| Commit message (Collapse) | Author | Age | Files | Lines |
| |
The doc string in exception.py of Keystone will be
returned with __doc__ method, but cannot realize the
internationalization. Change exception module to enable
i18n support.
Changes in the patch are:
1, using class variable msg_fmt to replace class __doc__
2, modify wsgi.render_exception function using unicode
function to replace str function
3, modify/add UT test cases
Fixes: bug # 1179425
Change-Id: I75c1229c905a2625d2f6961d1a8dd3958eac51a5
| |
Raising NEW exception is bad practice, because we lose TraceBack.
So all places like:
    except SomeException as e:
        raise e
should be replaced by
    except SomeException:
        raise
If we are doing some other actions before reraising we should
store information about exception then do all actions and then
reraise it. This is caused by eventlet bug. It loses information
about exception if it switches threads.
fixes bug 1191730
Change-Id: I8dffc36ba5780911dd57d7161d218d0324af60b3
| |
PasteDeploy configuration contains class names which might change
between releases. Keeping it separate from user-configurable
parameters allows deployers to move paste-deploy ini file out of
configuration directory to a place where it can be safely overwritten
on updates e.g. under /usr/share/
DocImpact
Change-Id: I9292ca6226c8430b93565dedd45cc842742a23e2
| |
- docstring should not start with a space (flake8 H401)
- one line docstring needs punctuation (flake8 H402)
- multi line docstring end on new line (flake8 H403)
- multi line docstring should start with a summary (flake8 H404)
Change-Id: I69b414395930bda739aa01b785ac619fa8bb7d9b
| | |
Fixes Bug1153082
Change-Id: I1305d885751d4fa746e49cd5a76100c1900a9a53
| |
Keystone exceptions could only take byte string message as the
message arguments to construct exception instances because of
the way its super class StandardError implements __unicode__.
This patch can also make sure it would not unintentionally remove
line breaks and indentation in an explicitly given message argument.
Fixes bug #1168879
Change-Id: I7916efc87845cfc4dba705e9474125b275affc13
| |
Fixes Bug1153718
Change-Id: I18adefdc9cf6cadee6006e9352e872dfb4de7e1d
| |
Updates to make our versions controller a bit smarter so
that it only returns information on API versions which are
actually running.
With these changes a user can disable the v2.0 or v3 API
versions in their pipeline, restart keystone, and then have
versions return information only for the versions which
are actually running.
This is important because auth_token now uses info from the
keystone versions controller (in some cases) to dynamically
select an API version.
Fixes LP Bug #1158470.
Change-Id: I0fa8a82f08e7247c44fb7f4ff8dbb7d4ad58b9cc
| |
This moves keystone.config to keystone.common.config, which requires
.configure() to be called manually in order for options to be
registered.
keystone.config preserves the existing behavior of automatically
registering options when imported.
keystone.middleware.auth_token and its dependencies within keystone no
longer cause config options to be automatically registered.
This is an alternative to https://review.openstack.org/#/c/24251/
Change-Id: If9eb5799bf77595ecb71f2000f8b6d1610ea9700
| |
Deleting a domain should delete all Users, Groups and Projects
that are owned by that domain. This is intertwined with making sure
that deleting Users/Projects cleans up their relevant Tokens and
Credentials (raised as a separate bug, bug fixed here).
To help avoid inadvertent deletion, we insist that a domain must
be disabled before it can be deleted.
In implementing this change, it was discovered that the exception
CredentialNotFound is referenced in the identity backend, but
never defined - this was needed here for the unit tests. This is raised
as a separate bug, and fixed here. A further bug has been raised
that this indicates we are lacking in negative testing for
Credentials (not fixed in this change)
Fixes Bug #1097995
Fixes Bug #1155921
Fixes Bug #1155924
Change-Id: Ibc926f8212fb9bd4426088339a21002a07c86984
| |
Blueprint trusts
creates a trust. Using a trust, one user (the trustee), can then
create tokens with a subset of another user's (the trustor) roles and
projects.
If the impersonate flag in the trust is set, the token user_id is set
to the trustor's user ID.
If the impersonate flag is not set, the token's user_id is set to the
trustee's user ID.
check that both trustor and trustee are enabled prior to creating
the trust token.
sql and kvs backends
sql upgrade scripts
unit tests for backends, auth and v3 api
modifications to the trust controller for creating tokens
Authenticates that only user can be trustor in create
Deleting a trust invalidates all tokens created from that trust
Adds the trust id and the id of the trustee to the header of the token
policy rules for trust
This version has a workaround for testing against the KVS version
of the Service catalog
Change-Id: I5745f4d9a4180b59671a143a55ed87019e98ec76
| |
Also implemented the following:
blueprint pluggable-identity-authentication-handlers
blueprint stop-ids-in-uris
blueprint multi-factor-authn (just the plumbing)
What's missing?
* domain scoping (will be implemented by Henry?)
Change-Id: I191c0b2cb3367b2a5f8a2dc674c284bb13ea97e3
| |
Updates token controller so that it explicitly checks the max
size of userId, username, tenantId, tenantname, token, and password
before continuing with a request.
Previously, when used with the SQL keystone backend an unauthenticated
user could send in *really* large requests which would ultimately log
large SQL exceptions and could thus fill up keystone logs on the
disk.
Change-Id: Ie7e3a958829f99f080e66582bdf558cded70248c
| |
A continuation of the process to convert the term tenant
to project. These changes should only be visible in the
error messages produced, but should otherwise be
undetectable by calling programs.
