We are enthusiastic to announce the release of: keystone 10.0.0: OpenStack Identity This release is part of the newton release series. For more details, please see below. 10.0.0 ^^^^^^ Add "keystone-manage mapping_populate" command, which should be used when domain-specific LDAP backend is used. Tokens can now be cached when issued. New Features ************ * [blueprint domain-config-as-stable (https://blueprints.launchpad.net/keystone/+spec/domain-config-as- stable)] The domain config via API is now marked as stable. * [blueprint manage-migration (https://blueprints.launchpad.net/keystone/+spec/manage-migration)] Upgrading keystone to a new version can now be undertaken as a rolling upgrade using the *--expand*, *--migrate* and *--contract* options of the *keystone-manage db_sync* command. * OSprofiler support was added. This cross-project profiling library allows to trace various requests through all OpenStack services that support it. To initiate OpenStack request tracing *--profile <HMAC_KEY>* option needs to be added to the CLI command. Configuration and usage details can be foung in [OSProfiler documentation (http://docs.openstack.org/developer/osprofiler/api.html)] * Add "keystone-manage mapping_populate" command. This command will pre-populate a mapping table with all users from LDAP, in order to improve future query performance. It should be used when an LDAP is first configured, or after calling "keystone-manage mapping_purge", before any queries related to the domain are made. For more information see "keystone-manage mapping_populate --help" * Add "cache_on_issue" flag to "[token]" section that enables placing issued tokens to validation cache thus reducing the first validation time as if token is already validated and token data cached. Upgrade Notes ************* * We have added the "password_expires_at" attribute to the user response object. * The identity backend driver interface has changed. We've added a new "change_password()" method for self service password changes. If you have a custom implementation for the identity driver, you will need to implement this new method. * OSprofiler support was introduced. To allow its usage the keystone- paste.ini file needs to be modified to contain osprofiler middleware. * Fixes a bug related to the password create date. If you deployed master during Newton development, the password create date may be reset. This would only be apparent if you have security compliance features enabled. * In the policy.json file, we changed *identity:list_projects_for_groups* to *identity:list_projects_for_user*. Likewise, we changed *identity:list_domains_for_groups* to *identity:list_domains_for_user*. If you have customized the policy.json file, you will need to make these changes. This was done to better support new features around federation. * Keystone now supports encrypted credentials at rest. In order to upgrade successfully to Newton, deployers must encrypt all credentials currently stored before contracting the database. Deployers must run *keystone-manage credential_setup* in order to use the credential API within Newton, or finish the upgrade from Mitaka to Newton. This will result in a service outage for the credential API where credentials will be read-only for the duration of the upgrade process. Once the database is contracted credentials will be writeable again. Database contraction phases only apply to rolling upgrades. * Keystone now relies on pyldap instead of python-ldap. The pyldap library is a fork of python-ldap and is a drop-in replacement with modifications to be py3 compatible. Deprecation Notes ***************** * [blueprint domain-config-as-stable (https://blueprints.launchpad.net/keystone/+spec/domain-config-as- stable)] Deprecated "keystone-manage domain_config_upload". The keystone team recommends setting domain config options via the API instead. The "domain_config_upload" command line option may be removed in the 'P' release. * [blueprint deprecated-as-of-newton (https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of- newton)] As of the Newton release, the class plugin *keystone.common.kvs.core.KeyValueStore* has been deprecated. It is recommended to use alternative backends instead. The "KeyValueStore" class will be removed in the 'P' release. Bug Fixes ********* * [bug 1590587 (https://bugs.launchpad.net/keystone/+bug/1590587)] When assigning Domain Specific Roles, the domain of the role and the domain of the project must match. This is now validated and the REST call will return a 403 Forbidden. * [bug 1594482 (https://bugs.launchpad.net/keystone/+bug/1594482)] When using list_limit config option, the GET /services?name={service_name} API was first truncating the list and afterwards filtering by name. The API was fixed to first filter by name and only afterwards truncate the result list to the desired limit. * [bug 1613466 (https://bugs.launchpad.net/keystone/+bug/1613466)] Credentials update to ec2 type originally accepted credentials with no project ID set, this would lead to an error when trying to use such credential. This behavior has been blocked, so creating a non- ec2 credential with no project ID and updating it to ec2 without providing a project ID will fail with a *400 Bad Request* error. Other Notes *********** * The response's content type for creating request token or access token is changed to *application/x-www-form-urlencoded*, the old value *application/x-www-urlformencoded* is invalid and will no longer be used. * Keystone now supports being run under Python 3. The Python 3 and Python 3.4 classifiers have been added. Changes in keystone 9.0.0.0rc1..10.0.0 -------------------------------------- 724ac7f Make returning is_domain conditional 4a60452 Validate password history for self-service password changes 6520523 Imported Translations from Zanata b3fae77 Fixes password created_at errors due to the server_default 6eeb354 Update UPPER_CONSTRAINTS_FILE for stable/newton af1c62e Update .gitreview for stable/newton 9640f50 Add unit tests for isotime() 6e2738c Remove unused _convert_to_integers() method 294c5a1 Remove unused read_cached_file method from utils 9bbb0ce Allow compatibility with keystonemiddleware 4.0.0 c2fd1f6 Fix links on configure_federation documentation acde6ff Add edge case tests for disabling a trustee 36d7be0 Fix prameters name and response codes in Keystone API v2 4d4faab Tweak api-ref doc for services/endpoints 6e18511 Use issued_at in fernet token provider 3c5af9a Remove unused method from keystone.common.utils 408820c Use ConfigParser instead of SafeConfigParser 301b6a7 Consistently round down timestamps d907ad3 Remove the APIs from doc that is not supported yet 63b37b5 TrivialFix: Merge imports in code 17224c4 Fix the nit on how to deploy keystone with `mod_proxy_uwsgi` 830b01f Tweak api-ref doc for projects bf5711e Remove the dead link in schema migration doc e56dbe8 Updated from global requirements fe12aaf Fix order of arguments in assertIs 9418f26 New notes on advanced upgrade/fallback for cluster 06b050c standardize release note page ordering 77a002b [api-ref] Correct response code status e7b845c Replace six iteration methods with standard ones 3332edf Fixes a nit in a comment 85b2faa Updates configuration doc with latest changes 9059f2e Use freezegun for change password tests 9a559c7 Update sample keystone.conf for Newton 73bdbe1 Project domain must match role domain for assignment 407f08e Add docs for the null key 59f117f Log warning if null key is used for encryption e9b6437 Introduce null key for credential encryption 3c3df90 More nit doc fixes 2cf1b1e Keep the order of passwords in tests fb7be8c [api-ref] Stop supporting os-api-ref 1.0.0 a984bff Fix up some doc nits 83e3c00 Only cache callables in the base manager 5c9fa41 [api-ref] Correcting parameter's type 602cc57 Correct link type fbe462f Fix problems in service api doc 5a49379 Raise NotImplementedError instead of NotImplemented c7a5f41 Add the deprecated_since to deprecated options 33008ce Add doctor checks for credential fernet keys 32af31f Few new commands missing from docs 1de7224 Emit log message for fernet tokens only 0edf1fe Implement encryption of credentials at rest 409211d Typo: key_manger_factory to key_mangler_factory ffee044 Fixes spelling mistakes 2b70175 Fixes migration where password created_at is nullable 305cb8a Block global roles implying domain specific roles 05c5f0c Correct typo in mapping_populate command's help 7ba5370 Relax the requirement for mappings to result in group memberships 0e7ab57 Document credential encryption cc3e797 Update sample uwsgi config for lazy-apps ba98048 Add documentation on how to set a user's tenant. 