Draft
Change-Id: I23bf9b0d14b1f7b3ab5982a2f213844e066dcf34
Update the URL to the upper-constraints file to point to the redirect rule on releases.openstack.org so that anyone working on this branch will switch to the correct upper-constraints list automatically when the requirements repository branches. Until the requirements repository has a stable/2025.1 branch, tests will continue to use the upper-constraints list on master. Change-Id: Ib20317d6b7e0f383d14707370f7938ee125207dc
We will address this in a new API version. For now, such a change would be a breaking one. No release note is included since these changes haven't been released yet. Change-Id: I1e862cb1c5e9c218cea59800ff759a1b094b5906 Signed-off-by: Stephen Finucane <stephenfin@redhat.com> Closes-Bug: #2104185 (cherry picked from commit 05cc3d1)
The presence of a call to 'build_driver_hints' in the method indicates that filters are permitted for this API, even if they're not currently documented. We also rename the variables and fix a docstring to avoid confusion about what the schemas are intended for. Change-Id: I17c4e5116ded437a8561b5f721899cdc653c352e Signed-off-by: Stephen Finucane <stephenfin@redhat.com> (cherry picked from commit 187c1af)
We missed a few in change I1e862cb1c5e9c218cea59800ff759a1b094b5906. We also missed a few comments in places that we can change later. Change-Id: I6fc40baf536605d9d347741bcf035958b8490b07 Signed-off-by: Stephen Finucane <stephenfin@redhat.com> (cherry picked from commit 46ba4f4)
With a change to swap sqlalchemy-migrate with alembic [1] a `db_sync --check` was broken. This is due to both `upgrades.get_db_version` and `upgrades.get_current_heads` actually checking the "current" state of the database by calling _get_current_heads [2][3], while the obvious intention was to compare the intended state with the current state. With that we're introducing upgrade.get_head_revisions which will fetch revisions not from the database, but from the environment [4]. As a result `db_sync --check` does compare the desired state of the DB with the actual state and exits with the corresponding status again.
[1] https://opendev.org/openstack/keystone/commit/f174b4fa7c4fb010bbacc8c5a5f3625a8fcb41f3
[2] https://opendev.org/openstack/keystone/src/branch/master/keystone/common/sql/upgrades.py#L147
[3] https://opendev.org/openstack/keystone/src/branch/master/keystone/common/sql/upgrades.py#L191
[4] https://alembic.sqlalchemy.org/en/latest/api/runtime.html#alembic.runtime.environment.EnvironmentContext.get_head_revisions
Closes-Bug: #2080542 Change-Id: I854d37e3b4a34a7880f157564466bde61a3f886a (cherry picked from commit 5125d9f)
Otherwise you get different behavior depending on the user used, if some have default projects set and others do not. Change-Id: I7c347af983cb8af9be9d19a010fa0f5bf20ab804 Signed-off-by: Stephen Finucane <stephenfin@redhat.com> (cherry picked from commit b6f955b)
The user id might come from an external provider in which case we can't make assumptions about its format. The constraint removed here is breaking the credential APIs for ldap-based clouds. Change-Id: I80dfe07ae48fd08de3af9cf5508215e4bbcea13c (cherry picked from commit 84a30d5) Signed-off-by: Seunghun Lee <seunghun@stackhpc.com>
We cannot cherry-pick https://review.opendev.org/c/openstack/keystone/+/950184 to the stable branches since it does not work in py39. Since there is also no easy way to fix the typing error, just add an ignore comment to that - it makes no difference anyway. Change-Id: I54a74cdc653b05ea681cbccbc1229109df378d6c Signed-off-by: Artem Goncharov <artem.goncharov@gmail.com>
