Commit message | Author | Age | Files | Lines
* Import LDAP job into project [ocata-eol, stable/ocata] | Colleen Murphy | 2019-10-17 | 1 file | -1/+11

  Import the legacy-tempest-dsvm-ldap-domain-specific-driver job[1] into the keystone repo and convert it to be Zuulv3 native. This cherry-pick removes the explicit use of python3 since it doesn't quite work on a branch this old.

  [1] https://opendev.org/openstack/openstack-zuul-jobs/src/branch/master/playbooks/legacy/tempest-dsvm-ldap-domain-specific-driver

  Change-Id: Ie0b9f13d6fb06b776d6a58d5d1087c20df8a7cda
  Needed-by: https://review.opendev.org/687444
  (cherry picked from commit 52ab0cf579445190483f3a6f0e3aa5db0a9ebdef)
  (cherry picked from commit 0f6c6061b3026dc7a33bffad20848ebd3341af4b)
  (cherry picked from commit 429923fbb3be7229b0c6c1b6136b230d86672bcf)
  (cherry picked from commit 2f7155065456a3142ea05317dd82b370c70a7fdf)
  (cherry picked from commit 8b8a8f2c54820e13403746784843df017812896f)
  (cherry picked from commit 45ef2b6700a640ec3a6350503d53587979d9e0a1)
* Blacklist bandit 1.6.0 | Jim Rollenhagen | 2019-05-09 | 1 file | -1/+1

  There's a regression[0] in bandit 1.6.0 which causes bandit to stop respecting excluded directories, and our tests throw a bunch of violations. Blacklist this version, but allow newer versions as there is already a pull request[1] to fix it, and I expect it will be included in the next release.

  [0] https://github.com/PyCQA/bandit/issues/488
  [1] https://github.com/PyCQA/bandit/pull/489

  Change-Id: Ie4dbfb3f54e4aac00e0537d5760b7a8fc81b35a2
  (cherry picked from commit ebac8330d8ac81c491a1cb0e16eb23b93d7932ee)
* OpenDev Migration Patch | OpenDev Sysadmins | 2019-04-19 | 1 file | -1/+1

  This commit was bulk generated and pushed by the OpenDev sysadmins as a part of the Git hosting and code review systems migration detailed in these mailing list posts:

  http://lists.openstack.org/pipermail/openstack-discuss/2019-March/003603.html
  http://lists.openstack.org/pipermail/openstack-discuss/2019-April/004920.html

  Attempts have been made to correct repository namespaces and hostnames based on simple pattern matching, but it's possible some were updated incorrectly or missed entirely. Please reach out to us via the contact information listed at https://opendev.org/ with any questions you may have.
* Remove publish-loci post job | Colleen Murphy | 2019-03-12 | 1 file | -3/+0

  The publishing credentials for this job are misconfigured in Zuul and result in the whole post pipeline failing, which causes tarballs not to be updated on tarballs.openstack.org[1]. Remove the misconfigured job to get the post pipeline working again.

  [1] http://eavesdrop.openstack.org/irclogs/%23openstack-release/%23openstack-release.2019-03-11

  Change-Id: I4d94a433ba32bce7ee926cdde487eeec980c6b8b
  (cherry picked from commit f0c2e798f7e706acbaf600bd06521a0e4c514477)
* import zuul job settings from project-config | Doug Hellmann | 2018-08-29 | 1 file | -0/+90

  This is a mechanically generated patch to complete step 1 of moving the zuul job settings out of project-config and into each project repository. Because there will be a separate patch on each branch, the branch specifiers for branch-specific jobs have been removed. Because this patch is generated by a script, there may be some cosmetic changes to the layout of the YAML file(s) as the contents are normalized. See the python3-first goal document for details: https://governance.openstack.org/tc/goals/stein/python3-first.html

  Change-Id: I32e3f3427dda03c898877e697aa50771ce10254b
  Story: #2002586
  Task: #24304
* Reduce duplication in federated auth APIs [ocata-em, 11.0.4] | Lance Bragstad | 2018-07-25 | 2 files | -15/+57

  The GET /v3/OS-FEDERATION/projects and GET /v3/OS-FEDERATION/domains APIs were introduced to handle tokens from federated users, but now that GET /v3/auth/projects and GET /v3/auth/domains know how to handle federated tokens, they're just duplicate APIs. In the past we deprecated these federated auth APIs, but they still used separate code paths from GET /v3/auth/projects and GET /v3/auth/domains. The two code paths are true duplication in that they don't expect to differ over time and should provide the same user experience. Instead of running the risk that comes with two code paths that do the same thing, we should consolidate them.

