path: root/keystone/contrib
Commit message [Author, Age, Files, Lines]
* Add delegated_auth support for keystone [Steve Martinelli, 2013-08-16, 11 files, -0/+1440]
|    Implements an OAuth 1.0a service provider.
|    blueprint: delegated-auth-via-oauth
|    DocImpact
|    SecurityImpact
|    Change-Id: Ib5561593ab608f3b22fbcd7196e2171f95b735e8
* Merge "Remove unused import" [Jenkins, 2013-08-16, 1 file, -1/+0]
|\
| * Remove unused import [Wu Wenxiang, 2013-08-15, 1 file, -1/+0]
| |    In file: keystone/contrib/access/core.py, webob module was never used after imported in the module, removing it make codes more clean.
| |    Change-Id: I00725e3408c743489693bf6de66254c790dddb24
* | Refactor Keystone to use unified logging from Oslo [Lance Bragstad, 2013-08-15, 3 files, -4/+4]
|/     Modifications to use log from /keystone/openstack/common/log.py instead of /keystone/common/logging.py.
|      This change also includes some refactoring to remove the WriteableLogger class from common/wsgi.py since that is already included in the unified logging sync from Oslo.
|      This also moves fail_gracefully from /keystone/common/logging.py to service.py as it is only used within that module.
|      blueprint unified-logging-in-keystone
|      Change-Id: I24b319bd6cfe5e345ea903196188f2394f4ef102
* Merge "extension migrations" [Jenkins, 2013-08-07, 5 files, -0/+70]
|\
| * extension migrations [Adam Young, 2013-08-06, 5 files, -0/+70]
| |    Allow each of the extensions to have their own sql migration repository instead of mixing them into the common repo. db_sync must be called explicitly on the extension.
| |    In the past, it was assumed that only migrations for backends backed in sql would be run. In practice, however, all of the migrations were run every time. The code has been modified to reflect this.
| |    Adds parameter --extension to the cli for db_sync and db_version
| |    to test out the migrations
| |        bin/keystone-manage db_sync --extension example
| |    will migrate to version 1 and
| |        bin/keystone-manage db_sync --extension example 0
| |    will migrate it back to 0
| |    to check the version
| |        bin/keystone-manage db_version --extension example
| |    blueprint multiple-sql-migrate-repos
| |    DocImpact
| |    Change-Id: I6852d75bde6506c535fa3d74537e3c1bbd6578d8
* | Remove kwargs from manager calls where not needed. [Morgan Fainberg, 2013-08-01, 1 file, -3/+1]
|/     This patch removes the use of kwargs from manager calls where not required. Dogpile.cache (the targeted caching library) does not support kwargs out of the box with its cache-key-generator.
|      This change allows us to support the default cache-key-generator; while it is possible to create a new cache-key-generator function, there are many possible edge-cases to deal with when making cache invalidation calls (ensuring the arguments are the same) as well as possible performance implications (depending on the depth of method introspection needed to determine how to invalidate the cache).
|      As an added bonus, this change brings the code touched more in-line with the rest of keystone where most manager/driver calls do not use kwargs unless absolutely required.
|      blueprint: caching-layer-for-driver-calls
|      Change-Id: I035c976314fb48f657661f681f7c1760d3c547a6
* Merge "Implements Pluggable V2 Token Provider" [Jenkins, 2013-07-16, 1 file, -12/+11]
|\
| * Implements Pluggable V2 Token Provider [Guang Yee, 2013-07-15, 1 file, -12/+11]
| |    This patch implemented V2 token provider.
| |    Abstract token provider backend to make token provider pluggable. It enables deployers to customize token management to add their own capabilities. Token provider is responsible for issuing, checking, validating, and revoking tokens. Note the distinction between token 'driver' and 'provider'. Token 'driver' simply provides token CRUD. It does not issue or interpret tokens.
| |    Token provider is specified by the 'provider' property in the '[token]' section of the Keystone configuration file.
| |    Change-Id: Ic418ec433bd9e3f2f70fa31c90e570e32c1ca687
* | Register Extensions [Adam Young, 2013-07-12, 5 files, -0/+97]
|/     Extensions register themselves with keystone/common/extension.py as either public, admin, or both, and they show up in the extensions collection on http://<hostname>:<port>/v2.0/extensions/
|      Bug 1177531
|      Change-Id: Ic0b5c84e28342e96c3197c1b46f8b1656e2d7050
* Rationalize how we get roles after authentication in the controllers [Henry Nash, 2013-07-10, 2 files, -7/+5]
|    Currently there is a mixture of strategies in the v2 and v3 controllers for how to get the roles assigned for the scope of the requested authentication. This duplicates code, is hard to maintain and in at least one case (where your only roles on a project are due to a group membership) is not actually correct (for v2 tokens).