7260b55 Pre-cache new tokens 2b6d04b Config logABug feature for Keystone api-ref 97da3a7 Fix nits in db migration dev docs 0ae6d09 Disallow new migrations in the legacy migration repository 7dd1ae4 Updated from global requirements 4f40cc3 Update developer docs for new rolling upgrade repos 2aee65c Add man page info for credential setup command 11848b2 Remove unnecessary try/except from token provider 3272623 Fixes small grammar mistake in docstring 428a6e0 Add a feature support matrix for identity sources c81b337 Fix wrong response codes in 'groups' APIs. 94b08af Make token_id a required parameter in v3_to_v2_token 42eda48 Distributed cache namespace to invalidate regions 618d9ca Fix formatting strings when using multiple variables ceec009 Add credential setup command a8dbe9b Add Response Example for 'Create credential' API e332a3a Add Response Example for 'Passwd auth with unscoped authorization' c613dd3 Remove mapping schema from the doc 5346dfa Impose a min and a max on time values in CONF.token 7678c40 Repair link in Keystone documentation 67cf54d Fix some typos in comments 3281e8f Cleaning imports in code 372c1bd Updated from global requirements c30fd01 TrivialFix: Remove logging import unused 0845df2 Removes old, unused code 6bde3f3 Reduce log level of Fernet key count message a9a2665 Updated from global requirements 3fad275 Adds password regular expression checks to doctor f66077f Let upgrade tests control all 4 repositories at once 64fabd7 Adds check that minimum password age is less than password expires days 3976e58 Remove unused global variable from unit tests 743e110 Modify sql banned operations for each of the new repos 3e29913 Use egg form of osprofiler in paste pipeline 17f96bb api-ref: Splitting status lines in API v3-ext. 43df612 api-ref: Splitting status lines in API v3. 4bf04ff Remove mox from test-requirements 80c56ba TrivialFix: Remove logging import unused 6ecc426 [api-ref]: Outdated link reference 020776b Remove unnecessary __init__ b1fdad9 Add mapping_populate command 5ae761e Doc fix: license rendered in published doc 52b2503 Doc fix: "keystone-manage upgrade" is not a thing 8144e28 Fix credential update to ec2 type 25d3591 Add key repository uniqueness check to doctor dd63146 Update `href` for keystone extensions 8114a07 Updated from global requirements 1531b3c Fix the wrong URI for the OAuth1 extension in api-ref. 70e6d58 Shadowing a nonlocal_user incorrectly creates a local_user fd2a4fa Add entrypoint for mapped auth method 80888cf Get ready for os-api-ref sphinx theme change a5e2906 Add rolling upgrade documentation a6d4512 Add create and update methods to credential Manager e10811c Create a fernet credential provider fab5f82 Make KeyRepository shareable bd80bb7 Add conf to support credential encryption e6a0fd0 Password expires ignore user list 96ec431 Add expand, data migration and contract logic to keystone-manage cb51cb4 [api] add relationship links to v3-ext ecbeae5 Removes use of freezegun in test_auth tests 25d2f8e Removes a redundant test from FernetAuthWithTrust b6744a6 api-ref: Fix parameters attributes 6749008 Set default value for [saml]/idp_contact_surname 850eace Tidy up for late-breaking review comments on keystone-manage b4ff783 PCI-DSS Minimum password age requirements 251cf10 api-ref: Document domain specific roles 32cf428 Revert "Add debug logging to revocation event checking" 72b274d Replace the content type with correct one 59a2351 Add credential encryption exception c2d8451 Pass key_repository and max_active_keys to FernetUtils bc95434 Make a FernetUtils class 4dafc37 Move fernet utils into keystone/common/ 4569d41 Add support for rolling upgrades to keystone-manage 3b86db4 api-ref: Document implied roles API 51cccd2 Support new osprofiler API 729c989 api-ref: Correcting V3 OS-INHERIT APIs 8363ab2 Fix typo in the file d2ee07b Add debug logging to revocation event checking 963c23c Detail Federation Service Provider APIs in api-ref 5d2fd07 Detail Fed Projects and Domains APIs in api-ref 46b71ef add a header for the federation APIs 30ded50 Detail Federation Mapping APIs in api-ref docs b62acaa Detail Federation Auth APIs in api-ref docs ec5b0cb Detail Federation Assertion APIs in api-ref docs 9030e6e Move other-requirements.txt to bindep.txt 960967e Detail IdP APIs in api-ref docs 5289eef api-ref: Add default domain config documentation 85ae245 Constraints are ready to be used for tox.ini 0c78293 Updated from global requirements d36e555 [api] add relationship links to v3 e9b0f2f Refactor revoke matcher b9c6717 Document get auth/catalog,projects,domains e4a82b3 api-ref: Renaming parameters of V3-ext APIs 9241aeb api-ref: Correcting V3 Credentials APIs ceaa09d api-ref: Correcting V3 Policies APIs b3c8381 api-ref: Correcting V3 Authentication APIs 8d5926a api-ref: Correcting V3 Domain config APIs 8a069c0 Use international logging message 7f3ec14 Updates Development Environment Docs 5740a32 api-ref: Add query options to GET /projects API documentation 2398e5b Updated from global requirements 6db31c8 api-ref: Add missing parameter tables to tenant e1e7c7d Create unit tests for the policy drivers 6919253 api-ref: Correcting V3 Endpoints APIs 9a520bc api-ref: Correcting V3 Services APIs 82bf342 api-ref: Add "nocatalog" option to GET /v3/auth/tokens 6b52756 Fix warning when running tox -e api-ref ff00d33 Add basic upgrade documentation 8026a95 Document query option (is_domain) for projects 6c408a0 remove test utilities related to adding extensions b33512f Update etc/keystone.conf.sample 3de3d71 Make hash_algorithms order deterministic 041f53f PCI-DSS Password expires validation aa9fdfc Report v2.0 as deprecated in version discovery 50ff858 Update the api-ref to mark the v2 API as deprecated a5264d7 Add schema validation to create user v2 935530f Fix the spelling of a test name 141970f Remove mention of db_sync per backend 9838e54 Trust controller refactoring ffd2fea Use more specific asserts in tests 64e97a8 Updated from global requirements 4c351c5 Add debug logging for RevokeEvent deserialize problem 3efd271 Make all token provider behave the same with trusts bfa13b7 Clean up the introductory text in the docs e8022f3 Retry revocation on MySQL deadlock 5eedeaa Add schema validation to update user v2 0e2cc05 PCI-DSS Lockout requirements ebe1e83 Improve domain configuration API docs e420b16 Skip middleware request processing for admin token 8eb67a9 Move Assertion API to its own file 5a0987d Bump API version number and date 62d0175 Move Federation Auth API to its own file edd5827 Move List Projects and Domains API to its own file 34dd18c Move Service Provider API to its own file fc9cfb7 Move Mapping API to its own file 6f36a20 Use %()d for integer substitution 97a6341 Don't include openstack/common in flake8 exclude list 44ccc92 Added postgresql libs to developer docs f250fe4 Add schema validation to create service in v2 b26200b Remove the redundant verification in OAuth1 authorization dbf101f Add schema validation to v2 update tenant 85570dc refactor idp to its own file 629b2d0 Updated from global requirements 6bc3a74 PCI-DSS Password history requirements 0f6fa0e Move Identity Provider API to its own file bc99dc7 Add dummy domain_id column to cached role 6a94b28 Allow attributes other than `enabled` in schema 345d2a0 Remove the extensions repos 8cef848 Document the domain config API as stable fc924f8 Remove configuration references to eventlet a14add1 Adds a custom deepcopy handler 927b08b Add token feature support matrix to documentation 8246fc2 Test number of queries on list_users 295cfde No need the redundant validation in manager level f26b31a Add the missing testcases for `name` and `enabled` fd861dc Adds test for SecurityError's translation behavior b2cb4c4 TOTP auth not functional in python3 6ab4444 Invalid tls_req_cert constant as default 05f8578 Add schema validation to v2 create tenant 9c99641 Use quotes consistently in token controller 9d01162 Add performance tuning documentation 0b600ce Allow V2TestCase to be tested against fernet and uuid b77c5b7 Make AuthWithTrust testable against uuid and fernet ab7a745 Improve os-federation docs 62fb97f Fix v2-ext API enabled documentation dfd5d25 PCI-DSS Adds password_expires_at to API docs 5bbc78a Make it so federated tokens are validated on v2.0 cd26ae9 Use freezegun in AssignmentInheritanceTestCase f324506 Only run KvsTokenCacheInvalidation against uuid 3246732 Use freezegun in OSRevokeTests d6ac15c refactor: make TestFetchRevocationList test uuid 05ec032 refactor: make TestAuthExternalDefaultDomain test uuid/pki/pkiz 66f7b09 refactor: make TestAuthKerberos test pki/pkiz/uuid 80b4ffa Add schema validation to create role d0328e3 Replace OpenStack LLC with OpenStack Foundation e9fc581 refactor: inherit AuthWithRemoteUser for other providers 241d33d Run AuthWithToken against all token providers e8cd48f Don't run TokenCacheInvalidation with Fernet 12966b8 Refactor TestAuthExternalDomain to not inherit tests 6bcc03f Use freezegun to increment clock in test_v3_assignment 4adf01b Add schema for enabling a user 0b49d43 Fix up the api-ref request/response parameters for projects 0f13aed `password` is not required for updating a user 002de1b Clarify V2 API for enabling or disabling user 0e6752b Removed duplicate parameter in v2-admin api-ref e183c14 Fix the errors in params in api-ref for V3 region 14018e9 Fix the errors in params in api-ref for V3 user 53bb53a Added cache for id mapping manager b679f2b Updated from global requirements 3223360 Add Python 3.5 classifier 05b5dfe Handle Py35 fix of ast.node.col_offset bug 2293342 deprecate a few more LDAP config options e8eeb43 Clean up api-ref for domains 059f353 keystone-manage doctor 7f7cfe7 v2 api: add APIs for setting a user's password 74a8e5b Update os-inherit API reference b61b1c5 Updated from global requirements 72e6196 Run AuthTokenTests against fernet and uuid 7646e21 Use freezegun to increment the clock in test_v3_filters 29624d4 Prevent error when duplicate mapping is created 9df02bf Fix the wrong check condition e4c30cb Clean up the api-ref for groups 809a39a Updated from global requirements 20259d1 Improve introdcution to api-ref projects 53b5b99 Migrate OS-FEDERATION from specs repo 96852a0 v2 api: remove APIs for global roles e6da0ba v2 api: group and order the v2-ext APIs 05fb9cc v2 api: remove duplicated delete user API eb27807 v2 api: add missing /roles in role CRUD APIs 139dc8d v2 api: list user roles is defined