path: root/keystone/token
Commit message | Author | Age | Files | Lines
* Add delegated_auth support for keystone | Steve Martinelli | 2013-08-16 | 5 files | -14/+112

    Implements an OAuth 1.0a service provider.

    blueprint: delegated-auth-via-oauth
    DocImpact
    SecurityImpact
    Change-Id: Ib5561593ab608f3b22fbcd7196e2171f95b735e8
* Implement domain specific Identity backends | Henry Nash | 2013-08-15 | 2 files | -3/+1

    A common scenario in shared clouds will be that a cloud provider will want to be able to offer larger customers the ability to interface to their chosen identity provider. In the base case, this might well be their own corporate LDAP/AD directory. A cloud provider might also want smaller customers to have their identity managed solely within the OpenStack cloud, perhaps in a shared SQL database.

    This patch allows domain specific backends for identity objects (namely user and groups), which are specified by creation of a domain configuration file for each domain that requires its own backend.

    A side benefit of this change is that it clearly separates the backends into those that are domain-aware and those that are not, allowing, for example, the removal of domain validation from the LDAP identity backend.

    Implements bp multiple-ldap-servers
    DocImpact
    Change-Id: I489e8e50035f88eca4235908ae8b1a532645daab
* Refactor Keystone to use unified logging from Oslo | Lance Bragstad | 2013-08-15 | 6 files | -6/+6

    Modifications to use log from /keystone/openstack/common/log.py instead of /keystone/common/logging.py. This change also includes some refactoring to remove the WriteableLogger class from common/wsgi.py since that is already included in the unified logging sync from Oslo. This also moves fail_gracefully from /keystone/common/logging.py to service.py as it is only used within that module.

    blueprint unified-logging-in-keystone
    Change-Id: I24b319bd6cfe5e345ea903196188f2394f4ef102
* Merge "Sync models with migrations" | Jenkins | 2013-08-12 | 1 file | -3/+6
* Sync models with migrations | Elena Ezhova | 2013-08-12 | 1 file | -3/+6

    This patch syncs models with migrations for:
    - Endpoint
    - CredentialModel
    - TokenModel
    - TrustModel

    No actual schema change is taking place, this patch just corrects errors in the model definitions.

    Made class Index available in keystone.common.sql.core

    partially implements bp db-sync-models-with-migrations
    Change-Id: I52f5c455360b65a2d5d884bbbec078dca6d34451
* Configurable max password length (bug 1175906) | Dolph Mathews | 2013-08-08 | 1 file | -5/+3

    DocImpact
    Change-Id: I1b1de8f7e07afe8af8a5cbb83de7f935cea04670
* Merge "Remove kwargs from manager calls where not needed." | Jenkins | 2013-08-02 | 2 files | -8/+6
* Remove kwargs from manager calls where not needed. | Morgan Fainberg | 2013-08-01 | 2 files | -8/+6

    This patch removes the use of kwargs from manager calls where not required. Dogpile.cache (the targeted caching library) does not support kwargs out of the box with its cache-key-generator. This change allows us to support the default cache-key-generator; while it is possible to create a new cache-key-generator function, there are many possible edge-cases to deal with when making cache invalidation calls (ensuring the arguments are the same) as well as possible performance implications (depending on the depth of method introspection needed to determine how to invalidate the cache).

    As an added bonus, this change brings the code touched more in-line with the rest of keystone where most manager/driver calls do not use kwargs unless absolutely required.

    blueprint: caching-layer-for-driver-calls
    Change-Id: I035c976314fb48f657661f681f7c1760d3c547a6
* default token format/provider handling | Brant Knudson | 2013-07-24 | 1 file | -0/+4

    The Keystone server would print a warning when both the token format and provider were set to the default. Also, the Keystone server would not start if the format was commented out and the provider was set to the uuid.Provider.

    Fixes: bug 1204314
    Change-Id: Id7db33a1f27c4986af153efc73b22db8c6a8942e
* Deprecate kvs token backend | Joe Gordon | 2013-07-22 | 1 file | -0/+14

    This backend is not usable in any production environment. All OpenStack environments will already have a SQL DB, and if someone does not want to use the DB they can use the memcache backend.

    Fixes bug 1188301 and bug 1188370

    DocImpact
    This backend should not be mentioned in documentation, as it is not production grade and is deprecated.

    Change-Id: I41b147bcc70b79b4fc6df50b242a73cfcad33114
* Deprecation warning for [signing] token_format | Dolph Mathews | 2013-07-18 | 1 file | -12/+20

    This also adds i18n to a few related strings and updates doc.

