Resolve the following LegacyAPIWarning warning:
The Query.get() method is considered legacy as of the 1.x series of
SQLAlchemy and becomes a legacy construct in 2.0. The method is now
available as Session.get()
Change-Id: I30d0bccaddff6a1d91fcd5660f490f904e7c8965
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
During a trust deletion, the backend will fetch all trust by the same
trustor and look for redelegations to be deleted as well. If you have
a considerable amount of trusts that call becomes expensive. Just by
pushing this filter into the backend, the response time for the api call
just depends on the number of redelegations for that trust.
Change-Id: Id3a820fca0bb20561ba031797d2b0fb96ba1f78d
Closes-Bug: #1935840
This repo does not support Python 2 anymore, so we don't need
six for compatibility between Python2 and 3, convert six usage to Python
3 code.
Change-Id: Icba56808f38277b27af2ae5aac4b8507dee71b3b
The trust SQL backend uses the extras column to store the
redeletegated_trust_id and redelegation_count info. It's
better to make them first class citizens and give them
their own columns.
This change does not add redelegation_trust_id to the trust schema
because this value is set by the token context, not by the user. We also
remove it from the api-ref example to avoid confusion about this.
Co-Authored-By: David Stanek <dstanek@dstanek.com>
Co-Authored-By: Alexander Makarov <amakarov@mirantis.com>
Change-Id: If496152e40d2213a03faad5645667220fddfcf62
This is a follow-up patch to add an abstract
method for flush_expired_and_soft_deleted_trusts
in base.py to avoid any burst in case people
supplying their own backend.
Change-Id: Ib326abddce239e87cd4cd37d06fa3b55112ee134
Related-Patch: https://review.openstack.org/#/c/589378/
Related-Bug: #1473292
This patch adds functionality to purge
expired and soft-deleted trusts older
than the given date.
Change-Id: I0bd47e57f8650182e38b4f70e04cb53338fce474
Related-Bug: #1473292
This patch adds the functionality for purging both
expired trusts as well as non-expired soft-deleted
trusts, since those soft-deleted trusts are
as likely to bloat the database as expired trusts.
Related to patch-
https://review.openstack.org/#/c/589378/
Change-Id: I3c74f2345a944ce03a8189c4e66c3c37350cd34f
Related-Bug: #1473292
Basic conversion of Keystone's core application to flask framework.
This doesn't add much in the way of flask-specific-isms but should
get keystone running directly under flask. This implementation does
not use paste-deploy.
Change-Id: Ib4c1ed3f645dd55fbfb76395263ecdaf605caae7
Without this patch, the token formatter does not have enough data to
construct a token created with an application credential. This means
that if the token cache is disabled or expired, when keystone goes to
create the token it will not find any application credential information
and will not recreate the application_credential_restricted parameter in
the token data. This patch creates a new Payload class for application
credentials so that the application credential ID is properly persisted
in the msgpack'd payload. It also adds more data to the token data
object so that the application credential ID and name as well as its
restricted status is available when the token is queried.
Co-authored-by: Lance Bragstad <lbragstad@gmail.com>
Change-Id: I322a40404d8287748fe8c3a8d6dc1256d935d84a
Closes-bug: #1750415
Add an auth plugin for application credentials and update the common
auth utilities to understand an auth method of 'application_credential'
and validate and scope accordingly.
By default, application credentials should not be allowed to be used for
creating other application credentials or trusts. If a user creates an
application credential with flag `allow_application_credential_creation`
then that application should be allowed to be used for creating and
deleting other application credentials and trusts. Ensure a flag is set
in the token if this property is set to allow this behavior.
bp application-credentials
Change-Id: I15a03e79128a11314d06751b94343f22d533243a
Extract the expiration time parsing from the trusts controller to the
utils module. This will be useful to any API that needs to validate
user-inputted timestamps.
Change-Id: If99b2c456e61ae25123c5597e2788e667021cb2c
This change converts the usage of self.<provider_api> to
keystone.common.providers_api.ProviderAPIs.<provider_api> in manager
and controller logic. This is the correct way to reference
providers from other managers and controllers now that dependency
injection has been eliminated.
