diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst index c1ef0754f9..31a79e50d8 100644 --- a/doc/source/configuration.rst +++ b/doc/source/configuration.rst @@ -113,8 +113,8 @@ The primary configuration file is organized into the following sections: * ``[cache]`` - Caching layer configuration * ``[catalog]`` - Service catalog driver configuration * ``[credential]`` - Credential system driver configuration -* ``[endpoint_filter]`` - Endpoint filtering extension configuration -* ``[endpoint_policy]`` - Endpoint policy extension configuration +* ``[endpoint_filter]`` - Endpoint filtering configuration +* ``[endpoint_policy]`` - Endpoint policy configuration * ``[eventlet_server]`` - Eventlet server configuration * ``[eventlet_server_ssl]`` - Eventlet server SSL configuration * ``[federation]`` - Federation driver configuration @@ -897,6 +897,35 @@ Another such example is `available in devstack (files/default_catalog.templates) `_. +Endpoint Filtering enables creation of ad-hoc catalogs for each project-scoped +token request. + +Configure the endpoint filter catalog driver in the ``[catalog]`` section. +For example: + +.. code-block:: ini + + [catalog] + driver = catalog_sql + +In the ``[endpoint_filter]`` section, set ``return_all_endpoints_if_no_filter`` +to ``False`` to return an empty catalog if no associations are made. +For example: + +.. code-block:: ini + + [endpoint_filter] + return_all_endpoints_if_no_filter = False + +See `API Specification for Endpoint Filtering `_ for +the details of API definition. + +.. NOTE:: Support status for Endpoint Filtering + + *Experimental* (Icehouse, Juno) + *Stable* (Kilo) + Logging ------- 
@@ -1053,6 +1082,109 @@ including the following in ``keystone.conf``: [os_inherit] enabled = True +See `API Specification for Inherit `_ +for the details of API definition. + + +.. NOTE:: Support status for Inherit Role Assignment + + *Experimental* (Havava, Icehouse) + *Stable* (Juno) + + +Endpoint Policy +--------------- + +The Endpoint Policy feature provides associations between service endpoints +and policies that are already stored in the Identity server and referenced +by a policy ID. + +Configure the endpoint policy backend driver in the ``[endpoint_policy]`` +section. For example: + +.. code-block:: ini + + [endpoint_policy] + driver = sql + +See `API Specification for Endpoint Policy `_ +for the details of API definition. + +.. NOTE:: Support status for Endpoint Policy + + *Experimental* (Juno) + *Stable* (Kilo) + + +OAuth1 1.0a +----------- + +The OAuth 1.0a feature provides the ability for Identity users to delegate +roles to third party consumers via the OAuth 1.0a specification. + +To enable OAuth1: + +1. Add the oauth1 driver to the ``[oauth1]`` section in ``keystone.conf``. +For example: + +.. code-block:: ini + + [oauth1] + driver = sql + +2. Add the ``oauth1`` authentication method to the ``[auth]`` section in +``keystone.conf``: + +.. code-block:: ini + + [auth] + methods = external,password,token,oauth1 + +3. Optionally, if deploying under an HTTPD server (i.e. Apache), set the +`WSGIPassAuthorization` to allow the OAuth Authorization headers to pass +through `mod_wsgi`. For example, add the following to the keystone virtual +host file: + +.. code-block:: ini + + WSGIPassAuthorization On + +See `API Specification for OAuth 1.0a `_ for the details of +API definition. + +.. NOTE:: Support status for OAuth 1.0a + + *Experimental* (Havana, Icehouse) + *Stable* (Juno) + + +Revocation Events +----------------- + +The Revocation Events feature provides a list of token revocations. 
Each event +expresses a set of criteria which describes a set of tokens that are +no longer valid. + +Add the revoke backend driver to the ``[revoke]`` section in +``keystone.conf``. For example: + +.. code-block:: ini + + [revoke] + driver = sql + +See `API Specification for Revocation Events `_ for +the details of API definition. + +.. NOTE:: Support status for Revocation Events + + *Experimental* (Juno) + *Stable* (Kilo) + Token Binding ------------- diff --git a/doc/source/extensions.rst b/doc/source/extensions.rst index 0a6b34a23a..4d171f05b7 100644 --- a/doc/source/extensions.rst +++ b/doc/source/extensions.rst 
@@ -43,99 +43,3 @@ Removal Process It is not intended that functionality should stay in experimental for a long period, functionality that stays `experimental` for more than **two** releases would be expected to make a transition to either `stable` or `out-of-tree`. - -Current Extensions -================== - ------------------- -Endpoint Filtering ------------------- - -The Endpoint Filtering extension enables creation of ad-hoc catalogs for each -project-scoped token request. - -.. NOTE:: Support status for Endpoint Filtering - - *Experimental* (Icehouse, Juno) - *Stable* (Kilo) - -.. toctree:: - :maxdepth: 1 - - extensions/endpoint_filter.rst - -* `API Specification for Endpoint Filtering `__ - ---------------- -Endpoint Policy ---------------- - -The Endpoint Policy extension provides associations between service endpoints -and policies that are already stored in the Identity server and referenced by -a policy ID. - -.. NOTE:: Support status for Endpoint Policy - - *Experimental* (Juno) - *Stable* (Kilo) - -.. toctree:: - :maxdepth: 1 - - extensions/endpoint_policy.rst - -* `API Specification for Endpoint Policy `__ - -------- -Inherit -------- - -The Inherit extension provides the ability for projects to inherit role -assignments from their owning domain, or from projects higher in the -hierarchy. - -.. NOTE:: Support status for Inherit - - *Experimental* (Havava, Icehouse) - *Stable* (Juno) - -* `API Specification for Inherit `__ - ----------- -OAuth 1.0a ----------- - -The OAuth 1.0a extension provides the ability for Identity users to delegate -roles to third party consumers via the OAuth 1.0a specification. - -.. NOTE:: Support status for OAuth 1.0a - - *Experimental* (Havana, Icehouse) - *Stable* (Juno) - -.. toctree:: - :maxdepth: 1 - - extensions/oauth1.rst - -* `API Specification for OAuth 1.0a `__ - ------------------ -Revocation Events ------------------ - -The Revocation Events extension provides a list of token revocations. 
Each -event expresses a set of criteria which describes a set of tokens that are -no longer valid. - -.. NOTE:: Support status for Revocation Events - - *Experimental* (Juno) - *Stable* (Kilo) - -.. toctree:: - :maxdepth: 1 - - extensions/revoke.rst - -* `API Specification for Revocation Events `__ diff --git a/doc/source/extensions/endpoint_filter.rst b/doc/source/extensions/endpoint_filter.rst deleted file mode 100644 index 4ab194b809..0000000000 --- a/doc/source/extensions/endpoint_filter.rst +++ /dev/null 
@@ -1,44 +0,0 @@ -.. - Copyright 2011-2013 OpenStack, Foundation - All Rights Reserved. - - Licensed under the Apache License, Version 2.0 (the "License"); you may - not use this file except in compliance with the License. You may obtain - a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the - License for the specific language governing permissions and limitations - under the License. - -====================================== -Enabling the Endpoint Filter Extension -====================================== - -To enable the endpoint filter extension: - -1. Add the endpoint filter extension catalog driver to the ``[catalog]`` section - in ``keystone.conf``. For example:: - - [catalog] - driver = catalog_sql - -2. Add the ``endpoint_filter_extension`` filter to the ``api_v3`` pipeline in - ``keystone-paste.ini``. This must be added after ``json_body`` and before - the last entry in the pipeline. For example:: - - [pipeline:api_v3] - pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension endpoint_filter_extension service_v3 - -3. Create the endpoint filter extension tables if using the provided sql backend. For example:: - - ./bin/keystone-manage db_sync --extension endpoint_filter - -4. Optionally, change ``return_all_endpoints_if_no_filter`` the ``[endpoint_filter]`` section - in ``keystone.conf`` to return an empty catalog if no associations are made. For example:: - - [endpoint_filter] - return_all_endpoints_if_no_filter = False diff --git a/doc/source/extensions/endpoint_policy.rst b/doc/source/extensions/endpoint_policy.rst deleted file mode 100644 index ad403d5065..0000000000 
--- a/doc/source/extensions/endpoint_policy.rst +++ /dev/null @@ -1,35 +0,0 @@ -.. - Licensed under the Apache License, Version 2.0 (the "License"); you may - not use this file except in compliance with the License. You may obtain - a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the - License for the specific language governing permissions and limitations - under the License. - -====================================== -Enabling the Endpoint Policy Extension -====================================== - -To enable the endpoint policy extension: - -1. Optionally, add the endpoint policy extension driver to the - ``[endpoint_policy]`` section in ``keystone.conf``. For example:: - - [endpoint_policy] - driver = sql - -2. Add the ``endpoint_policy_extension`` policy to the ``api_v3`` pipeline in - ``keystone-paste.ini``. This must be added after ``json_body`` and before - the last entry in the pipeline. For example:: - - [pipeline:api_v3] - pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension service_v3 endpoint_policy_extension service_v3 - -3. Create the endpoint policy extension tables if using the provided SQL backend. For example:: - - ./bin/keystone-manage db_sync --extension endpoint_policy diff --git a/doc/source/extensions/oauth1.rst b/doc/source/extensions/oauth1.rst deleted file mode 100644 index 29955d7415..0000000000 --- a/doc/source/extensions/oauth1.rst +++ /dev/null 
@@ -1,49 +0,0 @@ -.. - Copyright 2011-2013 OpenStack, Foundation - All Rights Reserved. - - Licensed under the Apache License, Version 2.0 (the "License"); you may - not use this file except in compliance with the License. You may obtain - a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the - License for the specific language governing permissions and limitations - under the License. - -============================= -Enabling the OAuth1 Extension -============================= - -To enable the OAuth1 extension: - -1. Optionally, add the oauth1 extension driver to the ``[oauth1]`` section in ``keystone.conf``. For example:: - - [oauth1] - driver = sql - -2. Add the ``oauth1`` authentication method to the ``[auth]`` section in ``keystone.conf``:: - - [auth] - methods = external,password,token,oauth1 - -3. Add the ``oauth1_extension`` filter to the ``api_v3`` pipeline in - ``keystone-paste.ini``. This must be added after ``json_body`` and before - the last entry in the pipeline. For example:: - - [pipeline:api_v3] - pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension oauth1_extension service_v3 - -4. Create the OAuth1 extension tables if using the provided SQL backend. For example:: - - ./bin/keystone-manage db_sync --extension oauth1 - -5. Optionally, if deploying under an HTTPD server (i.e. Apache), set the - `WSGIPassAuthorization` to allow the OAuth Authorization headers to - pass through `mod_wsgi`. For example, add the following to the Keystone - virtual host file:: - - WSGIPassAuthorization On 
diff --git a/doc/source/extensions/revoke.rst b/doc/source/extensions/revoke.rst deleted file mode 100644 index a89e359d1f..0000000000 --- a/doc/source/extensions/revoke.rst +++ /dev/null @@ -1,45 +0,0 @@ - .. - Licensed under the Apache License, Version 2.0 (the "License"); you may - not use this file except in compliance with the License. You may obtain - a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the - License for the specific language governing permissions and limitations - under the License. - -================================= -Enabling the Revocation Extension -================================= - -.. NOTE:: - - As of the Juno release, the example configuration files will have the - ``OS-REVOKE`` extension enabled by default, thus it is not necessary to - perform steps 1 and 2. - Also, for new installations, the revocation extension tables are already - migrated, thus it is not necessary to perform steps 3. - -1. Optionally, add the revoke extension driver to the ``[revoke]`` section - in ``keystone.conf``. For example:: - - [revoke] - driver = sql - -2. Add the required ``filter`` to the ``pipeline`` in ``keystone-paste.ini``. - This must be added after ``json_body`` and before the last entry in the - pipeline. For example:: - - [filter:revoke_extension] - paste.filter_factory = keystone.contrib.revoke.routers:RevokeExtension.factory - - [pipeline:api_v3] - pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension service_v3 - -3. Create the revocation extension tables if using the provided SQL backend. - For example:: - - ./bin/keystone-manage db_sync --extension revoke
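Review bot: In the configuration.rst hunk at ``@@ -897,6 +897,35 @@``, the added Endpoint Filtering text has no section heading. It starts directly after the devstack catalog template paragraph and runs up to ``Logging``, while Endpoint Policy, OAuth1 and Revocation Events each get a titled section in the next hunk. Please add an "Endpoint Filtering" heading in the same underline style. The paragraph on ``return_all_endpoints_if_no_filter`` also only says what ``False`` does. State the default value and what catalog a project with no associations receives under that default, since that setting decides which endpoints a project-scoped token lists.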
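Review bot: In the configuration.rst hunk at ``@@ -1053,6 +1082,109 @@``, the continuation lines of the OAuth1 numbered steps ("For example:", "``keystone.conf``:", and the three lines after "3. Optionally, ...") are not indented under their list items, so the list breaks after each first line and the code blocks fall outside the steps. Indent them as the deleted oauth1.rst did. In the same hunk, the section title reads "OAuth1 1.0a" where the body and the note say "OAuth 1.0a", the Inherit note carries over the typo "Havava" for Havana, and ``WSGIPassAuthorization On`` is an Apache directive placed under ``.. code-block:: ini``, so a different highlight language or a plain literal block would be more accurate.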
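Review bot: Across the four deleted files under doc/source/extensions/, the steps that add the ``*_extension`` filter to the ``api_v3`` pipeline in ``keystone-paste.ini`` and run ``keystone-manage db_sync --extension ...`` are removed with no counterpart in the new configuration.rst text. If those steps are no longer needed, say so in the commit message or in configuration.rst so that operators with an existing ``keystone-paste.ini`` know whether the old pipeline entries should stay or go. The removed text also introduced the ``[endpoint_policy]``, ``[oauth1]`` and ``[revoke]`` driver settings with "Optionally", which the new text replaces with "Configure" and "Add". Please confirm whether setting ``driver = sql`` is now required or still optional, and word the new sections to match.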