This change adds access_rules as a parameter for creating application
credentials, and also adds the ability to list access rules and to
retrieve and delete individual rules. Directly creating an access rule
or updating one is not supported.
bp whitelist-extension-for-app-creds
Depends-On: https://review.opendev.org/671374
Change-Id: I490f1e6b421d4f36f588f83a511ce39b9b4204e2
This change adds client support for creating, reading, updating, and
deleting registered limits.
A subsequent patch will do the same for project-specific limits.
bp unified-limits
Depends-On: https://review.openstack.org/#/c/569741/
Change-Id: I6b5d106d08af53c2ad41ed3f799e9e71d370c6dd
Add support for creating, reading, and deleting application credentials.
Application credentials do not support updating.
Keystoneclient does not handle authentication with application
credentials. This is done in keystoneauth. Additional work will be
needed in python-openstackclient to support both CRUD and auth for
application credentials.
bp application credentials
Change-Id: I21214238deac2c45f2f2d666287c2ae106955ab1
The following API calls are made available:
- POST /OS-EP-FILTER/endpoint_groups
- GET /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
- HEAD /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
- PATCH /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
- DELETE /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
- GET /OS-EP-FILTER/endpoint_groups
Partial-Bug: #1641674
Change-Id: I285eefe82152b178268f671e8800a0ff8c1511e4
- At least one API was not implemented (list_implied_roles)
- the tests were lacking assertions and proper mocked responses
- some of the functionality just didn't work (see bug)
- returning Role objects instead of InferenceRule objects
Related commits:
- I80a40e88b571fe9b0eca3af8b705ea79f28eb904
- I66e863fb83f8dfcca2c48116d4377df060f402c3
Closes-Bug: 1647934
Change-Id: I7b449a93d7d4d3eb9ca857f6c1f78f884bad2534
Provide support for the domain-specific configuration storage available
via the REST API.
Domain configs are JSON blobs and we have fine-grained control on them
via the Identity API. This fine-grained control is not defined yet in the
client, though - for now, we can manage everything like Python dictionaries
and use operations like "update" whenever we want to delete a specific group
or option. This approach is similar to what is done in the federation mapping
API to handle mapping rules.
Functional tests are also included; this is useful to check if the new
feature works in an integration environment.
Co-Authored-By: Henry Nash <henryn@linux.vnet.ibm.com>
Co-Authored-By: Rodrigo Duarte <rduartes@redhat.com>
Closes-Bug: 1433306
Partially Implements: blueprint domain-config-ext
Change-Id: Ie6795b8633fed38c58b79250c11c9a045b7f95a4
Currently tox ignores D204, D205, and D207.
D204: 1 blank required after class docstring.
D205: Blank line required between one-line summary and description.
D207: Docstring is under-indented.
This change removes D204, D205, and D207 ignores in tox and fixes violations.
Change-Id: Id20d216fbd7647d468859b960088aac61c582d9b
Currently tox ignores D301.
D301: Use r""" if any backslashes in a docstring.
This change removes D301 ignore and fixes violations.
Change-Id: I9dbe2c9d59e2c2d8585a53840a579a9b9c57a09c
The docstring examples in the v2_0 and v3 Client classes showed
passing username and password. Passing username and password is
deprecated in favor of using keystoneauth session. The examples
shouldn't use deprecated behavior otherwise we'll never get
developers to stop using it.
Change-Id: Ia79ed7a02a48553eba8eb83a654c3c75601fa07d
Developers are probably going to want to know what the type of
the session argument is since other methods of constructing
v3.client.Client are deprecated.
Change-Id: Ifb94ef134b86980f88e7cf3c80344c458937d1ab
Developers using get_raw_token_from_identity_service are going to
want to know more info about the value returned, so provide them a
link to the class docs.
Change-Id: Ic1b100f1f362219b64c677dda90faaf51e93cc6a
This reverts commit d3b11d674d.
This is causing auth_token middleware tests to fail. The error is
like:
EndpointNotFound: public endpoint for identity service in east
region not found
So this is going to potentially affect customers.
