path: root/keystonemiddleware
Commit message (author, age, files, lines)
...
* | No need to compare CONF content (wangxiyuan, 2018-09-07, 2 files, -2/+14)
| |     When setting up the AuthProtocol class, if the CONF object contains deprecated options, an error "dictionary changed size during iteration" will be raised when comparing the CONF content. Changing "!=" to "is not" here to avoid comparing the CONF content anymore.
| |
| |     Change-Id: I820aa244160db4f81149d2576386c86b46de0084
| |     Closes-bug: #1789351
* | Merge "Handle DiscoveryFailure errors" (Zuul, 2018-08-28, 2 files, -0/+12)
|\ \
| * | Handle DiscoveryFailure errors (Tim Burke, 2018-08-01, 2 files, -0/+12)
| | |     DiscoveryFailures can happen for a variety of reasons, ranging from service misconfiguration to a keystone outage to a transient network failure. If we don't catch and handle the failure here, it will almost certainly cause something further up the WSGI stack to send a 500 Internal Error (and likely log a traceback).
| | |
| | |     A log line like
| | |
| | |         Unable to validate token: Could not find versioned identity endpoints when attempting to authenticate. Please check that your auth_url is correct. Unable to establish connection to http://keystone:35357: HTTPConnectionPool(host='keystone', port=35357): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7fc53e22e050>: Failed to establish a new connection: [Errno 111] ECONNREFUSED',))
| | |
| | |     should be plenty enough for an operator to assess the situation; I don't need a 29-frame traceback.
| | |
| | |     Change-Id: I946388c09b2ca0230d2cef009c679a7ac7c8398f
* | | Fix KeystoneMiddleware memcachepool abstraction [5.2.0] (Morgan Fainberg, 2018-07-18, 2 files, -1/+28)
|/ /
| |     Keystonemiddleware's abstraction for the memcache pool was broken when converting to use a queue.Queue. The logic that placed the connection back into the pool was moved to .acquire and the reserve method was not using acquire.
| |
| |     Change-Id: I0eda5981cbb661f63790258cf8e70c7340615159
| |     Closes-Bug: #1782404
* | Merge "Introduce new header for system-scoped tokens" [5.1.0] (Zuul, 2018-05-09, 4 files, -0/+41)
|\ \
| * | Introduce new header for system-scoped tokens (Lance Bragstad, 2018-05-02, 4 files, -0/+41)
| | |     Keystonemiddleware attempts to parse user/service tokens and populate request headers for other services to consume. This information is important for services looking to build oslo.context objects from request environments.
| | |
| | |     Change-Id: I0717c2a5207a647999b4f9bcdf11f728984f0812
| | |     Closes-Bug: 1766731
* | | Imported Translations from Zanata (OpenStack Proposal Bot, 2018-05-01, 1 file, -8/+1)
|/ /
| |     For more information about this automatic import see: https://docs.openstack.org/i18n/latest/reviewing-translation-import.html
| |
| |     Change-Id: I27a90c1f3132af5cbbeb18a6e59f88f5fe387a36
* | Merge "Double quote www_authenticate_uri" (Zuul, 2018-04-21, 2 files, -10/+10)
|\ \
| * | Double quote www_authenticate_uri (wangxiyuan, 2018-04-12, 2 files, -10/+10)
| | |     Based on the RFCs[1], in an HTTP header, a string of text is parsed as a single value if it is quoted using double-quote marks. This patch changes the single quotes to double quotes in the header "WWW-Authenticate", which is returned when a 401 error is raised.
| | |
| | |     [1]: https://tools.ietf.org/html/rfc7230#section-3.2.6
| | |          https://tools.ietf.org/html/rfc7235#section-2.1
| | |
| | |     Change-Id: I524c93d30607ea6ab70de92ceea207ee77f34c25
| | |     Closes-bug: #1762362
* | | Merge "Only include response body if there's a response" (Zuul, 2018-04-20, 2 files, -3/+23)
|\ \ \
| * | | Only include response body if there's a response (Tim Burke, 2018-04-10, 2 files, -3/+23)
| | | |     When handling timeouts talking to the keystone server, you may see log messages like
| | | |
| | | |         authtoken: Bad response code while validating token: 408
| | | |         authtoken: Token validation failure.
