| Commit message (Collapse) | Author | Age | Files | Lines |
|
Implements an OAuth 1.0a service provider.
blueprint: delegated-auth-via-oauth
DocImpact
SecurityImpact
Change-Id: Ib5561593ab608f3b22fbcd7196e2171f95b735e8
|
In file: keystone/contrib/access/core.py, the webob module was never used
after being imported in the module; removing it makes the code cleaner.
Change-Id: I00725e3408c743489693bf6de66254c790dddb24
|
Modifications to use log from /keystone/openstack/common/log.py instead
of /keystone/common/logging.py. This change also includes some
refactoring to remove the WriteableLogger class from common/wsgi.py
since that is already included in the unified logging sync from Oslo.
This also moves fail_gracefully from /keystone/common/logging.py to
service.py as it is only used within that module.
blueprint unified-logging-in-keystone
Change-Id: I24b319bd6cfe5e345ea903196188f2394f4ef102
|
Allow each of the extensions to have their own
sql migration repository instead of mixing them into
the common repo. db_sync must be called explicitly on the extension.
In the past, it was assumed that only migrations for backends backed in
sql would be run. In practice, however, all of the migrations were run
every time. The code has been modified to reflect this.
Adds parameter --extension to the cli for db_sync and db_version
to test out the migrations
bin/keystone-manage db_sync --extension example
will migrate to version 1 and
bin/keystone-manage db_sync --extension example 0
will migrate it back to 0
to check the version
bin/keystone-manage db_version --extension example
blueprint multiple-sql-migrate-repos
DocImpact
Change-Id: I6852d75bde6506c535fa3d74537e3c1bbd6578d8
|
This patch removes the use of kwargs from manager calls where not
required. Dogpile.cache (the targeted caching library) does not
support kwargs out of the box with its cache-key-generator. This
change allows us to support the default cache-key-generator; while
it is possible to create a new cache-key-generator function, there
are many possible edge-cases to deal with when making cache
invalidation calls (ensuring the arguments are the same) as well as
possible performance implications (depending on the depth of method
introspection needed to determine how to invalidate the cache).
As an added bonus, this change brings the code touched more in-line
with the rest of keystone where most manager/driver calls do not
use kwargs unless absolutely required.
blueprint: caching-layer-for-driver-calls
Change-Id: I035c976314fb48f657661f681f7c1760d3c547a6
|
This patch implemented V2 token provider.
Abstract token provider backend to make token provider pluggable. It enables
deployers to customize token management to add their own capabilities.
Token provider is responsible for issuing, checking, validating, and
revoking tokens. Note the distinction between token 'driver' and 'provider'.
Token 'driver' simply provides token CRUD. It does not issue or interpret
tokens.
Token provider is specified by the 'provider' property in the '[token]'
section of the Keystone configuration file.
Change-Id: Ic418ec433bd9e3f2f70fa31c90e570e32c1ca687
|
Extensions register themselves with keystone/common/extension.py
as either public, admin, or both, and they show up in the extensions
collection on http://<hostname>:<port>/v2.0/extensions/
Bug 1177531
Change-Id: Ic0b5c84e28342e96c3197c1b46f8b1656e2d7050
|
Currently there is a mixture of strategies in the v2 and v3 controllers
for how to get the roles assigned for the scope of the requested
authentication. This duplicates code, is hard to maintain and in at
least one case (where your only roles on a project are due to a group
membership) is not actually correct (for v2 tokens).
This change does the following:
- Standardizes on using the 'get_roles_for_user_and_project()', and its
domain equivalent, for how roles are obtained to build a token. This
was already the case for v3 tokens. The controllers no longer need
to get metadata and extract the roles.
- Removes the driver level function to 'authorize_for_project' - this is
now handled within the controller. The driver simply supports the user
authentication.
A nice (and planned for) side effect of the above is that we now hide
the schema of how we store roles within the driver layer - i.e.
nothing outside of the driver (other than any specific-to-implementation
tests) has to know about how roles are stored in the metadata. This paves
the way for a re-implementation of the grant tables in IceHouse.
