When setting up the AuthProtocol class, if the CONF object contains
deprecated options, an error "dictionary changed size during
iteration" will be raised when comparing the CONF content.
Change "!=" to "is not" here to avoid comparing the CONF
content anymore.
Change-Id: I820aa244160db4f81149d2576386c86b46de0084
Closes-bug: #1789351
DiscoveryFailures can happen for a variety of reasons, ranging
from service misconfiguration to a keystone outage to a transient
network failure. If we don't catch and handle the failure here,
it will almost certainly cause something further up the WSGI stack
to send a 500 Internal Error (and likely log a traceback).
A log line like
    Unable to validate token: Could not find versioned identity
    endpoints when attempting to authenticate. Please check that
    your auth_url is correct. Unable to establish connection to
    http://keystone:35357: HTTPConnectionPool(host='keystone',
    port=35357): Max retries exceeded with url: / (Caused by
    NewConnectionError('<urllib3.connection.HTTPConnection
    object at 0x7fc53e22e050>: Failed to establish a new
    connection: [Errno 111] ECONNREFUSED',))
should be plenty enough for an operator to assess the situation;
I don't need a 29-frame traceback.
Change-Id: I946388c09b2ca0230d2cef009c679a7ac7c8398f
Keystonemiddleware's abstraction for the memcache pool was broken
when converting to use a queue.Queue. The logic that placed the
connection back into the pool was moved to .acquire and the reserve
method was not using acquire.
Change-Id: I0eda5981cbb661f63790258cf8e70c7340615159
Closes-Bug: #1782404
Keystonemiddleware attempts to parse user/service tokens and populate
request headers for other services to consume. This information is
important for services looking to build oslo.context objects from
request environments.
Change-Id: I0717c2a5207a647999b4f9bcdf11f728984f0812
Closes-Bug: 1766731
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html
Change-Id: I27a90c1f3132af5cbbeb18a6e59f88f5fe387a36
Based on the RFCs [1], in an HTTP header, a string of text is parsed
as a single value if it is quoted using double-quote marks.
This patch changes the single quotes to double quotes in the
"WWW-Authenticate" header, which is returned when a 401 error is raised.
[1]: https://tools.ietf.org/html/rfc7230#section-3.2.6
     https://tools.ietf.org/html/rfc7235#section-2.1
Change-Id: I524c93d30607ea6ab70de92ceea207ee77f34c25
Closes-bug: #1762362
When handling timeouts talking to the keystone server, you may see log
messages like
    authtoken: Bad response code while validating token: 408
    authtoken: Token validation failure.
    <traceback>
    AttributeError: 'NoneType' object has no attribute 'text'
Since there's no response from the server when keystoneclient raises
RequestTimeout [1], the `response` attribute is understandably None.
Now, only log the response text if there's text to log. Additionally,
log the response message (as well as status code) to provide as much
context as we can for the error.
[1] https://github.com/openstack/python-keystoneclient/blob/3.15.0/keystoneclient/session.py#L469
Change-Id: Id400e4c38d07cbe7e1866dd572a17fc54c31e82a
Previously, we'd set _http_request_max_retries to 0, but that attribute
was removed in 1.3.0. Now, test runs are several seconds faster when
tests are executed serially.
Related-Change: Id092e8f42f843dbfbc1c30589b50ba341ccf4aae
Change-Id: I61d9b9617b1118d0696435d028bbda7a6c119bf8
kwargs_to_fetch_token was deprecated and should be
removed in Rocky now.
Change-Id: Ic247efb84c5133449ead6a9864bbd7748e5e74bd
The memcache client class actually has no __exit__ function.
Remove the "with" usage to avoid the __exit__ error.
Change-Id: I15b3d08f4afae289e7eb0848ff1db08141196d3c
Closes-Bug: #1747565
Now keystonemiddleware uses oslo.cache to init the
MemcacheClientPool. The MemcacheClientPool in
oslo.cache needs the (urls, arguments, **kwargs) parameters
to init, but keystonemiddleware passed only
(urls, **kwargs). This leads to the error:
    __init__() takes exactly 3 arguments (2 given)
This patch fixes this issue.
Please note that even with this error fixed, setting
"memcache_use_advanced_pool = True" will lead to another
error; see bug #1747565 for the details. It will be
fixed in the following patch.