| | | |         <traceback>
| | | |         AttributeError: 'NoneType' object has no attribute 'text'
| | | |
| | | |     Since there's no response from the server when keystoneclient raises RequestTimeout [1], the `response` attribute is understandably None. Now, only log the response text if there's text to log.
| | | |
| | | |     Additionally, log the response message (as well as status code) to provide as much context as we can for the error.
| | | |
| | | |     [1] https://github.com/openstack/python-keystoneclient/blob/3.15.0/keystoneclient/session.py#L469
| | | |
| | | |     Change-Id: Id400e4c38d07cbe7e1866dd572a17fc54c31e82a
* | | | Merge "Properly zero out max_retries in test_http_error_not_cached_token" (Zuul, 2018-04-20, 1 file, -1/+1)
|\ \ \ \
| |_|/ /
|/| | |
| * | | Properly zero out max_retries in test_http_error_not_cached_token (Tim Burke, 2018-04-10, 1 file, -1/+1)
| |/ /
| | |     Previously, we'd set _http_request_max_retries to 0, but that attribute was removed in 1.3.0. Now, test runs are several seconds faster when tests are executed serially.
| | |
| | |     Related-Change: Id092e8f42f843dbfbc1c30589b50ba341ccf4aae
| | |     Change-Id: I61d9b9617b1118d0696435d028bbda7a6c119bf8
* | | Merge "Remove kwargs_to_fetch_token" (Zuul, 2018-04-04, 2 files, -19/+1)
|\ \ \
| |/ /
|/| |
| * | Remove kwargs_to_fetch_token (wangxiyuan, 2018-02-22, 2 files, -19/+1)
| | |     kwargs_to_fetch_token was deprecated and should be removed in Rocky now.
| | |
| | |     Change-Id: Ic247efb84c5133449ead6a9864bbd7748e5e74bd
* | | Merge "Fix the AttributeError: __exit__ error" (Zuul, 2018-03-24, 2 files, -3/+8)
|\ \ \
| * | | Fix the AttributeError: __exit__ error (wangxiyuan, 2018-02-22, 2 files, -3/+8)
| | | |     The memcache client class actually has no __exit__ function. Remove the "with" usage to avoid the __exit__ error.
| | | |
| | | |     Change-Id: I15b3d08f4afae289e7eb0848ff1db08141196d3c
| | | |     Closes-Bug: #1747565
* | | | Merge "Add arguments for MemcacheClientPool init" (Zuul, 2018-03-24, 2 files, -2/+18)
|\ \ \ \
| |/ / /
| * | | Add arguments for MemcacheClientPool init (wangxiyuan, 2018-02-22, 2 files, -2/+18)
| | | |     Now keystonemiddleware uses oslo.cache to init the MemcacheClientPool. The MemcacheClientPool in oslo.cache needs (urls, arguments, **kwargs) parameters to init, but keystonemiddleware passed only (urls, **kwargs). This leads to the error:
| | | |
| | | |         __init__() takes exactly 3 arguments (2 given)
| | | |
| | | |     This patch fixes this issue.
| | | |
| | | |     Please note that even with this error fixed, setting "memcache_use_advanced_pool = True" will lead to another error; see bug #1747565 for the details. It will be fixed in the following patch.
| | | |
| | | |     Closes-bug: #1748160
| | | |     Change-Id: I642f959ab8b010207314312a6b6a06a6de23e92c
* | | | Imported Translations from Zanata (OpenStack Proposal Bot, 2018-03-01, 2 files, -8/+8)
|/ / /
| | |     For more information about this automatic import see: https://docs.openstack.org/i18n/latest/reviewing-translation-import.html
| | |
| | |     Change-Id: I6a01826b6e09db2374626ec55ed2477f9002f589
* | | Merge "Identify the keystone service when raising 503" (Zuul, 2018-02-20, 3 files, -3/+10)
|\ \ \
| * | | Identify the keystone service when raising 503 (Chris Dent, 2018-02-20, 3 files, -3/+10)
| |/ /
| | |     When the keystonemiddleware is used directly in the WSGI stack of an application, the 503 that is raised when the keystone service errors or cannot be reached needs to identify that keystone is the service that has failed, otherwise it appears to the client that the service they are trying to access is down, which is misleading.
