| Commit message (Collapse) | Author | Age | Files | Lines |
PasteDeploy configuration contains class names which might change
between releases. Keeping it separate from user-configurable
parameters allows deployers to move paste-deploy ini file out of
configuration directory to a place where it can be safely overwritten
on updates e.g. under /usr/share/
DocImpact
Change-Id: I9292ca6226c8430b93565dedd45cc842742a23e2
|
Make sure we pick up CONF.auth.methods from configuration
files. Added a test case to make sure we don't regress
Fixes LP# 1157515
Change-Id: I70290c37b2a5378b5247a14e3bfa20d50bf8fe74
|
This moves keystone.config to keystone.common.config, which requires
.configure() to be called manually in order for options to be
registered.
keystone.config preserves the existing behavior of automatically
registering options when imported.
keystone.middleware.auth_token and its dependencies within keystone no
longer cause config options to be automatically registered.
This is an alternative to https://review.openstack.org/#/c/24251/
Change-Id: If9eb5799bf77595ecb71f2000f8b6d1610ea9700
|
Also covers Domain CRUD.
Fixes Bug #1092187
Change-Id: If2266ed382edfedfad3eef450ce58640ca4b4657
|
Consolidate the 'auth' method option registration
in config.py.
This makes it so we don't have to catch Exceptions when the
default 'auth' options are registered twice and avoids some
log WARNING messages as well.
Fixes LP Bug #1154406.
Change-Id: I301328ec3ec4823dd7fbec1e639e2841516352e5
|
Change-Id: I26c0481f1f8987f310e3c3710be49d541418e3fd
|
Blueprint trusts
creates a trust. Using a trust, one user (the trustee), can then
create tokens with a subset of another user's (the trustor) roles and
projects.
If the impersonate flag in the trust is set, the token user_id is set
to the trustor's user ID
If the impersonate flag is not set, the token's user_id is set to the
trustee's user ID
check that both trustor and trustee are enabled prior to creating
the trust token.
sql and kvs backends
sql upgrade scripts
unit tests for backends, auth and v3 api
modifications to the trust controller for creating tokens
Authenticates that only user can be trustor in create
Deleting a trust invalidates all tokens created from that trust
Adds the trust id and the id of the trustee to the header of the token
policy rules for trust
This version has a workaround for testing against the KVS version
of the Service catalog
Change-Id: I5745f4d9a4180b59671a143a55ed87019e98ec76
|
This fixes bug 1083463
Change-Id: Ie7ec7f2214b51766d3108a4557c096d9e6989b6b
|
Also, as requested I put in this bug fix the related updates
to keystone.conf.sample
Fixes Bug1131443
Fixes Bug1131439
Change-Id: I3e973c8f8ad2783153a2ccb3d743b65eec47e749
|
Change-Id: I361ec7fde2dde8b9a2091446d4d9f3b95d98f306
|
Also implemented the following:
blueprint pluggable-identity-authentication-handlers
blueprint stop-ids-in-uris
blueprint multi-factor-authn (just the plumbing)
What's missing?
* domain scoping (will be implemented by Henry?)
Change-Id: I191c0b2cb3367b2a5f8a2dc674c284bb13ea97e3
|
Fixes bug 1063858
Implementation works as described in the second comment.
Change-Id: Ib0aa85f05244044c9f40fa9634b5ed3e8afa1f37
|
Get the DN from the LDAP server itself rather than hardcoding its format.
Fixes bug 1122181
Change-Id: I6f70c480b5c6f1b064e74d3cbd2cd8ca5ee82b0a
|
The cfg API is now available via the oslo-config library, so switch to
it and remove the copied-and-pasted version.
Add the 2013.1b3 tarball to tools/pip-requires - this will be changed
to 'oslo-config>=2013.1' when oslo-config is published to pypi. This
will happen in time for grizzly final.
Remove the 'deps = pep8==1.3.3' from tox.ini as it means all the other
deps get installed with easy_install which can't install oslo-config
from the URL.
Change-Id: I4815aeb8a9341a31a250e920157f15ee15cfc5bc
|
Changes the relationship between users and projects.
There is no more direct membership in projects. Instead,
all membership is now done via roles.
A default role has been created called _member_ with a uuid (both
configurable) that will be added in place of the group membership
for database upgrades.
DocImpact: https://bugs.launchpad.net/openstack-manuals/+bug/1087483
Change-Id: I2482f9ef7b838e5dade5096d6d00e81db71604d1
|
- Added a missing space: mayuse -> may use
- Removed default values from help messages, which were appearing as
None, and should be added by argparse anyway
- Updated man pages
Change-Id: I471a1aaff40398488e19f91a16bd91d2d17db61d
|
These changes lay the groundwork for the implementation of
domain-scoping, but are benign in that they don't change the token.
They include making domain_id a first-class attribute in the user
and project entity (i.e. move it out of the 'extra' attribute),
filling in domain grant and project support for the kvs backend and
fixing a series of issues in the migration to make it work for both
MySQL, Postgresql and sqlite.
