| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Keystone audit middleware requires to iterate req.context as dict,
but Glance requires to access req.context.read_only.
When glance enabled audit, they are conflict with each other.
This patch fix this issue by store audit context in
req.environ['audit.context']
Change-Id: Ib9a62a4cd0b7b9ffb9fa2d6440e8072d45ee0fee
Closes-Bug: #1809101
Signed-off-by: Leehom Li <feli5@cisco.com>
|
| |
| |
| |
| | |
Change-Id: I73e5ed94cdd786d392a6a6b61b8ef4f630715482
|
|/
|
|
|
|
|
|
|
| |
Pypi url changed from [1] to [2]
[1] https://pypi.python.org/pypi/<package>
[2] https://pypi.org/project/<package>
Change-Id: Ibb6247bfb2cfe1c77f6841be2773cbff9475e0c6
|
|\ |
|
| |
| |
| |
| |
| | |
Change-Id: I8d571d3414071c68b4fa565dec46cc2d2941331c
Closes-Bug: #1803940
|
| |
| |
| |
| |
| |
| | |
Mailinglists have been updated. Openstack-discuss replaces openstack-dev.
Change-Id: Ic98b7942c1f394a45958c86eb2d091490fc25b1f
|
|\ \
| |/
|/| |
|
| |
| |
| |
| |
| |
| |
| |
| | |
We already run python3.6 unit tests in CI. Add the py36 environment to
the tox file so that developers with python3.6 available locally can opt
into running that version too.
Change-Id: Ic7aad3d4adfafba226d3b1d1b2106d55135ce6ff
|
|\ \
| |/
|/| |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
With keystone's move to eliminating pki, pkiz, and uuid tokens the
revocation list is no longer generated. Keystonemiddleware no longer
needs to attempt to retrieve it and reference it.
Change-Id: Ief3bf1941e62f9136dbed11877bca81c4102041b
closes-bug: #1361743
partial-bug: #1649735
partial-bug: #1736985
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Made a small fix to the documentation - replacing
the current auth_url port number 35357, in the
configuration section of the [keystone_authtoken],
with 5000.
This was based on an online conversation with Colleen;
with the removal of the v2 API from keystone the project
now recommends use of port 5000 instead of the previous one.
Change-Id: I750a4d0e75e0b919fd00ddf21c0e7ce62d495f95
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The keystonemiddleware audit code would select the wrong OpenStack service
endpoint for a request if the cloud is not using unique TCP ports for each
service endpoint. As most services are no longer using a port per service,
but instead using unique paths, this caused the audit to select the wrong
target service. This leads to incorrect audit logging due to the wrong
audit map being used.
This patch checks the request to see if a TCP port was present in the request,
and if not, fall back to using the target_endpoint_type configured in the
audit map file.
Change-Id: Ie2e0bf74ecca485d599a4041bb770bd6e296bc99
Closes-bug: 1797584
|
|\ \ |
|
| |/
| |
| |
| |
| |
| |
| |
| |
| | |
When parsing the service catalog to find the source, audit middleware
should skip over the services which have no endpoints instead of
assuming they will have at least one endpoint.
Change-Id: I287873e99338d95baaf20d52ecb3a43763a401fc
Closes-Bug: #1800017
|
|\ \
| |/
|/| |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The authtoken middleware has been printing warning log messages to
the API logs for all services, reporting unexpected conf keys. This
was traced back to paste.deploy adding 'here' and '__file__' and
both gnocchi and panko adding 'configkey' keys in wsgi apps though
these do not actually exist in the conf file. This change allows
for those keys without printing a warning that unnecessarily
confuses operators.
But it's kind of a hack, especially the configkey bit. We shouldn't
have to know about gnocchi/panko specifics like this. And it doesn't
address the comment in the bug about what is seen for ironic. So I
think there will still be more to do here.
Change-Id: I678482309c7dd35ce147bebf13ebefc84251fe91
Partial-Bug: 1722444
|
|\ \ |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The delay_auth_decision option has two main uses:
1. Allow a service to provide its own auth mechanism, separate from
auth tokens (like Swift's tempurl middleware).
2. Allow a service to integrate with multiple auth middlewares which
may want to use the same X-Auth-Token header.
