Commit message    Author    Age    Files    Lines
...
* | | | | | | | Merge "Load backends before deploy app in client tests"    Jenkins    2013-07-31    1    -6/+9
|\ \ \ \ \ \ \ \
| * | | | | | | | Load backends before deploy app in client tests    Brant Knudson    2013-07-25    1    -6/+9
    The backends should be loaded before the app is deployed for the client tests, otherwise the wrong backends may be loaded when the app is deployed.
    Part of fix for bug 1204605
    Change-Id: I70680c3daea3a863bcbde07b1ee7e062cd150e51
* | | | | | | | | Merge "Ec2 credentials table not created during testing"    Jenkins    2013-07-31    1    -1/+2
|\ \ \ \ \ \ \ \ \ | |_|_|/ / / / / / |/| | | | | | | |
| * | | | | | | | Ec2 credentials table not created during testing    Brant Knudson    2013-07-22    1    -1/+2
    This change makes it so that the SQL Ec2Credential unit tests can be run individually. It does this by making sure the credential table model is available before the tables are created.
    Before this change, you couldn't run these tests individually and would get an error that the ec2_credential table doesn't exist.
    Part of fix for bug 1179259
    Change-Id: I68c8b91b18ac0065628c979e5bcc56152ae14916
* | | | | | | | | Merge "sql.Driver:authenticate() signatures should match"    Jenkins    2013-07-30    5    -5/+5
|\ \ \ \ \ \ \ \ \ | |_|_|_|_|/ / / / |/| | | | | | | |
| * | | | | | | | sql.Driver:authenticate() signatures should match    Brant Knudson    2013-07-17    5    -5/+5
    A method called authenticate_user was renamed in identity.backends.sql.Driver from authenticate_user to authenticate but the base class wasn't updated.
    Also, the user_id and password arguments to authenticate should NOT be optional.
    Change-Id: Ie6eb42f060e368ec99d5d8241a404cf7c70d48ae
* | | | | | | | | Merge "default token format/provider handling"    Jenkins    2013-07-30    6    -11/+16
|\ \ \ \ \ \ \ \ \ | |_|_|_|/ / / / / |/| | | | | | | |
| * | | | | | | | default token format/provider handling    Brant Knudson    2013-07-24    6    -11/+16
    The Keystone server would print a warning when both the token format and provider were set to the default.
    Also, the Keystone server would not start if the format was commented out and the provider was set to the uuid.Provider.
    Fixes: bug 1204314
    Change-Id: Id7db33a1f27c4986af153efc73b22db8c6a8942e
* | | | | | | | Merge "Implement exception module i18n support"    Jenkins    2013-07-29    4    -83/+84
|\ \ \ \ \ \ \ \
| * | | | | | | | Implement exception module i18n support    jiataotj    2013-07-26    4    -83/+84
    The doc string in exception.py of Keystone will be returned with __doc__ method, but cannot realize the internationalization. Change exception module to enable i18n support.
    Changes in the patch are:
    1, using class variable msg_fmt to replace class __doc__
    2, modify wsgi.render_exception function using unicode function to replace str function
    3, modify/add UT test cases
    Fixes: bug # 1179425
    Change-Id: I75c1229c905a2625d2f6961d1a8dd3958eac51a5
* | | | | | | | Merge "Clear cached engine when global engine changes"    Jenkins    2013-07-29    2    -3/+16
|\ \ \ \ \ \ \ \ | |_|_|_|_|/ / / |/| | | | | | |
| * | | | | | | Clear cached engine when global engine changes    Brant Knudson    2013-07-12    2    -3/+16
    The keystone.common.sql.core.Base class cached the global database engine when get_session() was called. When the global database engine changed to a new instance, the cached copy was used in subsequent calls to get_session(), leading to using the old engine and tests failing to run by themselves.
    This change makes it so that when the global database engine is changed, Base will use the new engine rather than the invalid one.
