| Commit message | Author | Age | Files | Lines |
Import the legacy-tempest-dsvm-ldap-domain-specific-driver job[1] into the
keystone repo and convert it to be Zuulv3 native.
This cherry-pick removes the explicit use of python3 since it doesn't
quite work on a branch this old.
[1] https://opendev.org/openstack/openstack-zuul-jobs/src/branch/master/playbooks/legacy/tempest-dsvm-ldap-domain-specific-driver
Change-Id: Ie0b9f13d6fb06b776d6a58d5d1087c20df8a7cda
Needed-by: https://review.opendev.org/687444
(cherry picked from commit 52ab0cf579445190483f3a6f0e3aa5db0a9ebdef)
(cherry picked from commit 0f6c6061b3026dc7a33bffad20848ebd3341af4b)
(cherry picked from commit 429923fbb3be7229b0c6c1b6136b230d86672bcf)
(cherry picked from commit 2f7155065456a3142ea05317dd82b370c70a7fdf)
(cherry picked from commit 8b8a8f2c54820e13403746784843df017812896f)
(cherry picked from commit 45ef2b6700a640ec3a6350503d53587979d9e0a1)
There's a regression[0] in bandit 1.6.0 which causes bandit to stop
respecting excluded directories, and our tests throw a bunch of
violations. Blacklist this version, but allow newer versions as there is
already a pull request[1] to fix it, and I expect it will be included in
the next release.
[0] https://github.com/PyCQA/bandit/issues/488
[1] https://github.com/PyCQA/bandit/pull/489
Change-Id: Ie4dbfb3f54e4aac00e0537d5760b7a8fc81b35a2
(cherry picked from commit ebac8330d8ac81c491a1cb0e16eb23b93d7932ee)
This commit was bulk generated and pushed by the OpenDev sysadmins
as a part of the Git hosting and code review systems migration
detailed in these mailing list posts:
http://lists.openstack.org/pipermail/openstack-discuss/2019-March/003603.html
http://lists.openstack.org/pipermail/openstack-discuss/2019-April/004920.html
Attempts have been made to correct repository namespaces and
hostnames based on simple pattern matching, but it's possible some
were updated incorrectly or missed entirely. Please reach out to us
via the contact information listed at https://opendev.org/ with any
questions you may have.
The publishing credentials for this job are misconfigured in Zuul and
result in the whole post pipeline failing, which causes tarballs not to
be updated on tarballs.openstack.org[1]. Remove the misconfigured job to
get the post pipeline working again.
[1] http://eavesdrop.openstack.org/irclogs/%23openstack-release/%23openstack-release.2019-03-11
Change-Id: I4d94a433ba32bce7ee926cdde487eeec980c6b8b
(cherry picked from commit f0c2e798f7e706acbaf600bd06521a0e4c514477)
This is a mechanically generated patch to complete step 1 of moving
the zuul job settings out of project-config and into each project
repository.
Because there will be a separate patch on each branch, the branch
specifiers for branch-specific jobs have been removed.
Because this patch is generated by a script, there may be some
cosmetic changes to the layout of the YAML file(s) as the contents are
normalized.
See the python3-first goal document for details:
https://governance.openstack.org/tc/goals/stein/python3-first.html
Change-Id: I32e3f3427dda03c898877e697aa50771ce10254b
Story: #2002586
Task: #24304
The GET /v3/OS-FEDERATION/projects and GET /v3/OS-FEDERATION/domains
APIs were introduced to handle tokens from federated users, but now
that GET /v3/auth/projects and GET /v3/auth/domains know how to handle
federated tokens, they're just duplicate APIs.
In the past we deprecated these federated auth APIs, but they still
used separate code paths from GET /v3/auth/projects and GET
/v3/auth/domains. The two code paths are true duplication in that they
don't expect to differ over time and should provide the same user
experience.
Instead of running the risk that comes with two code paths that do the
same thing, we should consolidate them.
