| Commit message (Collapse) | Author | Age | Files | Lines |
| |
Brings token binding to keystone server. There are a number of places
where the location or hardcoding of binding checks are not optimal;
however, fixing them will require having a proper authentication plugin
scheme, so just assume that they will be moved when that happens.
DocImpact
Implements: blueprint authentication-tied-to-token
Change-Id: Ib34e5e0b6bd83837f6addbd45d4c5b828ce2f3bd
| |
Modified the token_factory to create token responses with
or without the catalog entry.
blueprint catalog-optional
Change-Id: Icdc4400f08f4619a19e44129c78240800a3a1e75
| |
Just add some sensible defaults to places where XML parses, for example,
an empty dictionary as an empty string. Also 'access' shouldn't be
considered a plural.
Change-Id: I9fb2c4f5c32ed8c2ce8ba4038caaae39590f8c1a
| |
Select the code to handle REMOTE_USER based on a config file option.
Fixes the REMOTE_USER logic to get the domain name from
REALM, which is the least surprise option.
Disregards the auth_data passed in, as we should be using REMOTE_USER
to get the user name.
External Plugin is now executed in conjunction with the auth methods,
as opposed to in place of them.
DocImpact
blueprint pluggable-remote-user
Change-Id: I9dda6dbe073f03806bdf539db6faa01644109f1c
| |
Abstract V3 token provider backend to make token provider pluggable. It enables
deployers to customize token management to add their own capabilities.
Token provider is responsible for issuing, checking, validating, and
revoking tokens. Note the distinction between token 'driver' and 'provider'.
Token 'driver' simply provides token persistence. It does not issue or
interpret tokens.
Token provider is specified by the 'provider' property in the '[token]'
section of the Keystone configuration file.
Partially implemented blueprint pluggable-token-format.
This patch also fixes bug 1186061.
Change-Id: I755fb850765ea99e5237626a2e645e6ceb42a9d3
| |
We don't have a use case for passing the request context to the manager
layer, so this patch removes a bunch of cruft.
Change-Id: Ic6435782c4c9f32e38c7800172645cc1af23ea09
| |
Raising a NEW exception is bad practice, because we lose the TraceBack.
So all places like:
    except SomeException as e:
        raise e
should be replaced by
    except SomeException:
        raise
If we are doing some other actions before reraising, we should
store information about the exception, then do all actions and then
reraise it. This is caused by an eventlet bug. It loses information
about the exception if it switches threads.
fixes bug 1191730
Change-Id: I8dffc36ba5780911dd57d7161d218d0324af60b3
| |
The environment module will be configured once, during code initialization.
Subsequently all other possibly-evented modules will retrieve from
environment and transparently obtain either the eventlet or standard
library modules.
If eventlet, httplib, subprocess or other environment dependent module
is referenced outside of the environment module it should be considered
a bug.
The changes to tests are required to ensure that test is imported first
to set up the environment. Hopefully these can all be replaced with an
__init__.py in a post-nose keystone.
Implements: blueprint extract-eventlet
Change-Id: Icacd6f2ee0906ac5d303777c1f87a184f38283bf
| |
- docstring should not start with a space (flake8 H401)
- one line docstring needs punctuation (flake8 H402)
- multi line docstring end on new line (flake8 H403)
- multi line docstring should start with a summary (flake8 H404)
Change-Id: I69b414395930bda739aa01b785ac619fa8bb7d9b
| |
Change-Id: I0f6c5fc27b0bb2da553e9345a8ac4949ce46e685
| |
Change-Id: Ic47bdd61d9818f203a88ae16f97c2b61b1c1bd8c
| |
Change-Id: I716a6b61c2b3faaa23cc79f58c6c6e01cfc232f2
| |
- Removed unused imports
- Ignore wildcard and unused imports from core modules (and avoid
wildcard imports otherwise) to __init__ modules
Change-Id: Ie2e5f61ae37481f5d248788cfd83dc92ffddbd91
| | |
keystone.auth.controllers.AuthInfo's get_method_data() referenced
a variable that was not defined.
Change-Id: I4171453d5e9843501052c9e395273976255342ad
| | |
Change-Id: Ief6534ee25a83027979d92c9ce3a92e0ea28c07c
| |
Make sure we pick up CONF.auth.methods from configuration
files. Added a test case to make sure we don't regress.
