path: root/keystone/identity
Commit message | Author | Age | Files | Lines
* Fix LDAP Identity get user with user_enabled_mask | Brant Knudson | 2013-08-16 | 1 | -2/+3
    Fetching users using the LDAP Identity backend would fail with KeyError: 'enabled' from _ldap_res_to_model when user_enabled_mask is not 0.
    Change-Id: I39a9606ba7210f0fea064abd6adad379218b432b
    Closes-Bug: #1210175
* Fix LDAP Identity with non-zero user_enabled_default | Brant Knudson | 2013-08-16 | 1 | -1/+1
    The LDAP Identity backend was not properly using the user_enabled_default option as a string. This caused operations to fail with TypeError: unsupported operand type(s) for &: 'str' and 'int'.
    Partial-Bug: #1210175
    Change-Id: I54931e669186871d18dea088870945b9de40d573
* Merge "Implement domain specific Identity backends" | Jenkins | 2013-08-16 | 6 | -51/+397
* Implement domain specific Identity backends | Henry Nash | 2013-08-15 | 6 | -51/+397
    A common scenario in shared clouds will be that a cloud provider will want to be able to offer larger customers the ability to interface to their chosen identity provider. In the base case, this might well be their own corporate LDAP/AD directory. A cloud provider might also want smaller customers to have their identity managed solely within the OpenStack cloud, perhaps in a shared SQL database.
    This patch allows domain specific backends for identity objects (namely user and groups), which are specified by creation of a domain configuration file for each domain that requires its own backend.
    A side benefit of this change is that it clearly separates the backends into those that are domain-aware and those that are not, allowing, for example, the removal of domain validation from the LDAP identity backend.
    Implements bp multiple-ldap-servers
    DocImpact
    Change-Id: I489e8e50035f88eca4235908ae8b1a532645daab
* Increase length of username in DB | Alvaro Lopez Garcia | 2013-08-15 | 1 | -1/+1
    Length of username in database may be too short for X.509 DNs and 255 seems a sane value for it.
    Fixes bug #1081932
    Change-Id: Ie8f696845ea15d37cf13f3fe7978b22deac798b0
* Merge "Refactor Keystone to use unified logging from Oslo" | Jenkins | 2013-08-15 | 3 | -4/+3
* Refactor Keystone to use unified logging from Oslo | Lance Bragstad | 2013-08-15 | 3 | -4/+3
    Modifications to use log from /keystone/openstack/common/log.py instead of /keystone/common/logging.py. This change also includes some refactoring to remove the WriteableLogger class from common/wsgi.py since that is already included in the unified logging sync from Oslo. This also moves fail_gracefully from /keystone/common/logging.py to service.py as it is only used within that module.
    blueprint unified-logging-in-keystone
    Change-Id: I24b319bd6cfe5e345ea903196188f2394f4ef102
* Revoke user tokens when disabling/deleting a project | Chmouel Boudjnah | 2013-08-15 | 1 | -0/+16
    - Revoke tokens scoped to all users from a project when disabling or deleting the project.
    - Tests provided by Dolph.
    Closes-Bug: #1179955
    Change-Id: I8ab4713d513b26ced6c37ed026cec9e2df78a5e9
    Signed-off-by: Chmouel Boudjnah <chmouel@enovance.com>
* Abstract out attribute_ignore assigning in LDAP driver | Elena Ezhova | 2013-08-06 | 1 | -6/+0
    This is used to avoid code duplication in keystone/identity/backends/ldap.py. All changes are fully covered by test_*option_name*_attribute_ignore() in test_backend_ldap.py.
    bp refactor-ldap-driver
    Change-Id: Ia0fc0b3d4a92416dcd65ddb49b3b0bf9a0777363
* Abstract out attribute_mapping filling in LDAP driver. | Elena Ezhova | 2013-08-05 | 1 | -19/+8
    bp refactor-ldap-driver
    Change-Id: I4b3bb2900b54f046b05d68f15fb6e35b324ca9f7
* Merge "V3 API needs to check mandatory field when creating resources" | Jenkins | 2013-08-02 | 1 | -0/+10
* V3 API needs to check mandatory field when creating resources | xingzhou | 2013-08-01 | 1 | -0/+10
    When creating items like project or role through the V3 API, if the name field is missing, the server returns a 500 internal error or a 409 conflict error; it should return a 400 bad request error instead.
