Commit message Author Age Files Lines
* Merge "Add an optional advanced pool of memcached clients" 1.2.0 Jenkins 2014-09-25 4 -4/+407
|\
| * Add an optional advanced pool of memcached clients Morgan Fainberg 2014-09-24 4 -4/+407
| | This patchset adds an advanced eventlet safe pool of memcache clients. This allows the deployer to configure auth_token middleware to utilize the new pool by simply setting 'memcache_use_advanced_pool' to true. Optional tunables for the memcache pool have also been added. Co-Authored-By: Morgan Fainberg <morgan.fainberg@gmail.com> Closes-bug: #1332058 Closes-bug: #1360446 Change-Id: I08082b46ce692cf4df449d48dac94718f1e98a6c
* | Merge "Work toward Python 3.4 support and testing" Jenkins 2014-09-25 1 -1/+1
|\ \
| |/
|/|
| * Work toward Python 3.4 support and testing Jeremy Stanley 2014-09-03 1 -1/+1
| | Change-Id: I7761f978535d47e68994304fca4b300d02210ee8
* | Merge "Fix auth_token for old oslo.config" Jenkins 2014-09-24 1 -1/+1
|\ \
| * | Fix auth_token for old oslo.config Brant Knudson 2014-09-22 1 -1/+1
| | | When running with a havana-level of oslo.config (<1.3.0), applications with any config options in their api-paste.ini will fail to start with an error like 'StrOpt' object has no attribute 'type' This is because the config options didn't have a type attribute until 1.3.0. During the grenade test, the havana level of oslo.config is used. Change-Id: I745c3e04f18941a2d41e191d43f61b926522bb9d Closes-Bug: #1372422
* | | Add composite authentication support Stuart McLaren 2014-09-22 3 -131/+613
|/ /
| | Add support for composite authentication using a new 'service token' in addition to the existing 'user token'. If no service token is present there is no change in current behaviour. If a service token is present and successfully validated then additional wsgi environment variables are set which services may use to allow or deny actions in conjunction with the existing environment variables. For now delayed authentication is not supported for service tokens; if a service token is present but invalid then HTTP Unauthorized (401) will be returned. Change-Id: Idb97c075a59d716af8bc56875785b825625bf0c9 Implements: bp service-tokens
* | Fix test failure after discovery hack Brant Knudson 2014-09-21 2 -5/+9
| | With the discovery hack, the test_auth_plugin is now trying to query the unversioned endpoint from the catalog to discover what versions it supports. Since that URL wasn't stubbed out with httpretty it was causing a failure and then a different URL than expected was returned by the plugin. This change registers the discovery URL that's in the test token so that fetching it doesn't fail but returns a normal version response. Related-Bug: #1335726 Closes-Bug: #1372190 Change-Id: I1ae41801ed44ec6a37d972f62fc853dfd609128f
* | Updated from global requirements OpenStack Proposal Bot 2014-09-18 2 -5/+5
| | Change-Id: Ifa619b1589942e4a81bd04c47ec8cfb239416a9f
* | Merge "Use oslo_debug_helper and remove our own version" Jenkins 2014-09-16 3 -20/+2
|\ \
| * | Use oslo_debug_helper and remove our own version Steve Martinelli 2014-09-09 3 -20/+2
| | | With the latest version of oslotest, we can now take advantage of a common oslo_debug_helper script. We can now remove our own homebrewed version, minor changes to tox.ini were needed. Change-Id: I992244897eac7471c14988c34b8d140827fd65aa
* | | Merge "Create an Auth Plugin to pass to users" Jenkins 2014-09-15 3 -5/+65
|\ \ \
| * | | Create an Auth Plugin to pass to users Jamie Lennox 2014-08-26 3 -5/+65
| | | | We pass the service catalog and token data through to consumers via headers, with the auth plugin work we can create clients that are authenticated with the incoming token and service catalog. DocImpact: A new environment option is passed out of auth_token middleware called `token_auth` which is an authentication plugin that can be used with a session in a service. Implements: blueprint create-auth-plugin Change-Id: I549a421fc73f00126f6ac5f4b5911de2e32de825
* | | | Merge "convert the conf value into correct type" Jenkins 2014-09-15 2 -1/+48
