-rw-r--r-- | .zuul.yaml | 6 | ||||
-rw-r--r-- | api-ref/source/v3/roles.inc | 2 | ||||
-rw-r--r-- | keystone/locale/zh_CN/LC_MESSAGES/keystone.po | 18 | ||||
-rw-r--r-- | keystone/tests/unit/token/test_fernet_provider.py | 56 | ||||
-rw-r--r-- | keystone/token/token_formatters.py | 9 | ||||
-rw-r--r-- | releasenotes/notes/bug-1926483-a77ab887e0e7f5c9.yaml | 7 | ||||
-rw-r--r-- | releasenotes/source/locale/en_GB/LC_MESSAGES/releasenotes.po | 96 |
7 files changed, 181 insertions, 13 deletions
diff --git a/.zuul.yaml b/.zuul.yaml index 1ccf8741c..ef9782f4c 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -35,10 +35,12 @@ - job: name: keystone-dsvm-py3-functional-fips parent: keystone-dsvm-py3-functional - nodeset: devstack-single-node-centos-8-stream + nodeset: devstack-single-node-centos-9-stream description: | - Functional testing for a FIPS enabled Centos 8 system + Functional testing for a FIPS enabled Centos 9 system pre-run: playbooks/enable-fips.yaml + vars: + nslookup_target: 'opendev.org' - job: name: keystone-dsvm-functional-federation-opensuse15 diff --git a/api-ref/source/v3/roles.inc b/api-ref/source/v3/roles.inc index 3073e241d..80092ec82 100644 --- a/api-ref/source/v3/roles.inc +++ b/api-ref/source/v3/roles.inc @@ -1002,7 +1002,7 @@ Status Codes .. rest_status_code:: success status.yaml - - 201 + - 204 .. rest_status_code:: error status.yaml diff --git a/keystone/locale/zh_CN/LC_MESSAGES/keystone.po b/keystone/locale/zh_CN/LC_MESSAGES/keystone.po index 8c471382f..cb194dc71 100644 --- a/keystone/locale/zh_CN/LC_MESSAGES/keystone.po +++ b/keystone/locale/zh_CN/LC_MESSAGES/keystone.po 
@@ -11,16 +11,18 @@ # 颜海峰 <yanheven@gmail.com>, 2014 # Andreas Jaeger <jaegerandi@gmail.com>, 2016. #zanata # Eric Lei <1165970798@qq.com>, 2016. #zanata +# Research and Development Center UnitedStack <dev@unitedstack.com>, 2022. #zanata msgid "" msgstr "" "Project-Id-Version: keystone VERSION\n" "Report-Msgid-Bugs-To: https://bugs.launchpad.net/openstack-i18n/\n" -"POT-Creation-Date: 2022-05-20 04:41+0000\n" +"POT-Creation-Date: 2022-07-01 18:11+0000\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" -"PO-Revision-Date: 2016-09-28 03:23+0000\n" -"Last-Translator: Eric Lei <1165970798@qq.com>\n" +"PO-Revision-Date: 2022-06-14 12:29+0000\n" +"Last-Translator: Research and Development Center UnitedStack " +"<dev@unitedstack.com>\n" "Language: zh_CN\n" "Plural-Forms: nplurals=1; plural=0;\n" "Generated-By: Babel 2.0\n" @@ -729,6 +731,14 @@ msgstr "用户类型 %s 不受支持" msgid "You are not authorized to perform the requested action." msgstr "您没有授权完成所请求的操作。" +msgid "" +"You cannot change your password at this time due to password policy " +"disallowing password changes. Please contact your administrator to reset " +"your password." +msgstr "" +"因为密码策略被设置为禁止修改密码,目前您不能更改密码。请联系管理员重置您的密" +"码。" + #, python-format msgid "" "You cannot change your password at this time due to the minimum password " @@ -737,7 +747,7 @@ msgid "" "contact your administrator to reset your password." msgstr "" "没有达到密码最小使用时长,目前您不能更改密码。一旦您修改了密码,在下次可被修" -"改前该密码必须使用%(min_age_days)d天.请在%(days_left)d天后重试,或者联系管理" +"改前该密码必须使用%(min_age_days)d天。请在%(days_left)d天后重试,或者联系管理" "员重置您的密码。" msgid "" diff --git a/keystone/tests/unit/token/test_fernet_provider.py b/keystone/tests/unit/token/test_fernet_provider.py index cc2a49d0b..997b5e6f7 100644 --- a/keystone/tests/unit/token/test_fernet_provider.py +++ b/keystone/tests/unit/token/test_fernet_provider.py 
@@ -17,6 +17,8 @@ import os from unittest import mock import uuid +import fixtures +from oslo_log import log from oslo_utils import timeutils from keystone import auth @@ -26,6 +28,7 @@ from keystone.common import utils import keystone.conf from keystone import exception from keystone.federation import constants as federation_constants +from keystone.models import token_model from keystone.tests import unit from keystone.tests.unit import default_fixtures from keystone.tests.unit import ksfixtures 
@@ -51,6 +54,59 @@ class TestFernetTokenProvider(unit.TestCase):
 self.provider.validate_token, token_id)
+ def test_log_warning_when_token_exceeds_max_token_size_default(self):
+ self.logging = self.useFixture(fixtures.FakeLogger(level=log.INFO))
+
+ token = token_model.TokenModel()
+ token.user_id = '0123456789abcdef0123456789abcdef0123456789abcdef'
+ token.project_id = '0123456789abcdef0123456789abcdef0123456789abcdef'
+ token.expires_at = utils.isotime(
+ provider.default_expire_time(), subsecond=True)
+ token.methods = ['password']
+ token.audit_id = provider.random_urlsafe_str()
+ token_id, issued_at = self.provider.generate_id_and_issued_at(token)
+ expected_output = (
+ f'Fernet token created with length of {len(token_id)} characters, '
+ 'which exceeds 255 characters'
+ )
+ self.assertIn(expected_output, self.logging.output)
+
+ def test_log_warning_when_token_exceeds_max_token_size_override(self):
+ self.logging = self.useFixture(fixtures.FakeLogger(level=log.INFO))
+ self.config_fixture.config(max_token_size=250)
+
+ token = token_model.TokenModel()
+ token.user_id = '0123456789abcdef0123456789abcdef0123456789abcdef'
+ token.project_id = '0123456789abcdef0123456789abcdef0123456789abcdef'
+ token.expires_at = utils.isotime(
+ provider.default_expire_time(), subsecond=True)
+ token.methods = ['password']
+ token.audit_id = provider.random_urlsafe_str()
+ token_id, issued_at = self.provider.generate_id_and_issued_at(token)
+ expected_output = (
+ f'Fernet token created with length of {len(token_id)} characters, '
+ 'which exceeds 250 characters'
+ )
+ self.assertIn(expected_output, self.logging.output)
+
+ def test_no_warning_when_token_does_not_exceed_max_token_size(self):
+ self.config_fixture.config(max_token_size=300)
+ self.logging = self.useFixture(fixtures.FakeLogger(level=log.INFO))
+
+ token = token_model.TokenModel()
+ token.user_id = '0123456789abcdef0123456789abcdef0123456789abcdef'
+ token.project_id = '0123456789abcdef0123456789abcdef0123456789abcdef'
+ token.expires_at = utils.isotime(
+ provider.default_expire_time(), subsecond=True)
+ token.methods = ['password']
+ token.audit_id = provider.random_urlsafe_str()
+ token_id, issued_at = self.provider.generate_id_and_issued_at(token)
+ expected_output = (
+ f'Fernet token created with length of {len(token_id)} characters, '
+ 'which exceeds 255 characters'
+ )
+ self.assertNotIn(expected_output, self.logging.output)
+
 class TestValidate(unit.TestCase):
 def setUp(self):
diff --git a/keystone/token/token_formatters.py b/keystone/token/token_formatters.py
index bb407ab09..76220b0ef 100644
--- a/keystone/token/token_formatters.py
+++ b/keystone/token/token_formatters.py
@@ -156,10 +156,11 @@ class TokenFormatter(object):
 # characters. Even though Keystone isn't storing a Fernet token
 # anywhere, we can't say it isn't being stored somewhere else with
 # those kind of backend constraints.
- if len(token) > 255:
- LOG.info('Fernet token created with length of %d '
- 'characters, which exceeds 255 characters',
- len(token))
+ if len(token) > CONF.max_token_size:
+ LOG.info(
+ f'Fernet token created with length of {len(token)} '
+ f'characters, which exceeds {CONF.max_token_size} characters',
+ )
 return token
diff --git a/releasenotes/notes/bug-1926483-a77ab887e0e7f5c9.yaml b/releasenotes/notes/bug-1926483-a77ab887e0e7f5c9.yaml
new file mode 100644
index 000000000..040811b79
--- /dev/null
+++ b/releasenotes/notes/bug-1926483-a77ab887e0e7f5c9.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+ - |
+ [`bug 1926483 <https://bugs.launchpad.net/keystone/+bug/1926483>`_]
+ Keystone will only log warnings about token length for Fernet tokens when
+ the token length exceeds the value of `keystone.conf [DEFAULT]
+ max_token_size`.
diff --git a/releasenotes/source/locale/en_GB/LC_MESSAGES/releasenotes.po b/releasenotes/source/locale/en_GB/LC_MESSAGES/releasenotes.po
index 150a23c39..713bd7089 100644
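Review bot: test_no_warning_when_token_does_not_exceed_max_token_size only asserts that the 255-specific message is absent, so it would still pass if the generated token exceeded the configured 300 and the formatter logged "exceeds 300 characters"; assert on the threshold-independent prefix instead, `self.assertNotIn('Fernet token created with length of', self.logging.output)`. All three tests bind `issued_at` without using it; `token_id, _ = self.provider.generate_id_and_issued_at(token)` makes that explicit. The first test depends on the unconfigured default of max_token_size being 255, which is only implied by the expected string — a comment such as `# relies on the default [DEFAULT] max_token_size of 255` would make the dependency visible. The 48-character user_id/project_id values are presumably chosen so the Fernet payload is long enough to trip the check, but nothing in the hunk says so; a one-line comment on the fixture values would help the next maintainer.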
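Review bot: The new LOG.info call builds the message eagerly with f-strings, whereas the removed code (and keystone's logging style generally) passes %-args so formatting only happens when INFO is enabled; prefer `LOG.info('Fernet token created with length of %d characters, which exceeds %d characters', len(token), CONF.max_token_size)`. The release note added in this commit describes the message as a warning, but the call stays at LOG.info and the tests capture at log.INFO — either raise it to LOG.warning or adjust the note wording so operators know which level to watch. The comment block above the check (it starts outside the hunk) still justifies a fixed 255-character limit; it should now say the threshold is `[DEFAULT] max_token_size`, e.g. `# The threshold is CONF.max_token_size (default 255) rather than a hard-coded value.` The message correctly reports only the length and never the token itself, which should stay that way.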
--- a/releasenotes/source/locale/en_GB/LC_MESSAGES/releasenotes.po +++ b/releasenotes/source/locale/en_GB/LC_MESSAGES/releasenotes.po @@ -1,15 +1,16 @@ # Andi Chandler <andi@gowling.com>, 2017. #zanata # Andi Chandler <andi@gowling.com>, 2018. #zanata # Andi Chandler <andi@gowling.com>, 2020. #zanata +# Andi Chandler <andi@gowling.com>, 2022. #zanata msgid "" msgstr "" "Project-Id-Version: Keystone Release Notes\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2022-05-20 04:40+0000\n" +"POT-Creation-Date: 2022-07-01 18:09+0000\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" -"PO-Revision-Date: 2020-12-19 01:35+0000\n" +"PO-Revision-Date: 2022-06-20 11:10+0000\n" "Last-Translator: Andi Chandler <andi@gowling.com>\n" "Language-Team: English (United Kingdom)\n" "Language: en_GB\n" @@ -81,6 +82,9 @@ msgstr "13.0.2" msgid "13.0.3" msgstr "13.0.3" +msgid "13.0.4-9" +msgstr "13.0.4-9" + msgid "14.0.0" msgstr "14.0.0" @@ -93,21 +97,51 @@ msgstr "14.1.0" msgid "14.2.0" msgstr "14.2.0" +msgid "14.2.0-7" +msgstr "14.2.0-7" + msgid "15.0.0" msgstr "15.0.0" msgid "15.0.1" msgstr "15.0.1" +msgid "15.0.1-9" +msgstr "15.0.1-9" + msgid "16.0.0" msgstr "16.0.0" msgid "16.0.1" msgstr "16.0.1" +msgid "16.0.2" +msgstr "16.0.2" + msgid "17.0.0" msgstr "17.0.0" +msgid "17.0.1" +msgstr "17.0.1" + +msgid "18.0.0" +msgstr "18.0.0" + +msgid "18.1.0" +msgstr "18.1.0" + +msgid "19.0.0" +msgstr "19.0.0" + +msgid "19.0.0-8" +msgstr "19.0.0-8" + +msgid "20.0.0" +msgstr "20.0.0" + +msgid "21.0.0" +msgstr "21.0.0" + msgid "8.0.1" msgstr "8.0.1" 
@@ -291,6 +325,15 @@ msgstr "" "Certain variables in ``keystone.conf`` now have options, which determine if " "the user's setting is valid." +msgid "" +"Change the min value of pool_retry_max to 1. Setting this value to 0 caused " +"the pool to fail before connecting to ldap, always raising " +"MaxConnectionReachedError." +msgstr "" +"Change the min value of pool_retry_max to 1. Setting this value to 0 caused " +"the pool to fail before connecting to ldap, always raising " +"MaxConnectionReachedError." + msgid "Configuring per-Identity Provider WebSSO is now supported." msgstr "Configuring per-Identity Provider WebSSO is now supported." @@ -457,6 +500,24 @@ msgstr "" "this option is set back to `False`." msgid "" +"If you are affected by this bug, a fix in the keystone database will be " +"needed so we recommend to dump the users' tables before doing this process:" +msgstr "" +"If you are affected by this bug, a fix in the keystone database will be " +"needed so we recommend to dump the users' tables before doing this process:" + +msgid "" +"If you are affected by this bug, you must remove stale role assignments " +"manually. The following is an example SQL statement you can use to fix the " +"issue, but you should verify it's applicability to your deployment's SQL " +"implementation and version." +msgstr "" +"If you are affected by this bug, you must remove stale role assignments " +"manually. The following is an example SQL statement you can use to fix the " +"issue, but you should verify it's applicability to your deployment's SQL " +"implementation and version." + +msgid "" "In ``keystone-paste.ini``, using ``paste.filter_factory`` is deprecated in " "favor of the \"use\" directive, specifying an entrypoint." msgstr "" 
@@ -675,6 +736,9 @@ msgstr "" msgid "Queens Series Release Notes" msgstr "Queens Series Release Notes" +msgid "Rocky Series Release Notes" +msgstr "Rocky Series Release Notes" + msgid "" "Routes and SQL backends for the contrib extensions have been removed, they " "have been incorporated into keystone and are no longer optional. This " @@ -766,6 +830,9 @@ msgstr "" "``validate_token(self, token_ref)``. If using a custom token provider, " "update the custom provider accordingly." +msgid "Stein Series Release Notes" +msgstr "Stein Series Release Notes" + msgid "" "Support for writing to LDAP has been removed. See ``Other Notes`` for more " "details." @@ -1392,6 +1459,9 @@ msgstr "" msgid "Tokens can now be cached when issued." msgstr "Tokens can now be cached when issued." +msgid "Train Series Release Notes" +msgstr "Train Series Release Notes" + msgid "" "UUID token provider ``[token] provider=uuid`` has been deprecated in favor " "of Fernet tokens ``[token] provider=fernet``. With Fernet tokens becoming " @@ -1427,6 +1497,15 @@ msgstr "" "Using the full path to the driver class is deprecated in favour of using the " "entrypoint. In the Mitaka release, the entrypoint must be used." +msgid "Ussuri Series Release Notes" +msgstr "Ussuri Series Release Notes" + +msgid "Victoria Series Release Notes" +msgstr "Victoria Series Release Notes" + +msgid "Wallaby Series Release Notes" +msgstr "Wallaby Series Release Notes" + msgid "" "We have added the ``password_expires_at`` attribute to the user response " "object." 
@@ -1448,6 +1527,12 @@ msgstr "" "Write support for the LDAP has been removed in favour of read-only support. " "The following operations are no longer supported for LDAP:" +msgid "Xena Series Release Notes" +msgstr "Xena Series Release Notes" + +msgid "Yoga Series Release Notes" +msgstr "Yoga Series Release Notes" + msgid "" "[`Bug 1645487 <https://bugs.launchpad.net/keystone/+bug/1645487>`_] Added a " "new PCI-DSS feature that will require users to immediately change their " @@ -1786,6 +1871,13 @@ msgstr "lt - password expires before the timestamp" msgid "lte - password expires at or before timestamp" msgstr "lte - password expires at or before timestamp" +msgid "" +"mysqldump -h <mysql host> -p -P <mysql port> -u keystone keystone " +"federated_user local_user user > user_tables.sql" +msgstr "" +"mysqldump -h <mysql host> -p -P <mysql port> -u keystone keystone " +"federated_user local_user user > user_tables.sql" + msgid "neq - password expires not at the timestamp" msgstr "neq - password expires not at the timestamp" |