  Conflicts:
    keystone/federation/controllers.py due to the fact that pre-Queens code used a different dependency framework. This was reworked in the Queens release, causing a conflict with this patch since it touches the same code.
    keystone/tests/unit/test_v3_auth.py due to a couple of tests with similar naming and placement within the same test module.

  Co-Authored-By: Kristi Nikolla <kristi@nikolla.me>
  Closes-Bug: 1779205
  Change-Id: Ib906c42e1dd2c2408ccd2e256ffd876af02af3fe
  (cherry picked from commit df5d75571ed274b2964ed52048768c6d9f24d138)
* Delete SQL users before deleting domain | Colleen Murphy | 2018-02-12 | 4 files | -6/+36

  Since the users table has a foreign key to the projects table[1], users must be deleted before the domain can be deleted. However, the notification emitted from the domain deletion comes too late, and keystone runs into a foreign key reference error before it can delete the users. This patch addresses the problem by adding a new internal notification to alert the identity manager that users should be deleted. This uses a new notification rather than the existing notification because the existing one is used to alert listeners that the domain deletion has been fully completed, whereas this one must happen in the middle of the domain delete process.

  The callback must also only try to delete SQL users. The LDAP driver doesn't support deleting users, and we can't assume other drivers support it either. Moreover, the foreign key reference is only a problem for SQL users anyway.

  Because our backend unit tests run with SQLite and foreign keys do not work properly, we can't properly expose this bug in our unit tests, but there is an accompanying tempest test[2][3] to validate this fix.

  [1] https://github.com/openstack/keystone/blob/2bd88d3/keystone/common/sql/expand_repo/versions/014_expand_add_domain_id_to_user_table.py#L140-L141
  [2] https://review.openstack.org/#/c/509610
  [3] https://review.openstack.org/#/c/509947

  Change-Id: If5bdb6f5eef80b50b000aed5188ce7da4dfd1083
  Closes-bug: #1718747
  (cherry picked from commit 62ee18b359cbb2e6a9469bdaac9057ef19de1bdf)
* Fix the s3tokens endpoint | Tim Burke | 2017-11-29 | 4 files | -19/+83

  This was broken when issue_v2_token was removed, and no one noticed because there are no tests. The good news is, Swift3 is content to move toward supporting the v3 format, so just start inheriting from the v3 controller.

  Change-Id: I5d0c18121ba4bf8e33209daa48b9d87864951362
  Related-Change: I7d3b583cbec9a095ab8cc20c5d6c0a6127e37068
  Related-Change: I747de516ab69a47622eecbf8ab3faa34444b3ad5
  (cherry picked from commit 3ec1aa4c19c2256cc2db70dbbf9aed717e3d37e9)
* Fix ec2tokens validation in v2 after regression in metadata_ref removal | Jose Castro Leon | 2017-09-26 | 2 files | -16/+209

  Since the last patch in the ocata release that removed the metadata_ref, the ec2tokens api is broken due to being unable to unpack the result of the authenticate command (4 elements) while expecting to expand it into 5.

  Change-Id: I71c4b51444ea9f7a3016b68d7dee9a4747e9c0fd
  Closes-Bug: #1691111
  Closes-Bug: #1635389
  (cherry picked from commit 820d9d9a84f2a65677a2654b36a4677eaeba59fc)
* Filter users and groups in ldap | prashkre | 2017-08-02 | 2 files | -14/+60

  All users and groups are required to have a name. Prior to this fix, Keystone was not properly enforcing this for LDAP users and groups. Keystone will now ignore users and groups that do not have a value for the LDAP attribute which Keystone has been configured to use for that entity's name.

  Closes-Bug: #1704205
  Change-Id: I424813785b7a355514ef42f1e4c6384b8a78b256
  (cherry picked from commit bb2b215b539b56c01e9a0c7acd9fd62ed1529ebc)
* Merge "fix identity:get_identity_providers typo" into stable/ocata [11.0.3] | Jenkins | 2017-07-21 | 4 files | -3/+14
* fix identity:get_identity_providers typo | Matthew Edmonds | 2017-07-20 | 4 files | -3/+14

  Changes identity:get_identity_providers policy rule to identity:get_identity_provider to match what is checked by the code.