Change-Id: I26bdb8cc3707b294c79b098211debf65f88587f9
We've already converted Password objects to use the DateTimeInt format
for its datetime attributes[1]. This was necessary to cope with
differences in date storage formats between different DBMSs that was
causing intermittent test failures. While we're not experiencing those
CI problems any more, the DateTimeInt format is the way forward for
consistent datetime storage. This patch converts the trust table and
model to use the new format.
[1] https://review.openstack.org/#/c/493259/
Related-bug: #1702211
Change-Id: If524c743170924e5b8cfdafa862ed31b06db018c
Implement a convenience method in the role manager to look up a single role
by its name. This is useful for moving role-specific logic out of the
trust controller and will be useful again for application credentials
which will also need to look up roles by name.
Change-Id: I94083cd4e719f105b5555e4676e119a358d6b1c6
Refactors all of keystone's dependency injection to maintain a
single centralized repository of instantiated objects. This
means that we are no longer having to resolve order. All
objects that need to reference the various manager APIs simply
do so via the __getattr__ built into the Manager common object
or the ProviderAPIMixin object.
This is also the first step towards correcting our tests to
where they cannot run "load_backends" multiple times.
This forces any/all managers to properly run super()
as the way to register the api is via __init__.
This eliminates all use of the @dependency.requires and
@dependency.provides decorators, simplifying the objects
all around.
Any instantiations of a Manager after keystone is running
will now generate an error, ensuring everything for keystone
is running before handling requests. An exception is for
CLI and CLI tests, as the CLI may directly instantiate
managers and will not lock the registry.
Change-Id: I4ba17855efd797c0db9f4824936b49e4bff54b6a
Previously, we weren't doing any validation on the roles attribute of a
trust except to validate that it was an array. A hasty glance, however,
would lead you to believe that it was validating an array of
parameter_types.id_string[1] and so we translated that to the new role
object validation. However, id_string doesn't include some valid role
names like _member_. This patch updates the role name schema to match
parameter_types.name, which is the same as the schema for the main role
object.
[1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/trust/schema.py?id=62f9e57cd81dc98c5816da9fa483d385b4c1a66c#n41
Change-Id: I83aafc7a96e81a9b6b1056b39cd8c5d23676c014
Closes-bug: #1734871
When create trust with invalid role key(neither 'id' nor
'name'), Keystone should raise 400 BadRequest, instead of
500 Internal Error.
This patch removed the redundant loops in
_normalize_role_list as well.
Change-Id: I62bd201c1dda7b573e2ee8b97322c1f25275892c
Closes-bug: #1734244
_trustor_trustee_only has been called in function
TrustV3::get_trust. It is not necessary to be called again.
Change-Id: Ice93b826fef4616801fd02bcf8175b7c8dc11839
If a user is trying to create a trust by specifying roles by name
and the name is used by multiple roles, return a more descriptive
error message. Prior to this it was returning "role not found".
Change-Id: Ife437ac15774f546f551e191cd5e6fdde7c67d49
Partial-Bug: 1696111
This change replaces the use of DictBase with the ModelDictMixin
for any SQL models that do not contain an extra column and renames
the DictBase to a more descriptive name of ModelDictMixinWithExtras.
A Docstring has been added indicating the continued usage of
ModelDictMixinWithExtras should not be done for any "new"
models.
Change-Id: I9a4767cacf7620e878df70084060f3e43e1318df
Eventlet patched time.sleep. When time.sleep was called, eventlet
switched to another worker. The code being removed gave eventlet
a chance to switch to another worker if there was one.
Eventlet was removed a long time ago and the call being removed
is not needed any more.
Change-Id: I2d23f20f94c2f2e0917be9ea67e7e5edf3514aff
In review Id5de16d446cf4fdacfefdad0523e84821e4fd72c we decided that
ForbiddenAction should be used in place of Forbidden when extra context is
necessary. This is to allow the error message to contain the normal
"You are not authorized" messaging in addition to that extra context.
Change-Id: I2f9204602e95e45f6db1733c41984ae160745d37
Add text to raised Unauthorized and Forbidden exception to show the client
what happened.
