| Commit message (Collapse) | Author | Age | Files | Lines |
If a token is issued with an application credential we need to check
the expiration of the application credential to ensure that the token
does not outlive the application credential. This ensures that if the
token expiration is greater than that of the application credential it
is reset to the expiration of the application credential and a warning
is logged. Please see CVE-2022-2447 for more information.
Closes-Bug: 1992183
Change-Id: If6f9f72cf25769d022a970fac36cead17b2030f2
(cherry picked from commit 8f999d1c1f54a903c1da648ecaa2ce44acdb1fd1)
max_token_size" into stable/xena
Previously, the fernet token provider would log warnings when a fernet
token exceeded 255 characters, which is common for LDAP-backed
deployments. The warning is always issued, even when operators configure
keystone's max_token_size to a higher value, causing confusion because
it appears the configuration value is silently ignored.
This commit fixes that issue by using the max_token_size configuration
parameter consistently in the fernet token provider.
Closes-Bug: 1926483
Change-Id: I4bb54aac9b950d59082a4468203a3249790839d7
Move FIPS job to centos 9 and add new required nslookup_target variable.
Change-Id: Ifef262cfca4ecb8ad1222da3c43e5749f40c1f24
(cherry picked from commit 950dd5e5032afd73527c82c6ce63ee2ad94dc252)
(cherry picked from commit 1daa8e70c943d5b0723f5cf821db99539cef0a15)
When we check the EC2 signature without the port part of the host value
received, we should properly split host:port. Keep in mind the splitting
should work for values like [fc00::]:123 too.
Change-Id: I1d90dfcea3568e2a9b22069daa428ea6a2a38bd6
Closes-Bug: #1988168
(cherry picked from commit 6c35b366e3c8c6d7f47471b93f5315582301c5ef)
(cherry picked from commit d39790ac4e9dc25af09cdddc6217e36bacbc2bb1)
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| | |
Currently rpm based distributions all use python3-devel.
Tested this with centos7 rhel7 rhel8 fedora35.
Change-Id: I9a8e6285edbb3799cf552acf479598b3b6c63b99
(cherry picked from commit 0eba22f331f5e998d5cdee2039e8f14772e78e5e)
We should use the template corresponding to the release. This change
replaces the wrong template (victoria template) by the appropriate one
(xena template).
Change-Id: I5a2ba6087f63ba20489a32d1afb194def4b0c70e
Training-labs has been officially retired as it has no maintainer.
The information about training-labs has been deleted from the openstack
documentation. It is not appropriate to continue the presentation in
note form here.
[1] http://lists.openstack.org/pipermail/openstack-discuss/2021-October/025586.html
[2] https://opendev.org/openstack/training-labs/commit/e78d74f10558ab3e6a9a6fd7d45e617c15e9c3d8
Change-Id: I0ac3d05389041ac58fe2347171541ffaaf151fdf
When connecting to some LDAP server software, the ldap client returns
bytes instances instead of the expected strings. This can result in
either being transparently converted to strings, when the data is
inserted via sqlalchemy into the database, or could be used as
input to other functions, and/or cached, which causes unexpected
results.
Closes-Bug: #1952458
Resolves: rhbz#1964872
Change-Id: I77148641715efe09e3adc2e9432e66e50fb444b4
(cherry picked from commit 1e0cd90191663c100c165d4c6a2b1ca796b5af25)
There was a trailing s in two of these policies and it caused the policy
names to mismatch, which causes confusion with the rendered policy files
and potentially causes issues with deprecation logic.
Change-Id: I54021986d17c57d7733d53caa4032c2767eaf25e
(cherry picked from commit 82da8824df0f56ef4e137805bf32d647cef1ea59)
We updated these policies when we introduced system scope and default
roles, but the policy names accidentally changed, which makes the policy
files render with an alias because oslo.policy thinks the names are
changing.
Change-Id: I1121f1abe769ee83ffc285103a95ee95540ce727
(cherry picked from commit 60e898c47038667e66a54e0a9a6cd7b91e115f55)
This causes the sample generated policy file to alias the old name with
the new policy name, which isn't needed since we're not renaming these
policies at all and it was likely a typo.
Change-Id: Idfd9adbbe800bbc21814d94002a2b61524cce28a
(cherry picked from commit c10d5c88ef40e63d4dfefb792d6c3d68acd72dd9)
Update the URL to the upper-constraints file to point to the redirect
rule on releases.openstack.org so that anyone working on this branch
will switch to the correct upper-constraints list automatically when
the requirements repository branches.
Until the requirements repository has a stable/xena branch, tests will
continue to use the upper-constraints list on master.
Change-Id: I84ba1238179ce08644f73d283d265b9f9237e941
Change-Id: I408f6c327b179a9a883b4c221ad34fa1a0dc80ff
ABCs in collections should be imported from collections.abc and direct
import from collections is deprecated since Python 3.3.