    Change-Id: Icba582a085939f58581fa909b63a36cbad3b4e69
* Support token_format for backward compatibility | Guang Yee | 2013-07-18 | 1 file | -10/+36

    The provider property in the [token] section will be unset by default. If provider is not set, we will use token_format in the [signing] section to determine the provider. If provider is set, it must agree with the token_format.

    fixed bug 1202651
    Change-Id: I15ff67490acbbacc9eefc7eee253400475704b04
* Merge "grammar fixes in error messages" | Jenkins | 2013-07-17 | 1 file | -3/+3
* grammar fixes in error messages | Dolph Mathews | 2013-07-16 | 1 file | -3/+3

    Change-Id: Ie00e2e9040b6f71eff573b6f7d8dc12bd87b7c52
* Implement Token Binding. | Jamie Lennox | 2013-07-17 | 2 files | -5/+26

    Brings token binding to keystone server. There are a number of places where the location or hardcoding of binding checks are not optimal; however, fixing them will require having a proper authentication plugin scheme, so just assume that they will be moved when that happens.

    DocImpact
    Implements: blueprint authentication-tied-to-token
    Change-Id: Ib34e5e0b6bd83837f6addbd45d4c5b828ce2f3bd
* Implemented token creation without catalog response. | Fabio Giannetti | 2013-07-17 | 1 file | -4/+7

    Modified the token_factory to create token responses with or without the catalog entry.

    blueprint catalog-optional
    Change-Id: Icdc4400f08f4619a19e44129c78240800a3a1e75
* Fix XML rendering with empty auth payload. | Jamie Lennox | 2013-07-17 | 1 file | -0/+5

    Just add some sensible defaults to places where XML parses for example an empty dictionary as an empty string. Also 'access' shouldn't be considered a plural.

    Change-Id: I9fb2c4f5c32ed8c2ce8ba4038caaae39590f8c1a
* Implements Pluggable V2 Token Provider | Guang Yee | 2013-07-15 | 3 files | -216/+251

    This patch implements the V2 token provider. Abstract token provider backend to make token provider pluggable. It enables deployers to customize token management to add their own capabilities. Token provider is responsible for issuing, checking, validating, and revoking tokens. Note the distinction between token 'driver' and 'provider'. Token 'driver' simply provides token CRUD. It does not issue or interpret tokens.

    Token provider is specified by the 'provider' property in the '[token]' section of the Keystone configuration file.

    Change-Id: Ic418ec433bd9e3f2f70fa31c90e570e32c1ca687
* Implements Pluggable V3 Token Provider | Guang Yee | 2013-07-12 | 9 files | -26/+562

    Abstract V3 token provider backend to make token provider pluggable. It enables deployers to customize token management to add their own capabilities. Token provider is responsible for issuing, checking, validating, and revoking tokens. Note the distinction between token 'driver' and 'provider'. Token 'driver' simply provides token persistence. It does not issue or interpret tokens.

    Token provider is specified by the 'provider' property in the '[token]' section of the Keystone configuration file.

    Partially implemented blueprint pluggable-token-format.

    This patch also fixes bug 1186061.

    Change-Id: I755fb850765ea99e5237626a2e645e6ceb42a9d3
* Rationalize how we get roles after authentication in the controllers | Henry Nash | 2013-07-10 | 1 file | -65/+27

    Currently there is a mixture of strategies in the v2 and v3 controllers for how to get the roles assigned for the scope of the requested authentication. This duplicates code, is hard to maintain and in at least one case (where your only roles on a project are due to a group membership) is not actually correct (for v2 tokens).

    This change does the following:

    - Standardizes on using the 'get_roles_for_user_and_project()', and its domain equivalent, for how roles are obtained to build a token. This was already the case for v3 tokens. The controllers no longer need to get metadata and extract the roles.
    - Removes the driver level function to 'authorize_for_project' - this is now handled within the controller. The driver simply supports the user authentication.

    A nice (and planned for) side effect of the above is that we now hide the schema of how we store roles within the driver layer - i.e. nothing outside of the driver (other than any specific-to-implementation tests) has to know about how roles are stored in the metadata. This paves the way for a re-implementation of the grant tables in IceHouse.

    This change also fills in missing function definitions in the assignment driver.

    Implements bp authenticate-role-rationalization
    Change-Id: I75fc7f5f728649d40ab1c696b33bbcd88ea6edee
* assignment backend | Adam Young | 2013-07-09 | 1 file | -2/+0

    Splits the assignments functions off of the identity api and manager, and moves them into their own backend. To prevent breaking existing code, this adds assignment delegation functions to Identity Manager. There is a circular dependency between ID and assignments.

