Keystone defines a 'description' field on its schema which can be
returned if the user has set it on resource creation/update, but the
docs don't mention this field, which can be confusing.
Change-Id: Id64792411d2704fee581cf86806eb430f0319256
Signed-off-by: Winicius Silva <winiciusab12@gmail.com>
hacking is not capped by global upper constraints. We should be careful
about its version because no cap can cause problems in stable branches.
Change-Id: I75c4a1c712c8b313d89f1712daba2d0e6b9d2561
Signed-off-by: Takashi Kajinami <kajinamit@oss.nttdata.com>
It depends on pydocstyle which was deprecated and archived. See [1]
where it was indicated that the plugin is also dead.
[1] https://github.com/PyCQA/flake8-docstrings/issues/68
Change-Id: I5f017a9cf0ae74fef998b1658fc3b8be8cde8b51
Signed-off-by: Takashi Kajinami <kajinamit@oss.nttdata.com>
For some reason a bug went unnoticed where in the schema validation we
log the message from the decorators, but logging itself is not imported.
Change-Id: I6ddb69d21d22eafbfcde5c8952a63e39750e6328
Signed-off-by: Artem Goncharov <artem.goncharov@gmail.com>
Rewrote the federated mapping documentation because it had issues with
missing information, incorrect information or examples that did not make
sense. The layout of it resulted in some important pieces of information
coming at the very end which could cause users to do the wrong thing if
they did not read past sections that didn't pertain to them. Added more
detailed examples of how each of the different mapping engine operations
work. Documented up front how the different pieces of data are mapped
and what must exist and what is created for you. Added a section about
troubleshooting to help users determine what went wrong based on
questions recently seen in the IRC channel. Removed confusing wording
and used a consistent term throughout (e.g. assertion vs context
variables). Added relative links to make the doc flow smoother.
Change-Id: I7382998d02f11e19886c6b83e69c6a7d095a957a
Assisted-by: Claude Sonnet 4.5
Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
In change I61429b39086d15aed7d2315d7c3971727a9fa419 we
removed documentation for the name attribute since it is not
recommended. However, the api still accepts and (optionally)
returns this field, which can be confusing.
Rather than pretend it does not exist from a docs perspective,
instead indicate that it does exist but should not be used.
Change-Id: I381de2daf422f3328c75b79ed8c8b543290abe23
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
When validating a token, under load, a full table scan could happen
because of missing indexes.
This new index drastically helps the database to get through the
revocation events.
Closes-Bug: #2081082
Change-Id: Ic44c945f3cb65b48ff72052fd2b4f6d45e118b2e
Signed-off-by: Quentin GROLLEAU <quentin.grolleau@corp.ovh.com>
Signed-off-by: Arnaud Morin <arnaud.morin@ovhcloud.com>
When federated users' group membership changes in the IdP and they
reauthenticate, their role assignments should reflect the change
immediately, respecting the IdP's TTL configuration rather than
waiting for the role assignment cache to expire.
This change ensures that federated authentication triggers
appropriate cache invalidation for role assignments when group
membership has changed.
Closes-Bug: #2119031
Change-Id: I79505f3d9e7d9ba46ed6ff40ee0071bdf92b95a0
Signed-off-by: Moutaz Chaara <moutaz.chaara@sap.com>
When passlib was dropped, scrypt support was implemented using the
cryptography library. Keep the requirements declaration matching reality.
Change-Id: Ic36ab00c43ac9f74777d0ebda55f109cc24a74ff
Signed-off-by: Artem Goncharov <artem.goncharov@gmail.com>
We should use the correct naming convention for the alembic migration
folder.
Signed-off-by: Arnaud Morin <arnaud.morin@ovhcloud.com>
Change-Id: I33933e51c05d0c6ae884d7ae429d542621804e79
We were applying the migration up to 2024.01.
Since we added a new expand in 2025.02, let's apply it.
We forgot to do that in a previous change
I51e6c32f17df9473f9a055013eed1fe0a90c8afa
Signed-off-by: Arnaud Morin <arnaud.morin@ovhcloud.com>
Change-Id: I90460353510d77f6d9094902c7925a47a58a3156
We support custom identity plugins. They (and also the LDAP backend) may be
considered read-only (not supporting user data modification through the
Keystone API). When a user of such a backend is disabled in the remote
system Keystone will never learn about that and as such tokens for those
users will remain active. They cannot be renewed, but still they stay
valid.
In order to address this situation we need to do additional steps in the
token validation and identify the current state of the user in the
backend. Due to the use of the token caching it is not possible to reuse
the normal token validation functionality (it will never get invalidated as
such). In order to keep the performance impact as low as possible, modify the
token validation as follows:
- regular checks
- revocation check
- if the token is still active and the revocation check passed, fetch the
  current user data. When the user is disabled, log a warning (explaining
  the situation) and raise a `UserDisabled` exception.
Since Keystone also does not receive a message when a user is reactivated
(i.e. it was accidentally disabled) we cannot use the same approach as
for regular user disabling and generate a token revocation event. This
would cause the user to be locked out until the revocation event
expires.
Closes-bug: #2122615
Change-Id: If5b83feabc670ced54ef12fe7826267af7e3419d
Signed-off-by: Artem Goncharov <artem.goncharov@gmail.com>
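The validation order described in the change above, as an added illustration in Python (not Keystone's own code): the read-only identity backend is stood in for by a plain dict, and the token store and revocation set are constructed samples.

```python
import logging
import time

log = logging.getLogger(__name__)


class UserDisabled(Exception):
    """The token's user is disabled in the read-only identity backend."""


class TokenValidator:
    def __init__(self, backend_users, tokens, revoked):
        self.backend_users = backend_users  # stand-in for LDAP/plugin: user_id -> {"enabled": bool}
        self.tokens = tokens                # token_id -> {"user_id": str, "expires": float}
        self.revoked = revoked              # token ids that have a revocation event
        self._cache = {}                    # regular-check results, as a token cache holds them

    def _regular_checks(self, token_id):
        # Cached: existence and expiry only, so it never notices a backend change.
        if token_id not in self._cache:
            token = self.tokens.get(token_id)
            if token is None or token["expires"] < time.time():
                raise ValueError("token not found or expired")
            self._cache[token_id] = token
        return self._cache[token_id]

    def validate(self, token_id):
        token = self._regular_checks(token_id)      # 1. regular checks
        if token_id in self.revoked:                # 2. revocation check
            raise ValueError("token revoked")
        # 3. Uncached read of the user's current state. No revocation event is
        #    emitted, so a user re-enabled in the remote system is accepted again.
        user = self.backend_users[token["user_id"]]
        if not user["enabled"]:
            log.warning("user %s is disabled in the identity backend; rejecting "
                        "token %s", token["user_id"], token_id)
            raise UserDisabled(token["user_id"])
        return token


def validation_status(validator, token_id):
    """Label the outcome of validate(): 'valid', 'disabled' or the ValueError text."""
    try:
        validator.validate(token_id)
    except UserDisabled:
        return "disabled"
    except ValueError as exc:
        return str(exc)
    return "valid"
```

Because step 3 bypasses the cache, flipping a user back to enabled in the backend takes effect on the next validation, which is the lockout the change set out to avoid.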
This fixes the protection tests for creds and ec2
creds that are executed by the protection tox
env.
Change-Id: Ic93ca4ecd80be9dbcb1759de39060eb194e9e1f0
Signed-off-by: Tobias Urdin <tobias.urdin@binero.com>
Add a policy to enforce authentication with a user in the service
group. This maintains AWS compatibility with the added security
layer.
Closes-Bug: 2119646
Change-Id: Ic84b84247e05f29874e2c5636a033aaedd4de83c
Signed-off-by: Grzegorz Grasza <xek@redhat.com>
Signed-off-by: Jeremy Stanley <fungi@yuggoth.org>
Signed-off-by: Artem Goncharov <artem.goncharov@gmail.com>
The world (and requirements) broke us again, not a surprise, but it is
not really sustainable anymore. requirements updated markdown-it-py
which is not supported by myst_parser (which got in limbo) which
os-openapi needs to build the sphinx extension. There seems to be no
fast workaround possible for that so temporarily (hopefully) disable the
part of building openapi docs.
Change-Id: Idbf4901604522c2b2bafd976a6914963212def83
Signed-off-by: Artem Goncharov <artem.goncharov@gmail.com>
Some multiline strings (descriptions) that are in brackets have a comma
at the end which results in them being treated as a list rather than a
string.
Change-Id: Ib39e2196d1781a24afb152ba1e61c999ab474712
Signed-off-by: Artem Goncharov <artem.goncharov@gmail.com>
This should not be used in production for the reasons given inline.
Change-Id: Ie40f41f57e316888c2b33f2952edcbac702c1c79
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
Depends-on: https://review.opendev.org/c/openstack/devstack/+/962852
Closes-bug: #2126676
LDAP drivers can yield refs with values encoded as bytestrings,
which includes bytes local IDs, while the ID mapping layer
stores/returns strings.
During list post-processing, this mismatch prevents lookups from hitting
the seeded mapping and triggers create_id_mapping again on each pass,
causing unnecessary churn and latency during token issuance.
This change adds unit tests for both cases:
- bytes IDs: the original behavior was that the cumulative
create_id_mapping count increased with each iteration.
- string IDs: seeded mapping is reused; no creates across iterations.
The helper always seeds with a string local_id, normalizing the mapping
list local_id to string. After the fix, the results are the same for
string and bytestring.
Signed-off-by: Grzegorz Grasza <xek@redhat.com>
Change-Id: I89235b2721380544304221a2da67a30971c62bf9
... to run all pep8 checks via pre-commit.
Change-Id: Icadac8a5566816fa17257b36c6885a578e888e6e
Signed-off-by: Takashi Kajinami <kajinamit@oss.nttdata.com>
This has been unused since bandit was moved to PyCQA organization.
Also maintain bandit options in pyproject.toml so that these can be
used by different tools more easily.
Change-Id: I7d16d6e58666a943677a18fcc19f66c7bb7a2c8c
Signed-off-by: Takashi Kajinami <kajinamit@oss.nttdata.com>