Commit message [Author, Age, Files, Lines]
...
| * | | | | | Don't use deprecated BaseException.message [Brant Knudson, 2013-07-03, 1, -9/+9]
| | |_|_|_|/
| |/| | | |
        When running the unit tests, I'd get a warning message:
        /opt/stack/keystone/tests/test_exception.py:151: DeprecationWarning: BaseException.message has been deprecated as of Python 2.6
        We shouldn't be using deprecated functions. This change makes it so the test doesn't use the deprecated member.
        Also, test_unicode_message wasn't a test for security error formatting so moved it to ExceptionTestCase.
        Change-Id: I088bf94433baf0f00d3ff8ca63e5f74e9d300cd0
* | | | | | Merge "Add unittest for keystone.identity.backends.sql Models" [Jenkins, 2013-07-16, 1, -0/+90]
|\ \ \ \ \ \
| * | | | | | Add unittest for keystone.identity.backends.sql Models [Alvaro Lopez Garcia, 2013-07-09, 1, -0/+90]
| | |_|_|/ /
| |/| | | |
        This change introduces the unit testing of the SQL models against their expected schema.
        Fixes bug 1196855
        Change-Id: I3939e474aa6e8e5549b1d89725e988dd056400d9
* | | | | | Merge "Python 3.x compatible use of print" [Jenkins, 2013-07-16, 2, -3/+2]
|\ \ \ \ \ \
| * | | | | | Python 3.x compatible use of print [Dirk Mueller, 2013-07-09, 2, -3/+2]
| |/ / / / /
        Use print in a style that looks as a print function to Python 3.x.
        Change-Id: I3c7a4e7a1b9a519cc1c369a9ec6a1e3da1211394
* | | | | | Merge "wsgi.BaseApplication and wsgi.Router factories should use **kwargs" [Jenkins, 2013-07-16, 2, -11/+32]
|\ \ \ \ \ \
| * | | | | | wsgi.BaseApplication and wsgi.Router factories should use **kwargs [Alvaro Lopez Garcia, 2013-07-09, 2, -11/+32]
| |/ / / / /
        Also removed wrong references to nova in docstrings.
        This is related with bug 1190978
        Change-Id: I1b945596d4ebe39d03069b590b7f1a444eaef72f
* | | | | | Merge "Change domain component value to org from com" [Jenkins, 2013-07-16, 1, -1/+1]
|\ \ \ \ \ \
| * | | | | | Change domain component value to org from com [Sahdev Zala, 2013-07-11, 1, -1/+1]
        Fixes Bug1200241
        Changes variable value in keystone doc to a proper domain component and makes it consistent.
        Change-Id: I0a9ac381d2da14c957df5aa50cb8f9dfadade1ac
* | | | | | | Merge "Implements Pluggable V3 Token Provider" [Jenkins, 2013-07-15, 28, -557/+1143]
|\ \ \ \ \ \ \
| | |_|_|/ / /
| |/| | | | |
| * | | | | | Implements Pluggable V3 Token Provider [Guang Yee, 2013-07-12, 28, -557/+1143]
| | |_|_|/ /
| |/| | | |
        Abstract V3 token provider backend to make token provider pluggable. It enables deployers to customize token management to add their own capabilities. Token provider is responsible for issuing, checking, validating, and revoking tokens. Note the distinction between token 'driver' and 'provider'. Token 'driver' simply provides token persistence. It does not issue or interpret tokens.
        Token provider is specified by the 'provider' property in the '[token]' section of the Keystone configuration file.
        Partially implemented blueprint pluggable-token-format.
        This patch also fixes bug 1186061.
        Change-Id: I755fb850765ea99e5237626a2e645e6ceb42a9d3
* | | | | | Merge "Add version so that pre-release versioning works" [Jenkins, 2013-07-14, 1, -0/+1]
|\ \ \ \ \ \
| * | | | | | Add version so that pre-release versioning works [Monty Taylor, 2013-07-12, 1, -0/+1]
        As a server project, keystone should list a version number in setup.cfg so that the version numbers products in daily tarballs list the pre-release alpha designation.
