For mysql ForeignKey constraints were removed but the fields stayed as indexes.
This migration drops them.
bp db-sync-models-with-migrations
Change-Id: I3baeac4047cd65ac5d7733ba909c45d0874f17d8
Allow each of the extensions to have their own
sql migration repository instead of mixing them into
the common repo. db_sync must be called explicitly on the extension.
In the past, it was assumed that only migrations for backends backed in
sql would be run. In practice, however, all of the migrations were run
every time. The code has been modified to reflect this.
Adds parameter --extension to the cli for db_sync and db_version
to test out the migrations
    bin/keystone-manage db_sync --extension example
will migrate to version 1 and
    bin/keystone-manage db_sync --extension example 0
will migrate it back to 0
to check the version
    bin/keystone-manage db_version --extension example
blueprint multiple-sql-migrate-repos
DocImpact
Change-Id: I6852d75bde6506c535fa3d74537e3c1bbd6578d8
Fixes bug 1206257
Change-Id: Ia522e023a2d66ec25bc909db12d358f7c0ee6952
Credential table has foreign key constraint
referring to tenant table which is dropped.
Since sqlite does not support alter table
drop constraint, the foreign key constraint
was not dropped. When we try to load credential
table using sqlite backend it fails because tenant
table does not exist. Fix is provided such that
the credential table is recreated without foreign
key constraint and the data is moved from old
credential table to the new credential table.
Fixes Bug #1190383
Change-Id: I3afb04254f33e12fccb7da84c8674feba36622c8
This extension allows for project roles to be optionally
inherited from the owning domain. The v3 grant APIs are extended
to take an inherited_to_projects flag. The GET role_assignments
API will also include these roles in its response, either showing them
as inherited roles assigned to the domain or, if the 'effective'
query parameter is set, will interpret the inheritance and reflect
those role assignments on the projects.
The inherited_to_projects flag is encoded in the role list in
the metadata of the relevant entries in the grant tables. The
'roles' key in the metadata is now a list of dicts, as opposed
to a simple list, where each dict is either
{'id': role_id} for a regular role, or
{'id': role_id, 'inherited_to': 'projects'} for an inherited role
Remember that a previous patch had rationalized the way metadata is
handled so that its structure is entirely hidden within the driver
layer.
The extension can be enabled/disabled via a config setting.
Limitations:
- The extension is not yet discoverable via url, this will be added
as a separate patch when the v3/extensions work is complete.
A separate issue has been discovered with the fact that the v2
calls of 'get_projects_for_user()' and 'list_user_projects()'
should be rationalized and also honor both group (and inherited)
role assignments. This is being raised as a separate bug.
DocImpact
Implements bp inherited-domain-roles
Change-Id: I35b57ce0df668f12462e96b3467cef0239594e97
This change adds a migration to convert any non-InnoDB tables to
InnoDB.
On some systems, the default engine is MyISAM, which doesn't
support features used by Keystone (foreign keys).
The approach is the same as what's used in Nova. A test is added
to ensure that all tables use InnoDB after migration. The test
passes when all the tables are mysql_engine='InnoDB'. This is
accomplished by adding a new migration that migrates all the
tables that aren't InnoDB to InnoDB.
Fixes bug 1191110.
Change-Id: I220f7642f5468c5cf4194f248210f90ff983b6e5
DB2 will not allow you to rename a table if it's got a
constraint on it (a unique or foreign key constraint).
This fix changes the migrations so that the unique or FK
constraints are dropped from tables before renaming and then
restoring the unique FK constraints. This works for DB2 and
other DBMSs that support FK constraints such as MySQL with
InnoDB and PostgreSQL.
Also, for DB2, give a name to the unique constraints so that
they can be manipulated.
Fixes bug 1188785
Change-Id: I7cf6ab42084e43d827ed827c64025e61e72a4672
The environment module will be configured once, during code initialization.
Subsequently all other possibly-evented modules will retrieve from
environment and transparently obtain either the eventlet or standard
library modules.
If eventlet, httplib, subprocess or other environment dependent module
is referenced outside of the environment module it should be considered
a bug.
The changes to tests are required to ensure that test is imported first
to set up the environment. Hopefully these can all be replaced with an
__init__.py in a post-nose keystone.
Implements: blueprint extract-eventlet
Change-Id: Icacd6f2ee0906ac5d303777c1f87a184f38283bf
Make it possible to run the migration tests for the supported databases
without editing the config files.