Removes the TenantNotFound exception which propagates changes through
the code that calls the backends as well
Change-Id: I998a44bfd6aa85f67d58904bd7af25a56c73d48a
| |
Adds a new RequestBodySizeLimiter middleware to guard against
really large HTTP requests. The default max request size is 112k
although this limit is configurable via the 'max_request_body_size'
config parameter.
Fixes LP Bug #1099025.
Change-Id: Id51be3d9a0d829d63d55a92dca61a39a17629785
| | |
Added a database string field length check, so that when inserting into a table, if the length of a string field exceeds the limit of the column, it will return a 400 error instead of truncating the string.
Change-Id: I7216fe736ea6e5a23b5647b107fcb2699f1fa99d
Fixes: bug #1090247
| | |
Add a new global variable to control when exception format errors
are fatal. The goal is to be able to use this at test time to detect
incorrectly formatted exceptions.
Change-Id: Ia015bc27a445757cb1d574cadc35698cca0de086
| |
This implements the server side of groups of users. This
set of code provides all the crud functionality for groups as
well as the corresponding support for role assignments.
blueprint user-groups
The following deficiencies exist with the current version and
will be corrected ahead of the final Grizzly release:
1) There is only placeholder support for LDAP (Bug #1092187)
2) Domain role grants are accepted but not yet honored (Bug #1093248)
3) Token invalidation does not occur with group changes (Bug #1093493)
This update also fills in missing v3 grant unit testing and v3 grant
support within the kvs backend. In addition, there is a fix for
Bug #1092200 (uncaught exception when listing grants)
DocImpact
Change-Id: Ibd1783b04b2d7804eff90312e5ef591dca4d0695
| | |
This allows us to raise exceptions with very specific messages:
    raise Unauthorized('User name not recognized')
In debug mode, this feedback would be exposed to the API user; without
debug mode, these details are suppressed.
Change-Id: I05c5dce3b1e2ba1123450b302e10b8ba3c265557
| |
- v3 identity tests (bug 1023930)
- v3 identity implementation (bug 1023937)
Change-Id: Ic46575afe9760d9da85e262d0cf063ea002d9dcd
| | |
Conflicts:
keystone/catalog/core.py
keystone/identity/core.py
Change-Id: Id47b9dd9c4da811d13454b539f78b751d40ed87d
| | |
Provides configuration to deploy the v3 API identically across both:
http://[...]:5000/v3/
http://[...]:35357/v3/
Change-Id: I97c5a2f7a84e3fca0adaea020697f958e04f5753
| |
fixes bug #1058494
Change-Id: Id89c530e2f4e7dcf0db03515afb8b2a85fbf8077
| |
The goal is to move the responsibility of reference checks away from
controllers and into the underlying managers & drivers, which can
handle the task with equal or greater efficiency.
- Tenant references from create_user/update_user are NOT tested
due to inconsistencies between backends
- Additional test coverage improvements
Also fixes bug 999209, bug 999608, bug 1006029, bug 1006055, bug 1006287,
bug 1006334, and bug 1006344.
Change-Id: I7de592e7dd4518038436b9a9fdaab559b00a0537
| |
- exception.NotImplemented 'action' should have been 'title'
- Automated test coverage of exceptions to catch this in the future
Change-Id: I238e6bc8426ae009f570f0a04d2ea28501ae23fc
| |
endpoint-create
endpoint-delete
Change-Id: I70ae14ca385a0ed2d3438b8dc2f7ba93b91f400b
| |
- Replaced all webob.exc's (outside of middleware) with
keystone.exception's
- Raised 409 Conflict when creating/updating existing
user/tenant ID/names (bug 955464)
- Raised 501 Not Implemented for user-role-add w/o tenant_id
(bug 955548)
Change-Id: I9f16cac502c20dd35a6b8da778e85bf3d9cfae49
| |
* Adds missing test cases for the TemplatedCatalog
* Adds a base CatalogTest that different backends
can use
* Updates kvs.Catalog to raise ServiceNotFound where
appropriate
* Updates the tests.test_keystoneclient_sql to actually
test the SQL catalog backend
* Removes old test for incorrect endpoints listing
* Removes the keystone.catalog.core.Driver.service_exists
method since it was only implemented in the SQL driver
and wasn't required now that get_service and delete_service
properly raise ServiceNotFound exception.
Change-Id: I35690cc147e56007be27bacf94eeff360e727e5d
| |
Similar to the other APIs, this creates a Driver class that describes
expected functionality of the catalog driver and raises NotImplemented
accordingly. NotImplementedError()'s are caught and returned as proper
501s instead of AttributeErrors.
Also fixes some inconsistent parameter names in the sql backend.
Fixes bug 954087
Update: Convert usage of NotImplementedError() to new
keystone.exception.NotImplemented() for all
unimplemented driver actions.
Change-Id: I69d8e21a6f651e69b724ec5ed5784645bad80c00
| |
Fixes bug 932819
Change-Id: I58e0c2ad704e2e8ff1924a01791694a5e02a154b
| |
* raise TokenNotFound from token backends on get/delete when token doesn't exist
Change-Id: Ic9aba7911088c30c20fe62501a05d75232f2d8b9
|
Example http://pastie.org/3338663
Change-Id: I26f53488c062ebfb6e49cfcf82e0b8179a683ea8
|