Ubuntu
keystone package

Merge lp:~yolanda.robla/ubuntu/precise/keystone/essex-sru into lp:ubuntu/precise-updates/keystone

  1. Precise (12.04)
  2. essex-sru
  3. Merge into precise-updates
Proposed by Yolanda Robla
Status: Superseded
Proposed branch: lp:~yolanda.robla/ubuntu/precise/keystone/essex-sru
Merge into: lp:ubuntu/precise-updates/keystone
Diff against target: 33638 lines (+30158/-3073)
34 files modified
.pc/applied-patches (+0/-3)
.pc/fix-ubuntu-tests.patch/tests/test_keystoneclient.py (+9/-9)
.pc/keystone-CVE-2012-3542.patch/keystone/identity/core.py (+0/-625)
.pc/keystone-CVE-2012-4413.patch/keystone/identity/core.py (+0/-626)
.pc/keystone-CVE-2012-4413.patch/keystone/token/core.py (+0/-107)
.pc/keystone-CVE-2012-4413.patch/tests/test_keystoneclient.py (+0/-970)
.pc/keystone-CVE-2012-5571.patch/keystone/contrib/ec2/core.py (+0/-347)
ChangeLog (+29735/-0)
PKG-INFO (+10/-0)
debian/changelog (+29/-0)
debian/keystone.logrotate (+3/-0)
debian/patches/fix-ubuntu-tests.patch (+10/-12)
debian/patches/keystone-CVE-2012-3542.patch (+0/-18)
debian/patches/keystone-CVE-2012-4413.patch (+0/-147)
debian/patches/keystone-CVE-2012-5571.patch (+0/-62)
debian/patches/series (+0/-3)
doc/keystone_compat_flows.sdx (+0/-99)
keystone.egg-info/PKG-INFO (+10/-0)
keystone.egg-info/SOURCES.txt (+176/-0)
keystone.egg-info/dependency_links.txt (+1/-0)
keystone.egg-info/not-zip-safe (+1/-0)
keystone.egg-info/requires.txt (+11/-0)
keystone.egg-info/top_level.txt (+1/-0)
keystone/identity/core.py (+4/-4)
keystone/token/backends/kvs.py (+13/-8)
keystone/token/backends/memcache.py (+31/-1)
keystone/token/backends/sql.py (+6/-1)
keystone/token/core.py (+11/-5)
setup.cfg (+8/-11)
setup.py (+1/-1)
tests/test_backend.py (+56/-5)
tests/test_backend_memcache.py (+29/-6)
tests/test_keystoneclient.py (+1/-1)
tools/pip-requires (+2/-2)
To merge this branch: bzr merge lp:~yolanda.robla/ubuntu/precise/keystone/essex-sru
Reviewer Review Type Date Requested Status
James Page Needs Fixing
Review via email: mp+140402@code.launchpad.net

This proposal has been superseded by a proposal from 2012-12-18.

To post a comment you must log in.
Revision history for this message
James Page (james-page) wrote :

Yolanda

Minor nitpick; this branch drops an empty line from the changelog;

Other than that builds OK.

review: Needs Fixing
lp:~yolanda.robla/ubuntu/precise/keystone/essex-sru updated
30. By Yolanda Robla

fixing typo in changelog

Unmerged revisions

30. By Yolanda Robla

fixing typo in changelog

29. By Yolanda Robla

[ Chuck Short ]
* debian/keystone.logrotate: Compress log file when rotated. (LP: #1049309)

[ Yolanda Robla Mota ]
* Resynchronize with stable/essex (c17a9992):
  - [8735009] Removing user from a tenant isn't invalidating user access to
    tenant (CVE-2012-5571)
  - [025b1d5] Jenkins jobs fail because of incompatibility between sqlalchemy-
    migrate and the newest sqlalchemy-0.8.0b1 (LP: #1073569)
  - [ddb4019] Open 2012.1.4 development
  - [0e1f05e] memcache driver needs protection against unicode user keys
    (LP: #1056373)
  - [176ee9b] Token invalidation in case of role grant/revoke should be
    limited to affected tenant (LP: #1050025)
  - [58ac669] Token validation includes revoked roles (CVE-2012-4413)
  - [cd1e48a] Memcached Token Backend does not support list tokens
    (LP: #1046905)
  - [5438d3b] Update user's default tenant partially succeeds without authz
    (CVE-2012-3542)

* Dropped, superseeded by new snapshot:
  - debian/patches/CVE-2012-4413.patch [58ac669]
  - debian/patches/CVE-2012-5571.patch [8735009]
  - debian/patches/CVE-2012-3542.patch [5438d3b]

