In [0] the ``interface`` option was added in order to allow the Identity
endpoint that is being used when validating tokens to be
configured by the deployer. Change the default to using the internal
endpoint, as that should be what most deployments will end up using.
[0] https://review.opendev.org/651790
Depends-On: https://review.opendev.org/651492
Closes-Bug: 1830002
Change-Id: I0ce8b6d8cd408c7fac8107972e7be70839e337fb
|
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html
Change-Id: I03d472ad957308f098363b3377a8794e9e3d437a
|
Switch to openstackdocstheme 2.2.1 and reno 3.1.0 versions. Using
these versions will allow especially:
* Linking from HTML to PDF document
* parallelizing building of documents
Update Sphinx version as well.
Remove the doc requirements from lower-constraints, they are not
needed during installation.
openstackdocstheme renames some variables, so follow the renames. A
couple of variables are also not needed anymore, remove them.
Set openstackdocs_pdf_link to link to PDF file.
Change pygments_style to 'native' since old theme version always used
'native' and the theme now respects the setting and using 'sphinx' can
lead to some strange rendering.
See also
http://lists.openstack.org/pipermail/openstack-discuss/2020-May/014971.html
Change-Id: Ic7c901ff19aa073b6e003ccb95aaf77886f20152
|
Add file to the reno documentation build to show release notes for
stable/ussuri.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/ussuri.
Change-Id: Iedcc2750dc0bdfdabb9d03a0b153aeeae6c0b58e
Sem-Ver: feature
|
OpenStack is dropping the py2.7 support in ussuri cycle.
keystonemiddleware is ready with python 3 and ok to drop the
python 2.7 support.
Complete discussion & schedule can be found in
- http://lists.openstack.org/pipermail/openstack-discuss/2019-October/010142.html
- https://etherpad.openstack.org/p/drop-python2-support
Ussuri Community-wide goal:
https://governance.openstack.org/tc/goals/selected/ussuri/drop-py27.html
Change-Id: Ia6f0e14efd19b0b98227258e7264b4850a197f4f
|
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html
Change-Id: I4a5f9f48ae099291cf47f4d08c40535223761b1b
|
Add file to the reno documentation build to show release notes for
stable/train.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/train.
Change-Id: Id57d4939da1ea27351d5a5dc5542f24e0abea789
Sem-Ver: feature
|
This change modifies any URLs specifying v2.0 to v3. This is part
of the effort to remove v2.0 functionality from keystonemiddleware.
Change-Id: I9cde8963333ea95b4ab05d9aea4d196ab4357763
Partial-Bug: #1829453
Partial-Bug: #1845539
|
This change removes v2.0 functionality from
keystonemiddleware, as well as associated tests.
Partial-Bug: #1845539
Partial-Bug: #1777177
Change-Id: If47e90085d8a59c52fb23876dc329cd4f0b05ef0
|
Some options are now automatically configured by the version 1.20:
- project
- html_last_updated_fmt
- latex_engine
- latex_elements
- version
- release.
Change-Id: I161a3983e23b0ae50c232eb63ca78f8fd230e91e
|
This commit adds a validation step in the auth_token middleware to check
for the presence of an access_rules attribute in an application
credential token and to validate the request against the permissions
granted for that token. During token validation it sends a header to
keystone to indicate that it is capable of validating these access
rules, and not providing this header for a token like this would result
in the token failing validation. This disregards access rules for a
service request made by a service on behalf of a user, such as nova
making a request to glance, because such a request is not under the
control of the user and is not expected to be explicitly allowed in the
access rules.
bp whitelist-extension-for-app-creds
Depends-On: https://review.opendev.org/670377
Change-Id: I185e0541d5df538d74edadf9976b3034a2470c88
|
Keystone server no longer supports PKI/PKIZ. This change removes
keystonemiddleware's support of PKI/PKIZ and associated code.
Change-Id: I9a6639a2aa3774be61972d57f38220f66fd5c0e8
closes-bug: #1649735
partial-bug: #1736985
|
Previously the admin Identity endpoint was hardcoded to be used. Now
that keystone has dropped v2 support, deploying an admin Identity
endpoint is no longer useful, so allow this to be changed by the
deployer. Keep the default as using the `admin` endpoint, but create
a deprecation message so that we can change the default in the future.
