| Commit message (Collapse) | Author | Age | Files | Lines |
| |
Add simple script to set up mysql and postgresql databases, this script
can be run by users during testing and will be run by CI systems for
specific setup before running unit tests.
This allows to change in project-config the python-db jobs to
python-jobs since python-jobs will call this script initially.
Update README for this.
See also
http://lists.openstack.org/pipermail/openstack-dev/2016-November/107784.html
Needed-By: Ic42f8d5392ab1d9b52c6c84c92dee0092bd2779a
Change-Id: I253726467151622e8aa3ff40bacc0b3f9903b342
(cherry picked from commit 61933fef10a092b951aae440800531fd8b44c558)
| |
When using the 'groups' keyword in a federation mapping, the value
passed in the assertion may be a simple string with a space. For
example, "ALL USERS". This results in ast.literal_eval() raising
a SyntaxError and not ValueError, which bubbles up to the API as
an uncaught 500 Internal Server Error.
Change-Id: I61f93a6c54b62ba8719d2603f93dc18c33b581ce
Closes-Bug: #1629446
(cherry picked from commit 9e1e2c2156f365078085db54dfbbfff50e2c2b84)
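The failure mode described in the commit message above, as an added example that is not keystone's code: `ast.literal_eval()` raises `ValueError` for a bare word but `SyntaxError` for a string containing a space, so a handler that catches only `ValueError` lets the second case escape. The names `InvalidGroups`, `literal_eval_error` and `parse_groups` are hypothetical, and treating an unparsable value as a single group name is this example's assumption.

```python
import ast


class InvalidGroups(Exception):
    """Raised for a groups value the mapping cannot use (a client error, not a 500)."""


def literal_eval_error(raw):
    """Return the name of the exception ast.literal_eval() raises for raw, or None."""
    try:
        ast.literal_eval(raw)
    except (ValueError, SyntaxError) as exc:
        return type(exc).__name__
    return None


def parse_groups(raw):
    """Turn an assertion value into a list of group names.

    Accepts a Python-literal list such as "['dev', 'ops']" or a plain
    string such as "ALL USERS" (assumed here to be one group name).
    """
    if not raw or not raw.strip():
        raise InvalidGroups("empty groups value")
    try:
        value = ast.literal_eval(raw)
    except (ValueError, SyntaxError):
        # "USERS" parses as a bare name      -> ValueError
        # "ALL USERS" is not an expression   -> SyntaxError
        # Catching only ValueError would let the second case propagate.
        return [raw]
    if isinstance(value, str):
        return [value]
    if isinstance(value, (list, tuple)) and all(isinstance(g, str) for g in value):
        return list(value)
    # Dicts, numbers, nested structures: reject explicitly instead of guessing.
    raise InvalidGroups("unsupported groups value: %r" % (raw,))


if __name__ == "__main__":
    # Constructed sample assertion values.
    for sample in ("USERS", "ALL USERS", "['dev', 'ops']"):
        print(repr(sample), literal_eval_error(sample), parse_groups(sample))
```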
| |
A group must be referred either with an ID, or the name _and_ the
domain. Change the JSON validation schema to check this.
Closes-Bug: #1657978
Change-Id: I213876e30fc0521195848479278080bdac8387de
(cherry picked from commit a9d79e098732445efcd58a6b03148fe6c62e044a)
| |
Increase the coverage of the mapping JSON schema tests.
Change-Id: I8a28d4b7059010fe99a596a1167da8742d586873
(cherry picked from commit 09d13cf1373990433068e5b348aa8e2967c183c9)
| |
This commit makes `keystone-manage bootstrap` completely idempotent
when configuration values or environment variables haven't changed
between runs. If they have changed, then `bootstrap` shouldn't be
as idempotent because it's changing the state of the deployment.
This commit addresses these issues and adds tests to ensure the
proper behavior is tested.
Conflicts:
keystone/tests/unit/test_cli.py
As of Newton and newer releases, a context is no longer passed into
the controller, but a request object.
Change-Id: I053b27e881f5bb67db1ace01e6d06aead10b1e47
Closes-Bug: 1647800
(cherry picked from commit 90f2f96e69b8bfd5058628b50c9f0083e3f293e9)
| |
During some upgrade testing I was doing locally, I noticed an issue
where `keystone-manage bootstrap` isn't completely idempotent. This
is because `bootstrap` has the ability to recover lost admin accounts
by resetting the admin user's enabled status and updating their
password, regardless of it being different. This creates a revocation
event and causes admin tokens to be invalid after bootstrap is run
for a second time, making it not as idempotent as we'd like.
This commit introduces a test that exposes this behavior.
Conflicts:
keystone/tests/unit/test_cli.py
In Newton and newer releases the context is no longer passed in
to the controller, but rather a request object.
Change-Id: I627255b2b5d6ec401af2c07c4018930fea206e4a
Partial-Bug: 1647800
(cherry picked from commit 2dae412940105c64c4ea1ed77e6a45793faa0efa)
| |
This is a merge of two commits, the gate is wedged.
1. Constraints are ready to be used for tox.ini
Per email[1] from Andreas, we don't need to hack at install_command
any longer.
[1] http://openstack.markmail.org/thread/a4l7tokbotwqvuoh
2. Use constraints for coverage job
OpenStack CI supports now constraints in the coverage job - as a first
job to check that the recent changes for zuul-cloner work correctly.
Change-Id: I3812776ab228bf28df9934273df7fe8ee0880660
(cherry picked from commit a6c77639a1ecd5421eaf37b8775e2e44c0d80d38)
Change-Id: Ic224c1e20693410c485e45cab5bdaa5d96192f09
(cherry picked from commit 85ae2454c9eea8fa134df74527cbd1f2e910fe05)
| | |
This is one of the ways we can prevent race conditions with backends that round
datetime objects or strings before persisting them.
Closes-Bug: 1622010
(cherry picked from commit 301b6a7bc770830485937f0b9927a26e2e5ec8c8)
Conflicts:
keystone/tests/unit/test_v3_auth.py: freezegun was added only in Newton
keystone/tests/unit/test_v3_os_revoke.py: minor conflict
In addition to cherry-pick, time.sleep() was added to several tests.
The tests assume that some time must pass between some operations.
In Newton and later this was done in other, unrelated commits and
freezegun was used. Freezegun cannot be used in Mitaka. Because of
that, time.sleep() was added at the same places where freezegun's
tick() is used in Newton.
Change-Id: I7c6d525dfb4ec13edb360a77b27422310d545305
| |
When creating a user using the API it is possible to use a domain_id which
does match the created domain_id since mysql per default is not
case sensitive and returns the domain_id to be valid. In e.g.
liberty this breaks cli keystone v2 user list actions when a user
with a DEFaULt domain has been created.
With this change the domain_id is being validated with what is provided
with the API call in get_domain.
cherry-picked from 7df92f7b624500e24b71c4b2d516604e0edb52f2
Change-Id: I028b2add3067e6fb9aa3f33eb8fe10d8ebace006
Closes-Bug: #1594284
| |
dogpile.cache's region invalidation is not designed to work across
processes. This patch enables distributed invalidation of keys in a
region.
Instead of using a static cache key, we use the original cache key
and append a dynamic value to it. This value is looked up in
memcached using the region name as a key. So anytime the value of
the region key changes the cache keys in that region are
effectively invalidated.
Conflicts:
keystone/assignment/core.py: imports were fixed
keystone/catalog/core.py: imports were fixed
keystone/common/cache/core.py:
dogpile.cache doesn't have invalidation strategies
in 0.5.8. Because of that, call to
region.invalidate was redefined.
keystone/identity/core.py:
there is no per-region cache in id_mapping_api
in Mitaka
keystone/revoke/core.py:
there is no per-region cache in revocations
in Mitaka
keystone/server/backends.py:
removed configuration of regions which were added
only in Newton
keystone/tests/unit/test_v3_assignment.py:
conflict due to freezegun being used in Newton and
not used in Mitaka
keystone/token/provider.py:
there is no per-region cache in token providers
in Mitaka
Closes-Bug: #1590779
Change-Id: Ib80d41d43ef815b37282d72ad68e7aa8e1ff354e
(cherry picked from commit 42eda48c78f1153081b4c193dc13c88561409fd3)
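The key scheme described in the commit message above, as an added example that is not keystone's or dogpile.cache's code: a simplified model contrasting an invalidation marker held in process memory with a dynamic region id stored in the shared backend. `LocalRegion`, `DistributedRegion` and `stale_read_after_invalidation` are hypothetical names, and a plain dict stands in for memcached.

```python
import itertools
import secrets

_clock = itertools.count(1)  # logical clock, keeps the example deterministic


class LocalRegion:
    """Invalidation marker kept in process memory (the behaviour being fixed)."""

    def __init__(self, backend):
        self.backend = backend
        self._invalidated_at = 0

    def set(self, key, value):
        self.backend[key] = (value, next(_clock))

    def get(self, key):
        value, created = self.backend.get(key, (None, 0))
        return value if created > self._invalidated_at else None

    def invalidate(self):
        self._invalidated_at = next(_clock)  # other workers never see this


class DistributedRegion:
    """Cache key = original key + dynamic region id stored in the backend."""

    def __init__(self, backend, name):
        self.backend = backend
        self._region_key = "region-id:" + name

    def _region_id(self):
        # setdefault stands in for an atomic memcached add()
        return self.backend.setdefault(self._region_key, secrets.token_hex(8))

    def _full_key(self, key):
        return "%s:%s" % (key, self._region_id())

    def set(self, key, value):
        self.backend[self._full_key(key)] = value

    def get(self, key):
        return self.backend.get(self._full_key(key))

    def invalidate(self):
        # Changing the region id orphans every key built from the old one.
        self.backend[self._region_key] = secrets.token_hex(8)


def stale_read_after_invalidation(make_region):
    """Worker A caches a role, worker B invalidates; return what A still sees."""
    backend = {}  # one shared store, as memcached would be (constructed)
    worker_a, worker_b = make_region(backend), make_region(backend)
    worker_a.set("role:42", "admin")
    assert worker_a.get("role:42") == "admin"
    worker_b.invalidate()
    return worker_a.get("role:42")
```

With `LocalRegion` worker A keeps serving the cached role after worker B invalidates; with `DistributedRegion` the read misses. The orphaned entries stay in the backend until it evicts them.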
| |
When token caching is turned on, upgrading from stable/liberty to
stable/mitaka or master causes tokens to fail to be issued for the
time-to-live of the cache. This is because as part of the token
issuance the token's role is looked up, and the cached version of the
role immediately after upgrade does not have a domain_id field, even
though that column was successfully added to the role database. This
patch hacks around that by artificially adding a null domain_id value
to the role reference.
This must be done in the manager, as opposed to the driver, because it
is the manager that is caching the value and so modifying the value
returned by the driver has no effect.
Change-Id: I55c791486f2a26ae995f693370b016895176a16f
Closes-bug: #1592169
(cherry picked from commit bc99dc76775d22eca01b818f37de35a76ece9d72)
| | |
Currently, in both unscoped and scoped federated tokens, the
username value in the token is equal to the userid and not to
the value of the username in the external identity provider.
This makes WebSSO login to show the userid of the logged-in
user in the Horizon dashboard, whereas before it was showing
the actual user name.
This patch fixes the value of the username in the federated
tokens, which will fix the WebSSO issue as well, since Horizon
looks at the username value and displays that as the logged-in user.
Closes-Bug: #1597101
Closes-Bug: #1482701
Change-Id: I33a0274641c4e6bc4e127f5206ba9bc7dbd8e5a8
(cherry picked from commit 2042c955c81929deb47bc8cc77082b085faaa47d)
| |
This patch changes the LocalUser sql model to eager loading. Subquery
loading is eager loading as the parents are loaded, using one additional
SQL statement, which issues a JOIN to a subquery of the original
statement, for each collection requested.
Closes-Bug: 1606426
Change-Id: I48965676ad6a796115caef5e90974cb617243223
(cherry-picked from: 4b9384dea36755c0dc0256f7392bf8c1e13f6632)
| | |
stable/mitaka
| | |
One of the common use cases for the admin_token middleware was to
provide a recovery mechanism for cloud operators that had accidentally
disabled themselves or lost their password.
Instead of using bootstrap to create a second admin just to recover the
first, this change allows bootstrap to reset the user's credentials and
ensure that the account is enabled.
Change-Id: I82cafced67852335e9bb49035f13c993c7ccd2df
Closes-Bug: 1588860
(cherry picked from commit d6b016dd91c743a2f454a3b4f9d055510c2215ae)
| | | |
When using list_limit configuration option in Default section of
keystone.conf, the /services?name=<service_name> API fails to find
the service if list_limit value is smaller than the total number
of services and the searched service is not among the first
'list_limit' services. The API should first filter by name and
only afterwards truncate the result list.
Also, this patch fixes setting the 'truncated' attribute of the
driver's hint.limit object when truncating the list outside of
driver_hints.truncated decorator, problem exposed by fixing the
problem described in the first paragraph.
Closes-Bug: #1594482
(cherry picked from commit 6a9a9f002f44c15d40cf890eefd03a4ab6172b0b)
Conflicts:
keystone/tests/unit/test_v3_catalog.py
Change-Id: I832f542c3cb0faf94a1e5bce5a894f7f4d26a8de
| | | |
Using the templated backend for catalogs deleting a project
will currently work but it will return an error to the user
that is raised in the delete notification code handling.
Change-Id: Ie2ecb226389a7ee74dc64b28b0e08817e6375801
Closes-Bug: #1579604
(cherry picked from commit 8232f4f23c1c33a6e45073386f40e79139d9b980)
| | |
The 'domain_id' and 'name' unique constraint was not properly dropped
in some cases because the unique constraint was not consistently
named. In all cases we must search for the constraint expected,
not assume the name of the constraint will be consistent
(especially from older installs that have been moved forward in
releases). This fix is modeled on the fix for a similar issue
authored by Morgan Fainberg & Matthew Thode for Bug #1562934
Migration 091:
Fix to broken migration to prevent failed migrations when database is
upgraded from Kilo (or below) to Mitaka
Migration 097:
Ensure that when Mitaka point release is applied the constraint and tables
have been dropped if migration 91 was previously worked around.
Migration 91 drops 3 columns from the user table after the code to disable
the constraint. I have included code in migrations 97 to also drop
those columns if they are still present in case they were missed when working
around Bug #1572341. This may be overkill.
The following file conflicted since Opportunistic DB testing was included
in the Newton release.
keystone/tests/unit/test_sql_upgrade.py
Note that migration 104 was removed since it does not exist in the Mitaka
release. The unit tests were also modified accordingly.
Change-Id: I076d7139b388e30be8826d0a4550256b5617d992
Closes-bug: #1572341
| | | |
Change-Id: I7d9e0f182a32afab61deaeb359454c556f03a90e
| | | |
Fix GET /v3/groups?name=<name> to honor conf.ldap.group_filter.
The case where groups are listed for a specific user was already
honoring the filter, but the case where all groups are listed was not.
Moved the check into the get_all_filtered method that is shared by both
cases so that it is not duplicated.
Change-Id: I4a11394de2e6414ba936e01bcf2fcc523bab8ba5
Closes-Bug: #1588927
(cherry picked from commit 1c0e59dc9c0cd8bb4fd54f26d01986a53bcd148c)
| | |
If a scoped-token was validated and the user didn't have any role assignment
on a project, keystone would return a 401 Unauthorized. This was the
case when the fernet token provider was enabled because the reference is
rebuilt on every request. The uuid token provider has a different behavior - if
the token isn't found in the backend a 404 Not Found is returned. Furthermore,
for persisted tokens, any validation error will result in 404, such as in the
case where the user no longer has any roles assigned for the given scope.
These two behaviors should be consistent regardless of the token provider.
This problem was not fixed entirely with https://review.openstack.org/#/c/277436/
because of token caching in devstack which masks the wrong error code for the
period of time the token is cached. Therefore, in order to test this in devstack
you need to take into account the caching time after un-assigning the role on
a project and while using the same fernet token.
Closes-Bug: #1541621
Change-Id: I9d36c5c73d5a832cd04dd4c1368b8d769e0acc4c
(cherry picked from commit fde57f68e290575e874234fc751d2380637a07f5)
| |
In Liberty we used to cache the whole token at the provider manager
validate token call. However, in Mitaka we changed this, for
non-persistent tokens (e.g. fernet), to instead attempt to cache
the individual components that make up the token. This change caused
validating a fernet token to become 5 times slower than the same
operation in Liberty (as well as UUID in both releases).
This patch re-instates full-token caching for fernet. This should be
considered somewhat of a bandaid to redress the performance
degradation, while we work to restructure our token issuance
and validation to simplify the multiple code paths.
In terms of invalidation of such a cache, this change effectively
reverts to the Liberty approach where anything logged to the
revocation manager will still cause validation of the token to fail
(this is checked for all token types). However, the alternate (and
confusingly additional) "direct" invalidation of the cache via
the persistence manager will, like in Liberty, not have any
effect with cached fernet tokens. As far as I can tell, all
situations where we currently want a token revoked will send
this information to both the revoke and persistence managers,
hence this change should not result in any tokens remaining
valid when they shouldn't.
Closes-Bug: #1590179
Change-Id: I80371746735edac075eec9986e89b54b66bc47cb
(cherry picked from commit 9c89e07b11afa2e12c97d0af514ce5fcc04e2ac3)
| |
Fix GET /v3/users?name=<name> to honor conf.ldap.user_filter.
Change-Id: I65cacc04c218a7c87855a305c7e0088ac5860cc8
(cherry picked from commit 322a744ba852a5a4e59c713a52168fa8db2552ca)
Closes-Bug: #1577804
| |
The tox venv environment is run during post jobs and thus cannot use
constraints.
See:
http://logs.openstack.org/db/db7bdf9aa0cb0ba5fbae5ae07ecdb9f024213deb/post/keystone-docs/92d1e87/
http://logs.openstack.org/db/db7bdf9aa0cb0ba5fbae5ae07ecdb9f024213deb/post/keystone-branch-tarball/eb685ad/
We run for docs jobs:
"tox -e venv python setup.py build_sphinx"
thus, the docs environment is not used.
For branch tarball, the infra scripts use:
"tox -e venv python setup.py sdist"
And infra does not set up constraints for post jobs currently as this is
not working with current tools
Fix tox.ini for this
Change-Id: I048368981e4be739c66073fdd9bc8a9663498a80
(cherry picked from commit 2535f22e6123bd8b7ae1304b31f6748e631d8e61)
| |
Change-Id: I83803044e751f26243c99347b2c0bdb148095915
| |
This test is validating internal behavior of the oslo.policy
library. Since oslo.policy already has tests for this
function, we don't have to test it in keystone.
As of commit 83d209e in oslo.policy the test fails because
oslo.policy has been enhanced to support YAML and the test is
using valid YAML.
An alternative is to change the test to have a file that's
invalid YAML (remove the ']'), but then it might break again.
An alternative is to change the test to mock out the behavior,
but then the test would just be showing that if we mock out
rules.enforce to raise ValueError it does that.
Change-Id: I4ead61566000aedf62c9c48b0702ea30472c9925
(cherry picked from commit 8eb7960e0f31c2624230b88d17933b3f48a17eaa)
| |
The JSON schema missed the domain property for the local group
description, but it is requested by the code explicitly.
Change-Id: If74aaf07b77399f1648843280153c7523de5eb38
Closes-Bug: 1575057
(cherry picked from commit 7567c5edf214bfbbee6d6acf7c130cd857324fc0)
| |
Remote IDs conflicts can happen during an identity provider
update (similar to what happens during create).
This patch adds the same conflict handling, so a 500 is not
returned by keystone.
Change-Id: I1f093dad0b9427027edf4dc1a9f563e99aedad0c
Closes-Bug: 1558670
(cherry picked from commit bfcbb3cd7679dd13d5ededd2f3b765d40e0bca7d)
| | |
The fernet token provider was doing some weird things with audit ids that
caused token rescoping to not work because audit ids were never pulled from the
original token. This commit also enables some tests for v2.0 authentication
with the Fernet as the token provider.
Closes-Bug: 1577558
Change-Id: Iffbaf505ef50a6c6d97c5340645acb2f6fda7e0e
(cherry picked from commit 0d376025bae61bf5ee19d992c7f336b99ac69240)
| | |
The Fernet tests for Python 3.4 fail if they are given
project_ids that are not uuids. Since all issued
project IDs in a live deployment are UUIDs, it is more
correct to fix the tests than to change the formatter.
Change-Id: I485c02cbb6484e52b4bb4563e2842c45a34e66eb
(cherry picked from commit 36da34f02ff921584524108a34c11568bc406c10)
| | |
For more information about this automatic import see:
https://wiki.openstack.org/wiki/Translations/Infrastructure
Change-Id: If9ecf2e20ac94540494485befe4adbde00c7c447
| | |
Change-Id: Ibe9f30a66fdbdce1087388085da228f01d1d12f6
| |
Some targets don't respect upper-constraints like
cover and releasenotes, so make sure we don't use
the same install_command for those jobs.
Change-Id: I8636e7c86c6c5c608429fab88e181108ae615db9
(cherry picked from commit db7bdf9aa0cb0ba5fbae5ae07ecdb9f024213deb)
| | |
When a user attempts to rename a project via the PATCH
v3/projects/{project_id} API, and the new name is already in-use, rather
than return a nice error explaining that the name is in use, keystone
blows up and raises `KeyError: 'is_domain'` in
_generate_project_name_conflict_msg.
Change-Id: I56fcd8fe1258e2d1de3e541144649ef619f86a7b
Closes-bug: #1565108
(cherry picked from commit c1be6883f250e6bc0ad1b43eb516186f74a477f1)
| | | |
Instead of only using the request_local_cache when an explicit set
occurs, make sure we always set the value for the request_local_cache
when we have to reach for the proxied backend.
The Context Local cache was being used previously when we were seeing
a mix of cache misses and hits. This change ensures we now always
set the value(s) as expected:
Change-Id: I4857cfe1e62d54c3c89a0206ffc895c4cf681ce5
Closes-Bug: #1567403
(cherry picked from commit 9b9bc7767fad36da1c764add842f85efdc48807b)
| | | |
For more information about this automatic import see:
https://wiki.openstack.org/wiki/Translations/Infrastructure
Change-Id: I7496e2f22aa63cb16c6ab0357ba31ff91b648c7c
| | |
The test_with_multiple_users test would fail if the time happened to
roll over to the next chunk for the totp generator. The fix is to
control the clock in the test so this can't happen.
Change-Id: I2b92a0cc08ba8e36edc87cb76960a46746895458
(cherry picked from commit 3eaea2fdf417a03aeb539cd35ab28f01de5886af)
| |
When shadowing a federated user, if the display name is changed, it
should get updated and returned in the user name attribute. This patch
fixes a bug where the display_name was getting updated, but not the old
display_name was being returned.
Closes-Bug: #1566494
Change-Id: I155d3a9e4c90a3d22d0b30e35276c9ddbb65ae6d
(cherry picked from commit 562b81dd4a94d5a219b7cf1ff2f82288add10046)