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file '.pc/applied-patches'
2--- .pc/applied-patches 2012-11-26 14:07:34 +0000
3+++ .pc/applied-patches 2012-12-18 13:48:25 +0000
4@@ -1,5 +1,2 @@
5 fix-ubuntu-tests.patch
6 sql_connection.patch
7-keystone-CVE-2012-3542.patch
8-keystone-CVE-2012-4413.patch
9-keystone-CVE-2012-5571.patch
10
11=== modified file '.pc/fix-ubuntu-tests.patch/tests/test_keystoneclient.py'
12--- .pc/fix-ubuntu-tests.patch/tests/test_keystoneclient.py 2012-08-24 03:34:59 +0000
13+++ .pc/fix-ubuntu-tests.patch/tests/test_keystoneclient.py 2012-12-18 13:48:25 +0000
14@@ -769,15 +769,15 @@
15 def test_tenant_add_and_remove_user(self):
16 client = self.get_client(admin=True)
17 client.roles.add_user_role(tenant=self.tenant_baz['id'],
18- user=self.user_foo['id'],
19+ user=self.user_two['id'],
20 role=self.role_useless['id'])
21 user_refs = client.tenants.list_users(tenant=self.tenant_baz['id'])
22- self.assert_(self.user_foo['id'] in [x.id for x in user_refs])
23+ self.assert_(self.user_two['id'] in [x.id for x in user_refs])
24 client.roles.remove_user_role(tenant=self.tenant_baz['id'],
25- user=self.user_foo['id'],
26+ user=self.user_two['id'],
27 role=self.role_useless['id'])
28 user_refs = client.tenants.list_users(tenant=self.tenant_baz['id'])
29- self.assert_(self.user_foo['id'] not in [x.id for x in user_refs])
30+ self.assert_(self.user_two['id'] not in [x.id for x in user_refs])
31
32 def test_user_role_add_404(self):
33 from keystoneclient import exceptions as client_exceptions
34@@ -890,16 +890,16 @@
35 def test_tenant_add_and_remove_user(self):
36 client = self.get_client(admin=True)
37 client.roles.add_user_to_tenant(tenant_id=self.tenant_baz['id'],
38- user_id=self.user_foo['id'],
39+ user_id=self.user_two['id'],
40 role_id=self.role_useless['id'])
41 role_refs = client.roles.get_user_role_refs(
42- user_id=self.user_foo['id'])
43+ user_id=self.user_two['id'])
44 self.assert_(self.tenant_baz['id'] in [x.tenantId for x in role_refs])
45
46 # get the "role_refs" so we get the proper id, this is how the clients
47 # do it
48 roleref_refs = client.roles.get_user_role_refs(
49- user_id=self.user_foo['id'])
50+ user_id=self.user_two['id'])
51 for roleref_ref in roleref_refs:
52 if (roleref_ref.roleId == self.role_useless['id']
53 and roleref_ref.tenantId == self.tenant_baz['id']):
54@@ -907,11 +907,11 @@
55 break
56
57 client.roles.remove_user_from_tenant(tenant_id=self.tenant_baz['id'],
58- user_id=self.user_foo['id'],
59+ user_id=self.user_two['id'],
60 role_id=roleref_ref.id)
61
62 role_refs = client.roles.get_user_role_refs(
63- user_id=self.user_foo['id'])
64+ user_id=self.user_two['id'])
65 self.assert_(self.tenant_baz['id'] not in
66 [x.tenantId for x in role_refs])
67
68
69=== removed directory '.pc/keystone-CVE-2012-3542.patch'
70=== removed directory '.pc/keystone-CVE-2012-3542.patch/keystone'
71=== removed directory '.pc/keystone-CVE-2012-3542.patch/keystone/identity'
72=== removed file '.pc/keystone-CVE-2012-3542.patch/keystone/identity/core.py'
73--- .pc/keystone-CVE-2012-3542.patch/keystone/identity/core.py 2012-08-30 15:10:26 +0000
74+++ .pc/keystone-CVE-2012-3542.patch/keystone/identity/core.py 1970-01-01 00:00:00 +0000
75@@ -1,625 +0,0 @@
76-# vim: tabstop=4 shiftwidth=4 softtabstop=4
77-
78-# Copyright 2012 OpenStack LLC
79-#
80-# Licensed under the Apache License, Version 2.0 (the "License"); you may
81-# not use this file except in compliance with the License. You may obtain
82-# a copy of the License at
83-#
84-# http://www.apache.org/licenses/LICENSE-2.0
85-#
86-# Unless required by applicable law or agreed to in writing, software
87-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
88-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
89-# License for the specific language governing permissions and limitations
90-# under the License.
91-
92-"""Main entry point into the Identity service."""
93-
94-import uuid
95-import urllib
96-import urlparse
97-
98-from keystone import config
99-from keystone import exception
100-from keystone import policy
101-from keystone import token
102-from keystone.common import logging
103-from keystone.common import manager
104-from keystone.common import wsgi
105-
106-
107-CONF = config.CONF
108-
109-LOG = logging.getLogger(__name__)
110-
111-
112-class Manager(manager.Manager):
113- """Default pivot point for the Identity backend.
114-
115- See :mod:`keystone.common.manager.Manager` for more details on how this
116- dynamically calls the backend.
117-
118- """
119-
120- def __init__(self):
121- super(Manager, self).__init__(CONF.identity.driver)
122-
123-
124-class Driver(object):
125- """Interface description for an Identity driver."""
126-
127- def authenticate(self, user_id=None, tenant_id=None, password=None):
128- """Authenticate a given user, tenant and password.
129-
130- Returns: (user, tenant, metadata).
131-
132- """
133- raise exception.NotImplemented()
134-
135- def get_tenant(self, tenant_id):
136- """Get a tenant by id.
137-
138- Returns: tenant_ref or None.
139-
140- """
141- raise exception.NotImplemented()
142-
143- def get_tenant_by_name(self, tenant_name):
144- """Get a tenant by name.
145-
146- Returns: tenant_ref or None.
147-
148- """
149- raise exception.NotImplemented()
150-
151- def get_user(self, user_id):
152- """Get a user by id.
153-
154- Returns: user_ref or None.
155-
156- """
157- raise exception.NotImplemented()
158-
159- def get_user_by_name(self, user_name):
160- """Get a user by name.
161-
162- Returns: user_ref or None.
163-
164- """
165- raise exception.NotImplemented()
166-
167- def get_role(self, role_id):
168- """Get a role by id.
169-
170- Returns: role_ref or None.
171-
172- """
173- raise exception.NotImplemented()
174-
175- def list_users(self):
176- """List all users in the system.
177-
178- NOTE(termie): I'd prefer if this listed only the users for a given
179- tenant.
180-
181- Returns: a list of user_refs or an empty list.
182-
183- """
184- raise exception.NotImplemented()
185-
186- def list_roles(self):
187- """List all roles in the system.
188-
189- Returns: a list of role_refs or an empty list.
190-
191- """
192- raise exception.NotImplemented()
193-
194- # NOTE(termie): seven calls below should probably be exposed by the api
195- # more clearly when the api redesign happens
196- def add_user_to_tenant(self, tenant_id, user_id):
197- raise exception.NotImplemented()
198-
199- def remove_user_from_tenant(self, tenant_id, user_id):
200- raise exception.NotImplemented()
201-
202- def get_all_tenants(self):
203- raise exception.NotImplemented()
204-
205- def get_tenants_for_user(self, user_id):
206- """Get the tenants associated with a given user.
207-
208- Returns: a list of tenant ids.
209-
210- """
211- raise exception.NotImplemented()
212-
213- def get_roles_for_user_and_tenant(self, user_id, tenant_id):
214- """Get the roles associated with a user within given tenant.
215-
216- Returns: a list of role ids.
217-
218- """
219- raise exception.NotImplemented()
220-
221- def add_role_to_user_and_tenant(self, user_id, tenant_id, role_id):
222- """Add a role to a user within given tenant."""
223- raise exception.NotImplemented()
224-
225- def remove_role_from_user_and_tenant(self, user_id, tenant_id, role_id):
226- """Remove a role from a user within given tenant."""
227- raise exception.NotImplemented()
228-
229- # user crud
230- def create_user(self, user_id, user):
231- raise exception.NotImplemented()
232-
233- def update_user(self, user_id, user):
234- raise exception.NotImplemented()
235-
236- def delete_user(self, user_id):
237- raise exception.NotImplemented()
238-
239- # tenant crud
240- def create_tenant(self, tenant_id, tenant):
241- raise exception.NotImplemented()
242-
243- def update_tenant(self, tenant_id, tenant):
244- raise exception.NotImplemented()
245-
246- def delete_tenant(self, tenant_id, tenant):
247- raise exception.NotImplemented()
248-
249- # metadata crud
250-
251- def get_metadata(self, user_id, tenant_id):
252- raise exception.NotImplemented()
253-
254- def create_metadata(self, user_id, tenant_id, metadata):
255- raise exception.NotImplemented()
256-
257- def update_metadata(self, user_id, tenant_id, metadata):
258- raise exception.NotImplemented()
259-
260- def delete_metadata(self, user_id, tenant_id, metadata):
261- raise exception.NotImplemented()
262-
263- # role crud
264- def create_role(self, role_id, role):
265- raise exception.NotImplemented()
266-
267- def update_role(self, role_id, role):
268- raise exception.NotImplemented()
269-
270- def delete_role(self, role_id):
271- raise exception.NotImplemented()
272-
273-
274-class PublicRouter(wsgi.ComposableRouter):
275- def add_routes(self, mapper):
276- tenant_controller = TenantController()
277- mapper.connect('/tenants',
278- controller=tenant_controller,
279- action='get_tenants_for_token',
280- conditions=dict(methods=['GET']))
281-
282-
283-class AdminRouter(wsgi.ComposableRouter):
284- def add_routes(self, mapper):
285- # Tenant Operations
286- tenant_controller = TenantController()
287- mapper.connect('/tenants',
288- controller=tenant_controller,
289- action='get_all_tenants',
290- conditions=dict(method=['GET']))
291- mapper.connect('/tenants/{tenant_id}',
292- controller=tenant_controller,
293- action='get_tenant',
294- conditions=dict(method=['GET']))
295-
296- # User Operations
297- user_controller = UserController()
298- mapper.connect('/users/{user_id}',
299- controller=user_controller,
300- action='get_user',
301- conditions=dict(method=['GET']))
302-
303- # Role Operations
304- roles_controller = RoleController()
305- mapper.connect('/tenants/{tenant_id}/users/{user_id}/roles',
306- controller=roles_controller,
307- action='get_user_roles',
308- conditions=dict(method=['GET']))
309- mapper.connect('/users/{user_id}/roles',
310- controller=user_controller,
311- action='get_user_roles',
312- conditions=dict(method=['GET']))
313-
314-
315-class TenantController(wsgi.Application):
316- def __init__(self):
317- self.identity_api = Manager()
318- self.policy_api = policy.Manager()
319- self.token_api = token.Manager()
320- super(TenantController, self).__init__()
321-
322- def get_all_tenants(self, context, **kw):
323- """Gets a list of all tenants for an admin user."""
324- self.assert_admin(context)
325- tenant_refs = self.identity_api.get_tenants(context)
326- params = {
327- 'limit': context['query_string'].get('limit'),
328- 'marker': context['query_string'].get('marker'),
329- }
330- return self._format_tenant_list(tenant_refs, **params)
331-
332- def get_tenants_for_token(self, context, **kw):
333- """Get valid tenants for token based on token used to authenticate.
334-
335- Pulls the token from the context, validates it and gets the valid
336- tenants for the user in the token.
337-
338- Doesn't care about token scopedness.
339-
340- """
341- try:
342- token_ref = self.token_api.get_token(context=context,
343- token_id=context['token_id'])
344- except exception.NotFound:
345- raise exception.Unauthorized()
346-
347- user_ref = token_ref['user']
348- tenant_ids = self.identity_api.get_tenants_for_user(
349- context, user_ref['id'])
350- tenant_refs = []
351- for tenant_id in tenant_ids:
352- tenant_refs.append(self.identity_api.get_tenant(
353- context=context,
354- tenant_id=tenant_id))
355- params = {
356- 'limit': context['query_string'].get('limit'),
357- 'marker': context['query_string'].get('marker'),
358- }
359- return self._format_tenant_list(tenant_refs, **params)
360-
361- def get_tenant(self, context, tenant_id):
362- # TODO(termie): this stuff should probably be moved to middleware
363- self.assert_admin(context)
364- tenant = self.identity_api.get_tenant(context, tenant_id)
365- if tenant is None:
366- raise exception.TenantNotFound(tenant_id=tenant_id)
367-
368- return {'tenant': tenant}
369-
370- # CRUD Extension
371- def create_tenant(self, context, tenant):
372- tenant_ref = self._normalize_dict(tenant)
373- self.assert_admin(context)
374- tenant_id = (tenant_ref.get('id')
375- and tenant_ref.get('id')
376- or uuid.uuid4().hex)
377- tenant_ref['id'] = tenant_id
378-
379- tenant = self.identity_api.create_tenant(
380- context, tenant_id, tenant_ref)
381- return {'tenant': tenant}
382-
383- def update_tenant(self, context, tenant_id, tenant):
384- self.assert_admin(context)
385- if self.identity_api.get_tenant(context, tenant_id) is None:
386- raise exception.TenantNotFound(tenant_id=tenant_id)
387-
388- tenant_ref = self.identity_api.update_tenant(
389- context, tenant_id, tenant)
390- return {'tenant': tenant_ref}
391-
392- def delete_tenant(self, context, tenant_id, **kw):
393- self.assert_admin(context)
394- if self.identity_api.get_tenant(context, tenant_id) is None:
395- raise exception.TenantNotFound(tenant_id=tenant_id)
396-
397- self.identity_api.delete_tenant(context, tenant_id)
398-
399- def get_tenant_users(self, context, tenant_id, **kw):
400- self.assert_admin(context)
401- if self.identity_api.get_tenant(context, tenant_id) is None:
402- raise exception.TenantNotFound(tenant_id=tenant_id)
403-
404- user_refs = self.identity_api.get_tenant_users(context, tenant_id)
405- return {'users': user_refs}
406-
407- def _format_tenant_list(self, tenant_refs, **kwargs):
408- marker = kwargs.get('marker')
409- page_idx = 0
410- if marker is not None:
411- for (marker_idx, tenant) in enumerate(tenant_refs):
412- if tenant['id'] == marker:
413- # we start pagination after the marker
414- page_idx = marker_idx + 1
415- break
416- else:
417- msg = 'Marker could not be found'
418- raise exception.ValidationError(message=msg)
419-
420- limit = kwargs.get('limit')
421- if limit is not None:
422- try:
423- limit = int(limit)
424- if limit < 0:
425- raise AssertionError()
426- except (ValueError, AssertionError):
427- msg = 'Invalid limit value'
428- raise exception.ValidationError(message=msg)
429-
430- tenant_refs = tenant_refs[page_idx:limit]
431-
432- for x in tenant_refs:
433- if 'enabled' not in x:
434- x['enabled'] = True
435- o = {'tenants': tenant_refs,
436- 'tenants_links': []}
437- return o
438-
439-
440-class UserController(wsgi.Application):
441- def __init__(self):
442- self.identity_api = Manager()
443- self.policy_api = policy.Manager()
444- self.token_api = token.Manager()
445- super(UserController, self).__init__()
446-
447- def get_user(self, context, user_id):
448- self.assert_admin(context)
449- user_ref = self.identity_api.get_user(context, user_id)
450- if not user_ref:
451- raise exception.UserNotFound(user_id=user_id)
452-
453- return {'user': user_ref}
454-
455- def get_users(self, context):
456- # NOTE(termie): i can't imagine that this really wants all the data
457- # about every single user in the system...
458- self.assert_admin(context)
459- user_refs = self.identity_api.list_users(context)
460- return {'users': user_refs}
461-
462- # CRUD extension
463- def create_user(self, context, user):
464- user = self._normalize_dict(user)
465- self.assert_admin(context)
466- tenant_id = user.get('tenantId', None)
467- if (tenant_id is not None
468- and self.identity_api.get_tenant(context, tenant_id) is None):
469- raise exception.TenantNotFound(tenant_id=tenant_id)
470- user_id = uuid.uuid4().hex
471- user_ref = user.copy()
472- user_ref['id'] = user_id
473- new_user_ref = self.identity_api.create_user(
474- context, user_id, user_ref)
475- if tenant_id:
476- self.identity_api.add_user_to_tenant(context, tenant_id, user_id)
477- return {'user': new_user_ref}
478-
479- def update_user(self, context, user_id, user):
480- # NOTE(termie): this is really more of a patch than a put
481- self.assert_admin(context)
482- if self.identity_api.get_user(context, user_id) is None:
483- raise exception.UserNotFound(user_id=user_id)
484-
485- user_ref = self.identity_api.update_user(context, user_id, user)
486-
487- # If the password was changed or the user was disabled we clear tokens
488- if user.get('password') or user.get('enabled', True) == False:
489- try:
490- for token_id in self.token_api.list_tokens(context, user_id):
491- self.token_api.delete_token(context, token_id)
492- except exception.NotImplemented:
493- # The users status has been changed but tokens remain valid for
494- # backends that can't list tokens for users
495- LOG.warning('User %s status has changed, but existing tokens '
496- 'remain valid' % user_id)
497- return {'user': user_ref}
498-
499- def delete_user(self, context, user_id):
500- self.assert_admin(context)
501- if self.identity_api.get_user(context, user_id) is None:
502- raise exception.UserNotFound(user_id=user_id)
503-
504- self.identity_api.delete_user(context, user_id)
505-
506- def set_user_enabled(self, context, user_id, user):
507- return self.update_user(context, user_id, user)
508-
509- def set_user_password(self, context, user_id, user):
510- return self.update_user(context, user_id, user)
511-
512- def update_user_tenant(self, context, user_id, user):
513- """Update the default tenant."""
514- # ensure that we're a member of that tenant
515- tenant_id = user.get('tenantId')
516- self.identity_api.add_user_to_tenant(context, tenant_id, user_id)
517- return self.update_user(context, user_id, user)
518-
519-
520-class RoleController(wsgi.Application):
521- def __init__(self):
522- self.identity_api = Manager()
523- self.token_api = token.Manager()
524- self.policy_api = policy.Manager()
525- super(RoleController, self).__init__()
526-
527- # COMPAT(essex-3)
528- def get_user_roles(self, context, user_id, tenant_id=None):
529- """Get the roles for a user and tenant pair.
530-
531- Since we're trying to ignore the idea of user-only roles we're
532- not implementing them in hopes that the idea will die off.
533-
534- """
535- self.assert_admin(context)
536- if tenant_id is None:
537- raise exception.NotImplemented(message='User roles not supported: '
538- 'tenant ID required')
539-
540- user = self.identity_api.get_user(context, user_id)
541- if user is None:
542- raise exception.UserNotFound(user_id=user_id)
543- tenant = self.identity_api.get_tenant(context, tenant_id)
544- if tenant is None:
545- raise exception.TenantNotFound(tenant_id=tenant_id)
546-
547- roles = self.identity_api.get_roles_for_user_and_tenant(
548- context, user_id, tenant_id)
549- return {'roles': [self.identity_api.get_role(context, x)
550- for x in roles]}
551-
552- # CRUD extension
553- def get_role(self, context, role_id):
554- self.assert_admin(context)
555- role_ref = self.identity_api.get_role(context, role_id)
556- if not role_ref:
557- raise exception.RoleNotFound(role_id=role_id)
558- return {'role': role_ref}
559-
560- def create_role(self, context, role):
561- role = self._normalize_dict(role)
562- self.assert_admin(context)
563- role_id = uuid.uuid4().hex
564- role['id'] = role_id
565- role_ref = self.identity_api.create_role(context, role_id, role)
566- return {'role': role_ref}
567-
568- def delete_role(self, context, role_id):
569- self.assert_admin(context)
570- self.get_role(context, role_id)
571- self.identity_api.delete_role(context, role_id)
572-
573- def get_roles(self, context):
574- self.assert_admin(context)
575- roles = self.identity_api.list_roles(context)
576- # TODO(termie): probably inefficient at some point
577- return {'roles': roles}
578-
579- def add_role_to_user(self, context, user_id, role_id, tenant_id=None):
580- """Add a role to a user and tenant pair.
581-
582- Since we're trying to ignore the idea of user-only roles we're
583- not implementing them in hopes that the idea will die off.
584-
585- """
586- self.assert_admin(context)
587- if tenant_id is None:
588- raise exception.NotImplemented(message='User roles not supported: '
589- 'tenant_id required')
590- if self.identity_api.get_user(context, user_id) is None:
591- raise exception.UserNotFound(user_id=user_id)
592- if self.identity_api.get_tenant(context, tenant_id) is None:
593- raise exception.TenantNotFound(tenant_id=tenant_id)
594- if self.identity_api.get_role(context, role_id) is None:
595- raise exception.RoleNotFound(role_id=role_id)
596-
597- # This still has the weird legacy semantics that adding a role to
598- # a user also adds them to a tenant
599- self.identity_api.add_user_to_tenant(context, tenant_id, user_id)
600- self.identity_api.add_role_to_user_and_tenant(
601- context, user_id, tenant_id, role_id)
602- role_ref = self.identity_api.get_role(context, role_id)
603- return {'role': role_ref}
604-
605- def remove_role_from_user(self, context, user_id, role_id, tenant_id=None):
606- """Remove a role from a user and tenant pair.
607-
608- Since we're trying to ignore the idea of user-only roles we're
609- not implementing them in hopes that the idea will die off.
610-
611- """
612- self.assert_admin(context)
613- if tenant_id is None:
614- raise exception.NotImplemented(message='User roles not supported: '
615- 'tenant_id required')
616- if self.identity_api.get_user(context, user_id) is None:
617- raise exception.UserNotFound(user_id=user_id)
618- if self.identity_api.get_tenant(context, tenant_id) is None:
619- raise exception.TenantNotFound(tenant_id=tenant_id)
620- if self.identity_api.get_role(context, role_id) is None:
621- raise exception.RoleNotFound(role_id=role_id)
622-
623- # This still has the weird legacy semantics that adding a role to
624- # a user also adds them to a tenant, so we must follow up on that
625- self.identity_api.remove_role_from_user_and_tenant(
626- context, user_id, tenant_id, role_id)
627- roles = self.identity_api.get_roles_for_user_and_tenant(
628- context, user_id, tenant_id)
629- if not roles:
630- self.identity_api.remove_user_from_tenant(
631- context, tenant_id, user_id)
632- return
633-
634- # COMPAT(diablo): CRUD extension
635- def get_role_refs(self, context, user_id):
636- """Ultimate hack to get around having to make role_refs first-class.
637-
638- This will basically iterate over the various roles the user has in
639- all tenants the user is a member of and create fake role_refs where
640- the id encodes the user-tenant-role information so we can look
641- up the appropriate data when we need to delete them.
642-
643- """
644- self.assert_admin(context)
645- user_ref = self.identity_api.get_user(context, user_id)
646- tenant_ids = self.identity_api.get_tenants_for_user(context, user_id)
647- o = []
648- for tenant_id in tenant_ids:
649- role_ids = self.identity_api.get_roles_for_user_and_tenant(
650- context, user_id, tenant_id)
651- for role_id in role_ids:
652- ref = {'roleId': role_id,
653- 'tenantId': tenant_id,
654- 'userId': user_id}
655- ref['id'] = urllib.urlencode(ref)
656- o.append(ref)
657- return {'roles': o}
658-
659- # COMPAT(diablo): CRUD extension
660- def create_role_ref(self, context, user_id, role):
661- """This is actually used for adding a user to a tenant.
662-
663- In the legacy data model adding a user to a tenant required setting
664- a role.
665-
666- """
667- self.assert_admin(context)
668- # TODO(termie): for now we're ignoring the actual role
669- tenant_id = role.get('tenantId')
670- role_id = role.get('roleId')
671- self.identity_api.add_user_to_tenant(context, tenant_id, user_id)
672- self.identity_api.add_role_to_user_and_tenant(
673- context, user_id, tenant_id, role_id)
674- role_ref = self.identity_api.get_role(context, role_id)
675- return {'role': role_ref}
676-
677- # COMPAT(diablo): CRUD extension
678- def delete_role_ref(self, context, user_id, role_ref_id):
679- """This is actually used for deleting a user from a tenant.
680-
681- In the legacy data model removing a user from a tenant required
682- deleting a role.
683-
684- To emulate this, we encode the tenant and role in the role_ref_id,
685- and if this happens to be the last role for the user-tenant pair,
686- we remove the user from the tenant.
687-
688- """
689- self.assert_admin(context)
690- # TODO(termie): for now we're ignoring the actual role
691- role_ref_ref = urlparse.parse_qs(role_ref_id)
692- tenant_id = role_ref_ref.get('tenantId')[0]
693- role_id = role_ref_ref.get('roleId')[0]
694- self.identity_api.remove_role_from_user_and_tenant(
695- context, user_id, tenant_id, role_id)
696- roles = self.identity_api.get_roles_for_user_and_tenant(
697- context, user_id, tenant_id)
698- if not roles:
699- self.identity_api.remove_user_from_tenant(
700- context, tenant_id, user_id)
701
702=== removed directory '.pc/keystone-CVE-2012-4413.patch'
703=== removed directory '.pc/keystone-CVE-2012-4413.patch/keystone'
704=== removed directory '.pc/keystone-CVE-2012-4413.patch/keystone/identity'
705=== removed file '.pc/keystone-CVE-2012-4413.patch/keystone/identity/core.py'
706--- .pc/keystone-CVE-2012-4413.patch/keystone/identity/core.py 2012-09-12 09:47:55 +0000
707+++ .pc/keystone-CVE-2012-4413.patch/keystone/identity/core.py 1970-01-01 00:00:00 +0000
708@@ -1,626 +0,0 @@
709-# vim: tabstop=4 shiftwidth=4 softtabstop=4
710-
711-# Copyright 2012 OpenStack LLC
712-#
713-# Licensed under the Apache License, Version 2.0 (the "License"); you may
714-# not use this file except in compliance with the License. You may obtain
715-# a copy of the License at
716-#
717-# http://www.apache.org/licenses/LICENSE-2.0
718-#
719-# Unless required by applicable law or agreed to in writing, software
720-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
721-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
722-# License for the specific language governing permissions and limitations
723-# under the License.
724-
725-"""Main entry point into the Identity service."""
726-
727-import uuid
728-import urllib
729-import urlparse
730-
731-from keystone import config
