Resolve the following LegacyAPIWarning warning:
The Query.get() method is considered legacy as of the 1.x series of
SQLAlchemy and becomes a legacy construct in 2.0. The method is now
available as Session.get()
Change-Id: I30d0bccaddff6a1d91fcd5660f490f904e7c8965
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
During a trust deletion, the backend will fetch all trusts by the same
trustor and look for redelegations to be deleted as well. If you have
a considerable number of trusts, that call becomes expensive. By
pushing this filter into the backend, the response time for the API call
depends only on the number of redelegations for that trust.
Change-Id: Id3a820fca0bb20561ba031797d2b0fb96ba1f78d
Closes-Bug: #1935840
This repo does not support Python 2 anymore, so we don't need
six for compatibility between Python2 and 3, convert six usage to Python
3 code.
Change-Id: Icba56808f38277b27af2ae5aac4b8507dee71b3b
The trust SQL backend uses the extras column to store the
redelegated_trust_id and redelegation_count info. It's
better to make them first class citizens and give them
their own columns.
This change does not add redelegation_trust_id to the trust schema
because this value is set by the token context, not by the user. We also
remove it from the api-ref example to avoid confusion about this.
Co-Authored-By: David Stanek <dstanek@dstanek.com>
Co-Authored-By: Alexander Makarov <amakarov@mirantis.com>
Change-Id: If496152e40d2213a03faad5645667220fddfcf62
This patch adds functionality to purge
expired and soft-deleted trusts older
than the given date.
Change-Id: I0bd47e57f8650182e38b4f70e04cb53338fce474
Related-Bug: #1473292
This patch adds the functionality for purging both
expired trusts as well as non-expired soft-deleted
trusts, since those soft-deleted trusts are
as likely to bloat the database as expired trusts.
Related to patch:
https://review.openstack.org/#/c/589378/
Change-Id: I3c74f2345a944ce03a8189c4e66c3c37350cd34f
Related-Bug: #1473292
We've already converted Password objects to use the DateTimeInt format
for their datetime attributes[1]. This was necessary to cope with
differences in date storage formats between different DBMSs that were
causing intermittent test failures. While we're not experiencing those
CI problems any more, the DateTimeInt format is the way forward for
consistent datetime storage. This patch converts the trust table and
model to use the new format.
[1] https://review.openstack.org/#/c/493259/
Related-bug: #1702211
Change-Id: If524c743170924e5b8cfdafa862ed31b06db018c
This change replaces the use of DictBase with the ModelDictMixin
for any SQL models that do not contain an extra column and renames
the DictBase to a more descriptive name of ModelDictMixinWithExtras.
A Docstring has been added indicating the continued usage of
ModelDictMixinWithExtras should not be done for any "new"
models.
Change-Id: I9a4767cacf7620e878df70084060f3e43e1318df
Eventlet patched time.sleep. When time.sleep was called, eventlet
switched to another worker. The code being removed gave eventlet
a chance to switch to another worker if there was one.
Eventlet was removed a long time ago and the call being removed
is not needed any more.
Change-Id: I2d23f20f94c2f2e0917be9ea67e7e5edf3514aff
A trust without a valid project is useless and will no longer
be active, since the id of the project is a random number and is only
assigned when it is created.
The patch invalidates the trust if the related project is deleted.
Change-Id: I51214c46ef5332c159b1e18bbd7046d12aba4a65
Closes-Bug: #1622310
There is no need for, and there should not be, any conflict or integrity
exception when listing something from the DB.
Change-Id: I9f999a204ee7ef9e51384e6e032257aae7794e5e
This patch moves the trust abstract base class out of core and
into backends/base.py
This removes dependencies where backend code references code in the
core. The reasoning being that the core should know about the backend
interface, but the backends should not know anything about the core
(separation of concerns). And part of the risk here is a potential for
circular dependencies.
Partial-Bug: #1563101
Change-Id: Ibe9203635ee4ad5d1afee3ad751f04de6ef66f94
EngineFacade is deprecated. This partially switches keystone to
use oslo.db.sqlalchemy.enginefacade. 'get_session' and 'get_engine'
methods are still used in sql migrations and related tests.
Change-Id: I221232d50821fe2adb9881f237f06714003ce79d
Partial-Bug: #1490571
For now, effectively there could be multiple trusts with the same
project, trustor, trustee, expiry date, impersonation. The same
combination can have multiple trusts assigned with different roles
or not.
Patch fixes this issue by adding unique constraint to the trusts
database model. If two requests create trusts with the same
trustor, trustee, project, expiry, impersonation, then the second
request would bring up an exception saying there's a conflict.
This can help to improve specific trusts identification and
improve user experience.
Change-Id: I1a681b13cfbef40bf6c21271fb80966517fb1ec5
Closes-Bug: #1475091
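The database-level uniqueness check this message describes, as an added example that is not keystone's code. It uses the standard-library sqlite3 module rather than SQLAlchemy so it runs stand-alone; the trust table layout, the `Conflict` exception and the function names are assumptions of the example. The second of two requests with the same trustor, trustee, project, expiry and impersonation loses at the database, which is what makes this safe across several API workers where an application-side "does it exist yet?" check is not.

```python
import sqlite3


class Conflict(Exception):
    """Raised when a trust with the same identifying fields already exists."""


def make_db():
    """Constructed in-memory schema; the column set is an assumption of this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE trust (
               id TEXT PRIMARY KEY,
               trustor_user_id TEXT NOT NULL,
               trustee_user_id TEXT NOT NULL,
               project_id TEXT,
               impersonation INTEGER NOT NULL,
               expires_at TEXT,
               UNIQUE (trustor_user_id, trustee_user_id, project_id,
                       impersonation, expires_at)
           )"""
    )
    conn.commit()
    return conn


def create_trust(conn, trust):
    """Insert a trust and translate the database's integrity error into Conflict.

    Roles are deliberately not part of the unique key: two trusts that differ
    only in their role list still collide, as the commit message intends.
    """
    try:
        with conn:  # commits on success, rolls back if the INSERT raises
            conn.execute(
                "INSERT INTO trust (id, trustor_user_id, trustee_user_id, "
                "project_id, impersonation, expires_at) "
                "VALUES (:id, :trustor_user_id, :trustee_user_id, "
                ":project_id, :impersonation, :expires_at)",
                trust,
            )
    except sqlite3.IntegrityError as exc:
        raise Conflict("duplicate trust for %s" % trust["id"]) from exc
    return trust["id"]


def count_trusts(conn):
    return conn.execute("SELECT COUNT(*) FROM trust").fetchone()[0]
```

One caveat worth checking against your own schema: SQL unique constraints treat NULL as distinct from every other NULL (SQLite, MySQL and PostgreSQL all behave this way by default), so two otherwise identical trusts whose expiry is NULL, i.e. non-expiring trusts, both insert successfully. If that case must also conflict, the constraint needs a non-NULL sentinel or a database-specific nulls-not-distinct option.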
Extended support for versioned driver classes to the rest of the
backends based on the design of the initial support for catalog backend @
https://review.openstack.org/#/c/218481/
partially Implements bp stable-driver-interfaces
Change-Id: I0078f6dc32932beb6db534ecf22b160097c5a090
Some of the builtins (like map) have changed in Python3 in a way that
can lead to broken Python2 code.
bp python3
Change-Id: I632d857bd29a23db61538755f09da68f0cf7b723
Instead of duplicating the check for Trust existence in the
controller, move the check to the driver.
Change-Id: Id576ebe9922a70047b8276f372854e086295b6c4
Closes-Bug: #1443721
Most of changes are just replacing
from keystone.openstack.common import log
with
from oslo_log import log
There are some other specific changes that had to be made
* Initialize logger in keystone/config.py
Change-Id: I859edb71c434051ffe7f34c16018b738ddb71e3b
The oslo libraries are moving away from namespace packages.
A hacking check is added to enforce use of the new location.
bp drop-namespace-packages
Change-Id: I9b4b1ff0abde2084d3645825d08dab5670ae7979
The oslo libraries are moving away from namespace packages.
A hacking check is added to enforce use of the new location.
bp drop-namespace-packages
Change-Id: I4ece3ad26c1888388a4a8839f7acf260228a9c71
The trust_api and controllers no longer directly depend on the
token_api. The `validate_token` call on the `token_provider_api`
is now used to retrieve token data.
The token_provider_api listens for trust deletion events to clean
up the token persistence backend. In support of this callback, it
is now possible to perform a .get_trust() and specifically request
deleted / expired / fully consumed trusts. This is done by passing
the kwarg 'deleted' with a value of 'True' to the `get_trust`
method.
This change is to ensure interactions with the token persistence
are consistent so that it is possible to support toggling
persistence of tokens.
Change-Id: Ifc7174d6473dfa279b3dc706a59bc58c812332b3
bp: non-persistent-tokens
Keystone was using functions in oslo-incubator that have been
graduated into oslo.utils. This changes the function calls to use
the functions in oslo.utils.
Change-Id: I39365042de913e1b3edaf849e3f5578cef0b7b02
Due to the lack of support of `SELECT .. FOR UPDATE` call in
MySQL + Galera, the use of `with_lockmode('update')` needs to be
removed from the Trust SQL backend when utilizing the MySQL
dialect.
Instead of the pessimistic locking method (row lock, table lock),
use optimistic locking. The consume_use method now attempts to
update the remaining_uses column for the trust in question only
if the remaining_uses equal the same number as on the initial
query. This is done in a loop with a 10-iteration failsafe to
prevent endless looping.
Change-Id: I1b8af6ce5709f829f345cd351ec9242d0217e743
Closes-Bug: #1325143
Convert the explicit common.sql.get_session() and subsequent
session.begin() to the transaction context manager for Trust
SQL backend.
Change-Id: I52745118782301ef26452063628e16e92e8ee276
Automatic enforcement of this rule is added in:
https://review.openstack.org/78119
bp more-code-style-automation
Change-Id: I167d8e2e648eaf553c586f225939daddfaeddda6
This change sync's oslo-incubator's db module from commit hash
6ba44fd7f9d39a7930defb4e14c37b8b1046cbcb
$ python update.py --nodeps --base keystone \
--dest-dir ../keystone \
--modules db,db.sqlalchemy,gettextutils
- Config options were moved from db.sqlalchemy.session to db.options
- db.sqlalchemy.session doesn't provide get_session, get_engine, or
cleanup functions.
- db.sqlalchemy.migration.db_version() requires an engine parameter
Closes-Bug: #1227321
Change-Id: I742cef9dab68d9eed977df0039736cfe67ca493c
Trusts now have a "remaining_uses" field that tracks how many times
a trust can still issue a token. It is decremented by 1 each time a
trust related authentication occurs (call to /auth/tokens), until it
reaches 0 and no token can be issued through this trust anymore. If
set to null (default value), trusts can be used indefinitely to
authenticate.
Closes-Bug: #1250617
Implements: bp trusts-chained-delegation
DocImpact
Co-Authored-By: Florent Flament <florent.flament-ext@cloudwatt.com>
Change-Id: I2c80b6d548a6715da0366c6f64ee58fbce514adb
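The remaining_uses semantics described in this message (NULL means unlimited, 0 means no further tokens) together with the optimistic-locking consume_use loop described in the MySQL + Galera message above, as an added example that is not keystone's code. It uses the standard-library sqlite3 module rather than SQLAlchemy so it runs stand-alone; the table layout, the exception classes, `add_trust`, and the `_interfere` hook that stands in for a concurrent writer are assumptions of the example. The guarded `UPDATE ... WHERE remaining_uses = <value read>` is what replaces `SELECT ... FOR UPDATE`, and it behaves the same on MySQL.

```python
import sqlite3

MAX_ATTEMPTS = 10  # the 10-iteration failsafe against endless retrying


class TrustUseLimitExceeded(Exception):
    """The trust has reached 0 remaining uses; no more tokens may be issued."""


class ConcurrencyConflict(Exception):
    """Every attempt lost the compare-and-swap race to another writer."""


def make_db():
    """Constructed in-memory schema (an assumption of this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE trust (id TEXT PRIMARY KEY, remaining_uses INTEGER)")
    conn.commit()
    return conn


def add_trust(conn, trust_id, remaining_uses):
    """Insert a trust row; remaining_uses=None models the unlimited default."""
    conn.execute("INSERT INTO trust VALUES (?, ?)", (trust_id, remaining_uses))
    conn.commit()


def consume_use(conn, trust_id, _interfere=None):
    """Decrement remaining_uses with optimistic locking, no row lock taken.

    Each attempt reads the current counter, then issues an UPDATE that only
    matches if the row still holds the value that was read. A rowcount of 0
    means another writer got there first, so the loop re-reads and retries.
    `_interfere` exists for this example only: it runs between the read and
    the write to simulate a concurrent writer.
    """
    for _ in range(MAX_ATTEMPTS):
        row = conn.execute(
            "SELECT remaining_uses FROM trust WHERE id = ?", (trust_id,)
        ).fetchone()
        if row is None:
            raise LookupError("trust %s not found" % trust_id)
        remaining = row[0]
        if remaining is None:
            return None  # NULL means unlimited use: nothing to decrement
        if remaining <= 0:
            raise TrustUseLimitExceeded(trust_id)
        if _interfere is not None:
            _interfere()
        cur = conn.execute(
            "UPDATE trust SET remaining_uses = ? "
            "WHERE id = ? AND remaining_uses = ?",
            (remaining - 1, trust_id, remaining),
        )
        conn.commit()
        if cur.rowcount == 1:
            return remaining - 1  # our guarded write won
        # rowcount 0: the guard did not match, someone else changed the row
    raise ConcurrencyConflict(trust_id)
```

The check on `remaining <= 0` happens before the write, so a trust that has just been exhausted by a concurrent caller is rejected on the retry rather than driven negative; the loop bound turns a pathological write storm into an error the API can surface instead of a hung request.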
With the change to use oslo's db.sqlalchemy.sessions, the
sql.Base class isn't doing enough to justify its continued
existence.
This change removes sql.Base.
Part of bp use-common-oslo-db-code
Change-Id: I2fec97187bdca920757585994810f6a8065be4c4
We don't need vim modelines in each source file, it can be set in
user's vimrc.
Change-Id: Ie51ad62946afdf39eadcd59edaf8134ec10265c6
Closes-Bug: #1229324
With the change to use oslo's db.sqlalchemy.sessions, the
sql.Base class isn't doing enough to justify its continued
existence.
This change is removing the get_session member, which was just
a new name for openstack.common.db.sqlalchemy.session.get_session() .
Part of bp use-common-oslo-db-code
Change-Id: I083ecd54200dcd6cae7248d1a6ef4fcec64e6589
Within the scope of a single method, keeping all the reads and writes within
the context managed by a single session. In this way, the session's __exit__
handler will take care of calling flush() and commit() for you.
If using this approach, you should not explicitly call flush() or commit().
See http://docs.sqlalchemy.org/en/rel_0_7/orm/session.html#committing
Closes-Bug: #1258044
Change-Id: I1125c72712203f1594ef245761dbfc25ed31eab2
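The unit-of-work pattern this message describes, as an added example that is not keystone's code: a transaction context manager over the standard-library sqlite3 module stands in for the SQLAlchemy session, and the anti-pattern of an explicit commit() inside the block is shown beside the correct form so the difference is visible on a failure. The trust and issued_token tables and the function names are assumptions of the example.

```python
import sqlite3
from contextlib import contextmanager


@contextmanager
def transaction(conn):
    """Unit of work: commit when the body finishes, roll back if it raises.

    Plays the role of the session context manager; code inside the block
    must not call commit() itself, otherwise the unit of work is split.
    """
    try:
        yield conn
        conn.commit()
    except BaseException:
        conn.rollback()
        raise


def make_db():
    """Constructed schema (an assumption of this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE trust (id TEXT PRIMARY KEY, remaining_uses INTEGER NOT NULL)")
    conn.execute("CREATE TABLE issued_token (token_id TEXT PRIMARY KEY, trust_id TEXT NOT NULL)")
    conn.commit()
    return conn


def issue_token_partial(conn, trust_id, token_id):
    """Anti-pattern: explicit commit() in the middle of the unit of work.

    If recording the token then fails, the decrement has already been
    persisted and the trust has lost a use for a token that never existed.
    """
    with transaction(conn):
        conn.execute("UPDATE trust SET remaining_uses = remaining_uses - 1 WHERE id = ?",
                     (trust_id,))
        conn.commit()  # wrong: the rollback below can no longer undo this
        conn.execute("INSERT INTO issued_token VALUES (?, ?)", (token_id, trust_id))


def issue_token(conn, trust_id, token_id):
    """Both writes stay inside one transaction and commit or roll back together."""
    with transaction(conn):
        conn.execute("UPDATE trust SET remaining_uses = remaining_uses - 1 WHERE id = ?",
                     (trust_id,))
        conn.execute("INSERT INTO issued_token VALUES (?, ?)", (token_id, trust_id))


def remaining_uses(conn, trust_id):
    return conn.execute("SELECT remaining_uses FROM trust WHERE id = ?",
                        (trust_id,)).fetchone()[0]
```

Replaying a token id makes the INSERT fail on its primary key: with `issue_token` the counter is untouched afterwards, with `issue_token_partial` it has been decremented anyway. The same holds for any exception raised between the two writes.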
This patch syncs models with migrations for:
-Endpoint
-CredentialModel
-TokenModel
-TrustModel
No actual schema change is taking place, this patch just corrects errors
in the model definitions.
Made class Index available in keystone.common.sql.core
partially implements bp db-sync-models-with-migrations
Change-Id: I52f5c455360b65a2d5d884bbbec078dca6d34451
modify "expires" to "expires_at", most of the changes were
already done by Guang-yee, added a pki-token-id test
Change-Id: Ib3f39620db18aaea6b0cb5d0ae9c290afd870605
Blueprint trusts
creates a trust. Using a trust, one user (the trustee), can then
create tokens with a subset of another user's (the trustor) roles and
projects.
If the impersonate flag in the trust is set, the token user_id is set
to the trustor's user ID
If the impersonate flag is not set, the token's user_id is set to the
trustee's user ID
check that both trustor and trustee are enabled prior to creating
the trust token.
sql and kvs backends
sql upgrade scripts
unit tests for backends, auth and v3 api
modifications to the trust controller for creating tokens
Authenticates that only the user can be the trustor in create
Deleting a trust invalidates all tokens created from that trust
Adds the trust id and the id of the trustee to the header of the token
policy rules for trust
This version has a workaround for testing against the KVS version
of the Service catalog
Change-Id: I5745f4d9a4180b59671a143a55ed87019e98ec76