|    This change does the following:
|    - Standardizes on using the 'get_roles_for_user_and_project()', and its domain equivalent, for how roles are obtained to build a token. This was already the case for v3 tokens. The controllers no longer need to get metadata and extract the roles.
|    - Removes the driver level function to 'authorize_for_project' - this is now handled within the controller. The driver simply supports the user authentication.
|    A nice (and planned for) side effect of the above is that we now hide the schema of how we store roles within the driver layer - i.e. nothing outside of the driver (other than any specific-to-implementation tests) have to know about how roles are stored in the metadata. This paves the way for a re-implementation of the grant tables in IceHouse.
|    This change also fills in missing function definitions in the assignment driver.
|    Implements bp authenticate-role-rationalization
|    Change-Id: I75fc7f5f728649d40ab1c696b33bbcd88ea6edee
* Stop passing context to managers (bug 1194938) [Dolph Mathews, 2013-06-28, 3 files, -58/+37]
|    We don't have a use case for passing the request context to the manager layer, so this patch removes a bunch of cruft.
|    Change-Id: Ic6435782c4c9f32e38c7800172645cc1af23ea09
* Merge "Correct the resolving api logic in stat middleware" [Jenkins, 2013-06-18, 1 file, -2/+2]
|\
| * Correct the resolving api logic in stat middleware [Wu Wenxiang, 2013-06-14, 1 file, -2/+2]
| |    If the admin_port string is a substring of public_port string, all the requests would be stated as 'admin' either their real dest port is admin_port or public_port. It's due to the incorrect logic in stat middleware.
| |    For example, if public_port = 35000, admin_port = 5000, the first judgement branch: "if str(CONF.admin_port) in host" in StatsMiddleware::_resolve_api() would always return "True" either the host port number equal to 5000 or 35000, so that the following judgement branches would be incorrectly ignored.
| |    Fixes bug #1189121
| |    Change-Id: I1086b7d11f83dd218d66376f79747a1f720eb807
* | Remove a stat warning log [Wu Wenxiang, 2013-06-14, 1 file, -3/+0]
|/     If using load balancer before keystone and the port numbers was different between load balancer and keystone, too many stat warning logs could be found in logs.
|      The root cause is the keystone servers' stat logic getting the request host information which point to load balancer ip address and port rather than the ips and ports of themselves.
|      Fixes bug #1189118
|      Change-Id: Ic837af77bc2509086c0e37194ba70b683f693ae5
* Cleanup docstrings (flake8 H401, H402, H403, H404) [Dolph Mathews, 2013-05-24, 1 file, -5/+1]
|    - docstring should not start with a space (flake8 H401)
|    - one line docstring needs punctuation (flake8 H402)
|    - multi line docstring end on new line (flake8 H403)
|    - multi line docstring should start with a summary (flake8 H404)
|    Change-Id: I69b414395930bda739aa01b785ac619fa8bb7d9b
* import only modules (flake8 H302) [Dolph Mathews, 2013-05-24, 1 file, -3/+3]
|    Change-Id: I0fa6fc6bf9d51b60fa987a0040168f3f0ef78a4a
* Satisfy flake8 import rules F401 and F403 [Dolph Mathews, 2013-05-23, 6 files, -0/+6]
|    - Removed unused imports
|    - Ignore wildcard and unused imports from core modules (and avoid wildcard imports otherwise) to __init__ modules
|    Change-Id: Ie2e5f61ae37481f5d248788cfd83dc92ffddbd91
* keystone : Use Ec2Signer utility class from keystoneclient [Steven Hardy, 2013-02-26, 1 file, -1/+3]
|    The Ec2Signer class has been moved to python-keystoneclient, so we can remove the internal implementation and import the keystoneclient version
|    blueprint ec2signer-to-keystoneclient
|    Change-Id: I19d8575ab8b972467ce280a6197ae762da1ce790
* Ensure user and tenant enabled in EC2 [Nathanael Burton, 2013-02-19, 1 file, -0/+3]
|    Fixes bug 1121494.
|    Change-Id: If7277f0b4a55aa5be81b354cd4c7ed338a600a62
* Fix spelling mistakes [Joe Gordon, 2013-02-12, 1 file, -1/+1]
|    git ls-files | misspellings -f -
|    Source: https://github.com/lyda/misspell-check
|    Change-Id: Icbd2412aa65bc8135e5dcd83ee69e94f5a42f7a2
* Merge "Generate apache-style common access logs" [Jenkins, 2013-02-12, 2 files, -0/+78]
|\
| * Generate apache-style common access logs [Dolph Mathews, 2013-01-31, 2 files, -0/+78]
| |    Taking advantage of this middleware either requires enabling verbose/debug or utilizing an external logging.conf which configures an 'access' logger.