| | |
| | |     This addresses the problem in the most straightforward way possible: the exception that causes the 503 is given a message including the word "Keystone".
| | |
| | |     The call method in BaseAuthTokenTestCase gains an expected_body_string kwarg. If not None, the response body (as a six.text_type) is compared with the value.
| | |
| | |     Change-Id: Idf211e7bc99139744af232f5ea3ecb4be41551ca
| | |     Closes-Bug: #1747655
| | |     Closes-Bug: #1749797
* | | Add option to disable using oslo_message notifier (Stefan Nica, 2018-02-20, 3 files, -1/+19)
|/ /
| |     Add a configuration option, 'use_oslo_messaging', to indicate whether to use oslo_messaging notifier. It is set to true for backwards compatibility.
| |
| |     We can't use audit middleware with services like Swift, which have no dependency on Oslo and do not work well with oslo_log. Swift uses rsyslog. Currently, audit middleware indiscriminately chooses oslo_messaging if the package is installed. This is problematic if Swift proxy is on the same controller as any service which consumes oslo_messaging. With this new option, Swift can now safely consume audit middleware by electing to use local log notifier instead of oslo_messaging.
| |
| |     Change-Id: I87bf857c20e4b78e97d40dcc51a1b4ff0014abb2
| |     Closes-Bug: #1695038
* | Merge "Log TokenNotFound at INFO level instead of WARNING" [4.21.0] (Zuul, 2018-01-05, 1 file, -2/+2)
|\ \
| * | Log TokenNotFound at INFO level instead of WARNING (John Dennis, 2017-12-18, 1 file, -2/+2)
| | |     Token expiration is normal, however the client logs fill up with these ominous WARNING messages:
| | |
| | |         WARNING keystonemiddleware.auth_token [-] Authorization failed for token
| | |         WARNING keystonemiddleware.auth_token [-] Identity response: {"error": {"message": "Could not find token: 24ffb14540c74a7c964f9627fe2af8fb", "code": 404, "title": "Not Found"}}
| | |
| | |     It seems more useful to log normal events at a level less than WARNING; this would reduce the log size but more importantly it will help eliminate the concerns raised when logs are filled with WARNING messages that are otherwise benign.
| | |
| | |     Change-Id: I54ad6b5530ee81616bd4a44f8295985f5d84c2ee
| | |     Closes-Bug: #1738300
| | |     Signed-off-by: John Dennis <jdennis@redhat.com>
* | | cfg.CONF must not be used directly (Mehdi Abaakouk, 2017-12-20, 1 file, -2/+3)
|/ /
| |     cfg.CONF must not be used directly, Config().oslo_conf_obj must be used instead.
| |
| |     Closes-bug: #1737119
| |     Change-Id: I58ec9e25c7f04a8352535d8861e09c7e4c4c0a9d
* | rel-note and doc for lazy loading of oslo_cache (Mehdi Abaakouk, 2017-12-13, 1 file, -0/+2)
| |     In continuation of I00e953abb3e835a94353fe458100c96e8e9c095a, this change adds the release note and documentation.
| |
| |     Related-bug #1737115
| |     Change-Id: I456239842d139074cc38cfd620bb88561bb4d0d7
* | lazy loading of oslo_cache (Mehdi Abaakouk, 2017-12-12, 1 file, -3/+3)
|/
|     Now, we depend on oslo.cache [1], and use the private/internal memcache_pool code of the lib, making oslo.cache fail to import instead of just logging an error about a missing requirement for selected drivers at runtime.
|
|     This change restores the previous behavior by lazy loading the module.
|
|     [1] 9d8e2836fe7fca186e0380d8a532540ff5cc5215
|
|     Change-Id: I00e953abb3e835a94353fe458100c96e8e9c095a
|     Closes-bug: #1737115
* Use oslo_cache in auth_token middleware (Jamie Lennox, 2017-12-01, 5 files, -189/+32)
|     Use the new oslo.cache library instead of using memcached directly.