Blueprint live-sql-gate
Change-Id: Iaf14ad42333b0a0cd1f7d0fb37f135a8bf7af14a
Change-Id: Ic47bdd61d9818f203a88ae16f97c2b61b1c1bd8c
Add some session commits to prevent database deadlocks.
Force close all open sessions before performing tear down.
Use escaped parameter handling for raw sql statements.
Change-Id: I0ef670ddc416a02e78570ab6ebed2b4bf2a8635b
Change-Id: Iddc10167c94deacec07cab7ec9316849263fb462
This column was created in migration 11 but isn't used because it wasn't
added to the model definition. Attempting to store data here ended up
putting it into 'extra'.
Change-Id: I02680b5213f09fe3cddcf5365104554d3e6d6b8a
These fields are used for queries, and may need to be indexed
Also moves the delete token for... functions into the base class
for controllers.
Removed the token API revoke token call as that needed access to other
APIs. Logic was moved into the controller.
Bug 1152801
Change-Id: I59c360fe5aef905dfa30cb55ee54ff1fbe64dc58
migration 017 did not migrate existing roles from the metadata table
that was created in 001. Adding a migration (20) that compares the roles
in the metadata table (if any) and joins them to the new
user_project_metadata role that matches the user and tenant from the old
table. Also adding subsequent tests to check both of the issues above.
bug 1131087
Change-Id: I00ea6043d949c9c358827e25f05c63515fe5dea8
This reverts commit d8599dcda06514a9687af3f714e55ff7580af9db.
Change-Id: Iddb881070a91b9761a567a7d3b6d906e228af9f6
Change-Id: Id7e5b3354d9139afa0a69b283924f363847cef56
Makes the resolution of local imports work
when running individual tests.
Bug 1152326
Change-Id: I72f54bdbb60a6d7acf32bdbdc02d7bce69add84e
Blueprint trusts
creates a trust. Using a trust, one user (the trustee), can then
create tokens with a subset of another user's (the trustor) roles and
projects.
If the impersonate flag in the trust is set, the token user_id is set
to the trustor's user ID.
If the impersonate flag is not set, the token's user_id is set to the
trustee's user ID.
check that both trustor and trustee are enabled prior to creating
the trust token.
sql and kvs backends
sql upgrade scripts
unit tests for backends, auth and v3 api
modifications to the trust controller for creating tokens
Authenticates that only user can be trustor in create
Deleting a trust invalidates all tokens created from that trust
Adds the trust id and the id of the trustee to the header of the token
policy rules for trust
This version has a workaround for testing against the KVS version
of the Service catalog
Change-Id: I5745f4d9a4180b59671a143a55ed87019e98ec76
Creates a separate name space for each domain for the name attribute of
user, groups and projects - meaning that the names of these entities
only have to be unique within that domain.
Implementation of this within the SQL backends is handled by simply
changing the uniqueness constraints on the relevant attributes. KVS
and LDAP backends do not yet support domain separation (blocked by
existing restrictions, already raised as bugs).
An issue exists for the downward migration with this change in that
if the database has been used and populated with the name space in place
then the downward migration may fail due to clashing names when you
try and revert to a global name space (raised as a separate bug)
This patch also improves the group support in the KVS backend and
cleans up string quoting in the 016 migration functions, and fixes an
issue where the SQL update_project was not updating a change in domain_id.
Change-Id: I8f0df0e1bf84bfd26b8ef5505fe5fafd930dc78b
Changes the relationship between users and projects.
There is no more direct membership in projects. Instead,
all membership is now done via roles.
A default role has been created called _member_ with a uuid (both
configurable) that will be added in place of the group membership
for database upgrades.
DocImpact: https://bugs.launchpad.net/openstack-manuals/+bug/1087483
Change-Id: I2482f9ef7b838e5dade5096d6d00e81db71604d1
These changes lay the ground work for the implementation of
domain-scoping, but are benign in that they don't change the token.
They include making domain_id a first-class attribute in the user
and project entity (i.e. move it out of the 'extra' attribute),
filling in domain grant and project support for the kvs backend and
fixing a series of issues in the migration to make it work for both
MySQL, Postgresql and sqlite.
