summaryrefslogtreecommitdiff
path: root/keystoneclient/session.py
Commit message (Collapse)AuthorAgeFilesLines
* Use oslo.utils and oslo.serializationSteve Martinelli2014-10-151-2/+2
| | | | | | | Left timeutils and strutils in openstack/common since they are used in openstack/common/apiclient and memorycache. Change-Id: Idb5f09c159d907dfba84cd1f7501f650318af7d9
* Log token with sha1Brant Knudson2014-10-021-1/+5
| | | | | | | | By logging the sha1 hash of the token, it can be tracked through different services. Closes-bug: #1329301 Change-Id: I9c338f6a418ab8dd34dbaaf918b0ea6e9cbe79d7
* Redact x-subject-token from response headersankitagrawal2014-09-241-9/+13
| | | | | | | | | | | | | | When you invoke any OpenStack API of any of the OpenStack services e.g. glance, neutron, cinder, heat, ceilometer, nova, keystone then it logs readable x-subject-token at the debug log level in the respective log files. Simply redacting the x-subject-token in keystone client response header before logging it. SecurityImpact Closes-Bug: #1371355 Change-Id: Iac16c6358250677544761beea9f5c5d8ba29afac
* Allow retrying some failed requestsJamie Lennox2014-09-161-17/+48
| | | | | | | | | | | | | | | | | | | Connection Errors can be transient and there are many clients (including auth_token middleware) that allow retrying requests that fail. We should support this in the session, disabled by default, rather than have multiple implementations for it. For the moment I have purposefully not added it as an option to Session.__init__ though I can see arguments for it. This can be added later if there becomes a particular need. I have also purposefully distinguished between Connection Errors (and connect_retries) and HTTP errors. I don't know a good way to generalize retrying on HTTP errors and they can be added later if required. Blueprint: session-retries Change-Id: Ia219636663980433ddb9c00c6df7c8477df4ef99
* Allow providing an endpoint_override to requestsJamie Lennox2014-09-011-4/+14
| | | | | | | | | | | | As much as I'd prefer not to need this functionality there are plenty of existing clients that we want to have use the adapter that can accept a bypass argument such that it ignores the service catalog and uses that URL for all requests. We therefore need to be able to support similar functionality in our adapter. Change-Id: I206705241ff9b84967d0d9c089b4795bcc26b65e
* Merge "Move fake session to HTTPClient"Jenkins2014-08-261-17/+1
|\
| * Move fake session to HTTPClientJamie Lennox2014-08-211-17/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | The fake session object is to prevent a cyclical dependency between HTTPClient and the session from leaving hanging session objects around. This is still necessary if you construct a client the old way however if you are using the session properly then there is no cyclical dependency and so we shouldn't prevent people using the connection pooling advantages of the session. Related-Bug: #1282089 Change-Id: Ifca2c7ddd95a81af01ee43246ecc8e74abf95602
* | Revert "Use oslo.utils"Matt Riedemann2014-08-171-1/+1
| | | | | | | | | | | | | | | | | | This reverts commit 68c2fad55a71ca511ff959e589aa0a3f3dbd4b78. Looks like this broke the stable branches. :( Change-Id: I9d190e211ecfa80d573a6c48c0b485f3506fe947 Closes-Bug: #1357652
* | Use oslo.utilsBrant Knudson2014-08-051-1/+1
| | | | | | | | | | | | | | keystoneclient was using utility function from oslo-incubator rather than oslo.utils. Change-Id: I2909a2150b9556e54ef88e72358fda1cf8b7cc1c
* | Redact tokens in request headersBrant Knudson2014-07-301-1/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Tokens shouldn't be logged since a token could be gathered from a log file and used. The client was logging the X-Auth-Token and X-Subject-Token request headers. With this change, the X-Auth-Token and X-Subject-Token are shown as "TOKEN_REDACTED". Also, the "Authentication" header is also redacted. This is for security hardening. SecurityImpact Closes-Bug: #1004114 Closes-Bug: #1327019 Change-Id: I1edc3821ed028471102cc9b95eb9f3b54c9e2778
* | Don't log sensitive auth dataJamie Lennox2014-07-241-29/+72