Conflicts:
keystone/federation/controllers.py due to the fact that pre-Queens
code used a different dependency framework. This was reworked in
the Queens release, causing a conflict with this patch since it
touches the same code.
keystone/tests/unit/test_v3_auth.py due to a couple of tests with
similar naming and placement within the same test module.
Co-Authored-By: Kristi Nikolla <kristi@nikolla.me>
Closes-Bug: 1779205
Change-Id: Ib906c42e1dd2c2408ccd2e256ffd876af02af3fe
(cherry picked from commit df5d75571ed274b2964ed52048768c6d9f24d138)
Since the users table has a foreign key to the projects table[1], users
must be deleted before the domain can be deleted. However, the
notification emitted from the domain deletion comes too late, and
keystone runs into a foreign key reference error before it can delete
the users. This patch addresses the problem by adding a new internal
notification to alert the identity manager that users should be deleted.
This uses a new notification rather than the existing notification
because the existing one is used to alert listeners that the domain
deletion has been fully completed, whereas this one must happen in the
middle of the domain delete process.
The callback must also only try to delete SQL users. The LDAP driver
doesn't support deleting users, and we can't assume other drivers
support it either. Moreover, the foreign key reference is only a problem
for SQL users anyway.
Because our backend unit tests run with SQLite and foreign keys do not
work properly, we can't properly expose this bug in our unit tests, but
there is an accompanying tempest test[2][3] to validate this fix.
[1] https://github.com/openstack/keystone/blob/2bd88d3/keystone/common/sql/expand_repo/versions/014_expand_add_domain_id_to_user_table.py#L140-L141
[2] https://review.openstack.org/#/c/509610
[3] https://review.openstack.org/#/c/509947
Change-Id: If5bdb6f5eef80b50b000aed5188ce7da4dfd1083
Closes-bug: #1718747
(cherry picked from commit 62ee18b359cbb2e6a9469bdaac9057ef19de1bdf)
This was broken when issue_v2_token was removed, and no one noticed
because there are no tests.
The good news is, Swift3 is content to move toward supporting the
v3 format, so just start inheriting from the v3 controller.
Change-Id: I5d0c18121ba4bf8e33209daa48b9d87864951362
Related-Change: I7d3b583cbec9a095ab8cc20c5d6c0a6127e37068
Related-Change: I747de516ab69a47622eecbf8ab3faa34444b3ad5
(cherry picked from commit 3ec1aa4c19c2256cc2db70dbbf9aed717e3d37e9)
Since the last patch in the ocata release that removed the metadata_ref,
the ec2tokens api is broken due to being unable to unpack the result of the
authenticate command (4 elements) while expecting to expand it into 5.
Change-Id: I71c4b51444ea9f7a3016b68d7dee9a4747e9c0fd
Closes-Bug: #1691111
Closes-Bug: #1635389
(cherry picked from commit 820d9d9a84f2a65677a2654b36a4677eaeba59fc)
All users and groups are required to have a name. Prior to this fix,
Keystone was not properly enforcing this for LDAP users and groups.
Keystone will now ignore users and groups that do not have a value for
the LDAP attribute which Keystone has been configured to use for that
entity's name.
Closes-Bug: #1704205
Change-Id: I424813785b7a355514ef42f1e4c6384b8a78b256
(cherry picked from commit bb2b215b539b56c01e9a0c7acd9fd62ed1529ebc)
Changes identity:get_identity_providers policy rule to
identity:get_identity_provider to match what is checked by the code.
Conflicts:
keystone/common/policies/identity_provider.py
There was a conflict backporting this change since the policy-in-code
work is new in Pike. The conflict was resolved by removing the
policy-in-code change and making it manually against the old
etc/policy.json file.
Change-Id: I0841abd30fd15c034b5836e42a18938634b509b1
Closes-Bug: #1703369
(cherry picked from commit b7119637a04d0a07fa6419a407f433c01bbd1db2)
driver" into stable/ocata
When a file-config-based domain-specific backend was loaded the
local config files from /etc/keystone/keystone.conf.d/ were also read. The
local config dir should not be used in this case.