The first case works fine even when the service has trouble talking to
Keystone -- the client doesn't send an X-Auth-Token header, so we never
even attempt to contact Keystone.
The second case can be problematic, however. The client will provide
some token, and we don't know whether it's valid for Keystone, the other
auth system, or neither. We have to *try* contacting Keystone, but if
that was down we'd previously return a 503 without ever trying the other
auth system. As a result, a Keystone failure results in a total system
failure.
Now, when delay_auth_decision is True and we cannot determine whether a
token is valid or invalid, we'll instead declare the token invalid and
defer the rejection. As a result, Keystone failures only affect Keystone
users, and tokens issued by the other auth system may still be validated
and used.
Change-Id: Ie4b3319862ba7fbd329dc6883ce837e894d5270c
|
|\ \ \ |
|
| |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Use openstack-tox-cover template, this runs the cover job as
non-voting in the check queue only.
Use openstack-lower-constraints-jobs template
Remove jobs that are part of the templates.
Change-Id: I58f3bc27aab2885514b8c6a8379e1c2214bd1afd
|
|\ \ \
| |/ /
|/| | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
As part of removing reliance on the old and deprecated zuul-cloner, we
need to shift constraints declaration to the deps line. This means we
unfortunately have to duplicate the extras declarations into
test-requirements - because otherwise the contraints for
keystonemiddleware conflicts with the installation of itself.
Change-Id: I8dbb31d1c1fda6df386f456dcf1d8bbed6d168ce
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
When setup AuthProtocol class, if the CONF object contains
deprecated options, An Error "dictionary changed size during
iteration" will raise when comparing the CONF content.
Changing "!=" to "is not" here to avoid compare the CONF
content anymore.
Change-Id: I820aa244160db4f81149d2576386c86b46de0084
Closes-bug: #1789351
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This is a mechanically generated patch to add a functional test job
running under Python 3 as part of the python3-first goal.
See the python3-first goal document for details:
https://governance.openstack.org/tc/goals/stein/python3-first.html
Change-Id: If3765f1d4fa236e37c48a68bcd1093addfc751ff
Story: #2002586
Task: #24304
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This is a mechanically generated patch to add a unit test job running
under Python 3.6 as part of the python3-first goal.
See the python3-first goal document for details:
https://governance.openstack.org/tc/goals/stein/python3-first.html
Change-Id: I3fcff11f87699cf36aabb37c7ccf9555280927a8
Story: #2002586
Task: #24304
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This is a mechanically generated patch to switch the documentation
jobs to use the new PTI versions of the jobs as part of the
python3-first goal.
See the python3-first goal document for details:
https://governance.openstack.org/tc/goals/stein/python3-first.html
Change-Id: Iee42c4b458e8ae8694efbee7e176cd2f8e8d49cd
Story: #2002586
Task: #24304
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This is a mechanically generated patch to complete step 1 of moving
the zuul job settings out of project-config and into each project
repository.
Because there will be a separate patch on each branch, the branch
specifiers for branch-specific jobs have been removed.
Because this patch is generated by a script, there may be some
cosmetic changes to the layout of the YAML file(s) as the contents are
normalized.
See the python3-first goal document for details:
https://governance.openstack.org/tc/goals/stein/python3-first.html
Change-Id: Idf1fdd88a3be46477804ad2fd961f7e1114b600b
Story: #2002586
Task: #24304
|
|\ \ |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
DiscoveryFailures can happen for a variety of reasons, ranging
from service misconfiguration to a keystone outage to a transient
network failure. If we don't catch and handle the failure here,
it will almost certainly cause something further up the WSGI stack
to send a 500 Internal Error (and likely log a traceback).
A log line like
Unable to validate token: Could not find versioned identity
endpoints when attempting to authenticate. Please check that
your auth_url is correct. Unable to establish connection to
http://keystone:35357: HTTPConnectionPool(host='keystone',
port=35357): Max retries exceeded with url: / (Caused by
NewConnectionError('<urllib3.connection.HTTPConnection
object at 0x7fc53e22e050>: Failed to establish a new
connection: [Errno 111] ECONNREFUSED',))
should be plenty enough for an operator to assess the situation;
I don't need a 29-frame traceback.