|/ | | | | | | | | | | | | | | | Add the ability to turn off logging from the session object and then handle logging of auth requests within their own sections. This is a very simplistic ability to completely disable logging. Logging more filtered debugging can be added later. This new ability is utilized in this patch to prevent logging of requests that include passwords. This covers authenticate, password change, and user update requests that include passwords. SecurityImpact Change-Id: I3dabb94ab047e86b8730e73416c1a1c333688489 Closes-Bug: #1004114 Closes-Bug: #1327019
* Merge "Add profiling support to keystoneclient"Jenkins2014-07-041-0/+5
|\
| * Add profiling support to keystoneclientBoris Pavlovic2014-07-041-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | To be able to create profiling traces for Keystone, client should be able to send special HTTP header that contains trace info. This patch is as well important to be able to make cross project traces. (Typical case nova calls keystone via python client, if profiler is initialized in nova, keystone client will add extra header, that will be parsed by special osprofiler middleware in keystone api) Don't worry no security issue here, trace information is signed by HMAC key that is setted in api-paste.ini. So only person that knows HMAC key is able to send proper header. Change-Id: Ide6fe268613bb0cc9d9ec6fae2957cc570e9f851
* | Session loading from CLI optionsJamie Lennox2014-07-021-0/+72
| | | | | | | | | | | | | | | | We will want this to standardize session loading amongst the various CLIs. Implements: blueprint standard-client-params Change-Id: Icc740db6d471a0953b7946e00e6317802b6d2255
* | Session loading from confJamie Lennox2014-07-021-10/+124
|/ | | | | | | | | | | | | Allow loading session objects from oslo.config. We want a generic way to do this for auth_token middleware and for servers creating session objects for inter-service communication. DocImpact: This is the first step in standardizing all the config options across projects. There are no changes to the config options that keystoneclient actually consumes in this review. Implements: blueprint standard-client-params Change-Id: I1e83280b2f76f16041ed8d5ed598db70210112bd
* Auth Plugin invalidationJamie Lennox2014-05-231-1/+25
| | | | | | | | | | | | | To allow session to re-fetch a token on an Unauthorized call we add an invalidate method to auth plugins that is expected to flush all the current authentication data from the plugin such that it will be refreshed on next request. This is then used to reissue requests from session when an Unauthorized is called. Change-Id: I98fa76fd67e97dc0a8c1ec0bf734792c337b5177 blueprint: keystoneclient-auth-token
* Fixes an erroneous type check in a testDavid Stanek2014-05-201-4/+0
| | | | | | | | The latest version of requests changes the type of a Response's history. See https://github.com/kennethreitz/requests/commit/b8128d6 Closes-Bug: #1321042 Change-Id: Iba9fa20d22d878a4298a35e270338ee442031796
* fixed typos found by RETF rulesChristian Berendt2014-05-031-2/+2
| | | | | | rules are avaialble at https://en.wikipedia.org/wiki/Wikipedia:AutoWikiBrowser/Typos Change-Id: I67fb3e0d02c931cb7e605ac74ea8272956afa8e1
* Merge "Allow session to return an error response object"Jenkins2014-04-171-2/+6
|\
| * Allow session to return an error response objectJamie Lennox2014-04-141-2/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Typically we want to have exceptions thrown when dealing with requests that return an HTTP error. However when looking at integrating the session object with other clients it becomes apparent that the exception handling is sufficiently different that it is best for now to let the existing error handling work. Add an option to return the failed request rather than raise an exception so existing clients can do there own error handling. Blueprint: session-propagation DocImpact: New session parameter. Change-Id: I63ea034e7c6eaaf42d4329526a902677a8dd709d
* | Rename HTTPError -> HttpErrorJamie Lennox2014-04-151-1/+1
|/ | | | | | | | | | | | | With the move to the apiclient exceptions from oslo the basic HTTP error class was renamed. This was not reflected in all places in the code. It was also not picked up by the tests because the apiclient tests weren't running due to a missing __init__.py file. Because this should be backwards compatible it was added to the list in exceptions, the check that this is available is in the (now running) apiclient tests. Blueprint: common-client-library-2 Change-Id: I307c1083f29e3207cc86aa938043270e5c32b4bb
* Merge "Allow passing auth plugin as a parameter"Jenkins2014-04-081-11/+41
|\
