Commit message (Author, Age, Files, Lines)
* Merge "v3 credentials, ensure blob response is json" [2014.1.b2] (Jenkins, 2014-01-22, 2, -2/+37)
|\
| * v3 credentials, ensure blob response is json (Steven Hardy, 2014-01-17, 2, -2/+37)
    The v3/credentials API specifies the blob response to be json, but due to bug #1259584, any credentials stored via the ec2tokens extension will incorrectly return a dict. This makes it hard for clients (and in particular users migrating from ec2tokens to v3/credentials) to handle the blob data consistently, so add a workaround to ensure the response is always serialized as json if the existing DB contents is a dict instead of a json string.

    Change-Id: I340cdf4e565fdadacb41b39acace3948aafb9b92
    Related-Bug: #1259584
    Closes-Bug: #1269637
* | Merge "Store ec2 credentials blob as json" (Jenkins, 2014-01-22, 2, -4/+101)
|\ \
| |/
| * Store ec2 credentials blob as json (Steven Hardy, 2014-01-16, 2, -4/+101)
    For compatibility with the v3/credentials API, the blob dict should be stored serialized as json. To maintain backwards compatibility with existing DB contents stored via the ec2tokens interface, we fall back to the previous behavior if we fail to load the blob.

    Change-Id: I21f068c308df5aa6a818031d3bc86a81b2bd25f4
    Closes-Bug: #1259584
* | Merge "Store trust_id for v3/credentials ec2 keypairs" (Jenkins, 2014-01-22, 2, -5/+80)
|\ \
| |/
| * Store trust_id for v3/credentials ec2 keypairs (Steven Hardy, 2014-01-16, 2, -5/+80)
    To fix bug #1259584 without re-opening the vulnerability fixed in bug #1242597, we need to store the trust_id in the data blob when storing an ec2 keypair via the v3/credentials API. This is already done when keypairs are created/stored via the ec2tokens interface, so this aligns the behavior when the credentials are created via v3/credentials.

    Change-Id: I8443d30dffed4201b46d10cef6a0bb43ccdcddc1
    Partial-Bug: #1259584
* | Merge "Refactor context trust_id check to wsgi.Application base class" (Jenkins, 2014-01-22, 2, -8/+15)
|\ \
| |/
| * Refactor context trust_id check to wsgi.Application base class (Steven Hardy, 2014-01-16, 2, -8/+15)
    Move the ec2 controller check for a trust_id in the token specified in the request context, renaming it to match the existing convention in the controller base classes. This function can be used by both v2 and v3 controllers hence putting it into the common Application base class. Test coverage for this is provided via existing tests in test_keystoneclient_sql.py

    Change-Id: I6028a2cfa0e9e2e16acc99b5a0a027cd6cc42ada
    Partial-Bug: #1259584
* | Merge "Cleanup test_no_admin_token_auth cleanup code" (Jenkins, 2014-01-21, 1, -18/+15)
|\ \
| * | Cleanup test_no_admin_token_auth cleanup code (Brant Knudson, 2014-01-10, 1, -18/+15)
    The addCleanup call for the temporary paste config file was separated from where it was needed because the function that required it was outside the TestNoAdminTokenAuth class. This moves the function to be a member and moves the addCleanup call in the member function right where it's needed. It's better to put the addCleanup code close to where it's needed because then it will be called even if an exception occurs.

    Change-Id: I50c97a3229958f4d15c7cd68ffa2a9d45914d1db
* | | Merge "Subclasses of TestCase don't need to reset conf" (Jenkins, 2014-01-21, 4, -32/+3)
|\ \ \
| * | | Subclasses of TestCase don't need to reset conf (Brant Knudson, 2014-01-10, 4, -32/+3)
| |/ /
    Subclasses of TestCase were unnecessarily resetting the config on cleanup. This is unnecessary because TestCase resets the config already. This takes care of some TODOs in the code.

