| Commit message (Collapse) | Author | Age | Files | Lines |
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Change I00f66b0f3c8e9f688429ee78bd51608a4dcac140 added
oslo.serialization to requirements.txt on stable to unwedge the gate due
to keystone on stable testing against master level keystoneclient which
required oslo.serialization.
Later, change I079fa77501b8987a4724d03a792b084a6d853e21 fixed the
testing problem by running the tests in a venv, so we can just
remove oslo.serialization from keystone's requirements.txt now.
Closes-Bug: #1434152
Change-Id: I224a3652fba170da34da9935e6f8b4a161a856d2
|
|\ \ |
|
| |/
| |
| |
| | |
Change-Id: Ia664a97da02f5dfc9bce329beaecd42d135ee7ca
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Since the backend_argument can potentially contain a password,
it should be marked secret to avoid leakage into the logs.
Closes-Bug: #1443598
Change-Id: I55663db4cf2df84a66de8f64fba4b4f129ae827d
(cherry picked from commit f9db1a65bd4d83d12c572ba4d5807845996ef410)
|
|\ \
| |/
|/| |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
PEP-0476 introduced more thorough certificate chain verification
for HTTPS connectivity; this was introduced in Python 2.7.9, and
breaks a number of unit tests in the keystone codebase.
Disable certificate chain verification for keystone SSL tests
using the backwards compatible SSLContext provided for this
purpose.
Closes-Bug: #1403068
(cherry picked from commit 89aec92962a551dc06520e284dadc63a0a58ad2c)
Conflicts:
keystone/tests/test_ssl.py
Change-Id: I6b5e975ed4c9abf3571212ba0e172eb653bb9281
|
|\ \ |
|
| |/
| |
| |
| | |
Change-Id: Ic5bcdb94d2524ad022a454c2cdf6a8915101cfa7
|
|/
|
|
|
|
|
|
|
|
|
|
| |
pymongo 3.0 renamed mongos_enum to read_pref_mode_from_name which
was causing the unit tests to fail.
Conflicts:
keystone/common/cache/backends/mongo.py
Change-Id: Iaa7fd7221c2e6c865633ef342e6b83304a1de655
Closes-Bug: 1441393
(cherry picked from commit 7c3fe6acaef6fc283c383fb79f06e388df6e6926)
|
|
|
|
| |
Change-Id: I4fa7090317eb140b3f1e5e1fbc96096b90bcbc95
|
|
|
|
|
|
|
|
|
|
|
| |
oslo logging needs to be reconfigured after eventlet patching
This patch follows the approach suggested in change
I717ecfd1c0f9b791a57f69325365144692f1e0b6
Change-Id: I84cac685726bbcf1285c0f6d9172439aa186466a
Closes-Bug: 1420788
(cherry picked from commit 3db10d06828b39e7dbdb2938a581526a78d2957b)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Keystone has four API calls which may result in a user's password
changing.
1. Administrative password reset on v2:
POST /v2.0/users/{user_id}/OS-KSADM/password
2. Self-service password change on v2:
PATCH /v2.0/OS-KSCRUD/users/{user_id}
3. Administrative password reset on v3:
POST /v3/users/{user_id}
4. Self-service password change on v3:
POST /v3/users/{user_id}/password
This patch adds additional test coverage to *consistently* ensure that:
- Old passwords no longer work
- Old tokens no longer work
- The new password works
Change-Id: I2a296b7ed407c75018fff3b60bd13aaa4fa9a849
Closes-Bug: 1407105
(cherry picked from commit a22aa08bf2176ac2da75258223f58d70303259e4)
|
|
|
|
| |
Change-Id: I2035debc5973fbcf27d4b4fdbd451ad271fc85f2
|
|\ |
|
| |
| |
| |
| | |
Change-Id: I66320fbe09d57e4c8dfcc2c7c17e5c947e859c7c
|
|\ \
| |/
|/| |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
In add_user_to_project() it checks if the default role exists before
trying to add the role to the user and project. If it doesn't exist it
will attempt to create the role. However if 2 requests happen at
roughly the same time the 2 role creations will race causing one to
fail with a conflict error. This patch addresses this issue by catching
the conflict exception and treating it as the create succeeded (which it
did just elsewhere)
Conflicts:
keystone/assignment/core.py
Change-Id: Iab95ed8b3913c020eafa919231d764ba8b780571
Closes-Bug: #1419043
(cherry picked from commit 0b1027886ae6bc29abd86aa8ede499be5f5fc2ae)
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The keystoneclient tests were using the library installed from a
git clone. Rather than do a clone of master, the tests will now just
use the keystoneclient installed to the venv.