Change-Id: Ib576c8f12a7cc4272e07bb057bf028d69649b65d
Related-Bug: #1489118
(cherry picked from commit 5e8e71fb16e8bc94c169bbaa8aaf6a7527f816c0)
During a backport patch [0] for this fix, some problems were found in
the previous approach, like: it didn't re-enable session.autocommit.
Another comment was that we should create a new session and commit on
it instead of disabling/enabling autocommit.
After this, we should backport this change in order to fix the previous
releases, instead of the other one.
[0] https://review.openstack.org/#/c/469514
Change-Id: Ifc024ba0e86bb71f4ab8b019917782bc5bf3be7a
Closes-Bug: #1649616
(cherry picked from commit 0b5c5c03ecb6cd261ec06b4e2465c8d88b8c1725)
A fix was merged for bug 1687593 but we forgot to add a release note.
Change-Id: Ib8571d155ca526b0b4fb536ceff7c3b5752281c6
(cherry picked from commit 5303ef6e8876e78a9dfeb8b0eb69bd3b71d0e397)
Change 461736 modifies the URL passed to the oauth signature verifier to
the request URL. But in some deployments, https endpoints are terminated
at haproxy and an http request is sent to keystone. So the request URL will
have http as the URL scheme, whereas the endpoint is registered with https
and the signature at the client is done with the https URL. This results in
OAUTH signature validation failure.
Update the URL sent for OAUTH signature verification with the scheme of
the base URL.
Change-Id: Iaba285985b616a35e3dfe33cdd45667174e7c69d
Partial-Bug: #1687593
(cherry picked from commit b7aece57d2845fcfa45a84e6d21a6188ddd192cc)
OAUTH signature verification should happen with the same URL used for signing.
Typically at the user end it should be signed with the request URL and hence it
should be verified with the same.
Currently keystone uses public endpoint URL for signature verification.
Modified the URL passed to oauth signature verification to request URL.
Change-Id: I28059a43cb0088c2952c19f696042ebec54d26c9
Partial-Bug: #1687593
(cherry picked from commit 926685c5a4823d7e3ab3879bae1529052fff7d68)
Commit token flushes between batches in order to lower resource
consumption and make flushing more robust for replication
Change-Id: I9be37e420353a336a8acd820eadd47d4bcf7324f
Closes-Bug: #1649616
(cherry picked from commit dc7f81083180eeb5233f7007e3d2514cc0d7c6d3)
When keystone is using an external identity backend such as LDAP for
storing users and groups, but storing role assignments in the local db,
and a group that has role assignments is deleted out-of-band, its
assignments will still exist in the keystone database. If, after this,
a user attempts to list effective role assignments, keystone will try
to look up the group and fail with NotFound.
This catches the NotFound exception of the list_users_in_group call and
returns an empty user list so that the effective assignments list does
not fail.
Closes-Bug: 1693510
Change-Id: Ie5f69b150d59287bd0bc68f1ce9eecfeab04c91a
(cherry picked from commit d09c337619fed8664272848abb3a1351dd5e4c85)
Change-Id: I555be48088491822f90f7f8075033d7d7e6f004b
Keystone can use an external identity store for the users, and
store assignments for these users in the SQL database that it
manages. When a user has been deleted directly in the external
identity store, these assignments will persist. Therefore when
listing role assignments and asking for names to be included,
keystone will try to get information of the user and fail with
NotFound.
This catches the NotFound exception of the get_user and get_group
calls and fills the user values with an empty string.
Change-Id: Iec3e12f6cd1402e1e3f192b0ede5d608bd41ca1d
Closes-Bug: 1684820
(cherry picked from commit 0392b36a0d7d3e7cc479b357245da04c949924de)
Without the change, the method fetched all assignments for a project
or domain, regardless of who has the assignment, user or group. This
led to a situation where a federated user without groups could scope a
token with other users' rules.
Return an empty list of assignments if no groups were passed.
