Commit message  Author  Age  Files  Lines
* Merge "SQLAlchemy Change to support more strict dialect checking"  feature/key-dist  Jenkins  2014-03-03  1  -2/+2
|\
| * SQLAlchemy Change to support more strict dialect checking  Morgan Fainberg  2014-03-01  1  -2/+2
| |   Update a couple DELETE operations within the test_sql_upgrade test case to support the more strict dialect checking that occurs in 0.9.3 of SQLAlchemy for "additional arguments".
| |   Closes-Bug: #1286717
| |   Change-Id: I82b57257a8b49d798d813c65e76757021676ba90
* | Merge "Remove the un-used and non-maintained PAM identity backend"  Jenkins  2014-03-03  2  -220/+0
|\ \
| * | Remove the un-used and non-maintained PAM identity backend  Morgan Fainberg  2014-03-02  2  -220/+0
| | |   The PAM identity backend has not been maintained nor could it have functioned since (at least) the grizzly release of OpenStack as the signatures of the authenticate method (among other methods) do not match the required signature for the rest of Keystone to utilize it.
| | |   With the code bit-rotting and unusable for over two releases it appears that we could re-evaluate the need for a PAM backend and implement an auth-plugin that would provide the same basic auth functionality if there is a demand for it.
| | |   Change-Id: I667aa34e252588e7cc840ef765c5f65ebd7d5b62
* | | Merge "deprecate XML support in favor of JSON"  Jenkins  2014-03-03  1  -0/+9
|\ \ \
| * | | deprecate XML support in favor of JSON  Dolph Mathews  2014-03-01  1  -0/+9
| | | |   Change-Id: I365261b4666c4dbe21218a2bb421273b5bdcdbb8
| | | |   Implements: bp deprecated-as-of-icehouse
* | | | Merge "Fix assertEqual arguments order(_ldap_tls_livetest, backend_kvs, etc)"  Jenkins  2014-03-03  3  -33/+32
|\ \ \ \
| * | | | Fix assertEqual arguments order(_ldap_tls_livetest, backend_kvs, etc)  Haiwei Xu  2014-02-25  3  -33/+32
| | | | |   assertEqual method's arguments should be in ('expected', 'actual') order.
| | | | |   Partial-Bug: #1277104
| | | | |   Change-Id: I48d2220ebd39d72de071a4644b75182941bb5f4f
* | | | | Merge "Remove unused variable"  Jenkins  2014-03-03  1  -6/+0
|\ \ \ \ \
| * | | | | Remove unused variable  KIYOHIRO ADACHI  2014-02-28  1  -6/+0
| | | | | |   o keystone/common/wsgi.py:_RE_PASS = re.compile(r'([\'"].*?password[\'"]\s*:\s*u?[\'"]).*?([\'"])',
| | | | | |   This variable was removed in the following commit.
| | | | | |   commit d910f1ff593dbd66f5643901142f390d0de73bdc
| | | | | |   Author: Brant Knudson <bknudson@us.ibm.com>
| | | | | |   Date: Mon Dec 16 19:49:52 2013 -0600
| | | | | |   Switch to oslo-incubator mask_password
| | | | | |   Change-Id: I6236bdb34cfcddcb338bb066450f4e89c5447e24
* | | | | | Merge "Replace assertEqual(None, *) with assertIsNone in tests"  Jenkins  2014-03-03  1  -1/+1
|\ \ \ \ \ \
| * | | | | | Replace assertEqual(None, *) with assertIsNone in tests  lvdongbing  2014-02-25  1  -1/+1
| | | | | | |   Replace assertEqual(None, *) with assertIsNone in keystone's tests to have more clear messages in case of failure.
| | | | | | |   Closes-Bug: #1280522
| | | | | | |   Change-Id: I5a857fcb3bfebc6ff14871df6b2cd1dee44596b2
* | | | | | | Merge "Remove "test-only" pam config options"  Jenkins  2014-03-03  5  -25/+9
|\ \ \ \ \ \ \
| | |_|_|_|/ /
| |/| | | | |
| * | | | | | Remove "test-only" pam config options  Morgan Fainberg  2014-03-01  5  -25/+9
| | |_|_|_|/
| |/| | | |
| | | | | |   Remove the "pam" configuration options that were only ever used for testing purposes. Removes the test config file "backend_pam.conf" by moving test_backend_pam.py to utilize proper configuration fixture for identity driver. Since we no longer need the "pam.user" and "pam.password" config options.