    This code is mostly pure refactoring, with no changes to the unit tests. Existing behavior is maintained. In the future, we will add unit tests for mixing an LDAP identity provider with a SQL assignment backend.

    blueprint split-identity
    Change-Id: I6c180aa1ae626ace5b91e0bf1931bdaf2aa031d5
* Stop passing context to managers (bug 1194938) | Dolph Mathews | 2013-06-28 | 2 files | -73/+54

    We don't have a use case for passing the request context to the manager layer, so this patch removes a bunch of cruft.

    Change-Id: Ic6435782c4c9f32e38c7800172645cc1af23ea09
* Do not raise NEW exceptions | Sergey Vilgelm | 2013-06-24 | 1 file | -4/+5

    Raising NEW exception is bad practice, because we lose TraceBack. So all places like:

        except SomeException as e:
            raise e

    should be replaced by

        except SomeException:
            raise

    If we are doing some other actions before reraising we should store information about exception then do all actions and then reraise it. This is caused by eventlet bug. It lost information about exception if it switches threads.

    fixes bug 1191730
    Change-Id: I8dffc36ba5780911dd57d7161d218d0324af60b3
* Isolate eventlet code into environment. | Jamie Lennox | 2013-06-18 | 1 file | -2/+2

    The environment module will be configured once, during code initialization. Subsequently all other possibly-evented modules will retrieve from environment and transparently obtain either the eventlet or standard library modules. If eventlet, httplib, subprocess or other environment dependent module is referenced outside of the environment module it should be considered a bug.

    The changes to tests are required to ensure that test is imported first to setup the environment. Hopefully these can all be replaced with an __init__.py in a post-nose keystone.

    Implements: blueprint extract-eventlet
    Change-Id: Icacd6f2ee0906ac5d303777c1f87a184f38283bf
* Fix token purging for memcache for user token index. | Morgan Fainberg | 2013-06-10 | 1 file | -6/+85

    When issuing a new token, purge all expired tokens from the user's token index list.

    New Options:
    * max_compare_and_set_retry: The number of retries that will be attempted when performing an update of the user_record or the revocation-list record. This is relevant due to the use of CAS (compare and set) function of the memcache client. This allows for multiple keystone processes/wsgi/etc to run without worry of race conditions clobbering the lists.

    DocImpact - New Options.

    Change-Id: I9441105b1e46982b0354bccbf8297daaaa1904b2
    Fixes: bug #1171985
* Fixes a typo | Brant Knudson | 2013-05-30 | 1 file | -1/+1

    Change-Id: Ie5c5fd482312e44b4253076e9d8ebfe75abed378
* Improve the performance of tokens deletion for user | gengjh | 2013-05-30 | 2 files | -6/+61

    Provide a new token deletion API 'delete_tokens' to support deleting all the tokens for a user in one session in the sql backend. For the kvs and memcache, I also provide the corresponding implementation.

    Fix bug 1178063
    Change-Id: I986a583e5900ea04e26cbdb7c49638a33818bca7
* Merge "Move auth_token middleware from admin user to an RBAC policy" | Jenkins | 2013-05-30 | 1 file | -5/+3
* Move auth_token middleware from admin user to an RBAC policy | Joe Gordon | 2013-05-16 | 1 file | -5/+3

    Before this patch auth_token middleware required admin user credentials stored in assorted config files. With this patch only non-admin user credentials are needed. The revocation_list and validate_token commands use a policy.json rule, to only allow these commands if you have the service role.

    Rule used:

        "service_role": [["role:service"]],
        "service_or_admin": [["rule:admin_required"], ["rule:service_role"]],

    Added the policy wrapper on the validate functions.

    Fixes bug 1153789
    Change-Id: I43986e26b16aa5213ad2536a0d07d942bf3dbbbb
* Cleanup docstrings (flake8 H401, H402, H403, H404) | Dolph Mathews | 2013-05-24 | 1 file | -8/+9

    - docstring should not start with a space (flake8 H401)
    - one line docstring needs punctuation (flake8 H402)
    - multi line docstring end on new line (flake8 H403)
    - multi line docstring should start with a summary (flake8 H404)

    Change-Id: I69b414395930bda739aa01b785ac619fa8bb7d9b
* use the 'not in' operator (flake8 H902) | Dolph Mathews | 2013-05-23 | 1 file | -1/+1

    ... when evaluating membership in a collection.