Closes-bug: #1748160
Change-Id: I642f959ab8b010207314312a6b6a06a6de23e92c
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html
Change-Id: I6a01826b6e09db2374626ec55ed2477f9002f589
When the keystonemiddleware is used directly in the WSGI stack of an
application, the 503 that is raised when the keystone service errors
or cannot be reached needs to identify that keystone is the service
that has failed; otherwise it appears to the client that the
service they are trying to access is down, which is misleading.
This addresses the problem in the most straightforward way possible:
the exception that causes the 503 is given a message including the
word "Keystone".
The call method in BaseAuthTokenTestCase gains an
expected_body_string kwarg. If not None, the response body (as
a six.text_type) is compared with the value.
Change-Id: Idf211e7bc99139744af232f5ea3ecb4be41551ca
Closes-Bug: #1747655
Closes-Bug: #1749797
Add a configuration option, 'use_oslo_messaging', to indicate whether
to use the oslo_messaging notifier. It is set to true for backwards
compatibility.
We can't use audit middleware with services like Swift, which have no
dependency on Oslo and do not work well with oslo_log. Swift uses rsyslog.
Currently, audit middleware indiscriminately chooses oslo_messaging if the
package is installed. This is problematic if Swift proxy is on the same
controller as any service which consumes oslo_messaging. With this new option,
Swift can now safely consume audit middleware by electing to use local
log notifier instead of oslo_messaging.
Change-Id: I87bf857c20e4b78e97d40dcc51a1b4ff0014abb2
Closes-Bug: #1695038
Token expiration is normal; however, the client logs fill up with these
ominous WARNING messages:
    WARNING keystonemiddleware.auth_token [-] Authorization failed for token
    WARNING keystonemiddleware.auth_token [-] Identity response: {"error": {"message": "Could not find token: 24ffb14540c74a7c964f9627fe2af8fb", "code": 404, "title": "Not Found"}}
It seems more useful to log normal events at a level less than WARNING;
this would reduce the log size, but more importantly it will help
eliminate the concerns raised when logs are filled with WARNING messages
that are otherwise benign.
Change-Id: I54ad6b5530ee81616bd4a44f8295985f5d84c2ee
Closes-Bug: #1738300
Signed-off-by: John Dennis <jdennis@redhat.com>
cfg.CONF must not be used directly, Config().oslo_conf_obj must be used
instead.
Closes-bug: #1737119
Change-Id: I58ec9e25c7f04a8352535d8861e09c7e4c4c0a9d
In continuation of I00e953abb3e835a94353fe458100c96e8e9c095a,
this change adds the release note and documentation.
Related-bug: #1737115
Change-Id: I456239842d139074cc38cfd620bb88561bb4d0d7
Now, we depend on oslo.cache [1], and use the private/internal
memcache_pool code of the lib, making oslo.cache fail to import
instead of just logging an error about a missing requirement for the
selected drivers at runtime.
This change restores the previous behavior by lazy loading the module.
[1] 9d8e2836fe7fca186e0380d8a532540ff5cc5215
Change-Id: I00e953abb3e835a94353fe458100c96e8e9c095a
Closes-bug: #1737115
Use the new oslo.cache library instead of using memcached directly.
This keeps the old options around and will continue to use those in
preference to the oslo.config library as there is no way to test whether
oslo.cache was explicitly configured to use that in preference.
Currently there are no messages or anything to deprecate the old options
until we've had a chance to test it in production environments.
Closes-Bug: #1523375
Change-Id: Ifccacc5db311ad538ce60191cbe221644d1a5807
Co-Authored-By: Nicolas Helgeson <nh202b@att.com>
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html
Change-Id: I6f8b27486c14d2a92efad825e3d4050f0e66445b
The [keystone_authtoken]/auth_uri middleware parameter has been causing
extreme confusion amongst operators and developers ever since the
keystonemiddleware started accepting keystoneauth plugin parameters
including auth_url. The two parameters look identical and yet have
completely different meanings and are both required. This patch
deprecates auth_uri and renames it to www_authenticate_uri, which more
accurately describes the WWW-Authenticate header it is configuring and
is dissimilar to any other keystone_authtoken middleware parameter. This
also renames the internal variable names for consistency with the config
option.