    Change-Id: I75aa3c230d9b4fd666ab8d478c9e9a27669905e8
    Fixes: Bug #1179259
* | | | | | | | Merge "Scipped tests don't render as ERROR's"    Jenkins    2013-07-26    7    -67/+55
|\ \ \ \ \ \ \ \
| * | | | | | | | Scipped tests don't render as ERROR's    Victor Sergeyev    2013-07-26    7    -67/+55
    Replaced `raise nose.exc.SkipTest()` statement with self.skipTest().
    Removed unused nose.exc imports.
    Fixes bug 1172794
    Change-Id: Ieb353864acadef43508d185156c7fa1667baa845
* / | | | | | | Remove vestiges of Assignments from LDAP Identity Backend    Adam Young    2013-07-25    3    -310/+3
    Bug 1204995
    Change-Id: Ife92041ffc386b8f9629096ebd65020f3cc7ae26
* | / / / / / Fixing broken credential schema in sqlite.    Nachiappan VR N    2013-07-23    2    -0/+159
    Credential table has foreign key constraint referring to tenant table which is dropped. Since sqlite does not support alter table drop constraint, the foreign key constraint was not dropped. When we try to load credential table using sqlite backend it fails because tenant table does not exist.
    Fix is provided such that the credential table is recreated without foreign key constraint and the data is moved from old credential table to the new credential table.
    Fixes Bug #1190383
    Change-Id: I3afb04254f33e12fccb7da84c8674feba36622c8
* | | | | | Merge "Use assignment_api rather than assignment"    Jenkins    2013-07-23    3    -53/+55
|\ \ \ \ \ \
| * | | | | | Use assignment_api rather than assignment    Brant Knudson    2013-07-22    3    -53/+55
    When normal dependency injection is used the variables are named like "xxx_api". This change makes it so that the identity backend and drivers use "assignment_api" rather than "assignment" so it will be easier to switch to normal dependency injection.
    Part of fix for bug 1200769
    Change-Id: I7805b338c48d57ca1922bb622a3f474f2341f4ac
* | | | | | | Merge "Load app before loading legacy client in tests."    Jenkins    2013-07-23    1    -3/+3
|\ \ \ \ \ \ \
| * | | | | | | Load app before loading legacy client in tests.    Jamie Lennox    2013-07-19    1    -3/+3
    When you load an old version of keystoneclient doing legacy tests and then start the test app the ec2 work that depends on keystoneclient sees the recently loaded legacy one which doesn't have the required modules in it. If we load the app first the ec2 modules are resolved and finds the original keystone client. The ec2 module then uses 'from keystoneclient.contrib.ec2 import utils as ec2_utils' so the ec2_utils reference is kept in the file scope so isn't affected by the tests changing keystoneclient.
    It is not a long term fix for bug 1178532 but it solves the immediate symptoms when running client tests independently.
    Change-Id: I7267ca0d4740f037884fae95f8a6562ee86584b9
* | | | / / / Deprecate kvs token backend    Joe Gordon    2013-07-22    2    -1/+15
    This backend is not usable in any production environment. All OpenStack environments will already have a SQL DB, and if someone does not want to use the DB they can use the memcache backend.
    Fixes bug 1188301 and bug 1188370
    DocImpact This backend should not be mentioned in documentation, as it is not production grade and is deprecated.
    Change-Id: I41b147bcc70b79b4fc6df50b242a73cfcad33114
* | | | | | Merge "Correct Spelling Mistake"    Jenkins    2013-07-21    1    -1/+1
|\ \ \ \ \ \
| * | | | | | Correct Spelling Mistake    Zhang Jinnan    2013-07-21    1    -1/+1
    Modified one spelling mistake in tests/test_middleware
    Change-Id: I4beffa77c38321a44b44d1893d2335319c23b5a5
* | | | | | Merge "Remove an enumerate call"    Jenkins    2013-07-21    1    -1/+1
|\ \ \ \ \ \
| * | | | | | Remove an enumerate call    Liang Bo    2013-07-21    1    -1/+1
    Refactor tests/test_backend.py, remove a useless enumerate call in for loop.
