Resolve the following LegacyAPIWarning warning:
The Query.get() method is considered legacy as of the 1.x series of
SQLAlchemy and becomes a legacy construct in 2.0. The method is now
available as Session.get()
Change-Id: I30d0bccaddff6a1d91fcd5660f490f904e7c8965
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
This repo does not support Python 2 anymore, so we don't need
six for compatibility between Python2 and 3, convert six usage to Python
3 code.
Change-Id: Icba56808f38277b27af2ae5aac4b8507dee71b3b
Create the base implementation of the RBAC enforcer with compat code
for the legacy mechanism via @protected decorators.
Change-Id: I80662d9b23e706b720d56670cb849318e951a3b4
Partial-Bug: #1776504
Basic conversion of Keystone's core application to flask framework.
This doesn't add much in the way of flask-specific-isms but should
get keystone running directly under flask. This implementation does
not use paste-deploy.
Change-Id: Ib4c1ed3f645dd55fbfb76395263ecdaf605caae7
This change converts the usage of self.<provider_api> to
keystone.common.providers_api.ProviderAPIs.<provider_api> in manager
and controller logic. This is the correct way to reference
providers from other managers and controllers now that dependency
injection has been eliminated.
Change-Id: Ieea66d86d6d28ac105c4c39bdea1d05aec8e0c46
Refactors all of keystone's dependency injection to maintain a
single centralized repository of instantiated objects. This
means that we are no longer having to resolve order. All
objects that need to reference the various manager APIs simply
do so via the __getattr__ built into the Manager common object
or the ProviderAPIMixin object.
This is also the first step towards correcting our tests to
where they cannot run "load_backends" multiple times.
This forces any/all managers to properly run super()
as the way to register the api is via __init__.
This eliminates all use of the @dependency.requires and
@dependency.provides decorators, simplifying the objects
all around.
Any instantiations of a Manager after keystone is running
will now generate an error, ensuring everything for keystone
is running before handling requests. An exception is for
CLI and CLI tests, as the CLI may directly instantiate
managers and will not lock the registry.
Change-Id: I4ba17855efd797c0db9f4824936b49e4bff54b6a
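The registry behaviour described in the commit message above, as an added sketch that is not keystone's code: `ProviderRegistry`, `Manager`, `api_name`, `RegistryLocked` and the two sample managers are hypothetical names. It shows order-independent lookup through `__getattr__`, registration in `__init__`, and the error raised once the registry is locked.

```python
class RegistryLocked(RuntimeError):
    """A manager was instantiated after startup finished."""

class ProviderRegistry:
    """Single central store of instantiated managers (hypothetical name)."""
    def __init__(self):
        self._providers = {}
        self._locked = False

    def register(self, name, provider):
        if self._locked:
            raise RegistryLocked(f"{name!r} registered after startup")
        if name in self._providers:
            raise ValueError(f"{name!r} is already registered")
        self._providers[name] = provider

    def lock(self):
        self._locked = True

    def __getattr__(self, name):  # reached only when normal lookup fails
        try:
            return self.__dict__["_providers"][name]
        except KeyError:
            raise AttributeError(name) from None

class Manager:
    api_name = None  # hypothetical: the name this manager registers under
    def __init__(self, registry):
        self._registry = registry
        registry.register(self.api_name, self)  # registration lives in __init__

    def __getattr__(self, name):  # sibling APIs resolve at call time
        if "_registry" not in self.__dict__:  # super().__init__() was skipped
            raise AttributeError(name)
        return getattr(self._registry, name)

class CatalogManager(Manager):
    api_name = "catalog_api"
    def get_endpoint(self, endpoint_id):
        return {"id": endpoint_id}  # constructed sample data

class PolicyManager(Manager):
    api_name = "policy_api"
    def policy_for_endpoint(self, endpoint_id):
        return {"endpoint": self.catalog_api.get_endpoint(endpoint_id)["id"]}

def start(registry):
    PolicyManager(registry)   # created before the API it depends on
    CatalogManager(registry)
    registry.lock()           # from here on, new managers are an error
    return registry
```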
The policies API should never be used. This marks it deprecated in
the API reference so that operators do not waste time looking at it.
It also logs a deprecation warning if the API is called.
Change-Id: I816997826e931a253777145e2c5f894e39182a8f
When a query for policy information by policy_id fails (in
policy\backends\sql.py Policy::_get_policy function), it will raise
'exception.PolicyNotFound(policy_id=policy_id)'. The deleted code is
redundant if all it does is catch the same exception
and then re-throw it.
Change-Id: I3d4f7175764798449a3efe787af58dc2ea99fc1f
Adding the beginning implementation for registering and using
default policy rules in code. Rules are defined in the new
policies module and added to the return list __init__.py.
Default policies can now be maintained in code and registered
via listing mechanisms in the policies module. As we go, we
can remove the duplicated default policies from our policy.json
file.
This commit specifically:
- Creates a new module called `policies` to hold our in code defaults.
- Ensure we pass our in code policy list to our policy ENFORCER.
- Add base policy module for common policy rules.
- Add service default policy module for policy rules.
- Add endpoint default policy module for policy rules.
- Add regions default policy module for policy rules.
partially-implements blueprint policy-in-code
Co-Authored-By: Richard Avelar csravelar@gmail.com
Change-Id: Ic47b1e8b0d479032d8a7b9891ed9800be7036d94
This change replaces the use of DictBase with the ModelDictMixin
for any SQL models that do not contain an extra column and renames
the DictBase to a more descriptive name of ModelDictMixinWithExtras.
A Docstring has been added indicating the continued usage of
ModelDictMixinWithExtras should not be done for any "new"
models.
Change-Id: I9a4767cacf7620e878df70084060f3e43e1318df
Keystone's various Manager classes typically handle the sending of
a notification. In order to send the notification an `initiator` is
needed. All Manager CRUD methods typically ask for this as a kwarg
since it's not required in all cases.
Most of the controller layers pass the initiator value as a
positional argument. This commit makes it so the controller passes it
as a kwarg since that's how the Manager class method signature
describes it.
Change-Id: Ic805f6ea2767c9c5cf01aa04ad554773b9cc8c39
The audit initiator is basically a context with all the information
about the current operation available. This information is all gathered
from the request and context so we can simplify its generation by moving
it onto the request object.
Change-Id: If91eacd3e07e0d9cd825f92b06c0ac819b3daf8c
This commit moves all the decorated call to validate request inline with the
method. This is one way we can lazily validate requests - which allows us to
pick validation configuration options specified in config.
Change-Id: Iee71fb3c34d296427cd485180dacb6bf02581845
Pass the request object through to the build_driver_hints function so
that it can use request.params instead of context.query_string.
This shows the problem with the domain_id filter in list roles. For
whatever reason the driver doesn't filter on domain_id=None by default
so we need to add this filter manually. Because we can no longer
influence the query string we add it to the hints object directly if the
param is not set.
Change-Id: I732c603a24f6b884820ee6837d4c0f752d77987d
keystone.common.config is 1200+ lines of super dense, merge-conflict
prone, difficult to navigate, and finicky to maintain code. Let's follow
nova's lead and break it down into more manageable modules.
This patch creates a new Python package, keystone.conf, and moves all of
our configuration options into it, mirroring nova's nova.conf package.
There are a couple special modules in keystone.conf introduced here as
well:
- keystone.conf.__init__: This causes all of Keystone options to be
registered on import, so consumers of keystone.conf don't have
races with config initialization code while trying to use
oslo_config.cfg.CONF directly (keystone.conf replaces all uses for
oslo_config.cfg.CONF in keystone).
- keystone.conf.base: Keystone's [DEFAULT] group options. I'd prefer
this to be called 'default.py', but I'm just copying nova's lead here.
- keystone.conf.opts: The entry point for oslo.config itself.
- keystone.conf.constants: There are a few constants (deprecation
messages, default paths, etc) that are used by multiple configuration
modules, so they need to live in a common place.
Change-Id: Ia3daffe3fef111b42de203762e966cd14d8927e2
Instead of the unformed context dictionary pass a full request object
with access to the context_dict so that existing functions still work.
After this we can replace smaller usages of the context dict with
functions and properties on the request directly.
Change-Id: Ibe822ed7c76a24a7d31d98ce62f873a01e5fb213
Change I5ff9c4e4b6d64750f5db2a73cc4317358aea0649 restructured the
identity subsystem. As part of the change, the abstract driver
was extracted to identity/backends/base.py
This change does the same for the policy subsystem.
Partial-Bug: 1563101
Change-Id: Id2a6e9d43724a7ffe95f097a9876b2320f8f01f8
Currently tox ignores D401.
D400: First line should end with a period.
This change removes it and makes keystone docstrings compliant with it.
Change-Id: I9a9520e69701718ff471eebbcc52199dacdd9c68
Currently tox ignores D401 (401: First line should be in imperative mood).
This change removes it and makes keystoneauth docstrings compliant with it.
Change-Id: I136cf810f47c4c19f29216907a63f226930b5082
Partial-Bug: 1570049
EngineFacade is deprecated. This partially switches keystone to
use oslo.db.sqlalchemy.enginefacade. 'get_session' and 'get_engine'
methods are still used in sql migrations and related tests.
Change-Id: I221232d50821fe2adb9881f237f06714003ce79d
Partial-Bug: #1490571
Keystone API routers are exposed at their package
level (in __init__.py files). This causes them to
be unnecessarily executed each time something
within that package is used.
For example, simply importing
keystone.federation.constants would cause the
federation routers code to be executed.
This patch removes routers exposure from package
level and imports them directly in services.py,
which is the single place that needs them.
Change-Id: If68184c871ac77659ad2e64aa5f0aafac7a4bf70
There are several issues in the docstring, the format is not
correct, not using the full path of class etc.
This patch corrects all of them, so the docstring will be rendered
correctly.
Change-Id: I04d5818f38b5e75b6f6197ef5e13dcd64ed91bf4
Extended support for versioned driver classes to the rest of the
backends based on the design of the initial support for catalog backend @
https://review.openstack.org/#/c/218481/
partially Implements bp stable-driver-interfaces
Change-Id: I0078f6dc32932beb6db534ecf22b160097c5a090
The Stevedore library is used for loading backend drivers rather
than using importutils. This provides a level of indirection for
deployers/packagers.
The importutils method of loading drivers is still supported, but
it's deprecated.
bp stevedore
Change-Id: Id77ebf7056987ff1d3b9f62fab411845e63c86c3
* pull in oslo.policy
* account for changes to Enforcer initialization
* account for changes to config options
partially implements bp graduate-policy
Change-Id: Ia23afda5acf92cdc4578ec4c85821603c56d3097
Using the WSGI context that is available at the manager layer,
we can get the Initiator content we need and forward it to the manager
classes.
Co-Authored-By: Morgan Fainberg <morgan.fainberg@gmail.com>
partially implements bp: cadf-everywhere
Change-Id: I6b7885d29cd733c5040bea6003dd93607cb5821e
Keystone modules used different sources of the CONF global so were
inconsistent. All modules should use CONF from oslo_config.cfg.
Change-Id: I60c8d2c577d37b9b8a367b46596154ce6c49fff4
Start publicizing events for create/update/delete events
for region/endpoint/policy/service. There was no reason to
not publicize them.
partially implements bp: cadf-everywhere
Change-Id: I7498824d0f67e752b48808d279e4faee6f914253
Most of the changes are just replacing
    from keystone.openstack.common import log
with
    from oslo_log import log
There are some other specific changes that had to be made:
* Initialize logger in keystone/config.py
Change-Id: I859edb71c434051ffe7f34c16018b738ddb71e3b
When parsing the policy.json file we should provide a message that helps
the user or deployer understand there was an issue with the policy file,
and that they should make sure the policy.json file is valid JSON.
Change-Id: I63bdb6d8f03a0510e34b7e10cec25263e7c6c63c
Closes-Bug: #1177623
The endpoint policy extension will need to ensure stale
associations are removed on deletion of these entities. Delete
events are already generated for endpoints. For completeness,
create and update notifications for these entities have also
been implemented.
Partially implements: bp endpoint-policy
Change-Id: I5de15459f5b577955056ecc166b450963e85bbc9
The V3 routes were being added by the append_v3_routers function in
each controller package, so the only way state could be stored is in
a global variable which makes unit testing difficult. With this
change, the append_v3_routers functions are put into a class in each
package. This will eventually be used to store JSON Home data.
bp json-home
Change-Id: I744a4c82dc84bb1a8d29d0314e3c51cc43c077a2
Since the unimplemented methods for abstract classes are not meant to be
actually used, they shouldn't be included in the code coverage
calculation. Thus, to address this I introduced the pragma "no cover" to
these classes.
Change-Id: Id239a2eb42d8288764b8f374d5d13ebd37af5a7d
In reviewing https://review.openstack.org/79211 we discovered that none
of the db_sync methods are called anymore.
Change-Id: Ie9714822efd06ba51654ac3aa3b93886cae24d6f
"# flake8: noqa" was used in several files. This causes the
entire file to not be checked by flake8. This is unsafe, and
"# noqa" should be used only on those lines that require it.
E712 doesn't honor #noqa, so work around it by assigning True to a
variable.
Change-Id: I1ddd1c4f4230793f0560241e4559095cb4183d71