Change-Id: I5ad917e48c9b140709dd3bf95e89c07ea58d6a66
All of the other OpenStack services have a 'public' default endpoint
type. Keystone has 'admin' default endpoint type. Why not make
Keystone compliant and change the default for Keystone v3 from 'admin'
to 'public'? Keystone v2 will remain the same with an 'admin' default.
Closes-Bug: #1457702
Change-Id: I515438477dba72c2a0c4595603000690511b5700
HTTPClient() tenant_id and tenant_name parameters weren't properly
deprecated since they were only mentioned in the docstring. Proper
deprecation requires use of warnings/debtcollector and documentation.
Also fixed a bunch of places in the tests where tenant_id and
tenant_name were still being used despite being deprecated.
bp deprecations
Change-Id: I9c4f596b8ff10aede6c417886638a942cb18044c
The keystone V3 API ships with EC2 in the pipeline by default. The CRUD
manager is available for the V2 API and we should also make it available
for v3.
Change-Id: I635a12b1647d5187ded7d0aea9c0277dfbb15eff
Closes-Bug: #1236326
The /auth routes are the preferred mechanism for listing the projects
and domains that the current token can be authenticated to as they
support both federated and regular tokens.
Expose these routes via the client so that they can be consumed.
Change-Id: I9724a648ebd9d21edf8ffcc64f4cdb897a99101c
Apart from making keystoneclient follow the same patterns of using an
adapter that we are trying to push onto other clients this severs the
cyclical dependency between managers and the client object.
There are a few changes that have had to be rolled into one to make the
transition work. These can't be separated unfortunately as they are
interdependent.
* managers are now passed the adapter instead of the client. They
therefore don't have reference to the other managers on the client.
* The adapter has been subclassed to provide user_id as there are some
managers that require user_id be provided for changing passwords etc.
* client.auth_url has been replaced with a call to get_endpoint which is
supported by the adapter.
* management=True has been removed from all the managers and they now
correctly set the interface they want.
Change-Id: I49fbd50571f0c1484e1cbc3dcb2159d25b21b1bc
Keystoneclient didn't provide translated messages. With this
change, the messages are marked for translation.
DocImpact
Implements: blueprint keystoneclient-i18n
Change-Id: I85263a71671a1dffed524185266e6bb7ae559630
The argument to the :raises: directive is the class name. If the
class name is a valid reference it's rendered as a link to the
class. This change cleans up the :raises: directives to use the
reference correctly and use a valid class reference.
Change-Id: I84188b60de0ab4c6b5b2fb5a203c43bfde094707
Left timeutils and strutils in openstack/common since they are used in
openstack/common/apiclient and memorycache.
Change-Id: Idb5f09c159d907dfba84cd1f7501f650318af7d9
This adds the client library class for the endpoint policy extension.
Implements: bp endpoint-policy
Change-Id: I7153d7a093f4299d7f912b0b4a9a02ffacdb9e69
The keystoneclient docstrings should give guidance for an
application developer to actually use the library. Here's a start.
Partial-Bug: #1330769
Change-Id: I1a9434704d0cd6b58de76933ff78c8d5c0aa3e3b
This was a simple factory that would give compatibility for the existing
client to load up the appropriate auth plugin. A more robust plugin
loading mechanism is coming for this and having it available encourages
other auth plugins that they should be using that where they shouldn't.
Just remove it from the auth plugin class. It shouldn't be used by
anyone else so let's keep it on the client objects.
Blueprint: plugin-params
Change-Id: I0618b646f302300d41c7dd7153a1c0bdc237a745
This patch adds role assignments list support
to keystoneclient.
Created RoleAssignment resource and RoleAssignmentManager
classes. RoleAssignmentManager only implements the list()
method, the other inherited methods from base.CrudManager
raise a MethodNotImplemented error with customized messages.
