Merge remote-tracking branch 'origin/master' into feature/hierarchical-multitenancy

Change-Id: I7e27d042575609e4107764c1ff2e1048e5a14a02
Morgan Fainberg 2014-10-17 13:05:21 -07:00
commit 6f806bdc9b
57 changed files with 795 additions and 425 deletions

View File

@ -18,16 +18,496 @@
Command Line Interface Examples
===============================
The Keystone command line interface packaged in `python-keystoneclient`_ only
supports the Identity v2.0 API. The OpenStack common command line interface
packaged in `python-openstackclient`_ supports both v2.0 and v3 APIs.
.. NOTE::
As of the Juno release, it is recommended to use ``python-openstackclient``,
as it suports both v2.0 and v3 APIs. For the purpose of backwards compatibility,
the CLI packaged in ``python-keystoneclient`` is not being removed.
.. _`python-openstackclient`: http://docs.openstack.org/developer/python-openstackclient/
.. _`python-keystoneclient`: http://docs.openstack.org/developer/python-keystoneclient/
Using python-openstackclient (v3)
=================================
Note that if using ``python-openstackclient`` for v3 commands, the following
environment variables must be updated:
.. code-block:: bash
$ export OS_IDENTITY_API_VERSION=3 (Defaults to 2.0)
$ export OS_AUTH_URL=http://localhost:5000/v3
Since Identity API v3 authentication is a bit more complex, there are additional
options that may be set, either as command options or environment variables.
The most common case will be a user supplying both user name and password, along
with the project name; previously in v2.0 this would be sufficient, but since
Identity API v3 has a ``Domain`` component, we need to tell the client in which
domain the user and project exists.
If using a project name as authorization scope, set either of these:
* ``--os-project-domain-name OS_PROJECT_DOMAIN_NAME`` Domain name of the project
which is the requested project-level authorization scope
* ``--os-project-domain-id OS_PROJECT_DOMAIN_ID`` Domain ID of the project which
is the requested project-level authorization scope
Note, if using a project ID as authorization scope, then it is not required to
set ``OS_PROJECT_DOMAIN_NAME`` or ``OS_PROJECT_DOMAIN_ID``, the project ID is
sufficient.
If using user name and password, set either of these:
* ``--os-user-domain-name OS_USER_DOMAIN_NAME`` Domain name of the user
* ``--os-user-domain-id OS_USER_DOMAIN_ID`` Domain ID of the user
If using a domain as authorization scope, set either of these:
* ``--os-domain-name OS_DOMAIN_NAME``: Domain name of the requested domain-level
authorization scope
* ``--os-domain-id OS_DOMAIN_ID``: Domain ID of the requested domain-level
authorization scope
In the examples below, the following are set:
.. code-block:: bash
$ export OS_IDENTITY_API_VERSION=3
$ export OS_AUTH_URL=http://localhost:5000/v3
$ export OS_PROJECT_DOMAIN_ID=default
$ export OS_USER_DOMAIN_ID=default
$ export OS_USERNAME=admin
$ export OS_PASSWORD=openstack
$ export OS_PROJECT_NAME=admin
--------
Projects
--------
``project create``
------------------
positional arguments::
<project-name> New project name
optional arguments::
--description <project-description> New project description
--domain <project-domain> Domain owning the project (name or ID)
--enable Enable project (default)
--disable Disable project
example:
.. code-block:: bash
$ openstack project create heat-project --domain heat
Other commands
--------------
.. code-block:: bash
$ openstack project delete
$ openstack project list
$ openstack project set
$ openstack project show
-----
Users
-----
``user create``
---------------
positional arguments::
<user-name> New user name
optional arguments::
--password <user-password> New user password
--password-prompt Prompt interactively for password
--email <user-email> New user email address
--project <project> Set default project (name or ID)
--domain <domain> New default domain name or ID
--enable Enable user (default)
--disable Disable user
example:
.. code-block:: bash
$ openstack user create heat-user \
--password secrete \
--domain heat \
--project demo \
--email admin@example.com
Other commands
--------------
.. code-block:: bash
$ openstack user delete
$ openstack user list
$ openstack user set
$ openstack user show
------
Groups
------
``group create``
----------------
positional arguments::
<group-name> New group name
optional arguments::
--description <group-description> New group description
--domain <group-domain> References the domain ID or name which owns the group
example:
.. code-block:: bash
$ openstack group create heat-group --domain heat
Other commands
--------------
.. code-block:: bash
$ openstack group delete
$ openstack group list
$ openstack group set
$ openstack group show
-------
Domains
-------
``domain create``
-----------------
positional arguments::
<domain-name> New domain name
optional arguments::
--description <domain-description> New domain description
--enable Enable domain
--disable Disable domain
example:
.. code-block:: bash
$ openstack domain create heat --description "Heat domain for heat users"
Other commands
--------------
.. code-block:: bash
$ openstack domain delete
$ openstack domain list
$ openstack domain set
$ openstack domain show
Using python-openstackclient (v2.0)
===================================
--------
Projects
--------
``project create``
------------------
positional arguments::
<project-name> New project name
optional arguments::
--description <project-description> New project description
--enable Enable project (default)
--disable Disable project
example:
.. code-block:: bash
$ openstack project create demo
``project delete``
------------------
positional arguments::
<project> Project to delete (name or ID)
example:
.. code-block:: bash
$ openstack project delete demo
-----
Users
-----
``user create``
---------------
positional arguments::
<user-name> New user name
optional arguments::
--password <user-password> New user password
--password-prompt Prompt interactively for password
--email <user-email> New user email address
--project <project> Set default project (name or ID)
--enable Enable user (default)
--disable Disable user
example:
.. code-block:: bash
$ openstack user create heat-user \
--password secrete \
--project demo \
--email admin@example.com
``user delete``
---------------
positional arguments::
<user> User to delete (name or ID)
example:
.. code-block:: bash
$ openstack user delete heat-user
``user list``
-------------
optional arguments::
--project <project> Filter users by project (name or ID)
--long List additional fields in output
example:
.. code-block:: bash
$ openstack user list
``user set``
------------
positional arguments::
<user> User to change (name or ID)
optional arguments::
--name <new-user-name> New user name
--password <user-password> New user password
--password-prompt Prompt interactively for password
--email <user-email> New user email address
--project <project> New default project (name or ID)
--enable Enable user (default)
--disable Disable user
example:
.. code-block:: bash
$ openstack user set heat-user --email newemail@example.com
-----
Roles
-----
``role create``
---------------
positional arguments::
<role-name> New role name
example:
.. code-block:: bash
$ openstack role create demo
``role delete``
---------------
positional arguments::
<role> Name or ID of role to delete
example:
.. code-block:: bash
$ openstack role delete demo
``role list``
-------------
example:
.. code-block:: bash
$ openstack role list
``role show``
-------------
positional arguments::
<role> Name or ID of role to display
example:
.. code-block:: bash
$ openstack role show demo
``role add``
------------
positional arguments::
<role> Role name or ID to add to user
optional arguments::
--project <project> Include project (name or ID)
--user <user> Name or ID of user to include
example:
.. code-block:: bash
$ openstack user role add demo --user heat-user --project heat
``role remove``
---------------
positional arguments::
<role> Role name or ID to remove from user
optional arguments::
--project <project> Project to include (name or ID)
--user <user> Name or ID of user
example:
.. code-block:: bash
$ openstack user role remove demo --user heat-user --project heat
--------
Services
--------
``service create``
------------------
positional arguments::
<service-name> New service name
optional arguments::
--type <service-type> New service type (compute, image, identity, volume, etc)
--description <service-description> New service description
example:
.. code-block:: bash
$ openstack service create nova --type compute --description "Nova Compute Service"
``service list``
----------------
optional arguments::
--long List additional fields in output
example:
.. code-block:: bash
$ openstack service list
``service show``
----------------
positional arguments::
<service> Service to display (type, name or ID)
example:
.. code-block:: bash
$ openstack service show nova
``service delete``
------------------
positional arguments::
<service> Service to delete (name or ID)
example:
.. code-block:: bash
$ openstack service delete nova
Using python-keystoneclient (v2.0)
==================================
-------
Tenants
-------
Tenants are the high level grouping within Keystone that represent groups of
users. A tenant is the grouping that owns virtual machines within Nova, or
containers within Swift. A tenant can have zero or more users, Users can be
associated with more than one tenant, and each tenant - user pairing can have
a role associated with it.
``tenant-create``
-----------------
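Review bot: the first export in the v3 setup block, `$ export OS_IDENTITY_API_VERSION=3 (Defaults to 2.0)`, carries a parenthetical inside a bash code block and is a shell syntax error if pasted; move the remark into a `#` comment or into the prose above it. Two smaller points in the same hunk: the NOTE reads `as it suports both v2.0 and v3 APIs` (typo; the copy of this NOTE added to the configuration guide in this commit spells it correctly), and the ``role add``/``role remove`` examples use `openstack user role add demo --user heat-user --project heat` although the heading is ``role add`` and the middleware walkthrough in this commit uses `openstack role add admin --project service --user nova`; pick one form. Finally, the worked examples export the password (`export OS_PASSWORD=openstack`) and pass `--password secrete` on the command line while the option table right above documents `--password-prompt`; showing the prompt form keeps the password out of shell history.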
@ -112,7 +592,7 @@ example:
$ keystone user-list
``user-update``
---------------
---------------------
arguments

View File

@ -315,28 +315,27 @@ configuration option.
The drivers Keystone provides are:
* ``keystone.token.persistence.backends.sql.Token`` - The SQL-based (default)
token persistence engine. This backend stores all token data in the same SQL
store that is used for Identity/Assignment/etc.
* ``keystone.token.persistence.backends.memcache.Token`` - The memcached based
token persistence backend. This backend relies on ``dogpile.cache`` and stores
the token data in a set of memcached servers. The servers urls are specified
in the ``[memcache]\servers`` configuration option in the Keystone config.
* ``keystone.token.persistence.backends.memcache_pool.Token`` - The pooled memcached
token persistence engine. This backend supports the concept of pooled memcache
client object (allowing for the re-use of the client objects). This backend has
a number of extra tunable options in the ``[memcache]`` section of the config.
* ``keystone.token.persistence.backends.sql.Token`` - The SQL-based (default)
token persistence engine.
* ``keystone.token.persistence.backends.memcache.Token`` - The memcached based
token persistence backend. This backend relies on ``dogpile.cache`` and stores
the token data in a set of memcached servers. The servers URLs are specified
in the ``[memcache]\servers`` configuration option in the Keystone config.
.. WARNING::
It is recommended you use the ``keystone.token.persistence.backend.memcache_pool.Token``
backend instead of ``keystone.token.persistence.backend.memcache.Token`` as the token
persistence driver if you are deploying Keystone under eventlet instead of
Apache + mod_wsgi. This recommendation are due to known issues with the use of
``thread.local`` under eventlet that can allow the leaking of memcache client objects
and consumption of extra sockets.
Apache + mod_wsgi. This recommendation is due to known issues with the
use of ``thread.local`` under eventlet that can allow the leaking of
memcache client objects and consumption of extra sockets.
Token Provider
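Review bot: the WARNING recommends `keystone.token.persistence.backend.memcache_pool.Token` over `keystone.token.persistence.backend.memcache.Token`, but every bullet in the driver list spells the package `backends` (plural), so the warning's paths do not match the module paths documented a few lines above; fix them to `backends` so a copied value refers to a listed driver. In addition, the shorter version of the list (sql and memcache entries only) has no bullet for the memcache_pool driver the warning recommends, so its extra tunables in `[memcache]` go unmentioned; keep the memcache_pool bullet alongside the reworded sql and memcache entries.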
@ -650,9 +649,9 @@ To build your service catalog using this driver, see the built-in help:
.. code-block:: bash
$ keystone
$ keystone help service-create
$ keystone help endpoint-create
$ openstack --help
$ openstack help service create
$ openstack help endpoint create
You can also refer to `an example in Keystone (tools/sample_data.sh)
<https://github.com/openstack/keystone/blob/master/tools/sample_data.sh>`_.
@ -666,8 +665,7 @@ service catalog will not change very much over time.
.. NOTE::
Attempting to manage your service catalog using keystoneclient commands
(e.g. ``keystone endpoint-create``) against this driver will result in
Attempting to change your service catalog against this driver will result in
``HTTP 501 Not Implemented`` errors. This is the expected behavior. If you
want to use these commands, you must instead use the SQL-based Service
Catalog driver.
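Review bot: after dropping `(e.g. ``keystone endpoint-create``)` from the NOTE, the sentence `If you want to use these commands, you must instead use the SQL-based Service Catalog driver.` has no antecedent for `these commands`; reword along the lines of `If you want to manage the catalog through the API or CLI, you must instead use the SQL-based Service Catalog driver.`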
@ -1014,12 +1012,12 @@ Ensure that your ``keystone.conf`` is configured to use a SQL driver:
[identity]
driver = keystone.identity.backends.sql.Identity
You may also want to configure your ``[sql]`` settings to better reflect your
You may also want to configure your ``[database]`` settings to better reflect your
environment:
.. code-block:: ini
[sql]
[database]
connection = sqlite:///keystone.db
idle_timeout = 200
@ -1038,23 +1036,19 @@ You should now be ready to initialize your new database without error, using:
$ keystone-manage db_sync
To test this, you should now be able to start ``keystone-all`` and use the
Keystone Client to list your tenants (which should successfully return an
OpenStack Client to list your projects (which should successfully return an
empty list from your new database):
.. code-block:: bash
$ keystone --os-token ADMIN --os-endpoint http://127.0.0.1:35357/v2.0/ tenant-list
+----+------+---------+
| id | name | enabled |
+----+------+---------+
+----+------+---------+
$ openstack --os-token ADMIN --os-url http://127.0.0.1:35357/v2.0/ project list
.. NOTE::
We're providing the default OS_SERVICE_TOKEN and OS_SERVICE_ENDPOINT values
from ``keystone.conf`` to connect to the Keystone service. If you changed
those values, or deployed Keystone to a different endpoint, you will need
to change the provided command accordingly.
We're providing the default OS_TOKEN and OS_URL values from ``keystone.conf``
to connect to the Keystone service. If you changed those values, or deployed
Keystone to a different endpoint, you will need to change the provided
command accordingly.
Initializing Keystone
=====================
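Review bot: the replacement command `$ openstack --os-token ADMIN --os-url http://127.0.0.1:35357/v2.0/ project list` drops the expected output that followed the old `tenant-list` call (the empty `id | name | enabled` table), while the prose above still promises that the command `should successfully return an empty list`; keep an expected-output block so a reader can tell a working install from a silent failure. The NOTE also now speaks of `default OS_TOKEN and OS_URL values from keystone.conf`, but those are client variable names; the values come from `[DEFAULT] admin_token` and the configured admin endpoint, so say that.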
@ -1079,12 +1073,29 @@ prevents unauthorized users from spuriously signing tokens.
be running the Keystone service to ensure proper ownership for the private key
file and the associated certificates.
Adding Users, Tenants, and Roles with python-keystoneclient
===========================================================
Adding Users, Projects, and Roles via Command Line Interfaces
=============================================================
Users, tenants, and roles must be administered using admin credentials.
There are two ways to configure ``python-keystoneclient`` to use admin
credentials, using the either an existing token or password credentials.
Keystone APIs are protected by the rules in the policy file. The default policy
rules require admin credentials to administer ``users``, ``projects``, and
``roles``. See section `Keystone API protection with Role Based Access Control (RBAC)`_
for more details on policy files.
The Keystone command line interface packaged in `python-keystoneclient`_ only
supports the Identity v2.0 API. The OpenStack common command line interface
packaged in `python-openstackclient`_ supports both v2.0 and v3 APIs.
With both command line interfaces there are two ways to configure the client to
use admin credentials, using either an existing token or password credentials.
.. NOTE::
As of the Juno release, it is recommended to use ``python-openstackclient``,
as it supports both v2.0 and v3 APIs. For the purpose of backwards compatibility,
the CLI packaged in ``python-keystoneclient`` is not being removed.
.. _`python-openstackclient`: http://docs.openstack.org/developer/python-openstackclient/
.. _`python-keystoneclient`: http://docs.openstack.org/developer/python-keystoneclient/
Authenticating with a Token
---------------------------
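Review bot: the NOTE and the two link targets (`.. _`python-openstackclient`:` and `.. _`python-keystoneclient`:`) are a verbatim copy of the block added to the CLI examples page in this same commit, and the two copies already disagree (`suports` there, `supports` here); either keep one copy and link to it from the other page, or at least fix the typo so the copies stay identical. Minor: `using either an existing token or password credentials` reads better as `using either an existing token or a user name and password`.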
@ -1094,11 +1105,11 @@ Authenticating with a Token
If your Keystone deployment is brand new, you will need to use this
authentication method, along with your ``[DEFAULT] admin_token``.
To use Keystone with a token, set the following flags:
To authenticate with Keystone using a token and ``python-openstackclient``, set
the following flags.
* ``--os-endpoint OS_SERVICE_ENDPOINT``: allows you to specify the Keystone endpoint
to communicate with. The default endpoint is ``http://localhost:35357/v2.0``
* ``--os-token OS_SERVICE_TOKEN``: your service token
* ``--os-url OS_URL``: Keystone endpoint the user communicates with
* ``--os-token OS_TOKEN``: User's service token
To administer a Keystone endpoint, your token should be either belong to a user
with the ``admin`` role, or, if you haven't created one yet, should be equal to
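Review bot: the new bullet describes `--os-token OS_TOKEN` as `User's service token`, but the paragraph above says this method is for a brand-new deployment using `[DEFAULT] admin_token`, which is a shared bootstrap secret rather than any user's token; call it the admin/service token so readers do not expect it to carry a user identity. The removed bullet also stated the default endpoint (`http://localhost:35357/v2.0`); the new `--os-url OS_URL` bullet gives no default, so either restore it or say the value is required. Grammar in the unchanged context: `your token should be either belong to a user` should read `your token should either belong to a user`.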
@ -1109,20 +1120,27 @@ to be passed as arguments each time:
.. code-block:: bash
$ export OS_SERVICE_ENDPOINT=http://localhost:35357/v2.0
$ export OS_SERVICE_TOKEN=ADMIN
$ export OS_URL=http://localhost:35357/v2.0
$ export OS_TOKEN=ADMIN
Instead of ``python-openstackclient``, if using ``python-keystoneclient``,
set the following:
* ``--os-endpoint OS_SERVICE_ENDPOINT``: equivalent to ``--os-url OS_URL``
* ``--os-service-token OS_SERVICE_TOKEN``: equivalent to ``--os-token OS_TOKEN``
Authenticating with a Password
------------------------------
To administer a Keystone endpoint, the following user referenced below should
To authenticate with Keystone using a password and ``python-openstackclient``, set
the following flags, note that the following user referenced below should
be granted the ``admin`` role.
* ``--os_username OS_USERNAME``: Name of your user
* ``--os_password OS_PASSWORD``: Password for your user
* ``--os_tenant_name OS_TENANT_NAME``: Name of your tenant
* ``--os_auth_url OS_AUTH_URL``: URL of your Keystone auth server, e.g.
``http://localhost:35357/v2.0``
* ``--os-username OS_USERNAME``: Name of your user
* ``--os-password OS_PASSWORD``: Password for your user
* ``--os-project-name OS_PROJECT_NAME``: Name of your project
* ``--os-auth-url OS_AUTH_URL``: URL of the Keystone authentication server
You can also set these variables in your environment so that they do not need
to be passed as arguments each time:
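Review bot: the keystoneclient equivalence list gives `--os-service-token OS_SERVICE_TOKEN` as the counterpart of `--os-token OS_TOKEN`, but the bullet this hunk replaces documented the keystoneclient flag as `--os-token OS_SERVICE_TOKEN`, and the old keystoneclient examples further down (`keystone --os-token=secrete --os-endpoint=...`) use `--os-token` as well; only the environment variable differs between the two clients, not the flag name. Correct the bullet to `--os-token OS_SERVICE_TOKEN`, otherwise the keystoneclient command line as documented will not parse. In the password section, the new bullet list drops the example auth URL (`http://localhost:35357/v2.0`) that the old `--os_auth_url` bullet carried; the export block below still shows it, so this is consistent, but `set the following flags, note that the following user referenced below should be granted the ``admin`` role` is a run-on; split it into two sentences.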
@ -1131,42 +1149,55 @@ to be passed as arguments each time:
$ export OS_USERNAME=my_username
$ export OS_PASSWORD=my_password
$ export OS_TENANT_NAME=my_tenant
$ export OS_PROJECT_NAME=my_project
$ export OS_AUTH_URL=http://localhost:35357/v2.0
If using ``python-keystoneclient``, set the following instead:
* ``--os-tenant-name OS_TENANT_NAME``: equivalent to ``--os-project-name OS_PROJECT_NAME``
Example usage
-------------
``keystone`` is set up to expect commands in the general form of
``keystone`` ``command`` ``argument``, followed by flag-like keyword arguments to
provide additional (often optional) information. For example, the command
``user-list`` and ``tenant-create`` can be invoked as follows:
``python-openstackclient`` is set up to expect commands in the general form of:
.. code-block:: bash
# Using token auth env variables
$ export OS_SERVICE_ENDPOINT=http://127.0.0.1:35357/v2.0/
$ export OS_SERVICE_TOKEN=secrete_token
$ keystone user-list
$ keystone tenant-create --name=demo
$ openstack [<global-options>] <object-1> <action> [<object-2>] [<command-arguments>]
# Using token auth flags
$ keystone --os-token=secrete --os-endpoint=http://127.0.0.1:35357/v2.0/ user-list
$ keystone --os-token=secrete --os-endpoint=http://127.0.0.1:35357/v2.0/ tenant-create --name=demo
For example, the commands ``user list`` and ``project create`` can be invoked
as follows:
# Using user + password + tenant_name env variables
.. code-block:: bash
# Using token authentication, with environment variables
$ export OS_URL=http://127.0.0.1:35357/v2.0/
$ export OS_TOKEN=secrete_token
$ openstack user list
$ openstack project create demo
# Using token authentication, with flags
$ openstack --os-token=secrete --os-url=http://127.0.0.1:35357/v2.0/ user list
$ openstack --os-token=secrete --os-url=http://127.0.0.1:35357/v2.0/ project create demo
# Using password authentication, with environment variables
$ export OS_USERNAME=admin
$ export OS_PASSWORD=secrete
$ export OS_TENANT_NAME=admin
$ keystone user-list
$ keystone tenant-create --name=demo
$ export OS_PROJECT_NAME=admin
$ export OS_AUTH_URL=http://localhost:35357/v2.0
$ openstack user list
$ openstack project create demo
# Using user + password + tenant_name flags
$ keystone --os_username=admin --os_password=secrete --os_tenant_name=admin user-list
$ keystone --os_username=admin --os_password=secrete --os_tenant_name=admin tenant-create --name=demo
# Using password authentication, with flags
$ openstack --os-username=admin --os-password=secrete --os-project-name=admin --os-auth-url=http://localhost:35357/v2.0 user list
$ openstack --os-username=admin --os-password=secrete --os-project-name=admin --os-auth-url=http://localhost:35357/v2.0 project create demo
For additional examples refer to `CLI Examples`_.
For additional examples using ``python-keystoneclient`` refer to `python-keystoneclient examples`_,
likewise, for additional examples using ``python-openstackclient``, refer to `python-openstackclient examples`_.
.. _`CLI Examples`: cli_examples.html
.. _`python-keystoneclient examples`: cli_examples.html#using-python-keystoneclient-v2-0
.. _`python-openstackclient examples`: cli_examples.html#using-python-openstackclient-v3
Removing Expired Tokens
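Review bot: in the single example block, the token-auth section exports `OS_URL` and `OS_TOKEN`, and the password-auth section that follows only adds `OS_USERNAME`, `OS_PASSWORD`, `OS_PROJECT_NAME` and `OS_AUTH_URL`, so a reader pasting the block in order ends up with both credential sets in the environment and cannot tell which one the client used; add `unset OS_TOKEN OS_URL` before the password example. The flag form (`--os-password=secrete` on the command line) puts the password into shell history and `ps` output; say that the environment-variable form above is preferable for real passwords. The endpoints also differ between the two sections (`http://127.0.0.1:35357/v2.0/` versus `http://localhost:35357/v2.0`); use one.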

View File

@ -32,7 +32,7 @@ In general:
* The Keystone middleware will look for and validate that token, taking the
appropriate action.
* It will also retrieve additional information from the token such as user
name, id, tenant name, id, roles, etc...
name, user id, project name, project id, roles, etc...
The middleware will pass those data down to the service as headers. More
details on the architecture of that setup is described in
@ -57,10 +57,10 @@ represent a user, and carries no explicit authorization.
To disable in production (highly recommended), remove AdminTokenAuthMiddleware
from your paste application pipelines (for example, in keystone-paste.ini)
Setting up tenants, users, and roles
------------------------------------
Setting up projects, users, and roles
-------------------------------------
You need to minimally define a tenant, user, and role to link the tenant and
You need to minimally define a project, user, and role to link the project and
user as the most basic set of details to get other services authenticating
and authorizing with Keystone.
@ -69,7 +69,7 @@ be able to use to authenticate users against Keystone. The ``auth_token``
middleware supports using either the shared secret described above as
`admin_token` or users for each service.
See :doc:`configuration` for a walk through on how to create tenants, users,
See :doc:`configuration` for a walk through on how to create projects, users,
and roles.
Setting up services
@ -79,53 +79,44 @@ Creating Service Users
----------------------
To configure the OpenStack services with service users, we need to create
a tenant for all the services, and then users for each of the services. We
then assign those service users an Admin role on the service tenant. This
allows them to validate tokens - and authenticate and authorize other user
a project for all the services, and then users for each of the services. We
then assign those service users an ``admin`` role on the service project. This
allows them to validate tokens - and to authenticate and authorize other user
requests.
Create a tenant for the services, typically named 'service' (however, the
Create a project for the services, typically named ``service`` (however, the
name can be whatever you choose):
.. code-block:: bash
$ keystone tenant-create --name=service
$ openstack project create service
This returns a UUID of the tenant - keep that, you'll need it when creating
the users and specifying the roles.
Create service users for nova, glance, swift, and neutron (or whatever
subset is relevant to your deployment):
Create service users for ``nova``, ``glance``, ``swift``, and ``neutron``
(or whatever subset is relevant to your deployment):
.. code-block:: bash
$ keystone user-create --name=nova \
--pass=Sekr3tPass \
--tenant_id=[the uuid of the tenant] \
--email=nova@nothing.com
$ openstack user create nova --password Sekr3tPass --project service
Repeat this for each service you want to enable. Email is a required field
in Keystone right now, but not used in relation to the service accounts. Each
of these commands will also return a UUID of the user. Keep those to assign
the Admin role.
Repeat this for each service you want to enable.
For adding the Admin role to the service accounts, you'll need to know the UUID
of the role you want to add. If you don't have them handy, you can look it
Create an administrative role for the service accounts, typically named
``admin`` (however the name can be whatever you choose). For adding the
administrative role to the service accounts, you'll need to know the
name of the role you want to add. If you don't have it handy, you can look it
up quickly with:
.. code-block:: bash
$ keystone role-list
$ openstack role list
Once you have it, assign the service users to the Admin role. This is all
assuming that you've already created the basic roles and settings as described
in :doc:`configuration`:
Once you have it, grant the administrative role to the service users. This is
all assuming that you've already created the basic roles and settings as
described in :doc:`configuration`:
.. code-block:: bash
$ keystone user-role-add --tenant_id=[uuid of the service tenant] \
--user=[uuid of the service account] \
--role=[uuid of the Admin role]
$ openstack role add admin --project service --user nova
Defining Services
-----------------
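Review bot: the new service-user example `openstack user create nova --password Sekr3tPass --project service` passes the service password on the command line, where it is recorded in shell history; the CLI reference added in this same commit documents `--password-prompt`, so the walkthrough should use it for accounts whose credentials end up in every service's configuration. The prose says to `Create an administrative role for the service accounts`, but the commands shown only list roles and then grant `admin`; add the `openstack role create` step or reword to say the role is assumed to exist. Granting every service account `admin` on the `service` project is presented here as what token validation requires; a sentence on why full `admin` is needed rather than a narrower role would help readers applying least privilege.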
@ -147,21 +138,16 @@ Keystone is online, you need to add the services to the catalog:
.. code-block:: bash
$ keystone service-create --name=nova \
--type=compute \
--description="Nova Compute Service"
$ keystone service-create --name=ec2 \
--type=ec2 \
--description="EC2 Compatibility Layer"
$ keystone service-create --name=glance \
--type=image \
--description="Glance Image Service"
$ keystone service-create --name=keystone \
--type=identity \
--description="Keystone Identity Service"
$ keystone service-create --name=swift \
--type=object-store \
--description="Swift Service"
$ openstack service create nova --type compute \
--description "Nova Compute Service"
$ openstack service create ec2 --type ec2 \
--description "EC2 Compatibility Layer"
$ openstack service create glance --type image \
--description "Glance Image Service"
$ openstack service create keystone --type identity \
--description "Keystone Identity Service"
$ openstack service create swift --type object-store \
--description "Swift Service"
Setting Up Middleware
@ -209,9 +195,9 @@ Here is an example paste config filter that makes use of the 'admin_user' and
admin_user = admin
admin_password = keystone123
It should be noted that when using this option an admin tenant/role
relationship is required. The admin user is granted access to the 'Admin'
role to the 'admin' tenant.
It should be noted that when using this option an admin project/role
relationship is required. The admin user is granted access to the 'admin'
role to the 'admin' project.
The auth_token middleware can also be configured in nova.conf
[keystone_authtoken] section to keep paste config clean of site-specific
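Review bot: the sample filter settings (`admin_user = admin`, `admin_password = keystone123`) together with `The admin user is granted access to the 'admin' role to the 'admin' project` point the middleware at the cloud administrator account, whereas the `Creating Service Users` section above creates per-service users with the `admin` role on a separate `service` project for exactly this purpose; the example should use one of those service users (for instance `admin_user = nova` scoped to the `service` project) and the text should say the account needs the admin role on its own project, not on `admin`. `granted access to the 'admin' role to the 'admin' project` is also ungrammatical; `granted the 'admin' role on the 'admin' project`.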

View File

@ -45,7 +45,9 @@ file. You are advised to examine `Shibboleth Service Provider Configuration docu
An example of your ``/etc/shibboleth/shibboleth2.xml`` may look like
(The example shown below is for reference only, not to be used in a production
environment)::
environment):
.. code-block:: xml
<!--
File configuration courtesy of http://testshib.org

View File

@ -81,17 +81,16 @@
# token values. (integer value)
#max_token_size=8192
# During a SQL upgrade member_role_id will be used to create a
# new role that will replace records in the assignment table
# with explicit role grants. After migration, the
# member_role_id will be used in the API add_user_to_project.
# (string value)
# Similar to the member_role_name option, this represents the
# default role ID used to associate users with their default
# projects in the v2 API. This will be used as the explicit
# role where one is not specified by the v2 API. (string
# value)
#member_role_id=9fe2ff9ee4384b1894a90878d3e92bab
# During a SQL upgrade member_role_name will be used to create
# a new role that will replace records in the assignment table
# with explicit role grants. After migration, member_role_name
# will be ignored. (string value)
# This is the role name used in combination with the
# member_role_id option; see that option for more detail.
# (string value)
#member_role_name=_member_
# The value passed as the keyword "rounds" to passlib's
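Review bot: the two option descriptions now point at each other (`Similar to the member_role_name option` and `see that option for more detail`) without either saying what happens when no role with `member_role_id` exists; the removed text at least stated that the role is created during the SQL upgrade. State in one place whether the role is still created automatically and what the v2 API does when it is missing.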
@ -536,27 +535,27 @@
# Memcache servers in the format of "host:port".
# (dogpile.cache.memcache and keystone.cache.memcache_pool
# backends only) (list value)
# backends only). (list value)
#memcache_servers=localhost:11211
# Number of seconds memcached server is considered dead before
# it is tried again. (dogpile.cache.memcache and
# keystone.cache.memcache_pool backends only) (integer value)
# keystone.cache.memcache_pool backends only). (integer value)
#memcache_dead_retry=300
# Timeout in seconds for every call to a server.
# (dogpile.cache.memcache and keystone.cache.memcache_pool
# backends only) (integer value)
# backends only). (integer value)
#memcache_socket_timeout=3
# Max total number of open connections to every memcached
# server. (keystone.cache.memcache_pool backend only) (integer
# value)
# server. (keystone.cache.memcache_pool backend only).
# (integer value)
#memcache_pool_maxsize=10
# Number of seconds a connection to memcached is held unused
# in the pool before it is closed.
# (keystone.cache.memcache_pool backend only) (integer value)
# (keystone.cache.memcache_pool backend only). (integer value)
#memcache_pool_unused_timeout=60
# Number of seconds that an operation will wait to get a

View File

@ -12,9 +12,9 @@
"identity:get_region": "",
"identity:list_regions": "",
"identity:create_region": "rule:admin_or_cloud_admin",
"identity:update_region": "rule:admin_or_cloud_admin",
"identity:delete_region": "rule:admin_or_cloud_admin",
"identity:create_region": "rule:cloud_admin",
"identity:update_region": "rule:cloud_admin",
"identity:delete_region": "rule:cloud_admin",
"identity:get_service": "rule:admin_or_cloud_admin",
"identity:list_services": "rule:admin_or_cloud_admin",
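Review bot: regions move from `rule:admin_or_cloud_admin` to `rule:cloud_admin` while the neighbouring service rules (`identity:get_service`, `identity:list_services`) stay at `rule:admin_or_cloud_admin`; both are catalog objects, so either tighten the service and endpoint rules the same way or explain in the commit message or docs why region management is cloud-admin-only and service management is not. Leaving `identity:get_region` and `identity:list_regions` as `""` (allowed for any caller) is presumably intended for catalog discovery; since policy.json cannot carry comments, note that intent in the documentation so the next reader does not tighten it.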
@ -143,23 +143,23 @@
"identity:add_endpoint_group_to_project": "rule:admin_required",
"identity:remove_endpoint_group_from_project": "rule:admin_required",
"identity:create_identity_provider": "rule:admin_required",
"identity:list_identity_providers": "rule:admin_required",
"identity:get_identity_providers": "rule:admin_required",
"identity:update_identity_provider": "rule:admin_required",
"identity:delete_identity_provider": "rule:admin_required",
"identity:create_identity_provider": "rule:cloud_admin",
"identity:list_identity_providers": "rule:cloud_admin",
"identity:get_identity_providers": "rule:cloud_admin",
"identity:update_identity_provider": "rule:cloud_admin",
"identity:delete_identity_provider": "rule:cloud_admin",
"identity:create_protocol": "rule:admin_required",
"identity:update_protocol": "rule:admin_required",
"identity:get_protocol": "rule:admin_required",
"identity:list_protocols": "rule:admin_required",
"identity:delete_protocol": "rule:admin_required",
"identity:create_protocol": "rule:cloud_admin",
"identity:update_protocol": "rule:cloud_admin",
"identity:get_protocol": "rule:cloud_admin",
"identity:list_protocols": "rule:cloud_admin",
"identity:delete_protocol": "rule:cloud_admin",
"identity:create_mapping": "rule:admin_required",
"identity:get_mapping": "rule:admin_required",
"identity:list_mappings": "rule:admin_required",
"identity:delete_mapping": "rule:admin_required",
"identity:update_mapping": "rule:admin_required",
"identity:create_mapping": "rule:cloud_admin",
"identity:get_mapping": "rule:cloud_admin",
"identity:list_mappings": "rule:cloud_admin",
"identity:delete_mapping": "rule:cloud_admin",
"identity:update_mapping": "rule:cloud_admin",
"identity:get_auth_catalog": "",
"identity:get_auth_projects": "",
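Review bot: moving identity provider, protocol and mapping rules from `rule:admin_required` to `rule:cloud_admin` is the right direction for configuration that affects every domain, but `rule:admin_required` is satisfied by any admin-role token, so this is a real reduction in who may manage federation and belongs in the commit message alongside the region change above. Separately, the unchanged key `identity:get_identity_providers` is plural where every sibling `get_*` rule is singular; worth checking against the string the federation controller enforces so this rule actually matches and does not silently fall through to `default`.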

View File

@ -15,6 +15,8 @@
import sys
from keystoneclient.common import cms
from oslo.serialization import jsonutils
from oslo.utils import importutils
from oslo.utils import timeutils
import six
@ -27,8 +29,6 @@ from keystone import config
from keystone.contrib import federation
from keystone import exception
from keystone.i18n import _, _LI
from keystone.openstack.common import importutils
from keystone.openstack.common import jsonutils
from keystone.openstack.common import log

View File

@ -12,6 +12,7 @@
import functools
from oslo.serialization import jsonutils
from pycadf import cadftaxonomy as taxonomy
from six.moves.urllib import parse
@ -21,7 +22,6 @@ from keystone.contrib import federation
from keystone.contrib.federation import utils
from keystone.models import token_model
from keystone import notifications
from keystone.openstack.common import jsonutils
@dependency.requires('federation_api', 'identity_api', 'token_provider_api')
@ -58,7 +58,7 @@ class Mapped(auth.AuthMethodHandler):
token_audit_id = token_ref.audit_id
identity_provider = token_ref.federation_idp_id
protocol = token_ref.federation_protocol_id
user_id = token_ref['user']['id']
user_id = token_ref.user_id
group_ids = token_ref.federation_group_ids
send_notification = functools.partial(
notifications.send_saml_audit_notification, 'authenticate',
@ -92,8 +92,8 @@ class Mapped(auth.AuthMethodHandler):
identity_provider = auth_payload['identity_provider']
protocol = auth_payload['protocol']
group_ids = None
# NOTE(topol): Since the user is coming in from an IdP with a SAML doc
# instead of from a token we set token_id to None
# NOTE(topol): The user is coming in from an IdP with a SAML assertion
# instead of from a token, so we set token_id to None
token_id = None
try:

View File

@ -22,7 +22,6 @@ from keystone import config
from keystone import exception
from keystone.i18n import _LC
from keystone.openstack.common import log
from keystone.openstack.common import versionutils
LOG = log.getLogger(__name__)
@ -123,11 +122,3 @@ class Catalog(kvs.Catalog):
catalog[region][service] = service_data
return catalog
@versionutils.deprecated(
versionutils.deprecated.ICEHOUSE,
in_favor_of='keystone.catalog.backends.templated.Catalog',
remove_in=+2)
class TemplatedCatalog(Catalog):
pass
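Review bot: removing `TemplatedCatalog` matches the `remove_in=+2` on its ICEHOUSE deprecation, but any deployment still carrying `[catalog] driver = keystone.catalog.backends.kvs.TemplatedCatalog` will now fail at import time instead of logging a deprecation warning; add a release note pointing operators at `keystone.catalog.backends.templated.Catalog`. Also confirm `versionutils` has no other users in this module now that its only visible consumer is gone.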

View File

@ -35,11 +35,6 @@ from keystone.openstack.common import log
LOG = log.getLogger(__name__)
# NOTE(morganfainberg): This is used as the maximum number of seconds a get
# of a new connection will wait for before raising an exception indicating
# a serious / most likely non-recoverable delay has occurred.
CONNECTION_GET_TIMEOUT = 120
# This 'class' is taken from http://stackoverflow.com/a/22520633/238308
# Don't inherit client from threading.local so that we can reuse clients in
# different threads
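Review bot: dropping the hard-coded `CONNECTION_GET_TIMEOUT = 120` in favour of the new `memcache_pool_connection_get_timeout` option (default 10 in the config hunk further down) changes default behaviour: an operation that previously waited up to two minutes for a pooled client under pool exhaustion now gives up after ten seconds. Fail-fast is the better default for a cache layer, but it should be called out explicitly in the commit message, and the option's help text should say which exception callers see when the wait expires so operators can recognise it in logs.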
@ -78,9 +73,25 @@ class ConnectionPool(queue.Queue):
self._acquired = 0
def _create_connection(self):
"""Returns a connection instance.
This is called when the pool needs another instance created.
:returns: a new connection instance
"""
raise NotImplementedError
def _destroy_connection(self, conn):
"""Destroy and cleanup a connection instance.
This is called when the pool wishes to get rid of an existing
connection. This is the opportunity for a subclass to free up
resources and cleaup after itself.
:param conn: the connection object to destroy
"""
raise NotImplementedError
def _debug_logger(self, msg, *args, **kwargs):
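Review bot: typo in the `_destroy_connection` docstring, "cleaup" should be "cleanup". Since both new methods only `raise NotImplementedError`, consider marking them `@abc.abstractmethod` (with `six.add_metaclass(abc.ABCMeta)` on the class, if `six` is available here) so a subclass that forgets to implement one fails at instantiation rather than on the first pool miss in production.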
@ -110,6 +121,9 @@ class ConnectionPool(queue.Queue):
def _qsize(self):
return self.maxsize - self._acquired
# NOTE(dstanek): stdlib and eventlet Queue implementations
# have different names for the qsize method. This ensures
# that we override both of them.
if not hasattr(queue.Queue, '_qsize'):
qsize = _qsize
@ -121,18 +135,24 @@ class ConnectionPool(queue.Queue):
self._acquired += 1
return conn
def _drop_expired_connections(self, conn):
"""Drop all expired connections from the right end of the queue.
:param conn: connection object
"""
now = time.time()
while self.queue and self.queue[0].ttl < now:
conn = self.queue.popleft().connection
self._debug_logger('Reaping connection %s', id(conn))
self._destroy_connection(conn)
def _put(self, conn):
self.queue.append(_PoolItem(
ttl=time.time() + self._unused_timeout,
connection=conn,
))
self._acquired -= 1
# Drop all expired connections from the right end of the queue
now = time.time()
while self.queue and self.queue[0].ttl < now:
conn = self.queue.popleft().connection
self._debug_logger('Reaping connection %s', id(conn))
self._destroy_connection(conn)
self._drop_expired_connections(conn)
class MemcacheClientPool(ConnectionPool):
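Review bot: the `conn` parameter of `_drop_expired_connections` is never read; the loop immediately rebinds `conn` to the popped item's connection, so the parameter and the argument passed from `_put` can both be dropped. The docstring also says "right end of the queue" while the loop drains with `popleft()`: items are appended on the right with their ttl, so the oldest, first-to-expire item sits on the left. Fix the wording so the next reader does not mistake the direction for a bug.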
@ -173,9 +193,8 @@ class MemcacheClientPool(ConnectionPool):
# If this client found that one of the hosts is dead, mark it as
# such in our internal list
now = time.time()
for i, deaduntil, host in zip(itertools.count(),
self._hosts_deaduntil,
conn.servers):
for i, host in zip(itertools.count(), conn.servers):
deaduntil = self._hosts_deaduntil[i]
# Do nothing if we already know this host is dead
if deaduntil <= now:
if host.deaduntil > now:
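Review bot: `zip(itertools.count(), conn.servers)` followed by `self._hosts_deaduntil[i]` is just `enumerate(conn.servers)`; `for i, host in enumerate(conn.servers):` reads more clearly and lets you drop the `itertools` import if nothing else in the module uses it.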

View File

@ -17,12 +17,12 @@ import datetime
from dogpile.cache import api
from dogpile.cache import util as dp_util
from oslo.utils import importutils
from oslo.utils import timeutils
import six
from keystone import exception
from keystone.i18n import _
from keystone.openstack.common import importutils
from keystone.openstack.common import log

View File

@ -17,11 +17,11 @@
import dogpile.cache
from dogpile.cache import proxy
from dogpile.cache import util
from oslo.utils import importutils
from keystone import config
from keystone import exception
from keystone.i18n import _
from keystone.openstack.common import importutils
from keystone.openstack.common import log

View File

@ -97,16 +97,15 @@ FILE_OPTIONS = {
'exception for token values.'),
cfg.StrOpt('member_role_id',
default='9fe2ff9ee4384b1894a90878d3e92bab',
help='During a SQL upgrade member_role_id will be used '
'to create a new role that will replace records in '
'the assignment table with explicit role grants. '
'After migration, the member_role_id will be used in '
'the API add_user_to_project.'),
help='Similar to the member_role_name option, this '
'represents the default role ID used to associate '
'users with their default projects in the v2 API. '
'This will be used as the explicit role where one is '
'not specified by the v2 API.'),
cfg.StrOpt('member_role_name', default='_member_',
help='During a SQL upgrade member_role_name will be used '
'to create a new role that will replace records in '
'the assignment table with explicit role grants. '
'After migration, member_role_name will be ignored.'),
help='This is the role name used in combination with the '
'member_role_id option; see that option for more '
'detail.'),
cfg.IntOpt('crypt_strength', default=40000,
help='The value passed as the keyword "rounds" to '
'passlib\'s encrypt method.'),
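Review bot: the two help strings now point at each other in a circle: `member_role_id` says "Similar to the member_role_name option" and `member_role_name` says "see that option for more detail", so neither explains what the name is for. Put the full description on one option (the default role implicitly granted by the v2 API, including `add_user_to_project`, when none is specified) and have the other say only that it is the name paired with that ID. Also confirm the SQL migration no longer reads these options, since the old help documented that behaviour and the new help drops it.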
@ -336,27 +335,27 @@ FILE_OPTIONS = {
cfg.ListOpt('memcache_servers', default=['localhost:11211'],
help='Memcache servers in the format of "host:port".'
' (dogpile.cache.memcache and keystone.cache.memcache_pool'
' backends only)'),
' backends only).'),
cfg.IntOpt('memcache_dead_retry',
default=5 * 60,
help='Number of seconds memcached server is considered dead'
' before it is tried again. (dogpile.cache.memcache and'
' keystone.cache.memcache_pool backends only)'),
' keystone.cache.memcache_pool backends only).'),
cfg.IntOpt('memcache_socket_timeout',
default=3,
help='Timeout in seconds for every call to a server.'
' (dogpile.cache.memcache and keystone.cache.memcache_pool'
' backends only)'),
' backends only).'),
cfg.IntOpt('memcache_pool_maxsize',
default=10,
help='Max total number of open connections to every'
' memcached server. (keystone.cache.memcache_pool backend'
' only)'),
' only).'),
cfg.IntOpt('memcache_pool_unused_timeout',
default=60,
help='Number of seconds a connection to memcached is held'
' unused in the pool before it is closed.'
' (keystone.cache.memcache_pool backend only)'),
' (keystone.cache.memcache_pool backend only).'),
cfg.IntOpt('memcache_pool_connection_get_timeout',
default=10,
help='Number of seconds that an operation will wait to get '

View File

@ -22,6 +22,7 @@ from dogpile.cache import proxy
from dogpile.cache import region
from dogpile.cache import util as dogpile_util
from dogpile.core import nameregistry
from oslo.utils import importutils
import six
from keystone.common import config
@ -29,7 +30,6 @@ from keystone import exception
from keystone.i18n import _
from keystone.i18n import _LI
from keystone.i18n import _LW
from keystone.openstack.common import importutils
from keystone.openstack.common import log

View File

@ -14,7 +14,7 @@
import functools
from keystone.openstack.common import importutils
from oslo.utils import importutils
def response_truncated(f):

View File

@ -26,6 +26,7 @@ from oslo.db import exception as db_exception
from oslo.db import options as db_options
from oslo.db.sqlalchemy import models
from oslo.db.sqlalchemy import session as db_session
from oslo.serialization import jsonutils
import six
import sqlalchemy as sql
from sqlalchemy.ext import declarative
@ -35,7 +36,6 @@ from sqlalchemy import types as sql_types
from keystone.common import utils
from keystone import exception
from keystone.i18n import _
from keystone.openstack.common import jsonutils
from keystone.openstack.common import log

View File

@ -28,12 +28,11 @@ column.
"""
from oslo.serialization import jsonutils
from oslo.utils import strutils
import sqlalchemy as sql
from sqlalchemy.orm import Session
from keystone.openstack.common import jsonutils
def _migrate_enabled_from_extra(migrate_engine, endpoint_table):
"""Remove `enabled` from `extra`, put it in the `enabled` column."""

View File

@ -28,12 +28,11 @@ column.
"""
from oslo.serialization import jsonutils
from oslo.utils import strutils
import sqlalchemy as sql
from sqlalchemy.orm import sessionmaker
from keystone.openstack.common import jsonutils
def _migrate_enabled_from_extra(migrate_engine, service_table):
"""Remove `enabled` from `extra`, put it in the `enabled` column."""

View File

@ -20,6 +20,8 @@ import sys
import migrate
from migrate import exceptions
from oslo.db.sqlalchemy import migration
from oslo.serialization import jsonutils
from oslo.utils import importutils
import six
import sqlalchemy
@ -29,8 +31,6 @@ from keystone import config
from keystone import contrib
from keystone import exception
from keystone.i18n import _
from keystone.openstack.common import importutils
from keystone.openstack.common import jsonutils
CONF = config.CONF

View File

@ -23,6 +23,7 @@ import hashlib
import os
import pwd
from oslo.serialization import jsonutils
from oslo.utils import strutils
import passlib.hash
import six
@ -32,7 +33,6 @@ from keystone.common import config
from keystone.common import environment
from keystone import exception
from keystone.i18n import _
from keystone.openstack.common import jsonutils
from keystone.openstack.common import log

View File

@ -21,6 +21,8 @@
import copy
from oslo import i18n
from oslo.serialization import jsonutils
from oslo.utils import importutils
import routes.middleware
import six
import webob.dec
@ -34,8 +36,6 @@ from keystone.i18n import _
from keystone.i18n import _LI
from keystone.i18n import _LW
from keystone.models import token_model
from keystone.openstack.common import importutils
from keystone.openstack.common import jsonutils
from keystone.openstack.common import log

View File

@ -40,6 +40,7 @@ def set_default_for_default_log_levels():
extra_log_level_defaults = [
'dogpile=INFO',
'routes=INFO',
'keystone.common._memcache_pool=INFO',
]
def find_default_log_levels_opt():

View File

@ -37,6 +37,7 @@ import sys
import uuid
from keystoneclient.contrib.ec2 import utils as ec2_utils
from oslo.serialization import jsonutils
import six
from keystone.common import controller
@ -46,7 +47,6 @@ from keystone.common import wsgi
from keystone import exception
from keystone.i18n import _
from keystone.models import token_model
from keystone.openstack.common import jsonutils
@dependency.requires('assignment_api', 'catalog_api', 'credential_api',

View File

@ -12,10 +12,11 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo.serialization import jsonutils
from keystone.common import sql
from keystone.contrib.federation import core
from keystone import exception
from keystone.openstack.common import jsonutils
class FederationProtocolModel(sql.ModelBase, sql.DictBase):

View File

@ -15,6 +15,7 @@ import os
import subprocess
import uuid
from oslo.utils import timeutils
import saml2
from saml2 import md
from saml2 import saml
@ -27,7 +28,6 @@ from keystone import exception
from keystone.i18n import _, _LE
from keystone.openstack.common import fileutils
from keystone.openstack.common import log
from keystone.openstack.common import timeutils
LOG = log.getLogger(__name__)

View File

@ -16,6 +16,7 @@ import datetime
import random
import uuid
from oslo.serialization import jsonutils
from oslo.utils import timeutils
import six
@ -23,7 +24,6 @@ from keystone.common import sql
from keystone.contrib.oauth1 import core
from keystone import exception
from keystone.i18n import _
from keystone.openstack.common import jsonutils
class Consumer(sql.ModelBase, sql.DictBase):

View File

@ -14,6 +14,7 @@
"""Extensions supporting OAuth1."""
from oslo.serialization import jsonutils
from oslo.utils import timeutils
from keystone.common import controller
@ -26,7 +27,6 @@ from keystone import exception
from keystone.i18n import _
from keystone.models import token_model
from keystone import notifications
from keystone.openstack.common import jsonutils
CONF = config.CONF

View File

@ -12,13 +12,13 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo.serialization import jsonutils
import webob
from keystone.common import extension
from keystone.common import json_home
from keystone.common import wsgi
from keystone import exception
from keystone.openstack.common import jsonutils
from keystone.openstack.common import log

View File

@ -14,13 +14,14 @@
import hashlib
from oslo.serialization import jsonutils
from keystone.common import controller
from keystone.common import dependency
from keystone.common import validation
from keystone.credential import schema
from keystone import exception
from keystone.i18n import _
from keystone.openstack.common import jsonutils
@dependency.requires('credential_api')

View File

@ -20,6 +20,7 @@ import os
import uuid
from oslo.config import cfg
from oslo.utils import importutils
import six
from keystone import clean
@ -31,7 +32,6 @@ from keystone import exception
from keystone.i18n import _
from keystone.identity.mapping_backends import mapping
from keystone import notifications
from keystone.openstack.common import importutils
from keystone.openstack.common import log

View File

@ -12,6 +12,7 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo.serialization import jsonutils
import six
import webob.dec
@ -23,7 +24,6 @@ from keystone.common import wsgi
from keystone import exception
from keystone.i18n import _
from keystone.models import token_model
from keystone.openstack.common import jsonutils
from keystone.openstack.common import log
from keystone.openstack.common import versionutils

View File

@ -378,7 +378,7 @@ class TestCase(BaseTestCase):
driver='keystone.token.persistence.backends.kvs.Token')
self.config_fixture.config(
group='trust',
driver='keystone.trust.backends.kvs.Trust')
driver='keystone.trust.backends.sql.Trust')
self.config_fixture.config(
group='saml', certfile=signing_certfile, keyfile=signing_keyfile)
self.config_fixture.config(

View File

@ -327,18 +327,7 @@ class FakeLdap(core.LDAPHandler):
def delete_s(self, dn):
"""Remove the ldap object at specified dn."""
if server_fail:
raise ldap.SERVER_DOWN
key = self.key(dn)
LOG.debug('delete item: dn=%s', core.utf8_decode(dn))
try:
del self.db[key]
except KeyError:
LOG.debug('delete item failed: dn=%s not found.',
core.utf8_decode(dn))
raise ldap.NO_SUCH_OBJECT
self.db.sync()
return self.delete_ext_s(dn, serverctrls=[])
def _getChildren(self, dn):
return [k for k, v in six.iteritems(self.db)
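Review bot: delegating `delete_s` to `delete_ext_s(dn, serverctrls=[])` removes a duplicated body, and the visible start of `delete_ext_s` still performs the `server_fail` check, so that path is preserved. Confirm that `delete_ext_s` also calls `self.db.sync()` as the removed body did; otherwise deletes through `delete_s` stop being persisted in the fake store and tests sharing a handler could see stale entries.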
@ -428,7 +417,7 @@ class FakeLdap(core.LDAPHandler):
Args:
base -- dn to search under
scope -- only SCOPE_BASE and SCOPE_SUBTREE are supported
scope -- search scope (base, subtree, onelevel)
filterstr -- filter objects by
attrlist -- attrs to return. Returns all attrs if not specified
@ -483,9 +472,8 @@ class FakeLdap(core.LDAPHandler):
results = list(get_entries())
else:
LOG.debug('search fail: unknown scope %s', scope)
raise NotImplementedError('Search scope %s not implemented.'
% scope)
# openldap client/server raises PROTOCOL_ERROR for unexpected scope
raise ldap.PROTOCOL_ERROR
objects = []
for dn, attrs in results:
@ -569,9 +557,6 @@ class FakeLdapNoSubtreeDelete(FakeLdap):
an entry that has children.
"""
def delete_s(self, dn):
self.delete_ext_s(dn, [], None)
def delete_ext_s(self, dn, serverctrls, clientctrls=None):
"""Remove the ldap object at specified dn."""
if server_fail:

View File

@ -96,7 +96,7 @@ class HackingCode(fixtures.Fixture):
import logging
import logging as stlib_logging
from keystone.i18n import _
from keystone.i18n import _ as oslog_i18n
from keystone.i18n import _ as oslo_i18n
from keystone.openstack.common import log
from keystone.openstack.common import log as oslo_logging
@ -105,7 +105,7 @@ class HackingCode(fixtures.Fixture):
L0.debug(_('text'))
class C:
def __init__(self):
L0.debug(oslog_i18n('text', {}))
L0.debug(oslo_i18n('text', {}))
# stdlib logging w/ alias and specifying a logger
class C:
@ -118,7 +118,7 @@ class HackingCode(fixtures.Fixture):
# oslo logging and specifying a logger
L2 = log.getLogger(__name__)
L2.debug(oslog_i18n('text'))
L2.debug(oslo_i18n('text'))
# oslo logging w/ alias
class C:

View File

@ -15,12 +15,12 @@
import io
from lxml import etree
from oslo.serialization import jsonutils
import six
import webtest
from keystone.auth import controllers as auth_controllers
from keystone.common import serializer
from keystone.openstack.common import jsonutils
from keystone import tests
from keystone.tests import default_fixtures
from keystone.tests.ksfixtures import database

View File

@ -20,8 +20,6 @@ import six
from keystone import config
from keystone import exception
from keystone import tests
from keystone.tests import default_fixtures
from keystone.tests.ksfixtures import database
from keystone.tests import test_backend
@ -104,24 +102,6 @@ class KvsToken(tests.TestCase, test_backend.TokenTests):
self.assertEqual(expected_user_token_list, user_token_list)
class KvsTrust(tests.TestCase, test_backend.TrustTests):
def setUp(self):
super(KvsTrust, self).setUp()
# Need to load the SQL database support for the fixtures
self.useFixture(database.Database())
self.load_backends()
self.load_fixtures(default_fixtures)
def config_overrides(self):
super(KvsTrust, self).config_overrides()
self.config_fixture.config(
group='trust',
driver='keystone.trust.backends.kvs.Trust')
self.config_fixture.config(
group='catalog',
driver='keystone.catalog.backends.kvs.Catalog')
class KvsCatalog(tests.TestCase, test_backend.CatalogTests):
def setUp(self):
super(KvsCatalog, self).setUp()
@ -130,9 +110,6 @@ class KvsCatalog(tests.TestCase, test_backend.CatalogTests):
def config_overrides(self):
super(KvsCatalog, self).config_overrides()
self.config_fixture.config(
group='trust',
driver='keystone.trust.backends.kvs.Trust')
self.config_fixture.config(
group='catalog',
driver='keystone.catalog.backends.kvs.Catalog')

View File

@ -14,11 +14,11 @@
import uuid
from oslo.serialization import jsonutils
import six
from keystone.common import wsgi
from keystone import exception
from keystone.openstack.common import jsonutils
from keystone import tests

View File

@ -17,11 +17,11 @@ import os
import uuid
import mock
from oslo.serialization import jsonutils
from oslo.utils import timeutils
import webob
from keystone import config
from keystone.openstack.common import jsonutils
from keystone import tests
from keystone.tests import default_fixtures
from keystone.tests.ksfixtures import appserver

View File

@ -12,11 +12,11 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo.serialization import jsonutils
import webob
from keystone import config
from keystone import middleware
from keystone.openstack.common import jsonutils
from keystone import tests

View File

@ -151,17 +151,43 @@ class EndpointFilterExtension(test_sql_upgrade.SqlMigrateBase):
def repo_package(self):
return endpoint_filter
def upgrade(self, version):
super(EndpointFilterExtension, self).upgrade(
version, repository=self.repo_path)
def downgrade(self, version):
super(EndpointFilterExtension, self).downgrade(
version, repository=self.repo_path)
def _assert_v1_tables(self):
self.assertTableColumns('project_endpoint',
['endpoint_id', 'project_id'])
self.assertTableDoesNotExist('endpoint_group')
self.assertTableDoesNotExist('project_endpoint_group')
def _assert_v2_tables(self):
self.assertTableColumns('project_endpoint',
['endpoint_id', 'project_id'])
self.assertTableColumns('endpoint_group',
['id', 'name', 'description', 'filters'])
self.assertTableColumns('project_endpoint_group',
['endpoint_group_id', 'project_id'])
def test_upgrade(self):
self.assertTableDoesNotExist('project_endpoint')
self.upgrade(1, repository=self.repo_path)
self.upgrade(1)
self._assert_v1_tables()
self.assertTableColumns('project_endpoint',
['endpoint_id', 'project_id'])
self.upgrade(2)
self._assert_v2_tables()
def test_downgrade(self):
self.upgrade(1, repository=self.repo_path)
self.assertTableColumns('project_endpoint',
['endpoint_id', 'project_id'])
self.downgrade(0, repository=self.repo_path)
self.upgrade(2)
self._assert_v2_tables()
self.downgrade(1)
self._assert_v1_tables()
self.downgrade(0)
self.assertTableDoesNotExist('project_endpoint')
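Review bot: the new `upgrade`/`downgrade` wrappers take only `version`, and every visible call site drops `repository=self.repo_path`; any other test in this class that still passes `repository=` will now raise `TypeError`, so grep for remaining uses before merging. Otherwise the shape is good: `test_downgrade` walks 2 to 1 to 0 and `_assert_v1_tables` checks that the two v2 tables are absent, which catches a downgrade that forgets to drop them.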

View File

@ -16,6 +16,7 @@ import datetime
import uuid
from lxml import etree
from oslo.serialization import jsonutils
from oslo.utils import timeutils
import six
from testtools import matchers
@ -27,7 +28,6 @@ from keystone.common import serializer
from keystone import config
from keystone import exception
from keystone import middleware
from keystone.openstack.common import jsonutils
from keystone.policy.backends import rules
from keystone import tests
from keystone.tests.ksfixtures import database
@ -1023,17 +1023,13 @@ class RestfulTestCase(tests.SQLDriverOverrides, rest.RestfulTestCase,
self.assertEqual(ref['name'], entity['name'])
return entity
def assertValidRoleAssignmentListResponse(self, resp, ref=None,
expected_length=None,
def assertValidRoleAssignmentListResponse(self, resp, expected_length=None,
resource_url=None):
entities = resp.result.get('role_assignments')
if expected_length is not None:
self.assertEqual(len(entities), expected_length)
elif ref is not None:
# we're at least expecting the ref
self.assertNotEmpty(entities)
# collections should have relational links
self.assertValidListLinks(resp.result.get('links'),
@ -1042,8 +1038,6 @@ class RestfulTestCase(tests.SQLDriverOverrides, rest.RestfulTestCase,
for entity in entities:
self.assertIsNotNone(entity)
self.assertValidRoleAssignment(entity)
if ref:
self.assertValidRoleAssignment(entity, ref)
return entities
def assertValidRoleAssignment(self, entity, ref=None, url=None):
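Review bot: dropping the `ref` parameter removes the per-entity `assertValidRoleAssignment(entity, ref)` check, so a list response is now validated only for length and well-formedness, not for containing the assignment the test created. If callers moved that check elsewhere this is fine; if they simply stopped passing `ref`, the tests got weaker. The commit message should say which, since role assignment listing is exactly where a scope or filtering regression would hide.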

View File

@ -17,6 +17,7 @@ import uuid
from lxml import etree
import mock
from oslo.serialization import jsonutils
from oslotest import mockpatch
import saml2
from saml2 import saml
@ -32,7 +33,6 @@ from keystone.contrib.federation import idp as keystone_idp
from keystone.contrib.federation import utils as mapping_utils
from keystone import exception
from keystone import notifications
from keystone.openstack.common import jsonutils
from keystone.openstack.common import log
from keystone.tests import federation_fixtures
from keystone.tests import mapping_fixtures

View File

@ -15,8 +15,9 @@
import uuid
from oslo.serialization import jsonutils
from keystone import config
from keystone.openstack.common import jsonutils
from keystone.policy.backends import rules
from keystone.tests import filtering
from keystone.tests.ksfixtures import temporaryfile

View File

@ -15,6 +15,7 @@
import copy
import uuid
from oslo.serialization import jsonutils
from six.moves import urllib
from keystone import config
@ -22,7 +23,6 @@ from keystone.contrib import oauth1
from keystone.contrib.oauth1 import controllers
from keystone.contrib.oauth1 import core
from keystone import exception
from keystone.openstack.common import jsonutils
from keystone.tests.ksfixtures import temporaryfile
from keystone.tests import test_v3

View File

@ -15,9 +15,10 @@
import uuid
from oslo.serialization import jsonutils
from keystone import config
from keystone import exception
from keystone.openstack.common import jsonutils
from keystone.policy.backends import rules
from keystone import tests
from keystone.tests.ksfixtures import temporaryfile

View File

@ -18,12 +18,12 @@ import functools
import random
import mock
from oslo.serialization import jsonutils
from testtools import matchers as tt_matchers
from keystone.common import json_home
from keystone import config
from keystone import controllers
from keystone.openstack.common import jsonutils
from keystone import tests
from keystone.tests import matchers

View File

@ -18,6 +18,7 @@ import uuid
import mock
from oslo import i18n
from oslo.serialization import jsonutils
import six
from testtools import matchers
import webob
@ -25,7 +26,6 @@ import webob
from keystone.common import environment
from keystone.common import wsgi
from keystone import exception
from keystone.openstack.common import jsonutils
from keystone import tests

View File

@ -10,6 +10,6 @@
# License for the specific language governing permissions and limitations
# under the License.
# NOTE(morganfainberg): This module is for transition from the old token
# backend package location to the new one. This module is slated for removal
# NOTE(morganfainberg): This package is for transition from the old token
# backend package location to the new one. This package is slated for removal
# in the Kilo development cycle.

View File

@ -16,6 +16,7 @@ import datetime
import sys
from keystoneclient.common import cms
from oslo.serialization import jsonutils
from oslo.utils import timeutils
import six
@ -26,7 +27,6 @@ from keystone import config
from keystone import exception
from keystone.i18n import _
from keystone.models import token_model
from keystone.openstack.common import jsonutils
from keystone.openstack.common import log
from keystone.token import provider

View File

@ -12,6 +12,7 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo.serialization import jsonutils
from oslo.utils import timeutils
import six
from six.moves.urllib import parse
@ -21,7 +22,6 @@ from keystone import config
from keystone.contrib import federation
from keystone import exception
from keystone.i18n import _
from keystone.openstack.common import jsonutils
from keystone.openstack.common import log
from keystone import token
from keystone.token import provider

View File

@ -15,12 +15,12 @@
"""Keystone PKI Token Provider"""
from keystoneclient.common import cms
from oslo.serialization import jsonutils
from keystone.common import environment
from keystone import config
from keystone import exception
from keystone.i18n import _
from keystone.openstack.common import jsonutils
from keystone.openstack.common import log
from keystone.token.providers import common

View File

@ -13,12 +13,12 @@
"""Keystone Compressed PKI Token Provider"""
from keystoneclient.common import cms
from oslo.serialization import jsonutils
from keystone.common import environment
from keystone import config
from keystone import exception
from keystone.i18n import _
from keystone.openstack.common import jsonutils
from keystone.openstack.common import log
from keystone.token.providers import common

View File

@ -1,121 +0,0 @@
# Copyright 2012 OpenStack Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
"""
An in memory implementation of the trusts API.
only to be used for testing purposes
"""
import copy
from oslo.utils import timeutils
from keystone.common import kvs
from keystone import exception
from keystone.openstack.common import versionutils
from keystone import trust as keystone_trust
def _filter_trust(ref, deleted=False):
if ref['deleted_at'] and not deleted:
return None
if (ref.get('expires_at') and timeutils.utcnow() > ref['expires_at'] and
not deleted):
return None
remaining_uses = ref.get('remaining_uses')
# Do not return trusts that can't be used anymore
if remaining_uses is not None and not deleted:
if remaining_uses <= 0:
return None
ref = copy.deepcopy(ref)
return ref
class Trust(kvs.Base, keystone_trust.Driver):
@versionutils.deprecated(versionutils.deprecated.JUNO,
in_favor_of='keystone.trust.backends.sql',
remove_in=+1,
what='keystone.trust.backends.kvs')
def __init__(self):
super(Trust, self).__init__()
def create_trust(self, trust_id, trust, roles):
trust_ref = copy.deepcopy(trust)
trust_ref['id'] = trust_id
trust_ref['deleted_at'] = None
trust_ref['roles'] = roles
if (trust_ref.get('expires_at') and
trust_ref['expires_at'].tzinfo is not None):
trust_ref['expires_at'] = (timeutils.normalize_time
(trust_ref['expires_at']))
self.db.set('trust-%s' % trust_id, trust_ref)
trustee_user_id = trust_ref['trustee_user_id']
trustee_list = self.db.get('trustee-%s' % trustee_user_id, [])
trustee_list.append(trust_id)
self.db.set('trustee-%s' % trustee_user_id, trustee_list)
trustor_user_id = trust_ref['trustor_user_id']
trustor_list = self.db.get('trustor-%s' % trustor_user_id, [])
trustor_list.append(trust_id)
self.db.set('trustor-%s' % trustor_user_id, trustor_list)
return trust_ref
def consume_use(self, trust_id):
try:
orig_ref = self.db.get('trust-%s' % trust_id)
except exception.NotFound:
raise exception.TrustNotFound(trust_id=trust_id)
remaining_uses = orig_ref.get('remaining_uses')
if remaining_uses is None:
# unlimited uses, do nothing
return
elif remaining_uses > 0:
ref = copy.deepcopy(orig_ref)
ref['remaining_uses'] -= 1
self.db.set('trust-%s' % trust_id, ref)
else:
raise exception.TrustUseLimitReached(trust_id=trust_id)
def get_trust(self, trust_id, deleted=False):
try:
ref = self.db.get('trust-%s' % trust_id)
return _filter_trust(ref, deleted=deleted)
except exception.NotFound:
return None
def delete_trust(self, trust_id):
try:
ref = self.db.get('trust-%s' % trust_id)
except exception.NotFound:
raise exception.TrustNotFound(trust_id=trust_id)
ref['deleted_at'] = timeutils.utcnow()
self.db.set('trust-%s' % trust_id, ref)
def list_trusts(self):
trusts = []
for key, value in self.db.items():
if key.startswith("trust-") and not value['deleted_at']:
trusts.append(value)
return trusts
def list_trusts_for_trustee(self, trustee_user_id):
trusts = []
for trust in self.db.get('trustee-%s' % trustee_user_id, []):
trusts.append(self.get_trust(trust))
return trusts
def list_trusts_for_trustor(self, trustor_user_id):
trusts = []
for trust in self.db.get('trustor-%s' % trustor_user_id, []):
trusts.append(self.get_trust(trust))
return trusts
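Review bot: the `JUNO` deprecation with `remove_in=+1` makes removing the KVS trust backend in the Kilo cycle on schedule, and the test configuration hunk above already switches to `keystone.trust.backends.sql.Trust`. Two things to confirm: that the SQL backend preserves the security-relevant filtering `_filter_trust` did here (hiding trusts past `expires_at`, with `remaining_uses <= 0`, or soft-deleted via `deleted_at` unless `deleted=True` is requested), since a trust that is served after expiry is a delegation bypass; and that operators still configured with `[trust] driver = keystone.trust.backends.kvs.Trust` get a release note and a clear failure rather than an unexplained import error at startup.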

View File

@ -2,8 +2,6 @@
module=config
module=gettextutils
module=importutils
module=jsonutils
module=log
module=policy
module=processutils
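Review bot: with `importutils` and `jsonutils` dropped from the sync list, the `keystone/openstack/common/importutils.py` and `jsonutils.py` copies should be deleted in the same change; every `from keystone.openstack.common import jsonutils` and `importutils` site visible in this patch is converted to the `oslo.*` import, and leaving the old modules in place would let a stray import keep working against a stale, unsynced copy.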

View File

@ -22,6 +22,7 @@ oslo.config>=1.4.0 # Apache-2.0
oslo.messaging>=1.4.0
oslo.db>=1.0.0 # Apache-2.0
oslo.i18n>=1.0.0 # Apache-2.0
oslo.serialization>=1.0.0 # Apache-2.0
oslo.utils>=1.0.0 # Apache-2.0
Babel>=1.3
oauthlib>=0.6

View File

@ -51,7 +51,7 @@ testscenarios>=0.4
# keystoneclient <0.2.1
httplib2>=0.7.5
# replaces httplib2 in keystoneclient >=0.2.1
requests>=1.2.1,!=2.4.0
requests>=2.2.0,!=2.4.0
keyring>=2.1,!=3.3
# For documentation

View File

@ -52,7 +52,7 @@ testscenarios>=0.4
# keystoneclient <0.2.1
httplib2>=0.7.5
# replaces httplib2 in keystoneclient >=0.2.1
requests>=1.2.1,!=2.4.0
requests>=2.2.0,!=2.4.0
keyring>=2.1,!=3.3
# For documentation