| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
| |
The use of "#flake8: noqa" disables hacking checks for the entire
file. Switched to use of "# noqa" and fixed hacking problems.
Change-Id: I18785fb18bdce88e61e2451960e55aed0863c285
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
If you ask client if there is a service catalog when it is unauthorized
it tries to look up the service catalog on a None object. If the client
is unauthorized it should always return False as there cannot be a
service catalog.
Change-Id: I439f71e548b8230e7ce38d1a0e9d0d8f9b205d77
Closes-Bug: 1239219
|
|\ \
| |/
|/| |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Because keystoneclient tries to figure out a management_url in all
contexts, it means that any end-user who uses any python-*client from
OpenStack that is using python-keystoneclient will always get a warning
about not being able to get a management token. This is, however, not
something that they need warning about, since there is no expectation
they'll have one. It's distressing to see it as part of normal
operation.
So just remove the warning.
Change-Id: Ia103a53c09c00fc09cef5fb24be546fc1da0684a
|
|\ \ |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The current way of using Popen does not close pipes properly,
and therefore long-running keystone processes, which depends on
keystoneclient.common.cms for data sigining, eventually hit
open file limit and stop working. Passing close_fds=True seems
to have solved the problem.
Change-Id: Ife452ab6843c1af5eb39debb8db453e45f78cba9
Closes-Bug: 1382906
|
|\ \ \
| |/ /
|/| | |
|
| |/
| |
| |
| |
| |
| |
| | |
Rules examples in ``create`` and ``update`` methods should be list of
rules, as this is what should be passed as an argument.
Change-Id: Ibebc28aa0697879b00437c5efe31e1c0d7c4c29d
|
|\ \ |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Running the tests with an old version of OpenSSL
results in many tests breaking without any hints
of the real cause. This handles that explictly,
stopping execution whenever the version is older
than 1.0 and exiting with an informative message.
Co-Authored-By: Rodrigo Duarte Sousa <rodrigods@lsd.ufcg.edu.br>
Closes-Bug: 1225084
Change-Id: I55e151d3fb4ddbe5ee4bf64bfdc597b4da73f6bb
|
|\ \ \ |
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* keystoneclient/tests/v2_0/test_shell.py
(ShellTests.test_user_create_password_prompt): Remove the password
from the calling environment and fake out the check for an
interactive terminal session so that the code which implements
password prompting will actually be exercised.
Change-Id: I46f45553995316c7d006a83897413d57e127e48c
|
|\ \ \ \
| |/ / /
|/| | | |
|
| | |/
| |/|
| | |
| | |
| | |
| | |
| | | |
Left timeutils and strutils in openstack/common since they are used in
openstack/common/apiclient and memorycache.
Change-Id: Idb5f09c159d907dfba84cd1f7501f650318af7d9
|
|/ /
| |
| |
| |
| |
| |
| | |
Some of the docstrings have ``:return:`` instead of ``:returns:``
keyword. This patch fixes that and make it consistent.
Change-Id: I4321a63798ab9e2abdf0bbd716bf2b995be22ba3
|
|\ \ |
|
| |/
| |
| |
| |
| |
| |
| |
| | |
By logging the sha1 hash of the token, it can be tracked through
different services.
Closes-bug: #1329301
Change-Id: I9c338f6a418ab8dd34dbaaf918b0ea6e9cbe79d7
|
|\ \
| |/
|/| |
|
| |
| |
| |
| |
| |
| | |
Created a private method to build URL queries.
Change-Id: Iaa480443e34073fa39d13d2452cd13c267a2bdd5
|
|\ \ |
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When you invoke any OpenStack API of any of the OpenStack services
e.g. glance, neutron, cinder, heat, ceilometer, nova, keystone
then it logs readable x-subject-token at the debug log level in the
respective log files.
Simply redacting the x-subject-token in keystone client response header
before logging it.
SecurityImpact
Closes-Bug: #1371355
Change-Id: Iac16c6358250677544761beea9f5c5d8ba29afac
|
|\ \ |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Address some issues that came up because of hacking upgrade.
But ignoring H904 since the slashes are valid, as they are in
comments, not code.
Change-Id: Ie8a94fc71632e4130c2ec663a5c6d3f2042f8263
Closes-Bug: #1328469
|
|\ \ \ |
|
| | |/
| |/|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
cms_sign_data was not passing the md parameter to openssl, so it was
using the default digest of sha1. Some security standards require a
SHA2 algorithm for the digest.
This if for security hardening.
SecurityImpact
Change-Id: Iff063149e1f12df69bbf9015222d09d798980872
Closes-Bug: #1362343
|
|\ \ \
| |/ /
|/| | |
|
| | |
| | |
| | |
| | |
| | |
| | | |
Removal of a spelling error.
Change-Id: If59dec6c226e86177019b665a5f0a0e5d42e6316
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Creating a client with a session using an Unscoped tokens now sets auth
info in client. This Auth Info is necessary in order to enumerate
projects. This is the standard login path for Horizon.