twice b135c27 v2 api: add OS-KSADM to service API routes e00c89e v2 api: add tenant APIs 50c64f9 v2 api: delete user is defined twice 1963093 v2 api: change update user cab514d v2 api: correct user list 9c4ac4e Update Identity endpoint in v2 samples 0223d9a Fix up numerous errors in params in api-ref for roles 4979fbc Fix up the api-ref for role query paramaters 2042c95 Fix the username value in federated tokens 22ab8a8 Improve readability of the api-ref roles section a6c7763 Use constraints for coverage job 64fbbed clean up OAUTH API 534f57d Add relationship links to OAUTH APIs caa3a91 Remove `name` property from `endpoint` create/update API 5d42b3e Add v2.0 /endpoints/ api-ref 3c47ba4 Update identity endpoint in v3 and v3-ext samples 4a0970d Pass request to v2 token authenticate e39486a Remove unused context from AuthInfo 6ac478c Correct normal response codes for v2.0 extensions 21d8686 Improve user experience involving token flush 8517caa Add "v2 overview" docs to APIs 5fbb377 add OS-OAUTH1/authorize/{request_token_id} API ab252d5 Move OS-INHERIT api-ref from extensions to core db6a738 re-order the oauth APIs d8606ee Copy the preamble / summary of OAuth1 from the specs repo 985bcf0 Correct normal response codes in trust documentation caa7faf Add OS-EP-FILTER to api-ref 5d90bfa PCI-DSS Password strength requirements f8231b8 Variables in URL path should be required d23bfc0 Remove get_trust_id_for_request function b75562c Pass request to normalize_domain_id d1d72c3 Remove a validate_token_bind call b3e065e Remove get_user_id in trust controller 813536b Cleanup trusts controller c92f2d5 Trivial spacing and comma corrections 8a56b19 Add OS-KSCRUD api-ref 36394a6 Disable warnerrors in setup.cfg temporarily cd9fb2a Add is_domain to project example responses 003c68b Add is_domain to scope token response examples f48ab4f Improve keystone.conf [security_compliance] documentation 84aec99 Improve keystone.conf [signing] documentation 2f99a0b Correct normal response codes in OS-INHERIT docs db25452 Fix python{3,}-all-dev depends in deb based 0b15eea Correct normal status codes for v2.0 admin docs e5e8c55 Improve keystone.conf [shadow_users] documentation 7f869c2 Correct normal response codes for region docs 179f0fd Correct normal response codes for auth docs cab0b50 Correct normal response codes for credential docs f808dfa Correct normal response codes for project docs 08c6847 Correct normal response codes for policy docs f51b06a Correct normal response codes for v2.0 versions doc edc2cc1 Correct normal response codes in v2.0 versions doc b87b8f7 Correct normal response codes in v2.0 tenant docs a216ee3 Use URIOpt instead of StrOpt for SAML config ac3f9da Correct normal response codes for role docs c36fa2c Correct normal response codes in v2.0 token docs efcbc62 Correct normal response codes in service catalog doc 3c1cfac Correct normal response codes in oauth docs 7acd8d0 Correct normal response codes in v2.0 admin user docs b6c24de Improve keystone.conf [token] documentation 80df383 Correct normal response codes in endpoint policy docs 459dd8b Validate SAML keyfile & certfile options 88e26fd Improve keystone.conf [tokenless_auth] documentation 4876106 Complete OS-TRUST API documentation 5137b7e Fixes response codes in endpoint policy api-ref 1c3d1e9 List 20X status codes as Normal in domain docs f2911cb Improve the API documentation for groups 863b9da Create APIs for OS-REVOKE d90281e Clean up token binding validation code f20e6eb Reorder request params in endpoint policy api-ref 88b9b13 Adds missing parameter to endpoint policy api-ref 2e3e241 Adds missing docs to endpoint policy api-ref c29d65b Reorders API calls to match precedence rules dfac754 Improve keystone.conf [saml] documentation 9dc21e8 Handle more auth information via context 1d7c96d Require auth_context middleware in the pipeline 8a5a414 Updated from global requirements acf907b Improve keystone.conf [trust] documentation a288d5c5 Improve keystone.conf [role] documentation a88ee4f Improve keystone.conf [ldap] documentation 694ab49 Improve keystone.conf [os_inherit] documentation 70532b2 Improve keystone.conf [revoke] documentation 5cbb909 Improve keystone.conf [resource] documentation 511a860 Move logic for catalog driver differences to manager db7de89 Minor docstring cleanup for domain_id mapping 28688d1 Remove unnecessary stable attribute value for status 633532d Updated from global requirements a5c5f5b Mark the domain config via API as stable 172e8c5 Remove validated decorator 8ff6b0e Move request validation inline 81c9ddc Invalidate token cache on domain disablement abdc723 Isolate token caching into its own region 82c7b8b Doc update on enabled external auth and federation b278f03 keystone recommend deprecated memcache backend 187490f Use request object in policy enforcement e4ed9a4 Use the context's is_admin property 2ceeb92 Add the oslo_context to the environment and request af0b966 Use http_client constants instead of hardcoding b577af9 Increase test coverage for token APIs 88de82e Ensure status code is always passed as int d53db18 Fix fernet token validate for disabled domains/trusts 9f5ed12 Doc update for moving abstract base classes out of core e504e8a Fix _populate_token_dates method signature 5f1eae1 Move the trust abstract base class out of core 093f2c2 Move the credential abstract base class out of core 5d707d5 Move the auth plugins abstract base class out of core a7f059f Expose bug with Fernet tokens and trusts 8645d57 Remove last parts of query_string from context 3a19aa5 Remove get_auth_context 5f7377f Correct reraising of exception 3dd1750 Pass request to build_driver_hints b958a5f Remove headers from context f5b3296 Use request.environ through auth and federation a624c9f Remove accept_header from context 08096a3 Fixed a Typo 6ad13d1 Docs: Fix the query params in role_assignments example e37db54 [doc/api]Remove space within word 6e6230f Remove unused LOG b66693e Make assert_admin work with a request ebccd23 Add missing preamble for v3 and v3-ext e55dfe4 move OAUTH1 API to extensions 4f18372 generate separate index files for each api-ref 11d6b32 Migrate identity /v2-admin docs from api-ref repo e7fc093 Use request instead of context in v2 auth 8232f4f Handle catalog backends that don't support all functions. b425379 Refactoring: remove the duplicate method 25e5227 Return `revoked_at` for list revoke events 4bbb151 Use skip_test_overrides everywhere we feature skip d122e9b Improve keystone.conf [fernet_tokens] documentation 85be70c Improve keystone.conf [catalog] documentation c987d4d Refactor: [ldap] suffix should not be an instance attribute f4e9489 Grammar fix: will -> can cd343ef Fixes hacking's handling of log hints fc4e3f5 Improve keystone.conf [paste_deploy] documentation f93dc19 Improve keystone.conf [kvs] documentation a6c6271 Improve keystone.conf [identity] documentation bcbc43e Improve keystone.conf [endpoint_filter] documentation e5347b6 Improve keystone.conf [oauth1] documentation 7df92f7 Verify domain_id when get_domain is being called 960ef1e Updated from global requirements 67a50b5 Include doc directory in pep8 checks 81a1cd7 Do not register options on import 70a06c8 Improve keystone.conf [policy] documentation ddd21de Improve keystone.conf [memcache] documentation a59aa8b Use min to avoid checking < 1 max fernet keys 2917c4d Improve keystone.conf [identity_mapping] documentation cc05f80 Improve keystone.conf [federation] documentation 97e15b7 Updated tests that claimed to be blocked by bugs 4d87d58 Use skip_test_overrides in test_backend_ldap 6c6484f Adds a skip method to identify useless skips d18bb02 Update the nosetests test regex for legacy tests 1b0a553 update a config option deprecation message 70f275c Improve keystone.conf [eventlet_server] documentation 32ab235 Improve keystone.conf [endpoint_policy] documentation dbbf061 Improve keystone.conf [credential] documentation 34736ec Improve keystone.conf [domain_config] documentation e104838 Rename [DEFAULT] keystone.conf module to keystone.conf.default 4eb93c0 Improve keystone.conf [DEFAULT] documentation 61d896f Remove test_backend_ldap skips for missing tests 40bb21b Removes duplicate ldap test setup 56dd227 Extracted common ldap setup and use in the filter tests 40c67ae Reduce domain specific config setup duplication 4db7651 API Change Tutorial doc code modify 54328aa Update other-requirements for Xenial eed233c Concrete role assignments for federated users e3a5b61 PCI-DSS Disable inactive users requirements 038c0e3 Migrate identity /v3-ext docs from api-ref repo 1ee8252 Migrate identity /v2-ext docs from api-ref repo 3bfb08e Migrate identity /v2 docs from api-ref repo ef70f52 Use request.params instead of context['query_string'] 9c460e2 Config: no need to set default=None ba1a07f Do not spam the log with uncritical stacktraces 71be9f5 Improve keystone.conf [auth] documentation 4187ae1 Improve keystone.conf [assignment] documentation 0651a23 Group test_backend_ldap skips for readability e03cfcd Adds a backend test fixture c524254 Remove unused test code 4ab4265 Moves auth plugin test setup closer to its use 2641a40 Add security_compliance group back to config 7b809fb Fix nits related to the new keystone.conf package e04c561 Fixes failure when password is null 5dfa16a Allow auth plugins to be setup more than once dc81d28 Removes outdate comment from a test d9c6b50 Replace keystone.common.config with keystone.conf package 113b00d Updated from global requirements 3f78996 Fix a few spelling mistakes c990ec5 Allow user to get themself and their domain 