Commit message | Author | Date | Files | Lines

* Merge "Fix for werkzeug > 0.15" into stable/stein [branch: stable/stein] | Zuul | 2022-01-15 | 1 | -1/+1

* Fix for werkzeug > 0.15 | morgan fainberg | 2020-03-25 | 1 | -1/+1

Werkzeug is pickier about how Content-Type is handled in general. In this case we are now explicitly checking for either Content-Type being '' or being non-existent in addition to Content-Type being set to json for decoding the body.

Change-Id: Ia5a7750cff833aa90f7fc446f396c270343fc590
(cherry picked from commit 3d31723b3bfdbb43037acf9e916740ba918e48e2)

* Fix typo in identity provider policies | Lance Bragstad | 2021-10-07 | 1 | -4/+4

This causes the sample generated policy file to alias the old name with the new policy name, which isn't needed since we're not renaming these policies at all and it was likely a typo.

Conflicts:
keystone/common/policies/identity_provider.py

In later releases the deprecation parameters were moved up to the deprecated options and not in the DocumentedRule defaults.

Change-Id: Idfd9adbbe800bbc21814d94002a2b61524cce28a
(cherry picked from commit c10d5c88ef40e63d4dfefb792d6c3d68acd72dd9)
(cherry picked from commit bdd8f82f60d2e46e5f6951c4407366b89591cde5)
(cherry picked from commit f742fadef1718e070ff4e151d400a96dc6acf74e)
(cherry picked from commit 3fd71f5a933052b0a3fd4dadb3a754ac544348f3)
(cherry picked from commit db13e36e7f95c770f0a52c57e89fc54c72faf2eb)

* Retry update_user when sqlalchemy raises StaleDataErrors | Lance Bragstad | 2021-03-31 | 3 | -0/+51

Keystone's update_user() method in the SQL driver processes a lot of information about how to update users. This includes evaluating password logic and authentication attempts for PCI-DSS. This logic is evaluated after keystone pulls the user record from SQL and before it exits the context manager, which performs the write. When multiple clients are all updating the same user reference, it's more likely they will see an HTTP 500 because of race conditions exiting the context manager. The HTTP 500 is due to stale data when updating password expiration for old passwords, which happens when setting a new password for a user.

This commit attempts to handle that case more gracefully than throwing a 500 by detecting StaleDataErrors from sqlalchemy and retrying. The identity sql backend will retry the request for clients that have stale data change from underneath them.

Conflicts:
keystone/tests/unit/test_backend_sql.py due to import order differences between train and ussuri.

Also adjust the expected log message since the method path is different compared to older releases, which have the driver name in them (e.g., Identity).

Change-Id: I75590c20e90170ed862f46f0de7d61c7810b5c90
Closes-Bug: 1885753
(cherry picked from commit ceae3566e83b26fd6a1679154eae9b0cef29da64)
(cherry picked from commit f47e635b8041542faa05e64606e66d2fbbc5f284)
(cherry picked from commit 5b7d4c80d484262018f937083050844648f07a11)
(cherry picked from commit 07d3a3d3ff534a5295842d4f236042b30536cd82)
(cherry picked from commit d4f48fc4e53f71d653e133104854f064fbb1b25f)
(cherry picked from commit 328cf33aab61775301adbb4c1f6abaa2f331cd94)

* Merge "Delete system role assignments from system_assignment table" into stable/stein | Zuul | 2021-03-18 | 3 | -0/+40

* Delete system role assignments from system_assignment table | Vishakha Agarwal | 2020-10-30 | 3 | -0/+40

This patch ensures that the system role assignments are deleted from all the assignment tables in keystone after deleting the role the user has over the system. This also makes sure of deleting stale role assignments before deleting a role for the deployments that are already in this state.

