path: root/keystoneclient/session.py
Commit message (Author, Age, Files, Lines)
* Mask passwords when logging the HTTP response [1.3.3] (Matt Riedemann, 2015-10-09, 1 file, -1/+3)
|   We should sanitize the response body before logging to make sure we aren't leaking through credentials like in the case of the response from the os-initialize_connection volume API.
|   Closes-Bug: #1490693
|   NOTE(mriedem): The test is slightly different in kilo because the _http_log_response method requires kwargs.
|   Change-Id: Ifd95d3fb624b4636fb72cc11762af62e00a026a0
|   (cherry picked from commit 3e26ff824801d5084791a52980021784e794e35f)
* Merge "Improve feedback message in SSL error" (Jenkins, 2015-03-24, 1 file, -2/+3)
|\
| * Improve feedback message in SSL error (Rodrigo Duarte Sousa, 2015-03-20, 1 file, -2/+3)
| |   Adds the error message to give a hint to the user about what happened.
| |   Change-Id: I9ca56de8592e65194062038c81b468be72ffb2d9
| |   Closes-Bug: 1297280
* | Allow passing logger object to request (Jamie Lennox, 2015-03-16, 1 file, -20/+28)
|/
|   It can become difficult to trace the client that created HTTP requests as the logging all goes through the keystoneclient.session logger. Allow passing the logger through the request function and make it able to be set via the adapter so it can be set once per client instantiation.
|   Change-Id: Id45c315bee9a56f1c241210d667470751bf689d5
|   Closes-Bug: #1421868
* Merge "Make remove_service_catalog private" (Jenkins, 2015-02-13, 1 file, -2/+2)
|\
| * Make remove_service_catalog private (Jamie Lennox, 2015-02-10, 1 file, -2/+2)
| |   This is a utility function that is used for reducing the amount of data that is logged. It shouldn't be a public function. I think there is very little risk from this in terms of compatibility as it was only added recently.
| |   Change-Id: I003e9f11be478b1282ea9cf179f2dd13e1672a80
* | Ignore all failures removing catalog when logging token (Brant Knudson, 2015-02-12, 1 file, -8/+13)
|/
|   Operations could fail if the response was logged and had a 'token' field that's not a dict. The fix is to ignore all errors when trying to remove the service catalog from the response. Also, enhanced the service catalog removal code to support V2 tokens.
|   Closes-Bug: 1420080
|   Change-Id: I35b971415744825e8e5f00f30dcf193d04ee699a
* Merge "Change oslo.config to oslo_config" (Jenkins, 2015-02-10, 1 file, -7/+7)
|\
| * Change oslo.config to oslo_config (Brant Knudson, 2015-01-31, 1 file, -7/+7)
| |   The oslo.config libraries are moving away from oslo-namespaced packages. Note that this requires oslo.config>=1.6.0
| |   bp drop-namespace-packages
| |   Change-Id: Ic0d4053875da0628f2359c109f2779d12aadc3eb
* | Merge "Change oslo.serialization to oslo_serialization" (Jenkins, 2015-02-10, 1 file, -1/+1)
|\ \
| |/
| * Change oslo.serialization to oslo_serialization (Brant Knudson, 2015-01-31, 1 file, -1/+1)
| |   The oslo libraries are moving away from namespace packages.
| |   bp drop-namespace-packages
| |   Change-Id: I76dc9f733b222144f0274f8854877587c3501d1e
* | Merge "Switch from oslo.utils to oslo_utils" (Jenkins, 2015-02-10, 1 file, -1/+1)
|\ \
| |/
| * Switch from oslo.utils to oslo_utils (Brant Knudson, 2015-01-31, 1 file, -1/+1)
| |   oslo_utils moved out of the oslo namespace.
| |   bp drop-namespace-packages
| |   Change-Id: I72e67dc1f649ba137dd06f5ab7133858c6abd67d
* | Merge "Add get_headers interface to authentication plugins" [1.1.0] (Jenkins, 2015-02-09, 1 file, -14/+32)
|\ \
| * | Add get_headers interface to authentication plugins (Jamie Lennox, 2015-02-02, 1 file, -14/+32)
| |/
| |   The current scheme of having auth plugins only able to specify the X-Auth-Token header via the get_token function is too limited for all plugins. We need to allow both the case where the plugin wants to control additional headers, or doesn't set the X-Auth-Token header at all. This deprecates the get_token interface in favour of the get_headers interface. Whilst we should promote using get_headers it is likely that plugins that only require setting the X-Auth-Token header will continue to only support the get_token interface.
