We support custom identity plugins. They (and also the LDAP backend) may be
considered read-only (not supporting user data modification through the
Keystone API). When a user of such a backend is disabled in the remote
system, Keystone will never learn about that, and as such tokens for those
users will remain active. They cannot be renewed, but they still stay
valid.

In order to address this situation we need to do additional steps in the
token validation and identify the current state of the user in the
backend. Due to the use of token caching it is not possible to reuse the
normal token validation functionality (it will never get invalidated as
such). In order to keep the performance impact as low as possible, modify the
token validation as follows:
- regular checks
- revocation check
- if the token is still active and the revocation check passed, fetch the
  current user data. When the user is disabled, log a warning (explaining the
  situation) and raise `UserDisabled` exception.

Since Keystone also does not receive a message when a user is reactivated
(i.e. it was accidentally disabled) we cannot use the same approach as
for regular user disabling and generate a token revocation event. This
would cause the user to be locked out until the revocation event
expires.
Closes-bug: #2122615
Change-Id: If5b83feabc670ced54ef12fe7826267af7e3419d
Signed-off-by: Artem Goncharov <artem.goncharov@gmail.com>
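The validation order described in the commit message above, as an added example that is not keystone's own code: a cached token passes its regular and revocation checks, and only a fresh read of the user's state from a read-only backend can reveal that the user was disabled. Because no revocation event is generated, re-enabling the user makes the same token usable again at once. The class and function names (`ReadOnlyIdentityBackend`, `TokenProvider`, `run_scenario`) and the sample user data are assumptions constructed for this example.

```python
"""Added example (not keystone's own code): validate a cached token, then
re-check the user's current state in a read-only identity backend."""
import logging
import time

LOG = logging.getLogger(__name__)


class TokenNotFound(Exception):
    """Token is missing, expired, or revoked."""


class UserDisabled(Exception):
    """Token is otherwise valid, but its user is disabled in the backend."""


class ReadOnlyIdentityBackend:
    """Stand-in for an LDAP / custom identity plugin Keystone cannot write to.
    Keystone only learns 'enabled' by reading it at validation time."""

    def __init__(self, users):
        self._users = users  # constructed sample: id -> {"name": ..., "enabled": ...}

    def get_user(self, user_id):
        return dict(self._users[user_id])


class TokenProvider:
    def __init__(self, backend, revoked=None):
        self.backend = backend
        self.revoked = set(revoked or ())
        self._cache = {}  # token_id -> validated payload (simulates token caching)

    def issue(self, token_id, user_id, ttl=3600):
        self._cache[token_id] = {"user_id": user_id, "expires_at": time.time() + ttl}

    def _validate_cached(self, token_id):
        # Regular checks on the cached payload. Nothing here consults the
        # backend, which is why a remotely disabled user goes unnoticed.
        payload = self._cache.get(token_id)
        if payload is None or payload["expires_at"] < time.time():
            raise TokenNotFound(token_id)
        return payload

    def validate(self, token_id):
        payload = self._validate_cached(token_id)          # 1. regular checks
        if token_id in self.revoked:                       # 2. revocation check
            raise TokenNotFound(token_id)
        user = self.backend.get_user(payload["user_id"])   # 3. current user state
        if not user.get("enabled", True):
            # No revocation event is generated: a re-enabled user must be able
            # to use the token again immediately, so only this validation fails.
            LOG.warning("Token %s is valid but user %s is disabled in the "
                        "read-only identity backend", token_id, payload["user_id"])
            raise UserDisabled(payload["user_id"])
        return payload


def run_scenario():
    """Walk one token through: valid -> user disabled remotely -> user
    re-enabled -> token revoked. Returns the outcome of each validation."""
    users = {"alice": {"name": "alice", "enabled": True}}  # constructed sample
    provider = TokenProvider(ReadOnlyIdentityBackend(users))
    provider.issue("tok-1", "alice")
    outcomes = []

    def attempt():
        try:
            return "valid:" + provider.validate("tok-1")["user_id"]
        except (TokenNotFound, UserDisabled) as exc:
            return type(exc).__name__

    outcomes.append(attempt())
    users["alice"]["enabled"] = False   # disabled in the remote system, no event sent
    outcomes.append(attempt())
    users["alice"]["enabled"] = True    # accidental disable undone; no lock-out lag
    outcomes.append(attempt())
    provider.revoked.add("tok-1")
    outcomes.append(attempt())
    return outcomes


if __name__ == "__main__":
    print(run_scenario())
```

The extra backend read happens only after the cheap cached checks have passed, which is the performance trade-off the commit message describes; a disabled user fails validation without any revocation record being written, so re-enabling takes effect on the next request.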
Now that references from keystone-tempest-plugin have been cleaned up,
we can remove these aliases.
Change-Id: I80267d2fb74cebd5f2884d539436c44f17f117e1
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
Depends-on: https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/951384
The module keystone.oauth1.backends.sql was using the random library to
generate the verifier of a request token. The bandit security scanner
tool from version 1.8.4 onwards identifies the use of random.sample as a
low security issue, despite random actually being an alias to
random.SystemRandom(). This change replaces the use of the random library
with the secrets library and avoids shadowing random.
Change-Id: I1a0ecd80a44eae6032e985091032aa91ee5c81a5
Signed-off-by: Adrian Jarvis <adrian.jarvis@catalystcloud.nz>
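A verifier generator built on the secrets module, as an added example that is not keystone's own code. It also compares the keyspace of drawing characters with `secrets.choice` (independent positions) against `random.sample` (which never repeats a character), since that difference is easy to overlook when swapping one for the other. The verifier length, alphabet and function names are assumptions for this example, not values taken from keystone.

```python
"""Added example (not keystone's own code): request-token verifier generation
with the secrets module, plus the keyspace each approach can produce."""
import math
import secrets
import string

VERIFIER_CHARS = string.ascii_letters + string.digits  # assumed alphabet
VERIFIER_LEN = 8                                        # assumed length


def generate_verifier(length=VERIFIER_LEN, chars=VERIFIER_CHARS):
    # secrets.choice draws from the OS CSPRNG and samples with replacement,
    # so every position of the verifier is an independent draw.
    return "".join(secrets.choice(chars) for _ in range(length))


def keyspace_with_replacement(length=VERIFIER_LEN, chars=VERIFIER_CHARS):
    # Number of distinct verifiers secrets.choice in a loop can produce.
    return len(chars) ** length


def keyspace_without_replacement(length=VERIFIER_LEN, chars=VERIFIER_CHARS):
    # Number of distinct verifiers random.sample(chars, length) can produce:
    # it never repeats a character, so only ordered selections are possible.
    return math.perm(len(chars), length)


def is_well_formed(verifier, length=VERIFIER_LEN, chars=VERIFIER_CHARS):
    return len(verifier) == length and all(c in chars for c in verifier)


if __name__ == "__main__":
    print(generate_verifier())
    print(keyspace_without_replacement(), "<", keyspace_with_replacement())
```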
Add file to the reno documentation build to show release notes for
stable/2025.2.
Use the pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/2025.2.
Sem-Ver: feature
Change-Id: I502489b74d553f0bfac193e61c9aa6887be7a710
Signed-off-by: OpenStack Release Bot <infra-root@openstack.org>
Generated-By: openstack/project-config:roles/copy-release-tools-scripts/files/release-tools/add_release_note_page.sh
When using dogpile.cache.memory as the cache backend, the underlying
Python dict gets cached. Then, since we decrypt it in-place, the
decrypted dict remains in cache. As a result, subsequent attempts to
fetch (and decrypt) the credential result in KeyErrors, since
'encrypted_blob' was popped off in the original decryption.
Now, check for 'blob' (and the absence of 'encrypted_blob') in the
dict; if it looks like the credential has already been decrypted, skip
decryption.
Change-Id: Ic634c1c7db16c9acff5cdf39de74c3f82710a16e
Signed-off-by: Tim Burke <tim.burke@gmail.com>
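The cache interaction described in the commit message above, as an added example that is not keystone's own code: a memory cache hands back the very dict it stored, so popping `encrypted_blob` during decryption mutates the cached object and the second fetch raises `KeyError`. The fixed variant checks for `blob` and the absence of `encrypted_blob` and skips decryption. The `MemoryCache` class is a stand-in for dogpile.cache.memory, and base64 stands in for the real decryption; both are assumptions made to keep the example dependency-free.

```python
"""Added example (not keystone's own code): in-place decryption of a cached
credential dict, the KeyError it causes, and the idempotent check that fixes it."""
import base64


class MemoryCache:
    """Stand-in for dogpile.cache.memory: returns the same object it stored."""

    def __init__(self):
        self._store = {}

    def get_or_create(self, key, creator):
        if key not in self._store:
            self._store[key] = creator()
        return self._store[key]


def _decrypt(blob):
    # Stand-in for the real decryption routine.
    return base64.b64decode(blob).decode()


def decrypt_in_place_buggy(cred):
    # Pops 'encrypted_blob' off the dict the cache still references, so the
    # next fetch of the same credential finds no 'encrypted_blob'.
    cred["blob"] = _decrypt(cred.pop("encrypted_blob"))
    return cred


def decrypt_in_place_fixed(cred):
    # Already decrypted on a previous fetch: leave the cached dict alone.
    if "blob" in cred and "encrypted_blob" not in cred:
        return cred
    cred["blob"] = _decrypt(cred.pop("encrypted_blob"))
    return cred


def stored_credential():
    # Constructed sample of what the backend would return before decryption.
    return {"id": "cred-1",
            "encrypted_blob": base64.b64encode(b'{"access": "AK"}').decode()}


def fetch_twice(decrypt):
    """Fetch and decrypt the same credential twice through one cache.
    Returns the decrypted blob for each fetch, or the exception class name."""
    cache = MemoryCache()
    results = []
    for _ in range(2):
        try:
            cred = cache.get_or_create("cred-1", stored_credential)
            results.append(decrypt(cred)["blob"])
        except KeyError as exc:
            results.append(type(exc).__name__)
    return results


if __name__ == "__main__":
    print("buggy:", fetch_twice(decrypt_in_place_buggy))
    print("fixed:", fetch_twice(decrypt_in_place_fixed))
```

With a serialising backend (one that pickles or JSON-encodes entries) the mutation would never reach the cache, which is why the bug only shows up with the in-memory backend.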
Interpretation of the ldap enabled attribute as boolean
is only done if the enabled_invert setting is set to true.
Closes-Bug: #2121152
Change-Id: I7260bf46adf003aef7c7ac0d436c3758f658cb0c
Signed-off-by: Benedikt Trefzer <benedikt.trefzer@cirrax.com>
The jsonschema specification of the `schema_version` schema element is invalid
(https://json-schema.org/understanding-json-schema/reference/object).
Each element of the object properties must specify the element data type.
`"name": {"type": "string"}` is not a valid data type, while
`{"type": "string"}` is (and the code treats `schema_version` as a string).
Since there is nearly no jsonschema validation across the keystone code
there are no violations, but once schemas are used in a wider scope (i.e.
to construct an OpenAPI spec) this clearly becomes a failure.
Author: Artem Goncharov <artem.goncharov@gmail.com>
Co-author: Rafael Weingärtner <rafael@apache.org>
Change-Id: I8544f1ac45177b31482ad209f931c189eb5efeeb
Signed-off-by: Rafael Weingärtner <rafael@apache.org>
The implementation of AD nested groups searches works fine when
listing the groups a user belongs to, but fails when listing all
members of a group. This function of listing all members is also
used to check if a user belongs to a group which also fails.
This patch fixes the query for getting all users in a group.
Closes-Bug: #2112477
Depends-on: https://review.opendev.org/c/openstack/devstack/+/953569
Depends-on: https://review.opendev.org/c/openstack/devstack/+/954914
Change-Id: I9707e1a9bc4a334902933d6251888144f8c3bc19
Signed-off-by: Jorge Merlino <jorge.merlino@canonical.com>
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html
Change-Id: I330ad6e8ccaec92f5535779030f8b9eb0aac0bf6
Signed-off-by: OpenStack Proposal Bot <openstack-infra@lists.openstack.org>
Generated-By: openstack/openstack-zuul-jobs:roles/prepare-zanata-client/files/common_translation_update.sh
... to resolve the following warning.
DeprecationWarning: No path_separator found in configuration; falling
back to legacy splitting on spaces/commas for version_locations.
Consider adding path_separator=os to Alembic config.
Also use os.pathsep as the separator, assuming it is safer for
separating paths.
Change-Id: I6fcf992a0468e76281e885849de69ac49dab61a0
The user id might come from an external provider
in which case we can't make assumptions about its format.
The constraint removed here is breaking the credential APIs for
ldap-based clouds.
Change-Id: I80dfe07ae48fd08de3af9cf5508215e4bbcea13c
2 properties are placed on the wrong level.
Change-Id: Ie3b44527c956fb6d3a2114b14a49e95abd408ccd
Signed-off-by: Artem Goncharov <artem.goncharov@gmail.com>
Not all clouds have uuid project ids; projects might predate
the adoption of uuids in keystone code, or they might draw project
ids from an external provider.
In addition, this constraint is unique to trusts, which results in a
keystone api that works with non-uuid projects 98% of the time but
fails by surprise in this exact case.
For a similar example, see
https://review.opendev.org/c/openstack/cinder/+/864585
Change-Id: Ic0fe21acb8adfe3030c9b58007456efb4b61799f
This job has not passed for several years and the test framework
it is based on is now deprecated in OSA.
Change-Id: I8a5d75750a8b028cddd9403a5212a1285b19eff7
There are more than only a few attributes that are only present in the response and
cannot be present in the request. The worst effect is that the boolean
(enabled) cannot be returned as any of the many values supported on
the input. This leads to pretty weird results when using the produced
openapi spec with the mock generators.
Copy out user properties, adapting them to the reality of responses.
Change-Id: Ic4c81cc8f7b90adb2cb6cea19cf2b3c4bff2c00f
Signed-off-by: Artem Goncharov <artem.goncharov@gmail.com>
Ensure that request and response schemas are separated to only specify
formats and patterns on request allowing response to be what it is.
Change-Id: I0a737231b4f3bf0c5fb3445fd1cbc5dbeb91f5ac
Signed-off-by: Artem Goncharov <artem.goncharov@gmail.com>
Closes-bug: #2112112
This reverts commit 3c72ffb369.
Reason for revert: The install docs are broken when they refer to https URLs without actually deploying TLS for keystone
Change-Id: Id412e9f38ef9847092482524a6efe9fc62f06197