Partial-Bug: 1830002
Change-Id: I993a45ccb1109d67e65bf32d1e134cc9bec2d88e
|
Add file to the reno documentation build to show release notes for
stable/stein.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/stein.
Change-Id: Ieb590fa57bd3af81dbb39ac9de1d55e34de5cf22
Sem-Ver: feature
|
Change-Id: I189738bb844828765bd95d8302a7654a12863a00
|
Currently auth_token middleware does not concern identity endpoint
update since service catalog is not updated after service having
auth_token middleware started.
Add invalidation logic when EndpointNotfound exception occurs so
that auth_token middleware can be notified of service catalog update
without restart.
Change-Id: I631ee1538883d732fe3987b172d987f703dad5c0
Closes-Bug: #1813739
|
Keystone audit middleware requires iterating req.context as a dict,
but Glance requires access to req.context.read_only.
When glance enables audit, they conflict with each other.
This patch fixes this issue by storing the audit context in
req.environ['audit.context']
Change-Id: Ib9a62a4cd0b7b9ffb9fa2d6440e8072d45ee0fee
Closes-Bug: #1809101
Signed-off-by: Leehom Li <feli5@cisco.com>
|
Change-Id: I8d571d3414071c68b4fa565dec46cc2d2941331c
Closes-Bug: #1803940
|
With keystone's move to eliminating pki, pkiz, and uuid tokens the
revocation list is no longer generated. Keystonemiddleware no longer
needs to attempt to retrieve it and reference it.
Change-Id: Ief3bf1941e62f9136dbed11877bca81c4102041b
closes-bug: #1361743
partial-bug: #1649735
partial-bug: #1736985
|
The keystonemiddleware audit code would select the wrong OpenStack service
endpoint for a request if the cloud is not using unique TCP ports for each
service endpoint. As most services are no longer using a port per service,
but instead using unique paths, this caused the audit to select the wrong
target service. This leads to incorrect audit logging due to the wrong
audit map being used.
This patch checks the request to see if a TCP port was present in the request,
and if not, fall back to using the target_endpoint_type configured in the
audit map file.
Change-Id: Ie2e0bf74ecca485d599a4041bb770bd6e296bc99
Closes-bug: 1797584
|
When parsing the service catalog to find the source, audit middleware
should skip over the services which have no endpoints instead of
assuming they will have at least one endpoint.
Change-Id: I287873e99338d95baaf20d52ecb3a43763a401fc
Closes-Bug: #1800017
|
The delay_auth_decision option has two main uses:
1. Allow a service to provide its own auth mechanism, separate from
auth tokens (like Swift's tempurl middleware).
2. Allow a service to integrate with multiple auth middlewares which
may want to use the same X-Auth-Token header.
The first case works fine even when the service has trouble talking to
Keystone -- the client doesn't send an X-Auth-Token header, so we never
even attempt to contact Keystone.
The second case can be problematic, however. The client will provide
some token, and we don't know whether it's valid for Keystone, the other
auth system, or neither. We have to *try* contacting Keystone, but if
that was down we'd previously return a 503 without ever trying the other
auth system. As a result, a Keystone failure results in a total system
failure.
Now, when delay_auth_decision is True and we cannot determine whether a
token is valid or invalid, we'll instead declare the token invalid and
defer the rejection. As a result, Keystone failures only affect Keystone
users, and tokens issued by the other auth system may still be validated
and used.
Change-Id: Ie4b3319862ba7fbd329dc6883ce837e894d5270c
|
When setting up the AuthProtocol class, if the CONF object contains
deprecated options, an error "dictionary changed size during
iteration" will be raised when comparing the CONF content.
Change "!=" to "is not" here to avoid comparing the CONF
content anymore.
Change-Id: I820aa244160db4f81149d2576386c86b46de0084
Closes-bug: #1789351
|
Change-Id: If387869339f5b1abd91ef73237c9ea48a6fdbf77
|
Keystonemiddleware's abstraction for the memcache pool was broken
when converting to use a queue.Queue. The logic that placed the
connection back into the pool was moved to .acquire and the reserve
method was not using acquire.
Change-Id: I0eda5981cbb661f63790258cf8e70c7340615159
Closes-Bug: #1782404
|
Keystonemiddleware attempts to parse user/service tokens and populate
request headers for other services to consume. This information is
important for services looking to build oslo.context objects from
request environments.
