| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
| |
Replaced `raise nose.exc.SkipTest()` statement to self.skipTest().
Removed unused nose.exc imports.
Fixes bug 1172794
Change-Id: Ieb353864acadef43508d185156c7fa1667baa845
|
| |
|
|
|
|
|
|
|
|
|
| |
Brings token binding to keystone server. There are a number of places
where the location or hardcoding of binding checks are not optimal
however fixing them will require having a proper authentication plugin
scheme so just assume that they will be moved when that happens.
DocImpact
Implements: blueprint authentication-tied-to-token
Change-Id: Ib34e5e0b6bd83837f6addbd45d4c5b828ce2f3bd
|
| |
|
|
|
|
|
|
|
| |
Modified the token_factory to create token responses with
or without the catalog entry.
blueprint catalog-optional
Change-Id: Icdc4400f08f4619a19e44129c78240800a3a1e75
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Select the code to handle REMOTE_USER based on a config file option
Fixes the REMOTE_USER logic to get the domain name from
REALM, which is the least surprise option.
Disregards the auth_data passed in, as we should be using REMOTE_USER
to get the user name.
External Plugin is now executed in conjunction with the auth methods,
as opposed to in place of them.
DocImpact
blueprint pluggable-remote-user
Change-Id: I9dda6dbe073f03806bdf539db6faa01644109f1c
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Abstract V3 token provider backend to make token provider pluggable. It enables
deployers to customize token management to add their own capabilities.
Token provider is responsible for issuing, checking, validating, and
revoking tokens. Note the distinction between token 'driver' and 'provider'.
Token 'driver' simply provides token persistence. It does not issue or
interpret tokens.
Token provider is specified by the 'provider' property in the '[token]'
section of the Keystone configuration file.
Partially implemented blueprint pluggable-token-format.
This patch also fixes bug 1186061.
Change-Id: I755fb850765ea99e5237626a2e645e6ceb42a9d3
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The driver calls used by v3 token controllers to obtain roles
for a user on both project and domain were incorrectly implemented,
leading to roles being missed out of the token. v2 tokens are not
affected, since they don't use the same driver calls.
This fixes these functions and adds additonal tests to cover the
cases (all of which would fail without this patch). As part of this
fix, the implementation of "get_roles_for_user_and_project() is
pulled up into the driver class (like the domain equivalent is already),
since, for all implementations, it is independant of backend technology.
Fixes bug 1197874
Change-Id: I59b6882d93bdc8372be03fed0b390b002a6d0320
|
| |\ |
|
| | |
| |
| |
| | |
Change-Id: I2333404991114e6985f3f2c4de4fb30dc3195b2d
|
| |/
|
|
| |
Change-Id: Iacd2d9e09be4ab3d6a3c5acf4074e4af7e300602
|
| |
|
|
|
|
|
|
|
| |
- docstring should not start with a space (flake8 H401)
- one line docstring needs punctuation (flake8 H402)
- multi line docstring end on new line (flake8 H403)
- multi line docstring should start with a summary (flake8 H404)
Change-Id: I69b414395930bda739aa01b785ac619fa8bb7d9b
|
| |
|
|
| |
Change-Id: I0f6c5fc27b0bb2da553e9345a8ac4949ce46e685
|
| |
|
|
| |
Change-Id: I716a6b61c2b3faaa23cc79f58c6c6e01cfc232f2
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The intention is to remain as close as possible to the original
implementation and so leaves a number of easy cleanups and optimisations
until a later patch.
In writing tests their are a number of changes for API tests that are a
result of webob/webtest restrictions:
* response.body is now the string body and response.result is the parsed
dictionary.
* response.status is now a string eg. '200 OK', use
response.status_code to get the integer
* response.getheader no longer exists. response.headers is a dictionary
like object that can be accessed (case independently) with [] or
.get()
Working towards: blueprint extract-eventlet
Change-Id: I393b4bad2fd6eacc0b8ae98fc204d1323014b5e4
|
| |
|
|
|
|
|
| |
keystone.auth.controllers.AuthInfo's get_method_data() referenced
a variable that was not defined.
Change-Id: I4171453d5e9843501052c9e395273976255342ad
|
| |
|
|
|
|
|
|
|
|
|
| |
Change trust extension from RH-TRUST to OS-TRUST so that the namespace
being used is for OpenStack, as opposed to a contributing company. This
is also more consistent with namespacing used in other OpenStack APIs.