    Change-Id: I4350efb03a40616e6a9e7fb6ee7cc507f4709f00
* | | Merge "Fix sample config external default doc" (Jenkins, 2014-01-21, 1, -1/+1)
|\ \ \
| * | | Fix sample config external default doc (Brant Knudson, 2014-01-12, 1, -1/+1)
    The sample config file documented the incorrect default for the [auth].external value as defined in keystone.common.config.

    Change-Id: I6f9454f35eaade5fa35738a9ba3f74a388bf5099
* | | | Merge "Document running with pdb" (Jenkins, 2014-01-21, 1, -0/+15)
|\ \ \ \
| * | | | Document running with pdb (Brant Knudson, 2014-01-14, 1, -0/+15)
    There was no documentation in "Developing with Keystone" that makes it obvious that you can use "tox -e debug" to run with pdb breakpoints.

    Change-Id: I82cc827d076a4d95ab6a2f903ceb0cde34005bc3
* | | | | Merge "Remove unused variables" (Jenkins, 2014-01-21, 1, -1/+1)
|\ \ \ \ \
| * | | | | Remove unused variables (Wu Wenxiang, 2014-01-11, 1, -1/+1)
    Remove unused variables in keystone/tests/test_v3_identity.py

    Change-Id: Ia70242aa6ceaebfe8380f3de879b5b7885ca80d5
    Closes-Bug: #1268094
* | | | | | Merge "LDAP Assignment does not support grant v3 API" (Jenkins, 2014-01-21, 2, -33/+323)
|\ \ \ \ \ \
| * | | | | | LDAP Assignment does not support grant v3 API (Marcos Lobo, 2014-01-18, 2, -33/+323)
    The LDAP assignment backend is missing support for several of the v3 APIs.

    This patch implements Role Grant CRUD for V3 Assignment API:
    - Role Grant CRUD
      + create_grant
      + get_grant
      + delete_grant
      + update_grant
    - GET /role_assignments
      + list_role_assignments

    Closes-Bug: #1248952
    Partial-Bug: #1101287
    Partial-Bug: #1221805
    Change-Id: I1fb247b538e6a11085a18f0103cb8508d58e664f
* | | | | | | Merge "Adds run_tests.sh cli option to stop on failure" (Jenkins, 2014-01-21, 1, -0/+5)
|\ \ \ \ \ \ \
| |/ / / / / /
| * | | | | | Adds run_tests.sh cli option to stop on failure (David Stanek, 2014-01-18, 1, -0/+5)
    Change-Id: I77def7f99b1e9c29649afb74e76948e375fa2980
* | | | | | | Merge "Removes option to delete test DB from run_tests.sh" (Jenkins, 2014-01-21, 1, -17/+0)
|\ \ \ \ \ \ \
| |/ / / / / /
| * | | | | | Removes option to delete test DB from run_tests.sh (David Stanek, 2014-01-18, 1, -17/+0)
    Our tests have been growing the smarts to clean up after themselves. This feature is no longer needed.

    Change-Id: I5ecdb0b286c31fd9b787055b77e47061c2f3bc5a
* | | | | | | Merge "Removes deprecation warning from run_tests.sh" (Jenkins, 2014-01-21, 1, -5/+0)
|\ \ \ \ \ \ \
| |/ / / / / /
| * | | | | | Removes deprecation warning from run_tests.sh (David Stanek, 2014-01-18, 1, -5/+0)
    Change-Id: Iab37535f8f9166ba231401c270a94b041c4c20f5
* | | | | | | Merge "Restructure developing.rst" (Jenkins, 2014-01-18, 1, -7/+12)
|\ \ \ \ \ \ \
| | |_|/ / / /
| |/| | | | |
| * | | | | | Restructure developing.rst (Brant Knudson, 2014-01-14, 1, -7/+12)
    The "Developing with Keystone" file was incorrectly structured.

    1) The "Building the Documentation" section was under the "dogpile.cache based Key-Value-Store (KVS)" section, which it's got nothing to do with.
    2) The "Running Tests" section was under the "Initial Sample Data" section, which it's got nothing to do with.
    3) Several testing-related sections could be put under their own "Testing" section to keep them together.

