[openstack-keystone] juno-1 milestone
Alan Pevec
apevec at fedoraproject.org
Wed Jul 9 11:38:20 UTC 2014
commit bcc3b16b6d2f6b1a99dd2cf7005a00e5e1902ebf
Author: Alan Pevec <alan.pevec at redhat.com>
Date: Fri Jun 13 01:21:36 2014 +0200
juno-1 milestone
.gitignore | 1 +
0001-remove-runtime-dep-on-python-pbr.patch | 27 +-
...-parameter-values-with-keystone-dist.conf.patch | 20 +-
...-Block-delegation-escalation-of-privilege.patch | 41 ++--
0003-Refactor-service-readiness-notification.patch | 265 --------------------
...e-that-in-v2-auth-tenant_id-matches-trust.patch | 45 ++--
openstack-keystone.spec | 32 ++-
sources | 2 +-
8 files changed, 87 insertions(+), 346 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 69f1027..3efb196 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
/keystone-2014.1.tar.gz
/keystone-2014.1.1.tar.gz
+/keystone-2014.2.b1.tar.gz
diff --git a/0001-remove-runtime-dep-on-python-pbr.patch b/0001-remove-runtime-dep-on-python-pbr.patch
index 758ba73..c7c60c8 100644
--- a/0001-remove-runtime-dep-on-python-pbr.patch
+++ b/0001-remove-runtime-dep-on-python-pbr.patch
@@ -1,4 +1,4 @@
-From ac4d68e2aa6612cf9904baba7f2505ebddf6e82c Mon Sep 17 00:00:00 2001
+From 47ef4045c06e1aaa1cacbd9b1f193705187e5fc1 Mon Sep 17 00:00:00 2001
From: Alan Pevec <apevec at redhat.com>
Date: Mon, 9 Sep 2013 00:38:42 +0200
Subject: [PATCH] remove runtime dep on python-pbr
@@ -6,11 +6,11 @@ Subject: [PATCH] remove runtime dep on python-pbr
---
bin/keystone-all | 3 +--
keystone/cli.py | 3 +--
- requirements.txt | 23 +----------------------
- 3 files changed, 3 insertions(+), 26 deletions(-)
+ requirements.txt | 24 +-----------------------
+ 3 files changed, 3 insertions(+), 27 deletions(-)
diff --git a/bin/keystone-all b/bin/keystone-all
-index 8d7c4b3..315f3c1 100755
+index 3214d13..2e468be 100755
--- a/bin/keystone-all
+++ b/bin/keystone-all
@@ -32,7 +32,6 @@ if os.path.exists(os.path.join(possible_topdir,
@@ -21,7 +21,7 @@ index 8d7c4b3..315f3c1 100755
from keystone.openstack.common import gettextutils
# NOTE(dstanek): gettextutils.enable_lazy() must be called before
-@@ -110,7 +109,7 @@ if __name__ == '__main__':
+@@ -102,7 +101,7 @@ if __name__ == '__main__':
config.set_default_for_default_log_levels()
CONF(project='keystone',
@@ -52,12 +52,12 @@ index a9decbd..9411219 100644
default_config_files=config_files)
config.setup_logging()
diff --git a/requirements.txt b/requirements.txt
-index 4b76b1b..e975d85 100644
+index 31b98ea..e975d85 100644
--- a/requirements.txt
+++ b/requirements.txt
-@@ -1,23 +1,2 @@
+@@ -1,24 +1,2 @@
# keystone dependencies
--pbr>=0.6,<1.0
+-pbr>=0.6,!=0.7,<1.0
-WebOb>=1.2.3
-eventlet>=0.13.0
-greenlet>=0.3.2
@@ -67,16 +67,17 @@ index 4b76b1b..e975d85 100644
-Routes>=1.12.3
-six>=1.6.0
-SQLAlchemy>=0.7.8,<=0.9.99
--sqlalchemy-migrate>=0.8.2,!=0.8.4
+-sqlalchemy-migrate>=0.9.1
-passlib
-lxml>=2.3
-iso8601>=0.1.9
--python-keystoneclient>=0.7.0
+-python-keystoneclient>=0.9.0
-oslo.config>=1.2.0
--oslo.messaging>=1.3.0a9
+-oslo.messaging>=1.3.0
-Babel>=1.3
-oauthlib>=0.6
--dogpile.cache>=0.5.0
+-dogpile.cache>=0.5.3
-jsonschema>=2.0.0,<3.0.0
--pycadf>=0.4.1
+-pycadf>=0.5.1
+-posix_ipc
+# let RPM handle deps
diff --git a/0002-sync-parameter-values-with-keystone-dist.conf.patch b/0002-sync-parameter-values-with-keystone-dist.conf.patch
index b64388d..5118032 100644
--- a/0002-sync-parameter-values-with-keystone-dist.conf.patch
+++ b/0002-sync-parameter-values-with-keystone-dist.conf.patch
@@ -1,4 +1,4 @@
-From dc539d8b2dd41d8742eae7ff47e6ecec6d6256c6 Mon Sep 17 00:00:00 2001
+From 09b04beb1c52077b68cd25a354d11e706350c96f Mon Sep 17 00:00:00 2001
From: Alan Pevec <apevec at redhat.com>
Date: Mon, 9 Sep 2013 15:22:20 +0200
Subject: [PATCH] sync parameter values with keystone-dist.conf
@@ -11,10 +11,10 @@ Change-Id: If36c384f86843a6506a494d79beca65639fb3480
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/etc/keystone.conf.sample b/etc/keystone.conf.sample
-index c5f57bf..3aa1314 100644
+index b20139d..b8d39d5 100644
--- a/etc/keystone.conf.sample
+++ b/etc/keystone.conf.sample
-@@ -385,7 +385,7 @@
+@@ -361,7 +361,7 @@
#verbose=false
# Log output to standard error (boolean value)
@@ -23,7 +23,7 @@ index c5f57bf..3aa1314 100644
# Format string to use for log messages with context (string
# value)
-@@ -439,10 +439,11 @@
+@@ -415,10 +415,11 @@
# %(default)s (string value)
#log_date_format=%Y-%m-%d %H:%M:%S
@@ -38,16 +38,16 @@ index c5f57bf..3aa1314 100644
# (Optional) The base directory used for relative --log-file
# paths (string value)
-@@ -581,7 +582,7 @@
+@@ -555,7 +556,7 @@
# Catalog template file name for use with the template catalog
# backend. (string value)
-#template_file=default_catalog.templates
+#template_file=/etc/keystone/default_catalog.templates
- # Keystone catalog backend driver. (string value)
+ # Catalog backend driver. (string value)
#driver=keystone.catalog.backends.sql.Catalog
-@@ -622,7 +623,7 @@
+@@ -596,7 +597,7 @@
# Deprecated group/name - [DEFAULT]/sql_connection
# Deprecated group/name - [DATABASE]/sql_connection
# Deprecated group/name - [sql]/connection
@@ -56,16 +56,16 @@ index c5f57bf..3aa1314 100644
# The SQL mode to be used for MySQL sessions. This option,
# including the default, overrides any server-set SQL mode. To
-@@ -710,7 +711,7 @@
+@@ -684,7 +685,7 @@
#
- # Keystone EC2Credential backend driver. (string value)
+ # EC2Credential backend driver. (string value)
-#driver=keystone.contrib.ec2.backends.kvs.Ec2
+#driver=keystone.contrib.ec2.backends.sql.Ec2
[endpoint_filter]
-@@ -1147,7 +1148,7 @@
+@@ -1129,7 +1130,7 @@
# Name of the paste configuration file that defines the
# available pipelines. (string value)
diff --git a/0004-Block-delegation-escalation-of-privilege.patch b/0003-Block-delegation-escalation-of-privilege.patch
similarity index 91%
rename from 0004-Block-delegation-escalation-of-privilege.patch
rename to 0003-Block-delegation-escalation-of-privilege.patch
index e2a3108..e83d7c4 100644
--- a/0004-Block-delegation-escalation-of-privilege.patch
+++ b/0003-Block-delegation-escalation-of-privilege.patch
@@ -1,4 +1,4 @@
-From b954590b1c7676bd0fb0c848123060292f3cfa8e Mon Sep 17 00:00:00 2001
+From 03ceb49f8aacccbfe4d036d2637fdd6ba61743fd Mon Sep 17 00:00:00 2001
From: Adam Young <ayoung at redhat.com>
Date: Thu, 29 May 2014 13:56:17 -0400
Subject: [PATCH] Block delegation escalation of privilege
@@ -11,20 +11,20 @@ Forbids doing the following with either a trust
Change-Id: I1528f9dd003f5e03cbc50b78e1b32dbbf85ffcc2
Closes-Bug: 1324592
-(cherry picked from commit 73785122eefe523bb57c819e085c7f6ec97d779c)
+(cherry picked from commit ebfc2da158d15fe2f36787bcbf7407a0fa8f551d)
---
keystone/common/authorization.py | 36 ++++++++++++-
keystone/contrib/oauth1/controllers.py | 12 +++++
keystone/tests/test_v3_auth.py | 36 +++++++++++++
keystone/tests/test_v3_oauth1.py | 97 ++++++++++++++++++++++++++++++++++
- keystone/trust/controllers.py | 9 ++++
- 5 files changed, 188 insertions(+), 2 deletions(-)
+ keystone/trust/controllers.py | 8 +++
+ 5 files changed, 187 insertions(+), 2 deletions(-)
diff --git a/keystone/common/authorization.py b/keystone/common/authorization.py
-index 6dc7435..11d0d79 100644
+index 1aae1b0..2b7243f 100644
--- a/keystone/common/authorization.py
+++ b/keystone/common/authorization.py
-@@ -67,7 +67,7 @@ def is_v3_token(token):
+@@ -48,7 +48,7 @@ def is_v3_token(token):
def v3_token_to_auth_context(token):
@@ -33,7 +33,7 @@ index 6dc7435..11d0d79 100644
token_data = token['token']
try:
creds['user_id'] = token_data['user']['id']
-@@ -87,11 +87,31 @@ def v3_token_to_auth_context(token):
+@@ -68,11 +68,31 @@ def v3_token_to_auth_context(token):
creds['group_ids'] = [
g['id'] for g in token_data['user'].get(federation.FEDERATION, {}).get(
'groups', [])]
@@ -66,7 +66,7 @@ index 6dc7435..11d0d79 100644
token_data = token['access']
try:
creds['user_id'] = token_data['user']['id']
-@@ -105,6 +125,18 @@ def v2_token_to_auth_context(token):
+@@ -86,6 +106,18 @@ def v2_token_to_auth_context(token):
if 'roles' in token_data['user']:
creds['roles'] = [role['name'] for
role in token_data['user']['roles']]
@@ -86,7 +86,7 @@ index 6dc7435..11d0d79 100644
diff --git a/keystone/contrib/oauth1/controllers.py b/keystone/contrib/oauth1/controllers.py
-index 2c938ba..a185e4f 100644
+index 46b4505..15ea66e 100644
--- a/keystone/contrib/oauth1/controllers.py
+++ b/keystone/contrib/oauth1/controllers.py
@@ -95,6 +95,12 @@ class AccessTokenCrudV3(controller.V3Controller):
@@ -116,10 +116,10 @@ index 2c938ba..a185e4f 100644
req_token = self.oauth_api.get_request_token(request_token_id)
diff --git a/keystone/tests/test_v3_auth.py b/keystone/tests/test_v3_auth.py
-index 5de7e02..8a27a38 100644
+index cd738b2..235dfe4 100644
--- a/keystone/tests/test_v3_auth.py
+++ b/keystone/tests/test_v3_auth.py
-@@ -2777,6 +2777,42 @@ class TestTrustAuth(TestAuthInfo):
+@@ -2898,6 +2898,42 @@ class TestTrustAuth(TestAuthInfo):
self.assertEqual(r.result['token']['project']['name'],
self.project['name'])
@@ -163,7 +163,7 @@ index 5de7e02..8a27a38 100644
revocation_response = self.get('/OS-REVOKE/events',
expected_status=200)
diff --git a/keystone/tests/test_v3_oauth1.py b/keystone/tests/test_v3_oauth1.py
-index b653855..d993889 100644
+index 525b4b0..5f37510 100644
--- a/keystone/tests/test_v3_oauth1.py
+++ b/keystone/tests/test_v3_oauth1.py
@@ -13,6 +13,8 @@
@@ -175,15 +175,15 @@ index b653855..d993889 100644
import uuid
from six.moves import urllib
-@@ -26,6 +28,7 @@ from keystone.contrib.oauth1 import controllers
+@@ -22,6 +24,7 @@ from keystone.contrib import oauth1
+ from keystone.contrib.oauth1 import controllers
+ from keystone.contrib.oauth1 import core
from keystone import exception
- from keystone.openstack.common.db.sqlalchemy import migration
- from keystone.openstack.common import importutils
+from keystone.openstack.common import jsonutils
from keystone.tests import test_v3
-@@ -486,6 +489,100 @@ class AuthTokenTests(OAuthFlowTests):
+@@ -476,6 +479,100 @@ class AuthTokenTests(OAuthFlowTests):
self.assertRaises(exception.TokenNotFound, self.token_api.get_token,
self.keystone_token_id)
@@ -285,14 +285,13 @@ index b653855..d993889 100644
class MaliciousOAuth1Tests(OAuth1Tests):
diff --git a/keystone/trust/controllers.py b/keystone/trust/controllers.py
-index cc3cc1f..552db44 100644
+index ae661f9..3835302 100644
--- a/keystone/trust/controllers.py
+++ b/keystone/trust/controllers.py
-@@ -132,6 +132,15 @@ class TrustV3(controller.V3Controller):
+@@ -124,6 +124,14 @@ class TrustV3(controller.V3Controller):
+ The user creating the trust must be the trustor.
- # TODO(ayoung): instead of raising ValidationError on the first
- # problem, return a collection of all the problems.
-+
+ """
+ # Explicitly prevent a trust token from creating a new trust.
+ auth_context = context.get('environment',
+ {}).get('KEYSTONE_AUTH_CONTEXT', {})
diff --git a/0005-Ensure-that-in-v2-auth-tenant_id-matches-trust.patch b/0004-Ensure-that-in-v2-auth-tenant_id-matches-trust.patch
similarity index 73%
rename from 0005-Ensure-that-in-v2-auth-tenant_id-matches-trust.patch
rename to 0004-Ensure-that-in-v2-auth-tenant_id-matches-trust.patch
index 095d6d1..b639cea 100644
--- a/0005-Ensure-that-in-v2-auth-tenant_id-matches-trust.patch
+++ b/0004-Ensure-that-in-v2-auth-tenant_id-matches-trust.patch
@@ -1,4 +1,4 @@
-From 7debbe93a4854026cdc1b8b0473331a8c44874fc Mon Sep 17 00:00:00 2001
+From 364937ac46caf9e27b1b6700222a6b8e98fb956f Mon Sep 17 00:00:00 2001
From: Jamie Lennox <jamielennox at redhat.com>
Date: Thu, 19 Jun 2014 14:41:22 +1000
Subject: [PATCH] Ensure that in v2 auth tenant_id matches trust
@@ -10,56 +10,55 @@ appropriate roles then a token would be issued.
Ensure that the trust that was given matches the project that was
specified in the scope.
-(cherry picked from commit 1556faec2f65dba60584f0a9657d5b717a6ede3a)
-
Change-Id: I00ad783bcb93cea9e5622965f81b91c80f4570cc
Closes-Bug: #1331912
-(cherry picked from commit 44555e83bad04210cf6ddc24999e753178357043)
+(cherry picked from commit 79ad85a8ed9b7a3403367e2b6affe30ee69d21c5)
---
- keystone/tests/test_auth.py | 15 +++++++++++++--
+ keystone/tests/test_auth.py | 17 +++++++++++++++--
keystone/token/controllers.py | 6 +++++-
- 2 files changed, 18 insertions(+), 3 deletions(-)
+ 2 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/keystone/tests/test_auth.py b/keystone/tests/test_auth.py
-index 6d93e7f..4d9d9da 100644
+index 9f41aba..c9e6747 100644
--- a/keystone/tests/test_auth.py
+++ b/keystone/tests/test_auth.py
-@@ -693,13 +693,15 @@ class AuthWithTrust(AuthTest):
- self.new_trust = self.trust_controller.create_trust(
- context, trust=trust_data)['trust']
+@@ -679,12 +679,15 @@ class AuthWithTrust(AuthTest):
+ body_dict = _build_user_auth(username=username, password=password)
+ return self.controller.authenticate({}, body_dict)
-- def build_v2_token_request(self, username, password):
-+ def build_v2_token_request(self, username, password, tenant_id=None):
+- def build_v2_token_request(self, username, password, trust):
++ def build_v2_token_request(self, username, password, trust,
++ tenant_id=None):
+ if not tenant_id:
+ tenant_id = self.tenant_bar['id']
- body_dict = _build_user_auth(username=username, password=password)
- self.unscoped_token = self.controller.authenticate({}, body_dict)
- unscoped_token_id = self.unscoped_token['access']['token']['id']
+ unscoped_token = self.get_unscoped_token(username, password)
+ unscoped_token_id = unscoped_token['access']['token']['id']
request_body = _build_user_auth(token={'id': unscoped_token_id},
- trust_id=self.new_trust['id'],
+ trust_id=trust['id'],
- tenant_id=self.tenant_bar['id'])
+ tenant_id=tenant_id)
return request_body
def test_create_trust_bad_data_fails(self):
-@@ -782,6 +784,15 @@ class AuthWithTrust(AuthTest):
- exception.Forbidden,
- self.controller.authenticate, {}, request_body)
+@@ -796,6 +799,16 @@ class AuthWithTrust(AuthTest):
+ self.assertRaises(exception.Forbidden, self.controller.authenticate,
+ {}, request_body)
+ def test_token_from_trust_wrong_project_fails(self):
+ for assigned_role in self.assigned_roles:
+ self.assignment_api.add_role_to_user_and_project(
+ self.trustor['id'], self.tenant_baz['id'], assigned_role)
-+ request_body = self.build_v2_token_request('TWO', 'two2',
++ new_trust = self.create_trust(self.sample_data, self.trustor['name'])
++ request_body = self.build_v2_token_request('TWO', 'two2', new_trust,
+ self.tenant_baz['id'])
+ self.assertRaises(exception.Forbidden, self.controller.authenticate,
+ {}, request_body)
+
- def fetch_v2_token_from_trust(self):
- request_body = self.build_v2_token_request('TWO', 'two2')
+ def fetch_v2_token_from_trust(self, trust):
+ request_body = self.build_v2_token_request('TWO', 'two2', trust)
auth_response = self.controller.authenticate({}, request_body)
diff --git a/keystone/token/controllers.py b/keystone/token/controllers.py
-index bcae12c..be16145 100644
+index 997abd6..30d941f 100644
--- a/keystone/token/controllers.py
+++ b/keystone/token/controllers.py
@@ -164,6 +164,8 @@ class Auth(controller.V2Controller):
diff --git a/openstack-keystone.spec b/openstack-keystone.spec
index 490c714..86f0f2a 100644
--- a/openstack-keystone.spec
+++ b/openstack-keystone.spec
@@ -1,18 +1,20 @@
#
-# This is 2014.1.1 Icehouse stable release
+# This is 2014.2 Juno-1 milestone
#
-%global release_name icehouse
+%global release_name juno
+%global milestone 1
%global with_doc %{!?_without_doc:1}%{?_without_doc:0}
Name: openstack-keystone
-Version: 2014.1.1
-Release: 4%{?dist}
+Version: 2014.2
+Release: 0.1.b%{milestone}%{?dist}
Summary: OpenStack Identity Service
License: ASL 2.0
URL: http://keystone.openstack.org/
-Source0: http://launchpad.net/keystone/%{release_name}/%{version}/+download/keystone-%{version}.tar.gz
+#Source0: http://launchpad.net/keystone/%{release_name}/%{version}/+download/keystone-%{version}.tar.gz
+Source0: http://launchpad.net/keystone/%{release_name}/%{release_name}-%{milestone}/+download/keystone-%{version}.b%{milestone}.tar.gz
Source1: openstack-keystone.logrotate
Source2: openstack-keystone.service
Source3: openstack-keystone.sysctl
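Review bot: The new `Source0` still points at plain `http://launchpad.net/...`, so the only integrity check on the tarball is the digest recorded in `sources`, which on this page is a 32-hex-digit value (apparently MD5). I would switch the URL scheme to `https://` so that whoever refreshes the tarball is not exposed to substitution in transit before that digest is recorded. Separately, the commented-out `#Source0:` line keeps unescaped `%{release_name}` and `%{version}` macros, which rpm still expands inside comments. Either delete that line or escape the macros as `%%{version}`.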
@@ -24,13 +26,12 @@ Source23: openstack-keystone.upstart
#
-# patches_base=2014.1.1
+# patches_base=2014.2.b1
#
Patch0001: 0001-remove-runtime-dep-on-python-pbr.patch
Patch0002: 0002-sync-parameter-values-with-keystone-dist.conf.patch
-Patch0003: 0003-Refactor-service-readiness-notification.patch
-Patch0004: 0004-Block-delegation-escalation-of-privilege.patch
-Patch0005: 0005-Ensure-that-in-v2-auth-tenant_id-matches-trust.patch
+Patch0003: 0003-Block-delegation-escalation-of-privilege.patch
+Patch0004: 0004-Ensure-that-in-v2-auth-tenant_id-matches-trust.patch
BuildArch: noarch
BuildRequires: python2-devel
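Review bot: `Patch0003` and `Patch0004` are security fixes, but nothing in the spec says so, and this hunk renumbers them while dropping another patch, which is the point where a carried fix is easiest to lose on a later rebase. I would add a comment above each, for example `# Security: block delegation privilege escalation (Closes-Bug: 1324592)` and `# Security: v2 auth tenant_id must match trust (Closes-Bug: #1331912)`. The changelog further down suggests the second corresponds to CVE-2014-3520, which is worth confirming and naming in the comment. Presumably both are still carried because the 2014.2.b1 tarball lacks them; a short note saying so would tell the next packager when they can be dropped.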
@@ -40,7 +41,7 @@ BuildRequires: python-pbr
BuildRequires: python-d2to1
Requires: python-keystone = %{version}-%{release}
-Requires: python-keystoneclient >= 1:0.6.0
+Requires: python-keystoneclient >= 1:0.9.0
%if 0%{?rhel} == 6
Requires(post): chkconfig
@@ -87,10 +88,11 @@ Requires: python-netaddr
Requires: python-six >= 1.4.1
Requires: python-babel
Requires: python-oauthlib
-Requires: python-dogpile-cache >= 0.5.0
+Requires: python-dogpile-cache >= 0.5.3
Requires: python-jsonschema
Requires: python-oslo-messaging
Requires: python-pycadf
+Requires: python-posix_ipc
%description -n python-keystone
Keystone is a Python implementation of the OpenStack
@@ -111,13 +113,12 @@ This package contains documentation for Keystone.
%endif
%prep
-%setup -q -n keystone-%{version}
+%setup -q -n keystone-%{version}.b%{milestone}
%patch0001 -p1
%patch0002 -p1
%patch0003 -p1
%patch0004 -p1
-%patch0005 -p1
find . \( -name .gitignore -o -name .placeholder \) -delete
find keystone -name \*.py -exec sed -i '/\/usr\/bin\/env python/d' {} \;
@@ -127,6 +128,8 @@ rm -rf keystone.egg-info
# Remove dependency on pbr and set version as per rpm
sed -i s/REDHATKEYSTONEVERSION/%{version}/ bin/keystone-all keystone/cli.py
+sed -i 's/%{version}.b%{milestone}/%{version}/' PKG-INFO
+
# make doc build compatible with python-oslo-sphinx RPM
sed -i 's/oslosphinx/oslo.sphinx/' doc/source/conf.py
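Review bot: The added `sed` on `PKG-INFO` leaves the dots in `%{version}.b%{milestone}` unescaped and has no line address, so each `.` matches any character and the rewrite applies to any line containing the pattern rather than only the version field. It also succeeds silently when nothing matches. Something like `sed -i '/^Version:/s/%{version}\.b%{milestone}/%{version}/' PKG-INFO` would keep the change to the intended field. The existing comment `# Remove dependency on pbr and set version as per rpm` now sits above two commands, so a one-line comment saying the milestone suffix is stripped from the Python metadata would make the intent explicit.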
@@ -269,6 +272,9 @@ fi
%endif
%changelog
+* Wed Jul 09 2014 Alan Pevec <apevec at redhat.com> 2014.2-0.1.b
+- juno-1 milestone
+
* Wed Jul 09 2014 Alan Pevec <apevec at redhat.com> 2014.1.1-4
- Keystone V2 trusts privilege escalation through user supplied project id
CVE-2014-3520
diff --git a/sources b/sources
index d3f2d7a..eb6441a 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-e99ecd6e0e24fedb69c42108960b3ea4 keystone-2014.1.1.tar.gz
+b7bc2438a5f5ac9e2ae61937ac465791 keystone-2014.2.b1.tar.gz