        Change-Id: I1aff86b0890f2d215d00b0c1f19cca3798ae88ec
* | | | | | | Merge "Sync-up crypto from oslo-incubator" [Jenkins, 2013-07-13, 2, -0/+179]
|\ \ \ \ \ \ \
| * | | | | | | Sync-up crypto from oslo-incubator [Simo Sorce, 2013-07-11, 2, -0/+179]
        blueprint key-distribution-server
        Change-Id: Id57f25d4d0bb609046276cfb4df43bd3d29b4f23
* | | | | | | | Merge "Register Extensions" [Jenkins, 2013-07-13, 8, -50/+182]
|\ \ \ \ \ \ \ \
| * | | | | | | | Register Extensions [Adam Young, 2013-07-12, 8, -50/+182]
| | |_|_|/ / / /
| |/| | | | | |
        Extensions register themselves with keystone/common/extension.py as either public, admin, or both, and they show up in the extensions collection on http://<hostname>:<port>/v2.0/extensions/
        Bug 1177531
        Change-Id: Ic0b5c84e28342e96c3197c1b46f8b1656e2d7050
* | | | | | | | Merge "Mixed LDAP/SQL Backend." [Jenkins, 2013-07-12, 9, -307/+358]
|\ \ \ \ \ \ \ \
| |_|_|_|/ / / /
|/| | | | | | |
| * | | | | | | Mixed LDAP/SQL Backend. [Adam Young, 2013-07-12, 9, -307/+358]
        Supports the configuration where LDAP is used for identity and SQL is used for assignment.
        blueprint split-identity
        Change-Id: Ib91b5d804282b7f78fc2458ff64653bbf2cf5d9e
* | | | | | | | Merge "Imported Translations from Transifex" [OpenStack Jenkins, 2013-07-12, 22, -1036/+1123]
|\ \ \ \ \ \ \ \
| * | | | | | | | Imported Translations from Transifex [OpenStack Jenkins, 2013-07-11, 22, -1036/+1123]
| | |/ / / / / /
| |/| | | | | |
        Change-Id: I4db62367802c9b2e8953ce5affd04c9ac20e7527
* | | | | | | | Merge "Pass on arguments on Base.get_session" [Jenkins, 2013-07-12, 2, -1/+12]
|\ \ \ \ \ \ \ \
| |_|_|_|/ / / /
|/| | | | | | |
| * | | | | | | Pass on arguments on Base.get_session [Brant Knudson, 2013-06-06, 2, -1/+12]
        This change makes it so that the arguments for the session creation function get_session() get passed on when it calls the function to create the session.
        Change-Id: I2f889ab36bd3aa3bf4441a13eb2b610b54349cbb
* | | | | | | | Merge "Sync install_venv_common from oslo" [Jenkins, 2013-07-12, 1, -26/+16]
|\ \ \ \ \ \ \ \
| * | | | | | | | Sync install_venv_common from oslo [Monty Taylor, 2013-07-05, 1, -26/+16]
        Change-Id: I9ecacefeb772af7efe0345c3b2162295c4999cdd
* | | | | | | | | Merge "Add crypto dependency" [Jenkins, 2013-07-12, 1, -0/+1]
|\ \ \ \ \ \ \ \ \
| | |_|_|_|/ / / /
| |/| | | | | | |
| * | | | | | | | Add crypto dependency [Simo Sorce, 2013-07-11, 1, -0/+1]
| | |_|/ / / / /
| |/| | | | | |
        blueprint key-distribution-server
        Change-Id: I5d025460ec75dd37a0fa0610c521ab5b49687745
* | | | | | | | Merge "Move temporary test files into tests/tmp" [Jenkins, 2013-07-11, 9, -57/+39]
|\ \ \ \ \ \ \ \
| * | | | | | | | Move temporary test files into tests/tmp [Jamie Lennox, 2013-07-11, 9, -57/+39]
        Add a new folder tests/tmp and move all temporary test artefacts like sqlite dbs into the folder. This has a number of advantages:
        - clean up .gitignore and tests folder.
        - common/sql/util.py files didn't really belong in common as they were test only.
