[Openstack] python-keystoneclient 0.8.0 released

2014-04-16 Thread Dolph Mathews
python-keystoneclient 0.8.0 has been released and is now available on pypi
[1].

Given the recency of the 0.7 series, this is a relatively small release.
However, 0.8.0 notably fixes a race condition in
keystoneclient.middleware.auth_token for PKI deployments [2], which is
closely related to an issue that was addressed in 0.7.0.

More details on the release are available on Launchpad [3].

Thanks!

-Dolph

[1] https://pypi.python.org/pypi/python-keystoneclient/
[2] https://bugs.launchpad.net/cinder/+bug/1285833
[3] https://launchpad.net/python-keystoneclient/+milestone/0.8.0
___
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack


Re: [Openstack] Federated Authn & ldap/saml

2014-04-14 Thread Dolph Mathews
On Fri, Apr 11, 2014 at 1:57 PM, Adam Lawson wrote:

> Hi Michael,
> KS Federation was originally planned for Icehouse RC2 but was later
> postponed until the Juno release with priority since there was a
> disagreement re approach. Or something along those lines. But it won't be
> included with Icehouse
>
>
I'm curious as to where you got this information? Federation is the first
new feature listed on Keystone's release notes for Icehouse:


https://wiki.openstack.org/wiki/ReleaseNotes/Icehouse#OpenStack_Identity_.28Keystone.29

> Mahalo,
> Adam
>
>
> *Adam Lawson*
>  AQORN, Inc.
> 427 North Tatnall Street
> Ste. 58461
> Wilmington, Delaware 19801-2230
> Toll-free: (888) 406-7620
>
>
>
> On Fri, Apr 11, 2014 at 10:46 AM, Michael Hearn wrote:
>
>> With the imminent release of Icehouse and keystone federation are there
>> any documents (beta or otherwise) or personal notes that would help with
>> environment prerequisites, setup and configuration. Actually, anything
>> that would throw some light on how keystone could make use of an existing
>> LDAP/SAML infra would be graciously accepted
>>
Marek Dennis replied off-list (not sure why it wasn't on-list?), but
here's a quote from him:

  "There are no official docs yet, however I am working on them and
hopefully the first draft should be ready this week."

Hopefully that means we'll be able to update this thread with a link to
proper docs by the end of the week :)

>> Cheers in advance
>>
>> Mike.
>>


Re: [Openstack] [OSSA 2014-007] Potential context confusion in Keystone middleware (CVE-2014-0105)

2014-03-27 Thread Dolph Mathews
Peter Feiner from Gridcentric, Inc. deserves special mention for
independently reporting the same underlying error:

  https://bugs.launchpad.net/python-keystoneclient/+bug/1289074

He also suggested an approach to fix the error which closed the security
vulnerability as well. Thanks, Peter!

On Thu, Mar 27, 2014 at 10:00 AM, Tristan Cacqueray <
tristan.cacque...@enovance.com> wrote:

> OpenStack Security Advisory: 2014-007
> CVE: CVE-2014-0105
> Date: March 27, 2014
> Title: Potential context confusion in Keystone middleware
> Reporter: Kieran Spear (University of Melbourne)
> Products: python-keystoneclient
> Versions: All versions up to 0.6.0
>
> Description:
> Kieran Spear from the University of Melbourne reported a vulnerability
> in Keystone auth_token middleware (shipped in python-keystoneclient). By
> doing repeated requests, with sufficient load on the target system, an
> authenticated user may in certain situations assume another
> authenticated user's complete identity and multi-tenant authorizations,
> potentially resulting in a privilege escalation. Note that it is related
> to a bad interaction between eventlet and python-memcached that should
> be avoided if the calling process already monkey-patches "thread" to use
> eventlet. Only keystone middleware setups using auth_token with memcache
> are vulnerable.
>
> python-keystoneclient fix (included in 0.7.0 release):
> https://review.openstack.org/81078
>
> References:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0105
> https://bugs.launchpad.net/bugs/1282865
>
> --
> Tristan Cacqueray
> OpenStack Vulnerability Management Team
>
>
>
>


Re: [Openstack] python-keystoneclient 0.7.0 (and 0.7.1) released to PyPi

2014-03-27 Thread Dolph Mathews
On Thu, Mar 27, 2014 at 10:13 AM, Dolph Mathews wrote:

> Hello, everyone!
>
> python-keystoneclient 0.7.0 and 0.7.1 were both released in the past 24
> hours.
>
> v0.7.0 [1] contains a pair of critical fixes, one of which is security
> related. The highlights include:
>
> - Fixed a critical security vulnerability (OSSA 2014-007 [2]) as detailed
> in bug 1282865 [3] and patched in bug 1289074 [4]. Deploying
> keystoneclient.middleware.auth_token with memcached as the caching backend
> in an environment using an unpatched thread module (i.e. failing to call
> `eventlet.patcher.monkey_patch(thread=True)`) no longer results in
> authentication contexts being "confused" between simultaneous requests.
>
> - Fixed a race condition in keystoneclient.middleware.auth_token for PKI
> deployments resulting in spurious 401 Unauthorized responses being returned
> to end users (bug 1285833 [5]).
>
> - Fixed an issue that resulted in leaving hanging connections to keystone
> (bug 1282089)
>
> v0.7.1 [6] includes a workaround to allow the v3 Python library to work
> with deployments configured to advertise a v2.0-versioned identity endpoint
> in their service catalogs.
>
> Upgrading to the latest client is *strongly* recommended. As always, the
> latest client is available on PyPi [7].
>
> Thanks!
>

I just noticed that I numbered most of the links in the original footer
incorrectly, as there are two [2] links, resulting in the rest being off by
one.

The correct numbering as they correspond to the body:

[1] https://launchpad.net/python-keystoneclient/+milestone/0.7.0
[2] http://lists.openstack.org/pipermail/openstack/2014-March/006237.html
[3] https://bugs.launchpad.net/bugs/1282865
[4] https://bugs.launchpad.net/bugs/1289074
[5] https://bugs.launchpad.net/bugs/1285833
[6] https://launchpad.net/python-keystoneclient/+milestone/0.7.1
[7] https://pypi.python.org/pypi/python-keystoneclient/


[Openstack] python-keystoneclient 0.7.0 (and 0.7.1) released to PyPi

2014-03-27 Thread Dolph Mathews
Hello, everyone!

python-keystoneclient 0.7.0 and 0.7.1 were both released in the past 24
hours.

v0.7.0 [1] contains a pair of critical fixes, one of which is security
related. The highlights include:

- Fixed a critical security vulnerability (OSSA 2014-007 [2]) as detailed
in bug 1282865 [3] and patched in bug 1289074 [4]. Deploying
keystoneclient.middleware.auth_token with memcached as the caching backend
in an environment using an unpatched thread module (i.e. failing to call
`eventlet.patcher.monkey_patch(thread=True)`) no longer results in
authentication contexts being "confused" between simultaneous requests.

- Fixed a race condition in keystoneclient.middleware.auth_token for PKI
deployments resulting in spurious 401 Unauthorized responses being returned
to end users (bug 1285833 [5]).

- Fixed an issue that resulted in leaving hanging connections to keystone
(bug 1282089)

v0.7.1 [6] includes a workaround to allow the v3 Python library to work
with deployments configured to advertise a v2.0-versioned identity endpoint
in their service catalogs.

Upgrading to the latest client is *strongly* recommended. As always, the
latest client is available on PyPi [7].

Thanks!

[1] https://launchpad.net/python-keystoneclient/+milestone/0.7.0
[2] http://lists.openstack.org/pipermail/openstack/2014-March/006237.html
[2] https://bugs.launchpad.net/bugs/1282865
[3] https://bugs.launchpad.net/bugs/1289074
[4] https://bugs.launchpad.net/bugs/1285833
[5] https://launchpad.net/python-keystoneclient/+milestone/0.7.1
[6] https://pypi.python.org/pypi/python-keystoneclient/
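To make the failure mode behind OSSA 2014-007 concrete (the advisory's "context confusion" and the release note's remark about an unpatched thread module), here is an added illustration that is not code from python-keystoneclient, the advisory or the announcement. It is a deliberately simplified model: a cache client with a single reply slot is either shared by two cooperatively scheduled requests or created per request, and the scheduler, the in-memory cache and the token names are constructed for the example.

```python
from collections import deque


class SharedReplyConn:
    """Simplified memcache client with one reply slot per client object.

    Loosely models a client that was meant to be thread-local but is in
    fact shared by several green threads: the reply belongs to the client
    object, not to the request that issued the GET."""

    def __init__(self, store):
        self.store = store
        self.reply = None

    def send_get(self, key):
        self.reply = self.store.get(key)   # reply lands in the shared slot

    def recv(self):
        reply, self.reply = self.reply, None
        return reply


def handle_request(conn, token):
    """One auth_token request: look up the token's cached auth data.

    The yield models the green-thread switch while waiting on the cache
    socket; another request may use the same client object meanwhile."""
    conn.send_get(token)
    yield
    return conn.recv()


def run_concurrently(tasks):
    """Cooperative round-robin scheduler: each task advances one step per turn."""
    results, pending = {}, deque(tasks.items())
    while pending:
        name, gen = pending.popleft()
        try:
            next(gen)
        except StopIteration as done:
            results[name] = done.value     # the request's view of "who am I"
        else:
            pending.append((name, gen))
    return results


# Constructed sample cache contents: two authenticated users, one privileged.
CACHE = {"token-alice": {"user": "alice", "roles": ["member"]},
         "token-bob": {"user": "bob", "roles": ["admin"]}}


def simulate(shared_client):
    """Return {token: auth data seen by that request} for both scheduling modes."""
    one_conn = SharedReplyConn(CACHE)
    def make_conn():
        return one_conn if shared_client else SharedReplyConn(CACHE)
    return run_concurrently({t: handle_request(make_conn(), t) for t in CACHE})
```

With the shared client, alice's request reads the reply written by bob's request and is handed bob's admin identity; with one client per request each token resolves to its own user.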


[Openstack] python-keystoneclient v0.3.2 released

2013-08-22 Thread Dolph Mathews
python-keystoneclient v0.3.2 is now available on pypi [1].

This release notably includes Python lib support for managing & consuming
delegated authorization & impersonation via the Identity API v3 trusts
extension [2], along with numerous small improvements and bug fixes [3].

[1]: https://pypi.python.org/pypi/python-keystoneclient/
[2]:
https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3-os-trust-ext.md
[3]: https://launchpad.net/python-keystoneclient/+milestone/0.3.2

Thanks for your contributions, everyone!


-Dolph


[Openstack] Fwd: [keystone] Support domain-specific Identity Backends

2013-08-19 Thread Dolph Mathews
On Mon, Aug 19, 2013 at 6:09 PM, Miller, Mark M (EB SW Cloud - R&D -
Corvallis) wrote:

>  Hello Dolph,
>
> We have recently been looking for a way to access multiple LDAP servers
> from a single Keystone server. It looks like the code you just finished
> provides this functionality. Am I correct?
>

I assume you're referring to this blueprint:

  https://blueprints.launchpad.net/keystone/+spec/multiple-ldap-servers

Which was implemented in a commit by Henry Nash:

  https://review.openstack.org/#/c/39530/


> If so, do you have any sample configuration files that demonstrate how it
> is implemented?
>

The change in itself describes basic impact on configuration:

  https://review.openstack.org/#/c/39530/21/doc/source/configuration.rst

Subsequent doc work is being tracked against openstack-manuals:

  https://bugs.launchpad.net/openstack-manuals/+bug/1209255


>
> Regards,
>
> Mark Miller
>
>



-- 

-Dolph