path: root/keystone/auth
Commit log for keystone/auth (commit message, author, date, files changed, lines removed/added)
* Add delegated_auth support for keystone
  Steve Martinelli, 2013-08-16, 3 files, -3/+88
  Implements an OAuth 1.0a service provider.
  blueprint: delegated-auth-via-oauth
  DocImpact
  SecurityImpact
  Change-Id: Ib5561593ab608f3b22fbcd7196e2171f95b735e8
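To make concrete what an OAuth 1.0a service provider has to check on every signed request, here is an added example that is not part of the Keystone change above and not Keystone's code: RFC 5849 signature base string construction, HMAC-SHA1 signing, and a server-side verifier that does a constant-time signature comparison, a timestamp window check and nonce replay detection. The endpoint URL, consumer key, secrets and request parameters are constructed for illustration.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters stay bare."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """Build the RFC 5849 section 3.4.1 signature base string.

    params is a list of (key, value) pairs taken from the Authorization header
    and/or form body; query-string parameters are merged in from the URL.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    if parts.port and (scheme, parts.port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{parts.port}"
    base_url = f"{scheme}://{host}{parts.path}"
    merged = list(params) + parse_qsl(parts.query, keep_blank_values=True)
    # oauth_signature itself is never part of the signed material
    pairs = sorted((pct(k), pct(v)) for k, v in merged if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """RFC 5849 section 3.4.2: base64(HMAC-SHA1(key, base string))."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


class ServiceProvider:
    """Minimal server-side verifier (hypothetical; not Keystone's implementation)."""

    def __init__(self, consumers, tokens=None, window_seconds=300):
        self.consumers = consumers          # consumer_key -> consumer_secret
        self.tokens = tokens or {}          # oauth_token -> token_secret
        self.window = window_seconds
        self.seen_nonces = set()            # (consumer_key, timestamp, nonce)

    def verify(self, method, url, params, now=None):
        p = dict(params)
        now = time.time() if now is None else now
        try:
            consumer_key = p["oauth_consumer_key"]
            presented = p["oauth_signature"]
            timestamp = int(p["oauth_timestamp"])
            nonce = p["oauth_nonce"]
        except (KeyError, ValueError):
            return False
        if p.get("oauth_signature_method") != "HMAC-SHA1":
            return False                    # never fall back to PLAINTEXT
        consumer_secret = self.consumers.get(consumer_key)
        if consumer_secret is None:
            return False
        token_secret = ""
        if "oauth_token" in p:
            token_secret = self.tokens.get(p["oauth_token"])
            if token_secret is None:
                return False
        if abs(now - timestamp) > self.window:
            return False                    # stale or future-dated request
        replay_key = (consumer_key, timestamp, nonce)
        if replay_key in self.seen_nonces:
            return False                    # replayed request
        expected = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
        if not hmac.compare_digest(expected.encode(), presented.encode()):
            return False
        self.seen_nonces.add(replay_key)    # only burn the nonce on success
        return True


# Constructed sample request (hypothetical endpoint and credentials).
REQUEST_URL = "https://identity.example.test/v3/request_token"
CONSUMER_KEY, CONSUMER_SECRET = "consumer-1", "consumer-secret"


def signed_request(timestamp=1700000000, nonce="nonce-1"):
    params = [
        ("oauth_consumer_key", CONSUMER_KEY),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", str(timestamp)),
        ("oauth_nonce", nonce),
        ("oauth_version", "1.0"),
        ("requested_project_id", "proj-42"),
    ]
    sig = hmac_sha1_signature("POST", REQUEST_URL, params, CONSUMER_SECRET)
    return params + [("oauth_signature", sig)]


if __name__ == "__main__":
    sp = ServiceProvider({CONSUMER_KEY: CONSUMER_SECRET})
    req = signed_request()
    print("first use:", sp.verify("POST", REQUEST_URL, req, now=1700000000))
    print("replay:", sp.verify("POST", REQUEST_URL, req, now=1700000000))
```

The nonce is recorded only after the signature verifies, so an attacker cannot burn a legitimate consumer's nonce by sending a forged request ahead of it; a production provider would also expire old nonces and store them outside the process.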
* Merge "Implement domain specific Identity backends"
  Jenkins, 2013-08-16, 1 file, -1/+3
* Implement domain specific Identity backends
  Henry Nash, 2013-08-15, 1 file, -1/+3
  A common scenario in shared clouds will be that a cloud provider will want to be able to offer larger customers the ability to interface to their chosen identity provider. In the base case, this might well be their own corporate LDAP/AD directory. A cloud provider might also want smaller customers to have their identity managed solely within the OpenStack cloud, perhaps in a shared SQL database.
  This patch allows domain specific backends for identity objects (namely users and groups), which are specified by creation of a domain configuration file for each domain that requires its own backend.
  A side benefit of this change is that it clearly separates the backends into those that are domain-aware and those that are not, allowing, for example, the removal of domain validation from the LDAP identity backend.
  Implements bp multiple-ldap-servers
  DocImpact
  Change-Id: I489e8e50035f88eca4235908ae8b1a532645daab
* Merge "Cleaned up pluggable auth docs"
  Jenkins, 2013-08-15, 2 files, -34/+40
* Cleaned up pluggable auth docs
  Joe Duhamel, 2013-08-15, 2 files, -34/+40
  Change-Id: Iee859f13078287348211b54e3aeda704be6d8f20
* Refactor Keystone to use unified logging from Oslo
  Lance Bragstad, 2013-08-15, 3 files, -3/+3
  Modifications to use log from /keystone/openstack/common/log.py instead of /keystone/common/logging.py. This change also includes some refactoring to remove the WriteableLogger class from common/wsgi.py since that is already included in the unified logging sync from Oslo. This also moves fail_gracefully from /keystone/common/logging.py to service.py as it is only used within that module.
  blueprint unified-logging-in-keystone
  Change-Id: I24b319bd6cfe5e345ea903196188f2394f4ef102
* Implement Token Binding.
  Jamie Lennox, 2013-07-17, 3 files, -1/+10
  Brings token binding to keystone server. There are a number of places where the location or hardcoding of binding checks is not optimal; however, fixing them will require having a proper authentication plugin scheme, so just assume that they will be moved when that happens.
  DocImpact
  Implements: blueprint authentication-tied-to-token
  Change-Id: Ib34e5e0b6bd83837f6addbd45d4c5b828ce2f3bd
* Implemented token creation without catalog response.
  Fabio Giannetti, 2013-07-17, 1 file, -1/+5
  Modified the token_factory to create token responses with or without the catalog entry.
  blueprint catalog-optional
  Change-Id: Icdc4400f08f4619a19e44129c78240800a3a1e75
* Fix XML rendering with empty auth payload.
  Jamie Lennox, 2013-07-17, 1 file, -1/+1
  Just add some sensible defaults to places where XML parses, for example, an empty dictionary as an empty string. Also 'access' shouldn't be considered a plural.
  Change-Id: I9fb2c4f5c32ed8c2ce8ba4038caaae39590f8c1a
* Pluggable Remote User
  Adam Young, 2013-07-17, 2 files, -20/+82
  Select the code to handle REMOTE_USER based on a config file option.
  Fixes the REMOTE_USER logic to get the domain name from REALM, which is the least-surprise option.
  Disregards the auth_data passed in, as we should be using REMOTE_USER to get the user name.
  External Plugin is now executed in conjunction with the auth methods, as opposed to in place of them.
  DocImpact
  blueprint pluggable-remote-user
  Change-Id: I9dda6dbe073f03806bdf539db6faa01644109f1c
* Implements Pluggable V3 Token Provider
  Guang Yee, 2013-07-12, 4 files, -410/+58
  Abstract V3 token provider backend to make token provider pluggable. It enables deployers to customize token management to add their own capabilities. Token provider is responsible for issuing, checking, validating, and revoking tokens.
  Note the distinction between token 'driver' and 'provider'. Token 'driver' simply provides token persistence. It does not issue or interpret tokens.
  Token provider is specified by the 'provider' property in the '[token]' section of the Keystone configuration file.
  Partially implemented blueprint pluggable-token-format. This patch also fixes bug 1186061.
  Change-Id: I755fb850765ea99e5237626a2e645e6ceb42a9d3
* Stop passing context to managers (bug 1194938)
  Dolph Mathews, 2013-06-28, 4 files, -58/+38
  We don't have a use case for passing the request context to the manager layer, so this patch removes a bunch of cruft.
  Change-Id: Ic6435782c4c9f32e38c7800172645cc1af23ea09
* Do not raise NEW exceptions
  Sergey Vilgelm, 2013-06-24, 1 file, -4/+5
  Raising a NEW exception is bad practice, because we lose the traceback. So all places like:
      except SomeException as e:
          raise e
  should be replaced by
      except SomeException:
          raise
  If we are doing some other actions before reraising, we should store information about the exception, then do all actions and then reraise it.
  This is caused by an eventlet bug. It loses information about the exception if it switches threads.
  fixes bug 1191730
  Change-Id: I8dffc36ba5780911dd57d7161d218d0324af60b3
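The difference the commit describes, shown as an added example that is not code from the change itself. On Python 3, `raise e` inside an except block pushes the handler's own frame onto the traceback, so the trace reads as if the failure started in the except clause while the original frames are kept as a duplicate tail; on Python 2, which Keystone targeted at the time, the original traceback was discarded entirely. A bare `raise` re-raises the active exception without touching the traceback, and the third function shows the pattern the message recommends: do the other work first, then re-raise. The function names and the failure inside `_fail` are illustrative.

```python
import traceback


def _fail():
    # Stand-in for a backend call that fails (constructed for the example).
    raise ValueError("backend unavailable")


def reraise_by_name():
    """Anti-pattern: 'raise e' adds this handler's frame to the traceback."""
    try:
        _fail()
    except ValueError as e:
        raise e


def reraise_bare():
    """Recommended: a bare 'raise' re-raises the active exception untouched."""
    try:
        _fail()
    except ValueError:
        raise


CLEANUP_LOG = []


def reraise_after_cleanup():
    """Do other work first, then re-raise; the trace still starts at _fail."""
    try:
        _fail()
    except ValueError as e:
        CLEANUP_LOG.append(f"rolling back after {type(e).__name__}")
        raise


def frames_of(fn):
    """Return the function names on the traceback produced by calling fn()."""
    try:
        fn()
    except ValueError as e:
        return [frame.name for frame in traceback.extract_tb(e.__traceback__)]
    return []


if __name__ == "__main__":
    for fn in (reraise_by_name, reraise_bare, reraise_after_cleanup):
        print(fn.__name__, "->", " / ".join(frames_of(fn)))
```

The anti-pattern shows up as the handler function appearing twice in the trace (once at the `raise e` line, once at the original call), which is the frame a reader chasing an authentication failure through logs will be misled by.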
* Isolate eventlet code into environment.
  Jamie Lennox, 2013-06-18, 1 file, -2/+2
  The environment module will be configured once, during code initialization. Subsequently all other possibly-evented modules will retrieve from environment and transparently obtain either the eventlet or standard library modules.
  If eventlet, httplib, subprocess or another environment-dependent module is referenced outside of the environment module it should be considered a bug.
  The changes to tests are required to ensure that test is imported first to set up the environment. Hopefully these can all be replaced with an __init__.py in a post-nose keystone.
  Implements: blueprint extract-eventlet
  Change-Id: Icacd6f2ee0906ac5d303777c1f87a184f38283bf
* Cleanup docstrings (flake8 H401, H402, H403, H404)
  Dolph Mathews, 2013-05-24, 3 files, -12/+12
  - docstring should not start with a space (flake8 H401)
  - one line docstring needs punctuation (flake8 H402)
  - multi line docstring end on new line (flake8 H403)
  - multi line docstring should start with a summary (flake8 H404)
  Change-Id: I69b414395930bda739aa01b785ac619fa8bb7d9b
* imports not in alphabetical order (flake8 H306)
  Dolph Mathews, 2013-05-24, 5 files, -10/+8
  Change-Id: I0f6c5fc27b0bb2da553e9345a8ac4949ce46e685
* Use TODO(NAME) (flake8 H101)
  Dolph Mathews, 2013-05-23, 3 files, -4/+4
  Change-Id: Ic47bdd61d9818f203a88ae16f97c2b61b1c1bd8c
* Remove unused variables (flake8 F841)
  Dolph Mathews, 2013-05-23, 1 file, -1/+1
  Change-Id: I716a6b61c2b3faaa23cc79f58c6c6e01cfc232f2
* Satisfy flake8 import rules F401 and F403
  Dolph Mathews, 2013-05-23, 1 file, -1/+2
  - Removed unused imports
  - Ignore wildcard and unused imports from core modules (and avoid wildcard imports otherwise) to __init__ modules
  Change-Id: Ie2e5f61ae37481f5d248788cfd83dc92ffddbd91
* Merge "clean up invalid variable reference"
  Jenkins, 2013-04-23, 1 file, -1/+1
* clean up invalid variable reference
  Brant Knudson, 2013-04-08, 1 file, -1/+1
  keystone.auth.controllers.AuthInfo's get_method_data() referenced a variable that was not defined.
  Change-Id: I4171453d5e9843501052c9e395273976255342ad
* Removed unused imports
  Dolph Mathews, 2013-04-16, 2 files, -2/+0
  Change-Id: Ief6534ee25a83027979d92c9ce3a92e0ea28c07c
* Fix for configuring non-default auth plugins properly
  Davanum Srinivas, 2013-04-09, 1 file, -0/+1
  Make sure we pick up CONF.auth.methods from configuration files. Added a test case to make sure that we don't regress.
  Fixes LP# 1157515
  Change-Id: I70290c37b2a5378b5247a14e3bfa20d50bf8fe74
* use the roles in the token when recreating
  termie, 2013-03-25, 1 file, -10/+60
  related bug: https://bugs.launchpad.net/keystone/+bug/1159987
  Change-Id: I98e1b71d5b7de7867945294ebd569efd2cd7314b
* Rename trust extension.
  Russell Bryant, 2013-03-22, 2 files, -5/+5
  Change trust extension from RH-TRUST to OS-TRUST so that the namespace being used is for OpenStack, as opposed to a contributing company. This is also more consistent with namespacing used in other OpenStack APIs.
  Some additional discussion about this is in this thread: http://lists.openstack.org/pipermail/openstack-dev/2013-March/006876.html
  Change-Id: I0fd869abe0f527c899808a4dde19dbd1fb6f32cd
* Move trusts to extension
  Dolph Mathews, 2013-03-21, 2 files, -5/+6
  Change-Id: I32b32fc5df8d8483ae8e99067f0655c13c6f520b
* Allow trusts to be optional
  Dolph Mathews, 2013-03-20, 2 files, -9/+9
  Change-Id: I76ab6ddac70cccece46bc36d7592d840599c893b
* Validate domains unconditionally (bug 1130236)
  Dolph Mathews, 2013-03-19, 1 file, -0/+3
  Ensure that we validate the domain status of user/project for a user authenticating via the v2 API.
  This patch builds on the initial functional change done by Dolph, and fixes up the tests that broke due to domain being required in any tests that set up data directly in the backends.
  Fixes Bug #1130236
  Change-Id: I66dfd453fb95fa4fa3fde713b663386a2c2ecdf8
* V2, V3 token intermix for unscoped tokens (bug 1156913)
  Guang Yee, 2013-03-18, 1 file, -1/+1
  Make sure we check for tenant_ref before referencing it.
  Change-Id: If7918c0a9b2e99f8555e902e89166c6542105209
* extracting user and trust ids into normalized fields
  Adam Young, 2013-03-15, 1 file, -1/+2
  These fields are used for queries, and may need to be indexed.
  Also moves the delete token for... functions into the base class for controllers.
  Removed the token API revoke token call as that needed access to other APIs. Logic was moved into the controller.
  Bug 1152801
  Change-Id: I59c360fe5aef905dfa30cb55ee54ff1fbe64dc58
* Merge "Remove duplicate password/token opts."
  Jenkins, 2013-03-15, 1 file, -9/+0
* Remove duplicate password/token opts.
  Dan Prince, 2013-03-14, 1 file, -9/+0
  Consolidate the 'auth' method option registration in config.py. This makes it so we don't have to catch Exceptions when the default 'auth' options are registered twice and avoids some log WARNING messages as well.
  Fixes LP Bug #1154406.
  Change-Id: I301328ec3ec4823dd7fbec1e639e2841516352e5
* No parent exception to wrap
  Adam Young, 2013-03-15, 1 file, -1/+1
  Change-Id: I60b3555e032a126554a57bf5ef7a2e636cf9f5db
* Merge "cleanup trusts in controllers"
  Jenkins, 2013-03-12, 1 file, -2/+2
* cleanup trusts in controllers
  Adam Young, 2013-03-06, 1 file, -2/+2
  Change-Id: I1eff618d1e6cef2eb10ae7e737b0ca0beaca1d4d
* Merge "unable to load certificate should abort request"
  Jenkins, 2013-03-08, 1 file, -5/+10
* unable to load certificate should abort request
  David Höppner, 2013-03-06, 1 file, -5/+10
  If openssl returns with a command line error (3), we assume the PKI certificate is not properly installed. Added 'try ... except' blocks to cms_sign_text and cms_sign_token calls.
  Fixes: bug #1103569
  Change-Id: Iad98738e990d3ab1ec0d0015840d76cf948ae560
* return 201 Created on POST request (bug1131119)
  Gordon Chung, 2013-03-07, 2 files, -4/+9
  correct status code from 200 Ok to 201 Created for v3 POST requests.
  Fixes: bug #1131119
  Change-Id: Iabeb6daf677e0f34defdef5e58d87229fc90346f
* Move auth plugins to 'keystone.auth.plugins' (bug 1136967)
  Dolph Mathews, 2013-03-06, 3 files, -0/+0
  Change-Id: I8c72ee99695b0c039a91f807a13a832ce2c3ff74
* Trusts
  Adam Young, 2013-03-05, 3 files, -47/+131
  Blueprint trusts creates a trust. Using a trust, one user (the trustee) can then create tokens with a subset of another user's (the trustor) roles and projects.
  If the impersonate flag in the trust is set, the token user_id is set to the trustor's user ID. If the impersonate flag is not set, the token's user_id is set to the trustee's user ID.
  Check that both trustor and trustee are enabled prior to creating the trust token.
  - sql and kvs backends
  - sql upgrade scripts
  - unit tests for backends, auth and v3 api
  - modifications to the trust controller for creating tokens
  - Authenticates that only user can be trustor in create
  - Deleting a trust invalidates all tokens created from that trust
  - Adds the trust id and the id of the trustee to the header of the token
  - policy rules for trust
  This version has a workaround for testing against the KVS version of the Service catalog.
  Change-Id: I5745f4d9a4180b59671a143a55ed87019e98ec76
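The delegation rules listed in the commit message, as an added example that models them in Python (not Keystone's own code): only the trustor can create a trust, a trust token carries only roles that are a subset of what the trustor holds (re-checked at issuance, so roles removed later never leak), the impersonate flag decides which user_id the token names, a disabled trustor or trustee blocks issuance, the token records the trust id and trustee id, and deleting the trust revokes every token issued from it. The rule that only a party to the trust may delete it is an assumption, as are all user, project and role identifiers in the fixture.

```python
import uuid


class TrustError(Exception):
    """Raised when a trust operation violates one of the delegation rules."""


class TrustRegistry:
    """Hypothetical in-memory model of trusts and trust-scoped tokens."""

    def __init__(self, users, assignments):
        self.users = users                # user_id -> {"enabled": bool}
        self.assignments = assignments    # (user_id, project_id) -> set of role names
        self.trusts = {}                  # trust_id -> trust record
        self.tokens = {}                  # token_id -> token record

    def _roles_held(self, user_id, project_id):
        return self.assignments.get((user_id, project_id), set())

    def create_trust(self, caller_id, trustor_id, trustee_id, project_id, roles, impersonation):
        if caller_id != trustor_id:
            raise TrustError("only the trustor can create a trust on their own behalf")
        if not set(roles) <= self._roles_held(trustor_id, project_id):
            raise TrustError("cannot delegate roles the trustor does not hold")
        trust_id = uuid.uuid4().hex
        self.trusts[trust_id] = {
            "id": trust_id, "trustor_user_id": trustor_id, "trustee_user_id": trustee_id,
            "project_id": project_id, "roles": set(roles), "impersonation": impersonation,
        }
        return trust_id

    def issue_trust_token(self, caller_id, trust_id):
        trust = self.trusts.get(trust_id)
        if trust is None:
            raise TrustError("unknown trust")
        if caller_id != trust["trustee_user_id"]:
            raise TrustError("only the trustee can consume a trust")
        for user_id in (trust["trustor_user_id"], trust["trustee_user_id"]):
            if not self.users.get(user_id, {}).get("enabled", False):
                raise TrustError(f"user {user_id} is disabled")
        # Re-check at issuance time so roles the trustor lost after the trust
        # was created never end up in a token.
        if not trust["roles"] <= self._roles_held(trust["trustor_user_id"], trust["project_id"]):
            raise TrustError("trustor no longer holds all delegated roles")
        token_id = uuid.uuid4().hex
        self.tokens[token_id] = {
            "id": token_id,
            # impersonation decides whose user_id the token names
            "user_id": trust["trustor_user_id"] if trust["impersonation"] else trust["trustee_user_id"],
            "project_id": trust["project_id"],
            "roles": set(trust["roles"]),
            "trust_id": trust_id,
            "trustee_user_id": trust["trustee_user_id"],
            "revoked": False,
        }
        return token_id

    def delete_trust(self, caller_id, trust_id):
        """Remove the trust and revoke every token issued from it; returns the count."""
        trust = self.trusts.get(trust_id)
        if trust is None:
            raise TrustError("unknown trust")
        if caller_id not in (trust["trustor_user_id"], trust["trustee_user_id"]):
            raise TrustError("not a party to this trust")   # assumed policy
        del self.trusts[trust_id]
        revoked = 0
        for token in self.tokens.values():
            if token["trust_id"] == trust_id and not token["revoked"]:
                token["revoked"] = True
                revoked += 1
        return revoked

    def validate_token(self, token_id):
        token = self.tokens.get(token_id)
        if token is None or token["revoked"] or token["trust_id"] not in self.trusts:
            return None
        return token


def rejected(action, *args, **kwargs):
    """True if the action is refused with TrustError."""
    try:
        action(*args, **kwargs)
    except TrustError:
        return True
    return False


def build_registry():
    """Constructed fixture: alice holds admin+member on proj-1; carol is disabled."""
    users = {"alice": {"enabled": True}, "bob": {"enabled": True}, "carol": {"enabled": False}}
    assignments = {("alice", "proj-1"): {"admin", "member"}}
    return TrustRegistry(users, assignments)
```

Validation checks both the token's own revoked flag and that the trust still exists, so a token that survived a missed revocation sweep is still refused once its trust is gone.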
* bug 1134802: fix inconsistent format for expires_at and issued_at
  Guang Yee, 2013-03-05, 2 files, -15/+20
  Notice we have to use fraction-of-second precision to prevent PKI token ID overlap.
  Change-Id: Icfc192c08ab5b4db02547ef6f077fa7f32210835
* bug 1131840: fix auth and token data for XML translation
  Guang Yee, 2013-02-26, 4 files, -40/+42
  Change-Id: I4408b3e6e0752ca75bc36399f5148890820e9a89
* Tests for domain-scoped tokens
  Dolph Mathews, 2013-02-21, 2 files, -10/+12
  - Fixes bug 1131292: catalog returned with unscoped tokens
  - Fixes bug 1131294: X-Subject-Token not returned on token validation
  Change-Id: I1808613f276354e2a37cf8c154b55509a2888d89
* domain-scoping
  Guang Yee, 2013-02-20, 1 file, -2/+16
  Implement domain-scoping functionality for v3 auth API
  Change-Id: Id5e935735a43fefee10a36d9d691578871ba7fcb
* v3 token API
  Guang Yee, 2013-02-20, 8 files, -0/+934
  Also implemented the following:
  blueprint pluggable-identity-authentication-handlers
  blueprint stop-ids-in-uris
  blueprint multi-factor-authn (just the plumbing)
  What's missing?
  - domain scoping (will be implemented by Henry?)
  Change-Id: I191c0b2cb3367b2a5f8a2dc674c284bb13ea97e3