  Conflicts:
    keystone/common/policies/identity_provider.py

  There was a conflict backporting this change since the policy-in-code work is new in Pike. The conflict was resolved by removing the policy-in-code change and making it manually against the old etc/policy.json file.

  Change-Id: I0841abd30fd15c034b5836e42a18938634b509b1
  Closes-Bug: #1703369
  (cherry picked from commit b7119637a04d0a07fa6419a407f433c01bbd1db2)
* Merge "Stop reading local config dirs for domain-specific file config driver" into stable/ocata | Jenkins | 2017-07-20 | 1 file | -1/+2
* Stop reading local config dirs for domain-specific file config driver | Thomas Bechtold | 2017-07-13 | 1 file | -1/+2

  When a file-config-based domain-specific backend was loaded, the local config files from /etc/keystone/keystone.conf.d/ were also read. The local config dir should not be used in this case.

  Change-Id: Ib576c8f12a7cc4272e07bb057bf028d69649b65d
  Related-Bug: #1489118
  (cherry picked from commit 5e8e71fb16e8bc94c169bbaa8aaf6a7527f816c0)
* Merge "Fixing flushing tokens workflow" into stable/ocata | Jenkins | 2017-07-14 | 2 files | -4/+18
* Fixing flushing tokens workflow | Raildo Mascena | 2017-07-11 | 2 files | -4/+18

  During a backport patch [0] for this fix, some problems were found in the previous approach, like: it didn't enable back the session.autocommit. Another comment was that we should create a new session and commit on it instead of disabling/enabling autocommit. After this, we should backport this change in order to fix the previous releases, instead of the other one.

  [0] https://review.openstack.org/#/c/469514

  Change-Id: Ifc024ba0e86bb71f4ab8b019917782bc5bf3be7a
  Closes-Bug: #1649616
  (cherry picked from commit 0b5c5c03ecb6cd261ec06b4e2465c8d88b8c1725)
* Add a release note for bug 1687593 | Lance Bragstad | 2017-07-13 | 1 file | -0/+6

  A fix was merged for bug 1687593 but we forgot to add a release note.

  Change-Id: Ib8571d155ca526b0b4fb536ceff7c3b5752281c6
  (cherry picked from commit 5303ef6e8876e78a9dfeb8b0eb69bd3b71d0e397)
* Change url scheme passed to oauth signature verifier | Hemanth Nakkina | 2017-07-13 | 2 files | -6/+48

  Change 461736 modifies the url passed to the oauth signature verifier to the request url. But in some deployments, https endpoints are terminated at haproxy and an http request is sent to keystone. So the request url will have http as the url scheme whereas the endpoint is registered with https and the signature at the client is done with the https url. This results in OAUTH signature validation failure.

  Update the URL sent for OAUTH signature verification with the scheme of the base url.

  Change-Id: Iaba285985b616a35e3dfe33cdd45667174e7c69d
  Partial-Bug: #1687593
  (cherry picked from commit b7aece57d2845fcfa45a84e6d21a6188ddd192cc)
* Change url passed to oauth signature verifier to request url | Hemanth Nakkina | 2017-07-13 | 2 files | -14/+36

  OAUTH signature verification should happen with the same URL used for signing. Typically at the user end it should be signed with the request URL and hence it should be verified with the same. Currently keystone uses the public endpoint URL for signature verification.

  Modified the URL passed to oauth signature verification to the request URL.

  Change-Id: I28059a43cb0088c2952c19f696042ebec54d26c9
  Partial-Bug: #1687593
  (cherry picked from commit 926685c5a4823d7e3ab3879bae1529052fff7d68)
* Merge "Make flushing tokens more robust" into stable/ocata | Jenkins | 2017-06-23 | 1 file | -0/+6
* Make flushing tokens more robust | Peter Sabaini | 2017-05-30 | 1 file | -0/+6

  Commit token flushes between batches in order to lower resource consumption and make flushing more robust for replication.

  Change-Id: I9be37e420353a336a8acd820eadd47d4bcf7324f
  Closes-Bug: #1649616
  (cherry picked from commit dc7f81083180eeb5233f7007e3d2514cc0d7c6d3)
* Handle group NotFound in effective assignment list | prashkre | 2017-05-31 | 3 files | -8/+72

  When keystone is using an external identity backend such as LDAP for storing users and groups, but storing role assignments in the local db, and a group that has role assignments is deleted out-of-band, its assignments will still exist in the keystone database. If, after this, a user attempts to list effective role assignments, keystone will try to look up the group and fail with NotFound. This catches the NotFound exception of the list_users_in_group call and returns an empty user list so that the effective assignments list does not fail.