732-from keystone import exception
733-from keystone import policy
734-from keystone import token
735-from keystone.common import logging
736-from keystone.common import manager
737-from keystone.common import wsgi
738-
739-
740-CONF = config.CONF
741-
742-LOG = logging.getLogger(__name__)
743-
744-
745-class Manager(manager.Manager):
746- """Default pivot point for the Identity backend.
747-
748- See :mod:`keystone.common.manager.Manager` for more details on how this
749- dynamically calls the backend.
750-
751- """
752-
753- def __init__(self):
754- super(Manager, self).__init__(CONF.identity.driver)
755-
756-
757-class Driver(object):
758- """Interface description for an Identity driver."""
759-
760- def authenticate(self, user_id=None, tenant_id=None, password=None):
761- """Authenticate a given user, tenant and password.
762-
763- Returns: (user, tenant, metadata).
764-
765- """
766- raise exception.NotImplemented()
767-
768- def get_tenant(self, tenant_id):
769- """Get a tenant by id.
770-
771- Returns: tenant_ref or None.
772-
773- """
774- raise exception.NotImplemented()
775-
776- def get_tenant_by_name(self, tenant_name):
777- """Get a tenant by name.
778-
779- Returns: tenant_ref or None.
780-
781- """
782- raise exception.NotImplemented()
783-
784- def get_user(self, user_id):
785- """Get a user by id.
786-
787- Returns: user_ref or None.
788-
789- """
790- raise exception.NotImplemented()
791-
792- def get_user_by_name(self, user_name):
793- """Get a user by name.
794-
795- Returns: user_ref or None.
796-
797- """
798- raise exception.NotImplemented()
799-
800- def get_role(self, role_id):
801- """Get a role by id.
802-
803- Returns: role_ref or None.
804-
805- """
806- raise exception.NotImplemented()
807-
808- def list_users(self):
809- """List all users in the system.
810-
811- NOTE(termie): I'd prefer if this listed only the users for a given
812- tenant.
813-
814- Returns: a list of user_refs or an empty list.
815-
816- """
817- raise exception.NotImplemented()
818-
819- def list_roles(self):
820- """List all roles in the system.
821-
822- Returns: a list of role_refs or an empty list.
823-
824- """
825- raise exception.NotImplemented()
826-
827- # NOTE(termie): seven calls below should probably be exposed by the api
828- # more clearly when the api redesign happens
829- def add_user_to_tenant(self, tenant_id, user_id):
830- raise exception.NotImplemented()
831-
832- def remove_user_from_tenant(self, tenant_id, user_id):
833- raise exception.NotImplemented()
834-
835- def get_all_tenants(self):
836- raise exception.NotImplemented()
837-
838- def get_tenants_for_user(self, user_id):
839- """Get the tenants associated with a given user.
840-
841- Returns: a list of tenant ids.
842-
843- """
844- raise exception.NotImplemented()
845-
846- def get_roles_for_user_and_tenant(self, user_id, tenant_id):
847- """Get the roles associated with a user within given tenant.
848-
849- Returns: a list of role ids.
850-
851- """
852- raise exception.NotImplemented()
853-
854- def add_role_to_user_and_tenant(self, user_id, tenant_id, role_id):
855- """Add a role to a user within given tenant."""
856- raise exception.NotImplemented()
857-
858- def remove_role_from_user_and_tenant(self, user_id, tenant_id, role_id):
859- """Remove a role from a user within given tenant."""
860- raise exception.NotImplemented()
861-
862- # user crud
863- def create_user(self, user_id, user):
864- raise exception.NotImplemented()
865-
866- def update_user(self, user_id, user):
867- raise exception.NotImplemented()
868-
869- def delete_user(self, user_id):
870- raise exception.NotImplemented()
871-
872- # tenant crud
873- def create_tenant(self, tenant_id, tenant):
874- raise exception.NotImplemented()
875-
876- def update_tenant(self, tenant_id, tenant):
877- raise exception.NotImplemented()
878-
879- def delete_tenant(self, tenant_id, tenant):
880- raise exception.NotImplemented()
881-
882- # metadata crud
883-
884- def get_metadata(self, user_id, tenant_id):
885- raise exception.NotImplemented()
886-
887- def create_metadata(self, user_id, tenant_id, metadata):
888- raise exception.NotImplemented()
889-
890- def update_metadata(self, user_id, tenant_id, metadata):
891- raise exception.NotImplemented()
892-
893- def delete_metadata(self, user_id, tenant_id, metadata):
894- raise exception.NotImplemented()
895-
896- # role crud
897- def create_role(self, role_id, role):
898- raise exception.NotImplemented()
899-
900- def update_role(self, role_id, role):
901- raise exception.NotImplemented()
902-
903- def delete_role(self, role_id):
904- raise exception.NotImplemented()
905-
906-
907-class PublicRouter(wsgi.ComposableRouter):
908- def add_routes(self, mapper):
909- tenant_controller = TenantController()
910- mapper.connect('/tenants',
911- controller=tenant_controller,
912- action='get_tenants_for_token',
913- conditions=dict(methods=['GET']))
914-
915-
916-class AdminRouter(wsgi.ComposableRouter):
917- def add_routes(self, mapper):
918- # Tenant Operations
919- tenant_controller = TenantController()
920- mapper.connect('/tenants',
921- controller=tenant_controller,
922- action='get_all_tenants',
923- conditions=dict(method=['GET']))
924- mapper.connect('/tenants/{tenant_id}',
925- controller=tenant_controller,
926- action='get_tenant',
927- conditions=dict(method=['GET']))
928-
929- # User Operations
930- user_controller = UserController()
931- mapper.connect('/users/{user_id}',
932- controller=user_controller,
933- action='get_user',
934- conditions=dict(method=['GET']))
935-
936- # Role Operations
937- roles_controller = RoleController()
938- mapper.connect('/tenants/{tenant_id}/users/{user_id}/roles',
939- controller=roles_controller,
940- action='get_user_roles',
941- conditions=dict(method=['GET']))
942- mapper.connect('/users/{user_id}/roles',
943- controller=user_controller,
944- action='get_user_roles',
945- conditions=dict(method=['GET']))
946-
947-
948-class TenantController(wsgi.Application):
949- def __init__(self):
950- self.identity_api = Manager()
951- self.policy_api = policy.Manager()
952- self.token_api = token.Manager()
953- super(TenantController, self).__init__()
954-
955- def get_all_tenants(self, context, **kw):
956- """Gets a list of all tenants for an admin user."""
957- self.assert_admin(context)
958- tenant_refs = self.identity_api.get_tenants(context)
959- params = {
960- 'limit': context['query_string'].get('limit'),
961- 'marker': context['query_string'].get('marker'),
962- }
963- return self._format_tenant_list(tenant_refs, **params)
964-
965- def get_tenants_for_token(self, context, **kw):
966- """Get valid tenants for token based on token used to authenticate.
967-
968- Pulls the token from the context, validates it and gets the valid
969- tenants for the user in the token.
970-
971- Doesn't care about token scopedness.
972-
973- """
974- try:
975- token_ref = self.token_api.get_token(context=context,
976- token_id=context['token_id'])
977- except exception.NotFound:
978- raise exception.Unauthorized()
979-
980- user_ref = token_ref['user']
981- tenant_ids = self.identity_api.get_tenants_for_user(
982- context, user_ref['id'])
983- tenant_refs = []
984- for tenant_id in tenant_ids:
985- tenant_refs.append(self.identity_api.get_tenant(
986- context=context,
987- tenant_id=tenant_id))
988- params = {
989- 'limit': context['query_string'].get('limit'),
990- 'marker': context['query_string'].get('marker'),
991- }
992- return self._format_tenant_list(tenant_refs, **params)
993-
994- def get_tenant(self, context, tenant_id):
995- # TODO(termie): this stuff should probably be moved to middleware
996- self.assert_admin(context)
997- tenant = self.identity_api.get_tenant(context, tenant_id)
998- if tenant is None:
999- raise exception.TenantNotFound(tenant_id=tenant_id)
1000-
1001- return {'tenant': tenant}
1002-
1003- # CRUD Extension
1004- def create_tenant(self, context, tenant):
1005- tenant_ref = self._normalize_dict(tenant)
1006- self.assert_admin(context)
1007- tenant_id = (tenant_ref.get('id')
1008- and tenant_ref.get('id')
1009- or uuid.uuid4().hex)
1010- tenant_ref['id'] = tenant_id
1011-
1012- tenant = self.identity_api.create_tenant(
1013- context, tenant_id, tenant_ref)
1014- return {'tenant': tenant}
1015-
1016- def update_tenant(self, context, tenant_id, tenant):
1017- self.assert_admin(context)
1018- if self.identity_api.get_tenant(context, tenant_id) is None:
1019- raise exception.TenantNotFound(tenant_id=tenant_id)
1020-
1021- tenant_ref = self.identity_api.update_tenant(
1022- context, tenant_id, tenant)
1023- return {'tenant': tenant_ref}
1024-
1025- def delete_tenant(self, context, tenant_id, **kw):
1026- self.assert_admin(context)
1027- if self.identity_api.get_tenant(context, tenant_id) is None:
1028- raise exception.TenantNotFound(tenant_id=tenant_id)
1029-
1030- self.identity_api.delete_tenant(context, tenant_id)
1031-
1032- def get_tenant_users(self, context, tenant_id, **kw):
1033- self.assert_admin(context)
1034- if self.identity_api.get_tenant(context, tenant_id) is None:
1035- raise exception.TenantNotFound(tenant_id=tenant_id)
1036-
1037- user_refs = self.identity_api.get_tenant_users(context, tenant_id)
1038- return {'users': user_refs}
1039-
1040- def _format_tenant_list(self, tenant_refs, **kwargs):
1041- marker = kwargs.get('marker')
1042- page_idx = 0
1043- if marker is not None:
1044- for (marker_idx, tenant) in enumerate(tenant_refs):
1045- if tenant['id'] == marker:
1046- # we start pagination after the marker
1047- page_idx = marker_idx + 1
1048- break
1049- else:
1050- msg = 'Marker could not be found'
1051- raise exception.ValidationError(message=msg)
1052-
1053- limit = kwargs.get('limit')
1054- if limit is not None:
1055- try:
1056- limit = int(limit)
1057- if limit < 0:
1058- raise AssertionError()
1059- except (ValueError, AssertionError):
1060- msg = 'Invalid limit value'
1061- raise exception.ValidationError(message=msg)
1062-
1063- tenant_refs = tenant_refs[page_idx:limit]
1064-
1065- for x in tenant_refs:
1066- if 'enabled' not in x:
1067- x['enabled'] = True
1068- o = {'tenants': tenant_refs,
1069- 'tenants_links': []}
1070- return o
1071-
1072-
1073-class UserController(wsgi.Application):
1074- def __init__(self):
1075- self.identity_api = Manager()
1076- self.policy_api = policy.Manager()
1077- self.token_api = token.Manager()
1078- super(UserController, self).__init__()
1079-
1080- def get_user(self, context, user_id):
1081- self.assert_admin(context)
1082- user_ref = self.identity_api.get_user(context, user_id)
1083- if not user_ref:
1084- raise exception.UserNotFound(user_id=user_id)
1085-
1086- return {'user': user_ref}
1087-
1088- def get_users(self, context):
1089- # NOTE(termie): i can't imagine that this really wants all the data
1090- # about every single user in the system...
1091- self.assert_admin(context)
1092- user_refs = self.identity_api.list_users(context)
1093- return {'users': user_refs}
1094-
1095- # CRUD extension
1096- def create_user(self, context, user):
1097- user = self._normalize_dict(user)
1098- self.assert_admin(context)
1099- tenant_id = user.get('tenantId', None)
1100- if (tenant_id is not None
1101- and self.identity_api.get_tenant(context, tenant_id) is None):
1102- raise exception.TenantNotFound(tenant_id=tenant_id)
1103- user_id = uuid.uuid4().hex
1104- user_ref = user.copy()
1105- user_ref['id'] = user_id
1106- new_user_ref = self.identity_api.create_user(
1107- context, user_id, user_ref)
1108- if tenant_id:
1109- self.identity_api.add_user_to_tenant(context, tenant_id, user_id)
1110- return {'user': new_user_ref}
1111-
1112- def update_user(self, context, user_id, user):
1113- # NOTE(termie): this is really more of a patch than a put
1114- self.assert_admin(context)
1115- if self.identity_api.get_user(context, user_id) is None:
1116- raise exception.UserNotFound(user_id=user_id)
1117-
1118- user_ref = self.identity_api.update_user(context, user_id, user)
1119-
1120- # If the password was changed or the user was disabled we clear tokens
1121- if user.get('password') or user.get('enabled', True) == False:
1122- try:
1123- for token_id in self.token_api.list_tokens(context, user_id):
1124- self.token_api.delete_token(context, token_id)
1125- except exception.NotImplemented:
1126- # The users status has been changed but tokens remain valid for
1127- # backends that can't list tokens for users
1128- LOG.warning('User %s status has changed, but existing tokens '
1129- 'remain valid' % user_id)
1130- return {'user': user_ref}
1131-
1132- def delete_user(self, context, user_id):
1133- self.assert_admin(context)
1134- if self.identity_api.get_user(context, user_id) is None:
1135- raise exception.UserNotFound(user_id=user_id)
1136-
1137- self.identity_api.delete_user(context, user_id)
1138-
1139- def set_user_enabled(self, context, user_id, user):
1140- return self.update_user(context, user_id, user)
1141-
1142- def set_user_password(self, context, user_id, user):
1143- return self.update_user(context, user_id, user)
1144-
1145- def update_user_tenant(self, context, user_id, user):
1146- """Update the default tenant."""
1147- self.assert_admin(context)
1148- # ensure that we're a member of that tenant
1149- tenant_id = user.get('tenantId')
1150- self.identity_api.add_user_to_tenant(context, tenant_id, user_id)
1151- return self.update_user(context, user_id, user)
1152-
1153-
1154-class RoleController(wsgi.Application):
1155- def __init__(self):
1156- self.identity_api = Manager()
1157- self.token_api = token.Manager()
1158- self.policy_api = policy.Manager()
1159- super(RoleController, self).__init__()
1160-
1161- # COMPAT(essex-3)
1162- def get_user_roles(self, context, user_id, tenant_id=None):
1163- """Get the roles for a user and tenant pair.
1164-
1165- Since we're trying to ignore the idea of user-only roles we're
1166- not implementing them in hopes that the idea will die off.
1167-
1168- """
1169- self.assert_admin(context)
1170- if tenant_id is None:
1171- raise exception.NotImplemented(message='User roles not supported: '
1172- 'tenant ID required')
1173-
1174- user = self.identity_api.get_user(context, user_id)
1175- if user is None:
1176- raise exception.UserNotFound(user_id=user_id)
1177- tenant = self.identity_api.get_tenant(context, tenant_id)
1178- if tenant is None:
1179- raise exception.TenantNotFound(tenant_id=tenant_id)
1180-
1181- roles = self.identity_api.get_roles_for_user_and_tenant(
1182- context, user_id, tenant_id)
1183- return {'roles': [self.identity_api.get_role(context, x)
1184- for x in roles]}
1185-
1186- # CRUD extension
1187- def get_role(self, context, role_id):
1188- self.assert_admin(context)
1189- role_ref = self.identity_api.get_role(context, role_id)
1190- if not role_ref:
1191- raise exception.RoleNotFound(role_id=role_id)
1192- return {'role': role_ref}
1193-
1194- def create_role(self, context, role):
1195- role = self._normalize_dict(role)
1196- self.assert_admin(context)
1197- role_id = uuid.uuid4().hex
1198- role['id'] = role_id
1199- role_ref = self.identity_api.create_role(context, role_id, role)
1200- return {'role': role_ref}
1201-
1202- def delete_role(self, context, role_id):
1203- self.assert_admin(context)
1204- self.get_role(context, role_id)
1205- self.identity_api.delete_role(context, role_id)
1206-
1207- def get_roles(self, context):
1208- self.assert_admin(context)
1209- roles = self.identity_api.list_roles(context)
1210- # TODO(termie): probably inefficient at some point
1211- return {'roles': roles}
1212-
1213- def add_role_to_user(self, context, user_id, role_id, tenant_id=None):
1214- """Add a role to a user and tenant pair.
1215-
1216- Since we're trying to ignore the idea of user-only roles we're
1217- not implementing them in hopes that the idea will die off.
1218-
1219- """
1220- self.assert_admin(context)
1221- if tenant_id is None:
1222- raise exception.NotImplemented(message='User roles not supported: '
1223- 'tenant_id required')
1224- if self.identity_api.get_user(context, user_id) is None:
1225- raise exception.UserNotFound(user_id=user_id)
1226- if self.identity_api.get_tenant(context, tenant_id) is None:
1227- raise exception.TenantNotFound(tenant_id=tenant_id)
1228- if self.identity_api.get_role(context, role_id) is None:
1229- raise exception.RoleNotFound(role_id=role_id)
1230-
1231- # This still has the weird legacy semantics that adding a role to
1232- # a user also adds them to a tenant
1233- self.identity_api.add_user_to_tenant(context, tenant_id, user_id)
1234- self.identity_api.add_role_to_user_and_tenant(
1235- context, user_id, tenant_id, role_id)
1236- role_ref = self.identity_api.get_role(context, role_id)
1237- return {'role': role_ref}
1238-
1239- def remove_role_from_user(self, context, user_id, role_id, tenant_id=None):
1240- """Remove a role from a user and tenant pair.
1241-
1242- Since we're trying to ignore the idea of user-only roles we're
1243- not implementing them in hopes that the idea will die off.
1244-
1245- """
1246- self.assert_admin(context)
1247- if tenant_id is None:
1248- raise exception.NotImplemented(message='User roles not supported: '
1249- 'tenant_id required')
1250- if self.identity_api.get_user(context, user_id) is None:
1251- raise exception.UserNotFound(user_id=user_id)
1252- if self.identity_api.get_tenant(context, tenant_id) is None:
1253- raise exception.TenantNotFound(tenant_id=tenant_id)
1254- if self.identity_api.get_role(context, role_id) is None:
1255- raise exception.RoleNotFound(role_id=role_id)
1256-
1257- # This still has the weird legacy semantics that adding a role to
1258- # a user also adds them to a tenant, so we must follow up on that
1259- self.identity_api.remove_role_from_user_and_tenant(
1260- context, user_id, tenant_id, role_id)
1261- roles = self.identity_api.get_roles_for_user_and_tenant(
1262- context, user_id, tenant_id)
1263- if not roles:
1264- self.identity_api.remove_user_from_tenant(
1265- context, tenant_id, user_id)
1266- return
1267-
1268- # COMPAT(diablo): CRUD extension
1269- def get_role_refs(self, context, user_id):
1270- """Ultimate hack to get around having to make role_refs first-class.
1271-
1272- This will basically iterate over the various roles the user has in
1273- all tenants the user is a member of and create fake role_refs where
1274- the id encodes the user-tenant-role information so we can look
1275- up the appropriate data when we need to delete them.
1276-
1277- """
1278- self.assert_admin(context)
1279- user_ref = self.identity_api.get_user(context, user_id)
1280- tenant_ids = self.identity_api.get_tenants_for_user(context, user_id)
1281- o = []
1282- for tenant_id in tenant_ids:
1283- role_ids = self.identity_api.get_roles_for_user_and_tenant(
1284- context, user_id, tenant_id)
1285- for role_id in role_ids:
1286- ref = {'roleId': role_id,
1287- 'tenantId': tenant_id,
1288- 'userId': user_id}
1289- ref['id'] = urllib.urlencode(ref)
1290- o.append(ref)
1291- return {'roles': o}
1292-
1293- # COMPAT(diablo): CRUD extension
1294- def create_role_ref(self, context, user_id, role):
1295- """This is actually used for adding a user to a tenant.
1296-
1297- In the legacy data model adding a user to a tenant required setting
1298- a role.
1299-
1300- """
1301- self.assert_admin(context)
1302- # TODO(termie): for now we're ignoring the actual role
1303- tenant_id = role.get('tenantId')
1304- role_id = role.get('roleId')
1305- self.identity_api.add_user_to_tenant(context, tenant_id, user_id)
1306- self.identity_api.add_role_to_user_and_tenant(
1307- context, user_id, tenant_id, role_id)
1308- role_ref = self.identity_api.get_role(context, role_id)
1309- return {'role': role_ref}
1310-
1311- # COMPAT(diablo): CRUD extension
1312- def delete_role_ref(self, context, user_id, role_ref_id):
1313- """This is actually used for deleting a user from a tenant.
1314-
1315- In the legacy data model removing a user from a tenant required
1316- deleting a role.
1317-
1318- To emulate this, we encode the tenant and role in the role_ref_id,
1319- and if this happens to be the last role for the user-tenant pair,
1320- we remove the user from the tenant.
1321-
1322- """
1323- self.assert_admin(context)
1324- # TODO(termie): for now we're ignoring the actual role
1325- role_ref_ref = urlparse.parse_qs(role_ref_id)
1326- tenant_id = role_ref_ref.get('tenantId')[0]
1327- role_id = role_ref_ref.get('roleId')[0]
1328- self.identity_api.remove_role_from_user_and_tenant(
1329- context, user_id, tenant_id, role_id)
1330- roles = self.identity_api.get_roles_for_user_and_tenant(
1331- context, user_id, tenant_id)
1332- if not roles:
1333- self.identity_api.remove_user_from_tenant(
1334- context, tenant_id, user_id)
1335
1336=== removed directory '.pc/keystone-CVE-2012-4413.patch/keystone/token'
1337=== removed file '.pc/keystone-CVE-2012-4413.patch/keystone/token/core.py'
1338--- .pc/keystone-CVE-2012-4413.patch/keystone/token/core.py 2012-09-12 09:47:55 +0000
1339+++ .pc/keystone-CVE-2012-4413.patch/keystone/token/core.py 1970-01-01 00:00:00 +0000
1340@@ -1,107 +0,0 @@
1341-# vim: tabstop=4 shiftwidth=4 softtabstop=4
1342-
1343-# Copyright 2012 OpenStack LLC
1344-#
1345-# Licensed under the Apache License, Version 2.0 (the "License"); you may
1346-# not use this file except in compliance with the License. You may obtain
1347-# a copy of the License at
1348-#
1349-# http://www.apache.org/licenses/LICENSE-2.0
1350-#
1351-# Unless required by applicable law or agreed to in writing, software
1352-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
1353-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
1354-# License for the specific language governing permissions and limitations
1355-# under the License.
1356-
1357-"""Main entry point into the Token service."""
1358-
1359-import datetime
1360-
1361-from keystone import config
1362-from keystone import exception
1363-from keystone.common import manager
1364-
1365-
1366-CONF = config.CONF
1367-config.register_int('expiration', group='token', default=86400)
1368-
1369-
1370-class Manager(manager.Manager):
1371- """Default pivot point for the Token backend.
1372-
1373- See :mod:`keystone.common.manager.Manager` for more details on how this
1374- dynamically calls the backend.
1375-
1376- """
1377-
1378- def __init__(self):
1379- super(Manager, self).__init__(CONF.token.driver)
1380-
1381-
1382-class Driver(object):
1383- """Interface description for a Token driver."""
1384-
1385- def get_token(self, token_id):
1386- """Get a token by id.
1387-
1388- :param token_id: identity of the token
1389- :type token_id: string
1390- :returns: token_ref
1391- :raises: keystone.exception.TokenNotFound
1392-
1393- """
1394- raise exception.NotImplemented()
1395-
1396- def create_token(self, token_id, data):
1397- """Create a token by id and data.
1398-
1399- :param token_id: identity of the token
1400- :type token_id: string
1401- :param data: dictionary with additional reference information
1402-
1403- ::
1404-
1405- {
1406- expires=''
1407- id=token_id,
1408- user=user_ref,
1409- tenant=tenant_ref,
1410- metadata=metadata_ref
1411- }
1412-
1413- :type data: dict
1414- :returns: token_ref or None.
1415-
1416- """
1417- raise exception.NotImplemented()
1418-
1419- def delete_token(self, token_id):
1420- """Deletes a token by id.
1421-
1422- :param token_id: identity of the token
1423- :type token_id: string
1424- :returns: None.
1425- :raises: keystone.exception.TokenNotFound
1426-
1427- """
1428- raise exception.NotImplemented()
1429-
1430- def list_tokens(self, user_id):
1431- """Returns a list of current token_id's for a user
1432-
1433- :param user_id: identity of the user
1434- :type user_id: string
1435- :returns: list of token_id's
1436-
1437- """
1438- raise exception.NotImplemented()
1439-
1440- def _get_default_expire_time(self):
1441- """Determine when a token should expire based on the config.
1442-
1443- :returns: a naive utc datetime.datetime object
1444-
1445- """
1446- expire_delta = datetime.timedelta(seconds=CONF.token.expiration)
1447- return datetime.datetime.utcnow() + expire_delta
1448
1449=== removed directory '.pc/keystone-CVE-2012-4413.patch/tests'
1450=== removed file '.pc/keystone-CVE-2012-4413.patch/tests/test_keystoneclient.py'
1451--- .pc/keystone-CVE-2012-4413.patch/tests/test_keystoneclient.py 2012-09-12 09:47:55 +0000
1452+++ .pc/keystone-CVE-2012-4413.patch/tests/test_keystoneclient.py 1970-01-01 00:00:00 +0000
1453@@ -1,970 +0,0 @@
1454-# vim: tabstop=4 shiftwidth=4 softtabstop=4
1455-
1456-# Copyright 2012 OpenStack LLC
1457-#
1458-# Licensed under the Apache License, Version 2.0 (the "License"); you may
1459-# not use this file except in compliance with the License. You may obtain
1460-# a copy of the License at
1461-#
1462-# http://www.apache.org/licenses/LICENSE-2.0
1463-#
1464-# Unless required by applicable law or agreed to in writing, software
1465-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
1466-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
1467-# License for the specific language governing permissions and limitations
1468-# under the License.
1469-
1470-import time
1471-import uuid
1472-
1473-import nose.exc
1474-
1475-from keystone import test
1476-
1477-import default_fixtures
1478-
1479-OPENSTACK_REPO = 'https://review.openstack.org/p/openstack'
1480-KEYSTONECLIENT_REPO = '%s/python-keystoneclient.git' % OPENSTACK_REPO
1481-
1482-
1483-class CompatTestCase(test.TestCase):
1484- def setUp(self):
1485- super(CompatTestCase, self).setUp()
1486-
1487- self.load_backends()
1488- self.load_fixtures(default_fixtures)
1489-
