Merge remote-tracking branch 'origin/master' into feature/hierarchical-multitenancy

Change-Id: I7e27d042575609e4107764c1ff2e1048e5a14a02
changes/76/129376/1
Morgan Fainberg 8 years ago
commit 6f806bdc9b
  1. 494
      doc/source/cli_examples.rst
  2. 165
      doc/source/configuration.rst
  3. 86
      doc/source/configuringservices.rst
  4. 4
      doc/source/extensions/shibboleth.rst
  5. 29
      etc/keystone.conf.sample
  6. 40
      etc/policy.v3cloudsample.json
  7. 4
      keystone/auth/controllers.py
  8. 8
      keystone/auth/plugins/mapped.py
  9. 9
      keystone/catalog/backends/templated.py
  10. 47
      keystone/common/cache/_memcache_pool.py
  11. 2
      keystone/common/cache/backends/mongo.py
  12. 2
      keystone/common/cache/core.py
  13. 27
      keystone/common/config.py
  14. 2
      keystone/common/kvs/core.py
  15. 2
      keystone/common/manager.py
  16. 2
      keystone/common/sql/core.py
  17. 3
      keystone/common/sql/migrate_repo/versions/042_endpoint_enabled.py
  18. 3
      keystone/common/sql/migrate_repo/versions/044_service_enabled.py
  19. 4
      keystone/common/sql/migration_helpers.py
  20. 2
      keystone/common/utils.py
  21. 4
      keystone/common/wsgi.py
  22. 1
      keystone/config.py
  23. 2
      keystone/contrib/ec2/controllers.py
  24. 3
      keystone/contrib/federation/backends/sql.py
  25. 2
      keystone/contrib/federation/idp.py
  26. 2
      keystone/contrib/oauth1/backends/sql.py
  27. 2
      keystone/contrib/oauth1/controllers.py
  28. 2
      keystone/controllers.py
  29. 3
      keystone/credential/controllers.py
  30. 2
      keystone/identity/core.py
  31. 2
      keystone/middleware/core.py
  32. 2
      keystone/tests/core.py
  33. 23
      keystone/tests/fakeldap.py
  34. 6
      keystone/tests/ksfixtures/hacking.py
  35. 2
      keystone/tests/rest.py
  36. 23
      keystone/tests/test_backend_kvs.py
  37. 2
      keystone/tests/test_exception.py
  38. 2
      keystone/tests/test_keystoneclient.py
  39. 2
      keystone/tests/test_middleware.py
  40. 36
      keystone/tests/test_sql_migrate_extensions.py
  41. 10
      keystone/tests/test_v3.py
  42. 2
      keystone/tests/test_v3_federation.py
  43. 3
      keystone/tests/test_v3_filters.py
  44. 2
      keystone/tests/test_v3_oauth1.py
  45. 3
      keystone/tests/test_v3_protection.py
  46. 2
      keystone/tests/test_versions.py
  47. 2
      keystone/tests/test_wsgi.py
  48. 4
      keystone/token/backends/__init__.py
  49. 2
      keystone/token/controllers.py
  50. 2
      keystone/token/providers/common.py
  51. 2
      keystone/token/providers/pki.py
  52. 2
      keystone/token/providers/pkiz.py
  53. 121
      keystone/trust/backends/kvs.py
  54. 2
      openstack-common.conf
  55. 1
      requirements.txt
  56. 2
      test-requirements-py3.txt
  57. 2
      test-requirements.txt

@ -18,15 +18,495 @@
Command Line Interface Examples
===============================
The Keystone command line interface packaged in `python-keystoneclient`_ only
supports the Identity v2.0 API. The OpenStack common command line interface
packaged in `python-openstackclient`_ supports both v2.0 and v3 APIs.
.. NOTE::
As of the Juno release, it is recommended to use ``python-openstackclient``,
as it suports both v2.0 and v3 APIs. For the purpose of backwards compatibility,
the CLI packaged in ``python-keystoneclient`` is not being removed.
.. _`python-openstackclient`: http://docs.openstack.org/developer/python-openstackclient/
.. _`python-keystoneclient`: http://docs.openstack.org/developer/python-keystoneclient/
Using python-openstackclient (v3)
=================================
Note that if using ``python-openstackclient`` for v3 commands, the following
environment variables must be updated:
.. code-block:: bash
$ export OS_IDENTITY_API_VERSION=3 (Defaults to 2.0)
$ export OS_AUTH_URL=http://localhost:5000/v3
Since Identity API v3 authentication is a bit more complex, there are additional
options that may be set, either as command options or environment variables.
The most common case will be a user supplying both user name and password, along
with the project name; previously in v2.0 this would be sufficient, but since
Identity API v3 has a ``Domain`` component, we need to tell the client in which
domain the user and project exists.
If using a project name as authorization scope, set either of these:
* ``--os-project-domain-name OS_PROJECT_DOMAIN_NAME`` Domain name of the project
which is the requested project-level authorization scope
* ``--os-project-domain-id OS_PROJECT_DOMAIN_ID`` Domain ID of the project which
is the requested project-level authorization scope
Note, if using a project ID as authorization scope, then it is not required to
set ``OS_PROJECT_DOMAIN_NAME`` or ``OS_PROJECT_DOMAIN_ID``, the project ID is
sufficient.
If using user name and password, set either of these:
* ``--os-user-domain-name OS_USER_DOMAIN_NAME`` Domain name of the user
* ``--os-user-domain-id OS_USER_DOMAIN_ID`` Domain ID of the user
If using a domain as authorization scope, set either of these:
* ``--os-domain-name OS_DOMAIN_NAME``: Domain name of the requested domain-level
authorization scope
* ``--os-domain-id OS_DOMAIN_ID``: Domain ID of the requested domain-level
authorization scope
In the examples below, the following are set:
.. code-block:: bash
$ export OS_IDENTITY_API_VERSION=3
$ export OS_AUTH_URL=http://localhost:5000/v3
$ export OS_PROJECT_DOMAIN_ID=default
$ export OS_USER_DOMAIN_ID=default
$ export OS_USERNAME=admin
$ export OS_PASSWORD=openstack
$ export OS_PROJECT_NAME=admin
--------
Projects
--------
``project create``
------------------
positional arguments::
<project-name> New project name
optional arguments::
--description <project-description> New project description
--domain <project-domain> Domain owning the project (name or ID)
--enable Enable project (default)
--disable Disable project
example:
.. code-block:: bash
$ openstack project create heat-project --domain heat
Other commands
--------------
.. code-block:: bash
$ openstack project delete
$ openstack project list
$ openstack project set
$ openstack project show
-----
Users
-----
``user create``
---------------
positional arguments::
<user-name> New user name
optional arguments::
--password <user-password> New user password
--password-prompt Prompt interactively for password
--email <user-email> New user email address
--project <project> Set default project (name or ID)
--domain <domain> New default domain name or ID
--enable Enable user (default)
--disable Disable user
example:
.. code-block:: bash
$ openstack user create heat-user \
--password secrete \
--domain heat \
--project demo \
--email admin@example.com
Other commands
--------------
.. code-block:: bash
$ openstack user delete
$ openstack user list
$ openstack user set
$ openstack user show
------
Groups
------
``group create``
----------------
positional arguments::
<group-name> New group name
optional arguments::
--description <group-description> New group description
--domain <group-domain> References the domain ID or name which owns the group
example:
.. code-block:: bash
$ openstack group create heat-group --domain heat
Other commands
--------------
.. code-block:: bash
$ openstack group delete
$ openstack group list
$ openstack group set
$ openstack group show
-------
Tenants
Domains
-------
Tenants are the high level grouping within Keystone that represent groups of
users. A tenant is the grouping that owns virtual machines within Nova, or
containers within Swift. A tenant can have zero or more users, Users can be
associated with more than one tenant, and each tenant - user pairing can have
a role associated with it.
``domain create``
-----------------
positional arguments::
<domain-name> New domain name
optional arguments::
--description <domain-description> New domain description
--enable Enable domain
--disable Disable domain
example:
.. code-block:: bash
$ openstack domain create heat --description "Heat domain for heat users"
Other commands
--------------
.. code-block:: bash
$ openstack domain delete
$ openstack domain list
$ openstack domain set
$ openstack domain show
Using python-openstackclient (v2.0)
===================================
--------
Projects
--------
``project create``
------------------
positional arguments::
<project-name> New project name
optional arguments::
--description <project-description> New project description
--enable Enable project (default)
--disable Disable project
example:
.. code-block:: bash
$ openstack project create demo
``project delete``
------------------
positional arguments::
<project> Project to delete (name or ID)
example:
.. code-block:: bash
$ openstack project delete demo
-----
Users
-----
``user create``
---------------
positional arguments::
<user-name> New user name
optional arguments::
--password <user-password> New user password
--password-prompt Prompt interactively for password
--email <user-email> New user email address
--project <project> Set default project (name or ID)
--enable Enable user (default)
--disable Disable user
example:
.. code-block:: bash
$ openstack user create heat-user \
--password secrete \
--project demo \
--email admin@example.com
``user delete``
---------------
positional arguments::
<user> User to delete (name or ID)
example:
.. code-block:: bash
$ openstack user delete heat-user
``user list``
-------------
optional arguments::
--project <project> Filter users by project (name or ID)
--long List additional fields in output
example:
.. code-block:: bash
$ openstack user list
``user set``
------------
positional arguments::
<user> User to change (name or ID)
optional arguments::
--name <new-user-name> New user name
--password <user-password> New user password
--password-prompt Prompt interactively for password
--email <user-email> New user email address
--project <project> New default project (name or ID)
--enable Enable user (default)
--disable Disable user
example:
.. code-block:: bash
$ openstack user set heat-user --email newemail@example.com
-----
Roles
-----
``role create``
---------------
positional arguments::
<role-name> New role name
example:
.. code-block:: bash
$ openstack role create demo
``role delete``
---------------
positional arguments::
<role> Name or ID of role to delete
example:
.. code-block:: bash
$ openstack role delete demo
``role list``
-------------
example:
.. code-block:: bash
$ openstack role list
``role show``
-------------
positional arguments::
<role> Name or ID of role to display
example:
.. code-block:: bash
$ openstack role show demo
``role add``
------------
positional arguments::
<role> Role name or ID to add to user
optional arguments::
--project <project> Include project (name or ID)
--user <user> Name or ID of user to include
example:
.. code-block:: bash
$ openstack user role add demo --user heat-user --project heat
``role remove``
---------------
positional arguments::
<role> Role name or ID to remove from user
optional arguments::
--project <project> Project to include (name or ID)
--user <user> Name or ID of user
example:
.. code-block:: bash
$ openstack user role remove demo --user heat-user --project heat
--------
Services
--------
``service create``
------------------
positional arguments::
<service-name> New service name
optional arguments::
--type <service-type> New service type (compute, image, identity, volume, etc)
--description <service-description> New service description
example:
.. code-block:: bash
$ openstack service create nova --type compute --description "Nova Compute Service"
``service list``
----------------
optional arguments::
--long List additional fields in output
example:
.. code-block:: bash
$ openstack service list
``service show``
----------------
positional arguments::
<service> Service to display (type, name or ID)
example:
.. code-block:: bash
$ openstack service show nova
``service delete``
------------------
positional arguments::
<service> Service to delete (name or ID)
example:
.. code-block:: bash
$ openstack service delete nova
Using python-keystoneclient (v2.0)
==================================
-------
Tenants
-------
``tenant-create``
-----------------
@ -112,7 +592,7 @@ example:
$ keystone user-list
``user-update``
---------------
---------------------
arguments

@ -315,28 +315,27 @@ configuration option.
The drivers Keystone provides are:
* ``keystone.token.persistence.backends.memcache_pool.Token`` - The pooled memcached
token persistence engine. This backend supports the concept of pooled memcache
client object (allowing for the re-use of the client objects). This backend has
a number of extra tunable options in the ``[memcache]`` section of the config.
* ``keystone.token.persistence.backends.sql.Token`` - The SQL-based (default)
token persistence engine. This backend stores all token data in the same SQL
store that is used for Identity/Assignment/etc.
token persistence engine.
* ``keystone.token.persistence.backends.memcache.Token`` - The memcached based
token persistence backend. This backend relies on ``dogpile.cache`` and stores
the token data in a set of memcached servers. The servers urls are specified
the token data in a set of memcached servers. The servers URLs are specified
in the ``[memcache]\servers`` configuration option in the Keystone config.
* ``keystone.token.persistence.backends.memcache_pool.Token`` - The pooled memcached
token persistence engine. This backend supports the concept of pooled memcache
client object (allowing for the re-use of the client objects). This backend has
a number of extra tunable options in the ``[memcache]`` section of the config.
.. WARNING::
It is recommended you use the ``keystone.token.persistence.backend.memcache_pool.Token``
backend instead of ``keystone.token.persistence.backend.memcache.Token`` as the token
persistence driver if you are deploying Keystone under eventlet instead of
Apache + mod_wsgi. This recommendation are due to known issues with the use of
``thread.local`` under eventlet that can allow the leaking of memcache client objects
and consumption of extra sockets.
Apache + mod_wsgi. This recommendation is due to known issues with the
use of ``thread.local`` under eventlet that can allow the leaking of
memcache client objects and consumption of extra sockets.
Token Provider
@ -650,9 +649,9 @@ To build your service catalog using this driver, see the built-in help:
.. code-block:: bash
$ keystone
$ keystone help service-create
$ keystone help endpoint-create
$ openstack --help
$ openstack help service create
$ openstack help endpoint create
You can also refer to `an example in Keystone (tools/sample_data.sh)
<https://github.com/openstack/keystone/blob/master/tools/sample_data.sh>`_.
@ -666,8 +665,7 @@ service catalog will not change very much over time.
.. NOTE::
Attempting to manage your service catalog using keystoneclient commands
(e.g. ``keystone endpoint-create``) against this driver will result in
Attempting to change your service catalog against this driver will result in
``HTTP 501 Not Implemented`` errors. This is the expected behavior. If you
want to use these commands, you must instead use the SQL-based Service
Catalog driver.
@ -1014,12 +1012,12 @@ Ensure that your ``keystone.conf`` is configured to use a SQL driver:
[identity]
driver = keystone.identity.backends.sql.Identity
You may also want to configure your ``[sql]`` settings to better reflect your
You may also want to configure your ``[database]`` settings to better reflect your
environment:
.. code-block:: ini
[sql]
[database]
connection = sqlite:///keystone.db
idle_timeout = 200
@ -1038,23 +1036,19 @@ You should now be ready to initialize your new database without error, using:
$ keystone-manage db_sync
To test this, you should now be able to start ``keystone-all`` and use the
Keystone Client to list your tenants (which should successfully return an
OpenStack Client to list your projects (which should successfully return an
empty list from your new database):
.. code-block:: bash
$ keystone --os-token ADMIN --os-endpoint http://127.0.0.1:35357/v2.0/ tenant-list
+----+------+---------+
| id | name | enabled |
+----+------+---------+
+----+------+---------+
$ openstack --os-token ADMIN --os-url http://127.0.0.1:35357/v2.0/ project list
.. NOTE::
We're providing the default OS_SERVICE_TOKEN and OS_SERVICE_ENDPOINT values
from ``keystone.conf`` to connect to the Keystone service. If you changed
those values, or deployed Keystone to a different endpoint, you will need
to change the provided command accordingly.
We're providing the default OS_TOKEN and OS_URL values from ``keystone.conf``
to connect to the Keystone service. If you changed those values, or deployed
Keystone to a different endpoint, you will need to change the provided
command accordingly.
Initializing Keystone
=====================
@ -1079,12 +1073,29 @@ prevents unauthorized users from spuriously signing tokens.
be running the Keystone service to ensure proper ownership for the private key
file and the associated certificates.
Adding Users, Tenants, and Roles with python-keystoneclient
===========================================================
Adding Users, Projects, and Roles via Command Line Interfaces
=============================================================
Users, tenants, and roles must be administered using admin credentials.
There are two ways to configure ``python-keystoneclient`` to use admin
credentials, using the either an existing token or password credentials.
Keystone APIs are protected by the rules in the policy file. The default policy
rules require admin credentials to administer ``users``, ``projects``, and
``roles``. See section `Keystone API protection with Role Based Access Control (RBAC)`_
for more details on policy files.
The Keystone command line interface packaged in `python-keystoneclient`_ only
supports the Identity v2.0 API. The OpenStack common command line interface
packaged in `python-openstackclient`_ supports both v2.0 and v3 APIs.
With both command line interfaces there are two ways to configure the client to
use admin credentials, using either an existing token or password credentials.
.. NOTE::
As of the Juno release, it is recommended to use ``python-openstackclient``,
as it supports both v2.0 and v3 APIs. For the purpose of backwards compatibility,
the CLI packaged in ``python-keystoneclient`` is not being removed.
.. _`python-openstackclient`: http://docs.openstack.org/developer/python-openstackclient/
.. _`python-keystoneclient`: http://docs.openstack.org/developer/python-keystoneclient/
Authenticating with a Token
---------------------------
@ -1094,11 +1105,11 @@ Authenticating with a Token
If your Keystone deployment is brand new, you will need to use this
authentication method, along with your ``[DEFAULT] admin_token``.
To use Keystone with a token, set the following flags:
To authenticate with Keystone using a token and ``python-openstackclient``, set
the following flags.
* ``--os-endpoint OS_SERVICE_ENDPOINT``: allows you to specify the Keystone endpoint
to communicate with. The default endpoint is ``http://localhost:35357/v2.0``
* ``--os-token OS_SERVICE_TOKEN``: your service token
* ``--os-url OS_URL``: Keystone endpoint the user communicates with
* ``--os-token OS_TOKEN``: User's service token
To administer a Keystone endpoint, your token should be either belong to a user
with the ``admin`` role, or, if you haven't created one yet, should be equal to
@ -1109,20 +1120,27 @@ to be passed as arguments each time:
.. code-block:: bash
$ export OS_SERVICE_ENDPOINT=http://localhost:35357/v2.0
$ export OS_SERVICE_TOKEN=ADMIN
$ export OS_URL=http://localhost:35357/v2.0
$ export OS_TOKEN=ADMIN
Instead of ``python-openstackclient``, if using ``python-keystoneclient``,
set the following:
* ``--os-endpoint OS_SERVICE_ENDPOINT``: equivalent to ``--os-url OS_URL``
* ``--os-service-token OS_SERVICE_TOKEN``: equivalent to ``--os-token OS_TOKEN``
Authenticating with a Password
------------------------------
To administer a Keystone endpoint, the following user referenced below should
To authenticate with Keystone using a password and ``python-openstackclient``, set
the following flags, note that the following user referenced below should
be granted the ``admin`` role.
* ``--os_username OS_USERNAME``: Name of your user
* ``--os_password OS_PASSWORD``: Password for your user
* ``--os_tenant_name OS_TENANT_NAME``: Name of your tenant
* ``--os_auth_url OS_AUTH_URL``: URL of your Keystone auth server, e.g.
``http://localhost:35357/v2.0``
* ``--os-username OS_USERNAME``: Name of your user
* ``--os-password OS_PASSWORD``: Password for your user
* ``--os-project-name OS_PROJECT_NAME``: Name of your project
* ``--os-auth-url OS_AUTH_URL``: URL of the Keystone authentication server
You can also set these variables in your environment so that they do not need
to be passed as arguments each time:
@ -1131,42 +1149,55 @@ to be passed as arguments each time:
$ export OS_USERNAME=my_username
$ export OS_PASSWORD=my_password
$ export OS_TENANT_NAME=my_tenant
$ export OS_PROJECT_NAME=my_project
$ export OS_AUTH_URL=http://localhost:35357/v2.0
If using ``python-keystoneclient``, set the following instead:
* ``--os-tenant-name OS_TENANT_NAME``: equivalent to ``--os-project-name OS_PROJECT_NAME``
Example usage
-------------
``keystone`` is set up to expect commands in the general form of
``keystone`` ``command`` ``argument``, followed by flag-like keyword arguments to
provide additional (often optional) information. For example, the command
``user-list`` and ``tenant-create`` can be invoked as follows:
``python-openstackclient`` is set up to expect commands in the general form of:
.. code-block:: bash
$ openstack [<global-options>] <object-1> <action> [<object-2>] [<command-arguments>]
For example, the commands ``user list`` and ``project create`` can be invoked
as follows:
.. code-block:: bash
# Using token auth env variables
$ export OS_SERVICE_ENDPOINT=http://127.0.0.1:35357/v2.0/
$ export OS_SERVICE_TOKEN=secrete_token
$ keystone user-list
$ keystone tenant-create --name=demo
# Using token authentication, with environment variables
$ export OS_URL=http://127.0.0.1:35357/v2.0/
$ export OS_TOKEN=secrete_token
$ openstack user list
$ openstack project create demo
# Using token auth flags
$ keystone --os-token=secrete --os-endpoint=http://127.0.0.1:35357/v2.0/ user-list
$ keystone --os-token=secrete --os-endpoint=http://127.0.0.1:35357/v2.0/ tenant-create --name=demo
# Using token authentication, with flags
$ openstack --os-token=secrete --os-url=http://127.0.0.1:35357/v2.0/ user list
$ openstack --os-token=secrete --os-url=http://127.0.0.1:35357/v2.0/ project create demo
# Using user + password + tenant_name env variables
# Using password authentication, with environment variables
$ export OS_USERNAME=admin
$ export OS_PASSWORD=secrete
$ export OS_TENANT_NAME=admin
$ keystone user-list
$ keystone tenant-create --name=demo
$ export OS_PROJECT_NAME=admin
$ export OS_AUTH_URL=http://localhost:35357/v2.0
$ openstack user list
$ openstack project create demo
# Using user + password + tenant_name flags
$ keystone --os_username=admin --os_password=secrete --os_tenant_name=admin user-list
$ keystone --os_username=admin --os_password=secrete --os_tenant_name=admin tenant-create --name=demo
# Using password authentication, with flags
$ openstack --os-username=admin --os-password=secrete --os-project-name=admin --os-auth-url=http://localhost:35357/v2.0 user list
$ openstack --os-username=admin --os-password=secrete --os-project-name=admin --os-auth-url=http://localhost:35357/v2.0 project create demo
For additional examples refer to `CLI Examples`_.
For additional examples using ``python-keystoneclient`` refer to `python-keystoneclient examples`_,
likewise, for additional examples using ``python-openstackclient``, refer to `python-openstackclient examples`_.
.. _`CLI Examples`: cli_examples.html
.. _`python-keystoneclient examples`: cli_examples.html#using-python-keystoneclient-v2-0
.. _`python-openstackclient examples`: cli_examples.html#using-python-openstackclient-v3
Removing Expired Tokens

@ -32,7 +32,7 @@ In general:
* The Keystone middleware will look for and validate that token, taking the
appropriate action.
* It will also retrieve additional information from the token such as user
name, id, tenant name, id, roles, etc...
name, user id, project name, project id, roles, etc...
The middleware will pass those data down to the service as headers. More
details on the architecture of that setup is described in
@ -57,10 +57,10 @@ represent a user, and carries no explicit authorization.
To disable in production (highly recommended), remove AdminTokenAuthMiddleware
from your paste application pipelines (for example, in keystone-paste.ini)
Setting up tenants, users, and roles
------------------------------------
Setting up projects, users, and roles
-------------------------------------
You need to minimally define a tenant, user, and role to link the tenant and
You need to minimally define a project, user, and role to link the project and
user as the most basic set of details to get other services authenticating
and authorizing with Keystone.
@ -69,7 +69,7 @@ be able to use to authenticate users against Keystone. The ``auth_token``
middleware supports using either the shared secret described above as
`admin_token` or users for each service.
See :doc:`configuration` for a walk through on how to create tenants, users,
See :doc:`configuration` for a walk through on how to create projects, users,
and roles.
Setting up services
@ -79,53 +79,44 @@ Creating Service Users
----------------------
To configure the OpenStack services with service users, we need to create
a tenant for all the services, and then users for each of the services. We
then assign those service users an Admin role on the service tenant. This
allows them to validate tokens - and authenticate and authorize other user
a project for all the services, and then users for each of the services. We
then assign those service users an ``admin`` role on the service project. This
allows them to validate tokens - and to authenticate and authorize other user
requests.
Create a tenant for the services, typically named 'service' (however, the
Create a project for the services, typically named ``service`` (however, the
name can be whatever you choose):
.. code-block:: bash
$ keystone tenant-create --name=service
$ openstack project create service
This returns a UUID of the tenant - keep that, you'll need it when creating
the users and specifying the roles.
Create service users for nova, glance, swift, and neutron (or whatever
subset is relevant to your deployment):
Create service users for ``nova``, ``glance``, ``swift``, and ``neutron``
(or whatever subset is relevant to your deployment):
.. code-block:: bash
$ keystone user-create --name=nova \
--pass=Sekr3tPass \
--tenant_id=[the uuid of the tenant] \
--email=nova@nothing.com
$ openstack user create nova --password Sekr3tPass --project service
Repeat this for each service you want to enable. Email is a required field
in Keystone right now, but not used in relation to the service accounts. Each
of these commands will also return a UUID of the user. Keep those to assign
the Admin role.
Repeat this for each service you want to enable.
For adding the Admin role to the service accounts, you'll need to know the UUID
of the role you want to add. If you don't have them handy, you can look it
Create an administrative role for the service accounts, typically named
``admin`` (however the name can be whatever you choose). For adding the
administrative role to the service accounts, you'll need to know the
name of the role you want to add. If you don't have it handy, you can look it
up quickly with:
.. code-block:: bash
$ keystone role-list
$ openstack role list
Once you have it, assign the service users to the Admin role. This is all
assuming that you've already created the basic roles and settings as described
in :doc:`configuration`:
Once you have it, grant the administrative role to the service users. This is
all assuming that you've already created the basic roles and settings as
described in :doc:`configuration`:
.. code-block:: bash
$ keystone user-role-add --tenant_id=[uuid of the service tenant] \
--user=[uuid of the service account] \
--role=[uuid of the Admin role]
$ openstack role add admin --project service --user nova
Defining Services
-----------------
@ -147,21 +138,16 @@ Keystone is online, you need to add the services to the catalog:
.. code-block:: bash
$ keystone service-create --name=nova \
--type=compute \
--description="Nova Compute Service"
$ keystone service-create --name=ec2 \
--type=ec2 \
--description="EC2 Compatibility Layer"
$ keystone service-create --name=glance \
--type=image \
--description="Glance Image Service"
$ keystone service-create --name=keystone \
--type=identity \
--description="Keystone Identity Service"
$ keystone service-create --name=swift \
--type=object-store \
--description="Swift Service"
$ openstack service create nova --type compute \
--description "Nova Compute Service"
$ openstack service create ec2 --type ec2 \
--description "EC2 Compatibility Layer"
$ openstack service create glance --type image \
--description "Glance Image Service"
$ openstack service create keystone --type identity \
--description "Keystone Identity Service"
$ openstack service create swift --type object-store \
--description "Swift Service"
Setting Up Middleware
@ -209,9 +195,9 @@ Here is an example paste config filter that makes use of the 'admin_user' and
admin_user = admin
admin_password = keystone123
It should be noted that when using this option an admin tenant/role
relationship is required. The admin user is granted access to the 'Admin'
role to the 'admin' tenant.
It should be noted that when using this option an admin project/role
relationship is required. The admin user is granted access to the 'admin'
role to the 'admin' project.
The auth_token middleware can also be configured in nova.conf
[keystone_authtoken] section to keep paste config clean of site-specific

@ -45,7 +45,9 @@ file. You are advised to examine `Shibboleth Service Provider Configuration docu
An example of your ``/etc/shibboleth/shibboleth2.xml`` may look like
(The example shown below is for reference only, not to be used in a production
environment)::
environment):
.. code-block:: xml
<!--
File configuration courtesy of http://testshib.org

@ -81,17 +81,16 @@
# token values. (integer value)
#max_token_size=8192
# During a SQL upgrade member_role_id will be used to create a
# new role that will replace records in the assignment table
# with explicit role grants. After migration, the
# member_role_id will be used in the API add_user_to_project.
# (string value)
# Similar to the member_role_name option, this represents the
# default role ID used to associate users with their default
# projects in the v2 API. This will be used as the explicit
# role where one is not specified by the v2 API. (string
# value)
#member_role_id=9fe2ff9ee4384b1894a90878d3e92bab
# During a SQL upgrade member_role_name will be used to create
# a new role that will replace records in the assignment table
# with explicit role grants. After migration, member_role_name
# will be ignored. (string value)
# This is the role name used in combination with the
# member_role_id option; see that option for more detail.
# (string value)
#member_role_name=_member_
# The value passed as the keyword "rounds" to passlib's
@ -536,27 +535,27 @@
# Memcache servers in the format of "host:port".
# (dogpile.cache.memcache and keystone.cache.memcache_pool
# backends only) (list value)
# backends only). (list value)
#memcache_servers=localhost:11211
# Number of seconds memcached server is considered dead before
# it is tried again. (dogpile.cache.memcache and
# keystone.cache.memcache_pool backends only) (integer value)
# keystone.cache.memcache_pool backends only). (integer value)
#memcache_dead_retry=300
# Timeout in seconds for every call to a server.
# (dogpile.cache.memcache and keystone.cache.memcache_pool
# backends only) (integer value)
# backends only). (integer value)
#memcache_socket_timeout=3
# Max total number of open connections to every memcached
# server. (keystone.cache.memcache_pool backend only) (integer
# value)
# server. (keystone.cache.memcache_pool backend only).
# (integer value)
#memcache_pool_maxsize=10
# Number of seconds a connection to memcached is held unused
# in the pool before it is closed.
# (keystone.cache.memcache_pool backend only) (integer value)
# (keystone.cache.memcache_pool backend only). (integer value)
#memcache_pool_unused_timeout=60
# Number of seconds that an operation will wait to get a

@ -12,9 +12,9 @@
"identity:get_region": "",
"identity:list_regions": "",
"identity:create_region": "rule:admin_or_cloud_admin",
"identity:update_region": "rule:admin_or_cloud_admin",
"identity:delete_region": "rule:admin_or_cloud_admin",
"identity:create_region": "rule:cloud_admin",
"identity:update_region": "rule:cloud_admin",
"identity:delete_region": "rule:cloud_admin",
"identity:get_service": "rule:admin_or_cloud_admin",
"identity:list_services": "rule:admin_or_cloud_admin",
@ -143,23 +143,23 @@
"identity:add_endpoint_group_to_project": "rule:admin_required",
"identity:remove_endpoint_group_from_project": "rule:admin_required",
"identity:create_identity_provider": "rule:admin_required",
"identity:list_identity_providers": "rule:admin_required",
"identity:get_identity_providers": "rule:admin_required",
"identity:update_identity_provider": "rule:admin_required",
"identity:delete_identity_provider": "rule:admin_required",
"identity:create_protocol": "rule:admin_required",
"identity:update_protocol": "rule:admin_required",
"identity:get_protocol": "rule:admin_required",
"identity:list_protocols": "rule:admin_required",
"identity:delete_protocol": "rule:admin_required",
"identity:create_mapping": "rule:admin_required",
"identity:get_mapping": "rule:admin_required",
"identity:list_mappings": "rule:admin_required",
"identity:delete_mapping": "rule:admin_required",
"identity:update_mapping": "rule:admin_required",
"identity:create_identity_provider": "rule:cloud_admin",
"identity:list_identity_providers": "rule:cloud_admin",
"identity:get_identity_providers": "rule:cloud_admin",
"identity:update_identity_provider": "rule:cloud_admin",
"identity:delete_identity_provider": "rule:cloud_admin",
"identity:create_protocol": "rule:cloud_admin",
"identity:update_protocol": "rule:cloud_admin",
"identity:get_protocol": "rule:cloud_admin",
"identity:list_protocols": "rule:cloud_admin",
"identity:delete_protocol": "rule:cloud_admin",
"identity:create_mapping": "rule:cloud_admin",
"identity:get_mapping": "rule:cloud_admin",
"identity:list_mappings": "rule:cloud_admin",
"identity:delete_mapping": "rule:cloud_admin",
"identity:update_mapping": "rule:cloud_admin",
"identity:get_auth_catalog": "",
"identity:get_auth_projects": "",

@ -15,6 +15,8 @@
import sys
from keystoneclient.common import cms
from oslo.serialization import jsonutils
from oslo.utils import importutils
from oslo.utils import timeutils
import six
@ -27,8 +29,6 @@ from keystone import config
from keystone.contrib import federation
from keystone import exception
from keystone.i18n import _, _LI
from keystone.openstack.common import importutils
from keystone.openstack.common import jsonutils
from keystone.openstack.common import log

@ -12,6 +12,7 @@
import functools
from oslo.serialization import jsonutils
from pycadf import cadftaxonomy as taxonomy
from six.moves.urllib import parse
@ -21,7 +22,6 @@ from keystone.contrib import federation
from keystone.contrib.federation import utils
from keystone.models import token_model
from keystone import notifications
from keystone.openstack.common import jsonutils
@dependency.requires('federation_api', 'identity_api', 'token_provider_api')
@ -58,7 +58,7 @@ class Mapped(auth.AuthMethodHandler):
token_audit_id = token_ref.audit_id
identity_provider = token_ref.federation_idp_id
protocol = token_ref.federation_protocol_id
user_id = token_ref['user']['id']
user_id = token_ref.user_id
group_ids = token_ref.federation_group_ids
send_notification = functools.partial(
notifications.send_saml_audit_notification, 'authenticate',
@ -92,8 +92,8 @@ class Mapped(auth.AuthMethodHandler):
identity_provider = auth_payload['identity_provider']
protocol = auth_payload['protocol']
group_ids = None
# NOTE(topol): Since the user is coming in from an IdP with a SAML doc
# instead of from a token we set token_id to None
# NOTE(topol): The user is coming in from an IdP with a SAML assertion
# instead of from a token, so we set token_id to None
token_id = None
try:

@ -22,7 +22,6 @@ from keystone import config
from keystone import exception
from keystone.i18n import _LC
from keystone.openstack.common import log
from keystone.openstack.common import versionutils
LOG = log.getLogger(__name__)
@ -123,11 +122,3 @@ class Catalog(kvs.Catalog):
catalog[region][service] = service_data
return catalog
@versionutils.deprecated(
versionutils.deprecated.ICEHOUSE,
in_favor_of='keystone.catalog.backends.templated.Catalog',
remove_in=+2)
class TemplatedCatalog(Catalog):
pass

@ -35,11 +35,6 @@ from keystone.openstack.common import log
LOG = log.getLogger(__name__)
# NOTE(morganfainberg): This is used as the maximum number of seconds a get
# of a new connection will wait for before raising an exception indicating
# a serious / most likely non-recoverable delay has occurred.
CONNECTION_GET_TIMEOUT = 120
# This 'class' is taken from http://stackoverflow.com/a/22520633/238308
# Don't inherit client from threading.local so that we can reuse clients in
# different threads
@ -78,9 +73,25 @@ class ConnectionPool(queue.Queue):
self._acquired = 0
def _create_connection(self):
"""Returns a connection instance.
This is called when the pool needs another instance created.
:returns: a new connection instance
"""
raise NotImplementedError
def _destroy_connection(self, conn):
"""Destroy and cleanup a connection instance.
This is called when the pool wishes to get rid of an existing
connection. This is the opportunity for a subclass to free up
resources and cleaup after itself.
:param conn: the connection object to destroy
"""
raise NotImplementedError
def _debug_logger(self, msg, *args, **kwargs):
@ -110,6 +121,9 @@ class ConnectionPool(queue.Queue):
def _qsize(self):
return self.maxsize - self._acquired
# NOTE(dstanek): stdlib and eventlet Queue implementations
# have different names for the qsize method. This ensures
# that we override both of them.
if not hasattr(queue.Queue, '_qsize'):
qsize = _qsize
@ -121,18 +135,24 @@ class ConnectionPool(queue.Queue):
self._acquired += 1
return conn
def _drop_expired_connections(self, conn):
"""Drop all expired connections from the right end of the queue.
:param conn: connection object
"""
now = time.time()
while self.queue and self.queue[0].ttl < now:
conn = self.queue.popleft().connection
self._debug_logger('Reaping connection %s', id(conn))
self._destroy_connection(conn)
def _put(self, conn):
self.queue.append(_PoolItem(
ttl=time.time() + self._unused_timeout,
connection=conn,
))
self._acquired -= 1
# Drop all expired connections from the right end of the queue
now = time.time()
while self.queue and self.queue[0].ttl < now:
conn = self.queue.popleft().connection
self._debug_logger('Reaping connection %s', id(conn))
self._destroy_connection(conn)
self._drop_expired_connections(conn)
class MemcacheClientPool(ConnectionPool):
@ -173,9 +193,8 @@ class MemcacheClientPool(ConnectionPool):
# If this client found that one of the hosts is dead, mark it as
# such in our internal list
now = time.time()
for i, deaduntil, host in zip(itertools.count(),
self._hosts_deaduntil,
conn.servers):
for i, host in zip(itertools.count(), conn.servers):
deaduntil = self._hosts_deaduntil[i]
# Do nothing if we already know this host is dead
if deaduntil <= now:
if host.deaduntil > now:
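Review bot: `_drop_expired_connections(self, conn)` in the `@ -121,18 +135,24 @@` hunk never reads its `conn` argument — the loop immediately rebinds `conn` to each reaped connection — so the parameter and its `:param conn:` line document something that has no effect. Drop it: `def _drop_expired_connections(self):`, call it from `_put` as `self._drop_expired_connections()`, and use a fresh local such as `expired = self.queue.popleft().connection` inside the loop so nothing is shadowed. In the `@ -173,9 +193,8 @@` hunk, `zip(itertools.count(), conn.servers)` is just `enumerate(conn.servers)`, and `self._hosts_deaduntil[i]` will now raise IndexError where the old three-way zip silently truncated if the two sequences ever differ in length — presumably both come from the same server list, but a one-line comment stating that invariant would help the next reader. Also, `cleaup` in `_destroy_connection`'s docstring should read `cleanup`.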

@ -17,12 +17,12 @@ import datetime
from dogpile.cache import api
from dogpile.cache import util as dp_util
from oslo.utils import importutils
from oslo.utils import timeutils
import six
from keystone import exception
from keystone.i18n import _
from keystone.openstack.common import importutils
from keystone.openstack.common import log

@ -17,11 +17,11 @@
import dogpile.cache
from dogpile.cache import proxy
from dogpile.cache import util
from oslo.utils import importutils
from keystone import config
from keystone import exception
from keystone.i18n import _
from keystone.openstack.common import importutils
from keystone.openstack.common import log

@ -97,16 +97,15 @@ FILE_OPTIONS = {
'exception for token values.'),
cfg.StrOpt('member_role_id',
default='9fe2ff9ee4384b1894a90878d3e92bab',
help='During a SQL upgrade member_role_id will be used '
'to create a new role that will replace records in '
'the assignment table with explicit role grants. '
'After migration, the member_role_id will be used in '
'the API add_user_to_project.'),
help='Similar to the member_role_name option, this '
'represents the default role ID used to associate '
'users with their default projects in the v2 API. '
'This will be used as the explicit role where one is '
'not specified by the v2 API.'),
cfg.StrOpt('member_role_name', default='_member_',
help='During a SQL upgrade member_role_name will be used '
'to create a new role that will replace records in '
'the assignment table with explicit role grants. '
'After migration, member_role_name will be ignored.'),
help='This is the role name used in combination with the '
'member_role_id option; see that option for more '
'detail.'),
cfg.IntOpt('crypt_strength', default=40000,
help='The value passed as the keyword "rounds" to '
'passlib\'s encrypt method.'),
@ -336,27 +335,27 @@ FILE_OPTIONS = {
cfg.ListOpt('memcache_servers', default=['localhost:11211'],
help='Memcache servers in the format of "host:port".'
' (dogpile.cache.memcache and keystone.cache.memcache_pool'
' backends only)'),
' backends only).'),
cfg.IntOpt('memcache_dead_retry',
default=5 * 60,
help='Number of seconds memcached server is considered dead'
' before it is tried again. (dogpile.cache.memcache and'
' keystone.cache.memcache_pool backends only)'),
' keystone.cache.memcache_pool backends only).'),
cfg.IntOpt('memcache_socket_timeout',
default=3,
help='Timeout in seconds for every call to a server.'
' (dogpile.cache.memcache and keystone.cache.memcache_pool'
' backends only)'),
' backends only).'),
cfg.IntOpt('memcache_pool_maxsize',
default=10,
help='Max total number of open connections to every'
' memcached server. (keystone.cache.memcache_pool backend'
' only)'),
' only).'),
cfg.IntOpt('memcache_pool_unused_timeout',
default=60,
help='Number of seconds a connection to memcached is held'
' unused in the pool before it is closed.'
' (keystone.cache.memcache_pool backend only)'),
' (keystone.cache.memcache_pool backend only).'),
cfg.IntOpt('memcache_pool_connection_get_timeout',
default=10,
help='Number of seconds that an operation will wait to get '
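Review bot: The new help strings for `member_role_id` and `member_role_name` in the `@ -97,16 +97,15 @@` hunk point at each other — `member_role_id` opens with `Similar to the member_role_name option` and `member_role_name` says `see that option for more detail` — so neither reads on its own in a generated sample file. Make the ID option self-contained, e.g. `help='The default role ID used to associate users with their default projects in the v2 API; used as the explicit role where one is not specified by the v2 API.'`, and keep `member_role_name` as the one that refers to it. The same circular wording appears in the sample config hunk earlier in this commit, which is presumably generated from these option definitions and would follow automatically.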

@ -22,6 +22,7 @@ from dogpile.cache import proxy
from dogpile.cache import region
from dogpile.cache import util as dogpile_util
from dogpile.core import nameregistry
from oslo.utils import importutils
import six
from keystone.common import config
@ -29,7 +30,6 @@ from keystone import exception
from keystone.i18n import _
from keystone.i18n import _LI
from keystone.i18n import _LW
from keystone.openstack.common import importutils
from keystone.openstack.common import log

@ -14,7 +14,7 @@
import functools
from keystone.openstack.common import importutils
from oslo.utils import importutils
def response_truncated(f):

@ -26,6 +26,7 @@ from oslo.db import exception as db_exception
from oslo.db import options as db_options
from oslo.db.sqlalchemy import models
from oslo.db.sqlalchemy import session as db_session
from oslo.serialization import jsonutils
import six
import sqlalchemy as sql
from sqlalchemy.ext import declarative
@ -35,7 +36,6 @@ from sqlalchemy import types as sql_types
from keystone.common import utils
from keystone import exception
from keystone.i18n import _
from keystone.openstack.common import jsonutils
from keystone.openstack.common import log

@ -28,12 +28,11 @@ column.
"""
from oslo.serialization import jsonutils
from oslo.utils import strutils
import sqlalchemy as sql
from sqlalchemy.orm import Session
from keystone.openstack.common import jsonutils
def _migrate_enabled_from_extra(migrate_engine, endpoint_table):
"""Remove `enabled` from `extra`, put it in the `enabled` column."""

@ -28,12 +28,11 @@ column.
"""
from oslo.serialization import jsonutils
from oslo.utils import strutils
import sqlalchemy as sql
from sqlalchemy.orm import sessionmaker
from keystone.openstack.common import jsonutils
def _migrate_enabled_from_extra(migrate_engine, service_table):
"""Remove `enabled` from `extra`, put it in the `enabled` column."""