| |   Change-Id: Ibd750d72acc3ba4fd8a880cad69173248ec4092f
| |   blueprint: generic-plugins
* | Merge "Configure TCP Keep-Alive for certain Sessions" (Jenkins, 2015-02-02, 1 file, -0/+15)
|\ \
| |/
|/|
| * Configure TCP Keep-Alive for certain Sessions (Ian Cordasco, 2015-01-21, 1 file, -0/+15)
| |   If the user creates a keystoneclient.session.Session without passing a custom session, we will enable TCP Keep-Alive for the requests session used by keystoneclient's Session. novaclient and other clients can experience hung TCP connections. Most clients use keystoneclient's session and will need this merged here before they can make use of it in their projects.
| |   Change-Id: Ib70a8b3270d2492596b9fb8981b8584b85567a9c
| |   Closes-bug: 1323862
* | Surface the user_id and project_id beyond the plugin (Jamie Lennox, 2015-01-23, 1 file, -19/+46)
|/
|   Having the user_id and project_id exposed in the plugin is a good first step however we don't really expect the user to be interacting with the plugins directly often - particularly as you need to pass session to the methods. Exposing get_user_id and get_project_id on the session and the adapter in this way is very similar to the way we expose get_token and get_endpoint on the session and adapter for use higher up.
|   Related-Bug: #1364724
|   Change-Id: If2f868c3ddc19133f18446e74f8e1b560a4798fa
* don't log service catalog in every token response (Sean Dague, 2015-01-09, 1 file, -1/+16)
|   The whole service catalog is embedded in every token, and by default all token responses are logged at DEBUG. This adds a huge amount of basically const data into system logs, over and over and over again. We should not log the service catalog by default on every token response. The following replaces the service catalog with the token <removed>. This reduces the compressed logs of API services by about 1/3.
|   Change-Id: I95832d0f13ca93c4618784da9d1eb9ca166cae53
* Merge "Log the CA cert with the debug statement" (Jenkins, 2014-12-11, 1 file, -0/+2)
|\
| * Log the CA cert with the debug statement (Jamie Lennox, 2014-10-24, 1 file, -0/+2)
| |   If you are using a custom CA bundle rather than the default OS one then we should log that as part of the curl statement to make debugging easier.
| |   Change-Id: I1a6ded02b75a3bc9b1ca880db8a9b9b460d36774
* | Correct Session docstring (Brant Knudson, 2014-12-04, 1 file, -61/+110)
| |   The online docs for the Session class are unusable because the arguments to __init__ were not displayed. This and other issues in the docstrings for the class are corrected.
| |   Change-Id: Ia03b785f132f7d21ba576c0c8d634051d7127319
* | Merge "Docstring cleanup for return type" (Jenkins, 2014-12-02, 1 file, -2/+4)
|\ \
| * | Docstring cleanup for return type (Brant Knudson, 2014-10-15, 1 file, -2/+4)
| | |   The :returns: directive doesn't take an argument. To specify the return type, use the :rtype: directive.
| | |   Change-Id: I3aaab824792333b3f75a10af92f5b712cc9b4ff6
* | | Curl statements to include globoff for IPv6 URLs (sridhargaddam, 2014-11-24, 1 file, -1/+1)
| | |   python-keystoneclient displays curl statements for debugging/troubleshooting purposes. For IPv6 URLs, curl requires --globoff to be passed in the arguments. Since keystoneclient does not use curl directly, this patch displays the curl commands with globoff option which works for both IPv4 and IPv6 URLs. Fix adapted from python-novaclient Ib7099e8e3bbc15f29bbaa1db37ef21e78a74e7bc
| | |   Closes-Bug: #1228744
| | |   Change-Id: Ia05e622dea653597d412ffe0987077616fbb18af
* | | Merge "Cleanup docs - raises class" (Jenkins, 2014-11-18, 1 file, -4/+6)
|\ \ \
| * | | Cleanup docs - raises class (Brant Knudson, 2014-10-18, 1 file, -4/+6)
| |/ /
| | |   The argument to the :raises: directive is the class name. If the class name is a valid reference it's rendered as a link to the class. This change cleans up the :raises: directives to use the reference correctly and use a valid class reference.
| | |   Change-Id: I84188b60de0ab4c6b5b2fb5a203c43bfde094707
* | | I18n (Brant Knudson, 2014-10-28, 1 file, -16/+18)
| |/
|/|
| |   Keystoneclient didn't provide translated messages. With this change, the messages are marked for translation.