|\ \ \ \
| * | | | convert the conf value into correct type wanghong 2014-09-05 2 -1/+48
| | | | | If options are set in paste file e.g. api-paste.ini for nova, all the option values passed into AuthProtocol.conf are string type. So, we should convert the conf value into correct type. Change-Id: I0367cd6b54ee49f5db6541840539e7700f241f87 Closes-Bug: #1353315
* | | | | Merge "Always add auth URI to unauthorized requests" Jenkins 2014-09-11 2 -6/+60
|\ \ \ \ \
| * | | | | Always add auth URI to unauthorized requests Jamie Lennox 2014-09-05 2 -6/+60
| | |_|_|/
| |/| | |
| | | | | For those services that use delay_auth_decision we need to support adding the keystone URI rejection headers to the response in a uniform way. I feel this should be more generic and that every 401 response should contain this header. Create a WSGI wrapper so that if a 401 is ever returned through auth_token middleware we can add an additional WWW-Authenticate header. Closes-Bug: #1349364 Change-Id: Ib5231a09fd5c6cb6cd17f07c87e982d2e8fde2bf
* | | | | Merge "Always supply a username to auth_token tests setup" Jenkins 2014-09-11 1 -0/+2
|\ \ \ \ \
| |_|_|_|/
|/| | | |
| * | | | Always supply a username to auth_token tests setup Jamie Lennox 2014-08-26 1 -0/+2
| | |_|/
| |/| |
| | | | Whilst the v2.Password plugin (which is used by default) will accept a None value for username this is incorrect behaviour. We should always provide at least a username so that the plugin can do sensible error handling if it is not present. Change-Id: Id790b52f3b06240923f605754c7ffcf4ff136062 Closes-Bug: #1361444
* | | | warn against sorting requirements Dolph Mathews 2014-09-03 2 -0/+8
| |/ /
|/| |
| | | Change-Id: I64ae9191863564e278a35d42ec9cd743a233028e Closes-Bug: 1365061
* | | Merge "auth_token cached token handling" Jenkins 2014-08-27 2 -17/+33
|\ \ \
| |/ /
|/| |
| * | auth_token cached token handling Brant Knudson 2014-08-17 2 -17/+33
| | | auth_token handles tokens that are from its cache, uncached PKI (compressed and ASN, "offline validation") and UUID/hashed tokens ("online" validation). For all of these cases, the auth_token middleware was doing 1) expiration check 2) confirm token bind 3) store in cache In some cases, some of these steps aren't necessary. When getting the token from the cache 1) no expiration check is needed because the expiration time is stored as cache data and the token would be rejected during _cache_get. 2) Storing in the cache is unnecessary because the token is already in the cache. When doing online validation, it's not necessary to do the expiration check because the identity server would have rejected the token if it was expired. Closes-Bug: #1289075 Change-Id: I6afa98504215521538434f1f8a2d97585ce35de5
* | | Merge "Add a test for re-caching a token" Jenkins 2014-08-26 1 -0/+32
|\ \ \
| |/ /
| * | Add a test for re-caching a token Brant Knudson 2014-08-17 1 -0/+32
| |/
| | There was no test that showed that when a token was in the cache and a request is made to validate it again, it gets cached again. Change-Id: I1992fa6b5ddc0792dfd1ce90fb888c365ecb1612 Partial-Bug: #1289075
* | Merge "Remove intersphinx mappings" Jenkins 2014-08-26 1 -4/+1
|\ \
| * | Remove intersphinx mappings Jamie Lennox 2014-08-07 1 -4/+1
| | | There are no intersphinx mappings used within the documentation so we should remove the links so that they don't try to download. Related-Bug: #1353817 Change-Id: I24edc4d88e9badd2b92ea124ebe960abc7d2d51c
* | | Updated from global requirements OpenStack Proposal Bot 2014-08-22 1 -2/+2
| | | Change-Id: Idb5cb2ede20c95ee266ab4ef24b2654f172d2003
* | | Merge "Hash for PKIZ" 1.1.1 Jenkins 2014-08-20 2 -5/+18
|\ \ \
| * | | Hash for PKIZ Adam Young 2014-08-19 2 -5/+18
| | |/
| |/|
| | | Only PKI (asn1) based tokens were checked for format and hashed Closes-Bug: 1355125 SecurityImpact Change-Id: I24cb09edd9a6c9e99e48042a623c7818321f2ead
* | | Updated from global requirements OpenStack Proposal Bot 2014-08-13 1 -1/+1
|/ /
| | Change-Id: Ie301346cda80246edf6516a83ff6618613011eaa
