Commit Graph

548 Commits

Author SHA1 Message Date
Boris Bobrov 63556be0e3 Fix operation order in role deletion
Deletion of a role leads to deletion of role assignments and entries in
the application credentials. However, deletion of the entries in
application credentials depends on the existence of the assignment, so
the order of deletion is important.

Delete the entries from application credentials first and then clean up
role assignment.

Closes-Bug: 2053137
Change-Id: Ibba9063c729961cd4155f8b55dbabd4789d7a438
2024-02-15 23:28:24 +01:00
Trent Lloyd 67b5cca032 Improve application credential validation speed
Validating an application credential token is very slow, taking at least
400ms+ in a simple devstack environment, 5-10x longer than validating a
user/password project token.

The primary bottleneck during a token validation request
(/v3/auth/tokens) is that token.roles is evaluated at least 5 times.
validate_token is called twice, first during RBAC to populate the
subject token context and again to actually validate the token. Each
call to validate_token then called token.roles twice because it first
checks if it is None, before calling it again to use the result. Lastly
token.roles is evaluated a fifth time during
render_token_response_from_model.

Each evaluation of token.roles calls through
_get_application_credential_roles into list_role_assignments which then
makes multiple round-trip SQL queries to the database.

Unlike the related get_roles_for_user_and_project function, none of
these calls are currently cached/memoized. We memoize
list_role_assignments to get the same speedup.

Reduce the number of token.roles calls to only 3 by storing and re-using
the token.roles result in validate_token, then memoize
list_role_assignments so the 2nd and 3rd call fetch from the cache
instead of repeating many SQL queries.

This provides a substantial performance improvement bringing validation
time in-line with user/password tokens.

Change-Id: I8c45131b298ceae7b43b42e2c5df167607d18c48
2024-01-02 08:46:24 +00:00
Pete Zaitcev d2deab385b Stop pinning pep8 related packages
These practices cause conflicts periodically. Not right now:
the gate is okay with the current values, which this patch
deletes. However, like the sun rising in the east, it is sure
to happen again. This patch lets workarounds work that the
infra team puts in place. The downside is, we need to fix
the code once in a while as new checks get added.

Change-Id: Ia7a96fb4b6de4251862a8a96c995cefa94dbc271
2023-10-02 15:41:36 -05:00
Stephen Finucane 5d2ab6c63b db: Replace use of Query.get()
Resolve the following LegacyAPIWarning warning:

  The Query.get() method is considered legacy as of the 1.x series of
  SQLAlchemy and becomes a legacy construct in 2.0. The method is now
  available as Session.get()

Change-Id: I30d0bccaddff6a1d91fcd5660f490f904e7c8965
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
2023-02-28 17:26:39 +00:00
Zuul 07aad9418e Merge "Delete system role assignments from system_assignment table" 2020-10-30 21:16:38 +00:00
Vishakha Agarwal c1dcbb05b4 Delete system role assignments from system_assignment table
This patch ensures that the system role assignments are deleted from
all the assignment tables in keystone after deleting the role the
user has over the system.

This also makes sure of deleting stale role assignments before
deleting the role for the deployments that are already in this state.

Closes-Bug: #1878938

Change-Id: I4df19c45c870ff3fb78578ca1fb7dd0d35da3c82
2020-07-29 09:10:01 +00:00
Vishakha Agarwal 28faa24e68 Remove an assignment from domain and project
When you set up a user with a role assignment on a domain
and then a role assignment on a project "acting as a domain",
you can't actually remove them. The database throws you the
error "Multiple rows were found for one()" since it gets two
results for "actor_id" with the same "target_id".

This patch fixes this problem by filtering the database query
by "type" field to determine whether it is a user domain relation
or a user project and then removing the assignment.

Change-Id: Ife92a3c9e0982baafb4224882681c0855f573580
Closes-Bug: #1754677
2020-06-22 14:43:22 +05:30
Vishakha Agarwal 4530041931 Remove six usage
This repo does not support Python 2 anymore, so we don't need
six for compatibility between Python 2 and 3; convert six usage to
Python 3 code.

Change-Id: Icba56808f38277b27af2ae5aac4b8507dee71b3b
2020-01-30 06:06:51 +00:00
Zuul 7bb26ffd15 Merge "Fix role_assignments role.id filter" 2020-01-27 20:00:05 +00:00
zhufl a4b7a6106e Fix duplicated words issue like "each each user_id"
This is to fix the duplicated words issue like
"one for each each user_id in the provided group_id".

Change-Id: Iacb8e713253288d203834355f1de12482c2c029e
2020-01-06 13:50:35 +08:00
Colleen Murphy c2d8830662 Fix role_assignments role.id filter
Without this patch, if there are multiple role assignments on the system
and they are not all the same role, querying for role assignments with
/v3/role_assignments?role.id={role_id} may leak some role assignments
that don't match the role_id, making the returned results incorrect.
This patch fixes the issue by using a list comprehension instead of a
for loop over a list that was being modified within the loop.