Change-Id: Id5de16d446cf4fdacfefdad0523e84821e4fd72c
Closes-Bug: 1625120
The trust without a valid project is useless and will no longer
be active since the id of project is a random number and only
assigned when it created.
The patch invalidate the trust if the related project is deleted.
Change-Id: I51214c46ef5332c159b1e18bbd7046d12aba4a65
Closes-Bug: #1622310
The trust without a valid trustee, trustor is useless and will
no longer be active since the id of user is a random number and
only assigned when it created.
The patch delete trust if the related trustee or trustor is
deleted if the user is maintained by keystone.
Change-Id: I67dac6b7bac8cb94575ceda4a3277847a2bcc2d8
Partial-Bug: #1622310
There is no need and should not any conflicts or integrity
exception for the list something from DB.
Change-Id: I9f999a204ee7ef9e51384e6e032257aae7794e5e
Keystone's various Manager classes typically handle the sending of
a notification. In order to send the notification an `initiator` is
needed. All Manager CRUD methods typically ask for this as a kwarg
since it's not required in all cases.
Most of the controller layers pass the initiator value as a
positional argument. This commit makes it so the controller passes it
as a kwarg since that's how the Manager class method signature
describes it.
Change-Id: Ic805f6ea2767c9c5cf01aa04ad554773b9cc8c39
The audit initiator is basically a context with all the information
about the current operation available. This information is all gathered
from the request and context so we can simplify its generation by moving
it onto the request object.
Change-Id: If91eacd3e07e0d9cd825f92b06c0ac819b3daf8c
In lieu of new more complicated role system role collections tend to grow,
so extracting all roles to normalize/populate trust scope should be more
granular. This patch is a rework of role treating logic in trust controller.
Change-Id: Id6945ff9be23250d72909beceaa9cd73eebde04f
The get_user_id function relied on the token model in auth_context -
which amongst other things means it would fail with a tokenless auth
context. This can be replaced with user_id from the request.context.
Normally I try not to mix in cleanups, but whilst doing this and
changing variables in list_trusts a small reshuffle and some whitespace
just made the whole thing actually readable.
Change-Id: I5b64210fc797961b422a0ab9a1b4cee078fe6a0f
One or two line functions that are only used once make it harder to read
because you need to jump around and see what the function is doing. Just
bring this code in to where it is actually used.
Change-Id: I741271bea9c44d96bc6d98f92660f52fdbbdb534
Add more information from the auth_context dict to the request context
object and start the process of converting code over to using the
context instead.
Change-Id: I3a5d8af30834873dfc7a10464a22355f379ebbcf
This commit moves all the decorated call to validate request inline with the
method. This is one way we can lazily validate requests - which allows us to
pick validation configuration options specifed in config.
Change-Id: Iee71fb3c34d296427cd485180dacb6bf02581845
The oslo_context provides a standard is_admin property that should be
used instead of pushing one around in our unstructred context dict. This
is part of a trend to use more of the standard context object instead of
our own dict.
Change-Id: Ia7b35ba80f483ef0baa1ae416d670fd45349bd89
This patch moves the trust abstract base class out of core and
into backends/base.py
This removes dependencies where backend code references code in the
core. The reasoning being that the core should know about the backend
interface, but the backends should not know anything about the core
(separation of concerns). And part of the risk here is a potential for
circular dependencies.
Partial-Bug: #1563101
Change-Id: Ibe9203635ee4ad5d1afee3ad751f04de6ef66f94
The controller get_auth_context method simply fetches a dict from the
environment. We can simply put this method on the request now.
Change-Id: Icba3a0286e5af440108c27f41f54de64c922f29a
Push further into pushing a request object around, fix the v2
assert_admin method to work with a request.
Change-Id: I83063178b04c5e401d1f1a6bb9bce63a4a38910e
The context['query_string'] is just a dictionary copy of the original
params object that comes from a request. Just use the existing params
instead.
Change-Id: I0ecd7a09e36b39a105c150b3affcbbcd26a544c2
Stephen Finucane