tag 10.0.0.0rc2

Tagger: OpenStack Release Bot <infra-root@openstack.org>
 Date:   Mon Sep 26 18:30:07 2016 +0000
 
 retag 10.0.0_rc2 of keystone 10.0.0.0rc2 release candidate
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABCAAGBQJX817TAAoJENQWrRWsa0P+WsgQAIsrIErmhV1LrifAdbJ7+HZy
 BccGsXVsv6Bbk7YTjMCkYQSoP9YikAG0/24lzCwN9nqxdd3TGYrvEbc7+C/Y7BAe
 t/YJMNk0WuWqB2F0fkEv7B6lRhDEaJxVw3oT7asQ2r2oz4xRcS+XaJjyi8BWoONG
 RML/xVnA+hdpTvb3EROFd3+sLEkAuKlvxf4GI8R/P7KOxdPMdI+fhN8ms5E1Rj/w
 793LiDkuy5b/QvXwIFRZzDmZPZ8WwTWo6ztUfGng/cbRzcpe7mgpYWoMDWsJyWfj
 /ditxkGemZEjWfl0XzOMgJNpdc5KZL/GbHQNNu4RwDgVmCMfbeQJxeZy0Qdg2P4u
 qUflCptqTl5qKdR4XvzE3LinYnJ6VXfmMceqHUHwg3w4hC0ckScNtGZKI3G4VL2/
 keJIdDAFQw/roDD5PN7j2RJMCkKi5Q5T8oC0tUwXOCFuD60o9li29O9oDdbiCv02
 TlsLOf/aY69gUrXYpowi4ztc4bzvsx3UZnZkSmzsjm9Ng6Pic5lKLwFFYutd8Ute
 HrZde3us9ShBWVxwiuPrzREz99Oy5kgYRFj5yDWKb10K+VLFTW82fz1v4hMvXqPs
 LPAWekzhWeHsP9OCPCabnB1z1mTNQZM3fgrZTCLppFQeB8+V/HBE9AesrIb0CFVA
 UjTIOioUZw4nnwofLOdH
 =ofpo
 -----END PGP SIGNATURE-----

Merge tag '10.0.0_rc2' into debian/newton

tag 10.0.0.0rc2
Tagger: OpenStack Release Bot <infra-root@openstack.org>
Date:   Mon Sep 26 18:30:07 2016 +0000

retag 10.0.0_rc2 of keystone 10.0.0.0rc2 release candidate

  * New upstream release.
  * Uploading to unstable.

Change-Id: I20f69e60cbfb4f4cc1df4231f6149ee7a921e471

debian/changelog

@@ -1,14 +1,16 @@
-keystone (2:10.0.0~rc1-2) UNRELEASED; urgency=medium
+keystone (2:10.0.0~rc2-1) unstable; urgency=medium
 
   [ Ondřej Nový ]
   * d/s/options: extend-diff-ignore of .gitreview
   * d/control: Use correct branch in Vcs-* fields
 
   [ Thomas Goirand ]
+  * New upstream release.
+  * Uploading to unstable.
   * Build-Depends on openstack-pkg-tools >= 53~.
   * Fixed oslotest EPOCH.
 
- -- Thomas Goirand <zigo@debian.org>  Wed, 28 Sep 2016 09:53:05 +0200
+ -- Thomas Goirand <zigo@debian.org>  Tue, 04 Oct 2016 09:49:06 +0200
 
 keystone (2:10.0.0~rc1-1) experimental; urgency=medium
 

keystone/common/sql/contract_repo/versions/004_reset_password_created_at.py

@@ -0,0 +1,37 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import datetime
+
+import sqlalchemy as sql
+import sqlalchemy.sql.expression as expression
+
+
+def upgrade(migrate_engine):
+    meta = sql.MetaData()
+    meta.bind = migrate_engine
+
+    password = sql.Table('password', meta, autoload=True)
+    # reset created_at column
+    password.c.created_at.drop()
+    created_at = sql.Column('created_at', sql.DateTime(),
+                            nullable=True,
+                            default=datetime.datetime.utcnow)
+    password.create_column(created_at)
+    # update created_at value
+    now = datetime.datetime.utcnow()
+    values = {'created_at': now}
+    stmt = password.update().where(
+        password.c.created_at == expression.null()).values(values)
+    stmt.execute()
+    # set not nullable
+    password.c.created_at.alter(nullable=False)

keystone/common/sql/data_migration_repo/versions/004_reset_password_created_at.py

