| Commit message (Collapse) | Author | Age | Files | Lines |
Do not iterate action.choices in the method add_arguments
in the class OpenStackHelpFormatter if action.choices is
not iterable because it is none.
Change-Id: Ie7110adb798326e5856fddfb6a7365c663b84998
Closes-Bug: #1372152
When running with a havana-level of oslo.config (<1.3.0),
applications with any config options in their api-paste.ini will
fail to start with an error like
'StrOpt' object has no attribute 'type'
This is because the config options didn't have a type attribute
until 1.3.0.
During the grenade test, the havana level of oslo.config is used,
while the master level of keystoneclient is used, and also in the
havana tests the services are still using the keystoneclient
auth_token middleware.
Change-Id: I745c3e04f18941a2d41e191d43f61b926522bb9d
Closes-Bug: #1372422
In the existing code, self.ssl_insecure is a string. If the insecure
option is set in nova api-paste.ini, whether it is 'true' or
'false', kwargs['verify'] will become False. This commit corrects
the condition expression. This patch is backported from
https://review.openstack.org/#/c/113191/
Change-Id: I91db8e1cb39c017167a4160079846ac7c0663b03
Closes-Bug: 1353315
Authentication workflow for the Active Directory Federated Services
(ADFS) by Microsoft is different from 'standard' ECP based one.
This plugin allows for authentication and fetching a security token with a SAML2
assertion inside, sending it to the Service Provider and retrieving an
unscoped token.
Change-Id: I588de1967a7fb92c5928686d092895847553923a
Implements: blueprint add-saml2-cli-authentication
Change-Id: Ib2ab829ed777a4f2fb13ec7426dffef99a4118ab
When calculating the AWS Signature Version 4, in the case of POST,
we need to set the CanonicalQueryString to an empty string. This
follows the implementation of the AWS and boto clients.
Change-Id: Iad4e392119067e246c7b77009da3fef48d251382
Closes-Bug: 1360892
Change-Id: I67a599e362685f7990175fb5668e6909d670a225
This adds the client library class for the endpoint policy extension.
Implements: bp endpoint-policy
Change-Id: I7153d7a093f4299d7f912b0b4a9a02ffacdb9e69
Federated tokens don't include domains in the user object.
Keystoneclient should be able to estimate whether the token is a
federated one and, if so, not expect user domain information.
In case of the federated token keystoneclient returns None in response
to user_domain_name and user_domain_id calls.
Co-Authored-By: Steve Martinelli <stevemar@ca.ibm.com>
Closes-Bug: #1346820
Change-Id: I3453275fa1b0a41b1c015b0c3a92895a77d69a41
Connection Errors can be transient and there are many clients (including
auth_token middleware) that allow retrying requests that fail.
We should support this in the session, disabled by default, rather than
have multiple implementations for it.
For the moment I have purposefully not added it as an option to
Session.__init__ though I can see arguments for it. This can be added
later if there becomes a particular need.
I have also purposefully distinguished between Connection Errors (and
connect_retries) and HTTP errors. I don't know a good way to generalize
retrying on HTTP errors and they can be added later if required.
Blueprint: session-retries
Change-Id: Ia219636663980433ddb9c00c6df7c8477df4ef99
To maintain compatibility we must allow people to specify a versioned
URL in the service catalog but allow the plugins to return a different
URL to users.
We need this to be a general approach as other services will likely have
a similar problem with their catalog.
The expectation here is that a client will register the catalog hack at
import time rather than for every request.
Closes-Bug: #1335726
Change-Id: I244f0ec3acca39fd1b2a2c5883abc06ec10eddc7
Last commit: 32e7f0b56f527427544050f251999f3de588ac93
This patch syncs the python-keystoneclient with oslo-incubator as I
need this patch 4ef01931 which fixes a bug that I am hitting in
another client which uses the keystoneclient.
Closes-bug: 1277565
Change-Id: I22f10f4fe27be16a6808b75c154ee342fea2bdda
Auth plugins must sometimes affect the Headers and other portions
of the network setup. Examples: Kerberos needs to set the
negotiate header. X509 to provide the client certificate.
This change makes that capability available to the Auth plugins.
Those plugins will live in separate repositories. There are no
dependent patches for it in this repository.
