We jubilantly announce the release of:

keystone 11.0.0: OpenStack Identity

This release is part of the ocata release series.

Download the package from:

    https://tarballs.openstack.org/keystone/

For more details, please see below.

11.0.0
^^^^^^

* The default token provider is now Fernet.

* The PKI and PKIz token formats have been removed. See "Other Notes" for more details.

* Support for writing to LDAP has been removed. See "Other Notes" for more details.

New Features
************

* [blueprint allow-expired (https://blueprints.launchpad.net/keystone/+spec/allow-expired)] An *allow_expired* flag is added to the token validation call ("GET/HEAD /v3/auth/tokens") that allows fetching a token that has expired. This allows for validating tokens in long running operations.

* [blueprint password-expires-validation (https://blueprints.launchpad.net/keystone/+spec/password-expires-validation)] Token responses will now have a "password_expires_at" field in the "user" object; briefly:

      {"token": {"user": {"password_expires_at": null}}}

  If PCI support is enabled, via the "[security_compliance]" configuration options, then the "password_expires_at" field will be populated with a timestamp. Otherwise, it will default to "null", indicating the password does not expire.

* [blueprint pci-dss-notifications (https://blueprints.launchpad.net/keystone/+spec/pci-dss-notifications)] CADF notifications now extend to PCI-DSS events. A "reason" object is added to the notification. A "reason" object has both a "reasonType" (a short description of the reason) and a "reasonCode" (the HTTP return code). The following events will be impacted:

  * If a user does not change their password at least once every X days. See "[security_compliance] password_expires_days".
  * If a user is locked out after many failed authentication attempts. See "[security_compliance] lockout_failure_attempts".
  * If a user submits a new password that was recently used.
    See "[security_compliance] unique_last_password_count".
  * If a password does not meet the specified criteria. See "[security_compliance] password_regex".
  * If a user attempts to change their password too often. See "[security_compliance] minimum_password_age".

  For additional details see: event notifications (https://docs.openstack.org/developer/keystone/event_notifications.html)

* [blueprint pci-dss-password-requirements-api (https://blueprints.launchpad.net/keystone/+spec/pci-dss-password-requirements-api)] Added a new API ("/v3/domains/{domain_id}/config/security_compliance") to retrieve the regular expression requirements for passwords. Specifically, "[security_compliance] password_regex" and "[security_compliance] password_regex_description" will be returned. Note that these options are only meaningful if PCI support is enabled, via the various "[security_compliance]" configuration options.

* [blueprint pci-dss-query-password-expired-users (https://blueprints.launchpad.net/keystone/+spec/pci-dss-query-password-expired-users)] Added a "password_expires_at" query to "/v3/users" and "/v3/groups/{group_id}/users". The "password_expires_at" query consists of two parts, an "operator" (valid choices listed below) and a "timestamp" (of the form "YYYY-MM-DDTHH:mm:ssZ"). The APIs will filter the list of users based on the "operator" and "timestamp" given.

  * lt - password expires before the timestamp
  * lte - password expires at or before the timestamp
  * gt - password expires after the timestamp
  * gte - password expires at or after the timestamp
  * eq - password expires at the timestamp
  * neq - password does not expire at the timestamp

* [blueprint per-user-auth-plugin-reqs (https://blueprints.launchpad.net/keystone/+spec/per-user-auth-plugin-reqs)] Per-user Multi-Factor-Auth rules (MFA Rules) have been implemented. These rules define which auth methods can be used (e.g. Password, TOTP) and provide the ability to require multiple auth forms to successfully get a token.
  The MFA rules are set via the user create and update API ("POST/PATCH /v3/users") call; the options allow an admin to force a user to use specific forms of authentication, or combinations of forms of authentication, to get a token. The rules are specified as follows:

      user["options"]["multi_factor_auth_rules"] = [["password", "totp"], ["password", "custom-auth-method"]]

  The rules are specified as a list of lists. The elements of the sub-lists must be strings and are intended to mirror the required authentication method names (e.g. "password", "totp", etc.) as defined in the "keystone.conf" file in the "[auth] methods" option. Each list of methods specifies a rule. If the auth methods provided by a user match (or exceed) the auth methods in the list, that rule is used. The first rule found that matches will be used (rules are not processed in a specific order).

  If a user has the ruleset defined as "[["password", "totp"]]" the user must provide both the password and totp auth methods (and both methods must succeed) to receive a token. However, if a user has a ruleset defined as "[["password"], ["password", "totp"]]" the user may use the "password" method on its own, but would be required to use both "password" and "totp" if "totp" is specified at all.

  Any auth methods that are not defined in "keystone.conf" in the "[auth] methods" option are ignored when the rules are processed. Empty rules are not allowed. If a rule is empty because no valid auth methods exist within it, the rule is discarded at authentication time. If there are no rules or no valid rules for the user, authentication occurs in the default manner: any single configured auth method is sufficient to receive a token.

  In case a user should be exempt from the MFA Rules, regardless of whether they are set, the User-Option "multi_factor_auth_enabled" may be set to "False" for that user via the user create and update API ("POST/PATCH /v3/users") call.
  If this option is set to "False" the MFA rules will be ignored for the user. Any other value except "False" will result in the MFA Rules being processed; the option can only be a boolean ("True" or "False") or "None" (which results in the default behavior, the same as "True", but the option will no longer be shown in the "user["options"]" dictionary). To mark a user exempt from the MFA Rules:

      user["options"]["multi_factor_auth_enabled"] = False

  The "token" auth method typically should not be specified in any MFA Rules. The "token" auth method will include all previous auth methods for the original auth request and will match the appropriate ruleset. This is intentional, as the "token" method is used for rescoping/changing active projects.

  SECURITY INFO: The MFA rules are only processed when authentication happens through the V3 authentication APIs. If V2 Auth is enabled it is possible to circumvent the MFA rules if the user can authenticate via the V2 Auth API. It is recommended to disable V2 authentication for full enforcement of the MFA rules.

* [blueprint manage-migration (https://blueprints.launchpad.net/keystone/+spec/manage-migration)] The federated identity mapping engine now supports the ability to automatically provision "projects" for "federated users". A role assignment will automatically be created for the user on the specified project. If the project specified within the mapping does not exist, it will be automatically created in the "domain" associated with the "identity provider". This behavior can be triggered using a specific syntax within the "local" rules section of a mapping.
  For more information see: mapping combinations (https://docs.openstack.org/developer/keystone/federation/federated_identity.html#mapping-combinations)

* [blueprint support-federated-attr (https://blueprints.launchpad.net/keystone/+spec/support-federated-attr)] Added new filters to the *list users* API ("GET /v3/users") to support querying federated identity attributes: "idp_id", "protocol_id", and "unique_id".

* [bug 1638603 (https://bugs.launchpad.net/keystone/+bug/1638603)] Add support for nested groups in Active Directory. A new boolean option "[ldap] group_ad_nesting" has been added; it defaults to "False". Enable the option if using Active Directory with nested groups. This option will impact the "list_users_in_group", "list_groups_for_user", and "check_user_in_group" operations.

* [bug 1641645 (https://bugs.launchpad.net/keystone/+bug/1641645)] RBAC protection was removed from the *Self-service change user password* API ("/v3/users/{user_id}/password"), meaning a user can now change their password without a token specified in the "X-Auth-Token" header (the request body must still carry the user's current password as "original_password"). This change will allow a user with an expired password to update their password without the need of an administrator.

* [bug 1641654 (https://bugs.launchpad.net/keystone/+bug/1641654)] The "healthcheck" middleware from *oslo.middleware* has been added to the keystone application pipelines by default. This middleware provides a common method to check the health of keystone. Refer to the example paste provided in "keystone-paste.ini" to see how to include the "healthcheck" middleware.

* [bug 1641816 (https://bugs.launchpad.net/keystone/+bug/1641816)] The "[token] cache_on_issue" option is now enabled by default. This option has no effect unless global caching and token caching are enabled.

* [bug 1642348 (https://bugs.launchpad.net/keystone/+bug/1642348)] Added new option "[security_compliance] lockout_ignored_user_ids" to allow deployers to specify users that are exempt from the PCI lockout rules.
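The "password_expires_at" field and the "password_expires_at=<operator>:<timestamp>" query described in the blueprints above, worked through as an added example (this is example code written for these notes, not keystone's implementation). It assumes a "password_created_at" field on the user record and the colon-separated "operator:timestamp" query form; the operator names, the timestamp format and the "ignore_password_expiry" user option come from the release notes, and the sample users and configuration values are constructed.

```python
"""Added example (not keystone code): the Ocata ``password_expires_at`` user
attribute and the ``password_expires_at=<operator>:<timestamp>`` query on
GET /v3/users, modelled on the semantics in the release notes.
The user records and configuration values are constructed for the example."""
from datetime import datetime, timedelta, timezone
import operator

# Comparison operators the release notes define for the query.
_OPERATORS = {
    "lt": operator.lt, "lte": operator.le,
    "gt": operator.gt, "gte": operator.ge,
    "eq": operator.eq, "neq": operator.ne,
}
_TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"   # YYYY-MM-DDTHH:mm:ssZ, as in the notes


def _parse_ts(value):
    return datetime.strptime(value, _TS_FORMAT).replace(tzinfo=timezone.utc)


def _format_ts(when):
    return when.strftime(_TS_FORMAT)


def password_expires_at(user, password_expires_days):
    """Value the ``user`` object in a token response would carry.

    None (never expires) when "[security_compliance] password_expires_days"
    is unset/0 or the user has the ``ignore_password_expiry`` option;
    otherwise the password creation time plus the configured number of days.
    ``password_created_at`` is an assumed field name for this example.
    """
    if not password_expires_days:
        return None
    if (user.get("options") or {}).get("ignore_password_expiry"):
        return None
    created = _parse_ts(user["password_created_at"])
    return _format_ts(created + timedelta(days=password_expires_days))


def parse_query(value):
    """Split "<operator>:<timestamp>" into (comparison, datetime).

    The colon-separated form is an assumption of this example; the operator
    names and timestamp format come from the release notes.
    """
    op_name, sep, ts = value.partition(":")
    if not sep or op_name not in _OPERATORS:
        raise ValueError("unknown password_expires_at operator: %r" % op_name)
    return _OPERATORS[op_name], _parse_ts(ts)


def is_valid_query(value):
    try:
        parse_query(value)
    except ValueError:
        return False
    return True


def list_users(users, query, password_expires_days):
    """Simulate GET /v3/users?password_expires_at=<query>.

    Users whose password never expires (None) have nothing to compare
    against and are excluded for every operator, including "neq".
    """
    comparison, when = parse_query(query)
    matched = []
    for user in users:
        expires = password_expires_at(user, password_expires_days)
        if expires is None:
            continue
        if comparison(_parse_ts(expires), when):
            matched.append(dict(user, password_expires_at=expires))
    return matched


# Constructed sample users: two regular users and one exempt service account.
SAMPLE_USERS = [
    {"name": "alice", "password_created_at": "2017-01-01T00:00:00Z"},
    {"name": "bob", "password_created_at": "2017-02-15T12:30:00Z"},
    {"name": "svc-nova", "password_created_at": "2016-06-01T00:00:00Z",
     "options": {"ignore_password_expiry": True}},
]

if __name__ == "__main__":
    # Users whose passwords expire before 1 May 2017 under a 90-day policy.
    for user in list_users(SAMPLE_USERS, "lt:2017-05-01T00:00:00Z", 90):
        print(user["name"], user["password_expires_at"])
```

The "null means never expires" case is the one to get right in reports: a user exempted via "ignore_password_expiry" silently drops out of every "password_expires_at" query, so an audit that only lists users with an upcoming expiry will not see exempt accounts at all.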
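The MFA rule semantics from the "per-user-auth-plugin-reqs" notes above (match-or-exceed, unknown methods ignored, empty rules discarded, default behaviour when no valid rule remains, the "multi_factor_auth_enabled" exemption, and "token" carrying the original request's methods), as an added example written for these notes rather than keystone's own code. The "[auth] methods" stand-in, the function names and the sample users are constructed.

```python
"""Added example (not keystone's implementation): evaluating the per-user MFA
rules against the auth methods a request supplied.  The configured method
list and the sample users are constructed for the example."""

# Stand-in for "[auth] methods" in keystone.conf (constructed).
CONFIGURED_METHODS = ("password", "totp", "token")


def effective_rules(user, configured_methods=CONFIGURED_METHODS):
    """The user's usable rules as a list of method sets.

    Returns [] (meaning "use the default behaviour") when the user is exempt
    via multi_factor_auth_enabled = False, has no rules, or has only rules
    that become empty after unknown methods are dropped.  Only the literal
    False exempts; True, None or an absent option all mean "process rules".
    """
    options = user.get("options") or {}
    if options.get("multi_factor_auth_enabled") is False:
        return []
    configured = set(configured_methods)
    usable = []
    for rule in options.get("multi_factor_auth_rules") or []:
        # Methods not in [auth] methods are ignored; an empty rule is discarded.
        methods = {m for m in rule if isinstance(m, str) and m in configured}
        if methods:
            usable.append(methods)
    return usable


def check_auth_methods(user, succeeded_methods, token_methods=(),
                       configured_methods=CONFIGURED_METHODS):
    """Decide whether a request may receive a token.

    ``succeeded_methods`` are the auth methods that have already succeeded
    for this request.  If the request used the "token" method (rescoping),
    ``token_methods`` are the methods recorded in that token and count as
    provided, which is why "token" itself need not appear in any rule.
    Returns (allowed, matched_rule); matched_rule is None when the default
    behaviour applied or no rule matched.
    """
    provided = set(succeeded_methods)
    if "token" in provided:
        provided |= set(token_methods)
    rules = effective_rules(user, configured_methods)
    if not rules:
        # Default: any single configured auth method is sufficient.
        return bool(provided & set(configured_methods)), None
    for rule in rules:
        # A rule matches when the provided methods include (or exceed) it.
        if rule <= provided:
            return True, sorted(rule)
    return False, None


# Constructed sample users.
SAMPLE_USERS = {
    "strict": {"options": {"multi_factor_auth_rules": [["password", "totp"]]}},
    "optional_totp": {"options": {"multi_factor_auth_rules": [["password"], ["password", "totp"]]}},
    "unknown_method": {"options": {"multi_factor_auth_rules": [["custom-auth-method"]]}},
    "exempt": {"options": {"multi_factor_auth_enabled": False,
                           "multi_factor_auth_rules": [["password", "totp"]]}},
}

if __name__ == "__main__":
    for name, user in SAMPLE_USERS.items():
        print(name, "password only ->", check_auth_methods(user, ["password"]))
```

The "unknown_method" user is the case worth checking in a deployment: a rule that names a method not listed in "[auth] methods" is discarded entirely, and with no valid rule left the user falls back to single-factor authentication, so a typo in a rule weakens rather than tightens the policy. The V2 caveat in the SECURITY INFO paragraph applies on top of this: none of the above runs for V2 authentication.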
* [Bug 1645487 (https://bugs.launchpad.net/keystone/+bug/1645487)] Added a new PCI-DSS feature that will require users to immediately change their password upon first use, for new users and after an administrative password reset. The new feature can be enabled by setting "[security_compliance] change_password_upon_first_use" to "True".

Upgrade Notes
*************

* [blueprint allow-expired (https://blueprints.launchpad.net/keystone/+spec/allow-expired)] To allow long running operations to complete, services must be able to fetch expired tokens via the "allow_expired" flag. The length of time a token is retrievable beyond its traditional expiry is managed by the "[token] allow_expired_window" option, and so the token data must remain retrievable for this amount of time. When using Fernet tokens this means that the key rotation period must exceed this time so that older tokens are still decryptable. Ensure that you do not rotate Fernet keys faster than "[token] expiration" + "[token] allow_expired_window" seconds.

* [bug 1547684 (https://bugs.launchpad.net/keystone/+bug/1547684)] A minor change to the "policy.v3cloudsample.json" sample file was performed so the sample file loads correctly. The "cloud_admin" rule has changed from:

      "role:admin and (token.is_admin_project:True or domain_id:admin_domain_id)"

  To the properly written:

      "role:admin and (is_admin_project:True or domain_id:admin_domain_id)"

  Adjust configuration tools as necessary; see the "fixes" section for more details on this change.

* [bug 1561054 (https://bugs.launchpad.net/keystone/+bug/1561054)] The default token provider has switched from UUID to Fernet. Please note that Fernet requires a key repository to be in place prior to running Ocata; this can be done by running "keystone-manage fernet_setup". Additionally, for multi-node deployments, it is imperative that a key distribution process be in use before upgrading.
  Once a key repository has been created it should be distributed to all keystone nodes in the deployment. This ensures that each keystone node will be able to validate tokens issued across the deployment. If you do not wish to switch token formats, you will need to explicitly set the token provider for each node in the deployment by setting "[token] provider" to "uuid" in "keystone.conf". Documentation can be found at fernet-tokens (https://docs.openstack.org/developer/keystone/configuration.html#encryption-keys-for-fernet-tokens).

* [bug 1641654 (https://bugs.launchpad.net/keystone/+bug/1641654)] The "healthcheck" middleware from *oslo.middleware* has been added to the keystone application pipelines by default. The following section has been added to "keystone-paste.ini":

      [filter:healthcheck]
      use = egg:oslo.middleware#healthcheck

  It is recommended to have the "healthcheck" middleware first in the pipeline:

      pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler ...

* [bug 1641660 (https://bugs.launchpad.net/keystone/+bug/1641660)] The default value for "[DEFAULT] notification_format" has been changed from "basic" to "cadf". The CADF notifications have more information about the user that initiated the request.

* [bug 1641660 (https://bugs.launchpad.net/keystone/+bug/1641660)] The default value for "[DEFAULT] notification_opt_out" has been changed to include: "identity.authenticate.success", "identity.authenticate.pending" and "identity.authenticate.failed". If a deployment relies on these notifications (for example to alert on authentication failures), then override the default setting.

* [bug 1642687 (https://bugs.launchpad.net/keystone/+bug/1642687)] Upon a successful upgrade, all existing "identity providers" will now be associated with an automatically created domain. Each "identity provider" that existed prior to the *Ocata* release will now have a "domain_id" field. The new domain will have an "id" (random UUID) and a "name" (that will match the "identity provider" ID), and will be "enabled" by default.
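The allow-expired upgrade note above, worked through as an added example (example code written for these notes, not keystone's own token provider). It simulates a Fernet-style key repository and the "GET /v3/auth/tokens" validation rules, using HMAC signing instead of Fernet encryption so that it runs on the standard library alone; the clock is a simulated integer number of seconds and the "max_active_keys" name mirrors the "[fernet_tokens]" option. One caveat a deployer should keep in mind: keystone keeps only "max_active_keys" keys, so what has to cover "[token] expiration" + "[token] allow_expired_window" is the time a key survives in the repository, which is (max_active_keys - 2) rotation periods, not a single rotation interval.

```python
"""Added example (not keystone code): a simulated Fernet-style key repository
showing why the key rotation schedule must cover "[token] expiration" plus
"[token] allow_expired_window".  Tokens are HMAC-signed rather than Fernet
encrypted so the example needs only the standard library; time is a
simulated integer number of seconds."""
import base64
import hashlib
import hmac
import json
import os

_MAC_LEN = hashlib.sha256().digest_size


class KeyRepository:
    """Mimics the fernet key directory: index 0 is the staged key, the highest
    index is the primary (issuing) key, the rest are secondary keys."""

    def __init__(self, max_active_keys):
        self.max_active_keys = max_active_keys   # [fernet_tokens] max_active_keys
        # keystone-manage fernet_setup: a staged key and a primary key.
        self.keys = {0: os.urandom(32), 1: os.urandom(32)}

    def primary_index(self):
        return max(self.keys)

    def rotate(self):
        """keystone-manage fernet_rotate: the staged key becomes primary, a new
        staged key is written, and the oldest secondary keys are purged until
        max_active_keys remain."""
        self.keys[self.primary_index() + 1] = self.keys.pop(0)
        self.keys[0] = os.urandom(32)
        while len(self.keys) > self.max_active_keys:
            del self.keys[min(k for k in self.keys if k != 0)]


class TokenProvider:
    def __init__(self, repo, expiration, allow_expired_window):
        self.repo = repo
        self.expiration = expiration                      # [token] expiration
        self.allow_expired_window = allow_expired_window  # [token] allow_expired_window

    def issue(self, user_id, now):
        payload = json.dumps({"user_id": user_id, "expires_at": now + self.expiration}).encode()
        key = self.repo.keys[self.repo.primary_index()]
        mac = hmac.new(key, payload, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(payload + mac).decode()

    def validate(self, token, now, allow_expired=False):
        """GET /v3/auth/tokens semantics: any key in the repository (staged
        included) may validate; an expired token is accepted only with
        allow_expired and only inside allow_expired_window."""
        raw = base64.urlsafe_b64decode(token)
        payload, mac = raw[:-_MAC_LEN], raw[-_MAC_LEN:]
        if not any(hmac.compare_digest(hmac.new(k, payload, hashlib.sha256).digest(), mac)
                   for k in self.repo.keys.values()):
            raise ValueError("signed with a key no longer in the repository")
        data = json.loads(payload)
        if now > data["expires_at"]:
            if not allow_expired or now > data["expires_at"] + self.allow_expired_window:
                raise ValueError("token expired")
            data["expired"] = True
        return data


def rotation_is_safe(rotation_period, max_active_keys, expiration, allow_expired_window):
    """A key that issued tokens survives max_active_keys - 2 rotations (one
    slot is the staged key, one the current primary), so that span must cover
    the full validation window."""
    return (max_active_keys - 2) * rotation_period >= expiration + allow_expired_window


def simulate(max_active_keys, allow_expired=True, rotation_period=3600,
             expiration=3600, allow_expired_window=7200):
    """Issue one token at t=0, rotate every rotation_period seconds, and record
    what validation says at a few later instants."""
    repo = KeyRepository(max_active_keys)
    provider = TokenProvider(repo, expiration, allow_expired_window)
    token = provider.issue("alice", now=0)
    outcomes, next_rotation = {}, rotation_period
    for now in (3000, 5000, 8000):
        while next_rotation <= now:
            repo.rotate()
            next_rotation += rotation_period
        try:
            provider.validate(token, now, allow_expired=allow_expired)
            outcomes[now] = "valid"
        except ValueError as exc:
            outcomes[now] = str(exc)
    return outcomes


if __name__ == "__main__":
    print("max_active_keys=3:", simulate(3))
    print("max_active_keys=5:", simulate(5))
```

With hourly rotation, a one-hour token lifetime and a two-hour allow_expired window, three active keys purge the issuing key after the second rotation, so a long-running service that tries to validate the token with allow_expired at t=8000 fails even though the window has not closed; five active keys keep the key long enough.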
* [Related to Bug 1649446 (https://bugs.launchpad.net/keystone/+bug/1649446)] The "identity:list_revoke_events" rule has been changed in both sample policy files, "policy.json" and "policy.v3cloudsample.json". 
  From:

      "identity:list_revoke_events": ""

  To:

      "identity:list_revoke_events": "rule:service_or_admin"

Deprecation Notes
*****************

* [bug 1659995 (https://bugs.launchpad.net/keystone/+bug/1659995)] The config option "[security_compliance] ignore_password_expires_user_ids" has been deprecated in favor of the per-user option set via the user create and update API call.

* [blueprint deprecated-as-of-ocata (https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-ocata)] The catalog backend "endpoint_filter.sql" has been deprecated in the *Ocata* release; it has been consolidated with the "sql" backend. It is recommended to replace the "endpoint_filter.sql" catalog backend with the "sql" backend. The "endpoint_filter.sql" backend will be removed in the *Pike* release.

* [blueprint deprecated-as-of-ocata (https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-ocata)] Various KVS backends and config options have been deprecated and will be removed in the *Pike* release. This includes:

  * "keystone.common.kvs.backends.inmemdb.MemoryBackend"
  * "keystone.common.kvs.backends.memcached.MemcachedBackend"
  * "keystone.token.persistence.backends.kvs.Token"
  * all config options under "[kvs]" in *keystone.conf*
  * the config option "[memcached] servers" in *keystone.conf*

Critical Issues
***************

* [bug 1561054 (https://bugs.launchpad.net/keystone/+bug/1561054)] If upgrading to Fernet tokens, you must have a key repository and key distribution mechanism in place, otherwise token validation may not work. Please see the upgrade section for more details.

Security Issues
***************

* [bug 1656076 (https://bugs.launchpad.net/keystone/+bug/1656076)] Authentication plugins now require "AuthContext" objects to be used. This adds security features to ensure information such as the "user_id" does not change between authentication methods being processed by the server.
  The "keystone.controllers.Auth.authenticate" method now requires the argument "auth_context" to be an actual "AuthContext" object.

Bug Fixes
*********

* [bug 1524030 (https://bugs.launchpad.net/keystone/+bug/1524030)] During token validation we have reduced the number of revocation events returned, only returning the subset of events relevant to the token, thus improving overall token validation performance.

* [bug 1651989 (https://bugs.launchpad.net/keystone/+bug/1651989)] Due to "bug 1547684", when using the "policy.v3cloudsample.json" sample file, a domain admin token was being treated as a cloud admin. Since the "is_admin_project" functionality only supports project-scoped tokens, we automatically set the "is_admin_project" property to "False" on any domain-scoped token.

* [bug 1547684 (https://bugs.launchpad.net/keystone/+bug/1547684)] A typo in the "policy.v3cloudsample.json" sample file was causing *oslo.policy* to not load the file. See the "upgrades" section for more details.

* [bug 1571878 (https://bugs.launchpad.net/keystone/+bug/1571878)] A valid "mapping_id" is now required when creating or updating a federation protocol. If the "mapping_id" does not exist, a "400 - Bad Request" will be returned.

* [bug 1616424 (https://bugs.launchpad.net/keystone/+bug/1616424)] Provide better exception messages when creating OAuth request tokens and OAuth access tokens via the "/v3/OS-OAUTH1/request_token" and "/v3/OS-OAUTH1/access_token" APIs, respectively.

* [bug 1622310 (https://bugs.launchpad.net/keystone/+bug/1622310)] Trusts will now be invalidated if the project to which the trust is scoped, or the user (trustor or trustee) for which the delegation is assigned, has been deleted.

* [bug 1636950 (https://bugs.launchpad.net/keystone/+bug/1636950)] New option "[ldap] connection_timeout" allows a deployer to set an "OPT_NETWORK_TIMEOUT" value to use with the LDAP server.
  This allows the LDAP server to return a "SERVER_DOWN" exception if the LDAP URL is incorrect or if there is a connection failure. By default, the value for "[ldap] connection_timeout" is -1, meaning it is disabled. Set a positive value (in seconds) to enable the option.

* [bug 1642457 (https://bugs.launchpad.net/keystone/+bug/1642457)] Handle disk write and IO failures when rotating keys for Fernet tokens. Rather than creating empty keys, properly catch and log errors when unable to write to disk.

* [bug 1642687 (https://bugs.launchpad.net/keystone/+bug/1642687)] When registering an "identity provider" via the OS-FEDERATION API, it is now recommended to include a "domain_id" to associate with the "identity provider" in the request. Federated users that authenticate with the "identity provider" will now be associated with the "domain_id" specified. If no "domain_id" is specified, then a domain will be automatically created.

* [bug 1642687 (https://bugs.launchpad.net/keystone/+bug/1642687)] Users that authenticate with an "identity provider" will now have a "domain_id" attribute that is associated with the "identity provider".

* [bug 1642692 (https://bugs.launchpad.net/keystone/+bug/1642692)] When a *federation protocol* is deleted, all users that authenticated with the *federation protocol* will also be deleted.

* [bug 1649138 (https://bugs.launchpad.net/keystone/+bug/1649138)] When using LDAP as an identity backend, the initial bind will now occur upon creation of a connection object, i.e. early on when performing LDAP queries, no matter whether the bind is authenticated or anonymous, so that any connection errors can be handled correctly and early.

* [Bug 1649446 (https://bugs.launchpad.net/keystone/+bug/1649446)] The default policy for listing revocation events has changed. Previously, any authenticated user could list revocation events; it is now, by default, an admin or service user only function.
  This can be changed by modifying the policy file being used by keystone.

* [bug 1656076 (https://bugs.launchpad.net/keystone/+bug/1656076)] The various plugins under "keystone.controllers.Auth.authenticate" now require "AuthContext" objects to be returned.

* [bug 1659995 (https://bugs.launchpad.net/keystone/+bug/1659995)] New options have been made available via the user create and update API ("POST/PATCH /v3/users") call; the options allow an admin to mark users as exempt from certain PCI requirements via an API. Set the following user attributes to "True" or "False" in an API request.

  To mark a user as exempt from the PCI password lockout policy:

      user['options']['ignore_lockout_failure_attempts']

  To mark a user as exempt from the PCI password expiry policy:

      user['options']['ignore_password_expiry']

  To mark a user as exempt from the PCI reset policy:

      user['options']['ignore_change_password_upon_first_use']

Other Notes
***********

* [bug 1017606 (https://bugs.launchpad.net/keystone/+bug/1017606)] The signatures of the "get_catalog" and "get_v3_catalog" methods of "keystone.catalog.backends.base.CatalogDriverBase" have been updated. Third-party extensions that extend the abstract class ("CatalogDriverBase") should be updated according to the new parameter names. The method signatures have changed from:

      get_catalog(self, user_id, tenant_id)
      get_v3_catalog(self, user_id, tenant_id)

  to:

      get_catalog(self, user_id, project_id)
      get_v3_catalog(self, user_id, project_id)

* [bug 1524030 (https://bugs.launchpad.net/keystone/+bug/1524030)] The signature of the "list_events" method of "keystone.revoke.backends.base.RevokeDriverBase" has been updated. Third-party extensions that extend the abstract class ("RevokeDriverBase") should update their code according to the new parameter names.
  The method signature has changed from:

      list_events(self, last_fetch=None)

  to:

      list_events(self, last_fetch=None, token=None)

* [bug 1563101 (https://bugs.launchpad.net/keystone/+bug/1563101)] The token provider driver interface has moved from "keystone.token.provider.Provider" to "keystone.token.providers.base.Provider". If implementing a custom token provider, subclass from the new location.

* [bug 1582585 (https://bugs.launchpad.net/keystone/+bug/1582585)] A new method "get_domain_mapping_list" was added to "keystone.identity.mapping_backends.base.MappingDriverBase". Third-party extensions that extend the abstract class ("MappingDriverBase") should implement this new method. The method has the following signature:

      get_domain_mapping_list(self, domain_id)

  and will return a list of mappings for a given domain ID.

* [bug 1611102 (https://bugs.launchpad.net/keystone/+bug/1611102)] The methods "list_endpoints_for_policy()" and "get_policy_for_endpoint()" have been removed from the "keystone.endpoint_policy.backends.base.EndpointPolicyDriverBase" abstract class; they were unused.

* [bug 1622310 (https://bugs.launchpad.net/keystone/+bug/1622310)] A new method "delete_trusts_for_project" has been added to "keystone.trust.backends.base.TrustDriverBase". Third-party extensions that extend the abstract class ("TrustDriverBase") should implement this new method. The signature for the new method is:

      delete_trusts_for_project(self, project_id)

* [bug 1642687 (https://bugs.launchpad.net/keystone/+bug/1642687)] The signature of the "create_federated_user" method of "keystone.identity.shadow_backends.base.ShadowUsersDriverBase" has been updated. Third-party extensions that extend the abstract class ("ShadowUsersDriverBase") should be updated according to the new parameter names.
  The method signature has changed from:

      create_federated_user(self, federated_dict)

  to:

      create_federated_user(self, domain_id, federated_dict)

* [bug 1659730 (https://bugs.launchpad.net/keystone/+bug/1659730)] The signature of the "authenticate" method of "keystone.auth.plugins.base.AuthMethodHandler" has been updated. Third-party extensions that extend the abstract class ("AuthMethodHandler") should update their code according to the new parameter names. The method signature has changed from:

      authenticate(self, context, auth_payload, auth_context)

  to:

      authenticate(self, request, auth_payload, auth_context)

* PKI and PKIz token formats have been removed in favor of Fernet tokens.

* Write support for LDAP has been removed in favor of read-only support. The following operations are no longer supported for LDAP:

  * "create user"
  * "create group"
  * "delete user"
  * "delete group"
  * "update user"
  * "update group"
  * "add user to group"
  * "remove user from group"

* Routes and SQL backends for the contrib extensions have been removed; they have been incorporated into keystone and are no longer optional. This affects:

  * "keystone/contrib/admin_crud"
  * "keystone/contrib/endpoint_filter"
  * "keystone/contrib/federation"
  * "keystone/contrib/oauth1"
  * "keystone/contrib/revoke"
  * "keystone/contrib/simple_cert"
  * "keystone/contrib/user_crud"

* Keystone cache backends have been removed in favor of their *oslo.cache* counterparts. This affects:

  * "keystone/common/cache/backends/mongo"
  * "keystone/common/cache/backends/memcache_pool"
  * "keystone/common/cache/backends/noop"

* Several token validation methods from the abstract class "keystone.token.providers.base.Provider" were removed (see below) in favor of a single method to validate tokens ("validate_token"), which has the signature "validate_token(self, token_ref)". If using a custom token provider, update the custom provider accordingly.
  * "validate_v2_token"
  * "validate_v3_token"
  * "validate_non_persistent_token"

* Several token issuance methods from the abstract class "keystone.token.providers.base.Provider" were removed (see below) in favor of a single method to issue tokens ("issue_token"). If using a custom token provider, update the custom provider accordingly.

  * "issue_v2_token"
  * "issue_v3_token"

* The "[DEFAULT] domain_id_immutable" configuration option has been removed in favor of strictly immutable domain IDs.

* The "[endpoint_policy] enabled" configuration option has been removed in favor of always enabling the endpoint policy extension.

* The auth plugin "keystone.auth.plugins.saml2.Saml2" has been removed in favor of the auth plugin "keystone.auth.plugins.mapped.Mapped".

* The "memcache" and "memcache_pool" token persistence backends have been removed in favor of using Fernet tokens (which require no persistence).

* The "httpd/keystone.py" file has been removed in favor of the "keystone-wsgi-admin" and "keystone-wsgi-public" scripts.

* The "keystone/service.py" file has been removed; the logic has been moved to "keystone/version/service.py".

* The check for the admin token in the "build_auth_context" middleware has been removed. If your deployment requires the use of the *admin token*, update "keystone-paste.ini" so that "admin_token_auth" is before "build_auth_context" in the paste pipelines; otherwise remove the "admin_token_auth" middleware from "keystone-paste.ini" entirely.

* The "[assignment] driver" now defaults to "sql". Logic to determine the default assignment driver if one wasn't supplied through configuration has been removed. Keystone only supports one assignment driver and it shouldn't be changed unless you're deploying a custom assignment driver.

* The "[resource] driver" now defaults to "sql". Logic to determine the default resource driver if one wasn't supplied through configuration has been removed.
  Keystone only supports one resource driver and it shouldn't be changed unless you're deploying a custom resource driver.

* The "[os_inherit] enabled" config option has been removed; the *OS-INHERIT* extension is now always enabled.

* The "[DEFAULT] domain_id_immutable" option has been removed. This removes the ability to change the "domain_id" attribute of users, groups, and projects. The behavior was introduced to allow deployers to migrate entities from one domain to another by updating the "domain_id" attribute of an entity. This functionality was deprecated in the Mitaka release and is now removed.

Changes in keystone 10.0.0.0rc1..11.0.0
---------------------------------------

9aa0f31 Modify the spelling mistakes 6603d40 Prepare for using standard python tests 63ab7b8 update keystone.conf.sample for ocata-rc a64b474 Add MFA Rules Release Note 5c861c0 Remove de-dupe for MFA Rule parsing. 1328d49 Add comment to clarify resource-options jsonschema 29951be Cleanup TODO, AuthContext and AuthInfo to auth.core 1451659 Cleanup TODO about auth.controller code moved to core 1130557 Add validation that token method isn't needed in MFARules a4c226f Add validation for mfa rule validator (storage) b17c3a5 Process and validate auth methods against MFA rules feac9e7 No need to enable infer_roles setting 8354fb3 Fix bad error message from FernetUtils 30d9095 Use https for docs.openstack.org references bc787f0 Update PCI documenation 2e7c7c9 Auth Plugins pass data back via AuthHandlerResponse 5dd81b9 Auth Method Handlers now return a response object always ab9237f Add MFA Rules and Enabled User options 28945a1 cleanup release notes from PCI options 9844fa1 Create user option `ignore_lockout_failure_attempts` 47cd729 Implement better validation for resource options 930728a Deprecate [security_compliance]\password_expires_ignore_user_ids dce8a2c Fixes deprecations caused by latest oslo.context 0b3e59e PCI-DSS Force users to change password upon first use 5e2cc88 clean up release
notes for ocata
d6a05f5 Reuse already existing groups from upstream tempest config
c2fdd3b add additional deprecation warnings for KVS options
2bb1720 Address follow-up comments from previous patchset
85e8a7b Cleanup for resource-specific options
2a79614 Adds tests showing how mapping locals are handled
9f4fbd8 Add 'options' as an explicit user schema validation
1896d1b Code-Defined Resource-specific Options
c19f243 Set the domain for federated users
6e0faa9 Refactor shadow users tests
2bd88d3 Add domain_id to the user table
6f10795 Do not call `to_dict` outside of a session context
821a4ff Remove code supporting moving resources between domains
91c2dbd Change unit test class to a less generic name
2518ca8 Remove dogpile.core dependencies
3f38162 Verbose breakup of method into seperate methods
3d06b69 Fixed unraised exception in _disallow_write for LDAP
28c70f4 Add password expiration queries for PCI-DSS
35deec2 Add missing parentheses
19c6530 Add queries for federated attributes in list_users
e9a6a84 update entry points related to paste middleware
a7b393b Remove LDAP write support
50e4ed9 Remove releated role_tree_dn test
a551b94 Add warning about using `external` with federation
3ae73b6 Allow user to change own expired password
73939d9 Fix warnings generated by os-api-ref 1.2.0
5e89f1b Improvements to external auth documentation page
5b7b146 Test cross domain authentication via implied roles
e988490 Updates to project mapping documentation
ca51177 Add documentation for auto-provisioning
9e830db Implement federated auto-provisioning
d08894d Fix typo in main docs page
9785f6a switch @hybrid_property to @property
9e1e2c2 Catch potential SyntaxError in federation mapping
7f2b7e5 Fix typo in shibboleth federation docs
3039e6c Handling of 'region' parameter as None
ee2747b Corrected punctuation on multiple exceptions
0d2f249 Exclude 'keystone_tempest_plugin' in doc build
0f3f08c Force use of AuthContext object in .authentcate()
45f7ff3 Cascade delete federated_user fk
7e69eef update sample config for ocata release
ee3eb00 Drop type in filters
03ceac6 Add DB operations tracing
066bf83 fix broken links
9602807 Changed 'Driver' reference to 'TokenDriverBase'
f2d0f8c Fix keystone-manage mapping_engine tester
f8ee249 Add anonymous bind to get_connection method
2d239cf Set connection timeout for LDAP configuration
872939d Invalid parameter name on interface
dd71d11 Bump API version and date
d4a890a listing revoke events should be admin only
1c94ae7 Adds projects mapping to the mapping engine
d42bb2d Updated docstring for test_sql_upgrade.py
b63cc5f Use public interfaces of pep8 for hacking
d4129c2 [api-ref] Clean up OS-EP-FILTER association docs
b4c97d3 Remove comment from previous migration
6e71105 [api-ref] Clean up OS-EP-FILTER documentation
ebbc06e Fixed not in toctree warnings when building docs
83b2109 Remove stevedore warning when building docs
74af136 Update docs to require domain_id when registering Identity Providers
e439476 Retry on deadlock Transactions in backend
62ae2e4 Fix region_id responses and requests to be consistent
3838cff Remove endpoint_id parameter from EP-FILTER docs
131c8c1 [api] fix ep filter example
8c190a1 Require domain_id when registering Identity Providers
41d70a6 Fix minor typo
a2a06d0 Remove references to Python 3.4
54dc086 Improve assertion in test
efb5875 Use assertGreater(len(x), y) instead of assertTrue(len(x) > y)
42d19a0 Correct invalid rst in api docs
318a333 Fixed 7 tests running twice in v3 identity
b4012e8 Fix issues with keystone-dsvm-py35-functional-v3-only on py35
f19f131 Fix the usage of tempest.client.Manager class
ec4d055 Correct timestamp format in token responses
ddff3bd Remove unused exceptions from CADF notifications
46749a9 Minor improvement in test_user_id_persistence
663865d Remove CONF.domain_id_immutable
48864fd Fix test function name with two underscores to have only one
62fa3cd Updated from global requirements
11545b5 Fix import ordering in tempest plugins
76139d1 [api] Inconsistency between v3 API and keystone token timestamps
647b83d Federated authentication via ECP functional tests
937a1a3 Removes unnecessary utf-8 encoding
5b7c9a6 Handle disk write failure when doing Fernet key rotation
ef48072 Fix cloud_admin rule and ensure only project tokens can be cloud admin
1dbbec0 Updated from global requirements
2674918 Remove duplicate role assignment in federated setup
0145084 Remove unused variables from federation tests
a5d8069 Remove unused variables from unit test method
eff8381 Add reason to CADF notifications in docs
dbb05ae [doc] point release note docs to project team guide
1a00498 [api] set `is_admin_project` on tokens for admin project
91167ad Settings for test cases
7fe14c8 Add reason to notifications for PCI-DSS
c5eb31f Fix typo in doc
e1e3f2f fix one typo.
15c1e7a Updated from global requirements
944b3b0 Wrap invalidation region to context-local cache
eac57b8 move common sql test helpers to base class
2dfd163 Use assertGreater(len(x), y) instead of assertTrue(len(x) > y)
52f6fe1 replace assertTrue with assertIs.
bb89d92 Replace logging with oslo_log.
3845e36 expose v3policy failure with is_admin_token
a54ab53 Add doctor checks for ldap symptoms
1000501 Implement password requirements API
ed7d2f0 Fix a typo in comment
1417939 Add unit tests for doctor token_fernet symptoms
e77a249 Remove impossible case from _option_dict method
48573a7 Make _option_dict() a method for domain_config_api
c68dc42 Add unit tests for doctor tokens symptoms
4624f47 Add checks for doctor credential symptoms
e3f55e7 Make user to nonlocal_user a 1:1 relationship
34f1201 Add id to conflict error if caused by duplicate id
76b1110 Refactors _get_names_from_role_assignments
ccf5dc7 Do not manually remove /etc/shibboleth folder
b0f9237 API Documentation for user password expires
3204796 Revert "API Documentation for user password expires"
1eb38e4 API Documentation for user password expires
b36e1c4 Clean up keystone doc landing page
e4ecc04 Add doctor tests on security_compliance and rename
48841fd Fix typo in api-ref doc
fd54718 Move V2TokenDataHelper to the v2.0 controller
8307f2c Remove exception from v2 validation path
90f2f96 Make bootstrap idempotent when it needs to be
aa97a9c Add unit tests for doctor's database symptoms
f5b6912 Print name with duplicate error on user creation
2dae412 Expose idempotency issue with bootstrap
6b16e2c Print domain name in mapping_populate error message
f12f83b Correct missspellings of secret
4de9d6b Trivial indentation corrections in mappings doc
359b10c Add doctor check for debug mode enabled
b9c8963 Fixed multiple warnings in tox -edocs
b9890f8 Get assignments with names honors inheritance flag
f84b40a Updated from global requirements
aa531a0 Add test to expose bug 1625230
fd13637 Invalidate token cache after token delete
26d40dc Revert "Rename doctor symptom in security_compliance"
812982a Domain included for role in list_role_assignment
28fd030 api-ref update for roles assignments with names
ac4f22c Rename doctor symptom in security_compliance
5fe929d Corrects sample-data incorrect credential call
8002025 Correct minor issues in test schema
cb7bfce Add unit tests for doctor federation file
3e5ead0 Remove CONF.os_inherit.enabled
bb8be1e Add unit tests for doctor's caching symptoms
65d2330 Updated from global requirements
f3d58a5 Updated from global requirements
8aa7b73 More info in schema validation error
24dd022 Minor fix in role_assignments api-ref
74942e4 Include mapped in the default auth methods
d16ec35 Validate token issue input
9e54c62 Removes unused exceptions
7310375 Removes unused method from assignment core
54b57e2 Removes unused default_assignment_driver method
4f12020 Removed unused EXTENSION_TO_ADD test declarations
71cde67 Use sha512.hash() instead of .encrypt()
df721d0 Don't invalidate all user tokens of roleless group
bd37276 Upload service provider metadata to testshib
54d2ecc Updated from global requirements
e120ac3 SAML federation docs refer to old WSGIScriptAlias
7765130 cache_on_issue default to true
7e9039b Make try/except work for passlib 1.6 and 1.7
2223374 Document token header in federation auth response
364462e Refactor Keystone admin-tokens and admin-users v2
1df211a ignore deprecation warning for .encrypt()
d9a6ead Send the identity.deleted.role_assignment after the deletion
fcebc2f Allow fetching an expired token
d51246c Show team and repo badges on README
05f2317 Remove eventlet-related call to sleep
a0104c7 Add a comment about not using assertTrue
41bb06a clean up developer docs
03319d1 Improvements in error messages
cfcf395 Remove trailing "d" from -days param of OpenSSL command
eeaa4d7 Swap the notification formats in the docs
1e6f780 Normalizes use of ForbiddenAction in trusts
165e5a9 Enable CADF notification format by default
852a518 Remove unused statements in matches
49ec1d2 Fix doc example
deeb8df Remove extension and auth_token middleware docs
4c5b15e Move docs from key_terms to architecture
0a9051b move content from configuringservices to configuration
2edc392 Update configuration.rst documentation
5ae4ca1 Verbose 401/403 debug responses
a93d03e Fix the misspelling in `keystone/tests/unit/test_cli.py`
5a930e7 refactor notification test to work with either format
ef30103 Clarify the v2.0 validation path
adb4513 Remove metadata from token provider
4f1af94 Lockout ignore user list
98b3109 Add developer docs for keystone-manage doctor
f4a30aa [api] add changelog from 3.0 -> 3.7
fbafc06 Devstack plugin to federate with testshib.org
34b0cf2 Remove entry_points to non-existent drivers
0bbc94e Fix typo in doc
5d93b99 remove release note about LDAP write removal
d3e955f Change "Change User Password" request example
3f92a97 Fixes remaining nits in endpoint_policy tests
2d540f5 Remove reference to future removal of saml
fea1936 Limits config fixture usage to where it's needed
3d513da Updated from global requirements
eff2b3b Remove format_token method
c0c23fd Remove issue_v3_token in favor of issue_token
dd1e705 Remove issue_v2_token
4c095cc refactor the token controller
e361a3a Use issue_v3_token instead of issue_v2_token
a74be79 Updates to the architecture doc
e8e56dc Support nested groups in Active Directory
eeac2cb Add healthcheck middleware to pipelines
6ed37d2 Request cache should not update context
32affef Change cfg.set_defaults into cors.set_defaults
470d92f Updated from global requirements
6589dbd Updated from global requirements
52f58eb Doc warning for keystone db migration
08e9ba9 Wording error in upgrading documentation
e28dddd Updated from global requirements
52c2a81 fix credentials backend tests
18bb515 Allow running expand & migrate at the same time
c5bcc34 Add test cases for passing "None" as a hint
2d56415 Fix test_revoke to run all tests after pki removal
1b79994 Updated from global requirements
57cc1e3 Switch fernet to be the default token provider.
8a66ef6 Remove support for PKI and PKIz tokens
1a1c625 Doc the difference between memcache and cache
cda7688 Doctor ldap check fix for config files
e498979 Additional logging when authenticating
2e70ecd Document OS-SIMPLE-CERT Routes
c70baa0 Document v2 Revoked Token Route
095ed91 Add api-ref /auth/tokens/OS-PKI/revoked (v3)
731a766 Fix broken links in the docs
75e8cd1 Add structure for Devstack plugin
a4fdb40 Add bindep environment to tox
e49a95f Pass a request to controllers instead of a context
357bb56 Create default role as a part of bootstrap
093d14f Updated from global requirements
339d6a6 Don't deprecate the LDAP property which is still needed
707b023 Clarifying on the remove of `build_auth_context` middleware
2870deb log.error use _ of i18n
fd6445e Doctor check for LDAP domain specific configs
b8435cc Updated from global requirements
53f104f Updated from global requirements
de8fbcf Validate mapping exists when creating/updating a protocol
f516777 Remove new_id() in test_revoke
1c38db6 Adds warning when no domain configs were uploaded
e5add63 Add release note for fernet tokens
d45d82f Tweak api-ref doc for v3 roles
bc756d5 Tweak api-ref doc for v3 roles status codes
43b55f1 Reorder APIs in api-ref for v3 groups
c7c0b99 [api-ref] Remove the duplicated sample
bef1444 Follow-on of memcache token persistence removal
1939159 changed domain id to name in JSON request
e3962e5 More configuration doc edits
980554a Remove backend dependencies from token provider
696a10c Updated from global requirements
382279f [api-ref] Fix couple of issues on OS-INHERIT API
35b9f08 Code cleanup
4f92ac0 Replace tenant with project for keystone catalog
e7e577c Imported Translations from Zanata
38f79a8 Update, correct, and enhance federation docs
f0319c7 Invalidate trust when the related project is deleted
8b68bbd Remove unused arg(project and initiator)
25d0535 Drop MANIFEST.in - it's not needed by pbr
f77db0a Ignore unknown arguments to fetch_token
02452d0 Return password_expires_at during auth
d49f2b1 Move the token abstract base class out of core
ca73d29 Add is_admin_project to policy dict
94f1074 Fix a typo in token_formatters.py
9e84371 Improve check_token validation performance
477189d Add revocation event indexes
130a72d Add docs for PCI-DSS
52642cc Invalidate trust when the trustor or trustee is deleted
27d2176 Updated from global requirements
1974f2d [api] add a note about project name restrictions
71134fb One validate method to rule them all...
f84dd99 Simplify the KeystoneToken model
52bde3c Remove validate_v2_token() method
abe6157 [api] remove `user_id` and `project_id` from policy
38f2305 Remove the decorator where it's not applied
8789949 Optimize remove unused variable
c3c4112 Remove those redundant variable declaration
9fa78cb [doc] Correct mapping JSON example
ade01da Remove no use variable (domain_id)
ab02ec0 Remove redundant variable declaration
fd3e627 Deprecate `endpoint_filter.sql` backend
ba96448 remove deprecated `[endpoint_policy] enable` option
86229b3 Pass initiator to Manager as a kwarg
3e0242c create release notes for removed functionality
76d588b Remove driver version specifiers from tests
a82d799 Enable release notes translation
1181399 Remove driver version from identity backend test names
bbcc1ef Remove driver version from docs
12d8591 Updated from global requirements
4888a11 Default the assignment backend to SQL
3b17b27 remove legacy driver tox target
9aec18b Use validate_v3_token instead of validate_token
d3054b5 Ensure all v2.0 tokens are validated the same way
6f6543b Make sure all v3 tokens are validated the same way
7c00add re-add valid comment about None domain ID
d7b836e Default the resource backend to SQL
4fd55f2 Make returning is_domain conditional
9117e45 Move audit initiator creation to request
cb43ea8 Don't validate token expiry in the persistence backend
29fbffa Add tests for validating expired tokens
5046ba0 Fix a typo in _init_.py
432fa4a Remove password history validation from admin password resets
ac04a51 Updating the document regarding LDAP options
cd23e77 Updated from global requirements
38f9a82 Remove the unused sdx doc files
635d4a4 Updated from global requirements
ec7cec0 Remove the no use arg (auth=None)
bb1e6d0 Fix typo in docstring
a20d66c Tweak api-ref for v3 groups status codes
86483a7 Updated from global requirements
28e6144 Add Apache 2.0 license to source file
e828d59 Fix a typo in core.py and bp-domain-config-default-82e42d946ee7cb43.yaml
4be9164 Validate password history for self-service password changes
7f3296d Make test_v3_auth exercise the whole API
810e156 Remove stable driver interfaces
a0ee0bb Updated from global requirements
ae0d189 Remove the check for admin token in build_auth_context middleware
abab343 Reorder APIs in api-ref doc for v3 users
ca4b452 Fix a docstring typo in test_v3_resource.py
ee32611 Using assertIsNone(...) instead of assertIs(None, ...)
a615a85 Updated from global requirements
4a079a4 remove deprecated items from contrib
d3ece04 Update man page for Ocata release version and date
09131e1 Using assertIsNone() instead of assertIs(None)
7b66744 Remove default=None when set value in config
7d56cb7 Undeprecate options used for signing
a0fb216 Remove unused path in the v2 token controller
7f3f596 Fix the belongsTo query parameter
ba984db Fix 'API Specification for Endpoint Filtering' broken link
e88097f Add domain check in domain-specific role implication
f0172f8 Override credential key repository for null key tests
36be7e5 Remove useless method override
564c495 remove memcache token persistence backends
9f9b728 remove keystone/service.py
d1ed08d remove saml2 auth plugin
2388cef remove httpd/keystone.py
1371fb4 remove cache backends
5035ea1 Revert "Allow compatibility with keystonemiddleware 4.0.0"
3c7e140 Consolidate the common code into one method
54e41a3 Handle the exception from creating request token properly
9488ec5 Fix formatting strings in LOG.debug
3adb158 Fix formatting strings in LOG.warning
be5385c Handle the exception from creating access token properly
0c14179 Updated from global requirements
3d00a20 Tweak status code in api-ref doc for v3 users
5fc08a7 Fix prameters names in Keystone API v2-ext
f1da1c0 Refactor Keystone admin-tenant API v2
32352f4 Refactor Keystone admin-endpoint API
4d08a1c Fix for unindent warning in doc build
3a84987 add placeholder migrations for newton
0c82abc Remove default=None for config options
0818d42 Ensure the sqla-migrate scripts cache is cleared
d312859 Move test_sql_upgrade.MigrationRepository into keystone.common
5c6d1f3 Rename sql.migration_helpers to sql.upgrades
47d4d08 Give domain admin rights to domain specific implied roles
981b46c Update reno for stable/newton
2d79b03 Refactor find_migrate_repo(): require caller to specify repo
32328de Fixes password created_at errors due to the server_default
e226948 Move the responsibility for stdout to the CLI module
50430f5 Use a read-only DB session to retrieve schema version
1249360 Move rolling upgrade repo names into constants
8ec5930 Removal of imports within functions
dfa6e3f Trivial fixes in the ldap common functions
b52e0de Test that rolling upgrade repos are in lockstep
be80981 Adds tests for verify_length_and_trunc_password()
97585c1 EndpointPolicy driver doesn't inherit interface
f534f36 Faster id mapping lookup
c4784d7 Create unit tests for endpoint policy drivers
c6ed3cd Use URIOpt for endpoint URL options

Diffstat (except docs and test files)
-------------------------------------

CONTRIBUTING.rst | 4 +-
HACKING.rst | 2 +-
MANIFEST.in | 21 -
README.rst | 17 +-
api-ref/source/conf.py | 2 +-
api-ref/source/v2-admin/admin-certificates.inc | 41 +
api-ref/source/v2-admin/admin-endpoints.inc | 34 +-
.../v2-admin/admin-endpoints_parameters.yaml | 71 --
api-ref/source/v2-admin/admin-tenants.inc | 81 +-
api-ref/source/v2-admin/admin-tokens.inc | 48 +-
api-ref/source/v2-admin/admin-users.inc | 84 +-
api-ref/source/v2-admin/index.rst | 1 +
api-ref/source/v2-admin/parameters.yaml | 305 +++--
.../admin/show-ca-certificate-v2-response.txt | 19 +
.../admin/show-signing-certificate-v2-response.txt | 19 +
api-ref/source/v2-ext/ksadm-admin.inc | 142 +--
api-ref/source/v2-ext/kscrud.inc | 6 +-
api-ref/source/v2-ext/ksec2-admin.inc | 42 +-
api-ref/source/v2-ext/parameters.yaml | 155 +--
api-ref/source/v2/index.rst | 3 +-
api-ref/source/v2/overview.inc | 16 +-
api-ref/source/v2/parameters.yaml | 21 +-
api-ref/source/v2/revocations.inc | 32 +
.../v2/samples/admin/extension-show-response.json | 2 +-
.../v2/samples/admin/extensions-list-response.json | 16 +-
.../v2/samples/admin/revoked-tokens-response.json | 3 +
.../v2/samples/admin/version-show-response.json | 2 +-
.../v2/samples/admin/versions-list-response.json | 2 +-
api-ref/source/v3-ext/ep-filter.inc | 306 ++--
api-ref/source/v3-ext/federation.inc | 7 +
.../v3-ext/federation/assertion/assertion.inc | 6 +-
api-ref/source/v3-ext/federation/auth/auth.inc | 6 +-
.../source/v3-ext/federation/auth/parameters.yaml | 9 +
.../v3-ext/federation/identity-provider/idp.inc | 36 +-
.../federation/identity-provider/parameters.yaml | 9 +
.../identity-provider/samples/get-response.json | 1 +
.../identity-provider/samples/list-response.json | 2 +
.../samples/register-request.json | 1 +
.../samples/register-response.json | 1 +
.../identity-provider/samples/update-response.json | 1 +
.../source/v3-ext/federation/mapping/mapping.inc | 10 +-
.../projects-domains/projects-domains.inc | 4 +-
.../v3-ext/federation/service-provider/sp.inc | 10 +-
api-ref/source/v3-ext/index.rst | 2 +
api-ref/source/v3-ext/oauth.inc | 28 +-
api-ref/source/v3-ext/parameters.yaml | 2 +-
api-ref/source/v3-ext/revoke.inc | 2 +-
.../create-endpoint-group-request.json | 2 +-
.../OS-EP-FILTER/get-projects-response.json | 29 -
.../list-associations-by-endpoint-response.json | 29 +
.../list-associations-by-project-response.json | 29 +
.../OS-EP-FILTER/list-endpoints-response.json | 29 -
.../update-endpoint-group-request.json | 7 +
.../update-endpoint-group-response.json | 14 +
.../show-ca-certificate-response.txt | 19 +
.../show-signing-certificate-response.txt | 19 +
api-ref/source/v3-ext/simple-cert.inc | 42 +
api-ref/source/v3-ext/trust.inc | 18 +-
api-ref/source/v3/authenticate-v3.inc | 33 +-
api-ref/source/v3/credentials.inc | 10 +-
api-ref/source/v3/domains-config-v3.inc | 28 +-
api-ref/source/v3/domains.inc | 10 +-
api-ref/source/v3/groups.inc | 354 +++---
api-ref/source/v3/index.rst | 124 +-
api-ref/source/v3/inherit.inc | 92 +-
api-ref/source/v3/os-pki.inc | 32 +
api-ref/source/v3/parameters.yaml | 79 +-
api-ref/source/v3/policies.inc | 22 +-
api-ref/source/v3/projects.inc | 21 +-
api-ref/source/v3/regions-v3.inc | 10 +-
api-ref/source/v3/roles.inc | 961 ++++++++++------
.../auth-password-explicit-unscoped-response.json | 3 +-
.../auth-password-project-scoped-response.json | 3 +-
...auth-password-unscoped-request-with-domain.json | 2 +-
.../admin/auth-password-unscoped-response.json | 3 +-
.../auth-password-user-name-unscoped-request.json | 18 -
.../samples/admin/auth-token-scoped-response.json | 3 +-
.../admin/auth-token-unscoped-response.json | 3 +-
.../samples/admin/credential-update-request.json | 2 +-
.../samples/admin/credential-update-response.json | 2 +-
.../v3/samples/admin/get-pki-revoked-response.json | 3 +
.../samples/admin/group-roles-list-response.json | 23 -
.../samples/admin/identity-versions-response.json | 2 +-
.../v3/samples/admin/policies-list-response.json | 8 +-
.../v3/samples/admin/policy-create-request.json | 4 +-
.../v3/samples/admin/policy-create-response.json | 2 -
.../v3/samples/admin/policy-show-response.json | 4 +-
.../v3/samples/admin/policy-update-request.json | 4 +-
.../v3/samples/admin/policy-update-response.json | 4 +-
...ents-effective-list-include-names-response.json | 10 +-
.../admin/user-password-update-request.json | 2 +-
.../v3/samples/admin/user-roles-list-response.json | 23 -
api-ref/source/v3/service-catalog.inc | 20 +-
api-ref/source/v3/status.yaml | 4 +
api-ref/source/v3/users.inc | 348 +++---
config-generator/keystone.conf | 1 -
devstack/files/federation/shib_apache_alias.txt | 1 +
devstack/files/federation/shib_apache_handler.txt | 16 +
devstack/files/federation/shibboleth2.xml | 77 ++
devstack/lib/federation.sh | 127 +++
devstack/plugin.sh | 64 ++
etc/keystone-paste.ini | 13 +-
etc/keystone.conf.sample | 813 ++++++++------
etc/policy.json | 3 +-
etc/policy.v3cloudsample.json | 17 +-
examples/pki/cms/auth_token_revoked.json | 85 --
examples/pki/cms/auth_token_revoked.pem | 44 -
examples/pki/cms/auth_token_scoped.json | 85 --
examples/pki/cms/auth_token_scoped.pem | 44 -
examples/pki/cms/auth_token_unscoped.json | 23 -
examples/pki/cms/auth_token_unscoped.pem | 19 -
examples/pki/cms/revocation_list.json | 8 -
examples/pki/cms/revocation_list.pem | 15 -
examples/pki/gen_pki.sh | 233 ----
httpd/keystone.py | 41 -
keystone/assignment/V8_backends/__init__.py | 0
keystone/assignment/V8_backends/sql.py | 452 --------
keystone/assignment/V8_role_backends/__init__.py | 0
keystone/assignment/V8_role_backends/sql.py | 80 --
keystone/assignment/backends/base.py | 251 -----
keystone/assignment/backends/sql.py | 5 +-
keystone/assignment/controllers.py | 103 +-
keystone/assignment/core.py | 207 +---
keystone/assignment/role_backends/base.py | 134 ---
keystone/assignment/role_backends/sql.py | 2 +-
keystone/assignment/routers.py | 157 ++-
keystone/auth/__init__.py | 4 +
keystone/auth/controllers.py | 485 ++------
keystone/auth/core.py | 478 +++++++-
keystone/auth/plugins/base.py | 39 +-
keystone/auth/plugins/core.py | 2 -
keystone/auth/plugins/external.py | 14 +-
keystone/auth/plugins/mapped.py | 195 +++-
keystone/auth/plugins/oauth1.py | 12 +-
keystone/auth/plugins/password.py | 8 +-
keystone/auth/plugins/saml2.py | 35 -
keystone/auth/plugins/token.py | 51 +-
keystone/auth/plugins/totp.py | 8 +-
keystone/auth/schema.py | 83 ++
keystone/catalog/backends/base.py | 14 +-
keystone/catalog/backends/sql.py | 95 +-
keystone/catalog/backends/templated.py | 16 +-
keystone/catalog/controllers.py | 88 +-
keystone/catalog/core.py | 23 +-
keystone/cmd/cli.py | 226 ++--
keystone/cmd/doctor/__init__.py | 2 +
keystone/cmd/doctor/caching.py | 2 +-
keystone/cmd/doctor/credential.py | 6 +-
keystone/cmd/doctor/database.py | 3 +-
keystone/cmd/doctor/debug.py | 28 +
keystone/cmd/doctor/ldap.py | 95 ++
keystone/cmd/doctor/security_compliance.py | 2 +-
keystone/cmd/doctor/tokens.py | 6 -
keystone/cmd/doctor/tokens_fernet.py | 6 +-
keystone/cmd/manage.py | 5 +-
keystone/common/authorization.py | 3 +-
keystone/common/cache/_context_cache.py | 10 +-
keystone/common/cache/backends/__init__.py | 0
keystone/common/cache/backends/memcache_pool.py | 28 -
keystone/common/cache/backends/mongo.py | 25 -
keystone/common/cache/backends/noop.py | 56 -
keystone/common/cache/core.py | 4 +
keystone/common/context.py | 12 +-
keystone/common/controller.py | 46 +-
keystone/common/driver_hints.py | 9 +-
keystone/common/fernet_utils.py | 71 +-
keystone/common/json_home.py | 10 +-
keystone/common/kvs/backends/inmemdb.py | 5 +
keystone/common/kvs/backends/memcached.py | 5 +
keystone/common/kvs/core.py | 2 +-
keystone/common/manager.py | 32 -
keystone/common/openssl.py | 2 +-
keystone/common/request.py | 48 +-
keystone/common/resource_options.py | 228 ++++
keystone/common/sql/contract_repo/manage.py | 13 +
...move_unencrypted_blob_column_from_credential.py | 4 +-
.../versions/004_reset_password_created_at.py | 37 +
.../sql/contract_repo/versions/005_placeholder.py | 18 +
.../sql/contract_repo/versions/006_placeholder.py | 18 +
.../sql/contract_repo/versions/007_placeholder.py | 18 +
.../sql/contract_repo/versions/008_placeholder.py | 18 +
.../sql/contract_repo/versions/009_placeholder.py | 18 +
.../010_contract_add_revocation_event_index.py | 15 +
...11_contract_user_id_unique_for_nonlocal_user.py | 23 +
.../versions/012_contract_add_domain_id_to_idp.py | 38 +
...3_protocol_cascade_delete_for_federated_user.py | 31 +
.../014_contract_add_domain_id_to_user_table.py | 95 ++
.../015_contract_update_federated_user_domain.py | 34 +
.../versions/016_contract_add_user_options.py | 16 +
keystone/common/sql/core.py | 46 +-
keystone/common/sql/data_migration_repo/manage.py | 13 +
.../002_password_created_at_not_nullable.py | 3 -
.../versions/004_reset_password_created_at.py | 15 +
.../versions/005_placeholder.py | 18 +
.../versions/006_placeholder.py | 18 +
.../versions/007_placeholder.py | 18 +
.../versions/008_placeholder.py | 18 +
.../versions/009_placeholder.py | 18 +
.../010_migrate_add_revocation_event_index.py | 15 +
.../011_expand_user_id_unique_for_nonlocal_user.py | 15 +
.../versions/012_migrate_add_domain_id_to_idp.py | 55 +
...3_protocol_cascade_delete_for_federated_user.py | 15 +
.../014_migrate_add_domain_id_to_user_table.py | 45 +
.../015_migrate_update_federated_user_domain.py | 36 +
.../versions/016_migrate_add_user_options.py | 16 +
keystone/common/sql/expand_repo/manage.py | 13 +
...dd_key_hash_and_encrypted_blob_to_credential.py | 4 +-
.../versions/004_reset_password_created_at.py | 15 +
.../sql/expand_repo/versions/005_placeholder.py | 18 +
.../sql/expand_repo/versions/006_placeholder.py | 18 +
.../sql/expand_repo/versions/007_placeholder.py | 18 +
.../sql/expand_repo/versions/008_placeholder.py | 18 +
.../sql/expand_repo/versions/009_placeholder.py | 18 +
.../010_expand_add_revocation_event_index.py | 31 +
.../011_expand_user_id_unique_for_nonlocal_user.py | 15 +
.../versions/012_expand_add_domain_id_to_idp.py | 73 ++
...3_protocol_cascade_delete_for_federated_user.py | 15 +
.../014_expand_add_domain_id_to_user_table.py | 165 +++
.../015_expand_update_federated_user_domain.py | 69 ++
.../versions/016_expand_add_user_options.py | 34 +
keystone/common/sql/migrate_repo/manage.py | 13 +
.../versions/081_add_endpoint_policy_table.py | 4 +-
.../versions/082_add_federation_tables.py | 4 +-
.../migrate_repo/versions/083_add_oauth1_tables.py | 4 +-
.../migrate_repo/versions/084_add_revoke_tables.py | 4 +-
.../versions/085_add_endpoint_filtering_table.py | 4 +-
.../versions/093_migrate_domains_to_projects.py | 6 +-
keystone/common/sql/migration_helpers.py | 254 -----
keystone/common/sql/upgrades.py | 293 +++++
keystone/common/tokenless_auth.py | 4 +-
keystone/common/utils.py | 32 +-
keystone/common/validation/validators.py | 8 +-
keystone/common/wsgi.py | 15 +-
keystone/conf/__init__.py | 44 +-
keystone/conf/assignment.py | 8 +-
keystone/conf/auth.py | 15 +-
keystone/conf/constants.py | 9 +-
keystone/conf/default.py | 59 +-
keystone/conf/endpoint_policy.py | 17 -
keystone/conf/kvs.py | 19 +
keystone/conf/ldap.py | 151 +--
keystone/conf/memcache.py | 27 +-
keystone/conf/os_inherit.py | 49 -
keystone/conf/resource.py | 6 +-
keystone/conf/security_compliance.py | 30 +-
keystone/conf/signing.py | 62 +-
keystone/conf/token.py | 60 +-
keystone/contrib/admin_crud/__init__.py | 15 -
keystone/contrib/admin_crud/core.py | 32 -
keystone/contrib/ec2/controllers.py | 28 +-
keystone/contrib/ec2/core.py | 4 +-
.../endpoint_filter/backends/catalog_sql.py | 62 +-
keystone/contrib/endpoint_filter/backends/sql.py | 30 -
keystone/contrib/endpoint_filter/routers.py | 33 -
keystone/contrib/federation/__init__.py | 0
keystone/contrib/federation/backends/__init__.py | 0
keystone/contrib/federation/backends/sql.py | 29 -
keystone/contrib/federation/routers.py | 31 -
keystone/contrib/oauth1/__init__.py | 0
keystone/contrib/oauth1/backends/__init__.py | 0
keystone/contrib/oauth1/backends/sql.py | 30 -
keystone/contrib/oauth1/routers.py | 33 -
keystone/contrib/revoke/__init__.py | 0
keystone/contrib/revoke/backends/__init__.py | 0
keystone/contrib/revoke/backends/sql.py | 28 -
keystone/contrib/revoke/routers.py | 31 -
keystone/contrib/s3/core.py | 4 +-
keystone/contrib/simple_cert/__init__.py | 13 -
keystone/contrib/simple_cert/routers.py | 33 -
keystone/contrib/user_crud/__init__.py | 15 -
keystone/contrib/user_crud/core.py | 32 -
keystone/credential/backends/base.py | 2 +-
keystone/credential/backends/sql.py | 2 +-
keystone/credential/core.py | 15 -
keystone/credential/providers/fernet/core.py | 5 +-
keystone/endpoint_policy/backends/base.py | 31 +-
keystone/endpoint_policy/backends/sql.py | 3 +-
keystone/endpoint_policy/core.py | 15 -
keystone/exception.py | 176 +--
keystone/federation/V8_backends/__init__.py | 0
keystone/federation/V8_backends/sql.py | 389 -------
keystone/federation/backends/base.py | 162 +--
keystone/federation/backends/sql.py | 5 +-
keystone/federation/controllers.py | 6 +-
keystone/federation/core.py | 87 +-
keystone/federation/schema.py | 19 +-
keystone/federation/utils.py | 37 +-
keystone/i18n.py | 2 +-
keystone/identity/backends/base.py | 30 +-
keystone/identity/backends/ldap/common.py | 210 ++--
keystone/identity/backends/ldap/core.py | 238 ++--
keystone/identity/backends/resource_options.py | 121 ++
keystone/identity/backends/sql.py | 70 +-
keystone/identity/backends/sql_model.py | 160 ++-
keystone/identity/controllers.py | 88 +-
keystone/identity/core.py | 253 +++--
keystone/identity/mapping_backends/base.py | 11 +-
keystone/identity/mapping_backends/sql.py | 6 +-
keystone/identity/schema.py | 12 +-
keystone/identity/shadow_backends/base.py | 30 +-
keystone/identity/shadow_backends/sql.py | 52 +-
keystone/locale/de/LC_MESSAGES/keystone.po | 180 +--
keystone/locale/es/LC_MESSAGES/keystone.po | 176 +--
keystone/locale/fr/LC_MESSAGES/keystone.po | 178 +--
keystone/locale/it/LC_MESSAGES/keystone.po | 172 +--
keystone/locale/ja/LC_MESSAGES/keystone.po | 173 +--
.../locale/ko_KR/LC_MESSAGES/keystone-log-error.po | 22 +-
.../locale/ko_KR/LC_MESSAGES/keystone-log-info.po | 25 +-
.../ko_KR/LC_MESSAGES/keystone-log-warning.po | 48 +-
keystone/locale/ko_KR/LC_MESSAGES/keystone.po | 160 +--
keystone/locale/pt_BR/LC_MESSAGES/keystone.po | 174 +--
keystone/locale/ru/LC_MESSAGES/keystone.po | 166 +--
.../locale/tr_TR/LC_MESSAGES/keystone-log-error.po | 18 +-
.../tr_TR/LC_MESSAGES/keystone-log-warning.po | 25 +-
keystone/locale/tr_TR/LC_MESSAGES/keystone.po | 52 +-
.../locale/zh_CN/LC_MESSAGES/keystone-log-error.po | 12 +-
keystone/locale/zh_CN/LC_MESSAGES/keystone.po | 195 +---
keystone/locale/zh_TW/LC_MESSAGES/keystone.po | 155 +--
keystone/middleware/auth.py | 33 +-
keystone/models/revoke_model.py | 18 -
keystone/models/token_model.py | 192 ++--
keystone/notifications.py | 77 +-
keystone/oauth1/backends/base.py | 2 +-
keystone/oauth1/backends/sql.py | 6 +-
keystone/oauth1/controllers.py | 100 +-
keystone/oauth1/core.py | 41 +-
keystone/oauth1/validator.py | 6 +-
keystone/policy/backends/base.py | 2 +-
keystone/policy/backends/rules.py | 5 +-
keystone/policy/controllers.py | 16 +-
keystone/policy/core.py | 15 -
keystone/resource/V8_backends/__init__.py | 0
keystone/resource/V8_backends/sql.py | 260 -----
keystone/resource/backends/base.py | 371 +----
keystone/resource/backends/sql.py | 2 +-
keystone/resource/config_backends/base.py | 2 +-
keystone/resource/config_backends/sql.py | 2 +-
keystone/resource/controllers.py | 71 +-
keystone/resource/core.py | 193 ++--
keystone/resource/routers.py | 4 +-
keystone/revoke/backends/base.py | 7 +-
keystone/revoke/backends/sql.py | 46 +-
keystone/revoke/controllers.py | 6 +
keystone/revoke/core.py | 26 +-
keystone/server/backends.py | 2 +-
keystone/service.py | 61 -
.../legacy_drivers/assignment/V8/__init__.py | 0
.../backend/legacy_drivers/assignment/V8/sql.py | 39 -
.../backend/legacy_drivers/assignment/__init__.py | 0
.../legacy_drivers/federation/V8/__init__.py | 0
.../backend/legacy_drivers/federation/V8/api_v3.py | 108 --
.../backend/legacy_drivers/federation/__init__.py | 0
.../backend/legacy_drivers/resource/V8/__init__.py | 0
.../unit/backend/legacy_drivers/resource/V8/sql.py | 71 --
.../backend/legacy_drivers/resource/__init__.py | 0
.../backend/legacy_drivers/role/V8/__init__.py | 0
.../unit/backend/legacy_drivers/role/V8/sql.py | 30 -
.../unit/backend/legacy_drivers/role/__init__.py | 0
.../unit/common/test_resource_options_common.py | 77 ++
.../unit/config_files/backend_pool_liveldap.conf | 3 +-
.../unit/config_files/backend_tls_liveldap.conf | 1 -
.../unit/endpoint_policy/backends/__init__.py | 0
.../unit/endpoint_policy/backends/test_base.py | 150 +++
.../unit/endpoint_policy/backends/test_sql.py | 43 +
.../unit/identity/backends/test_ldap_common.py | 132 +--
.../unit/identity/shadow_users/test_backend.py | 150 +++
.../test_associate_project_endpoint_extension.py | 41 +-
keystone/token/_simple_cert.py | 4 +-
keystone/token/controllers.py | 742 +++++++-----
keystone/token/persistence/__init__.py | 2 +-
keystone/token/persistence/backends/kvs.py | 23 +-
keystone/token/persistence/backends/memcache.py | 39 -
.../token/persistence/backends/memcache_pool.py | 34 -
keystone/token/persistence/backends/sql.py | 17 +-
keystone/token/persistence/core.py | 47 +-
keystone/token/provider.py | 394 +------
keystone/token/providers/base.py | 99 ++
keystone/token/providers/common.py | 557 +++------
keystone/token/providers/fernet/core.py | 10 +-
.../token/providers/fernet/token_formatters.py | 62 +-
keystone/token/providers/pki.py | 67 --
keystone/token/providers/pkiz.py | 65 --
keystone/token/utils.py | 31 -
keystone/trust/backends/base.py | 11 +-
keystone/trust/backends/sql.py | 20 +-
keystone/trust/controllers.py | 42 +-
keystone/trust/core.py | 28 +-
keystone/v2_crud/admin_crud.py | 4 +-
keystone/v2_crud/user_crud.py | 59 +-
keystone/version/__init__.py | 2 +-
keystone/version/controllers.py | 6 +-
keystone/version/service.py | 4 +-
keystone_tempest_plugin/clients.py | 8 +-
keystone_tempest_plugin/config.py | 46 +-
keystone_tempest_plugin/plugin.py | 12 +-
.../services/identity/clients.py | 7 +-
.../services/identity/v3/auth_client.py | 40 +
.../identity/v3/identity_providers_client.py | 9 +-
.../services/identity/v3/saml2_client.py | 92 ++
.../api/identity/v3/test_identity_providers.py | 22 +-
.../api/identity/v3/test_service_providers.py | 2 +-
.../scenario/test_federated_authentication.py | 176 +++
.../notes/bp-allow-expired-f5d845b9601bc1ef.yaml | 18 +
.../bp-domain-config-default-82e42d946ee7cb43.yaml | 2 +-
...ssword-expires-validation-4b32fe7032595932.yaml | 13 +
.../bp-pci-dss-notifications-808a205a637bac25.yaml | 22 +
...password-requirements-api-87bc724b2aa554f7.yaml | 9 +
...ry-password-expired-users-a7c96a3843bb9abc.yaml | 15 +
...per-user-auth-plugin-reqs-feb95fd907be4b40.yaml | 64 ++
.../notes/bp-shadow-mapping-06fc7c71a401d707.yaml | 12 +
...bp-support-federated-attr-94084d4073f50280.yaml | 7 +
.../notes/bug-1017606-98313bb4c1edf250.yaml | 19 +
.../notes/bug-1524030-ccff6b0ec9d1cbf2.yaml | 23 +
.../notes/bug-1547684-911aed68a0d3df17.yaml | 29 +
.../notes/bug-1561054-dbe88b552a936a05.yaml | 23 +
.../notes/bug-1563101-134df5b99ea48f00.yaml | 7 +
.../notes/bug-1571878-1bcaea5337905af0.yaml | 7 +
.../notes/bug-1582585-a368ac5a252ec84f.yaml | 15 +
.../notes/bug-1611102-e1348cbec9b1110a.yaml | 8 +
.../notes/bug-1616424-c46ba773f7ac40ae.yaml | 7 +
.../notes/bug-1622310-c501cf77437fdfa6.yaml | 18 +
.../notes/bug-1636950-8fa1a47fce440977.yaml | 10 +
releasenotes/notes/bug-1638603-354ee4167e6e.yaml | 9 +
.../notes/bug-1641645-516709f9da3de26f.yaml | 9 +
.../notes/bug-1641654-8630ce7bcde43a7e.yaml | 21 +
.../notes/bug-1641660-f938267e1ec54071.yaml | 13 +
.../notes/bug-1641816-8b39f3f73359c778.yaml | 6 +
.../notes/bug-1642348-83d4c86ad3984d75.yaml | 6 +
.../notes/bug-1642457-4533f9810a8cd927.yaml | 7 +
.../notes/bug-1642687-5497fb56fe86806d.yaml | 18 +
.../notes/bug-1642687-c7ab1c9be152db20.yaml | 23 +
.../notes/bug-1642692-d669c8fcf9e171d9.yaml | 6 +
.../notes/bug-1645487-ca22c216ec26cc9b.yaml | 8 +
.../notes/bug-1649138-c53974f6bb0eab14.yaml | 9 +
.../notes/bug-1649446-efff94143823755d.yaml | 19 +
.../notes/bug-1656076-c4422270f73b43b.yaml | 15 +
.../notes/bug-1659730-17834ba2dde668ae.yaml | 18 + .../notes/bug-1659995-f3e716de743b7291.yaml | 26 + .../deprecated-as-of-ocata-a5b2f1e3e39f818e.yaml | 19 + .../integrate-osprofiler-ad0e16a542b12899.yaml | 2 +- .../notes/oslo.cache-a9ce47bfa8809efa.yaml | 2 +- .../removed-as-of-ocata-436bb4b839e74494.yaml | 103 ++ releasenotes/notes/totp-40d93231714c6a20.yaml | 2 +- releasenotes/source/conf.py | 3 + releasenotes/source/index.rst | 1 + releasenotes/source/newton.rst | 6 + requirements.txt | 24 +- setup.cfg | 36 +- test-requirements.txt | 18 +- tools/sample_data.sh | 8 +- tools/test-setup.sh | 57 + tox.ini | 34 +- 583 files changed, 23346 insertions(+), 18774 deletions(-) Requirements updates -------------------- diff --git a/requirements.txt b/requirements.txt index fd007ac..1ae6ccf 100644 --- a/requirements.txt +++ b/requirements.txt @@ -9,2 +9,2 @@ Babel>=2.3.4 # BSD -pbr>=1.6 # Apache-2.0 -WebOb>=1.2.3 # MIT +pbr>=1.8 # Apache-2.0 +WebOb>=1.6.0 # MIT @@ -19,4 +19,4 @@ sqlalchemy-migrate>=0.9.6 # Apache-2.0 -stevedore>=1.16.0 # Apache-2.0 -passlib>=1.6 # BSD -python-keystoneclient!=2.1.0,>=2.0.0 # Apache-2.0 -keystonemiddleware!=4.1.0,!=4.5.0,>=4.0.0 # Apache-2.0 +stevedore>=1.17.1 # Apache-2.0 +passlib>=1.7.0 # BSD +python-keystoneclient>=3.8.0 # Apache-2.0 +keystonemiddleware>=4.12.0 # Apache-2.0 @@ -25 +25 @@ oslo.concurrency>=3.8.0 # Apache-2.0 -oslo.config>=3.14.0 # Apache-2.0 +oslo.config!=3.18.0,>=3.14.0 # Apache-2.0 @@ -27,2 +27,2 @@ oslo.context>=2.9.0 # Apache-2.0 -oslo.messaging>=5.2.0 # Apache-2.0 -oslo.db!=4.13.1,!=4.13.2,>=4.10.0 # Apache-2.0 +oslo.messaging>=5.14.0 # Apache-2.0 +oslo.db>=4.15.0 # Apache-2.0 @@ -30 +30 @@ oslo.i18n>=2.1.0 # Apache-2.0 -oslo.log>=1.14.0 # Apache-2.0 +oslo.log>=3.11.0 # Apache-2.0 @@ -32 +32 @@ oslo.middleware>=3.0.0 # Apache-2.0 -oslo.policy>=1.9.0 # Apache-2.0 +oslo.policy>=1.17.0 # Apache-2.0 @@ -34 +34 @@ oslo.serialization>=1.10.0 # Apache-2.0 -oslo.utils>=3.16.0 # Apache-2.0 +oslo.utils>=3.18.0 # Apache-2.0 
diff --git a/test-requirements.txt b/test-requirements.txt index 41e60a7..444a2b0 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -9,2 +9,2 @@ bashate>=0.2 # Apache-2.0 -os-testr>=0.7.0 # Apache-2.0 -freezegun # Apache-2.0 +os-testr>=0.8.0 # Apache-2.0 +freezegun>=0.3.6 # Apache-2.0 @@ -13 +13 @@ freezegun # Apache-2.0 -oslo.db[fixtures,mysql,postgresql]!=4.13.1,!=4.13.2,>=4.10.0 # Apache-2.0 +oslo.db[fixtures,mysql,postgresql]>=4.15.0 # Apache-2.0 @@ -16 +16 @@ oslo.db[fixtures,mysql,postgresql]!=4.13.1,!=4.13.2,>=4.10.0 # Apache-2.0 -coverage>=3.6 # Apache-2.0 +coverage>=4.0 # Apache-2.0 @@ -20 +20 @@ fixtures>=3.0.0 # Apache-2.0/BSD -lxml>=2.3 # BSD +lxml!=3.7.0,>=2.3 # BSD @@ -25 +25 @@ oslotest>=1.10.0 # Apache-2.0 -sphinx!=1.3b1,<1.3,>=1.2.1 # BSD +sphinx!=1.3b1,<1.4,>=1.2.1 # BSD @@ -35,2 +35,2 @@ testtools>=1.4.0 # MIT -oslosphinx!=3.4.0,>=2.5.0 # Apache-2.0 -reno>=1.8.0 # Apache2 +oslosphinx>=4.7.0 # Apache-2.0 +reno>=1.8.0 # Apache-2.0 @@ -41 +41 @@ tempest>=12.1.0 # Apache-2.0 -requests>=2.10.0 # Apache-2.0 +requests!=2.12.2,>=2.10.0 # Apache-2.0
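Review bot: the `+oslo.config!=3.18.0,>=3.14.0 # Apache-2.0` line in the requirements.txt `@@ -25 +25 @@` hunk adds a version exclusion with no inline reason; a short `# ...` comment or a release-note reference next to the pin would keep the exclusion auditable and make it clear when it can safely be lifted. The neighbouring `@@ -19,4 +19,4 @@` and `@@ -27,2 +27,2 @@` hunks drop the old `!=` exclusions on python-keystoneclient, keystonemiddleware and oslo.db only because the new floors (`>=3.8.0`, `>=4.12.0`, `>=4.15.0`) sit above every excluded version, which is consistent.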
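Review bot: in the test-requirements.txt `@@ -35,2 +35,2 @@` hunk, `-reno>=1.8.0 # Apache2` / `+reno>=1.8.0 # Apache-2.0` changes only the license comment, not the version floor, so it should not be read as a reno bump; the `@@ -13 +13 @@` hunk keeps `oslo.db[fixtures,mysql,postgresql]>=4.15.0` in step with the runtime `oslo.db>=4.15.0` floor in requirements.txt, which is the property to preserve so tests do not run against a release the service itself would refuse.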