Closes-Bug: #1878938
Change-Id: I4df19c45c870ff3fb78578ca1fb7dd0d35da3c82
(cherry picked from commit c1dcbb05b4488f1fa3e7af4d9171d11702d94119)
(cherry picked from commit b83170a386ba8da2195c7494d04d832ce9b6d7b0)
(cherry picked from commit 6f93063ff95f3c65af106a09281427e411d01850)
(cherry picked from commit 7ac0891375656d156f1a9601e3520052dddb39d0)
(cherry picked from commit e8b477847cabe449be4d3b8a21d8236ddbd84064)

* Properly handle octet (byte) strings when converting LDAP responses | Lance Bragstad | 2020-11-11 | 3 | -1/+30

If LDAP returns a UUID as an octet string the LDAP driver will fail to convert it to something meaningful. The error usually looks something like:

ID attribute objectGUID not found in LDAP object

Microsoft AD's `objectGUID` parameter is stored and transmitted as an octet string [0]. If you attempt to use the `objectGUID` to generate user or group IDs, you'll get an HTTP 404 because keystone can't decode it properly. This is unfortunate because `objectGUID` is a fixed length, UUID format, and ideal for generating IDs in keystone, as opposed to using the object's CN, which is variable length, and can generate hashes that are larger than keystone's database table limit for user IDs.

[0] https://docs.microsoft.com/en-us/windows/win32/ad/reading-an-objectampaposs-objectguid-and-creating-a-string-representation-of-the-guid

Conflicts:
keystone/identity/backends/ldap/common.py

Due to python2 -> python3 migration code.

Change-Id: Id80b17bdff015e10340e636102576b7435bd564f
Closes-Bug: 1889936
(cherry picked from commit 8bf222ac5d390e25d306d35f69bd958b18bee4d8)
(cherry picked from commit d5870f69c12c034dd97b164345e85e6259ee7abe)

* Update amqp and PyMySQL lower constraints | Lance Bragstad | 2020-10-05 | 1 | -1/+2

Newer versions of kombu rely on updated versions of amqp [0]. Keystone's lower-constraints job is failing consistently across multiple branches because it's referencing amqp 2.2.2 when we should be relying on a newer version (5.0.0+). You can verify this by using `pip3 check` with the lower-constraints tox environment. Without this patch, you'll likely see the test_notifications tests fail with something like:

ModuleNotFoundError: No module named 'vine.five'

Which spirals into subsequent failures mocking messaging drivers.

This commit also fixes the lower-constraint for PyMySQL. keystone does not have any lower constraint for PyMySQL so the latest version 0.10.0 is picked by the job which is failing [1]. In OpenStack, PyMySQL's upper constraint is 0.9.3. Version 0.10.0 is not tested [2]. Let's add a PyMySQL lower constraint also so that we test the lower-constraint job with the correct lower version.

Both of these fixes were proposed in separate reviews in newer branches, but due to a circular failure, they're being proposed together. The amqp fix fails lower-constraints jobs because of the PyMySQL issue and vice versa.

[0] https://github.com/celery/celery/issues/3547
[1] https://zuul.opendev.org/t/openstack/build/3077d96f4fff4b7985cb763d0635d471/log/job-output.txt#621
[2] https://github.com/openstack/requirements/blob/master/upper-constraints.txt#L384

Change-Id: I3834b3b34641c006c70614d5331d292c41f8a346
Closes-Bug: #1888886
(cherry picked from commit c495defc2bd4f2ef5a38d2a9e4d5aac5653fb406)
(cherry picked from commit 12891a039fb1dae7ba22884cf78ad7d1faa8569d)
(cherry picked from commit b7c3458b6f11ade0ce54889ae5f782fbac4a9a2e)
(cherry picked from commit 255b6cdd70db654ce8112cef0b86361c34d9993b)
(cherry picked from commit 3de085b1eb9750cb0d0d25cb468250cf34804eaf)
(cherry picked from commit 300e79e93b9966e988ec92a74bf9b49b71d77d1b)
(cherry picked from commit fb7d54543fd69e046a5136ca4028f4e128b947c2)
(cherry picked from commit 32967a8105efd2a0934ab123eb10f33df7f581c5)

* Merge "Refactor some ldap code to implement TODOs" into stable/stein | Zuul | 2020-06-12 | 2 | -26/+21

* Refactor some ldap code to implement TODOs | Radosław Piliszek | 2020-03-11 | 2 | -26/+21

This implements TODOs added in [1], as promised in [2]. The first TODO is realised only partially because most ldap code actually relies on having two connections obtained from the pool.

This optimizes mixin code by removing extra ldap calls. There is no change in the observed behaviour of integration.

This also removes some duplication and refactors names to avoid some confusion related to dn/object_id.