A further, separate, commit will actually provide the code to
update the actual tokens once the v3 token support has been added.
blueprint domain-scoping
blueprint default-domain
Change-Id: I55ab7947a6a1efbab003bd234856bd3805bb4a63
|
Fix spelling issue from 8ec247b (security patch).
Change-Id: I16c048e40fd92c1978e93fe74a76b4303c253d65
|
Fixes: bug 1119495
Change-Id: I13cdc212752f212ecf59a6a83f8f32c042ccf6e0
|
In 49447c2 we broke keystone in that config.py no longer
provides the options it uses. This commit fixes that
by adding back in conf.log_format, conf.log_file, and conf.log_dir
... all of which are used and required by config.py.
Fixes LP Bug #1122403.
Change-Id: I5015315724eab511f6c570fdd5b9be357777b4a0
|
Changes include:
c5984ba Move logging config options into the log module
7cf016a Fixing the trim for ListOp when reading from config file
The most significant change is that cfg no longer provides logging
config options as these have been moved to the log module which
keystone does not yet use. Define these options in keystone.config
where they are used since pulling in oslo logging isn't appropriate
if we're not going to use it.
Change-Id: I3913ea54465658d93dc56e014dfe5d911b0541d6
|
Updates token controller so that it explicitly checks the max
size of userId, username, tenantId, tenantname, token, and password
before continuing with a request.
Previously, when used with the SQL keystone backend an unauthenticated
user could send in *really* large requests which would ultimately log
large SQL exceptions and could thus fill up keystone logs on the
disk.
Change-Id: Ie7e3a958829f99f080e66582bdf558cded70248c
|
This change rewrites some of our migration history since the folsom
release so that we can create a default domain prior to creating
non-nullable foreign keys in the user and project tables in migration
9 (numbered according to this change).
DocImpact
Change-Id: I807f7b1dca1d6a895f7417c316bcbce24ada61c0
|
Today we can use these configuration values to avoid having to guess
keystone's own endpoint URL from the service catalog backend, which may
contain more than one identity endpoint.
This is also the first step towards adding self-relational links to the v3 API.
Change-Id: I375ac0d1f9581592e437c67c17bf32022f652f66
|
Adds a new RequestBodySizeLimiter middleware to guard against
really large HTTP requests. The default max request size is 112k
although this limit is configurable via the 'max_request_body_size'
config parameter.
Fixes LP Bug #1099025.
Change-Id: Id51be3d9a0d829d63d55a92dca61a39a17629785
|
This implements the server side of groups of users. This
set of code provides all the crud functionality for groups as
well as the corresponding support for role assignments.
blueprint user-groups
The following deficiencies exist with the current version and
will be corrected ahead of the final Grizzly release:
1) There is only placeholder support for LDAP (Bug #1092187)
2) Domain role grants are accepted but not yet honored (Bug #1093248)
3) Token invalidation does not occur with group changes (Bug #1093493)
This update also fills in missing v3 grant unit testing and v3 grant
support within the kvs backend. In addition, there is a fix for
Bug #1092200 (uncaught exception when listing grants)
DocImpact
Change-Id: Ibd1783b04b2d7804eff90312e5ef591dca4d0695
|
That patch allows a developer to remotely run a pydev debugger and have the
keystone-all process connect back to it. Two command line options are
introduced:
--pydev-debug-host <host>
--pydev-debug-port <port>
Both of the above options are required to enable this behavior.
This patch only enables this behavior when the service is started with
keystone-all. In the future parts of this patch can be used to enable
this behavior when running in Apache.
Change-Id: I92f99fa34112336a96e42e8261b7313f23ee994e
|
internationalization.
Change-Id: I6b50abaa82effad8feaaac8d85086ca8b5d42590
|
The fact that a cfg opt registered using register_opt() is available via
the command line is actually a bug (see bug #1082279).
Also, using the _cli_values attribute is clearly poking into private
implementation details.
Fix both issues by registering the opt using register_cli_opt() and
accessing its value the normal way.
Change-Id: If170dcd96daae5b4c3d7cdebed914df417c2209b
|
Change-Id: I03daf10aa4f689fe323e39537c312d1e783db313
|
- v3 policy (bp rbac-keystone-api)
- v3 policy tests (bug 1023935)
- v3 policy implementation (bug 1023939)
Change-Id: I163fbb67726c295fe9ed09b68cd18d2273345d29
|
DocImpact
Change-Id: I1ee9a1e2505cdd8c9ee8acba5c0e89a4f25c7262
|
Change-Id: I136a1ff1d9dc4bd6423522684123ce33dc695415
|
Change-Id: I128b0ccdb32694a4fc2f660e73c367aa8b01f257
|
Change-Id: I004e569756698098bf073f5516945f356f88bfea
|
Change-Id: I5e2746827bd66c6c4aebc28da1b24933fdc261f7
|
1052929)"
|