This repo does not support Python 2 anymore, so we don't need
six for compatibility between Python 2 and 3; convert six usage to Python
3 code.
Change-Id: Icba56808f38277b27af2ae5aac4b8507dee71b3b
This allows domain_ids to match across distinct Keystone
deployments. The domain_id is used to create unique
identifiers with the mapping backend. When this
option is used, mapped user identifiers can be
consistent across different Keystone servers.
closes-bug: 1794527
Change-Id: I100bca162e71a9d394ed5787b976b13b1e57987f
This change makes the policy definitions for admin limit
operations consistent with the other limit
policies. Subsequent patches will incorporate:
- domain user test coverage
- project user test coverage
Change-Id: Id3f6159af505fbe81ff83cfaa346f2178f2d8e77
Closes-Bug: 1805372
Related-Bug: 1805880
A recent set of changes added a common role definition for system
administrators and system readers. Instead of rewriting the same thing
in each policy module, we can just reference a single consistent
string available in base.py.
Change-Id: I9de01478fe45a9935d901e4936f6c56bfceac6ae
The unit tests use sqlite, which disables the db foreign keys
function by default. This patch enables the sqlite foreign keys
function for unit tests by default.
The "project" table is a self-referencing FK table (id <-> domain_id
column). So when the FK is enabled, there must exist a root record
before inserting data into this table. It's <<keystone.domain.root>>.
Usually, the <<keystone.domain.root>> record is inserted into the
table once operators run the "keystone-manage db_sync" command when
deploying Keystone. But the unit test code doesn't run this command;
it initialises the db schema by reading the sqlalchemy object model, so
the <<keystone.domain.root>> record is missing. Then we can't create
any project record; it'll raise an FK error.
So in this patch, before creating any projects in the test, we must
ensure the <<keystone.domain.root>> record exists first.
Change-Id: I565d12395ca39a58ba90faf8641a9e02d986aeb9
Closes-Bug: #1744195
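A stand-alone illustration of the FK problem this commit message describes, added here as an example (not keystone's code or schema): a simplified self-referencing project table in sqlite, with the constructed ids "default" and "p1", showing that inserts fail once PRAGMA foreign_keys is on unless the <<keystone.domain.root>> row is seeded first.

```python
import sqlite3

ROOT_DOMAIN_ID = "<<keystone.domain.root>>"

# Constructed, simplified stand-in for keystone's project table: domain_id
# is a foreign key back to project.id, so the table references itself.
PROJECT_DDL = """CREATE TABLE project (
    id        TEXT PRIMARY KEY,
    name      TEXT NOT NULL,
    domain_id TEXT NOT NULL REFERENCES project(id),
    is_domain INTEGER NOT NULL DEFAULT 0)"""


def open_db(enforce_fks):
    # sqlite leaves foreign_keys OFF unless the PRAGMA is issued per connection.
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = %s" % ("ON" if enforce_fks else "OFF"))
    conn.execute(PROJECT_DDL)
    return conn


def ensure_root_domain(conn):
    # What 'keystone-manage db_sync' seeds and the unit tests did not. The root
    # row points at itself; sqlite checks immediate FKs at end of statement.
    conn.execute(
        "INSERT OR IGNORE INTO project (id, name, domain_id, is_domain) "
        "VALUES (?, ?, ?, 1)", (ROOT_DOMAIN_ID, ROOT_DOMAIN_ID, ROOT_DOMAIN_ID))


def create_domain_and_project(conn):
    # Insert a domain under the root, then a project in that domain.
    # Returns True on success, False when the FK constraint rejects a row.
    try:
        conn.execute(
            "INSERT INTO project (id, name, domain_id, is_domain) VALUES (?, ?, ?, 1)",
            ("default", "Default", ROOT_DOMAIN_ID))
        conn.execute(
            "INSERT INTO project (id, name, domain_id) VALUES (?, ?, ?)",
            ("p1", "demo-project", "default"))
        return True
    except sqlite3.IntegrityError:
        return False


def run_scenario(enforce_fks, seed_root):
    conn = open_db(enforce_fks)
    if seed_root:
        ensure_root_domain(conn)
    return create_domain_and_project(conn)
```

With FKs off the dangling reference to the missing root row goes unnoticed, which is why the gap only surfaced once enforcement was switched on.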
The method dict.get(key) will return None
in the following two cases:
A. if there is no key in the dictionary.
B. if the real value of the key is just None.
The above two cases will result in passing
the assertion, which is not the expected
behaviour of the test.
Change-Id: Ib4a7f2d5beb1e4e9b4d8d9dd90de3f52a5c29e74
When a hierarchical limit enforcement model is deployed
by keystone, the project hierarchical depth should
not break the limit model as well.
This patch updated the project depth check function
to fix the problem.
bp: strict-two-level-model
Change-Id: I695fedcf83bdca2946a2c5d876052c02b0f63810
Add an include_limits filter for get project to support
fetching project hierarchy limits.
This filter should be used together with the "subtree_as_list"
or "parents_as_list" filter.
bp: strict-two-level-model
Change-Id: Ib602887c92b89be0ffec1394a3076f5dd5671511
Without it, listing projects results were missing projects on which the
user had an inherited role.
Change-Id: If8edb3d1d1d3a0dab691ab6c81dd4b42e3b10ab3
Closes-Bug: #1780159
If there are idps in a domain, when users try to delete the
domain, a 500 internal error will be raised.
This patch added a new callback event to clean up the related
idps.
Closes-bug: #1760809
Change-Id: I37c8745e4509f69aaa659b130ccbdfe51cf6a1b8
This patch changed the sql query for domain list
to ensure the return count is correct if list_limit
is set for resource.
Closes-bug: #1760521
Change-Id: I690a9815fe2c35e6191ab3ac789e34736e0d637c
The list_limit for domain list doesn't work
correctly. The return count will be less than
list_limit if the sql query contains the root domain.
This patch exposes this bug and it will be fixed
in the following patch.
Co-Authored-By: Lance Bragstad <lbragstad@gmail.com>
Partial-bug: #1760521
Change-Id: Ib28793c97f1b730cb3b83b046e653a7b660af875
Currently when using the "tags" filter to search projects by tag names,
the filter only matches projects that have an exact match. Projects that
contain the exact tags given, but with additional tags are excluded.
This behavior is not compatible with the use cases defined in both the
keystone[0] and api-wg[1] specs, notably with the "tags" and "tags-any"
interaction.
This change makes it so that "tags" filtering will be performed by
matching a subset containing given tags against projects, rather than
exact matching. This allows the "tags" and "tags-any" filters to work as
described in both [0] and [1].
[0] https://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/project-tags.html
[1] https://specs.openstack.org/openstack/api-wg/guidelines/tags.html#filtering-and-searching-by-tags
Co-Authored-By: Nicolas Helgeson <nh202b@att.com>
Closes-Bug: #1756190
Change-Id: I632efdf0af2969be0a59dc5928a6c036eeca6051
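The filter semantics this change switches to, as an added illustration (not keystone's own filter implementation; the sample projects are constructed): "tags" matching as a subset rather than an exact set, "tags-any" as at-least-one, and the two combined as [0] and [1] describe.

```python
# Constructed sample projects, not data from keystone's test suite.
PROJECTS = [
    {"id": "p1", "name": "web", "tags": ["prod", "web"]},
    {"id": "p2", "name": "web-pci", "tags": ["prod", "web", "pci"]},
    {"id": "p3", "name": "batch", "tags": ["prod", "batch"]},
    {"id": "p4", "name": "sandbox", "tags": []},
]


def parse_tags(value):
    # Tag filters arrive as a comma-separated query-string value.
    return {t for t in value.split(",") if t}


def filter_exact(projects, tags):
    # Behaviour before the fix: only projects whose whole tag set equals
    # the requested tags match, so p2 is excluded by tags=prod,web.
    wanted = parse_tags(tags)
    return [p["id"] for p in projects if set(p["tags"]) == wanted]


def filter_projects(projects, tags=None, tags_any=None):
    # Behaviour after the fix, per [0]/[1]: "tags" is a subset test (all
    # requested tags present), "tags-any" an intersection test (at least one
    # present), and both must hold when given together.
    wanted_all = parse_tags(tags) if tags else set()
    wanted_any = parse_tags(tags_any) if tags_any else set()
    matched = []
    for p in projects:
        have = set(p["tags"])
        if wanted_all and not wanted_all <= have:
            continue
        if wanted_any and not (wanted_any & have):
            continue
        matched.append(p["id"])
    return matched
```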
A previous change started removing the self magic:
Ic2094dca56158d8e4cd843eadff837f3a17ea38f
This commit finishes that work. A subsequent patch will remove the
self manager logic altogether and we'll fix up any trivial test
infrastructure then.
Change-Id: Iedbde34ef5aa84905fd6b5f2297bf7f46dd7d278
"add_user_to_project" and "remove_user_from_project" are only
used for V2. This patch removed these two useless functions.
Change-Id: I94f7573997035c4395ec77eabe0d6e45ff9c3bf7
This just adds a test to make sure we always return the tags
attribute when listing projects. This was brought up in a tempest
review:
https://review.openstack.org/#/c/485344/7
This commit just adds the test coverage.
Change-Id: I4cc8a150d4b0823755804937e50220dfcfb2a750
This change adds the new API routes for project tags as well as
the controller methods for listening for /v3/project/[id]/tags.
Change-Id: Ic2e5874a427341f2edb6e9122386fb98af2c24ef
Partially-Implements: bp project-tags
Co-Authored-By: Jaewoo Park <jp655p@att.com>
Co-Authored-By: Nicolas Helgeson <nh202b@att.com>
Depends-On: I00f094a5584be40ab477cbf680a5f6d1afb4d21b
Depends-On: Ieb68bd2c9c216b25ad74d320a1c9a297d2b251e7
With the v2.0 resource API removal in Queens, these tests are no longer
required.
bp removed-as-of-queens
Change-Id: Ie84d1b2e54281f512ebffe8372dd56a77b34af13
This was originally staged to be removed in the T release.
Discussions from the Queens PTG resulted in the ability to remove it
sooner since everything else in v2.0 is gone except the ec2 APIs.
This patch just removes the v2.0 authentication API and the tests
that failed as a result. A subsequent patch will go through and start
removing all the plumbing, fixtures, and testing infrastructure that
is no longer needed.
bp removed-as-of-queens
Change-Id: I4c3e35f3565b4b60ae4d00cc2490bd04aba1a800
We deprecated this functionality during the Mitaka release and staged
it for removal in Ocata. Let's remove it!
A note for reviewers. Some of the logic for allowing projects to
update their domain_id was implemented in the resource Manager().
As a result, there were several tests that tested the manager
directly. Now that we're removing the logic for allowing
``domain_id`` to be updated, we can rely solely on the
``_require_matching_domain_id()`` method in the
keystone.common.controller module. This short-circuit check will
return a 4XX response code for all requests attempting to update the
``domain_id`` of an entity. Since this is all completely isolated
in the controller layer, we can remove the logic from the resource
Manager specifically as well as the tests. This change looks like
we're removing a bunch of tests from
keystone.tests.unit.resource.test_backends but we're actually just
relying on more basic tests in test_v3_resource.
Change-Id: Iad0eba66e7ddc9497205af60671451a385d0de58
Closes-Bug: 1653472
This commit implements credential encryption through the following changes:
- additive schema change to store key hashes for credentials
- database migration to encrypt all pre-existing credentials
- contractive schema change to remove unencrypted credential column
- added code to the credential Manager to handle credential encryption
All credentials will be encrypted by default. There will not be a way to store
unencrypted credentials in keystone from this point forward.
Note that this implementation uses database triggers in the migration process.
If operators use the traditional offline migration method, it would be more
reliable if we didn't try to set up and tear down triggers, as they'll never be
used anyway. This makes it so that expand and contract migrations can skip
anything related to triggers.
Co-Authored-By: Werner Mendizabal <nonameentername@gmail.com>
bp credential-encryption
Depends-On: I433da9a257daa21ec3b5996b2bca571211f1fbba
Depends-On: Id3e8922adc154cfec5f7a36613e22eb0b49eeffe
Change-Id: I31b7539db436ad270462cfaa3b14213e0ed1fc04
keystone.common.config is 1200+ lines of super dense, merge-conflict
prone, difficult to navigate, and finicky to maintain code. Let's follow
nova's lead and break it down into more manageable modules.
This patch creates a new Python package, keystone.conf, and moves all of
our configuration options into it, mirroring nova's nova.conf package.
There are a couple special modules in keystone.conf introduced here as
well:
- keystone.conf.__init__: This causes all of Keystone options to be
registered on import, so consumers of keystone.conf don't have
races with config initialization code while trying to use
oslo_config.cfg.CONF directly (keystone.conf replaces all uses for
oslo_config.cfg.CONF in keystone).
- keystone.conf.base: Keystone's [DEFAULT] group options. I'd prefer
this to be called 'default.py', but I'm just copying nova's lead here.
- keystone.conf.opts: The entry point for oslo.config itself.
- keystone.conf.constants: There are a few constants (deprecation
messages, default paths, etc) that are used by multiple configuration
modules, so they need to live in a common place.
Change-Id: Ia3daffe3fef111b42de203762e966cd14d8927e2
assertEqual expects that the arguments provided to it should be
(expected, observed). If a particular order is kept as a convention,
then it helps to provide a cleaner message to the developer if Unit
Tests fail. The following patch fixes this issue.
Change-Id: I85628a1d60fa809f80d658ed7d66dbd5d7e03010
Closes-Bug: #1259292
Currently tox ignores D401.
D400: First line should end with a period.
This change removes it and makes keystone docstrings compliant with it.
Change-Id: I9a9520e69701718ff471eebbcc52199dacdd9c68
Currently tox ignores D401 (401: First line should be in imperative mood).
This change removes it and makes keystoneauth docstrings compliant with it.
Change-Id: I136cf810f47c4c19f29216907a63f226930b5082
Partial-Bug: 1570049
Implement the HEAD method for all get-one and list-all operations in the
v3 API (non-extended). While this may never be used by
python-openstackclient, it is useful to operators and application
developers for quickly obtaining metainformation about API resources,
and for "testing hypertext links for validity, accessibility, and
recent modification"[1].
[1] https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.4
Closes-bug: #1370335
Change-Id: Iae26ebea1aa40d3b5c6c676dabe4f60a86a4f99f
Moves all domain operations to project table, mapping domains
to projects that have the is_domain attribute set to True. Removes all
manager references to domain driver calls.
The V8 legacy wrapper ensures that manager calls for projects
acting as a domain end up calling the underlying driver domain
methods, so that older drivers are still supported.
The domain driver methods and the domain table will be removed in
follow-up patches.
Co-Authored-By: Raildo Mascena <raildo@lsd.ufcg.edu.br>
Co-Authored-By: Rodrigo Duarte <rodrigods@lsd.ufcg.edu.br>
Co-Authored-By: Samuel de Medeiros Queiroz <samueldmq@gmail.com>
Co-Authored-By: Adam Young <ayoung@redhat.com>
Co-Authored-By: Henry Nash <henryn@linux.vnet.ibm.com>
Change-Id: Ib22a0f3007cb7ef6b4df6f48da5f4d018e905f55
Implements: bp reseller
Keystone's tox.ini contains an "ignore" entry for H405 violations:
multi line docstring summary not separated with an empty line.
All violations of H405 should be fixed so that H405 can be removed
from the ignore list.
Change-Id: I1b2aae0cabc20909cf3b0a405d5e31c5d91148b2
Closes-Bug: #1482773
In preparation for supporting projects acting as a domain, we
add filtering to the list_projects API, with a default of
is_domain=False. This ensures that the collection returned
from an unfiltered call at the API level will be unchanged
as compared to earlier releases.
Co-Authored-By: Henrique Truta <henrique@lsd.ufcg.edu.br>
Co-Authored-By: Henry Nash <henryn@linux.vnet.ibm.com>
Partially-Implements: bp reseller
Change-Id: Ia53f73e578834c191d04ede2b76a104c29b14678
In subsequent patches projects will start acting as domains.
This patch adds REST level tests, protected by the wip decorator,
that will validate the external view of projects acting as domains.
This patch also modifies the unit.new_project_ref() test helper to
better represent that parent_id is an optional parameter for
1st level projects (since their parent is defined by their
domain_id). This will allow us to better test the various
mixtures of domain_id and parent_id in future patches. This
exposed a number of test cases which did not allow for the
fact that parent_id may not have been set by new_project_ref().
Co-Authored-By: Henrique Truta <henrique@lsd.ufcg.edu.br>
Co-Authored-By: Rodrigo Duarte <rodrigods@lsd.ufcg.edu.br>
Partially implements: blueprint reseller
Change-Id: Ibd4b6ca35746ad497523c01352b7b6b985ac8a7f
Building on the earlier patch that provided the 'new' url name
restriction, this patch adds the 'strict' option that prevents
authenticating to projects and domains with unsafe names.
A release note and config documentation are also added that cover
both this and the earlier patch.
Partially Implements: blueprint url-safe-naming
Change-Id: Ie69025e7759bae1067e05d9190bede192a5e6830
Currently the default domain cannot be deleted through the update API.
There are checks in update_domain to prevent this.
This change deletes all checks and related tests for deleting
the default domain, including new default domain and old
default domain tests.
Change-Id: I31a9cd7ac8c394b38038343f85f405080ca5f915
Closes-Bug: 1522616
This reverts commit c4723550aa.
This revert is being proposed as it breaks behavior that real-world
deployments rely on. The deployments requested the V2 token with
user_id and tenantId and then used the V2 token for the
non-default-domain user to access swift.
While the deployment is being encouraged to fix their code to use V3,
this is behavior that was supported and used.
This revert was done by hand due to the volume of change that has
occurred to the tests since the original patch landed.
Conflicts (a lot of test refactoring):
keystone/tests/unit/test_v3_assignment.py
keystone/tests/unit/test_v3_auth.py
keystone/tests/unit/test_v3_identity.py
Change-Id: I4a303a5fcc8c2dacef5960e9e26ad9402f34a790
Closes-Bug: 1527759
The first phase of providing optional support for ensuring projects
and domains do not contain any reserved characters. Subsequent
patches will support the 'strict' option for such names.
A release note will be added at the end of the chain of patches,
once the full support has been implemented.
Partially Implements: blueprint url-safe-naming
Change-Id: I9b06cb5fa521d2cd3919c072a996c528d387dfe8
Standardize use of unit.new_credential_ref(). Remove methods in preference
for the common function.
Refactor the credential creation code to simplify and standardize the tests.
Change-Id: I4274ea9ae17ae7b8b18dc0c86c9f9496a0803c71
In test_v3_resource, some tests create local
entities scoped to the test class instance, as
opposed to scoped only to the test method.
This patch fixes such occurrences.
Change-Id: Ie4f1e2e61d89fa10a99c9bebd2b9bd06fccd7c6a
In test_v3_resource, a group and a credential
entity are created but only used by 2 methods.
This patch moves those entities from the setUp
method to the specific tests which need them.
Change-Id: Ib73cea79f2b0f4315022049a78c6b77550ea697a
As of Kilo release, the resource backend was
created from the assignment backend [1].
However, resource tests didn't follow that split.
This patch splits out resource tests from
test_v3_assignment.py to test_v3_resource.py.
[1] https://specs.openstack.org/openstack/keystone-specs/specs/kilo/pluggable_assignments.html
Co-Authored-By: Dave Chen <dave.jungler@gmail.com>
Partially Implements: bp pluggable-assignments
Change-Id: I9d639e892df021db93d10a9313c4f4d1df737fef