498ea91 PCI-DSS Password SQL model changes 2410ff0 Fix argument order for assertEqual to (expected, observed) d0de3f5 Use the ldap fixture to simplify tests cc4de19 Change the remaining conf setup to use the fixture 6872f85 Reduce setup overhead in auth_plugin tests 6a9a9f0 /services?name=<name> API fails when using list_limit 2787e2f Updated from global requirements 48ccf75 Make sure to use InnoDB as the DB engine e8d980d Remove TestAuth 3d51061 Move last few TestAuth tests to TokenAPITests 4d0a7f1 Move external auth and bind test to TokenAPITests 38fc7f4 Refactor test_validate_v2_scoped_token_with_v3_api 29557cb Remove test_validate_v2_unscoped_token_with_v3_api 005f887 Move more project scoped token behavior to TokenAPITests 89d5135 Validate impersonation in trust redelegation 8c2412a Correct domain_id and name constraint dropping 76e9209 Integration tests cleanup 8b5c095 Use http_proxy_to_wsgi from oslo.middleware 23936d3 Use request object in auth plugins 9c395cf Move cross domain/group/project auth tests ca0b99a Move negative token tests to TokenAPITests 7b2b21f Move unscoped token test to TokenAPITests 3814111 Move negative domain scope test to TokenAPITests d941ccd Consolidate domain token tests into TokenAPITests 46efe4b Move more project scoped behavior tests to TokenAPITests 694b930 Move project scoped catalog tests to TokenAPITests e8a3d9c Update driver versioning documentation b04da90 Move project scoped tests to TokenAPITests 129ad39 Move TestAuth unscoped token tests to TokenAPITests a00d703 Add cache invalidation for service providers dae2e92 Updated from global requirements 248f027 Add 'links' to implied roles response 3ff204a Updated from global requirements 907ee2d fix ldap delete_user group member cleanup c3baa83 exception sensitive cache/audit changes 380514b Fix TOTP transient test failure 4b9384d Change LocalUser sql model to eager loading a272c8b Shadow LDAP and custom driver users d7849bd Refactor shadow users 7a4cbc4 Fix ValidationError exception name in docstring e66ea23 Add docstring to delete_project 03091c8 Updated from global requirements 9c89e07 Revert to caching fernet tokens the same way we do UUID 1c0e59d Honor ldap_filter on filtered group list da6ea7e Pass a request to controllers instead of a context 6bc084d Update the keystone-manage man page options 05f35bf clean up test_resource_uuid fde57f6 Return 404 instead of 401 for tokens w/o roles 4bba482 Updating sample configuration file 4db2047 Revert "Install necessary files in etc/" d03ed96 Keystone uwsgi performance tuning fc7666f Add caching config for federation d205900 Updated from global requirements 346e7f2 Updating sample configuration file 1ed56a3 Updating sample configuration file d6b016d Bootstrap: enable and reset password for existing users 81e5d8e PEP257: Ignore D203 because it was deprecated 54da44b Cache service providers on token validation 510f00f Refactor revoke_model to remove circular dependency b2ee4a2 Update man page for Newton release 671cb9c Move stray notification options into config module 5c87422 Adding role assignment lists unit tests b7b4aaa Add protocols integration tests 28f7788 Add mapping rules integration tests 23c23fc Add service providers integration tests 1548fcf Imported Translations from Zanata a0bd19a Updated from global requirements 7f3725f Simplify & fix configuration file copy in setup.cfg f99552a Config settings to support PCI-DSS b4bfc54 Fix credentials_factory method call 9e7f24c Allow domain admins to list users in groups with v3 policy 9f4943c Updating sample configuration file ae8cdbf Updated from global requirements 322a744 Honor ldap_filter on filtered user list 5486f0a Install necessary files in etc/ 75abc21 Replace revoke tree with linear search 9a5395f Migrate identity /v3 docs from api-ref repo 991979e Updated from global requirements e386e84 Add new functionality to @wip 3965fbe remove deprecated revoke_by_expiration function d5cca09 Isolate common ldap code to the identity backend cbe0a1e Updated from global requirements 94391a3 Remove helper script for py34 e26b806 Include project_id in the validation error on default project is domain 4025cb6 Add python 3 release note. a0dc2f2 Add comment to test case helper function a12c254 Add Python 3 classification. ee0a294 Py3 oauth tests 68473b2 Enable py3 tests for test_v3_auth 8a7133f make sure default_project_id is not domain on user creation and update 16d0cdb Let setup.py compile_catalog process all language files 293c891 Fix broken link of federation docs ba3dd94 Add new line in keystone/common/request.py fb3bc6c Move identity.backends.sql model code to sql_model.py d87a098 Add .mo files to MANIFEST.in fcd6644 Replace context building with a request object e8f6584 Enable py3 testing for Fernet token provider e518535 Enable py3 for credential tests 363920b reorganize mitaka release notes 465c3e4 enable ldap tests for py3 7463a0c Updated from global requirements fe3b4c0 Add the validation rules when create token f6fdda6 Use PyLDAP instead of python-ldap 80d7bee Fix config path for running wsgi in developer mode 47529d0 Move the revoke abstract base class out of core d6dd7e1 Updated from global requirements 97eec19 Port test_v2 unit test to Python 3 a9d2daa Move the oauth1 abstract base class out of core 978faba Drop the (unused) domain table e61e4da Don't set None for ldap.OPT_X_TLS_CACERTFILE de2f2b0 Add API Change Tutorial 108310b Deprecate keystone.common.kvs d84195b Updating sample configuration file c1d0959 Add is_domain in token response d03aeff Switch to use `new_domain_ref` for testcases bdeee9c Move the assignment abstract base class out of core 8d90866 Add identity providers integration tests f6ac066 Update documentation to remove keystone-all 7c3497c Updating sample configuration file cb4c2b1 Updated from global requirements 7539942 replace logging with oslo.log 86d037f Move the federation abstract base class out of core 88713cc Separate protocol schema b85e2a2 Updated from global requirements 2963dc1 Move the catalog abstract base class and common code out of core a9d79e0 Enhance federation group mapping validation 09d13cf Add mapping validation tests 70b7986 Fixes example in the mapping combinations docs 2183b47 do not search file on real environment 7567c5e Allow 'domain' property for local.group bfcbb3c Add conflict validation for idp update ed634e8 Always add is_admin_project if admin project defined 971ba5f Make keystone exit when fernet keys don't exist 0d37602 Fix fernet audit ids for v2.0 7be1ede Revert "Revert "Unit test for checking cross-version migrations compatibility"" 36da34f Make all fixture project_ids into uuids ce574c3 Fixing D105, D203, and D205 PEP257 8eb7960 Remove test_invalid_policy_raises_error ade1308 switch to tempest instead of deprecated tempest-lib d1591b5 Move the resource abstract base class out of core cafbe1b Correct RST syntax for a code block 92ece11 Restructure policy abstract driver f2b71ab Updated from global requirements 37afc8e Add test for authentication when project and domain name clash 5cd8356 Fix doc build if git is absent a4a2ab6 Restructure endpoint policy abstract driver cfb983a Clean up test_receive_identityId 47e7acf Fix typos 61ae6d7 Fixes incorrect deprecation warning for IdentityDriverV8 6d8c504 Add other-requirements.txt 2c4f948 Fix D400 PEP257 5962c2c Imported Translations from Zanata 3c4fe62 Updating sample configuration file c7cb72b Customize config file location when run as wsgi app. 40ed477 Updated from global requirements b6cab8b Updating sample configuration file a607ccc Updated from global requirements a596865 Bump the required tox version to 2.3.1 8e2e80c Add set_config_defaults() call to tests 8851966 update deprecation warning for falling back to default domain 08dc3ce Tests clean up global ldap settings 3956163 Define identity interface - easy cases ee2da37 add missing deprecation reason for eventlet option 3588402 Remove comments mentioning eventlet 20b851b Remove support for generating ssl certs e380a3c Updating sample configuration file ac03941 Remove eventlet support cec8bbb Default caching to on for request-local caching. e641f79 Typo in sysctl command example Edit c08884d Typo fix in tests 32203d4 Add logging to cli if keystone.conf is not found 2535f22 Fix post jobs 4e0fdfa Refactor domain config upload db7bdf9 Keystone jobs should honor upper-constraints.txt e23ef5b Fix confusing naming in ldap EnableEmuMixin. c382857 Updating sample configuration file d8084e3 Deprecation reason for domain_id_immutable a1cb55b Test list project hierarchy is correct for a large tree aabc213 Fix D401 PEP8 violation. 