Closes-Bug: #1936667
Change-Id: I12b570cd6d6abda17a68aac6a35ae8193d9c22b4
This avoids the "String length exceeded." error, when using LDAP
domain specific backend in case the user uses a user id
attribute, which can exceed the previous constraint of 64 chars.
Change-Id: I923a2a2a5e79c8f265ff436e96258288dddb867b
Closes-Bug: #1929066
Resolves: rhbz#1959345
Since 3.7.0, oslo policy started the DeprecationWarning[1] if
deprecated_reason and deprecated_since param are not passed
in DeprecatedRule or they are passed in RuleDefault object.
These warnings are logged for every test, which increases the
log size and sometimes can fill the log buffer and fail the
job.
[1] https://github.com/openstack/oslo.policy/blob/3.7.0/oslo_policy/policy.py#L1538
Change-Id: Id9d89a04b480cbdcefead93ce55a1f174f948f5d
Testing a new FIPS enabled gate job here. This job will be
for Centos 8 with FIPS enabled. This will use a playbook in
the zuul-jobs repo to enable FIPS.
Depends-On: https://review.opendev.org/c/zuul/zuul-jobs/+/788778
Change-Id: I3187971a14b38c7ca3bb64bdd3d18c64709c466f
Add file to the reno documentation build to show release notes for
stable/wallaby.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/wallaby.
Sem-Ver: feature
Change-Id: Iab1e95d50f731e1573844e559d06b134cc279f08
Change-Id: I3e4944d47ba8192b4a1f0350347e4dc68d811895
oslo.db 10.0.0 finally removes the deprecated '[database] idle_timeout'
option in favour of '[database] connection_recycle_time'. Update unit
tests to reflect this.
Change-Id: I3628f1cd438f3f2ca999ec89df4eef989c903b95
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
This is failing because the docstring for this attribute that we're
inheriting from sqlalchemy refers to a 'ref' that doesn't exist in our
tree. The solution is to simply override the docstring.
Change-Id: I7210848d45fb8651db63f1be8a194ce0ffc2bfac
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
Change-Id: I25eae9e6de8534b40493caf23cc49602a44efd26
Closes-Bug: #1930908
There is a typo in the get_security_compliance_domain_config policy rule path,
it should be '/v3/domains/{domain_id}/config/security_compliance/{option}'
Change-Id: I5d8d9d28d7c3b986b3022a33e890e7dd1e1e933d
This change hides the AccountLocked exception from being returned
to the end user to hide sensitive information that a potential
malicious person could gain insight from.
The notification handler catches the AccountLocked exception as
before, but after sending the audit notification, it instead
bubbles up Unauthorized rather than AccountLocked.
Co-Authored-By: Samuel de Medeiros Queiroz <samueldmq@gmail.com>
Change-Id: Id51241989b22c52810391f3e8e1cadbf8613d873
Related-Bug: #1688137
Add file to the reno documentation build to show release notes for
stable/victoria.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/victoria.
Change-Id: Iab1cdb4952637d87055774e74c8015a1f302c7d0
Sem-Ver: feature
Keystone's update_user() method in the SQL driver processes a lot of
information about how to update users. This includes evaluating password
logic and authentication attempts for PCI-DSS. This logic is evaluated
after keystone pulls the user record from SQL and before it exits the
context manager, which performs the write.
When multiple clients are all updating the same user reference, it's
more likely they will see an HTTP 500 because of race conditions exiting
the context manager. The HTTP 500 is due to stale data when updating
password expiration for old passwords, which happens when setting a new
password for a user.
This commit attempts to handle that case more gracefully than throwing a
500 by detecting StaleDataErrors from sqlalchemy and retrying. The
identity sql backend will retry the request for clients that have
stale data change from underneath them.
Change-Id: I75590c20e90170ed862f46f0de7d61c7810b5c90
Closes-Bug: 1885753
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html
Change-Id: I2389bd16d4494db98db9450fc6c821d7b3410285
This commit introduces a new check and gate job for keystone to use the
functional RBAC tests in keystone-tempest-plugin.
These tests were derived from keystone's original protection tests, but
they use tempest and they're reusable for people looking to validate
secure RBAC functionality in their own deployments.
Depends-On: https://review.opendev.org/#/c/686305/
Change-Id: I813cff07c20fcba1aaec6a5e68014a2a9eb9462e
Change-Id: I960379ceb435472cdc754b5f63243c70d552d9c3
After reading through the documentation, I thought this sentence sounded
funny using 'within' and 'in' so close to each other. I updated it so
that it isn't quite so jarring.
Change-Id: I2619108216035a37823e53efb5a3f9fe6cfe5cbb
This commit updates the documentation for service api protection to
better describe the overall personas for system, domain, and project
users. It also adds some examples that show operators how to list users
with all role assignments on a particular target, which include a
superset of the existing examples.
Change-Id: I40dd33fc0afa0240c6b1cd48322fd988fc5524af