Change-Id: I946388c09b2ca0230d2cef009c679a7ac7c8398f
|
|\ \ \ |
|
| | | |
| | | |
| | | |
| | | | |
Change-Id: Ie30c97327684934ac44d41883070ce22e8aa7a19
|
|/ / /
| | |
| | |
| | | |
Change-Id: If387869339f5b1abd91ef73237c9ea48a6fdbf77
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
With Keystone v3, the admin (35357) and public (5000) ports are
the same and use the same keystone code paths for authentication.
This patch set replace 35357 and only uses port 5000
Change-Id: I596e3a2b29b2954bf7caef6f9408d9b2b4e890ee
|
|\ \ \ |
|
| |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Keystonemiddleware's abstraction for the memcache pool was broken
when converting to use a queue.Queue. The logic that placed the
connection back into the pool was moved to .acquire and the reserve
method was not using acquire.
Change-Id: I0eda5981cbb661f63790258cf8e70c7340615159
Closes-Bug: #1782404
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
After some debugging following [0] to figure out why ksm was
not connecting to the specified auth_url, found out that
ksm connects to the identity server on the 'admin' interface
[1] after authenticating with auth_url and fetching the catalog if
keystoneauth is being used. Otherwise it connects on identity_uri
and disregards the service catalog [2]. This behavior was not
documented.
[0]. http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2017-09-19.log.html#t2017-09-19T17:50:06
[1]. https://github.com/openstack/keystonemiddleware/blob/d1b7a1f0922419f956001f4bf14ad3e77449c860/keystonemiddleware/auth_token/__init__.py#L936-L938
[2]. https://github.com/openstack/keystonemiddleware/blob/d1b7a1f0922419f956001f4bf14ad3e77449c860/keystonemiddleware/auth_token/_auth.py#L121-L130
Change-Id: Ide40835de856012ac4dd71975beac9d32771f356
|
|\ \ |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
We want to default to running all tox environments under python 3, so
set the basepython value in each environment.
We do not want to specify a minor version number, because we do not
want to have to update the file every time we upgrade python.
We do not want to set the override once in testenv, because that
breaks the more specific versions used in default environments like
py35 and py36.
Change-Id: I21491f302cbc6ca7a9b5ac12c487cf214bf4866e
Signed-off-by: Doug Hellmann <doug@doughellmann.com>
|
|\ \ \
| |/ /
|/| | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
For compliance with the Project Testing Interface as described in:
https://governance.openstack.org/tc/reference/project-testing-interface.html
http://lists.openstack.org/pipermail/openstack-dev/2017-December/125710.html
http://lists.openstack.org/pipermail/openstack-dev/2018-March/128594.html
Co-Authored-By: Nguyen Hai <nguyentrihai93@gmail.com>
Change-Id: Ia0a27229f09467980ff4af014001febb017bb36d
|
|\ \ \ |
|
| |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The ChangeLog file is generated when we run `python setup.py sdist`,
which doesn't naturally happen when we run `tox -edocs`, so on a fresh
clone the docs build will fail because it references the ChangeLog file
which isn't there. Since we don't rely on pbr any more for release notes
and we have a sophisticated release note management tool, point the docs
at the published release notes instead of the pbr ChangeLog.
Change-Id: I614091eae739154337795a8f120b68686ad0ed0a
|
|\ \ \ |
|
| |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
We already switched the unit tests to follow the updated PTI
guidelines[1] but neglected to switch the coverage environment. Do that
now.
[1] https://governance.openstack.org/tc/reference/pti/python.html#python-test-running
Change-Id: Ie153516196f18c030ea58e76a0eac15c86169c6b
|
|/ /
| |
| |
| |
| |
| |
| | |
The titles in the index.rst can't be shown in the webpage.
This patch adds them back.
Change-Id: I56febf6cb137b7f6dbc05365d48159be36d18c13
|
|\ \ |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Keystonemiddleware attempts to parse user/service tokens and populate
request headers for other services to consume. This information is
important for services looking to build oslo.context objects from
request environments.
Change-Id: I0717c2a5207a647999b4f9bcdf11f728984f0812
Closes-Bug: 1766731
|
|/ /
| |
| |
| |
| |
| |
| | |
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html
Change-Id: I27a90c1f3132af5cbbeb18a6e59f88f5fe387a36
|
|\ \ |
|