Change-Id: I688a27cd0e7c98e7cf899ac65bb593a85171813f
|
|\ \ \ |
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Do not iterate action.choices in the method add_arguments
in the class OpenStackHelpFormatter if action.choices is
not iterable because it is none.
Change-Id: Ie7110adb798326e5856fddfb6a7365c663b84998
Closes-Bug: #1372152
|
|/ / /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
When running with a havana-level of oslo.config (<1.3.0),
applications with any config options in their api-paste.ini will
fail to start with an error like
'StrOpt' object has no attribute 'type'
This is because the config options didn't have a type attribute
until 1.3.0.
During the grenade test, the havana level of oslo.config is used,
while the master level of keystoneclient is used, and also in the
havana tests the services are still using the keystoneclient
auth_token middleware.
Change-Id: I745c3e04f18941a2d41e191d43f61b926522bb9d
Closes-Bug: #1372422
|
|\ \ \ |
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
In the existing code, self.ssl_insecure is a string. If insecure
option is set in nova api-paste.ini, whatever it is 'true' or
'false', kwargs['verify'] will become False. This commit corrects
the condition expression. This patch is backported from
https://review.openstack.org/#/c/113191/
Change-Id: I91db8e1cb39c017167a4160079846ac7c0663b03
Closes-Bug: 1353315
|
|\ \ \ \
| |_|_|/
|/| | | |
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Authentication workflow for the Active Directory Federated Services
(ADFS) by Microsoft is different from 'standard' ECP based one.
This plugin allows for authentication and fetching security token with SAML2
assertion inside, sending to the Service Provide and retrieving an
unscoped token.
Change-Id: I588de1967a7fb92c5928686d092895847553923a
Implements: blueprint add-saml2-cli-authentication
|
|\ \ \ \ |
|
| | | | |
| | | | |
| | | | |
| | | | | |
Change-Id: Ib2ab829ed777a4f2fb13ec7426dffef99a4118ab
|
|\ \ \ \ \ |
|
| | |_|_|/
| |/| | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
When calculating the AWS Signature Version 4, in the case of POST,
We need to set the CanonicalQueryString to an empty string. this
follows the implementation of the AWS and boto clients.
Change-Id: Iad4e392119067e246c7b77009da3fef48d251382
Closes-Bug: 1360892
|
| |/ / /
|/| | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This adds the client library class for the endpoint policy extension.
Implements: bp endpoint-policy
Change-Id: I7153d7a093f4299d7f912b0b4a9a02ffacdb9e69
|
|\ \ \ \ |
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Federated tokens don't include domains in the user object.
Keystoneclient should be able to estimate whether the token is a
federated one and, if so, don't expect user domain information.
In case of the federated token keystoneclient returns None in response
to user_domain_name and user_domain_id calls.
Co-Authored-By: Steve Martinelli <stevemar@ca.ibm.com>
Closes-Bug: #1346820
Change-Id: I3453275fa1b0a41b1c015b0c3a92895a77d69a41
|
|\ \ \ \ \ |
|
| |/ / / /
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Connection Errors can be transient and there are many clients (including
auth_token middleware) that allow retrying requests that fail.
We should support this in the session, disabled by default, rather than
have multiple implementations for it.
For the moment I have purposefully not added it as an option to
Session.__init__ though I can see arguments for it. This can be added
later if there becomes a particular need.
I have also purposefully distinguished between Connection Errors (and
connect_retries) and HTTP errors. I don't know a good way to generalize
retrying on HTTP errors and they can be added later if required.
Blueprint: session-retries
Change-Id: Ia219636663980433ddb9c00c6df7c8477df4ef99
|
|/ / / /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
To maintain compatibility we must allow people to specify a versioned
URL in the service catalog but allow the plugins to return a different
URL to users.
We need this to be a general approach as other services will likely have
a similar problem with their catalog.
The expectation here is that a client will register the catalog hack at
import time rather than for every request.
Closes-Bug: #1335726
Change-Id: I244f0ec3acca39fd1b2a2c5883abc06ec10eddc7
|
|\ \ \ \ |
|
| |/ / /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Last commit: 32e7f0b56f527427544050f251999f3de588ac93
This patch syncs the python-keystoneclient with olso-incubator as I
need this patch 4ef01931 which fixes a bug that's I am hitting in
another client which uses the keystoneclient.
Closes-bug: 1277565
Change-Id: I22f10f4fe27be16a6808b75c154ee342fea2bdda
|
|\ \ \ \ |
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Auth plugins must sometimes affect the Headers and other portions
of the network setup. Examples: Kerberos needs to set the
negotiate header. X509 to provide the client certificate.
This change makes that capability available to the Auth plugins.
Those plugins will live in separate repositories. There are no
dependent patches for it in this repository.
This was split out by Adam Young from the Kerberos Client patch
written by Jose Castro Leon
Change-Id: Iab7287888e4b3f199b9035c1a24ac43639b5027b
|