Commit message | Author | Age | Files | Lines
* Add support to delete keys and groups [shared-key-msg] | Simo Sorce | 2013-08-20 | 4 files | -0/+42
    Change-Id: I4bc853f436d6a906175830e0d7000847becadd92
* Add group key support | Simo Sorce | 2013-08-20 | 4 files | -21/+236
    A requestor asking for a key for a target identified as a group object will receive a group_key ticket.

    Group keys are temporary keys with a limited lifetime and are released together with a generation number. Multiple keys with different generation numbers may exist at the same time. When no valid keys are found or if the only valid key has less than 10 minutes of lifetime a new key is generated using the next available generation number. Generation numbers grow monotonically.

    Group keys can be retrieved using the get_group_key call only by requestors belonging to the group. A requestor is considered as belonging to a group if the first part of the name is the same as the group. Requestors must specify a valid generation number when requesting a group key. The generation number is used to create the destination name by postfixing it to the group name after a colon.

    Example:
      requestor:   scheduler.xyz.example.com
      destination: scheduler:123

    The requestor is considered part of the scheduler group and asks for a key of generation number 123. If that key exists it will be returned encrypted with the requestor's key.

    blueprint key-distribution-server
    Change-Id: I013ae466d626c0a4737d475e1b42b183a88dbe83
    Signed-off-by: Simo Sorce <simo@redhat.com>
* Initial KDS service | Simo Sorce | 2013-08-20 | 16 files | -1/+480
    The Key Distribution Service is used to register keys for services and distribute tickets to contact other services. The KDS is used to digitally sign and optionally encrypt messages sent over the message queue by the rpc modules.

    It implements the service described in this document:
    https://wiki.openstack.org/wiki/MessageSecurity#A_Key_Distribution_Server_in_Keystone

    blueprint key-distribution-server
    Change-Id: Ib47aca8f72623a07ff18f23d46d0af520e463fc9
    Signed-off-by: Simo Sorce <simo@redhat.com>
* Merge "Add support for API message localization" | Jenkins | 2013-08-18 | 6 files | -13/+153
* Add support for API message localization | Brant Knudson | 2013-08-14 | 6 files | -13/+153
    Add support for doing language resolution for a request, based on the Accept-Language HTTP header. Using the lazy gettext functionality from oslo gettextutils, it is possible to use the resolved language to translate an exception message to the user requested language and return that translation from the API.

    Co-authored-by: Luis A. Garcia <luis@linux.vnet.ibm.com>
    Co-authored-by: Mathew Odden <mrodden@us.ibm.com>
    Implements bp user-locale-api
    Change-Id: Id8e92a42039d2f0b01d5c2dada733d068b2bdfeb
* Merge "Add delegated_auth support for keystone" | Jenkins | 2013-08-17 | 30 files | -19/+2311
* Add delegated_auth support for keystone | Steve Martinelli | 2013-08-16 | 30 files | -19/+2311
    Implements an OAuth 1.0a service provider.

    blueprint: delegated-auth-via-oauth
    DocImpact
    SecurityImpact
    Change-Id: Ib5561593ab608f3b22fbcd7196e2171f95b735e8
* Fix LDAP Identity get user with user_enabled_mask | Brant Knudson | 2013-08-16 | 1 file | -2/+3
    Fetching users using the LDAP Identity backend would fail with KeyError: 'enabled' from _ldap_res_to_model when user_enabled_mask is not 0.

    Change-Id: I39a9606ba7210f0fea064abd6adad379218b432b
    Closes-Bug: #1210175
* Fix LDAP Identity with non-zero user_enabled_default | Brant Knudson | 2013-08-16 | 2 files | -2/+2
    The LDAP Identity backend was not properly using the user_enabled_default option as a string. This caused operations to fail with TypeError: unsupported operand type(s) for &: 'str' and 'int'

    Partial-Bug: #1210175
    Change-Id: I54931e669186871d18dea088870945b9de40d573
* More validation in test_user_enable_attribute_mask | Brant Knudson | 2013-08-16 | 1 file | -6/+37
    Validate the enabled attribute returned by create_user, update_user. Also, validate that the enabled attribute in the LDAP server is set.

    Change-Id: I78d194528ad4fd67fc35ca4d124f2e031d02d9cc
    Related-Bug: #1210175
* Merge "Implement domain specific Identity backends" | Jenkins | 2013-08-16 | 24 files | -412/+1050
* Implement domain specific Identity backends | Henry Nash | 2013-08-15 | 24 files | -412/+1050
    A common scenario in shared clouds will be that a cloud provider will want to be able to offer larger customers the ability to interface to their chosen identity provider. In the base case, this might well be their own corporate LDAP/AD directory. A cloud provider might also want smaller customers to have their identity managed solely within the OpenStack cloud, perhaps in a shared SQL database.

    This patch allows domain specific backends for identity objects (namely user and groups), which are specified by creation of a domain configuration file for each domain that requires its own backend.