The implementation of AD nested groups searches works fine when listing the groups a user belongs to, but fails when listing all members of a group. This function of listing all members is also used to check if a user belongs to a group which also fails. This patch fixes the query for getting all users in a group. Closes-Bug: #2112477 Depends-on: https://review.opendev.org/c/openstack/devstack/+/960683 Depends-on: https://review.opendev.org/c/openstack/devstack/+/960684 Change-Id: I9707e1a9bc4a334902933d6251888144f8c3bc19 Signed-off-by: Jorge Merlino <jorge.merlino@canonical.com> (cherry picked from commit f8338be)
Add a policy to enforce authentication with a user in the service group. This maintains AWS compatibility with the added security layer. Closes-Bug: 2119646 Change-Id: Ic84b84247e05f29874e2c5636a033aaedd4de83c Signed-off-by: Grzegorz Grasza <xek@redhat.com> Signed-off-by: Jeremy Stanley <fungi@yuggoth.org> Signed-off-by: Artem Goncharov <artem.goncharov@gmail.com> (cherry picked from commit 68c1817e1cf1ed284d8420a6e1261749648bccd8)
Change-Id: I628a3a6b524cd099345463e3a6bafe16df450581
Change-Id: Ic236212dfda70a28ea6fece177c05308c12936d1
…instead of a hard-coded admin check (which is definitely not enough) Change-Id: Ia6071a0ba7c698ee2a425096888f06a12c1e236e
We are using ldap and our max_size is bigger. Also update tests Change-Id: I13dc7cf77dbad236492f7504033d0cb41a5656cd
…t to cloud_admin for now Co-authored-by: Maurice Escher <maurice.escher@sap.com>
Change-Id: I765e4d2b5999f282a3b324312fb2485bc38ad914
…rofiler_config_default
configuration option to set tags that get added to newly created projects Change-Id: Icac8d54506082816bdaeacb73853a20b49735c16
- add policy_id to target - it was possible to create ec2 creds to different projects without a policy check
Change-Id: I7b81f7d16987f0e633cd999923bdfe19b4e0d3da
Change-Id: I59ff8c35baa4d176508ab8f4813d564049458835
This follows the standard naming convention.
They are pretty common and do not require attention of a developer Change-Id: I1479372579ef745bc0bc2c936f6d234cc775e757
Change-Id: I7ed981a74e9f89327659fb46972e87b79951ae85
Change-Id: Iad1ef565c04d2a2d20a929c4ccd0bf4e7d492afc
Due to architectural reasons, bug https://bugs.launchpad.net/keystone/+bug/1878438 appeared. There is no good way to fix it, upstream also cannot get to it. If someone hits the bug, they get error 500 and keystone crashes. Fix this hard crash and return an Unauthorized response instead. This will not break any existing use cases, because things are not working already. This change should be reverted after upstream fixes the bug. Change-Id: I0d7802ddcdef7646f43fd57a0cf9ae94686d58e9
The ratelimiting middleware seems to bring more maintenance than use, which is why it should be disabled until we figure out how to properly set it up. Change-Id: If01714058982e64bb58bccf7cc853a22fc0c0ac7
Change-Id: I915e3128ff02bde2f00fdefeafde3f6f46b04c5d
Keystone uses many non-standard names for credentials and we need to explicitly list them. Change-Id: Icaaa785f0dd5fb25f3831aafe420b6db731574b1
These messages are too spammy and do not bring any value. Change-Id: I13e4dbcc3333cb8e3154e5a463f2614a47dd70da
Add support of configuration allowing inclusion of a partial hash of the invalid password in event notifications to facilitate analysis of failed login attempts. SecurityImpact Related-Bug: 2060972 Depends-On: https://review.opendev.org/c/openstack/keystone-specs/+/915482 Closes-Bug: 2060972 Change-Id: I0f34d90660a4a915c9c3f9512dc6d794b8415cd5
Install the python-binary-memcached package into the Keystone image. SASL works only over a binary protocol, and it can only work with the `dogpile.cache.bmemcached` backend, which requires the pip package `python-binary-memcached` to be present.