* | Merge "Use oslosphinx in keystonemiddlware for documentation" Jenkins 2014-08-08 13 -1230/+6
|\ \
| |/
|/|
| * Use oslosphinx in keystonemiddlware for documentation Steve Martinelli 2014-08-05 13 -1230/+6
| | Start using oslosphinx to generate the themes and static content, rather than hosting our own copies. Change-Id: I014ef5f974835d52dbb4598c7d357ecafa1da8a2
* | Merge "Updated from global requirements" Jenkins 2014-08-06 1 -1/+1
|\ \
| * | Updated from global requirements OpenStack Proposal Bot 2014-08-04 1 -1/+1
| |/
| | Change-Id: Ie60d1878d5ee3f40e9be7c22d845bd2e50cdef30
* | Merge "Convert auth_token middleware to use sessions" Jenkins 2014-08-06 2 -243/+147
|\ \
| |/
|/|
| * Convert auth_token middleware to use sessions Jamie Lennox 2014-08-01 2 -243/+147
| | With this patch, session objects will be used for requests and token management. It is no longer permissible to specify both a username/password and an admin_token. This used to work but now you get one plugin or the other. There is one test removed in this patch which was to do with having the auth token refreshed if it was stale. This is no longer handled by the middleware but expected to be managed by the auth plugin. This fixes the existing behaviour that if an admin_token was given and was marked invalid then the middleware would fall back to using the username and password provided. If an authentication method fails then this is something that should be addressed not compensated for. Co-authored-by: Harry Rybacki <hrybacki@redhat.com> Change-Id: Ib52beaaa1e01875cceaae78dc879a6399ccefa36 Closes-Bug: #1307252
* | Updated from global requirements 1.1.0 OpenStack Proposal Bot 2014-07-29 1 -1/+1
| | Change-Id: I88db5273d3ec0f70cf2eac3003c8753f2f6be8b2
* | Merge "Remove mox dependency" Jenkins 2014-07-29 2 -5/+0
|\ \
| * | Remove mox dependency Jamie Lennox 2014-07-28 2 -5/+0
| | | This seems to have been inherited rather than ever actually used. We should only be using mock for testing. Change-Id: Ib37bf796560138077c96458dbcd9886dcacebd2e
* | | Merge "Use keystoneclient fixtures in middleware tests" Jenkins 2014-07-29 1 -295/+171
|\ \ \
| * | | Use keystoneclient fixtures in middleware tests Jamie Lennox 2014-07-16 1 -295/+171
| | | | Convert the static tokens in auth_token middleware tests to use keystoneclient fixture generators. We still have fairly static entries for the values in the tokens because of the way the tests work. Change-Id: Id6ee0389e063d6476d9c33c3d955926655c8ca75
* | | | Merge "Example JSON files should be human-readable" Jenkins 2014-07-29 12 -221/+722
|\ \ \ \
| * | | | Example JSON files should be human-readable Harry Rybacki 2014-07-22 12 -221/+722
| |/ / /
| | | | Change-Id: I7b2869edcd7a6018f72a718d042231094ed40686
* | | | Merge "Mark keystonemiddleware as being a universal wheel" Jenkins 2014-07-28 1 -0/+2
|\ \ \ \
| |_|/ /
|/| | |
| * | | Mark keystonemiddleware as being a universal wheel Morgan Fainberg 2014-07-18 1 -0/+2
| | | | Keystonemiddleware is pure python and is version agnostic. It should be marked as a universal wheel as it can be installed anywhere by pip (see the documentation on python packaging and wheels). This mirrors python-keystoneclient's marking as a universal wheel (as most of the code in keystonemiddleware originated from python-keystoneclient). Change-Id: I3e25578e6fc7a30b5eb7544d85a7ef39e711bd34
* | | | Merge "remove unused dep: prettytable" Jenkins 2014-07-25 1 -1/+0
|\ \ \ \
| * | | | remove unused dep: prettytable Dolph Mathews 2014-07-23 1 -1/+0
| | |_|/
| |/| |
| | | | python-keystoneclient uses this, but nothing in middleware uses it directly. Change-Id: I1fcd29daf6afef5e4db81bf73e7d8bf3851ed8b0
* | | | Merge "remove unused dep: stevedore" Jenkins 2014-07-25 1 -1/+0
|\ \ \ \
| * | | | remove unused dep: stevedore Dolph Mathews 2014-07-23 1 -1/+0
| |/ / /
| | | | This is going to be used by python-keystoneclient, but not by the middleware directly. Change-Id: Ia4dca0b81d36dd958f89bf0a487a84497c3ef0c6
* | | | Merge "Clean up openstack-common.conf" Jenkins 2014-07-25 3 -87/+0
|\ \ \ \