Commit Graph

645 Commits

Author SHA1 Message Date
Morgan Fainberg 35c9bb7eff Convert S3 and EC2 auth to flask native dispatching
Convert S3 and EC2 auth to flask native dispatching.

Test changes required:

* Eliminate direct reference of the EC2 / S3 controllers, originally
  this direct reference was to verify signature checking. Since
  signature checking is an @staticmethod now, direct reference of
  the API resources covers everything.

* Direct import of keystone.common.controller - due to an oddity in
  how our WSGI code work(s) in test, if nothing imports the common
  controller module, the tests fail using the oslo import_class
  mechanism.

Change-Id: I06e95957b3ea3a55b0da28959548bd5eb628c70b
Partial-Bug: #1776504
2018-10-11 15:27:46 -07:00
Morgan Fainberg 86f968163e Convert /v3/users to flask native dispatching
Convert /v3/users to use flask native dispatching.

The following test changes were required:

* Application Credentials did not have the plural form
  in the JSON Home document. The JSON Home document was
  corrected both in code and in tests.

* Application Credentials "patch" test needed to be
  refactored to look for METHOD_NOT_ALLOWED instead
  of NOT FOUND for invalid/unimplemented methods.
  The "assertValidErrorResponse" method was
  insufficient and the test now uses the flask
  test_client mechanism instead.

Change-Id: Iedaf405d11450b11e2d1fcdfae45ccb8eeb6f255
Partial-Bug: #1776504
2018-10-11 15:27:45 -07:00
morgan fainberg d97832e8e8 Convert auth to flask native dispatching
Convert the /auth paths to flask native dispatching.

A minor change to additional_urls was implemented to ensure all
urls are added at once instead of individually (causing an over-
write issue within flask as a single resource may only have a
single set of URL mappings).

Alternate URLs now support adding alternate JSON Home rel links.
This is to support the case of OS-FEDERATION auth routes moving
to /auth. The old JSON Home entries must exist but reference
the new paths.

This port includes the following test changes (needed due to the
way flask handles requests and the way requests are passed through
the auth system):

* Implemented keystone.common.render_token (module)
  containing render_token_response_from_model and use it instead
  of keystone.common.controller.render_token_response_from_model.

  Minor differences occur in render_token_response_from_model in
  the keystone.common.render_token module, this is simply
  for referencing data from flask instead of the request object.

* Test cases have been modified to no longer rely on the auth
  controller(s) directly

* Test cases now use "make_request" as a context manager
  since authenticate/authenticate_for_token directly
  reference the flask contexts and must have an explicit
  context pushed.

* Test cases no longer pass request objects into methods
  such as authenticate/authenticate_for_token or similar
  methods on the auth plugins

* Test cases for federation reference the token model now
  where possible instead of the rendered token response.
  Rendered token responses are generated where needed.

* Auth Plugin Configuration is done in test core as well.
  This is because Auth controller does not exist.

NOTE: This is a massive change, but most of these changes
were now easily uncoupled because of how far-reaching auth
is.

Change-Id: I636928102875760726cc3493775a2be48e774fd7
Partial-Bug: #1776504
2018-10-09 23:23:03 -07:00
Zuul b982f3932e Merge "Simplify the token provider API" 2018-08-01 16:44:47 +00:00
wangxiyuan d1aef16aec Remove get_catalog usage from contrib
get_catalog is only used for V2 APIs, this patch removed
the usage from contrib.

Change-Id: Idcc236d3835ba02a2aefac5de68ebaa37aa1496b
2018-07-26 09:27:52 +08:00
Lance Bragstad b47e84dac1 Simplify the token provider API
Since we're no longer supporting persistent tokens in tree and we
removed the uuid token provider, it's the perfect time to clean up a
good amount of confusing technical debt.

The token provider API is historically known for being confusing.
This is mainly because the reference that is intended to be returned
to the user is modified all up and down the API. Different parts of
the API use the reference to invoke call hooks in other methods, making
the code hard to debug. In order to fully understand how tokens are
built, you need to understand where and how tokens are modified by
different layers of the API according to a specific contract of the
authentication API. Another big problem is that it couples the actual
reference of how a token looks too closely to the business logic for
tokens. Which means you have to write a ton of code if you ever want a
token to look differently, like you would if you wanted to support a
new API version.

A token should be an object that the managers and controllers can
query and reason about. From there they should be able to build token
responses accordingly. This will make the actual token provider API
much simpler because it needs to know less about API contracts that
are the responsibility of the controllers. This should lead to simpler
interfaces when new token providers are added, or maintained out of
tree. This also makes it less likely for APIs to behave differently
based on what token provider is configured by explicitly
building the token reference in one place.

This commit ports the token business logic out of the
keystone.token.providers.common module and into a dedicated token
object, or model. This will result in a cleaner interface between the
token providers and the token provider API. A subsequent patch will
remove the unused code across the token provider API.

Partial-Bug: 1778945
Change-Id: If9ded94e65bacb0d06f5225bb36f659dc7bb8355
2018-07-13 14:45:56 +00:00
Morgan Fainberg 0211cdd05f Remove the rest of v2.0 legacy
This patch removes the rest of the v2.0 specific code which was being
maintained exclusively due to a copy-paste issue with the deprecation
warning on the EC2 controller(s). With sign off from TC members
we have removed all of the bits except those exclusively tied to
the paste.deploy removal. All paste.deploy specific changes will
be removed in a future patch.

With the conversion to Flask, none of the v2.0 legacy controllers
left were wired up to routes that could be accessed.

Change-Id: I959dac0d0dd2e667982383e1e3d52ab28c4c1e2e
2018-06-06 19:30:14 +00:00
Morgan Fainberg 4ec6bc5a44 Convert Keystone to use Flask
Basic conversion of Keystone's core application to flask framework.

This doesn't add much in the way of flask-specific-isms but should
get keystone running directly under flask. This implementation does
not use paste-deploy.

Change-Id: Ib4c1ed3f645dd55fbfb76395263ecdaf605caae7
2018-06-04 20:14:41 -07:00
Lance Bragstad d5e9c0b4fe Remove all v2.0 APIs except the ec2tokens API
The only API we're supporting on the v2.0 path until the T release is
the ec2tokens API. This commit removes all routers from the public
and admin v2.0 applications. This includes the extensions API. This
commit also removes unused v2.0 controller logic.

Change-Id: I523c1215899ac9ee605df6bf717643c0ba87c761
Closes-Bug: 1746798
2018-02-06 23:12:55 +01:00
Morgan Fainberg 81f9fe6fed Remove Dependency Injection
Refactors all of keystone's dependency injection to maintain a
single centralized repository of instantiated objects. This
means that we are no longer having to resolve order. All
objects that need to reference the various manager APIs simply
do so via the __getattr__ built into the Manager common object
or the ProviderAPIMixin object.

This is also the first step towards correcting our tests to
where they cannot run "load_backends" multiple times.

This forces any/all managers to properly run super()
as the way to register the api is via __init__.

This eliminates all use of the @dependency.requires and
@dependency.provides decorators, simplifying the objects
all around.

Any instantiations of a Manager after keystone is running
will now generate an error, ensuring everything for keystone
is running before handling requests. An exception is for
CLI and CLI tests, as the CLI may directly instantiate
managers and will not lock the registry.

Change-Id: I4ba17855efd797c0db9f4824936b49e4bff54b6a
2017-12-13 10:59:39 -08:00
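The registry pattern this commit message describes (managers register themselves on construction, other objects resolve manager APIs lazily through __getattr__, and the registry is locked once loading is complete so that late instantiation is an error), as an added illustrative example. This is not keystone's own provider_api code; the names ProviderAPIRegistry, PROVIDERS, ProviderAPIMixin, Manager, IdentityManager, TokenManager and load_backends are assumed for the illustration.

```python
"""Illustrative centralized provider registry (assumed design, not keystone's code).

Managers register exactly once via super().__init__(); consumers reach other
managers by attribute name through the registry; after load_backends() locks
the registry, any further Manager instantiation raises. A CLI-style caller
can load without locking (lock_registry=False) as the commit message allows.
"""


class ProviderRegistryLocked(RuntimeError):
    """Raised when a manager is instantiated after the registry is locked."""


class DuplicateProvider(RuntimeError):
    """Raised when two managers claim the same API name."""


class ProviderAPIRegistry:
    """Single centralized repository of instantiated manager objects."""

    def __init__(self):
        self._providers = {}
        self._locked = False

    def register(self, name, provider):
        if self._locked:
            raise ProviderRegistryLocked(
                "cannot register %r: registry is locked" % name)
        if name in self._providers:
            raise DuplicateProvider("provider %r already registered" % name)
        self._providers[name] = provider

    def lock(self):
        self._locked = True

    @property
    def locked(self):
        return self._locked

    def __getattr__(self, name):
        # Only reached when normal attribute lookup fails, so _providers and
        # _locked themselves are never routed through here.
        try:
            return self._providers[name]
        except KeyError:
            raise AttributeError(name)


PROVIDERS = ProviderAPIRegistry()


class ProviderAPIMixin:
    """Lazy access to registered managers by name (e.g. self.identity_api)."""

    def __getattr__(self, name):
        return getattr(PROVIDERS, name)


class Manager(ProviderAPIMixin):
    """Base manager; registration happens in __init__, so subclasses must
    call super().__init__() or they never appear in the registry."""

    _provides_api = None  # assumed class attribute naming the API

    def __init__(self):
        if self._provides_api is None:
            raise TypeError("Manager subclasses must set _provides_api")
        PROVIDERS.register(self._provides_api, self)


class IdentityManager(Manager):
    _provides_api = "identity_api"

    def get_user(self, user_id):
        return {"id": user_id}


class TokenManager(Manager):
    _provides_api = "token_api"

    def issue(self, user_id):
        # Resolved through the registry at call time; no ordering of
        # instantiation or decorator-based dependency resolution needed.
        user = self.identity_api.get_user(user_id)
        return "token-for-%s" % user["id"]


def load_backends(lock_registry=True):
    """Instantiate every manager once; lock unless a CLI-style caller opts out."""
    IdentityManager()
    TokenManager()
    if lock_registry:
        PROVIDERS.lock()


def demo():
    """Load, issue a token through the registry, then show late instantiation fails."""
    load_backends()
    token = PROVIDERS.token_api.issue("abc")
    try:
        TokenManager()
        late_instantiation_rejected = False
    except ProviderRegistryLocked:
        late_instantiation_rejected = True
    return token, late_instantiation_rejected


if __name__ == "__main__":
    print(demo())
```

Because lookups go through __getattr__, a typo such as self.identiy_api surfaces as an AttributeError at call time rather than at import time; hasattr(PROVIDERS, name) is a cheap way for tests to confirm a manager was actually registered.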
Jose Castro Leon 820d9d9a84 Fix ec2tokens validation in v2 after regression in metadata_ref removal
Since the last patch in the ocata release that removed the metadata_ref,
the ec2tokens api is broken due to unable to unpack the result of the
authenticate command (4 elements) while expecting to expand it into 5.

Change-Id: I71c4b51444ea9f7a3016b68d7dee9a4747e9c0fd
Closes-Bug: #1691111
Closes-Bug: #1635389
2017-07-28 16:20:53 +02:00
Lance Bragstad 17cfe62e8f Ensure the ec2 API supports HEAD
This commit makes it so all GET APIs within the ec2 API
support HEAD. This change doesn't include any tests because
the ec2 API is untested, see bug 1635389 for more details.

Change-Id: Iab7326d0758425f535c57c64f9cdca5f2e8d122b
Partial-Bug: 1696574
2017-06-13 15:15:41 +00:00
Adam Young 7d8f2fcfb9 Refactor Authorization:
Merged the decorator logic into a single function that
calls check_policy. Moved authorization logic in authorize.py

Prep for oslo-context fixes

Change-Id: Id1452db131740c68b3756a819792f9a60cff239c
2017-05-02 14:42:03 -04:00
Jenkins fcab45efb4 Merge "Fix the s3tokens endpoint" 2017-03-09 17:08:52 +00:00
Kristi Nikolla d35f36916e Remove EndpointFilterCatalog
EndpointFilterCatalog was deprecated in Ocata in favor of
sql.Catalog.

Implements: bp removed-as-of-pike

Change-Id: I7f3eea85d4d8668e9e421b06a65086a736211106
2017-02-27 11:21:50 -05:00
Tim Burke 3ec1aa4c19 Fix the s3tokens endpoint
This was broken when issue_v2_token was removed, and no one noticed
because there are no tests.

The good news is, Swift3 is content to move toward supporting the
v3 format, so just start inheriting from the v3 controller.

Change-Id: I5d0c18121ba4bf8e33209daa48b9d87864951362
Related-Change: I7d3b583cbec9a095ab8cc20c5d6c0a6127e37068
Related-Change: I747de516ab69a47622eecbf8ab3faa34444b3ad5
2017-02-22 16:16:06 +00:00
Eric Brown 30d9095d28 Use https for docs.openstack.org references
The openstack.org pages now support https and our references to
the site should by default be one signed by the organization.

Change-Id: I30a462e03d1fd7852511e22cac34c6bc0e8917f4
2017-01-30 16:05:08 -08:00
Lance Bragstad adb45134ab Remove metadata from token provider
The metadata stuff in the token provider was there as a v2-ism.
This commit removes it from the token provider and leaves its bits
in the v2.0 token controller.

Change-Id: I4b37289c06df2012ed4473227df5c309440af162
2016-11-20 12:44:45 +00:00
Jenkins 778ebeb0db Merge "Remove issue_v3_token in favor of issue_token" 2016-11-20 08:25:48 +00:00
Lance Bragstad c0c23fd9df Remove issue_v3_token in favor of issue_token
Since we don't have a reason to hold on to a version specific
token method name, we can rename it to be just issue_token.

Now the token provider interface has two integral methods,
validate_token and issue_token. From a third-party perspective, this
makes it easier to maintain a proprietary token provider since it
eliminates a lot of version specific things from the provider
implementation. From a keystone perspective, we are isolating the
numerous token validation and issuance paths to a single route. This
will make understanding the code easier for other developers and
eventually easier to optimize.

Change-Id: I71a04b42e931338b8bd59e479636b6199c7c2d76
2016-11-11 17:44:23 +00:00
Dave Chen fd3e6276a3 Deprecate `endpoint_filter.sql` backend
`endpoint_filter.sql` backend is the only left-over from the
endpoint filter extension; all others have been moved into the
keystone catalog dir.

This patch deprecates the `endpoint_filter.sql` backend and
consolidates the backend with the SQL backend.

This patch also updates some related testcases to make sure the
project id exists instead of some random uuids, since the original
logic from the endpoint filter extension has the constraint and
it makes sense to inherit it into the SQL backend as well.

Partially implements: bp deprecated-as-of-ocata
Change-Id: I28b37fc98cf63da11c0dd200b5f657507c0bca6a
2016-10-09 09:26:07 +08:00
Steve Martinelli 4a079a4a22 remove deprecated items from contrib
In the Mitaka release several extensions were moved out
of contrib and into keystone core, enabling them by
default.

This patch removes the deprecated portions from that move
and updates setup.cfg's entry points accordingly.

bp removed-as-of-ocata

Change-Id: Ib5edf7b54b877aaa049c67e6e6b5c1a7c0bcbfe2
2016-09-27 11:55:41 +03:00
zhufl 020776bada Remove unnecessary __init__
This is to remove unnecessary __init__ to keep code clean.

Change-Id: I3e93a9197150f0a4274b9ed1b65eb12306cbbbf0
2016-08-24 10:00:05 +08:00
Henry Nash 345d2a04e1 Remove the extensions repos
All extensions are now migrated into the keystone core and the
migrations in the old contrib folders just raise an error. Since
these can only be called from the now deprecated --extensions
options in keystone-manage, we might as well get rid of them all
and just raise the error in keystone manage. We can also clean
up the migration helpers accordingly.

This clean up is useful ahead of layering on the rolling upgrade
support in keystone manage and the helpers.

Change-Id: I749dc7e13050e211df1f4fd144cb0479891e3e64
2016-07-29 06:24:02 +01:00
Jamie Lennox d23bfc04a6 Remove get_trust_id_for_request function
This function tries to determine the current trust_id by looking up the
auth_context's token model. If this information was available it would
have been put on the request.context object so we can use that instead.

Change-Id: I7ce33b30f220be619c638c77eeb76503f1af79a7
2016-07-14 19:01:42 +10:00
Jenkins 5122632f3d Merge "Use request object in policy enforcement" 2016-07-12 03:40:27 +00:00
Jamie Lennox 187490fd7e Use request object in policy enforcement
Pass the request object through to callbacks and policy enforcement.
This will let us move some more credential building work onto the
request in future.

Change-Id: I85db98430a10080b09a2135544733506071d1491
2016-07-08 10:27:46 +10:00
Eric Brown af0b966af8 Use http_client constants instead of hardcoding
This patch swaps use of hardcoded int and strings for known http
status codes with the values from six.moves.http_client.

Change-Id: Iab83af97920b950d075036ff1499f388299588a0
2016-07-07 16:22:44 -07:00
Jamie Lennox b66693ed23 Make assert_admin work with a request
Push further into pushing a request object around, fix the v2
assert_admin method to work with a request.

Change-Id: I83063178b04c5e401d1f1a6bb9bce63a4a38910e
2016-07-05 09:07:58 +10:00
Dolph Mathews d9c6b50a3a Replace keystone.common.config with keystone.conf package
keystone.common.config is 1200+ lines of super dense, merge-conflict
prone, difficult to navigate, and finicky to maintain code. Let's follow
nova's lead and break it down into more manageable modules.

This patch creates a new Python package, keystone.conf, and moves all of
our configuration options into it, mirroring nova's nova.conf package.

There are a couple special modules in keystone.conf introduced here as
well:

- keystone.conf.__init__: This causes all of Keystone options to be
  registered on import, so consumers of keystone.conf don't have
  races with config initialization code while trying to use
  oslo_config.cfg.CONF directly (keystone.conf replaces all uses for
  oslo_config.cfg.CONF in keystone).

- keystone.conf.base: Keystone's [DEFAULT] group options. I'd prefer
  this to be called 'default.py', but I'm just copying nova's lead here.

- keystone.conf.opts: The entry point for oslo.config itself.

- keystone.conf.constants: There are a few constants (deprecation
  messages, default paths, etc) that are used by multiple configuration
  modules, so they need to live in a common place.

Change-Id: Ia3daffe3fef111b42de203762e966cd14d8927e2
2016-06-24 17:02:15 +00:00
Jamie Lennox da6ea7e224 Pass a request to controllers instead of a context
Instead of the unformed context dictionary pass a full request object
with access to the context_dict so that existing functions still work.
After this we can replace smaller usages of the context dict with
functions and properties on the request directly.

Change-Id: Ibe822ed7c76a24a7d31d98ce62f873a01e5fb213
2016-06-08 14:56:52 +10:00
Ronald De Rose 2963dc1525 Move the catalog abstract base class and common code out of core
This patch moves the catalog abstract base class and common code
out of core, and into backends/base.py

This removes dependencies where backend code references code in the
core. The reasoning being that the core should know about the backend
interface, but the backends should not know anything about the core
(separation of concerns). And part of the risk here is a potential for
circular dependencies.

Change-Id: I87edf8cf660fabbc7253e6b1abc7354eef34151d
Partial-Bug: #1563101
2016-05-06 21:58:38 +00:00
Navid Pustchi aabc213040 Fix D401 PEP8 violation.
Currently tox ignores D401 (401: First line should be in imperative mood).
This change removes it and makes keystoneauth docstrings compliant with it.

Change-Id: I136cf810f47c4c19f29216907a63f226930b5082
Partial-Bug: 1570049
2016-04-14 20:08:52 +00:00
Steve Martinelli 00bfbb938c remove endpoint_policy from contrib
this has been deprecated for 2 releases and can now be removed.

implements bp: removed-as-of-newton

Change-Id: I9a7b225d15953cec3f597a04c45020aff0bd60a8
2016-03-19 15:03:21 -04:00
Brant Knudson 0d472c86e3 Allow project_id in catalog substitutions
We allowed 'tenant_id' in catalog substitutions. The 'tenant' term is
deprecated in favor of 'project'. Also allow 'project_id' so that
users can stop using the deprecated term in one more place.

Change-Id: I4bcfbda1b542f09172f5b53185f063c6bea27205
2016-02-15 10:55:23 -06:00
Jenkins 128f9e4bb4 Merge "Missing 'region' in service and 'name' in endpoint for EndpointFilterCatalog" 2016-02-12 20:36:12 +00:00
Einar Forselv f767b641e8 Missing 'region' in service and 'name' in endpoint for EndpointFilterCatalog
EndpointFilterCatalog should return a catalog consistent with the normal
v3 catalog. This means that a service will return the 'region' property
(same as 'region_id') for backwards compatibility. In addition each
endpoint will return its name.

Change-Id: I0f1a337dae1ee2f910d34c14624854a3c9f06358
Closes-Bug: 1532768
2016-02-08 22:12:27 -05:00
Morgan Fainberg f75f7e872f Move user and admin crud to core
Move the user_crud and admin_crud extensions for V2 to core.

Change-Id: If1b6bd354d05f5dafcbcd93b77b515b90522c1e7
bp: extension-to-core
2016-02-06 15:44:12 +00:00
Morgan Fainberg 6caf4a7eaa Deprecate simple_cert extension
Updated the relevant config options for Token signing
and deprecated the simple_signing_cert extension that
is only used for support of the PKI/PKIz providers.

This patch makes the public facing Router used in
the PASTE-INI emit a deprecation warning and moves
the logic into the token subsection and always
attaches it to the V3 Service object. This is part
of the effort to move all extensions (deprecated
or not) into core.

Change-Id: I15a58c07d769045ad61e9d600dbf943987993353
bp: deprecated-as-of-mitaka
2016-02-02 15:43:02 -08:00
Steve Martinelli 4d202f511d remove KVS backend for keystone.contrib.revoke
when the revoke extension was moved out to the top level, a
reference to already deprecated KVS backend was kept.

the reference in contrib was also deprecated, but since we're
removing the one it points to, there is no need to keep it
around.

bp removed-as-of-mitaka
Change-Id: Ib917b2daff70bd942a8f9786998ca0ed743c28d3
2016-01-25 22:50:21 +00:00
Jenkins 2702645af1 Merge "Deprecating API v2.0" 2016-01-21 00:57:30 +00:00
Raildo Mascena e63a8311fa Deprecating API v2.0
Keystone team decided to deprecate v2.0 on Mitaka.

DocImpact: The keystone team recommends using v3 of our Identity API, so we
decided to formally deprecate API v2.0 on Mitaka. Authentication
routes and EC2 routes will not be deprecated for now, they will be kept
around indefinitely.

Partially implements: bp deprecated-as-of-mitaka

Co-Authored-By: Steve Martinelli <stevemar@ca.ibm.com>
Change-Id: Ie3e484f08edd5acd3c89e76ba6a5c24d660a116d
2016-01-19 14:00:25 +00:00
Jenkins 308b1be1db Merge "Add `type' filter for list_credentials_for_user" 2016-01-07 00:21:09 +00:00
Chaozhe.Chen 87eb9d8687 Trivial: Remove unused logging import
In some files, oslo_log.log has been imported but not used.
So remove it.

Change-Id: I0cdd50fd764cfab503c1a0dd3c79d9f295eaeb8a
2015-12-26 15:14:25 +08:00
Tony Wang 9fc1cc67d9 Add `type' filter for list_credentials_for_user
When getting, or operating on, a credential, the EC2 controller needs to
specify that it is an ec2 credential, avoiding conflicts with other types of
credentials.

Closes-Bug: #1506473
Change-Id: Id92fc87bf1be5448aa929224bbce4d3f7f4359b6
2015-12-11 01:02:38 -05:00
Jenkins 9c79319cf2 Merge "Ensure endpoints returned is filtered correctly" 2015-12-10 00:52:45 +00:00
Samuel de Medeiros Queiroz dbbea6b5c5 Update extensions links
Extensions links are out-of-date. They are either
invalid or pointing to an old repository [1].

This patch fixes such links.

[1] https://github.com/openstack/identity-api

Change-Id: I6cd461b3ba24a042fd188d6398212ded582eb365
2015-12-07 17:13:33 -03:00
Samuel de Medeiros Queiroz a7f4f47a4d Remove invalid TODO in extensions
There are TODO notes asking for a description in
the following extensions: ec2, s3, user_crud and
endpoint_filter. However, the descriptions
already exist.

This change removes those notes.

Change-Id: I1d2c42b471030d61b6bb1be5d240253eb00767f6
2015-12-06 08:37:26 -03:00
Jenkins a6e9cd48a1 Merge "Remove core module from the legacy endpoint_filter extension" 2015-12-05 22:59:44 +00:00
Dave Chen f86448a311 Ensure endpoints returned is filtered correctly
This patch moves some logic to the manager layer, so that endpoints
filtered by endpoint_group project association will be included
in the catalog when issuing a project scoped token and using
`endpoint_filter.sql` as the catalog's backend driver.

This makes sure that calling the `list_endpoints_for_project` API
returns the same endpoints as the catalog returned for a project
scoped token.

Change-Id: I56f4eb6fc524650677b627295dd4338d55164c39
Closes-Bug: #1516469
2015-12-03 11:00:45 +08:00