Backport to: Train, Stein (with [1]&[3]), Rocky (with [1]&[3]), Queens (with [1]&[3])

[1] c7fae97d873f72068ca65538ec5b5919c0ac7d5a
[2] https://review.opendev.org/683303
[3] 19d4831daa3991bed48fb364fa05927740c96445

Change-Id: I22f3bce647182996dfc06084ee6d4989449e3d2d
(cherry picked from commit a6bb81146ff2126f055834459f428cf97080466f)

* Merge "Honor group_members_are_ids for user_enabled_emulation" into stable/stein | Zuul | 2020-06-12 | 3 | -4/+76

* Honor group_members_are_ids for user_enabled_emulation | Radosław Piliszek | 2020-03-11 | 3 | -4/+76

Applied when group config is to be honored (i.e. set user_enabled_emulation_use_group_config). Conditionals follow usage of group_members_are_ids.

Added new test for the case with ids. It fails without fix. The original test expanded to ensure the change did not break its internals either. It passes without fix as well.

Additionally some TODOs are added for observed potential issues.

Backport amended with [1] to pass CI.

[1] 19d4831daa3991bed48fb364fa05927740c96445 (pep8)

Change-Id: I7874a70e6109219baee80309c3a27f8af9905a6d
Closes-Bug: #1839133
Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
(cherry picked from commit c7fae97d873f72068ca65538ec5b5919c0ac7d5a)

* Stop explicitly requiring pycodestyle | Stephen Finucane | 2020-05-18 | 4 | -5/+7

pip doesn't have a dependency resolver. Instead, it "simply uses the first specification it finds for a project." [1] In Train, keystone switched from hacking 0.12.x/0.13.x to hacking 1.1.x [2]. That change explicitly added a pycodestyle dependency for reasons that aren't entirely clear to me, but pip's broken dependency resolution leads to the below funkiness when trying to install the dependencies.

ERROR: flake8 2.6.2 has requirement pycodestyle<2.1,>=2.0, but you'll have pycodestyle 2.5.0 which is incompatible.

As seen below, this can be easily reproduced and seems to happen because pip doesn't go further than one level of dependencies, meaning it knows about the dependency on flake8<2.7.0,>=2.6.0 from hacking, but not the dependency on pycodestyle<2.1,>=2.0 that this in turn introduces.

$ virtualenv venv
$ source venv/bin/activate
$ (venv) cat requirements.txt
hacking>=1.1.0,<1.2.0 # Apache-2.0
pycodestyle>=2.0.0 # MIT License
$ pip install -r requirements-new.txt
Collecting hacking<1.2.0,>=1.1.0
  Using cached ...
Collecting pycodestyle>=2.0.0
  Using cached ...
Collecting six>=1.10.0
  Using cached ...
Collecting flake8<2.7.0,>=2.6.0
  Using cached ...
Collecting pbr!=2.1.0,>=2.0.0
  Using cached ...
Collecting mccabe<0.6,>=0.2.1
  Using cached ...
Collecting pyflakes!=1.2.0,!=1.2.1,!=1.2.2,<1.3,>=0.8.1
  Using cached ...
ERROR: flake8 2.6.2 has requirement pycodestyle<2.1,>=2.0, but you'll have pycodestyle 2.5.0 which is incompatible.
Installing collected packages: six, pycodestyle, mccabe, pyflakes, flake8, pbr, hacking
Successfully installed flake8-2.6.2 hacking-1.1.0 mccabe-0.5.3 pbr-5.4.3 pycodestyle-2.5.0 pyflakes-1.2.3 six-1.12.0

The solution is simple: stop explicitly requiring this dependency and instead rely on flake8 bringing it in.

[1] https://pip.pypa.io/en/stable/user_guide/#requirements-files
[2] I3fc591e09c1e25a3bd2a3922880772ea9617f1e3

This cherry-pick includes an update to setup.cfg to align the python-memcached version with global requirements. Also includes an update for doc/requirements.txt to facilitate changes for global sphinx requirements.