    Change-Id: I9deddcd4cf801306c16555b59bba7fdfab6556a7
    Fixes: Bug 1136342
* Merge "Use dependency injection for assignment and identity" | Jenkins | 2013-08-02 | 3 | -6/+6
* Use dependency injection for assignment and identity | Brant Knudson | 2013-07-31 | 3 | -6/+6
    The assignment and identity backends don't use normal dependency injection because of a circular reference. Support for circular references was added, so these backends can now use normal dependency injection.
    Fixes: bug 1200769
    Fixes: bug 1204605
    Change-Id: I8716a65b984c26fcaaf2595463db09e1f02cb475
* Remove passwords from LDAP queries | Adam Young | 2013-07-30 | 1 | -2/+6
    Bug 1178032
    Change-Id: Idca895b1d4d2e611fe834f49b436864a73f4006c
* Merge "sql.Driver:authenticate() signatures should match" | Jenkins | 2013-07-30 | 5 | -5/+5
* sql.Driver:authenticate() signatures should match | Brant Knudson | 2013-07-17 | 5 | -5/+5
    A method called authenticate_user was renamed in identity.backends.sql.Driver from authenticate_user to authenticate but the base class wasn't updated. Also, the user_id and password arguments to authenticate should NOT be optional.
    Change-Id: Ie6eb42f060e368ec99d5d8241a404cf7c70d48ae
* Remove vestiges of Assignments from LDAP Identity Backend | Adam Young | 2013-07-25 | 1 | -295/+0
    Bug 1204995
    Change-Id: Ife92041ffc386b8f9629096ebd65020f3cc7ae26
* Merge "Use assignment_api rather than assignment" | Jenkins | 2013-07-23 | 3 | -53/+55
* Use assignment_api rather than assignment | Brant Knudson | 2013-07-22 | 3 | -53/+55
    When normal dependency injection is used the variables are named like "xxx_api". This change makes it so that the identity backend and drivers use "assignment_api" rather than "assignment" so it will be easier to switch to normal dependency injection.
    Part of fix for bug 1200769
    Change-Id: I7805b338c48d57ca1922bb622a3f474f2341f4ac
* Return correct link for effective group roles in GET /role_assignments | Henry Nash | 2013-07-17 | 1 | -13/+4
    The assignment link returned for roles that are included by virtue of group membership should refer to the group assignment that led to this role, rather than a direct user assignment.
    Fixes bug 1201374
    Change-Id: Ic649e7eb4633e258264f27280d938a08af380921
* Implement role assignment inheritance (OS-INHERIT extension) | Henry Nash | 2013-07-17 | 3 | -33/+237
    This extension allows for project roles to be optionally inherited from the owning domain. The v3 grant APIs are extended to take an inherited_to_projects flag. The GET role_assignments API will also include these roles in its response, either showing them as inherited roles assigned to the domain or, if the 'effective' query parameter is set, will interpret the inheritance and reflect those role assignments on the projects.
    The inherited_to_projects flag is encoded in the role list in the metadata of the relevant entries in the grant tables. The 'roles' key in the metadata is now a list of dicts, as opposed to a simple list, where each dict is either {'id': role_id} for a regular role, or {'id': role_id, 'inherited_to': 'projects'} for an inherited role. Remember that a previous patch had rationalized the way metadata is handled so that its structure is entirely hidden within the driver layer.
    The extension can be enabled/disabled via a config setting.
    Limitations:
    - The extension is not yet discoverable via url, this will be added as a separate patch when the v3/extensions work is complete.
    A separate issue has been discovered with the fact that the v2 calls of 'get_projects_for_user()' and 'list_user_projects()' should be rationalized and also honor both group (and inherited) role assignments. This is being raised as a separate bug.
    DocImpact
    Implements bp inherited-domain-roles
    Change-Id: I35b57ce0df668f12462e96b3467cef0239594e97
* Mixed LDAP/SQL Backend. | Adam Young | 2013-07-12 | 2 | -14/+5
    Supports the configuration where LDAP is used for identity and SQL is used for assignment.
    blueprint split-identity
    Change-Id: Ib91b5d804282b7f78fc2458ff64653bbf2cf5d9e
* Rationalize how we get roles after authentication in the controllers | Henry Nash | 2013-07-10 | 5 | -47/+15
    Currently there is a mixture of strategies in the v2 and v3 controllers for how to get the roles assigned for the scope of the requested authentication. This duplicates code, is hard to maintain and in at least one case (where your only roles on a project are due to a group membership) is not actually correct (for v2 tokens).