        - by doing ``sudo mount -t tmpfs -o size=16M tmpfs tests/tmp; sudo chown $USER: tests/tmp`` tests speed up about 3x (ext4; credit ayoung's blog).
        Change-Id: I9b02a5273dd27db963e9a26085b7456f4c5f6a41
* | | | | | | | | Merge "Use InnoDB for MySQL" [Jenkins, 2013-07-11, 3, -0/+183]
|\ \ \ \ \ \ \ \ \
| |_|/ / / / / / /
|/| | | | | | | |
| * | | | | | | | Use InnoDB for MySQL [Brant Knudson, 2013-07-10, 3, -0/+183]
        This change adds a migration to convert any non-InnoDB tables to InnoDB. On some systems, the default engine is MyISAM, which doesn't support features used by Keystone (foreign keys).
        The approach is the same as what's used in Nova. A test is added to ensure that all tables use InnoDB after migration. The test passes when all the tables are mysql_engine='InnoDB'. This is accomplished by adding a new migration that migrates all the tables that aren't InnoDB to InnoDB.
        Fixes bug 1191110.
        Change-Id: I220f7642f5468c5cf4194f248210f90ff983b6e5
* | | | | | | | | Merge "Remove context from get_token call in normalize_domain_id" [Jenkins, 2013-07-11, 1, -1/+1]
|\ \ \ \ \ \ \ \ \
| * | | | | | | | | Remove context from get_token call in normalize_domain_id [Steve Martinelli, 2013-07-08, 1, -1/+1]
        Seems like this was missed when 34752 was checked in. Just removing the context from get_token for the token_api in the normalize_domain_id function
        Change-Id: Id505632f04c2769bc1131c486d42921d351dbbd0
* | | | | | | | | | Merge "Do not create LDAP Domains sub tree" [Jenkins, 2013-07-11, 4, -24/+0]
|\ \ \ \ \ \ \ \ \ \
| |_|_|/ / / / / / /
|/| | | | | | | | |
| * | | | | | | | | Do not create LDAP Domains sub tree [Sahdev Zala, 2013-07-08, 4, -24/+0]
| |/ / / / / / / /
        Since we do not support multiple domains in LDAP, creating Domains sub tree is unnecessary and confusing.
        Fixes Bug1194204
        Change-Id: Ie340fe00bd57675afda58318d858ad2089a17a29
* | | | | | | | | Merge "Rationalize how we get roles after authentication in the controllers" [Jenkins, 2013-07-10, 22, -598/+212]
|\ \ \ \ \ \ \ \ \
| |_|/ / / / / / /
|/| | | | / / / /
| | |_|_|/ / / /
| |/| | | | | |
| * | | | | | | Rationalize how we get roles after authentication in the controllers [Henry Nash, 2013-07-10, 22, -598/+212]
        Currently there is a mixture of strategies in the v2 and v3 controllers for how to get the roles assigned for the scope of the requested authentication. This duplicates code, is hard to maintain and in at least one case (where your only roles on a project are due to a group membership) is not actually correct (for v2 tokens).
        This change does the following:
        - Standardizes on using the 'get_roles_for_user_and_project()', and its domain equivalent, for how roles are obtained to build a token. This was already the case for v3 tokens. The controllers no longer need to get metadata and extract the roles.
        - Removes the driver level function to 'authorize_for_project' - this is now handled within the controller. The driver simply supports the user authentication.
        A nice (and planned for) side effect of the above is that we now hide the schema of how we store roles within the driver layer - i.e. nothing outside of the driver (other than any specific-to-implementation tests) have to know about how roles are stored in the metadata. This paves the way for a re-implementation of the grant tables in IceHouse.
        This change also fills in missing function definitions in the assignment driver.
        Implements bp authenticate-role-rationalization
        Change-Id: I75fc7f5f728649d40ab1c696b33bbcd88ea6edee
* | | | | | | | Merge "Remove a useless arg in range()" [Jenkins, 2013-07-10, 1, -3/+3]
|\ \ \ \ \ \ \ \
| |/ / / / / / /
|/| | | | | | |
| * | | | | | | Remove a useless arg in range() [Du Yujie, 2013-07-05, 1, -3/+3]
        Modify tests/test_backend.py, remove the useless arg ("start index" = 0) since its default value is 0.