Change-Id: Ic0991d3eeae018609be0ecbd43fa0b0b9f13d6ba
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
(cherry picked from commit 5c71ebd7a92d25df83e2e7cc5fad9990e9eebbf5)
(cherry picked from commit 7eeb144b7dbca29cb30cf65bb740227f4c4c7a55)

* Merge "Fix security issues with EC2 credentials" into stable/stein [tags: stein-em, 15.0.1] | Zuul | 2020-05-11 | 8 | -62/+608

* Fix security issues with EC2 credentials | Colleen Murphy | 2020-05-06 | 8 | -62/+608

This change addresses several issues in the creation and use of EC2/S3 credentials with keystone tokens.

1. Disable altering credential owner attributes or metadata

Without this patch, an authenticated user can create an EC2 credential for themself for a project they have a role on, then update the credential to target a user and project completely unrelated to them. In the worst case, this could be the admin user and a project the admin user has a role assignment on. A token granted for an altered credential like this would allow the user to masquerade as the victim user. This patch ensures that when updating a credential, the new form of the credential is one the acting user has access to: if the system admin user is changing the credential, the new user ID or project ID could be anything, but regular users may only change the credential to be one that they still own.

Relatedly, when a user uses an application credential or a trust to create an EC2 credential, keystone automatically adds the trust ID or application credential ID as metadata in the EC2 access blob so that it knows how the token can be scoped when it is used. Without this patch, a user who has created a credential in this way can update the access blob to remove or alter this metadata and escalate their privileges to be fully authorized for the trustor's, application credential creator's, or OAuth1 access token authorizer's privileges on the project. This patch fixes the issue by simply disallowing updates to keystone-controlled metadata in the credential.

2. Respect token roles when creating EC2 credentials

Without this patch, a trustee, an application credential user, or an OAuth1 access token holder could create an EC2 credential or an application credential using any roles the trustor, application credential creator, or access token authorizer had on the project, regardless of whether the creator had delegated only a limited subset of roles. This was because the trust_id attribute of the EC2 access blob was ignored, and no metadata for the application credential or access token was recorded either. This change ensures that the access delegation resource is recorded in the metadata of the EC2 credential when created and passed to the token provider when used for authentication so that the token provider can look up the correct roles for the request.

Conflicts (six removal in e2d83ae9, pep8 fixes in e2d83ae9):
keystone/api/credentials.py
keystone/tests/unit/test_v3_application_credential.py
keystone/tests/unit/test_v3_credential.py

Change-Id: I39d0d705839fbe31ac518ac9a82959e108cb7c1d
Closes-bug: #1872733
Closes-bug: #1872755
Closes-bug: #1872735
(cherry picked from commit 37e9907a176dad6843819b1bec4946c3aecc4548)
(cherry picked from commit 2f2736ebb267c757ad77fcf25ee0aaeefab2a09d)
(cherry picked from commit 27caafe3daa552663719954f2cd6713dd4493178)

* Merge "Ensure OAuth1 authorized roles are respected" into stable/stein | Zuul | 2020-05-11 | 3 | -0/+50

* Ensure OAuth1 authorized roles are respected | Colleen Murphy | 2020-05-06 | 3 | -0/+50

Without this patch, when an OAuth1 request token is authorized with a limited set of roles, the roles for the access token are ignored when the user uses it to request a keystone token. This means that a user of an access token can use it to escalate their role assignments beyond what was authorized by the creator. This patch fixes the issue by ensuring the token model accounts for an OAuth1-scoped token and correctly populating the roles for it.

Change-Id: I02f9836fbd4d7e629653977fc341476cfd89859e
Closes-bug: #1873290
(cherry picked from commit 6c73690f779a42a5c62914b6bc37f0ac2f41a3e3)
(cherry picked from commit ba89d27793c2d3a26ad95642660fa9bd820ed3be)
(cherry picked from commit 5ff52dbaa2082991d229d8557a8e4b65256d6c53)

* Temporarily disable k2k tests on train and stein | Colleen Murphy | 2020-05-09 | 1 | -2/+1

The opensuse nodepool node is going through experimental changes that are affecting devstack runs on stable branches[1]. This change temporarily disables them so that we can get critical security bugfixes through the gate. These tests are specific to keystone federation, not general keystone or devstack functionality.