    Change-Id: Icb0c63385d9ccc24b91d17e057e60346ce1a648e
* | | | | | | Merge "Implementation of internal notification callbacks within Keystone" (Jenkins, 2014-01-18, 6, -2/+308)
|\ \ \ \ \ \ \
| * | | | | | | Implementation of internal notification callbacks within Keystone (Fabio Giannetti, 2014-01-16, 6, -2/+308)
| | |_|_|_|_|/
| |/| | | | |
    Keystone subsystems (extensions or other modules) can now subscribe to Create, Update, and Delete events. This allows any subscribed system to act upon the event and perform actions (such as cleanup on delete).

    Co-Authored-By: Guang Yee <guang.yee@hp.com>
    Co-Authored-By: Morgan Fainberg <m@metacloud.com>
    bp: internal-callbacks
    Change-Id: I03713b7f1f94480f76e0121eb6184226062af1a6
* | | | | | | Merge "Replacing python-oauth2 by oauthlib" (Jenkins, 2014-01-18, 7, -149/+325)
|\ \ \ \ \ \ \
| * | | | | | | Replacing python-oauth2 by oauthlib (Matthieu Huin, 2014-01-16, 7, -149/+325)
| |/ / / / / /
    This patch replaces the old, unmaintained python-oauth2 library by the better suited oauthlib in keystone oAuth modules. The library switch comes with two notable changes in terms of use:

    * the client must set the callback uri to 'oob' (out-of-band) explicitly when requesting a Request Token
    * the requested_project_id header is not included in the signature anymore, in compliance with the oAuth1 spec.

    Closes-Bug: 1240382
    Change-Id: Ie553830cc80075aa818e719604e6bc4c754d2ae3
* | | | | | | Merge "Sync gettextutils from oslo-incubator 997ab277" (Jenkins, 2014-01-18, 4, -231/+256)
|\ \ \ \ \ \ \
| * | | | | | | Sync gettextutils from oslo-incubator 997ab277 (Brant Knudson, 2014-01-14, 4, -231/+256)
    Keystone's gettextutils package was behind oslo-incubator's version. This synchronizes gettextutils from oslo-incubator commit 997ab277.

    bp user-locale-api
    Change-Id: If9cf0c83df6d6c8db844a30c605f60e907abcbdd
* | | | | | | | Merge "Do not append to messages with +" (Jenkins, 2014-01-18, 1, -2/+4)
|\ \ \ \ \ \ \ \
| |/ / / / / / /
| | | | / / / /
| |_|_|/ / / /
|/| | | | | |
| * | | | | | Do not append to messages with + (Brant Knudson, 2014-01-14, 1, -2/+4)
| | |/ / / /
| |/| | | |
    Some code was appending to translated messages using +, which oslo-incubator's new gettextutils doesn't support. The code was changed to use a substitution value in the message instead.

    Part of bp user-locale-api
    Change-Id: If2bc1821d0057c4cd53ead7eac1712284464b9bf
* | | | | | Merge "Reduces memory utilization during test runs" (Jenkins, 2014-01-18, 1, -0/+2)
|\ \ \ \ \ \
| * | | | | | Reduces memory utilization during test runs (David Stanek, 2014-01-15, 1, -0/+2)
| |/ / / / /
    It turns out that when the Python test framework runs it will create an instance of TestCase (actually the subclass containing our tests) of each test in the TestCase. These instances don't get cleaned up until the very end of the test run. This means that if there are lots of tests and/or lots of instance variables created in the setUp() you use lots of memory.