This change also fills in missing function definitions in the assignment
driver.
Implements bp authenticate-role-rationalization
Change-Id: I75fc7f5f728649d40ab1c696b33bbcd88ea6edee
|
We don't have a use case for passing the request context to the manager
layer, so this patch removes a bunch of cruft.
Change-Id: Ic6435782c4c9f32e38c7800172645cc1af23ea09
|
If the admin_port string is a substring of the public_port string, all the
requests would be stated as 'admin' whether their real dest port is
admin_port or public_port. It's due to the incorrect logic in the stat
middleware.
For example, if public_port = 35000, admin_port = 5000, the first
judgement branch: "if str(CONF.admin_port) in host" in
StatsMiddleware::_resolve_api() would always return "True" whether the
host port number is equal to 5000 or 35000, so that the following judgement
branches would be incorrectly ignored.
Fixes bug #1189121
Change-Id: I1086b7d11f83dd218d66376f79747a1f720eb807
|
If using a load balancer before keystone and the port numbers were
different between the load balancer and keystone, too many stat warning logs
could be found in the logs. The root cause is the keystone servers' stat
logic getting the request host information, which points to the load balancer's
IP address and port rather than their own IPs and ports.
Fixes bug #1189118
Change-Id: Ic837af77bc2509086c0e37194ba70b683f693ae5
|
- docstring should not start with a space (flake8 H401)
- one line docstring needs punctuation (flake8 H402)
- multi line docstring end on new line (flake8 H403)
- multi line docstring should start with a summary (flake8 H404)
Change-Id: I69b414395930bda739aa01b785ac619fa8bb7d9b
|
Change-Id: I0fa6fc6bf9d51b60fa987a0040168f3f0ef78a4a
|
- Removed unused imports
- Ignore wildcard and unused imports from core modules (and avoid
wildcard imports otherwise) to __init__ modules
Change-Id: Ie2e5f61ae37481f5d248788cfd83dc92ffddbd91
|
The Ec2Signer class has been moved to python-keystoneclient,
so we can remove the internal implementation and import the
keystoneclient version
blueprint ec2signer-to-keystoneclient
Change-Id: I19d8575ab8b972467ce280a6197ae762da1ce790
|
Fixes bug 1121494.
Change-Id: If7277f0b4a55aa5be81b354cd4c7ed338a600a62
|
git ls-files | misspellings -f -
Source: https://github.com/lyda/misspell-check
Change-Id: Icbd2412aa65bc8135e5dcd83ee69e94f5a42f7a2
|
Taking advantage of this middleware either requires enabling
verbose/debug or utilizing an external logging.conf which configures an
'access' logger.
Example output:
127.0.0.1 - - [2013-01-29T17:15:02.752214] "GET http://localhost:5000/v3/projects HTTP/1.0" 200 16
This patch also revises etc/logging.conf.sample with some more practical
defaults (e.g. supporting externally-managed log rotations) in addition
to illustrating how to generate an 'access.log' file.
DocImpact
Change-Id: I2a6048fa5fbf8661a6859d9e3a259d4cfa5fc589
|
Change-Id: I50a5bbe4800fc88b631701a6be0a0f9feec597d0
|
Change-Id: I1f6fdf304ca3ff0b6e0e05a71fd944189105c5b6
|
A continuation of the process to convert the term tenant
to project. These changes should only be visible in the
error messages produced, but should otherwise be
undetectable by calling programs.
Removes the TenantNotFound exception which propagates changes through
the code that calls the backends as well
Change-Id: I998a44bfd6aa85f67d58904bd7af25a56c73d48a
|
Change-Id: I5a527e0f5010171a202de5894d124d213d22a073
|
Uses automatic dependency injection to provide controllers with driver
interfaces (identity_api, token_api, etc).
See tests/test_injection.py for a self-contained example.
Change-Id: I255087de534292fbf57a45b19f97488f831f607c
|
Distributes the functionality of service.py into the modules.
Moves ComposableRouters into the modules.
The routers and controllers now have short names.