Doing a `git clone` causes problems on any system without reliable
Internet access, and since the keystoneclient tests have changed to
being for functional tests rather than for verifying
backwards-compatibility of the client, this will make things easier.
Conflicts:
.testr.conf
keystone/tests/core.py
keystone/tests/test_keystoneclient.py
keystone/tests/test_keystoneclient_sql.py
test-requirements-py3.txt
test-requirements.txt
Change-Id: I079fa77501b8987a4724d03a792b084a6d853e21
(cherry picked from commit 0c407c5f8d1f3654585add3334e535ec0c1b7c28)
(cherry picked from commit 7a613ae4f14d30fbe4452f2cc8bc2a657d41ffd4)
|
|\
| |
| |
| | |
into stable/icehouse
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Addresses the problem where we check for the validity of the scoped project,
we did not subsequently making sure its domain is also enabled.
Change-Id: I24e539aea9bb0ef0a22727fd9c1fb5d9d2ad1353
Closes-Bug: 1315556
(cherry picked from commit 5db0ce63f33f6d4aec43143ae6e6fa62ad5c9025)
|
| |
| |
| |
| | |
Change-Id: Ie64bd740f55b89e992724aa195841b07d7b66dbc
|
| |
| |
| |
| | |
Change-Id: I976df860e7bcd7f0f61fc6a2175e2afd4c204dca
|
| |
| |
| |
| | |
Change-Id: I3e0f1c2d9a859f276f74cb1d1477f92fe8a7524e
|
|\ \ |
|
| |/
| |
| |
| | |
Change-Id: Ic29db344446467080977f3aca13e0a65d767ca84
|
|/
|
|
|
|
|
|
|
|
|
|
| |
The keystone.tests.test_token_provider.TestTokenProvider.
test_provider_token_expiration_validation test would fail if the
tests weren't run before the expiration period passed. This could
happen if the system was slow and the previous tests took a long
time causing a potential transient failure.
Change-Id: I123aadd55770002fe1c9ed9b17669d5212198aa3
Closes-Bug: #1278550
(cherry picked from commit 170faf1468647e9a8246e6f7f157c7e5fd475ed5)
|
|
|
|
|
|
|
| |
Keystone tests run against keystoneclient master which added
a new dependecy on oslo.serialization
Change-Id: I00f66b0f3c8e9f688429ee78bd51608a4dcac140
|
|
|
|
| |
Change-Id: I1b2e9b58d2eccbe4e7a00b1549adcdcea5845afb
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There were tests that verified that the PKI token body could be
encrypted with CMS and compared to the token ID in the response.
This test isn't safe because the token body may be different than
the token encrypted with CMS since the order of items in the dict
can change.
The fix is to change the test to decode the PKI token ID and
compare that to the response body JSON instead.
Conflicts:
keystone/tests/test_v3_auth.py
Change-Id: Icc649b96071ff084d5c76f2ea2bcf3ecb08a0351
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The correct module is 'dogpile.cache.memcached' and not
'dogpile.cache.memcache'.
It's important to backport this to Icehouse as all Juno
docs use the icehouse sample at this point. For example:
http://docs.openstack.org/trunk/config-reference/content/section_keystone.conf.html
Change-Id: Ie452c95dab4fcd04f65f6378c735490ee8cf4c70
(cherry picked from commit b8bbab790227445d90e4e9201127413bc85c1649)
|
|\ \ |
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
There were cases where a number of the API managers were being
instantiated more than one time. This could cause a number of
odd edge cases where the managers would have different
configurations and/or different dependency injection results.
The managers should now be properly instantiated only once
unless explicitly required (e.g. testing the token provider
manager raises an exception in badly configured states).
Conflicts:
keystone/auth/plugins/token.py
Closes-Bug: #1294994
Change-Id: I1babb065065cb5b06899f59568020a1c38f1156c
(cherry-picked from commit 0a1cb0e20247a3c7856b409452b01ad6db8069f0)
|
|\ \ |
|
| | |
| | |
| | |
| | | |
Change-Id: I59350ae2e7bc421fa736b8419f39c740af2ce80c
|
|\ \ \ |
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Due to the lack of support of `SELECT .. FOR UPDATE` call in
MySQL + Galera, the use of `with_lockmode('update')` needs to be
removed from the Trust SQL backend when utilizing the MySQL
dialect.