    A side benefit of this change is that it clearly separates the backends into those that are domain-aware and those that are not, allowing, for example, the removal of domain validation from the LDAP identity backend.

    Implements bp multiple-ldap-servers
    DocImpact
    Change-Id: I489e8e50035f88eca4235908ae8b1a532645daab
* Merge "Clean hacking errors in advance of hacking update" | Jenkins | 2013-08-16 | 5 files | -11/+16
* Clean hacking errors in advance of hacking update | Monty Taylor | 2013-08-15 | 5 files | -11/+16
    The next patch syncs with global requirements, including an update to hacking. These fixes align the codebase with those new rules.

    Change-Id: I16e5a4ffa877fb46d2fb28d881642185c801b628
* Merge "Cleaned up a few old crufties from README" | Jenkins | 2013-08-16 | 1 file | -9/+4
* Cleaned up a few old crufties from README | Monty Taylor | 2013-08-15 | 1 file | -9/+4
    There's no need for a logo in the README. Also, the instructions for building the docs are just wrong.

    Change-Id: I17e98d9b91af0695a8091efd2a8d11407559766b
* Add unit test to check non-string password support | Edward Hope-Morley | 2013-08-15 | 1 file | -0/+9
    Non-string passwords from keystoneclient are converted but we are not testing it so adding in a test case for this.

    Co-authored-by: r-sekine <r-sekine@intellilink.co.jp>
    Fixes: bug #1210099
    Change-Id: I666e9e0b7ce10d6efed9d98aee0dac09cf2cd066
* Merge "Set wsgi startup log level to INFO" | Jenkins | 2013-08-16 | 1 file | -4/+4
* Set wsgi startup log level to INFO | Edward Hope-Morley | 2013-08-06 | 1 file | -4/+4
    Sets wsgi startup log to INFO so that it is still visible when log level is raised above DEBUG.

    Co-authored-by: Kanami Akama <k-akama@intellilink.co.jp>
    Fixes: bug #1208778
    Change-Id: I977f4ac6fc5e11710922dc607d5ce23a0cc74237
* Merge "Remove unused import" | Jenkins | 2013-08-16 | 1 file | -1/+0
* Remove unused import | Wu Wenxiang | 2013-08-15 | 1 file | -1/+0
    In file keystone/contrib/access/core.py, the webob module was never used after being imported in the module; removing it makes the code cleaner.

    Change-Id: I00725e3408c743489693bf6de66254c790dddb24
* Merge "Increase length of username in DB" | Jenkins | 2013-08-16 | 6 files | -7/+75
* Increase length of username in DB | Alvaro Lopez Garcia | 2013-08-15 | 6 files | -7/+75
    Length of username in database may be too short for X.509 DNs and 255 seems a sane value for it.

    Fixes bug #1081932
    Change-Id: Ie8f696845ea15d37cf13f3fe7978b22deac798b0
* Merge "update usage in run_test.sh for flake8" | Jenkins | 2013-08-15 | 1 file | -2/+3
* update usage in run_test.sh for flake8 | Kui Shi | 2013-08-12 | 1 file | -2/+3
    Update usage info for pep8 options

    Fixes bug #1210049
    Change-Id: I8895550f204bd8b37d3c035221b7554761debf85
* Merge "Cleaned up pluggable auth docs" | Jenkins | 2013-08-15 | 2 files | -34/+40
* Cleaned up pluggable auth docs | Joe Duhamel | 2013-08-15 | 2 files | -34/+40
    Change-Id: Iee859f13078287348211b54e3aeda704be6d8f20
* Merge "Refactor Keystone to use unified logging from Oslo" | Jenkins | 2013-08-15 | 41 files | -76/+71
* Refactor Keystone to use unified logging from Oslo | Lance Bragstad | 2013-08-15 | 41 files | -76/+71
    Modifications to use log from /keystone/openstack/common/log.py instead of /keystone/common/logging.py. This change also includes some refactoring to remove the WriteableLogger class from common/wsgi.py since that is already included in the unified logging sync from Oslo. This also moves fail_gracefully from /keystone/common/logging.py to service.py as it is only used within that module.

    blueprint unified-logging-in-keystone
    Change-Id: I24b319bd6cfe5e345ea903196188f2394f4ef102
* Merge "Revoke user tokens when disabling/delete a project" | Jenkins | 2013-08-15 | 4 files | -0/+127
* Revoke user tokens when disabling/delete a project | Chmouel Boudjnah | 2013-08-15 | 4 files | -0/+127
    - Revoke tokens scoped to all users from a project when disabling or deleting the project.
    - Tests provided by Dolph.

    Closes-Bug: #1179955
    Change-Id: I8ab4713d513b26ced6c37ed026cec9e2df78a5e9
    Signed-off-by: Chmouel Boudjnah <chmouel@enovance.com>
* Fix test_user_enable_attribute_mask so it actually tests | Brant Knudson | 2013-08-15 | 2 files | -1/+8
    test_user_enable_attribute_mask wasn't actually testing user_enable_attribute_mask because it didn't reload the backend after changing the config value.