Closes-Bug: 1677723
Change-Id: I65f5be915bef2f979e70b043bde27064e970349d
(cherry picked from commit 2139639eeabc8f6941f4461fc87d609cde3118c2)
For more information about this automatic import see:
http://docs.openstack.org/developer/i18n/reviewing-translation-import.html
Change-Id: Ie11a20939d5070d0bc7d218b3007a96a07fd23b7
Fixed an issue with the translation of keystone error messages, which
was not happening for error messages from the identity API when a
locale was set.
Change-Id: Idc73e86647f2adce9e39387b0c3124431dcac255
Closes-Bug: #1674415
(cherry picked from commit 2126bd576550a68284e05fc8eadedce072531563)
Change-Id: I9a1fe87be95fdf22c21daa8ed19dbad512dcdb38
In Ocata Series Release Notes
<https://docs.openstack.org/releasenotes/keystone/ocata.html>,
the bp <shadow mapping> link is incorrect.
Change-Id: I2dd5f9f9513d8c4cb48ac833f0ebac4db68339b2
Closes-Bug: #1668173
These changes have already merged in the master branch. However, the
cherry pick failed because of a merge conflict. So submit these changes
again in the stable/ocata branch to revise the release notes.
Change-Id: I1faa518e071558011fd0e2ad3a685174be7627ba
Change-Id: Idd0dfc7e15f86651b8771610fdcdbdb07849bb6e
(cherry picked from commit d339e97bb5f52c50a5d7b96a513e6cdb01058b3d)
events" into stable/ocata
When a role on a group scoped to a project/domain is revoked, it persists a
revocation event in the revoke_event table which invalidates all tokens
created with the same role in the project/domain. Since token validations
happen by populating role assignments at validation time, persistence of
revocation events is no longer needed.
Change-Id: I112d5d4684f739d320606cea651e0a108f18d245
Closes-Bug: #1662514
(cherry picked from commit 2cb842cd645cbfcad4ccd62200340ce4616a8aa7)
into stable/ocata
When an SQL-config-based domain-specific backend was loaded the
local config dir (/etc/keystone/keystone.conf.d) is also read. The
local config files should not be used in this case.
This is a followup fix for Idd095b2df375329f579c164d00dfd50b41b0e96d
Related-Bug: #1489118
Change-Id: I14008656a538ca7641aefffe08b9d1c23b7b87d2
(cherry picked from commit ab3bfaf90f17582783382519ace28dfdea1fddf8)
LDAP authentication was broken by the addition of MFA rule checking.
This patch fixes that.
Change-Id: I4efe4b1b90c93110509cd599f9dd047c313dade3
Closes-Bug: #1662762
(cherry picked from commit 4e0029455ab45e3b9a15fe9fc151c14c502b7bdd)
Change-Id: Ie706d348c15f6ce641d1b969a82f80a312a5c1ca
Change-Id: I01feb7b5dbdc132ea510cb489ecc14edd5e5a757
Add a simple script to set up mysql and postgresql databases. This script
can be run by users during testing and will be run by CI systems for
specific setup before running unit tests.
This allows changing the python-db jobs in project-config to
python-jobs, since python-jobs will call this script initially.
Update the README for this.
See also
http://lists.openstack.org/pipermail/openstack-dev/2016-November/107784.html
Needed-By: Ic42f8d5392ab1d9b52c6c84c92dee0092bd2779a
Change-Id: I253726467151622e8aa3ff40bacc0b3f9903b342
the "recieve" change to "receive".
Change-Id: I8d762243460d76750ab1df94f27b2c48d378928d
Add the release note for MFA Rules.
Change-Id: Id4aff9ba57d5b60110df1a7c752950d022ed58ec
bp: per-user-auth-plugin-reqs
The de-duplication was over-optimisation and not of value: it is
less expensive to have 1 or 2 (at most) rules loaded from storage
(which is already protected against having multiple rules stored,
both via json schema and the data storage bits itself) than to
join the strings and sort them just to eliminate another iteration.
Change-Id: I88b3ab0e956e32be91f87d85cb4e19069dd3d08c