Aug 16, 2012

  1. Thierry Carrez

    Adding missing files to MANIFEST.in

    Fix MANIFEST.in to include files missing from generated tarballs.
    Fixes bug 1037010.
    
    Change-Id: I33a911e77cc364e761de0c45de7046eca58797b1
    authored August 15, 2012

Aug 14, 2012

  1. Merge "Simplify the sql backend deletion of users and tenants."

    authored August 14, 2012 openstack-gerrit committed August 14, 2012

Aug 13, 2012

  1. Merge "Set example key_size to 1024."

    authored August 13, 2012 openstack-gerrit committed August 13, 2012
  2. Merge "fix broken link"

    authored August 13, 2012 openstack-gerrit committed August 13, 2012

Aug 12, 2012

  1. rbtcollins

    Simplify the sql backend deletion of users and tenants.

    There is a remaining problem in that the table definition permits dangling
    membership in tenants, and vice versa, but this change will make the fix for
    that easier to review, and make the code simpler and faster at the same time.
    
    See bug 1000609 for the bug report that led to examining this.
    
    Change-Id: Id7cd5fad7032779d352a7c577c8d10558091d767
    authored August 12, 2012

Aug 07, 2012

  1. Allow overloading of username and tenant name in the config files.

    Includes documentation and sample config file values.
    
    Bug 997700
    
    Patchset adds DocImpact flag for notifying doc team about these new
    config file values.
    
    Change-Id: Ibd3fade3f233a3b89a1c2feaa0a6b5a9569ad86c
    authored July 26, 2012 annegentle committed August 07, 2012
  2. Merge "Implement python version of migration 002."

    authored August 07, 2012 openstack-gerrit committed August 07, 2012

Aug 06, 2012

  1. Merge "Use user home dir as default for cache"

    authored August 06, 2012 openstack-gerrit committed August 06, 2012

Aug 01, 2012

  1. Dolph Mathews

    Enabling SQL Catalog tests (bug 958950)

    Change-Id: I9d33d95ffa357b88f099a5a37aa4a139d93fd82f
    authored August 01, 2012
  2. Use user home dir as default for cache

    This is a better and safer default, as it minimizes the
    possibility that the cache directory will be prepopulated or
    unwritable, while still providing a reasonable value for the
    individual developer
    
    Creates a better exception for failure to create the cache
    dir
    
    Logs the name of the cache dir actually used.
    
    Bug 1031022
    
    Change-Id: Ia3718107e436ceb034e3a89318ac05265d66d6f1
    authored July 31, 2012

Jul 31, 2012

  1. Dan Prince

    Set example key_size to 1024.

    Updates the default key_size and config file example to 1024.
    Using the previous value of 2048 would cause database truncation
    and/or column size errors because the 'id' column isn't big enough
    to hold that much data.
    
    Works around LP Bug #1031191.
    
    Change-Id: Ic28bf0945a65fb80a4b610a4de7afa485d09e2bb
    authored July 30, 2012
  2. Dan Prince

    Log errors when signing/verifying.

    The patch updates the PKI cms_verify and cms_sign_text methods so
    that they log full error messages to the log file when errors occur.
    These error messages will now include useful output from the openssl
    commands that failed (which should help end users better diagnose
    configuration issues with PKI). For example:
    
     2012-07-31 11:10:53    ERROR [keystone.common.cms] Error opening signing
     key file /etc/keystone/ssl/private/signing_key.pem
     140380567730016:error:0200100D:system library:fopen:Permission
     denied:bss_file.c:398:fopen('/etc/keystone/ssl/private/signing_key.pem','r')
     140380567730016:error:20074002:BIO routines:FILE_CTRL:system
     lib:bss_file.c:400:
     unable to load signing key file
    
    Previously you'd just get an error that looked like this:
    
     CalledProcessError: Command 'openssl' returned non-zero exit status 3
    
    Fixes LP Bug #1031317.
    
    Change-Id: I8990ef057488fe71d077a02b443da464f99fcd94
    authored July 31, 2012
  3. Merge "Assert adminness on token validation (bug 1030968)"

    authored July 31, 2012 openstack-gerrit committed July 31, 2012
  4. Dan Prince

    Implement python version of migration 002.

    This patch adds a python version of keystone migration 002 which
    supports MySQL and PostgreSQL. SQLite still uses manual .sql files
    for now...
    
    Fixes LP Bug #1031164.
    
    Change-Id: I2f4f7b0ea42040994bd8e1711ccbbb6d690c868f
    authored July 30, 2012

Jul 30, 2012

  1. Dan Prince

    Set default signing_dir based on os USER.

    Updates the Keystone auth_token middleware so that it sets the
    default signing_dir name based on the OS username obtained
    from the environment. This should help resolve potential permissions
    issues which can occur when multiple OpenStack services attempt
    to use the same signing directory name.
    
    Fixes LP Bug #1031022.
    
    Change-Id: I53bceed27f60721b8f61ffec2d1e91ec2ea464ed
    authored July 30, 2012
  2. Dolph Mathews

    Assert adminness on token validation (bug 1030968)

    - Only affects non-PKI tokens
    
    - Includes style changes following bug 1003962
      - Fixed redundant imports & import order
      - Fixed single quote consistency
      - Fixed line continuations
      - Refactored a bit for readability
    
    Change-Id: I2d2566c615919f4968fd5636744fdb613b8fa3ad
    authored July 30, 2012
  3. Merge "Test for Cert by name"

    authored July 30, 2012 openstack-gerrit committed July 30, 2012
  4. Test for Cert by name

    Fixes a typo in checking if cert file exists.
    
    Bug 1030912
    
    Change-Id: Iea783aaa6bc425a17799d40cd6b378d90ebe6faf
    authored July 30, 2012

Jul 27, 2012

  1. Syed Armani

    Typo error in keystone/doc/source/configuration.rst.

    Change-Id: I076d4679cd797db816b99e63053661515712302b
    authored July 28, 2012
  2. Alan Pevec

    fix broken link

    sections have implicit hyperlink targets
    http://docutils.sourceforge.net/docs/ref/rst/restructuredtext.html#implicit-hyperlink-targets
    
    bug 1027109
    
    Change-Id: I984695c16f77e7939c5aebe65060abc13e3514ca
    authored July 27, 2012

Jul 26, 2012

  1. Cryptographically Signed tokens

    Uses CMS to create tokens that can be verified without network calls.
    
    Tokens encapsulate authorization information.
    This includes user name and roles in JSON.
    The JSON document info is cryptographically signed with a private key
    from Keystone, in accordance with the Cryptographic Message Syntax (CMS)
    in DER format and then Base64 encoded.  The header, footer, and line breaks
    are stripped to minimize the size, and slashes which are invalid in Base64
    are converted to hyphens.
    
    Since signed tokens are not validated against the Keystone server,  they
    continue to be valid until the expiration time.  This means that even if a user
    has their roles revoked or their account disabled, those changes will not take
    effect until their token times out.  The prototype for this is Kerberos, which
    has the same limitation, and has functioned successfully with it for decades.  It
    is possible to set the token time out for much shorter than the default of 8
    hours, but that may mean that users' tokens will time out prior to completion
    of long running tasks.
    
    This should be a drop in replacement for the current token production code.
    Although the signed token is longer than the older format, the token is still
    a unique stream of alphanumeric characters.
    
    The auth token middleware is capable of handling both uuid and signed tokens.
    
    To start with, the PKI functionality is disabled.  This will keep from breaking
    the existing deployments.  However,  it can be enabled with the config value:
    
    [signing]
    disable_pki = False
    
    The 'id_hash' column is added to the SQL schema because SQL alchemy insists on
    each table having a primary key.  However primary keys are limited to roughly
    250 Characters (768 Bytes,  but there is more than 1 varchar per byte) so the
    ID field cannot be used as the primary key anymore.  id_hash is a hash of the
    id column, and should be used for lookups as it is indexed.
    
    middleware/auth_token.py needs to stand alone in the other services, and uses
    keystone.common.cms in order to verify tokens.
    Token needs to have all of the data from the original authenticate code
    contained in the signed document, as the authenticate RPC will no longer
    be called in many cases.
    
    The datetime of expiry is signed in the token.
    
    The certificates are accessible via web APIs.  On the remote service side,
    certificates needed to authenticate tokens are stored in /tmp/keystone-signing
    by default.  Remote systems use Paste API to read configuration values.
    Certificates are retrieved only if they are not on the local system.
    
    When authenticating in Keystone systems, it still does the Database checks for
    token presence.  This allows Keystone to continue to enforce Timeout and
    disabled users.
    
    The service catalog has been added to the signed token.  Although this greatly
    increases the size of the token, it makes it consistent with what is fetched
    during the token authenticate checks.
    
    This change also fixes time variations in expiry test.  Although unrelated to
    the above changes, it was making testing very frustrating.
    
    For the database Upgrade scripts, we now only bring 'token' up to V1 in 001
    script.  This makes it possible to use the same 002 script for both upgrade
    and initializing a new database.
    
    Upon upgrade, the current UUID tokens are retained in the id_hash and id fields.
    The mechanisms to verify uuid tokens work the same as before.  On downgrade,
    token_ids are dropped.
    
    Takes into account changes for "Raise unauthorized if tenant disabled"
    
    Bug 1003962
    
    Change-Id: I89b5aa609143bbe09a36bfaf64758c5306e86de7
    authored July 02, 2012
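The token encoding described in the commit above (DER CMS output, Base64, PEM header, footer and line breaks stripped, '/' turned into '-') and the id_hash lookup column, as an added Python example that is not Keystone's own code; the helper names, the "CMS" PEM label, the 64-character PEM line width and MD5 for id_hash are assumptions made here.

```python
"""Keystone-style PKI token encoding (added example, not Keystone's code).

A real token is `openssl cms -sign -outform DER` output; here a constructed
byte string stands in for that DER blob so the example runs offline.
"""
import base64
import hashlib

PEM_HEADER = "-----BEGIN CMS-----"   # assumed PEM labels
PEM_FOOTER = "-----END CMS-----"

# Constructed stand-in for a DER-encoded CMS SignedData blob.
SAMPLE_DER = bytes(range(256)) * 2


def _pem_wrap(body: str) -> str:
    """Lay out a Base64 body as 64-character lines between header and footer."""
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def der_to_pem(der: bytes) -> str:
    """What `openssl cms -sign -outform PEM` would hand back for this blob."""
    return _pem_wrap(base64.b64encode(der).decode("ascii"))


def cms_to_token(pem: str) -> str:
    """Strip header, footer and newlines; '/' is not URL-safe, so use '-'."""
    body = pem.replace(PEM_HEADER, "").replace(PEM_FOOTER, "").replace("\n", "")
    return body.replace("/", "-")


def token_to_cms(token: str) -> str:
    """Reverse cms_to_token so the token can be fed back to `openssl cms -verify`."""
    return _pem_wrap(token.replace("-", "/"))


def token_to_der(token: str) -> bytes:
    """Recover the raw DER blob, e.g. to verify with `-inform DER`."""
    return base64.b64decode(token.replace("-", "/"))


def id_hash(token: str) -> str:
    """Fixed-length key for the indexed 'id_hash' column (MD5 assumed here);
    the token itself is far longer than a varchar primary key allows."""
    return hashlib.md5(token.encode("ascii")).hexdigest()
```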

Jul 25, 2012

  1. Merge "Raise unauthorized if tenant disabled (bug 988920)"

    authored July 25, 2012 openstack-gerrit committed July 25, 2012

Jul 24, 2012

  1. Merge "Implementation of LDAP functions"

    authored July 24, 2012 openstack-gerrit committed July 24, 2012

Jul 20, 2012

  1. Merge "Files for Apache-HTTPD"

    authored July 20, 2012 openstack-gerrit committed July 20, 2012

Jul 19, 2012

  1. Merge "Sync jsonutils from openstack-common"

    authored July 19, 2012 openstack-gerrit committed July 19, 2012
  2. Merge "Fix the wrong infomation in keystone-manage.rst"

    authored July 19, 2012 openstack-gerrit committed July 19, 2012
  3. Merge "Import ec2 credentials from old keystone db"

    authored July 19, 2012 openstack-gerrit committed July 19, 2012
  4. Merge "Debug output may include passwords (bug 1004114)"

    authored July 19, 2012 openstack-gerrit committed July 19, 2012
  5. Vincent Untz

    Sync jsonutils from openstack-common

    This makes keystone work with recent versions of anyjson.
    
    Changes from openstack-common:
    
        commit ce30714
        Author: Russell Bryant <rbryant@redhat.com>
        Date:   Mon Jul 16 10:30:25 2012 -0400
    
            Use strtime() in to_primitive() for datetime objs.
    
            This patch updates jsonutils.to_primitive() to use timeutils.strtime()
            to convert a datetime object to a string instead of just using str().
            This ensures that we can easily convert the string back to a datetime
            using timeutils.parse_strtime().
    
            Required for the nova blueprint no-db-messaging.
    
            Change-Id: I725b333695930e12e2832378102514326fec639c
    
        commit 4c9d439
        Author: Tim Daly Jr <timjr@yahoo-inc.com>
        Date:   Tue Jun 26 02:48:42 2012 +0000
    
            Add 'filedecoder' method to the jsonutils wrapper module.
    
            Fixes bug #1017765
    
            After version 3.3.2, the anyjson library will throw a KeyError if
            filedecoder isn't present.  The filedecoder is just like the decoder
            except it takes a file instead of a string, like json.load() instead
            of json.loads().
    
            Change-Id: I7bd012a7b4afa9b1ec987c3e6393cc922b5dadff
    
    Change-Id: Icfd5c39c322ed6e73148c7f5ae03f704a3aa160e
    authored July 19, 2012
  6. Added user name validation. Fixes bug 966251.

    1. Verified name length while creating/updating user.
    2. Disallowed blank user name in create/update.
    3. Added unit test coverage.
    
    Change-Id: I55cd5daf34f4f57d4163be403a7a75c5d22baa62
    authored July 19, 2012

Jul 18, 2012

  1. Dmitry Khovyakov

    Import ec2 credentials from old keystone db

    Fix bug #1016056
    
    Change-Id: Iebf31ccbdeff274b2c8f265911d3411963dd4844
    authored July 11, 2012

Jul 17, 2012

  1. Dolph Mathews

    Debug output may include passwords (bug 1004114)

    Change-Id: If0a7704ff578162d6b7fa8b68c0e0ed37e72cb73
    authored July 17, 2012

Jul 16, 2012

  1. Dolph Mathews

    Raise unauthorized if tenant disabled (bug 988920)

    If the client attempts to explicitly authenticate against a disabled
    tenant, keystone should return HTTP 401 Unauthorized.
    
    Change-Id: I49fe56b6ef8d9f2fc6b9357472dae8964bb9cb9c
    authored July 16, 2012
  2. Files for Apache-HTTPD

    files required for running Keystone in Apache-HTTPD and instructions to set it up
    
    Change-Id: Ib3fdf873ea3816186e6bb63307028ba3aa2edaa9
    authored May 01, 2012
  3. Implementation of LDAP functions

    implementations of delete_tenant, delete_user,
      remove_role_from_user_and_tenant, get_tenant_users
      role.delete_user and remove_role_from_user_and_tenant
      remove_user_from_tenant, change_role
    
    clean up LDAP sample data for live LDAP
    
    properly check for existence of tenant_id in user.
    
    Some tests expected the functions to be unimplemented.  Those hid the
    failures on the LDAP Identity provider and have been removed.
    
    Make live tests extend the standard LDAP tests, so they test the same features.
    
    Bug 1021315
    
    Change-Id: I2866ff40fdc13040ba10d189ea2d95440eb4395c
    authored July 12, 2012