| | | | | |   DocImpact
| | | | | |   Related-Bug: #1229941
| | | | | |   Change-Id: I3759ff7974948432900e3a73f3d87e5eed6e9828
* | | | | | Merge "Fix assertEqual arguments order(backend_ldap, cache, v3_protection)"  Jenkins  2014-03-02  3  -49/+49
|\ \ \ \ \ \
| * | | | | | Fix assertEqual arguments order(backend_ldap, cache, v3_protection)  Haiwei Xu  2014-02-25  3  -49/+49
| | |_|_|/ /
| |/| | | |
| | | | | |   assertEqual method's arguments should be in ('expected', 'actual') order.
| | | | | |   Partial-Bug: #1277104
| | | | | |   Change-Id: I311590525bfebd3c587af6a94f6989df66dc2064
* | | | | | Merge "Remove paste_deploy from test_overrides.conf"  Jenkins  2014-03-02  1  -3/+0
|\ \ \ \ \ \
| * | | | | | Remove paste_deploy from test_overrides.conf  Brant Knudson  2014-03-01  1  -3/+0
| | |/ / / /
| |/| | | |
| | | | | |   There's a default for paste_deploy, so it doesn't have to be set in test_overrides.conf.
| | | | | |   Change-Id: I6316eb113efbd16de91e16a3f5974005989d7dd8
* | | | | | Merge "add policy entries for /v3/regions"  Jenkins  2014-03-02  4  -17/+90
|\ \ \ \ \ \
| * | | | | | add policy entries for /v3/regions  Dolph Mathews  2014-02-17  4  -17/+90
| | | | | | |   This adds entries to policy.json for v3 region CRUD including a refactor around the create_region* methods such that there only needs to be one entry in policy.json for both API methods (POST /v3/regions and PUT /v3/regions/{region_id} are both enforced by 'identity:create_region').
| | | | | | |   This also corrects the HTTP response code on create_region (from 200 OK to 201 Created) by explicitly setting it and makes the tests a bit more dynamic.
| | | | | | |   Closes-Bug: 1272496
| | | | | | |   Closes-Bug: 1272501
| | | | | | |   Change-Id: Icaa9b005788b50342d5fdb334055f5fad25436d9
* | | | | | | Imported Translations from Transifex  OpenStack Jenkins  2014-03-02  62  -48091/+66834
| |/ / / / /
|/| | | | |
| | | | | |   Change-Id: I6e618cf7535a6fa3464a533a659307beffe6fa27
* | | | | | Fix get project users when no user exists  Brant Knudson  2014-03-01  2  -12/+22
| |_|_|_|/
|/| | | |
| | | | |   The server would respond with a 404 Not Found if the client requested a list of the users with a role on the project and any of the users didn't exist in the identity backend. The user may not exist because the server doesn't enforce that users exist when granting roles (because of federation, the users may not exist in the identity backend).
| | | | |   It's inappropriate to respond with a 404 Not Found for the /v2.0/tenants/{tenant_id}/users resource because the resource actually does exist. The server will now respond with a 200 OK and will just not include users that don't exist.
| | | | |   bp no-check-id
| | | | |   Change-Id: Idf95836bf54470d91032d2c3ace970ca471cf25d
* | | | | Merge "oauth1 extension migration fails with DB2"  Jenkins  2014-03-01  1  -3/+4
|\ \ \ \ \
| * | | | | oauth1 extension migration fails with DB2  Brant Knudson  2014-02-25  1  -3/+4
| | | | | |   Running keystone-manage db_sync --extension oauth1 would fail when using DB2 with an error that the REQUESTED_ROLES column isn't defined on the REQUEST_TOKEN table.
| | | | | |   This problem is worked around by dropping the NULL constraint first and then renaming the column.
| | | | | |   Change-Id: I58438cad4d645c553da5710455e8a219b8fd3014
| | | | | |   Closes-Bug: #1284740
* | | | | | Merge "Implement V3 Specific Version of EC2 Contrib"  Jenkins  2014-03-01  7  -59/+242
|\ \ \ \ \ \
| * | | | | | Implement V3 Specific Version of EC2 Contrib  Morgan Fainberg  2014-02-27  7  -59/+242
| | |_|_|_|/
| |/| | | |
| | | | | |   Implement an EC2 Controller that returns a V3 token when invoked via the V3 pipeline.
| | | | | |   Moved all code except the `authenticate` method into a common base class mixin. `authenticate()` has become an abstract method. Shared code from `authenticate()` was moved into `_authenticate()`.