1490- self.public_server = self.serveapp('keystone', name='main')
1491- self.admin_server = self.serveapp('keystone', name='admin')
1492-
1493- # TODO(termie): is_admin is being deprecated once the policy stuff
1494- # is all working
1495- # TODO(termie): add an admin user to the fixtures and use that user
1496- # override the fixtures, for now
1497- self.metadata_foobar = self.identity_api.update_metadata(
1498- self.user_foo['id'], self.tenant_bar['id'],
1499- dict(roles=['keystone_admin'], is_admin='1'))
1500-
1501- def tearDown(self):
1502- self.public_server.kill()
1503- self.admin_server.kill()
1504- self.public_server = None
1505- self.admin_server = None
1506- super(CompatTestCase, self).tearDown()
1507-
1508- def _public_url(self):
1509- public_port = self.public_server.socket_info['socket'][1]
1510- return "http://localhost:%s/v2.0" % public_port
1511-
1512- def _admin_url(self):
1513- admin_port = self.admin_server.socket_info['socket'][1]
1514- return "http://localhost:%s/v2.0" % admin_port
1515-
1516- def _client(self, admin=False, **kwargs):
1517- from keystoneclient.v2_0 import client as ks_client
1518-
1519- url = self._admin_url() if admin else self._public_url()
1520- kc = ks_client.Client(endpoint=url,
1521- auth_url=self._public_url(),
1522- **kwargs)
1523- kc.authenticate()
1524- # have to manually overwrite the management url after authentication
1525- kc.management_url = url
1526- return kc
1527-
1528- def get_client(self, user_ref=None, tenant_ref=None, admin=False):
1529- if user_ref is None:
1530- user_ref = self.user_foo
1531- if tenant_ref is None:
1532- for user in default_fixtures.USERS:
1533- if user['id'] == user_ref['id']:
1534- tenant_id = user['tenants'][0]
1535- else:
1536- tenant_id = tenant_ref['id']
1537-
1538- return self._client(username=user_ref['name'],
1539- password=user_ref['password'],
1540- tenant_id=tenant_id,
1541- admin=admin)
1542-
1543-
1544-class KeystoneClientTests(object):
1545- """Tests for all versions of keystoneclient."""
1546-
1547- def test_authenticate_tenant_name_and_tenants(self):
1548- client = self.get_client()
1549- tenants = client.tenants.list()
1550- self.assertEquals(tenants[0].id, self.tenant_bar['id'])
1551-
1552- def test_authenticate_tenant_id_and_tenants(self):
1553- client = self._client(username=self.user_foo['name'],
1554- password=self.user_foo['password'],
1555- tenant_id='bar')
1556- tenants = client.tenants.list()
1557- self.assertEquals(tenants[0].id, self.tenant_bar['id'])
1558-
1559- def test_authenticate_invalid_tenant_id(self):
1560- from keystoneclient import exceptions as client_exceptions
1561- self.assertRaises(client_exceptions.Unauthorized,
1562- self._client,
1563- username=self.user_foo['name'],
1564- password=self.user_foo['password'],
1565- tenant_id='baz')
1566-
1567- def test_authenticate_token_no_tenant(self):
1568- client = self.get_client()
1569- token = client.auth_token
1570- token_client = self._client(token=token)
1571- tenants = token_client.tenants.list()
1572- self.assertEquals(tenants[0].id, self.tenant_bar['id'])
1573-
1574- def test_authenticate_token_tenant_id(self):
1575- client = self.get_client()
1576- token = client.auth_token
1577- token_client = self._client(token=token, tenant_id='bar')
1578- tenants = token_client.tenants.list()
1579- self.assertEquals(tenants[0].id, self.tenant_bar['id'])
1580-
1581- def test_authenticate_token_invalid_tenant_id(self):
1582- from keystoneclient import exceptions as client_exceptions
1583- client = self.get_client()
1584- token = client.auth_token
1585- self.assertRaises(client_exceptions.AuthorizationFailure,
1586- self._client, token=token, tenant_id='baz')
1587-
1588- def test_authenticate_token_tenant_name(self):
1589- client = self.get_client()
1590- token = client.auth_token
1591- token_client = self._client(token=token, tenant_name='BAR')
1592- tenants = token_client.tenants.list()
1593- self.assertEquals(tenants[0].id, self.tenant_bar['id'])
1594- self.assertEquals(tenants[0].id, self.tenant_bar['id'])
1595-
1596- def test_authenticate_and_delete_token(self):
1597- from keystoneclient import exceptions as client_exceptions
1598-
1599- client = self.get_client(admin=True)
1600- token = client.auth_token
1601- token_client = self._client(token=token)
1602- tenants = token_client.tenants.list()
1603- self.assertEquals(tenants[0].id, self.tenant_bar['id'])
1604-
1605- client.tokens.delete(token_client.auth_token)
1606-
1607- self.assertRaises(client_exceptions.Unauthorized,
1608- token_client.tenants.list)
1609-
1610- def test_authenticate_no_password(self):
1611- from keystoneclient import exceptions as client_exceptions
1612-
1613- user_ref = self.user_foo.copy()
1614- user_ref['password'] = None
1615- self.assertRaises(client_exceptions.AuthorizationFailure,
1616- self.get_client,
1617- user_ref)
1618-
1619- def test_authenticate_no_username(self):
1620- from keystoneclient import exceptions as client_exceptions
1621-
1622- user_ref = self.user_foo.copy()
1623- user_ref['name'] = None
1624- self.assertRaises(client_exceptions.AuthorizationFailure,
1625- self.get_client,
1626- user_ref)
1627-
1628- def test_authenticate_disabled_tenant(self):
1629- from keystoneclient import exceptions as client_exceptions
1630-
1631- admin_client = self.get_client(admin=True)
1632-
1633- tenant = {
1634- 'name': uuid.uuid4().hex,
1635- 'description': uuid.uuid4().hex,
1636- 'enabled': False,
1637- }
1638- tenant_ref = admin_client.tenants.create(
1639- tenant_name=tenant['name'],
1640- description=tenant['description'],
1641- enabled=tenant['enabled'])
1642- tenant['id'] = tenant_ref.id
1643-
1644- user = {
1645- 'name': uuid.uuid4().hex,
1646- 'password': uuid.uuid4().hex,
1647- 'email': uuid.uuid4().hex,
1648- 'tenant_id': tenant['id'],
1649- }
1650- user_ref = admin_client.users.create(
1651- name=user['name'],
1652- password=user['password'],
1653- email=user['email'],
1654- tenant_id=user['tenant_id'])
1655- user['id'] = user_ref.id
1656-
1657- # password authentication
1658- self.assertRaises(
1659- client_exceptions.Unauthorized,
1660- self._client,
1661- username=user['name'],
1662- password=user['password'],
1663- tenant_id=tenant['id'])
1664-
1665- # token authentication
1666- client = self._client(
1667- username=user['name'],
1668- password=user['password'])
1669- self.assertRaises(
1670- client_exceptions.Unauthorized,
1671- self._client,
1672- token=client.auth_token,
1673- tenant_id=tenant['id'])
1674-
1675- # FIXME(ja): this test should require the "keystone:admin" roled
1676- # (probably the role set via --keystone_admin_role flag)
1677- # FIXME(ja): add a test that admin endpoint is only sent to admin user
1678- # FIXME(ja): add a test that admin endpoint returns unauthorized if not
1679- # admin
1680- def test_tenant_create_update_and_delete(self):
1681- from keystoneclient import exceptions as client_exceptions
1682-
1683- tenant_name = 'original_tenant'
1684- tenant_description = 'My original tenant!'
1685- tenant_enabled = True
1686- client = self.get_client(admin=True)
1687-
1688- # create, get, and list a tenant
1689- tenant = client.tenants.create(tenant_name=tenant_name,
1690- description=tenant_description,
1691- enabled=tenant_enabled)
1692- self.assertEquals(tenant.name, tenant_name)
1693- self.assertEquals(tenant.description, tenant_description)
1694- self.assertEquals(tenant.enabled, tenant_enabled)
1695-
1696- tenant = client.tenants.get(tenant_id=tenant.id)
1697- self.assertEquals(tenant.name, tenant_name)
1698- self.assertEquals(tenant.description, tenant_description)
1699- self.assertEquals(tenant.enabled, tenant_enabled)
1700-
1701- tenant = [t for t in client.tenants.list() if t.id == tenant.id].pop()
1702- self.assertEquals(tenant.name, tenant_name)
1703- self.assertEquals(tenant.description, tenant_description)
1704- self.assertEquals(tenant.enabled, tenant_enabled)
1705-
1706- # update, get, and list a tenant
1707- tenant_name = 'updated_tenant'
1708- tenant_description = 'Updated tenant!'
1709- tenant_enabled = False
1710- tenant = client.tenants.update(tenant_id=tenant.id,
1711- tenant_name=tenant_name,
1712- enabled=tenant_enabled,
1713- description=tenant_description)
1714- self.assertEquals(tenant.name, tenant_name)
1715- self.assertEquals(tenant.description, tenant_description)
1716- self.assertEquals(tenant.enabled, tenant_enabled)
1717-
1718- tenant = client.tenants.get(tenant_id=tenant.id)
1719- self.assertEquals(tenant.name, tenant_name)
1720- self.assertEquals(tenant.description, tenant_description)
1721- self.assertEquals(tenant.enabled, tenant_enabled)
1722-
1723- tenant = [t for t in client.tenants.list() if t.id == tenant.id].pop()
1724- self.assertEquals(tenant.name, tenant_name)
1725- self.assertEquals(tenant.description, tenant_description)
1726- self.assertEquals(tenant.enabled, tenant_enabled)
1727-
1728- # delete, get, and list a tenant
1729- client.tenants.delete(tenant=tenant.id)
1730- self.assertRaises(client_exceptions.NotFound, client.tenants.get,
1731- tenant.id)
1732- self.assertFalse([t for t in client.tenants.list()
1733- if t.id == tenant.id])
1734-
1735- def test_tenant_delete_404(self):
1736- from keystoneclient import exceptions as client_exceptions
1737- client = self.get_client(admin=True)
1738- self.assertRaises(client_exceptions.NotFound,
1739- client.tenants.delete,
1740- tenant=uuid.uuid4().hex)
1741-
1742- def test_tenant_get_404(self):
1743- from keystoneclient import exceptions as client_exceptions
1744- client = self.get_client(admin=True)
1745- self.assertRaises(client_exceptions.NotFound,
1746- client.tenants.get,
1747- tenant_id=uuid.uuid4().hex)
1748-
1749- def test_tenant_update_404(self):
1750- from keystoneclient import exceptions as client_exceptions
1751- client = self.get_client(admin=True)
1752- self.assertRaises(client_exceptions.NotFound,
1753- client.tenants.update,
1754- tenant_id=uuid.uuid4().hex)
1755-
1756- def test_tenant_list(self):
1757- client = self.get_client()
1758- tenants = client.tenants.list()
1759- self.assertEquals(len(tenants), 1)
1760-
1761- # Admin endpoint should return *all* tenants
1762- client = self.get_client(admin=True)
1763- tenants = client.tenants.list()
1764- self.assertEquals(len(tenants), len(default_fixtures.TENANTS))
1765-
1766- def test_invalid_password(self):
1767- from keystoneclient import exceptions as client_exceptions
1768-
1769- good_client = self._client(username=self.user_foo['name'],
1770- password=self.user_foo['password'])
1771- good_client.tenants.list()
1772-
1773- self.assertRaises(client_exceptions.Unauthorized,
1774- self._client,
1775- username=self.user_foo['name'],
1776- password='invalid')
1777-
1778- def test_invalid_user_password(self):
1779- from keystoneclient import exceptions as client_exceptions
1780-
1781- self.assertRaises(client_exceptions.Unauthorized,
1782- self._client,
1783- username='blah',
1784- password='blah')
1785-
1786- def test_change_password_invalidates_token(self):
1787- from keystoneclient import exceptions as client_exceptions
1788-
1789- client = self.get_client(admin=True)
1790-
1791- username = uuid.uuid4().hex
1792- passwd = uuid.uuid4().hex
1793- user = client.users.create(name=username, password=passwd,
1794- email=uuid.uuid4().hex)
1795-
1796- token_id = client.tokens.authenticate(username=username,
1797- password=passwd).id
1798-
1799- # authenticate with a token should work before a password change
1800- client.tokens.authenticate(token=token_id)
1801-
1802- client.users.update_password(user=user.id, password=uuid.uuid4().hex)
1803-
1804- # authenticate with a token should not work after a password change
1805- self.assertRaises(client_exceptions.Unauthorized,
1806- client.tokens.authenticate,
1807- token=token_id)
1808-
1809- def test_disable_user_invalidates_token(self):
1810- from keystoneclient import exceptions as client_exceptions
1811-
1812- admin_client = self.get_client(admin=True)
1813- foo_client = self.get_client(self.user_foo)
1814-
1815- admin_client.users.update_enabled(user=self.user_foo['id'],
1816- enabled=False)
1817-
1818- self.assertRaises(client_exceptions.Unauthorized,
1819- foo_client.tokens.authenticate,
1820- token=foo_client.auth_token)
1821-
1822- self.assertRaises(client_exceptions.Unauthorized,
1823- self.get_client,
1824- self.user_foo)
1825-
1826- def test_token_expiry_maintained(self):
1827- foo_client = self.get_client(self.user_foo)
1828- orig_token = foo_client.service_catalog.catalog['token']
1829-
1830- time.sleep(1.01)
1831- reauthenticated_token = foo_client.tokens.authenticate(
1832- token=foo_client.auth_token)
1833-
1834- self.assertEquals(orig_token['expires'],
1835- reauthenticated_token.expires)
1836-
1837- def test_user_create_update_delete(self):
1838- from keystoneclient import exceptions as client_exceptions
1839-
1840- test_username = 'new_user'
1841- client = self.get_client(admin=True)
1842- user = client.users.create(name=test_username,
1843- password='password',
1844- email='user1@test.com')
1845- self.assertEquals(user.name, test_username)
1846-
1847- user = client.users.get(user=user.id)
1848- self.assertEquals(user.name, test_username)
1849-
1850- user = client.users.update(user=user,
1851- name=test_username,
1852- email='user2@test.com')
1853- self.assertEquals(user.email, 'user2@test.com')
1854-
1855- # NOTE(termie): update_enabled doesn't return anything, probably a bug
1856- client.users.update_enabled(user=user, enabled=False)
1857- user = client.users.get(user.id)
1858- self.assertFalse(user.enabled)
1859-
1860- self.assertRaises(client_exceptions.Unauthorized,
1861- self._client,
1862- username=test_username,
1863- password='password')
1864- client.users.update_enabled(user, True)
1865-
1866- user = client.users.update_password(user=user, password='password2')
1867-
1868- self._client(username=test_username,
1869- password='password2')
1870-
1871- user = client.users.update_tenant(user=user, tenant='bar')
1872- # TODO(ja): once keystonelight supports default tenant
1873- # when you login without specifying tenant, the
1874- # token should be scoped to tenant 'bar'
1875-
1876- client.users.delete(user.id)
1877- self.assertRaises(client_exceptions.NotFound, client.users.get,
1878- user.id)
1879-
1880- # Test creating a user with a tenant (auto-add to tenant)
1881- user2 = client.users.create(name=test_username,
1882- password='password',
1883- email='user1@test.com',
1884- tenant_id='bar')
1885- self.assertEquals(user2.name, test_username)
1886-
1887- def test_user_create_404(self):
1888- from keystoneclient import exceptions as client_exceptions
1889- client = self.get_client(admin=True)
1890- self.assertRaises(client_exceptions.NotFound,
1891- client.users.create,
1892- name=uuid.uuid4().hex,
1893- password=uuid.uuid4().hex,
1894- email=uuid.uuid4().hex,
1895- tenant_id=uuid.uuid4().hex)
1896-
1897- def test_user_get_404(self):
1898- from keystoneclient import exceptions as client_exceptions
1899- client = self.get_client(admin=True)
1900- self.assertRaises(client_exceptions.NotFound,
1901- client.users.get,
1902- user=uuid.uuid4().hex)
1903-
1904- def test_user_list_404(self):
1905- from keystoneclient import exceptions as client_exceptions
1906- client = self.get_client(admin=True)
1907- self.assertRaises(client_exceptions.NotFound,
1908- client.users.list,
1909- tenant_id=uuid.uuid4().hex)
1910-
1911- def test_user_update_404(self):
1912- from keystoneclient import exceptions as client_exceptions
1913- client = self.get_client(admin=True)
1914- self.assertRaises(client_exceptions.NotFound,
1915- client.users.update,
1916- user=uuid.uuid4().hex)
1917-
1918- def test_user_update_tenant_404(self):
1919- raise nose.exc.SkipTest('N/A')
1920- from keystoneclient import exceptions as client_exceptions
1921- client = self.get_client(admin=True)
1922- self.assertRaises(client_exceptions.NotFound,
1923- client.users.update,
1924- user=self.user_foo['id'],
1925- tenant_id=uuid.uuid4().hex)
1926-
1927- def test_user_update_password_404(self):
1928- from keystoneclient import exceptions as client_exceptions
1929- client = self.get_client(admin=True)
1930- self.assertRaises(client_exceptions.NotFound,
1931- client.users.update_password,
1932- user=uuid.uuid4().hex,
1933- password=uuid.uuid4().hex)
1934-
1935- def test_user_delete_404(self):
1936- from keystoneclient import exceptions as client_exceptions
1937- client = self.get_client(admin=True)
1938- self.assertRaises(client_exceptions.NotFound,
1939- client.users.delete,
1940- user=uuid.uuid4().hex)
1941-
1942- def test_user_list(self):
1943- client = self.get_client(admin=True)
1944- users = client.users.list()
1945- self.assertTrue(len(users) > 0)
1946- user = users[0]
1947- self.assertRaises(AttributeError, lambda: user.password)
1948-
1949- def test_user_get(self):
1950- client = self.get_client(admin=True)
1951- user = client.users.get(user=self.user_foo['id'])
1952- self.assertRaises(AttributeError, lambda: user.password)
1953-
1954- def test_role_get(self):
1955- client = self.get_client(admin=True)
1956- role = client.roles.get(role='keystone_admin')
1957- self.assertEquals(role.id, 'keystone_admin')
1958-
1959- def test_role_crud(self):
1960- from keystoneclient import exceptions as client_exceptions
1961-
1962- test_role = 'new_role'
1963- client = self.get_client(admin=True)
1964- role = client.roles.create(name=test_role)
1965- self.assertEquals(role.name, test_role)
1966-
1967- role = client.roles.get(role=role.id)
1968- self.assertEquals(role.name, test_role)
1969-
1970- client.roles.delete(role=role.id)
1971-
1972- self.assertRaises(client_exceptions.NotFound,
1973- client.roles.delete,
1974- role=role.id)
1975- self.assertRaises(client_exceptions.NotFound,
1976- client.roles.get,
1977- role=role.id)
1978-
1979- def test_role_get_404(self):
1980- from keystoneclient import exceptions as client_exceptions
1981- client = self.get_client(admin=True)
1982- self.assertRaises(client_exceptions.NotFound,
1983- client.roles.get,
1984- role=uuid.uuid4().hex)
1985-
1986- def test_role_delete_404(self):
1987- from keystoneclient import exceptions as client_exceptions
1988- client = self.get_client(admin=True)
1989- self.assertRaises(client_exceptions.NotFound,
1990- client.roles.delete,
1991- role=uuid.uuid4().hex)
1992-
1993- def test_role_list_404(self):
1994- from keystoneclient import exceptions as client_exceptions
1995- client = self.get_client(admin=True)
1996- self.assertRaises(client_exceptions.NotFound,
1997- client.roles.roles_for_user,
1998- user=uuid.uuid4().hex,
1999- tenant=uuid.uuid4().hex)
2000- self.assertRaises(client_exceptions.NotFound,
2001- client.roles.roles_for_user,
2002- user=self.user_foo['id'],
2003- tenant=uuid.uuid4().hex)
2004- self.assertRaises(client_exceptions.NotFound,
2005- client.roles.roles_for_user,
2006- user=uuid.uuid4().hex,
2007- tenant=self.tenant_bar['id'])
2008-
2009- def test_role_list(self):
2010- client = self.get_client(admin=True)
2011- roles = client.roles.list()
2012- # TODO(devcamcar): This assert should be more specific.
2013- self.assertTrue(len(roles) > 0)
2014-
2015- def test_ec2_credential_crud(self):
2016- client = self.get_client()
2017- creds = client.ec2.list(user_id=self.user_foo['id'])
2018- self.assertEquals(creds, [])
2019-
2020- cred = client.ec2.create(user_id=self.user_foo['id'],
2021- tenant_id=self.tenant_bar['id'])
2022- creds = client.ec2.list(user_id=self.user_foo['id'])
2023- self.assertEquals(creds, [cred])
2024-
2025- got = client.ec2.get(user_id=self.user_foo['id'], access=cred.access)
2026- self.assertEquals(cred, got)
2027-
2028- client.ec2.delete(user_id=self.user_foo['id'], access=cred.access)
2029- creds = client.ec2.list(user_id=self.user_foo['id'])
2030- self.assertEquals(creds, [])
2031-
2032- def test_ec2_credentials_create_404(self):
2033- from keystoneclient import exceptions as client_exceptions
2034- client = self.get_client()
2035- self.assertRaises(client_exceptions.NotFound,
2036- client.ec2.create,
2037- user_id=uuid.uuid4().hex,
2038- tenant_id=self.tenant_bar['id'])
2039- self.assertRaises(client_exceptions.NotFound,
2040- client.ec2.create,
2041- user_id=self.user_foo['id'],
2042- tenant_id=uuid.uuid4().hex)
2043-
2044- def test_ec2_credentials_delete_404(self):
2045- from keystoneclient import exceptions as client_exceptions
2046- client = self.get_client()
2047- self.assertRaises(client_exceptions.NotFound,
2048- client.ec2.delete,
2049- user_id=uuid.uuid4().hex,
2050- access=uuid.uuid4().hex)
2051-
2052- def test_ec2_credentials_get_404(self):
2053- from keystoneclient import exceptions as client_exceptions
2054- client = self.get_client()
2055- self.assertRaises(client_exceptions.NotFound,
2056- client.ec2.get,
2057- user_id=uuid.uuid4().hex,
2058- access=uuid.uuid4().hex)
2059-
2060- def test_ec2_credentials_list_404(self):
2061- from keystoneclient import exceptions as client_exceptions
2062- client = self.get_client()
2063- self.assertRaises(client_exceptions.NotFound,
2064- client.ec2.list,
2065- user_id=uuid.uuid4().hex)
2066-
2067- def test_ec2_credentials_list_user_forbidden(self):
2068- from keystoneclient import exceptions as client_exceptions
2069-
2070- two = self.get_client(self.user_two)
2071- self.assertRaises(client_exceptions.Forbidden, two.ec2.list,
2072- user_id=self.user_foo['id'])
2073-
2074- def test_ec2_credentials_get_user_forbidden(self):
2075- from keystoneclient import exceptions as client_exceptions
2076-
2077- foo = self.get_client()
2078- cred = foo.ec2.create(user_id=self.user_foo['id'],
2079- tenant_id=self.tenant_bar['id'])
2080-
2081- two = self.get_client(self.user_two)
2082- self.assertRaises(client_exceptions.Forbidden, two.ec2.get,
2083- user_id=self.user_foo['id'], access=cred.access)
2084-
2085- foo.ec2.delete(user_id=self.user_foo['id'], access=cred.access)
2086-
2087- def test_ec2_credentials_delete_user_forbidden(self):
2088- from keystoneclient import exceptions as client_exceptions
2089-
2090- foo = self.get_client()
2091- cred = foo.ec2.create(user_id=self.user_foo['id'],
2092- tenant_id=self.tenant_bar['id'])
2093-
2094- two = self.get_client(self.user_two)
2095- self.assertRaises(client_exceptions.Forbidden, two.ec2.delete,
2096- user_id=self.user_foo['id'], access=cred.access)
2097-
2098- foo.ec2.delete(user_id=self.user_foo['id'], access=cred.access)
2099-
2100- def test_service_create_and_delete(self):
2101- from keystoneclient import exceptions as client_exceptions
2102-
2103- test_service = 'new_service'
2104- client = self.get_client(admin=True)
2105- service = client.services.create(name=test_service,
2106- service_type='test',
2107- description='test')
2108- self.assertEquals(service.name, test_service)
2109-
2110- service = client.services.get(id=service.id)
2111- self.assertEquals(service.name, test_service)
2112-
2113- client.services.delete(id=service.id)
2114- self.assertRaises(client_exceptions.NotFound, client.services.get,
2115- id=service.id)
2116-
2117- def test_service_list(self):
2118- client = self.get_client(admin=True)
2119- test_service = 'new_service'
2120- service = client.services.create(name=test_service,
2121- service_type='test',
2122- description='test')
2123- services = client.services.list()
2124- # TODO(devcamcar): This assert should be more specific.
2125- self.assertTrue(len(services) > 0)
2126-
2127- def test_service_delete_404(self):
2128- from keystoneclient import exceptions as client_exceptions
2129- client = self.get_client(admin=True)
2130- self.assertRaises(client_exceptions.NotFound,
2131- client.services.delete,
2132- id=uuid.uuid4().hex)
2133-
2134- def test_service_get_404(self):
2135- from keystoneclient import exceptions as client_exceptions
2136- client = self.get_client(admin=True)
2137- self.assertRaises(client_exceptions.NotFound,
2138- client.services.get,
2139- id=uuid.uuid4().hex)
2140-
2141- def test_endpoint_create_404(self):
2142- from keystoneclient import exceptions as client_exceptions
2143- client = self.get_client(admin=True)
2144- self.assertRaises(client_exceptions.NotFound,
2145- client.endpoints.create,
2146- region=uuid.uuid4().hex,
2147- service_id=uuid.uuid4().hex,
2148- publicurl=uuid.uuid4().hex,
2149- adminurl=uuid.uuid4().hex,
2150- internalurl=uuid.uuid4().hex)
2151-
2152- def test_endpoint_delete_404(self):
2153- # the catalog backend is expected to return Not Implemented
2154- from keystoneclient import exceptions as client_exceptions
2155- client = self.get_client(admin=True)
2156- self.assertRaises(client_exceptions.HTTPNotImplemented,
2157- client.endpoints.delete,
2158- id=uuid.uuid4().hex)
2159-
2160- def test_admin_requires_adminness(self):
2161- from keystoneclient import exceptions as client_exceptions
2162- # FIXME(ja): this should be Unauthorized
2163- exception = client_exceptions.ClientException
2164-
2165- two = self.get_client(self.user_two, admin=True) # non-admin user
2166-
2167- # USER CRUD
2168- self.assertRaises(exception,
2169- two.users.list)
2170- self.assertRaises(exception,
2171- two.users.get,
2172- user=self.user_two['id'])
2173- self.assertRaises(exception,
2174- two.users.create,
2175- name='oops',
2176- password='password',
2177- email='oops@test.com')
2178- self.assertRaises(exception,
2179- two.users.delete,
2180- user=self.user_foo['id'])
2181-
2182- # TENANT CRUD
2183- self.assertRaises(exception,
2184- two.tenants.list)
2185- self.assertRaises(exception,
2186- two.tenants.get,
2187- tenant_id=self.tenant_bar['id'])
2188- self.assertRaises(exception,
2189- two.tenants.create,
2190- tenant_name='oops',
2191- description="shouldn't work!",
2192- enabled=True)
2193- self.assertRaises(exception,