Some additional discussion about this is in this thread:
http://lists.openstack.org/pipermail/openstack-dev/2013-March/006876.html
Change-Id: I0fd869abe0f527c899808a4dde19dbd1fb6f32cd
|
| |
|
|
| |
Change-Id: I32b32fc5df8d8483ae8e99067f0655c13c6f520b
|
| |
|
|
| |
Change-Id: I76ab6ddac70cccece46bc36d7592d840599c893b
|
| |\
| |
| |
| | |
1157430)"
|
| | |
| |
| |
| | |
Change-Id: Ibe9019684b45651a9679311a3bacdad41b4116f5
|
| |/
|
|
|
|
|
|
|
|
|
|
|
| |
Ensure that we validate the domain status of user/project for
a user authenticating via the v2 API.
This patch builds on the initial functional change done by Dolph,
and fixes up the tests that broke sure to domain being required in
any tests that setup data directly in the backends.
Fixes Bug #1130236
Change-Id: I66dfd453fb95fa4fa3fde713b663386a2c2ecdf8
|
| |
|
|
|
|
| |
Make sure we check for tenant_ref before referencing it.
Change-Id: If7918c0a9b2e99f8555e902e89166c6542105209
|
| |
|
|
| |
Change-Id: I14361812980e27b6d3365055586c264e48a25a3b
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
These fields are used for queries, and may need to be indexed
Also moves the delete token for... functions into the base class
for controllers.
Removed the token API revoke token call as that needed access to other
APIs. Logic was moved into the controller.
Bug 1152801
Change-Id: I59c360fe5aef905dfa30cb55ee54ff1fbe64dc58
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A number of the v3 apis were not yet revoking tokens that would
be invalidated by their actions, including:
- grant/revoke role
- delete group
- add/remove user to group
A seperate bug has been rasied with regard to revoking tokens when
a role is deleted, since this needs much more plumbing to implement.
Fixes Bug #1093493
Change-Id: Icf0792821829045d5bdecf686ec470ce54f9c9af
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fills out some more tests for both these areas. To make it easier for
any v3 tests to do their own authentication, moved the auth builder
utility functions from test_v3_auth into test_v3.RestfulTestCase.
Also fixed an issue that meant the api filtering on a boolean
would not work.
Fixes Bug #1132080
Fixes Bug #1132372
Change-Id: I7bb7b5ba61adfc6a9c496a5547a0ca3fcfbab209
|
| |
|
|
|
|
| |
This reverts commit d8599dcda06514a9687af3f714e55ff7580af9db.
Change-Id: Iddb881070a91b9761a567a7d3b6d906e228af9f6
|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| | |
modify "expires" to "expires_at", most of the changes were
already done by Guang-yee, added a pki-token-id test
Change-Id: Ib3f39620db18aaea6b0cb5d0ae9c290afd870605
|
| |/
|
|
|
|
|
|
|
| |
Makes the resolution of local imports work
when running individual tests.
Bug 1152326
Change-Id: I72f54bdbb60a6d7acf32bdbdc02d7bce69add84e
|
| |
|
|
| |
Change-Id: Ie697e19c2fa0e4ac203ff24aa9efa23c25ea6ccd
|
| |
|
|
|
|
|
| |
Notice we have to use fraction of second precision to prevent PKI token ID
overlap.
Change-Id: Icfc192c08ab5b4db02547ef6f077fa7f32210835
|
| |
|
|
| |
Change-Id: I4408b3e6e0752ca75bc36399f5148890820e9a89
|
| |
|
|
|
|
|
| |
- Fixes bug 1131292: catalog returned with unscoped tokens
- Fixes bug 1131294: X-Subject-Token not returned on token validation
Change-Id: I1808613f276354e2a37cf8c154b55509a2888d89
|
| |
|
|
|
|
| |
Implement domain-scoping functionality for v3 auth API
Change-Id: Id5e935735a43fefee10a36d9d691578871ba7fcb
|
|
|
Also implemented the following:
blueprint pluggable-identity-authentication-handlers
blueprint stop-ids-in-uris
blueprint multi-factor-authn (just the plumbing)
What's missing?
* domain scoping (will be implemented by Henry?)
Change-Id: I191c0b2cb3367b2a5f8a2dc674c284bb13ea97e3
|