| | | | | |   V3 specific router definition added that makes use of the new V3 specific controller.
| | | | | |   For upgrade purposes:
| | | | | |   * The paste.ini for keystone will need to be modified to include the new V3 ec2credentials in the pipeline as is documented in the updated sample paste.ini.
| | | | | |   * Policy.json updated to provide rules for the new V3 EC2credential CRUD as shown in the updated sample policy.json and policy.v3cloudsample.json
| | | | | |   For authentication that occurs via the V3 ec2credential system, the response auth_method (encoded in the token) will be "ec2credential". This should have no impact on using or consuming the token itself but can be used to identify if the token was issued via the Ec2ControllerV3.authenticate method.
| | | | | |   The V2 version of ec2credential controller has been marked as deprecated to keep in line with the rest of the V2 API being deprecated (slated for removal in K).
| | | | | |   DocImpact
| | | | | |   UpgradeImpact
| | | | | |   Change-Id: Iaf1e05a1beef481385c6eb19d7f54cdc84b5b5df
| | | | | |   Closes-Bug: #1269947
| | | | | |   bp: deprecated-as-of-icehouse
* | | | | | Merge "Support authentication via SAML 2.0 assertions"  Jenkins  2014-03-01  19  -19/+1026
|\ \ \ \ \ \
| * | | | | | Support authentication via SAML 2.0 assertions  Marek Denis  2014-02-27  19  -19/+1026
| | |_|_|_|/
| |/| | | |
| | | | | |   This patch will support authentication via SAML 2.0 assertions. A new authentication plugin will allow external users to authenticate with keystone, provided the incoming assertion is valid.
| | | | | |   The file keystone/contrib/federation/controllers.py was extended with two new controllers.V3Controller classes:
| | | | | |   *) DomainV3 which handles /v3/OS-FEDERATION/domains API call and returns list of domains a user can access based on the provided list of groups.
| | | | | |   *) ProjectV3 which handles /v3/OS-FEDERATION/projects API call and returns list of projects a user can access based on the provided list of groups.
| | | | | |   Change-Id: I89f70e3a24e825e21580772c088c6fd5c44f3b63
| | | | | |   Implements: blueprint saml-id
* | | | | | Merge "Fix the order of assertEqual arguments(v3_auth, v3_identity)"  Jenkins  2014-02-28  2  -47/+47
|\ \ \ \ \ \
| * | | | | | Fix the order of assertEqual arguments(v3_auth, v3_identity)  Haiwei Xu  2014-02-25  2  -47/+47
| | |_|_|_|/
| |/| | | |
| | | | | |   assertEqual method's arguments should be in ('expected', 'actual') order.
| | | | | |   Change-Id: I771c0356518eceded52b045cba2177ab5dd7f4b1
| | | | | |   Partial-Bug: #1277104
* | | | | | Merge "Fix table name typo in test_sql_upgrade"  Jenkins  2014-02-28  1  -1/+1
|\ \ \ \ \ \
| |_|_|/ / /
|/| | | | |
| * | | | | Fix table name typo in test_sql_upgrade  Brant Knudson  2014-02-26  1  -1/+1
| | | | | |   There was an assertion that group_domain__metadata didn't exist. The table is called group_domain_metadata so this wasn't asserting anything useful.
| | | | | |   Change-Id: I27e64a2d29ad51b24d42f2dfc9c2143506917410
* | | | | | Merge "Cleanup and add more config help strings"  Jenkins  2014-02-27  2  -287/+382
|\ \ \ \ \ \
| * | | | | | Cleanup and add more config help strings  Morgan Fainberg  2014-02-27  2  -287/+382
| | | | | | |   Cleanup and add expanded helpstrings for the auto generated sample config.
| | | | | | |   Change-Id: I2106d8efee9934e6a48e5d0184c5a63754816a74
* | | | | | | Merge "Ensure v2 API only returns projects in the default domain"  Jenkins  2014-02-27  2  -10/+35
|\ \ \ \ \ \ \
| |_|/ / / / /
|/| | | | | |
| * | | | | | Ensure v2 API only returns projects in the default domain  Henry Nash  2014-02-26  2  -10/+35
| | | | | | |   The assignment backend already has a call ready and waiting for this, so it is just a matter of calling it.
