| Commit message (Collapse) | Author | Age | Files | Lines |
|
result3 does not invoke message.clean() when an exception is thrown
by `message.connection.result3()` call, causing pool connection
associated with the message to be marked active forever. This causes
a denial-of-service on ldappool.
The fix ensures message.clean() is invoked by wrapping the offending
call in try-except-finally and putting the message.clean() in finally
block.
Closes-Bug: #1998789
Change-Id: I59ebf0fa77391d49b2349e918fc55f96318c42a6
Signed-off-by: Mustafa Kemal Gilor <mustafa.gilor@canonical.com>
(cherry picked from commit ff632a81fb09e6d9f3298e494d53eb6df50269cf)
|
If a token is issued with an application credential we need to check
the expiration of the application credential to ensure that the token
does not outlive the application credential. This ensures that if the
token expiration is greater than that of the application credential it
is reset to the expiration of the application credential and a warning
is logged. Please see CVE-2022-2447 for more information.
Closes-Bug: 1992183
Change-Id: If6f9f72cf25769d022a970fac36cead17b2030f2
(cherry picked from commit 8f999d1c1f54a903c1da648ecaa2ce44acdb1fd1)
|
max_token_size" into stable/yoga
|
Previously, the fernet token provider would log warnings when a fernet
token exceeded 255 characters, which is common for LDAP-backed
deployments. The warning is always issued, even when operators configure
keystone's max_token_size to a higher value, causing confusion because
it appears the configuration value is silently ignored.
This commit fixes that issue by using the max_token_size configuration
parameter consistently in the fernet token provider.
Closes-Bug: 1926483
Change-Id: I4bb54aac9b950d59082a4468203a3249790839d7
(cherry picked from commit 68bfb685d12937dde11d1a335bd992203ec7c293)
|
When we check the EC2 signature without the port part of the host value
received, we should properly split host:port. Keep in mind the splitting
should work for values like [fc00::]:123 too.
Change-Id: I1d90dfcea3568e2a9b22069daa428ea6a2a38bd6
Closes-Bug: #1988168
(cherry picked from commit 6c35b366e3c8c6d7f47471b93f5315582301c5ef)
|
Move FIPS job to centos 9 and add new required nslookup_target variable.
Change-Id: Ifef262cfca4ecb8ad1222da3c43e5749f40c1f24
(cherry picked from commit 950dd5e5032afd73527c82c6ce63ee2ad94dc252)
|
We should use the template corresponding to the release. This change
replaces the wrong template (xena template) by the appropriate one (yoga
template).
Change-Id: I6e1330491bd67759f02231a244661628832b88d6
|
Training-labs had been officially retired as it has no maintainer.
The information of training-labs has been deleted in the openstack
documentation. It is not appropriate to continue the presentation in
note form here.
[1] http://lists.openstack.org/pipermail/openstack-discuss/2021-October/025586.html
[2] https://opendev.org/openstack/training-labs/commit/e78d74f10558ab3e6a9a6fd7d45e617c15e9c3d8
Change-Id: I0ac3d05389041ac58fe2347171541ffaaf151fdf
|
Update the URL to the upper-constraints file to point to the redirect
rule on releases.openstack.org so that anyone working on this branch
will switch to the correct upper-constraints list automatically when
the requirements repository branches.
Until the requirements repository has a stable/yoga branch, tests will
continue to use the upper-constraints list on master.
Change-Id: Ic8efc084652559831be5f00710b7a7061872947f
|
Change-Id: Icdf5101c4ecbeaab01444f17d5b08265a296a5f5
|
Currently rpm based distributions all use python3-devel.
Tested this with centos7 rhel7 rhel8 fedora35.
Change-Id: I9a8e6285edbb3799cf552acf479598b3b6c63b99
|
The FernetUtils object had kwargs for the key_repository,
max_active_keys, and the config_group. The credential API uses an
instance of the FernetUtils object to encrypt and decrypt credentials,
but the object wasn't instantiated with the config_group set. This
resulted in an error message like:
Either [None] key_repository does...
When the credential key repository wasn't configured. We should be
setting the config_group so that we provide a more useful error
message instead of a random `None`.
All of the arguments are now made mandatory, since this is how
they are called in all but this one place.
Co-Authored-By: Grzegorz Grasza <xek@redhat.com>
Change-Id: Ia32cc12121ee243a003e5eb2fc832cc6a33ef499
|
This is an automatically generated patch to ensure unit testing
is in place for all of the tested runtimes for xena.
See also the PTI in governance [1].
[1]: https://governance.openstack.org/tc/reference/project-testing-interface.html
Change-Id: I8e2babbd4d75bd2dc3e8451e5e2604bfe98668a7
|
This is an automatically generated patch to ensure unit testing
is in place for all of the tested runtimes for wallaby.
See also the PTI in governance [1].
[1]: https://governance.openstack.org/tc/reference/project-testing-interface.html
Change-Id: I4170f4cc381d497a12796120b143f65a1894a301
|
os.urandom"
|
token_bytes is a standard library secrets function, we can get the information from link https://www.python.org/dev/peps/pep-0506/
Change-Id: I7e6b1df5eac59bac33674934d7b3e8cdd16cea27
|
GET /limits-model => GET /limits/model
Change-Id: Ib832a8a9257ecdc7bffcc81ee003d1f5a37588e0
|
Nothing functional here. We simply switch from using "repo_name"
terminology and move/rename some helper functions. Branches aren't
really a SQLAlchemy-Migrate thing but it's close enough to do.
