| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Background:
As part of my work on reproducible builds for openSUSE, I check that software still gives identical build results in the future.
The usual offset is +15 years, because that is how long I expect some software will be used in some places.
This showed up failing tests in our package build.
See https://reproducible-builds.org/ for why this matters.
This makes it expire 1 year in the future to model realistic tokens.
Change-Id: I73bde68be53afff4e8dff12d756b8381f34b2adb
(cherry picked from commit 4a4c96ce9b28ed54f93a21ca405c5b34ef3c3429)
|
|
|
|
|
|
|
|
|
|
|
|
| |
Update the URL to the upper-constraints file to point to the redirect
rule on releases.openstack.org so that anyone working on this branch
will switch to the correct upper-constraints list automatically when
the requirements repository branches.
Until the requirements repository has as stable/train branch, tests will
continue to use the upper-constraints list on master.
Change-Id: I4f8872e30d85de9a1ab9babe5ead73a65407e5d9
|
|
|
|
| |
Change-Id: I94130c964769e960459555ab433893643f4f1101
|
|
|
|
|
|
|
|
|
|
|
| |
Currently with sphinx 2.2.0 the docs job is throwing a warning
that the html_static_path entry does not exist. We treat warnings
as errors so this causes the job to fail.
This change comments the html_static_path entry in conf.py since
the path currently does not exist so it appears to be unused.
Change-Id: Ib2c74f4f37855cec250d09b23c45b5b7fde44c8d
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Some options are now automatically configured by the version 1.20:
- project
- html_last_updated_fmt
- latex_engine
- latex_elements
- version
- release.
Change-Id: I161a3983e23b0ae50c232eb63ca78f8fd230e91e
|
|/
|
|
|
|
| |
See https://github.com/sphinx-doc/sphinx/issues/6440 for upstream details
Change-Id: Ia166252623563438c42538320f6fbf7c74785520
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This commit adds a validation step in the auth_token middleware to check
for the presence of an access_rules attribute in an application
credential token and to validate the request against the permissions
granted for that token. During token validation it sends a header to
keystone to indicate that it is capable of validating these access
rules, and not providing this header for a token like this would result
in the token failing validation. This disregards access rules for a
service request made by a service on behalf of a user, such as nova
making a request to glance, because such a request is not under the
control of the user and is not expected to be explicitly allowed in the
access rules.
bp whitelist-extension-for-app-creds
Depends-On: https://review.opendev.org/670377
Change-Id: I185e0541d5df538d74edadf9976b3034a2470c88
|
|\ \
| |/
|/| |
|
| |
| |
| |
| |
| |
| |
| | |
previously it will print auth version of _requested_auth_version
which will be none all the time. Change it to klass makes more sense.
Change-Id: I1cec8f163e808f03f15ef053e5768cf711238f0d
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This is a mechanically generated patch to ensure unit testing is in place
for all of the Tested Runtimes for Train.
See the Train python3-updates goal document for details:
https://governance.openstack.org/tc/goals/train/python3-updates.html
Change-Id: Iae72e055b0f407c1643b6c6161af28b535712a7d
Story: #2005924
Task: #34215
|
|\ \ |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Keystone server no longer supports PKI/PKIZ. This change removes
keystonemiddleware's support of PKI/PKIZ and associated code.
Change-Id: I9a6639a2aa3774be61972d57f38220f66fd5c0e8
closes-bug: #1649735
partial-bug: #1736985
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
We really don't care about Diablo compatibility any more. Clean up the
old cruft.
Change-Id: Ib1f628eb40ba0cb6334300cb6dca7dcdfcddba1b
|
|/ /
| |
| |
| |
| |
| |
| | |
Bandit is throwing warnings because we use 'token' in a couple of
variables.
Change-Id: I9fd21974027bc2bda6036c34fa587a044faaacae
|
|\ \ |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Previously the admin Identity endpoint was hardcoded to be used. Now
that keystone has dropped v2 support, deploying an admin Identity
endpoint is no longer useful, so allow this to be changed by the
deployer. Keep the default as using the `admin` endpoint, but create
a deprecation message so that we can change the default in the future.
