The eventlet server implementation was removed during Newton, and has
not been used by any other implementations for a while.
Change-Id: I01f9adfc3e610d820c1834209d36c10568cccf41
The mTLS OAuth2.0 in Keystone uses a parameter that is only available on
cryptography 36.0.0 or later. Users may have to upgrade cryptography
which is already installed, which can be an unreasonable hassle. This
patch introduces an alternative for that parameter.
[1] https://cryptography.io/en/latest/changelog/#v36-0-0
Closes-bug: 2009600
Change-Id: Idffe269b62797bb2935429f4069e878a177db04f
The OAuth2.0 Access Token API is modified to support getting an OAuth2.0
certificate-bound access token from the keystone identity server with
OAuth 2.0 credentials and Mutual-TLS certificates.
Co-Authored-By: Hiromu Asahina <hiromu.asahina.az@hco.ntt.co.jp>
Change-Id: I885527bec61429b1437a046097a16491848b5a0a
Implements: blueprint support-oauth2-mtls
This is deprecated and will be removed in a future release of oslo.db.
Even without that stick to prod us, we're going to need to use some of
the sqlalchemy-migrate APIs and it's simpler to talk to this for
everything rather than using oslo.db for some stuff and
sqlalchemy-migrate for the remainder.
Change-Id: Ib25c75a99794a04b6549e6b5184a2029955befc1
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
ABCs in collections should be imported from collections.abc and direct
import from collections is deprecated since Python 3.3.
Closes-Bug: #1936667
Change-Id: I12b570cd6d6abda17a68aac6a35ae8193d9c22b4
This repo does not support Python 2 anymore, so we don't need
six for compatibility between Python2 and 3, convert six usage to Python
3 code.
Change-Id: Icba56808f38277b27af2ae5aac4b8507dee71b3b
If we do not pass kwargs to the exception, the parameter will be treated
as the message and will be displayed directly. This passes kwargs to
InvalidOperatorError and URLValidationError to get a better-formatted
error message.
Change-Id: I5220d7af077a6c2eb1fe49cbbd7421169fa5b015
There is a useful method in the fernet_utils.py module for creating
directories. We can reuse this for the jwt provider implementation.
This commit generalizes the logic and moves it into a common place
for fernet_utils to use. A subsequent patch introducing JWT
functionality will use the same utils.
bp json-web-tokens
Change-Id: I0e322a745683c43e8329110a165f54d2e998e0c7
The utils.py was using obj.iteritems,
which has been removed in python 3 [1].
This replaces that with obj.items.
[1] https://wiki.python.org/moin/Python3.0#Built-In_Changes
Change-Id: I7cc501b4c3e3c661a06450f382b6640755db1c92
With the recent change to federation API[0], this utility function
is no longer used. This change removes it as well as the
associated test.
[0] https://review.openstack.org/#/c/585782/
Change-Id: I69a6c6c2ed9dad7e48c11312a3b2f9a2edca9ef4
With the complete removal of the v2.0 API, keystone no longer
differentiates between admin and public endpoints. This change
deprecates the "admin_endpoint" configuration option and converts
keystone over to only using the public endpoint. The "admin" endpoint
was only used for unit testing purposes.
This change does not clean up all code related, it is aimed to make
the most minimal set of changes eliminating the use of the
"admin_endpoint" configuration option.
Partial-Bug: #1776504
Change-Id: I08f6f8ae078d65203bd95c43c80367dd3489be48
Some functions in common/utils have been useless for more than 3
releases. This patch removes them.
Change-Id: I328b2fcf99590417e9813d7d95a2df9c0615d488
bp: removed-as-of-rocky
The iso8601 lib introduced a change such that if running on python
3.2 or later it internally uses the python timezone information
instead of its own implementation. This does not change direct
date handling, but when converting this value there is a slight
difference where now python 2.x will show UTC times as "UTC",
but on python 3 they will end up with "UTC+00:00".
The to_primitive call for DateTime fields was doing an exact match
on "UTC" to determine whether to include "Z" in the resulting string.
This updates that handling to recognize either of the new values.
Closes-bug: #1744160
Change-Id: I505434facc7adc4a479f67eeedb31cf7b4bf7caf
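An added example (not keystone's or oslo's own code) of the to_primitive check described in the commit above: the old exact match on "UTC" misses the "UTC+00:00" tzname, while the fixed version accepts either spelling. The two zero-offset zones and the timestamp are constructed for the example.

```python
import datetime

# tzname() spellings for the zero offset: "UTC" (Python 2, and Python 3.6+)
# and "UTC+00:00" (Python 3.2-3.5 datetime.timezone without an explicit name).
UTC_NAMES = ("UTC", "UTC+00:00")


def _format(value):
    return value.strftime("%Y-%m-%dT%H:%M:%S")


def to_primitive_old(value):
    """Pre-fix behaviour: only an exact "UTC" tzname earns the "Z" suffix."""
    if value.tzname() == "UTC":
        return _format(value) + "Z"
    return _format(value) + value.strftime("%z")


def to_primitive(value):
    """Fixed behaviour: either spelling of the zero-offset zone yields "Z"."""
    if value.tzname() in UTC_NAMES:
        return _format(value) + "Z"
    return _format(value) + value.strftime("%z")


# Constructed sample zones imitating what each interpreter generation reports.
PY2_STYLE_UTC = datetime.timezone.utc                                   # tzname "UTC"
PY3_STYLE_UTC = datetime.timezone(datetime.timedelta(0), "UTC+00:00")  # tzname "UTC+00:00"
CEST = datetime.timezone(datetime.timedelta(hours=2), "CEST")


def demo(tz):
    """Render one fixed timestamp in `tz` with the old and the fixed code."""
    when = datetime.datetime(2018, 1, 19, 10, 30, 0, tzinfo=tz)
    return to_primitive_old(when), to_primitive(when)


if __name__ == "__main__":
    for tz in (PY2_STYLE_UTC, PY3_STYLE_UTC, CEST):
        print(tz.tzname(None), *demo(tz))
```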
Extract the expiration time parsing from the trusts controller to the
utils module. This will be useful to any API that needs to validate
user-inputted timestamps.
Change-Id: If99b2c456e61ae25123c5597e2788e667021cb2c
This change creates a new utility function for removing duplicate
resource dictionaries by comparing ids. This was to take into
account projects containing a list of tags, which cannot be
hashed using the current implementation in order to determine
duplicates.
Change-Id: Ia23b8846fc2f272cc5ac11cf3ab54c98647220a1
Partially-Implements: bp project-tags
Support bcrypt, pbkdf2_sha512, or scrypt in password hashing for
passwords managed within keystone. sha512_crypt is insufficient to
hash passwords in a secure way for storage in the DB. Keystone defaults
now to using bcrypt but can handle scrypt and pbkdf2_sha512 with a number
of tuning options if desired.
Closes-bug: #1543048
Closes-bug: #1668503
Change-Id: Id05026720839d94de26d0e44631deb34bcc0e610
Merged the decorator logic into a single function that
calls check_policy. Moved authorization logic in authorize.py
Prep for oslo-context fixes
Change-Id: Id1452db131740c68b3756a819792f9a60cff239c
There are multiple tracebacks and warnings being thrown whenever
the keystone docs are built due to documents being moved/deleted as
well as formatting issues in a couple places.
This fixes a few of the warnings due to broken links and fixes a few
of the method docs.
Master: http://paste.openstack.org/show/591730/
This Patch: http://paste.openstack.org/show/591735/
Change-Id: I11cbbc7a10fa24dcbf67c76e3061a39a58529c06
Partial-Bug: #1602422
Now that we have switched to passlib 1.7.0, remove the temporary
workaround and use the new function.
Change-Id: Id574221f65d72a763b8205df0891b6e300856230
Depends-On: I6525dc8cf305ae03b81a53ac7fd06bf63d4a6d48
Closes-Bug: 1644263
A new release of passlib 1.7.0 has deprecated the encrypt() method in
favor of using hash() instead. This commit updates our usage to use
the recommended way by passlib.
Change-Id: I69262f2793bfa0c284868a3e6d4aba71ad622ca0
Partial-Bug: 1644263
Add text to the raised Unauthorized and Forbidden exceptions to show the
client what happened.
Change-Id: Id5de16d446cf4fdacfefdad0523e84821e4fd72c
Closes-Bug: 1625120
This is the first step of several to remove PKI token support in
keystone. A large issue in removing PKI support is that support for the
revocation list must be maintained.
This patch removes support for the token format, its surrounding tests
and examples that are generated. Additionally, some wording has been
changed around the CLI and config options to make the distinction
between keys and certs used for PKI tokens and those used for getting
the revocation list (a list of tokens that are revoked, which is signed).
Future patches will:
- Remove the keystone-manage commands for generating certs
- Modify the revocation list (at /auth/tokens/OS-PKI/revoked) to return
a 403 if pki is not configured (instead of raising a 500). We cannot
remove the API as that would break an API contract.
- Options to configure PKI will be marked as deprecated
- If PKI is configured a normal signed list will be returned (same
behavior as today)
- Follow up patch to keystonemiddleware will make sure auth_token does
not rely on the revocation api at all.
Related-Bug: 1626778
Related-Bug: 1626779
Co-Authored-By: Boris Bobrov <bbobrov@mirantis.com>
bp removed-as-of-ocata
Change-Id: Icf1ebced44a675c88fb66a6c0431208ff5181574
I wasn't able to find any existing unit tests for the function we use
to generate time strings. This commit adds unit tests to make sure
we don't unexpectedly change behavior.
This commit also addresses a couple comments from
Iaee0ec8c7acd512b9d93096ce8306a2952061c7a.
Change-Id: I383ac9ca97300cc37a994eccf43438c51b5030ba
The read_cached_file() method in keystone.common.utils isn't being
used anywhere in keystone and it isn't tested. Let's remove it.
Change-Id: Iafba37114957c5270351aafd25538c6085c07805
This is one of the ways we can prevent race conditions with backends that round
datetime objects or strings before persisting them.
Change-Id: Iaee0ec8c7acd512b9d93096ce8306a2952061c7a
Closes-Bug: 1622010
keystone.common.config is 1200+ lines of super dense, merge-conflict
prone, difficult to navigate, and finicky to maintain code. Let's follow
nova's lead and break it down into more manageable modules.
This patch creates a new Python package, keystone.conf, and moves all of
our configuration options into it, mirroring nova's nova.conf package.
There are a couple special modules in keystone.conf introduced here as
well:
- keystone.conf.__init__: This causes all of Keystone's options to be
registered on import, so consumers of keystone.conf don't have
races with config initialization code while trying to use
oslo_config.cfg.CONF directly (keystone.conf replaces all uses for
oslo_config.cfg.CONF in keystone).
- keystone.conf.base: Keystone's [DEFAULT] group options. I'd prefer
this to be called 'default.py', but I'm just copying nova's lead here.
- keystone.conf.opts: The entry point for oslo.config itself.
- keystone.conf.constants: There are a few constants (deprecation
messages, default paths, etc) that are used by multiple configuration
modules, so they need to live in a common place.
Change-Id: Ia3daffe3fef111b42de203762e966cd14d8927e2
This patch moves the catalog abstract base class and common code
out of core, and into backends/base.py
This removes dependencies where backend code references code in the
core. The reasoning being that the core should know about the backend
interface, but the backends should not know anything about the core
(separation of concerns). And part of the risk here is a potential for
circular dependencies.
Change-Id: I87edf8cf660fabbc7253e6b1abc7354eef34151d
Partial-Bug: #1563101
Currently tox ignores D105, D203, and D205.
D105: Missing docstring in magic method.
D203: 1 blank required before class docstring.
D205: Blank line required between one-line summary and description.
This change removes them and makes keystone docstrings compliant with them.
Change-Id: Id916612dd246e02159907d286e448545120f3655
Currently tox ignores D401.
D400: First line should end with a period.
This change removes it and makes keystone docstrings compliant with it.
Change-Id: I9a9520e69701718ff471eebbcc52199dacdd9c68
Currently tox ignores D401 (401: First line should be in imperative mood).
This change removes it and makes keystoneauth docstrings compliant with it.
Change-Id: I136cf810f47c4c19f29216907a63f226930b5082
Partial-Bug: 1570049
Local user ids that are returned from the mapping_id backend are
in unicode. This causes an issue when attempting to transform
the value into uuid5.
Change-Id: I87745944a3eb606fdd435ae983e5de602d08bd0d
closes-bug: 1545960
The current wsgi.Application.base_url() function does not work correctly
if Keystone runs on something like "http://1.2.3.4/identity" which is now
a default in devstack.
This patch fixes that by using wsgiref.util to parse the environment
variables set in WSGI mode, find the real base url and return the
correct URL. The following environment variables will be used to
produce the effective base url:
HTTP_HOST
SERVER_NAME
SERVER_PORT
SCRIPT_NAME
Closes-Bug: #1381961
Change-Id: I111c206a8a751ed117c6869f55f8236b29ab88a2
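An added example (not keystone's own base_url code) of deriving the base URL from the WSGI environ with wsgiref.util.application_uri, which reads exactly the variables listed above; the naive scheme://host:port construction beside it shows why a SCRIPT_NAME of /identity was lost. The environ dictionaries are constructed for the example.

```python
import re
import wsgiref.util

# Constructed environs: devstack-style prefix, a bare host:port, and a
# versioned script name behind TLS on the default port.
DEVSTACK = {"wsgi.url_scheme": "http", "HTTP_HOST": "1.2.3.4",
            "SERVER_NAME": "1.2.3.4", "SERVER_PORT": "80",
            "SCRIPT_NAME": "/identity"}
BARE = {"wsgi.url_scheme": "http", "SERVER_NAME": "keystone.example",
        "SERVER_PORT": "5000", "SCRIPT_NAME": ""}
TLS = {"wsgi.url_scheme": "https", "HTTP_HOST": "keystone.example",
       "SERVER_NAME": "keystone.example", "SERVER_PORT": "443",
       "SCRIPT_NAME": "/identity/v3"}


def naive_base_url(environ):
    """Pre-fix style: ignores SCRIPT_NAME, so the /identity prefix is dropped."""
    return "%s://%s:%s" % (environ["wsgi.url_scheme"],
                           environ["SERVER_NAME"], environ["SERVER_PORT"])


def base_url(environ):
    """Build scheme://host[:port]/SCRIPT_NAME from the WSGI environ.

    application_uri prefers HTTP_HOST (taken from the client's Host header)
    over SERVER_NAME/SERVER_PORT and omits the scheme's default port.
    """
    url = wsgiref.util.application_uri(environ)
    # A version segment may be part of SCRIPT_NAME but is not part of the base.
    url = re.sub(r"/v(3|(2\.0))/*$", "", url)
    return url.rstrip("/")


if __name__ == "__main__":
    for env in (DEVSTACK, BARE, TLS):
        print(naive_base_url(env), "->", base_url(env))
```

Since HTTP_HOST is attacker-influenced request data, deployments that expose the derived URL in responses typically pin a fixed public endpoint in configuration instead of trusting the header.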
test_credential.py was failing on python34 with two different errors.
1. Should encode unicode into byte before hashing on python3
...
hash_.update(access)
TypeError: Unicode-objects must be encoded before hashing
2. Request body should always be bytes on python3, use `dump_as_bytes`
to convert the body to bytes.
...
File "/opt/stack/keystone/.tox/py34/lib/python3.4/site-packages/
webob/request.py",
line 710, in _body__set % type(value))
TypeError: You can only set Request.body to bytes (not <class 'str'>)
bp python3
Change-Id: I82e731ea5e517e030db55cf01cc86db9684f4622
Ensure the hostname in the trusted_dashboard config is lowercase
to prevent failures when comparing against the origin query URL.
Closes-Bug: #1538754
Change-Id: I807a567e7d93c09c5c370065509c106b7d1c973b
The oslo.utils reflection module/code handles more variations
of where a class name may come from (on python 2 and python 3)
so its usage allows getting more accurate class names so we might
as well use it.
Change-Id: I94a1f522755ec76b9b48b881c42b65a7c4c3860f
pycadf now has more strict validation for IDs, specifically, it tests to
make sure they are UUIDs. In a multi-domain configuration this fails
since the public ID that is generated by keystone is not an actual UUID.
Change-Id: I1fd13bd7a7fe037bd0e1b7d6fb0214460ff7c963
Closes-Bug: 1521844
Co-Authored-By: Steve Martinelli <stevemar@ca.ibm.com>
The first phase of providing optional support for ensuring projects
and domains do not contain any reserved characters. Subsequent
patches will support the 'strict' option for such names.
A release note will be added at the end of the chain of patches,
once the full support has been implemented.
Partially Implements: blueprint url-safe-naming
Change-Id: I9b06cb5fa521d2cd3919c072a996c528d387dfe8