    This change does the following:
    - Standardizes on using the 'get_roles_for_user_and_project()', and its domain equivalent, for how roles are obtained to build a token. This was already the case for v3 tokens. The controllers no longer need to get metadata and extract the roles.
    - Removes the driver level function to 'authorize_for_project' - this is now handled within the controller. The driver simply supports the user authentication.
    A nice (and planned for) side effect of the above is that we now hide the schema of how we store roles within the driver layer - i.e. nothing outside of the driver (other than any specific-to-implementation tests) have to know about how roles are stored in the metadata. This paves the way for a re-implementation of the grant tables in IceHouse.
    This change also fills in missing function definitions in the assignment driver.
    Implements bp authenticate-role-rationalization
    Change-Id: I75fc7f5f728649d40ab1c696b33bbcd88ea6edee
* assignment backend | Adam Young | 2013-07-09 | 4 | -1632/+146
    Splits the assignments functions off of the identity api and manager, and moves them into their own backend. To prevent breaking existing code, this adds assignment delegation functions to Identity Manager. There is a circular dependency between ID and assignments.
    This code is mostly pure refactoring, with no changes to the unit tests. Existing behavior is maintained. In the future, we will add unit tests for mixing an LDAP identity provider with a SQL assignment backend.
    blueprint split-identity
    Change-Id: I6c180aa1ae626ace5b91e0bf1931bdaf2aa031d5
* Merge "Fix issue with v3 tokens and group membership roles" | Jenkins | 2013-07-08 | 4 | -66/+71
* Fix issue with v3 tokens and group membership roles | Henry Nash | 2013-07-06 | 4 | -66/+71
    The driver calls used by v3 token controllers to obtain roles for a user on both project and domain were incorrectly implemented, leading to roles being missed out of the token. v2 tokens are not affected, since they don't use the same driver calls. This fixes these functions and adds additional tests to cover the cases (all of which would fail without this patch).
    As part of this fix, the implementation of "get_roles_for_user_and_project()" is pulled up into the driver class (like the domain equivalent is already), since, for all implementations, it is independent of backend technology.
    Fixes bug 1197874
    Change-Id: I59b6882d93bdc8372be03fed0b390b002a6d0320
* Implement GET /role_assignment API call | Henry Nash | 2013-07-03 | 5 | -0/+277
    Add support for the GET /role_assignment call as a first step to making role_assignment a first class entity.
    This patch also enables v3 collection filtering to match against attributes of entities being returned in the list, using the same dot notation (e.g. user.id) that we already support for policy file checking against filters.
    Limitations:
    - The current implementation uses the standard v3 collections wrapper mechanism for filtering. Given the potential numbers of role assignments in a large system, this may have performance and resource impacts. A future improvement would pass the filters into the driver layer to keep the internal assignment processing to a minimum.
    - The LDAP backend is not currently supported
    Implements bp get-role-assignments
    Change-Id: I6ff2ea780e39d7097a88214fbb3ddee1b924c30c
* Stop passing context to managers (bug 1194938) | Dolph Mathews | 2013-06-28 | 2 | -118/+104
    We don't have a use case for passing the request context to the manager layer, so this patch removes a bunch of cruft.
    Change-Id: Ic6435782c4c9f32e38c7800172645cc1af23ea09
* LDAP list group users not fail if user entry deleted | Brant Knudson | 2013-06-25 | 1 | -8/+8
    Using the LDAP identity backend, if a group member entry doesn't exist in the LDAP server anymore and the group's members are listed using GET /v3/groups/{groupId}/users, Keystone returns 404 Not Found. The server should return all the group members that do exist and ignore the missing members.
    Fixes bug 1174585
    Change-Id: I97b53e3d5a5810aa0818b785e23a1948499b29e8
* Move identity ldap backend from directory to file | Adam Young | 2013-06-20 | 2 | -19/+1
    The LDAP backend for identity was in a subdirectory as opposed to a file due to a clash between the name of the local package and the standard python package both being called ldap. This change makes the ldap backend look like the other backend. The mechanism that fixes it is: from __future__ import absolute_import
    Change-Id: Id9ee518238ae22e5128351094eb3764a831cc083
* Removing LDAP API Shim | Adam Young | 2013-06-19 | 1 | -257/+184
    The LDAP identity code had many circular dependencies between data objects due to the need to look up DNs from ID. This change pulls the lookups into the driver layer, and modifies most of the data objects to take DNs in as their parameters instead. Only objects that know how to look up their own DNs from their IDs will continue to take IDs in, to support the "get" methods.