| | | | | | |   Fixes bug 1276244
| | | | | | |   Change-Id: Ibff49202c8ca17df0344e48813916936edd3aa62
* | | | | | | Merge "Fix issue with DB upgrade to assignment table"  Jenkins  2014-02-27  2  -1/+8
|\ \ \ \ \ \ \
| |_|/ / / / /
|/| | | | | |
| * | | | | | Fix issue with DB upgrade to assignment table  Henry Nash  2014-02-26  2  -1/+8
| | | | | | |   There are two changes:
| | | | | | |   - Commit changes to the grant tables after each update to ensure MySQL doesn't get confused when there are multiple assignments for a given actor/target (Postgresql doesn't have this issue)
| | | | | | |   - Close any sessions in test_sql_upgrade before we call the migrations, to ensure table dropping won't be blocked
| | | | | | |   Fixes bug 1284700
| | | | | | |   Change-Id: I81704b17ea9c11be926018df125fcfdb79ee6271
* | | | | | | Support for mongo as dogpile cache backend.  Arun Kant  2014-02-26  6  -0/+1348
| |/ / / / /
|/| | | | |
| | | | | |   With this new optional caching backend, MongoDB can be used for caching data.
| | | | | |   Change-Id: I25ba1cac9456d5e125a5eac99d42330507d4e329
| | | | | |   Blueprint: mongodb-dogpile-caching-backend
* | | | | | Merge "Remove duplicated cms file"  Jenkins  2014-02-26  7  -178/+61
|\ \ \ \ \ \
| |/ / / / /
|/| | | | |
| * | | | | Remove duplicated cms file  Adam Young  2014-02-25  7  -178/+61
| | |_|/ /
| |/| | |
| | | | |   Co-Authored-By: David Stanek (dstanek@dstanek.com)
| | | | |   Until recently, the Unit tests for the Keystone client meant that we could not use the most recent version of the client code inside the server. That led to code duplication between client and server for new features. Now, we are only running unit tests against the master branch of the client. More and more common code can be moved to the client without duplication.
| | | | |   cms was duplicated between the server and client. Use the version from the client.
| | | | |   Tests for error handling problems in cms
| | | | |   Change-Id: Ieed0ba29f55216c5a6819bab7d9b862f2aebbeb0
* | | | | Merge "Unimplemented error on V3 get token"  Jenkins  2014-02-25  3  -1/+31
|\ \ \ \ \
| |/ / / /
|/| | | |
| * | | | Unimplemented error on V3 get token  Marcos Lobo  2014-02-25  3  -1/+31
| | | | |   Configuring keystone on V3 with LDAP configured for Assignment and Identity. When you try to obtain the token (using CURL ie), the keystone server raises an unimplemented exception. You can see how to reproduce this on the description's bug.
| | | | |   This is caused because, when you make logging on keystone it assigns to the validate user the 'default' domain (that's because LDAP is single-domain backend). In the LDAP backend, one of the functions involved on this workflow is not implemented.
| | | | |   Change-Id: I04faddf888f66978bfe5a330140f8fac9b961a5a
| | | | |   Closes-Bug: #1277463
* | | | | Merge "Remove redundant default value None for dict.get"  Jenkins  2014-02-25  5  -9/+9
|\ \ \ \ \
| * | | | | Remove redundant default value None for dict.get  ZhiQiang Fan  2014-02-24  5  -9/+9
| | | | | |   The default value for dict.get is None, no need to specify again.
| | | | | |   Change-Id: I3c894bb3449551c639094bf020277706000c3d60
* | | | | | Merge "Updated from global requirements"  OpenStack Jenkins  2014-02-25  2  -4/+4
|\ \ \ \ \ \
| |_|/ / / /
|/| | | | |
| * | | | | Updated from global requirements  OpenStack Jenkins  2014-02-25  2  -4/+4
| | | | | |   Change-Id: I8cba8f894f7967bb908fe2443946c28f1803c1d3
* | | | | | Merge "Refactor tests move assertValidErrorResponse"  Jenkins  2014-02-25  2  -3/+11
|\ \ \ \ \ \
| |/ / / / /
|/| | | | |
| * | | | | Refactor tests move assertValidErrorResponse  Brant Knudson  2014-02-04  2  -3/+11
| | | | | |   assertValidErrorResponse wasn't used in the test_catalog module anymore; it's used in the rest module.
| | | | | |   Change-Id: I0442e1e07b6c5693ebed29a57dbe8e070b367c44
* | | | | | Merge "Fix keystone-manage db_version"  Jenkins  2014-02-25  1  -2/+2
|\ \ \ \ \ \