Partial-Bug: 1830002
Change-Id: I993a45ccb1109d67e65bf32d1e134cc9bec2d88e
|
| |/
|/|
| |
| |
| |
| |
| |
| |
| |
| | |
The latest version of bandit has broken directory exclusion,
so multiple test files are getting flagged. This change
blocks version 1.6.0 while this issue is fixed for 1.6.1.
This change also caps sphinx at <2.0.0 for python version 2.7.
Change-Id: I5d32d835886360522af21f735c74b2f85036f7f1
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This commit was bulk generated and pushed by the OpenDev sysadmins
as a part of the Git hosting and code review systems migration
detailed in these mailing list posts:
http://lists.openstack.org/pipermail/openstack-discuss/2019-March/003603.html
http://lists.openstack.org/pipermail/openstack-discuss/2019-April/004920.html
Attempts have been made to correct repository namespaces and
hostnames based on simple pattern matching, but it's possible some
were updated incorrectly or missed entirely. Please reach out to us
via the contact information listed at https://opendev.org/ with any
questions you may have.
|
| |
| |
| |
| |
| |
| |
| | |
python-memcached==1.56 causes the unit tests to fail under python3.7, so
bump to the latest allowed by upper-constraints.
Change-Id: I22a596afcb6b7477f6753ea9896f7ac025be3a85
|
|\ \ |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Add file to the reno documentation build to show release notes for
stable/stein.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/stein.
Change-Id: Ieb590fa57bd3af81dbb39ac9de1d55e34de5cf22
Sem-Ver: feature
|
| |/
|/|
| |
| |
| |
| |
| |
| | |
Attempt to escape quotes actually forgot one of the quotes, causing
"invalid escape sequence" warnings in the logs.
Change-Id: I843257ba5c26f7ba6c5cd3b1b7c53ed26cb9ee8d
Signed-off-by: Sean McGinnis <sean.mcginnis@gmail.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
In Train, we will use python3.6 and 3.7 for
which the minimum tox version required is 2.5[1]
[1]https://tox.readthedocs.io/en/latest/changelog.html#v2-6-0-2017-02-04
Change-Id: I3110e024268ca989e5b09d3dc087087f2d1b1f6f
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This commit updates the version of python-keystoneclient to 3.10.0,
which has fixes to handle different openssl versions:
https://review.openstack.org/#/c/406175/2
Since we're bumping the minimum version of python-keystoneclient to
include that fix, we can safely run lower-constraints on Bionic
instead of Xenial.
Change-Id: I52fa44fe76590aced193618406ad30eb70d04f9d
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The openstack-lower-constraints-jobs was updated to run in Ubuntu
Bionic, but the underlying version of openssl changed, causing tests
in keystonemiddleware to fail with the current version of
python-keystoneclient:
https://review.openstack.org/#/c/406175/
Instead of bumping the version immediately, we can ensure the
lower-constraints job runs on Xenial for the time being, making it so
we can backport this fix to stable/stein. A subsequent patch will
update the job to use Bionic when we bump the minimum version of
python-keystoneclient.
Change-Id: I5a5ad8ad86df80755a304f70597578b7dfec2068
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Without this patch, inserting a breakpoint causes the debug tox
environment to hang for a long time until the testenv timeout is
reached. This patch modifies the testenv to use similar stdout/stderr
settings that we use in keystoneclient and keystoneauth, which seems to
fix the issue, and removes other unnecessary settings.
Change-Id: I2f2f8f4738f43648a6bda067efe605db5807eaff
|
|/
|
|
|
|
|
|
|
|
|
|
| |
Python 3.5 was the target runtime for the Rocky release.
The current target py3 runtime for Stein is Python 3.6,
so there is no reason to keep testing against the older version. Also
correct setup.cfg and tox.ini to reflect the current supported Python
versions.
https://governance.openstack.org/tc/reference/runtimes/stein.html#python-runtime-for-stein
Change-Id: I7304a04870bd5a41ae593d543291a25d73cabe60
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This is a mechanically generated patch to add a unit test job running
under Python 3.7.