| |   DocImpact
| |   Implements: blueprint keystoneclient-i18n
| |   Change-Id: I85263a71671a1dffed524185266e6bb7ae559630
* | Use oslo.utils and oslo.serialization (Steve Martinelli, 2014-10-15, 1 file, -2/+2)
|/
|   Left timeutils and strutils in openstack/common since they are used in openstack/common/apiclient and memorycache.
|   Change-Id: Idb5f09c159d907dfba84cd1f7501f650318af7d9
* Log token with sha1 (Brant Knudson, 2014-10-02, 1 file, -1/+5)
|   By logging the sha1 hash of the token, it can be tracked through different services.
|   Closes-bug: #1329301
|   Change-Id: I9c338f6a418ab8dd34dbaaf918b0ea6e9cbe79d7
* Redact x-subject-token from response headers (ankitagrawal, 2014-09-24, 1 file, -9/+13)
|   When you invoke any OpenStack API of any of the OpenStack services e.g. glance, neutron, cinder, heat, ceilometer, nova, keystone then it logs readable x-subject-token at the debug log level in the respective log files. Simply redacting the x-subject-token in keystone client response header before logging it.
|   SecurityImpact
|   Closes-Bug: #1371355
|   Change-Id: Iac16c6358250677544761beea9f5c5d8ba29afac
* Allow retrying some failed requests (Jamie Lennox, 2014-09-16, 1 file, -17/+48)
|   Connection Errors can be transient and there are many clients (including auth_token middleware) that allow retrying requests that fail. We should support this in the session, disabled by default, rather than have multiple implementations for it. For the moment I have purposefully not added it as an option to Session.__init__ though I can see arguments for it. This can be added later if there becomes a particular need. I have also purposefully distinguished between Connection Errors (and connect_retries) and HTTP errors. I don't know a good way to generalize retrying on HTTP errors and they can be added later if required.
|   Blueprint: session-retries
|   Change-Id: Ia219636663980433ddb9c00c6df7c8477df4ef99
* Allow providing an endpoint_override to requests (Jamie Lennox, 2014-09-01, 1 file, -4/+14)
|   As much as I'd prefer not to need this functionality there are plenty of existing clients that we want to have use the adapter that can accept a bypass argument such that it ignores the service catalog and uses that URL for all requests. We therefore need to be able to support similar functionality in our adapter.
|   Change-Id: I206705241ff9b84967d0d9c089b4795bcc26b65e
* Merge "Move fake session to HTTPClient" (Jenkins, 2014-08-26, 1 file, -17/+1)
|\
| * Move fake session to HTTPClient (Jamie Lennox, 2014-08-21, 1 file, -17/+1)
| |   The fake session object is to prevent a cyclical dependency between HTTPClient and the session from leaving hanging session objects around. This is still necessary if you construct a client the old way however if you are using the session properly then there is no cyclical dependency and so we shouldn't prevent people using the connection pooling advantages of the session.
| |   Related-Bug: #1282089
| |   Change-Id: Ifca2c7ddd95a81af01ee43246ecc8e74abf95602
* | Revert "Use oslo.utils" (Matt Riedemann, 2014-08-17, 1 file, -1/+1)
| |   This reverts commit 68c2fad55a71ca511ff959e589aa0a3f3dbd4b78. Looks like this broke the stable branches. :(
| |   Change-Id: I9d190e211ecfa80d573a6c48c0b485f3506fe947
| |   Closes-Bug: #1357652
* | Use oslo.utils (Brant Knudson, 2014-08-05, 1 file, -1/+1)
| |   keystoneclient was using utility function from oslo-incubator rather than oslo.utils.
| |   Change-Id: I2909a2150b9556e54ef88e72358fda1cf8b7cc1c
* | Redact tokens in request headers (Brant Knudson, 2014-07-30, 1 file, -1/+8)
| |   Tokens shouldn't be logged since a token could be gathered from a log file and used. The client was logging the X-Auth-Token and X-Subject-Token request headers. With this change, the X-Auth-Token and X-Subject-Token are shown as "TOKEN_REDACTED". Also, the "Authentication" header is also redacted. This is for security hardening.
| |   SecurityImpact
| |   Closes-Bug: #1004114
| |   Closes-Bug: #1327019
| |   Change-Id: I1edc3821ed028471102cc9b95eb9f3b54c9e2778
* | Don't log sensitive auth data (Jamie Lennox, 2014-07-24, 1 file, -29/+72)
|/
|   Add the ability to turn off logging from the session object and then handle logging of auth requests within their own sections. This is a very simplistic ability to completely disable logging. Logging more filtered debugging can be added later. This new ability is utilized in this patch to prevent logging of requests that include passwords. This covers authenticate, password change, and user update requests that include passwords.
