Make Fernet the default token provider

Bug #1561054 reported by Lance Bragstad
This bug affects 2 people
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Wishlist
Assigned to: Lance Bragstad

Bug Description

The fernet token provider should be the default token provider in Keystone. This will allow the keystone development team to deprecate all other token providers in keystone and massively simplify the token provider API.

Tags: fernet
Changed in keystone:
importance: Undecided → Wishlist
Dolph Mathews (dolph)
Changed in keystone:
status: New → Triaged
guoshan (guoshan)
Changed in keystone:
assignee: nobody → guoshan (guoshan)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/337997

Changed in keystone:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (master)

Change abandoned by Shan Guo (<email address hidden>) on branch: master
Review: https://review.openstack.org/337997
Reason: conflicts with https://review.openstack.org/#/c/258650/

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/343738

Changed in keystone:
assignee: guoshan (guoshan) → Lance Bragstad (lbragstad)
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/343812

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/343860

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/343886

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/343932

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/343935

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/343738
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=7646e2181b1036e10dbc938561cbe0f105a70d2f
Submitter: Jenkins
Branch: master

commit 7646e2181b1036e10dbc938561cbe0f105a70d2f
Author: Lance Bragstad <email address hidden>
Date: Mon Jul 18 15:32:22 2016 +0000

    Use freezegun to increment the clock in test_v3_filters

    In preparation for making Fernet the default token provider, we must freeze and
    increment the clock in certain tests. This is because Fernet does not support
    sub-second precision and if a Fernet token is validated in the same second that
    a revocation event has occurred, it will be considered invalid.

    This commit makes it so that we freeze the clock in
    test_list_users_filtered_by_funny_name() and increment it by one second when we
    go to list users by name.

    This fix was originally a part of https://review.openstack.org/#/c/258650 but
    this is an attempt to break 258650 into smaller, more reviewable, pieces.

    Partial-Bug: 1561054
    Change-Id: I3ea4af702e6914775156c605799992a41e8e75c5

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/343812
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=72e6196d549bd632496fe353648c74a443f2ca38
Submitter: Jenkins
Branch: master

commit 72e6196d549bd632496fe353648c74a443f2ca38
Author: Lance Bragstad <email address hidden>
Date: Mon Jul 18 17:05:10 2016 +0000

    Run AuthTokenTests against fernet and uuid

    Previously, AuthTokenTests inherited the test structure and ran the tests with
    the default keystone configuration. This commit breaks AuthTokenTests to
    inherit from `object` and sets up FernetAuthTokenTests and UUIDAuthTokenTests
    to set up configuration appropriately and run the tests.

    This fix was originally a part of https://review.openstack.org/#/c/258650 but
    this is an attempt to break 258650 into smaller, more reviewable, pieces.

    Co-Authored-By: Raildo Mascena <email address hidden>
    Co-Authored-By: Adam Young <email address hidden>

    Change-Id: I9acacfe7db4997add5505a9ee1972139af11979e
    Partial-Bug: 1561054

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/345075

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/345089

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/345090

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/345099

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/345104

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/345108

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/345684

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/345685

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/345686

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/345687

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/345688

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/343860
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=6bcc03ff1eb5ed149693959b5bc88a9210cd2d4b
Submitter: Jenkins
Branch: master

commit 6bcc03ff1eb5ed149693959b5bc88a9210cd2d4b
Author: Lance Bragstad <email address hidden>
Date: Mon Jul 18 18:52:11 2016 +0000

    Use freezegun to increment clock in test_v3_assignment

    This commit prepares the tests in keystone/tests/unit/test_v3_assignment.py for
    the switch to make Fernet the default token provider. Since Fernet doesn't
    support sub-second precision it is possible to get the wrong response when
    using the token API within the same second as a revocation event. We can either
    introduce a sleep (which slows down our tests) or mock the system clock.

    We can use freezegun to mock the system clock. This commit uses freezegun to
    increment the clock by one second in cases that fail with the Fernet provider.

    This fix was originally a part of https://review.openstack.org/#/c/258650 but
    this is an attempt to break 258650 into smaller, more reviewable, pieces.

    Co-Authored-By: Raildo Mascena <email address hidden>
    Co-Authored-By: Adam Young <email address hidden>

    Change-Id: I2604376f63cd84c2a3d1a640dfcfbc29e5682c73
    Partial-Bug: 1561054
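
Added example (not part of the bug report or of keystone's code): a stdlib-only model of the timing issue the commit messages above describe, where whole-second Fernet timestamps make a token issued just after a revocation event look revoked until the clock moves on by one second. `FakeClock` stands in for freezegun, the rule in `is_revoked` is a simplifying assumption, and all names and times are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone


class FakeClock:
    """Controllable clock; a stdlib stand-in for freezing time with freezegun."""

    def __init__(self, start):
        self.now = start

    def tick(self, milliseconds):
        self.now += timedelta(milliseconds=milliseconds)
        return self.now


def issue_token_time(now, subsecond=False):
    """Return the issued_at a validator would later see for a token minted at `now`.

    Fernet stores its timestamp as an 8-byte big-endian count of whole
    seconds, so the round trip through that field drops the fraction.
    """
    if subsecond:  # a format that keeps microseconds, for contrast
        return now
    field = struct.pack(">Q", int(now.timestamp()))
    (seconds,) = struct.unpack(">Q", field)
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def is_revoked(issued_at, revocation_times):
    """Assumed rule: revoked if issued at or before any revocation event."""
    return any(issued_at <= revoked_at for revoked_at in revocation_times)


def scenario(advance_ms, subsecond=False):
    """Old token, then a revocation event, then a new token `advance_ms` later.

    Returns (old_token_revoked, new_token_revoked).
    """
    # Constructed start time: 100 ms into a second.
    clock = FakeClock(datetime(2016, 7, 18, 15, 32, 22, 100000, tzinfo=timezone.utc))
    old_issued_at = issue_token_time(clock.now, subsecond)
    events = [clock.tick(300)]          # revocation event at +300 ms
    clock.tick(advance_ms)              # what the tests control
    new_issued_at = issue_token_time(clock.now, subsecond)
    return is_revoked(old_issued_at, events), is_revoked(new_issued_at, events)


if __name__ == "__main__":
    print("same second, whole-second timestamps:", scenario(200))
    print("clock advanced by one second:        ", scenario(1000))
    print("same second, sub-second timestamps:  ", scenario(200, subsecond=True))
```

The first case is the false rejection the tests hit; the second is what incrementing the frozen clock by one second achieves without a real sleep.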

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/343886
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=12966b8851a24f1a685aa2172470b873857d2220
Submitter: Jenkins
Branch: master

commit 12966b8851a24f1a685aa2172470b873857d2220
Author: Lance Bragstad <email address hidden>
Date: Mon Jul 18 19:57:49 2016 +0000

    Refactor TestAuthExternalDomain to not inherit tests

    Previously, TestAuthExternalDomain was inheriting from test_v3.RestfulTestCase,
    which allowed it to run as part of the keystone test suite. This commit breaks
    it into a class that only inherits from `object` and introduces 3 other classes
    that inherit the old TestAuthExternalDomain and run the tests according to the
    setup needed.

    Since the Fernet provider doesn't support bind authentication, there is no test
    class to set up Fernet and run the TestAuthExternalDomain behaviors. This change
    will make defaulting to Fernet easier.

    This fix was originally a part of https://review.openstack.org/#/c/258650 but
    this is an attempt to break 258650 into smaller, more reviewable, pieces.

    Co-Authored-By: Raildo Mascena <email address hidden>
    Co-Authored-By: Adam Young <email address hidden>

    Change-Id: I28e575ddada8492bd4fc17b78cb00651d9d4af07
    Partial-Bug: 1561054

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/343932
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e8cd48fa48a7ab8678b440b25549bb3decd198cf
Submitter: Jenkins
Branch: master

commit e8cd48fa48a7ab8678b440b25549bb3decd198cf
Author: Lance Bragstad <email address hidden>
Date: Mon Jul 18 21:22:49 2016 +0000

    Don't run TokenCacheInvalidation with Fernet

    Since the TokenCacheInvalidation tests are specific to token formats that
    require persistent storage, it doesn't make sense to run them with Fernet
    configured. This commit updated the classes that inherit TokenCacheInvalidation
    to test all token formats except the Fernet format.

    This fix was originally a part of https://review.openstack.org/#/c/258650 but
    this is an attempt to break 258650 into smaller, more reviewable, pieces.

    Co-Authored-By: Raildo Mascena <email address hidden>
    Co-Authored-By: Adam Young <email address hidden>

    Change-Id: Iaaf0f29fa1d55b0028729b69704167957a6c5f8c
    Partial-Bug: 1561054

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/343935
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=241d33d7a6528144035a86032961dbda6376ebb0
Submitter: Jenkins
Branch: master

commit 241d33d7a6528144035a86032961dbda6376ebb0
Author: Lance Bragstad <email address hidden>
Date: Mon Jul 18 21:49:53 2016 +0000

    Run AuthWithToken against all token providers

    This makes AuthWithToken inherit directly from `object` and introduces other
    test classes with specific test setup for each format to inherit AuthWithToken.
    This will make the switch to Fernet as default provider easier.

    This fix was originally a part of https://review.openstack.org/#/c/258650 but
    this is an attempt to break 258650 into smaller, more reviewable, pieces.

    Co-Authored-By: Raildo Mascena <email address hidden>
    Co-Authored-By: Adam Young <email address hidden>

    Change-Id: I87a12160e31b2467af01dc8e7b01cc59d5907675
    Partial-Bug: 1561054

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/345075
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e9fc58144012a23d228e589ea9de140dc3efee95
Submitter: Jenkins
Branch: master

commit e9fc58144012a23d228e589ea9de140dc3efee95
Author: Lance Bragstad <email address hidden>
Date: Wed Jul 20 22:14:49 2016 +0000

    refactor: inherit AuthWithRemoteUser for other providers

    This commit makes it so that the AuthWithRemoteUser class no longer inherits
    from other test cases. Instead it inherits from `object` and I've added
    several other classes that set up each token provider to test the cases in
    AuthWithRemoteUser.

    This helps us move towards making Fernet the default token provider.

    Co-Authored-By: Raildo Mascena <email address hidden>
    Co-Authored-By: Adam Young <email address hidden>

    Change-Id: I3ae63c8ff50a897ef0ae6e8129abc02e5b93747c
    Partial-Bug: 1561054

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/345089
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=66f7b0915bcb374380da0b441cbaebed870aa1b6
Submitter: Jenkins
Branch: master

commit 66f7b0915bcb374380da0b441cbaebed870aa1b6
Author: Lance Bragstad <email address hidden>
Date: Wed Jul 20 22:43:57 2016 +0000

    refactor: make TestAuthKerberos test pki/pkiz/uuid

    This helps us move towards fernet because we don't support bind authentication
    with the Fernet provider, so when we set Fernet to be the default we won't run
    these tests. We will only run Kerberos tests against token providers that
    support it.

    Co-Authored-By: Raildo Mascena <email address hidden>
    Co-Authored-By: Adam Young <email address hidden>

    Change-Id: Ie80f74e47046c5d8d3c2f31e5b84e4210e775f7f
    Partial-Bug: 1561054

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/345090
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=05ec0328771ed22397853b9b7b07e6746cb8c33c
Submitter: Jenkins
Branch: master

commit 05ec0328771ed22397853b9b7b07e6746cb8c33c
Author: Lance Bragstad <email address hidden>
Date: Wed Jul 20 23:02:47 2016 +0000

    refactor: make TestAuthExternalDefaultDomain test uuid/pki/pkiz

    Bind authentication is only supported by uuid, pki, and pkiz token providers.
    This makes it easier to switch Fernet to be the default.

    This fix was originally a part of https://review.openstack.org/#/c/258650 but
    this is an attempt to break 258650 into smaller, more reviewable, pieces.

    Co-Authored-By: Raildo Mascena <email address hidden>
    Co-Authored-By: Adam Young <email address hidden>

    Change-Id: I195ae1def4e2e7e27125f09cf058718b73eb839e
    Partial-Bug: 1561054

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/345099
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d6ac15cda707b198d00fb688a5fc529134b8118c
Submitter: Jenkins
Branch: master

commit d6ac15cda707b198d00fb688a5fc529134b8118c
Author: Lance Bragstad <email address hidden>
Date: Wed Jul 20 23:25:15 2016 +0000

    refactor: make TestFetchRevocationList test uuid

    The TestFetchRevocationList should be inherited and tested by the uuid token
    provider. The other token providers don't support Revocation Lists, so don't
    test them with it.

    This is an effort to break https://review.openstack.org/#/c/258650 into
    smaller, more reviewable pieces.

    Co-Authored-By: Raildo Mascena <email address hidden>
    Co-Authored-By: Adam Young <email address hidden>

    Change-Id: I6be1c5c583d336cc83cf3670c10d4364ddc16bbd
    Partial-Bug: 1561054

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/345104
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=32467320bd368f72db06ee119c103cb18d103a74
Submitter: Jenkins
Branch: master

commit 32467320bd368f72db06ee119c103cb18d103a74
Author: Lance Bragstad <email address hidden>
Date: Wed Jul 20 23:55:44 2016 +0000

    Use freezegun in OSRevokeTests

    This makes it easier for us to switch fernet to be the default token provider
    because we can increment the clock in order to get the list of revocation
    events.

    This is an effort to break https://review.openstack.org/#/c/258650 into
    smaller, more reviewable pieces.

    Co-Authored-By: Raildo Mascena <email address hidden>
    Co-Authored-By: Adam Young <email address hidden>

    Change-Id: Ia47a78509d033596b0101b28e9cd38abafdb199a
    Partial-Bug: 1561054

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/345108
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f324506d06ab7a4e3632158c2cf4ff8554de5cd1
Submitter: Jenkins
Branch: master

commit f324506d06ab7a4e3632158c2cf4ff8554de5cd1
Author: Lance Bragstad <email address hidden>
Date: Thu Jul 21 00:07:38 2016 +0000

    Only run KvsTokenCacheInvalidation against uuid

    It only makes sense to run these tests against the UUID token provider. We
    don't need to run this against the Fernet provider since keystone doesn't store
    Fernet tokens.

    This is an effort to break https://review.openstack.org/#/c/258650 into
    smaller, more reviewable pieces.

    Co-Authored-By: Raildo Mascena <email address hidden>
    Co-Authored-By: Adam Young <email address hidden>

    Change-Id: I72aaf2967723c695cc445c2a1074adf5760dc46b
    Partial-Bug: 1561054

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/345684
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=cd26ae9227fc3782cc8ca077011202310aea0738
Submitter: Jenkins
Branch: master

commit cd26ae9227fc3782cc8ca077011202310aea0738
Author: Lance Bragstad <email address hidden>
Date: Thu Jul 21 18:40:38 2016 +0000

    Use freezegun in AssignmentInheritanceTestCase

    This makes it so that we properly advance the clock after revocation events.
    It also makes it easier to switch to Fernet as the default token provider.

    This fix was originally a part of https://review.openstack.org/#/c/258650 but
    this is an attempt to break 258650 into smaller, more reviewable, pieces.

    Co-Authored-By: Raildo Mascena <email address hidden>
    Co-Authored-By: Adam Young <email address hidden>

    Change-Id: I83509e81e4da26cad48ed3cb3f9733ddb7ae965e
    Partial-Bug: 1561054

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/345685
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=5bbc78a9a814c711f694b1ba939d417875d30049
Submitter: Jenkins
Branch: master

commit 5bbc78a9a814c711f694b1ba939d417875d30049
Author: Lance Bragstad <email address hidden>
Date: Thu Jul 21 19:36:16 2016 +0000

    Make it so federated tokens are validated on v2.0

    This makes it so that when we validate a fernet federated token against v2.0
    and raise an Unauthorized exception.

    This is an effort to break https://review.openstack.org/#/c/258650 into
    smaller, more reviewable pieces.

    Co-Authored-By: Raildo Mascena <email address hidden>
    Co-Authored-By: Adam Young <email address hidden>

    Change-Id: I321e9e72bb31617b4ecf8ba1e0171dfc099b88c7
    Partial-Bug: 1561054

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/345686
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=b77c5b789fae62aa7375296bf49985cf213e0a87
Submitter: Jenkins
Branch: master

commit b77c5b789fae62aa7375296bf49985cf213e0a87
Author: Lance Bragstad <email address hidden>
Date: Thu Jul 21 20:38:01 2016 +0000

    Make AuthWithTrust testable against uuid and fernet

    We should make AuthWithTrust something that is tested against both the uuid
    token provider and the fernet token provider. This helps us move towards making
    fernet the default token provider.

    This is an effort to break https://review.openstack.org/#/c/258650 into
    smaller, more reviewable pieces.

    Co-Authored-By: Raildo Mascena <email address hidden>
    Co-Authored-By: Adam Young <email address hidden>

    Change-Id: I0fd2187421fc677e7d422d4b449eec3056a134e9
    Partial-Bug: 1561054

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/345687
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=0b600cedf6c85ece1d4144d9dc61165c8c6c8698
Submitter: Jenkins
Branch: master

commit 0b600cedf6c85ece1d4144d9dc61165c8c6c8698
Author: Lance Bragstad <email address hidden>
Date: Thu Jul 21 21:42:25 2016 +0000

    Allow V2TestCase to be tested against fernet and uuid

    This helps make our switch to fernet as the default token provider easier.

    This is an effort to break https://review.openstack.org/#/c/258650 into
    smaller, more reviewable pieces.

    Co-Authored-By: Raildo Mascena <email address hidden>
    Co-Authored-By: Adam Young <email address hidden>

    Change-Id: I67121265cf06eb11586c90c37c6439bcdb28acf0
    Partial-Bug: 1561054

Changed in keystone:
assignee: Lance Bragstad (lbragstad) → Samuel de Medeiros Queiroz (samueldmq)
Changed in keystone:
assignee: Samuel de Medeiros Queiroz (samueldmq) → Lance Bragstad (lbragstad)
Changed in keystone:
assignee: Lance Bragstad (lbragstad) → Morgan Fainberg (mdrnstm)
Changed in keystone:
assignee: Morgan Fainberg (mdrnstm) → Lance Bragstad (lbragstad)
Changed in keystone:
assignee: Lance Bragstad (lbragstad) → Steve Martinelli (stevemar)
Changed in keystone:
assignee: Steve Martinelli (stevemar) → Lance Bragstad (lbragstad)
Changed in keystone:
assignee: Lance Bragstad (lbragstad) → Steve Martinelli (stevemar)
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/345688
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=57cc1e332f8e794aee06cd25f5b3204b83922353
Submitter: Jenkins
Branch: master

commit 57cc1e332f8e794aee06cd25f5b3204b83922353
Author: Lance Bragstad <email address hidden>
Date: Thu Jul 21 21:54:18 2016 +0000

    Switch fernet to be the default token provider.

    Make Fernet the default token provider in keystone.

    Co-Authored-By: Raildo Mascena <email address hidden>
    Co-Authored-By: Adam Young <email address hidden>

    Depends-On: I3b819ae8d2924f3bece03902e05d1a8c5e5923f1
    Depends-On: I7bb6c2fa1fe83b70cb147e6ca4c68bea3028706b
    Depends-On: Ia51f28a70ae099f1ec93851d271db8556aced836
    Change-Id: I29b22be75525aed5c50b34dc343af36c9b94c18c
    Closes-Bug: 1561054

Changed in keystone:
status: In Progress → Fix Released
Changed in keystone:
milestone: none → ocata-1
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 11.0.0.0b1

This issue was fixed in the openstack/keystone 11.0.0.0b1 development milestone.

Changed in keystone:
assignee: Steve Martinelli (stevemar) → Lance Bragstad (lbragstad)