2194- two.tenants.delete,
2195- tenant=self.tenant_baz['id'])
2196-
2197- # ROLE CRUD
2198- self.assertRaises(exception,
2199- two.roles.get,
2200- role='keystone_admin')
2201- self.assertRaises(exception,
2202- two.roles.list)
2203- self.assertRaises(exception,
2204- two.roles.create,
2205- name='oops')
2206- self.assertRaises(exception,
2207- two.roles.delete,
2208- role='keystone_admin')
2209-
2210- # TODO(ja): MEMBERSHIP CRUD
2211- # TODO(ja): determine what else todo
2212-
2213-
2214-class KcMasterTestCase(CompatTestCase, KeystoneClientTests):
2215- def test_tenant_add_and_remove_user(self):
2216- client = self.get_client(admin=True)
2217- client.roles.add_user_role(tenant=self.tenant_baz['id'],
2218- user=self.user_foo['id'],
2219- role=self.role_useless['id'])
2220- user_refs = client.tenants.list_users(tenant=self.tenant_baz['id'])
2221- self.assert_(self.user_foo['id'] in [x.id for x in user_refs])
2222- client.roles.remove_user_role(tenant=self.tenant_baz['id'],
2223- user=self.user_foo['id'],
2224- role=self.role_useless['id'])
2225- user_refs = client.tenants.list_users(tenant=self.tenant_baz['id'])
2226- self.assert_(self.user_foo['id'] not in [x.id for x in user_refs])
2227-
2228- def test_user_role_add_404(self):
2229- from keystoneclient import exceptions as client_exceptions
2230- client = self.get_client(admin=True)
2231- self.assertRaises(client_exceptions.NotFound,
2232- client.roles.add_user_role,
2233- tenant=uuid.uuid4().hex,
2234- user=self.user_foo['id'],
2235- role=self.role_useless['id'])
2236- self.assertRaises(client_exceptions.NotFound,
2237- client.roles.add_user_role,
2238- tenant=self.tenant_baz['id'],
2239- user=uuid.uuid4().hex,
2240- role=self.role_useless['id'])
2241- self.assertRaises(client_exceptions.NotFound,
2242- client.roles.add_user_role,
2243- tenant=self.tenant_baz['id'],
2244- user=self.user_foo['id'],
2245- role=uuid.uuid4().hex)
2246-
2247- def test_user_role_remove_404(self):
2248- from keystoneclient import exceptions as client_exceptions
2249- client = self.get_client(admin=True)
2250- self.assertRaises(client_exceptions.NotFound,
2251- client.roles.remove_user_role,
2252- tenant=uuid.uuid4().hex,
2253- user=self.user_foo['id'],
2254- role=self.role_useless['id'])
2255- self.assertRaises(client_exceptions.NotFound,
2256- client.roles.remove_user_role,
2257- tenant=self.tenant_baz['id'],
2258- user=uuid.uuid4().hex,
2259- role=self.role_useless['id'])
2260- self.assertRaises(client_exceptions.NotFound,
2261- client.roles.remove_user_role,
2262- tenant=self.tenant_baz['id'],
2263- user=self.user_foo['id'],
2264- role=uuid.uuid4().hex)
2265- self.assertRaises(client_exceptions.NotFound,
2266- client.roles.remove_user_role,
2267- tenant=self.tenant_baz['id'],
2268- user=self.user_foo['id'],
2269- role=self.role_useless['id'])
2270-
2271- def test_tenant_list_marker(self):
2272- client = self.get_client()
2273-
2274- # Add two arbitrary tenants to user for testing purposes
2275- for i in range(2):
2276- tenant_id = uuid.uuid4().hex
2277- tenant = {'name': 'tenant-%s' % tenant_id, 'id': tenant_id}
2278- self.identity_api.create_tenant(tenant_id, tenant)
2279- self.identity_api.add_user_to_tenant(tenant_id,
2280- self.user_foo['id'])
2281-
2282- tenants = client.tenants.list()
2283- self.assertEqual(len(tenants), 3)
2284-
2285- tenants_marker = client.tenants.list(marker=tenants[0].id)
2286- self.assertEqual(len(tenants_marker), 2)
2287- self.assertEqual(tenants[1].name, tenants_marker[0].name)
2288- self.assertEqual(tenants[2].name, tenants_marker[1].name)
2289-
2290- def test_tenant_list_marker_not_found(self):
2291- from keystoneclient import exceptions as client_exceptions
2292-
2293- client = self.get_client()
2294- self.assertRaises(client_exceptions.BadRequest,
2295- client.tenants.list, marker=uuid.uuid4().hex)
2296-
2297- def test_tenant_list_limit(self):
2298- client = self.get_client()
2299-
2300- # Add two arbitrary tenants to user for testing purposes
2301- for i in range(2):
2302- tenant_id = uuid.uuid4().hex
2303- tenant = {'name': 'tenant-%s' % tenant_id, 'id': tenant_id}
2304- self.identity_api.create_tenant(tenant_id, tenant)
2305- self.identity_api.add_user_to_tenant(tenant_id,
2306- self.user_foo['id'])
2307-
2308- tenants = client.tenants.list()
2309- self.assertEqual(len(tenants), 3)
2310-
2311- tenants_limited = client.tenants.list(limit=2)
2312- self.assertEqual(len(tenants_limited), 2)
2313- self.assertEqual(tenants[0].name, tenants_limited[0].name)
2314- self.assertEqual(tenants[1].name, tenants_limited[1].name)
2315-
2316- def test_tenant_list_limit_bad_value(self):
2317- from keystoneclient import exceptions as client_exceptions
2318-
2319- client = self.get_client()
2320- self.assertRaises(client_exceptions.BadRequest,
2321- client.tenants.list, limit='a')
2322- self.assertRaises(client_exceptions.BadRequest,
2323- client.tenants.list, limit=-1)
2324-
2325- def test_roles_get_by_user(self):
2326- client = self.get_client(admin=True)
2327- roles = client.roles.roles_for_user(user=self.user_foo['id'],
2328- tenant=self.tenant_bar['id'])
2329- self.assertTrue(len(roles) > 0)
2330-
2331-
2332-class KcEssex3TestCase(CompatTestCase, KeystoneClientTests):
2333- def test_tenant_add_and_remove_user(self):
2334- raise nose.exc.SkipTest('Keystoneclient Essex 3 tests disabled.')
2335- client = self.get_client(admin=True)
2336- client.roles.add_user_to_tenant(tenant_id=self.tenant_baz['id'],
2337- user_id=self.user_foo['id'],
2338- role_id=self.role_useless['id'])
2339- role_refs = client.roles.get_user_role_refs(
2340- user_id=self.user_foo['id'])
2341- self.assert_(self.tenant_baz['id'] in [x.tenantId for x in role_refs])
2342-
2343- # get the "role_refs" so we get the proper id, this is how the clients
2344- # do it
2345- roleref_refs = client.roles.get_user_role_refs(
2346- user_id=self.user_foo['id'])
2347- for roleref_ref in roleref_refs:
2348- if (roleref_ref.roleId == self.role_useless['id']
2349- and roleref_ref.tenantId == self.tenant_baz['id']):
2350- # use python's scope fall through to leave roleref_ref set
2351- break
2352-
2353- client.roles.remove_user_from_tenant(tenant_id=self.tenant_baz['id'],
2354- user_id=self.user_foo['id'],
2355- role_id=roleref_ref.id)
2356-
2357- role_refs = client.roles.get_user_role_refs(
2358- user_id=self.user_foo['id'])
2359- self.assert_(self.tenant_baz['id'] not in
2360- [x.tenantId for x in role_refs])
2361-
2362- def test_roles_get_by_user(self):
2363- raise nose.exc.SkipTest('Keystoneclient Essex 3 tests disabled.')
2364- client = self.get_client(admin=True)
2365- roles = client.roles.get_user_role_refs(user_id='foo')
2366- self.assertTrue(len(roles) > 0)
2367-
2368- def test_role_list_404(self):
2369- raise nose.exc.SkipTest('N/A')
2370-
2371- def test_authenticate_and_delete_token(self):
2372- raise nose.exc.SkipTest('N/A')
2373-
2374- def test_user_create_update_delete(self):
2375- raise nose.exc.SkipTest('Keystoneclient Essex 3 tests disabled.')
2376- from keystoneclient import exceptions as client_exceptions
2377-
2378- test_username = 'new_user'
2379- client = self.get_client(admin=True)
2380- user = client.users.create(name=test_username,
2381- password='password',
2382- email='user1@test.com')
2383- self.assertEquals(user.name, test_username)
2384-
2385- user = client.users.get(user=user.id)
2386- self.assertEquals(user.name, test_username)
2387-
2388- user = client.users.update_email(user=user, email='user2@test.com')
2389- self.assertEquals(user.email, 'user2@test.com')
2390-
2391- # NOTE(termie): update_enabled doesn't return anything, probably a bug
2392- client.users.update_enabled(user=user, enabled=False)
2393- user = client.users.get(user.id)
2394- self.assertFalse(user.enabled)
2395-
2396- self.assertRaises(client_exceptions.Unauthorized,
2397- self._client,
2398- username=test_username,
2399- password='password')
2400- client.users.update_enabled(user, True)
2401-
2402- user = client.users.update_password(user=user, password='password2')
2403-
2404- self._client(username=test_username,
2405- password='password2')
2406-
2407- user = client.users.update_tenant(user=user, tenant='bar')
2408- # TODO(ja): once keystonelight supports default tenant
2409- # when you login without specifying tenant, the
2410- # token should be scoped to tenant 'bar'
2411-
2412- client.users.delete(user.id)
2413- self.assertRaises(client_exceptions.NotFound, client.users.get,
2414- user.id)
2415-
2416- def test_user_update_404(self):
2417- raise nose.exc.SkipTest('N/A')
2418-
2419- def test_endpoint_create_404(self):
2420- raise nose.exc.SkipTest('N/A')
2421-
2422- def test_endpoint_delete_404(self):
2423- raise nose.exc.SkipTest('N/A')
2424
2425=== removed directory '.pc/keystone-CVE-2012-5571.patch'
2426=== removed directory '.pc/keystone-CVE-2012-5571.patch/keystone'
2427=== removed directory '.pc/keystone-CVE-2012-5571.patch/keystone/contrib'
2428=== removed directory '.pc/keystone-CVE-2012-5571.patch/keystone/contrib/ec2'
2429=== removed file '.pc/keystone-CVE-2012-5571.patch/keystone/contrib/ec2/core.py'
2430--- .pc/keystone-CVE-2012-5571.patch/keystone/contrib/ec2/core.py 2012-11-26 14:07:34 +0000
2431+++ .pc/keystone-CVE-2012-5571.patch/keystone/contrib/ec2/core.py 1970-01-01 00:00:00 +0000
2432@@ -1,347 +0,0 @@
2433-# vim: tabstop=4 shiftwidth=4 softtabstop=4
2434-
2435-# Copyright 2012 OpenStack LLC
2436-#
2437-# Licensed under the Apache License, Version 2.0 (the "License"); you may
2438-# not use this file except in compliance with the License. You may obtain
2439-# a copy of the License at
2440-#
2441-# http://www.apache.org/licenses/LICENSE-2.0
2442-#
2443-# Unless required by applicable law or agreed to in writing, software
2444-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
2445-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
2446-# License for the specific language governing permissions and limitations
2447-# under the License.
2448-
2449-"""Main entry point into the EC2 Credentials service.
2450-
2451-This service allows the creation of access/secret credentials used for
2452-the ec2 interop layer of OpenStack.
2453-
2454-A user can create as many access/secret pairs, each of which map to a
2455-specific tenant. This is required because OpenStack supports a user
2456-belonging to multiple tenants, whereas the signatures created on ec2-style
2457-requests don't allow specification of which tenant the user wishs to act
2458-upon.
2459-
2460-To complete the cycle, we provide a method that OpenStack services can
2461-use to validate a signature and get a corresponding openstack token. This
2462-token allows method calls to other services within the context the
2463-access/secret was created. As an example, nova requests keystone to validate
2464-the signature of a request, receives a token, and then makes a request to
2465-glance to list images needed to perform the requested task.
2466-
2467-"""
2468-
2469-import uuid
2470-
2471-from keystone import catalog
2472-from keystone import config
2473-from keystone import exception
2474-from keystone import identity
2475-from keystone import policy
2476-from keystone import service
2477-from keystone import token
2478-from keystone.common import manager
2479-from keystone.common import utils
2480-from keystone.common import wsgi
2481-
2482-
2483-CONF = config.CONF
2484-
2485-
2486-class Manager(manager.Manager):
2487- """Default pivot point for the EC2 Credentials backend.
2488-
2489- See :mod:`keystone.common.manager.Manager` for more details on how this
2490- dynamically calls the backend.
2491-
2492- """
2493-
2494- def __init__(self):
2495- super(Manager, self).__init__(CONF.ec2.driver)
2496-
2497-
2498-class Ec2Extension(wsgi.ExtensionRouter):
2499- def add_routes(self, mapper):
2500- ec2_controller = Ec2Controller()
2501- # validation
2502- mapper.connect('/ec2tokens',
2503- controller=ec2_controller,
2504- action='authenticate',
2505- conditions=dict(method=['POST']))
2506-
2507- # crud
2508- mapper.connect('/users/{user_id}/credentials/OS-EC2',
2509- controller=ec2_controller,
2510- action='create_credential',
2511- conditions=dict(method=['POST']))
2512- mapper.connect('/users/{user_id}/credentials/OS-EC2',
2513- controller=ec2_controller,
2514- action='get_credentials',
2515- conditions=dict(method=['GET']))
2516- mapper.connect('/users/{user_id}/credentials/OS-EC2/{credential_id}',
2517- controller=ec2_controller,
2518- action='get_credential',
2519- conditions=dict(method=['GET']))
2520- mapper.connect('/users/{user_id}/credentials/OS-EC2/{credential_id}',
2521- controller=ec2_controller,
2522- action='delete_credential',
2523- conditions=dict(method=['DELETE']))
2524-
2525-
2526-class Ec2Controller(wsgi.Application):
2527- def __init__(self):
2528- self.catalog_api = catalog.Manager()
2529- self.identity_api = identity.Manager()
2530- self.token_api = token.Manager()
2531- self.policy_api = policy.Manager()
2532- self.ec2_api = Manager()
2533- super(Ec2Controller, self).__init__()
2534-
2535- def check_signature(self, creds_ref, credentials):
2536- signer = utils.Ec2Signer(creds_ref['secret'])
2537- signature = signer.generate(credentials)
2538- if utils.auth_str_equal(credentials['signature'], signature):
2539- return
2540- # NOTE(vish): Some libraries don't use the port when signing
2541- # requests, so try again without port.
2542- elif ':' in credentials['signature']:
2543- hostname, _port = credentials['host'].split(':')
2544- credentials['host'] = hostname
2545- signature = signer.generate(credentials)
2546- if not utils.auth_str_equal(credentials.signature, signature):
2547- raise exception.Unauthorized(message='Invalid EC2 signature.')
2548- else:
2549- raise exception.Unauthorized(message='EC2 signature not supplied.')
2550-
2551- def authenticate(self, context, credentials=None,
2552- ec2Credentials=None):
2553- """Validate a signed EC2 request and provide a token.
2554-
2555- Other services (such as Nova) use this **admin** call to determine
2556- if a request they signed received is from a valid user.
2557-
2558- If it is a valid signature, an openstack token that maps
2559- to the user/tenant is returned to the caller, along with
2560- all the other details returned from a normal token validation
2561- call.
2562-
2563- The returned token is useful for making calls to other
2564- OpenStack services within the context of the request.
2565-
2566- :param context: standard context
2567- :param credentials: dict of ec2 signature
2568- :param ec2Credentials: DEPRECATED dict of ec2 signature
2569- :returns: token: openstack token equivalent to access key along
2570- with the corresponding service catalog and roles
2571- """
2572-
2573- # FIXME(ja): validate that a service token was used!
2574-
2575- # NOTE(termie): backwards compat hack
2576- if not credentials and ec2Credentials:
2577- credentials = ec2Credentials
2578-
2579- if not 'access' in credentials:
2580- raise exception.Unauthorized(message='EC2 signature not supplied.')
2581-
2582- creds_ref = self._get_credentials(context,
2583- credentials['access'])
2584- self.check_signature(creds_ref, credentials)
2585-
2586- # TODO(termie): don't create new tokens every time
2587- # TODO(termie): this is copied from TokenController.authenticate
2588- token_id = uuid.uuid4().hex
2589- tenant_ref = self.identity_api.get_tenant(
2590- context=context,
2591- tenant_id=creds_ref['tenant_id'])
2592- user_ref = self.identity_api.get_user(
2593- context=context,
2594- user_id=creds_ref['user_id'])
2595- metadata_ref = self.identity_api.get_metadata(
2596- context=context,
2597- user_id=user_ref['id'],
2598- tenant_id=tenant_ref['id'])
2599- catalog_ref = self.catalog_api.get_catalog(
2600- context=context,
2601- user_id=user_ref['id'],
2602- tenant_id=tenant_ref['id'],
2603- metadata=metadata_ref)
2604-
2605- token_ref = self.token_api.create_token(
2606- context, token_id, dict(id=token_id,
2607- user=user_ref,
2608- tenant=tenant_ref,
2609- metadata=metadata_ref))
2610-
2611- # TODO(termie): optimize this call at some point and put it into the
2612- # the return for metadata
2613- # fill out the roles in the metadata
2614- roles_ref = []
2615- for role_id in metadata_ref.get('roles', []):
2616- roles_ref.append(self.identity_api.get_role(context, role_id))
2617-
2618- # TODO(termie): make this a util function or something
2619- # TODO(termie): i don't think the ec2 middleware currently expects a
2620- # full return, but it contains a note saying that it
2621- # would be better to expect a full return
2622- token_controller = service.TokenController()
2623- return token_controller._format_authenticate(
2624- token_ref, roles_ref, catalog_ref)
2625-
2626- def create_credential(self, context, user_id, tenant_id):
2627- """Create a secret/access pair for use with ec2 style auth.
2628-
2629- Generates a new set of credentials that map the the user/tenant
2630- pair.
2631-
2632- :param context: standard context
2633- :param user_id: id of user
2634- :param tenant_id: id of tenant
2635- :returns: credential: dict of ec2 credential
2636- """
2637- if not self._is_admin(context):
2638- self._assert_identity(context, user_id)
2639-
2640- self._assert_valid_user_id(context, user_id)
2641- self._assert_valid_tenant_id(context, tenant_id)
2642-
2643- cred_ref = {'user_id': user_id,
2644- 'tenant_id': tenant_id,
2645- 'access': uuid.uuid4().hex,
2646- 'secret': uuid.uuid4().hex}
2647- self.ec2_api.create_credential(context, cred_ref['access'], cred_ref)
2648- return {'credential': cred_ref}
2649-
2650- def get_credentials(self, context, user_id):
2651- """List all credentials for a user.
2652-
2653- :param context: standard context
2654- :param user_id: id of user
2655- :returns: credentials: list of ec2 credential dicts
2656- """
2657- if not self._is_admin(context):
2658- self._assert_identity(context, user_id)
2659- self._assert_valid_user_id(context, user_id)
2660- return {'credentials': self.ec2_api.list_credentials(context, user_id)}
2661-
2662- def get_credential(self, context, user_id, credential_id):
2663- """Retreive a user's access/secret pair by the access key.
2664-
2665- Grab the full access/secret pair for a given access key.
2666-
2667- :param context: standard context
2668- :param user_id: id of user
2669- :param credential_id: access key for credentials
2670- :returns: credential: dict of ec2 credential
2671- """
2672- if not self._is_admin(context):
2673- self._assert_identity(context, user_id)
2674- self._assert_valid_user_id(context, user_id)
2675- creds = self._get_credentials(context, credential_id)
2676- return {'credential': creds}
2677-
2678- def delete_credential(self, context, user_id, credential_id):
2679- """Delete a user's access/secret pair.
2680-
2681- Used to revoke a user's access/secret pair
2682-
2683- :param context: standard context
2684- :param user_id: id of user
2685- :param credential_id: access key for credentials
2686- :returns: bool: success
2687- """
2688- if not self._is_admin(context):
2689- self._assert_identity(context, user_id)
2690- self._assert_owner(context, user_id, credential_id)
2691-
2692- self._assert_valid_user_id(context, user_id)
2693- self._get_credentials(context, credential_id)
2694- return self.ec2_api.delete_credential(context, credential_id)
2695-
2696- def _get_credentials(self, context, credential_id):
2697- """Return credentials from an ID.
2698-
2699- :param context: standard context
2700- :param credential_id: id of credential
2701- :raises exception.Unauthorized: when credential id is invalid
2702- :returns: credential: dict of ec2 credential.
2703- """
2704- creds = self.ec2_api.get_credential(context,
2705- credential_id)
2706- if not creds:
2707- raise exception.Unauthorized(message='EC2 access key not found.')
2708- return creds
2709-
2710- def _assert_identity(self, context, user_id):
2711- """Check that the provided token belongs to the user.
2712-
2713- :param context: standard context
2714- :param user_id: id of user
2715- :raises exception.Forbidden: when token is invalid
2716-
2717- """
2718- try:
2719- token_ref = self.token_api.get_token(context=context,
2720- token_id=context['token_id'])
2721- except exception.TokenNotFound:
2722- raise exception.Unauthorized()
2723- token_user_id = token_ref['user'].get('id')
2724- if not token_user_id == user_id:
2725- raise exception.Forbidden()
2726-
2727- def _is_admin(self, context):
2728- """Wrap admin assertion error return statement.
2729-
2730- :param context: standard context
2731- :returns: bool: success
2732-
2733- """
2734- try:
2735- self.assert_admin(context)
2736- return True
2737- except exception.Forbidden:
2738- return False
2739-
2740- def _assert_owner(self, context, user_id, credential_id):
2741- """Ensure the provided user owns the credential.
2742-
2743- :param context: standard context
2744- :param user_id: expected credential owner
2745- :param credential_id: id of credential object
2746- :raises exception.Forbidden: on failure
2747-
2748- """
2749- cred_ref = self.ec2_api.get_credential(context, credential_id)
2750- if not user_id == cred_ref['user_id']:
2751- raise exception.Forbidden()
2752-
2753- def _assert_valid_user_id(self, context, user_id):
2754- """Ensure a valid user id.
2755-
2756- :param context: standard context
2757- :param user_id: expected credential owner
2758- :raises exception.UserNotFound: on failure
2759-
2760- """
2761- user_ref = self.identity_api.get_user(
2762- context=context,
2763- user_id=user_id)
2764- if not user_ref:
2765- raise exception.UserNotFound(user_id=user_id)
2766-
2767- def _assert_valid_tenant_id(self, context, tenant_id):
2768- """Ensure a valid tenant id.
2769-
2770- :param context: standard context
2771- :param user_id: expected credential owner
2772- :raises exception.UserNotFound: on failure
2773-
2774- """
2775- tenant_ref = self.identity_api.get_tenant(
2776- context=context,
2777- tenant_id=tenant_id)
2778- if not tenant_ref:
2779- raise exception.TenantNotFound(tenant_id=tenant_id)
2780
2781=== added file 'ChangeLog'
2782--- ChangeLog 1970-01-01 00:00:00 +0000
2783+++ ChangeLog 2012-12-18 13:48:25 +0000
2784@@ -0,0 +1,29735 @@
2785+commit c17a9992c8a94c7728bd762115874f125c0905b7
2786+Merge: 025b1d5 8735009
2787+Author: Jenkins <jenkins@review.openstack.org>
2788+Date: Thu Nov 22 19:41:20 2012 +0000
2789+
2790+ Merge "Ensures User is member of tenant in ec2 validation" into stable/essex
2791+
2792+commit 025b1d52e61fff4dff913fc58d0de81712b808b6
2793+Author: Ionuț Arțăriși <iartarisi@suse.cz>
2794+Date: Wed Oct 31 14:32:04 2012 +0100
2795+
2796+ pin sqlalchemy to 0.7
2797+
2798+ sqlalchemy 0.8.0b1 breaks some dependencies such as sqlalchemy-migrate, pin the version until we fix them
2799+
2800+ Essex backport note: lower bound is not defined, Essex is known to work
2801+ with older sqlalchemy versions e.g. precise has 0.7.4
2802+
2803+ Fixes bug #1073569
2804+
2805+ Change-Id: I6620276bf8f0a7cbc1d51aa226cd33c512e59a48
2806+
2807+ tools/pip-requires | 4 ++--
2808+ 1 file changed, 2 insertions(+), 2 deletions(-)
2809+
2810+commit 8735009dc5b895db265a1cd573f39f4acfca2a19
2811+Author: Vishvananda Ishaya <vishvananda@gmail.com>
2812+Date: Tue Nov 13 15:49:19 2012 -0800
2813+
2814+ Ensures User is member of tenant in ec2 validation
2815+
2816+ It is possible that a user is no longer a member of a tenant when
2817+ they attempt to use an ec2 token. This checks to make sure that
2818+ the user still has at least one valid role in the tenant before
2819+ authenticating them. This should automatically work for the s3
2820+ version as well since it is a subclass.
2821+
2822+ Fixes bug 1064914
2823+
2824+ Change-Id: Ieb237bae936a7b00ce7ba4d4c59aec6c7a69ec21
2825+
2826+ keystone/contrib/ec2/core.py | 23 +++++++++++++----------
2827+ 1 file changed, 13 insertions(+), 10 deletions(-)
2828+
2829+commit ddb40198c9323ff8dc82a44a72e456a7bfe736b8
2830+Author: Mark McLoughlin <markmc@redhat.com>
2831+Date: Thu Oct 11 20:44:32 2012 +0100
2832+
2833+ Open 2012.1.4 development
2834+
2835+ Bump version to 2012.1.4 to formally open development after the release
2836+ of 2012.1.3.
2837+
2838+ See http://wiki.openstack.org/StableBranchRelease
2839+
2840+ Note - 2012.1.3 is expected to be the final official release of Essex.
2841+
2842+ Change-Id: I0de6fae1495deab60bd667e4653210b22b994b39
2843+
2844+ setup.py | 2 +-
2845+ 1 file changed, 1 insertion(+), 1 deletion(-)
2846+
2847+commit 0e1f05e7a851f5fb72742e4d3e4978d76fe23b55
2848+Author: Dolph Mathews <dolph.mathews@gmail.com>
2849+Date: Tue Sep 25 19:04:50 2012 +0000
2850+
2851+ utf-8 encode user keys in memcache (bug 1056373)
2852+
2853+ (cherry picked from commit 431e50a7851d2e7dbb212d02647faeb958ed21e8)
2854+
2855+ Change-Id: I026dd4282742213e69c7aa02e109439b07a73c8e
2856+
2857+ keystone/token/backends/memcache.py | 8 ++++++--
2858+ tests/test_backend_memcache.py | 14 +++++++++++++-
2859+ 2 files changed, 19 insertions(+), 3 deletions(-)
2860+
2861+commit 176ee9bce7557937710c8ec8086ff61cc751cf0f
2862+Author: Dolph Mathews <dolph.mathews@gmail.com>
2863+Date: Thu Sep 13 11:59:11 2012 -0500
2864+
2865+ Limit token revocation to tenant (bug 1050025)
2866+
2867+ Change-Id: I7ebe0192b4900ad9475119a6d582233b37b31fb4
2868+
2869+ keystone/identity/core.py | 8 ++++----
2870+ keystone/token/backends/kvs.py | 15 ++++++++++-----
2871+ keystone/token/backends/memcache.py | 11 ++++++++---
2872+ keystone/token/backends/sql.py | 7 ++++++-
2873+ keystone/token/core.py | 16 +++++++++++-----
2874+ tests/test_backend.py | 22 +++++++++++++++++++++-
2875+ 6 files changed, 60 insertions(+), 19 deletions(-)
2876+