|
|     This keeps the old options around and will continue to use those in preference to the oslo.config library as there is no way to test whether oslo.cache was explicitly configured to use that in preference.
|
|     Currently there are no messages or anything to deprecate the old options until we've had a chance to test it in production environments.
|
|     Closes-Bug: #1523375
|     Change-Id: Ifccacc5db311ad538ce60191cbe221644d1a5807
|     Co-Authored-By: Nicolas Helgeson <nh202b@att.com>
* Imported Translations from Zanata (OpenStack Proposal Bot, 2017-11-16, 2 files, -10/+86)
|     For more information about this automatic import see: https://docs.openstack.org/i18n/latest/reviewing-translation-import.html
|
|     Change-Id: I6f8b27486c14d2a92efad825e3d4050f0e66445b
* Merge "Rename auth_uri to www_authenticate_uri" (Zuul, 2017-10-20, 9 files, -36/+95)
|\
| * Rename auth_uri to www_authenticate_uri (Colleen Murphy, 2017-10-11, 9 files, -36/+95)
| |     The [keystone_authtoken]/auth_uri middleware parameter has been causing extreme confusion amongst operators and developers ever since the keystonemiddleware started accepting keystoneauth plugin parameters including auth_url. The two parameters look identical and yet have completely different meanings and are both required.
| |
| |     This patch deprecates auth_uri and renames it to www_authenticate_uri, which more accurately describes the WWW-Authenticate header it is configuring and is dissimilar to any other keystone_authtoken middleware parameter. This also renames the internal variable names for consistency with the config option.
| |
| |     Change-Id: I0cf11da3d395749df28077427689fdafc8a6b981
* | Fix py3 byte/string error (Tin Lam, 2017-10-11, 2 files, -1/+17)
| |     This patch set corrects a problem when the keystonemiddleware is executed with memcache encryption enabled. Currently, the hmac.new() calls throw exceptions in python3 due to how py2 and py3 handle string vs. byte/bytearray.
| |
| |     Co-Authored-By: Rohan Arora <ra271w@att.com>
| |     Closes-Bug: #1713574
| |     Change-Id: I9bb291be48a094b9f266a8459a3f51ee163d33a3
* | Merge "Issue a deprecation warning for validating PKI tokens" (Jenkins, 2017-10-06, 1 file, -0/+7)
|\ \
| * | Issue a deprecation warning for validating PKI tokens (Jamie Lennox, 2017-10-03, 1 file, -0/+7)
| |/
| |     PKI tokens have been deprecated and removed from keystone server. To get them removed from auth_token middleware we need to deprecate it. We issue the warning when a successful validation has occurred as all incoming tokens get checked for if we think they are PKI and tried to decrypt.
| |
| |     Change-Id: Ibc6e3378aa7c851335bcb9abbcc31572e6cef9e7
| |     bp: deprecated-as-of-queens
* | Merge "Correct docs usage of keystoneauth1 session" (Jenkins, 2017-10-05, 1 file, -1/+1)
|\ \
| |/
|/|
| * Correct docs usage of keystoneauth1 session (Gage Hugo, 2017-09-12, 1 file, -1/+1)
| |     keystoneclient.session has been long deprecated in favor of keystoneauth1.session. This change corrects entries in the documentation to use the correct library's session.
| |
| |     Change-Id: I16c9cd9a63c584c032ba9b3958014a4abaa99ca0
* | Fix gate error caused by mocked URLs (Tin Lam, 2017-09-25, 2 files, -3/+3)
|/
|     In keystoneauth a workaround was implemented for when the discovery document has an invalid scheme and host for its URLs[1]. This broke keystonemiddleware's tests, revealing that keystonemiddleware was, in one case, validating the wrong URL, and in another mocking the wrong one. This patch updates the tests so that they are more accurately representing how keystoneauth works.
|
|     Why should we change it here instead of reverting the keystoneauth change? The URLs in the discovery document aren't validated in real life, so the only URLs that can be trusted are the ones the user has accessed, such as the auth URL. Keystoneauth is right to fix the URLs, and the bad mocks in keystonemiddleware are only evidence that the tests were wrong, not that the mocked URLs would have worked in real life.
