Merge "Update docs for legacy keystone extensions"

Jenkins 2015-12-09 21:37:50 +00:00 committed by Gerrit Code Review
commit 239aa0ab75
6 changed files with 134 additions and 271 deletions


@ -113,8 +113,8 @@ The primary configuration file is organized into the following sections:
* ``[cache]`` - Caching layer configuration
* ``[catalog]`` - Service catalog driver configuration
* ``[credential]`` - Credential system driver configuration
* ``[endpoint_filter]`` - Endpoint filtering extension configuration
* ``[endpoint_policy]`` - Endpoint policy extension configuration
* ``[endpoint_filter]`` - Endpoint filtering configuration
* ``[endpoint_policy]`` - Endpoint policy configuration
* ``[eventlet_server]`` - Eventlet server configuration
* ``[eventlet_server_ssl]`` - Eventlet server SSL configuration
* ``[federation]`` - Federation driver configuration
@ -897,6 +897,35 @@ Another such example is `available in devstack
(files/default_catalog.templates)
<https://git.openstack.org/cgit/openstack-dev/devstack/tree/files/default_catalog.templates>`_.
Endpoint Filtering enables creation of ad-hoc catalogs for each project-scoped
token request.
Configure the endpoint filter catalog driver in the ``[catalog]`` section.
For example:
.. code-block:: ini
[catalog]
driver = catalog_sql
In the ``[endpoint_filter]`` section, set ``return_all_endpoints_if_no_filter``
to ``False`` to return an empty catalog if no associations are made.
For example:
.. code-block:: ini
[endpoint_filter]
return_all_endpoints_if_no_filter = False
See `API Specification for Endpoint Filtering <http://specs.openstack.org/
openstack/keystone-specs/api/v3/identity-api-v3-os-ep-filter-ext.html>`_ for
the details of API definition.
.. NOTE:: Support status for Endpoint Filtering
*Experimental* (Icehouse, Juno)
*Stable* (Kilo)
Logging
-------
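Review bot: The added Endpoint Filtering text starts directly after the devstack catalog-template link with no section title, while the features added further down in this file (Endpoint Policy, OAuth 1.0a, Revocation Events) each get an underlined heading; give it one so it appears in the table of contents and can be linked to. The paragraph on ``return_all_endpoints_if_no_filter`` says what ``False`` does but not what the default is, so an operator cannot tell from this text whether a project with no endpoint associations currently receives the full catalog; state the default next to the example. The driver value here is ``catalog_sql`` while the other drivers added in this change use ``driver = sql``; please confirm that is intended.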
@ -1053,6 +1082,109 @@ including the following in ``keystone.conf``:
[os_inherit]
enabled = True
See `API Specification for Inherit <http://specs.openstack.org/
openstack/keystone-specs/api/v3/identity-api-v3-os-inherit-ext.html>`_
for the details of API definition.
.. NOTE:: Support status for Inherit Role Assignment
*Experimental* (Havava, Icehouse)
*Stable* (Juno)
Endpoint Policy
---------------
The Endpoint Policy feature provides associations between service endpoints
and policies that are already stored in the Identity server and referenced
by a policy ID.
Configure the endpoint policy backend driver in the ``[endpoint_policy]``
section. For example:
.. code-block:: ini
[endpoint_policy]
driver = sql
See `API Specification for Endpoint Policy <http://specs.openstack.org/
openstack/keystone-specs/api/v3/identity-api-v3-os-endpoint-policy.html>`_
for the details of API definition.
.. NOTE:: Support status for Endpoint Policy
*Experimental* (Juno)
*Stable* (Kilo)
OAuth1 1.0a
-----------
The OAuth 1.0a feature provides the ability for Identity users to delegate
roles to third party consumers via the OAuth 1.0a specification.
To enable OAuth1:
1. Add the oauth1 driver to the ``[oauth1]`` section in ``keystone.conf``.
For example:
.. code-block:: ini
[oauth1]
driver = sql
2. Add the ``oauth1`` authentication method to the ``[auth]`` section in
``keystone.conf``:
.. code-block:: ini
[auth]
methods = external,password,token,oauth1
3. Optionally, if deploying under an HTTPD server (i.e. Apache), set the
`WSGIPassAuthorization` to allow the OAuth Authorization headers to pass
through `mod_wsgi`. For example, add the following to the keystone virtual
host file:
.. code-block:: ini
WSGIPassAuthorization On
See `API Specification for OAuth 1.0a <http://specs.openstack.org/openstack/
keystone-specs/api/v3/identity-api-v3-os-oauth1-ext.html>`_ for the details of
API definition.
.. NOTE:: Support status for OAuth 1.0a
*Experimental* (Havana, Icehouse)
*Stable* (Juno)
Revocation Events
-----------------
The Revocation Events feature provides a list of token revocations. Each event
expresses a set of criteria which describes a set of tokens that are
no longer valid.
Add the revoke backend driver to the ``[revoke]`` section in
``keystone.conf``. For example:
.. code-block:: ini
[revoke]
driver = sql
See `API Specification for Revocation Events <https://specs.openstack.org/
openstack/keystone-specs/api/v3/identity-api-v3-os-revoke-ext.html>`_ for
the details of API definition.
.. NOTE:: Support status for Revocation Events
*Experimental* (Juno)
*Stable* (Kilo)
Token Binding
-------------
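Review bot: "Havava" in the Inherit support-status note should be "Havana", as the OAuth 1.0a note in this same hunk spells it. The new section title "OAuth1 1.0a" does not match the "OAuth 1.0a" used in its body and spec link. In step 3 of the OAuth section, ``WSGIPassAuthorization On`` is an Apache directive, so ``.. code-block:: ini`` is the wrong lexer for it, and "(i.e. Apache)" should read "e.g.". The Revocation Events spec link uses https while the other spec links added here use http; pick one scheme.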


@ -43,99 +43,3 @@ Removal Process
It is not intended that functionality should stay in experimental for a long
period, functionality that stays `experimental` for more than **two** releases
would be expected to make a transition to either `stable` or `out-of-tree`.
Current Extensions
==================
------------------
Endpoint Filtering
------------------
The Endpoint Filtering extension enables creation of ad-hoc catalogs for each
project-scoped token request.
.. NOTE:: Support status for Endpoint Filtering
*Experimental* (Icehouse, Juno)
*Stable* (Kilo)
.. toctree::
:maxdepth: 1
extensions/endpoint_filter.rst
* `API Specification for Endpoint Filtering <http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-ep-filter-ext.html>`__
---------------
Endpoint Policy
---------------
The Endpoint Policy extension provides associations between service endpoints
and policies that are already stored in the Identity server and referenced by
a policy ID.
.. NOTE:: Support status for Endpoint Policy
*Experimental* (Juno)
*Stable* (Kilo)
.. toctree::
:maxdepth: 1
extensions/endpoint_policy.rst
* `API Specification for Endpoint Policy <http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-endpoint-policy.html>`__
-------
Inherit
-------
The Inherit extension provides the ability for projects to inherit role
assignments from their owning domain, or from projects higher in the
hierarchy.
.. NOTE:: Support status for Inherit
*Experimental* (Havava, Icehouse)
*Stable* (Juno)
* `API Specification for Inherit <http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-inherit-ext.html>`__
----------
OAuth 1.0a
----------
The OAuth 1.0a extension provides the ability for Identity users to delegate
roles to third party consumers via the OAuth 1.0a specification.
.. NOTE:: Support status for OAuth 1.0a
*Experimental* (Havana, Icehouse)
*Stable* (Juno)
.. toctree::
:maxdepth: 1
extensions/oauth1.rst
* `API Specification for OAuth 1.0a <http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-oauth1-ext.html>`__
-----------------
Revocation Events
-----------------
The Revocation Events extension provides a list of token revocations. Each
event expresses a set of criteria which describes a set of tokens that are
no longer valid.
.. NOTE:: Support status for Revocation Events
*Experimental* (Juno)
*Stable* (Kilo)
.. toctree::
:maxdepth: 1
extensions/revoke.rst
* `API Specification for Revocation Events <http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-revoke-ext.html>`__
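Review bot: With the whole "Current Extensions" section removed, nothing left in this hunk tells a reader who lands on this page where the five descriptions and support-status notes now live; add a one-line pointer to the configuration document. The Inherit description ("inherit role assignments from their owning domain, or from projects higher in the hierarchy") has no added counterpart in the visible configuration hunks, which add only the spec link and status note for Inherit, so check that it is not lost.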


@ -1,44 +0,0 @@
..
Copyright 2011-2013 OpenStack, Foundation
All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
======================================
Enabling the Endpoint Filter Extension
======================================
To enable the endpoint filter extension:
1. Add the endpoint filter extension catalog driver to the ``[catalog]`` section
in ``keystone.conf``. For example::
[catalog]
driver = catalog_sql
2. Add the ``endpoint_filter_extension`` filter to the ``api_v3`` pipeline in
``keystone-paste.ini``. This must be added after ``json_body`` and before
the last entry in the pipeline. For example::
[pipeline:api_v3]
pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension endpoint_filter_extension service_v3
3. Create the endpoint filter extension tables if using the provided sql backend. For example::
./bin/keystone-manage db_sync --extension endpoint_filter
4. Optionally, change ``return_all_endpoints_if_no_filter`` the ``[endpoint_filter]`` section
in ``keystone.conf`` to return an empty catalog if no associations are made. For example::
[endpoint_filter]
return_all_endpoints_if_no_filter = False
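Review bot: Steps 2 and 3 here (the ``endpoint_filter_extension`` entry in the ``api_v3`` pipeline and ``db_sync --extension endpoint_filter``) are deleted with no counterpart in the replacement text, which covers only the ``[catalog]`` driver and ``return_all_endpoints_if_no_filter``. If those steps are no longer required, say so in the new section or in a release note, because deployments that were set up from this page will still carry the filter in ``keystone-paste.ini``.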


@ -1,35 +0,0 @@
..
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
======================================
Enabling the Endpoint Policy Extension
======================================
To enable the endpoint policy extension:
1. Optionally, add the endpoint policy extension driver to the
``[endpoint_policy]`` section in ``keystone.conf``. For example::
[endpoint_policy]
driver = sql
2. Add the ``endpoint_policy_extension`` policy to the ``api_v3`` pipeline in
``keystone-paste.ini``. This must be added after ``json_body`` and before
the last entry in the pipeline. For example::
[pipeline:api_v3]
pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension service_v3 endpoint_policy_extension service_v3
3. Create the endpoint policy extension tables if using the provided SQL backend. For example::
./bin/keystone-manage db_sync --extension endpoint_policy
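Review bot: Step 1 marks the ``[endpoint_policy]`` driver as optional, but the replacement text ("Configure the endpoint policy backend driver ...") drops that qualifier, and the same happens for the ``[oauth1]`` and ``[revoke]`` drivers in the other deleted files. Keep "Optionally" or state the default value in the new sections so the setting does not read as mandatory.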


@ -1,49 +0,0 @@
..
Copyright 2011-2013 OpenStack, Foundation
All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
=============================
Enabling the OAuth1 Extension
=============================
To enable the OAuth1 extension:
1. Optionally, add the oauth1 extension driver to the ``[oauth1]`` section in ``keystone.conf``. For example::
[oauth1]
driver = sql
2. Add the ``oauth1`` authentication method to the ``[auth]`` section in ``keystone.conf``::
[auth]
methods = external,password,token,oauth1
3. Add the ``oauth1_extension`` filter to the ``api_v3`` pipeline in
``keystone-paste.ini``. This must be added after ``json_body`` and before
the last entry in the pipeline. For example::
[pipeline:api_v3]
pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension oauth1_extension service_v3
4. Create the OAuth1 extension tables if using the provided SQL backend. For example::
./bin/keystone-manage db_sync --extension oauth1
5. Optionally, if deploying under an HTTPD server (i.e. Apache), set the
`WSGIPassAuthorization` to allow the OAuth Authorization headers to
pass through `mod_wsgi`. For example, add the following to the Keystone
virtual host file::
WSGIPassAuthorization On


@ -1,45 +0,0 @@
..
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
=================================
Enabling the Revocation Extension
=================================
.. NOTE::
As of the Juno release, the example configuration files will have the
``OS-REVOKE`` extension enabled by default, thus it is not necessary to
perform steps 1 and 2.
Also, for new installations, the revocation extension tables are already
migrated, thus it is not necessary to perform steps 3.
1. Optionally, add the revoke extension driver to the ``[revoke]`` section
in ``keystone.conf``. For example::
[revoke]
driver = sql
2. Add the required ``filter`` to the ``pipeline`` in ``keystone-paste.ini``.
This must be added after ``json_body`` and before the last entry in the
pipeline. For example::
[filter:revoke_extension]
paste.filter_factory = keystone.contrib.revoke.routers:RevokeExtension.factory
[pipeline:api_v3]
pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension service_v3
3. Create the revocation extension tables if using the provided SQL backend.
For example::
./bin/keystone-manage db_sync --extension revoke
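Review bot: The NOTE at the top of this file (``OS-REVOKE`` enabled by default in the example configuration files as of Juno, and tables already migrated on new installations) is deleted, and the new Revocation Events section carries none of it. Keep one sentence of that context in the new section so operators upgrading from an older configuration know whether they still have anything to do.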