The LDAP identity code had many circular dependencies between
data objects due to the need to look up DNs from ID. This change
pulls the lookups into the driver layer, and modifies most of the
data objects to take DNs in as their parameters instead. Only objects
that know how to look up their own DNs from their IDs will continue to
take IDs in, to support the "get" methods.
Change-Id: I0bac360650ccbf72c7ca8317997031420f66e4f3
|
The default ou name for projects/tenants should be Projects, as we normally
use in devstack and ldap live test. Since multiple LDAP objects can
use groupOfNames, setting projects group to Groups is vague.
Fixes Bug1191807
Change-Id: I1718c76320da51a58abf6558a9b8560e908773cb
|
The environment module will be configured once, during code initialization.
Subsequently all other possibly-evented modules will retrieve from
environment and transparently obtain either the eventlet or standard
library modules.
If eventlet, httplib, subprocess or other environment-dependent module
is referenced outside of the environment module it should be considered
a bug.
The changes to tests are required to ensure that test is imported first
to set up the environment. Hopefully these can all be replaced with an
__init__.py in a post-nose keystone.
Implements: blueprint extract-eventlet
Change-Id: Icacd6f2ee0906ac5d303777c1f87a184f38283bf
|
Change-Id: Ia5d0628dc4d1fef13fc2e798d64bc2ceabffa958
|
Adds tests for the version response when using
Accept: application/xml
To share code, moved assertEqualXML from test_serializer
to keystone.test.
Change-Id: I92e28a9167d0c77fc7efbd1eda2893ec1128354f
|
The field type checking logic used when creating and updating
users applies to all driver calls. It should be centralized in the
identity.Manager rather than continuing the trend of spreading it out
between controllers, managers and drivers.
This patch moves the enable type checking logic to identity.Manager and
modifies the related test cases in test_backend.py.
Change-Id: I37df56a61cd5ab332dcc9d74a7e99ee9041aa32e
|
If the admin_port string is a substring of the public_port string, all the
requests would be stated as 'admin' whether their real dest port is
admin_port or public_port. This is due to the incorrect logic in the stat
middleware.
For example, if public_port = 35000, admin_port = 5000, the first
judgement branch: "if str(CONF.admin_port) in host" in
StatsMiddleware::_resolve_api() would always return "True" whether the
host port number equals 5000 or 35000, so that the following judgement
branches would be incorrectly ignored.
Fixes bug #1189121
Change-Id: I1086b7d11f83dd218d66376f79747a1f720eb807
|
If using a load balancer before keystone and the port numbers were
different between the load balancer and keystone, too many stat warning logs
could be found in the logs. The root cause is the keystone servers' stat
logic getting the request host information, which points to the load balancer
IP address and port rather than their own IPs and ports.
Fixes bug #1189118
Change-Id: Ic837af77bc2509086c0e37194ba70b683f693ae5
|
Having enabled="true" in json data when updating tenant will produce 500
When updating a project, no type check was performed on the enabled
attribute. Therefore, if the enabled value in JSON/XML is not a boolean but
a string, keystone responds with an incorrect HTTP 500 error code and
the stacktrace.
The change introduces a type validation of the enabled attribute at
identity manager. If the type is not a boolean, keystone now returns an
appropriate HTTP 400 error code with a message pointing to a bad format for
the attribute.
Test cases have been added to file test_backend and test_content_types
for testing the case when the enabled attribute is a string or int when
updating a project.
Fixes bug #1191384
Change-Id: I86dd7e71d4bac1e3fd6fcabaa1a2136a47722e5f
|
Change-Id: Idbe625a32001b08e4e2c125d65397ba61ff58589
|
Change-Id: I5364d9d930ca0871bd839917b23ef3199eff3340
|
Also with this fix no need to skip get_project_users for LDAP.
Fixes bug1190286
Change-Id: I6ab6b4179c36d49b8a2eab1ea67ce0d6339751f5
|
Fixes bug1172801
Change-Id: Id2cdc5775bd1b6da03da1e50e84cfe60ada00314
|
Change-Id: I9f027065d4aeaa31fb45274d7664c3920ef40a13
|
kvs driver for tokens is not a production quality storage method.
The shortcomings of using kvs as storage driver for tokens:
1. It requires load balancer to persist connections to a single
keystone server by token.
2. The memory will grow out of control until token_flush is run.
3. At some point kvs lookups get very slow because there are millions
of keys in the dict.
4. Process restart invalidates all tokens.
Fixes: bug #1188370
Change-Id: Ic726e12d798b843412158a7b92f5e3e3a654811f
|
fixes: bug #1167593
Change-Id: Ie18fa17f16383f31d8aa083e69fa501d80eb4553
|
When issuing a new token, purge all expired tokens from the user's
token index list.
New Options:
* max_compare_and_set_retry:
The number of retries that will be attempted when performing
an update of the user_record or the revocation-list record.
This is relevant due to the use of CAS (compare and set)
function of the memcache client. This allows for multiple
keystone processes/wsgi/etc to run without worry of race
conditions clobbering the lists.
DocImpact - New Options.
Change-Id: I9441105b1e46982b0354bccbf8297daaaa1904b2
Fixes: bug #1171985
|
- Give extensions access to request headers in app context.
- Implements: blueprint allow-access-to-headers-for-extension.
Change-Id: I22bba172a8ceaba9260487666172586c45aa95d4
|
Drop foreign keys that point to user and group tables from
other tables. This is required to be able to split up the backends.
Blueprint extract-projects-from-id
Change-Id: Iea78ddca4ef5ea5ca1bb542cba81da8aefa95b6b
|
Correct the wrong naming used for domain controller in the configuration doc.
Fixes Bug1190647
Change-Id: I10b138f319b309db7c2747920ab5bd9e727a4557
|
The authentication code was using a common code path with
other LDAP code that got an LDAP connection. If the system
was configured to do Anonymous binding, users could bypass
the authentication check.
This patch forces the authentication code to do a simple_bind.
Change-Id: Id0c19f09d615446927db1ba074561b129329b5c8
|
Change-Id: Id4a8f285b380478705e5518440b7ed602e7757d4
|
* tox.ini: Set the coverage html output dir to {toxinidir}/cover so that
Jenkins can find it and upload the coverage to the log server.
Change-Id: I231485ce46b1ef91eb219e63552203b86d6d65c2
|
Some databases (e.g., DB2) would deadlock on migration 16 because a
lock was held on the domain table for an uncommitted alter and then
SQLAlchemy queried the domain table info in a separate transaction.
The fix is to commit the ALTER statements to release the lock so
that the domain table schema query will not block.
I've run this with sqlite, mysql, and postgresql and they all worked.
Part of fix for bug 1188785
Change-Id: Ic540a6cb09a0c525df7aaea55b64af96f0dd87c7
|
this gives end-users a clue that they also have to set
ca_key for using ssl certificates other than the default
place /etc/ssl.
Change-Id: I41c4118d02723730c0ba183add866a0e0fa67e7b
Fixes: Bug #1188956
|
This module appears to be unused.
Change-Id: Ia4c7cd337e15dc58785282c5165ad2dab8e2fa60