| Commit message (Collapse) | Author | Age | Files | Lines |
Add support for doing language resolution for a request, based on the
Accept-Language HTTP header.
Using the lazy gettext functionality from oslo gettextutils, it is
possible to use the resolved language to translate an exception message
to the user requested language and return that translation from the API.
Co-authored-by: Luis A. Garcia <luis@linux.vnet.ibm.com>
Co-authored-by: Mathew Odden <mrodden@us.ibm.com>
Implements bp user-locale-api
Change-Id: Id8e92a42039d2f0b01d5c2dada733d068b2bdfeb
|
Implements an OAuth 1.0a service provider.
blueprint: delegated-auth-via-oauth
DocImpact
SecurityImpact
Change-Id: Ib5561593ab608f3b22fbcd7196e2171f95b735e8
|
A common scenario in shared clouds will be that a cloud provider will
want to be able to offer larger customers the ability to interface to
their chosen identity provider. In the base case, this might well be
their own corporate LDAP/AD directory. A cloud provider might also
want smaller customers to have their identity managed solely
within the OpenStack cloud, perhaps in a shared SQL database.
This patch allows domain specific backends for identity objects
(namely user and groups), which are specified by creation of a domain
configuration file for each domain that requires its own backend.
A side benefit of this change is that it clearly separates the
backends into those that are domain-aware and those that are not,
allowing, for example, the removal of domain validation from the
LDAP identity backend.
Implements bp multiple-ldap-servers
DocImpact
Change-Id: I489e8e50035f88eca4235908ae8b1a532645daab
|
Sets wsgi startup log to INFO so that it is
still visible when log level is raised above
DEBUG.
Co-authored-by: Kanami Akama <k-akama@intellilink.co.jp>
Fixes: bug #1208778
Change-Id: I977f4ac6fc5e11710922dc607d5ce23a0cc74237
|
Length of username in database may be too short for X.509 DNs and 255
seems a sane value for it.
Fixes bug #1081932
Change-Id: Ie8f696845ea15d37cf13f3fe7978b22deac798b0
|
Modifications to use log from /keystone/openstack/common/log.py instead
of /keystone/common/logging.py. This change also includes some
refactoring to remove the WriteableLogger class from common/wsgi.py
since that is already included in the unified logging sync from Oslo.
This also moves fail_gracefully from /keystone/common/logging.py to
service.py as it is only used within that module.
blueprint unified-logging-in-keystone
Change-Id: I24b319bd6cfe5e345ea903196188f2394f4ef102
|
- Revoke tokens scoped to all users from a project when disabling or
deleting the project.
- Tests provided by Dolph.
Closes-Bug: #1179955
Change-Id: I8ab4713d513b26ced6c37ed026cec9e2df78a5e9
Signed-off-by: Chmouel Boudjnah <chmouel@enovance.com>
|
This is the base implementation of a unified logging solution for
Keystone from Oslo-incubator. More work is still needed to refactor the
rest of Keystone such that it is completely dependent on the
implementation from Oslo and not the older keystone/common/logging.py
implementation; this is also noted in keystone/common/config.py.
blueprint unified-logging-in-keystone
Change-Id: I711cbac8edd887c52114fb13327e37124ea86737
|
Support for "default" in default_md was only added
in "recent" OpenSSL versions. Use sha1 (which is what
"default" maps to anyway) for older openssl versions.
Also sync the generated openssl config file with
the defaults from OpenSSL 1.0 and newer.
Fixes: LP Bug #1209249
Change-Id: I4ba79dbfdfc2df81cfb0f1edde23d3fbc1384637
|
For mysql ForeignKey constraints were removed but the fields stayed as indexes.
This migration drops them.
bp db-sync-models-with-migrations
Change-Id: I3baeac4047cd65ac5d7733ba909c45d0874f17d8
|
This patch syncs models with migrations for:
- Endpoint
- CredentialModel
- TokenModel
- TrustModel
No actual schema change is taking place; this patch just corrects errors
in the model definitions.
Made class Index available in keystone.common.sql.core
partially implements bp db-sync-models-with-migrations
Change-Id: I52f5c455360b65a2d5d884bbbec078dca6d34451
|
This is used to avoid code duplication in keystone/identity/
backends/ldap.py. All changes are fully covered by test_*option_
name*_attribute_ignore() in test_backend_ldap.py.
bp refactor-ldap-driver
Change-Id: Ia0fc0b3d4a92416dcd65ddb49b3b0bf9a0777363
|
bp refactor-ldap-driver
Change-Id: I4b3bb2900b54f046b05d68f15fb6e35b324ca9f7
|
DocImpact
Change-Id: I1b1de8f7e07afe8af8a5cbb83de7f935cea04670
|
keystone.catalog.backends.sql.get_catalog() and get_v3_catalog() methods
generate N+1 select statements for each endpoint. Use sqlalchemy's
eager load to generate single select statement instead of generating N+1
select statements for each endpoint.
Given change does not modify DB schema and is runtime-only, since it's a
one-to-many relationship.
Change-Id: Ia72b8603fc13f01696771f6116b320364bd50f51
Fixes: bug #1206725
|
Allow each of the extensions to have their own
sql migration repository instead of mixing them into
the common repo. db_sync must be called explicitly on the extension.
In the past, it was assumed that only migrations for backends backed in
sql would be run. In practice, however, all of the migrations were run
every time. The code has been modified to reflect this.
Adds parameter --extension to the cli for db_sync and db_version.