    Change-Id: I5d1914ae3490f715437711d594ec903a2c6632f5
* | | | | | Merge "Add [assignment].driver to sample config"    Jenkins    2013-07-21    1    -0/+3
|\ \ \ \ \ \
| * | | | | | Add [assignment].driver to sample config    Brant Knudson    2013-07-18    1    -0/+3
    There's a new config option [assignment].driver that wasn't included in the sample config file. This makes it more difficult than necessary for deployers to configure.
    Fixes bug 1202778
    Change-Id: I04b09c214b9ea997d8f540a72978ce9b19b4138d
* | | | | | | Merge "Deprecation warning for [signing] token_format"    Jenkins    2013-07-21    2    -19/+27
|\ \ \ \ \ \ \
| * | | | | | | Deprecation warning for [signing] token_format    Dolph Mathews    2013-07-18    2    -19/+27
    This also adds i18n to a few related strings and updates doc.
    Change-Id: Icba582a085939f58581fa909b63a36cbad3b4e69
* | | | | | | Merge "Return correct link for effective group roles in GET /role_assignments"    Jenkins    2013-07-21    2    -24/+21
|\ \ \ \ \ \ \
| * | | | | | | Return correct link for effective group roles in GET /role_assignments    Henry Nash    2013-07-17    2    -24/+21
    The assignment link returned for roles that are included by virtue of group membership should refer to the group assignment that led to this role, rather than a direct user assignment.
    Fixes bug 1201374
    Change-Id: Ic649e7eb4633e258264f27280d938a08af380921
* | | | | | | | Merge "Regenerate example PKI after change of defaults"    Jenkins    2013-07-21    11    -118/+196
|\ \ \ \ \ \ \ \ | |_|_|/ / / / / |/| | | | | | |
| * | | | | | | Regenerate example PKI after change of defaults    Dirk Mueller    2013-07-09    11    -118/+196
    In https://review.openstack.org/#/c/31374/ the PKI defaults were changed but the example PKI not updated. Update it now.
    Change-Id: Ie65f27ab586e05a3c43a589499c115b56e734e07
* | | | | | | | Merge "python3: Introduce py33 to tox.ini"    Jenkins    2013-07-18    1    -1/+1
|\ \ \ \ \ \ \ \ | |_|_|/ / / / / |/| | | | | | |
| * | | | | | | python3: Introduce py33 to tox.ini    Chuck Short    2013-07-12    1    -1/+1
    Introduce py33 to tox.ini to make testing with python3 easier.
    Change-Id: I9865a244281def963ab425537f5400f883054319
    Signed-off-by: Chuck Short <chuck.short@canonical.com>
* | | | | | | Support token_format for backward compatibility    Guang Yee    2013-07-18    4    -18/+85
    The provider property in the [token] section will be unset by default. If provider is not set, we will use token_format in the [signing] section to determine the provider. If provider is set, it must agree with the token_format.
    fixed bug 1202651
    Change-Id: I15ff67490acbbacc9eefc7eee253400475704b04
* | | | | | Merge "update requires to prevent version cap"    Jenkins    2013-07-17    1    -1/+1
|\ \ \ \ \ \
| * | | | | | update requires to prevent version cap    Kun Huang    2013-07-17    1    -1/+1
    OpenStack clients requirements should not have an upper bound as that has implications for testing in the gate.
    ref: https://github.com/openstack/requirements
    fixes bug #1200214
    Change-Id: I45c8e94ede892a4d5412ac43aae9c4e131907c89
* | | | | | Merge "grammar fixes in error messages"    Jenkins    2013-07-17    1    -3/+3
|\ \ \ \ \ \ | |/ / / / / |/| | | | |
| * | | | | grammar fixes in error messages    Dolph Mathews    2013-07-16    1    -3/+3
    Change-Id: Ie00e2e9040b6f71eff573b6f7d8dc12bd87b7c52
* | | | | | Implement Token Binding.    Jamie Lennox    2013-07-17    14    -12/+484
    Brings token binding to keystone server. There are a number of places where the location or hardcoding of binding checks are not optimal however fixing them will require having a proper authentication plugin scheme so just assume that they will be moved when that happens.
