We propose to extend the Keystone identity provider (IdP) attribute mapping
schema to make Keystone honor the `domain` configuration that we have
on it.
Currently, that configuration is only used to define a default domain
for groups (and then each group there could override it). It is
interesting to expand this configuration (as long as it is in the root
of the attribute mapping) to also apply to users and projects.
Moreover, to facilitate the development and extension concerning
attribute mappings for IdPs, we changed the way the attribute mapping
schema is handled. We introduce a new configuration
`federation_attribute_mapping_schema_version`, which defaults to "1.0".
This attribute mapping schema version will then be used to control the
validation of attribute mapping, and also the rule processors used to
process the attributes that come from the IdP. So far, with this PR,
we introduce the attribute mapping schema "2.0", which enables
operators to also define a domain for the projects they want to assign
users. If no domain is defined either in the project or in the global
domain definition for the attribute mapping, we take the IdP domain
as the default.
Change-Id: Ia9583a254336fad7b302430a38b538c84338d13d
Implements: https://bugs.launchpad.net/keystone/+bug/1887515
Closes-Bug: #1887515
The eventlet server implementation was removed during Newton, and has
not been used by any other implementations for a while.
Change-Id: I01f9adfc3e610d820c1834209d36c10568cccf41
These options have had no effect and were formally deprecated during
Yoga cycle[1].
[1] 9a8686aee0
Related-Bug: #1941020
Change-Id: I9ac00109bd278bc4813a45358aeda848ab7318de
This patch adds a new hashing algorithm, bcrypt_sha256, which is based on
bcrypt but does not have limitations on the length of the passwords,
since passwords are passed through HMAC-SHA2-256 first.
It accepts exactly the same parameters as bcrypt does.
However, it prefixes the hash using the `prefix` attribute rather than
`indent_values`, which are the same as for bcrypt.
Change-Id: I5430ebf5a20142c1a9caab960ced9b3ee2e782c1
The bcrypt hashing algorithm has a limitation on the length of passwords it
can hash of 72 bytes. In [1] a password trim to 54 symbols was
implemented, which resulted in passwords being invalidated after the
keystone upgrade, since passwords are trimmed differently by bcrypt
itself, and len(str()) is not always equal to
len(str().encode()), as trimming should be done based on bytes and not
on the string itself.
With this change we return a byte object from
`verify_length_and_trunc_password`, so it does not need to
be encoded afterwards, since we need to strip based on bytes
rather than on the length of the string.
[1] https://review.opendev.org/c/openstack/keystone/+/828595
Closes-Bug: #2028809
Related-Bug: #1901891
Change-Id: Iea95a3c2df041a0046647b3d3dadead1a6d054d1
The OAuth2.0 Access Token API is modified to support getting an OAuth2.0
certificate-bound access token from the keystone identity server with
OAuth 2.0 credentials and Mutual-TLS certificates.
Co-Authored-By: Hiromu Asahina <hiromu.asahina.az@hco.ntt.co.jp>
Change-Id: I885527bec61429b1437a046097a16491848b5a0a
Implements: blueprint support-oauth2-mtls
The bcrypt algorithm that we use for password hashing silently
length limits the size of the password that is hashed giving the
user a false sense of security [0]. This patch adds a check
in the verify_length_and_trunc_password function for the hash in
use and updates the max_length accordingly, this will override
the configured value and log a warning if the password is truncated.
[0]: https://passlib.readthedocs.io/en/stable/lib/passlib.hash.bcrypt.html#security-issues
Closes-bug: #1901891
Change-Id: I8d0bb2438b23227b5a66b94af6f8e198084fcd8d
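The three bcrypt-related messages above (the 72-byte limit that overrides the configured max length, truncation on bytes rather than characters, and the bcrypt_sha256 pre-hash that sidesteps the limit) describe behaviour that is easy to get subtly wrong. The following is an added, self-contained illustration written for this page; it is not Keystone's or passlib's code. The constant names, the `4096` configured limit and the `"bcrypt"` hasher label are assumptions made for the example, and the bcrypt call itself is left out because it needs a third-party library; the example shows only the stdlib steps around it.

```python
import base64
import hashlib
import hmac
import logging

# Assumed values for this illustration, not Keystone's configuration.
BCRYPT_MAX_BYTES = 72          # bcrypt silently ignores everything past byte 72
CONFIGURED_MAX_LENGTH = 4096   # an operator-configured limit, stands in for the config option

log = logging.getLogger(__name__)


def verify_length_and_trunc_password(password: str, hasher: str,
                                     max_length: int = CONFIGURED_MAX_LENGTH) -> bytes:
    """Return the password as bytes, truncated to what the hasher will really use.

    Illustrative re-implementation of the behaviour the commit messages describe:
    for bcrypt the effective limit is 72 *bytes* regardless of the configured
    value, and truncation is done on the UTF-8 bytes, not on the character count,
    because len(s) != len(s.encode()) for non-ASCII passwords.
    """
    if hasher == "bcrypt" and max_length > BCRYPT_MAX_BYTES:
        # The configured value would give a false sense of security: bcrypt
        # would drop the tail anyway, so clamp and make the truncation visible.
        max_length = BCRYPT_MAX_BYTES
    pw_bytes = password.encode("utf-8")
    if len(pw_bytes) > max_length:
        log.warning("password truncated from %d to %d bytes", len(pw_bytes), max_length)
        # Plain byte slicing, exactly like bcrypt itself; this may cut a multi-byte
        # character in half, which is fine because the same bytes are hashed on
        # every login, so hash and verification stay consistent.
        pw_bytes = pw_bytes[:max_length]
    return pw_bytes


def bcrypt_sha256_prehash(password: str, salt: bytes) -> bytes:
    """Digest step of a bcrypt_sha256-style scheme.

    HMAC-SHA256 over the password, base64-encoded: the value handed to bcrypt is
    then always 44 bytes, comfortably under 72, so no truncation can happen and
    two long passwords that share their first 72 bytes no longer collide. Keying
    the HMAC with the salt mirrors passlib's bcrypt_sha256 layout; the bcrypt call
    that would consume this value is omitted here.
    """
    digest = hmac.new(salt, password.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest)


def bcrypt_inputs_collide(pw1: str, pw2: str) -> bool:
    """True when bcrypt would hash both passwords to the same value, i.e. when
    they are identical within the first 72 bytes. Demonstrates the silent
    length limit the original patch warns about."""
    return (verify_length_and_trunc_password(pw1, "bcrypt")
            == verify_length_and_trunc_password(pw2, "bcrypt"))


if __name__ == "__main__":
    long_pw = "é" * 80           # 80 characters, 160 bytes
    print(len(verify_length_and_trunc_password(long_pw, "bcrypt")))   # 72, not 80
    print(bcrypt_inputs_collide("a" * 72 + "X", "a" * 72 + "Y"))        # True
    print(len(bcrypt_sha256_prehash("a" * 500, b"salt")))               # 44
```

The `bcrypt_inputs_collide` check is the quickest way to see why the warning matters: any two passwords that agree on their first 72 bytes are interchangeable under plain bcrypt, while the pre-hash makes the full password count.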
authenticate.failed in the list is not working as the correct
notification is authenticate.failure (see [0]), this way we keep the
default behaviour, and the users still have the ability to add their
events to this list at deployment time.
[0]https://github.com/openstack/pycadf/blob/stable/victoria/pycadf/cadftaxonomy.py#L76
Change-Id: If3d818dac220a105f4aba382537c09ab4ee1abd5
Closes-Bug: 1954665
Since LDAP is now readonly, the current behavior might be
unexpected. By randomizing the list, we assure a more gradual
failure scenario if the first server on the list (as specified
by the user) fails.
Change-Id: I23f31bd85443784013a6aa158d80c7aeeb343993
Closes-Bug: #1953622
Resolves: rhbz#2024602
Value of 0 causes the pool to fail before it attempts to connect
to ldap, raising MaxConnectionReachedError.
Change-Id: Ia8450dc45dad5ceb4661807f51de66b5d70a6207
These options were used by the memcache_pool backend for token
persistence, which was removed during Pike cycle.
Closes-Bug: #1941020
Change-Id: I2a0c2d46ebe81728f4ba0ff6d3072348e70f92dd
As per the community goal of migrating the policy file
format from JSON to YAML[1], we need to do two things:
1. Change the default value of the '[oslo_policy] policy_file'
config option from 'policy.json' to 'policy.yaml' with
upgrade checks.
2. Deprecate the JSON formatted policy file on the project side
via warning in doc and releasenotes.
Also replace policy.json to policy.yaml ref from doc and tests.
[1]https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html
Change-Id: Ic65d2fd6ce7215b4a47a6fb41b9cbf991f27773b
This patch adds a new config option 'user_limit'
to credentials to set the maximum number of credentials a
user is permitted to create.
Closes-Bug: #1872732
Change-Id: Ic9dc9a4a9ec1ecbf01842c865e19a7a100e5041d
EC2 token requests contain a signature that signs the entire request,
including the access timestamp. While the signature is checked, the
timestamp is not, and so these signed requests remain valid
indefinitely, leaving the token API vulnerable to replay attacks. This
change introduces a configurable TTL for signed token requests and
ensures that the timestamp is actually validated against it.
The check will work for either an AWS Signature v1/v2 'Timestamp'
parameter[1] or the AWS Signature v4 'X-Aws-Date' header or
parameter[2].
Although this technically adds a new feature and the default value of
the feature changes behavior, this change is required to protect
credential holders and therefore must be backported to all supported
branches.
[1] https://docs.aws.amazon.com/general/latest/gr/signature-version-2.html
[2] https://docs.aws.amazon.com/general/latest/gr/sigv4-date-handling.html
Change-Id: Idb10267338b4204b435df233c636046a1ce5711f
Closes-bug: #1872737
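The replay problem described above comes down to one missing comparison: the timestamp is inside the signed string, so once the signature verifies, the server can trust it and must still check that it is recent. The following is an added example written for this page, not Keystone's implementation; the TTL constant, the symmetric skew window, the function names and the constructed sample requests are assumptions. It accepts either the SigV1/v2 `Timestamp` query parameter or the SigV4 date value (the AWS documentation the commit cites spells that header `X-Amz-Date`), and must run only after the signature itself has been validated.

```python
from datetime import datetime, timezone

# Assumed default; the real option name and default are not given on this page.
DEFAULT_TTL_SECONDS = 300

# SigV1/v2 'Timestamp' is ISO 8601, with or without fractional seconds.
_TIMESTAMP_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ")
# SigV4 'X-Amz-Date' is the compact basic ISO 8601 form.
_AMZ_DATE_FORMAT = "%Y%m%dT%H%M%SZ"


def parse_signed_timestamp(params: dict, headers: dict) -> datetime:
    """Extract the timestamp the client signed, as an aware UTC datetime.

    Looks at the SigV1/v2 'Timestamp' parameter first, then the SigV4
    'X-Amz-Date' parameter or header. Raises ValueError when absent or malformed;
    a request with no parseable timestamp must be rejected, not treated as fresh.
    """
    lower_headers = {k.lower(): v for k, v in headers.items()}
    if "Timestamp" in params:
        raw, formats = params["Timestamp"], _TIMESTAMP_FORMATS
    elif "X-Amz-Date" in params:
        raw, formats = params["X-Amz-Date"], (_AMZ_DATE_FORMAT,)
    elif "x-amz-date" in lower_headers:
        raw, formats = lower_headers["x-amz-date"], (_AMZ_DATE_FORMAT,)
    else:
        raise ValueError("signed request carries no timestamp")
    for fmt in formats:
        try:
            return datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unparseable signed timestamp: %r" % (raw,))


def request_age_seconds(params: dict, headers: dict, now_epoch: float = None) -> float:
    """Seconds between the signed timestamp and now; negative if the client's
    clock is ahead of ours. `now_epoch` is injectable for deterministic tests."""
    now = (datetime.fromtimestamp(now_epoch, tz=timezone.utc)
           if now_epoch is not None else datetime.now(timezone.utc))
    return (now - parse_signed_timestamp(params, headers)).total_seconds()


def signed_request_is_fresh(params: dict, headers: dict,
                            ttl_seconds: int = DEFAULT_TTL_SECONDS,
                            now_epoch: float = None) -> bool:
    """Replay guard: accept only if the signed timestamp lies within +/- ttl of
    now. The window is symmetric so moderate clock skew in either direction is
    tolerated, but a captured request stops working once the TTL has elapsed.
    Call this only after the signature has been verified, otherwise the
    timestamp is attacker-controlled."""
    return abs(request_age_seconds(params, headers, now_epoch)) <= ttl_seconds


if __name__ == "__main__":
    # Constructed sample requests, evaluated at a fixed "now" of 2024-01-01T12:00:00Z.
    NOW = 1704110400
    print(signed_request_is_fresh({"Timestamp": "2024-01-01T11:58:00Z"}, {}, now_epoch=NOW))   # True
    print(signed_request_is_fresh({"Timestamp": "2023-06-01T11:58:00Z"}, {}, now_epoch=NOW))   # False
    print(signed_request_is_fresh({}, {"X-Amz-Date": "20240101T115500Z"}, now_epoch=NOW))       # True
```

A five-minute TTL is short enough to make capture-and-replay impractical while still tolerating typical NTP drift; the check should reject, not skip, when the timestamp is missing, since an old client omitting it would otherwise reopen the hole.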
The repo is Python 3 now, so update hacking to version 3.0 which
supports Python 3.
Fix problems found.
Update local hacking checks for new flake8.
Change-Id: Ic440219814ee0c2b98217e9a821f38f5baf482ec
Code related to UUID tokens was removed from keystone during the
Rocky development cycle.
Change-Id: I76d5c29f6b1572ee3ec7f2b1af63ff31572de2ce
This patch removes a small note related to UUID tokens from
keystone example configuration file.
Change-Id: I40782c4f41b1a0a7bd285b53b60cd8aca000ede0
Creates the model and migration for the expiring user group
membership table.
Change-Id: I48093403539918f81e6a174bdfa7b6497dd307fb
Partial-Bug: 1809116
In 09088690 we mistakenly added E501 to the flake8 ignore list. Since
then, many new violations have been introduced. This patch re-enables
the check and corrects all violations, except in some cases like unit
test names where the subunit output would suffer if we attempted to
shorten the function name.
This may appear to be a pointless no-op that messes with
git-blameability, and it is, but the reason to do this is that if PEP8
violations are introduced in master and then backported to a stable
branch, most stable branches will fail the pep8 job since the flake8
ignore list is correct for those branches. Rather than loosening the
check in older branches or requiring those backports to fix the linter
errors independently of what's been merged in master, we should fix it
now so that we don't introduce more errors in the future and patches can
more easily be backported.
Change-Id: I9f71926105eb448bb0200201d1838b67d4963cd6
This reverts commit 3d46c8a5d9.
In the last commit, the foreign key constraints between the project
table and other tables were dropped, which allows us to restore the
configurability of the resource driver.
Change-Id: Iba4951e2d3965be5acec705385967d312456f1c7
Update the TOTP auth plugin so that it can be configured
to allow a passcode from a given number of windows back to
still work.
This gives TOTP some slightly better UX so by default at least
one passcode back will still work. Can be disabled, or more
windows added for clouds less worried about security and more
about clock drift.
Change-Id: I8ba4127a365392f0d0e9de5fd9c979750c354dc7
Closes-Bug: #1839577
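To make the trade-off in the message above concrete, here is an added, stand-alone TOTP verifier (RFC 6238 over RFC 4226 HOTP, stdlib only) that accepts a configurable number of previous 30-second windows. It is example code written for this page, not Keystone's auth plugin; the `included_previous_windows` parameter name is modelled on the option the message describes and should be treated as an assumption, as should the `key` used in the demo, which is the RFC 6238 test secret.

```python
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1: dynamic truncation of the MAC, reduced mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time window."""
    return hotp(key, int(for_time // step), digits)


def verify_totp(key: bytes, passcode: str, now: float = None, step: int = 30,
                digits: int = 6, included_previous_windows: int = 1) -> bool:
    """Accept `passcode` if it matches the current window or any of the
    `included_previous_windows` windows before it.

    included_previous_windows=0 restores strict behaviour (current window only);
    1 tolerates a code generated just before the window rolled over; larger
    values absorb more clock drift but also lengthen the time a captured code
    stays usable, which is the security cost the commit message refers to.
    """
    now = time.time() if now is None else now
    current = int(now // step)
    for counter in range(current, current - included_previous_windows - 1, -1):
        if counter < 0:
            break
        expected = hotp(key, counter, digits).encode("ascii")
        # Constant-time comparison so response timing does not leak digit matches.
        if hmac.compare_digest(expected, passcode.encode("utf-8")):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (ASCII "12345678901234567890"); 8-digit codes.
    key = b"12345678901234567890"
    print(totp(key, 59, digits=8))                                          # 94287082
    print(verify_totp(key, "94287082", now=75, digits=8, included_previous_windows=1))   # True
    print(verify_totp(key, "94287082", now=75, digits=8, included_previous_windows=0))   # False
```

Setting `included_previous_windows` to 1 means a code is valid for somewhere between 30 and 60 seconds after generation; each additional window adds another 30 seconds during which a passcode observed over the shoulder or in a log can be replayed.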
Since pki-setup was removed in Pike, this
patch removes the config options that were
left for backward compatibility, as PKI is
not supported.
Partial-Bug: #1829453
Change-Id: I83cd08e57fbc046ad69bd42eb2e5fa1ace6e8a28
Modify the FederationProtocolModel class and add the
remote_id_attribute to the federation_protocol table.
Add the respective migration and tests files. And
also modify the schema to expect a remote_id_attribute
property.
Closes-bug: #1724645
Co-authored-by: Colleen Murphy<colleen@gazlene.net>
Change-Id: I9802c8a5c187bae16de89893ca8639b01cd7cb1b
Prior to introducing per idp domains, all ephemeral users lived
in the Federated domain. That is not the case anymore, since they
now live in the domain of the idp.
Change-Id: Ife501adf7b122d2c987e132dbfafe0717760c1bb
Partial-Bug: 1754048
Partial-Bug: 1829454
This reverts commit f028ca4edd.
In the Train PTG[1] we agreed to defer this feature until we had some
kind of traceability or discoverability for APIs and that this wasn't
feasible or useful until then.
This change was merged to master but never released, so I submit that
it is safe to revert.
[1] https://etherpad.openstack.org/p/keystone-train-ptg-application-credentials
Change-Id: I8fc5fcb2b35431882f0d64866765d6b0cd31356f
This reverts commit 02540b7de6.
In the Train PTG[1] we agreed to defer this feature until we had some
kind of traceability or discoverability for APIs and that this wasn't
feasible or useful until then.
This change was merged to master but never released, so I submit that
it is safe to revert.
[1] https://etherpad.openstack.org/p/keystone-train-ptg-application-credentials
Change-Id: Ieec91dc4739d7ac78f3ff8b8918f4a7a5381ab82