    Change-Id: I0bac360650ccbf72c7ca8317997031420f66e4f3
* Merge "Set default 'ou' name for LDAP projects to Projects" | Jenkins | 2013-06-19 | 1 | -1/+1
* Set default 'ou' name for LDAP projects to Projects | Sahdev Zala | 2013-06-17 | 1 | -1/+1
    The default ou name for projects/tenants should be Projects, as we normally use in devstack and ldap live test. Since multiple LDAP objects can use groupOfNames, setting projects group to Groups is vague.
    Fixes Bug 1191807
    Change-Id: I1718c76320da51a58abf6558a9b8560e908773cb
* Merge "Move user fields type check to identity.Manager" | Jenkins | 2013-06-18 | 4 | -21/+11
* Move user fields type check to identity.Manager | Wu Wenxiang | 2013-06-16 | 4 | -21/+11
    The fields type's checking logic during creating and updating users apply to all driver calls. It should be centralized in the identity.Manager rather than continuing the trend of spreading them out between controllers, managers and drivers.
    This patch moves the enable type checking logic to identity.Manager and modifies the related test cases in test_backend.py.
    Change-Id: I37df56a61cd5ab332dcc9d74a7e99ee9041aa32e
* Merge "Http 400 when project enabled is not a boolean" | Jenkins | 2013-06-17 | 1 | -0/+6
* Http 400 when project enabled is not a boolean | Wu Wenxiang | 2013-06-16 | 1 | -0/+6
    Having enabled="true" in json data when updating tenant will produce 500.
    When updating a project, no type check was performed on the enabled attribute. Therefore, if enabled value in JSON/XML is not a boolean but a string, keystone responds with an incorrect Http 500 error code and the stacktrace.
    The change introduces a type validation of the enabled attribute at identity manager. If the type is not a boolean, keystone now returns an appropriate Http 400 error code with a message pointing to a bad format for the attribute.
    Test cases have been added to file test_backend and test_content_types for testing the case when enabled attribute is a string or int when updating project.
    Fixes bug #1191384
    Change-Id: I86dd7e71d4bac1e3fd6fcabaa1a2136a47722e5f
* Merge "LDAP get_project_users should not return password" | Jenkins | 2013-06-17 | 1 | -1/+5
* LDAP get_project_users should not return password | Sahdev Zala | 2013-06-12 | 1 | -1/+5
    Also, with this fix there is no need to skip get_project_users for LDAP.
    Fixes bug 1190286
    Change-Id: I6ab6b4179c36d49b8a2eab1ea67ce0d6339751f5
* Merge "Correct the default name attribute for role" | Jenkins | 2013-06-15 | 1 | -1/+1
* Correct the default name attribute for role | Sahdev Zala | 2013-06-10 | 1 | -1/+1
    Fixes bug 1172801
    Change-Id: Id2cdc5775bd1b6da03da1e50e84cfe60ada00314
* Merge "Add checks to test if enabled is bool" | Jenkins | 2013-06-14 | 1 | -4/+5
* Add checks to test if enabled is bool | galstrom21 | 2013-06-12 | 1 | -4/+5
    fixes: bug #1167593
    Change-Id: Ie18fa17f16383f31d8aa083e69fa501d80eb4553
* Merge "drop user and group constraints" | Jenkins | 2013-06-14 | 1 | -8/+15
* drop user and group constraints | Adam Young | 2013-06-10 | 1 | -8/+15
    Drop foreign keys that point to user and group tables from other tables. This is required to be able to split up the backends.
    Blueprint extract-projects-from-id
    Change-Id: Iea78ddca4ef5ea5ca1bb542cba81da8aefa95b6b
* Force simple Bind for authentication | Jose Castro Leon | 2013-06-13 | 1 | -13/+2
    The authentication code was using a common code path with other LDAP code that got an LDAP connection. If the system was configured to do Anonymous binding, users could bypass the authentication check. This patch forces the authentication code to do a simple_bind.
    Change-Id: Id0c19f09d615446927db1ba074561b129329b5c8
* Merge "remove_role_from_user_and_project affecting all users (bug 1170649)" | Jenkins | 2013-06-05 | 1 | -0/+1
* remove_role_from_user_and_project affecting all users (bug 1170649) | Dolph Mathews | 2013-06-03 | 1 | -0/+1
    Change-Id: I2333404991114e6985f3f2c4de4fb30dc3195b2d
* Merge "split authenticate call" | Jenkins | 2013-06-05 | 5 | -47/+49