| |    Example output:
| |        127.0.0.1 - - [2013-01-29T17:15:02.752214] "GET http://localhost:5000/v3/projects HTTP/1.0" 200 16
| |    This patch also revises etc/logging.conf.sample with some more practical defaults (e.g. supporting externally-managed log rotations) in addition to illustrating how to generate an 'access.log' file.
| |    DocImpact
| |    Change-Id: I2a6048fa5fbf8661a6859d9e3a259d4cfa5fc589
* | Fixes 'not in' operator usage [Zhongyue Luo, 2013-02-04, 1 file, -1/+1]
| |    Change-Id: I50a5bbe4800fc88b631701a6be0a0f9feec597d0
* | tenant to project in the apis [Adam Young, 2013-01-28, 2 files, -10/+10]
| |    Change-Id: I1f6fdf304ca3ff0b6e0e05a71fd944189105c5b6
* | Tenant to Project in Back ends [Adam Young, 2013-01-28, 1 file, -3/+3]
|/     A continuation of the process to convert the term tenant to project. These changes should only be visible in the error messages produced, but should otherwise be undetectable by calling programs.
|      Removes the TenantNotFound exception which propagates changes through the code that calls the backends as well
|      Change-Id: I998a44bfd6aa85f67d58904bd7af25a56c73d48a
* Fixes import order nits [Zhongyue Luo, 2013-01-11, 3 files, -5/+5]
|    Change-Id: I5a527e0f5010171a202de5894d124d213d22a073
* Driver registry [Dolph Mathews, 2012-12-21, 3 files, -34/+11]
|    Uses automatic dependency injection to provide controllers with driver interfaces (identity_api, token_api, etc).
|    See tests/test_injection.py for a self-contained example.
|    Change-Id: I255087de534292fbf57a45b19f97488f831f607c
* module refactoring [Adam Young, 2012-12-17, 2 files, -16/+25]
|    Distributes the functionality of service.py into the modules. Moves ComposableRouters into the modules. The routers and controllers now have short names. The controllers get their APIs via the base class.
|    Change-Id: I87404b80ea9800d6792f97a7a3a64fe839065c1c
* Move token controller into keystone.token [Dolph Mathews, 2012-12-12, 1 file, -4/+1]
|    Change-Id: Ie8277529185f645854e0aebaafa173c06a7c5164
* Only 'import *' from 'core' modules [Dolph Mathews, 2012-12-05, 2 files, -11/+10]
|    - Renamed identity.controllers.* and identity.routers.* since they now occupy unique namespaces (thanks ayoung!)
|    - Moved catalog and policy controllers into their own respective modules
|    Change-Id: Ib9e277355e0eac15d4d218785c816b718b493b5b
* Expose auth failure details in debug mode [Dolph Mathews, 2012-11-20, 3 files, -10/+14]
|    Users can now run keystone with debug = True to reveal detailed messages about authentication/authorization failures. This is especially useful for new users setting up OpenStack for the first time.
|    Example: http://paste.openstack.org/raw/26228/
|    DocImpact
|    Change-Id: I0d072d1f0147b53da90cd4214a1e843bf39ee8e4
* Ensures User is member of tenant in ec2 validation [Vishvananda Ishaya, 2012-11-13, 1 file, -7/+10]
|    It is possible that a user is no longer a member of a tenant when they attempt to use an ec2 token. This checks to make sure that the user still has at least one valid role in the tenant before authenticating them.
|    This should automatically work for the s3 version as well since it is a subclass.
|    Fixes bug 1064914
|    Change-Id: Ieb237bae936a7b00ce7ba4d4c59aec6c7a69ec21
* Backslash continuation cleanup [Zhongyue Luo, 2012-09-19, 1 file, -6/+8]
|    Removed unnecessary backslash continuations
|    Added backslash continuation rules to HACKING.rst
|    Change-Id: Id91da5b7e9be4d4587dded95fe7a0415240213ec
* Adding user password setting api call [Derek Higgins, 2012-07-10, 2 files, -0/+105]
|    Fixes bug 996922
|    This commit adds a user_crud module that can be used in the public wsgi pipeline, currently the only operation included allows a user to update their own password.