| * Allow passing auth plugin as a parameterJamie Lennox2014-04-081-11/+41
| | | | | | | | | | | | | | | | | | | | | | | | This further separates the concept of session and auth plugin so that the session can be a completely standalone transport layer. This is similar to how requests handles things. You can install an auth plugin on the session object and then everything that works through the session will be authenticated or you can specify the auth plugin per request and only authenticate that request. Change-Id: If4ed5af831cc35e259d9f963062261819f08a9d5
* | Reuse module `exceptions` from OsloAndrey Kurilin2014-04-011-2/+2
|/ | | | | | | | | | | | | | | | | | The exception module in oslo common code and in keystoneclient are similar. In case of unification openstack clients, we should use modules from Oslo. Changes of this patch: - imported exceptions from common code instead of `apiclient.exception` - added aliases for exceptions which was renamed (reason: backwards compatibility) - moved exceptions `EmptyCatalog` from `apiclient.exception` to `exceptions` - cleaned `apiclient.exception` from duplicated exceptions - `apiclient.__init__` and `apiclient.exceptions` are kept and labeled as 'deprecated'(reason: backwards compatibility) bp common-client-library-2 Change-Id: Iedf4e5d753d4278d81751ba0f55fdef3566b56de
* Merge "Handle URLs via the session and auth_plugins"Jenkins2014-03-251-2/+33
|\
| * Handle URLs via the session and auth_pluginsJamie Lennox2014-03-251-2/+33
| | | | | | | | | | | | | | | | | | | | | | | | | | In the future clients will simply pass the service they expect to talk to and the path. This will prevent every service trying to get their own base urls from the service catalog individually. This can later be extended to have the auth plugin actually contact the URL from the service catalog which will let us have unversioned endpoints in the catalog handled from a single location. Change-Id: I80f0b5b1dbb45565fec09d1cb2c0552cfb9a72f5 blueprint: auth-plugin-endpoints
* | Start using positional decoratorJamie Lennox2014-03-251-0/+3
|/ | | | | | | | | Apply the positional decorator to functions. It has been added as I think best practice would dictate, though in some places it has been added in a way that doesn't break existing tests. Closes-Bug: #1295881 Change-Id: I4f7ddbede4cba4ab79d144ad1f9dc83ea76f204a
* Don't use a connection pool unless providedJamie Lennox2014-03-211-1/+17
| | | | | | | | | | | | To prevent left over TCP connections from keystoneclient not correctly cleaning up we shouldn't use a connection pool. This is not ideal but it was a relatively new addition so shouldn't affect performance. When we are able to find a long term solution to keystoneclient's other problems we can move back to using a connection pool. Change-Id: I45678ef89b88eea90ea04de1e3170f584b51fd8f Closes-Bug: #1282089
* Create V2 Auth PluginsJamie Lennox2014-02-211-2/+11
| | | | | | | | | | | | | | Extract the authentication code from a v2 client and move it to a series of auth plugins. Auth plugins each represent one method of authenticating with a server and there is a factory method on the base class to select the appropriate plugin from a group of arguments. When a v2 client wants to do authentication it will create a new v2 auth plugin, do the authentication and then take that result for the client to use. Change-Id: I4dd7474643ed5c2a3204ea2ec56029f926010c2c blueprint: auth-plugins
* Merge "Remove vim header"Jenkins2014-02-131-2/+0
|\
| * Remove vim headerEric Guo2014-02-081-2/+0
| | | | | | | | | | | | | | | | We don't need vim modelines in each source file, it can be set in user's vimrc. Change-Id: Ic7a61430a0a320ce6b0c4518d9f5d988e35f8aae Closes-Bug: #1229324
* | Merge "Fix debug curl commands for included data"Jenkins2014-02-121-4/+5
|\ \
| * | Fix debug curl commands for included dataJamie Lennox2014-02-041-4/+5
| | | | | | | | | | | | | | | | | | | | | | | | Include the submitted data in the curl debug statement. Initially fixed in: https://review.openstack.org/#/c/53501 Change-Id: I4e3e9e4799a508666fb37fafe864eea25b676836 Closes-Bug: #1249891
* | | Merge "Add back --insecure option to CURL debug"Jenkins2014-02-121-1/+7
|\ \ \ | |/ / | | / | |/ |/|
| * Add back --insecure option to CURL debugJamie Lennox2014-02-041-1/+7