3306dc2 OSprofiler release notes 99e74ad Updating sample configuration file f309a7a Updated from global requirements 3ff7f13 Add keystone service ID to observer audit e082c72 group federated identity docs together abce49b Change Role/Region to role/region in keystone-manage bootstrap f7c4e96 Use mockpatch fixtures from fixtures 9b9bc77 Set the values for the request_local_cache 324f4b5 Add missing backslash to keystone-manage bootstrap command in documentation cd3ef89 fix typo c1be688 Fix KeyError when rename to a name is already in use ff9e257 Improve project name conflict message 2995748 Imported Translations from Zanata 14e1ae2 Updating sample configuration file b316b14 Dev doc update for moving abstract base classes out of core 4872f9a Simplify chained comparison 840a714 Update the description of the role driver option 639e36a Integrate OSprofiler in Keystone f0000bf Update the Administrator guide link 744aed7 Clean up test case for shadow users 562b81d Fixes bug where the updated federated display_name is not returned be55871 Make AuthContext depend on auth_token middleware 3eaea2f Fix totp test fails randomly 3e5fca0 Update federated user display name with shadow_users_api 7ad4f87 Update federated user display name with shadow_users_api 4a8023a Remove comment from D202 rule 5107da7 Remove backend interface and common code out of identity.core 8b7bfb4 Use messaging notifications transport instead of default 6dd8e61 Run federation tests under Python 3 8ab2a19 Bandit test results 7f42e1d create a new `advanced topics` section in the docs dba04cd Correct `role_name` constraint dropping 9e81843 Correct `role_name` constraint dropping 088393d Base for keystone tempest plugin 96c9da2 Random project should return positive numbers cf1fd9d Imported Translations from Zanata 815a924 Improve error message for schema validation c4b08ed Imported Translations from Zanata f5a0e2f The name can be just white character except project and user d5bbc6e Fix typos in Keystone files 9a92c47 Add `patch_cover` to keystone dd38543 Fix keystone-manage config file path 93aff6e Cleanup LDAP models 685116d Correct test to support changing N release name 4625557 Correct _populate_default_domain in tests aa53ad9 Imported Translations from Zanata c78e8f4 Removing redundant words ae068b1 Imported Translations from Zanata 8556437 Correct test to support changing N release name 139f892 Fix keystone-manage config file path 5f45541 Opportunistic testing with different DBs 3bf13c1 Correct test_implied_roles_fk_on_delete_cascade 379e369 Fix table row counting SQL for MySQL and Postgresql 92749e4 Switch migration tests to oslo.db DbTestCase 1f675cf Correct test_migrate_data_to_local_user_and_password_tables dadf12a Fix test_add_int_pkey_to_revocation_event_table for MySQL 8177acd Imported Translations from Zanata 1d087af Implement HEAD method for all v3 GET actions 771eeb3 Avoid name repetition in equality comparisons d14fba6 Simplify repetitive unequal checks e4c8600 Imported Translations from Zanata 1ed8d3a Add test for domains list filtering and limiting 02817c5 Imported Translations from Zanata 00bfbb9 remove endpoint_policy from contrib 6088320 Moved name formatting (clean) out of the driver 6bd2da1 Add py3 debugging ff01c0e Add release note for list_limit support 1041d33 Add release note for list_limit support be0aeed Cleanup migration tests f7197c7 Imported Translations from Zanata 9e9dc6a Imported Translations from Zanata f7983d4 Update dev docs and sample script for v3/bootstrap b4e8584 add placeholder migrations for mitaka 85590e6 Enables the notification tests in py3 50ffcbf Update reno for stable/mitaka 9692d40 Update .gitreview for stable/mitaka 691d497 Move region configuration to a critical section 8ce8c99 Make modifications to domain config atomic 6a3c21c Expose not clearing of user default project on project delete Diffstat (except docs and test files) ------------------------------------- .gitignore | 1 + .gitreview | 1 + MANIFEST.in | 2 +- api-ref/source/conf.py | 220 + api-ref/source/index.rst | 27 + api-ref/source/v2-admin/admin-endpoints.inc | 78 + .../v2-admin/admin-endpoints_parameters.yaml | 71 + api-ref/source/v2-admin/admin-tenants.inc | 268 + api-ref/source/v2-admin/admin-tokens.inc | 167 + api-ref/source/v2-admin/admin-users.inc | 229 + api-ref/source/v2-admin/admin-versions.inc | 29 + api-ref/source/v2-admin/index.rst | 13 + api-ref/source/v2-admin/parameters.yaml | 287 + .../samples/admin/endpoint-create-request.json | 9 + .../samples/admin/endpoint-create-response.json | 9 + .../samples/admin/endpoint-list-response.json | 18 + .../samples/admin/roles-list-response.json | 10 + .../samples/admin/tenant-show-response.json | 8 + .../samples/admin/tenant-update-request.json | 8 + .../admin/tenantwithoutid-create-request.json | 7 + .../admin/token-endpoints-list-response.json | 122 + .../samples/admin/token-validate-response.json | 28 + .../samples/admin/user-create-request.json | 9 + .../v2-admin/samples/admin/user-show-response.json | 9 + .../samples/admin/user-update-request.json | 6 + .../samples/admin/user-update-response.json | 10 + .../samples/admin/users-list-response.json | 19 + api-ref/source/v2-ext/index.rst | 11 + api-ref/source/v2-ext/ksadm-admin.inc | 441 ++ api-ref/source/v2-ext/kscrud.inc | 26 + api-ref/source/v2-ext/ksec2-admin.inc | 122 + api-ref/source/v2-ext/parameters.yaml | 195 + .../OS-KSADM/credentials-show-response.json | 11 + .../samples/OS-KSADM/role-create-request.json | 7 + .../samples/OS-KSADM/role-show-response.json | 7 + .../samples/OS-KSADM/roles-list-response.json | 10 + .../samples/OS-KSADM/service-create-request.json | 8 + .../samples/OS-KSADM/service-show-response.json | 8 + .../samples/OS-KSADM/services-list-response.json | 17 + .../samples/OS-KSADM/user-set-enabled-request.json | 5 + .../OS-KSADM/user-set-password-request.json | 5 + .../samples/OS-KSADM/user-show-response.json | 10 + .../OS-KSADM/user-update-tenant-request.json | 5 + .../OS-KSEC2/credentialswithec2-list-response.json | 18 + .../OS-KSEC2/ec2Credentials-create-request.json | 7 + .../OS-KSEC2/ec2Credentials-show-response.json | 7 + api-ref/source/v2/identity-api-extensions.inc | 70 + api-ref/source/v2/identity-auth.inc | 122 + api-ref/source/v2/index.rst | 12 + api-ref/source/v2/overview.inc | 272 + api-ref/source/v2/parameters.yaml | 256 + .../samples/admin/UserUpdatePasswordRequest.json | 6 + .../admin/authenticate-credentials-request.json | 9 + .../v2/samples/admin/authenticate-response.json | 184 + .../samples/admin/authenticate-token-request.json | 8 + .../v2/samples/admin/extension-show-response.json | 16 + .../v2/samples/admin/extensions-list-response.json | 118 + .../v2/samples/admin/tenants-list-request-JSON.txt | 5 + .../v2/samples/admin/tenants-list-response.json | 17 + .../v2/samples/admin/user-create-response.json | 10 + .../v2/samples/admin/user-update-response.json | 9 + .../v2/samples/admin/users-list-response.json | 88 + .../v2/samples/admin/version-show-response.json | 24 + .../v2/samples/admin/versions-list-response.json | 45 + .../client/authenticate-credentials-request.json | 9 + .../v2/samples/client/authenticate-response.json | 184 + api-ref/source/v2/versions.inc | 39 + api-ref/source/v3-ext/endpoint-policy.inc | 348 ++ api-ref/source/v3-ext/ep-filter.inc | 524 ++ api-ref/source/v3-ext/federation.inc | 309 + .../v3-ext/federation/assertion/assertion.inc | 134 + .../v3-ext/federation/assertion/parameters.yaml | 35 + .../samples/ecp-saml-assertion-request.json | 17 + .../samples/ecp-saml-assertion-response.xml | 82 + .../assertion/samples/metadata-response.xml | 29 + .../assertion/samples/saml-assertion-request.json | 17 + .../assertion/samples/saml-assertion-response.xml | 69 + api-ref/source/v3-ext/federation/auth/auth.inc | 127 + .../source/v3-ext/federation/auth/parameters.yaml | 43 + .../auth/samples/scoped-token-request.json | 17 + .../auth/samples/scoped-token-response.json | 71 + .../auth/samples/unscoped-token-response.json | 22 + .../v3-ext/federation/identity-provider/idp.inc | 331 ++ .../federation/identity-provider/parameters.yaml | 97 + .../samples/add-protocol-request.json | 5 + .../samples/add-protocol-response.json | 10 + .../samples/get-protocol-response.json | 10 + .../identity-provider/samples/get-response.json | 12 + .../samples/list-protocol-response.json | 17 + .../identity-provider/samples/list-response.json | 29 + .../samples/register-request.json | 7 + .../samples/register-response.json | 12 + .../samples/update-protocol-request.json | 5 + .../samples/update-protocol-response.json | 10 + .../identity-provider/samples/update-request.json | 6 + .../identity-provider/samples/update-response.json | 12 + .../source/v3-ext/federation/mapping/mapping.inc | 151 + .../v3-ext/federation/mapping/parameters.yaml | 49 + .../federation/mapping/samples/create-request.json | 32 + .../mapping/samples/create-response.json | 36 + .../federation/mapping/samples/get-response.json | 36 + .../federation/mapping/samples/list-response.json | 43 + .../federation/mapping/samples/update-request.json | 32 + .../mapping/samples/update-response.json | 36 + .../federation/projects-domains/parameters.yaml | 35 + .../projects-domains/projects-domains.inc | 67 + .../samples/domain-list-response.json | 18 + .../samples/project-list-response.json | 27 + .../federation/service-provider/parameters.yaml | 77 + .../service-provider/samples/get-response.json | 13 + .../service-provider/samples/list-response.json | 31 + .../service-provider/samples/register-request.json | 8 + .../samples/register-response.json | 13 + .../service-provider/samples/update-request.json | 8 + .../service-provider/samples/update-response.json | 13 + .../v3-ext/federation/service-provider/sp.inc | 173 + api-ref/source/v3-ext/index.rst | 23 + api-ref/source/v3-ext/oauth.inc | 468 ++ api-ref/source/v3-ext/parameters.yaml | 550 ++ api-ref/source/v3-ext/revoke.inc | 75 + ...policy-endpoint-associations-list-response.json | 29 + .../OS-ENDPOINT-POLICY/policy-show-response.json | 14 + .../create-endpoint-group-request.json | 10 + .../OS-EP-FILTER/endpoint-group-response.json | 14 + .../OS-EP-FILTER/endpoint-groups-response.json | 36 + .../OS-EP-FILTER/endpoint-project-response.json | 12 + .../OS-EP-FILTER/get-projects-response.json | 29 + .../OS-EP-FILTER/list-endpoints-response.json | 29 + .../OS-EP-FILTER/list-service-endpoints.json | 45 + .../OS-OAUTH1/access-token-create-response.txt | 1 + .../OS-OAUTH1/access-token-show-response.json | 13 + .../OS-OAUTH1/access-tokens-list-response.json | 20 + .../OS-OAUTH1/authorize-request-token-request.json | 10 + .../authorize-request-token-response.json | 5 + .../samples/OS-OAUTH1/consumer-create-request.json | 5 + .../OS-OAUTH1/consumer-create-response.json | 10 + .../samples/OS-OAUTH1/consumer-show-response.json | 9 + .../samples/OS-OAUTH1/consumer-update-request.json | 5 + .../OS-OAUTH1/consumer-update-response.json | 9 + .../samples/OS-OAUTH1/consumers-list-response.json | 22 + .../OS-OAUTH1/request-token-create-response.txt | 1 + .../samples/OS-REVOKE/list-revoke-response.json | 22 + .../OS-TRUST/trust-auth-redelegated-response.json | 45 + .../samples/OS-TRUST/trust-auth-request.json | 17 + .../OS-TRUST/trust-auth-trust-response.json | 43 + .../samples/OS-TRUST/trust-create-request.json | 15 + .../samples/OS-TRUST/trust-create-response.json | 29 + .../samples/OS-TRUST/trust-get-response.json | 27 + .../trust-get-role-delegated-response.json | 9 + .../samples/OS-TRUST/trust-list-response.json | 25 + .../trust-list-roles-delegated-response.json | 18 + api-ref/source/v3-ext/trust.inc | 382 ++ api-ref/source/v3/authenticate-v3.inc | 603 ++ api-ref/source/v3/credentials.inc | 225 + api-ref/source/v3/domains-config-v3.inc | 559 ++ api-ref/source/v3/domains.inc | 224 + api-ref/source/v3/groups.inc | 313 + api-ref/source/v3/index.rst | 54 + api-ref/source/v3/inherit.inc | 508 ++ api-ref/source/v3/parameters.yaml | 1698 ++++++ api-ref/source/v3/policies.inc | 218 + api-ref/source/v3/projects.inc | 311 + api-ref/source/v3/regions-v3.inc | 227 + api-ref/source/v3/roles.inc | 922 +++ .../auth-password-explicit-unscoped-request.json | 16 + .../auth-password-explicit-unscoped-response.json | 21 + .../auth-password-project-scoped-request.json | 20 + .../auth-password-project-scoped-response.json | 402 ++ ...auth-password-unscoped-request-with-domain.json | 18 + .../admin/auth-password-unscoped-request.json | 15 + .../admin/auth-password-unscoped-response.json | 21 + .../auth-password-user-name-unscoped-request.json | 18 + ...h-password-user-name-unscoped-response-HTTP.txt | 8 + .../samples/admin/auth-token-scoped-request.json | 17 + .../samples/admin/auth-token-scoped-response.json | 402 ++ .../samples/admin/auth-token-unscoped-request.json | 12 + .../admin/auth-token-unscoped-response.json | 21 + .../admin/create-role-inferences-response.json | 21 + .../samples/admin/credential-create-request.json | 8 + .../samples/admin/credential-create-response.json | 12 + .../v3/samples/admin/credential-show-response.json | 12 + .../samples/admin/credential-update-request.json | 8 + .../samples/admin/credential-update-response.json | 12 + .../samples/admin/credentials-list-response.json | 109 + .../admin/domain-config-create-request.json | 11 + .../admin/domain-config-create-response.json | 11 + .../admin/domain-config-default-response.json | 13 + .../domain-config-group-default-response.json | 8 + ...omain-config-group-option-default-response.json | 3 + .../domain-config-group-option-show-response.json | 3 + .../domain-config-group-option-update-request.json | 3 + ...domain-config-group-option-update-response.json | 11 + .../admin/domain-config-group-show-response.json | 6 + .../admin/domain-config-group-update-request.json | 8 + .../admin/domain-config-group-update-response.json | 11 + .../samples/admin/domain-config-show-response.json | 11 + .../admin/domain-config-update-request.json | 8 + .../admin/domain-config-update-response.json | 11 + .../v3/samples/admin/domain-create-request.json | 7 + .../v3/samples/admin/domain-create-response.json | 11 + .../admin/domain-group-roles-list-response.json | 23 + .../samples/admin/domain-group-update-request.json | 8 + .../v3/samples/admin/domain-show-response.json | 11 + .../admin/domain-specific-role-create-request.json | 6 + .../v3/samples/admin/domain-update-request.json | 5 + .../v3/samples/admin/domain-update-response.json | 11 + .../admin/domain-user-roles-list-response.json | 23 + .../v3/samples/admin/domains-list-response.json | 27 + .../v3/samples/admin/endpoint-create-request.json | 8 + .../v3/samples/admin/endpoint-create-response.json | 15 + .../v3/samples/admin/endpoint-show-response.json | 14 + .../v3/samples/admin/endpoint-update-request.json | 9 + .../v3/samples/admin/endpoint-update-response.json | 12 + .../v3/samples/admin/endpoints-list-response.json | 333 ++ .../get-available-domain-scopes-response.json | 27 + .../get-available-project-scopes-response.json | 27 + .../admin/get-role-inferences-response.json | 21 + .../admin/get-service-catalog-response.json | 34 + .../v3/samples/admin/group-create-request.json | 7 + .../v3/samples/admin/group-create-response.json | 11 + .../admin/group-roles-domain-list-response.json | 23 + .../samples/admin/group-roles-list-response.json | 23 + .../v3/samples/admin/group-show-response.json | 11 + .../v3/samples/admin/group-update-request.json | 6 + .../v3/samples/admin/group-update-response.json | 11 + .../samples/admin/group-users-list-response.json | 30 + .../v3/samples/admin/groups-list-response.json | 27 + .../samples/admin/identity-version-response.json | 19 + .../samples/admin/identity-versions-response.json | 45 + .../list-implied-roles-for-role-response.json | 30 + .../v3/samples/admin/policies-list-response.json | 37 + .../v3/samples/admin/policy-create-request.json | 8 + .../v3/samples/admin/policy-create-response.json | 12 + .../v3/samples/admin/policy-show-response.json | 16 + .../v3/samples/admin/policy-update-request.json | 12 + .../v3/samples/admin/policy-update-response.json | 16 + .../admin/project-create-domain-request.json | 8 + .../v3/samples/admin/project-create-request.json | 9 + .../v3/samples/admin/project-create-response.json | 14 + .../v3/samples/admin/project-enable-request.json | 5 + .../admin/project-group-roles-list-response.json | 23 + .../admin/project-show-parents-response.json | 26 + .../v3/samples/admin/project-show-response.json | 14 + .../admin/project-show-subtree-response.json | 50 + .../v3/samples/admin/project-update-request.json | 6 + .../v3/samples/admin/project-update-response.json | 14 + .../admin/project-user-roles-list-response.json | 16 + .../v3/samples/admin/projects-list-response.json | 105 + .../v3/samples/admin/region-create-request.json | 7 + .../v3/samples/admin/region-create-response.json | 10 + .../v3/samples/admin/region-show-response.json | 10 + .../v3/samples/admin/region-update-request.json | 5 + .../v3/samples/admin/region-update-response.json | 10 + .../v3/samples/admin/regions-list-response.json | 17 + ...ents-effective-list-include-names-response.json | 60 + .../role-assignments-effective-list-response.json | 42 + .../role-assignments-effective-list-response.txt | 1 + ...-assignments-list-include-subtree-response.json | 42 + .../admin/role-assignments-list-response.json | 41 + .../admin/role-assignments-list-response.txt | 1 + .../v3/samples/admin/role-create-request.json | 5 + .../v3/samples/admin/role-create-response.json | 9 + .../v3/samples/admin/role-inferences-response.json | 57 + .../v3/samples/admin/role-show-response.json | 10 + .../v3/samples/admin/role-update-request.json | 5 + .../v3/samples/admin/role-update-response.json | 10 + .../v3/samples/admin/roles-list-response.json | 51 + .../v3/samples/admin/service-create-request.json | 7 + .../v3/samples/admin/service-create-response.json | 12 + .../v3/samples/admin/service-show-response.json | 12 + .../v3/samples/admin/service-update-request.json | 5 + .../v3/samples/admin/service-update-response.json | 12 + .../v3/samples/admin/services-list-response.json | 99 + .../v3/samples/admin/token-validate-request.txt | 3 + .../v3/samples/admin/user-create-request.json | 9 + .../v3/samples/admin/user-create-response.json | 15 + .../samples/admin/user-groups-list-response.json | 27 + .../admin/user-password-update-request.json | 6 + .../samples/admin/user-projects-list-response.json | 31 + .../admin/user-roles-domain-list-response.json | 23 + .../v3/samples/admin/user-roles-list-response.json | 23 + .../v3/samples/admin/user-show-response.json | 13 + .../v3/samples/admin/user-update-request.json | 6 + .../v3/samples/admin/user-update-response.json | 13 + .../v3/samples/admin/users-list-response.json | 139 + api-ref/source/v3/service-catalog.inc | 521 ++ api-ref/source/v3/status.yaml | 60 + api-ref/source/v3/users.inc | 304 + bindep.txt | 32 + config-generator/keystone.conf | 2 +- etc/keystone-paste.ini | 16 +- etc/keystone.conf.sample | 1954 ++++--- etc/policy.json | 8 +- etc/policy.v3cloudsample.json | 10 +- httpd/keystone-uwsgi-admin.ini | 5 +- httpd/keystone-uwsgi-public.ini | 5 +- keystone/assignment/V8_backends/sql.py | 10 +- keystone/assignment/V8_role_backends/sql.py | 4 +- keystone/assignment/backends/base.py | 400 ++ keystone/assignment/backends/sql.py | 6 +- keystone/assignment/controllers.py | 254 +- keystone/assignment/core.py | 742 +-- keystone/assignment/role_backends/base.py | 267 + keystone/assignment/role_backends/sql.py | 4 +- keystone/assignment/routers.py | 17 +- keystone/assignment/schema.py | 16 + keystone/auth/__init__.py | 1 - keystone/auth/controllers.py | 100 +- keystone/auth/core.py | 86 +- keystone/auth/plugins/base.py | 94 + keystone/auth/plugins/core.py | 8 +- keystone/auth/plugins/external.py | 66 +- keystone/auth/plugins/mapped.py | 53 +- keystone/auth/plugins/oauth1.py | 16 +- keystone/auth/plugins/password.py | 8 +- keystone/auth/plugins/token.py | 18 +- keystone/auth/plugins/totp.py | 14 +- keystone/catalog/backends/base.py | 531 ++ keystone/catalog/backends/sql.py | 