Change-Id: Icfce3b14abb55c6fef3de1b314cee22fc8b1d08c
Closes-bug: #1858012
2020-01-02 09:24:54 -08:00
morgan fainberg a38d4a650f Add immutable option for roles and projects
Add in support for immutable roles and projects (including domains).
If the immutable option is set for a role or a project that
resource may not:

* Be Deleted

* Be Updated, except to change the value of "immutable" from
  `True` to `False` or `None` (None explicitly unsets the
  resource option).

* For projects (and domains), project tags cannot be created,
  updated, or deleted.

The immutable check is performed at the manager layer allowing
for exceptional code-cases to work directly with the driver.

Change-Id: I2027b1235a260b7ae5d66cbd6c369773d9e99876
Partial-bug: #1823258
2019-09-10 00:03:16 -07:00
morgan fainberg b31ff3f991 Implement resource options for roles and projects
Add in support for resource options for roles and projects (including
domains). No options are currently implemented for roles or projects.
Scaffolding has been implemented so that adding options should be
straight forward. This will allow for implementing options such
as an immutable flag.

As a mechanism to isolate SQL Models from the Driver implementation
especially when adding in complexity of the resource options, the
models for the Resource backend and the Role Backend (SQL) have been
move to their own module.

Partial-Bug: #1807751
Depends-On: https://review.opendev.org/678379
Required-By: https://review.opendev.org/678380
Change-Id: I456a7c19506d28d5846534f884b8abe0d3079c96
2019-09-09 22:07:30 +00:00
Zuul d2b5550214 Merge "Remove [token]/ infer_roles" 2019-05-23 07:30:46 +00:00
Vishakha Agarwal be36a939cf Remove [token]/ infer_roles
infer_roles in [token] is deprecated. This patch
removes the same.

Partial-Bug: #1829453
Change-Id: If77d73eeac6db215d7710b33c6dba926c14ae2b2
2019-05-22 09:23:11 +05:30
Jim Rollenhagen dc3175afb1 Revert "Blacklist bandit 1.6.0"
This reverts commit ebac8330d8.

Using the glob that I had not yet had enough coffee to do correctly is a
better solution, and allows us to fix new failures in 1.6.0 which would
break us again when 1.6.1 was released.

Change-Id: Ica473ba71b224cdc0acf815f82d534b6c70a7f54
2019-05-14 21:09:32 +00:00
Vishakha Agarwal 4c84739e26 Replace 'tenant_id' with 'project_id'
Since 'tenant_id' is deprecated in openstack, replace it with
'project_id'.

Change-Id: I77e4222623eb3c91fd7d10c2cbb4d212af736814
2019-02-04 16:17:52 +01:00
zhufl 7368e5c678 Do not use self in classmethod
cls should be used in classmethod, instead of self.

Change-Id: I3b5bb805a79b25050ed459f85ad25681171aa743
2019-01-09 17:28:00 +08:00
Adam Young 78566e8286 Remove message about circular role inferences
While cycles could be a problem, this code was detecting them even
when there were none. If a role gets added twice, it was reporting
an error, but that is possible from the case where two distinct prior
add the same implied role. Just move on quietly.

closes-bug 1803780

Change-Id: I804e5084f74ff4afdd582ece02ff2c833c5f6eb1
2018-12-11 21:22:51 -05:00
Zuul 4b41fa4c8b Merge "Add caching on trust role validation to improve performance" 2018-10-23 01:06:56 +00:00
Jose Castro Leon d465a58f02 Add caching on trust role validation to improve performance
In the token model, the trust roles are not cached. This behavior
impacts services that are using trusts heavily like heat or magnum.
It introduces new cache data to improve the performance on token
validation requests on trusts.

Change-Id: I974907b427c34fd5db3228b6139d93bbcdc38df5
Closes-Bug: #1796887
2018-10-19 11:03:09 +02:00
Harry Rybacki 46380baeb7 Convert projects API to Flask
Convert the projects API to Flask native dispatching.

Change-Id: I3406284acfb7950b701f6a98a3a173a427415f97
Co-Authored-By: Morgan Fainberg <morgan.fainberg@gmail.com>
Partial-Bug: #1776504
2018-10-11 15:27:46 -07:00
Morgan Fainberg 86f968163e Convert /v3/users to flask native dispatching
Convert /v3/users to use flask native dispatching.

The following test changes were required:

* Application Credentials did not have the plural form
  in the JSON Home document. The JSON Home document was
  corrected both in code and in tests.