[1] https://zuul.opendev.org/t/openstack/build/61a6a3c542e54b3589b201c0d827f0fc

Change-Id: If9430fb854c9d14147f852883492cf8704cfade7
(cherry picked from commit 5c34cb6c7875e0332ccbb23e68457399a13530fc)

* Check timestamp of signed EC2 token request | Colleen Murphy | 2020-05-02 | 4 | -3/+191

EC2 token requests contain a signature that signs the entire request, including the access timestamp. While the signature is checked, the timestamp is not, and so these signed requests remain valid indefinitely, leaving the token API vulnerable to replay attacks. This change introduces a configurable TTL for signed token requests and ensures that the timestamp is actually validated against it. The check will work for either an AWS Signature v1/v2 'Timestamp' parameter[1] or the AWS Signature v4 'X-Aws-Date' header or parameter[2].

Although this technically adds a new feature and the default value of the feature changes behavior, this change is required to protect credential holders and therefore must be backported to all supported branches.

[1] https://docs.aws.amazon.com/general/latest/gr/signature-version-2.html
[2] https://docs.aws.amazon.com/general/latest/gr/sigv4-date-handling.html

Conflicts due to six removal in e2d83ae9:
keystone/api/_shared/EC2_S3_Resource.py
keystone/tests/unit/test_contrib_ec2_core.py

Change-Id: Idb10267338b4204b435df233c636046a1ce5711f
Closes-bug: #1872737
(cherry picked from commit ab89ea749013e7f2c46260f68504f5687763e019)
(cherry picked from commit 8d5becbe4b463f6a5a24a1929dd0f48dab6ae027)
(cherry picked from commit e3f65d6fbcd18032a8ad3dfa3aaded264a282158)

* Add cadf auditing to credentials | Nathan Oyler | 2020-04-01 | 3 | -3/+26

Added audit logging to credentials.

This backport is a bit different than the original patch, since we don't have the "adds caching of credentials" patch found in commit 479a2a0afaeb505c371ee97a1f2fbc1b11e3cef1 and we were not able to backport it. So, it makes sense to keep the invalidate cache calls in the original bits.

Closes-bug: #1831918
Change-Id: I028a86f44e049bcc7c54e844bfc91aa0b11cd541
(cherry picked from commit 579cc19857048a8710a9f173c602f51a2fcabba1)

* Tell reno to ignore the kilo branch | Kristi Nikolla | 2020-02-21 | 2 | -0/+6

This patch was adopted from Idd56c3f37d5786daae7181c36d38d267cbf1885c

Original description:

When reno 3.x runs under setuptools, it scans all of the branches it can find, including any that look like they're closed and have an -eol tag. The old kilo branch in this repository has a jumbled history that somehow makes it look like it should include tags that it doesn't. We know that there are no release notes in that branch, because reno wasn't adopted while it was open. The releasenotes/source/index.rst links to separate release notes in the wiki. This patch tells reno to ignore that branch so that it doesn't throw an exception when it gets confused about the old tag.

Change-Id: I28fd0fd499c40e33ff164fd643dadd6ac9009b17
Co-Authored-By: Doug Hellmann <doug@doughellmann.com>
Co-Authored-By: Sean McGinnis <sean.mcginnis@gmail.com>

* Always have username in CADF initiator | Gage Hugo | 2020-02-20 | 3 | -1/+39

The current initiator object for CADF notifications does not include the username of the user who initiated the action, which leads to issues when using an LDAP backend and not having a direct way to map a username to a user id.

This change makes it so that the initiator object for CADF notifications always contains the username for a user as well as the user id. This follows along with the CADF standard for OpenStack[0].

[0] https://www.dmtf.org/sites/default/files/standards/documents/DSP2038_1.1.0.pdf#page=12

Closes-Bug: #1856904
Change-Id: I833e6e0d7792acf49f816050ad7a63e8ea4f702f
(cherry picked from commit 95edaaab06c6da761411ef97bc2545d86d579215)

* Constraint dependencies for docs build | Kristi Nikolla | 2020-02-19 | 1 | -0/+1

Without this patch, new library releases (even if not specifically related to sphinx or docs) can break the docs build. For example, the latest Werkzeug release is breaking the docs for the stable/stein branch due to an import error that was fixed in later branches. We shouldn't be letting new library releases affect the docs environment for the same reason we want to control the other tox environments. This change adds -c to the docs tox environment to ensure that all libraries installed in this environment are known good versions.

Manual port of 13410383cf55699f756c6ce01301d7e67c65b575 edited to reference stein instead of master.