Change-Id: I0717c2a5207a647999b4f9bcdf11f728984f0812
Closes-Bug: 1766731
|
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html
Change-Id: I27a90c1f3132af5cbbeb18a6e59f88f5fe387a36
|
Based on the RFCs[1], in an HTTP header, a string of text is parsed
as a single value if it is quoted using double-quote marks.
This patch changes the single quotes to double quotes in the
"WWW-Authenticate" header, which is returned when a 401 error is raised.
[1]: https://tools.ietf.org/html/rfc7230#section-3.2.6
https://tools.ietf.org/html/rfc7235#section-2.1
Change-Id: I524c93d30607ea6ab70de92ceea207ee77f34c25
Closes-bug: #1762362
|
kwargs_to_fetch_token was deprecated and should be
removed in Rocky now.
Change-Id: Ic247efb84c5133449ead6a9864bbd7748e5e74bd
|
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html
Change-Id: I6a01826b6e09db2374626ec55ed2477f9002f589
|
When the keystonemiddleware is used directly in the WSGI stack of an
application, the 503 that is raised when the keystone service errors
or cannot be reached needs to identify that keystone is the service
that has failed, otherwise it appears to the client that the
service they are trying to access is down, which is misleading.
This addresses the problem in the most straightforward way possible:
the exception that causes the 503 is given a message including the
word "Keystone".
The call method in BaseAuthTokenTestCase gains an
expected_body_string kwarg. If not None, the response body (as
a six.text_type) is compared with the value.
Change-Id: Idf211e7bc99139744af232f5ea3ecb4be41551ca
Closes-Bug: #1747655
Closes-Bug: #1749797
|
Add a configuration option, 'use_oslo_messaging', to indicate whether
to use oslo_messaging notifier. It is set to true for backwards
compatibility.
We can't use audit middleware with services like Swift, which have no
dependency on Oslo and do not work well with oslo_log. Swift uses rsyslog.
Currently, audit middleware indiscriminately chooses oslo_messaging if the
package is installed. This is problematic if Swift proxy is on the same
controller as any service which consumes oslo_messaging. With this new option,
Swift can now safely consume audit middleware by electing to use local
log notifier instead of oslo_messaging.
Change-Id: I87bf857c20e4b78e97d40dcc51a1b4ff0014abb2
Closes-Bug: #1695038
|
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html
Change-Id: I490c9d6e1304c11f18f9a217d53a056fbfc60816
|
Change-Id: I5727e441a8e4ebae506e30abaee792bb2c040614
|
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html
Change-Id: If3dfc83d4620de66211f153b370d833454806b99
|
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html
Change-Id: I1f6641f53d77b80ff467063a8f33a2b0e2b3c8af
|
cfg.CONF must not be used directly, Config().oslo_conf_obj must be used
instead.
Closes-bug: #1737119
Change-Id: I58ec9e25c7f04a8352535d8861e09c7e4c4c0a9d
|
In continuation of I00e953abb3e835a94353fe458100c96e8e9c095a,
this change adds the release note and documentation.
Related-bug #1737115
Change-Id: I456239842d139074cc38cfd620bb88561bb4d0d7
|
Release notes are version independent, so remove version/release
values. We've found that projects now require the service package
to be installed in order to build release notes, and this is entirely
due to the current convention of pulling in the version information.
Release notes should not need installation in order to build, so this
unnecessary version setting needs to be removed.
This is needed for new release notes publishing, see
I56909152975f731a9d2c21b2825b972195e48ee8 and the discussion starting
at
http://lists.openstack.org/pipermail/openstack-dev/2017-November/124480.html
.
Change-Id: I8e769c1dd93bca6a14b6209615f83c09ceceed22
|
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html
Change-Id: I6f8b27486c14d2a92efad825e3d4050f0e66445b
|
The [keystone_authtoken]/auth_uri middleware parameter has been causing
extreme confusion amongst operators and developers ever since the
keystonemiddleware started accepting keystoneauth plugin parameters
including auth_url. The two parameters look identical and yet have
completely different meanings and are both required. This patch
deprecates auth_uri and renames it to www_authenticate_uri, which more
accurately describes the WWW-Authenticate header it is configuring and
is dissimilar to any other keystone_authtoken middleware parameter. This
also renames the internal variable names for consistency with the config
option.
Change-Id: I0cf11da3d395749df28077427689fdafc8a6b981