This removes common.controller, common.extension, common.router, and
common.wsgi. Relevant code from common.wsgi (used by AuthContext) was
moved into keystone.server.flask.request_processing.middleware.auth_context.
keystone.api.discovery now uses keystone.flask.base_url
test_middleware and test_exception were modified to reflect the changes
to the remaining code from keystone.common.wsgi.
keystone.common.authorization only holds a couple constants for auth
work now.
Routes is removed from requirements.txt
Release-Note for migration to flask added.
Change-Id: I81563b6a49c8f12ecade058a9483f3b6f070dc72
Closes-Bug: #1776504
Token bind operations were deprecated in Pike with UUID tokens and
staged for removal in Rocky.
https://review.openstack.org/#/c/428388/
This change does keep a configuration option around since it was not
officially deprecated with the rest of the token bind functionality.
The option is being officially deprecated in this commit and
additional context about the change was added to the help text for the
option.
bp removed-as-of-rocky
Change-Id: I7a42408893c782bcc20fb40ebba5f2d8af9da6a5
With the complete removal of the v2.0 API, keystone no longer
differentiates between admin and public endpoints. This change
deprecates the "admin_endpoint" configuration option and converts
keystone over to only using the public endpoint. The "admin" endpoint
was only used for unit testing purposes.
This change does not clean up all related code; it is aimed at making
the most minimal set of changes eliminating the use of the
"admin_endpoint" configuration option.
Partial-Bug: #1776504
Change-Id: I08f6f8ae078d65203bd95c43c80367dd3489be48
JSON Home Resources must be stored in a location other
than the router for Flask as we are not composing routers
in the same way as we used to with the home-grown webob
based WSGI setup.
Partial-Bug: #1776504
Closes-Bug: #1776506
Change-Id: I292ea9e923ff2f49041dfd417994bcdd797d0520
This patchset removes the lingering code that supported paste.deploy
that is obsoleted by the loader wrapped around keystone's use of Flask.
* The keystone-paste.ini file has been removed.
* All options have been removed (without deprecation) as they are no
longer referenced.
* The TokenAuthMiddleware code (with deprecation warning) has been
removed as it was only provided to ensure compatibility with paste.ini
files that were not updated (ensuring not breaking a deployer that
did not update paste.ini file to remove it from the pipeline).
* Paste deploy entrypoints have been removed.
Change-Id: I35064a440ef718f50c7e644e8b2d56a99c3ec74f
Basic conversion of Keystone's core application to flask framework.
This doesn't add much in the way of flask-specific-isms but should
get keystone running directly under flask. This implementation does
not use paste-deploy.
Change-Id: Ib4c1ed3f645dd55fbfb76395263ecdaf605caae7
Currently when keystone throws a 500 Error, depending on the actual
exception type, it can log the message as an exception or as a warning.
Specifically, if the server throws an exception.UnexpectedError, it
does not log this as an exception; it simply logs it as a warning. This
patch set logs the error as an exception if exception.Error is an
exception.UnexpectedError.
Change-Id: Ia47cc11378ec64d59b7403cb8a284c764148d7a9
Co-Authored-By: Tin Lam <tin@irrational.io>
Closes-Bug: #1717962
V2Controller and V3Controller inherit from Application. Both depend on
the "policy_api", but neither needs "assignment_api" or
"token_provider_api".
This commit removes "assignment_api" and "token_provider_api" as
required dependencies and moves the required annotation of "policy_api"
to the V2Controller and V3Controller class declarations.
Change-Id: I5f7d61a0003797ed1bf0c342fef170260d0503fd
Merged the decorator logic into a single function that
calls check_policy. Moved authorization logic in authorize.py
Prep for oslo-context fixes
Change-Id: Id1452db131740c68b3756a819792f9a60cff239c
This extends [0] to a few more locations in the code.
[0] Iaf2dd45fc86e3eb5e56be0a3e1582a6ddf960bc1
Change-Id: Ibee536d1da8962cf607f35ac308ba00dbb3b4db2
Adding the beginning implementation for registering and using
default policy rules in code. Rules are defined in the new
policies module and added to the return list __init__.py.
Default policies can now be maintained in code and registered
via listing mechanisms in the policies module. As we go, we
can remove the duplicated default policies from our policy.json
file.
This commit specifically:
- Creates a new module called `policies` to hold our in code defaults.
- Ensures we pass our in code policy list to our policy ENFORCER.
- Adds a base policy module for common policy rules.
- Adds a service default policy module for policy rules.
- Adds an endpoint default policy module for policy rules.
- Adds a regions default policy module for policy rules.
partially-implements blueprint policy-in-code
Co-Authored-By: Richard Avelar csravelar@gmail.com
Change-Id: Ic47b1e8b0d479032d8a7b9891ed9800be7036d94
There is a catchall handler that doesn't provide helpful output
when there is a configuration problem.
Closes-Bug: #1641231
Change-Id: I28732a9737001182b867e66088dd13251e2aa03f
Add text to raised Unauthorized and Forbidden exceptions to show the client
what happened.
Change-Id: Id5de16d446cf4fdacfefdad0523e84821e4fd72c
Closes-Bug: 1625120
This function tries to determine the current trust_id by looking up the
auth_context's token model. If this information was available it would
have been put on the request.context object so we can use that instead.
Change-Id: I7ce33b30f220be619c638c77eeb76503f1af79a7
assert_admin is intended to check the roles of the current token to
ensure that there is the admin role. It is basically the v2 equivalent
of @protected for most operations.
Because keystone requires the auth_context middleware be in the pipeline
we know for any authenticated call a request has passed through this
middleware and so the token bind has already been validated.
We can therefore remove this secondary call. We probably don't need to
worry about the assert_authenticated call; however, it will produce a
nicer error message if the middleware is not in place.
Change-Id: I2808f0ca9793e892026f083122d4f7266593c496
This patch makes two changes to make the token binding validation code easier
to read and provide a better user experience.
Firstly, "if a != b" is used instead of "if not (a == b)" which is
easier to read.
Secondly, validation failures are included in 401 unauthorized responses
instead of the default 401 message. Because the Unauthorized class is
also a SecurityError, insecure_debug will need to be enabled in
keystone.conf in order to expose these details to the API. So, the user
experience for operators trying to debug their token binding
configuration will be improved, but security is not unnecessarily
weakened.
Change-Id: Icc78cacd39a31a33680f891cde1acf4ff41f6ae7
The oslo_context provides a standard is_admin property that should be
used instead of pushing one around in our unstructured context dict. This
is part of a trend to use more of the standard context object instead of
our own dict.
Change-Id: Ia7b35ba80f483ef0baa1ae416d670fd45349bd89
This patch swaps use of hardcoded ints and strings for known http
status codes with the values from six.moves.http_client.
Change-Id: Iab83af97920b950d075036ff1499f388299588a0
There is some inconsistency in calls to the wsgi render_response
function. Sometimes the status tuple uses an int for the http
status code and other times a string. The Python 3.5 gate job
discovered the problem.
This patch normalizes all calls to use an int.
Change-Id: I136b01f755ff99dfba244e79068fdaae614b2091
Closes-Bug: #1599983
Push further into pushing a request object around, fix the v2
assert_admin method to work with a request.
Change-Id: I83063178b04c5e401d1f1a6bb9bce63a4a38910e
keystone.common.config is 1200+ lines of super dense, merge-conflict
prone, difficult to navigate, and finicky to maintain code. Let's follow
nova's lead and break it down into more manageable modules.
This patch creates a new Python package, keystone.conf, and moves all of
our configuration options into it, mirroring nova's nova.conf package.
There are a couple special modules in keystone.conf introduced here as
well:
- keystone.conf.__init__: This causes all of Keystone's options to be
registered on import, so consumers of keystone.conf don't have
races with config initialization code while trying to use
oslo_config.cfg.CONF directly (keystone.conf replaces all uses for
oslo_config.cfg.CONF in keystone).
- keystone.conf.base: Keystone's [DEFAULT] group options. I'd prefer
this to be called 'default.py', but I'm just copying nova's lead here.
- keystone.conf.opts: The entry point for oslo.config itself.
- keystone.conf.constants: There are a few constants (deprecation
messages, default paths, etc) that are used by multiple configuration
modules, so they need to live in a common place.
Change-Id: Ia3daffe3fef111b42de203762e966cd14d8927e2
Donmain should be domain
prvider should be provider
boudary should be boundary
convesion should be conversion
inteface should be interface
projcets should be projects
sensistive should be sensitive
environemt should be environment
validaton should be validation
Closes-Bug: #1595778
Change-Id: I304d0de68aa096ea1c1a26c8712a2312578e9c30
Instead of the unformed context dictionary pass a full request object
with access to the context_dict so that existing functions still work.
After this we can replace smaller usages of the context dict with
functions and properties on the request directly.
Change-Id: Ibe822ed7c76a24a7d31d98ce62f873a01e5fb213
First step to using a sane request object everywhere is to make a
request that has the old context dict available. This way we can still
use the old context dict just refer to it via the request object.
Change-Id: Ibcd64791ba52c550b555a007feb847a068da2299
Currently tox ignores D401.
D400: First line should end with a period.
This change removes it and makes keystone docstrings compliant with it.
Change-Id: I9a9520e69701718ff471eebbcc52199dacdd9c68
Currently tox ignores D401 (D401: First line should be in imperative mood).
This change removes it and makes keystoneauth docstrings compliant with it.
Change-Id: I136cf810f47c4c19f29216907a63f226930b5082
Partial-Bug: 1570049
Reuse the validation logic that is already present in auth_token
middleware. Once this is present keystone can start to reuse the same
helpers that are created from auth_token middleware that the other
services rely on.
For now there is still some redundancy, like for example bind checking
is now enforced in auth_token middleware and in keystone. These can be
removed in later commits because they will require test changes.
My intention after this is to start to more directly integrate this with
oslo.policy and start to standardize the way auth is handled from
auth_token middleware to enforcement. Doing this work here means that we
get keystone to try out policy changes first.
Change-Id: I6592ea2865863c9ace1304b06d73a917c3a1b114
The WSGI spec says that the body of a response needs to be bytes. This
ensures that we are using bytes in both Python2 and Python3.
bp python3
Change-Id: I40148c2e2e1e517358b64028d335ac27d17323a3
Since secure_proxy_ssl_header has a default, the code using it can
be simplified since there's no need to check if it's not set
anymore.
Also, corrected the " to ' since OpenStack guideline is to prefer '.
Change-Id: I494354062fce99375c38ef3ce710459423bc5ec4
Keystone's tox.ini contains an "ignore" entry for H405 violations:
multi line docstring summary not separated with an empty line.
All violations of H405 should be fixed so that H405 can be removed
from the ignore list.
Change-Id: I1b2aae0cabc20909cf3b0a405d5e31c5d91148b2
Closes-Bug: #1482773
The current wsgi.Application.base_url() function does not work correctly
if Keystone runs on something like "http://1.2.3.4/identity" which is now
a default in devstack.
This patch fixes that by using wsgiref.util to parse the environment
variables set in WSGI mode to find the real base url and return the
correct URL. The following environment variables will be used to
produce the effective base url:
HTTP_HOST
SERVER_NAME
SERVER_PORT
SCRIPT_NAME
Closes-Bug: #1381961
Change-Id: I111c206a8a751ed117c6869f55f8236b29ab88a2
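As an added illustration (not keystone's own code) of the base-url derivation the commit above describes, the function below uses wsgiref.util.application_uri, which consumes exactly the listed environ variables (HTTP_HOST, SERVER_NAME, SERVER_PORT, SCRIPT_NAME); the environ dictionaries are constructed, and the optional allowed_hosts check is an addition here, not part of the commit.

```python
from wsgiref.util import application_uri


def base_url(environ, version=None, allowed_hosts=None):
    """Derive the effective base URL of a WSGI app from its environ.

    application_uri() prefers HTTP_HOST (the client-supplied Host header)
    and only falls back to SERVER_NAME/SERVER_PORT when it is absent; it
    then appends the quoted SCRIPT_NAME, which is where a mount prefix such
    as /identity lives.  Because HTTP_HOST is attacker-influenced, callers
    that embed the result in responses can pass an allow-list of hosts.
    """
    host = environ.get('HTTP_HOST')
    if allowed_hosts is not None and host and host not in allowed_hosts:
        raise ValueError('untrusted Host header: %r' % host)
    url = application_uri(environ).rstrip('/')
    if version:
        url = '%s/%s' % (url, version.strip('/'))
    return url


def make_environ(scheme, server_name, server_port, script_name, host=None):
    """Build a minimal, constructed WSGI environ for the demonstration."""
    environ = {
        'wsgi.url_scheme': scheme,
        'SERVER_NAME': server_name,
        'SERVER_PORT': server_port,
        'SCRIPT_NAME': script_name,
        'PATH_INFO': '/v3/auth/tokens',
    }
    if host is not None:
        environ['HTTP_HOST'] = host
    return environ


# Keystone mounted under /identity behind a web server, the devstack case.
DEVSTACK_ENV = make_environ('http', 'localhost', '80', '/identity',
                            host='1.2.3.4')
# Stand-alone deployment: no Host header, non-default port, no prefix.
STANDALONE_ENV = make_environ('http', 'keystone.example.org', '5000', '')


if __name__ == '__main__':
    print(base_url(DEVSTACK_ENV))          # http://1.2.3.4/identity
    print(base_url(DEVSTACK_ENV, 'v3'))    # http://1.2.3.4/identity/v3
    print(base_url(STANDALONE_ENV, 'v3'))  # http://keystone.example.org:5000/v3
```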
Some changes were made to fix fernet padding for python3 [1]; the
fernet payload is decoded to str after encryption when
creating a fernet token. But it will be a unicode string on
python27 and this is not compatible with `mod_wsgi`.
`mod_wsgi` needs the values in the response headers to be of binary (str)
type on python2, and unicode (str) type on python3. This patch
does this translation accordingly to make keystone work with
`mod_wsgi`.
[1] https://review.openstack.org/#/c/231711/
Closes-Bug: #1528981
Change-Id: I0217ac10d20c51a9c17bed566f326eb6db6ed949
Since keystone's paste.deploy configuration file has been separated
from the main keystone configuration file (keystone.conf), all
local configuration or driver-specific configuration parameters
must be in the main keystone configuration file instead of PasteDeploy
conf file.
This patch changes keystone to log a warning if there's any local_conf defined in
the PasteDeploy INI and removes the `local_config` argument from wsgi middleware
since it doesn't work.
DocImpact
Closes-Bug: #1369388
Change-Id: Iaf6ad869b61e4330a4ea48e606fd9eda69b9cd12
The /OS-FEDERATION/projects and /OS-FEDERATION/domains are
deprecated and are replaced by /auth/projects and /auth/domains.
The JSON Home document should reference the new paths.
Change-Id: I1998d748948d0e11f0b94cb0b9f7ebbfecd2342a
An exception occurs in the WebOb library when it tries to decode a
parameter that is not valid UTF8. To avoid this let's wrap the section
using the WebOb code and raise a ValidationError so the user gets
proper feedback instead of an UnknownError and a server 500 response.
Change-Id: I6781770a6c5b317eaef84064ef61b9c838d22bc2
Closes-Bug: 1485694
All keystone middleware components should reuse the auth context prepared
by AuthContextMiddleware. Note that AuthContextMiddleware is listed in
etc/keystone-paste.ini as one of the earliest middleware components in the
keystone pipeline. This means that almost all other middleware components
can depend on the auth context being available for use.
Also added a test to check that a trust cannot be retrieved in case of a
missing auth context. Such a request should throw a Forbidden exception.
Change-Id: I1c08976cf4d175fa2cfe2e39fe55811f04f13243
Closes-Bug: #1433211