Change-Id: I005d20ef21b6c8122be90e8afb38abd902fdfc6e
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
|
'assertTableCountsMatch' should have been removed in change
I41584c652ab34a267009136ee2a2e159ee2f2a6e ("sql: Squash mitaka
migrations")
'does_constraint_exist' should have been removed in change
Ic499a996e1b9c6f0a9d885b4a9e655008002d49f ("sql: Squash queens
migrations")
'does_pk_exist' should have been removed in change
I6beb8c9c827546757f2d7673a917b98f8b917012 ("sql: Squash rocky
migrations")
'assertTableExists' should have been removed in change
I58e4b6833036a25ea8a1202c87ceebdbe932b447 ("sql: Squash stein
migrations")
'insert_dict', 'does_index_exist', and 'does_unique_constraint_exist'
should have been removed in change
Ifc71efb8609bc26ce998a9fa48b207abf8b9a38b ("sql: Squash train
migrations")
'does_fk_exist' should have been removed in change
Ia1495cd4683d6631be2691e816734d01b03037a3 ("sql: Squash ussuri
migrations")
Change-Id: Id3d2769af6004bd4d4792c4488ac5eba94a5a776
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
|
This adds initial no-op migrations for the Yoga release and is modeled
on neutron changes I3823900bc5aaf7757c37edb804027cf4d9c757ab (which
created the '$RELEASE/expand' and '${RELEASE}/contract' directory
structure) and Ie4b727e55a0b1ecb12e915a0037094a928d8f975 (which created
the 'EXPAND_HEAD' and 'CONTRACT_HEAD' files).
Change-Id: If71cb5f1323762c7e2110942e9558f9c69e3bcb2
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
|
By which we mean 079, which changed the size of the 'local_id' column in
the 'id_mapping' table.
This is kept separate to make diffing the original migration somewhat
simpler. It's okay to do this because no one is using these yet.
Change-Id: Ib3c4c36755d9d48ec9e9b759f394b5e429a0907b
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
|
Change-Id: Ie58eb1712399500cc0ef37144f4d6338a5bccc88
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
|
Also remove more dead code.
Change-Id: Iad00d202c41e6c06fe81eb60e0bfe7296ae91888
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
|
This is deprecated and will be removed in a future release of oslo.db.
Even without that stick to prod us, we're going to need to use some of
the sqlalchemy-migrate APIs and it's simpler to talk to this for
everything rather than using oslo.db for some stuff and
sqlalchemy-migrate for the remainder.
Change-Id: Ib25c75a99794a04b6549e6b5184a2029955befc1
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
|
We're going to add new alembic-based migrations shortly. These will live
in the 'keystone.common.sql.migrations' module. Prepare for this by
moving the existing migrations from 'keystone.common.sql' into a common
'keystone.common.sql.legacy_migrations' module.
Change-Id: I5ab7b010b21268977f73738e895bbd21442e9455
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
|
Change I41584c652ab34a267009136ee2a2e159ee2f2a6e ("sql: Squash mitaka
migrations") removed the final users of the 'get_constraints_names',
'add_constraints' and 'remove_constraints' functions.
Change I96cab42cfcfd3e86b53f25abf4cf4043af3b5667 ("sql: Squash ocata
migrations") removed the final use of the 'USE_TRIGGERS' constant.
Change I59882d88fe593ec1ae37415b2157584f7f3c85f8 ("sql: Remove legacy
'migrate_repo' migration repo") removed the final use of
'_assert_not_schema_downgrade' function.
Change-Id: I8aa811ea336e9f613300bc21125e7582010cf5a5
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
|
Remove option from 'db sync' and 'db version' commands of
'keystone-manage'. We also remove handling code for providing '--expand'
and '--migrate' in the same invocation, which isn't possible since
they're in a mutually exclusive group. Finally, we clean some formatting
things up in preparation for the alembic integration.
Change-Id: I198822d6f55353f1adeea9024db67abb24be54c7
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
|
This is effectively the output of 'alembic init' with a few tweaks to
keep pep8 happy and make things more grokable. There will be a great
deal more changes down the line.
Change-Id: Id22aa60e2243b5ce1f3055429ba1ba71a0816f39
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
|
Order tables in a rough alphabetical order, with tables without foreign
keys first, followed by those with them later. This will make life
easier when we get to migrating to alembic.
Change-Id: I3b3cbc2dc827a05ec03edb2e7d60befa89524f1b
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
|
Make the following changes to the new "initial" migrations.
- Drop foreign key constraints on 'domain_id' columns of 'user' and
'identity_provider' tables (072)
- Add 'authorization_ttl' column to 'identity_provider' table (073)
- Add 'expiring_user_group_membership' table (073)
This concludes our squashing. We won't squash the 079 migrations, added in
Xena, since this would break fast forward upgrades. Future changes will instead
(finally) focus on the switch to alembic.
Change-Id: Ia1495cd4683d6631be2691e816734d01b03037a3
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
|
Make the following changes to the new "initial" migrations.
- Add 'redelegated_trust_id' and 'redelegation_count' columns to
'trust' table (062)
- Drop 'service_id', 'region_id', and 'resource_name' columns from
'limit' table (063)
- Add 'remote_id_attribute' column to 'federation_protocol' table (064)
- Add 'external_id' and 'user_id' columns to 'access_rule' table (065)
- Add 'role_option' and 'project_option' tables (066)
Change-Id: Ifc71efb8609bc26ce998a9fa48b207abf8b9a38b
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
|