Commit log (stable/queens). Each entry: title, ref decorations in brackets, then (author, date, files changed, -deleted/+added lines), followed by the commit message.
* Merge "Retry update_user when sqlalchemy raises StaleDataErrors" into stable/queens  [queens-eol]  (Zuul, 2021-10-01, 3 files, -0/+51)

* Retry update_user when sqlalchemy raises StaleDataErrors  (Lance Bragstad, 2021-09-21, 3 files, -0/+51)

  Keystone's update_user() method in the SQL driver processes a lot of information about how to update users. This includes evaluating password logic and authentication attempts for PCI-DSS. This logic is evaluated after keystone pulls the user record from SQL and before it exits the context manager, which performs the write.

  When multiple clients are all updating the same user reference, it's more likely they will see an HTTP 500 because of race conditions exiting the context manager. The HTTP 500 is due to stale data when updating password expiration for old passwords, which happens when setting a new password for a user.

  This commit attempts to handle that case more gracefully than throwing a 500 by detecting StaleDataErrors from sqlalchemy and retrying. The identity sql backend will retry the request for clients that have stale data change from underneath them.

  Conflicts:
    keystone/tests/unit/test_backend_sql.py
  due to import order differences between train and ussuri. Also adjust the expected log message since the method path is different compared to older releases, which have the driver name in them (e.g., Identity).

  Change-Id: I75590c20e90170ed862f46f0de7d61c7810b5c90
  Closes-Bug: 1885753
  (cherry picked from commit ceae3566e83b26fd6a1679154eae9b0cef29da64)
  (cherry picked from commit f47e635b8041542faa05e64606e66d2fbbc5f284)
  (cherry picked from commit 5b7d4c80d484262018f937083050844648f07a11)
  (cherry picked from commit 07d3a3d3ff534a5295842d4f236042b30536cd82)
  (cherry picked from commit d4f48fc4e53f71d653e133104854f064fbb1b25f)
  (cherry picked from commit 328cf33aab61775301adbb4c1f6abaa2f331cd94)
  (cherry picked from commit f36034c8a6530b16f6b6eb88ee97f540c974ba00)
  (cherry picked from commit e828c6e3bb944721be26443f58074e096d96a651)
* Pin keystone-tempest-plugin for py27 compatibility  [stable/queens]  (Ghanshyam Mann, 2021-08-25, 1 file, -3/+6)

  Keystone-tempest-plugin or the tempest master version cannot be used for the old stable rocky branches, which are in EM state. We have pinned the Tempest version also in devstack, but tempest plugin versions need to be pinned on the job side.

  This commit uses the py27 compatible version keystone-tempest-plugin 0.3.0 for the job running on stable/rocky to continue the testing.

  Closes-Bug: #1928650
  Change-Id: I67ce58f178873bc1bcbe70bb6545cacc9c93be2a
* Filter by entity_type in get_domain_mapping_list  (Pavlo Shchelokovskyy, 2020-11-10, 5 files, -45/+59)

  With many users and groups in a domain, fetching all mappings (for both users and groups) may become inefficient.

  In an environment with approx 125k users and 150 groups in the mapping table and SAML2+LDAP auth/backend, this patch reduced the time for the first (uncached) 'openstack token issue' command from 12 to 3 seconds. Similar improvements were seen with time to login to Horizon as well.

  Change-Id: Iccbef534ff7e723f8b1461bb1169e2da66cc1dea
  Closes-Bug: #1775207
  (cherry picked from commit 4abd9926ab7fb79bbe86a22657a2474790a8fcb8)
* Add cadf auditing to credentials  (Nathan Oyler, 2020-05-27, 3 files, -3/+26)

  Added audit logging to credentials.

  This backport is a bit different than the original patch, since we don't have the "adds caching of credentials" patch found in commit 479a2a0afaeb505c371ee97a1f2fbc1b11e3cef1 and we were not able to backport it. Also, since there was no flask support on stable/queens, we needed to backport the audit initiator on keystone/api/credentials.py.

  stable/rocky: https://review.opendev.org/#/c/711547
  stable/stein: https://review.opendev.org/#/c/711545
  master: https://review.opendev.org/#/c/664618

  Change-Id: I028a86f44e049bcc7c54e844bfc91aa0b11cd541
  (cherry picked from commit abf5cb6a55b78afceade692dceba7542e06736b4)
* Fix security issues with EC2 credentials  (Colleen Murphy, 2020-05-14, 9 files, -71/+707)

  This change addresses several issues in the creation and use of EC2/S3 credentials with keystone tokens.

  1. Disable altering credential owner attributes or metadata

  Without this patch, an authenticated user can create an EC2 credential for themself for a project they have a role on, then update the credential to target a user and project completely unrelated to them. In the worst case, this could be the admin user and a project the admin user has a role assignment on. A token granted for an altered credential like this would allow the user to masquerade as the victim user. This patch ensures that when updating a credential, the new form of the credential is one the acting user has access to: if the system admin user is changing the credential, the new user ID or project ID could be anything, but regular users may only change the credential to be one that they still own.

  Relatedly, when a user uses an application credential or a trust to create an EC2 credential, keystone automatically adds the trust ID or application credential ID as metadata in the EC2 access blob so that it knows how the token can be scoped when it is used. Without this patch, a user who has created a credential in this way can update the access blob to remove or alter this metadata and escalate their privileges to be fully authorized for the trustor's, application credential creator's, or OAuth1 access token authorizor's privileges on the project. This patch fixes the issue by simply disallowing updates to keystone-controlled metadata in the credential.

  2. Respect token roles when creating EC2 credentials

  Without this patch, a trustee, an application credential user, or an OAuth1 access token holder could create an EC2 credential or an application credential using any roles the trustor, application credential creator, or access token authorizor had on the project, regardless of whether the creator had delegated only a limited subset of roles. This was because the trust_id attribute of the EC2 access blob was ignored, and no metadata for the application credential or access token was recorded either. This change ensures that the access delegation resource is recorded in the metadata of the EC2 credential when created and passed to the token provider when used for authentication so that the token provider can look up the correct roles for the request.

  Conflicts (six removal in e2d83ae9, pep8 fixes in e2d83ae9):
    keystone/api/credentials.py
    keystone/tests/unit/test_v3_application_credential.py
    keystone/tests/unit/test_v3_credential.py

  Conflicts due to flask reorg:
    keystone/api/_shared/EC2_S3_Resource.py
    keystone/api/credentials.py
    keystone/api/users.py
    keystone/tests/unit/test_v3_credential.py

  Conflicts due to token provider refactor between Queens and Rocky. Also conflicted due to changing method signature for _authenticate().
    keystone/credential/controllers.py
    keystone/contrib/ec2/controllers.py
    keystone/application_credential/controllers.py
    keystone/token/providers/common.py

  Moved the test_update_credential_non_owner unit test to CredentialSelfServiceTestCase since in this branch the default policies are not affected by #1872733.

  Change-Id: I39d0d705839fbe31ac518ac9a82959e108cb7c1d
  Closes-bug: #1872733
  Closes-bug: #1872755
  Closes-bug: #1872735
  (cherry picked from commit 37e9907a176dad6843819b1bec4946c3aecc4548)
  (cherry picked from commit 2f2736ebb267c757ad77fcf25ee0aaeefab2a09d)
  (cherry picked from commit 27caafe3daa552663719954f2cd6713dd4493178)
  (cherry picked from commit bfba75fc3c5c8f119f74dbf31347e008824a2134)
  (cherry picked from commit 53d1ccb8a1bdbb5aa0efaacf9739b1a6f436e191)
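The two update rules from item 1 of the commit message above, written out as a self-contained authorization check. This is an added example and not keystone's code: the credential and actor data model, the role lookup passed in as a dict, and the function names are assumptions; the three protected blob keys are the delegation resources the commit lists (trust, application credential, OAuth1 access token).

```python
import json

# Added example (not keystone's code). Rule 1: a non-system-admin may only re-point a
# credential at their own user ID and at a project they hold a role on. Rule 2: the
# keystone-controlled keys in an EC2 access blob cannot be changed or removed through
# an update, by anyone. Data model, role lookup and names are assumptions.

PROTECTED_BLOB_KEYS = ("trust_id", "app_cred_id", "access_token_id")


class Forbidden(Exception):
    """The actor may not apply this update."""


def _blob(credential):
    """EC2 credentials keep their metadata in a JSON 'blob' column stored as text."""
    return json.loads(credential.get("blob") or "{}")


def authorize_credential_update(actor, current, update, roles_on_projects):
    """Return the credential as it would look after `update`, or raise Forbidden.

    actor:             {"user_id": ..., "system_admin": bool}
    current:           the stored credential, e.g. {"id", "user_id", "project_id", "type", "blob"}
    update:            the subset of attributes the request wants to change
    roles_on_projects: {user_id: set of project_ids}, a stand-in for the assignment API
    """
    new_user = update.get("user_id", current["user_id"])
    new_project = update.get("project_id", current.get("project_id"))

    # Rule 1: the credential's new form must still belong to the actor, unless the
    # actor is a system admin, who may move it anywhere.
    if not actor.get("system_admin"):
        if new_user != actor["user_id"]:
            raise Forbidden("credential may not be re-pointed at another user")
        if new_project is not None and new_project not in roles_on_projects.get(actor["user_id"], set()):
            raise Forbidden("actor has no role assignment on project %s" % new_project)

    # Rule 2: delegation metadata in an EC2 blob is written by keystone, so any difference
    # between the stored and submitted value (removed, added or changed key) is rejected.
    if current.get("type") == "ec2" and "blob" in update:
        old_blob, new_blob = _blob(current), _blob(update)
        for key in PROTECTED_BLOB_KEYS:
            if old_blob.get(key) != new_blob.get(key):
                raise Forbidden("%s is keystone-controlled and cannot be changed" % key)

    merged = dict(current)
    merged.update(update)
    return merged


def may_update(actor, current, update, roles_on_projects):
    """Boolean form of authorize_credential_update for callers that don't want exceptions."""
    try:
        authorize_credential_update(actor, current, update, roles_on_projects)
    except Forbidden:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample data: alice owns an EC2 credential created through trust t1.
    alice = {"user_id": "alice", "system_admin": False}
    roles = {"alice": {"proj-a", "proj-b"}}
    cred = {"id": "c1", "user_id": "alice", "project_id": "proj-a", "type": "ec2",
            "blob": json.dumps({"access": "AK", "secret": "SK", "trust_id": "t1"})}
    print(may_update(alice, cred, {"project_id": "proj-b"}, roles))          # own project: allowed
    print(may_update(alice, cred, {"user_id": "admin"}, roles))              # other user: denied
    print(may_update(alice, cred, {"blob": json.dumps({"access": "AK", "secret": "SK"})}, roles))  # drops trust_id: denied
```

The blob comparison deliberately compares the stored value with the submitted one key by key rather than checking whether the key is present, so that silently dropping trust_id is caught the same way as replacing it.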
* Ensure OAuth1 authorized roles are respected  (Colleen Murphy, 2020-05-14, 1 file, -0/+13)

  Without this patch, when an OAuth1 request token is authorized with a limited set of roles, the roles for the access token are ignored when the user uses it to request a keystone token. This means that the user of an access token can use it to escalate their role assignments beyond what was authorized by the creator. This patch fixes the issue by ensuring the token model accounts for an OAuth1-scoped token and correctly populating the roles for it.

  Modified to work with older test helper function:
    keystone/tests/unit/test_v3_oauth1.py

  Conflicts:
    keystone/models/token_model.py

  The keystone token model was refactored in the Rocky release. This commit only backports the test so that we have test coverage against the bug and proves there wasn't a regression in Queens. As such, the code changes to token_model.py (where the bug was introduced) are not applicable to Queens.

    releasenotes/notes/bug-1873290-ff7f8e4cee15b75a.yaml

  Removed the release note since there isn't anything to signal to operators regarding a vulnerability. We're only adding test coverage to prove that stable/queens isn't vulnerable.

  Change-Id: I02f9836fbd4d7e629653977fc341476cfd89859e
  Closes-bug: #1873290
  (cherry picked from commit 6c73690f779a42a5c62914b6bc37f0ac2f41a3e3)
  (cherry picked from commit ba89d27793c2d3a26ad95642660fa9bd820ed3be)
  (cherry picked from commit 5ff52dbaa2082991d229d8557a8e4b65256d6c53)
  (cherry picked from commit 2483a578a80a916d9f5acd672d85830385b236e2)
  (cherry picked from commit 10bc689a6796f85c44d19e0c18f0e37b0a87474c)
* Check timestamp of signed EC2 token request  (Colleen Murphy, 2020-05-11, 4 files, -5/+274)

  EC2 token requests contain a signature that signs the entire request, including the access timestamp. While the signature is checked, the timestamp is not, and so these signed requests remain valid indefinitely, leaving the token API vulnerable to replay attacks. This change introduces a configurable TTL for signed token requests and ensures that the timestamp is actually validated against it. The check will work for either an AWS Signature v1/v2 'Timestamp' parameter[1] or the AWS Signature v4 'X-Aws-Date' header or parameter[2].

  Although this technically adds a new feature and the default value of the feature changes behavior, this change is required to protect credential holders and therefore must be backported to all supported branches.

  [1] https://docs.aws.amazon.com/general/latest/gr/signature-version-2.html
  [2] https://docs.aws.amazon.com/general/latest/gr/sigv4-date-handling.html

  Conflicts due to six removal in e2d83ae9:
    keystone/api/_shared/EC2_S3_Resource.py
    keystone/tests/unit/test_contrib_ec2_core.py

  Conflicts due to v2.0 API testing in stable/queens. The v2.0 tests were removed in Rocky but in earlier releases we tested similar functionality between v3 and v2.0. This conflict was resolved by porting the timestamp to the v2.0 API test:
    keystone/tests/unit/test_contrib_ec2_core.py

  Conflicts due to flask reorg:
    keystone/api/_shared/EC2_S3_Resource.py

  Change-Id: Idb10267338b4204b435df233c636046a1ce5711f
  Closes-bug: #1872737
  (cherry picked from commit ab89ea749013e7f2c46260f68504f5687763e019)
  (cherry picked from commit 8d5becbe4b463f6a5a24a1929dd0f48dab6ae027)
  (cherry picked from commit e3f65d6fbcd18032a8ad3dfa3aaded264a282158)
  (cherry picked from commit 1ef3828516c1b87a8ca84acca73ec593b0b8591d)
  (cherry picked from commit 35f09e2b7c00e03cd1d52a2337b51be38dd79480)
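The timestamp check the commit above describes, as an added example rather than keystone's own implementation. It accepts the Signature v1/v2 'Timestamp' query parameter or the Signature v4 date value (sent as the X-Amz-Date header or parameter in AWS's documentation), parses it as UTC, and rejects a request signed more than the TTL ago as a replay; it also rejects a timestamp more than the TTL in the future so a client cannot pre-sign requests. The function names, the TTL passed in, and the symmetric skew rule are assumptions.

```python
import datetime as dt

# Added example (not keystone's code): validate the signing timestamp carried by an
# EC2/S3-style signed request against a TTL. Function names, TTL and the rule that a
# future-dated timestamp is rejected beyond the same TTL are assumptions.

SIGV2_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ")  # ISO 8601, UTC
SIGV4_FORMAT = "%Y%m%dT%H%M%SZ"                                   # basic ISO 8601 used by X-Amz-Date


class InvalidTimestamp(Exception):
    """The signed request carries a missing, malformed or out-of-window timestamp."""


def parse_signing_time(params, headers):
    """Return the signing time as an aware UTC datetime, or raise InvalidTimestamp."""
    lowered = {k.lower(): v for k, v in headers.items()}  # HTTP header names are case-insensitive
    raw = params.get("Timestamp")
    formats = SIGV2_FORMATS
    if raw is None:
        raw = params.get("X-Amz-Date") or lowered.get("x-amz-date")
        formats = (SIGV4_FORMAT,)
    if raw is None:
        raise InvalidTimestamp("signed request carries no timestamp")
    for fmt in formats:
        try:
            return dt.datetime.strptime(raw, fmt).replace(tzinfo=dt.timezone.utc)
        except ValueError:
            continue
    raise InvalidTimestamp("unparseable timestamp %r" % (raw,))


def check_request_timestamp(params, headers, ttl_seconds, now=None):
    """Accept the request only if it was signed within ttl_seconds of now.

    Older than the TTL: treated as a replay of a captured request. More than the TTL in
    the future: rejected too, otherwise a client could mint requests that become valid later.
    """
    now = now or dt.datetime.now(dt.timezone.utc)
    signed_at = parse_signing_time(params, headers)
    age = (now - signed_at).total_seconds()
    if age > ttl_seconds:
        raise InvalidTimestamp("signed request is %d s old, TTL is %d s" % (age, ttl_seconds))
    if age < -ttl_seconds:
        raise InvalidTimestamp("signed request timestamp is in the future")
    return True


def is_fresh(params, headers, ttl_seconds, now=None):
    """Boolean wrapper around check_request_timestamp for callers that don't want exceptions."""
    try:
        return check_request_timestamp(params, headers, ttl_seconds, now)
    except InvalidTimestamp:
        return False


if __name__ == "__main__":
    # Constructed sample: a SigV2-style query signed five minutes ago passes a 300 s TTL;
    # the same request replayed an hour later does not.
    signed = dt.datetime(2020, 5, 11, 12, 0, tzinfo=dt.timezone.utc)
    query = {"Timestamp": "2020-05-11T12:00:00Z", "SignatureVersion": "2"}
    print(is_fresh(query, {}, 300, now=signed + dt.timedelta(minutes=5)))
    print(is_fresh(query, {}, 300, now=signed + dt.timedelta(hours=1)))
```

The timestamp must be part of the signed string for this to help: an attacker who can rewrite the timestamp without invalidating the signature could refresh a captured request indefinitely, which is why the commit stresses that the signature already covers it and only the validation was missing.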
* Ensure bootstrap handles multiple roles with the same name  (Lance Bragstad, 2020-03-06, 3 files, -0/+37)

  The bootstrap logic doesn't take into consideration multiple roles with the same name. If bootstrap is unable to determine which role to use and accidentally uses a domain-specific role with the same name as a default role, bootstrap will fail in unexpected ways.

  This change deviates slightly from the upstream patches in that the stable/queens test_cli.py module doesn't have a `self.bootstrap` attribute. Instead, we just test with `bootstrap` in the test itself. Otherwise, the test is functionally the same.

  Conflicts:
    keystone/cmd/bootstrap.py

  Bootstrap code used to live in keystone/cmd/cli.py before it was refactored into its own module, keystone/cmd/bootstrap.py. This caused a conflict during backport, where the file patched in later releases didn't exist. Instead, a functionally equivalent change was proposed to keystone/cmd/cli.py.

  Closes-Bug: 1856881
  Change-Id: Iddc364d8c934b6e54d1e8c75b8b159faadbf865d
  (cherry picked from commit 25cf359e5fb914b855922121f20e23bd14626b8e)
  (cherry picked from commit 51ff7be731450c183b3e3eb6d34493e986cc2635)
  (cherry picked from commit 1ba238e49195890c0232554005d4efa670467694)
  (cherry picked from commit 2e4055e49b519a146902f0cf06740ec43231929b)
* Allow using application credentials through group membership  (Jose Castro Leon, 2019-11-13, 3 files, -9/+51)

  When using role assignment through groups, the user cannot use the application credentials created. This allows looking up the membership by checking inherited and group assignments.

  Conflicts:
    This change conflicts with newer branches because most of the logic in keystone/token/providers/common.py was refactored into keystone/models/token_model.py during the Rocky release. This refactor causes the stable/queens version to diverge from the stable/rocky, stable/stein, and stable/train patches, although it is functionally equivalent to the approach used in later releases.

  Change-Id: If1bf5bd785a494923303265797311d42018ba7af
  Closes-Bug: #1773967
  (cherry picked from commit 14b25bc5d18842210cfffe1afdca475e848b84aa)
  (cherry picked from commit 933ea511d150ed2cbbd4265fc7513a9b3435baa2)
  (cherry picked from commit cf83fc10569e7b52eeb52c0e164dfe36daeec309)
* Revert "Fix python3 compatibility on LDAP search DN from id"  [queens-em, 13.0.4]  (Corey Bryant, 2019-10-30, 1 file, -2/+3)

  This reverts commit 79ed42ee67915383242541329dd5aa186f087ff2, which shouldn't have been backported to stable/queens because the following patch, which switched to bytes_mode=False, doesn't exist in stable/queens: https://review.opendev.org/#/c/613648/.

  Change-Id: I3c0fe74559f1bbf66f717fbaeb1e1dd435e7eb2c
  Closes-Bug: #1850634
* Make system tokens work with domain-specific drivers  [13.0.3]  (Lance Bragstad, 2019-10-22, 3 files, -0/+23)

  When calling certain group or user APIs, keystone logic would attempt to figure out the domain to scope responses to. This was specific to enabling domain-specific driver support, where each domain is backed by a different identity store. This functionality is turned off by default.

  Since system-scoped tokens are not associated to a domain (unlike project-scoped tokens or domain-scoped tokens), the logic to determine a domain from a system-scoped token was breaking and returning an erroneous HTTP 401 Unauthorized when system users attempted to list users or groups.

  This commit adds support for domain detection with system-scoped tokens.

  Conflicts:
    keystone/server/flask/common.py

  This backport has conflicts with keystone/server/flask/common.py due to the ``token_ref`` variable being renamed to ``token``. This conflict is resolved by continuing to use the old name, but the change is functionally equivalent to what was proposed to all other branches.

  This backport modifies the unit test to use the pre-flask-compatible self.admin_request method instead of flask's test_client() context manager.

  Change-Id: I8f0f7a623a1741f461493d872849fae7ef3e8077
  Closes-Bug: 1843609
  (cherry picked from commit 8f43b9cab00c86a455b2a9700b434e98b2e9c2d8)
  (cherry picked from commit 417d2c0e6e6bef39f447681325ae5b0ba46b2e2c)
* Add test case for expanding implied roles in system tokens  (Lance Bragstad, 2019-10-22, 2 files, -0/+49)

  This change is being backported because it provides a helper method in the unit tests that another change relies on.

  If a user has a role assignment on the system, which implies another role assignment, the system-scoped token response should include both role assignments. This patch exposes a bug in the system-scoped token implementation where implied roles aren't expanded out before returning the token response to the user.

  Change-Id: I176bbbda9658a54f6873a4009938f140a5b1a33e
  Related-Bug: 1788694
  (cherry picked from commit 6d7cfdb4ba5b8ce81d656dd22316505af6d382b8)
  (cherry picked from commit 1403a9645d3dca20a681e0ffee3f5ac3a36fe0c6)
* Merge "Add retry for DBDeadlock in credential delete" into stable/queens  (Zuul, 2019-10-19, 3 files, -0/+43)

* Add retry for DBDeadlock in credential delete  (Rabi Mishra, 2019-09-09, 3 files, -0/+43)

  Adds oslo.db retry wrapper to delete_credential_for_user method.

  Change-Id: Ib9e161411f0985785eec46c51d721ef7421ee090
  Closes-Bug: #1840291
  (cherry picked from commit e989bd0637629b0fb15976186b0941fec0f13b25)
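Both this commit and "Retry update_user when sqlalchemy raises StaleDataErrors" at the top of the log apply the same pattern: wrap a read-modify-write in a bounded retry on the exception the database raises when another client got there first. The following is an added example and not keystone's or oslo.db's code. It shows the pattern against an in-memory table that uses a version column for optimistic concurrency; StaleDataError here is a local stand-in for sqlalchemy.orm.exc.StaleDataError, and the table, rows and competing writer are constructed for the demonstration.

```python
import functools
import threading

# Added example (not keystone's or oslo.db's code). StaleDataError stands in for the
# sqlalchemy error raised when an UPDATE matches fewer rows than expected; the table,
# rows and the interleaved competing writer are constructed for the demonstration.


class StaleDataError(Exception):
    """Another client changed the row between our read and our write."""


def retry_on(exc_type, attempts=3):
    """Re-run the wrapped function up to `attempts` times while it raises exc_type.

    The last failure is re-raised, so callers still see the error once retries run out.
    """
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            for attempt in range(1, attempts + 1):
                try:
                    return fn(*args, **kwargs)
                except exc_type:
                    if attempt == attempts:
                        raise
        return wrapper
    return decorator


class UserTable:
    """Rows carry a `version`; a write succeeds only if the row still has the version the writer read."""

    def __init__(self, rows):
        self._rows = {r["id"]: dict(r) for r in rows}
        self._lock = threading.Lock()

    def read(self, user_id):
        return dict(self._rows[user_id])

    def write(self, row, expected_version):
        with self._lock:
            if self._rows[row["id"]]["version"] != expected_version:
                raise StaleDataError("user %s changed since it was read" % row["id"])
            row = dict(row, version=expected_version + 1)
            self._rows[row["id"]] = row
            return row


@retry_on(StaleDataError, attempts=3)
def update_user(table, user_id, changes, before_write=None):
    """Read-modify-write of one user row, retried transparently on StaleDataError.

    `before_write` lets the demo interleave another client's write between the read and
    the write, which is the window the commits describe (password logic runs there).
    """
    row = table.read(user_id)
    version = row["version"]
    if before_write is not None:
        before_write()
    row.update(changes)
    return table.write(row, version)


def run_contended_update():
    """A competing client wins the first round; returns (final row, attempts update_user made)."""
    table = UserTable([{"id": "u1", "name": "alice", "password_expires_at": None, "version": 1}])
    attempts = [0]

    def other_client_writes_once():
        attempts[0] += 1
        if attempts[0] == 1:
            row = table.read("u1")
            row["password_expires_at"] = "2021-09-21"
            table.write(row, row["version"])

    final = update_user(table, "u1", {"name": "alice.b"}, before_write=other_client_writes_once)
    return final, attempts[0]


def run_exhausted_retries():
    """A competing client wins every round; returns (attempts made, whether the error escaped)."""
    table = UserTable([{"id": "u1", "name": "alice", "version": 1}])
    attempts = [0]

    def other_client_always_wins():
        attempts[0] += 1
        row = table.read("u1")
        table.write(row, row["version"])

    try:
        update_user(table, "u1", {"name": "x"}, before_write=other_client_always_wins)
    except StaleDataError:
        return attempts[0], True
    return attempts[0], False


if __name__ == "__main__":
    print(run_contended_update())   # second attempt succeeds, both clients' changes survive
    print(run_exhausted_retries())  # three attempts, then the error propagates as a real failure
```

The retry re-reads the row each time, so the competing client's change (here the password expiry) is preserved rather than overwritten; a retry that reused the stale copy would silently lose it. Bounding the attempts matters too: under sustained contention the request should fail visibly, not spin.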
* Import LDAP job into project  (Colleen Murphy, 2019-10-17, 1 file, -1/+11)

  Import the legacy-tempest-dsvm-ldap-domain-specific-driver job[1] into the keystone repo and convert it to be Zuulv3 native.

  This cherry-pick removes the explicit use of python3 since it doesn't quite work on this old of a branch.

  [1] https://opendev.org/openstack/openstack-zuul-jobs/src/branch/master/playbooks/legacy/tempest-dsvm-ldap-domain-specific-driver

  Change-Id: Ie0b9f13d6fb06b776d6a58d5d1087c20df8a7cda
  Needed-by: https://review.opendev.org/687444
  (cherry picked from commit 52ab0cf579445190483f3a6f0e3aa5db0a9ebdef)
  (cherry picked from commit 0f6c6061b3026dc7a33bffad20848ebd3341af4b)
  (cherry picked from commit 429923fbb3be7229b0c6c1b6136b230d86672bcf)
  (cherry picked from commit 2f7155065456a3142ea05317dd82b370c70a7fdf)
* Fix python3 compatibility on LDAP search DN from id  (Raildo Mascena, 2019-08-29, 1 file, -3/+2)

  In Python 3, python-ldap no longer allows bytes for some fields (DNs, RDNs, attribute names, queries). Instead, text values are represented as str, the Unicode text type. [1]

  More details about byte/str usage in python-ldap can be found at:
  http://www.python-ldap.org/en/latest/bytes_mode.html#bytes-mode

  Change-Id: I63e3715032cd8edb11fbff7651f5ba1af506dc9d
  Related-Bug: #1798184
  (cherry picked from commit 03531a56910b12922afde32b40e270b7d68a334b)
* Fixing dn_to_id function for cases where id is not in the DN  (Raildo Mascena, 2019-08-29, 4 files, -10/+97)

  The more common scenario is to return the uid as part of the RDN in a DN. However, it's a valid case to not have the uid in the RDN, so we need to search in LDAP based on the DN and return the uid from the entire object.

  Also, we do not support a multivalued attribute id on the DN, so the test case covering this case was adjusted to raise NotFound.

  Closes-Bug: 1782922
  Change-Id: I87a3bfa94b5907ce4c6b4eb8e124ec948b390bf2
  (cherry picked from commit a1dc21f3d34ae34bc6a5c9acebc0eb752495ae7a)
* Remove experimental openSUSE 42.3 job  (Andreas Jaeger, 2019-08-22, 1 file, -10/+0)

  The openSUSE 42.3 distribution is EOL, remove this experimental job so that the job can be removed from Zuul.

  Note that master has a job for newer openSUSE running.

  Change-Id: Icd25b8695816f4d89a7aa00a9b9e9387866438f3
* Cap bandit  (Andreas Jaeger, 2019-08-22, 1 file, -1/+1)

  Bandit is a linter, let's cap the version in a stable branch so that new versions of bandit do not introduce pep8 failures.

  Change-Id: Idd2b6254bb4fcf4b168cd35a1a27a9da2ca2280d
* Blacklist bandit 1.6.0  (Jim Rollenhagen, 2019-05-09, 1 file, -1/+1)

  There's a regression[0] in bandit 1.6.0 which causes bandit to stop respecting excluded directories, and our tests throw a bunch of violations. Blacklist this version, but allow newer versions as there is already a pull request[1] to fix it, and I expect it will be included in the next release.

  [0] https://github.com/PyCQA/bandit/issues/488
  [1] https://github.com/PyCQA/bandit/pull/489

  Change-Id: Ie4dbfb3f54e4aac00e0537d5760b7a8fc81b35a2
  (cherry picked from commit ebac8330d8ac81c491a1cb0e16eb23b93d7932ee)
* OpenDev Migration Patch  (OpenDev Sysadmins, 2019-04-19, 6 files, -22/+22)

  This commit was bulk generated and pushed by the OpenDev sysadmins as a part of the Git hosting and code review systems migration detailed in these mailing list posts:

  http://lists.openstack.org/pipermail/openstack-discuss/2019-March/003603.html
  http://lists.openstack.org/pipermail/openstack-discuss/2019-April/004920.html

  Attempts have been made to correct repository namespaces and hostnames based on simple pattern matching, but it's possible some were updated incorrectly or missed entirely. Please reach out to us via the contact information listed at https://opendev.org/ with any questions you may have.
* Merge "Delete shadow users when domain is deleted" into stable/queens  (Zuul, 2019-04-15, 3 files, -9/+22)

* Delete shadow users when domain is deleted  (Colleen Murphy, 2019-04-02, 3 files, -9/+22)

  Without this change, when an admin tries to delete an LDAP-backed domain, it fails due to the foreign key relationship in the users table. Previously, we were assuming that LDAP users existed solely in the LDAP directory, but this is not true with shadow users. This patch fixes the logic to delete the shadow users upon domain deletion.

  Change-Id: I12a08001e3aa08e4db9438cae425ad1a0a8070f7
  Closes-bug: #1801873
  (cherry picked from commit 1b16725d066f71a833ca74656c0c3dfe5f815e98)
* Replace openstack.org git:// URLs with https://  (Ian Wienand, 2019-03-24, 5 files, -8/+8)

  This is a mechanically generated change to replace openstack.org git:// URLs with https:// equivalents.

  This is in aid of a planned future move of the git hosting infrastructure to a self-hosted instance of gitea (https://gitea.io), which does not support the git wire protocol at this stage.

  This update should result in no functional change.

  For more information see the thread at
  http://lists.openstack.org/pipermail/openstack-discuss/2019-March/003825.html

  Change-Id: Ic2b1eefa4fa5ae2fb96b56e5814fb053be7b618d
* Set initiator id as user_id for auth events  (Gage Hugo, 2019-03-19, 3 files, -3/+26)

  This change sets the initiator id as the user_id for authentication events. The notification initiator id would be set to a random UUID by default, which makes auditing the identity of the user who is authenticating difficult. This also adds the user_id as well for auth events for consistency.

  Also removes the WIP unit-test header to verify that this change works as intended.

  Change-Id: I511a03eada22c66847bd1502b16cbd2c34b1b35d
  Closes-Bug: #1780503
  (cherry picked from commit fd8b5f3206392f210a7240af5b52358791a1df87)
* Remove publish-loci post job  (Colleen Murphy, 2019-03-12, 1 file, -3/+0)

  The publishing credentials for this job are misconfigured in Zuul and result in the whole post pipeline failing, which causes tarballs not to be updated on tarballs.openstack.org[1]. Remove the misconfigured job to get the post pipeline working again.

  [1] http://eavesdrop.openstack.org/irclogs/%23openstack-release/%23openstack-release.2019-03-11

  Change-Id: I4d94a433ba32bce7ee926cdde487eeec980c6b8b
  (cherry picked from commit f0c2e798f7e706acbaf600bd06521a0e4c514477)
* Update the RDO installation guide to use port 5000  (Lance Bragstad, 2018-11-07, 1 file, -1/+1)

  This makes the RDO guide consistent with the Ubuntu and SLES guides.

  Closes-Bug: #1781536
  Change-Id: Ic935e5335378246b3363f7fd96e958388aa98b50
  (cherry picked from commit 38d25b7b5f57c5ef349c26395134c3e1ea180721)
* Invalidate app cred AFTER deletion  [13.0.2]  (Morgan Fainberg, 2018-10-21, 1 file, -1/+1)

  Invalidate the application credential after deletion, not before. This prevents timing issues where an app_cred could remain active after deletion.

  Change-Id: I14748bf2399e5da4ee360f451a8050f25dd90803
  (cherry picked from commit 906a1d3f689b9226cb949153fc9b07d287e7ff75)
* Merge "Mapped Groups don't exist breaks WebSSO" into stable/queens  (Zuul, 2018-10-19, 2 files, -5/+8)

* Mapped Groups don't exist breaks WebSSO  (Vishakha Agarwal, 2018-09-24, 2 files, -5/+8)

  The issue occurs if a user has a group that does not map to a project in OpenStack. At which point an exception is raised and the websso login blows up with a 500 message. This is because of the exception being raised when the group name does not match, thus replacing that with a log.

  Change-Id: Ia7321705db118af28f3dc6e01d5b18e8650aa633
  Closes-Bug: #1789450
  (cherry picked from commit ee46f735359cb5381024a7dfa3f2b297badc6247)
* LDAP attribute names non-case-sensitive  (Vishakha Agarwal, 2018-10-02, 3 files, -9/+73)

  keystone was not able to find any users while the LDAP user name attribute was configured to "samaccountname", but could find users when reconfigured to use "sAMAccountName". LDAP is not supposed to be case-sensitive, so either should work.

  This patch addresses the above problem by making both the attributes into lower case. Also updated the ldap_result example supporting python3.

  Change-Id: I51813ac41489baed04f3cadbccd748e03025313e
  Closes-Bug: #1753585
  (cherry picked from commit 816b472a9d20e4e7cfe33f2f40ef5daae590795e)
* import zuul job settings from project-config  (Doug Hellmann, 2018-08-29, 1 file, -0/+93)

  This is a mechanically generated patch to complete step 1 of moving the zuul job settings out of project-config and into each project repository.

  Because there will be a separate patch on each branch, the branch specifiers for branch-specific jobs have been removed.

  Because this patch is generated by a script, there may be some cosmetic changes to the layout of the YAML file(s) as the contents are normalized.

  See the python3-first goal document for details:
  https://governance.openstack.org/tc/goals/stein/python3-first.html

  Change-Id: I55e36398f51acc1d9faf546101e2a4dffa7277ce
  Story: #2002586
  Task: #24304
* Reduce duplication in federated auth APIs  [13.0.1]  (Lance Bragstad, 2018-07-25, 2 files, -15/+57)

  The GET /v3/OS-FEDERATION/projects and GET /v3/OS-FEDERATION/domains APIs were introduced to handle tokens from federated users, but now that GET /v3/auth/projects and GET /v3/auth/domains know how to handle federated tokens, they're just duplicate APIs.

  In the past we deprecated these federated auth APIs, but they still used separate code paths from GET /v3/auth/projects and GET /v3/auth/domains. The two code paths are true duplication in that they don't expect to differ over time and should provide the same user experience. Instead of running the risk that comes with two code paths that do the same thing, we should consolidate them.

  Co-Authored-By: Kristi Nikolla <kristi@nikolla.me>
  Closes-Bug: 1779205
  Change-Id: Ib906c42e1dd2c2408ccd2e256ffd876af02af3fe
  (cherry picked from commit df5d75571ed274b2964ed52048768c6d9f24d138)
* Update RDO install guide for v3  (Colleen Murphy, 2018-05-07, 1 file, -8/+8)

  Bring the RDO install guide into alignment with the Ubuntu and SUSE guides by removing references to the admin port 35357 that was used for the keystone v2 API.

  Change-Id: Ic2c5452dae0c142ce3311f6b5e6d9590d618fc22
  (cherry picked from commit 27762c822067c383d543d06ad39a3c0ad4375b45)
* Merge "Fix assert test error under py3.6" into stable/queens  (Zuul, 2018-05-02, 1 file, -2/+7)

* Fix assert test error under py3.6  (wangxiyuan, 2018-03-20, 1 file, -2/+7)

  The function __str__ of class subprocess.CalledProcessError is different between py3.6 and lower python versions.

  py3.6:
    Command '%s' returned non-zero exit status %d.
  lower version:
    Command '%s' returned non-zero exit status %d

  There is a "." in py3.6. This patch fixes the assert error under py3.6.

  Change-Id: I19ae5711ed7440791583940fa4a8fb770dcdc933
  Closes-bug: #1751551
  (cherry picked from commit 4a1df081fd3868a75bfabe8099025069eb42248f)
* Fix json schema nullable to add None to ENUM  (Morgan Fainberg, 2018-04-19, 3 files, -3/+53)

  The JSON Schema validation implementation of nullable(), which makes values possible to be null, was not adding None to the enum if it exists. This causes validation to fail on ``None``, especially in the case of keystone's boolean parameter_type implementation. ``nullable()`` now adds ``None`` to the enum if the enum exists.

  Closes-Bug: #1763824
  Change-Id: I176fa90df63049661413c445554dba9b7d87272a
  (cherry picked from commit 78adf4b40fb88e371101ed065ac1d15063d8d86e)
* Imported Translations from Zanata  (OpenStack Proposal Bot, 2018-03-14, 6 files, -18/+18)

  For more information about this automatic import see:
  https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

  Change-Id: Ifaf8681333a807c7c8ed1c8e2ba1eab1e6faf81c
* Merge "Remove @expression from tags" into stable/queens  (Zuul, 2018-03-13, 1 file, -6/+1)

* Remove @expression from tags  (Gage Hugo, 2018-03-01, 1 file, -6/+1)

  This change makes tags a property of Project instead of a hybrid_property since we will always have a Project contain some list of tags.

  Change-Id: I1033321132cb3ec71bf94b8293cef91dfc6b8272
  Co-Authored-By: Morgan Fainberg <morgan.fainberg@gmail.com>
  Closes-Bug: #1752301
* Add release note for keystone v2 removal  (Colleen Murphy, 2018-03-12, 1 file, -0/+4)

  It is possible that some users might be slightly affected by this change. Add a release note about the removal of keystone v2 in queens. Since Queens already went out the door, this change is being proposed only to the stable/queens branch so that it is properly rendered in the Queens release notes page.

  Change-Id: I9aaf7c9eff9000401bca9d4884675f0b1d9aeb3e
* Merge "Remove v2.0 policies" into stable/queens  (Zuul, 2018-02-22, 2 files, -16/+2)

* Remove v2.0 policies  (Lance Bragstad, 2018-02-21, 2 files, -16/+2)

  In queens the v2.0 APIs were removed. This commit removes the leftover v2.0 policies documented in the sample policy file.

  Change-Id: Ibb841bcbc12d0be365ddb2681310a0eee6724782
  (cherry picked from commit 8948050c03252853d406ddea157633550cb639e4)
* Update 3.10 versioning to limits and system scope  [13.0.0.0rc2, 13.0.0]  (Lance Bragstad, 2018-02-21, 1 file, -0/+2)

  This should have been done before the queens release. I noticed it when looking at the API reference and only seeing application credentials listed under 3.10 information.

  Change-Id: I6f2d9551d15061dbe99e9228c097e735910a41db
  (cherry picked from commit 1175a356fc71036b38c41025f5a90e16f91bbc98)
* Merge "Delete system role assignments when deleting groups" into stable/queens  (Zuul, 2018-02-20, 3 files, -2/+16)

* Delete system role assignments when deleting groups  (Lance Bragstad, 2018-02-14, 3 files, -2/+16)

  Keystone removes role assignments that groups have on projects and domains when deleting groups. This should apply to system role assignments, too.

  Change-Id: Iebedfcae0b77e350e5359b97fa87894af3f1c8ba
  Closes-Bug: 1749267
  (cherry picked from commit 5a24b96d951537fb12deb7050eb2e7dd7d40fc81)
* Populate application credential data in token  (Lance Bragstad, 2018-02-20, 8 files, -35/+146)

  Without this patch, the token formatter does not have enough data to construct a token created with an application credential. This means that if the token cache is disabled or expired, when keystone goes to create the token it will not find any application credential information and will not recreate the application_credential_restricted parameter in the token data.

  This patch creates a new Payload class for application credentials so that the application credential ID is properly persisted in the msgpack'd payload. It also adds more data to the token data object so that the application credential ID and name as well as its restricted status is available when the token is queried.

  Co-authored-by: Lance Bragstad <lbragstad@gmail.com>
  Change-Id: I322a40404d8287748fe8c3a8d6dc1256d935d84a
  Closes-bug: #1750415
  (cherry picked from commit 796198f19670e3eb899ca3b1db5d2a21a4127a30)
* Merge "Imported Translations from Zanata" into stable/queens  (Zuul, 2018-02-19, 5 files, -4704/+1725)

* Imported Translations from Zanata  (OpenStack Proposal Bot, 2018-02-18, 5 files, -4704/+1725)

  For more information about this automatic import see:
  https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

  Change-Id: Ie25eaa64c109e7d964cd38602c68f1c55e584d59