@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+def upgrade(migrate_engine):
+    pass

keystone/common/sql/expand_repo/versions/004_reset_password_created_at.py

@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+def upgrade(migrate_engine):
+    pass

keystone/identity/backends/sql_model.py

@@ -234,7 +234,7 @@ class Password(sql.ModelBase, sql.DictBase):
                                ondelete='CASCADE'))
     password = sql.Column(sql.String(128), nullable=True)
     # created_at default set here to safe guard in case it gets missed
-    created_at = sql.Column(sql.TIMESTAMP, nullable=False,
+    created_at = sql.Column(sql.DateTime, nullable=False,
                             default=datetime.datetime.utcnow)
     expires_at = sql.Column(sql.DateTime, nullable=True)
     self_service = sql.Column(sql.Boolean, default=False, nullable=False,

keystone/tests/unit/test_backend_sql.py

@@ -152,7 +152,7 @@ class SqlModels(SqlTests):
         cols = (('id', sql.Integer, None),
                 ('local_user_id', sql.Integer, None),
                 ('password', sql.String, 128),
-                ('created_at', sql.TIMESTAMP, None),
+                ('created_at', sql.DateTime, None),
                 ('expires_at', sql.DateTime, None),
                 ('self_service', sql.Boolean, False))
         self.assertExpectedSchema('password', cols)

keystone/tests/unit/test_sql_banned_operations.py

@@ -236,7 +236,12 @@ class TestKeystoneExpandSchemaMigrations(
         # to make `blob` nullable. This allows the triggers added in 003 to
         # catch writes when the `blob` attribute isn't populated. We do this so
         # that the triggers aren't aware of the encryption implementation.
-        3
+        3,
+        # Migration 004 changes the password created_at column type, from
+        # timestamp to datetime and updates the initial value in the contract
+        # phase. Adding an exception here to pass expand banned tests,
+        # otherwise fails.
+        4
     ]
 
     def setUp(self):
@@ -271,7 +276,12 @@ class TestKeystoneDataMigrations(
         # Migration 002 changes the column type, from datetime to timestamp in
         # the contract phase. Adding exception here to pass banned data
         # migration tests. Fails otherwise.
-        2
+        2,
+        # Migration 004 changes the password created_at column type, from
+        # timestamp to datetime and updates the initial value in the contract
+        # phase. Adding an exception here to pass data migrations banned tests,
+        # otherwise fails.
+        4
     ]
 
     def setUp(self):
@@ -315,7 +325,16 @@ class TestKeystoneContractSchemaMigrations(
         # Migration 002 changes the column type, from datetime to timestamp.
         # To do this, the column is first dropped and recreated. This should
         # not have any negative impact on a rolling upgrade deployment.
-        2
+        2,
+        # Migration 004 changes the password created_at column type, from
+        # timestamp to datetime and updates the created_at value. This is
+        # likely not going to impact a rolling upgrade as the contract repo is
+        # executed once the code has been updated; thus the created_at column
+        # would be populated for any password changes. That being said, there
+        # could be a performance issue for existing large password tables, as
+        # the migration is not batched. However, it's a compromise and not
+        # likely going to be a problem for operators.
+        4
     ]
 
     def setUp(self):

keystone/tests/unit/test_sql_upgrade.py

@@ -1767,6 +1767,28 @@ class FullMigration(SqlMigrateBase, unit.TestCase):
                       'type': 'cert'}
         self.insert_dict(session, credential_table_name, credential)
 
+    def test_migration_004_reset_password_created_at(self):
+        # upgrade each repository to 003 and test
+        self.expand(3)
+        self.migrate(3)
+        self.contract(3)
+        password = sqlalchemy.Table('password', self.metadata, autoload=True)
+        # postgresql returns 'TIMESTAMP WITHOUT TIME ZONE'
+        self.assertTrue(
+            str(password.c.created_at.type).startswith('TIMESTAMP'))
+        # upgrade each repository to 004 and test
+        self.expand(4)
+        self.migrate(4)
+        self.contract(4)
+        password = sqlalchemy.Table('password', self.metadata, autoload=True)
+        # type would still be TIMESTAMP with postgresql
+        if self.engine.name == 'postgresql':
+            self.assertTrue(
+                str(password.c.created_at.type).startswith('TIMESTAMP'))
+        else:
+            self.assertEqual('DATETIME', str(password.c.created_at.type))
+        self.assertFalse(password.c.created_at.nullable)
+
 
 class MySQLOpportunisticFullMigration(FullMigration):
     FIXTURE = test_base.MySQLOpportunisticFixture

tox.ini

@@ -5,7 +5,7 @@ envlist = py34,py27,pep8,api-ref,docs,genconfig,releasenotes
 
 [testenv]
 usedevelop = True
-install_command = pip install -c{env:UPPER_CONSTRAINTS_FILE:https://git.openstack.org/cgit/openstack/requirements/plain/upper-constraints.txt} {opts} {packages}
+install_command = pip install -c{env:UPPER_CONSTRAINTS_FILE:https://git.openstack.org/cgit/openstack/requirements/plain/upper-constraints.txt?h=stable/newton} {opts} {packages}
 setenv = VIRTUAL_ENV={envdir}
 deps = -r{toxinidir}/test-requirements.txt
        .[ldap,memcache,mongodb]