The controllers get their APIs via the base class.
Change-Id: I87404b80ea9800d6792f97a7a3a64fe839065c1c
|
Change-Id: Ie8277529185f645854e0aebaafa173c06a7c5164
|
- Renamed identity.controllers.* and identity.routers.* since they
now occupy unique namespaces (thanks ayoung!)
- Moved catalog and policy controllers into their own respective modules
Change-Id: Ib9e277355e0eac15d4d218785c816b718b493b5b
|
Users can now run keystone with debug = True to reveal detailed messages
about authentication/authorization failures. This is especially useful
for new users setting up OpenStack for the first time.
Example: http://paste.openstack.org/raw/26228/
DocImpact
Change-Id: I0d072d1f0147b53da90cd4214a1e843bf39ee8e4
|
It is possible that a user is no longer a member of a tenant when
they attempt to use an ec2 token. This checks to make sure that
the user still has at least one valid role in the tenant before
authenticating them. This should automatically work for the s3
version as well since it is a subclass.
Fixes bug 1064914
Change-Id: Ieb237bae936a7b00ce7ba4d4c59aec6c7a69ec21
|
Removed unnecessary backslash continuations
Added backslash continuation rules to HACKING.rst
Change-Id: Id91da5b7e9be4d4587dded95fe7a0415240213ec
|
Fixes bug 996922
This commit adds a user_crud module that can be used in the public wsgi
pipeline, currently the only operation included allows a user to update
their own password.
In order to change their password a user should make an HTTP PATCH to
/v2.0/OS-KSCRUD/users/<userid>
with the json data formatted like this
{"user": {"password": "DCBA", "original_password": "ABCD"}}
in addition to changing the user's password, all current tokens
will be cleared (for token backends that support listing) and
a new token id will be returned.
Change-Id: I0cbdafbb29a5b6531ad192f240efb9379f0efd2d
|
Change-Id: I7254a363a80248ecb6c2889968bc43ed44cd4383
|
Fix bug 999567.
Just use the right method, to stop returning an internal server error
(500). We will return 501 instead, since we stopped supporting user
roles, but at least this is not crashing.
Change-Id: Ia2d6815e712daf146abba5089b79afc8aaddb2d2
|
Attributes are tracked separately per interface (public API vs admin API):
- Request method (GETs, POSTs, etc)
- Requested resources
- Number of requests per remote address
- Response status codes
Retrieve statistics report:
GET http://keystone:35357/v2.0/OS-STATS/stats
e.g. http://paste.openstack.org/raw/18528/
Reset statistics report:
DELETE http://keystone:35357/v2.0/OS-STATS/stats
Change-Id: Id21af755e5e25b8275dd55b7415bf4c421304807
|
Fixes bug #1013441
Sort imports by lexicographical order of full module path
Change-Id: I60231d87618466426dc7bfac7bb0644a0dbd079a
|
Change-Id: I0989396691eb31d9008c016e64f2c197f8c7e48c
|
- Document S3 functionality along the way.
Change-Id: I5525cd084aa16a33176c2ed0c3df53e9743072fc
|
- Using flake8 so a bit more than that.
Change-Id: I63fa21f7d3d02f96c0c56804fdd56da37c952d7d
|
Change-Id: I22e3b6769c69ef5917028980007d3295fed99fb7
|
ec2-credential-create
ec2-credential-delete
ec2-credential-get
ec2-credential-list
Change-Id: If8bfb77017f55c24738baf18b937c78b179831e5
|
- Add multiple checks to methods to make sure we have a proper
tenant_id/user_id/credentials.
- Fixes bug 958135.
Change-Id: I4dd171e3db32d6ebdc70bb1a83492c8ecd09c21c
|
- Replaced all webob.exc's (outside of middleware) with
keystone.exception's
- Raised 409 Conflict when creating/updating existing
user/tenant ID/names (bug 955464)
- Raised 501 Not Implemented for user-role-add w/o tenant_id
(bug 955548)
Change-Id: I9f16cac502c20dd35a6b8da778e85bf3d9cfae49
|