose to extend Keystone identity provider (IdP) attribute mapping
schema to make Keystone honor the `domain` configuration that we have
on it.

Currently, that configuration is only used to define a default domain
for groups (and then each group there, could override it). It is
interesting to expand this configuration (as long as it is in the root
of the attribute mapping) to be also applied for users and projects.

Moreover, to facilitate the development and extension concerning
attribute mappings for IdPs, we changed the way the attribute mapping
schema is handled. We introduce a new configuration
`federation_attribute_mapping_schema_version`, which defaults to "1.0".
This attribute mapping schema version will then be used to control the
validation of attribute mapping, and also the rule processors used to
process the attributes that come from the IdP. So far, with this PR,
we introduce the attribute mapping schema "2.0", which enables
operators to also define a domain for the projects they want to assign
users. If no domain is defined either in the project or in the global
domain definition for the attribute mapping, we take the IdP domain
as the default.

Change-Id: Ia9583a254336fad7b302430a38b538c84338d13d
Implements: https://bugs.launchpad.net/keystone/+bug/1887515
Closes-Bug: #1887515
2024-01-16 08:54:56 -03:00
Trent Lloyd 67b5cca032 Improve application credential validation speed
Validating an application credential token is very slow, taking at least
400ms+ in a simple devstack environment, 5-10x longer than validating a
user/password project token.

The primary bottleneck during a token validation request
(/v3/auth/tokens) is that token.roles is evaluated at least 5 times.
validate_token is called twice, first during RBAC to populate the
subject token context and again to actually validate the token. Each
call to validate_token then called token.roles twice because it first
checks if it is None, before calling it again to use the result. Lastly
token.roles is evaluated a fifth time during
render_token_response_from_model.

Each evaluation of token.roles calls through
_get_application_credential_roles into list_role_assignments which then
makes multiple round-trip SQL queries to the database.

Unlike the related get_roles_for_user_and_project function, none of
these calls are currently cached/memoized. We memoize
list_role_assignments to get the same speedup.

Reduce the number of token.roles calls to only 3 by storing and re-using
the token.roles result in validate_token, then memoize
list_role_assignments so the 2nd and 3rd call fetch from the cache
instead of repeating many SQL queries.

This provides a substantial performance improvement bringing validation
time in-line with user/password tokens.

Change-Id: I8c45131b298ceae7b43b42e2c5df167607d18c48
2024-01-02 08:46:24 +00:00
Thomas Goirand 45dde73ba3 python 3.12: use raw string
This fixes "SyntaxWarning: invalid escape sequence '\d'"
when installing python3-keystone.

Change-Id: Iee22be887130dd171ae8038f5ed3bb365e2b3ade
2023-12-23 13:02:00 +01:00
Zuul 9e4a3157dd Merge "Fix typo in cmd/status.py" 2023-12-13 18:56:13 +00:00
ferag 1c106f48b0 Propagate redirect exceptions to the client
When a developer is implementing an Authentication plugin, in some cases
(like an OpenID Connect plugin) it is needed to perform a redirect to
the provider to complete the flow. This was possible in the past (before
moving to Flask) by raising an exception with the proper HTTP code set,
but the framework change made this possibility not available anymore.

Closes-Bug: #1854041
Co-authored-by: Alvaro Lopez Garcia <aloga@ifca.unican.es>
Change-Id: I333eb15c66f37207e6937d0cb3a80f26cf9bebfc
2023-12-07 18:14:03 +01:00
Takashi Kajinami 2a3c73c49b Clean up deprecated options for eventlet server
The eventlet server implementation was removed during Newton, and these
options have not been used by any other implementations for a while.

Change-Id: I01f9adfc3e610d820c1834209d36c10568cccf41
2023-12-07 10:40:11 +09:00
Takashi Kajinami 1a41ed0999 Remove deprecated [memcache] options
These options have had no effect and were formally deprecated during
Yoga cycle[1].

[1] 9a8686aee0

Related-Bug: #1941020
Change-Id: I9ac00109bd278bc4813a45358aeda848ab7318de
2023-12-06 02:09:02 +09:00
Zuul 262d763f79 Merge "Remove unnecessary shebang" 2023-12-02 19:46:57 +00:00
Zuul c57c6c2aa2 Merge "Drop compatibility code for Python 2.y" 2023-12-02 14:38:53 +00:00
Zuul bd681f379b Merge "Fix bindep.txt for python 3.11 job(Debian Bookworm)" 2023-11-29 16:35:53 +00:00
Takashi Kajinami 6458a8f815 Drop compatibility code for Python 2.y
The inspect.getfullargspec method is available since Python 3.0.

Change-Id: I163f0327ede2a720c3b800dc4757d4791ed47d00
2023-11-29 03:43:14 +00:00
Takashi Kajinami 24b77bb643 Fix bindep.txt for python 3.11 job(Debian Bookworm)
The Python 3.11 job now runs on Debian Bookworm which does not provide
some of the packages in bindep. This fixes the bindep file so that
it pulls packages actually available.

This also updates a few assertions of log records in unit tests to make
these robust for any warning logs.

Change-Id: Iae3f4da24418530b61b9a0b64390160d194da05b
2023-11-29 12:41:29 +09:00
Boris Bobrov 26c8812b4c Check user existence before setting last_active_at
A situation might arise, when the user does not exist any more and we
are attempting to set last_active_at on them. This results in keystone
raising AttributeError.

Check for user existence before addressing the attribute.

Closes-Bug: 2044624
Change-Id: I3eb5890fb6d52a222b7caa4a52effc06774c0542
2023-11-26 00:49:59 +01:00
Takashi Kajinami 54f55fe821 Remove unnecessary shebang
The current shebang requires python 2 instead of python 3. Because
the shebang is not really required, this removes it instead of fixing
it.

Change-Id: I4c82281a67de53c6c8d788000b695a22360c3dd6
2023-10-18 00:29:09 +09:00
Pete Zaitcev 80c6ecc421 fix(federation): follow-up
This mainly was intended to clean up confusing comments, and
to add @staticmethod since we're at it.

Related-Change-Id: I665b7e0234650ba07e0d030a2d442d6599d0888a
Change-Id: I7cd62cdd188da77367820317f4875b48a247ff00
2023-10-12 09:18:23 -05:00
Zuul 8b8c025fc3 Merge "Stop pinning pep8 related packages" 2023-10-06 15:32:22 +00:00
Zuul be05fb3f11 Merge "Add support for bcrypt_sha256 hasher" 2023-10-04 21:11:33 +00:00