2877+commit 58ac6691a21675be9e2ffb0f84a05fc3cd4d2e2e
2878+Author: Dolph Mathews <dolph.mathews@gmail.com>
2879+Date: Fri Sep 7 14:55:31 2012 -0500
2880+
2881+ Delete user tokens after role grant/revoke
2882+
2883+ Delete user tokens when a new role is granted or revoked, in order to
2884+ prevent old tokens to continue to be valid for the original set of
2885+ roles for the remainder of the token's lifespan.
2886+
2887+ Addresses CVE-2012-4413.
2888+ Fixes bug 1041396.
2889+
2890+ Change-Id: Ib11b5b3a933c6000afe0c875c3f71f1f101bb202
2891+
2892+ keystone/identity/core.py | 7 ++++++-
2893+ keystone/token/core.py | 11 +++++++++++
2894+ tests/test_keystoneclient.py | 18 +++++++++---------
2895+ 3 files changed, 26 insertions(+), 10 deletions(-)
2896+
2897+commit cd1e48a7d60497c528af6d311bd5048821dc1c07
2898+Author: Adam Young <ayoung@redhat.com>
2899+Date: Thu Sep 6 11:54:04 2012 -0400
2900+
2901+ List tokens for memcached backend
2902+
2903+ Creates and updates an index of tokens in a memcache entry keyed
2904+ by the user id
2905+
2906+ Bug 1046905
2907+
2908+ Change-Id: I114810297009331f491dc069d667f358092f1e34
2909+
2910+ keystone/token/backends/memcache.py | 23 +++++++++++++++++++-
2911+ tests/test_backend.py | 41 ++++++++++++++++++++++++++++++-----
2912+ tests/test_backend_memcache.py | 17 ++++++++++++---
2913+ 3 files changed, 72 insertions(+), 9 deletions(-)
2914+
2915+commit 5438d3b5a219d7c8fa67e66e538d325a61617155
2916+Author: Dolph Mathews <dolph.mathews@gmail.com>
2917+Date: Thu Aug 23 07:39:20 2012 -0500
2918+
2919+ Require authz to update user's tenant (bug 1040626)
2920+
2921+ Change-Id: I82f80b84af2bc4db00b3dcb87a2ec338816a82e9
2922+
2923+ keystone/identity/core.py | 1 +
2924+ 1 file changed, 1 insertion(+)
2925+
2926+commit a16a0ab997c3a406da2ccf0005534d5f9d81861f
2927+Merge: a130848 ff6df7c
2928+Author: Jenkins <jenkins@review.openstack.org>
2929+Date: Thu Aug 23 06:17:45 2012 +0000
2930+
2931+ Merge "Returning roles from authenticate in ldap backend" into stable/essex
2932+
2933+commit ff6df7cdbeaed6a8784955ba866332ec5f082ad5
2934+Author: Ryan Lane <rlane@wikimedia.org>
2935+Date: Thu Jul 26 11:41:16 2012 -0700
2936+
2937+ Returning roles from authenticate in ldap backend
2938+
2939+ Without this fix, the LDAP backend doesn't return
2940+ roles during the authentication phase.
2941+
2942+ lp 1035428
2943+
2944+ Change-Id: Ibd7e5a8f5475b56a4d3063c85ab634e4c0614e7e
2945+
2946+ AUTHORS | 1 +
2947+ keystone/identity/backends/ldap/core.py | 24 +++++++++++++++---------
2948+ tests/test_backend.py | 10 ++++++++++
2949+ 3 files changed, 26 insertions(+), 9 deletions(-)
2950+
2951+commit a130848c71f1bc65dcf98c085dee0c4796748faa
2952+Author: Adam Young <ayoung@redhat.com>
2953+Date: Thu Jul 26 15:30:39 2012 -0400
2954+
2955+ Allow overloading of username and tenant name in the config files.
2956+
2957+ Includes documentation and sample config file values.
2958+
2959+ Bug 997700
2960+
2961+ Patchset adds DocImpact flag for notifying doc team about these new
2962+ config file values.
2963+
2964+ (cherry picked from commit 4f3dcb6c9b23867e6049f24c851b12904aee3b76)
2965+
2966+ Conflicts:
2967+
2968+ etc/keystone.conf.sample
2969+ keystone/config.py
2970+
2971+ Change-Id: I94a162be07c224c705333804a53910833df96b8e
2972+
2973+ doc/source/configuration.rst | 13 +++++++++++++
2974+ keystone/config.py | 2 ++
2975+ keystone/identity/backends/ldap/core.py | 2 ++
2976+ 3 files changed, 17 insertions(+)
2977+
2978+commit 359c426f3009b6088efc364c035d104b089eb37a
2979+Author: Mark McLoughlin <markmc@redhat.com>
2980+Date: Fri Aug 10 06:54:48 2012 +0100
2981+
2982+ Open 2012.1.3 development
2983+
2984+ Bump version to 2012.1.3 to formally open development of the next
2985+ Essex stable update release.
2986+
2987+ See http://wiki.openstack.org/StableBranchRelease
2988+
2989+ Change-Id: Ie3a82ed9b26d25a83b284d57e3d58ab6f4c31b30
2990+
2991+ setup.py | 2 +-
2992+ 1 file changed, 1 insertion(+), 1 deletion(-)
2993+
2994+commit afc37aeb10638807c9839fcc6f403b34029662a5
2995+Author: Mark McLoughlin <markmc@redhat.com>
2996+Date: Wed Aug 8 00:45:22 2012 +0100
2997+
2998+ Open 2012.1.2 development
2999+
3000+ Bump version to 2012.1.2 to formally open development of the next
3001+ Essex stable update release.
3002+
3003+ See http://wiki.openstack.org/StableBranchRelease
3004+
3005+ Change-Id: Id20de09f981f5389afbb9622ade9de7d4f3fd015
3006+
3007+ setup.py | 2 +-
3008+ 1 file changed, 1 insertion(+), 1 deletion(-)
3009+
3010+commit f65604db7b504709fcb9aba2bcfd34a2aebffed3
3011+Merge: 46b3722 5373601
3012+Author: Jenkins <jenkins@review.openstack.org>
3013+Date: Tue Jul 31 10:31:57 2012 +0000
3014+
3015+ Merge "Raise unauthorized if tenant disabled (bug 988920)" into stable/essex
3016+
3017+commit 46b3722245283858017cf4df83e2e1ca2311211d
3018+Merge: d56a3fb 708c80e
3019+Author: Jenkins <jenkins@review.openstack.org>
3020+Date: Mon Jul 30 16:11:58 2012 +0000
3021+
3022+ Merge "fix variable names to coincide with the ones in common.ldap" into stable/essex
3023+
3024+commit 5373601bbdda10f879c08af1698852142b75f8d5
3025+Author: Dolph Mathews <dolph.mathews@gmail.com>
3026+Date: Mon Jul 16 16:08:32 2012 -0500
3027+
3028+ Raise unauthorized if tenant disabled (bug 988920)
3029+
3030+ If the client attempts to explicitly authenticate against a disabled
3031+ tenant, keystone should return HTTP 401 Unauthorized.
3032+
3033+ Change-Id: I49fe56b6ef8d9f2fc6b9357472dae8964bb9cb9c
3034+
3035+ keystone/service.py | 11 ++++++++++
3036+ tests/test_keystoneclient.py | 47 ++++++++++++++++++++++++++++++++++++++++++
3037+ 2 files changed, 58 insertions(+)
3038+
3039+commit d56a3fb026268e87bdd54b862be388d69d5a1266
3040+Author: Dmitry Khovyakov <dkhovyakov@griddynamics.com>
3041+Date: Wed Jul 11 14:17:46 2012 +0300
3042+
3043+ Import ec2 credentials from old keystone db
3044+
3045+ Fix bug #1016056
3046+
3047+ Change-Id: Iebf31ccbdeff274b2c8f265911d3411963dd4844
3048+
3049+ AUTHORS | 1 +
3050+ keystone/common/sql/legacy.py | 19 +++++++++++++++++++
3051+ 2 files changed, 20 insertions(+)
3052+
3053+commit 0b95c3cf66659a828de055b8d026c11e333cd8c8
3054+Author: J. Daniel Schmidt <jdsn@suse.de>
3055+Date: Thu Jul 12 11:22:33 2012 +0200
3056+
3057+ cleanup dependent data upon user/tenant deletion
3058+
3059+ fixes bug 974199
3060+ fixes bug 973243
3061+
3062+ * upon deletion of tenant also delete user tenant relations
3063+ * upon deletion of tenant or user also delete corresponding metadata
3064+ * add foreign keys in metadata to ensure consistency
3065+
3066+ see also: https://bugs.launchpad.net/keystone/+bug/959294/comments/16
3067+
3068+ Change-Id: I264714fe82b727e3e0f5273bcb781a580a3f3826
3069+
3070+ AUTHORS | 1 +
3071+ keystone/identity/backends/sql.py | 21 +++++++++++++++++++++
3072+ tests/test_backend_sql.py | 35 +++++++++++++++++++++++++++++++++++
3073+ 3 files changed, 57 insertions(+)
3074+
3075+commit 708c80ea8e4ca1897b6815b559ad9437b36448ef
3076+Author: Ionuț Arțăriși <iartarisi@suse.cz>
3077+Date: Fri Jun 29 13:02:26 2012 +0200
3078+
3079+ fix variable names to coincide with the ones in common.ldap
3080+
3081+ Change-Id: I148d8d9b0a67b8c45d06227829d0105935216c4d
3082+
3083+ keystone/identity/backends/ldap/core.py | 6 +++---
3084+ 1 file changed, 3 insertions(+), 3 deletions(-)
3085+
3086+commit f1762e6d81be38fc6f9b3e12735a868896ce931d
3087+Merge: d111d54 14b136a
3088+Author: Jenkins <jenkins@review.openstack.org>
3089+Date: Thu Jul 5 16:04:40 2012 +0000
3090+
3091+ Merge "Require authz for user role list (bug 1006815)" into stable/essex
3092+
3093+commit d111d548767bfed1d2c892e7bb443155c166fdc5
3094+Merge: 1428278 24df3ad
3095+Author: Jenkins <jenkins@review.openstack.org>
3096+Date: Thu Jul 5 15:43:54 2012 +0000
3097+
3098+ Merge "Require authz for service CRUD (bug 1006822)" into stable/essex
3099+
3100+commit 1428278b6202b7cb285f9e1bb278f894c05d31b0
3101+Merge: d8dbdbc 707b725
3102+Author: Jenkins <jenkins@review.openstack.org>
3103+Date: Thu Jun 28 14:16:31 2012 +0000
3104+
3105+ Merge "Set defaultbranch in .gitreview to stable/essex" into stable/essex
3106+
3107+commit d8dbdbced061fa4a4e42ec33c4b7e7752b0ebc04
3108+Author: Rafael Durán Castañeda <rafadurancastaneda@gmail.com>
3109+Date: Tue Jun 19 20:35:43 2012 +0200
3110+
3111+ Monkey patching 'thread'.
3112+
3113+ Fixes bug 1012381.
3114+
3115+ Change-Id: Icb7b2372df96d647fc6dcd4c4ebe72c8aa607f9d
3116+
3117+ AUTHORS | 1 +
3118+ keystone/common/wsgi.py | 2 +-
3119+ 2 files changed, 2 insertions(+), 1 deletion(-)
3120+
3121+commit 14b136aed9d988f5a8f3e699bd4577c9b874d6c1
3122+Author: Dolph Mathews <dolph.mathews@gmail.com>
3123+Date: Sun Jun 3 12:24:07 2012 -0500
3124+
3125+ Require authz for user role list (bug 1006815)
3126+
3127+ Change-Id: I65f25dcca3e265f44746930917434b45e64de15e
3128+
3129+ keystone/identity/core.py | 1 +
3130+ tests/test_content_types.py | 11 +++++++++++
3131+ 2 files changed, 12 insertions(+)
3132+
3133+commit 24df3adb3f50cbb5ada411bc67aba8a781e6a431
3134+Author: Dolph Mathews <dolph.mathews@gmail.com>
3135+Date: Sun Jun 3 11:00:54 2012 -0500
3136+
3137+ Require authz for service CRUD (bug 1006822)
3138+
3139+ Change-Id: Ia90f0aa2b856b9a9874d4865fb92ee913e8125c5
3140+
3141+ keystone/catalog/core.py | 7 +++++++
3142+ tests/test_content_types.py | 33 +++++++++++++++++++++++++++++++++
3143+ 2 files changed, 40 insertions(+)
3144+
3145+commit 707b7259f9772e5f498990297c65b68116bdc3c1
3146+Author: Mark McLoughlin <markmc@redhat.com>
3147+Date: Fri Jun 22 21:16:26 2012 +0100
3148+
3149+ Set defaultbranch in .gitreview to stable/essex
3150+
3151+ This allows people run git-review without any arguments.
3152+
3153+ Change-Id: I3f1c7ce22cbe40ed34f084fd3dbc0941ba787bcf
3154+
3155+ .gitreview | 2 ++
3156+ 1 file changed, 2 insertions(+)
3157+
3158+commit 29e74e73a6e51cffc0371b32354558391826a4aa
3159+Author: Derek Higgins <derekh@redhat.com>
3160+Date: Tue Jun 5 09:33:53 2012 +0100
3161+
3162+ Carrying over token expiry time when token chaining
3163+
3164+ Fixes bug #998185
3165+
3166+ This commit causes the token expiry time to be maintained when
3167+ one token is being created from another
3168+
3169+ Change-Id: I7b61692a60d9227423b93c267864a5abe939ca33
3170+
3171+ keystone/service.py | 3 ++-
3172+ tests/test_keystoneclient.py | 12 ++++++++++++
3173+ 2 files changed, 14 insertions(+), 1 deletion(-)
3174+
3175+commit 9a841f3ba93d5a0bd1f56cc897415258ed6cf877
3176+Merge: 35d5ebd d960043
3177+Author: Jenkins <jenkins@review.openstack.org>
3178+Date: Thu Jun 14 19:56:21 2012 +0000
3179+
3180+ Merge "Invalidate user tokens when a user is disabled" into stable/essex
3181+
3182+commit 35d5ebd54e02e4b79515e882506f0a518548d273
3183+Merge: 9695b86 ea03d05
3184+Author: Jenkins <jenkins@review.openstack.org>
3185+Date: Thu Jun 14 16:58:30 2012 +0000
3186+
3187+ Merge "Invalidate user tokens when password is changed" into stable/essex
3188+
3189+commit 9695b8681801f3624b8f40dc06797aa171b5f30d
3190+Merge: 0dcfe7e f70505c
3191+Author: Jenkins <jenkins@review.openstack.org>
3192+Date: Thu Jun 14 16:15:39 2012 +0000
3193+
3194+ Merge "Fix expired token tests" into stable/essex
3195+
3196+commit 0dcfe7ec2df5a45271847914997cbba92fdda330
3197+Merge: 18513c3 4265499
3198+Author: Jenkins <jenkins@review.openstack.org>
3199+Date: Thu Jun 14 15:42:01 2012 +0000
3200+
3201+ Merge "Corrects url conversion in export_legacy_catalog" into stable/essex
3202+
3203+commit d9600434da14976463a0bd03abd8e0309f0db454
3204+Author: Derek Higgins <derekh@redhat.com>
3205+Date: Fri May 11 13:42:43 2012 +0100
3206+
3207+ Invalidate user tokens when a user is disabled
3208+
3209+ Fixes Bug 997194
3210+
3211+ Delete valid tokens for a user when they have been disabled
3212+
3213+ Moved logic to delete tokens into update_user, as this can be called
3214+ directly form the REST API.
3215+
3216+ Also checks if a user is enabled when creating a token from another
3217+ token, this helps in cases there the backend didn't support listing of
3218+ tokens (and as a result weren't deleted)
3219+
3220+ Change-Id: Ib5ed73a7873bfa66ef31bf6d0f0322f50e677688
3221+
3222+ keystone/identity/core.py | 22 ++++++++++++----------
3223+ keystone/service.py | 14 +++++++++++++-
3224+ tests/test_keystoneclient.py | 21 +++++++++++++++++++--
3225+ 3 files changed, 44 insertions(+), 13 deletions(-)
3226+
3227+commit ea03d05ed5de0c015042876100d37a6a14bf56de
3228+Author: Derek Higgins <derekh@redhat.com>
3229+Date: Wed May 9 15:55:46 2012 +0100
3230+
3231+ Invalidate user tokens when password is changed
3232+
3233+ Fixes bug 996595
3234+
3235+ This commit will cause all valid tokens to be deleted for a user
3236+ who's password is changed (implemented for the sql and kvs backends)
3237+
3238+ Change-Id: I6ad7da8957b7041983a3fc91d9ba9368667d06ac
3239+
3240+ AUTHORS | 1 +
3241+ keystone/identity/core.py | 14 +++++++++++++-
3242+ keystone/token/backends/kvs.py | 15 +++++++++++++++
3243+ keystone/token/backends/sql.py | 14 ++++++++++++++
3244+ keystone/token/core.py | 10 ++++++++++
3245+ tests/test_keystoneclient.py | 23 +++++++++++++++++++++++
3246+ 6 files changed, 76 insertions(+), 1 deletion(-)
3247+
3248+commit 18513c36e63ee2da417f1125cfa05ea9d525b6ee
3249+Author: Mark McLoughlin <markmc@redhat.com>
3250+Date: Thu Jun 14 10:59:33 2012 +0100
3251+
3252+ Open 2012.1.1 development
3253+
3254+ Bump version to 2012.1.1 to formally open development of the next
3255+ Essex stable update release.
3256+
3257+ See http://wiki.openstack.org/StableBranchRelease
3258+
3259+ Change-Id: I845e8abca87751bbe4ebfa9414add247f2afdc1f
3260+
3261+ setup.py | 2 +-
3262+ 1 file changed, 1 insertion(+), 1 deletion(-)
3263+
3264+commit f70505ced12ae7319dedaf75bedb964c7469c6dd
3265+Author: Mark McLoughlin <markmc@redhat.com>
3266+Date: Tue Apr 10 13:35:30 2012 +0100
3267+
3268+ Fix expired token tests
3269+
3270+ Fixes bug #983800
3271+
3272+ The expiration timestamps are expressed in UTC time, so ensure:
3273+
3274+ 1) The timestamp of the token created by the test is UTC time (i.e.
3275+ utcnow() vs now())
3276+
3277+ 2) The expiration check in the dummy memcache client properly
3278+ accounts for UTC (i.e. utctimetuple() vs timetuple())
3279+
3280+ Change-Id: Ie7356456f79ab5a8070a79771bb7d210b1cedd47
3281+
3282+ tests/test_backend.py | 2 +-
3283+ tests/test_backend_memcache.py | 2 +-
3284+ 2 files changed, 2 insertions(+), 2 deletions(-)
3285+
3286+commit aa7e7b96e7bd05819c899906091b9121385dc125
3287+Author: Dan Prince <dprince@redhat.com>
3288+Date: Wed Apr 11 10:57:56 2012 -0400
3289+
3290+ Add ChangeLog to tarball.
3291+
3292+ Fixes LP Bug #978981.
3293+
3294+ Change-Id: I5b98df88673422cfc39c471fd77eecd77fa0cf2c
3295+
3296+ MANIFEST.in | 1 +
3297+ 1 file changed, 1 insertion(+)
3298+
3299+commit d0a73669369d86ff4c7b9de715fa4eec9bc58b59
3300+Author: Adam Gandelman <adamg@canonical.com>
3301+Date: Mon Jun 11 10:35:16 2012 -0700
3302+
3303+ Flush tenant membership deletion before user
3304+
3305+ Ensure user tenant membership is *actually* removed before deleting
3306+ user.
3307+
3308+ Applied to 'stable/essex', originally committed to trunk via
3309+ https://review.openstack.org/#/c/7353/
3310+
3311+ Fixes bug 998137.
3312+
3313+ Change-Id: Ib52970d68f288b8742c3e060c7040838a1c738c2
3314+
3315+ keystone/identity/backends/sql.py | 1 +
3316+ 1 file changed, 1 insertion(+)
3317+
3318+commit 426549934e323a9bc435b9ec58163e88f5e74a32
3319+Author: Sam Morrison <sorrison@gmail.com>
3320+Date: Mon May 7 09:09:57 2012 +1000
3321+
3322+ Corrects url conversion in export_legacy_catalog
3323+
3324+ Fixes bug 994936
3325+
3326+ Change-Id: Ia63fdae7d0bcd7f8b0b587da588404765e22fb8f
3327+
3328+ AUTHORS | 1 +
3329+ keystone/common/sql/legacy.py | 2 +-
3330+ tests/test_import_legacy.py | 2 +-
3331+ 3 files changed, 3 insertions(+), 2 deletions(-)
3332+
3333+commit 7715d6cd72477af83d95563b69a5f0273bdb719b
3334+Author: Alan Pevec <apevec@redhat.com>
3335+Date: Mon Jun 11 20:19:50 2012 +0200
3336+
3337+ Fix test env for the stable branch
3338+
3339+ Need both changes in one commit to pass the gate!
3340+
3341+ * Nail pep8 dependencies to 1.0.1.
3342+
3343+ Nails the pep8 deps for tox and test-requires to 1.0.1.
3344+ Fixes an issues causing pep8 failures due to a new pep8 release.
3345+
3346+ (cherry picked from Nova stable)
3347+
3348+ * Switch to 1000 rounds during unit tests
3349+
3350+ Fixes bug 992918
3351+
3352+ passlib 1.6 introduced a minimum number of rounds for sha512_crypt. As
3353+ a result, increase the rounds used during testing to the minimum
3354+
3355+ Change-Id: Ic0c635e92b4f13180a047904a6efa490ab599012
3356+
3357+ tests/test_overrides.conf | 2 +-
3358+ tools/test-requires | 2 +-
3359+ tox.ini | 2 +-
3360+ 3 files changed, 3 insertions(+), 3 deletions(-)
3361+
3362+commit aff45d69a73033241531f5e3542a8d1782ddd859
3363+Author: Mark McLoughlin <markmc@redhat.com>
3364+Date: Fri Mar 30 12:17:48 2012 +0100
3365+
3366+ Make import_nova_auth only create roles which don't already exist
3367+
3368+ Fixes bug #969088
3369+
3370+ If a role already exists, there's no particular need for import_nova_auth
3371+ to barf. Instead, we should just use the existing role.
3372+
3373+ Change-Id: I18ae38af62b4c2b2423e20e436611fc30f844ae1
3374+
3375+ keystone/common/sql/nova.py | 5 ++++-
3376+ tests/test_migrate_nova_auth.py | 9 +++++++++
3377+ 2 files changed, 13 insertions(+), 1 deletion(-)
3378+
3379+commit 7d08d12cea96910145f05499ba7d124603d7c4f6
3380+Author: Adam Gandelman <adamg@canonical.com>
3381+Date: Mon Apr 2 14:21:43 2012 -0700
3382+
3383+ Remove tenant membership during user deletion
3384+
3385+ Remove users' tenant membership on user deletion. Resolves a FK constraint
3386+ issue that previously went unnoticed due to testing against database
3387+ configurations that do not support FK constraints (MyISAM).
3388+
3389+ Fixes LP bug 959294.
3390+
3391+ Update: * Move tenant membership cleanup to the sql identity backend
3392+ * Add a test case to test_backend_sql
3393+
3394+ Change-Id: Ib4f5da03033f7886b36d1ab3b8b4ac37f08b2e0e
3395+
3396+ keystone/identity/backends/sql.py | 8 ++++++++
3397+ tests/test_backend_sql.py | 11 +++++++++++
3398+ 2 files changed, 19 insertions(+)
3399+
3400+commit aa542c420aa283968a0154a29038ec0bb1be9326
3401+Author: Chmouel Boudjnah <chmouel@chmouel.com>
3402+Date: Mon Apr 2 17:15:47 2012 +0200
3403+
3404+ Add a _ at the end of reseller_prefix default.
3405+
3406+ - Fixes bug 971592.
3407+
3408+ Change-Id: Ic9edb2b8b0043413e4ec16de9c669646ae4230a6
3409+
3410+ keystone/middleware/swift_auth.py | 11 ++++++++++-
3411+ 1 file changed, 10 insertions(+), 1 deletion(-)
3412+
3413+commit 0a0513d9fb1b84d5b998ff47088aee7f121dc794
3414+Merge: a05daf5 89e8dc0
3415+Author: Jenkins <jenkins@review.openstack.org>
3416+Date: Tue Apr 3 19:39:43 2012 +0000
3417+
3418+ Merge "Add support to swift_auth for tokenless authz" into milestone-proposed
3419+
3420+commit a05daf5f53fbf0084e0f19ed4a8b686ff60bcb90
3421+Merge: bc153d5 4314ae6
3422+Author: Jenkins <jenkins@review.openstack.org>
3423+Date: Tue Apr 3 19:29:19 2012 +0000
3424+
3425+ Merge "additional logging to support debugging auth issue" into milestone-proposed
3426+
3427+commit 89e8dc075151acc85d8c4f8972d3910c7f33bd25
3428+Author: Maru Newby <mnewby@internap.com>
3429+Date: Tue Mar 20 22:19:36 2012 -0700
3430+
3431+ Add support to swift_auth for tokenless authz
3432+
3433+ * Updates keystone.middleware.swift_auth to allow token-less
3434+ (unauthenticated) access for container sync (bug 954030) and
3435+ permitted referrers (bug 924578).
3436+
3437+ Change-Id: Ieccf458c44dfe55f546dc15c79704800dad59ac0
3438+
3439+ doc/source/configuringservices.rst | 3 +
3440+ keystone/middleware/swift_auth.py | 106 +++++++++++++++++++++++++----------
3441+ tests/test_swift_auth_middleware.py | 56 +++++++++---------
3442+ 3 files changed, 104 insertions(+), 61 deletions(-)
3443+
3444+commit 4314ae6c038b96c080dfd13938678e358e5574e7
3445+Author: Joe Heck <heckj@mac.com>
3446+Date: Fri Mar 30 22:04:16 2012 -0700
3447+
3448+ additional logging to support debugging auth issue
3449+
3450+ fixes bug 969801
3451+
3452+ Change-Id: Iaf752e5f3692c91030cfd8575114f2c3293d1dba
3453+
3454+ keystone/middleware/auth_token.py | 8 +++++++-
3455+ 1 file changed, 7 insertions(+), 1 deletion(-)
3456+
3457+commit bc153d5ad9b32737dd55c33fd12468e89189eded
3458+Author: Maru Newby <mnewby@internap.com>
3459+Date: Mon Mar 26 16:08:56 2012 -0700
3460+
3461+ Fixed misc errors in configuration.rst
3462+
3463+ * Addresses bug 965788
3464+
3465+ Change-Id: I5aa276589a9818c7f523e6da9531af363139adbb
3466+
3467+ doc/source/configuration.rst | 10 ++++++----
3468+ 1 file changed, 6 insertions(+), 4 deletions(-)
3469+
3470+commit ada402155acf5bda83d1b0fbedfbb0d7e4144b58
3471+Author: termie <github@anarkystic.com>
3472+Date: Thu Mar 29 16:03:17 2012 -0700
3473+
3474+ don't duplicate the extra dict in extra
3475+
3476+ fixes bug 929815
3477+
3478+ Change-Id: Icfbe9a4b0eb2ef9b24bcf41113a6ec8e636210a9
3479+
3480+ keystone/catalog/backends/sql.py | 4 ++--
3481+ keystone/identity/backends/sql.py | 4 ++--
3482+ 2 files changed, 4 insertions(+), 4 deletions(-)
3483+
3484+commit 1b7aa15ae425e68c15588ba738e9b701b62d995a
3485+Author: Dolph Mathews <dolph.mathews@gmail.com>
3486+Date: Tue Mar 27 10:57:04 2012 -0700
3487+
3488+ Raise keystone.exception for HTTP 401 (bug 962563)
3489+
3490+ Change-Id: I22e3b6769c69ef5917028980007d3295fed99fb7
3491+
3492+ keystone/contrib/s3/core.py | 3 ++-
3493+ 1 file changed, 2 insertions(+), 1 deletion(-)
3494+
3495+commit b1336b0a3921621741ff8ba2adbc44113357e175
3496+Author: Dolph Mathews <dolph.mathews@gmail.com>
3497+Date: Fri Mar 23 10:46:16 2012 -0500
3498+
3499+ Validate object refs (return 404 instead of 500)
3500+
3501+ Combined fix for bug 963056:
3502+ user-crud 404
3503+ service-crud 404
3504+ ec2-credential-crud 404
3505+ user-role-crud 404
3506+ endpoint-crud 404
3507+
3508+ Change-Id: I7762aaaae9817ea7426039e4700e16b59e18cba1
3509+
3510+ keystone/catalog/core.py | 5 +-
3511+ keystone/contrib/ec2/core.py | 2 +
3512+ keystone/exception.py | 2 +-
3513+ keystone/identity/backends/kvs.py | 4 +
3514+ keystone/identity/backends/sql.py | 4 +
3515+ keystone/identity/core.py | 26 +++++-
3516+ tests/test_keystoneclient.py | 175 +++++++++++++++++++++++++++++++++++++
3517+ tests/test_keystoneclient_sql.py | 7 ++
3518+ 8 files changed, 222 insertions(+), 3 deletions(-)
3519+
3520+commit 80afa04f6e031207e6a7003843852b37c81eacc6
3521+Merge: f745dae d9959d8
3522+Author: Jenkins <jenkins@review.openstack.org>
3523+Date: Tue Apr 3 14:45:36 2012 +0000
3524+
3525+ Merge "tenant-crud 404 (bug 963056)" into milestone-proposed
3526+
3527+commit f745dae9a6d9c68140476daa8403d0efc09826ab
3528+Merge: 8037722 b56e326
3529+Author: Jenkins <jenkins@review.openstack.org>
3530+Date: Tue Apr 3 13:30:07 2012 +0000
3531+
3532+ Merge "role-crud 404 (bug 963056)" into milestone-proposed
3533+
3534+commit d9959d85a759b4acdff52c25f20a9462d66b185d
3535+Author: Dolph Mathews <dolph.mathews@gmail.com>
3536+Date: Fri Mar 23 10:23:06 2012 -0500
3537+
3538+ tenant-crud 404 (bug 963056)
3539+
3540+ tenant-get
3541+ tenant-update
3542+ tenant-delete
3543+
3544+ Change-Id: I9e67cea985f546c9ddf6ce6d82a11486099bd524
3545+
3546+ keystone/identity/core.py | 10 +++++++++-
3547+ tests/test_keystoneclient.py | 21 +++++++++++++++++++++
3548+ 2 files changed, 30 insertions(+), 1 deletion(-)
3549+
3550+commit b56e32645fa88cd21f4b5289cfb68d51fcbf740c
3551+Author: Dolph Mathews <dolph.mathews@gmail.com>
3552+Date: Fri Mar 23 09:10:59 2012 -0500
3553+
3554+ role-crud 404 (bug 963056)
3555+
3556+ role-get
3557+ role-delete
3558+ role-list
3559+
3560+ Change-Id: I099b1e1e5bd2cd77a2ea3b72fb0f14b88a3af26e
3561+
3562+ keystone/identity/backends/kvs.py | 3 +--
3563+ keystone/identity/backends/sql.py | 3 +--
3564+ keystone/identity/core.py | 13 ++++++++++--
3565+ tests/test_keystoneclient.py | 41 +++++++++++++++++++++++++++++++++++--
3566+ 4 files changed, 52 insertions(+), 8 deletions(-)
3567+
3568+commit 8037722264668d9b66326cdfac25f6cf84d2b7d4
3569+Author: Maru Newby <mnewby@internap.com>
3570+Date: Tue Mar 20 18:47:19 2012 -0700
3571+
3572+ Improve swift_auth test coverage + Minor fixes
3573+
3574+ * Isolates authorize() tests from wsgi tests
3575+ * Adds coverage for authorize()
3576+ * Adds support for a blank reseller_prefix
3577+ * Adds swift_auth test dependencies to tools/test-requires
3578+ * Cleans up authorize()'s use of tenant_id/tenant_name
3579+ (addresses bug 963546)
3580+
3581+ Change-Id: I603b89ab4fe8559b0f5d72528afd659ee0f0bce1
3582+
3583+ AUTHORS | 1 +
3584+ keystone/middleware/swift_auth.py | 18 +--
3585+ tests/test_swift_auth_middleware.py | 281 ++++++++++++++++++-----------------
3586+ tools/test-requires | 4 +
3587+ 4 files changed, 158 insertions(+), 146 deletions(-)
3588+
3589+commit f3ce326a8c9ab85f60145e6a198e061fd9ccf431
3590+Merge: 7abe0aa 1904228
3591+Author: Jenkins <jenkins@review.openstack.org>
3592+Date: Fri Mar 23 17:59:24 2012 +0000
3593+
3594+ Merge "Check values for EC2."
3595+
3596+commit 7abe0aa3845459b95a7d4e401e51d4ab8c4c0280
3597+Author: Chmouel Boudjnah <chmouel@chmouel.com>
3598+Date: Wed Mar 21 16:59:15 2012 +0000
3599+
3600+ S3 tokens cleanups.
3601+
3602+ - Cleanups.
3603+ - Remove reference about config admin_username/password/token.
3604+ - Return proper http error on errors.
3605+ - Add unittests (skip them for now when swift is not installed).
3606+ - Fixes bug 956983.
3607+
3608+ Change-Id: I392fc274f3b01a5a0b5779dd13f9cd3b819ee65a
3609+
3610+ doc/source/configuringservices.rst | 6 +-
3611+ keystone/middleware/s3_token.py | 124 ++++++++++++++++++++++------------
3612+ tests/test_s3_token_middleware.py | 130 ++++++++++++++++++++++++++++++++++++
