Commit message

In middleware/s3_token.py, swift is only used for a logger and path-split
functionality. We should remove the swift dependency by using new
code.
fixes bug #1178738
Change-Id: Icc2648720e220a873d1fb8e9961d777ceabef70b
Devstack is pulling s3_token into the swift pipeline and so depending on
keystone.environment is breaking devstack installs.
Fixes bug 1193112
Change-Id: Ifd89e542f79a2bee00113e7df676d30da0f05e59
The environment module will be configured once, during code initialization.
Subsequently all other possibly-evented modules will retrieve from
environment and transparently obtain either the eventlet or standard
library modules.
If eventlet, httplib, subprocess or another environment-dependent module
is referenced outside of the environment module it should be considered
a bug.
The changes to tests are required to ensure that test is imported first
to set up the environment. Hopefully these can all be replaced with an
__init__.py in a post-nose keystone.
Implements: blueprint extract-eventlet
Change-Id: Icacd6f2ee0906ac5d303777c1f87a184f38283bf
Change-Id: I0fa6fc6bf9d51b60fa987a0040168f3f0ef78a4a
- Removed unused imports
- Ignore wildcard and unused imports from core modules (and avoid
wildcard imports otherwise) to __init__ modules
Change-Id: Ie2e5f61ae37481f5d248788cfd83dc92ffddbd91
- Split between good and bad tests.
- Add more tests to get to 100% coverage.
Change-Id: Iffd00c2b557e54b122f29f8b0ec7f7ab7a92d16e
This moves keystone.config to keystone.common.config, which requires
.configure() to be called manually in order for options to be
registered.
keystone.config preserves the existing behavior of automatically
registering options when imported.
keystone.middleware.auth_token and its dependencies within keystone no
longer cause config options to be automatically registered.
This is an alternative to https://review.openstack.org/#/c/24251/
Change-Id: If9eb5799bf77595ecb71f2000f8b6d1610ea9700
Protected against XMLSyntaxError that can occur in from_xml. Return
a validation error (400) instead of an internal server error (500).
Change-Id: Ic5160f4f6c810e96b74dbf9563547ac739a54c5e
Fixes: bug #1101043
Change-Id: I4408b3e6e0752ca75bc36399f5148890820e9a89
Also implemented the following:
blueprint pluggable-identity-authentication-handlers
blueprint stop-ids-in-uris
blueprint multi-factor-authn (just the plumbing)
What's missing?
* domain scoping (will be implemented by Henry?)
Change-Id: I191c0b2cb3367b2a5f8a2dc674c284bb13ea97e3
git ls-files | misspellings -f -
Source: https://github.com/lyda/misspell-check
Change-Id: Icbd2412aa65bc8135e5dcd83ee69e94f5a42f7a2
Change-Id: I50a5bbe4800fc88b631701a6be0a0f9feec597d0
Adds a new RequestBodySizeLimiter middleware to guard against
really large HTTP requests. The default max request size is 112k
although this limit is configurable via the 'max_request_body_size'
config parameter.
Fixes LP Bug #1099025.
Change-Id: Id51be3d9a0d829d63d55a92dca61a39a17629785
- This has been moved since last release to swift main repository.
Change-Id: I11fc4001fbc4a1d78823d41450cdfcc97677c420
Although the master auth_token file is now in keystoneclient, it will take
some time to get all the paste files to point to it there rather than here.
Hence, we import it back here to provide backward compatibility for a release
or so, after which we will remove it from the server.
Change-Id: Iccdb7839a611cdda233e4ea96f68c64d6d82f49c
This works around the following eventlet bug:
https://bitbucket.org/which_linden/eventlet/issue/92
by using the green version of Popen if os has been
monkeypatched. It also has the side effect of making the ssl
calls not block the reactor for workers that use eventlet.
Change-Id: I1457237f52310f0536fbcdcaa42174b17e8edbf5
updated diablo token based on output from diablo/stable keystone
added expiry to example tokens for test_auth_middleware
added a stack based HTTP response to test_auth_middleware to verify
sequencing
Change-Id: I738b0e9c1a0e62ad86adb95ec0b73f621513f7d4
Change-Id: I8301043965e08ffdec63441e612628d9a60876b7
key PKI tokens on hash in memcached when accessed by auth_token
middleware
Bug 1073343
Change-Id: I32e5481f82fd110c855d7e1138c3d43c73099bbb
keystone.common.wsgi
Change-Id: Idc4f6765cba20e7baadb61e355076695f36d66ea
1060389)
Change-Id: I68b0e4126f2e339c04271fd982f5f5dab198c630
Removed unnecessary backslash continuations
Added backslash continuation rules to HACKING.rst
Change-Id: Id91da5b7e9be4d4587dded95fe7a0415240213ec
Change-Id: Id2ac85d4ac61713c0ca8e2c10e68cbdeeadff4cb
Make the revocation list into a JSON document and get the Vary header.