This was split out by Adam Young from the Kerberos Client patch
written by Jose Castro Leon
Change-Id: Iab7287888e4b3f199b9035c1a24ac43639b5027b
Provide access to get_token, get_endpoint and invalidate to the adapter.
The adapter is essentially created per individual client and it can be
useful to know things like the endpoint that requests will be sent to
based on the parameters that are included in the endpoint_filter.
This essentially allows us to emulate the management_url and auth_token
properties of the existing clients.
Change-Id: Ic01bc52bb38e8fb72e7a6d93bfd2944b11d0b070
Change-Id: Ia850e62fe4c888365f5031cc8b7c7ad526600222
A Framework for creating plugins that work across identity versions.
Upon creating a generic plugin the plugin will go and discover what
versions are available on the server and then attempt to construct a
suitable plugin.
Blueprint: version-independant-plugins
Change-Id: If7fed94aaf4636e80a9c3a834cf6c5430f20e489
None must be an acceptable parameter for username in password due to
tests in other libraries, however we should still raise an error if
neither username nor user_id is passed. Use and check a sentinel value
instead of None.
Change-Id: Id61cfd1423afa8f9dd964fda278f4fab40887512
Closes-Bug: #1361444
When loading from config we need a way to determine if a plugin name was
specified incorrectly or was not specified at all. We need this to
determine if we need to load a fallback plugin.
This is much more in line with how CLI loading works and how it should
have worked initially.
Change-Id: I5547b6e169abc4f1850ff205a8f054a617785c2c
Closes-Bug: #1359618
The version parameter was left out of adapter previously because setting
a version number triggers discovery and I felt that it was not ready for
the other services.
However if it isn't set then it won't be used and we may as well
implement it here once rather than have the individual services that do
support it override it themselves.
Change-Id: I707380a01175dc19b59de32cbb8fd2bb123d7335
Returning a True from the invalidate() call means that something has
changed within the plugin and the session should reissue the request and
expect the plugin to authenticate itself.
This means we should only return True if something actually changed,
because re-issuing the request if there was no auth_ref will not change
the outcome.
Change-Id: I012dacc93b1fcaee31d31a49e95db5a38044f211
As much as I'd prefer not to need this functionality there are plenty of
existing clients that we want to have use the adapter that can accept a
bypass argument such that it ignores the service catalog and uses that
URL for all requests.
We therefore need to be able to support similar functionality in our
adapter.
Change-Id: I206705241ff9b84967d0d9c089b4795bcc26b65e
Change-Id: I4cdd32676de74c2628754a5df6d251605a25e1fb
Change-Id: I64ae9191863564e278a35d42ec9cd743a233028e
Closes-Bug: 1365061
body= parameters are supposed to be io objects. This is obviously during
the conversion from HTTPretty.
Change-Id: Ia8ec9294e054e2231aa4a5e2633e2b7d5d15066a
Closes-Bug: #1363632
When setting tokens via the factory, v2 and v3 work completely
differently. This is somewhat expected due to tokens working differently
but it makes it hard to work with.
For example, if I have a v3 token but not the requests.Response that
created it there is no way for me to set the token data on the
AccessInfo object via factory.
Also in the case of V2 CMS tokens the value at ['token']['id'] is a fake
so that the signing process will work.
Allow overriding the token value from the factory and force setting the
token id on the AccessInfo in a standard way.
Change-Id: I856096dc5fae2ab0d1bedbac3294dc4976c3f3ad
Allow users to specify a default value to loading auth plugins from the
CLI so that you can fall back to some default behaviour if the user
doesn't specify a plugin.
Change-Id: I44eb838f7ccc3b377dd1ba53dbb941e973e4a22e
The fake session object is to prevent a cyclical dependency between
HTTPClient and the session from leaving hanging session objects around.
This is still necessary if you construct a client the old way however if
you are using the session properly then there is no cyclical dependency
and so we shouldn't prevent people using the connection pooling
advantages of the session.
Related-Bug: #1282089
Change-Id: Ifca2c7ddd95a81af01ee43246ecc8e74abf95602
Only PKI (asn1) based tokens were checked for format and hashed
Closes-Bug: 1355125
SecurityImpact
Change-Id: Iefedde7f168e2ff1870905041fa95301934452e5