    Change-Id: I9fa6bebe0c4b3d2afc1eb53867cf217b046b0210
    Related-Bug: #1210175
* Do not skip test_user_enable_attribute_mask in _ldap_livetest | Brant Knudson | 2013-08-15 | 1 file | -3/+0
    This test is usable with OpenLDAP and is useful for validation.

    Change-Id: Ie4da746a17d2ca545eb1125c1e7249620f0efbc0
    Related-Bug: #1210175
* Skip test_create_unicode_user_name in _ldap_livetest | Brant Knudson | 2013-08-15 | 1 file | -0/+3
    Live LDAP tests were not passing because this test doesn't work. This is being addressed with a different bug.

    Change-Id: Ic01aa505d867c1de30e2a1ed7c79ff1478e213ef
    Related-Bug: #1172106
    Related-Bug: #1210175
* Move 'tests' directory into 'keystone' package | Sascha Peilicke | 2013-08-14 | 82 files | -59/+54
    Similar to a range of other components (e.g. glance, nova, ...) and recent reviews by Monty. Running individual tests can be done like this:

      ./run_tests.sh keystone.tests.test_drivers

    Change-Id: I2482a48322150e5eb09b703326a94d8283f1c75b
* Merge "Sync notifier module from Oslo" | Jenkins | 2013-08-14 | 34 files | -6/+7351
* Sync notifier module from Oslo | Lance Bragstad | 2013-08-13 | 34 files | -6/+7351
    Pull in the common notifier from Oslo-incubator into Keystone. This only introduces the notifier module and its dependencies. This change is standalone and doesn't contain any code to implement notifications, just the initial sync.

    blueprint notifications
    Change-Id: If62d6012a92e944f3196dd20e6cdd3236e7ecae2
* Initial implementation of unified-logging | Lance Bragstad | 2013-08-13 | 2 files | -92/+9
    This is the base implementation of a unified logging solution for Keystone from Oslo-incubator. More work is still needed to refactor the rest of Keystone such that it is completely dependent on the implementation from Oslo and not the older keystone/common/logging.py implementation; this is also noted in keystone/common/config.py.

    blueprint unified-logging-in-keystone
    Change-Id: I711cbac8edd887c52114fb13327e37124ea86737
* Merge "Move Babel dependency from test-req to req" | Jenkins | 2013-08-13 | 2 files | -3/+1
* Move Babel dependency from test-req to req | Jan Provaznik | 2013-08-12 | 2 files | -3/+1
    Recent changes added an undeclared dependency on babel in keystone.openstack.common.gettextutils.

    Change-Id: I045195e056c555a293371b50cfc3d7ec0c110ba7
    Fixes: bug #1211270
* Merge "Add memcache to httpd doc." | Jenkins | 2013-08-13 | 1 file | -1/+11
* Add memcache to httpd doc. | Adam Young | 2013-08-09 | 1 file | -1/+11
    Bug 1170455

    Change-Id: Id2fc4f14d0c880160c2b6ef6c9922e23fb1cb8a6
* Merge "Make pki_setup work with OpenSSL 0.9.x" | Jenkins | 2013-08-13 | 1 file | -12/+24
* Make pki_setup work with OpenSSL 0.9.x | Dirk Mueller | 2013-08-07 | 1 file | -12/+24
    Support for "default" in default_md was only added in "recent" OpenSSL versions. Use sha1 (which is what "default" maps to anyway) for older openssl versions.

    Also sync the generated openssl config file with the defaults from OpenSSL 1.0 and newer.

    Fixes: LP Bug #1209249
    Change-Id: I4ba79dbfdfc2df81cfb0f1edde23d3fbc1384637
* Merge "Drop extra credential indexes" | Jenkins | 2013-08-13 | 3 files | -5/+58
* Drop extra credential indexes | Elena Ezhova | 2013-08-12 | 3 files | -5/+58
    For mysql ForeignKey constraints were removed but the fields stayed as indexes. This migration drops them.

    bp db-sync-models-with-migrations
    Change-Id: I3baeac4047cd65ac5d7733ba909c45d0874f17d8
* Merge "Sync models with migrations" | Jenkins | 2013-08-12 | 5 files | -10/+19
* Sync models with migrations | Elena Ezhova | 2013-08-12 | 5 files | -10/+19
    This patch syncs models with migrations for:
    - Endpoint
    - CredentialModel
    - TokenModel
    - TrustModel

    No actual schema change is taking place, this patch just corrects errors in the model definitions.

    Made class Index available in keystone.common.sql.core

    partially implements bp db-sync-models-with-migrations
    Change-Id: I52f5c455360b65a2d5d884bbbec078dca6d34451
* Merge "Run test_mask_password once" | Jenkins | 2013-08-10 | 1 file | -31/+33
* Run test_mask_password once | Brant Knudson | 2013-08-01 | 1 file | -31/+33
    The test_mask_password test doesn't have to run 4 times.

    Change-Id: If82e8f22d2594dbdf237e9cbe9eba5b944fb2663