| | | | | | | | | | | | | | | | This was added in review: https://review.openstack.org/#/c/53500 but lost in the conversion to using session. Add it back again. Change-Id: Ia063eb018d3a7da706a02d60df63bfa1be21d147 Related-Bug: #1249891
* | Create Authentication PluginsJamie Lennox2014-02-041-3/+31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Provides the framework for creating authentication plugins and using them from a session object. To allow this system to co-exist with the original client there is a bit of a hack. The client object itself is now also an authentication plugin, that supports the original client pattern. If a client is created without a session object then that session object uses the client as it's authentication plugin. Change-Id: I682c8dcd3705148aaa804a91f4ed48a5b74bdc12 blueprint: auth-plugins
* | Provide a conversion function for creating sessionJamie Lennox2014-02-031-0/+37
|/ | | | | | | | | | | | | | Session.construct will create a session based upon the kwargs that used to be passed to a client __init__ function. This will allow clients an easy path to providing compatibility with deprecated arguments. Make use of the function throughout discovery. Discovery was initially released prior to the session object being completed and was therefore handled with the same arguments as a client. Instead we should use a session object so use the conversion function to convert those kwargs into a session object if one is not provided. Change-Id: I8dc1e0810ea6ebc6ea648ec37d7881825c566676
* Adjust import items according to hacking import ruleEric Guo2014-01-171-0/+1
| | | | | | | | | | | | | | | | | | This patch adjust import items and add missing blank lines acording to http://docs.openstack.org/developer/hacking/#imports {{stdlib imports in human alphabetical order}} \n {{third-party lib imports in human alphabetical order}} \n {{project imports in human alphabetical order}} \n \n {{begin your code}} hacking project also enforce some checks for import group. Let make the change in keytoneclient Change-Id: Ic83bd5ee426905588f4a2d555851a9a01fc69f02
* Merge "Saner debug log message generation"Jenkins2014-01-151-4/+4
|\
| * Saner debug log message generationJamie Lennox2014-01-091-4/+4
| | | | | | | | | | | | | | | | For some reason building the debug log would include spaces in the message elements and join on the empty string. It makes much more sense to just build the list and join on the space. Change-Id: Idd82787b87518c56122d0b13551f84529306337c
* | Controllable redirect handlingJamie Lennox2014-01-091-17/+61
|/ | | | | | | | | | The requests library handles redirects as a browser would, which has the problem that forwarding a POST will convert it to a GET. This is not necessarily intuitive for an API. Handle all redirection manually and provide some control over how far redirection can go. Closes-Bug: 1267286 Change-Id: I24596a9c39cc29db28a66c3053ef3954b33abf90
* Move redirect handling to sessionJamie Lennox2013-12-201-4/+20
| | | | | | | | Particularly 305 is expected to be handled by the tests so we need to handle this centrally if we want to have session and non-session clients to work the same way. Change-Id: Id4ec35ddd8b8304d24df9e6cd2ab995d123ef125
* Remove debug specific handlingJamie Lennox2013-12-201-29/+18
| | | | | | | | | | | | | | | | I think debug handling was initially done this way for CLI handling where we wanted to make sure only the correct information was printed to the console. However as logging.basicConfig sets up a stream handler on the root logging object I can't see any purpose to the debug handling in the actual HTTPClient. Further than this it is completely wrong that a client library is messing with it's logging level, this should be handled by an application. The debug flag is maintained and deprecated in HTTPClient and removed from the session object. There has been no release since the addition of session so there is no problem with compatibility. Change-Id: Ib00f3d93d099ed1a9dd25f17121610a7289f0061
* Extract a base Session objectJamie Lennox2013-11-281-0/+201
A wrapper around a number of connection variables. This will be extended later with principals such as Kerberos authentication and http sessions. The intent is that this session object will become the basis for all other client library communications in OpenStack (as keystone wants to control things like authentication for everybody). Change-Id: I8ee728c49d554659d7057ebf17d0f8ceea4d7d8e Part of: blueprint auth-plugins