Instead of the pessimistic locking method (row lock, table lock),
use optimistic locking. The consume_use method now attempts to
update the remaining_uses column for the trust in question only
if the remaining_uses equal the same number as on the initial
query. This is done in a loop with a 10-iteration failsafe to
prevent endless looping.
Conflicts:
keystone/trust/backends/sql.py
Minor changes to the sql.py driver over the course of Juno
caused the conflict. The resulting code for consume has
not changed.
Change-Id: I1b8af6ce5709f829f345cd351ec9242d0217e743
Closes-Bug: #1325143
(cherry-picked from commit 0724fc4d27c90461de3310b3b2cb7387e6c92bba)
|
|\ \ \ \ |
|
| | |_|/
| |/| |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The default get_v3_catalog method in the catalog driver would just
raise NotImplemented. This method is given a default implementation
that generates the v3 catalog by translating the v2 catalog.
With this change, the templated and kvs catalog backends can
generate a v3 catalog.
(cherry picked from commit 8b9580456aa4223184f612330c31077624dbf0ff)
Closes-Bug: #1313458
Change-Id: I1646c7dcab90f2e0e9e370f48f7ee3643bd2fe3d
|
|\ \ \ \
| | | | |
| | | | |
| | | | | |
stable/icehouse
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
We currently only set the LDAP library certificate trust options
when TLS is being used (via startTLS). If regular LDAPS is being
used, the certificate trust options that are defined in Keystone's
configuration file are never actually set.
This patch sets the certificate trust options for both LDAPS and
TLS cases.
Conflicts:
keystone/common/ldap/core.py
keystone/tests/unit/common/test_ldap.py
Closes-bug: #1209343
Change-Id: Ieb94b732f623695920feb34995bb863175ddf27a
(cherry picked from commit ca50b6315909faf92db9eaf2981782bcd80cfab8)
|
|\ \ \ \ \
| |/ / / /
|/| | | | |
|
| | |/ /
| |/| |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The matcher implementation would fail to match two documents that are
semantically equivalent, but sibling elements appear in different
document order.
Change-Id: I99dc6401e73be4c61bb265c3258b6245f2e7bb34
Closes-bug: #1347891
|
| | | |
| | | |
| | | |
| | | |
| | | | |
Change-Id: If02327d70d0143d805969fe927898f08eb84c4c2
Closes-Bug: #1354208
|
|\ \ \ \
| |_|_|/
|/| | | |
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
A few of the LDAP searches performed in the identity and assignment
LDAP drivers do not specify the list of attributes to return, which
causes all attributes present in the LDAP entry to be returned. We
attempt to convery these values from utf8 to unicode, which fails
when we encounter a binary value. This patch addresses this problem
in two ways.
The first is to only request the attributes that we actually need
returned from the LDAP server. This avoids potential binary values
that we do not even need to be concerned with.
The second thing this patch does is to make our conversion code
more tolerant by ignoring attributes that contain binary values. If
a binary value is present, we simply skip over that attribute in
the conversion and log a debug message. We should not be encounting
binary values in a typical Keystone deployment, but this gives us
some protection just in case we do encounter a binary value.
Conflicts:
keystone/assignment/backends/ldap.py
keystone/identity/backends/ldap.py
Closes-bug: #1355489
Change-Id: I62325ab9c75bac67cca329fb7bd3c74aea7d2867
(cherry picked from commit 940551c6bdd1477574c1dee165efe75366343bd7)
|
|\ \ \ \
| |/ / /
|/| | | |
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
As specified in the bug description, the listing of users by using the
email attribute as a filter would cause an exception. This is because
the email is not a first class attribute, yet it was considered so in
the filters. Thus, this fix will prevent the exception while also
preventing the filtering by email.
Change-Id: Ibf4b51a91c1e47e8197af49855307460559a7fc9
Closes-Bug: #1306835
(cherry picked from commit 75cca803739a5b4ef197666589582802c7391e17)
|
| |_|/
|/| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Token is passed as a header from wsgi to HTTPD
If that token is unicode, it triggers an exception in mod_wsgi
Closes-Bug: 1312971
Change-Id: I4bb6ef6c98fbcd35435956d701f1ee3281e9935a
(cherry picked from commit ba1bba8257716c2f5aa668e496173e96a80f0e43)
|