Commit Graph

14 Commits

Author SHA1 Message Date
Colleen Murphy 5f093bf5ee Add validation of app cred access rules
This commit adds a validation step in the auth_token middleware to check
for the presence of an access_rules attribute in an application
credential token and to validate the request against the permissions
granted for that token. During token validation it sends a header to
keystone to indicate that it is capable of validating these access
rules, and not providing this header for a token like this would result
in the token failing validation. This disregards access rules for a
service request made by a service on behalf of a user, such as nova
making a request to glance, because such a request is not under the
control of the user and is not expected to be explicitly allowed in the
access rules.

bp whitelist-extension-for-app-creds

Depends-On: https://review.opendev.org/670377

Change-Id: I185e0541d5df538d74edadf9976b3034a2470c88
2019-07-15 16:05:59 -07:00
Morgan Fainberg b3e84aafc0 Remove PKI/PKIZ support
Keystone server no longer supports PKI/PKIZ. This change removes
keystonemiddleware's support of PKI/PKIZ and associated code.

Change-Id: I9a6639a2aa3774be61972d57f38220f66fd5c0e8
closes-bug: #1649735
partial-bug: #1736985
2019-06-19 12:16:47 -07:00
Jens Harbott f6037a3d50 Add a new option to choose the Identity endpoint
Previously the admin Identity endpoint was hardcoded to be used. Now
that keystone has dropped v2 support, deploying an admin Identity
endpoint is no longer useful, so allow this to be changed by the
deployer. Keep the default as using the `admin` endpoint, but create
a deprecation message so that we can change the default in the future.

Partial-Bug: 1830002
Change-Id: I993a45ccb1109d67e65bf32d1e134cc9bec2d88e
2019-06-03 10:34:25 +00:00
Morgan Fainberg 7e1b536259 Stop supporting revocation list
With keystone's move to eliminating pki, pkiz, and uuid tokens the
revocation list is no longer generated. Keystonemiddleware no longer
needs to attempt to retrieve it and reference it.

Change-Id: Ief3bf1941e62f9136dbed11877bca81c4102041b
closes-bug: #1361743
partial-bug: #1649735
partial-bug: #1736985
2018-10-30 19:36:51 +00:00
Colleen Murphy 409b482253 Rename auth_uri to www_authenticate_uri
The [keystone_authtoken]/auth_uri middleware parameter has been causing
extreme confusion amongst operators and developers ever since the
keystonemiddleware started accepting keystoneauth plugin parameters
including auth_url. The two parameters look identical and yet have
completely different meanings and are both required. This patch
deprecates auth_uri and renames it to www_authenticate_uri, which more
accurately describes the WWW-Authenticate header it is configuring and
is dissimilar to any other keystone_authtoken middleware parameter. This
also renames the internal variable names for consistency with the config
option.

Change-Id: I0cf11da3d395749df28077427689fdafc8a6b981
2017-10-11 14:00:49 +02:00
Jamie Lennox 4c6282ff70 Pass ?allow_expired
When a service token is present we should bypass the expiry checks and
pass the allow_expired flag to the server. This will let the server
return expired tokens.

This has a very basic policy enforcement that is not backwards
compatible with the current (sensible) default. We will need to discuss
how we can make this work.

Implements bp: allow-expired
Change-Id: If3583ac08e33380f1c52ad50d7d5c74194393480
2016-12-15 16:15:35 +00:00
Jamie Lennox f0965c955d Split oslo_config and list all opts
The intent of providing the list_auth_token_opts function was to provide
the oslo_config sample config file generator a list of options to
include in its sample files. However, services like zaqar have come to
rely on the list_auth_token_opts to list all the options that may be
consumed by auth_token middleware so that they can register them against
a non-global oslo_config object.

By removing deprecated options from the list_auth_token_opts we remove
these options from the config objects that the services use, however by
keeping them we will forever have deprecated options in sample config
files.

To split these two functionalities create a new function that lists the
options available for sample config files and update the entrypoint to
reflect this. This function is currently private because it should only
need to be accessed via entrypoint. The old deprecated options are then
added back to the original list_auth_token_opts function.

Closes-Bug: #1533932
Change-Id: I2aae5483c9309ab75985298c8de5b6f24cbc0f0d
2016-02-11 13:00:28 +11:00
Jamie Lennox 41baa73a23 Don't list deprecated opts in sample config
The oslo config generator uses the list_auth_token_opts function to
determine what options should be included in the sample config files of
other services.

This should not include options that have been deprecated, so remove them
from the list.

Closes-Bug: #1523311
Change-Id: I261d29f2a3fcbe846e129140fe97e6cd8b4acd58
2015-12-07 13:36:43 +11:00
Jamie Lennox d202ed827e Use keystoneauth
With the release of keystoneauth we should use that instead of
keystoneclient in auth_token middleware.

Change-Id: Id0876e90a1373ba31e4ec23d5275618149ca36d1
2015-11-23 12:03:00 +11:00
Jamie Lennox c99f2d947c Ensure auth_plugin options are in generated CONF
Add the common auth plugin options to the list of options used to
generate sample config files.

Closes-Bug: #1497082
Change-Id: I22d704ebee18b6e9208126812e41aee6cc8331ef
2015-09-20 18:55:38 +10:00
Jamie Lennox 2bba182751 Allow specifying a region name to auth_token
The keystone that is used to validate tokens is determined from the
service catalog. If you have multiple identity entries in your service
catalog then you need to specify the region to use.

Add a region_name option.

Change-Id: I512dbcdc7031f476d691b7ce09b7c6411900ea9e
Closes-Bug: #1405717
2015-08-26 11:01:21 +10:00
Dolph Mathews bd742151ba Add an explicit test failure condition when auth_token is missing
If the loop exits "successfully" without finding auth_token, scope fall-through
would result in 'extension' containing the last iteration of the
'for' loop.

This change results in that behavior explicitly failing with better
error feedback.

Change-Id: Ifa63a78d267e810fcf4adb40524613d7d8f3b5b7
2015-05-22 16:54:25 +00:00
Brant Knudson 03d6f0ce9d Fix list_opts test to not check all deps
The list_opts entrypoint test failed unnecessarily when the
dependencies in the packages were inconsistent. This test doesn't
need to verify that the dependencies are consistent, only that the
entrypoint is available and provides the expected function.

Change-Id: I857222e0637b09f45352d9cabbdc5cac8e4fd562
2015-05-21 17:05:08 -05:00
Brant Knudson fec6f622f6 Move unit tests into tests.unit
keystonemiddleware should get functional testing eventually like
the other keystone repos, so move the existing (unit) tests to
keystonemiddleware.tests.unit.

Change-Id: I7d5b1120fc5dc225fdd037b592a7914bde3f1ac2
2015-03-11 17:03:54 -05:00