* Application Credentials "patch" test needed to be
  refactored to look for METHOD_NOT_ALLOWED instead
  of NOT FOUND for invalid/unimplemented methods.
  The "assertValidErrorResponse" method was
  insufficient and the test now uses the flask
  test_client mechanism instead.

Change-Id: Iedaf405d11450b11e2d1fcdfae45ccb8eeb6f255
Partial-Bug: #1776504
2018-10-11 15:27:45 -07:00
Zuul 27f226554a Merge "Convert domains api to flask" 2018-09-15 00:15:36 +00:00
Zuul 95f11874dd Merge "Convert OS-INHERIT API to flask native dispatching" 2018-09-15 00:15:32 +00:00
Zuul 785ec01833 Merge "Added support for a ``description`` attribute for Identity Roles" 2018-09-12 17:56:20 +00:00
Gage Hugo 296f20f0a7 Convert domains api to flask
Convert domains api to flask native dispatching.

Change-Id: I974ab112986e6c242a139f7d7dc14fd54a48ee42
Partial-Bug: #1776504
2018-09-12 15:26:37 +00:00
Morgan Fainberg 8c397fa727 Convert OS-INHERIT API to flask native dispatching
Convert OS-INHERIT API to flask native dispatching.

NOTE: A minor test change was needed, the test was mis-constructing the
URI with multiple slashes. The test now properly constructs the URI
using an lstrip when combining the direct_url bits.

Change-Id: I0907eb00cdfb9849342220f9b528f94175e71545
Partial-Bug: #1776504
2018-09-10 20:37:27 +00:00
M V P Nitesh 430d7f765a Added support for a ``description`` attribute for Identity Roles
Now a user can add a description to a role when creating it.
Added support for a ``description`` attribute for V3 Identity Roles.

Co-Authored-By: wangxiyuan <wangxiyuan@huawei.com>
Co-Authored-By: Deepak Mourya <deepakmoriya7@gmail.com>
Change-Id: I230af9cc833af13064636b5d9a7ce6334c3f6e9a
Closes-Bug: #1669080
2018-09-06 05:09:10 +00:00
wangxiyuan c838d93c35 Remove member_role_id/name
Remove deprecated ``member_role_id`` and ``member_role_name``
config options.

Change-Id: I4a29d52da8a7b97baa0cbc52b011b3225fe6ab54
bp: removed-as-of-stein
2018-08-31 15:22:48 +08:00
Morgan Fainberg 180f2ce5e6 Convert system (role) api to flask native dispatching
Convert the /system API (used for granting roles to the system scope) to
Flask native dispatching.

Change-Id: I48b04f2d0e9d858b0c709687beee27227e516843
Partial-Bug: #1776504
2018-08-16 20:48:25 +00:00
Morgan Fainberg 665d5beda7 Convert role_assignments API to flask native dispatching
Convert the role_assignments API to flask native dispatching.

Change-Id: I77f64f025d8dbc42e829bae626aace7deb2e7c6e
Partial-Bug: #1776504
2018-08-16 18:58:03 +00:00
Morgan Fainberg 0f5300ddb3 Convert role_inferences API to flask native dispatching
Convert /v3/role_inferences API to flask native dispatching.

Change-Id: I4a2719f27bb31437cbb0dea9f1379c9b3542c393
Partial-Bug: #1776504
2018-08-13 20:06:35 +00:00
Morgan Fainberg cfc5a730b7 Convert Roles API to flask native dispatching
Convert Roles and Implied Roles (all paths under /v3/roles) to
flask native dispatching. This change does not convert
/v3/role_inferences to flask native dispatching.

Change-Id: I114380e96c6a2b3c167676fa1525e4470560b541
Partial-Bug: #1776504
2018-08-13 20:06:26 +00:00
Morgan Fainberg 4ec6bc5a44 Convert Keystone to use Flask
Basic conversion of Keystone's core application to flask framework.

This doesn't add much in the way of flask-specific-isms but should
get keystone running directly under flask. This implementation does
not use paste-deploy.

Change-Id: Ib4c1ed3f645dd55fbfb76395263ecdaf605caae7
2018-06-04 20:14:41 -07:00
Jose Castro Leon 1ab693ced8 Allow cleaning up non-existent group assignments
If a group gets deleted out-of-band in an LDAP environment, the role
assignments cannot be cleaned as it checks the existence of the group
before triggering the deletion. This fix adds the ability to ignore
a non-existent group and clean up stale role assignments. We take the
same approach with user assignments.