    DocImpact
    Implements: blueprint authentication-tied-to-token
    Change-Id: Ib34e5e0b6bd83837f6addbd45d4c5b828ce2f3bd
* | | | | | Implemented token creation without catalog response.    Fabio Giannetti    2013-07-17    5    -9/+60
    Modified the token_factory to create token responses with or without the catalog entry.
    blueprint catalog-optional
    Change-Id: Icdc4400f08f4619a19e44129c78240800a3a1e75
* | | | | | Merge "Fix XML rendering with empty auth payload."    Jenkins    2013-07-17    3    -2/+8
|\ \ \ \ \ \
| * | | | | | Fix XML rendering with empty auth payload.    Jamie Lennox    2013-07-17    3    -2/+8
    Just add some sensible defaults to places where XML parses for example an empty dictionary as an empty string. Also 'access' shouldn't be considered a plural.
    Change-Id: I9fb2c4f5c32ed8c2ce8ba4038caaae39590f8c1a
* | | | | | | Merge "Pluggable Remote User"    Jenkins    2013-07-17    9    -32/+196
|\| | | | | |
| * | | | | | Pluggable Remote User    Adam Young    2013-07-17    9    -32/+196
    Select the code to handle REMOTE_USER based on a config file option
    Fixes the REMOTE_USER logic to get the domain name from REALM, which is the least surprise option.
    Disregards the auth_data passed in, as we should be using REMOTE_USER to get the user name.
    External Plugin is now executed in conjunction with the auth methods, as opposed to in place of them.
    DocImpact
    blueprint pluggable-remote-user
    Change-Id: I9dda6dbe073f03806bdf539db6faa01644109f1c
* / / / / / Implement role assignment inheritance (OS-INHERIT extension)    Henry Nash    2013-07-17    18    -188/+1859
    This extension allows for project roles to be optionally inherited from the owning domain. The v3 grant APIs are extended to take an inherited_to_projects flag. The GET role_assignments API will also include these roles in its response, either showing them as inherited roles assigned to the domain or, if the 'effective' query parameter is set, will interpret the inheritance and reflect those role assignments on the projects.
    The inherited_to_projects flag is encoded in the role list in the metadata of the relevant entries in the grant tables. The 'roles' key in the metadata is now a list of dicts, as opposed to a simple list, where each dict is either {'id': role_id} for a regular role, or {'id': role_id, 'inherited_to': 'projects'} for an inherited role
    Remember that a previous patch had rationalized the way metadata is handled so that its structure is entirely hidden within the driver layer.
    The extension can be enabled/disabled via a config setting.
    Limitations:
    - The extension is not yet discoverable via url, this will be added as a separate patch when the v3/extensions work is complete.
    A separate issue has been discovered with the fact that the v2 calls of 'get_projects_for_user()' and 'list_user_projects()' should be rationalized and also honor both group (and inherited) role assignments. This is being raised as a separate bug.
    DocImpact
    Implements bp inherited-domain-roles
    Change-Id: I35b57ce0df668f12462e96b3467cef0239594e97
* | | | | Merge "Implements Pluggable V2 Token Provider"    Jenkins    2013-07-16    6    -229/+287
|\ \ \ \ \
| * | | | | Implements Pluggable V2 Token Provider    Guang Yee    2013-07-15    6    -229/+287
    This patch implemented V2 token provider. Abstract token provider backend to make token provider pluggable. It enables deployers to customize token management to add their own capabilities. Token provider is responsible for issuing, checking, validating, and revoking tokens. Note the distinction between token 'driver' and 'provider'. Token 'driver' simply provides token CRUD. It does not issue or interpret tokens.
    Token provider is specified by the 'provider' property in the '[token]' section of the Keystone configuration file.
    Change-Id: Ic418ec433bd9e3f2f70fa31c90e570e32c1ca687
* | | | | | Merge "Don't use deprecated BaseException.message"    Jenkins    2013-07-16    1    -9/+9
|\ \ \ \ \ \