18 +- keystone/catalog/backends/templated.py | 22 +- keystone/catalog/controllers.py | 226 +- keystone/catalog/core.py | 615 +- keystone/catalog/schema.py | 33 +- keystone/cmd/all.py | 39 - keystone/cmd/cli.py | 478 +- keystone/cmd/doctor/__init__.py | 77 + keystone/cmd/doctor/caching.py | 35 + keystone/cmd/doctor/credential.py | 73 + keystone/cmd/doctor/database.py | 30 + keystone/cmd/doctor/federation.py | 36 + keystone/cmd/doctor/ldap.py | 52 + keystone/cmd/doctor/security_compliance.py | 64 + keystone/cmd/doctor/tokens.py | 46 + keystone/cmd/doctor/tokens_fernet.py | 51 + keystone/cmd/manage.py | 5 +- keystone/common/authorization.py | 1 + keystone/common/cache/_context_cache.py | 35 +- keystone/common/cache/core.py | 202 +- keystone/common/config.py | 1259 ----- keystone/common/context.py | 54 + keystone/common/controller.py | 205 +- keystone/common/dependency.py | 2 +- keystone/common/driver_hints.py | 4 +- keystone/common/environment/__init__.py | 102 - keystone/common/environment/eventlet_server.py | 212 - keystone/common/fernet_utils.py | 277 + keystone/common/kvs/backends/memcached.py | 4 +- keystone/common/kvs/core.py | 17 +- keystone/common/ldap/__init__.py | 13 +- keystone/common/ldap/core.py | 1947 +------ keystone/common/ldap/models.py | 26 + keystone/common/manager.py | 5 +- keystone/common/models.py | 196 - keystone/common/openssl.py | 56 +- keystone/common/profiler.py | 47 + keystone/common/request.py | 95 + keystone/common/router.py | 4 +- keystone/common/sql/contract_repo/README | 4 + keystone/common/sql/contract_repo/__init__.py | 0 keystone/common/sql/contract_repo/manage.py | 5 + keystone/common/sql/contract_repo/migrate.cfg | 25 + .../001_contract_initial_null_migration.py | 18 + .../002_password_created_at_not_nullable.py | 39 + ...move_unencrypted_blob_column_from_credential.py | 60 + .../versions/004_reset_password_created_at.py | 37 + .../common/sql/contract_repo/versions/__init__.py | 0 keystone/common/sql/core.py | 54 +- keystone/common/sql/data_migration_repo/README | 4 + .../common/sql/data_migration_repo/__init__.py | 0 keystone/common/sql/data_migration_repo/manage.py | 5 + .../common/sql/data_migration_repo/migrate.cfg | 25 + .../versions/001_data_initial_null_migration.py | 18 + .../002_password_created_at_not_nullable.py | 18 + .../003_migrate_unencrypted_credentials.py | 39 + .../versions/004_reset_password_created_at.py | 15 + .../sql/data_migration_repo/versions/__init__.py | 0 keystone/common/sql/expand_repo/README | 4 + keystone/common/sql/expand_repo/__init__.py | 15 + keystone/common/sql/expand_repo/manage.py | 5 + keystone/common/sql/expand_repo/migrate.cfg | 25 + .../versions/001_expand_initial_null_migration.py | 18 + .../002_password_created_at_not_nullable.py | 18 + ...dd_key_hash_and_encrypted_blob_to_credential.py | 129 + .../versions/004_reset_password_created_at.py | 15 + .../common/sql/expand_repo/versions/__init__.py | 15 + .../common/sql/migrate_repo/versions/067_kilo.py | 3 +- .../versions/073_insert_assignment_inherited_pk.py | 2 +- .../versions/082_add_federation_tables.py | 4 +- .../versions/088_domain_specific_roles.py | 31 +- ...grate_data_to_local_user_and_password_tables.py | 22 +- .../versions/094_add_federated_user_table.py | 4 +- .../versions/096_drop_role_name_constraint.py | 50 + .../097_drop_user_name_domainid_constraint.py | 67 + .../sql/migrate_repo/versions/098_placeholder.py | 18 + .../sql/migrate_repo/versions/099_placeholder.py | 18 + .../sql/migrate_repo/versions/100_placeholder.py | 18 + .../versions/101_drop_role_name_constraint.py | 53 + .../migrate_repo/versions/102_drop_domain_table.py | 21 + .../versions/103_add_nonlocal_user_table.py | 32 + .../104_drop_user_name_domainid_constraint.py | 71 + .../versions/105_add_password_date_columns.py | 30 + .../106_allow_password_column_to_be_nullable.py | 21 + .../versions/107_add_user_date_columns.py | 30 + .../versions/108_add_failed_auth_columns.py | 26 + .../109_add_password_self_service_column.py | 24 + keystone/common/sql/migration_helpers.py | 159 +- keystone/common/tokenless_auth.py | 12 +- keystone/common/utils.py | 160 +- keystone/common/validation/__init__.py | 50 +- keystone/common/validation/parameter_types.py | 3 +- keystone/common/validation/validators.py | 40 +- keystone/common/wsgi.py | 217 +- keystone/conf/__init__.py | 186 + keystone/conf/assignment.py | 50 + keystone/conf/auth.py | 99 + keystone/conf/catalog.py | 78 + keystone/conf/constants.py | 30 + keystone/conf/credential.py | 63 + keystone/conf/default.py | 258 + keystone/conf/domain_config.py | 59 + keystone/conf/endpoint_filter.py | 51 + keystone/conf/endpoint_policy.py | 56 + keystone/conf/eventlet_server.py | 95 + keystone/conf/federation.py | 103 + keystone/conf/fernet_tokens.py | 69 + keystone/conf/identity.py | 131 + keystone/conf/identity_mapping.py | 74 + keystone/conf/kvs.py | 76 + keystone/conf/ldap.py | 638 +++ keystone/conf/memcache.py | 96 + keystone/conf/oauth1.py | 62 + keystone/conf/opts.py | 97 + keystone/conf/os_inherit.py | 49 + keystone/conf/paste_deploy.py | 40 + keystone/conf/policy.py | 47 + keystone/conf/resource.py | 114 + keystone/conf/revoke.py | 69 + keystone/conf/role.py | 66 + keystone/conf/saml.py | 193 + keystone/conf/security_compliance.py | 147 + keystone/conf/shadow_users.py | 41 + keystone/conf/signing.py | 134 + keystone/conf/token.py | 192 + keystone/conf/tokenless_auth.py | 68 + keystone/conf/trust.py | 67 + keystone/conf/utils.py | 26 + keystone/contrib/ec2/controllers.py | 74 +- .../endpoint_filter/backends/catalog_sql.py | 8 +- .../endpoint_filter/migrate_repo/__init__.py | 0 .../endpoint_filter/migrate_repo/migrate.cfg | 25 - .../versions/001_add_endpoint_filtering_table.py | 19 - .../versions/002_add_endpoint_groups.py | 19 - .../migrate_repo/versions/__init__.py | 0 keystone/contrib/endpoint_policy/__init__.py | 0 .../contrib/endpoint_policy/backends/__init__.py | 0 keystone/contrib/endpoint_policy/backends/sql.py | 28 - .../endpoint_policy/migrate_repo/__init__.py | 0 .../endpoint_policy/migrate_repo/migrate.cfg | 25 - .../versions/001_add_endpoint_policy_table.py | 19 - .../migrate_repo/versions/__init__.py | 0 keystone/contrib/endpoint_policy/routers.py | 28 - .../contrib/federation/migrate_repo/__init__.py | 0 .../contrib/federation/migrate_repo/migrate.cfg | 25 - .../versions/001_add_identity_provider_table.py | 17 - .../versions/002_add_mapping_tables.py | 17 - .../versions/003_mapping_id_nullable_false.py | 20 - .../versions/004_add_remote_id_column.py | 17 - .../versions/005_add_service_provider_table.py | 17 - .../006_fixup_service_provider_attributes.py | 17 - .../versions/007_add_remote_id_table.py | 17 - .../versions/008_add_relay_state_to_sp.py | 17 - .../federation/migrate_repo/versions/__init__.py | 0 keystone/contrib/oauth1/migrate_repo/__init__.py | 0 keystone/contrib/oauth1/migrate_repo/migrate.cfg | 25 - .../migrate_repo/versions/001_add_oauth_tables.py | 19 - .../versions/002_fix_oauth_tables_fk.py | 19 - .../versions/003_consumer_description_nullalbe.py | 19 - .../versions/004_request_token_roles_nullable.py | 19 - .../migrate_repo/versions/005_consumer_id_index.py | 20 - .../oauth1/migrate_repo/versions/__init__.py | 0 keystone/contrib/revoke/migrate_repo/__init__.py | 0 keystone/contrib/revoke/migrate_repo/migrate.cfg | 25 - .../migrate_repo/versions/001_revoke_table.py | 17 - .../002_add_audit_id_and_chain_to_revoke_table.py | 17 - .../revoke/migrate_repo/versions/__init__.py | 0 keystone/contrib/s3/core.py | 4 +- keystone/credential/__init__.py | 1 + keystone/credential/backends/base.py | 119 + keystone/credential/backends/sql.py | 11 +- keystone/credential/controllers.py | 30 +- keystone/credential/core.py | 207 +- keystone/credential/provider.py | 27 + keystone/credential/providers/__init__.py | 0 keystone/credential/providers/core.py | 38 + keystone/credential/providers/fernet/__init__.py | 13 + keystone/credential/providers/fernet/core.py | 107 + keystone/endpoint_policy/backends/base.py | 186 + keystone/endpoint_policy/backends/sql.py | 2 +- keystone/endpoint_policy/controllers.py | 27 +- keystone/endpoint_policy/core.py | 187 +- keystone/exception.py | 82 +- keystone/federation/V8_backends/sql.py | 39 +- keystone/federation/backends/base.py | 529 ++ keystone/federation/backends/sql.py | 46 +- keystone/federation/controllers.py | 213 +- keystone/federation/core.py | 570 +- keystone/federation/idp.py | 38 +- keystone/federation/routers.py | 4 +- keystone/federation/schema.py | 18 +- keystone/federation/utils.py | 107 +- keystone/identity/backends/base.py | 449 ++ keystone/identity/backends/ldap.py | 425 -- keystone/identity/backends/ldap/__init__.py | 13 + keystone/identity/backends/ldap/common.py | 1951 +++++++ keystone/identity/backends/ldap/core.py | 434 ++ keystone/identity/backends/ldap/models.py | 70 + keystone/identity/backends/sql.py | 340 +- keystone/identity/backends/sql_model.py | 297 + keystone/identity/controllers.py | 188 +- keystone/identity/core.py | 504 +- keystone/identity/generator.py | 4 +- keystone/identity/id_generators/sha256.py | 4 +- keystone/identity/mapping_backends/base.py | 81 + keystone/identity/mapping_backends/sql.py | 21 +- keystone/identity/routers.py | 4 +- keystone/identity/schema.py | 50 +- keystone/identity/shadow_backends/base.py | 115 + keystone/identity/shadow_backends/sql.py | 60 +- .../locale/de/LC_MESSAGES/keystone-log-critical.po | 8 +- keystone/locale/de/LC_MESSAGES/keystone.po | 116 +- .../locale/el/LC_MESSAGES/keystone-log-critical.po | 8 +- .../en_AU/LC_MESSAGES/keystone-log-critical.po | 8 +- .../locale/es/LC_MESSAGES/keystone-log-critical.po | 8 +- keystone/locale/es/LC_MESSAGES/keystone.po | 420 +- .../locale/fr/LC_MESSAGES/keystone-log-critical.po | 8 +- keystone/locale/fr/LC_MESSAGES/keystone.po | 103 +- .../locale/hu/LC_MESSAGES/keystone-log-critical.po | 8 +- .../locale/it/LC_MESSAGES/keystone-log-critical.po | 8 +- keystone/locale/it/LC_MESSAGES/keystone.po | 414 +- .../locale/ja/LC_MESSAGES/keystone-log-critical.po | 8 +- keystone/locale/ja/LC_MESSAGES/keystone.po | 545 +- keystone/locale/keystone-log-critical.pot | 24 - keystone/locale/keystone-log-error.pot | 177 - keystone/locale/keystone-log-info.pot | 238 - keystone/locale/keystone-log-warning.pot | 315 -- keystone/locale/keystone.pot | 1705 ------ .../ko_KR/LC_MESSAGES/keystone-log-critical.po | 8 +- .../locale/ko_KR/LC_MESSAGES/keystone-log-error.po | 140 + .../locale/ko_KR/LC_MESSAGES/keystone-log-info.po | 177 + .../ko_KR/LC_MESSAGES/keystone-log-warning.po | 290 + keystone/locale/ko_KR/LC_MESSAGES/keystone.po | 389 +- .../pl_PL/LC_MESSAGES/keystone-log-critical.po | 8 +- .../pt_BR/LC_MESSAGES/keystone-log-critical.po | 8 +- keystone/locale/pt_BR/LC_MESSAGES/keystone.po | 418 +- .../locale/ru/LC_MESSAGES/keystone-log-critical.po | 8 +- keystone/locale/ru/LC_MESSAGES/keystone.po | 113 +- .../tr_TR/LC_MESSAGES/keystone-log-critical.po | 8 +- .../locale/tr_TR/LC_MESSAGES/keystone-log-error.po | 29 +- .../tr_TR/LC_MESSAGES/keystone-log-warning.po | 32 +- keystone/locale/tr_TR/LC_MESSAGES/keystone.po | 55 +- .../zh_CN/LC_MESSAGES/keystone-log-critical.po | 8 +- .../locale/zh_CN/LC_MESSAGES/keystone-log-error.po | 32 +- keystone/locale/zh_CN/LC_MESSAGES/keystone.po | 164 +- .../zh_TW/LC_MESSAGES/keystone-log-critical.po | 8 +- keystone/locale/zh_TW/LC_MESSAGES/keystone.po | 90 +- keystone/middleware/auth.py | 225 +- keystone/middleware/core.py | 6 +- keystone/models/revoke_model.py | 242 +- keystone/models/token_model.py | 12 +- keystone/notifications.py | 66 +- keystone/oauth1/backends/base.py | 220 + keystone/oauth1/backends/sql.py | 17 +- keystone/oauth1/controllers.py | 133 +- keystone/oauth1/core.py | 218 +- keystone/oauth1/validator.py | 3 +- keystone/policy/backends/base.py | 77 + keystone/policy/backends/rules.py | 14 +- keystone/policy/backends/sql.py | 2 +- keystone/policy/controllers.py | 31 +- keystone/policy/core.py | 73 +- keystone/resource/V8_backends/sql.py | 4 +- keystone/resource/backends/base.py | 632 +++ keystone/resource/backends/sql.py | 31 +- keystone/resource/config_backends/base.py | 155 + keystone/resource/config_backends/sql.py | 60 +- keystone/resource/controllers.py | 158 +- keystone/resource/core.py | 991 +--- keystone/resource/routers.py | 8 +- keystone/resource/schema.py | 49 +- keystone/revoke/backends/base.py | 60 + keystone/revoke/backends/sql.py | 9 +- keystone/revoke/controllers.py | 8 +- keystone/revoke/core.py | 98 +- keystone/server/backends.py | 11 +- keystone/server/common.py | 11 +- keystone/server/eventlet.py | 156 - keystone/server/wsgi.py | 101 +- .../backend/legacy_drivers/federation/V8/api_v3.py | 2 +- .../unit/config_files/backend_postgresql.conf | 4 - .../unit/identity/backends/test_ldap_common.py | 571 ++ .../test_associate_project_endpoint_extension.py | 60 +- keystone/token/_simple_cert.py | 4 +- keystone/token/controllers.py | 76 +- keystone/token/persistence/backends/kvs.py | 30 +- keystone/token/persistence/backends/memcache.py | 4 +- .../token/persistence/backends/memcache_pool.py | 4 +- keystone/token/persistence/backends/sql.py | 12 +- keystone/token/persistence/core.py | 12 +- keystone/token/provider.py | 146 +- keystone/token/providers/common.py | 165 +- keystone/token/providers/fernet/core.py | 41 +- .../token/providers/fernet/token_formatters.py | 31 +- keystone/token/providers/fernet/utils.py | 270 - keystone/token/providers/pki.py | 11 +- keystone/token/providers/pkiz.py | 11 +- keystone/token/providers/uuid.py | 4 +- keystone/token/utils.py | 8 +- keystone/trust/backends/base.py | 72 + keystone/trust/backends/sql.py | 4 +- keystone/trust/controllers.py | 221 +- keystone/trust/core.py | 77 +- keystone/v2_crud/user_crud.py | 16 +- keystone/version/__init__.py | 15 + keystone/version/controllers.py | 61 +- keystone/version/service.py | 6 +- keystone_tempest_plugin/README.rst | 6 + keystone_tempest_plugin/__init__.py | 0 keystone_tempest_plugin/clients.py | 38 + keystone_tempest_plugin/config.py | 27 + keystone_tempest_plugin/plugin.py | 39 + keystone_tempest_plugin/services/__init__.py | 0 .../services/identity/__init__.py | 0 .../services/identity/clients.py | 77 + .../services/identity/v3/__init__.py | 0 .../identity/v3/identity_providers_client.py | 101 + .../services/identity/v3/mapping_rules_client.py | 44 + .../identity/v3/service_providers_client.py | 73 + .../api/identity/v3/test_identity_providers.py | 238 + .../api/identity/v3/test_service_providers.py | 207 + ...pires_at_to_user_response-22f14ab629c48bc2.yaml | 4 + ...p-domain-config-as-stable-716ca5ab33c0cc42.yaml | 12 + .../bp-manage-migration-c398963a943a89fe.yaml | 7 + ...-specific-role-assignment-8f120604a6625852.yaml | 7 + .../notes/bug-1594482-52a5dd1d8477b694.yaml | 8 + ...redential-update-ec2-type-8fb51ff3ad3a449c.yaml | 8 + .../notes/deprecate-v2-apis-894284c17be881d2.yaml | 3 + .../deprecated-as-of-mitaka-8534e43fa40c1d09.yaml | 2 + .../deprecated-as-of-newton-be1d8dbcc6bdc68f.yaml | 7 + ...ew_change_password_method-e8c0e06795bca2d8.yaml | 6 + .../integrate-osprofiler-ad0e16a542b12899.yaml | 12 + .../list_limit-ldap-support-5d31d51466fc49a6.yaml | 6 + .../notes/mapping_populate-521d92445505b8a3.yaml | 13 + ...uth1-headers-content-type-9a9245d9bbec8f8e.yaml | 6 + ...sword-created_at-nullable-b3c284be50d93ef5.yaml | 5 + ...derated_projects_for_user-dcd7bd148efef049.yaml | 7 + .../notes/pre-cache-tokens-73450934918af26b.yaml | 7 + .../notes/python3-support-e4189e0a1a6e2e4f.yaml | 4 + .../removed-as-of-newton-721c06b5dcb1b34a.yaml | 22 + ...ypted_credentials_at_rest-93dcb67b3508e91a.yaml | 14 + .../notes/use-pyldap-6e811c28bf350d6d.yaml | 6 + releasenotes/source/index.rst | 3 +- releasenotes/source/mitaka.rst | 6 + requirements.txt | 36 +- setup.cfg | 34 +- test-requirements.txt | 23 +- tools/cover.sh | 72 + tools/pretty_tox_py3.sh | 12 - tools/sample_data.sh | 115 +- tox.ini | 53 +- 820 files changed, 57086 insertions(+), 24340 deletions(-) Requirements updates -------------------- diff --git a/requirements.txt b/requirements.txt index 8ebcc71..fd007ac 100644 --- a/requirements.txt +++ b/requirements.txt @@ -4,0 +5,4 @@ +# Temporarily add Babel reference to avoid problem +# in keystone-coverage-db CI job +Babel>=2.3.4 # BSD + @@ -7,2 +10,0 @@ WebOb>=1.2.3 # MIT -eventlet!=0.18.3,>=0.18.2 # MIT -greenlet>=0.3.2 # MIT @@ -11,3 +13,3 @@ Paste # MIT -Routes!=2.0,!=2.1,>=1.12.3;python_version=='2.7' # MIT -Routes!=2.0,>=1.12.3;python_version!='2.7' # MIT -cryptography>=1.0 # BSD/Apache-2.0 +Routes!=2.0,!=2.1,!=2.3.0,>=1.12.3;python_version=='2.7' # MIT +Routes!=2.0,!=2.3.0,>=1.12.3;python_version!='2.7' # MIT +cryptography!=1.3.0,>=1.0 # BSD/Apache-2.0 @@ -17 +19 @@ sqlalchemy-migrate>=0.9.6 # Apache-2.0 -stevedore>=1.5.0 # Apache-2.0 +stevedore>=1.16.0 # Apache-2.0 @@ -19,2 +21,2 @@ passlib>=1.6 # BSD -python-keystoneclient!=1.8.0,!=2.1.0,>=1.6.0 # Apache-2.0 -keystonemiddleware!=4.1.0,>=4.0.0 # Apache-2.0 +python-keystoneclient!=2.1.0,>=2.0.0 # Apache-2.0 +keystonemiddleware!=4.1.0,!=4.5.0,>=4.0.0 # Apache-2.0 @@ -22,5 +24,5 @@ oslo.cache>=1.5.0 # Apache-2.0 -oslo.concurrency>=3.5.0 # Apache-2.0 -oslo.config>=3.7.0 # Apache-2.0 -oslo.context>=0.2.0 # Apache-2.0 -oslo.messaging>=4.0.0 # Apache-2.0 -oslo.db>=4.1.0 # Apache-2.0 +oslo.concurrency>=3.8.0 # Apache-2.0 +oslo.config>=3.14.0 # Apache-2.0 +oslo.context>=2.9.0 # Apache-2.0 +oslo.messaging>=5.2.0 # Apache-2.0 +oslo.db!=4.13.1,!=4.13.2,>=4.10.0 # Apache-2.0 @@ -30 +32 @@ oslo.middleware>=3.0.0 # Apache-2.0 -oslo.policy>=0.5.0 # Apache-2.0 +oslo.policy>=1.9.0 # Apache-2.0 @@ -32,2 +34 @@ oslo.serialization>=1.10.0 # Apache-2.0 -oslo.service>=1.0.0 # Apache-2.0 -oslo.utils>=3.5.0 # Apache-2.0 +oslo.utils>=3.16.0 # Apache-2.0 @@ -36 +37 @@ pysaml2<4.0.3,>=2.4.0 # Apache-2.0 -dogpile.cache>=0.5.7 # BSD +dogpile.cache>=0.6.2 # BSD @@ -39,0 +41 @@ msgpack-python>=0.4.0 # Apache-2.0 +osprofiler>=1.4.0 # Apache-2.0 diff --git a/test-requirements.txt b/test-requirements.txt index b79b26a..41e60a7 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -9 +9,5 @@ bashate>=0.2 # Apache-2.0 -os-testr>=0.4.1 # Apache-2.0 +os-testr>=0.7.0 # Apache-2.0 +freezegun # Apache-2.0 + +# Include drivers for opportunistic testing. +oslo.db[fixtures,mysql,postgresql]!=4.13.1,!=4.13.2,>=4.10.0 # Apache-2.0 @@ -14 +18 @@ coverage>=3.6 # Apache-2.0 -fixtures>=1.3.1 # Apache-2.0/BSD +fixtures>=3.0.0 # Apache-2.0/BSD @@ -18 +22 @@ lxml>=2.3 # BSD -mock>=1.2 # BSD +mock>=2.0 # BSD @@ -21 +25,2 @@ oslotest>=1.10.0 # Apache-2.0 -sphinx!=1.2.0,!=1.3b1,<1.3,>=1.1.2 # BSD +sphinx!=1.3b1,<1.3,>=1.2.1 # BSD +os-api-ref>=1.0.0 # Apache-2.0 @@ -25,4 +29,0 @@ WebTest>=2.0 # MIT -# mox was removed in favor of mock. We should not re-enable this module. See -# discussion: http://lists.openstack.org/pipermail/openstack-dev/2013-July/012484.html -#mox>=0.5.3 - @@ -35 +36 @@ oslosphinx!=3.4.0,>=2.5.0 # Apache-2.0 -reno>=0.1.1 # Apache2 +reno>=1.8.0 # Apache2 @@ -37 +38 @@ reno>=0.1.1 # Apache2 -tempest-lib>=0.14.0 # Apache-2.0 +tempest>=12.1.0 # Apache-2.0 @@ -40 +41 @@ tempest-lib>=0.14.0 # Apache-2.0 -requests!=2.9.0,>=2.8.1 # Apache-2.0 +requests>=2.10.0 # Apache-2.0