A further, separate, commit will actually provide the code to
update the actual tokens once the v3 token support has been added.
blueprint domain-scoping
blueprint default-domain
Change-Id: I55ab7947a6a1efbab003bd234856bd3805bb4a63
Change-Id: Idf374a748f8ed2add5310b504806ffabfa64bed9
This change rewrites some of our migration history since the folsom
release so that we can create a default domain prior to creating
non-nullable foreign keys in the user and project tables in migration
9 (numbered according to this change).
DocImpact
Change-Id: I807f7b1dca1d6a895f7417c316bcbce24ada61c0
Disabling an individual domain denies auth to users and projects owned by
that domain, and revokes all associated tokens. Re-enabling the domain
does not re-enable tokens.
Change-Id: Ic64f59be4f39317f4c365bec185408e79d18c45f
Change is motivated by the need to do an incremental conversion from using
tenant to using project as the name. The database is isolated from the API
and can be modified without breaking integrations. Additional work will be required
to get the API to meet the V3 spec without breaking the V2 spec
Change-Id: I7cf7695354071f0ea6252be4730ceec3af0a2f35
Change-Id: I72e2b979a8692657c225102f2562e1b1fbb3f67d
Reordered the tables in the domain downgrade script to avoid breaking the integrity constraints
To run the test:
./run_tests.sh -N test_sql_upgrade
This version removed all of the code specific to running against a live DB and merged it into the
standard tests.
Fixed a couple downgrade functions that were failing. They had not
been tested
Change-Id: Ie1214e5543bd08fde95652af2464cc9c80db449d
sqlite is supported, too"
normalized tables downgraded such that sqlite is supported, too
Change-Id: I93ed4589cbe7fd3aee16e42489c322ae903bdac7
Change-Id: I56b1d6ded61ad430929d0275ab384ff464faa53c
Change-Id: I5a527e0f5010171a202de5894d124d213d22a073
This implements the server side of groups of users. This
set of code provides all the crud functionality for groups as
well as the corresponding support for role assignments.
blueprint user-groups
The following deficiencies exist with the current version and
will be corrected ahead of the final Grizzly release:
1) There is only placeholder support for LDAP (Bug #1092187)
2) Domain role grants are accepted but not yet honored (Bug #1093248)
3) Token invalidation does not occur with group changes (Bug #1093493)
This update also fills in missing v3 grant unit testing and v3 grant
support within the kvs backend. In addition, there is a fix for
Bug #1092200 (uncaught exception when listing grants)
DocImpact
Change-Id: Ibd1783b04b2d7804eff90312e5ef591dca4d0695
This migrates the SQL backend such that v2 endpoints containing up to 3
URLs (public, internal and admin) stored in 'extra' are split into
unique endpoints.
Because legacy "endpoints" (each having publicUrl, internalUrl and
adminUrl) are no longer conceptually identical to v3's "endpoints" (each
having an interface and a url), new IDs are assigned to each entity and
each API continues to operate using independent sets of endpoint
IDs.
Endpoints created on the v3 API are not exposed on the v2 API.
Change-Id: I2ba59d55907313ae65e908585fc49be0c4ce899a
Also updated test_sql_upgrade to check the actions from 007_add_domain_tables.
Fixes: bug #1081167
Change-Id: I194c7de9ae8a3bb8f2f9f37d3a91f4fac2fe2913
modify tables by adding columns, and modify entities
by adding attributes for password, description and enabled
update tests to deal with change from 'False' and 'True' to the
python values False and True
Added a Text type from SQL Alchemy
Bug 1070351
Bug 1023544
Change-Id: I066c788b5d08a8f42a9b5412ea9e29e4fe9ba205
- v3 policy (bp rbac-keystone-api)
- v3 policy tests (bug 1023935)
- v3 policy implementation (bug 1023939)
Change-Id: I163fbb67726c295fe9ed09b68cd18d2273345d29
Change-Id: If82979923ba5c0193beeb1896ea5b4777dec735d
~35% performance improvement vs an SSD on test_keystoneclient_sql
Change-Id: Ie8c9cc0c3c56f784140998a625d943be528d5089
Change-Id: Iace6a88ddfbdefe97e0ea205cda4b10c04bca0dc
Tests upgrade to version 1.
Confirms all of the identity tables layout.
blueprint: normalize-sql
Change-Id: If66250af068b396fc55f38c66f789b9447353bda