Commits on Jul 26, 2012
  1. Cryptographically Signed tokens

    Uses CMS to create tokens that can be verified without network calls.
    
    Tokens encapsulate authorization information.
    This includes user name and roles in JSON.
    The JSON document info is cryptographically signed with a private key
    from Keystone, in accordance with the Cryptographic Message Syntax (CMS)
    in DER format and then Base64 encoded.  The header, footer, and line breaks
    are stripped to minimize the size, and slashes, which are invalid in Base64,
    are converted to hyphens.
    
    Since signed tokens are not validated against the Keystone server,  they
    continue to be valid until the expiration time.  This means that even if a user
    has their roles revoked or their account disabled, those changes will not take
    effect until their token times out.  The prototype for this is Kerberos, which
    has the same limitation, and has functioned successfully with it for decades.  It
    is possible to set the token time out for much shorter than the default of 8
    hours, but that may mean that users' tokens will time out prior to completion
    of long running tasks.
    
    This should be a drop-in replacement for the current token production code.
    Although the signed token is longer than the older format, the token is still
    a unique stream of alphanumeric characters.
    
    The auth token middleware is capable of handling both uuid and signed tokens.
    
    To start with, the PKI functionality is disabled.  This will keep from breaking
    the existing deployments.  However, it can be enabled with the config value:
    
    [signing]
    disable_pki = False
    
    The 'id_hash' column is added to the SQL schema because SQLAlchemy insists on
    each table having a primary key.  However, primary keys are limited to roughly
    250 Characters (768 Bytes, but there is more than 1 varchar per byte) so the
    ID field cannot be used as the primary key anymore.  id_hash is a hash of the
    id column, and should be used for lookups as it is indexed.
    
    middleware/auth_token.py needs to stand alone in the other services, and uses
    keystone.common.cms in order to verify tokens.
    Token needs to have all of the data from the original authenticate code
    contained in the signed document, as the authenticate RPC will no longer
    be called in many cases.
    
    The datetime of expiry is signed in the token.
    
    The certificates are accessible via web APIs.  On the remote service side,
    certificates needed to authenticate tokens are stored in /tmp/keystone-signing
    by default.  Remote systems use Paste API to read configuration values.
    Certificates are retrieved only if they are not on the local system.
    
    When authenticating in Keystone systems, it still does the Database checks for
    token presence.  This allows Keystone to continue to enforce Timeout and
    disabled users.
    
    The service catalog has been added to the signed token.  Although this greatly
    increases the size of the token, it makes it consistent with what is fetched
    during the token authenticate checks.
    
    This change also fixes time variations in expiry test.  Although unrelated to
    the above changes, it was making testing very frustrating.
    
    For the database Upgrade scripts, we now only bring 'token' up to V1 in 001
    script.  This makes it possible to use the same 002 script for both upgrade
    and initializing a new database.
    
    Upon upgrade, the current UUID tokens are retained in the id_hash and id fields.
    The mechanisms to verify uuid tokens work the same as before.  On downgrade,
    token_ids are dropped.
    
    Takes into account changes for "Raise unauthorized if tenant disabled"
    
        Bug 1003962
    
    Change-Id: I89b5aa609143bbe09a36bfaf64758c5306e86de7
    Adam Young committed Jul 3, 2012
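The token packing the commit describes (PEM framing stripped, slashes turned into hyphens, `id_hash` as the lookup key, expiry checked locally) as an added example; this is not Keystone's own code. The CMS signing step is stubbed: the JSON document is wrapped as if it were the signed DER blob, because producing real CMS needs a private key and an OpenSSL-style tool. The payload layout, the user `alice`, the role `member`, and SHA-256 for `id_hash` are assumptions of this example (the commit only says "a hash of the id column").

```python
import base64
import hashlib
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

PEM_HEADER = "-----BEGIN CMS-----"
PEM_FOOTER = "-----END CMS-----"
LINE_LEN = 64  # column width of PEM-style Base64 output


def pem_wrap(der: bytes) -> str:
    """PEM-style framing as a CMS tool emits it: header line,
    64-column Base64 lines, footer line, trailing newline."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + LINE_LEN] for i in range(0, len(b64), LINE_LEN)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def cms_to_token(pem: str) -> str:
    """Token form from the commit: drop header, footer and line breaks,
    then replace '/' with '-'."""
    body = pem.replace(PEM_HEADER, "").replace(PEM_FOOTER, "")
    body = "".join(body.split())  # removes \n, \r and any stray whitespace
    return body.replace("/", "-")


def token_to_der(token: str) -> bytes:
    """Inverse of cms_to_token: restore '/' and decode, ready for a CMS verifier."""
    return base64.b64decode(token.replace("-", "/"), validate=True)


def id_hash(token_id: str) -> str:
    """Fixed-width key for the id_hash column (assumption: SHA-256 hex).
    Long signed tokens cannot be the primary key, so lookups use this."""
    return hashlib.sha256(token_id.encode("ascii")).hexdigest()


def build_payload(user: str, roles: list, expires: datetime, catalog=None) -> bytes:
    """Constructed payload (not Keystone's exact schema) carrying the fields
    the commit says are inside the signed document."""
    doc = {
        "user": user,
        "roles": roles,
        "expires": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "serviceCatalog": catalog or [],
    }
    return json.dumps(doc, sort_keys=True).encode("utf-8")


def offline_check(token: str, now: datetime) -> Optional[dict]:
    """What a remote service can decide without calling Keystone: signature
    (stubbed here) and the signed expiry. A revoked role or a disabled account
    is not visible from the token itself, which is the limitation the commit
    points out."""
    doc = json.loads(token_to_der(token))  # stub: real code verifies CMS first
    expires = datetime.strptime(doc["expires"], "%Y-%m-%dT%H:%M:%SZ")
    expires = expires.replace(tzinfo=timezone.utc)
    return doc if now < expires else None


def demo(now: Optional[datetime] = None):
    """Round-trip a constructed token; returns (token, id_hash, valid_now, valid_9h_later)."""
    now = now or datetime(2012, 7, 26, 12, 0, tzinfo=timezone.utc)
    payload = build_payload("alice", ["member"], now + timedelta(hours=8))
    token = cms_to_token(pem_wrap(payload))
    valid_now = offline_check(token, now) is not None
    valid_later = offline_check(token, now + timedelta(hours=9)) is not None
    return token, id_hash(token), valid_now, valid_later


if __name__ == "__main__":
    tok, key, ok_now, ok_later = demo()
    print(tok[:40] + "...", key[:16] + "...", ok_now, ok_later)
```

Only `/` is rewritten; the `+` and `=` characters of standard Base64 survive the transform, so anything that URL-decodes or header-splits the token has to tolerate them. The `offline_check` return value also makes the commit's trade-off concrete: once the signature and expiry pass, nothing in the token tells the remote service that the user was disabled, which is why the Keystone side still consults its database.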
Commits on Jul 25, 2012
Commits on Jul 24, 2012
  1. Merge "Implementation of LDAP functions"

    Jenkins committed with openstack-gerrit Jul 24, 2012
Commits on Jul 20, 2012
  1. Merge "Files for Apache-HTTPD"

    Jenkins committed with openstack-gerrit Jul 20, 2012
Commits on Jul 19, 2012
  1. Sync jsonutils from openstack-common

    This makes keystone work with recent versions of anyjson.
    
    Changes from openstack-common:
    
        commit ce3071437d1871f77c4d8573cbe5f4ea8c817650
        Author: Russell Bryant <rbryant@redhat.com>
        Date:   Mon Jul 16 10:30:25 2012 -0400
    
            Use strtime() in to_primitive() for datetime objs.
    
            This patch updates jsonutils.to_primitive() to use timeutils.strtime()
            to convert a datetime object to a string instead of just using str().
            This ensures that we can easily convert the string back to a datetime
            using timeutils.parse_strtime().
    
            Required for the nova blueprint no-db-messaging.
    
            Change-Id: I725b333695930e12e2832378102514326fec639c
    
        commit 4c9d439ef24f5afdd74aa9153aa8fc772051e6cb
        Author: Tim Daly Jr <timjr@yahoo-inc.com>
        Date:   Tue Jun 26 02:48:42 2012 +0000
    
            Add 'filedecoder' method to the jsonutils wrapper module.
    
            Fixes bug #1017765
    
            After version 3.3.2, the anyjson library will throw a KeyError if
            filedecoder isn't present.  The filedecoder is just like the decoder
            except it takes a file instead of a string, like json.load() instead
            of json.loads().
    
            Change-Id: I7bd012a7b4afa9b1ec987c3e6393cc922b5dadff
    
    Change-Id: Icfd5c39c322ed6e73148c7f5ae03f704a3aa160e
    vuntz committed Jul 19, 2012
  2. Added user name validation. Fixes bug 966251.

    1. Verified name length while creating/updating user.
    2. Disallowed blank user name in create/update.
    3. Added unit test coverage.
    
    Change-Id: I55cd5daf34f4f57d4163be403a7a75c5d22baa62
    Unmesh Gurjar committed Jul 19, 2012
Commits on Jul 18, 2012
  1. Import ec2 credentials from old keystone db

    Fix bug #1016056
    
    Change-Id: Iebf31ccbdeff274b2c8f265911d3411963dd4844
    trid committed Jul 11, 2012
Commits on Jul 17, 2012
  1. Debug output may include passwords (bug 1004114)

    Change-Id: If0a7704ff578162d6b7fa8b68c0e0ed37e72cb73
    dolph committed Jul 17, 2012
Commits on Jul 16, 2012
  1. Raise unauthorized if tenant disabled (bug 988920)

    If the client attempts to explicitly authenticate against a disabled
    tenant, keystone should return HTTP 401 Unauthorized.
    
    Change-Id: I49fe56b6ef8d9f2fc6b9357472dae8964bb9cb9c
    dolph committed Jul 16, 2012
  2. Files for Apache-HTTPD

    Files required for running Keystone in Apache-HTTPD and instructions to set it up
    
    Change-Id: Ib3fdf873ea3816186e6bb63307028ba3aa2edaa9
    Adam Young committed May 1, 2012
  3. Implementation of LDAP functions

    implementations of delete_tenant, delete_user,
      remove_role_from_user_and_tenant, get_tenant_users
      role.delete_user and remove_role_from_user_and_tenant
      remove_user_from_tenant, change_role
    
    clean up LDAP sample data for live LDAP
    
    properly check for existence of tenant_id in user.
    
    Some tests expected the functions to be unimplemented.  Those hid the
    failures on the LDAP Identity provider and have been removed.
    
    Make live tests extend the standard LDAP tests, so they test the same features.
    
    Bug 1021315
    
    Change-Id: I2866ff40fdc13040ba10d189ea2d95440eb4395c
    Adam Young committed Jul 12, 2012
Commits on Jul 15, 2012
  1. Fix the wrong information in keystone-manage.rst

    Change-Id: I63d789b15361c74d11531646c30fd45f111e236c
    wanglong committed Jul 15, 2012
Commits on Jul 13, 2012
  1. Webob needs body to calc Content-Length (bug 1016171)

    - Refactored render_response() and added relevant tests
    
    Change-Id: I121e8cc641fe11a036106cbfd206f0aa1f6da560
    dolph committed Jun 21, 2012
  2. Merge "Admin Auth URI prefix"

    Jenkins committed with openstack-gerrit Jul 13, 2012
Commits on Jul 12, 2012
  1. Merge "adding keystoneclient test"

    Jenkins committed with openstack-gerrit Jul 12, 2012
  2. Prevent service catalog injection in auth_token.

    Updates the auth_token middleware to explicitly prevent
    X-Service-Catalog headers from being injected into responses.
    In general Keystone would override these with its own service
    catalog... however since X-Service-Catalog is optional and
    not all implementations/calls return it is good to be safe and
    just remove incoming X-Service-Catalog headers if they are set.
    
    Fixes LP Bug #1023998.
    
    Change-Id: I9497937abd1b434b42b40bc943a508dd7f1a3585
    dprince committed Jul 12, 2012
  3. Admin Auth URI prefix

    Allows the prepending of a prefix to the URI used for admin tasks.  This allows URIs like
    https://hostname/keystone/main/v2.0
    
    PEP8 fix
    Added To Unit test to ensure auth_prefix is checked
    
    Bug: 994860
    Change-Id: I851e059e8b17c1bc02ab93d8b09a3fb47b9d3fee
    ayoung committed with Adam Young May 5, 2012
  4. updating testing documentation

    Change-Id: I78c55c3050573d6430028bfc3c3c5d8a8c3e93b0
    heckj committed Jul 12, 2012
  5. adding keystoneclient test

    adding a test for version 0.1.1 with the new tagging scheme (released
    with/just post Essex)
    
    Change-Id: Ic6900717c616feee0bce8253fae1e51ac837b811
    heckj committed Jul 12, 2012
  6. Removed redundant / excessively verbose debug

    Before: http://paste.openstack.org/raw/19365/
    After: http://paste.openstack.org/raw/19364/
    
    Change-Id: Iea2bc9a3448669031ed3e5578a01537635087289
    dolph committed Jul 12, 2012
Commits on Jul 11, 2012
  1. Making docs pretty!

      * Before: http://stsh.me/2Qx
      * After: http://stsh.me/2Qy
    
    Change-Id: I80cf07e05d253f582f4bca129f0dcdba1a315469
    jakedahn committed Jul 11, 2012
Commits on Jul 10, 2012
  1. Adding user password setting api call

    Fixes bug 996922
    
    This commit adds a user_crud module that can be used in the public wsgi
    pipeline, currently the only operation included allows a user to update
    their own password.
    
    In order to change their password a user should make a HTTP PATCH to
    /v2.0/OS-KSCRUD/users/<userid>
    with the json data formatted like this
    {"user": {"password": "DCBA", "original_password": "ABCD"}}
    
    in addition to changing the user's password, all current tokens
    will be cleared (for token backends that support listing) and
    a new token id will be returned.
    
    Change-Id: I0cbdafbb29a5b6531ad192f240efb9379f0efd2d
    derekhiggins committed Jul 5, 2012
Commits on Jul 9, 2012
  1. Merge "Fixing pep8 errors in tests/*py"

    Jenkins committed with openstack-gerrit Jul 9, 2012
  2. Fixing pep8 errors in tests/*py

    Fixes bug 1022575
    
    Making change to tests/*py to pass pep8 tests.
    pep8 tests started failing following
    39b20ac update pep8 to 1.3.3
    04df79b include tests dir in pep8 tests
    
    Change-Id: I2d7dec0a87f1ae9b5f828d7f321b65bf8c06a421
    derekhiggins committed Jul 9, 2012