To test out the migrations:
    bin/keystone-manage db_sync --extension example
will migrate to version 1 and
    bin/keystone-manage db_sync --extension example 0
will migrate it back to 0.
To check the version:
    bin/keystone-manage db_version --extension example
blueprint multiple-sql-migrate-repos
DocImpact
Change-Id: I6852d75bde6506c535fa3d74537e3c1bbd6578d8
|
- Fixes bug: #1190149
Change-Id: Icdf56d65b9c5caa46571320f02233ac4a8a2e171
|
Fixes bug 1206257
Change-Id: Ia522e023a2d66ec25bc909db12d358f7c0ee6952
|
This patch removes the use of kwargs from manager calls where not
required. Dogpile.cache (the targeted caching library) does not
support kwargs out of the box with its cache-key-generator. This
change allows us to support the default cache-key-generator; while
it is possible to create a new cache-key-generator function, there
are many possible edge-cases to deal with when making cache
invalidation calls (ensuring the arguments are the same) as well as
possible performance implications (depending on the depth of method
introspection needed to determine how to invalidate the cache).
As an added bonus, this change brings the code touched more in-line
with the rest of keystone where most manager/driver calls do not
use kwargs unless absolutely required.
blueprint: caching-layer-for-driver-calls
Change-Id: I035c976314fb48f657661f681f7c1760d3c547a6
|
We sometimes need to log a traceback message, but people who ignore the
'exc_info' argument would import traceback to get the traceback message.
This work is already done by 'exc_info' in the logging module. For example:
    logger.error('msg', exc_info=True)
    # exc_info evaluates as true and logs the message from sys.exc_info()
    logger.debug('msg', exc_info=(type, value, traceback))
    # exc_info evaluates as an exception tuple and logs the message from this tuple
    logger.exception('msg')
    # exception adds exc_info=1 automatically
Change-Id: I9e1caf05fcf06bb977597076ebe278b593d70bf4
|
The dependency injection code doesn't handle circular
dependencies. This change makes it so that the
dependency injection code allows circular dependencies.
Part of fix for bug 1204605
Change-Id: I8de166a352ac727c7ddf27bae420b7c7ab22415f
|
As part of the process during several tests setUp
where the backends are reloaded, automatic dependency
injection takes place. The REGISTRY is being updated
with new providers and it's also looking up the
required dependencies. Some of the providers for the
requirements may not have been updated yet with the
new provider object, so it loads an object that
was created from a previous test run rather than the
current one. This can cause tests to
fail when one class gets a ref to the old one
(it depends on the order that the tests are run).
This change clears out the registry of providers before
loading backends. It only affects testing.
Part of fix for bug 1204605
Change-Id: Ib845493fa13531225e4be7e3b6cc315b9d19a0f4
|
Keystone defines a custom Request class that's used in many
places (middleware, etc.). BaseApplication says that subclasses
should typically set Request as the custom RequestClass,
but for some reason it's not used in keystone.wsgi.Application.
This doesn't cause any problems at this point because Keystone's
custom Request is the same as webob.Request. bp user-locale-api
requires the custom Request to implement calculating the requested
locale, and if Application doesn't set this custom RequestClass then
most requests don't use the custom Request.
Part of changes for bp user-locale-api
Change-Id: If20ee9000aba89a5a2c94ed8a3dda7382142038e
|
The Keystone server would print a warning when both the token
format and provider were set to the default.
Also, the Keystone server would not start if the format was
commented out and the provider was set to the uuid.Provider.
Fixes: bug 1204314
Change-Id: Id7db33a1f27c4986af153efc73b22db8c6a8942e
|
The doc string in exception.py of Keystone will be
returned with the __doc__ method, but cannot realize
internationalization. Change the exception module to enable
i18n support.
Changes in the patch are:
1. using class variable msg_fmt to replace class __doc__
2. modify wsgi.render_exception function using unicode
function to replace str function
3. modify/add UT test cases
Fixes: bug # 1179425
Change-Id: I75c1229c905a2625d2f6961d1a8dd3958eac51a5
|
The keystone.common.sql.core.Base class cached the global database
engine when get_session() was called. When the global database engine
changed to a new instance, the cached copy was used in subsequent
calls to get_session(), leading to using the old engine and tests
failing to run by themselves.
This change makes it so that when the global database engine is
changed, Base will use the new engine rather than the invalid one.
Change-Id: I75aa3c230d9b4fd666ab8d478c9e9a27669905e8
Fixes: Bug #1179259
|
Credential table has foreign key constraint
referring to tenant table which is dropped.
Since sqlite does not support alter table
drop constraint, the foreign key constraint
was not dropped. When we try to load credential
table using sqlite backend it fails because tenant
table does not exist. Fix is provided such that
the credential table is recreated without foreign
key constraint and the data is moved from old
credential table to the new credential table.
Fixes Bug #1190383
Change-Id: I3afb04254f33e12fccb7da84c8674feba36622c8
|
The provider property in the [token] section will be unset by default. If
provider is not set, we will use token_format in the [signing] section to
determine the provider. If provider is set, it must agree with the token_format.
fixed bug 1202651
Change-Id: I15ff67490acbbacc9eefc7eee253400475704b04
|
Brings token binding to keystone server. There are a number of places
where the location or hardcoding of binding checks are not optimal
however fixing them will require having a proper authentication plugin
scheme so just assume that they will be moved when that happens.
DocImpact
Implements: blueprint authentication-tied-to-token
Change-Id: Ib34e5e0b6bd83837f6addbd45d4c5b828ce2f3bd
|