Change-Id: Ieeb198b32a791ebf0218897b63086e04ccd34fd3

* Add voting k2k tests | Colleen Murphy | 2020-02-05 | 2 | -0/+20

With the addition of K2K-specific tests in the tempest plugin and a config toggle in the plugin to disable use of the external IdP, we can safely add a voting federation job. This also fixes the devstack plugin to install the xmlsec1 tool which is needed for K2K.

Change-Id: I9dc634e073657ff337751ec67363a57bd10e20d4
Depends-on: https://review.opendev.org/689222
(cherry picked from commit fb0be8e59917b5b637926d9526a64676af07ebf0)
(cherry picked from commit ac74320876ac6c771d69b85ebb30058fe4eb3692)

* Added keystone identity provider installation to Devstack plugin | Kristi Nikolla | 2020-02-05 | 3 | -25/+61

Devstack, alongside samltest, will now set up keystone as an idp.

bp devstack-plugin

Change-Id: I55b4e727404d910aa9b5a07b49b783799bc5f098
(cherry picked from commit 1e0a9684937038df59931363c4e1560edc176473)

* Merge "Ensure bootstrap handles multiple roles with the same name" into stable/stein | Zuul | 2020-01-30 | 3 | -0/+39

* Ensure bootstrap handles multiple roles with the same name | Lance Bragstad | 2020-01-29 | 3 | -0/+39

The bootstrap logic doesn't take into consideration multiple roles with the same name. If bootstrap is unable to determine which role to use and accidentally uses a domain-specific role with the same name as a default role, bootstrap will fail in unexpected ways.

Conflicts:
keystone/tests/unit/test_cli.py

Conflict exists because stable/stein doesn't have https://review.opendev.org/#/c/675228/ but it's unrelated to this specific bug fix.

Closes-Bug: 1856881
Change-Id: Iddc364d8c934b6e54d1e8c75b8b159faadbf865d
(cherry picked from commit 25cf359e5fb914b855922121f20e23bd14626b8e)
(cherry picked from commit 51ff7be731450c183b3e3eb6d34493e986cc2635)

* Fix role_assignments role.id filter | Colleen Murphy | 2020-01-28 | 5 | -7/+51

Without this patch, if there are multiple role assignments on the system and they are not all the same role, querying for role assignments with /v3/role_assignments?role.id={role_id} may leak some role assignments that don't match the role_id, making the returned results incorrect. This patch fixes the issue by using a list comprehension instead of a for loop over a list that was being modified within the loop.

Change-Id: Icfce3b14abb55c6fef3de1b314cee22fc8b1d08c
Closes-bug: #1858012
(cherry picked from commit c2d88306621f890a857acd6831ea8bf073f55537)
(cherry picked from commit 4d413f1eba2d1e6b16ecd57fa27de528dd0f67cb)

* Merge "Docs: Make robust with using real links" into stable/stein | Zuul | 2019-12-11 | 37 | -96/+138

* Docs: Make robust with using real links | Andreas Jaeger | 2019-10-18 | 37 | -96/+138

This backport squashes f10f95b and the correction 4ed39d5.

Our tools noticed that keystone links to https://docs.openstack.org/keystone/latest/admin/identity-domain-specific-config.html which does not exist anymore. The page was removed but the link to it was not changed.

Replace this and similar links with internal links that will work even if files are moved - and can be verified, thus sphinx will error in case of broken targets.

These changes include a few other fixes for broken keystone links, e.g. to renamed anchors.

For the include files in admin/configuration.rst and admin/federation/configure_federation.rst: Rename them to *inc. The files were published twice (as separate files and on this page) and thus referencing failed. Renaming avoids this.

Also, put doctree outside of html tree so that it does not get published.

(cherry picked from commit f10f95b455806ce28b112827a794618957e1f829)

Fix relative links

Fix minor errors introduced in f10f95b4.

(cherry picked from commit 4ed39d530f5589aabd880de7917424cca700650f)

Change-Id: I3d07637b0046cc88a66bcb51a0a4fe7c146c1549

* Fix credential list for project members | Colleen Murphy | 2019-12-06 | 3 | -7/+151

Without this patch, project members and readers can list any credentials with the /v3/credentials API when enforce_scope is false. enforce_scope is only applicable to project admins due to the admin-ness problem[1], and this policy is not meant to allow project admins any access to users' credentials (only system admins should be able to access them). However, when enforce_scope is false, we need to preserve the old behavior of project admins being able to list all credentials. This change mitigates the problem by running the identity:get_credential policy check to filter out credentials the user does not have access to. This will impact performance.