Fixes LP# 1157515
Change-Id: I70290c37b2a5378b5247a14e3bfa20d50bf8fe74
| |
related bug:
https://bugs.launchpad.net/keystone/+bug/1159987
Change-Id: I98e1b71d5b7de7867945294ebd569efd2cd7314b
| |
Change trust extension from RH-TRUST to OS-TRUST so that the namespace
being used is for OpenStack, as opposed to a contributing company. This
is also more consistent with namespacing used in other OpenStack APIs.
Some additional discussion about this is in this thread:
http://lists.openstack.org/pipermail/openstack-dev/2013-March/006876.html
Change-Id: I0fd869abe0f527c899808a4dde19dbd1fb6f32cd
| |
Change-Id: I32b32fc5df8d8483ae8e99067f0655c13c6f520b
| |
Change-Id: I76ab6ddac70cccece46bc36d7592d840599c893b
| |
Ensure that we validate the domain status of user/project for
a user authenticating via the v2 API.
This patch builds on the initial functional change done by Dolph,
and fixes up the tests that broke due to domain being required in
any tests that set up data directly in the backends.
Fixes Bug #1130236
Change-Id: I66dfd453fb95fa4fa3fde713b663386a2c2ecdf8
| |
Make sure we check for tenant_ref before referencing it.
Change-Id: If7918c0a9b2e99f8555e902e89166c6542105209
| |
These fields are used for queries, and may need to be indexed.
Also moves the delete token for... functions into the base class
for controllers.
Removed the token API revoke token call as that needed access to other
APIs. Logic was moved into the controller.
Bug 1152801
Change-Id: I59c360fe5aef905dfa30cb55ee54ff1fbe64dc58
| | |
Consolidate the 'auth' method option registration
in config.py.
This makes it so we don't have to catch Exceptions when the
default 'auth' options are registered twice and avoids some
log WARNING messages as well.
Fixes LP Bug #1154406.
Change-Id: I301328ec3ec4823dd7fbec1e639e2841516352e5
| |
Change-Id: I60b3555e032a126554a57bf5ef7a2e636cf9f5db
| | |
Change-Id: I1eff618d1e6cef2eb10ae7e737b0ca0beaca1d4d
| | |
If openssl returns with a command line error (3), we assume
the PKI certificate is not properly installed. Added
'try ... except' blocks to cms_sign_text and cms_sign_token
calls.
Fixes: bug #1103569
Change-Id: Iad98738e990d3ab1ec0d0015840d76cf948ae560
| | |
correct status code from 200 Ok to 201 Created for v3 POST requests.
Fixes: bug #1131119
Change-Id: Iabeb6daf677e0f34defdef5e58d87229fc90346f
| |
Change-Id: I8c72ee99695b0c039a91f807a13a832ce2c3ff74
| |
Blueprint trusts
creates a trust. Using a trust, one user (the trustee), can then
create tokens with a subset of another user's (the trustor) roles and
projects.
If the impersonate flag in the trust is set, the token user_id is set
to the trustor's user ID.
If the impersonate flag is not set, the token's user_id is set to the
trustee's user ID.
check that both trustor and trustee are enabled prior to creating
the trust token.
sql and kvs backends
sql upgrade scripts
unit tests for backends, auth and v3 api
modifications to the trust controller for creating tokens
Authenticates that only user can be trustor in create
Deleting a trust invalidates all tokens created from that trust
Adds the trust id and the id of the trustee to the header of the token
policy rules for trust
This version has a workaround for testing against the KVS version
of the Service catalog
Change-Id: I5745f4d9a4180b59671a143a55ed87019e98ec76
| |
Notice we have to use fraction of second precision to prevent PKI token ID
overlap.
Change-Id: Icfc192c08ab5b4db02547ef6f077fa7f32210835
| |
Change-Id: I4408b3e6e0752ca75bc36399f5148890820e9a89
| |
- Fixes bug 1131292: catalog returned with unscoped tokens
- Fixes bug 1131294: X-Subject-Token not returned on token validation
Change-Id: I1808613f276354e2a37cf8c154b55509a2888d89
| |
Implement domain-scoping functionality for v3 auth API
Change-Id: Id5e935735a43fefee10a36d9d691578871ba7fcb
|
Also implemented the following:
blueprint pluggable-identity-authentication-handlers
blueprint stop-ids-in-uris
blueprint multi-factor-authn (just the plumbing)
What's missing?
* domain scoping (will be implemented by Henry?)
Change-Id: I191c0b2cb3367b2a5f8a2dc674c284bb13ea97e3