This will also allow the revocation list to carry additional
information in the future, to include sufficient information for the
calling application to figure out how to get the certificates it
requires.
Bug 1038309
Change-Id: I4a41cbd8a7352e5b5f951027d6f2063b169bce89
From markmc's proposal:
http://lists.openstack.org/pipermail/openstack-dev/2012-July/000277.html
For backward compatibility, configuration from paste-deploy INI is used
if it exists. If not, section [keystone_authtoken] in global
configuration is expected, with the same parameter names.
Requires application using global cfg.CONF object (nova and glance since
folsom-2) and before there's openstack.common library, attempts to use
copy/pasted <application>.openstack.common.cfg
DocImpact
Change-Id: If6aa22280f4ce2cc698d99a130b5792dab808363
Co-authored-by: Adam Young <ayoung@redhat.com>
Token revocations are captured in the backends.
During upgrade, all previous tickets are defaulted to valid.
Revocation list returned as a signed document and can be fetched in an admin context via HTTP
Change config values for enable/disable PKI
In the auth_token middleware, the revocation list is fetched prior
to validating tokens. Any tokens that are on the revocation list
will be treated as invalid.
Added in PKI token tests that check the same logic as the UUID tests.
Sample data for the tests is read out of the signing directory.
dropped number on sql scripts to pass tests.
Also fixes 1031373
Bug 1037683
Change-Id: Icef2f173e50fe3cce4273c161f69d41259bf5d23
This is a better and safer default, as it minimizes the
possibility that the cache directory will be prepopulated or
unwritable, while still providing a reasonable value for the
individual developer.
Creates a better exception for failure to create the cache
dir
Logs the name of the cache dir actually used.
Bug 1031022
Change-Id: Ia3718107e436ceb034e3a89318ac05265d66d6f1
Updates the Keystone auth_token middleware so that it sets the
default signing_dir name based on the OS username obtained
from the environment. This should help resolve potential permissions
issues which can occur when multiple OpenStack services attempt
to use the same signing directory name.
Fixes LP Bug #1031022.
Change-Id: I53bceed27f60721b8f61ffec2d1e91ec2ea464ed
Fixes a typo in checking if cert file exists.
Bug 1030912
Change-Id: Iea783aaa6bc425a17799d40cd6b378d90ebe6faf
Uses CMS to create tokens that can be verified without network calls.
Tokens encapsulate authorization information.
This includes user name and roles in JSON.
The JSON document info is cryptographically signed with a private key
from Keystone, in accordance with the Cryptographic Message Syntax (CMS)
in DER format and then Base64 encoded. The header, footer, and line breaks
are stripped to minimize the size, and slashes which are invalid in Base64
are converted to hyphens.
Since signed tokens are not validated against the Keystone server, they
continue to be valid until the expiration time. This means that even if a user
has their roles revoked or their account disabled, those changes will not take
effect until their token times out. The prototype for this is Kerberos, which
has the same limitation, and has functioned successfully with it for decades. It
is possible to set the token time out for much shorter than the default of 8
hours, but that may mean that users' tokens will time out prior to completion
of long running tasks.
This should be a drop-in replacement for the current token production code.
Although the signed token is longer than the older format, the token is still
a unique stream of Alpha-Numeric characters.
The auth token middleware is capable of handling both uuid and signed tokens.
To start with, the PKI functionality is disabled. This will keep from breaking
the existing deployments. However, it can be enabled with the config value:
[signing]
disable_pki = False
The 'id_hash' column is added to the SQL schema because SQL alchemy insists on
each table having a primary key. However primary keys are limited to roughly
250 Characters (768 Bytes, but there is more than 1 varchar per byte) so the
ID field cannot be used as the primary key anymore. id_hash is a hash of the
id column, and should be used for lookups as it is indexed.
middleware/auth_token.py needs to stand alone in the other services, and uses
keystone.common.cms in order to verify tokens.