|
|     [1] https://review.openstack.org/#/c/494194
|
|     Closes-Bug: Closes-bug: #1718945
|     Co-Authored-By: Colleen Murphy <colleen@gazlene.net>
|     Change-Id: I94d6dd1839bd1f662e70c5fb739695685e839a82
* Remove use of positional decorator (Morgan Fainberg, 2017-08-07, 1 file, -3/+0)
|     The positional decorator results in poorly maintainable code in a misguided effort to emulate python3's key-word-arg only notation and functionality. This patch removes keystonemiddleware's dependence on the positional decorator.
|
|     Change-Id: I1be3b19d08daf18babac66f274787862c6d77a93
* strip whitespace from token (Matthew Edmonds, 2017-07-31, 2 files, -2/+13)
|     This change strips whitespace from incoming tokens to prevent errors that are difficult for a caller to root cause.
|
|     Change-Id: I4b3fd18314c3ca94beb3b0c8c17280451d6c8755
|     Closes-Bug: #1689468
* Update comment about fetch token kwargs (Lance Bragstad, 2017-07-21, 1 file, -3/+3)
|     Jamie had a comment explaining the requirement of fetching tokens with kwargs and the token. This was supposed to be required in Pike but it was missed. This commit updates the comment to be relevant for the Queens release instead.
|
|     Change-Id: Iaa2c3fb02e76a87865a4ae7f06c4e86cc5b9b991
* Update URLs in documentation [4.17.0] (Hangdong Zhang, 2017-07-20, 3 files, -3/+3)
|     Update URLs according to OpenStack document migration.
|
|     Change-Id: Icb4232fcce79bb1ea121489122e578e3109b5e90
* Merge "Redundant adminURL in test_gives_v2_catalog" (Jenkins, 2017-07-17, 1 file, -1/+1)
|\
| * Redundant adminURL in test_gives_v2_catalog (zlyqqq, 2017-07-01, 1 file, -1/+1)
| |     Change-Id: I9a08443cb83a8bc73590683488fe7c3307cdc7f3
* | Merge "Using assertFalse(A) instead of assertEqual(False, A)" (Jenkins, 2017-07-16, 1 file, -1/+1)
|\ \
| * | Using assertFalse(A) instead of assertEqual(False, A) (Van Hung Pham, 2017-06-23, 1 file, -1/+1)
| |/
| |     This patch is to replace assertEqual(False, A) with assertFalse(A), as the latter is more straightforward and easier to understand.
| |
| |     Similar to a merged patch https://review.openstack.org/#/c/473749/
| |
| |     Change-Id: I899fe822e4a37dda8e14b9c1dfd31c07b7d24000
* | Replace six.iteritems() with .items() (Van Hung Pham, 2017-07-12, 8 files, -16/+10)
|/
|     1. As mentioned in [1], we should avoid using six.iteritems to achieve iterators. We can use dict.items instead, as it will return iterators in PY3 as well. And dict.items/keys will be more readable.
|     2. In py2, the performance about list should be negligible, as link [2].
|
|     [1] https://wiki.openstack.org/wiki/Python3
|     [2] http://lists.openstack.org/pipermail/openstack-dev/2015-June/066391.html
|
|     Change-Id: Id1cab2190424f1ac8b48cae43e4006f1d720be0c
* Removing double spaces (Tin Lam, 2017-06-15, 1 file, -5/+5)
|     When a user generates config using oslo genconfig, the comments in the keystone middleware section contain double spaces between some words. This patch set removes the extra spaces in the help comment for auth_uri.
|
|     TrivialFix
|
|     Change-Id: I4ac514df6d2d229de1b04557771ddb0253c5baa0
* Merge "add a log when the option in conf can't be identified" (Jenkins, 2017-06-05, 2 files, -2/+12)
|\
| * add a log when the option in conf can't be identified (xuhaigang, 2017-06-04, 2 files, -2/+12)
| |     When the option is unknown to auth_token and its value can't be converted, this patch adds a warning log.
| |
| |     Change-Id: I818708cc19488030b80daa2b01b9f8622632f7eb