|    In order to change their password a user should make a HTTP PATCH to /v2.0/OS-KSCRUD/users/<userid> with the json data formatted like this
|        {"user": {"password": "DCBA", "original_password": "ABCD"}}
|    in addition to changing the user's password, all current tokens will be cleared (for token backends that support listing) and a new token id will be returned.
|    Change-Id: I0cbdafbb29a5b6531ad192f240efb9379f0efd2d
* Merge "pep8 v1.3.3 compliance (bug 1019498)" [Jenkins, 2012-07-03, 1 file, -7/+12]
|\
| * pep8 v1.3.3 compliance (bug 1019498) [Dolph Mathews, 2012-07-02, 1 file, -7/+12]
| |    Change-Id: I7254a363a80248ecb6c2889968bc43ed44cd4383
* | Merge "Do not crash when trying to remove a user role (without a tenant)" [Jenkins, 2012-07-03, 1 file, -1/+1]
|\ \
| |/
|/|
| * Do not crash when trying to remove a user role (without a tenant) [Vincent Untz, 2012-06-28, 1 file, -1/+1]
| |    Fix bug 999567.
| |    Just use the right method, to stop returning an internal server error (500). We will return 501 instead, since we stopped supporting user roles, but at least this is not crashing.
| |    Change-Id: Ia2d6815e712daf146abba5089b79afc8aaddb2d2
* | Merge "Basic request stats monitoring & reporting" [Jenkins, 2012-06-28, 4 files, -0/+195]
|\ \
| |/
|/|
| * Basic request stats monitoring & reporting [Dolph Mathews, 2012-06-19, 4 files, -0/+195]
| |    Attributes are tracked separately per interface (public API vs admin API):
| |    - Request method (GETs, POSTs, etc)
| |    - Requested resources
| |    - Number of requests per remote address
| |    - Response status codes
| |    Retrieve statistics report:
| |        GET http://keystone:35357/v2.0/OS-STATS/stats
| |        e.g. http://paste.openstack.org/raw/18528/
| |    Reset statistics report:
| |        DELETE http://keystone:35357/v2.0/OS-STATS/stats
| |    Change-Id: Id21af755e5e25b8275dd55b7415bf4c421304807
* | Reorder imports by full module path [Zhongyue Luo, 2012-06-20, 3 files, -6/+6]
|/     Fixes bug #1013441
|      Sort imports by lexicographical order of full module path
|      Change-Id: I60231d87618466426dc7bfac7bb0644a0dbd079a
* PEP8 fixes [Dolph Mathews, 2012-06-18, 2 files, -151/+194]
|    Change-Id: I0989396691eb31d9008c016e64f2c197f8c7e48c
* Add s3 extension in keystone.conf sample. [Chmouel Boudjnah, 2012-06-08, 1 file, -1/+5]
|    - Document S3 functionality along the way.
|    Change-Id: I5525cd084aa16a33176c2ed0c3df53e9743072fc
* Fixes some pep8 warning/errors. [Chmouel Boudjnah, 2012-05-24, 2 files, -2/+2]
|    - Using flake8 so a bit more than that.
|    Change-Id: I63fa21f7d3d02f96c0c56804fdd56da37c952d7d
* Merge "Raise keystone.exception for HTTP 401 (bug 962563)" [Jenkins, 2012-03-30, 1 file, -1/+2]
|\
| * Raise keystone.exception for HTTP 401 (bug 962563) [Dolph Mathews, 2012-03-27, 1 file, -1/+2]
| |    Change-Id: I22e3b6769c69ef5917028980007d3295fed99fb7
* | ec2-credential-crud 404 (bug 963056) [Dolph Mathews, 2012-03-27, 1 file, -0/+2]
|/     ec2-credential-create
|      ec2-credential-delete
|      ec2-credential-get
|      ec2-credential-list
|      Change-Id: If8bfb77017f55c24738baf18b937c78b179831e5
* Check values for EC2. [Chmouel Boudjnah, 2012-03-23, 1 file, -6/+55]
|    - Add multiple check to methods to make sure we have a proper tenant_id/user_id/credentials.
|    - Fixes bug 958135.
|    Change-Id: I4dd171e3db32d6ebdc70bb1a83492c8ecd09c21c
* Wrapped unexpected exceptions (bug 955411) [Dolph Mathews, 2012-03-20, 1 file, -13/+7]
|    - Replaced all webob.exc's (outside of middleware) with keystone.exception's
|    - Raised 409 Conflict when creating/updating existing user/tenant ID/names (bug 955464)
|    - Raised 501 Not Implemented for user-role-add w/o tenant_id (bug 955548)
|    Change-Id: I9f16cac502c20dd35a6b8da778e85bf3d9cfae49