Closes-bug: #1855080
[1] https://bugs.launchpad.net/keystone/+bug/968696

Change-Id: I5dd85a6b8368373a27aef2942a64499d020662ef
(cherry picked from commit 17c337dbdbfb9d548ad531c2ad0483c9bce5b98f)
(cherry picked from commit bd3f63787151183f4daa43578aa491856fefae5b)

* Merge "token: consistently decode binary types" into stable/stein | Zuul | 2019-10-30 | 3 | -68/+111

* token: consistently decode binary types | James Page | 2019-10-30 | 3 | -68/+111

Ensure that any binary types unpacked from message payloads are correctly converted from binary to text type.

Under Python 3 msgpack returns the serialized input as a byte string. Similar to other msgpack'd values in the payload, we need to explicitly decode it to a string value.

This is specifically more of an issue under Python 3; however the decode operation is safe back to Python 2 so there is no need to limit the decode codepath to just Python 3.

Conflicts:
keystone/token/token_formatters.py

Note: the file conflict is caused by patch I9529d6bee3e5bb1f618f40f225f69e2ad7e3f64a which is only present in stable/train.

Change-Id: Ib1073acf5677a60714d0a386de3bcd14ce6cd134
Closes-Bug: 1832265
(cherry picked from commit ffa0918f5a92fd18c86703916d768012b0bea61b)

* Merge "Switch to the opensuse-15 nodeset" into stable/stein | Zuul | 2019-10-30 | 1 | -1/+1

* Switch to the opensuse-15 nodeset | Clark Boylan | 2019-10-22 | 1 | -2/+2

We are trying to deprecate the opensuse-150 label type in favor of the opensuse-15 label. The reason for this is opensuse 15, like centos, doesn't support its older point releases and instead expects users to keep up to date on its minor updates. This allows us to carry one fewer image in opendev and ensures we are testing supported releases.

Change-Id: Ifa3e79514f52bc78dbaf6496188075c24366d86c

* Merge "Switch to opensuse-15 nodeset" into stable/stein | Zuul | 2019-10-29 | 1 | -1/+1

* Switch to opensuse-15 nodeset | Andreas Jaeger | 2019-10-17 | 1 | -1/+1

opensuse-150 nodeset is referring to openSUSE 15.0, which is still in maintenance but openSUSE 15.1 has been released already. "opensuse-15" is going to refer to the "latest openSUSE 15.x" build released and working for OpenStack going forward, so add this nodeset and use it by default going forward.

The new job tempest-full-py3-opensuse15 uses the opensuse-15 nodeset, change tempest-full-py3-opensuse150 to tempest-full-py3-opensuse15.

Change-Id: I03017b6595199e4af2f6e568ab58089517d689fe
(cherry picked from commit acfb602492037a34d9b0ef3a1af8706a57d11220)

* Merge "Make system tokens work with domain-specific drivers" into stable/stein | Zuul | 2019-10-22 | 3 | -0/+27

* Make system tokens work with domain-specific drivers | Lance Bragstad | 2019-10-17 | 3 | -0/+27

When calling certain group or user APIs, keystone logic would attempt to figure out the domain to scope responses to. This was specific to enabling domain-specific driver support, where each domain is backed by a different identity store. This functionality is turned off by default.

Since system-scoped tokens are not associated to a domain (unlike project-scoped tokens or domain-scoped tokens), the logic to determine a domain from a system-scoped token was breaking and returning an erroneous HTTP 401 Unauthorized when system users attempted to list users or groups.

This commit adds support for domain detection with system-scoped tokens.

Change-Id: I8f0f7a623a1741f461493d872849fae7ef3e8077
Closes-Bug: 1843609
(cherry picked from commit 8f43b9cab00c86a455b2a9700b434e98b2e9c2d8)

* Merge "Allows to use application credentials through group membership" into stable/stein | Zuul | 2019-10-18 | 3 | -7/+50

* Allows to use application credentials through group membership | Jose Castro Leon | 2019-08-13 | 3 | -7/+50

When using role assignment through groups, the user cannot use the application credentials created. This allows looking up the membership by checking inherited and group assignments.