Change-Id: I0cf11da3d395749df28077427689fdafc8a6b981
This patch set corrects a problem when the keystonemiddleware is
executed with memcache encryption enabled. Currently, the
hmac.new() calls throw exceptions in python3 due to how py2 and py3
handle string vs. byte/bytearray.
Co-Authored-By: Rohan Arora <ra271w@att.com>
Closes-Bug: #1713574
Change-Id: I9bb291be48a094b9f266a8459a3f51ee163d33a3
PKI tokens have been deprecated and removed from keystone server. To get
them removed from auth_token middleware we need to deprecate it.
We issue the warning when a successful validation has occurred as all
incoming tokens get checked for if we think they are PKI and tried to
decrypt.
Change-Id: Ibc6e3378aa7c851335bcb9abbcc31572e6cef9e7
bp: deprecated-as-of-queens
keystoneclient.session has been long deprecated in favor of
keystoneauth1.session. This change corrects entries in the
documentation to use the correct library's session.
Change-Id: I16c9cd9a63c584c032ba9b3958014a4abaa99ca0
In keystoneauth a workaround was implemented for when the discovery
document has an invalid scheme and host for its URLs[1]. This broke
keystonemiddleware's tests, revealing that keystonemiddleware was, in
one case, validating the wrong URL, and in another mocking the wrong
one. This patch updates the tests so that they are more accurately
representing how keystoneauth works.
Why should we change it here instead of reverting the keystoneauth
change? The URLs in the discovery document aren't validated in real
life, so the only URLs that can be trusted are the ones the user has
accessed, such as the auth URL. Keystoneauth is right to fix the URLs,
and the bad mocks in keystonemiddleware are only evidence that the tests
were wrong, not that the mocked URLs would have worked in real life.
[1] https://review.openstack.org/#/c/494194
Closes-Bug: #1718945
Co-Authored-By: Colleen Murphy <colleen@gazlene.net>
Change-Id: I94d6dd1839bd1f662e70c5fb739695685e839a82
The positional decorator results in poorly maintainable code in
a misguided effort to emulate python3's keyword-only argument notation
and functionality. This patch removes keystonemiddleware's dependence
on the positional decorator.
Change-Id: I1be3b19d08daf18babac66f274787862c6d77a93
This change strips whitespace from incoming tokens to prevent errors
that are difficult for a caller to root cause.
Change-Id: I4b3fd18314c3ca94beb3b0c8c17280451d6c8755
Closes-Bug: #1689468
Jamie had a comment explaining the requirement of fetching tokens
with kwargs and the token. This was supposed to be required in Pike
but it was missed. This commit updates the comment to be relevant for
the Queens release instead.
Change-Id: Iaa2c3fb02e76a87865a4ae7f06c4e86cc5b9b991
Update URLs according to OpenStack document migration.
Change-Id: Icb4232fcce79bb1ea121489122e578e3109b5e90
Change-Id: I9a08443cb83a8bc73590683488fe7c3307cdc7f3
This patch replaces assertEqual(False, A) with assertFalse(A); the
latter is more straightforward and easier to understand.
Similar to a merged patch: https://review.openstack.org/#/c/473749/
Change-Id: I899fe822e4a37dda8e14b9c1dfd31c07b7d24000
1. As mentioned in [1], we should avoid using
   six.iteritems to achieve iterators.
   We can use dict.items instead, as it will return
   iterators in PY3 as well. And dict.items/keys will be more readable.
2. In py2, the performance about list should be negligible, as in link [2].
[1] https://wiki.openstack.org/wiki/Python3
[2] http://lists.openstack.org/pipermail/openstack-dev/2015-June/066391.html
Change-Id: Id1cab2190424f1ac8b48cae43e4006f1d720be0c
When a user generates config using oslo genconfig, the comments in the
keystone middleware section contain double spaces between some words.
This patch set removes the extra spaces in the help comment for
auth_uri.
TrivialFix
Change-Id: I4ac514df6d2d229de1b04557771ddb0253c5baa0
When the option is unknown to auth_token and its value can't be
converted, this patch adds a warning log.
Change-Id: I818708cc19488030b80daa2b01b9f8622632f7eb