We also set `nosec` for one use of `random.sample()` to make `bandit` - which runs as part of `tox -e pep8` - happy. Upstream has that same line in _without_ `nosec` and I don't get why pep8 tests work for them. Change-Id: Id26894f2da2877c2455e02a6d3290bccb2b6decd
* tox: do not exclude-regex tests
  It doesn't cause failures without the argument.
* Do not clone from remote but use Concourse provided repo
  Concourse already has the repo version to be tested cloned under the `source` path.
* Do not run memcached
  Executing without memcached doesn't change the number of tests and the outcome.
* Do not set WATCHER_DISABLED=true
  It looks like a runtime parameter, not changing tests behavior.
* Make it a normal bash script
  It doesn't have to be one-line, given the way Concourse runs it. But working with it as with a regular script is much easier in development and testing.
* Install tools in `tools` venv
  Installing them on Ubuntu 24.04 fails - https://stackoverflow.com/a/75696359. Whereas an alternative option could be to use `--break-system-packages` - which is less nice than venv IMHO.
* Use latest tox
  Upstream tests run with v4+, and ours could too.
* Install OS requirements using bindep
  The OS requirements packages change over time (some of which are no longer relevant for e.g. Ubuntu 24.04), and are maintained in `bindep.txt`. So just install them with `bindep`, similar to how Zuul does that upstream - https://opendev.org/zuul/zuul-jobs/src/branch/master/roles/bindep/tasks/packages.yaml. The disadvantage could be that it could install more than required - e.g. mysql, postgresql or graphviz, which we don't need for our test run.
* Add `build-essential` to fix psycopg2, python-ldap
* Install and configure git
  Without `safe.directory` it fails to use `git` under `/source`, and fails to recognize the pbr version correspondingly (https://docs.openstack.org/pbr/latest/user/features.html#version).
* Maintain LDAP tests environment variables
  With or without them the number of executed tests and the outcome are the same. Not sure why so - needs more investigation. But just maintain them as in the documentation - https://docs.openstack.org/keystone/latest/contributor/testing-keystone.html#ldap-tests
* Make tox NOT skip-missing-interpreters
  This is to make sure that it won't succeed in case the interpreter could not be found.
2025.1 sapcc cherry picks and required changes
With Epoxy release the support for the sha512_crypt hash is dropped. This change adds a check of the password hash when the user authenticates. If the hash of the users password is deprecated then the password will be re-hashed using the default hasher and updated in the database. Change-Id: I4a16401b914c92fd7db9d626cb1642570b36d600 Signed-off-by: Adrian Jarvis <adrian.jarvis@catalystcloud.nz>
Re-hash sha512 hashed passwords with current hashing algorithm
This should not be used in production for the reasons given inline. Change-Id: Ie40f41f57e316888c2b33f2952edcbac702c1c79 Signed-off-by: Stephen Finucane <stephenfin@redhat.com> Depends-on: https://review.opendev.org/c/openstack/devstack/+/962852 Closes-bug: #2126676
For some reason a bug went unnoticed where in the schema validation we log the message from the decorators, but logging itself is not imported. Change-Id: I6ddb69d21d22eafbfcde5c8952a63e39750e6328 Signed-off-by: Artem Goncharov <artem.goncharov@gmail.com>
Disable response body validation by default
When federated users' group membership changes in the IdP and they reauthenticate, their role assignments should reflect the change immediately, respecting the IdP's TTL configuration rather than waiting for the role assignment cache to expire. This change ensures that federated authentication triggers appropriate cache invalidation for role assignments when group membership has changed. Closes-Bug: #2119031 Change-Id: I79505f3d9e7d9ba46ed6ff40ee0071bdf92b95a0 Signed-off-by: Moutaz Chaara <moutaz.chaara@sap.com> (cherry picked from commit ad87d82)
Fix role assignment cache for federated users
The _ldap_get_all method had a broken optimization that only fetched one page of results when hints.limit was set without filters. This fix removes that optimization and ensures all LDAP queries use conn.search_s() which properly iterates through all pages via _paged_search_s. Also fixes serverctrls None handling in _paged_search_s. Fixes: #434