  Closes-Bug: 1693510
  Change-Id: Ie5f69b150d59287bd0bc68f1ce9eecfeab04c91a
  (cherry picked from commit d09c337619fed8664272848abb3a1351dd5e4c85)
* Updated from global requirements [11.0.2] | OpenStack Proposal Bot | 2017-05-22 | 1 file | -1/+1

  Change-Id: I555be48088491822f90f7f8075033d7d7e6f004b
* Handle NotFound when listing role assignments for deleted users | Kristi Nikolla | 2017-05-17 | 2 files | -12/+82

  Keystone can use an external identity store for the users, and store assignments for these users in the SQL database that it manages. When a user has been deleted directly in the external identity store, these assignments will persist. Therefore when listing role assignments and asking for names to be included, keystone will try to get information of the user and fail with NotFound.

  This catches the NotFound exception of the get_user and get_group calls and fills the user values with an empty string.

  Change-Id: Iec3e12f6cd1402e1e3f192b0ede5d608bd41ca1d
  Closes-Bug: 1684820
  (cherry picked from commit 0392b36a0d7d3e7cc479b357245da04c949924de)
* Do not fetch group assignments without groups [11.0.1] | Boris Bobrov | 2017-04-25 | 2 files | -0/+63

  Without the change, the method fetched all assignments for a project or domain, regardless of who has the assignment, user or group. This led to a situation where a federated user without groups could scope a token with other users' rules.

  Return an empty list of assignments if no groups were passed.

  Closes-Bug: 1677723
  Change-Id: I65f5be915bef2f979e70b043bde27064e970349d
  (cherry picked from commit 2139639eeabc8f6941f4461fc87d609cde3118c2)
* Imported Translations from Zanata | OpenStack Proposal Bot | 2017-04-08 | 11 files | -3685/+55

  For more information about this automatic import see: http://docs.openstack.org/developer/i18n/reviewing-translation-import.html

  Change-Id: Ie11a20939d5070d0bc7d218b3007a96a07fd23b7
* Error messages are not translating with locale. | prashkre | 2017-03-26 | 2 files | -6/+10

  Fixed an issue where translation of keystone error messages was not happening for error messages from the identity API when a locale was set.

  Change-Id: Idc73e86647f2adce9e39387b0c3124431dcac255
  Closes-Bug: #1674415
  (cherry picked from commit 2126bd576550a68284e05fc8eadedce072531563)
* Merge "Updated from global requirements" into stable/ocata | Jenkins | 2017-03-22 | 1 file | -1/+1
* Updated from global requirements | OpenStack Proposal Bot | 2017-03-09 | 1 file | -1/+1

  Change-Id: I9a1fe87be95fdf22c21daa8ed19dbad512dcdb38
* Merge "Update releasenotes bp link" into stable/ocata | Jenkins | 2017-03-22 | 1 file | -1/+1
* Update releasenotes bp link | jolie | 2017-03-01 | 1 file | -1/+1

  In Ocata Series Release Notes <https://docs.openstack.org/releasenotes/keystone/ocata.html>, the bp <shadow mapping> link is incorrect.

  Change-Id: I2dd5f9f9513d8c4cb48ac833f0ebac4db68339b2
  Closes-Bug: #1668173
* Merge "Fix some typo in releasenotes" into stable/ocata | Jenkins | 2017-03-22 | 4 files | -5/+5
* Fix some typo in releasenotes | jolie | 2017-03-07 | 4 files | -5/+5

  These changes have already merged in the master branch. However, the cherry pick failed because of a merge conflict. So submit these changes again in the stable/ocata branch to revise the releasenotes.

  Change-Id: I1faa518e071558011fd0e2ad3a685174be7627ba
* Revise conf param in releasenotes | jolie | 2017-03-07 | 1 file | -1/+1

  Change-Id: Idd0dfc7e15f86651b8771610fdcdbdb07849bb6e
  (cherry picked from commit d339e97bb5f52c50a5d7b96a513e6cdb01058b3d)
* Merge "Removing group role assignments results in overly broad revocation events" into stable/ocata | Jenkins | 2017-03-03 | 4 files | -43/+56
* Removing group role assignments results in overly broad revocation events | prashkre | 2017-03-03 | 4 files | -43/+56

  When a role on a group scoped to a project/domain is revoked, it persists a revocation event in the revoke_event table which is invalidating all tokens created with the same role in the project/domain. Since token validations are happening by populating role assignments at validation time, persistence of revocation events is no longer needed.