Token needs to have all of the data from the original authenticate code
contained in the signed document, as the authenticate RPC will no longer
be called in many cases.
The datetime of expiry is signed in the token.
The certificates are accessible via web APIs. On the remote service side,
certificates needed to authenticate tokens are stored in /tmp/keystone-signing
by default. Remote systems use Paste API to read configuration values.
Certificates are retrieved only if they are not on the local system.
When authenticating in Keystone systems, it still does the Database checks for
token presence. This allows Keystone to continue to enforce Timeout and
disabled users.
The service catalog has been added to the signed token. Although this greatly
increases the size of the token, it makes it consistent with what is fetched
during the token authenticate checks.
This change also fixes time variations in expiry test. Although unrelated to
the above changes, it was making testing very frustrating.
For the database Upgrade scripts, we now only bring 'token' up to V1 in 001
script. This makes it possible to use the same 002 script for both upgrade
and initializing a new database.
Upon upgrade, the current UUID tokens are retained in the id_hash and id fields.
The mechanisms to verify uuid tokens work the same as before. On downgrade,
token_ids are dropped.
Takes into account changes for "Raise unauthorized if tenant disabled"
Bug 1003962
Change-Id: I89b5aa609143bbe09a36bfaf64758c5306e86de7
Allows the prepending of a prefix to the URI used for admin tasks. This allows URIs like
https://hostname/keystone/main/v2.0
PEP8 fix
Added To Unit test to ensure auth_prefix is checked
Bug: 994860
Change-Id: I851e059e8b17c1bc02ab93d8b09a3fb47b9d3fee
Updates the auth_token middleware to explicitly prevent
X-Service-Catalog headers from being injected into responses.
In general Keystone would override these with its own service
catalog... however since X-Service-Catalog is optional and
not all implementations/calls return it is good to be safe and
just remove incoming X-Service-Catalog headers if they are set.
Fixes LP Bug #1023998.
Change-Id: I9497937abd1b434b42b40bc943a508dd7f1a3585
Implements blueprint use-common-jsonutils
1. Edit openstack-common.conf and import keystone/openstack/common/jsonutils.py
2. Remove json package imports and replace with jsonutils
Client code in vendor/ hasn't been changed
Change-Id: I57c670fde9f2c2241eddab1b012e8d5e6a72deb7
Change-Id: I9fec34122ca28ac9d2d9866cfe6ab203998d177d
Fixes bug #1013441
Sort imports by lexicographical order of full module path
Change-Id: I60231d87618466426dc7bfac7bb0644a0dbd079a
* This will allow for chained requests (novaclient -> nova -> cinder)
* Fixes bug 1010237
Change-Id: Iab126cb1f2fb01ca7da24fa9fe97ec81ee96e455
Unrecognized content type:
http://paste.openstack.org/raw/18537/
Malformed JSON:
http://paste.openstack.org/raw/18536/
Change-Id: I76afbf9300bcb1c11bed74eddbe4972c451c5877
Change-Id: I0989396691eb31d9008c016e64f2c197f8c7e48c
* keystone/middleware/auth_token.py: Catch the
correct exception so that the memcache and iso8601
modules can be optional as intended.
* tests/test_auth_token_middleware.py: Test
the ImportError path
* keystone/test.py: Add a new mixin class to
support disabling importing of a module.
Bug: 1003715
Change-Id: I87cc2f3bc79b17a52ea672bac7e0ebcf9e1fce57
- Don't use the deprecated headers X_USER and X_ROLE but the newer ones,
X_USER_NAME and X_ROLES.
- Fixes bug 999447.
Change-Id: I12752c7668863cbb47ee4b6e484cc494133443e8
- Make it consistent between the source documentation and the rst
documentation.
- Note about the default being https.
Change-Id: Ic78ef79198eee9b514bb52fce12d7224e9ab65ae
Fixes bug 999998.
Swift auth middleware uses a new format for expressing
a container ACL for a user: <tenant_name>:<user>. This
fix adds support for checking ACL using the old format
of <tenant_id>:<user>.
Change-Id: I44985b191afb174605c35041741056ae1e78fa77
- Fixes bug 995222.
- Documentation already had a false, which is correct; updating the bug.
Change-Id: I08625d8fa07c05b25c851c1df327cbdf660bd614