See ML discussion here [1] for context.
[1] http://lists.openstack.org/pipermail/openstack-dev/2018-October/135626.html
Change-Id: Ic446881e279447d988357021d6403eb20d60070e
Story: #2004073
Task: #27422
|
| |
| |
| |
| |
| |
| | |
The service_token_roles_required should be correct.
Change-Id: I009e3a495953d61fb0c29a8b629efa3322cb0ddd
|
|/
|
|
| |
Change-Id: I189738bb844828765bd95d8302a7654a12863a00
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently auth_token middleware does not concern identity endpoint
update since service catalog is not updated after service having
auth_token middleware started.
Add invalidation logic when EndpointNotfound exception occurs so
that auth_token middleware can be notified of sevice catalog update
without restart.
Change-Id: I631ee1538883d732fe3987b172d987f703dad5c0
Closes-Bug: #1813739
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Keystone audit middleware requires to iterate req.context as dict,
but Glance requires to access req.context.read_only.
When glance enabled audit, they are conflict with each other.
This patch fix this issue by store audit context in
req.environ['audit.context']
Change-Id: Ib9a62a4cd0b7b9ffb9fa2d6440e8072d45ee0fee
Closes-Bug: #1809101
Signed-off-by: Leehom Li <feli5@cisco.com>
|
| |
| |
| |
| | |
Change-Id: I73e5ed94cdd786d392a6a6b61b8ef4f630715482
|
|/
|
|
|
|
|
|
|
| |
Pypi url changed from [1] to [2]
[1] https://pypi.python.org/pypi/<package>
[2] https://pypi.org/project/<package>
Change-Id: Ibb6247bfb2cfe1c77f6841be2773cbff9475e0c6
|
|\ |
|
| |
| |
| |
| |
| | |
Change-Id: I8d571d3414071c68b4fa565dec46cc2d2941331c
Closes-Bug: #1803940
|
| |
| |
| |
| |
| |
| | |
Mailinglists have been updated. Openstack-discuss replaces openstack-dev.
Change-Id: Ic98b7942c1f394a45958c86eb2d091490fc25b1f
|
|\ \
| |/
|/| |
|
| |
| |
| |
| |
| |
| |
| |
| | |
We already run python3.6 unit tests in CI. Add the py36 environment to
the tox file so that developers with python3.6 available locally can opt
into running that version too.
Change-Id: Ic7aad3d4adfafba226d3b1d1b2106d55135ce6ff
|
|\ \
| |/
|/| |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
With keystone's move to eliminating pki, pkiz, and uuid tokens the
revocation list is no longer generated. Keystonemiddleware no longer
needs to attempt to retrieve it and reference it.
Change-Id: Ief3bf1941e62f9136dbed11877bca81c4102041b
closes-bug: #1361743
partial-bug: #1649735
partial-bug: #1736985
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Made a small fix to the documentation - replacing
the current auth_url port number 35357, in the
configuration section of the [keystone_authtoken],
with 5000.
This was based on an online conversation with Colleen;
with the removal of the v2 API from keystone the project
now recommends use of port 5000 instead of the previous one.
Change-Id: I750a4d0e75e0b919fd00ddf21c0e7ce62d495f95
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The keystonemiddleware audit code would select the wrong OpenStack service
endpoint for a request if the cloud is not using unique TCP ports for each
service endpoint. As most services are no longer using a port per service,
but instead using unique paths, this caused the audit to select the wrong
target service. This leads to incorrect audit logging due to the wrong
audit map being used.
This patch checks the request to see if a TCP port was present in the request,
and if not, fall back to using the target_endpoint_type configured in the
audit map file.
Change-Id: Ie2e0bf74ecca485d599a4041bb770bd6e296bc99
Closes-bug: 1797584
|
|\ \ |
|
| |/
| |
| |
| |
| |
| |
| |
| |
| | |
When parsing the service catalog to find the source, audit middleware
should skip over the services which have no endpoints instead of
assuming they will have at least one endpoint.
Change-Id: I287873e99338d95baaf20d52ecb3a43763a401fc
Closes-Bug: #1800017
|