Change-Id: If1bf5bd785a494923303265797311d42018ba7af
Closes-Bug: #1773967
(cherry picked from commit 14b25bc5d18842210cfffe1afdca475e848b84aa)

* Import LDAP job into project | Colleen Murphy | 2019-10-15 | 1 | -1/+12

Import the legacy-tempest-dsvm-ldap-domain-specific-driver job[1] into the keystone repo and convert it to be Zuulv3 native.

[1] https://opendev.org/openstack/openstack-zuul-jobs/src/branch/master/playbooks/legacy/tempest-dsvm-ldap-domain-specific-driver

Change-Id: Ie0b9f13d6fb06b776d6a58d5d1087c20df8a7cda
Needed-by: https://review.opendev.org/687444
(cherry picked from commit 52ab0cf579445190483f3a6f0e3aa5db0a9ebdef)
(cherry picked from commit 0f6c6061b3026dc7a33bffad20848ebd3341af4b)

* Merge "Update broken links to dogpile.cache docs" into stable/stein | Zuul | 2019-09-11 | 1 | -4/+4

* Update broken links to dogpile.cache docs | Dolph Mathews | 2019-08-16 | 1 | -4/+4

Change-Id: If0eb5fe8eddc5ee32395fb34a7896efdcf0aaea3
(cherry picked from commit 3b0b392972bed152ac7170e0def0968ae1c21bdf)

* Merge "Add retry for DBDeadlock in credential delete" into stable/stein | Zuul | 2019-09-03 | 3 | -0/+43

* Add retry for DBDeadlock in credential delete | Rabi Mishra | 2019-08-20 | 3 | -0/+43

Adds oslo.db retry wrapper to delete_credential_for_user method.

Change-Id: Ib9e161411f0985785eec46c51d721ef7421ee090
Closes-Bug: #1840291
(cherry picked from commit e989bd0637629b0fb15976186b0941fec0f13b25)

* Fix python3 compatibility on LDAP search DN from id | Raildo Mascena | 2019-08-01 | 1 | -3/+2

In Python 3, python-ldap no longer allows bytes for some fields (DNs, RDNs, attribute names, queries). Instead, text values are represented as str, the Unicode text type. [1]

More details about byte/str usage in python-ldap can be found at: http://www.python-ldap.org/en/latest/bytes_mode.html#bytes-mode

Change-Id: I63e3715032cd8edb11fbff7651f5ba1af506dc9d
Related-Bug: #1798184
(cherry picked from commit 03531a56910b12922afde32b40e270b7d68a334b)

* Fixing dn_to_id function for cases where id is not in the DN | Raildo Mascena | 2019-07-23 | 4 | -10/+97

The more common scenario is to return the uid as part of the RDN in a DN. However, it's a valid case to not have the uid in the RDN, so we need to search in the LDAP based on the DN and return the uid in the entire object.

Also, we do not support a multivalued attribute id on the DN, so the test case covering this case was adjusted to raise NotFound.

Closes-Bug: 1782922
Change-Id: I87a3bfa94b5907ce4c6b4eb8e124ec948b390bf2
(cherry picked from commit a1dc21f3d34ae34bc6a5c9acebc0eb752495ae7a)

* Merge "[docs] remove deprecated ubuntu package from installation" into stable/stein | Zuul | 2019-07-20 | 1 | -1/+1

* [docs] remove deprecated ubuntu package from installation | Frank Kloeker | 2019-06-21 | 1 | -1/+1

keystone package depends already on apache2 and wsgi package:

keystone
  Depends: adduser
 |Depends: apache2
  Depends: <httpd>
    tntnet
    aolserver4-core
    aolserver4-daemon
    apache2
    ebhttpd
    lighttpd
    micro-httpd
    mini-httpd
    nginx-core
    nginx-extras
    nginx-full
    nginx-light
    webfs
    yaws
  Depends: libapache2-mod-wsgi-py3
  Depends: python3-keystone
  Depends: ssl-cert
[...]

Change-Id: I1332df34dd6ee59537d35d93d5c35c2fe96561b2
Related-Bug: #1825111
(cherry picked from commit 0f2b36b2ad50694efa92a39649b778546cca3b31)