        Change-Id: Ia88c538a6dfe751e94fdb7f465ab87ce72cfa108
* | | | | | | | assignment backend [Adam Young, 2013-07-09, 17, -1648/+2412]
| |_|_|_|/ / /
|/| | | | | |
        Splits the assignments functions off of the identity api and manager, and moved them into their own backend. To prevent breaking existing code, this adds assignment delegation functions to Identity Manager. There is a circular dependency between ID and assignments.
        This code is mostly pure refactoring, with no changes to the unit tests. Existing behavior is maintained.
        In the future, we will add unit tests for mixing an LDAP identity provider with a SQL assignment backend.
        blueprint split-identity
        Change-Id: I6c180aa1ae626ace5b91e0bf1931bdaf2aa031d5
* | | | | | | Merge "Move comments in front of dependencies" [Jenkins, 2013-07-09, 1, -9/+18]
|\ \ \ \ \ \ \
| * | | | | | | Move comments in front of dependencies [Dirk Mueller, 2013-07-08, 1, -9/+18]
        Comments on a separate line can be preserved by a requirements/update.py run.
        Change-Id: Ie7c167eea59cf1293fbd4bf4b5e3e71864c080e3
* | | | | | | | Merge "Work without admin_token_auth middleware" [Jenkins, 2013-07-09, 3, -0/+50]
|\ \ \ \ \ \ \ \
| * | | | | | | | Work without admin_token_auth middleware [Brant Knudson, 2013-07-03, 3, -0/+50]
| | |_|_|_|_|/ /
| |/| | | | | |
        Requests would fail with a 500 Internal Server Error if the admin_token_auth middleware was removed from the paste pipeline. The requests would fail because the code assumed that the context contained an 'is_admin' element, but that element was only in the context if the admin_token_auth middleware was in the pipeline.
        This change makes it so that if the admin_token_auth middleware isn't in the paste pipeline requests will not fail with a 500 Internal Server Error.
        Change-Id: Ic064785226ee70ee475d8f72fea3c2ae6971a07f
        Fixes: bug 1190708
* | | | | | | | Merge "Add callbacks for set_global_engine" [Jenkins, 2013-07-08, 2, -1/+167]
|\ \ \ \ \ \ \ \
| * | | | | | | | Add callbacks for set_global_engine [Brant Knudson, 2013-07-03, 2, -1/+167]
| |/ / / / / / /
        This adds functionality where a class can monitor for the global engine changing. This is useful for a class that caches the global engine and wants to know when its cached global engine isn't valid anymore.
        Part of fix for bug 1179259
        Change-Id: I5736a05308c63de9fccb8af7720ddd70530f4270
* | | | | | | | Merge "Imported Translations from Transifex" [OpenStack Jenkins, 2013-07-08, 22, -931/+2482]
|\ \ \ \ \ \ \ \
| * | | | | | | | Imported Translations from Transifex [OpenStack Jenkins, 2013-07-08, 22, -931/+2482]
        Change-Id: Id111bde13b52804813994a6a23f639fb1e959b9c
* | | | | | | | | Merge "Fix issue with v3 tokens and group membership roles" [Jenkins, 2013-07-08, 7, -68/+352]
|\ \ \ \ \ \ \ \ \
| |/ / / / / / / /
|/| | | | | | | |
| * | | | | | | | Fix issue with v3 tokens and group membership roles [Henry Nash, 2013-07-06, 7, -68/+352]
| | |_|_|/ / / /
| |/| | | | | |
        The driver calls used by v3 token controllers to obtain roles for a user on both project and domain were incorrectly implemented, leading to roles being missed out of the token. v2 tokens are not affected, since they don't use the same driver calls.
        This fixes these functions and adds additional tests to cover the cases (all of which would fail without this patch).
        As part of this fix, the implementation of "get_roles_for_user_and_project()" is pulled up into the driver class (like the domain equivalent is already), since, for all implementations, it is independent of backend technology.
        Fixes bug 1197874
        Change-Id: I59b6882d93bdc8372be03fed0b390b002a6d0320