  Change-Id: I112d5d4684f739d320606cea651e0a108f18d245
  Closes-Bug: #1662514
  (cherry picked from commit 2cb842cd645cbfcad4ccd62200340ce4616a8aa7)
* Merge "Stop reading local config dirs for domain-specific SQL config driver" into stable/ocata | Jenkins | 2017-03-03 | 1 file | -1/+2
* Stop reading local config dirs for domain-specific SQL config driver | Dirk Mueller | 2017-02-22 | 1 file | -1/+2

  When an SQL-config-based domain-specific backend was loaded, the local config dir (/etc/keystone/keystone.conf.d) was also read. The local config files should not be used in this case.

  This is a followup fix for Idd095b2df375329f579c164d00dfd50b41b0e96d

  Related-Bug: #1489118
  Change-Id: I14008656a538ca7641aefffe08b9d1c23b7b87d2
  (cherry picked from commit ab3bfaf90f17582783382519ace28dfdea1fddf8)
* Fix MFA rule checks for LDAP auth | Matthew Edmonds | 2017-02-24 | 3 files | -1/+37

  LDAP authentication was broken by the addition of MFA rule checking. This patch fixes that.

  Change-Id: I4efe4b1b90c93110509cd599f9dd047c313dade3
  Closes-Bug: #1662762
  (cherry picked from commit 4e0029455ab45e3b9a15fe9fc151c14c502b7bdd)
* Update UPPER_CONSTRAINTS_FILE for stable/ocata | OpenStack Release Bot | 2017-02-02 | 1 file | -1/+1

  Change-Id: Ie706d348c15f6ce641d1b969a82f80a312a5c1ca
* Update .gitreview for stable/ocata | OpenStack Release Bot | 2017-02-02 | 1 file | -0/+1

  Change-Id: I01feb7b5dbdc132ea510cb489ecc14edd5e5a757
* Merge "Prepare for using standard python tests" [11.0.0.0rc1, 11.0.0] | Jenkins | 2017-02-02 | 2 files | -0/+63
* Prepare for using standard python tests | Andreas Jaeger | 2017-02-02 | 2 files | -0/+63

  Add a simple script to set up mysql and postgresql databases. This script can be run by users during testing and will be run by CI systems for specific setup before running unit tests.

  This allows changing the python-db jobs in project-config to python-jobs, since python-jobs will call this script initially.

  Update README for this.

  See also http://lists.openstack.org/pipermail/openstack-dev/2016-November/107784.html

  Needed-By: Ic42f8d5392ab1d9b52c6c84c92dee0092bd2779a
  Change-Id: I253726467151622e8aa3ff40bacc0b3f9903b342
* Merge "Modify the spelling mistakes" | Jenkins | 2017-02-02 | 1 file | -1/+1
* Modify the spelling mistakes | wanghongtaozz | 2017-02-02 | 1 file | -1/+1

  Change "recieve" to "receive".

  Change-Id: I8d762243460d76750ab1df94f27b2c48d378928d
* Merge "Add MFA Rules Release Note" | Jenkins | 2017-02-01 | 1 file | -0/+64
* Add MFA Rules Release Note | Morgan Fainberg | 2017-01-31 | 1 file | -0/+64

  Add the release note for MFA Rules.

  Change-Id: Id4aff9ba57d5b60110df1a7c752950d022ed58ec
  bp: per-user-auth-plugin-reqs
* Merge "Remove de-dupe for MFA Rule parsing." | Jenkins | 2017-02-01 | 1 file | -5/+17
* Remove de-dupe for MFA Rule parsing. | Morgan Fainberg | 2017-01-31 | 1 file | -5/+17

  The de-duplication was over-optimisation and not of value; it is less expensive to have 1 or 2 (at most) rules loaded from storage (which is already protected against having multiple rules stored, both via json schema and the data storage bits itself) than to join the strings and sort them just to eliminate another iteration.

  Change-Id: I88b3ab0e956e32be91f87d85cb4e19069dd3d08c
* Merge "Add validation that token method isn't needed in MFARules" | Jenkins | 2017-02-01 | 1 file | -13/+52