Co-Authored-By: Lance Bragstad <lbragstad@gmail.com>

Change-Id: I975c8325f50b412c3aa256e1940a27082c009cce
Closes-Bug: #1751045
2018-04-09 16:08:34 +00:00
Lance Bragstad 07a66b9c2e Mark the implied role API as stable
This API has been in keystone for a long time and we never updated it
to stable, yet we treat it like a stable API. This change updates the
JSON home document to reflect that. This is also consistent with
discussions during the Rocky PTG:

  https://etherpad.openstack.org/p/keystone-rocky-ptg-json-home

Change-Id: I0b5aef233d9e51799595802d0812015866727987
2018-03-16 16:04:27 +00:00
Lance Bragstad c7658abfd6 Simplify token persistence callbacks
The INVALIDATE_USER_TOKEN_PERSISTENCE and
INVALIDATE_USER_PROJECT_TOKEN_PERSISTENCE callbacks were meant to
clean up invalid tokens from the token storage layer. Now that the
sql token driver has been removed, we don't need them any more. This
commit removes those notifications and refactors the places where
notifications are still needed, making them more specific and not
alluding to token persistence.

This commit also removes a significant amount of logic from the
assignment API that used to notify the token API when assignments
were deleted. This made sense when tokens were written to disk
because there was an opportunity to invalidate them when users were
removed from projects. This is no longer needed since we do
validation online and we don't persist tokens anymore.

Change-Id: I100b7416e8ba61eb4ea2c2eb4962e952a53ea388
2018-02-16 21:40:07 +00:00
Zuul 14626a8fb1 Merge "Delete system role assignments when deleting groups" 2018-02-14 09:08:17 +00:00
Zuul 3376bf8fda Merge "Fix querying role_assignment with system roles" 2018-02-14 06:55:50 +00:00
Lance Bragstad 8748e729b2 Fix querying role_assignment with system roles
This commit removes system role assignments when querying keystone
for a list of assignments pertaining to a specific role. For example,
`GET /v3/role_assignments?role.id={role_id}`, now returns assignments
only for that role. Previously, the list contained false positives
because some system role assignments weren't being removed. This
was introduced in queens with the system scope work.

Change-Id: Iab35ae01bb715da5813e62cd09900de555dceaaa
Closes-Bug: 1748970
2018-02-13 21:37:15 +00:00
Lance Bragstad 5a24b96d95 Delete system role assignments when deleting groups
Keystone removes role assignments that groups have on projects and
domains when deleting groups. This should apply to system role
assignments, too.

Change-Id: Iebedfcae0b77e350e5359b97fa87894af3f1c8ba
Closes-Bug: 1749267
2018-02-13 20:47:54 +00:00
Lance Bragstad 3a3b3c5b5a Delete system role assignments when deleting users
Keystone removes role assignments that users have on projects and
domains when deleting users. This should also apply to system role
assignments, too.

Change-Id: Ied51b9c3b58714b2d5dbcb933eca1839d1351fc7
Closes-Bug: 1749264
2018-02-13 20:24:10 +00:00
Lance Bragstad d5e9c0b4fe Remove all v2.0 APIs except the ec2tokens API
The only API we're supporting on the v2.0 path until the T release is
the ec2tokens API. This commit removes all routers from the public
and admin v2.0 applications. This includes the extensions API. This
commit also removes unused v2.0 controller logic.

Change-Id: I523c1215899ac9ee605df6bf717643c0ba87c761
Closes-Bug: 1746798
2018-02-06 23:12:55 +01:00
Lance Bragstad 5d6f4bb1ee Implement system-scoped tokens
This commit exposes the necessary bits to expose system-scoped
token authentication and validation via the API.

bp system-scope

Change-Id: I572a8e48953f493d521fd2aa00007df46e562e2e
2018-01-23 23:33:43 +00:00
Zuul 613c8f9778 Merge "remove _append_null_domain_id decorator" 2018-01-19 17:49:35 +00:00
Lance Bragstad 0bc28e8278 Add ability to list all system role assignments
This commit makes it so users can query the /role_assignments API
with ?scope.system=all.

bp system-scope

Change-Id: I1476c8da8ace1d60a832dfc3197c147e92f63837
2018-01-17 23:53:24 +00:00
wangxiyuan 76bcc16754 remove _append_null_domain_id decorator
This decorator is only useful when upgrading Keystone from Liberty
to a higher release. I don't think any deployments will upgrade
from Liberty to Queens directly. And Liberty is EOL already. So
it's safe enough to remove it.

Change-Id: I891b0d3e87e8c011a2db758fc84dbd4590f78c96
2018-01-17 10:08:37 +08:00
Lance Bragstad 086dd2738b Implement controller logic for system group assignments
This commit wires up the remaining bits to expose system role
assignments for groups via the assignment API.

bp system-scope

Change-Id: I5051aa97dbecb88ee706749b26a4140f9798e084
2018-01-12 16:25:03 +00:00
Lance Bragstad 410a8f691f Implement controller logic for system user assignments
This commit wires up the remaining bits to expose system role
assignments via the assignment API.

bp system-scope

Change-Id: Ie17a473c12c9a67bbc5b26f18d8b29e8ad4529d2
2018-01-10 21:54:56 +00:00