This bp is complemented with the OSC part:
https://blueprints.launchpad.net/python-openstackclient/+spec/roles-assignment-list
Change-Id: I164b58b67ff42320238e943ddfa9d0a8aadd0a6d
Implements: blueprint roles-assignment-support
Closes-Bug: #1246310
Add support for creating request and access tokens,
and to authorize request tokens. Also adding basic CRUD for
consumer entities.
DocImpact
Change-Id: Ib9d0b223f202a7e33cbad1602da5be7479cd3284
implements: bp add-oauth-support
The Domain Quota Management Driver uses the V3 Authentication Token.
Also, it tries to contact Keystone for getting list of projects in a
domain using V3 API like /v3/projects?domain_id=<id>. But the
keystone v3/client.py default uses V2 API and hence code changed
to convert V2 endpoints for V3 endpoints. This change is required
to implement blueprint domain-quota-driver-api
Change-Id: If62ffc5e5252477bbe4d80f14c0a7653e11d5403
Closes-Bug: 1260916
In the future clients will simply pass the service they expect to talk
to and the path. This will prevent every service trying to get their own
base urls from the service catalog individually.
This can later be extended to have the auth plugin actually contact the
URL from the service catalog which will let us have unversioned
endpoints in the catalog handled from a single location.
Change-Id: I80f0b5b1dbb45565fec09d1cb2c0552cfb9a72f5
blueprint: auth-plugin-endpoints
This reverts commit 2e7bdb872e.
This commit I9137e3426c82c73855ae0e50317cfd6477195318 is the second
patch that broke stable/havana by introducing a dependency on oauthlib,
but oauthlib isn't in the stable/havana branch of global dependencies
(fix in progress Ib2e2aa2e75e7b7b43e0534eeb62e748d1edc0bc3). And we use
trunk clients in stable/havana gate jobs. So this patch broke both heat
and horizon, both of which import this file to support keystone's v3 API.
This is the final patch in reverting bp add-oauth-support.
Commit subject was (but exceeds maximum pep8 subject length):
Revert "Add request/access token and consumer support for keystoneclient"
Fixes-Bug: #1292797
Change-Id: Ib45fb39b01ddcf5c8fc0179811efded84c0cb908
Add support for creating request and access tokens,
and to authorize request tokens. Also adding basic CRUD for
consumer entities.
implements: bp add-oauth-support
Change-Id: I9137e3426c82c73855ae0e50317cfd6477195318
Privatize some of the automatic auth plugin construction work. At some
point we are going to need to have this pluggable and I'm not sure the
current methods will suffice. It's better to keep this private until we
are sure rather than be stuck with a public API.
Change-Id: I2a10a9b28bef6c094b1330a0524f1c516f5103fd
Closes-Bug: #1287488
Extract the authentication code from a v3 client and move it to a series
of auth plugins. As v3 authentication can contain multiple
authentication methods this concept is represented by an AuthMethod. An
auth plugin then is provided with multiple mechanisms to authenticate
with.
There is also some helper class for the standard case where you only
need to authenticate with one method.
When a v3 client wants to do authentication it will create a new v3 auth
plugin, do the authentication and then take that result for the client
to use.
Change-Id: I5fa6a6e1c2e114e1428e35b723700c63a3cbed44
blueprint: auth-plugins
When deprecating the use of management_url from service_catalog we
updated the management_url setter for the project scoped token, however
we missed the domain scoped token case.
There is actually nothing we can do here to test this scenario as the
backwards compatibility code that was installed handles this for us and
there is no problem, however we should not be internally relying on
deprecated code.
Change-Id: I59bac4d9d74f2eb8bc6edd40518c7cd5a4fe1343
This patch adjusts import items and adds missing blank lines according
to http://docs.openstack.org/developer/hacking/#imports
{{stdlib imports in human alphabetical order}}
\n
{{third-party lib imports in human alphabetical order}}
\n
{{project imports in human alphabetical order}}
\n
\n
{{begin your code}}
The hacking project also enforces some checks for import group.
Let's make the change in keystoneclient
Change-Id: Ic83bd5ee426905588f4a2d555851a9a01fc69f02