|   SecurityImpact
|   Change-Id: I3dabb94ab047e86b8730e73416c1a1c333688489
|   Closes-Bug: #1004114
|   Closes-Bug: #1327019
* Merge "Add profiling support to keystoneclient" (Jenkins, 2014-07-04, 1 file, -0/+5)
|\
| * Add profiling support to keystoneclient (Boris Pavlovic, 2014-07-04, 1 file, -0/+5)
| |   To be able to create profiling traces for Keystone, client should be able to send special HTTP header that contains trace info. This patch is as well important to be able to make cross project traces. (Typical case nova calls keystone via python client, if profiler is initialized in nova, keystone client will add extra header, that will be parsed by special osprofiler middleware in keystone api) Don't worry no security issue here, trace information is signed by HMAC key that is set in api-paste.ini. So only person that knows HMAC key is able to send proper header.
| |   Change-Id: Ide6fe268613bb0cc9d9ec6fae2957cc570e9f851
* | Session loading from CLI options (Jamie Lennox, 2014-07-02, 1 file, -0/+72)
| |   We will want this to standardize session loading amongst the various CLIs.
| |   Implements: blueprint standard-client-params
| |   Change-Id: Icc740db6d471a0953b7946e00e6317802b6d2255
* | Session loading from conf (Jamie Lennox, 2014-07-02, 1 file, -10/+124)
|/
|   Allow loading session objects from oslo.config. We want a generic way to do this for auth_token middleware and for servers creating session objects for inter-service communication.
|   DocImpact: This is the first step in standardizing all the config options across projects. There are no changes to the config options that keystoneclient actually consumes in this review.
|   Implements: blueprint standard-client-params
|   Change-Id: I1e83280b2f76f16041ed8d5ed598db70210112bd
* Auth Plugin invalidation (Jamie Lennox, 2014-05-23, 1 file, -1/+25)
|   To allow session to re-fetch a token on an Unauthorized call we add an invalidate method to auth plugins that is expected to flush all the current authentication data from the plugin such that it will be refreshed on next request. This is then used to reissue requests from session when an Unauthorized is called.
|   Change-Id: I98fa76fd67e97dc0a8c1ec0bf734792c337b5177
|   blueprint: keystoneclient-auth-token
* Fixes an erroneous type check in a test (David Stanek, 2014-05-20, 1 file, -4/+0)
|   The latest version of requests changes the type of a Response's history. See https://github.com/kennethreitz/requests/commit/b8128d6
|   Closes-Bug: #1321042
|   Change-Id: Iba9fa20d22d878a4298a35e270338ee442031796
* fixed typos found by RETF rules (Christian Berendt, 2014-05-03, 1 file, -2/+2)
|   rules are available at https://en.wikipedia.org/wiki/Wikipedia:AutoWikiBrowser/Typos
|   Change-Id: I67fb3e0d02c931cb7e605ac74ea8272956afa8e1
* Merge "Allow session to return an error response object" (Jenkins, 2014-04-17, 1 file, -2/+6)
|\
| * Allow session to return an error response object (Jamie Lennox, 2014-04-14, 1 file, -2/+6)
| |   Typically we want to have exceptions thrown when dealing with requests that return an HTTP error. However when looking at integrating the session object with other clients it becomes apparent that the exception handling is sufficiently different that it is best for now to let the existing error handling work. Add an option to return the failed request rather than raise an exception so existing clients can do their own error handling.
| |   Blueprint: session-propagation
| |   DocImpact: New session parameter.
| |   Change-Id: I63ea034e7c6eaaf42d4329526a902677a8dd709d
* | Rename HTTPError -> HttpError (Jamie Lennox, 2014-04-15, 1 file, -1/+1)
|/
|   With the move to the apiclient exceptions from oslo the basic HTTP error class was renamed. This was not reflected in all places in the code. It was also not picked up by the tests because the apiclient tests weren't running due to a missing __init__.py file. Because this should be backwards compatible it was added to the list in exceptions, the check that this is available is in the (now running) apiclient tests.
|   Blueprint: common-client-library-2
|   Change-Id: I307c1083f29e3207cc86aa938043270e5c32b4bb
* Merge "Allow passing auth plugin as a parameter" (Jenkins, 2014-04-08, 1 file, -11/+41)
|\