3613+ 3 files changed, 213 insertions(+), 47 deletions(-)
3614+
3615+commit 1904228a5a3fef549c5b9294eba5c39f9f6f72bd
3616+Author: Chmouel Boudjnah <chmouel@chmouel.com>
3617+Date: Thu Mar 22 21:34:39 2012 +0000
3618+
3619+ Check values for EC2.
3620+
3621+ - Add multiple check to methods to make sure we have a proper
3622+ tenant_id/user_id/credentials.
3623+ - Fixes bug 958135.
3624+
3625+ Change-Id: I4dd171e3db32d6ebdc70bb1a83492c8ecd09c21c
3626+
3627+ keystone/contrib/ec2/core.py | 61 +++++++++++++++++++++++++++++++++++++-----
3628+ 1 file changed, 55 insertions(+), 6 deletions(-)
3629+
3630+commit 9feb00085f75ea2697fd2225e6003c2384904d08
3631+Author: Dolph Mathews <dolph.mathews@gmail.com>
3632+Date: Wed Mar 21 13:11:31 2012 -0500
3633+
3634+ Fix critical typo in endpoint_create (bug 961412)
3635+
3636+ It looks like catalog crud was previously untested.
3637+
3638+ Change-Id: I8e3060b6d6c737d3d97a5bd9076e9a5fdf9945e2
3639+
3640+ keystone/catalog/core.py | 2 +-
3641+ tests/test_keystoneclient_sql.py | 43 ++++++++++++++++++++++++++++++++++++++
3642+ 2 files changed, 44 insertions(+), 1 deletion(-)
3643+
3644+commit 885f8d5950f8441e857d860b4e1cd4fd996440cd
3645+Merge: d61aeda 94904e4
3646+Author: Jenkins <jenkins@review.openstack.org>
3647+Date: Tue Mar 20 23:59:16 2012 +0000
3648+
3649+ Merge "Rename tokenauth to authtoken."
3650+
3651+commit d61aedaf868d984f1c317a73b362a2e7a366ef89
3652+Author: Yong Sheng Gong <gongysh@cn.ibm.com>
3653+Date: Sun Mar 18 23:56:35 2012 +0800
3654+
3655+ unique role name constraint
3656+
3657+ For SQL identity backend, add unique constraint with column definition;
3658+ for kvs and ldap backend, use python code to apply this constraint.
3659+ Test cases test_create_duplicate_role_name_fails and test_rename_duplicate_role_name_fails are added to guard it.
3660+ python run_tests.py test_backend_ldap test_backend_kvs test_backend_sql pass.
3661+
3662+ bug 932258.
3663+
3664+ Change-Id: I990f17a270e84d35c078f215c587a81d6784c192
3665+
3666+ AUTHORS | 1 +
3667+ keystone/identity/backends/kvs.py | 23 +++++++++++++++++++-
3668+ keystone/identity/backends/ldap/core.py | 14 ++++++++++++-
3669+ keystone/identity/backends/sql.py | 2 +-
3670+ tests/test_backend.py | 35 +++++++++++++++++++++++++------
3671+ 5 files changed, 66 insertions(+), 9 deletions(-)
3672+
3673+commit f98cd4f27d68c47a003b529bbcfeffa9140e090d
3674+Merge: 53b3d44 3a296a4
3675+Author: Jenkins <jenkins@review.openstack.org>
3676+Date: Tue Mar 20 23:17:30 2012 +0000
3677+
3678+ Merge "Spring cleaning, fix PEP8 violations."
3679+
3680+commit 53b3d4498848ae2fff58751f9a791a9ebc00b742
3681+Author: Chmouel Boudjnah <chmouel@chmouel.com>
3682+Date: Sat Feb 25 11:37:17 2012 +0100
3683+
3684+ Add test for swift middleware.
3685+
3686+ - skip the tests if we don't have swift installed.
3687+
3688+ Change-Id: I3647538f3e7a32cbfce97b181c532371cef963da
3689+
3690+ tests/test_swift_auth_middleware.py | 203 +++++++++++++++++++++++++++++++++++
3691+ 1 file changed, 203 insertions(+)
3692+
3693+commit 3a296a458c4e2f9465ddc0330d03c3e7ec0e3c50
3694+Author: Chmouel Boudjnah <chmouel@chmouel.com>
3695+Date: Tue Mar 20 10:09:25 2012 +0000
3696+
3697+ Spring cleaning, fix PEP8 violations.
3698+
3699+ Change-Id: Ide832cd64c9b285213e23901eaf81946d504e726
3700+
3701+ doc/source/conf.py | 33 +++++++++++--------
3702+ run_tests.py | 1 -
3703+ tests/default_fixtures.py | 6 ++--
3704+ tests/test_auth_token_middleware.py | 6 ++--
3705+ tests/test_backend.py | 61 +++++++++++++++++------------------
3706+ tests/test_backend_kvs.py | 58 ++++++++++++++++-----------------
3707+ tests/test_backend_sql.py | 30 ++++++++---------
3708+ tests/test_content_types.py | 6 ++--
3709+ tests/test_import_legacy.py | 2 --
3710+ tests/test_keystoneclient.py | 6 ++--
3711+ tests/test_middleware.py | 3 +-
3712+ 11 files changed, 108 insertions(+), 104 deletions(-)
3713+
3714+commit 5ea232a09f88d621980cbd5ef4655f9c9a2e2da1
3715+Merge: da04fc0 009d661
3716+Author: Jenkins <jenkins@review.openstack.org>
3717+Date: Tue Mar 20 22:40:51 2012 +0000
3718+
3719+ Merge "Wrapped unexpected exceptions (bug 955411)"
3720+
3721+commit da04fc0de4b7f46a5559f3c81e54b5402e4876e3
3722+Merge: 57f1cb2 e677327
3723+Author: Jenkins <jenkins@review.openstack.org>
3724+Date: Tue Mar 20 22:34:37 2012 +0000
3725+
3726+ Merge "Support PyPAM in pam backend, update to latest API"
3727+
3728+commit 94904e45e3276e1c274a25c785c0143cd6d6fec1
3729+Author: Chmouel Boudjnah <chmouel@chmouel.com>
3730+Date: Tue Mar 20 17:08:46 2012 +0000
3731+
3732+ Rename tokenauth to authtoken.
3733+
3734+ - Avoid confusing by using the authtoken name for auth_token middleware.
3735+ - Improve swift_auth middleware doc.
3736+
3737+ Change-Id: I287860eba067b99a1d89f8f17200820340836ff9
3738+
3739+ doc/source/configuringservices.rst | 10 +++++-----
3740+ keystone/middleware/swift_auth.py | 9 +++++++--
3741+ 2 files changed, 12 insertions(+), 7 deletions(-)
3742+
3743+commit 57f1cb2c4a37ef0040321732fb64fc6cde02126d
3744+Merge: 80c7936 3e4653a
3745+Author: Jenkins <jenkins@review.openstack.org>
3746+Date: Tue Mar 20 18:04:22 2012 +0000
3747+
3748+ Merge "fix keystone-all's usage of options vs conf"
3749+
3750+commit 80c7936b3147d53659025a76ac232de986f5ce64
3751+Author: termie <github@anarkystic.com>
3752+Date: Tue Mar 20 10:41:03 2012 -0700
3753+
3754+ pass the arguments in when starting keystone-all
3755+
3756+ fixes bug 942793
3757+
3758+ Change-Id: I044a56c1eedae2ecef04dd3aa60b91414b7abc14
3759+
3760+ bin/keystone-all | 2 +-
3761+ 1 file changed, 1 insertion(+), 1 deletion(-)
3762+
3763+commit 3e4653a3914e84aec72ba159c4d23edba8ced48f
3764+Author: termie <github@anarkystic.com>
3765+Date: Tue Mar 20 10:47:31 2012 -0700
3766+
3767+ fix keystone-all's usage of options vs conf
3768+
3769+ we shouldn't be using options at all, that was a leftover piece of code
3770+ from a long time ago.
3771+
3772+ invalidates bug 949373
3773+
3774+ Change-Id: I29fcbd5f641464bda985900172b55bca45843f81
3775+
3776+ bin/keystone-all | 8 ++++----
3777+ etc/keystone.conf | 2 +-
3778+ 2 files changed, 5 insertions(+), 5 deletions(-)
3779+
3780+commit 9c823977baca9944074c62cedf32f5107a95a443
3781+Merge: 3263f45 6f8752b
3782+Author: Jenkins <jenkins@review.openstack.org>
3783+Date: Tue Mar 20 17:19:51 2012 +0000
3784+
3785+ Merge "Clean up sql connection args"
3786+
3787+commit 3263f45926f054c759caa10e391777e7372e73a1
3788+Merge: 5d07cdf ee57716
3789+Author: Jenkins <jenkins@review.openstack.org>
3790+Date: Tue Mar 20 16:59:17 2012 +0000
3791+
3792+ Merge "Improved file logging example (bug 959610)"
3793+
3794+commit 009d661a7e06ad72ab39b93433839bf567755ece
3795+Author: Dolph Mathews <dolph.mathews@gmail.com>
3796+Date: Wed Mar 14 15:06:16 2012 -0500
3797+
3798+ Wrapped unexpected exceptions (bug 955411)
3799+
3800+ - Replaced all webob.exc's (outside of middleware) with
3801+ keystone.exception's
3802+ - Raised 409 Conflict when creating/updating existing
3803+ user/tenant ID/names (bug 955464)
3804+ - Raised 501 Not Implemented for user-role-add w/o tenant_id
3805+ (bug 955548)
3806+
3807+ Change-Id: I9f16cac502c20dd35a6b8da778e85bf3d9cfae49
3808+
3809+ keystone/catalog/backends/sql.py | 2 +-
3810+ keystone/catalog/core.py | 11 ++-----
3811+ keystone/common/ldap/core.py | 11 ++++---
3812+ keystone/common/sql/core.py | 1 +
3813+ keystone/common/wsgi.py | 3 ++
3814+ keystone/contrib/ec2/core.py | 20 +++++--------
3815+ keystone/exception.py | 50 +++++++++++++++++++++++++++----
3816+ keystone/identity/backends/kvs.py | 19 ++++++++----
3817+ keystone/identity/backends/ldap/core.py | 2 +-
3818+ keystone/identity/backends/sql.py | 23 ++++++++++++++
3819+ keystone/identity/core.py | 24 ++++++++-------
3820+ keystone/policy/backends/rules.py | 2 +-
3821+ keystone/service.py | 4 +--
3822+ tests/test_exception.py | 4 +--
3823+ 14 files changed, 121 insertions(+), 55 deletions(-)
3824+
3825+commit 5d07cdf438b97ec2fdc4685b2f1559f3258da102
3826+Author: Michael Basnight <mbasnight@gmail.com>
3827+Date: Tue Mar 20 08:53:31 2012 -0500
3828+
3829+ Changing belongsTo validation back to ID
3830+
3831+ * Fixes lp#960218
3832+
3833+ Change-Id: I6296413c211da92a4d0e07a544ca812d3544cb73
3834+
3835+ keystone/service.py | 2 +-
3836+ tests/test_content_types.py | 2 +-
3837+ 2 files changed, 2 insertions(+), 2 deletions(-)
3838+
3839+commit 3a70a2f9281fdfec6f770cfb60fcd2dce5a77c5f
3840+Merge: 632fb0a 193374a
3841+Author: Jenkins <jenkins@review.openstack.org>
3842+Date: Tue Mar 20 04:55:46 2012 +0000
3843+
3844+ Merge "Fixes LP #954089 - Service list templated catalog"
3845+
3846+commit 632fb0a8cb4eddf76ce0695472601d69115149a9
3847+Merge: 4f3dade 2324247
3848+Author: Jenkins <jenkins@review.openstack.org>
3849+Date: Tue Mar 20 04:49:56 2012 +0000
3850+
3851+ Merge "Swift middleware doc update."
3852+
3853+commit 4f3dade2367270442b685426befd6d6de665797b
3854+Merge: ed231ff 678dcad
3855+Author: Jenkins <jenkins@review.openstack.org>
3856+Date: Tue Mar 20 04:44:01 2012 +0000
3857+
3858+ Merge "Refactor keystone.common.logging use (bug 948224)"
3859+
3860+commit ed231ffa8c3e90125bc73c528d1db8b46f3f5381
3861+Merge: 36b2b22 00a2392
3862+Author: Jenkins <jenkins@review.openstack.org>
3863+Date: Tue Mar 20 04:37:59 2012 +0000
3864+
3865+ Merge "Installing keystone docs"
3866+
3867+commit 6f8752bf6ea74fb8841dac1a1d6b62af019b48e5
3868+Author: Brian Waldon <bcwaldon@gmail.com>
3869+Date: Mon Mar 19 14:21:02 2012 -0700
3870+
3871+ Clean up sql connection args
3872+
3873+ * Convert idle_timeout (pool_recycle) to integer
3874+ * Drop min_pool_size, max_pool_size, pool_timeout
3875+ * Fixes bug 959916
3876+
3877+ Change-Id: Ie124b3abdf00358d6b722e1c2e2a2fb22967ca5a
3878+
3879+ doc/source/configuration.rst | 3 ---
3880+ etc/keystone.conf | 3 ---
3881+ keystone/config.py | 5 +----
3882+ tests/backend_sql.conf | 3 ---
3883+ 4 files changed, 1 insertion(+), 13 deletions(-)
3884+
3885+commit 36b2b228daabd07e185e70800863991cbde6ba95
3886+Merge: 83bc8c0 6f2c858
3887+Author: Jenkins <jenkins@review.openstack.org>
3888+Date: Tue Mar 20 04:15:44 2012 +0000
3889+
3890+ Merge "Update get_metadata to return {}"
3891+
3892+commit ee577163e32b88ca1345124c96ae3113d9a5ccdd
3893+Author: Dolph Mathews <dolph.mathews@gmail.com>
3894+Date: Mon Mar 19 14:49:18 2012 -0500
3895+
3896+ Improved file logging example (bug 959610)
3897+
3898+ - Root logger w/ file handler will log WARNING, ERROR, CRITICAL by default
3899+
3900+ Change-Id: I36cd07cec85712640daa013563401a3bc52f290c
3901+
3902+ .gitignore | 2 +-
3903+ etc/keystone.conf | 2 +-
3904+ etc/logging.conf.sample | 23 ++++-------------------
3905+ 3 files changed, 6 insertions(+), 21 deletions(-)
3906+
3907+commit 83bc8c088ec66a858afce9a889a4407c59b9d48e
3908+Merge: 5027c9d 773f0f8
3909+Author: Jenkins <jenkins@review.openstack.org>
3910+Date: Mon Mar 19 18:07:20 2012 +0000
3911+
3912+ Merge "Fix default port for identity.internalURL"
3913+
3914+commit 5027c9d7150815abe1dde7e4d85d41eb2d0fad4d
3915+Merge: 7c1e32b 56e4103
3916+Author: Jenkins <jenkins@review.openstack.org>
3917+Date: Mon Mar 19 18:01:19 2012 +0000
3918+
3919+ Merge "docstring cleanup to remove sphinx warnings"
3920+
3921+commit 2324247baac2ba620da1f6cdc540462e6f0b6a5f
3922+Author: Chmouel Boudjnah <chmouel@chmouel.com>
3923+Date: Mon Mar 19 14:53:36 2012 +0000
3924+
3925+ Swift middleware doc update.
3926+
3927+ Change-Id: I01ecc4d602b5e887f66d32676f11a92d022f693f
3928+
3929+ doc/source/configuringservices.rst | 13 ++++++++-----
3930+ 1 file changed, 8 insertions(+), 5 deletions(-)
3931+
3932+commit 7c1e32bba6837eb0937e6e7567aa5e7981db7fec
3933+Merge: 43a84e3 2146119
3934+Author: Jenkins <jenkins@review.openstack.org>
3935+Date: Mon Mar 19 16:26:45 2012 +0000
3936+
3937+ Merge "Remove nova-specific middlewares"
3938+
3939+commit 43a84e3b96450d29b7f3139a6e830583038c1d24
3940+Merge: 2c6a232 239e4f6
3941+Author: Jenkins <jenkins@review.openstack.org>
3942+Date: Mon Mar 19 16:20:55 2012 +0000
3943+
3944+ Merge "Add check for MAX_PASSWORD_LENGTH to utils."
3945+
3946+commit 193374af3860e17ed03bb0431d823046079ae444
3947+Author: Jay Pipes <jaypipes@gmail.com>
3948+Date: Tue Mar 13 17:30:07 2012 -0400
3949+
3950+ Fixes LP #954089 - Service list templated catalog
3951+
3952+ * Adds missing test cases for the TemplatedCatalog
3953+ * Adds a base CatalogTest that different backends
3954+ can use
3955+ * Updates kvs.Catalog to raise ServiceNotFound where
3956+ appropriate
3957+ * Updates the tests.test_keystoneclient_sql to actually
3958+ test the SQL catalog backend
3959+ * Removes old test for incorrect endpoints listing
3960+ * Removes the keystone.catalog.core.Driver.service_exists
3961+ method since it was only implemented in the SQL driver
3962+ and wasn't required now that get_service and delete_service
3963+ properly raise ServiceNotFound exception.
3964+
3965+ Change-Id: I35690cc147e56007be27bacf94eeff360e727e5d
3966+
3967+ keystone/catalog/backends/kvs.py | 9 +++-
3968+ keystone/catalog/backends/sql.py | 10 ++---
3969+ keystone/catalog/backends/templated.py | 3 ++
3970+ keystone/catalog/core.py | 12 ++---
3971+ keystone/exception.py | 4 ++
3972+ keystone/test.py | 75 ++++++++++++++++++++------------
3973+ tests/backend_sql.conf | 3 ++
3974+ tests/default_fixtures.py | 21 +++++++++
3975+ tests/test_backend.py | 20 +++++++++
3976+ tests/test_backend_kvs.py | 7 +--
3977+ tests/test_backend_templated.py | 57 ++++++++++++++++++++++++
3978+ tests/test_keystoneclient.py | 8 ----
3979+ 12 files changed, 174 insertions(+), 55 deletions(-)
3980+
3981+commit 2146119eaddaa5b3e375fef6590458a77932a58b
3982+Author: Brian Waldon <bcwaldon@gmail.com>
3983+Date: Mon Mar 19 08:31:26 2012 -0700
3984+
3985+ Remove nova-specific middlewares
3986+
3987+ * Nova now ships with nova.api.auth.NovaKeystoneContext
3988+ * Nova does not depend on either of the middlewares being removed
3989+
3990+ Change-Id: I9546e5c84ea1453f5dfd2dd7bf9924ccda57f87a
3991+
3992+ doc/source/configuringservices.rst | 11 +-
3993+ doc/source/nova-api-paste.rst | 143 --------------------------
3994+ keystone/middleware/nova_auth_token.py | 103 -------------------
3995+ keystone/middleware/nova_keystone_context.py | 71 -------------
3996+ 4 files changed, 1 insertion(+), 327 deletions(-)
3997+
3998+commit 239e4f64c2134338b32ffd6d42c0b6ff70cd040c
3999+Author: Dan Prince <dprince@redhat.com>
4000+Date: Fri Mar 16 21:46:31 2012 -0400
4001+
4002+ Add check for MAX_PASSWORD_LENGTH to utils.
4003+
4004+ Updates to keystone password hashing and checking functions so
4005+ that a max password length is enforced.
4006+
4007+ Fixes LP Bug #959288.
4008+
4009+ Change-Id: Id3048f3c916e92c59ac5b063d09c3d612d51c97c
4010+
4011+ keystone/common/utils.py | 17 +++++++++++++----
4012+ tests/test_utils.py | 5 +++++
4013+ 2 files changed, 18 insertions(+), 4 deletions(-)
4014+
4015+commit 2c6a232c38cf6bbd969421b2fe2fe7d410da327a
4016+Author: Brian Waldon <bcwaldon@gmail.com>
4017+Date: Fri Mar 16 15:55:22 2012 -0700
4018+
4019+ Remove glance_auth_token middleware
4020+
4021+ * Fixes bug 957501
4022+
4023+ Change-Id: I2ae6ec7b391dd41587f2246940a8d392c12c91fe
4024+
4025+ keystone/middleware/glance_auth_token.py | 78 ------------------------------
4026+ 1 file changed, 78 deletions(-)
4027+
4028+commit e67732748c7ad4656f6ef5d9da3ff4789199bf9a
4029+Author: Russell Bryant <rbryant@redhat.com>
4030+Date: Wed Mar 14 16:55:24 2012 -0400
4031+
4032+ Support PyPAM in pam backend, update to latest API
4033+
4034+ Fix bug 938801.
4035+
4036+ This bug pointed out that some distros don't have the same pam Python
4037+ module packaged that this backend was expecting. In my case, on Fedora,
4038+ it's PAM and the API is not compatible with the pam module that was
4039+ used. This patch makes the backend support PyPAM, as well as the
4040+ original pam module that was used.
4041+
4042+ In order to test this, I updated the pam backend to the latest backend
4043+ API. Even though the base class will raise NotImplementedError, I
4044+ included all functions here to make it more clear all of the things
4045+ this backend does not do.
4046+
4047+ Change-Id: I74144f4e63b6830c8224bc87e1662eb5df8728a0
4048+
4049+ keystone/identity/backends/pam.py | 137 +++++++++++++++++++++++++++++++++----
4050+ 1 file changed, 125 insertions(+), 12 deletions(-)
4051+
4052+commit 88ac1edec0b62fe5b18b2b0ffce3798f63f21351
4053+Merge: c93f663 f8cbd61
4054+Author: Jenkins <jenkins@review.openstack.org>
4055+Date: Fri Mar 16 02:34:15 2012 +0000
4056+
4057+ Merge "sample_data.sh: check file paths for packaged installations"
4058+
4059+commit c93f6633cdcde89c346054a478fa17b12940b395
4060+Merge: 2415b17 9363d5f
4061+Author: Jenkins <jenkins@review.openstack.org>
4062+Date: Thu Mar 15 22:34:02 2012 +0000
4063+
4064+ Merge "Properly return 501 for unsupported Catalog calls"
4065+
4066+commit 2415b171b113aea4f4fbec5856b92cec36d44709
4067+Merge: 096300d e7bb737
4068+Author: Jenkins <jenkins@review.openstack.org>
4069+Date: Thu Mar 15 17:23:52 2012 +0000
4070+
4071+ Merge "Add automatically generated code docs."
4072+
4073+commit 096300d072d8545f899586af44968c9ba43d380b
4074+Merge: fdca62c ab6be05
4075+Author: Jenkins <jenkins@review.openstack.org>
4076+Date: Thu Mar 15 14:46:48 2012 +0000
4077+
4078+ Merge "Update username -> name in token response."
4079+
4080+commit 773f0f84af282cd3e53650ccbb99284c37677b6a
4081+Author: Julien Danjou <julien.danjou@enovance.com>
4082+Date: Thu Mar 15 11:38:29 2012 +0100
4083+
4084+ Fix default port for identity.internalURL
4085+
4086+ This should be the public_port and not the admin one.
4087+
4088+ Change-Id: Ib09e7479c0507797532e6bb91d76b7d3083cc761
4089+ Signed-off-by: Julien Danjou <julien.danjou@enovance.com>
4090+
4091+ etc/default_catalog.templates | 2 +-
4092+ 1 file changed, 1 insertion(+), 1 deletion(-)
4093+
4094+commit fdca62c93858e5bac09e5e20e0818585946a598d
4095+Merge: 9a2010b d2c6e88
4096+Author: Jenkins <jenkins@review.openstack.org>
4097+Date: Thu Mar 15 07:49:17 2012 +0000
4098+
4099+ Merge "Raising unauthorized instead of 500 (bug 954547)"
4100+
4101+commit 00a239278553fd357e56da35b559ec329dc9796a
4102+Author: Joe Heck <heckj@mac.com>
4103+Date: Wed Mar 14 19:03:59 2012 -0700
4104+
4105+ Installing keystone docs
4106+
4107+ fixes bug 954217
4108+
4109+ Change-Id: Iba79d2d5bae836037d5b0e10169d9bbdba8603dc
4110+
4111+ doc/source/index.rst | 5 +-
4112+ doc/source/installing.rst | 115 +++++++++++++++++++++++++++++++++++++++++++++
4113+ 2 files changed, 118 insertions(+), 2 deletions(-)
4114+
4115+commit ab6be05068068b0902db44b1d60f56eea4fe1215
4116+Author: Brian Lamar <brian.lamar@rackspace.com>
4117+Date: Wed Mar 14 18:30:13 2012 -0400
4118+
4119+ Update username -> name in token response.
4120+
4121+ Tokens validation responses contain user information. The API docs
4122+ seem to indicate token["user"]["name"] contains the username but
4123+ currently the auth_token.py middleware checks for
4124+ token["user"]["username"]. This updates that check and the tests.
4125+
4126+ Fixes bug 955563
4127+
4128+ Change-Id: Ib2fbf6fcea87f7066394cf14c18158f1e5eeaf06
4129+
4130+ keystone/middleware/auth_token.py | 2 +-
4131+ tests/test_auth_token_middleware.py | 8 ++++----
4132+ 2 files changed, 5 insertions(+), 5 deletions(-)
4133+
4134+commit 678dcad410b2496eb1ed34bb91c0d0914a9c6b0d
4135+Author: Dolph Mathews <dolph.mathews@gmail.com>
4136+Date: Wed Mar 14 14:28:04 2012 -0500
4137+
4138+ Refactor keystone.common.logging use (bug 948224)
4139+
4140+ Change-Id: I01b2b5748a2524273bb8c2b734ab22415652f739
4141+
4142+ HACKING.rst | 20 ++++++++++++++++
4143+ keystone/catalog/backends/templated.py | 2 +-
4144+ keystone/common/bufferedhttp.py | 8 +++++--
4145+ keystone/common/ldap/core.py | 5 ++--
4146+ keystone/common/ldap/fakeldap.py | 4 ++--
4147+ keystone/common/sql/nova.py | 16 ++++++-------
4148+ keystone/common/utils.py | 15 ++++++------
4149+ keystone/common/wsgi.py | 37 +++++++++++++++--------------
4150+ keystone/middleware/auth_token.py | 40 ++++++++++++++++----------------
4151+ keystone/policy/backends/rules.py | 2 +-
4152+ keystone/test.py | 3 ++-
4153+ 11 files changed, 90 insertions(+), 62 deletions(-)
4154+
4155+commit 9a2010bfe81a386610a294d0b29c31e12db79773
4156+Merge: acc9f89 f4915af
4157+Author: Jenkins <jenkins@review.openstack.org>
4158+Date: Wed Mar 14 20:45:40 2012 +0000
4159+
4160+ Merge "Allow connect to another tenant."
4161+
4162+commit e7bb73767ba9b538bdab85cdb4edb2549c02427f
4163+Author: Russell Bryant <rbryant@redhat.com>
4164+Date: Wed Mar 14 16:05:46 2012 -0400
4165+
4166+ Add automatically generated code docs.
4167+
4168+ Fix bug 954734.
4169+
4170+ Fix "python setup.py build_sphinx" to build the code documentation via
4171+ sphinx-apidoc.
4172+
4173+ Change-Id: I18eced31aab424b7c808697324cbf6cfede442a7
4174+
4175+ setup.py | 3 +++
4176+ 1 file changed, 3 insertions(+)
4177+
4178+commit 9363d5fea676e1e083c5afe5287ef30c806046bf
4179+Author: Adam Gandelman <adamg@canonical.com>
4180+Date: Tue Mar 13 16:23:45 2012 -0700
4181+
4182+ Properly return 501 for unsupported Catalog calls
4183+
4184+ Similar to the other APIs, this creates a Driver class that describes
4185+ expected functionality of the catalog driver and raises NotImplemented
4186+ accordingly. NotImplementedError()'s are caught and returned as proper
4187+ 501s instead of AttributeErrors.
4188+
4189+ Also fixes some inconsistent paramters names in the sql backend.
4190+
4191+ Fixes bug 954087
4192+
4193+ Update: Convert usage of NotImplementedError() to new
4194+ keystone.exception.NotImplemented() for all
4195+ unimplemented driver actions.
4196+
4197+ Change-Id: I69d8e21a6f651e69b724ec5ed5784645bad80c00
4198+
4199+ doc/source/architecture.rst | 2 +-
4200+ keystone/catalog/backends/kvs.py | 3 +-
4201+ keystone/catalog/backends/sql.py | 6 +--
4202+ keystone/catalog/core.py | 79 ++++++++++++++++++++++++++++++++++++++
4203+ keystone/exception.py | 6 +++
4204+ keystone/identity/core.py | 56 +++++++++++++--------------
4205+ keystone/policy/core.py | 3 +-
4206+ keystone/service.py | 4 +-
4207+ keystone/token/core.py | 7 ++--
4208+ 9 files changed, 127 insertions(+), 39 deletions(-)
4209+
4210+commit acc9f892b36aa7315ac84d1e7f6506a6fea9fbad
4211+Merge: b03c204 a1e0174
4212+Author: Jenkins <jenkins@review.openstack.org>
4213+Date: Wed Mar 14 18:22:30 2012 +0000
4214+
4215+ Merge "Update docs for keystone client cli args"
4216+
4217+commit 56e41037ba41b2507722dcbc54157cfe4cf4535f
4218+Author: Joe Heck <heckj@mac.com>
4219+Date: Wed Mar 14 17:19:37 2012 +0000
4220+
4221+ docstring cleanup to remove sphinx warnings
4222+
4223+ Change-Id: Icfc273f2466f48307d2addd22b70f1759d23fd97
4224+
4225+ keystone/common/policy.py | 17 ++++++++++-------
4226+ keystone/policy/backends/rules.py | 6 ++++--
4227+ 2 files changed, 14 insertions(+), 9 deletions(-)
4228+
4229+commit b03c2047815ff341547d2d9792dfd392148d277a
4230+Author: Joe Heck <heckj@mac.com>
4231+Date: Wed Mar 14 05:08:58 2012 +0000
4232+
4233+ updating documentation for rewrite of auth_token.
4234+
4235+ fixes bug 944372
4236+
4237+ Change-Id: Ifac365a6eb141e0ca4701cf139d6ea66a0b3ffbc
4238+
4239+ doc/source/configuringservices.rst | 3 +-
4240+ doc/source/images/graphs_305.svg | 41 --
4241+ doc/source/images/graphs_both.svg | 36 --
4242+ .../images/graphs_delegate_forbiden_basic.svg | 53 --
4243+ .../images/graphs_delegate_forbiden_proxy.svg | 52 --
4244+ doc/source/images/graphs_delegate_reject_basic.svg | 55 --
4245+ doc/source/images/graphs_delegate_reject_oauth.svg | 56 --
4246+ .../images/graphs_delegate_unimplemented.svg | 53 --
4247+ doc/source/images/graphs_mapper.svg | 73 ---
4248+ doc/source/images/graphs_proxyAuth.svg | 51 --
4249+ doc/source/images/images_layouts.svg | 200 -------
4250+ doc/source/index.rst | 3 +-
4251+ doc/source/middleware_architecture.rst | 555 +++++---------------
4252+ doc/source/old/middleware.rst | 169 ------
4253+ doc/source/setup.rst | 28 +-
4254+ 15 files changed, 148 insertions(+), 1280 deletions(-)
4255+
4256+commit f4915afc5af0d1252e7779fcc30ffff892a69d91
4257+Author: Chmouel Boudjnah <chmouel@chmouel.com>
4258+Date: Wed Mar 14 16:19:12 2012 +0000
4259+
4260+ Allow connect to another tenant.
4261+
4262+ - Works with nova s3_affix_tenant.
4263+ - This would only be allowed for user who has reselleradmin rights.
4264+ - Fixes bug 954505.
4265+
4266+ Change-Id: Iea84f1c61f6c725982c8bee95889ce084d9ffd82
4267+
4268+ keystone/middleware/s3_token.py | 26 +++++++++++++++++++++-----
4269+ 1 file changed, 21 insertions(+), 5 deletions(-)
4270+
4271+commit fb4cbe9d3766ac0ccbe746114d5c6745bc91e002
4272+Merge: 5b3e05b dc41cb5
4273+Author: Jenkins <jenkins@review.openstack.org>
4274+Date: Wed Mar 14 06:08:00 2012 +0000
4275+
4276+ Merge "Failing to update tenants (bug 953678, bug 954673)"
4277+
4278+commit a1e01747ea81fc128d08c02d449b477f52003680
4279+Author: Dean Troyer <dtroyer@gmail.com>
4280+Date: Wed Mar 14 00:35:47 2012 -0500
4281+
4282+ Update docs for keystone client cli args
4283+
4284+ Changes CLI args in keystone command per updated http://wiki.openstack.org/CLIAuth
4285+
4286+ Change-Id: I097181c418f6cc2226fceb5c79d87fde36026594
4287+
4288+ doc/source/configuration.rst | 12 ++++++------
4289+ 1 file changed, 6 insertions(+), 6 deletions(-)
4290+
4291+commit d2c6e88200bb33708a0861da4d1a10c0f7984895
4292+Author: Dolph Mathews <dolph.mathews@gmail.com>
4293+Date: Tue Mar 13 22:06:34 2012 -0500
4294+
4295+ Raising unauthorized instead of 500 (bug 954547)
4296+
4297+ Change-Id: I557ff1ca51261edf0824aeb4565816216c59c76e
4298+
4299+ keystone/common/wsgi.py | 21 +++++++++++++++------
4300+ 1 file changed, 15 insertions(+), 6 deletions(-)
4301+