    Change-Id: I3fd3d5b5d5ea505833be50193b8969f8c4feb135
* Use TODO(NAME) (flake8 H101) | Dolph Mathews | 2013-05-23 | 1 file | -6/+6

    Change-Id: Ic47bdd61d9818f203a88ae16f97c2b61b1c1bd8c
* Remove unused variables (flake8 F841) | Dolph Mathews | 2013-05-23 | 2 files | -2/+1

    Change-Id: I716a6b61c2b3faaa23cc79f58c6c6e01cfc232f2
* Satisfy flake8 import rules F401 and F403 | Dolph Mathews | 2013-05-23 | 1 file | -0/+1

    - Removed unused imports
    - Ignore wildcard and unused imports from core modules (and avoid wildcard imports otherwise) to __init__ modules

    Change-Id: Ie2e5f61ae37481f5d248788cfd83dc92ffddbd91
* Implement Token Flush via keystone-manage. | Jamie Lennox | 2013-05-21 | 3 files | -0/+20

    Creates a cli entry 'token_flush' which removes all expired tokens.

    Fixes: bug 1032633
    Implements: blueprint keystone-manage-token-flush
    Change-Id: I47eab99b577ff9e9ee74fee08e18fd07c4af5aad
* get SQL refs from session (bp sql-query-get) | Dolph Mathews | 2013-05-20 | 1 file | -7/+4

    Change-Id: I2200e33868d50bb69089f3108a5a4c061afccd6e
* Allow backend & client SQL tests on mysql and pg. | Jamie Lennox | 2013-05-10 | 1 file | -0/+1

    Currently the tables are not created which means that it isn't possible for these tests to run on anything other than sqlite.

    Fix test issues where the token id that is used to create the token is not the same as the id that the token is saved with.

    Fix a number of foreign key constraints issues.

    Bug 1178041
    Change-Id: Ib67eb97836e4224940abdeae4bba66748bfe4ca5
* Delete extra dict in token controller. | You Ji | 2013-04-19 | 1 file | -4/+4

    Change-Id: Ieb88d50f378b46cb0e91a84142cbaf07c3f3defb
    Signed-off-by: You Ji <jiyou09@gmail.com>
* What is this for? | Dolph Mathews | 2013-04-16 | 1 file | -4/+0

    Change-Id: I11c413e04647db4d3f3fa003fb340d445e0f8a03
* Fix token ids for memcached | Adam Young | 2013-04-12 | 1 file | -5/+5

    Bug 1119641
    Change-Id: Ia22764acc69a272b37364193d10c553a48679b9a
* Allow trusts to be optional | Dolph Mathews | 2013-03-20 | 1 file | -4/+6

    Change-Id: I76ab6ddac70cccece46bc36d7592d840599c893b
* Merge "Prohibit V3 V2 token intermix for resource in non-default domain (bug 1157430)" | Jenkins | 2013-03-20 | 1 file | -1/+44

* Prohibit V3 V2 token intermix for resource in non-default domain (bug 1157430) | Guang Yee | 2013-03-19 | 1 file | -1/+44

    Change-Id: Ibe9019684b45651a9679311a3bacdad41b4116f5
* Validate domains unconditionally (bug 1130236) | Dolph Mathews | 2013-03-19 | 2 files | -22/+16

    Ensure that we validate the domain status of user/project for a user authenticating via the v2 API. This patch builds on the initial functional change done by Dolph, and fixes up the tests that broke due to domain being required in any tests that setup data directly in the backends.

    Fixes Bug #1130236
    Change-Id: I66dfd453fb95fa4fa3fde713b663386a2c2ecdf8
* extracting user and trust ids into normalized fields | Adam Young | 2013-03-15 | 4 files | -33/+17

    These fields are used for queries, and may need to be indexed

    Also moves the delete token for... functions into the base class for controllers.

    Removed the token API revoke token call as that needed access to other APIs. Logic was moved into the controller.

    Bug 1152801
    Change-Id: I59c360fe5aef905dfa30cb55ee54ff1fbe64dc58
* add belongs_to check | Adam Young | 2013-03-11 | 1 file | -3/+10

    Bug 1081943

    The belongs_to check was lost as part of the v3 API work. It looks like it was broken to begin with. Fixed

    Change-Id: I4e40758fa9136b76b515100b461a36d6c31b578e
* Merge "Change exception raised to Forbidden on trust_id" | Jenkins | 2013-03-11 | 1 file | -3/+2

* Change exception raised to Forbidden on trust_id | Adam Young | 2013-03-06 | 1 file | -3/+2

    Change-Id: I30f89d52ade45335d2f29b8454438d0dd3b20a97
* Merge "unable to load certificate should abort request" | Jenkins | 2013-03-08 | 1 file | -5/+10

* unable to load certificate should abort request | David Höppner | 2013-03-06 | 1 file | -5/+10

    If openssl returns with a command line error (3), we assume the PKI certificate is not properly installed. Added 'try ... except' blocks to cms_sign_text and cms_sign_token calls.

    Fixes: bug #1103569
    Change-Id: Iad98738e990d3ab1ec0d0015840d76cf948ae560