    Change-Id: Ie9451feafd47d4a4b9a0ff6d8459b45a1645d1ee
* | | | | | Merge "Implements regions resource in 3.2 Catalog API" (Jenkins, 2014-01-17, 11, -1/+473)
|\ \ \ \ \ \
| |_|/ / / /
|/| | | | |
| * | | | | Implements regions resource in 3.2 Catalog API (Jay Pipes, 2014-01-15, 11, -1/+473)
| |/ / / /
    Adds CRUD implementation in SQL and KVS catalog drivers for hierarchical regions support. The SQL driver implements the region hierarchy using a simple adjacency list model since it is expected that typical deployments will only have a handful of regions, and the current regions API does not offer any complex hierarchy querying that would make a nested set model more appropriate.

    Implements: blueprint first-class-regions
    Change-Id: I2d4cca19008b92ef5758181b1792726834db7f7a
* | | | | Merge "reduce default token duration to one hour" (Jenkins, 2014-01-16, 4, -4/+7)
|\ \ \ \ \
| |/ / / /
|/| | | |
| * | | | reduce default token duration to one hour (Dolph Mathews, 2014-01-14, 4, -4/+7)
    - reduces number of active tokens that have to be persisted, especially where clients are needlessly regenerating tokens
    - reduces the window of publishing token revocation events (you only have to publish events from the last hour)
    - reduces the window of the token revocation list (similar to the above)

    DocImpact
    UpgradeImpact
    Implements: bp reduce-default-token-duration
    Change-Id: Ia548f7e981690edab56c51fdcab9102245aced3e
* | | | | Merge "Documentation cleanup" (Jenkins, 2014-01-14, 17, -94/+138)
|\ \ \ \ \
| * | | | | Documentation cleanup (Brant Knudson, 2014-01-12, 17, -94/+138)
    Several warnings and errors were reported when building documentation. This makes it difficult for developers to validate that new changes don't have problems. Most of the warnings and errors are fixed with this change.

    Change-Id: Ifb9edffce66dde27fbe72bb1ce1b997b041786ae
* | | | | | Convert Token KVS backend to new KeyValueStore Impl (Morgan Fainberg, 2014-01-13, 5, -116/+439)
| |/ / / /
|/| | | |
    This patchset converts the current token KVS backend to the new dogpile.cache based KeyValueStore implementation. The changeset provides the same public interface as the previous KVS driver but drastically reworks the internal mechanisms to be more similar to the memcache based driver so that direct access to the in-mem db is not required to effectively use the KeyValueStore. KVS token backend is not deprecated anymore. However, it is still inadvisable to use the basic-inmemory KVS backend for anything outside of testing.

    DocImpact
    bp: dogpile-kvs-backends
    Change-Id: Ib278636d4ffa3f7152287a48d02be598c50f698a
* | | | | Merge "Flush tokens in batches with DB2" (Jenkins, 2014-01-13, 2, -4/+67)
|\ \ \ \ \
| |_|_|/ /
|/| | | |
| * | | | Flush tokens in batches with DB2 (John Warren, 2014-01-06, 2, -4/+67)
    When there is a very large number of expired tokens to be flushed, keystone-manage token_flush will fail with DB2 because it fills the transaction log. This fix causes tokens to be flushed with DB2 in batches of 100 at a time to prevent the transaction log from filling up.

    Closes-Bug: #1257323
    Change-Id: Ic57d8795a995462fc277ec9655eca9b460ffcbee
* | | | | Merge "Don't need session.flush in context managed by session" (Jenkins, 2014-01-12, 8, -36/+0)
|\ \ \ \ \
| * | | | | Don't need session.flush in context managed by session (Eric Guo, 2014-01-07, 8, -36/+0)
    Within the scope of a single method, keeping all the reads and writes within the context managed by a single session. In this way, the session's __exit__ handler will take care of calling flush() and commit() for you. If using this approach, you should not explicitly call flush() or commit().

    See http://docs.sqlalchemy.org/en/rel_0_7/orm/session.html#committing

    Closes-Bug: #1258044
    Change-Id: I1125c72712203f1594ef245761dbfc25ed31eab2
* | | | | | Merge "Sync oslo-incubator rpc module" (Jenkins, 2014-01-12, 7, -531/+17)
|\ \ \ \ \ \