4302+commit dc41cb5c11951b416d3e379bc944ac85737b979a
4303+Author: Dolph Mathews <dolph.mathews@gmail.com>
4304+Date: Tue Mar 13 16:11:27 2012 -0500
4305+
4306+ Failing to update tenants (bug 953678, bug 954673)
4307+
4308+ - GET /tenants: Enabled attribute was being overridden
4309+ - "POST" /tenants/{tenant_id}: was failing to update KVS
4310+
4311+ Change-Id: Icc1efef52d35777d73e6010bdfc0409e24570aa2
4312+
4313+ keystone/identity/backends/kvs.py | 3 +-
4314+ keystone/identity/core.py | 3 +-
4315+ tests/test_keystoneclient.py | 56 ++++++++++++++++++++++++++++---------
4316+ 3 files changed, 47 insertions(+), 15 deletions(-)
4317+
4318+commit 5b3e05bbabd5366461630327e4498fe582ff8ab7
4319+Author: Adam Young <ayoung@redhat.com>
4320+Date: Wed Mar 7 16:04:32 2012 -0500
4321+
4322+ added LDAP section to architecture and architecture
4323+
4324+ https://bugs.launchpad.net/keystone/+bug/949521
4325+
4326+ Bug 949521
4327+
4328+ Change-Id: I2e37c0d946e3d97a2c4bc4bf4a50bd94466f70c2
4329+
4330+ doc/source/architecture.rst | 6 ++++++
4331+ doc/source/configuration.rst | 42 +++++++++++++++++++++++++++++++++++++++---
4332+ 2 files changed, 45 insertions(+), 3 deletions(-)
4333+
4334+commit e65a22c43a7fe44621080cee01f394c90b54320d
4335+Author: Peng Yong <ppyy@pubyun.com>
4336+Date: Sun Mar 11 10:35:15 2012 +0800
4337+
4338+ Bug #943031 MySQL Server has gone away
4339+ added docnotes of error messages caught for mysql and reference
4340+
4341+ Change-Id: I147b32193436be891e54e36c6adc1b16fda886d3
4342+
4343+ AUTHORS | 1 +
4344+ keystone/common/sql/core.py | 43 +++++++++++++++++++++++++++++++++++++++----
4345+ 2 files changed, 40 insertions(+), 4 deletions(-)
4346+
4347+commit 97460ef70b7a8008a27f73384c389c2b4c23dded
4348+Merge: dee8153 73af033
4349+Author: Jenkins <jenkins@review.openstack.org>
4350+Date: Tue Mar 13 21:28:39 2012 +0000
4351+
4352+ Merge "Improved legacy tenancy resolution (bug 951933)"
4353+
4354+commit dee81534cb2743262e2287da35e9b5970bd9cc12
4355+Author: Joe Heck <heckj@mac.com>
4356+Date: Tue Mar 13 13:53:40 2012 -0700
4357+
4358+ making all use of time follow datetime.utcnow()
4359+ fixes bug 954057
4360+
4361+ Change-Id: I14fa475dc03410b8843ab028d30fbc8802c4be30
4362+
4363+ keystone/token/backends/kvs.py | 2 +-
4364+ keystone/token/backends/sql.py | 2 +-
4365+ keystone/token/core.py | 4 ++--
4366+ tests/test_backend_memcache.py | 2 +-
4367+ 4 files changed, 5 insertions(+), 5 deletions(-)
4368+
4369+commit 73af033ded8fe9ba54c37ab4f2a7553b3be1e450
4370+Author: Dolph Mathews <dolph.mathews@gmail.com>
4371+Date: Tue Mar 13 12:27:53 2012 -0500
4372+
4373+ Improved legacy tenancy resolution (bug 951933)
4374+
4375+ Change-Id: Ia6fd5eb57e8d7f90328117351f7b814b1b4495dc
4376+
4377+ keystone/middleware/auth_token.py | 33 ++++--
4378+ tests/test_auth_token_middleware.py | 201 ++++++++++++++++++++++++++---------
4379+ 2 files changed, 174 insertions(+), 60 deletions(-)
4380+
4381+commit f8cbd611cfa258f75051e41ebd83501cfec06630
4382+Author: Alan Pevec <apevec@redhat.com>
4383+Date: Mon Feb 27 17:59:33 2012 +0100
4384+
4385+ sample_data.sh: check file paths for packaged installations
4386+
4387+ v4: try to use system-wide configuration first
4388+ then fallback to assuming git checkout
4389+
4390+ Change-Id: I6916f554cb9848fcb2d090e142b8915ad19a7486
4391+
4392+ tools/sample_data.sh | 19 +++++++++++++++----
4393+ 1 file changed, 15 insertions(+), 4 deletions(-)
4394+
4395+commit 1e07b98d77a6ccb254e6f4411682235a47dab137
4396+Author: Chmouel Boudjnah <chmouel@chmouel.com>
4397+Date: Sat Mar 10 17:22:06 2012 +0100
4398+
4399+ Fix iso8601 import/use and date comparaison.
4400+
4401+ - Store the unix time from iso8601.parse_date to compare against
4402+ time.time.
4403+ - on a WSGI environement the import don't get passed to the methods from
4404+ __init__ use a self. variable.
4405+ - Fixes bug 951603.
4406+ - Add unit tests.
4407+ - Add iso8601 to test-requires.
4408+
4409+ Change-Id: Ia8af8b203d1310d5ae6868c3a14dfdf68d6e5331
4410+
4411+ keystone/middleware/auth_token.py | 6 ++-
4412+ tests/test_auth_token_middleware.py | 93 ++++++++++++++++++++++++++++-------
4413+ tools/test-requires | 1 +
4414+ 3 files changed, 79 insertions(+), 21 deletions(-)
4415+
4416+commit a036b3f77ba39301d0a5d44afe6c4253c0db8b15
4417+Author: Dean Troyer <dtroyer@gmail.com>
4418+Date: Mon Mar 12 14:45:34 2012 -0500
4419+
4420+ Fix double-quoted service names
4421+
4422+ The Keystone service template parser doesn't do any quote interpolation,
4423+ it just splits on ' = ' and passes the two parts on. So we just remove
4424+ the quotes for now.
4425+
4426+ Fixes bug 943523
4427+
4428+ Change-Id: Ib9e17e70926339ab67f9c50a52a5036eeb7bfb65
4429+
4430+ etc/default_catalog.templates | 10 +++++-----
4431+ 1 file changed, 5 insertions(+), 5 deletions(-)
4432+
4433+commit f6fd0c79219e0b4f8108aba73553b120f763af54
4434+Merge: 0c3c27c 1b64c84
4435+Author: Jenkins <jenkins@review.openstack.org>
4436+Date: Sun Mar 11 06:42:37 2012 +0000
4437+
4438+ Merge "Remove Nova Diablo reference from migrate docs"
4439+
4440+commit 1b64c8405381000b8738195b265c6c81690d8e9e
4441+Author: Brian Waldon <bcwaldon@gmail.com>
4442+Date: Sat Mar 10 20:59:40 2012 -0800
4443+
4444+ Remove Nova Diablo reference from migrate docs
4445+
4446+ Change-Id: Ic8e07197db0b926c2ac7ee0ad6fcc936314ffe6f
4447+
4448+ doc/source/configuration.rst | 2 +-
4449+ 1 file changed, 1 insertion(+), 1 deletion(-)
4450+
4451+commit 0c3c27c7dbf8a4d359e8cae7f80fcaad5d8582e9
4452+Author: Deepak Garg <deepakgarg.iitg@gmail.com>
4453+Date: Thu Mar 8 09:16:26 2012 +0530
4454+
4455+ Fixes the cli documentation of user/tenant/roles
4456+
4457+ Fixed the subcommands and basic misconfiguration mentioned in bug #948211
4458+
4459+ Note: deleted the old commands after the review comments.
4460+
4461+ Change-Id: I2a8491c35f346d120581156ae1743d07c3c11fd0
4462+
4463+ AUTHORS | 1 +
4464+ doc/source/configuration.rst | 103 +++++++++++++-----------------------------
4465+ 2 files changed, 32 insertions(+), 72 deletions(-)
4466+
4467+commit 9d245f8b6867bb7cb2b1230055de1230a483f0cb
4468+Merge: a863c13 2f4fb46
4469+Author: Jenkins <jenkins@review.openstack.org>
4470+Date: Sun Mar 11 01:54:48 2012 +0000
4471+
4472+ Merge "create service endpoints in sample data"
4473+
4474+commit a863c136720a1e3ddc098588afd171dc10ffb308
4475+Author: Brian Waldon <bcwaldon@gmail.com>
4476+Date: Sat Mar 10 13:59:44 2012 -0800
4477+
4478+ Add simple set of tests for auth_token middleware
4479+
4480+ Change-Id: Ie959e91dc555e35b8e5ba4b01c68a3f232efc115
4481+
4482+ keystone/middleware/auth_token.py | 7 +-
4483+ tests/test_auth_token_middleware.py | 162 +++++++++++++++++++++++++++++++++++
4484+ 2 files changed, 168 insertions(+), 1 deletion(-)
4485+
4486+commit 7ee2a4618314217c1b5bae15e9346be4d9cb8107
4487+Merge: c373132 d6631d8
4488+Author: Jenkins <jenkins@review.openstack.org>
4489+Date: Sat Mar 10 19:21:04 2012 +0000
4490+
4491+ Merge "update documention on changing user password"
4492+
4493+commit c373132e7fc720690d0f7531e1f5871632984c4f
4494+Merge: 6db0067 259d938
4495+Author: Jenkins <jenkins@review.openstack.org>
4496+Date: Sat Mar 10 19:01:34 2012 +0000
4497+
4498+ Merge "enables run_test option to skip integration"
4499+
4500+commit 6db00670ea33c39c408d657525ebd778c8932ce1
4501+Merge: ee5083d 48f2c7d
4502+Author: Jenkins <jenkins@review.openstack.org>
4503+Date: Sat Mar 10 11:29:31 2012 +0000
4504+
4505+ Merge "Add AUTHORS to the tarball."
4506+
4507+commit d6631d81d5f469415aed2023367adccb529ea656
4508+Author: Yaguang Tang <heut2008@gmail.com>
4509+Date: Sat Mar 10 15:51:56 2012 +0800
4510+
4511+ update documention on changing user password
4512+
4513+ Change-Id: I73be30eed4d2eed7a53c9dbdb5f29ec9c8f6eb6f
4514+
4515+ doc/source/configuration.rst | 4 ++--
4516+ 1 file changed, 2 insertions(+), 2 deletions(-)
4517+
4518+commit ee5083d7b4d7c9f3d687ccba6fe652af0966b9e0
4519+Merge: b5c8b3a 94abc7e
4520+Author: Jenkins <jenkins@review.openstack.org>
4521+Date: Sat Mar 10 07:35:54 2012 +0000
4522+
4523+ Merge "Make sure we have a port number before int it."
4524+
4525+commit 259d9380e835d03d7358e4d953404b8207b8e8d7
4526+Author: Joe Heck <heckj@mac.com>
4527+Date: Fri Mar 9 22:41:47 2012 -0800
4528+
4529+ enables run_test option to skip integration
4530+
4531+ * fixes bug 948495
4532+
4533+ Change-Id: I274bfe9611d677c44117a0d9ff67394790794fc4
4534+
4535+ run_tests.sh | 8 ++++++++
4536+ 1 file changed, 8 insertions(+)
4537+
4538+commit b5c8b3a81911491c97ee95e741c75ffd269f382a
4539+Author: Chmouel Boudjnah <chmouel@chmouel.com>
4540+Date: Fri Mar 2 15:31:54 2012 +0000
4541+
4542+ Add token caching via memcache.
4543+
4544+ - Fixes bug 938253
4545+ - caching requires both python-memcache and iso8601
4546+
4547+ Change-Id: I23d5849aad4c6a2333b903eaca6d4f00be8615d3
4548+
4549+ doc/source/nova-api-paste.rst | 2 +-
4550+ doc/source/old/middleware.rst | 2 +-
4551+ keystone/middleware/auth_token.py | 70 +++++++++++++++++++++++++++++++++++++
4552+ 3 files changed, 72 insertions(+), 2 deletions(-)
4553+
4554+commit 6f2c858f4382395bd4b4232e7ba3dd509327e4c6
4555+Author: Brian Lamar <brian.lamar@rackspace.com>
4556+Date: Fri Mar 9 15:24:25 2012 -0500
4557+
4558+ Update get_metadata to return {}
4559+
4560+ Fixes bug 951093
4561+
4562+ While the actual issue was encountered in keystone/service.py,
4563+ the underlying issue is that all identity backends seems to be
4564+ returning None when no metadata is found for a user. I would argue
4565+ that returning {} makes it easier on clients.
4566+
4567+ Change-Id: I06faf755cc0dbe45b5d0a0f86c6235b27c856047
4568+
4569+ keystone/identity/backends/kvs.py | 2 +-
4570+ keystone/identity/backends/ldap/core.py | 8 +++-----
4571+ keystone/identity/backends/sql.py | 2 +-
4572+ tests/default_fixtures.py | 4 ++++
4573+ tests/test_backend.py | 19 +++++++++++++++++--
4574+ 5 files changed, 26 insertions(+), 9 deletions(-)
4575+
4576+commit e05bc6a6edeee5e1430e6c36fb38c911821800f5
4577+Author: Dolph Mathews <dolph.mathews@gmail.com>
4578+Date: Thu Mar 1 12:31:53 2012 -0600
4579+
4580+ Diablo to Essex migration docs (bug 934328)
4581+
4582+ - Also includes notes to address bug 947060
4583+
4584+ Change-Id: I2756457861f3e84334a7d37aed31372a3b02dd40
4585+
4586+ doc/source/configuration.rst | 408 ++++++++++++++++++++++--------------
4587+ doc/source/man/keystone-manage.rst | 9 +-
4588+ 2 files changed, 260 insertions(+), 157 deletions(-)
4589+
4590+commit 5720730c2e55259f1894368e766256cded51a1df
4591+Author: Dolph Mathews <dolph.mathews@gmail.com>
4592+Date: Fri Mar 2 13:38:39 2012 -0600
4593+
4594+ Added license header (bug 929663)
4595+
4596+ Change-Id: Ia36a22f2d6bba411e4fad81ea2d6fa1f0465a733
4597+
4598+ keystone/catalog/__init__.py | 16 ++++++++++++++++
4599+ keystone/common/kvs.py | 14 ++++++++++++++
4600+ keystone/common/ldap/__init__.py | 16 ++++++++++++++++
4601+ keystone/common/ldap/core.py | 14 ++++++++++++++
4602+ keystone/common/logging.py | 14 ++++++++++++++
4603+ keystone/common/manager.py | 14 ++++++++++++++
4604+ keystone/common/serializer.py | 16 ++++++++++++++++
4605+ keystone/common/sql/__init__.py | 16 ++++++++++++++++
4606+ keystone/common/sql/core.py | 14 ++++++++++++++
4607+ keystone/common/sql/legacy.py | 14 ++++++++++++++
4608+ keystone/common/sql/nova.py | 14 ++++++++++++++
4609+ keystone/common/sql/util.py | 14 ++++++++++++++
4610+ keystone/contrib/admin_crud/__init__.py | 16 ++++++++++++++++
4611+ keystone/contrib/ec2/__init__.py | 16 ++++++++++++++++
4612+ keystone/contrib/s3/__init__.py | 16 ++++++++++++++++
4613+ keystone/identity/__init__.py | 16 ++++++++++++++++
4614+ keystone/identity/backends/ldap/__init__.py | 16 ++++++++++++++++
4615+ keystone/identity/backends/ldap/core.py | 14 ++++++++++++++
4616+ keystone/middleware/__init__.py | 16 ++++++++++++++++
4617+ keystone/policy/__init__.py | 16 ++++++++++++++++
4618+ keystone/token/__init__.py | 16 ++++++++++++++++
4619+ run_tests.sh | 14 ++++++++++++++
4620+ setup.py | 3 +--
4621+ tests/_ldap_livetest.py | 14 ++++++++++++++
4622+ tests/default_fixtures.py | 16 ++++++++++++++++
4623+ tests/test_backend_ldap.py | 14 ++++++++++++++
4624+ tests/test_content_types.py | 14 ++++++++++++++
4625+ tests/test_serializer.py | 14 ++++++++++++++
4626+ tools/sample_data.sh | 14 ++++++++++++++
4627+ 29 files changed, 419 insertions(+), 2 deletions(-)
4628+
4629+commit 48f2c7d4efb5e4691802fa5124523590b6321975
4630+Author: Dan Prince <dprince@redhat.com>
4631+Date: Fri Mar 9 12:54:06 2012 -0500
4632+
4633+ Add AUTHORS to the tarball.
4634+
4635+ Fixes LP Bug #950998.
4636+
4637+ Change-Id: Ia521a9d013ef4fb332df4dc5576cc3e5f13651bc
4638+
4639+ MANIFEST.in | 1 +
4640+ 1 file changed, 1 insertion(+)
4641+
4642+commit 2f4fb46159e8b73c8aba231ec2239b41bb53183c
4643+Author: Alan Pevec <apevec@redhat.com>
4644+Date: Wed Mar 7 21:31:37 2012 +0100
4645+
4646+ create service endpoints in sample data
4647+
4648+ Enable creation of endpoints by setting ENABLE_ENDPOINTS environment
4649+ variable. Works with Catalog SQL backend.
4650+
4651+ Change-Id: I9ba0ea1b3cf35720fb338e91f48fcbddc326971b
4652+
4653+ keystone/catalog/backends/sql.py | 8 +++++-
4654+ tools/sample_data.sh | 51 +++++++++++++++++++++++++++++++++-----
4655+ 2 files changed, 52 insertions(+), 7 deletions(-)
4656+
4657+commit 303a10b9460c506455a74e890567031cf4c9cdef
4658+Author: Dean Troyer <dtroyer@gmail.com>
4659+Date: Fri Mar 9 00:03:46 2012 -0600
4660+
4661+ Fix EC2 credentials crud after policy backend change
4662+
4663+ https://review.openstack.org/4659 implemented the common policy code
4664+ but made a change to the exception thrown by wsgi.Application.assert_admin()
4665+ and Ec2Controller._is_admin() needed updating.
4666+
4667+ Fixes bug 950557
4668+
4669+ Change-Id: I0e27aeeabd1be5a6012e34aa71efdfc2f2d5a726
4670+
4671+ keystone/contrib/ec2/core.py | 2 +-
4672+ 1 file changed, 1 insertion(+), 1 deletion(-)
4673+
4674+commit 0a124fa6a114ba357f6aec9ba4da5eb503483a95
4675+Merge: a2f2274 524cbd5
4676+Author: Jenkins <jenkins@review.openstack.org>
4677+Date: Thu Mar 8 22:29:04 2012 +0000
4678+
4679+ Merge "add more default catalog templates"
4680+
4681+commit a2f2274c69df2ca5b040a69173f3eb7eb030c561
4682+Author: termie <github@anarkystic.com>
4683+Date: Tue Feb 28 16:50:48 2012 -0800
4684+
4685+ port common policy code to keystone
4686+
4687+ keystone.common.policy is copied from nova
4688+
4689+ leave simple backend in as a shim until devstack stops referencing it
4690+
4691+ Change-Id: Ibd579cfeb99465706d525b6565818a2d8f5f3b7c
4692+
4693+ etc/keystone.conf | 2 +-
4694+ etc/policy.json | 3 +
4695+ keystone/common/policy.py | 207 ++++++++++++++++++++++++++++++++++++
4696+ keystone/common/utils.py | 43 ++++++++
4697+ keystone/common/wsgi.py | 7 +-
4698+ keystone/policy/backends/rules.py | 104 ++++++++++++++++++
4699+ keystone/policy/backends/simple.py | 22 +---
4700+ keystone/policy/core.py | 10 ++
4701+ keystone/test.py | 22 ++--
4702+ tests/policy.json | 3 +
4703+ tests/test_policy.py | 180 +++++++++++++++++++++++++++++++
4704+ 11 files changed, 575 insertions(+), 28 deletions(-)
4705+
4706+commit e5254d48b133f3ec9798cc8eb48a03cb69ff2d97
4707+Merge: e422567 71aa1db
4708+Author: Jenkins <jenkins@review.openstack.org>
4709+Date: Thu Mar 8 21:38:24 2012 +0000
4710+
4711+ Merge "fix Nova Volume Service in sample data"
4712+
4713+commit e4225671cf9c5f3bac5a0f061fa90ad73a6ee673
4714+Author: Michael Basnight <mbasnight@gmail.com>
4715+Date: Wed Mar 7 22:32:23 2012 -0600
4716+
4717+ rename belongs_to to belongsTo as per the API spec.
4718+
4719+ fixes lp#949554
4720+
4721+ Change-Id: Ia24dda7e9aa8e075861029dd5edeafd01c9d89c2
4722+
4723+ keystone/service.py | 4 ++--
4724+ tests/test_content_types.py | 2 +-
4725+ 2 files changed, 3 insertions(+), 3 deletions(-)
4726+
4727+commit 5231d3cc022d7a894e41f03a53eadd9ec4f16220
4728+Merge: 5c6bccf a7472f1
4729+Author: Jenkins <jenkins@review.openstack.org>
4730+Date: Thu Mar 8 20:26:21 2012 +0000
4731+
4732+ Merge "HTTP_AUTHORIZATION was used in proxy mode"
4733+
4734+commit 94abc7ed3e8105cf80ad60558d01fc0839adc027
4735+Author: Chmouel Boudjnah <chmouel@chmouel.com>
4736+Date: Fri Mar 2 11:34:16 2012 +0000
4737+
4738+ Make sure we have a port number before int it.
4739+
4740+ - Remove unused auth_location in s3_token along the way.
4741+ - Fixes bug 944720.
4742+
4743+ Change-Id: Ib6e48511d09798868c5ca3fa00472525bc9f8823
4744+
4745+ keystone/middleware/auth_token.py | 3 +--
4746+ keystone/middleware/s3_token.py | 9 +--------
4747+ 2 files changed, 2 insertions(+), 10 deletions(-)
4748+
4749+commit 5c6bccf1c57b06a19845c696c19274ae9f080104
4750+Author: Michael Basnight <mbasnight@gmail.com>
4751+Date: Wed Mar 7 22:32:23 2012 -0600
4752+
4753+ fixes lp#949648 change belongsTo validate to name
4754+
4755+ Change-Id: I3d36290ad95a0440c006e2daff5b831be62957ae
4756+
4757+ keystone/service.py | 2 +-
4758+ tests/test_content_types.py | 2 +-
4759+ 2 files changed, 2 insertions(+), 2 deletions(-)
4760+
4761+commit 4e4f793e0becb19d77cf137587adb9944a15f5f8
4762+Merge: 161c658 5c7f3cf
4763+Author: Jenkins <jenkins@review.openstack.org>
4764+Date: Thu Mar 8 04:00:28 2012 +0000
4765+
4766+ Merge "Set default identity driver to sql (bug 934332)"
4767+
4768+commit 161c6587af3908a1e6f23c398bc2221395e4466c
4769+Merge: 07985e4 989d62f
4770+Author: Jenkins <jenkins@review.openstack.org>
4771+Date: Thu Mar 8 03:54:52 2012 +0000
4772+
4773+ Merge "Improve auth_str_equal()."
4774+
4775+commit 07985e4349dcead9f5487910020f5dec07351e5e
4776+Merge: d0429ea 98170a7
4777+Author: Jenkins <jenkins@review.openstack.org>
4778+Date: Thu Mar 8 00:34:28 2012 +0000
4779+
4780+ Merge "fixes bug lp#948439 belongs_to and serviceCatalog behavior * removing belongs_to as a kwarg and getting from the context * adding a serviceCatalog for belongs_to calls to tokens * adding test to validate belongs_to behavior in tokens"
4781+
4782+commit a7472f139d7f1c4b40906e66302db720efdb19a7
4783+Author: Jesse Andrews <anotherjesse@gmail.com>
4784+Date: Wed Mar 7 16:00:45 2012 -0800
4785+
4786+ HTTP_AUTHORIZATION was used in proxy mode
4787+
4788+ Change-Id: I72eae79bd1991321eac224777fb186c5022f2c12
4789+
4790+ keystone/middleware/auth_token.py | 6 ------
4791+ 1 file changed, 6 deletions(-)
4792+
4793+commit 71aa1db60ff4f83599819f1d86aea411bfc9f4ae
4794+Author: Alan Pevec <apevec@redhat.com>
4795+Date: Wed Mar 7 13:52:36 2012 +0100
4796+
4797+ fix Nova Volume Service in sample data
4798+
4799+ Change-Id: Ic6bb8ddea1ab894076d1580f5dbbe535aa668a8a
4800+
4801+ tools/sample_data.sh | 4 ++--
4802+ 1 file changed, 2 insertions(+), 2 deletions(-)
4803+
4804+commit 98170a73dd28cebf9737c012d03554ffce5fd1f5
4805+Author: Michael Basnight <mbasnight@gmail.com>
4806+Date: Tue Mar 6 21:36:01 2012 -0600
4807+
4808+ fixes bug lp#948439 belongs_to and serviceCatalog behavior
4809+ * removing belongs_to as a kwarg and getting from the context
4810+ * adding a serviceCatalog for belongs_to calls to tokens
4811+ * adding test to validate belongs_to behavior in tokens
4812+
4813+ Change-Id: If6f6a7007a6830c57a5ac71aef0090e57a064232
4814+
4815+ AUTHORS | 1 +
4816+ keystone/service.py | 22 ++++++++++++++++++----
4817+ tests/test_content_types.py | 22 +++++++++++++++++++---
4818+ 3 files changed, 38 insertions(+), 7 deletions(-)
4819+
4820+commit d0429ea9b8849f99aa170cd09aef7776e2651dbf
4821+Author: Devin Carlen <devin.carlen@gmail.com>
4822+Date: Sat Mar 3 14:01:46 2012 -0800
4823+
4824+ Make bind host configurable
4825+
4826+ * fixes bug 945868
4827+
4828+ Change-Id: Ib33dc9ad1878a9215c1a1ab10814fa7d0905cbdb
4829+
4830+ bin/keystone-all | 6 ++++--
4831+ etc/keystone.conf | 1 +
4832+ keystone/common/wsgi.py | 11 ++++++-----
4833+ keystone/config.py | 1 +
4834+ 4 files changed, 12 insertions(+), 7 deletions(-)
4835+
4836+commit fe6414c8c1f769e6cc87fc001b6c52c5fea0f160
4837+Merge: 358ecca ec35ea8
4838+Author: Jenkins <jenkins@review.openstack.org>
4839+Date: Wed Mar 7 18:11:04 2012 +0000
4840+
4841+ Merge "Fix coverage jobs for Jenkins."
4842+
4843+commit 358eccac110f0ae315382043386296f27a871a73
4844+Merge: b68051c fd4e961
4845+Author: Jenkins <jenkins@review.openstack.org>
4846+Date: Wed Mar 7 18:05:42 2012 +0000
4847+
4848+ Merge "Isolating backtraces to DEBUG (bug 947060)"
4849+
4850+commit 524cbd58acd0c47664e164f72f25524cb95b09f0
4851+Author: Alan Pevec <apevec@redhat.com>
4852+Date: Tue Mar 6 21:46:52 2012 +0100
4853+
4854+ add more default catalog templates
4855+
4856+ Image, Volume and Ec2 services were missing
4857+
4858+ Change-Id: I409b0b587b0019dc97bf46760e8f732aa13b88de
4859+
4860+ etc/default_catalog.templates | 15 +++++++++++++++
4861+ 1 file changed, 15 insertions(+)
4862+
4863+commit ec35ea8b9e3b9ef3422ca8119e743de974099a68
4864+Author: Monty Taylor <mordred@inaugust.com>
4865+Date: Tue Mar 6 22:11:38 2012 -0800
4866+
4867+ Fix coverage jobs for Jenkins.
4868+
4869+ Change-Id: I9a97ac7b997f531d05d4a6beab7d6c16ced7016a
4870+
4871+ tox.ini | 4 ++--
4872+ 1 file changed, 2 insertions(+), 2 deletions(-)
4873+
4874+commit 989d62fe8f606cb4fecaaaf1395e1cd9c3d81d67
4875+Author: Russell Bryant <rbryant@redhat.com>
4876+Date: Tue Mar 6 13:18:58 2012 -0500
4877+
4878+ Improve auth_str_equal().
4879+
4880+ This patch is to improve auth_str_equal() a bit. The whole point of
4881+ this function is to do a string comparison in constant time to help
4882+ protect against timing attacks. The original implementation had a bit
4883+ of a silly property in that it would exit early if the strings were not
4884+ of the same length. This would theoretically still allow someone to
4885+ discover the proper length of a password.
4886+
4887+ This patch moves the length verification to the end. It also makes it
4888+ so the main loop time to run is a function of the provided password
4889+ length instead of the length of the shorter of the two strings.
4890+
4891+ Change-Id: I6dbe076818b7e3e8a313544ebd5c5734b5a025e5
4892+
4893+ keystone/common/utils.py | 22 +++++++++++++---------
4894+ keystone/contrib/ec2/core.py | 4 ++--
4895+ tests/test_utils.py | 1 +
4896+ 3 files changed, 16 insertions(+), 11 deletions(-)
4897+
4898+commit 5c7f3cff8d489fefbc34dadbefea6dc9604c4a4a
4899+Author: Dolph Mathews <dolph.mathews@gmail.com>
4900+Date: Fri Mar 2 11:26:29 2012 -0600
4901+
4902+ Set default identity driver to sql (bug 934332)
4903+
4904+ Change-Id: Ibc5502f0feb2bcc9583ccd1aa9bf9bd94fef43ca
4905+
4906+ etc/keystone.conf | 2 +-
4907+ tests/test_overrides.conf | 3 +++
4908+ 2 files changed, 4 insertions(+), 1 deletion(-)
4909+
4910+commit b68051cd13cc71ebd15cd478afedf0c5d07ebd4e
4911+Author: Dolph Mathews <dolph.mathews@gmail.com>
4912+Date: Fri Mar 2 10:50:57 2012 -0600
4913+
4914+ Renamed sqlite files (bug 944951)
4915+
4916+ Change-Id: Iae7aa34de0bf68da9e422719605753634cc0d113
4917+
4918+ etc/keystone.conf | 2 +-
4919+ keystone/common/sql/util.py | 2 +-
4920+ tests/backend_sql.conf | 2 +-
4921+ 3 files changed, 3 insertions(+), 3 deletions(-)
4922+
4923+commit 6621c79b06fc2848072e59d22d1224ae3a0c593a
4924+Merge: a18b3f2 e8fb989
4925+Author: Jenkins <jenkins@review.openstack.org>
4926+Date: Tue Mar 6 17:07:45 2012 +0000
4927+
4928+ Merge "Add reseller admin capability."
4929+
4930+commit fd4e9616ddca4dbd0c4f0545c376167b966eae8d
4931+Author: Dolph Mathews <dolph.mathews@gmail.com>
4932+Date: Mon Mar 5 16:47:58 2012 -0600
4933+
4934+ Isolating backtraces to DEBUG (bug 947060)
4935+
4936+ Debug mode on: http://pastie.org/3529520
4937+ (full backtrace to stdout)
4938+
4939+ Debug mode off: http://pastie.org/3529526
4940+ (Just an error message to stdout)
4941+
4942+ Change-Id: I1d4e17cf73e7777c3cbaef7c5d7fd18a4f6e53dc
4943+
4944+ keystone/catalog/backends/templated.py | 8 +++++++-
4945+ keystone/common/logging.py | 18 ++++++++++++++++++
4946+ keystone/service.py | 4 ++++
4947+ 3 files changed, 29 insertions(+), 1 deletion(-)
4948+
4949+commit a18b3f29c4a977977e6bf29d1edcba43d5e6005b
4950+Merge: f8d7bbd 460c3f3
4951+Author: Jenkins <jenkins@review.openstack.org>
4952+Date: Mon Mar 5 20:45:05 2012 +0000
4953+
4954+ Merge "Remove trailing whitespaces in regular file"
4955+
4956+commit f8d7bbd45b3e4d4fb3a77a74b1bd54f196dacda0
4957+Merge: fad1a38 bc34635
4958+Author: Jenkins <jenkins@review.openstack.org>
4959+Date: Mon Mar 5 20:39:47 2012 +0000
4960+
4961+ Merge "LDAP get_user_by_name"
4962+
4963+commit fad1a388f89681a0f487ad5bb1aba2a58ea14b47
4964+Author: Joe Heck <heckj@mac.com>
4965+Date: Fri Mar 2 16:39:10 2012 -0800
4966+
4967+ updating readme to point to developer setup docs
4968+ * fixes bug 945274
4969+
4970+ Change-Id: I6caf8da9fd0bd5647ae913efd752dd6651abcb85
4971+
4972+ README.rst | 7 +++++++
4973+ 1 file changed, 7 insertions(+)
4974+
4975+commit e8fb989b8b07f3209300ecba043bdf14c94d497f
4976+Author: Chmouel Boudjnah <chmouel@chmouel.com>
4977+Date: Mon Feb 13 23:29:49 2012 +0000
4978+
4979+ Add reseller admin capability.
4980+
4981+ - A user with the reseller admin role will be able to access to every
4982+ other accounts.
4983+ - Rename name groups to roles.
4984+
4985+ Change-Id: I8e86d8280a8fcdefbd4f9386bec11afdad797167
4986+
4987+ keystone/middleware/swift_auth.py | 45 ++++++++++++++++++++++++-------------
4988+ 1 file changed, 29 insertions(+), 16 deletions(-)
4989+
4990+commit 460c3f389185f352c36ccbe5e9f11579de334643
4991+Author: Hengqing Hu <hudayou@hotmail.com>
4992+Date: Sat Mar 3 13:10:06 2012 +0800
4993+
4994+ Remove trailing whitespaces in regular file
4995+
4996+ Change-Id: I8d05fbb7a372bf9a813da9165cd40af71a1ae4c2
4997+
4998+ AUTHORS | 1 +
4999+ doc/source/index.rst | 2 +-
5000+ doc/source/man/keystone-manage.rst | 2 +-
The diff has been truncated for viewing.

Subscribers

People subscribed via source and target branches

to all changes: