From d9c6b50a3ae514e640fa13a344e59fe3649ee0ef Mon Sep 17 00:00:00 2001 
From: Dolph Mathews Date: Fri, 24 Jun 2016 00:59:11 +0000 Subject: [PATCH] Replace keystone.common.config with keystone.conf package keystone.common.config is 1200+ lines of super dense, merge-conflict prone, difficult to navigate, and finicky to maintain code. Let's follow nova's lead and break it down into more manageable modules. This patch creates a new Python package, keystone.conf, and moves all of our configuration options into it, mirroring nova's nova.conf package. There are a couple special modules in keystone.conf introduced here as well: - keystone.conf.__init__: This causes all of Keystone's options to be registered on import, so consumers of keystone.conf don't have races with config initialization code while trying to use oslo_config.cfg.CONF directly (keystone.conf replaces all uses for oslo_config.cfg.CONF in keystone). - keystone.conf.base: Keystone's [DEFAULT] group options. I'd prefer this to be called 'default.py', but I'm just copying nova's lead here. - keystone.conf.opts: The entry point for oslo.config itself. - keystone.conf.constants: There are a few constants (deprecation messages, default paths, etc) that are used by multiple configuration modules, so they need to live in a common place. 
Change-Id: Ia3daffe3fef111b42de203762e966cd14d8927e2 --- keystone/assignment/V8_backends/sql.py | 4 +- keystone/assignment/backends/base.py | 4 +- keystone/assignment/controllers.py | 4 +- keystone/assignment/core.py | 4 +- keystone/assignment/role_backends/base.py | 4 +- keystone/assignment/routers.py | 6 +- keystone/auth/controllers.py | 9 +- keystone/auth/plugins/core.py | 4 +- keystone/auth/plugins/external.py | 4 +- keystone/auth/plugins/token.py | 4 +- keystone/catalog/backends/base.py | 4 +- keystone/catalog/backends/sql.py | 4 +- keystone/catalog/backends/templated.py | 4 +- keystone/catalog/core.py | 4 +- keystone/cmd/cli.py | 10 +- keystone/common/cache/core.py | 4 +- keystone/common/config.py | 1270 ----------------- keystone/common/controller.py | 4 +- keystone/common/kvs/backends/memcached.py | 4 +- keystone/common/kvs/core.py | 4 +- keystone/common/openssl.py | 4 +- keystone/common/profiler.py | 4 +- keystone/common/request.py | 4 +- keystone/common/sql/core.py | 4 +- .../versions/082_add_federation_tables.py | 4 +- keystone/common/sql/migration_helpers.py | 4 +- keystone/common/tokenless_auth.py | 4 +- keystone/common/utils.py | 4 +- keystone/common/wsgi.py | 4 +- keystone/conf/__init__.py | 189 +++ keystone/conf/assignment.py | 48 + keystone/conf/auth.py | 88 ++ keystone/conf/base.py | 224 +++ keystone/conf/catalog.py | 70 + keystone/conf/constants.py | 30 + keystone/conf/credential.py | 38 + keystone/conf/domain_config.py | 56 + keystone/conf/endpoint_filter.py | 46 + keystone/conf/endpoint_policy.py | 52 + keystone/conf/eventlet_server.py | 90 ++ keystone/conf/federation.py | 97 ++ keystone/conf/fernet_tokens.py | 49 + keystone/conf/identity.py | 120 ++ keystone/conf/identity_mapping.py | 67 + keystone/conf/kvs.py | 66 + keystone/conf/ldap.py | 545 +++++++ keystone/conf/memcache.py | 86 ++ keystone/conf/oauth1.py | 53 + keystone/conf/opts.py | 97 ++ keystone/conf/os_inherit.py | 48 + keystone/conf/paste_deploy.py | 37 + keystone/conf/policy.py | 
45 + keystone/conf/resource.py | 105 ++ keystone/conf/revoke.py | 67 + keystone/conf/role.py | 62 + keystone/conf/saml.py | 175 +++ keystone/conf/security_compliance.py | 95 ++ keystone/conf/shadow_users.py | 38 + keystone/conf/signing.py | 103 ++ keystone/conf/token.py | 137 ++ keystone/conf/tokenless_auth.py | 63 + keystone/conf/trust.py | 61 + keystone/conf/utils.py | 26 + .../endpoint_filter/backends/catalog_sql.py | 4 +- keystone/credential/core.py | 4 +- keystone/endpoint_policy/core.py | 4 +- keystone/exception.py | 4 +- keystone/federation/controllers.py | 4 +- keystone/federation/core.py | 4 +- keystone/federation/idp.py | 4 +- keystone/federation/utils.py | 4 +- keystone/identity/backends/base.py | 4 +- keystone/identity/backends/ldap/core.py | 4 +- keystone/identity/controllers.py | 4 +- keystone/identity/core.py | 8 +- keystone/identity/generator.py | 4 +- keystone/middleware/auth.py | 4 +- keystone/middleware/core.py | 4 +- keystone/models/token_model.py | 4 +- keystone/notifications.py | 4 +- keystone/oauth1/controllers.py | 4 +- keystone/oauth1/core.py | 4 +- keystone/policy/backends/base.py | 4 +- keystone/policy/backends/rules.py | 4 +- keystone/policy/core.py | 4 +- keystone/resource/backends/base.py | 4 +- keystone/resource/config_backends/base.py | 4 +- keystone/resource/controllers.py | 4 +- keystone/resource/core.py | 4 +- keystone/revoke/backends/base.py | 4 +- keystone/revoke/core.py | 4 +- keystone/server/common.py | 11 +- keystone/server/wsgi.py | 43 +- .../tests/unit/assignment/test_backends.py | 4 +- keystone/tests/unit/backend/core_ldap.py | 4 +- .../tests/unit/common/test_notifications.py | 4 +- keystone/tests/unit/common/test_utils.py | 4 +- .../unit/contrib/federation/test_utils.py | 5 +- keystone/tests/unit/core.py | 11 +- keystone/tests/unit/fakeldap.py | 4 +- keystone/tests/unit/filtering.py | 5 +- .../identity/backends/test_ldap_common.py | 4 +- keystone/tests/unit/identity/test_backends.py | 4 +- 
.../tests/unit/identity/test_controllers.py | 4 +- keystone/tests/unit/identity/test_core.py | 4 +- .../tests/unit/ksfixtures/auth_plugins.py | 4 +- keystone/tests/unit/ksfixtures/database.py | 4 +- keystone/tests/unit/resource/test_backends.py | 4 +- .../tests/unit/resource/test_controllers.py | 4 +- keystone/tests/unit/resource/test_core.py | 4 +- keystone/tests/unit/test_auth.py | 7 +- keystone/tests/unit/test_backend_ldap.py | 4 +- keystone/tests/unit/test_backend_ldap_pool.py | 5 +- keystone/tests/unit/test_backend_sql.py | 4 +- keystone/tests/unit/test_cli.py | 4 +- keystone/tests/unit/test_config.py | 13 +- keystone/tests/unit/test_exception.py | 9 +- keystone/tests/unit/test_ldap_livetest.py | 4 +- .../tests/unit/test_ldap_pool_livetest.py | 4 +- keystone/tests/unit/test_ldap_tls_livetest.py | 4 +- keystone/tests/unit/test_middleware.py | 4 +- keystone/tests/unit/test_sql_upgrade.py | 4 +- keystone/tests/unit/test_token_provider.py | 4 +- keystone/tests/unit/test_v2.py | 4 +- keystone/tests/unit/test_v3.py | 4 +- keystone/tests/unit/test_v3_assignment.py | 4 +- keystone/tests/unit/test_v3_auth.py | 5 +- keystone/tests/unit/test_v3_credential.py | 4 +- keystone/tests/unit/test_v3_domain_config.py | 4 +- keystone/tests/unit/test_v3_federation.py | 4 +- keystone/tests/unit/test_v3_filters.py | 4 +- keystone/tests/unit/test_v3_identity.py | 4 +- keystone/tests/unit/test_v3_protection.py | 4 +- keystone/tests/unit/test_v3_resource.py | 4 +- keystone/tests/unit/test_versions.py | 5 +- keystone/tests/unit/token/test_backends.py | 4 +- .../tests/unit/token/test_fernet_provider.py | 4 +- keystone/tests/unit/token/test_token_model.py | 4 +- keystone/token/_simple_cert.py | 4 +- keystone/token/controllers.py | 4 +- keystone/token/persistence/backends/kvs.py | 4 +- .../token/persistence/backends/memcache.py | 4 +- .../persistence/backends/memcache_pool.py | 4 +- keystone/token/persistence/backends/sql.py | 4 +- keystone/token/persistence/core.py | 4 +- 
keystone/token/provider.py | 4 +- keystone/token/providers/common.py | 4 +- keystone/token/providers/fernet/core.py | 4 +- .../providers/fernet/token_formatters.py | 4 +- keystone/token/providers/fernet/utils.py | 4 +- keystone/token/providers/pki.py | 4 +- keystone/token/providers/pkiz.py | 4 +- keystone/token/utils.py | 8 +- keystone/trust/core.py | 4 +- keystone/version/service.py | 4 +- keystone_tempest_plugin/config.py | 1 - setup.cfg | 4 +- 157 files changed, 3485 insertions(+), 1539 deletions(-) delete mode 100644 keystone/common/config.py create mode 100644 keystone/conf/__init__.py create mode 100644 keystone/conf/assignment.py create mode 100644 keystone/conf/auth.py create mode 100644 keystone/conf/base.py create mode 100644 keystone/conf/catalog.py create mode 100644 keystone/conf/constants.py create mode 100644 keystone/conf/credential.py create mode 100644 keystone/conf/domain_config.py create mode 100644 keystone/conf/endpoint_filter.py create mode 100644 keystone/conf/endpoint_policy.py create mode 100644 keystone/conf/eventlet_server.py create mode 100644 keystone/conf/federation.py create mode 100644 keystone/conf/fernet_tokens.py create mode 100644 keystone/conf/identity.py create mode 100644 keystone/conf/identity_mapping.py create mode 100644 keystone/conf/kvs.py create mode 100644 keystone/conf/ldap.py create mode 100644 keystone/conf/memcache.py create mode 100644 keystone/conf/oauth1.py create mode 100644 keystone/conf/opts.py create mode 100644 keystone/conf/os_inherit.py create mode 100644 keystone/conf/paste_deploy.py create mode 100644 keystone/conf/policy.py create mode 100644 keystone/conf/resource.py create mode 100644 keystone/conf/revoke.py create mode 100644 keystone/conf/role.py create mode 100644 keystone/conf/saml.py create mode 100644 keystone/conf/security_compliance.py create mode 100644 keystone/conf/shadow_users.py create mode 100644 keystone/conf/signing.py create mode 100644 keystone/conf/token.py create mode 100644 
keystone/conf/tokenless_auth.py create mode 100644 keystone/conf/trust.py create mode 100644 keystone/conf/utils.py diff --git a/keystone/assignment/V8_backends/sql.py b/keystone/assignment/V8_backends/sql.py index f893c1c16d..aaa1cf218c 100644 --- a/keystone/assignment/V8_backends/sql.py +++ b/keystone/assignment/V8_backends/sql.py @@ -12,17 +12,17 @@ # License for the specific language governing permissions and limitations # under the License. -from oslo_config import cfg import sqlalchemy from sqlalchemy.sql.expression import false from keystone.assignment.backends import base from keystone.common import sql +import keystone.conf from keystone import exception from keystone.i18n import _ -CONF = cfg.CONF +CONF = keystone.conf.CONF class AssignmentType(object): diff --git a/keystone/assignment/backends/base.py b/keystone/assignment/backends/base.py index 114976f389..b581fa74fe 100644 --- a/keystone/assignment/backends/base.py +++ b/keystone/assignment/backends/base.py @@ -14,16 +14,16 @@ import abc -from oslo_config import cfg from oslo_log import log from oslo_log import versionutils import six +import keystone.conf from keystone import exception from keystone.i18n import _LW -CONF = cfg.CONF +CONF = keystone.conf.CONF LOG = log.getLogger(__name__) diff --git a/keystone/assignment/controllers.py b/keystone/assignment/controllers.py index 001712c718..d093114e60 100644 --- a/keystone/assignment/controllers.py +++ b/keystone/assignment/controllers.py @@ -18,7 +18,6 @@ import functools import uuid -from oslo_config import cfg from oslo_log import log from six.moves import urllib @@ -28,12 +27,13 @@ from keystone.common import dependency from keystone.common import utils from keystone.common import validation from keystone.common import wsgi +import keystone.conf from keystone import exception from keystone.i18n import _ from keystone import notifications -CONF = cfg.CONF +CONF = keystone.conf.CONF LOG = log.getLogger(__name__) 
diff --git a/keystone/assignment/core.py b/keystone/assignment/core.py index 90e130134f..73653a6dbb 100644 --- a/keystone/assignment/core.py +++ b/keystone/assignment/core.py @@ -17,7 +17,6 @@ import copy from oslo_cache import core as oslo_cache -from oslo_config import cfg from oslo_log import log from oslo_log import versionutils @@ -27,13 +26,14 @@ from keystone.common import cache from keystone.common import dependency from keystone.common import driver_hints from keystone.common import manager +import keystone.conf from keystone import exception from keystone.i18n import _ from keystone.i18n import _LI, _LE from keystone import notifications -CONF = cfg.CONF +CONF = keystone.conf.CONF LOG = log.getLogger(__name__) # This is a general cache region for assignment administration (CRUD diff --git a/keystone/assignment/role_backends/base.py b/keystone/assignment/role_backends/base.py index 3de5e2a278..40f70971d9 100644 --- a/keystone/assignment/role_backends/base.py +++ b/keystone/assignment/role_backends/base.py @@ -14,16 +14,16 @@ import abc -from oslo_config import cfg from oslo_log import log from oslo_log import versionutils import six +import keystone.conf from keystone import exception from keystone.i18n import _ -CONF = cfg.CONF +CONF = keystone.conf.CONF LOG = log.getLogger(__name__) diff --git a/keystone/assignment/routers.py b/keystone/assignment/routers.py index 83af6b11be..e5979d7433 100644 --- a/keystone/assignment/routers.py +++ b/keystone/assignment/routers.py @@ -17,15 +17,15 @@ import functools -from oslo_config import cfg - from keystone.assignment import controllers + from keystone.common import json_home from keystone.common import router from keystone.common import wsgi +import keystone.conf -CONF = cfg.CONF +CONF = keystone.conf.CONF build_os_inherit_relation = functools.partial( json_home.build_v3_extension_resource_relation, diff --git a/keystone/auth/controllers.py b/keystone/auth/controllers.py index d49336c5cf..ffe7f20675 100644 
--- a/keystone/auth/controllers.py +++ b/keystone/auth/controllers.py @@ -15,7 +15,6 @@ import sys from keystoneclient.common import cms -from oslo_config import cfg from oslo_log import log from oslo_log import versionutils from oslo_serialization import jsonutils @@ -23,11 +22,11 @@ from oslo_utils import importutils import six import stevedore -from keystone.common import config from keystone.common import controller from keystone.common import dependency from keystone.common import utils from keystone.common import wsgi +import keystone.conf from keystone import exception from keystone.federation import constants from keystone.i18n import _, _LI, _LW @@ -36,7 +35,7 @@ from keystone.resource import controllers as resource_controllers LOG = log.getLogger(__name__) -CONF = cfg.CONF +CONF = keystone.conf.CONF # registry of authentication methods AUTH_METHODS = {} @@ -75,7 +74,7 @@ def load_auth_methods(): return # config.setup_authentication should be idempotent, call it to ensure we # have setup all the appropriate configuration options we may need. - config.setup_authentication() + keystone.conf.auth.setup_authentication() for plugin in set(CONF.auth.methods): AUTH_METHODS[plugin] = load_auth_method(plugin) AUTH_PLUGINS_LOADED = True @@ -389,7 +388,7 @@ class Auth(controller.V3Controller): def __init__(self, *args, **kw): super(Auth, self).__init__(*args, **kw) - config.setup_authentication() + keystone.conf.auth.setup_authentication() def authenticate_for_token(self, request, auth=None): """Authenticate user and issue a token.""" diff --git a/keystone/auth/plugins/core.py b/keystone/auth/plugins/core.py index c513f8150d..64ad58890a 100644 --- a/keystone/auth/plugins/core.py +++ b/keystone/auth/plugins/core.py 
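Review bot: The comment above the rewritten call in load_auth_methods still reads `# config.setup_authentication should be idempotent, call it to ensure we` while the line under it now calls `keystone.conf.auth.setup_authentication()`, so the comment names a module this commit deletes; update it to `# keystone.conf.auth.setup_authentication should be idempotent, call it to ensure we`. That hunk, and the one in Auth.__init__ after it, reach the auth submodule through the bare `import keystone.conf` added at the top of the file, which only resolves if the package's __init__ imports its auth submodule; the commit message says the package registers every option on import, so that presumably holds, but an explicit `import keystone.conf.auth` would not depend on it. load_auth_methods begins outside the hunk.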
@@ -14,15 +14,15 @@ import sys -from oslo_config import cfg from oslo_log import log import six from keystone.common import dependency +import keystone.conf from keystone import exception -CONF = cfg.CONF +CONF = keystone.conf.CONF LOG = log.getLogger(__name__) diff --git a/keystone/auth/plugins/external.py b/keystone/auth/plugins/external.py index 576c91937d..6fa23839b0 100644 --- a/keystone/auth/plugins/external.py +++ b/keystone/auth/plugins/external.py @@ -16,16 +16,16 @@ import abc -from oslo_config import cfg import six from keystone import auth from keystone.common import dependency +import keystone.conf from keystone import exception from keystone.i18n import _ -CONF = cfg.CONF +CONF = keystone.conf.CONF @six.add_metaclass(abc.ABCMeta) diff --git a/keystone/auth/plugins/token.py b/keystone/auth/plugins/token.py index 5ed81102e4..721d328072 100644 --- a/keystone/auth/plugins/token.py +++ b/keystone/auth/plugins/token.py @@ -12,7 +12,6 @@ # License for the specific language governing permissions and limitations # under the License. -from oslo_config import cfg from oslo_log import log import six @@ -20,6 +19,7 @@ from keystone import auth from keystone.auth.plugins import mapped from keystone.common import dependency from keystone.common import wsgi +import keystone.conf from keystone import exception from keystone.i18n import _ from keystone.models import token_model @@ -27,7 +27,7 @@ from keystone.models import token_model LOG = log.getLogger(__name__) -CONF = cfg.CONF +CONF = keystone.conf.CONF @dependency.requires('federation_api', 'identity_api', 'token_provider_api') diff --git a/keystone/catalog/backends/base.py b/keystone/catalog/backends/base.py index 4ad896b090..fe6856bf17 100644 --- a/keystone/catalog/backends/base.py +++ b/keystone/catalog/backends/base.py 
@@ -14,14 +14,14 @@ import abc -from oslo_config import cfg from oslo_log import log import six +import keystone.conf from keystone import exception -CONF = cfg.CONF +CONF = keystone.conf.CONF LOG = log.getLogger(__name__) diff --git a/keystone/catalog/backends/sql.py b/keystone/catalog/backends/sql.py index d0a04c370a..e9b67f514c 100644 --- a/keystone/catalog/backends/sql.py +++ b/keystone/catalog/backends/sql.py @@ -15,7 +15,6 @@ import itertools -from oslo_config import cfg import sqlalchemy from sqlalchemy.sql import true @@ -23,11 +22,12 @@ from keystone.catalog.backends import base from keystone.common import driver_hints from keystone.common import sql from keystone.common import utils +import keystone.conf from keystone import exception from keystone.i18n import _ -CONF = cfg.CONF +CONF = keystone.conf.CONF class Region(sql.ModelBase, sql.DictBase): diff --git a/keystone/catalog/backends/templated.py b/keystone/catalog/backends/templated.py index d6924bcdcb..d11fa5db44 100644 --- a/keystone/catalog/backends/templated.py +++ b/keystone/catalog/backends/templated.py @@ -15,19 +15,19 @@ import itertools import os.path -from oslo_config import cfg from oslo_log import log import six from keystone.catalog.backends import base from keystone.common import utils +import keystone.conf from keystone import exception from keystone.i18n import _LC LOG = log.getLogger(__name__) -CONF = cfg.CONF +CONF = keystone.conf.CONF def parse_templates(template_lines): diff --git a/keystone/catalog/core.py b/keystone/catalog/core.py index b43b7ce784..4f1003651d 100644 --- a/keystone/catalog/core.py +++ b/keystone/catalog/core.py @@ -16,7 +16,6 @@ """Main entry point into the Catalog service.""" from oslo_cache import core as oslo_cache -from oslo_config import cfg from oslo_log import log from oslo_log import versionutils 
@@ -25,12 +24,13 @@ from keystone.common import cache from keystone.common import dependency from keystone.common import driver_hints from keystone.common import manager +import keystone.conf from keystone import exception from keystone.i18n import _ from keystone import notifications -CONF = cfg.CONF +CONF = keystone.conf.CONF LOG = log.getLogger(__name__) diff --git a/keystone/cmd/cli.py b/keystone/cmd/cli.py index a38ceca082..b31875437d 100644 --- a/keystone/cmd/cli.py +++ b/keystone/cmd/cli.py @@ -25,12 +25,12 @@ from oslo_log import versionutils from oslo_serialization import jsonutils import pbr.version -from keystone.common import config from keystone.common import driver_hints from keystone.common import openssl from keystone.common import sql from keystone.common.sql import migration_helpers from keystone.common import utils +import keystone.conf from keystone import exception from keystone.federation import idp from keystone.federation import utils as mapping_engine @@ -39,7 +39,7 @@ from keystone.server import backends from keystone import token -CONF = cfg.CONF +CONF = keystone.conf.CONF LOG = log.getLogger(__name__) @@ -955,9 +955,9 @@ command_opt = cfg.SubCommandOpt('command', def main(argv=None, config_files=None): CONF.register_cli_opt(command_opt) - config.configure() + keystone.conf.configure() sql.initialize() - config.set_default_for_default_log_levels() + keystone.conf.set_default_for_default_log_levels() CONF(args=argv[1:], project='keystone', @@ -966,5 +966,5 @@ def main(argv=None, config_files=None): default_config_files=config_files) if not CONF.default_config_files: LOG.warning(_LW('Config file not found, using default configs.')) - config.setup_logging() + keystone.conf.setup_logging() CONF.command.cmd_class.main() diff --git a/keystone/common/cache/core.py b/keystone/common/cache/core.py index 5c1a1e3d5a..3c4569a4f9 100644 --- a/keystone/common/cache/core.py +++ b/keystone/common/cache/core.py 
@@ -16,12 +16,12 @@ import dogpile.cache from dogpile.cache import api from oslo_cache import core as cache -from oslo_config import cfg from keystone.common.cache import _context_cache +import keystone.conf -CONF = cfg.CONF +CONF = keystone.conf.CONF CACHE_REGION = cache.create_region() diff --git a/keystone/common/config.py b/keystone/common/config.py deleted file mode 100644 index b3bfa2c290..0000000000 --- a/keystone/common/config.py +++ /dev/null 
@@ -1,1270 +0,0 @@ -# Copyright 2012 OpenStack Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -import logging -import os - -from oslo_cache import core as cache -from oslo_config import cfg -from oslo_log import log -import oslo_messaging -from oslo_middleware import cors -from osprofiler import opts as profiler -import passlib.utils - -from keystone import exception - - -_DEFAULT_AUTH_METHODS = ['external', 'password', 'token', 'oauth1'] -_CERTFILE = '/etc/keystone/ssl/certs/signing_cert.pem' -_KEYFILE = '/etc/keystone/ssl/private/signing_key.pem' -_SSO_CALLBACK = '/etc/keystone/sso_callback_template.html' - -_DEPRECATE_PKI_MSG = ('PKI token support has been deprecated in the M ' - 'release and will be removed in the O release. Fernet ' - 'or UUID tokens are recommended.') - -_DEPRECATE_INHERIT_MSG = ('The option to enable the OS-INHERIT extension has ' - 'been deprecated in the M release and will be ' - 'removed in the O release. The OS-INHERIT extension ' - 'will be enabled by default.') - -_DEPRECATE_EP_MSG = ('The option to enable the OS-ENDPOINT-POLICY extension ' - 'has been deprecated in the M release and will be ' - 'removed in the O release. 
The OS-ENDPOINT-POLICY ' - 'extension will be enabled by default.') - -_DEPRECATE_DII_MSG = ('The option to set domain_id_immutable to false ' - 'has been deprecated in the M release and will ' - 'be removed in the O release.') - -_DEPRECATE_EVENTLET_MSG = ('Support for running keystone under eventlet has ' - 'been removed in the N release. These options ' - 'remain for backwards compatibility because they ' - 'are used for URL substitutions.') - -FILE_OPTIONS = { - None: [ - cfg.StrOpt('admin_token', secret=True, default=None, - help='A "shared secret" that can be used to bootstrap ' - 'Keystone. This "token" does not represent a user, ' - 'and carries no explicit authorization. If set ' - 'to `None`, the value is ignored and the ' - '`admin_token` log in mechanism is effectively ' - 'disabled. To completely disable `admin_token` ' - 'in production (highly recommended), remove ' - 'AdminTokenAuthMiddleware from your paste ' - 'application pipelines (for example, in ' - 'keystone-paste.ini).'), - cfg.StrOpt('public_endpoint', - help='The base public endpoint URL for Keystone that is ' - 'advertised to clients (NOTE: this does NOT affect ' - 'how Keystone listens for connections). ' - 'Defaults to the base host URL of the request. E.g. a ' - 'request to http://server:5000/v3/users will ' - 'default to http://server:5000. You should only need ' - 'to set this value if the base URL contains a path ' - '(e.g. /prefix/v3) or the endpoint should be found ' - 'on a different server.'), - cfg.StrOpt('admin_endpoint', - help='The base admin endpoint URL for Keystone that is ' - 'advertised to clients (NOTE: this does NOT affect ' - 'how Keystone listens for connections). ' - 'Defaults to the base host URL of the request. E.g. a ' - 'request to http://server:35357/v3/users will ' - 'default to http://server:35357. You should only need ' - 'to set this value if the base URL contains a path ' - '(e.g. 
/prefix/v3) or the endpoint should be found ' - 'on a different server.'), - cfg.IntOpt('max_project_tree_depth', default=5, - help='Maximum depth of the project hierarchy, excluding ' - 'the project acting as a domain at the top of the ' - 'hierarchy. WARNING: setting it to a large value may ' - 'adversely impact performance.'), - cfg.IntOpt('max_param_size', default=64, - help='Limit the sizes of user & project ID/names.'), - # we allow tokens to be a bit larger to accommodate PKI - cfg.IntOpt('max_token_size', default=8192, - help='Similar to max_param_size, but provides an ' - 'exception for token values.'), - cfg.StrOpt('member_role_id', - default='9fe2ff9ee4384b1894a90878d3e92bab', - help='Similar to the member_role_name option, this ' - 'represents the default role ID used to associate ' - 'users with their default projects in the v2 API. ' - 'This will be used as the explicit role where one is ' - 'not specified by the v2 API.'), - cfg.StrOpt('member_role_name', default='_member_', - help='This is the role name used in combination with the ' - 'member_role_id option; see that option for more ' - 'detail.'), - # NOTE(lbragstad/morganfainberg): This value of 10k was - # measured as having an approximate 30% clock-time savings - # over the old default of 40k. The passlib default is not - # static and grows over time to constantly approximate ~300ms - # of CPU time to hash; this was considered too high. This - # value still exceeds the glibc default of 5k. - cfg.IntOpt('crypt_strength', default=10000, min=1000, max=100000, - help='The value passed as the keyword "rounds" to ' - 'passlib\'s encrypt method.'), - cfg.IntOpt('list_limit', - help='The maximum number of entities that will be ' - 'returned in a collection, with no limit set by ' - 'default. This global limit may be then overridden ' - 'for a specific driver, by specifying a list_limit ' - 'in the appropriate section (e.g. 
[assignment]).'), - cfg.BoolOpt('domain_id_immutable', default=True, - help='Set this to false if you want to enable the ' - 'ability for user, group and project entities ' - 'to be moved between domains by updating their ' - 'domain_id. Allowing such movement is not ' - 'recommended if the scope of a domain admin is being ' - 'restricted by use of an appropriate policy file ' - '(see policy.v3cloudsample as an example). This ' - 'ability is deprecated and will be removed in a ' - 'future release.', - deprecated_for_removal=True, - deprecated_reason=_DEPRECATE_DII_MSG), - cfg.BoolOpt('strict_password_check', default=False, - help='If set to true, strict password length checking is ' - 'performed for password manipulation. If a password ' - 'exceeds the maximum length, the operation will fail ' - 'with an HTTP 403 Forbidden error. If set to false, ' - 'passwords are automatically truncated to the ' - 'maximum length.'), - cfg.StrOpt('secure_proxy_ssl_header', default='HTTP_X_FORWARDED_PROTO', - deprecated_for_removal=True, - deprecated_reason='Use http_proxy_to_wsgi middleware ' - 'configuration instead.', - help='The HTTP header used to determine the scheme for the ' - 'original request, even if it was removed by an SSL ' - 'terminating proxy.'), - cfg.BoolOpt('insecure_debug', default=False, - help='If set to true the server will return information ' - 'in the response that may allow an unauthenticated ' - 'or authenticated user to get more information than ' - 'normal, such as why authentication failed. This may ' - 'be useful for debugging but is insecure.'), - cfg.StrOpt('default_publisher_id', - help='Default publisher_id for outgoing notifications'), - cfg.StrOpt('notification_format', default='basic', - choices=['basic', 'cadf'], - help='Define the notification format for Identity Service ' - 'events. A "basic" notification has information about ' - 'the resource being operated on. 
A "cadf" ' - 'notification has the same information, as well as ' - 'information about the initiator of the event.'), - cfg.MultiStrOpt('notification_opt_out', default=[], - help='Define the notification options to opt-out ' - 'from. The value expected is: ' - 'identity... This ' - 'field can be set multiple times in order to add ' - 'more notifications to opt-out from. For example:' - '\n notification_opt_out=identity.user.created' - '\n notification_opt_out=identity.authenticate.' - 'success'), - ], - 'identity': [ - cfg.StrOpt('default_domain_id', default='default', - help='This references the domain to use for all ' - 'Identity API v2 requests (which are not aware of ' - 'domains). A domain with this ID will be created ' - 'for you by keystone-manage db_sync in migration ' - '008. The domain referenced by this ID cannot be ' - 'deleted on the v3 API, to prevent accidentally ' - 'breaking the v2 API. There is nothing special about ' - 'this domain, other than the fact that it must ' - 'exist to order to maintain support for your v2 ' - 'clients.'), - cfg.BoolOpt('domain_specific_drivers_enabled', - default=False, - help='A subset (or all) of domains can have their own ' - 'identity driver, each with their own partial ' - 'configuration options, stored in either the ' - 'resource backend or in a file in a domain ' - 'configuration directory (depending on the setting ' - 'of domain_configurations_from_database). Only ' - 'values specific to the domain need to be specified ' - 'in this manner. This feature is disabled by ' - 'default; set to true to enable.'), - cfg.BoolOpt('domain_configurations_from_database', - default=False, - help='Extract the domain specific configuration options ' - 'from the resource backend where they have been ' - 'stored with the domain data. 
This feature is ' - 'disabled by default (in which case the domain ' - 'specific options will be loaded from files in the ' - 'domain configuration directory); set to true to ' - 'enable.'), - cfg.StrOpt('domain_config_dir', - default='/etc/keystone/domains', - help='Path for Keystone to locate the domain specific ' - 'identity configuration files if ' - 'domain_specific_drivers_enabled is set to true.'), - cfg.StrOpt('driver', - default='sql', - help='Entrypoint for the identity backend driver in the ' - 'keystone.identity namespace. Supplied drivers are ' - 'ldap and sql.'), - cfg.BoolOpt('caching', default=True, - help='Toggle for identity caching. This has no ' - 'effect unless global caching is enabled.'), - cfg.IntOpt('cache_time', default=600, - help='Time to cache identity data (in seconds). This has ' - 'no effect unless global and identity caching are ' - 'enabled.'), - cfg.IntOpt('max_password_length', default=4096, - max=passlib.utils.MAX_PASSWORD_SIZE, - help='Maximum supported length for user passwords; ' - 'decrease to improve performance.'), - cfg.IntOpt('list_limit', - help='Maximum number of entities that will be returned in ' - 'an identity collection.'), - ], - 'identity_mapping': [ - cfg.StrOpt('driver', - default='sql', - help='Entrypoint for the identity mapping backend driver ' - 'in the keystone.identity.id_mapping namespace.'), - cfg.StrOpt('generator', - default='sha256', - help='Entrypoint for the public ID generator for user and ' - 'group entities in the keystone.identity.id_generator ' - 'namespace. The Keystone identity mapper only ' - 'supports generators that produce no more than 64 ' - 'characters.'), - cfg.BoolOpt('backward_compatible_ids', - default=True, - help='The format of user and group IDs changed ' - 'in Juno for backends that do not generate UUIDs ' - '(e.g. LDAP), with keystone providing a hash mapping ' - 'to the underlying attribute in LDAP. 
By default '
- 'this mapping is disabled, which ensures that '
- 'existing IDs will not change. Even when the '
- 'mapping is enabled by using domain specific '
- 'drivers, any users and groups from the default '
- 'domain being handled by LDAP will still not be '
- 'mapped to ensure their IDs remain backward '
- 'compatible. Setting this value to False will '
- 'enable the mapping for even the default LDAP '
- 'driver. It is only safe to do this if you do not '
- 'already have assignments for users and '
- 'groups from the default LDAP domain, and it is '
- 'acceptable for Keystone to provide the different '
- 'IDs to clients than it did previously. Typically '
- 'this means that the only time you can set this '
- 'value to False is when configuring a fresh '
- 'installation.'),
- ],
- 'shadow_users': [
- cfg.StrOpt('driver',
- default='sql',
- help='Entrypoint for the shadow users backend driver '
- 'in the keystone.identity.shadow_users namespace.'),
- ],
- 'trust': [
- cfg.BoolOpt('enabled', default=True,
- help='Delegation and impersonation features can be '
- 'optionally disabled.'),
- cfg.BoolOpt('allow_redelegation', default=False,
- help='Enable redelegation feature.'),
- cfg.IntOpt('max_redelegation_count', default=3,
- help='Maximum depth of trust redelegation.'),
- cfg.StrOpt('driver',
- default='sql',
- help='Entrypoint for the trust backend driver in the '
- 'keystone.trust namespace.')],
- 'os_inherit': [
- cfg.BoolOpt('enabled', default=True,
- deprecated_for_removal=True,
- deprecated_reason=_DEPRECATE_INHERIT_MSG,
- help='role-assignment inheritance to projects from '
- 'owning domain or from projects higher in the '
- 'hierarchy can be optionally disabled. 
In the '
- 'future, this option will be removed and the '
- 'hierarchy will be always enabled.'),
- ],
- 'fernet_tokens': [
- cfg.StrOpt('key_repository',
- default='/etc/keystone/fernet-keys/',
- help='Directory containing Fernet token keys.'),
- cfg.IntOpt('max_active_keys',
- default=3,
- help='This controls how many keys are held in rotation by '
- 'keystone-manage fernet_rotate before they are '
- 'discarded. The default value of 3 means that '
- 'keystone will maintain one staged key, one primary '
- 'key, and one secondary key. Increasing this value '
- 'means that additional secondary keys will be kept in '
- 'the rotation.'),
- ],
- 'token': [
- cfg.ListOpt('bind', default=[],
- help='External auth mechanisms that should add bind '
- 'information to token, e.g., kerberos,x509.'),
- cfg.StrOpt('enforce_token_bind', default='permissive',
- help='Enforcement policy on tokens presented to Keystone '
- 'with bind information. One of disabled, permissive, '
- 'strict, required or a specifically required bind '
- 'mode, e.g., kerberos or x509 to require binding to '
- 'that authentication.'),
- cfg.IntOpt('expiration', default=3600,
- help='Amount of time a token should remain valid '
- '(in seconds).'),
- cfg.StrOpt('provider',
- default='uuid',
- help='Controls the token construction, validation, and '
- 'revocation operations. Entrypoint in the '
- 'keystone.token.provider namespace. Core providers '
- 'are [fernet|pkiz|pki|uuid].'),
- cfg.StrOpt('driver',
- default='sql',
- help='Entrypoint for the token persistence backend driver '
- 'in the keystone.token.persistence namespace. '
- 'Supplied drivers are kvs, memcache, memcache_pool, '
- 'and sql.'),
- cfg.BoolOpt('caching', default=True,
- help='Toggle for token system caching. This has no '
- 'effect unless global caching is enabled.'),
- cfg.IntOpt('cache_time',
- help='Time to cache tokens (in seconds). 
This has no '
- 'effect unless global and token caching are '
- 'enabled.'),
- cfg.BoolOpt('revoke_by_id', default=True,
- help='Revoke token by token identifier. Setting '
- 'revoke_by_id to true enables various forms of '
- 'enumerating tokens, e.g. `list tokens for user`. '
- 'These enumerations are processed to determine the '
- 'list of tokens to revoke. Only disable if you are '
- 'switching to using the Revoke extension with a '
- 'backend other than KVS, which stores events in memory.'),
- cfg.BoolOpt('allow_rescope_scoped_token', default=True,
- help='Allow rescoping of scoped token. Setting '
- 'allow_rescoped_scoped_token to false prevents a user '
- 'from exchanging a scoped token for any other token.'),
- cfg.StrOpt('hash_algorithm', default='md5',
- deprecated_for_removal=True,
- deprecated_reason=_DEPRECATE_PKI_MSG,
- help='The hash algorithm to use for PKI tokens. This can '
- 'be set to any algorithm that hashlib supports. '
- 'WARNING: Before changing this value, the auth_token '
- 'middleware must be configured with the '
- 'hash_algorithms, otherwise token revocation will '
- 'not be processed correctly.'),
- cfg.BoolOpt('infer_roles', default=True,
- help='Add roles to token that are not explicitly added, '
- 'but that are linked implicitly to other roles.'),
- ],
- 'revoke': [
- cfg.StrOpt('driver',
- default='sql',
- help='Entrypoint for an implementation of the backend for '
- 'persisting revocation events in the keystone.revoke '
- 'namespace. Supplied drivers are kvs and sql.'),
- cfg.IntOpt('expiration_buffer', default=1800,
- help='This value (calculated in seconds) is added to token '
- 'expiration before a revocation event may be removed '
- 'from the backend.'),
- cfg.BoolOpt('caching', default=True,
- help='Toggle for revocation event caching. This has no '
- 'effect unless global caching is enabled.'),
- cfg.IntOpt('cache_time', default=3600,
- help='Time to cache the revocation list and the revocation '
- 'events (in seconds). 
This has no effect unless '
- 'global and token caching are enabled.',
- deprecated_opts=[cfg.DeprecatedOpt(
- 'revocation_cache_time', group='token')]),
- ],
- 'signing': [
- cfg.StrOpt('certfile',
- default=_CERTFILE,
- deprecated_for_removal=True,
- deprecated_reason=_DEPRECATE_PKI_MSG,
- help='Path of the certfile for token signing. For '
- 'non-production environments, you may be interested '
- 'in using `keystone-manage pki_setup` to generate '
- 'self-signed certificates.'),
- cfg.StrOpt('keyfile',
- default=_KEYFILE,
- deprecated_for_removal=True,
- deprecated_reason=_DEPRECATE_PKI_MSG,
- help='Path of the keyfile for token signing.'),
- cfg.StrOpt('ca_certs',
- deprecated_for_removal=True,
- deprecated_reason=_DEPRECATE_PKI_MSG,
- default='/etc/keystone/ssl/certs/ca.pem',
- help='Path of the CA for token signing.'),
- cfg.StrOpt('ca_key',
- default='/etc/keystone/ssl/private/cakey.pem',
- deprecated_for_removal=True,
- deprecated_reason=_DEPRECATE_PKI_MSG,
- help='Path of the CA key for token signing.'),
- cfg.IntOpt('key_size', default=2048, min=1024,
- deprecated_for_removal=True,
- deprecated_reason=_DEPRECATE_PKI_MSG,
- help='Key size (in bits) for token signing cert '
- '(auto generated certificate).'),
- cfg.IntOpt('valid_days', default=3650,
- deprecated_for_removal=True,
- deprecated_reason=_DEPRECATE_PKI_MSG,
- help='Days the token signing cert is valid for '
- '(auto generated certificate).'),
- cfg.StrOpt('cert_subject',
- deprecated_for_removal=True,
- deprecated_reason=_DEPRECATE_PKI_MSG,
- default=('/C=US/ST=Unset/L=Unset/O=Unset/'
- 'CN=www.example.com'),
- help='Certificate subject (auto generated certificate) for '
- 'token signing.'),
- ],
- 'assignment': [
- cfg.StrOpt('driver',
- help='Entrypoint for the assignment backend driver in the '
- 'keystone.assignment namespace. Only an SQL driver is '
- 'supplied. 
If an assignment driver is not '
- 'specified, the identity driver will choose the '
- 'assignment driver (driver selection based on '
- '`[identity]/driver` option is deprecated and will be '
- 'removed in the "O" release).'),
- cfg.ListOpt('prohibited_implied_role', default=['admin'],
- help='A list of role names which are prohibited from '
- 'being an implied role.'),
- ],
- 'resource': [
- cfg.StrOpt('driver',
- help='Entrypoint for the resource backend driver in the '
- 'keystone.resource namespace. Only an SQL driver is '
- 'supplied. If a resource driver is not specified, '
- 'the assignment driver will choose the resource '
- 'driver.'),
- cfg.BoolOpt('caching', default=True,
- deprecated_opts=[cfg.DeprecatedOpt('caching',
- group='assignment')],
- help='Toggle for resource caching. This has no effect '
- 'unless global caching is enabled.'),
- cfg.IntOpt('cache_time',
- deprecated_opts=[cfg.DeprecatedOpt('cache_time',
- group='assignment')],
- help='TTL (in seconds) to cache resource data. This has '
- 'no effect unless global caching is enabled.'),
- cfg.IntOpt('list_limit',
- deprecated_opts=[cfg.DeprecatedOpt('list_limit',
- group='assignment')],
- help='Maximum number of entities that will be returned '
- 'in a resource collection.'),
- cfg.StrOpt('admin_project_domain_name',
- help='Name of the domain that owns the '
- '`admin_project_name`. Defaults to None.'),
- cfg.StrOpt('admin_project_name',
- help='Special project for performing administrative '
- 'operations on remote services. Tokens scoped to '
- 'this project will contain the key/value '
- '`is_admin_project=true`. Defaults to None.'),
- cfg.StrOpt('project_name_url_safe',
- choices=['off', 'new', 'strict'], default='off',
- help='Whether the names of projects are restricted from '
- 'containing url reserved characters. If set to new, '
- 'attempts to create or update a project with a url '
- 'unsafe name will return an error. 
In addition, if '
- 'set to strict, attempts to scope a token using '
- 'an unsafe project name will return an error.'),
- cfg.StrOpt('domain_name_url_safe',
- choices=['off', 'new', 'strict'], default='off',
- help='Whether the names of domains are restricted from '
- 'containing url reserved characters. If set to new, '
- 'attempts to create or update a domain with a url '
- 'unsafe name will return an error. In addition, if '
- 'set to strict, attempts to scope a token using a '
- 'domain name which is unsafe will return an error.'),
- ],
- 'domain_config': [
- cfg.StrOpt('driver',
- default='sql',
- help='Entrypoint for the domain config backend driver in '
- 'the keystone.resource.domain_config namespace.'),
- cfg.BoolOpt('caching', default=True,
- help='Toggle for domain config caching. This has no '
- 'effect unless global caching is enabled.'),
- cfg.IntOpt('cache_time', default=300,
- help='TTL (in seconds) to cache domain config data. This '
- 'has no effect unless domain config caching is '
- 'enabled.'),
- ],
- 'role': [
- # The role driver has no default for backward compatibility reasons.
- # If role driver is not specified, the assignment driver chooses
- # the backend
- cfg.StrOpt('driver',
- help='Entrypoint for the role backend driver in the '
- 'keystone.role namespace. Only an SQL driver is '
- 'supplied'),
- cfg.BoolOpt('caching', default=True,
- help='Toggle for role caching. This has no effect '
- 'unless global caching is enabled.'),
- cfg.IntOpt('cache_time',
- help='TTL (in seconds) to cache role data. 
This has '
- 'no effect unless global caching is enabled.'),
- cfg.IntOpt('list_limit',
- help='Maximum number of entities that will be returned '
- 'in a role collection.'),
- ],
- 'credential': [
- cfg.StrOpt('driver',
- default='sql',
- help='Entrypoint for the credential backend driver in the '
- 'keystone.credential namespace.'),
- ],
- 'oauth1': [
- cfg.StrOpt('driver',
- default='sql',
- help='Entrypoint for the OAuth backend driver in the '
- 'keystone.oauth1 namespace.'),
- cfg.IntOpt('request_token_duration', default=28800,
- help='Duration (in seconds) for the OAuth Request Token.'),
- cfg.IntOpt('access_token_duration', default=86400,
- help='Duration (in seconds) for the OAuth Access Token.'),
- ],
- 'federation': [
- cfg.StrOpt('driver',
- default='sql',
- help='Entrypoint for the federation backend driver in the '
- 'keystone.federation namespace.'),
- cfg.StrOpt('assertion_prefix', default='',
- help='Value to be used when filtering assertion parameters '
- 'from the environment.'),
- cfg.StrOpt('remote_id_attribute',
- help='Value to be used to obtain the entity ID of the '
- 'Identity Provider from the environment (e.g. if '
- 'using the mod_shib plugin this value is '
- '`Shib-Identity-Provider`).'),
- cfg.StrOpt('federated_domain_name', default='Federated',
- help='A domain name that is reserved to allow federated '
- 'ephemeral users to have a domain concept. Note that '
- 'an admin will not be able to create a domain with '
- 'this name or update an existing domain to this '
- 'name. You are not advised to change this value '
- 'unless you really have to.'),
- cfg.MultiStrOpt('trusted_dashboard', default=[],
- help='A list of trusted dashboard hosts. Before '
- 'accepting a Single Sign-On request to return a '
- 'token, the origin host must be a member of the '
- 'trusted_dashboard list. This configuration '
- 'option may be repeated for multiple values. 
'
- 'For example: '
- 'trusted_dashboard=http://acme.com/auth/websso '
- 'trusted_dashboard=http://beta.com/auth/websso'),
- cfg.StrOpt('sso_callback_template', default=_SSO_CALLBACK,
- help='Location of Single Sign-On callback handler, will '
- 'return a token to a trusted dashboard host.'),
- cfg.BoolOpt('caching', default=True,
- help='Toggle for federation caching. This has no effect '
- 'unless global caching is enabled.'),
- ],
- 'policy': [
- cfg.StrOpt('driver',
- default='sql',
- help='Entrypoint for the policy backend driver in the '
- 'keystone.policy namespace. Supplied drivers are '
- 'rules and sql.'),
- cfg.IntOpt('list_limit',
- help='Maximum number of entities that will be returned '
- 'in a policy collection.'),
- ],
- 'endpoint_filter': [
- cfg.StrOpt('driver',
- default='sql',
- help='Entrypoint for the endpoint filter backend driver in '
- 'the keystone.endpoint_filter namespace.'),
- cfg.BoolOpt('return_all_endpoints_if_no_filter', default=True,
- help='Toggle to return all active endpoints if no filter '
- 'exists.'),
- ],
- 'endpoint_policy': [
- cfg.BoolOpt('enabled',
- default=True,
- deprecated_for_removal=True,
- deprecated_reason=_DEPRECATE_EP_MSG,
- help='Enable endpoint_policy functionality.'),
- cfg.StrOpt('driver',
- default='sql',
- help='Entrypoint for the endpoint policy backend driver in '
- 'the keystone.endpoint_policy namespace.'),
- ],
- 'ldap': [
- cfg.StrOpt('url', default='ldap://localhost',
- help='URL(s) for connecting to the LDAP server. Multiple '
- 'LDAP URLs may be specified as a comma separated '
- 'string. 
The first URL to successfully bind is used '
- 'for the connection.'),
- cfg.StrOpt('user',
- help='User BindDN to query the LDAP server.'),
- cfg.StrOpt('password', secret=True,
- help='Password for the BindDN to query the LDAP server.'),
- cfg.StrOpt('suffix', default='cn=example,cn=com',
- help='LDAP server suffix'),
- cfg.BoolOpt('use_dumb_member', default=False,
- help='If true, will add a dummy member to groups. This is '
- 'required if the objectclass for groups requires the '
- '"member" attribute.'),
- cfg.StrOpt('dumb_member', default='cn=dumb,dc=nonexistent',
- help='DN of the "dummy member" to use when '
- '"use_dumb_member" is enabled.'),
- cfg.BoolOpt('allow_subtree_delete', default=False,
- help='Delete subtrees using the subtree delete control. '
- 'Only enable this option if your LDAP server '
- 'supports subtree deletion.'),
- cfg.StrOpt('query_scope', default='one',
- choices=['one', 'sub'],
- help='The LDAP scope for queries, "one" represents '
- 'oneLevel/singleLevel and "sub" represents '
- 'subtree/wholeSubtree options.'),
- cfg.IntOpt('page_size', default=0,
- help='Maximum results per page; a value of zero ("0") '
- 'disables paging.'),
- cfg.StrOpt('alias_dereferencing', default='default',
- choices=['never', 'searching', 'always', 'finding',
- 'default'],
- help='The LDAP dereferencing option for queries. The '
- '"default" option falls back to using default '
- 'dereferencing configured by your ldap.conf.'),
- cfg.IntOpt('debug_level',
- help='Sets the LDAP debugging level for LDAP calls. '
- 'A value of 0 means that debugging is not enabled. '
- 'This value is a bitmask, consult your LDAP '
- 'documentation for possible values.'),
- cfg.BoolOpt('chase_referrals',
- help='Override the system\'s default referral chasing '
- 'behavior for queries.'),
- cfg.StrOpt('user_tree_dn',
- help='Search base for users. 
'
- 'Defaults to the suffix value.'),
- cfg.StrOpt('user_filter',
- help='LDAP search filter for users.'),
- cfg.StrOpt('user_objectclass', default='inetOrgPerson',
- help='LDAP objectclass for users.'),
- cfg.StrOpt('user_id_attribute', default='cn',
- help='LDAP attribute mapped to user id. '
- 'WARNING: must not be a multivalued attribute.'),
- cfg.StrOpt('user_name_attribute', default='sn',
- help='LDAP attribute mapped to user name.'),
- cfg.StrOpt('user_description_attribute', default='description',
- help='LDAP attribute mapped to user description.'),
- cfg.StrOpt('user_mail_attribute', default='mail',
- help='LDAP attribute mapped to user email.'),
- cfg.StrOpt('user_pass_attribute', default='userPassword',
- help='LDAP attribute mapped to password.'),
- cfg.StrOpt('user_enabled_attribute', default='enabled',
- help='LDAP attribute mapped to user enabled flag.'),
- cfg.BoolOpt('user_enabled_invert', default=False,
- help='Invert the meaning of the boolean enabled values. '
- 'Some LDAP servers use a boolean lock attribute '
- 'where "true" means an account is disabled. Setting '
- '"user_enabled_invert = true" will allow these lock '
- 'attributes to be used. This setting will have no '
- 'effect if "user_enabled_mask" or '
- '"user_enabled_emulation" settings are in use.'),
- cfg.IntOpt('user_enabled_mask', default=0,
- help='Bitmask integer to indicate the bit that the enabled '
- 'value is stored in if the LDAP server represents '
- '"enabled" as a bit on an integer rather than a '
- 'boolean. A value of "0" indicates the mask is not '
- 'used. If this is not set to "0" the typical value '
- 'is "2". This is typically used when '
- '"user_enabled_attribute = userAccountControl".'),
- cfg.StrOpt('user_enabled_default', default='True',
- help='Default value to enable users. This should match an '
- 'appropriate int value if the LDAP server uses '
- 'non-boolean (bitmask) values to indicate if a user '
- 'is enabled or disabled. 
If this is not set to "True" '
- 'the typical value is "512". This is typically used '
- 'when "user_enabled_attribute = userAccountControl".'),
- cfg.ListOpt('user_attribute_ignore',
- default=['default_project_id'],
- help='List of attributes stripped off the user on '
- 'update.'),
- cfg.StrOpt('user_default_project_id_attribute',
- help='LDAP attribute mapped to default_project_id for '
- 'users.'),
- cfg.BoolOpt('user_allow_create', default=True,
- deprecated_for_removal=True,
- deprecated_reason="Write support for Identity LDAP "
- "backends has been deprecated in the M "
- "release and will be removed in the O "
- "release.",
- help='Allow user creation in LDAP backend.'),
- cfg.BoolOpt('user_allow_update', default=True,
- deprecated_for_removal=True,
- deprecated_reason="Write support for Identity LDAP "
- "backends has been deprecated in the M "
- "release and will be removed in the O "
- "release.",
- help='Allow user updates in LDAP backend.'),
- cfg.BoolOpt('user_allow_delete', default=True,
- deprecated_for_removal=True,
- deprecated_reason="Write support for Identity LDAP "
- "backends has been deprecated in the M "
- "release and will be removed in the O "
- "release.",
- help='Allow user deletion in LDAP backend.'),
- cfg.BoolOpt('user_enabled_emulation', default=False,
- help='If true, Keystone uses an alternative method to '
- 'determine if a user is enabled or not by checking '
- 'if they are a member of the '
- '"user_enabled_emulation_dn" group.'),
- cfg.StrOpt('user_enabled_emulation_dn',
- help='DN of the group entry to hold enabled users when '
- 'using enabled emulation.'),
- cfg.BoolOpt('user_enabled_emulation_use_group_config', default=False,
- help='Use the "group_member_attribute" and '
- '"group_objectclass" settings to determine '
- 'membership in the emulated enabled group.'),
- cfg.ListOpt('user_additional_attribute_mapping',
- default=[],
- help='List of additional LDAP attributes used for mapping '
- 'additional attribute mappings 
for users. Attribute '
- 'mapping format is :, where '
- 'ldap_attr is the attribute in the LDAP entry and '
- 'user_attr is the Identity API attribute.'),
- cfg.StrOpt('group_tree_dn',
- help='Search base for groups. '
- 'Defaults to the suffix value.'),
- cfg.StrOpt('group_filter',
- help='LDAP search filter for groups.'),
- cfg.StrOpt('group_objectclass', default='groupOfNames',
- help='LDAP objectclass for groups.'),
- cfg.StrOpt('group_id_attribute', default='cn',
- help='LDAP attribute mapped to group id.'),
- cfg.StrOpt('group_name_attribute', default='ou',
- help='LDAP attribute mapped to group name.'),
- cfg.StrOpt('group_member_attribute', default='member',
- help='LDAP attribute mapped to show group membership.'),
- cfg.StrOpt('group_desc_attribute', default='description',
- help='LDAP attribute mapped to group description.'),
- cfg.ListOpt('group_attribute_ignore', default=[],
- help='List of attributes stripped off the group on '
- 'update.'),
- cfg.BoolOpt('group_allow_create', default=True,
- deprecated_for_removal=True,
- deprecated_reason="Write support for Identity LDAP "
- "backends has been deprecated in the M "
- "release and will be removed in the O "
- "release.",
- help='Allow group creation in LDAP backend.'),
- cfg.BoolOpt('group_allow_update', default=True,
- deprecated_for_removal=True,
- deprecated_reason="Write support for Identity LDAP "
- "backends has been deprecated in the M "
- "release and will be removed in the O "
- "release.",
- help='Allow group update in LDAP backend.'),
- cfg.BoolOpt('group_allow_delete', default=True,
- deprecated_for_removal=True,
- deprecated_reason="Write support for Identity LDAP "
- "backends has been deprecated in the M "
- "release and will be removed in the O "
- "release.",
- help='Allow group deletion in LDAP backend.'),
- cfg.ListOpt('group_additional_attribute_mapping',
- default=[],
- help='Additional attribute mappings for groups. 
Attribute '
- 'mapping format is :, where '
- 'ldap_attr is the attribute in the LDAP entry and '
- 'user_attr is the Identity API attribute.'),
-
- cfg.StrOpt('tls_cacertfile',
- help='CA certificate file path for communicating with '
- 'LDAP servers.'),
- cfg.StrOpt('tls_cacertdir',
- help='CA certificate directory path for communicating with '
- 'LDAP servers.'),
- cfg.BoolOpt('use_tls', default=False,
- help='Enable TLS for communicating with LDAP servers.'),
- cfg.StrOpt('tls_req_cert', default='demand',
- choices=['demand', 'never', 'allow'],
- help='Specifies what checks to perform on client '
- 'certificates in an incoming TLS session.'),
- cfg.BoolOpt('use_pool', default=True,
- help='Enable LDAP connection pooling.'),
- cfg.IntOpt('pool_size', default=10,
- help='Connection pool size.'),
- cfg.IntOpt('pool_retry_max', default=3,
- help='Maximum count of reconnect trials.'),
- cfg.FloatOpt('pool_retry_delay', default=0.1,
- help='Time span in seconds to wait between two '
- 'reconnect trials.'),
- cfg.IntOpt('pool_connection_timeout', default=-1,
- help='Connector timeout in seconds. Value -1 indicates '
- 'indefinite wait for response.'),
- cfg.IntOpt('pool_connection_lifetime', default=600,
- help='Connection lifetime in seconds.'),
- cfg.BoolOpt('use_auth_pool', default=True,
- help='Enable LDAP connection pooling for end user '
- 'authentication. If use_pool is disabled, then this '
- 'setting is meaningless and is not used at all.'),
- cfg.IntOpt('auth_pool_size', default=100,
- help='End user auth connection pool size.'),
- cfg.IntOpt('auth_pool_connection_lifetime', default=60,
- help='End user auth connection lifetime in seconds.'),
- cfg.BoolOpt('group_members_are_ids', default=False,
- help='If the members of the group objectclass are user '
- 'IDs rather than DNs, set this to true. 
This is the '
- 'case when using posixGroup as the group '
- 'objectclass and OpenDirectory.'),
- ],
- 'auth': [
- cfg.ListOpt('methods', default=_DEFAULT_AUTH_METHODS,
- help='Allowed authentication methods.'),
- cfg.StrOpt('password', # nosec : This is the name of the plugin, not
- # a password that needs to be protected.
- help='Entrypoint for the password auth plugin module in '
- 'the keystone.auth.password namespace.'),
- cfg.StrOpt('token',
- help='Entrypoint for the token auth plugin module in the '
- 'keystone.auth.token namespace.'),
- # deals with REMOTE_USER authentication
- cfg.StrOpt('external',
- help='Entrypoint for the external (REMOTE_USER) auth '
- 'plugin module in the keystone.auth.external '
- 'namespace. Supplied drivers are DefaultDomain and '
- 'Domain. The default driver is DefaultDomain.'),
- cfg.StrOpt('oauth1',
- help='Entrypoint for the oAuth1.0 auth plugin module in '
- 'the keystone.auth.oauth1 namespace.'),
- ],
- 'tokenless_auth': [
- cfg.MultiStrOpt('trusted_issuer', default=[],
- help='The list of trusted issuers to further filter '
- 'the certificates that are allowed to '
- 'participate in the X.509 tokenless '
- 'authorization. If the option is absent then '
- 'no certificates will be allowed. '
- 'The naming format for the attributes of a '
- 'Distinguished Name(DN) must be separated by a '
- 'comma and contain no spaces. This configuration '
- 'option may be repeated for multiple values. '
- 'For example: '
- 'trusted_issuer=CN=john,OU=keystone,O=openstack '
- 'trusted_issuer=CN=mary,OU=eng,O=abc'),
- cfg.StrOpt('protocol', default='x509',
- help='The protocol name for the X.509 tokenless '
- 'authorization along with the option issuer_attribute '
- 'below can look up its corresponding mapping.'),
- cfg.StrOpt('issuer_attribute', default='SSL_CLIENT_I_DN',
- help='The issuer attribute that is served as an IdP ID '
- 'for the X.509 tokenless authorization along with '
- 'the protocol to look up its corresponding mapping. 
'
- 'It is the environment variable in the WSGI '
- 'environment that references to the issuer of the '
- 'client certificate.'),
- ],
- 'paste_deploy': [
- cfg.StrOpt('config_file', default='keystone-paste.ini',
- help='Name of the paste configuration file that defines '
- 'the available pipelines.'),
- ],
- 'memcache': [
- cfg.ListOpt('servers', default=['localhost:11211'],
- help='Memcache servers in the format of "host:port".'),
- cfg.IntOpt('dead_retry',
- default=5 * 60,
- help='Number of seconds memcached server is considered dead'
- ' before it is tried again. This is used by the key '
- 'value store system (e.g. token '
- 'pooled memcached persistence backend).'),
- cfg.IntOpt('socket_timeout',
- default=3,
- help='Timeout in seconds for every call to a server. This '
- 'is used by the key value store system (e.g. token '
- 'pooled memcached persistence backend).'),
- cfg.IntOpt('pool_maxsize',
- default=10,
- help='Max total number of open connections to every'
- ' memcached server. This is used by the key value '
- 'store system (e.g. token pooled memcached '
- 'persistence backend).'),
- cfg.IntOpt('pool_unused_timeout',
- default=60,
- help='Number of seconds a connection to memcached is held'
- ' unused in the pool before it is closed. This is used'
- ' by the key value store system (e.g. token pooled '
- 'memcached persistence backend).'),
- cfg.IntOpt('pool_connection_get_timeout',
- default=10,
- help='Number of seconds that an operation will wait to get '
- 'a memcache client connection. This is used by the '
- 'key value store system (e.g. token pooled memcached '
- 'persistence backend).'),
- ],
- 'catalog': [
- cfg.StrOpt('template_file',
- default='default_catalog.templates',
- help='Catalog template file name for use with the '
- 'template catalog backend.'),
- cfg.StrOpt('driver',
- default='sql',
- help='Entrypoint for the catalog backend driver in the '
- 'keystone.catalog namespace. 
Supplied drivers are '
- 'kvs, sql, templated, and endpoint_filter.sql'),
- cfg.BoolOpt('caching', default=True,
- help='Toggle for catalog caching. This has no '
- 'effect unless global caching is enabled.'),
- cfg.IntOpt('cache_time',
- help='Time to cache catalog data (in seconds). This has no '
- 'effect unless global and catalog caching are '
- 'enabled.'),
- cfg.IntOpt('list_limit',
- help='Maximum number of entities that will be returned '
- 'in a catalog collection.'),
- ],
- 'kvs': [
- cfg.ListOpt('backends', default=[],
- help='Extra dogpile.cache backend modules to register '
- 'with the dogpile.cache library.'),
- cfg.StrOpt('config_prefix', default='keystone.kvs',
- help='Prefix for building the configuration dictionary '
- 'for the KVS region. This should not need to be '
- 'changed unless there is another dogpile.cache '
- 'region with the same configuration name.'),
- cfg.BoolOpt('enable_key_mangler', default=True,
- help='Toggle to disable using a key-mangling function '
- 'to ensure fixed length keys. This is toggle-able '
- 'for debugging purposes, it is highly recommended '
- 'to always leave this set to true.'),
- cfg.IntOpt('default_lock_timeout', default=5,
- help='Default lock timeout (in seconds) for distributed '
- 'locking.'),
- ],
- 'saml': [
- cfg.IntOpt('assertion_expiration_time', default=3600,
- help='Default TTL, in seconds, for any generated SAML '
- 'assertion created by Keystone.'),
- cfg.StrOpt('xmlsec1_binary',
- default='xmlsec1',
- help='Binary to be called for XML signing. Install the '
- 'appropriate package, specify absolute path or adjust '
- 'your PATH environment variable if the binary cannot '
- 'be found.'),
- cfg.StrOpt('certfile',
- default=_CERTFILE,
- help='Path of the certfile for SAML signing. For '
- 'non-production environments, you may be interested '
- 'in using `keystone-manage pki_setup` to generate '
- 'self-signed certificates. 
Note, the path cannot '
- 'contain a comma.'),
- cfg.StrOpt('keyfile',
- default=_KEYFILE,
- help='Path of the keyfile for SAML signing. Note, the path '
- 'cannot contain a comma.'),
- cfg.StrOpt('idp_entity_id',
- help='Entity ID value for unique Identity Provider '
- 'identification. Usually FQDN is set with a suffix. '
- 'A value is required to generate IDP Metadata. '
- 'For example: https://keystone.example.com/v3/'
- 'OS-FEDERATION/saml2/idp'),
- cfg.StrOpt('idp_sso_endpoint',
- help='Identity Provider Single-Sign-On service value, '
- 'required in the Identity Provider\'s metadata. '
- 'A value is required to generate IDP Metadata. '
- 'For example: https://keystone.example.com/v3/'
- 'OS-FEDERATION/saml2/sso'),
- cfg.StrOpt('idp_lang', default='en',
- help='Language used by the organization.'),
- cfg.StrOpt('idp_organization_name',
- help='Organization name the installation belongs to.'),
- cfg.StrOpt('idp_organization_display_name',
- help='Organization name to be displayed.'),
- cfg.StrOpt('idp_organization_url',
- help='URL of the organization.'),
- cfg.StrOpt('idp_contact_company',
- help='Company of contact person.'),
- cfg.StrOpt('idp_contact_name',
- help='Given name of contact person'),
- cfg.StrOpt('idp_contact_surname',
- help='Surname of contact person.'),
- cfg.StrOpt('idp_contact_email',
- help='Email address of contact person.'),
- cfg.StrOpt('idp_contact_telephone',
- help='Telephone number of contact person.'),
- cfg.StrOpt('idp_contact_type', default='other',
- choices=['technical', 'support', 'administrative',
- 'billing', 'other'],
- help='The contact type describing the main point of '
- 'contact for the identity provider.'),
- cfg.StrOpt('idp_metadata_path',
- default='/etc/keystone/saml2_idp_metadata.xml',
- help='Path to the Identity Provider Metadata file. 
'
- 'This file should be generated with the '
- 'keystone-manage saml_idp_metadata command.'),
- cfg.StrOpt('relay_state_prefix',
- default='ss:mem:',
- help='The prefix to use for the RelayState SAML '
- 'attribute, used when generating ECP wrapped '
- 'assertions.'),
- ],
- 'eventlet_server': [
- cfg.StrOpt('public_bind_host',
- default='0.0.0.0', # nosec : Bind to all interfaces by
- # default for backwards compatibility.
- deprecated_opts=[cfg.DeprecatedOpt('bind_host',
- group='DEFAULT'),
- cfg.DeprecatedOpt('public_bind_host',
- group='DEFAULT'), ],
- deprecated_for_removal=True,
- deprecated_reason=_DEPRECATE_EVENTLET_MSG,
- help='The IP address of the network interface for the '
- 'public service to listen on.'),
- cfg.PortOpt('public_port', default=5000,
- deprecated_name='public_port',
- deprecated_group='DEFAULT',
- deprecated_for_removal=True,
- deprecated_reason=_DEPRECATE_EVENTLET_MSG,
- help='The port number which the public service listens '
- 'on.'),
- cfg.StrOpt('admin_bind_host',
- default='0.0.0.0', # nosec : Bind to all interfaces by
- # default for backwards compatibility.
- deprecated_opts=[cfg.DeprecatedOpt('bind_host',
- group='DEFAULT'),
- cfg.DeprecatedOpt('admin_bind_host',
- group='DEFAULT')],
- deprecated_for_removal=True,
- deprecated_reason=_DEPRECATE_EVENTLET_MSG,
- help='The IP address of the network interface for the '
- 'admin service to listen on.'),
- cfg.PortOpt('admin_port', default=35357,
- deprecated_name='admin_port',
- deprecated_group='DEFAULT',
- deprecated_for_removal=True,
- deprecated_reason=_DEPRECATE_EVENTLET_MSG,
- help='The port number which the admin service listens '
- 'on.'),
- ],
- 'security_compliance': [
- cfg.IntOpt('disable_user_account_days_inactive',
- default=0,
- help='Number of days for which a user can be inactive '
- 'before the account becomes disabled. 
Setting the ' - 'value to 0 disables this feature.'), - cfg.IntOpt('lockout_failure_attempts', - default=0, - help='Number of times a user can fail login attempts until ' - 'the user account is locked. Setting the value to 0 ' - 'disables this feature.'), - cfg.IntOpt('lockout_duration', - default=1800, - help='Number of seconds a user account will be locked.'), - cfg.IntOpt('password_expires_days', - default=0, - help='Number of days for which a password will be ' - 'considered valid before requiring the user to ' - 'change it. Setting the value to 0 disables this ' - 'feature. Note: this feature is only supported ' - 'via the SQL backend driver for identity.'), - cfg.IntOpt('unique_last_password_count', - default=0, - help='Number of latest password iterations for which the ' - 'password must be unique. Setting the value to 0 ' - 'disables this feature. Note: this feature is only ' - 'supported via the SQL backend driver for identity.'), - cfg.IntOpt('password_change_limit_per_day', - default=0, - help='Maximum number of times a user can change their ' - 'password in a day. Setting the value to 0 disables ' - 'this feature.'), - cfg.StrOpt('password_regex', - default=None, - help='Regular expression used to validate password ' - 'strength requirements. Setting the value to ' - 'None disables this feature. 
The following ' - 'is an example of a pattern which requires ' - 'at least 1 letter, 1 digit, and have a minimum ' - 'length of 7 characters: ' - '^(?=.*\d)(?=.*[a-zA-Z]).{7,}$') - ] -} - - -CONF = cfg.CONF -oslo_messaging.set_transport_defaults(control_exchange='keystone') - - -def _register_auth_plugin_opt(conf, option): - conf.register_opt(option, group='auth') - - -def setup_authentication(conf=None): - # register any non-default auth methods here (used by extensions, etc) - if conf is None: - conf = CONF - for method_name in conf.auth.methods: - if method_name not in _DEFAULT_AUTH_METHODS: - option = cfg.StrOpt(method_name) - _register_auth_plugin_opt(conf, option) - - -def set_default_for_default_log_levels(): - """Set the default for the default_log_levels option for keystone. - - Keystone uses some packages that other OpenStack services don't use that do - logging. This will set the default_log_levels default level for those - packages. - - This function needs to be called before CONF(). - - """ - extra_log_level_defaults = [ - 'dogpile=INFO', - 'routes=INFO', - ] - - log.register_options(CONF) - log.set_defaults(default_log_levels=log.get_default_log_levels() + - extra_log_level_defaults) - - -def setup_logging(): - """Set up logging for the keystone package.""" - log.setup(CONF, 'keystone') - logging.captureWarnings(True) - - -def find_paste_config(): - """Find Keystone's paste.deploy configuration file. - - Keystone's paste.deploy configuration file is specified in the - ``[paste_deploy]`` section of the main Keystone configuration file, - ``keystone.conf``. 
- - For example:: - - [paste_deploy] - config_file = keystone-paste.ini - - :returns: The selected configuration filename - :raises: exception.ConfigFileNotFound - - """ - if CONF.paste_deploy.config_file: - paste_config = CONF.paste_deploy.config_file - paste_config_value = paste_config - if not os.path.isabs(paste_config): - paste_config = CONF.find_file(paste_config) - elif CONF.config_file: - paste_config = CONF.config_file[0] - paste_config_value = paste_config - else: - # this provides backwards compatibility for keystone.conf files that - # still have the entire paste configuration included, rather than just - # a [paste_deploy] configuration section referring to an external file - paste_config = CONF.find_file('keystone.conf') - paste_config_value = 'keystone.conf' - if not paste_config or not os.path.exists(paste_config): - raise exception.ConfigFileNotFound(config_file=paste_config_value) - return paste_config - - -def configure(conf=None): - if conf is None: - conf = CONF - - conf.register_cli_opt( - cfg.BoolOpt('standard-threads', default=False, - help='Do not monkey-patch threading system modules.')) - conf.register_cli_opt( - cfg.StrOpt('pydev-debug-host', - help='Host to connect to for remote debugger.')) - conf.register_cli_opt( - cfg.PortOpt('pydev-debug-port', - help='Port to connect to for remote debugger.')) - - for section in FILE_OPTIONS: - for option in FILE_OPTIONS[section]: - if section: - conf.register_opt(option, group=section) - else: - conf.register_opt(option) - - # register any non-default auth methods here (used by extensions, etc) - setup_authentication(conf) - # add oslo.cache related config options - cache.configure(conf) - - -def list_opts(): - """Return a list of oslo_config options available in Keystone. - - The returned list includes all oslo_config options which are registered as - the "FILE_OPTIONS" in keystone.common.config. 
This list will not include - the options from the oslo-incubator library or any options registered - dynamically at run time. - - Each object in the list is a two element tuple. The first element of - each tuple is the name of the group under which the list of options in the - second element will be registered. A group name of None corresponds to the - [DEFAULT] group in config files. - - This function is also discoverable via the 'oslo_config.opts' entry point - under the 'keystone.config.opts' namespace. - - The purpose of this is to allow tools like the Oslo sample config file - generator to discover the options exposed to users by this library. - - :returns: a list of (group_name, opts) tuples - """ - return list(FILE_OPTIONS.items()) - - -def set_external_opts_defaults(): - """Update default configuration options for oslo.middleware.""" - # CORS Defaults - # TODO(krotscheck): Update with https://review.openstack.org/#/c/285368/ - cfg.set_defaults(cors.CORS_OPTS, - allow_headers=['X-Auth-Token', - 'X-Openstack-Request-Id', - 'X-Subject-Token', - 'X-Project-Id', - 'X-Project-Name', - 'X-Project-Domain-Id', - 'X-Project-Domain-Name', - 'X-Domain-Id', - 'X-Domain-Name'], - expose_headers=['X-Auth-Token', - 'X-Openstack-Request-Id', - 'X-Subject-Token'], - allow_methods=['GET', - 'PUT', - 'POST', - 'DELETE', - 'PATCH'] - ) - - # configure OSprofiler options - profiler.set_defaults(CONF, enabled=False, trace_sqlalchemy=False) - - # Oslo.cache is always enabled by default for request-local caching - # TODO(morganfainberg): Fix this to not use internal interface when - # oslo.cache has proper interface to set defaults added. This is is - # just a bad way to do this. 
- opts = cache._opts.list_opts() - for opt_list in opts: - if opt_list[0] == 'cache': - for o in opt_list[1]: - if o.name == 'enabled': - o.default = True - - -def set_config_defaults(): - """Override all configuration default values for keystone.""" - set_default_for_default_log_levels() - set_external_opts_defaults() diff --git a/keystone/common/controller.py b/keystone/common/controller.py index 30ab75cff4..978f26d337 100644 --- a/keystone/common/controller.py +++ b/keystone/common/controller.py @@ -15,7 +15,6 @@ import functools import uuid -from oslo_config import cfg from oslo_log import log from oslo_log import versionutils from oslo_utils import strutils @@ -26,13 +25,14 @@ from keystone.common import dependency from keystone.common import driver_hints from keystone.common import utils from keystone.common import wsgi +import keystone.conf from keystone import exception from keystone.i18n import _, _LW from keystone.models import token_model LOG = log.getLogger(__name__) -CONF = cfg.CONF +CONF = keystone.conf.CONF def v2_deprecated(f): diff --git a/keystone/common/kvs/backends/memcached.py b/keystone/common/kvs/backends/memcached.py index a65cf8779f..3bb07cd4a2 100644 --- a/keystone/common/kvs/backends/memcached.py +++ b/keystone/common/kvs/backends/memcached.py @@ -20,14 +20,14 @@ import time from dogpile.cache import api from dogpile.cache.backends import memcached from oslo_cache.backends import memcache_pool -from oslo_config import cfg from six.moves import range +import keystone.conf from keystone import exception from keystone.i18n import _ -CONF = cfg.CONF +CONF = keystone.conf.CONF NO_VALUE = api.NO_VALUE random = _random.SystemRandom() diff --git a/keystone/common/kvs/core.py b/keystone/common/kvs/core.py index 98ee37332a..ea923e73fe 100644 --- a/keystone/common/kvs/core.py +++ b/keystone/common/kvs/core.py 
@@ -22,12 +22,12 @@ from dogpile.cache import proxy from dogpile.cache import region from dogpile.cache import util as dogpile_util from dogpile.core import nameregistry -from oslo_config import cfg from oslo_log import log from oslo_log import versionutils from oslo_utils import importutils from oslo_utils import reflection +import keystone.conf from keystone import exception from keystone.i18n import _ from keystone.i18n import _LI @@ -39,7 +39,7 @@ __all__ = ('KeyValueStore', 'KeyValueStoreLock', 'LockTimeout', BACKENDS_REGISTERED = False -CONF = cfg.CONF +CONF = keystone.conf.CONF KEY_VALUE_STORE_REGISTRY = weakref.WeakValueDictionary() LOCK_WINDOW = 1 LOG = log.getLogger(__name__) diff --git a/keystone/common/openssl.py b/keystone/common/openssl.py index edaab492ee..2407845145 100644 --- a/keystone/common/openssl.py +++ b/keystone/common/openssl.py @@ -16,14 +16,14 @@ import os import subprocess # nosec : see comments in the code below -from oslo_config import cfg from oslo_log import log from keystone.common import utils +import keystone.conf from keystone.i18n import _LI, _LE, _LW LOG = log.getLogger(__name__) -CONF = cfg.CONF +CONF = keystone.conf.CONF PUBLIC_DIR_PERMS = 0o755 # -rwxr-xr-x PRIVATE_DIR_PERMS = 0o750 # -rwxr-x--- diff --git a/keystone/common/profiler.py b/keystone/common/profiler.py index 625cc706c0..58a515e868 100644 --- a/keystone/common/profiler.py +++ b/keystone/common/profiler.py @@ -15,11 +15,11 @@ import oslo_messaging import osprofiler.notifier import osprofiler.web -from keystone.common import config +import keystone.conf from keystone.i18n import _LI -CONF = config.CONF +CONF = keystone.conf.CONF LOG = log.getLogger(__name__) diff --git a/keystone/common/request.py b/keystone/common/request.py index b46914cfa7..f8dac41a59 100644 --- a/keystone/common/request.py +++ b/keystone/common/request.py 
@@ -10,10 +10,10 @@ # License for the specific language governing permissions and limitations # under the License. -from oslo_config import cfg import webob from webob.descriptors import environ_getter +import keystone.conf from keystone import exception from keystone.i18n import _ @@ -21,7 +21,7 @@ from keystone.i18n import _ # Environment variable used to pass the request context CONTEXT_ENV = 'openstack.context' -CONF = cfg.CONF +CONF = keystone.conf.CONF class Request(webob.Request): diff --git a/keystone/common/sql/core.py b/keystone/common/sql/core.py index b7c36203ea..f9cd5ac1e0 100644 --- a/keystone/common/sql/core.py +++ b/keystone/common/sql/core.py @@ -20,7 +20,6 @@ CONF() because it sets up configuration options. """ import functools -from oslo_config import cfg from oslo_db import exception as db_exception from oslo_db import options as db_options from oslo_db.sqlalchemy import enginefacade @@ -35,11 +34,12 @@ from sqlalchemy import types as sql_types from keystone.common import driver_hints from keystone.common import utils +import keystone.conf from keystone import exception from keystone.i18n import _ -CONF = cfg.CONF +CONF = keystone.conf.CONF LOG = log.getLogger(__name__) ModelBase = declarative.declarative_base() diff --git a/keystone/common/sql/migrate_repo/versions/082_add_federation_tables.py b/keystone/common/sql/migrate_repo/versions/082_add_federation_tables.py index 7e426373cb..f0b18048a5 100644 --- a/keystone/common/sql/migrate_repo/versions/082_add_federation_tables.py +++ b/keystone/common/sql/migrate_repo/versions/082_add_federation_tables.py @@ -12,12 +12,12 @@ # License for the specific language governing permissions and limitations # under the License. -from oslo_config import cfg import sqlalchemy as sql from keystone.common.sql import migration_helpers +import keystone.conf -CONF = cfg.CONF +CONF = keystone.conf.CONF _RELAY_STATE_PREFIX = 'relay_state_prefix' 
diff --git a/keystone/common/sql/migration_helpers.py b/keystone/common/sql/migration_helpers.py index c034910abe..7530c0aa31 100644 --- a/keystone/common/sql/migration_helpers.py +++ b/keystone/common/sql/migration_helpers.py @@ -19,19 +19,19 @@ import sys import migrate from migrate import exceptions -from oslo_config import cfg from oslo_db.sqlalchemy import migration from oslo_utils import importutils import six import sqlalchemy from keystone.common import sql +import keystone.conf from keystone import contrib from keystone import exception from keystone.i18n import _ -CONF = cfg.CONF +CONF = keystone.conf.CONF DEFAULT_EXTENSIONS = [] MIGRATED_EXTENSIONS = ['endpoint_policy', diff --git a/keystone/common/tokenless_auth.py b/keystone/common/tokenless_auth.py index fd9c1592a7..93552466ff 100644 --- a/keystone/common/tokenless_auth.py +++ b/keystone/common/tokenless_auth.py @@ -15,18 +15,18 @@ import hashlib -from oslo_config import cfg from oslo_log import log from keystone.auth import controllers from keystone.common import dependency +import keystone.conf from keystone import exception from keystone.federation import constants as federation_constants from keystone.federation import utils from keystone.i18n import _ -CONF = cfg.CONF +CONF = keystone.conf.CONF LOG = log.getLogger(__name__) diff --git a/keystone/common/utils.py b/keystone/common/utils.py index 09c49de5bd..8424ff1228 100644 --- a/keystone/common/utils.py +++ b/keystone/common/utils.py @@ -25,7 +25,6 @@ import os import pwd import uuid -from oslo_config import cfg from oslo_log import log from oslo_serialization import jsonutils from oslo_utils import reflection @@ -36,11 +35,12 @@ import six from six import moves from keystone.common import authorization +import keystone.conf from keystone import exception from keystone.i18n import _, _LE, _LW -CONF = cfg.CONF +CONF = keystone.conf.CONF LOG = log.getLogger(__name__) WHITELISTED_PROPERTIES = [ 'tenant_id', 'project_id', 'user_id', 
diff --git a/keystone/common/wsgi.py b/keystone/common/wsgi.py index 956c089de8..1187a2b399 100644 --- a/keystone/common/wsgi.py +++ b/keystone/common/wsgi.py @@ -24,7 +24,6 @@ import itertools import re import wsgiref.util -from oslo_config import cfg import oslo_i18n from oslo_log import log from oslo_serialization import jsonutils @@ -39,6 +38,7 @@ from keystone.common import dependency from keystone.common import json_home from keystone.common import request as request_mod from keystone.common import utils +import keystone.conf from keystone import exception from keystone.i18n import _ from keystone.i18n import _LI @@ -46,7 +46,7 @@ from keystone.i18n import _LW from keystone.models import token_model -CONF = cfg.CONF +CONF = keystone.conf.CONF LOG = log.getLogger(__name__) # Environment variable used to pass the request context diff --git a/keystone/conf/__init__.py b/keystone/conf/__init__.py new file mode 100644 index 0000000000..4743fbe7dc --- /dev/null +++ b/keystone/conf/__init__.py 
@@ -0,0 +1,189 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import logging + +from oslo_cache import core as cache +from oslo_config import cfg +from oslo_log import log +import oslo_messaging +from oslo_middleware import cors +from osprofiler import opts as profiler + +from keystone.conf import assignment +from keystone.conf import auth +from keystone.conf import base +from keystone.conf import catalog +from keystone.conf import credential +from keystone.conf import domain_config +from keystone.conf import endpoint_filter +from keystone.conf import endpoint_policy +from keystone.conf import eventlet_server +from keystone.conf import federation +from keystone.conf import fernet_tokens +from keystone.conf import identity +from keystone.conf import identity_mapping +from keystone.conf import kvs +from keystone.conf import ldap +from keystone.conf import memcache +from keystone.conf import oauth1 +from keystone.conf import os_inherit +from keystone.conf import paste_deploy +from keystone.conf import policy +from keystone.conf import resource +from keystone.conf import revoke +from keystone.conf import role +from keystone.conf import saml +from keystone.conf import shadow_users +from keystone.conf import signing +from keystone.conf import token +from keystone.conf import tokenless_auth +from keystone.conf import trust + + +CONF = cfg.CONF + + +conf_modules = [ + assignment, + auth, + base, + catalog, + credential, + domain_config, + endpoint_filter, + 
endpoint_policy, + eventlet_server, + federation, + fernet_tokens, + identity, + identity_mapping, + kvs, + ldap, + memcache, + oauth1, + os_inherit, + paste_deploy, + policy, + resource, + revoke, + role, + saml, + shadow_users, + signing, + token, + tokenless_auth, + trust, +] + + +# Options are registered when keystone.conf is first imported. +for module in conf_modules: + module.register_opts(CONF) + + +oslo_messaging.set_transport_defaults(control_exchange='keystone') + + +def set_default_for_default_log_levels(): + """Set the default for the default_log_levels option for keystone. + + Keystone uses some packages that other OpenStack services don't use that do + logging. This will set the default_log_levels default level for those + packages. + + This function needs to be called before CONF(). + + """ + extra_log_level_defaults = [ + 'dogpile=INFO', + 'routes=INFO', + ] + + log.register_options(CONF) + log.set_defaults(default_log_levels=log.get_default_log_levels() + + extra_log_level_defaults) + + +def setup_logging(): + """Set up logging for the keystone package.""" + log.setup(CONF, 'keystone') + logging.captureWarnings(True) + + +def configure(conf=None): + if conf is None: + conf = CONF + + conf.register_cli_opt( + cfg.BoolOpt('standard-threads', default=False, + help='Do not monkey-patch threading system modules.')) + conf.register_cli_opt( + cfg.StrOpt('pydev-debug-host', + help='Host to connect to for remote debugger.')) + conf.register_cli_opt( + cfg.PortOpt('pydev-debug-port', + help='Port to connect to for remote debugger.')) + + for module in conf_modules: + module.register_opts(conf) + + # register any non-default auth methods here (used by extensions, etc) + auth.setup_authentication() + + # add oslo.cache related config options + cache.configure(conf) + + +def set_external_opts_defaults(): + """Update default configuration options for oslo.middleware.""" + # CORS Defaults + # TODO(krotscheck): Update with 
https://review.openstack.org/#/c/285368/ + cfg.set_defaults(cors.CORS_OPTS, + allow_headers=['X-Auth-Token', + 'X-Openstack-Request-Id', + 'X-Subject-Token', + 'X-Project-Id', + 'X-Project-Name', + 'X-Project-Domain-Id', + 'X-Project-Domain-Name', + 'X-Domain-Id', + 'X-Domain-Name'], + expose_headers=['X-Auth-Token', + 'X-Openstack-Request-Id', + 'X-Subject-Token'], + allow_methods=['GET', + 'PUT', + 'POST', + 'DELETE', + 'PATCH'] + ) + + # configure OSprofiler options + profiler.set_defaults(CONF, enabled=False, trace_sqlalchemy=False) + + # Oslo.cache is always enabled by default for request-local caching + # TODO(morganfainberg): Fix this to not use internal interface when + # oslo.cache has proper interface to set defaults added. This is is + # just a bad way to do this. + opts = cache._opts.list_opts() + for opt_list in opts: + if opt_list[0] == 'cache': + for o in opt_list[1]: + if o.name == 'enabled': + o.default = True + + +def set_config_defaults(): + """Override all configuration default values for keystone.""" + set_default_for_default_log_levels() + set_external_opts_defaults() diff --git a/keystone/conf/assignment.py b/keystone/conf/assignment.py new file mode 100644 index 0000000000..a6876e66f4 --- /dev/null +++ b/keystone/conf/assignment.py 
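Review bot: `configure()` calls `auth.setup_authentication()` with no argument, so when a caller passes its own `conf` the extra auth-method options land on the global `cfg.CONF` rather than on `conf`; the removed `keystone.common.config.configure` passed `conf` through. The `for module in conf_modules: module.register_opts(conf)` loop just above already runs `auth.register_opts(conf)`, which itself calls `setup_authentication(conf)`, so the explicit call looks redundant and should either be dropped or become `auth.setup_authentication(conf)`. `configure()` also has no docstring; since the module-level loop already registers the file options on import, a one-liner such as `"""Register CLI options, the file options and the oslo.cache options on conf (defaults to CONF)."""` would tell a reader why this second registration exists.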
@@ -0,0 +1,48 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_config import cfg + +from keystone.conf import utils + + +driver = cfg.StrOpt( + 'driver', + help=utils.fmt(""" +Entrypoint for the assignment backend driver in the keystone.assignment +namespace. Only an SQL driver is supplied. If an assignment driver is not +specified, the identity driver will choose the assignment driver (driver +selection based on `[identity]/driver` option is deprecated and will be removed +in the "O" release). +""")) + +prohibited_implied_role = cfg.ListOpt( + 'prohibited_implied_role', + default=['admin'], + help=utils.fmt(""" +A list of role names which are prohibited from being an implied role. +""")) + + +GROUP_NAME = __name__.split('.')[-1] +ALL_OPTS = [ + driver, + prohibited_implied_role +] + + +def register_opts(conf): + conf.register_opts(ALL_OPTS, group=GROUP_NAME) + + +def list_opts(): + return {GROUP_NAME: ALL_OPTS} diff --git a/keystone/conf/auth.py b/keystone/conf/auth.py new file mode 100644 index 0000000000..a52c819178 --- /dev/null +++ b/keystone/conf/auth.py 
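Review bot: `register_opts` and `list_opts` carry no docstring, and the same holds for the sibling modules added in this commit (auth, base, catalog, credential, domain_config). Because `list_opts` here returns a `{GROUP_NAME: ALL_OPTS}` dict while the removed `keystone.common.config.list_opts` returned a list of `(group, opts)` tuples, a docstring stating the return shape would help whoever wires these into the oslo.config entry point, e.g. `"""Return this module's options keyed by group name, for aggregation by keystone.conf.opts."""`. The aggregation presumably lives in keystone/conf/opts.py, which is outside this chunk.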
@@ -0,0 +1,88 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_config import cfg + +from keystone.conf import constants +from keystone.conf import utils + + +methods = cfg.ListOpt( + 'methods', + default=constants._DEFAULT_AUTH_METHODS, + help=utils.fmt(""" +Allowed authentication methods. +""")) + +password = cfg.StrOpt( # nosec : This is the name of the plugin, not + 'password', # a password that needs to be protected. + help=utils.fmt(""" +Entrypoint for the password auth plugin module in the keystone.auth.password +namespace. +""")) + +token = cfg.StrOpt( + 'token', + help=utils.fmt(""" +Entrypoint for the token auth plugin module in the keystone.auth.token +namespace. +""")) + +# deals with REMOTE_USER authentication +external = cfg.StrOpt( + 'external', + help=utils.fmt(""" +Entrypoint for the external (REMOTE_USER) auth plugin module in the +keystone.auth.external namespace. Supplied drivers are DefaultDomain and +Domain. The default driver is DefaultDomain. +""")) + +oauth1 = cfg.StrOpt( + 'oauth1', + help=utils.fmt(""" +Entrypoint for the oAuth1.0 auth plugin module in the keystone.auth.oauth1 +namespace. 
+""")) + +GROUP_NAME = __name__.split('.')[-1] +ALL_OPTS = [ + methods, + password, + token, + external, + oauth1, +] + + +def _register_auth_plugin_opt(conf, option): + conf.register_opt(option, group=GROUP_NAME) + + +def setup_authentication(conf=None): + """Register non-default auth methods (used by extensions, etc).""" + # register any non-default auth methods here (used by extensions, etc) + if conf is None: + conf = cfg.CONF + for method_name in conf.auth.methods: + if method_name not in constants._DEFAULT_AUTH_METHODS: + option = cfg.StrOpt(method_name) + _register_auth_plugin_opt(conf, option) + + +def register_opts(conf): + conf.register_opts(ALL_OPTS, group=GROUP_NAME) + + setup_authentication(conf) + + +def list_opts(): + return {GROUP_NAME: ALL_OPTS} diff --git a/keystone/conf/base.py b/keystone/conf/base.py new file mode 100644 index 0000000000..1b9a886310 --- /dev/null +++ b/keystone/conf/base.py 
@@ -0,0 +1,224 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_config import cfg + +from keystone.conf import utils + + +_DEPRECATE_DII_MSG = utils.fmt(""" +The option to set domain_id_immutable to false has been deprecated in the M +release and will be removed in the O release. +""") + + +admin_token = cfg.StrOpt( + 'admin_token', + secret=True, + default=None, + help=utils.fmt(""" +A "shared secret" that can be used to bootstrap Keystone. This "token" does not +represent a user, and carries no explicit authorization. If set to `None`, the +value is ignored and the `admin_token` log in mechanism is effectively +disabled. To completely disable `admin_token` in production (highly +recommended), remove AdminTokenAuthMiddleware from your paste application +pipelines (for example, in keystone-paste.ini). +""")) + +public_endpoint = cfg.StrOpt( + 'public_endpoint', + help=utils.fmt(""" +The base public endpoint URL for Keystone that is advertised to clients (NOTE: +this does NOT affect how Keystone listens for connections). Defaults to the +base host URL of the request. E.g. a request to http://server:5000/v3/users +will default to http://server:5000. You should only need to set this value if +the base URL contains a path (e.g. /prefix/v3) or the endpoint should be found +on a different server. 
+""")) + +admin_endpoint = cfg.StrOpt( + 'admin_endpoint', + help=utils.fmt(""" +The base admin endpoint URL for Keystone that is advertised to clients (NOTE: +this does NOT affect how Keystone listens for connections). Defaults to the +base host URL of the request. E.g. a request to http://server:35357/v3/users +will default to http://server:35357. You should only need to set this value if +the base URL contains a path (e.g. /prefix/v3) or the endpoint should be found +on a different server. +""")) + +max_project_tree_depth = cfg.IntOpt( + 'max_project_tree_depth', + default=5, + help=utils.fmt(""" +Maximum depth of the project hierarchy, excluding the project acting as a +domain at the top of the hierarchy. WARNING: setting it to a large value may +adversely impact performance. +""")) + +max_param_size = cfg.IntOpt( + 'max_param_size', + default=64, + help=utils.fmt(""" +Limit the sizes of user & project ID/names. +""")) + +# we allow tokens to be a bit larger to accommodate PKI +max_token_size = cfg.IntOpt( + 'max_token_size', + default=8192, + help=utils.fmt(""" +Similar to max_param_size, but provides an exception for token values. +""")) + +member_role_id = cfg.StrOpt( + 'member_role_id', + default='9fe2ff9ee4384b1894a90878d3e92bab', + help=utils.fmt(""" +Similar to the member_role_name option, this represents the default role ID +used to associate users with their default projects in the v2 API. This will be +used as the explicit role where one is not specified by the v2 API. +""")) + +member_role_name = cfg.StrOpt( + 'member_role_name', + default='_member_', + help=utils.fmt(""" +This is the role name used in combination with the member_role_id option; see +that option for more detail. +""")) + +# NOTE(lbragstad/morganfainberg): This value of 10k was measured as having an +# approximate 30% clock-time savings over the old default of 40k. 
The passlib +# default is not static and grows over time to constantly approximate ~300ms of +# CPU time to hash; this was considered too high. This value still exceeds the +# glibc default of 5k. +crypt_strength = cfg.IntOpt( + 'crypt_strength', + default=10000, + min=1000, + max=100000, + help=utils.fmt(""" +The value passed as the keyword "rounds" to passlib\'s encrypt method. +""")) + +list_limit = cfg.IntOpt( + 'list_limit', + help=utils.fmt(""" +The maximum number of entities that will be returned in a collection, with no +limit set by default. This global limit may be then overridden for a specific +driver, by specifying a list_limit in the appropriate section (e.g. +[assignment]). +""")) + +domain_id_immutable = cfg.BoolOpt( + 'domain_id_immutable', + default=True, + deprecated_for_removal=True, + deprecated_reason=_DEPRECATE_DII_MSG, + help=utils.fmt(""" +Set this to false if you want to enable the ability for user, group and project +entities to be moved between domains by updating their domain_id. Allowing such +movement is not recommended if the scope of a domain admin is being restricted +by use of an appropriate policy file (see policy.v3cloudsample as an example). +This ability is deprecated and will be removed in a future release. +""")) + +strict_password_check = cfg.BoolOpt( + 'strict_password_check', + default=False, + help=utils.fmt(""" +If set to true, strict password length checking is performed for password +manipulation. If a password exceeds the maximum length, the operation will fail +with an HTTP 403 Forbidden error. If set to false, passwords are automatically +truncated to the maximum length. +""")) + +secure_proxy_ssl_header = cfg.StrOpt( + 'secure_proxy_ssl_header', + default='HTTP_X_FORWARDED_PROTO', + deprecated_for_removal=True, + deprecated_reason=utils.fmt(""" +Use http_proxy_to_wsgi middleware configuration instead. 
+"""), + help=utils.fmt(""" +The HTTP header used to determine the scheme for the original request, even if +it was removed by an SSL terminating proxy. +""")) + +insecure_debug = cfg.BoolOpt( + 'insecure_debug', + default=False, + help=utils.fmt(""" +If set to true the server will return information in the response that may +allow an unauthenticated or authenticated user to get more information than +normal, such as why authentication failed. This may be useful for debugging but +is insecure. +""")) + +default_publisher_id = cfg.StrOpt( + 'default_publisher_id', + help=utils.fmt(""" +Default publisher_id for outgoing notifications +""")) + +notification_format = cfg.StrOpt( + 'notification_format', + default='basic', + choices=['basic', 'cadf'], + help=utils.fmt(""" +Define the notification format for Identity Service events. A "basic" +notification has information about the resource being operated on. A "cadf" +notification has the same information, as well as information about the +initiator of the event. +""")) + +notification_opt_out = cfg.MultiStrOpt( + 'notification_opt_out', + default=[], + help=utils.fmt(""" +Define the notification options to opt-out from. The value expected is: +identity... This field can be set multiple times in +order to add more notifications to opt-out from. For example: +notification_opt_out=identity.user.create +notification_opt_out=identity.authenticate.success +""")) + + +GROUP_NAME = 'DEFAULT' +ALL_OPTS = [ + admin_token, + public_endpoint, + admin_endpoint, + max_project_tree_depth, + max_param_size, + max_token_size, + member_role_id, + member_role_name, + crypt_strength, + list_limit, + domain_id_immutable, + strict_password_check, + secure_proxy_ssl_header, + insecure_debug, + default_publisher_id, + notification_format, + notification_opt_out, +] + + +def register_opts(conf): + conf.register_opts(ALL_OPTS) + + +def list_opts(): + return {GROUP_NAME: ALL_OPTS} 
diff --git a/keystone/conf/catalog.py b/keystone/conf/catalog.py new file mode 100644 index 0000000000..f5dd836e65 --- /dev/null +++ b/keystone/conf/catalog.py @@ -0,0 +1,70 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_config import cfg + +from keystone.conf import utils + + +template_file = cfg.StrOpt( + 'template_file', + default='default_catalog.templates', + help=utils.fmt(""" +Catalog template file name for use with the template catalog backend. +""")) + +driver = cfg.StrOpt( + 'driver', + default='sql', + help=utils.fmt(""" +Entrypoint for the catalog backend driver in the keystone.catalog namespace. +Supplied drivers are kvs, sql, templated, and endpoint_filter.sql +""")) + +aching = cfg.BoolOpt( + 'caching', + default=True, + help=utils.fmt(""" +Toggle for catalog caching. This has no effect unless global caching is +enabled. +""")) + +cache_time = cfg.IntOpt( + 'cache_time', + help=utils.fmt(""" +Time to cache catalog data (in seconds). This has no effect unless global and +catalog caching are enabled. +""")) + +list_limit = cfg.IntOpt( + 'list_limit', + help=utils.fmt(""" +Maximum number of entities that will be returned in a catalog collection. +""")) + + +GROUP_NAME = __name__.split('.')[-1] +ALL_OPTS = [ + template_file, + driver, + aching, + cache_time, + list_limit, +] + + +def register_opts(conf): + conf.register_opts(ALL_OPTS, group=GROUP_NAME) + + +def list_opts(): + return {GROUP_NAME: ALL_OPTS} 
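Review bot: The `caching` option is bound to a module attribute named `aching` (`aching = cfg.BoolOpt(` and `aching,` in `ALL_OPTS`); it registers correctly because the option name string is `'caching'`, but it is a typo and diverges from the `caching` name domain_config.py uses for the same option. Rename both occurrences: `caching = cfg.BoolOpt(` and `caching,`.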
diff --git a/keystone/conf/constants.py b/keystone/conf/constants.py new file mode 100644 index 0000000000..9fb56d0f5b --- /dev/null +++ b/keystone/conf/constants.py @@ -0,0 +1,30 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +"""Constants for use in the keystone.conf package. + +These constants are shared by more than one module in the keystone.conf +package. + +""" + +from keystone.conf import utils + + +_DEFAULT_AUTH_METHODS = ['external', 'password', 'token', 'oauth1'] + +_CERTFILE = '/etc/keystone/ssl/certs/signing_cert.pem' +_KEYFILE = '/etc/keystone/ssl/private/signing_key.pem' + +_DEPRECATE_PKI_MSG = utils.fmt(""" +PKI token support has been deprecated in the M release and will be removed in +the O release. Fernet or UUID tokens are recommended. +""") diff --git a/keystone/conf/credential.py b/keystone/conf/credential.py new file mode 100644 index 0000000000..4a333c449f --- /dev/null +++ b/keystone/conf/credential.py 
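Review bot: Every name in this module (`_DEFAULT_AUTH_METHODS`, `_CERTFILE`, `_KEYFILE`, `_DEPRECATE_PKI_MSG`) is underscore-prefixed, yet the module exists to be imported by other modules—auth.py reads `constants._DEFAULT_AUTH_METHODS` in this same commit—so the prefix signals private while the usage is public. Dropping the underscore (`DEFAULT_AUTH_METHODS = ['external', 'password', 'token', 'oauth1']`) would match the module docstring's stated purpose; if the prefix is deliberate (for example to keep these out of sample-config generation), a comment saying so would help.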
@@ -0,0 +1,38 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_config import cfg
+
+from keystone.conf import utils
+
+
+driver = cfg.StrOpt(
+ 'driver',
+ default='sql',
+ help=utils.fmt("""
+Entrypoint for the credential backend driver in the keystone.credential
+namespace.
+"""))
+
+
+GROUP_NAME = __name__.split('.')[-1]
+ALL_OPTS = [
+ driver,
+]
+
+
+def register_opts(conf):
+ conf.register_opts(ALL_OPTS, group=GROUP_NAME)
+
+
+def list_opts():
+ return {GROUP_NAME: ALL_OPTS}
diff --git a/keystone/conf/domain_config.py b/keystone/conf/domain_config.py
new file mode 100644
index 0000000000..d81356490f
--- /dev/null
+++ b/keystone/conf/domain_config.py
@@ -0,0 +1,56 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_config import cfg
+
+from keystone.conf import utils
+
+
+driver = cfg.StrOpt(
+ 'driver',
+ default='sql',
+ help=utils.fmt("""
+Entrypoint for the domain config backend driver in the
+keystone.resource.domain_config namespace.
+"""))
+
+caching = cfg.BoolOpt(
+ 'caching',
+ default=True,
+ help=utils.fmt("""
+Toggle for domain config caching. This has no effect unless global caching is
+enabled.
+"""))
+
+cache_time = cfg.IntOpt(
+ 'cache_time',
+ default=300,
+ help=utils.fmt("""
+TTL (in seconds) to cache domain config data. This has no effect unless domain
+config caching is enabled.
+"""))
+
+
+GROUP_NAME = __name__.split('.')[-1]
+ALL_OPTS = [
+ driver,
+ caching,
+ cache_time,
+]
+
+
+def register_opts(conf):
+ conf.register_opts(ALL_OPTS, group=GROUP_NAME)
+
+
+def list_opts():
+ return {GROUP_NAME: ALL_OPTS}
diff --git a/keystone/conf/endpoint_filter.py b/keystone/conf/endpoint_filter.py
new file mode 100644
index 0000000000..29e62d9d82
--- /dev/null
+++ b/keystone/conf/endpoint_filter.py
@@ -0,0 +1,46 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_config import cfg
+
+from keystone.conf import utils
+
+
+driver = cfg.StrOpt(
+ 'driver',
+ default='sql',
+ help=utils.fmt("""
+Entrypoint for the endpoint filter backend driver in the
+keystone.endpoint_filter namespace.
+"""))
+
+return_all_endpoints_if_no_filter = cfg.BoolOpt(
+ 'return_all_endpoints_if_no_filter',
+ default=True,
+ help=utils.fmt("""
+Toggle to return all active endpoints if no filter exists.
+"""))
+
+
+GROUP_NAME = __name__.split('.')[-1]
+ALL_OPTS = [
+ driver,
+ return_all_endpoints_if_no_filter,
+]
+
+
+def register_opts(conf):
+ conf.register_opts(ALL_OPTS, group=GROUP_NAME)
+
+
+def list_opts():
+ return {GROUP_NAME: ALL_OPTS}
diff --git a/keystone/conf/endpoint_policy.py b/keystone/conf/endpoint_policy.py
new file mode 100644
index 0000000000..2bac020ad1
--- /dev/null
+++ b/keystone/conf/endpoint_policy.py
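Review bot: The help for `return_all_endpoints_if_no_filter` states what the flag does but not the consequence of its default: with `default=True`, a request for which no endpoint filter is defined receives every active endpoint, which operators who use filtering to limit catalog exposure may not expect. Suggest extending the help to `Toggle to return all active endpoints if no filter exists. With this enabled (the default), any request that has no endpoint filter defined receives the complete list of active endpoints.`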
@@ -0,0 +1,52 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_config import cfg
+
+from keystone.conf import utils
+
+
+enabled = cfg.BoolOpt(
+ 'enabled',
+ default=True,
+ deprecated_for_removal=True,
+ deprecated_reason=utils.fmt("""
+The option to enable the OS-ENDPOINT-POLICY extension has been deprecated in
+the M release and will be removed in the O release. The OS-ENDPOINT-POLICY
+extension will be enabled by default.
+"""),
+ help=utils.fmt("""
+Enable endpoint_policy functionality.
+"""))
+
+driver = cfg.StrOpt(
+ 'driver',
+ default='sql',
+ help=utils.fmt("""
+Entrypoint for the endpoint policy backend driver in the
+keystone.endpoint_policy namespace.
+"""))
+
+
+GROUP_NAME = __name__.split('.')[-1]
+ALL_OPTS = [
+ enabled,
+ driver,
+]
+
+
+def register_opts(conf):
+ conf.register_opts(ALL_OPTS, group=GROUP_NAME)
+
+
+def list_opts():
+ return {GROUP_NAME: ALL_OPTS}
diff --git a/keystone/conf/eventlet_server.py b/keystone/conf/eventlet_server.py
new file mode 100644
index 0000000000..c1df98d90a
--- /dev/null
+++ b/keystone/conf/eventlet_server.py
@@ -0,0 +1,90 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_config import cfg
+
+from keystone.conf import utils
+
+
+_DEPRECATE_EVENTLET_MSG = utils.fmt("""
+Support for running keystone under eventlet has been removed in the N release.
+These options remain for backwards compatibility because they are used for URL
+substitutions.
+""")
+
+
+public_bind_host = cfg.StrOpt(
+ 'public_bind_host',
+ default='0.0.0.0', # nosec : Bind to all interfaces by default for
+ # backwards compatibility.
+ deprecated_opts=[
+ cfg.DeprecatedOpt('bind_host', group='DEFAULT'),
+ cfg.DeprecatedOpt('public_bind_host', group='DEFAULT'),
+ ],
+ deprecated_for_removal=True,
+ deprecated_reason=_DEPRECATE_EVENTLET_MSG,
+ help=utils.fmt("""
+The IP address of the network interface for the public service to listen on.
+"""))
+
+public_port = cfg.PortOpt(
+ 'public_port',
+ default=5000,
+ deprecated_name='public_port',
+ deprecated_group='DEFAULT',
+ deprecated_for_removal=True,
+ deprecated_reason=_DEPRECATE_EVENTLET_MSG,
+ help=utils.fmt("""
+The port number which the public service listens on.
+"""))
+
+admin_bind_host = cfg.StrOpt(
+ 'admin_bind_host',
+ default='0.0.0.0', # nosec : Bind to all interfaces by default for
+ # backwards compatibility.
+ deprecated_opts=[
+ cfg.DeprecatedOpt('bind_host', group='DEFAULT'),
+ cfg.DeprecatedOpt('admin_bind_host', group='DEFAULT'),
+ ],
+ deprecated_for_removal=True,
+ deprecated_reason=_DEPRECATE_EVENTLET_MSG,
+ help=utils.fmt("""
+The IP address of the network interface for the admin service to listen on.
+"""))
+
+admin_port = cfg.PortOpt(
+ 'admin_port',
+ default=35357,
+ deprecated_name='admin_port',
+ deprecated_group='DEFAULT',
+ deprecated_for_removal=True,
+ deprecated_reason=_DEPRECATE_EVENTLET_MSG,
+ help=utils.fmt("""
+The port number which the admin service listens on.
+"""))
+
+
+GROUP_NAME = __name__.split('.')[-1]
+ALL_OPTS = [
+ public_bind_host,
+ public_port,
+ admin_bind_host,
+ admin_port,
+]
+
+
+def register_opts(conf):
+ conf.register_opts(ALL_OPTS, group=GROUP_NAME)
+
+
+def list_opts():
+ return {GROUP_NAME: ALL_OPTS}
diff --git a/keystone/conf/federation.py b/keystone/conf/federation.py
new file mode 100644
index 0000000000..af8887871e
--- /dev/null
+++ b/keystone/conf/federation.py
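Review bot: The `# nosec : Bind to all interfaces by default for` annotation on `public_bind_host`, repeated on `admin_bind_host`, is split between the `default=` line and a second comment-only line inside the argument list, which reads as a broken comment and separates the suppression marker from its justification. Since `_DEPRECATE_EVENTLET_MSG` already records that these values survive only for URL substitution, one line keeps marker and reason together: `default='0.0.0.0',  # nosec: compat default, now used only for URL substitution`. The help text for both bind-host options still says the service "listens on" the address, which presumably is no longer true once eventlet support is gone; consider aligning it with the deprecation message.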
@@ -0,0 +1,97 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_config import cfg
+
+from keystone.conf import utils
+
+
+driver = cfg.StrOpt(
+ 'driver',
+ default='sql',
+ help=utils.fmt("""
+Entrypoint for the federation backend driver in the keystone.federation
+namespace.
+"""))
+
+assertion_prefix = cfg.StrOpt(
+ 'assertion_prefix',
+ default='',
+ help=utils.fmt("""
+Value to be used when filtering assertion parameters from the environment.
+"""))
+
+remote_id_attribute = cfg.StrOpt(
+ 'remote_id_attribute',
+ help=utils.fmt("""
+Value to be used to obtain the entity ID of the Identity Provider from the
+environment (e.g. if using the mod_shib plugin this value is
+`Shib-Identity-Provider`).
+"""))
+
+federated_domain_name = cfg.StrOpt(
+ 'federated_domain_name',
+ default='Federated',
+ help=utils.fmt("""
+A domain name that is reserved to allow federated ephemeral users to have a
+domain concept. Note that an admin will not be able to create a domain with
+this name or update an existing domain to this name. You are not advised to
+change this value unless you really have to.
+"""))
+
+trusted_dashboard = cfg.MultiStrOpt(
+ 'trusted_dashboard',
+ default=[],
+ help=utils.fmt("""
+A list of trusted dashboard hosts. Before accepting a Single Sign-On request to
+return a token, the origin host must be a member of the trusted_dashboard list.
+This configuration option may be repeated for multiple values. For example:
+trusted_dashboard=http://acme.com/auth/websso
+trusted_dashboard=http://beta.com/auth/websso
+"""))
+
+sso_callback_template = cfg.StrOpt(
+ 'sso_callback_template',
+ default='/etc/keystone/sso_callback_template.html',
+ help=utils.fmt("""
+Location of Single Sign-On callback handler, will return a token to a trusted
+dashboard host.
+"""))
+
+
+caching = cfg.BoolOpt(
+ 'caching',
+ default=True,
+ help=utils.fmt("""
+Toggle for federation caching. This has no effect unless global caching is
+enabled.
+"""))
+
+
+GROUP_NAME = __name__.split('.')[-1]
+ALL_OPTS = [
+ driver,
+ assertion_prefix,
+ remote_id_attribute,
+ federated_domain_name,
+ trusted_dashboard,
+ sso_callback_template,
+ caching,
+]
+
+
+def register_opts(conf):
+ conf.register_opts(ALL_OPTS, group=GROUP_NAME)
+
+
+def list_opts():
+ return {GROUP_NAME: ALL_OPTS}
diff --git a/keystone/conf/fernet_tokens.py b/keystone/conf/fernet_tokens.py
new file mode 100644
index 0000000000..0ddfcf79a9
--- /dev/null
+++ b/keystone/conf/fernet_tokens.py
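Review bot: The `trusted_dashboard` help shows the allowlist examples as `http://acme.com/auth/websso` and `http://beta.com/auth/websso`; since the same help says a token is returned to the listed host, the examples should use `https://` so that operators copying them are not nudged into returning tokens over plaintext. The `sso_callback_template` help is a comma splice; `Location of the Single Sign-On callback handler that returns a token to a trusted dashboard host.` reads cleanly. There is also a double blank line before `caching` where every other option in the module is separated by one.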
@@ -0,0 +1,49 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_config import cfg
+
+from keystone.conf import utils
+
+
+key_repository = cfg.StrOpt(
+ 'key_repository',
+ default='/etc/keystone/fernet-keys/',
+ help=utils.fmt("""
+Directory containing Fernet token keys.
+"""))
+
+max_active_keys = cfg.IntOpt(
+ 'max_active_keys',
+ default=3,
+ help=utils.fmt("""
+This controls how many keys are held in rotation by keystone-manage
+fernet_rotate before they are discarded. The default value of 3 means that
+keystone will maintain one staged key, one primary key, and one secondary key.
+Increasing this value means that additional secondary keys will be kept in the
+rotation.
+"""))
+
+
+GROUP_NAME = __name__.split('.')[-1]
+ALL_OPTS = [
+ key_repository,
+ max_active_keys,
+]
+
+
+def register_opts(conf):
+ conf.register_opts(ALL_OPTS, group=GROUP_NAME)
+
+
+def list_opts():
+ return {GROUP_NAME: ALL_OPTS}
diff --git a/keystone/conf/identity.py b/keystone/conf/identity.py
new file mode 100644
index 0000000000..dec410307a
--- /dev/null
+++ b/keystone/conf/identity.py
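Review bot: The help for `key_repository` says only `Directory containing Fernet token keys.`, which does not tell the operator that the directory holds the secret material used to issue and validate Fernet tokens and therefore needs restrictive permissions. Suggest `Directory containing Fernet token keys. This directory must be readable and writable only by the keystone service user; anyone able to read it can mint valid tokens.` The `max_active_keys` help is fine, but it could add that the default of 3 is the minimum for zero-downtime rotation only if that is what the rotation tooling assumes — worth confirming against keystone-manage before stating it.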
@@ -0,0 +1,120 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_config import cfg
+import passlib.utils
+
+from keystone.conf import utils
+
+
+default_domain_id = cfg.StrOpt(
+ 'default_domain_id',
+ default='default',
+ help=utils.fmt("""
+This references the domain to use for all Identity API v2 requests (which are
+not aware of domains). A domain with this ID will be created for you by
+keystone-manage db_sync in migration 008. The domain referenced by this ID
+cannot be deleted on the v3 API, to prevent accidentally breaking the v2 API.
+There is nothing special about this domain, other than the fact that it must
+exist to order to maintain support for your v2 clients.
+"""))
+
+domain_specific_drivers_enabled = cfg.BoolOpt(
+ 'domain_specific_drivers_enabled',
+ default=False,
+ help=utils.fmt("""
+A subset (or all) of domains can have their own identity driver, each with
+their own partial configuration options, stored in either the resource backend
+or in a file in a domain configuration directory (depending on the setting of
+domain_configurations_from_database). Only values specific to the domain need
+to be specified in this manner. This feature is disabled by default; set to
+true to enable.
+"""))
+
+domain_configurations_from_database = cfg.BoolOpt(
+ 'domain_configurations_from_database',
+ default=False,
+ help=utils.fmt("""
+Extract the domain specific configuration options from the resource backend
+where they have been stored with the domain data. This feature is disabled by
+default (in which case the domain specific options will be loaded from files in
+the domain configuration directory); set to true to enable.
+"""))
+
+domain_config_dir = cfg.StrOpt(
+ 'domain_config_dir',
+ default='/etc/keystone/domains',
+ help=utils.fmt("""
+Path for Keystone to locate the domain specific identity configuration files if
+domain_specific_drivers_enabled is set to true.
+"""))
+
+driver = cfg.StrOpt(
+ 'driver',
+ default='sql',
+ help=utils.fmt("""
+Entrypoint for the identity backend driver in the keystone.identity namespace.
+Supplied drivers are ldap and sql.
+"""))
+
+caching = cfg.BoolOpt(
+ 'caching',
+ default=True,
+ help=utils.fmt("""
+Toggle for identity caching. This has no effect unless global caching is
+enabled.
+"""))
+
+cache_time = cfg.IntOpt(
+ 'cache_time',
+ default=600,
+ help=utils.fmt("""
+Time to cache identity data (in seconds). This has no effect unless global and
+identity caching are enabled.
+"""))
+
+max_password_length = cfg.IntOpt(
+ 'max_password_length',
+ default=4096,
+ max=passlib.utils.MAX_PASSWORD_SIZE,
+ help=utils.fmt("""
+Maximum supported length for user passwords; decrease to improve
+performance.
+"""))
+
+list_limit = cfg.IntOpt(
+ 'list_limit',
+ help=utils.fmt("""
+Maximum number of entities that will be returned in an identity collection.
+"""))
+
+
+GROUP_NAME = __name__.split('.')[-1]
+ALL_OPTS = [
+ default_domain_id,
+ domain_specific_drivers_enabled,
+ domain_configurations_from_database,
+ domain_config_dir,
+ driver,
+ caching,
+ cache_time,
+ max_password_length,
+ list_limit,
+]
+
+
+def register_opts(conf):
+ conf.register_opts(ALL_OPTS, group=GROUP_NAME)
+
+
+def list_opts():
+ return {GROUP_NAME: ALL_OPTS}
diff --git a/keystone/conf/identity_mapping.py b/keystone/conf/identity_mapping.py
new file mode 100644
index 0000000000..9f54efbd18
--- /dev/null
+++ b/keystone/conf/identity_mapping.py
@@ -0,0 +1,67 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_config import cfg
+
+from keystone.conf import utils
+
+
+driver = cfg.StrOpt(
+ 'driver',
+ default='sql',
+ help=utils.fmt("""
+Entrypoint for the identity mapping backend driver in the
+keystone.identity.id_mapping namespace.
+"""))
+
+generator = cfg.StrOpt(
+ 'generator',
+ default='sha256',
+ help=utils.fmt("""
+Entrypoint for the public ID generator for user and group entities in the
+keystone.identity.id_generator namespace. The Keystone identity mapper only
+supports generators that produce no more than 64 characters.
+"""))
+
+backward_compatible_ids = cfg.BoolOpt(
+ 'backward_compatible_ids',
+ default=True,
+ help=utils.fmt("""
+The format of user and group IDs changed in Juno for backends that do not
+generate UUIDs (e.g. LDAP), with keystone providing a hash mapping to the
+underlying attribute in LDAP. By default this mapping is disabled, which
+ensures that existing IDs will not change. Even when the mapping is enabled by
+using domain specific drivers, any users and groups from the default domain
+being handled by LDAP will still not be mapped to ensure their IDs remain
+backward compatible. Setting this value to False will enable the mapping for
+even the default LDAP driver. It is only safe to do this if you do not already
+have assignments for users and groups from the default LDAP domain, and it is
+acceptable for Keystone to provide the different IDs to clients than it did
+previously. Typically this means that the only time you can set this value to
+False is when configuring a fresh installation.
+"""))
+
+
+GROUP_NAME = __name__.split('.')[-1]
+ALL_OPTS = [
+ driver,
+ generator,
+ backward_compatible_ids,
+]
+
+
+def register_opts(conf):
+ conf.register_opts(ALL_OPTS, group=GROUP_NAME)
+
+
+def list_opts():
+ return {GROUP_NAME: ALL_OPTS}
diff --git a/keystone/conf/kvs.py b/keystone/conf/kvs.py
new file mode 100644
index 0000000000..d00584dffb
--- /dev/null
+++ b/keystone/conf/kvs.py
@@ -0,0 +1,66 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_config import cfg
+
+from keystone.conf import utils
+
+
+backends = cfg.ListOpt(
+ 'backends',
+ default=[],
+ help=utils.fmt("""
+Extra dogpile.cache backend modules to register with the dogpile.cache
+library.
+"""))
+
+config_prefix = cfg.StrOpt(
+ 'config_prefix',
+ default='keystone.kvs',
+ help=utils.fmt("""
+Prefix for building the configuration dictionary for the KVS region. This
+should not need to be changed unless there is another dogpile.cache region with
+the same configuration name.
+"""))
+
+enable_key_mangler = cfg.BoolOpt(
+ 'enable_key_mangler',
+ default=True,
+ help=utils.fmt("""
+Toggle to disable using a key-mangling function to ensure fixed length keys.
+This is toggle-able for debugging purposes, it is highly recommended to always
+leave this set to true.
+"""))
+
+default_lock_timeout = cfg.IntOpt(
+ 'default_lock_timeout',
+ default=5,
+ help=utils.fmt("""
+Default lock timeout (in seconds) for distributed locking.
+"""))
+
+
+GROUP_NAME = __name__.split('.')[-1]
+ALL_OPTS = [
+ backends,
+ config_prefix,
+ enable_key_mangler,
+ default_lock_timeout,
+]
+
+
+def register_opts(conf):
+ conf.register_opts(ALL_OPTS, group=GROUP_NAME)
+
+
+def list_opts():
+ return {GROUP_NAME: ALL_OPTS}
diff --git a/keystone/conf/ldap.py b/keystone/conf/ldap.py
new file mode 100644
index 0000000000..33f5a57a45
--- /dev/null
+++ b/keystone/conf/ldap.py
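Review bot: The help for `enable_key_mangler` opens with `Toggle to disable using a key-mangling function`, but the option is named `enable_…` and defaults to `True`, so the sentence describes the opposite polarity from the name and a reader cannot tell which value does what. Suggest `Use a key-mangling function to ensure fixed length keys. This can be turned off for debugging purposes, but it is highly recommended to always leave this set to true.`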
@@ -0,0 +1,545 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_config import cfg
+
+from keystone.conf import utils
+
+
+_DEPRECATED_LDAP_WRITE = utils.fmt("""
+Write support for Identity LDAP backends has been deprecated in the M release
+and will be removed in the O release.
+""")
+
+
+url = cfg.StrOpt(
+ 'url',
+ default='ldap://localhost',
+ help=utils.fmt("""
+URL(s) for connecting to the LDAP server. Multiple LDAP URLs may be specified
+as a comma separated string. The first URL to successfully bind is used for the
+connection.
+"""))
+
+user = cfg.StrOpt(
+ 'user',
+ help=utils.fmt("""
+User BindDN to query the LDAP server.
+"""))
+
+password = cfg.StrOpt(
+ 'password',
+ secret=True,
+ help=utils.fmt("""
+Password for the BindDN to query the LDAP server.
+"""))
+
+suffix = cfg.StrOpt(
+ 'suffix',
+ default='cn=example,cn=com',
+ help=utils.fmt("""
+LDAP server suffix
+"""))
+
+use_dumb_member = cfg.BoolOpt(
+ 'use_dumb_member',
+ default=False,
+ help=utils.fmt("""
+If true, will add a dummy member to groups. This is required if the objectclass
+for groups requires the "member" attribute.
+ """))
+
+dumb_member = cfg.StrOpt(
+ 'dumb_member',
+ default='cn=dumb,dc=nonexistent',
+ help=utils.fmt("""
+DN of the "dummy member" to use when "use_dumb_member" is enabled.
+"""))
+
+allow_subtree_delete = cfg.BoolOpt(
+ 'allow_subtree_delete',
+ default=False,
+ help=utils.fmt("""
+Delete subtrees using the subtree delete control. Only enable this option if
+your LDAP server supports subtree deletion.
+"""))
+
+query_scope = cfg.StrOpt(
+ 'query_scope',
+ default='one',
+ choices=['one', 'sub'],
+ help=utils.fmt("""
+The LDAP scope for queries, "one" represents oneLevel/singleLevel and "sub"
+represents subtree/wholeSubtree options.
+"""))
+
+page_size = cfg.IntOpt(
+ 'page_size',
+ default=0,
+ help=utils.fmt("""
+Maximum results per page; a value of zero ("0") disables paging.
+"""))
+
+alias_dereferencing = cfg.StrOpt(
+ 'alias_dereferencing',
+ default='default',
+ choices=['never', 'searching', 'always', 'finding', 'default'],
+ help=utils.fmt("""
+The LDAP dereferencing option for queries. The "default" option falls back to
+using default dereferencing configured by your ldap.conf.
+"""))
+
+debug_level = cfg.IntOpt(
+ 'debug_level',
+ help=utils.fmt("""
+Sets the LDAP debugging level for LDAP calls. A value of 0 means that debugging
+is not enabled. This value is a bitmask, consult your LDAP documentation for
+possible values.
+"""))
+
+chase_referrals = cfg.BoolOpt(
+ 'chase_referrals',
+ help=utils.fmt("""
+Override the system's default referral chasing behavior for queries.
+"""))
+
+user_tree_dn = cfg.StrOpt(
+ 'user_tree_dn',
+ help=utils.fmt("""
+Search base for users. Defaults to the suffix value.
+"""))
+
+user_filter = cfg.StrOpt(
+ 'user_filter',
+ help=utils.fmt("""
+LDAP search filter for users.
+"""))
+
+user_objectclass = cfg.StrOpt(
+ 'user_objectclass',
+ default='inetOrgPerson',
+ help=utils.fmt("""
+LDAP objectclass for users.
+"""))
+
+user_id_attribute = cfg.StrOpt(
+ 'user_id_attribute',
+ default='cn',
+ help=utils.fmt("""
+LDAP attribute mapped to user id. WARNING: must not be a multivalued
+attribute.
+"""))
+
+user_name_attribute = cfg.StrOpt(
+ 'user_name_attribute',
+ default='sn',
+ help=utils.fmt("""
+LDAP attribute mapped to user name.
+"""))
+
+user_description_attribute = cfg.StrOpt(
+ 'user_description_attribute',
+ default='description',
+ help=utils.fmt("""
+LDAP attribute mapped to user description.
+"""))
+
+user_mail_attribute = cfg.StrOpt(
+ 'user_mail_attribute',
+ default='mail',
+ help=utils.fmt("""
+LDAP attribute mapped to user email.
+"""))
+
+user_pass_attribute = cfg.StrOpt(
+ 'user_pass_attribute',
+ default='userPassword',
+ help=utils.fmt("""
+LDAP attribute mapped to password.
+"""))
+
+user_enabled_attribute = cfg.StrOpt(
+ 'user_enabled_attribute',
+ default='enabled',
+ help=utils.fmt("""
+LDAP attribute mapped to user enabled flag.
+"""))
+
+user_enabled_invert = cfg.BoolOpt(
+ 'user_enabled_invert',
+ default=False,
+ help=utils.fmt("""
+Invert the meaning of the boolean enabled values. Some LDAP servers use a
+boolean lock attribute where "true" means an account is disabled. Setting
+"user_enabled_invert = true" will allow these lock attributes to be used. This
+setting will have no effect if "user_enabled_mask" or "user_enabled_emulation"
+settings are in use.
+"""))
+
+user_enabled_mask = cfg.IntOpt(
+ 'user_enabled_mask',
+ default=0,
+ help=utils.fmt("""
+Bitmask integer to indicate the bit that the enabled value is stored in if the
+LDAP server represents "enabled" as a bit on an integer rather than a boolean.
+A value of "0" indicates the mask is not used. If this is not set to "0" the
+typical value is "2". This is typically used when "user_enabled_attribute =
+userAccountControl".
+"""))
+
+user_enabled_default = cfg.StrOpt(
+ 'user_enabled_default',
+ default='True',
+ help=utils.fmt("""
+Default value to enable users. This should match an appropriate int value if
+the LDAP server uses non-boolean (bitmask) values to indicate if a user is
+enabled or disabled. If this is not set to "True" the typical value is "512".
+This is typically used when "user_enabled_attribute = userAccountControl".
+"""))
+
+user_attribute_ignore = cfg.ListOpt(
+ 'user_attribute_ignore',
+ default=['default_project_id'],
+ help=utils.fmt("""
+List of attributes stripped off the user on update.
+"""))
+
+user_default_project_id_attribute = cfg.StrOpt(
+ 'user_default_project_id_attribute',
+ help=utils.fmt("""
+LDAP attribute mapped to default_project_id for users.
+"""))
+
+user_allow_create = cfg.BoolOpt(
+ 'user_allow_create',
+ default=True,
+ deprecated_for_removal=True,
+ deprecated_reason=_DEPRECATED_LDAP_WRITE,
+ help=utils.fmt("""
+Allow user creation in LDAP backend.
+"""))
+
+user_allow_update = cfg.BoolOpt(
+ 'user_allow_update',
+ default=True,
+ deprecated_for_removal=True,
+ deprecated_reason=_DEPRECATED_LDAP_WRITE,
+ help=utils.fmt("""
+Allow user updates in LDAP backend.
+"""))
+
+user_allow_delete = cfg.BoolOpt(
+ 'user_allow_delete',
+ default=True,
+ deprecated_for_removal=True,
+ deprecated_reason=_DEPRECATED_LDAP_WRITE,
+ help=utils.fmt("""
+Allow user deletion in LDAP backend.
+"""))
+
+user_enabled_emulation = cfg.BoolOpt(
+ 'user_enabled_emulation',
+ default=False,
+ help=utils.fmt("""
+If true, Keystone uses an alternative method to determine if a user is enabled
+or not by checking if they are a member of the "user_enabled_emulation_dn"
+group.
+"""))
+
+user_enabled_emulation_dn = cfg.StrOpt(
+ 'user_enabled_emulation_dn',
+ help=utils.fmt("""
+DN of the group entry to hold enabled users when using enabled emulation.
+"""))
+
+user_enabled_emulation_use_group_config = cfg.BoolOpt(
+ 'user_enabled_emulation_use_group_config',
+ default=False,
+ help=utils.fmt("""
+Use the "group_member_attribute" and "group_objectclass" settings to determine
+membership in the emulated enabled group.
+"""))
+
+user_additional_attribute_mapping = cfg.ListOpt(
+ 'user_additional_attribute_mapping',
+ default=[],
+ help=utils.fmt("""
+List of additional LDAP attributes used for mapping additional attribute
+mappings for users. Attribute mapping format is :, where
+ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API
+attribute.
+"""))
+
+group_tree_dn = cfg.StrOpt(
+ 'group_tree_dn',
+ help=utils.fmt("""
+Search base for groups. Defaults to the suffix value.
+"""))
+
+group_filter = cfg.StrOpt(
+ 'group_filter',
+ help=utils.fmt("""
+LDAP search filter for groups.
+"""))
+
+group_objectclass = cfg.StrOpt(
+ 'group_objectclass',
+ default='groupOfNames',
+ help=utils.fmt("""
+LDAP objectclass for groups.
+"""))
+
+group_id_attribute = cfg.StrOpt(
+ 'group_id_attribute',
+ default='cn',
+ help=utils.fmt("""
+LDAP attribute mapped to group id.
+"""))
+
+group_name_attribute = cfg.StrOpt(
+ 'group_name_attribute',
+ default='ou',
+ help=utils.fmt("""
+LDAP attribute mapped to group name.
+"""))
+
+group_member_attribute = cfg.StrOpt(
+ 'group_member_attribute',
+ default='member',
+ help=utils.fmt("""
+LDAP attribute mapped to show group membership.
+"""))
+
+group_desc_attribute = cfg.StrOpt(
+ 'group_desc_attribute',
+ default='description',
+ help=utils.fmt("""
+LDAP attribute mapped to group description.
+"""))
+
+group_attribute_ignore = cfg.ListOpt(
+ 'group_attribute_ignore',
+ default=[],
+ help=utils.fmt("""
+List of attributes stripped off the group on update.
+"""))
+
+group_allow_create = cfg.BoolOpt(
+ 'group_allow_create',
+ default=True,
+ deprecated_for_removal=True,
+ deprecated_reason=_DEPRECATED_LDAP_WRITE,
+ help=utils.fmt("""
+Allow group creation in LDAP backend.
+"""))
+
+group_allow_update = cfg.BoolOpt(
+ 'group_allow_update',
+ default=True,
+ deprecated_for_removal=True,
+ deprecated_reason=_DEPRECATED_LDAP_WRITE,
+ help=utils.fmt("""
+Allow group update in LDAP backend.
+"""))
+
+group_allow_delete = cfg.BoolOpt(
+ 'group_allow_delete',
+ default=True,
+ deprecated_for_removal=True,
+ deprecated_reason=_DEPRECATED_LDAP_WRITE,
+ help=utils.fmt("""
+Allow group deletion in LDAP backend.
+"""))
+
+group_additional_attribute_mapping = cfg.ListOpt(
+ 'group_additional_attribute_mapping',
+ default=[],
+ help=utils.fmt("""
+Additional attribute mappings for groups. Attribute mapping format is
+:, where ldap_attr is the attribute in the LDAP entry and
+user_attr is the Identity API attribute.
+"""))
+
+
+tls_cacertfile = cfg.StrOpt(
+ 'tls_cacertfile',
+ help=utils.fmt("""
+CA certificate file path for communicating with LDAP servers.
+"""))
+
+tls_cacertdir = cfg.StrOpt(
+ 'tls_cacertdir',
+ help=utils.fmt("""
+CA certificate directory path for communicating with LDAP servers.
+"""))
+
+use_tls = cfg.BoolOpt(
+ 'use_tls',
+ default=False,
+ help=utils.fmt("""
+Enable TLS for communicating with LDAP servers.
+"""))
+
+tls_req_cert = cfg.StrOpt(
+ 'tls_req_cert',
+ default='demand',
+ choices=['demand', 'never', 'allow'],
+ help=utils.fmt("""
+Specifies what checks to perform on client certificates in an incoming TLS
+session.
+"""))
+
+use_pool = cfg.BoolOpt(
+ 'use_pool',
+ default=True,
+ help=utils.fmt("""
+Enable LDAP connection pooling.
+"""))
+
+pool_size = cfg.IntOpt(
+ 'pool_size',
+ default=10,
+ help=utils.fmt("""
+Connection pool size.
+"""))
+
+pool_retry_max = cfg.IntOpt(
+ 'pool_retry_max',
+ default=3,
+ help=utils.fmt("""
+Maximum count of reconnect trials.
+"""))
+
+pool_retry_delay = cfg.FloatOpt(
+ 'pool_retry_delay',
+ default=0.1,
+ help=utils.fmt("""
+Time span in seconds to wait between two reconnect trials.
+"""))
+
+pool_connection_timeout = cfg.IntOpt(
+ 'pool_connection_timeout',
+ default=-1,
+ help=utils.fmt("""
+Connector timeout in seconds. Value -1 indicates indefinite wait for
+response.
+"""))
+
+pool_connection_lifetime = cfg.IntOpt(
+ 'pool_connection_lifetime',
+ default=600,
+ help=utils.fmt("""
+Connection lifetime in seconds.
+"""))
+
+use_auth_pool = cfg.BoolOpt(
+ 'use_auth_pool',
+ default=True,
+ help=utils.fmt("""
+Enable LDAP connection pooling for end user authentication. If use_pool is
+disabled, then this setting is meaningless and is not used at all.
+"""))
+
+auth_pool_size = cfg.IntOpt(
+ 'auth_pool_size',
+ default=100,
+ help=utils.fmt("""
+End user auth connection pool size.
+"""))
+
+auth_pool_connection_lifetime = cfg.IntOpt(
+ 'auth_pool_connection_lifetime',
+ default=60,
+ help=utils.fmt("""
+End user auth connection lifetime in seconds.
+"""))
+
+group_members_are_ids = cfg.BoolOpt(
+ 'group_members_are_ids',
+ default=False,
+ help=utils.fmt("""
+If the members of the group objectclass are user IDs rather than DNs, set this
+to true. This is the case when using posixGroup as the group objectclass and
+OpenDirectory.
+"""))
+
+
+GROUP_NAME = __name__.split('.')[-1]
+ALL_OPTS = [
+ url,
+ user,
+ password,
+ suffix,
+ use_dumb_member,
+ dumb_member,
+ allow_subtree_delete,
+ query_scope,
+ page_size,
+ alias_dereferencing,
+ debug_level,
+ chase_referrals,
+ user_tree_dn,
+ user_filter,
+ user_objectclass,
+ user_id_attribute,
+ user_name_attribute,
+ user_description_attribute,
+ user_mail_attribute,
+ user_pass_attribute,
+ user_enabled_attribute,
+ user_enabled_invert,
+ user_enabled_mask,
+ user_enabled_default,
+ user_attribute_ignore,
+ user_default_project_id_attribute,
+ user_allow_create,
+ user_allow_update,
+ user_allow_delete,
+ user_enabled_emulation,
+ user_enabled_emulation_dn,
+ user_enabled_emulation_use_group_config,
+ user_additional_attribute_mapping,
+ group_tree_dn,
+ group_filter,
+ group_objectclass,
+ group_id_attribute,
+ group_name_attribute,
+ group_member_attribute,
+ group_desc_attribute,
+ group_attribute_ignore,
+ group_allow_create,
+ group_allow_update,
+ group_allow_delete,
+ group_additional_attribute_mapping,
+ tls_cacertfile,
+ tls_cacertdir,
+ use_tls,
+ tls_req_cert,
+ use_pool,
+ pool_size,
+ pool_retry_max,
+ pool_retry_delay,
+ pool_connection_timeout,
+ pool_connection_lifetime,
+ use_auth_pool,
+ auth_pool_size,
+ auth_pool_connection_lifetime,
+ group_members_are_ids,
+]
+
+
+def register_opts(conf):
+ conf.register_opts(ALL_OPTS, group=GROUP_NAME)
+
+
+def list_opts():
+ return {GROUP_NAME: ALL_OPTS}
diff --git a/keystone/conf/memcache.py b/keystone/conf/memcache.py
new file mode 100644
index 0000000000..1a59a38dbb
--- /dev/null
+++ b/keystone/conf/memcache.py
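Review bot: The help for `tls_req_cert` says it governs checks on `client certificates in an incoming TLS session`, but in this group keystone is the LDAP client opening an outbound connection (the neighbouring `tls_cacertfile` help reads "for communicating with LDAP servers"), and the `demand`/`never`/`allow` choices look like the client-side OpenLDAP `TLS_REQCERT` levels, which decide how the server's certificate is verified; if that mapping is right, the help is describing the wrong direction. Suggest `Specifies how the LDAP server's certificate is verified when TLS is in use: "demand" requires a valid certificate, "allow" proceeds even if it is missing or invalid, and "never" does not request one.` Two smaller style points in the same hunk: `use_dumb_member` closes its help with an indented ` """))`, unlike every other option, and the `suffix` help `LDAP server suffix` lacks the terminating period the rest of the module uses.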
@@ -0,0 +1,86 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_config import cfg
+
+from keystone.conf import utils
+
+
+servers = cfg.ListOpt(
+ 'servers',
+ default=['localhost:11211'],
+ help=utils.fmt("""
+Memcache servers in the format of "host:port".
+"""))
+
+dead_retry = cfg.IntOpt(
+ 'dead_retry',
+ default=5 * 60,
+ help=utils.fmt("""
+Number of seconds memcached server is considered dead before it is tried again.
+This is used by the key value store system (e.g. token pooled memcached
+persistence backend).
+"""))
+
+socket_timeout = cfg.IntOpt(
+ 'socket_timeout',
+ default=3,
+ help=utils.fmt("""
+Timeout in seconds for every call to a server. This is used by the key value
+store system (e.g. token pooled memcached persistence backend).
+"""))
+
+pool_maxsize = cfg.IntOpt(
+ 'pool_maxsize',
+ default=10,
+ help=utils.fmt("""
+Max total number of open connections to every memcached server. This is used by
+the key value store system (e.g. token pooled memcached persistence
+backend).
+"""))
+
+pool_unused_timeout = cfg.IntOpt(
+ 'pool_unused_timeout',
+ default=60,
+ help=utils.fmt("""
+Number of seconds a connection to memcached is held unused in the pool before
+it is closed. This is used by the key value store system (e.g. token pooled
+memcached persistence backend).
+"""))
+
+pool_connection_get_timeout = cfg.IntOpt(
+ 'pool_connection_get_timeout',
+ default=10,
+ help=utils.fmt("""
+Number of seconds that an operation will wait to get a memcache client
+connection. This is used by the key value store system (e.g. token pooled
+memcached persistence backend).
+"""))
+
+
+GROUP_NAME = __name__.split('.')[-1]
+ALL_OPTS = [
+ servers,
+ dead_retry,
+ socket_timeout,
+ pool_maxsize,
+ pool_unused_timeout,
+ pool_connection_get_timeout,
+]
+
+
+def register_opts(conf):
+ conf.register_opts(ALL_OPTS, group=GROUP_NAME)
+
+
+def list_opts():
+ return {GROUP_NAME: ALL_OPTS}
diff --git a/keystone/conf/oauth1.py b/keystone/conf/oauth1.py
new file mode 100644
index 0000000000..edd0a75ed9
--- /dev/null
+++ b/keystone/conf/oauth1.py
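Review bot: None of the integer options in this group carry a `min=` bound, so a negative `socket_timeout` or a zero `pool_maxsize` passes oslo.config validation and presumably only fails later inside the KVS backend. `key_size` in signing.py in this same change already uses `min=1024`, so adding `min=0,` to the timeouts and `min=1,` to `pool_maxsize` would follow a pattern the package already uses. The oauth1 token durations, revoke `expiration_buffer`, security_compliance `lockout_duration`, saml `assertion_expiration_time` and token `expiration` hunks have the same gap.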
@@ -0,0 +1,53 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_config import cfg
+
+from keystone.conf import utils
+
+
+driver = cfg.StrOpt(
+ 'driver',
+ default='sql',
+ help=utils.fmt("""
+Entrypoint for the OAuth backend driver in the keystone.oauth1 namespace.
+"""))
+
+request_token_duration = cfg.IntOpt(
+ 'request_token_duration',
+ default=28800,
+ help=utils.fmt("""
+Duration (in seconds) for the OAuth Request Token.
+"""))
+
+access_token_duration = cfg.IntOpt(
+ 'access_token_duration',
+ default=86400,
+ help=utils.fmt("""
+Duration (in seconds) for the OAuth Access Token.
+"""))
+
+
+GROUP_NAME = __name__.split('.')[-1]
+ALL_OPTS = [
+ driver,
+ request_token_duration,
+ access_token_duration,
+]
+
+
+def register_opts(conf):
+ conf.register_opts(ALL_OPTS, group=GROUP_NAME)
+
+
+def list_opts():
+ return {GROUP_NAME: ALL_OPTS}
diff --git a/keystone/conf/opts.py b/keystone/conf/opts.py
new file mode 100644
index 0000000000..8329510c64
--- /dev/null
+++ b/keystone/conf/opts.py
@@ -0,0 +1,97 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+"""Single point of entry to generate the sample configuration file.
+
+This module collects all the necessary info from the other modules in this
+package. It is assumed that:
+
+* Every other module in this package has a 'list_opts' function which
+ returns a dict where:
+
+ * The keys are strings which are the group names.
+
+ * The value of each key is a list of config options for that group.
+
+* The conf package doesn't have further packages with config options.
+
+* This module is only used in the context of sample file generation.
+
+"""
+
+import collections
+import importlib
+import os
+import pkgutil
+
+
+LIST_OPTS_FUNC_NAME = 'list_opts'
+IGNORED_MODULES = ('opts', 'constants', 'utils')
+
+
+def list_opts():
+ opts = collections.defaultdict(list)
+ module_names = _list_module_names()
+ imported_modules = _import_modules(module_names)
+ _append_config_options(imported_modules, opts)
+ return _tupleize(opts)
+
+
+def _tupleize(d):
+ """Convert a dict of options to the 2-tuple format."""
+ return [(key, value) for key, value in d.items()]
+
+
+def _list_module_names():
+ module_names = []
+ package_path = os.path.dirname(os.path.abspath(__file__))
+ for _, module_name, ispkg in pkgutil.iter_modules(path=[package_path]):
+ if module_name in IGNORED_MODULES or ispkg:
+ # Skip this module.
+ continue
+ else:
+ module_names.append(module_name)
+ return module_names
+
+
+def _import_modules(module_names):
+ imported_modules = []
+ for module_name in module_names:
+ full_module_path = '.'.join(__name__.split('.')[:-1] + [module_name])
+ module = importlib.import_module(full_module_path)
+ if not hasattr(module, LIST_OPTS_FUNC_NAME):
+ raise Exception(
+ "The module '%s' should have a '%s' function which "
+ "returns the config options." % (
+ full_module_path,
+ LIST_OPTS_FUNC_NAME))
+ else:
+ imported_modules.append(module)
+ return imported_modules
+
+
+def _process_old_opts(configs):
+ """Convert old-style 2-tuple configs to dicts."""
+ if isinstance(configs, tuple):
+ configs = [configs]
+ return {label: options for label, options in configs}
+
+
+def _append_config_options(imported_modules, config_options):
+ for module in imported_modules:
+ configs = module.list_opts()
+ # TODO(markus_z): Remove this compatibility shim once all list_opts()
+ # functions have been updated to return dicts.
+ if not isinstance(configs, dict):
+ configs = _process_old_opts(configs)
+ for key, val in configs.items():
+ config_options[key].extend(val)
diff --git a/keystone/conf/os_inherit.py b/keystone/conf/os_inherit.py
new file mode 100644
index 0000000000..fa5f80b092
--- /dev/null
+++ b/keystone/conf/os_inherit.py
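Review bot: `_import_modules` raises a bare `Exception` when a module lacks a `list_opts` function, which forces any caller that wants to handle that one failure to catch everything; `raise ImportError(` (or a small module-level exception class) carries the same message and can be caught on its own. The `else:` after `continue` in `_list_module_names` and the `else:` after `raise` in `_import_modules` are redundant and hide the simple shape of those loops. `_tupleize` can be written as `return list(d.items())`, which is also what its docstring describes.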
@@ -0,0 +1,48 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_config import cfg
+
+from keystone.conf import utils
+
+
+_DEPRECATE_INHERIT_MSG = utils.fmt("""
+The option to enable the OS-INHERIT extension has been deprecated in the M
+release and will be removed in the O release. The OS-INHERIT extension will be
+enabled by default.
+""")
+
+
+enabled = cfg.BoolOpt(
+ 'enabled',
+ default=True,
+ deprecated_for_removal=True,
+ deprecated_reason=_DEPRECATE_INHERIT_MSG,
+ help=utils.fmt("""
+role-assignment inheritance to projects from owning domain or from projects
+higher in the hierarchy can be optionally disabled. In the future, this option
+will be removed and the hierarchy will be always enabled.
+"""))
+
+
+GROUP_NAME = __name__.split('.')[-1]
+ALL_OPTS = [
+ enabled,
+]
+
+
+def register_opts(conf):
+ conf.register_opts(ALL_OPTS, group=GROUP_NAME)
+
+
+def list_opts():
+ return {GROUP_NAME: ALL_OPTS}
diff --git a/keystone/conf/paste_deploy.py b/keystone/conf/paste_deploy.py
new file mode 100644
index 0000000000..e6eae1cc7a
--- /dev/null
+++ b/keystone/conf/paste_deploy.py
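Review bot: The `enabled` help text starts with a lowercase word, "role-assignment inheritance ...", while every other help string in this package opens with a capitalised sentence, and `utils.fmt` output goes verbatim into the generated sample config. I would change the first line to `Role-assignment inheritance to projects from owning domain or from projects` and leave the rest as is.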
@@ -0,0 +1,37 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_config import cfg
+
+from keystone.conf import utils
+
+
+config_file = cfg.StrOpt(
+ 'config_file',
+ default='keystone-paste.ini',
+ help=utils.fmt("""
+Name of the paste configuration file that defines the available pipelines.
+"""))
+
+
+GROUP_NAME = __name__.split('.')[-1]
+ALL_OPTS = [
+ config_file,
+]
+
+
+def register_opts(conf):
+ conf.register_opts(ALL_OPTS, group=GROUP_NAME)
+
+
+def list_opts():
+ return {GROUP_NAME: ALL_OPTS}
diff --git a/keystone/conf/policy.py b/keystone/conf/policy.py
new file mode 100644
index 0000000000..f5268aa163
--- /dev/null
+++ b/keystone/conf/policy.py
@@ -0,0 +1,45 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_config import cfg
+
+from keystone.conf import utils
+
+
+driver = cfg.StrOpt(
+ 'driver',
+ default='sql',
+ help=utils.fmt("""
+Entrypoint for the policy backend driver in the keystone.policy namespace.
+Supplied drivers are rules and sql.
+"""))
+
+list_limit = cfg.IntOpt(
+ 'list_limit',
+ help=utils.fmt("""
+Maximum number of entities that will be returned in a policy collection.
+"""))
+
+
+GROUP_NAME = __name__.split('.')[-1]
+ALL_OPTS = [
+ driver,
+ list_limit,
+]
+
+
+def register_opts(conf):
+ conf.register_opts(ALL_OPTS, group=GROUP_NAME)
+
+
+def list_opts():
+ return {GROUP_NAME: ALL_OPTS}
diff --git a/keystone/conf/resource.py b/keystone/conf/resource.py
new file mode 100644
index 0000000000..3919bf218b
--- /dev/null
+++ b/keystone/conf/resource.py
@@ -0,0 +1,105 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_config import cfg
+
+from keystone.conf import utils
+
+
+driver = cfg.StrOpt(
+ 'driver',
+ help=utils.fmt("""
+Entrypoint for the resource backend driver in the keystone.resource namespace.
+Only an SQL driver is supplied. If a resource driver is not specified, the
+assignment driver will choose the resource driver.
+"""))
+
+caching = cfg.BoolOpt(
+ 'caching',
+ default=True,
+ deprecated_opts=[cfg.DeprecatedOpt('caching', group='assignment')],
+ help=utils.fmt("""
+Toggle for resource caching. This has no effect unless global caching is
+enabled.
+"""))
+
+cache_time = cfg.IntOpt(
+ 'cache_time',
+ deprecated_opts=[cfg.DeprecatedOpt('cache_time', group='assignment')],
+ help=utils.fmt("""
+TTL (in seconds) to cache resource data. This has no effect unless global
+caching is enabled.
+"""))
+
+list_limit = cfg.IntOpt(
+ 'list_limit',
+ deprecated_opts=[cfg.DeprecatedOpt('list_limit', group='assignment')],
+ help=utils.fmt("""
+Maximum number of entities that will be returned in a resource collection.
+"""))
+
+admin_project_domain_name = cfg.StrOpt(
+ 'admin_project_domain_name',
+ help=utils.fmt("""
+Name of the domain that owns the `admin_project_name`. Defaults to None.
+"""))
+
+admin_project_name = cfg.StrOpt(
+ 'admin_project_name',
+ help=utils.fmt("""
+Special project for performing administrative operations on remote services.
+Tokens scoped to this project will contain the key/value
+`is_admin_project=true`. Defaults to None.
+"""))
+
+project_name_url_safe = cfg.StrOpt(
+ 'project_name_url_safe',
+ choices=['off', 'new', 'strict'],
+ default='off',
+ help=utils.fmt("""
+Whether the names of projects are restricted from containing url reserved
+characters. If set to new, attempts to create or update a project with a url
+unsafe name will return an error. In addition, if set to strict, attempts to
+scope a token using an unsafe project name will return an error.
+"""))
+
+domain_name_url_safe = cfg.StrOpt(
+ 'domain_name_url_safe',
+ choices=['off', 'new', 'strict'],
+ default='off',
+ help=utils.fmt("""
+Whether the names of domains are restricted from containing url reserved
+characters. If set to new, attempts to create or update a domain with a url
+unsafe name will return an error. In addition, if set to strict, attempts to
+scope a token using a domain name which is unsafe will return an error.
+"""))
+
+
+GROUP_NAME = __name__.split('.')[-1]
+ALL_OPTS = [
+ driver,
+ caching,
+ cache_time,
+ list_limit,
+ admin_project_domain_name,
+ admin_project_name,
+ project_name_url_safe,
+ domain_name_url_safe,
+]
+
+
+def register_opts(conf):
+ conf.register_opts(ALL_OPTS, group=GROUP_NAME)
+
+
+def list_opts():
+ return {GROUP_NAME: ALL_OPTS}
diff --git a/keystone/conf/revoke.py b/keystone/conf/revoke.py
new file mode 100644
index 0000000000..88e27ad077
--- /dev/null
+++ b/keystone/conf/revoke.py
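Review bot: The help for `admin_project_domain_name` and `admin_project_name` ends with "Defaults to None.", which only restates the opt definition, while the operationally important fact is the one already visible in the `admin_project_name` help: tokens scoped to that project carry `is_admin_project=true`, so whichever project is named here becomes a privileged boundary for every service that honours that flag. I would drop the two "Defaults to None." sentences and instead close the `admin_project_name` help with `Membership in this project grants the is_admin_project flag to every token scoped to it, so keep it as small as possible.` On `admin_project_domain_name` it would also help to say that the option presumably has no effect unless `admin_project_name` is set as well, which is worth confirming against the token provider before documenting.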
@@ -0,0 +1,67 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_config import cfg
+
+from keystone.conf import utils
+
+
+driver = cfg.StrOpt(
+ 'driver',
+ default='sql',
+ help=utils.fmt("""
+Entrypoint for an implementation of the backend for persisting revocation
+events in the keystone.revoke namespace. Supplied drivers are kvs and sql.
+"""))
+
+expiration_buffer = cfg.IntOpt(
+ 'expiration_buffer',
+ default=1800,
+ help=utils.fmt("""
+This value (calculated in seconds) is added to token expiration before a
+revocation event may be removed from the backend.
+"""))
+
+caching = cfg.BoolOpt(
+ 'caching',
+ default=True,
+ help=utils.fmt("""
+Toggle for revocation event caching. This has no effect unless global caching
+is enabled.
+"""))
+
+cache_time = cfg.IntOpt(
+ 'cache_time',
+ default=3600,
+ deprecated_opts=[
+ cfg.DeprecatedOpt('revocation_cache_time', group='token')],
+ help=utils.fmt("""
+Time to cache the revocation list and the revocation events (in seconds). This
+has no effect unless global and token caching are enabled.
+"""))
+
+
+GROUP_NAME = __name__.split('.')[-1]
+ALL_OPTS = [
+ driver,
+ expiration_buffer,
+ caching,
+ cache_time,
+]
+
+
+def register_opts(conf):
+ conf.register_opts(ALL_OPTS, group=GROUP_NAME)
+
+
+def list_opts():
+ return {GROUP_NAME: ALL_OPTS}
diff --git a/keystone/conf/role.py b/keystone/conf/role.py
new file mode 100644
index 0000000000..e54fcbe8a5
--- /dev/null
+++ b/keystone/conf/role.py
@@ -0,0 +1,62 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_config import cfg
+
+from keystone.conf import utils
+
+
+# The role driver has no default for backward compatibility reasons. If role
+# driver is not specified, the assignment driver chooses the backend.
+driver = cfg.StrOpt(
+ 'driver',
+ help=utils.fmt("""
+Entrypoint for the role backend driver in the keystone.role namespace. Only an
+SQL driver is supplied
+"""))
+
+caching = cfg.BoolOpt(
+ 'caching',
+ default=True,
+ help=utils.fmt("""
+Toggle for role caching. This has no effect unless global caching is enabled.
+"""))
+
+cache_time = cfg.IntOpt(
+ 'cache_time',
+ help=utils.fmt("""
+TTL (in seconds) to cache role data. This has no effect unless global caching
+is enabled.
+"""))
+
+list_limit = cfg.IntOpt(
+ 'list_limit',
+ help=utils.fmt("""
+Maximum number of entities that will be returned in a role collection.
+"""))
+
+
+GROUP_NAME = __name__.split('.')[-1]
+ALL_OPTS = [
+ driver,
+ caching,
+ cache_time,
+ list_limit,
+]
+
+
+def register_opts(conf):
+ conf.register_opts(ALL_OPTS, group=GROUP_NAME)
+
+
+def list_opts():
+ return {GROUP_NAME: ALL_OPTS}
diff --git a/keystone/conf/saml.py b/keystone/conf/saml.py
new file mode 100644
index 0000000000..cc7f771379
--- /dev/null
+++ b/keystone/conf/saml.py
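Review bot: The `driver` help ends mid-sentence: "Only an SQL driver is supplied" has no terminating period, whereas the matching sentence in the resource.py hunk reads "Only an SQL driver is supplied." and the text lands verbatim in the generated sample config. Changing the line to `SQL driver is supplied.` keeps the two groups consistent.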
@@ -0,0 +1,175 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_config import cfg
+
+from keystone.conf import constants
+from keystone.conf import utils
+
+
+assertion_expiration_time = cfg.IntOpt(
+ 'assertion_expiration_time',
+ default=3600,
+ help=utils.fmt("""
+Default TTL, in seconds, for any generated SAML assertion created by Keystone.
+"""))
+
+xmlsec1_binary = cfg.StrOpt(
+ 'xmlsec1_binary',
+ default='xmlsec1',
+ help=utils.fmt("""
+Binary to be called for XML signing. Install the appropriate package, specify
+absolute path or adjust your PATH environment variable if the binary cannot be
+found.
+"""))
+
+certfile = cfg.StrOpt(
+ 'certfile',
+ default=constants._CERTFILE,
+ help=utils.fmt("""
+Path of the certfile for SAML signing. For non-production environments, you may
+be interested in using `keystone-manage pki_setup` to generate self-signed
+certificates. Note, the path cannot contain a comma.
+"""))
+
+keyfile = cfg.StrOpt(
+ 'keyfile',
+ default=constants._KEYFILE,
+ help=utils.fmt("""
+Path of the keyfile for SAML signing. Note, the path cannot contain a comma.
+"""))
+
+idp_entity_id = cfg.StrOpt(
+ 'idp_entity_id',
+ help=utils.fmt("""
+Entity ID value for unique Identity Provider identification. Usually FQDN is
+set with a suffix. A value is required to generate IDP Metadata. For example:
+https://keystone.example.com/v3/OS-FEDERATION/saml2/idp
+"""))
+
+idp_sso_endpoint = cfg.StrOpt(
+ 'idp_sso_endpoint',
+ help=utils.fmt("""
+Identity Provider Single-Sign-On service value, required in the Identity
+Provider's metadata. A value is required to generate IDP Metadata. For example:
+https://keystone.example.com/v3/OS-FEDERATION/saml2/sso
+"""))
+
+idp_lang = cfg.StrOpt(
+ 'idp_lang', default='en',
+ help=utils.fmt("""
+Language used by the organization.
+"""))
+
+idp_organization_name = cfg.StrOpt(
+ 'idp_organization_name',
+ help=utils.fmt("""
+Organization name the installation belongs to.
+"""))
+
+idp_organization_display_name = cfg.StrOpt(
+ 'idp_organization_display_name',
+ help=utils.fmt("""
+Organization name to be displayed.
+"""))
+
+idp_organization_url = cfg.StrOpt(
+ 'idp_organization_url',
+ help=utils.fmt("""
+URL of the organization.
+"""))
+
+idp_contact_company = cfg.StrOpt(
+ 'idp_contact_company',
+ help=utils.fmt("""
+Company of contact person.
+"""))
+
+idp_contact_name = cfg.StrOpt(
+ 'idp_contact_name',
+ help=utils.fmt("""
+Given name of contact person
+"""))
+
+idp_contact_surname = cfg.StrOpt(
+ 'idp_contact_surname',
+ help=utils.fmt("""
+Surname of contact person.
+"""))
+
+idp_contact_email = cfg.StrOpt(
+ 'idp_contact_email',
+ help=utils.fmt("""
+Email address of contact person.
+"""))
+
+idp_contact_telephone = cfg.StrOpt(
+ 'idp_contact_telephone',
+ help=utils.fmt("""
+Telephone number of contact person.
+"""))
+
+idp_contact_type = cfg.StrOpt(
+ 'idp_contact_type',
+ default='other',
+ choices=['technical', 'support', 'administrative', 'billing', 'other'],
+ help=utils.fmt("""
+The contact type describing the main point of contact for the identity
+provider.
+"""))
+
+idp_metadata_path = cfg.StrOpt(
+ 'idp_metadata_path',
+ default='/etc/keystone/saml2_idp_metadata.xml',
+ help=utils.fmt("""
+Path to the Identity Provider Metadata file. This file should be generated with
+the keystone-manage saml_idp_metadata command.
+"""))
+
+relay_state_prefix = cfg.StrOpt(
+ 'relay_state_prefix',
+ default='ss:mem:',
+ help=utils.fmt("""
+The prefix to use for the RelayState SAML attribute, used when generating ECP
+wrapped assertions.
+"""))
+
+
+GROUP_NAME = __name__.split('.')[-1]
+ALL_OPTS = [
+ assertion_expiration_time,
+ xmlsec1_binary,
+ certfile,
+ keyfile,
+ idp_entity_id,
+ idp_sso_endpoint,
+ idp_lang,
+ idp_organization_name,
+ idp_organization_display_name,
+ idp_organization_url,
+ idp_contact_company,
+ idp_contact_name,
+ idp_contact_surname,
+ idp_contact_email,
+ idp_contact_telephone,
+ idp_contact_type,
+ idp_metadata_path,
+ relay_state_prefix,
+]
+
+
+def register_opts(conf):
+ conf.register_opts(ALL_OPTS, group=GROUP_NAME)
+
+
+def list_opts():
+ return {GROUP_NAME: ALL_OPTS}
diff --git a/keystone/conf/security_compliance.py b/keystone/conf/security_compliance.py
new file mode 100644
index 0000000000..c347210250
--- /dev/null
+++ b/keystone/conf/security_compliance.py
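Review bot: `certfile` and `keyfile` default to `constants._CERTFILE` and `constants._KEYFILE`, the same paths the PKI token-signing options in the signing.py hunk use, and the `certfile` help still recommends `keystone-manage pki_setup`, a command signing.py marks `deprecated_for_removal` with `constants._DEPRECATE_PKI_MSG`. When PKI is removed the recommended command goes with it, so this help should describe producing a signing certificate without naming `pki_setup`. Sharing one default key pair between SAML assertion signing and PKI token signing also means a single key serves two protocols by default; a SAML-specific default path would separate them, though changing the default would affect existing deployments and needs its own deprecation step.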
@@ -0,0 +1,95 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_config import cfg
+
+from keystone.conf import utils
+
+
+disable_user_account_days_inactive = cfg.IntOpt(
+ 'disable_user_account_days_inactive',
+ default=0,
+ help=utils.fmt("""
+Number of days for which a user can be inactive before the account becomes
+disabled. Setting the value to 0 disables this feature.
+"""))
+
+lockout_failure_attempts = cfg.IntOpt(
+ 'lockout_failure_attempts',
+ default=0,
+ help=utils.fmt("""
+Number of times a user can fail login attempts until the user account is
+locked. Setting the value to 0 disables this feature.
+"""))
+
+lockout_duration = cfg.IntOpt(
+ 'lockout_duration',
+ default=1800,
+ help=utils.fmt("""
+Number of seconds a user account will be locked.
+"""))
+
+password_expires_days = cfg.IntOpt(
+ 'password_expires_days',
+ default=0,
+ help=utils.fmt("""
+Number of days for which a password will be considered valid before requiring
+the user to change it. Setting the value to 0 disables this feature. Note: this
+feature is only supported via the SQL backend driver for identity.
+"""))
+
+unique_last_password_count = cfg.IntOpt(
+ 'unique_last_password_count',
+ default=0,
+ help=utils.fmt("""
+Number of latest password iterations for which the password must be unique.
+Setting the value to 0 disables this feature. Note: this feature is only
+supported via the SQL backend driver for identity.
+"""))
+
+assword_change_limit_per_day = cfg.IntOpt(
+ 'password_change_limit_per_day',
+ default=0,
+ help=utils.fmt("""
+Maximum number of times a user can change their password in a day. Setting the
+value to 0 disables this feature.
+"""))
+
+password_regex = cfg.StrOpt(
+ 'password_regex',
+ default=None,
+ help=utils.fmt("""
+Regular expression used to validate password strength requirements. Setting the
+value to None disables this feature. The following is an example of a pattern
+which requires at least 1 letter, 1 digit, and have a minimum length of 7
+characters: ^(?=.*\d)(?=.*[a-zA-Z]).{7,}$
+"""))
+
+
+GROUP_NAME = __name__.split('.')[-1]
+ALL_OPTS = [
+ disable_user_account_days_inactive,
+ lockout_failure_attempts,
+ lockout_duration,
+ password_expires_days,
+ unique_last_password_count,
+ assword_change_limit_per_day,
+ password_regex,
+]
+
+
+def register_opts(conf):
+ conf.register_opts(ALL_OPTS, group=GROUP_NAME)
+
+
+def list_opts():
+ return {GROUP_NAME: ALL_OPTS}
diff --git a/keystone/conf/shadow_users.py b/keystone/conf/shadow_users.py
new file mode 100644
index 0000000000..ed2da099fc
--- /dev/null
+++ b/keystone/conf/shadow_users.py
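Review bot: The module-level name `assword_change_limit_per_day` is misspelled; the registered option string `'password_change_limit_per_day'` is correct, but `keystone.conf.security_compliance.password_change_limit_per_day` does not exist while every sibling option is reachable under its registered name. Rename the assignment to `password_change_limit_per_day = cfg.IntOpt(` and the matching `ALL_OPTS` entry to `password_change_limit_per_day,`. In the `password_regex` help, `\d` sits inside a non-raw triple-quoted string, which is an invalid escape sequence that newer Pythons report as a warning; `help=utils.fmt(r"""` (or `\\d`) fixes it without changing the rendered text.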
@@ -0,0 +1,38 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_config import cfg
+
+from keystone.conf import utils
+
+
+driver = cfg.StrOpt(
+ 'driver',
+ default='sql',
+ help=utils.fmt("""
+Entrypoint for the shadow users backend driver in the
+keystone.identity.shadow_users namespace.
+"""))
+
+
+GROUP_NAME = __name__.split('.')[-1]
+ALL_OPTS = [
+ driver,
+]
+
+
+def register_opts(conf):
+ conf.register_opts(ALL_OPTS, group=GROUP_NAME)
+
+
+def list_opts():
+ return {GROUP_NAME: ALL_OPTS}
diff --git a/keystone/conf/signing.py b/keystone/conf/signing.py
new file mode 100644
index 0000000000..bc80697e0b
--- /dev/null
+++ b/keystone/conf/signing.py
@@ -0,0 +1,103 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_config import cfg
+
+from keystone.conf import constants
+from keystone.conf import utils
+
+
+certfile = cfg.StrOpt(
+ 'certfile',
+ default=constants._CERTFILE,
+ deprecated_for_removal=True,
+ deprecated_reason=constants._DEPRECATE_PKI_MSG,
+ help=utils.fmt("""
+Path of the certfile for token signing. For non-production environments, you
+may be interested in using `keystone-manage pki_setup` to generate self-signed
+certificates.
+"""))
+
+keyfile = cfg.StrOpt(
+ 'keyfile',
+ default=constants._KEYFILE,
+ deprecated_for_removal=True,
+ deprecated_reason=constants._DEPRECATE_PKI_MSG,
+ help=utils.fmt("""
+Path of the keyfile for token signing.
+"""))
+
+ca_certs = cfg.StrOpt(
+ 'ca_certs',
+ deprecated_for_removal=True,
+ deprecated_reason=constants._DEPRECATE_PKI_MSG,
+ default='/etc/keystone/ssl/certs/ca.pem',
+ help=utils.fmt("""
+Path of the CA for token signing.
+"""))
+
+ca_key = cfg.StrOpt(
+ 'ca_key',
+ default='/etc/keystone/ssl/private/cakey.pem',
+ deprecated_for_removal=True,
+ deprecated_reason=constants._DEPRECATE_PKI_MSG,
+ help=utils.fmt("""
+Path of the CA key for token signing.
+"""))
+
+key_size = cfg.IntOpt(
+ 'key_size',
+ default=2048,
+ min=1024,
+ deprecated_for_removal=True,
+ deprecated_reason=constants._DEPRECATE_PKI_MSG,
+ help=utils.fmt("""
+Key size (in bits) for token signing cert (auto generated certificate).
+"""))
+
+valid_days = cfg.IntOpt(
+ 'valid_days',
+ default=3650,
+ deprecated_for_removal=True,
+ deprecated_reason=constants._DEPRECATE_PKI_MSG,
+ help=utils.fmt("""
+Days the token signing cert is valid for (auto generated certificate).
+"""))
+
+cert_subject = cfg.StrOpt(
+ 'cert_subject',
+ deprecated_for_removal=True,
+ deprecated_reason=constants._DEPRECATE_PKI_MSG,
+ default=('/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com'),
+ help=utils.fmt("""
+Certificate subject (auto generated certificate) for token signing.
+"""))
+
+
+GROUP_NAME = __name__.split('.')[-1]
+ALL_OPTS = [
+ certfile,
+ keyfile,
+ ca_certs,
+ ca_key,
+ key_size,
+ valid_days,
+ cert_subject,
+]
+
+
+def register_opts(conf):
+ conf.register_opts(ALL_OPTS, group=GROUP_NAME)
+
+
+def list_opts():
+ return {GROUP_NAME: ALL_OPTS}
diff --git a/keystone/conf/token.py b/keystone/conf/token.py
new file mode 100644
index 0000000000..e378c21795
--- /dev/null
+++ b/keystone/conf/token.py
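Review bot: `ca_certs` and `cert_subject` place `deprecated_for_removal`/`deprecated_reason` before `default=`, while `certfile`, `keyfile`, `ca_key`, `key_size` and `valid_days` in the same file put `default=` first; keeping one order makes the deprecation markers easy to scan. `cert_subject` also wraps its default in parentheses that do nothing: `default='/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com',`. `key_size` admits `min=1024`, which is below the 2048-bit default and below current guidance for RSA signing keys, but since the whole group is marked for removal via `constants._DEPRECATE_PKI_MSG` a sentence in the help saying that 1024 is the legacy floor and 2048 or larger is expected is probably sufficient.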
@@ -0,0 +1,137 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_config import cfg + +from keystone.conf import constants +from keystone.conf import utils + + +bind = cfg.ListOpt( + 'bind', + default=[], + help=utils.fmt(""" +External auth mechanisms that should add bind information to token, e.g., +kerberos,x509. +""")) + +enforce_token_bind = cfg.StrOpt( + 'enforce_token_bind', + default='permissive', + help=utils.fmt(""" +Enforcement policy on tokens presented to Keystone with bind information. One +of disabled, permissive, strict, required or a specifically required bind mode, +e.g., kerberos or x509 to require binding to that authentication. +""")) + +expiration = cfg.IntOpt( + 'expiration', + default=3600, + help=utils.fmt(""" +Amount of time a token should remain valid (in seconds). +""")) + +provider = cfg.StrOpt( + 'provider', + default='uuid', + help=utils.fmt(""" +Controls the token construction, validation, and revocation operations. +Entrypoint in the keystone.token.provider namespace. Core providers are +[fernet|pkiz|pki|uuid]. +""")) + +driver = cfg.StrOpt( + 'driver', + default='sql', + help=utils.fmt(""" +Entrypoint for the token persistence backend driver in the +keystone.token.persistence namespace. Supplied drivers are kvs, memcache, +memcache_pool, and sql. +""")) + +caching = cfg.BoolOpt( + 'caching', + default=True, + help=utils.fmt(""" +Toggle for token system caching. This has no effect unless global caching is +enabled. 
+""")) + +cache_time = cfg.IntOpt( + 'cache_time', + help=utils.fmt(""" +Time to cache tokens (in seconds). This has no effect unless global and token +caching are enabled. +""")) + +revoke_by_id = cfg.BoolOpt( + 'revoke_by_id', + default=True, + help=utils.fmt(""" +Revoke token by token identifier. Setting revoke_by_id to true enables various +forms of enumerating tokens, e.g. `list tokens for user`. These enumerations +are processed to determine the list of tokens to revoke. Only disable if you +are switching to using the Revoke extension with a backend other than KVS, +which stores events in memory. +""")) + +allow_rescope_scoped_token = cfg.BoolOpt( + 'allow_rescope_scoped_token', + default=True, + help=utils.fmt(""" +Allow rescoping of scoped token. Setting allow_rescoped_scoped_token to false +prevents a user from exchanging a scoped token for any other token. +""")) + +hash_algorithm = cfg.StrOpt( + 'hash_algorithm', + default='md5', + deprecated_for_removal=True, + deprecated_reason=constants._DEPRECATE_PKI_MSG, + help=utils.fmt(""" +The hash algorithm to use for PKI tokens. This can be set to any algorithm that +hashlib supports. WARNING: Before changing this value, the auth_token +middleware must be configured with the hash_algorithms, otherwise token +revocation will not be processed correctly. +""")) + +infer_roles = cfg.BoolOpt( + 'infer_roles', + default=True, + help=utils.fmt(""" +Add roles to token that are not explicitly added, but that are linked +implicitly to other roles. +""")) + + +GROUP_NAME = __name__.split('.')[-1] +ALL_OPTS = [ + bind, + enforce_token_bind, + expiration, + provider, + driver, + caching, + cache_time, + revoke_by_id, + allow_rescope_scoped_token, + hash_algorithm, + infer_roles, +] + + +def register_opts(conf): + conf.register_opts(ALL_OPTS, group=GROUP_NAME) + + +def list_opts(): + return {GROUP_NAME: ALL_OPTS} 
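Review bot: The help for `provider` lists `[fernet|pkiz|pki|uuid]` as core providers with no caveat, while `hash_algorithm` in the same hunk is marked `deprecated_for_removal` with `constants._DEPRECATE_PKI_MSG`; if the PKI-based providers are the ones being retired, as that constant's name suggests, the `provider` help should say so, e.g. append `The pki and pkiz providers are deprecated for removal.` `expiration` and `cache_time` are `IntOpt`s with no lower bound, so a negative or zero value is accepted at load time and the help does not say what that means; if the providers cannot make sense of such values, `min=1` on `expiration` (the signing module in this series already uses `min=` on `key_size`) would reject them early — confirm against the token providers before adding. `enforce_token_bind` is free-form by design, since a specific bind mode name is allowed, so it cannot use `choices`; its help could state how an unrecognized value is treated, which the current text leaves open.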
diff --git a/keystone/conf/tokenless_auth.py b/keystone/conf/tokenless_auth.py
new file mode 100644
index 0000000000..d0cbf62f32
--- /dev/null
+++ b/keystone/conf/tokenless_auth.py
@@ -0,0 +1,63 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_config import cfg + +from keystone.conf import utils + + +trusted_issuer = cfg.MultiStrOpt( + 'trusted_issuer', + default=[], + help=utils.fmt(""" +The list of trusted issuers to further filter the certificates that are allowed +to participate in the X.509 tokenless authorization. If the option is absent +then no certificates will be allowed. The naming format for the attributes of a +Distinguished Name(DN) must be separated by a comma and contain no spaces. This +configuration option may be repeated for multiple values. For example: +trusted_issuer=CN=john,OU=keystone,O=openstack +trusted_issuer=CN=mary,OU=eng,O=abc +""")) + +protocol = cfg.StrOpt( + 'protocol', + default='x509', + help=utils.fmt(""" +The protocol name for the X.509 tokenless authorization along with the option +issuer_attribute below can look up its corresponding mapping. +""")) + +issuer_attribute = cfg.StrOpt( + 'issuer_attribute', + default='SSL_CLIENT_I_DN', + help=utils.fmt(""" +The issuer attribute that is served as an IdP ID for the X.509 tokenless +authorization along with the protocol to look up its corresponding mapping. It +is the environment variable in the WSGI environment that references to the +issuer of the client certificate. 
+""")) + + +GROUP_NAME = __name__.split('.')[-1] +ALL_OPTS = [ + trusted_issuer, + protocol, + issuer_attribute, +] + + +def register_opts(conf): + conf.register_opts(ALL_OPTS, group=GROUP_NAME) + + +def list_opts(): + return {GROUP_NAME: ALL_OPTS} diff --git a/keystone/conf/trust.py b/keystone/conf/trust.py new file mode 100644 index 0000000000..1e73df74b5 --- /dev/null +++ b/keystone/conf/trust.py @@ -0,0 +1,61 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_config import cfg + +from keystone.conf import utils + + +enabled = cfg.BoolOpt( + 'enabled', + default=True, + help=utils.fmt(""" +Delegation and impersonation features can be optionally disabled. +""")) + +allow_redelegation = cfg.BoolOpt( + 'allow_redelegation', + default=False, + help=utils.fmt(""" +Enable redelegation feature. +""")) + +max_redelegation_count = cfg.IntOpt( + 'max_redelegation_count', + default=3, + help=utils.fmt(""" +Maximum depth of trust redelegation. +""")) + +driver = cfg.StrOpt( + 'driver', + default='sql', + help=utils.fmt(""" +Entrypoint for the trust backend driver in the keystone.trust namespace. +""")) + + +GROUP_NAME = __name__.split('.')[-1] +ALL_OPTS = [ + enabled, + allow_redelegation, + max_redelegation_count, + driver, +] + + +def register_opts(conf): + conf.register_opts(ALL_OPTS, group=GROUP_NAME) + + +def list_opts(): + return {GROUP_NAME: ALL_OPTS} diff --git a/keystone/conf/utils.py b/keystone/conf/utils.py new file mode 100644 index 0000000000..43078e8cb6 
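Review bot: The help for `issuer_attribute` says it names a WSGI environment variable but does not state that the value must be populated by the TLS-terminating server from the verified client certificate, which is the property the `trusted_issuer` filter relies on; if a deployment fills that variable from a client-controllable source, the issuer check compares against untrusted data. Suggest adding to the help: `This variable must be set by the TLS terminator from the verified client certificate, never from request headers.` The `protocol` help (`... along with the option issuer_attribute below can look up its corresponding mapping`) reads awkwardly; `The protocol name for X.509 tokenless authorization; together with issuer_attribute it is used to look up the corresponding federation mapping.` states the same thing more clearly.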
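Review bot: `max_redelegation_count` is an `IntOpt` with `default=3` and no lower bound, so a negative value is accepted silently; unless the trust code treats negatives specially, `min=0` (the `min=` keyword is already used on `key_size` elsewhere in this series) would reject it at load time — confirm against the redelegation depth checks before adding. The `enabled` help (`Delegation and impersonation features can be optionally disabled.`) describes the feature rather than the option; `Enable or disable the trust (delegation and impersonation) API.` reads as option documentation.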
--- /dev/null +++ b/keystone/conf/utils.py @@ -0,0 +1,26 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + + +def fmt(docstr): + """Format a docstring for use as documentation in sample config.""" + # Replace newlines with spaces, as docstrings contain literal newlines that + # should not be rendered into the sample configuration file (instead, line + # wrappings should be applied automatically). + docstr = docstr.replace('\n', ' ') + + # Because it's common for docstrings to begin and end with a newline, there + # is now whitespace at the beginning and end of the documentation as a side + # effect of replacing newlines with spaces. + docstr = docstr.strip() + + return docstr diff --git a/keystone/contrib/endpoint_filter/backends/catalog_sql.py b/keystone/contrib/endpoint_filter/backends/catalog_sql.py index 1c39336bd3..b3c2ac5a3b 100644 --- a/keystone/contrib/endpoint_filter/backends/catalog_sql.py +++ b/keystone/contrib/endpoint_filter/backends/catalog_sql.py @@ -12,14 +12,14 @@ # License for the specific language governing permissions and limitations # under the License. -from oslo_config import cfg from keystone.catalog.backends import sql from keystone.common import dependency from keystone.common import utils +import keystone.conf -CONF = cfg.CONF +CONF = keystone.conf.CONF @dependency.requires('catalog_api') diff --git a/keystone/credential/core.py b/keystone/credential/core.py index 3cc28c65b3..006fcbbf82 100644 --- a/keystone/credential/core.py 
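Review bot: `fmt` replaces every newline with a space, so multi-line examples in help text are flattened; the `trusted_issuer` help in tokenless_auth.py puts two `trusted_issuer=...` examples on separate lines, and after `fmt` they render as one run-on line in the sample config. The docstring should state this limitation so option authors do not rely on line breaks, e.g. add `Newlines are collapsed to spaces, so help text must not depend on line breaks; lists and examples render as a single line.` `docstr.replace('\n', ' ')` followed by `strip()` also leaves doubled spaces wherever a line ends with a trailing space; `' '.join(docstr.split())` would normalize all whitespace in one step, though that slightly widens the current contract.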
+++ b/keystone/credential/core.py @@ -16,17 +16,17 @@ import abc -from oslo_config import cfg from oslo_log import log import six from keystone.common import dependency from keystone.common import driver_hints from keystone.common import manager +import keystone.conf from keystone import exception -CONF = cfg.CONF +CONF = keystone.conf.CONF LOG = log.getLogger(__name__) diff --git a/keystone/endpoint_policy/core.py b/keystone/endpoint_policy/core.py index 546d1d80c4..1288729317 100644 --- a/keystone/endpoint_policy/core.py +++ b/keystone/endpoint_policy/core.py @@ -12,18 +12,18 @@ # License for the specific language governing permissions and limitations # under the License. -from oslo_config import cfg from oslo_log import log from oslo_log import versionutils from keystone.common import dependency from keystone.common import manager +import keystone.conf from keystone.endpoint_policy.backends import base from keystone import exception from keystone.i18n import _, _LE, _LW -CONF = cfg.CONF +CONF = keystone.conf.CONF LOG = log.getLogger(__name__) diff --git a/keystone/exception.py b/keystone/exception.py index 263244e829..cb67a67e38 100644 --- a/keystone/exception.py +++ b/keystone/exception.py @@ -12,15 +12,15 @@ # License for the specific language governing permissions and limitations # under the License. -from oslo_config import cfg from oslo_log import log from oslo_utils import encodeutils import six +import keystone.conf from keystone.i18n import _, _LW -CONF = cfg.CONF +CONF = keystone.conf.CONF LOG = log.getLogger(__name__) # Tests use this to make exception message format errors fatal diff --git a/keystone/federation/controllers.py b/keystone/federation/controllers.py index 6ad0e3c983..a4acbae925 100644 --- a/keystone/federation/controllers.py +++ b/keystone/federation/controllers.py @@ -14,7 +14,6 @@ import string -from oslo_config import cfg from oslo_log import log from six.moves import urllib import webob 
@@ -26,6 +25,7 @@ from keystone.common import dependency from keystone.common import utils as k_utils from keystone.common import validation from keystone.common import wsgi +import keystone.conf from keystone import exception from keystone.federation import idp as keystone_idp from keystone.federation import schema @@ -34,7 +34,7 @@ from keystone.i18n import _ from keystone.models import token_model -CONF = cfg.CONF +CONF = keystone.conf.CONF LOG = log.getLogger(__name__) diff --git a/keystone/federation/core.py b/keystone/federation/core.py index 1a61e3148d..738f575dd5 100644 --- a/keystone/federation/core.py +++ b/keystone/federation/core.py @@ -12,13 +12,13 @@ """Main entry point into the Federation service.""" -from oslo_config import cfg from oslo_log import versionutils from keystone.common import cache from keystone.common import dependency from keystone.common import extension from keystone.common import manager +import keystone.conf from keystone import exception from keystone.federation.backends import base from keystone.federation import utils @@ -27,7 +27,7 @@ from keystone.federation import utils # This is a general cache region for service providers. MEMOIZE = cache.get_memoization_decorator(group='federation') -CONF = cfg.CONF +CONF = keystone.conf.CONF EXTENSION_DATA = { 'name': 'OpenStack Federation APIs', 'namespace': 'http://docs.openstack.org/identity/api/ext/' diff --git a/keystone/federation/idp.py b/keystone/federation/idp.py index 17de562a4f..898fcd64e7 100644 --- a/keystone/federation/idp.py +++ b/keystone/federation/idp.py @@ -15,7 +15,6 @@ import os import subprocess # nosec : see comments in the code below import uuid -from oslo_config import cfg from oslo_log import log from oslo_utils import fileutils from oslo_utils import importutils 
@@ -33,12 +32,13 @@ if not xmldsig: xmldsig = importutils.try_import("xmldsig") from keystone.common import utils +import keystone.conf from keystone import exception from keystone.i18n import _, _LE LOG = log.getLogger(__name__) -CONF = cfg.CONF +CONF = keystone.conf.CONF class SAMLGenerator(object): diff --git a/keystone/federation/utils.py b/keystone/federation/utils.py index d911a8ef40..1ffa5a7eb6 100644 --- a/keystone/federation/utils.py +++ b/keystone/federation/utils.py @@ -21,11 +21,12 @@ from oslo_log import log from oslo_utils import timeutils import six +import keystone.conf from keystone import exception from keystone.i18n import _, _LW -CONF = cfg.CONF +CONF = keystone.conf.CONF LOG = log.getLogger(__name__) @@ -268,6 +269,7 @@ def get_remote_id_parameter(protocol): try: remote_id_parameter = CONF[protocol]['remote_id_attribute'] except AttributeError: + # TODO(dolph): Move configuration registration to keystone.conf CONF.register_opt(cfg.StrOpt('remote_id_attribute'), group=protocol) try: diff --git a/keystone/identity/backends/base.py b/keystone/identity/backends/base.py index 1dd9969a4b..9b73546b7f 100644 --- a/keystone/identity/backends/base.py +++ b/keystone/identity/backends/base.py @@ -14,13 +14,13 @@ import abc -from oslo_config import cfg import six +import keystone.conf from keystone import exception -CONF = cfg.CONF +CONF = keystone.conf.CONF def filter_user(user_ref): diff --git a/keystone/identity/backends/ldap/core.py b/keystone/identity/backends/ldap/core.py index 36603a7aae..fe033c3ab5 100644 --- a/keystone/identity/backends/ldap/core.py +++ b/keystone/identity/backends/ldap/core.py @@ -15,12 +15,12 @@ from __future__ import absolute_import import uuid import ldap.filter -from oslo_config import cfg from oslo_log import log from oslo_log import versionutils import six from keystone.common import driver_hints +import keystone.conf from keystone import exception from keystone.i18n import _, _LW from keystone.identity.backends import base 
@@ -28,7 +28,7 @@ from keystone.identity.backends.ldap import common as common_ldap from keystone.identity.backends.ldap import models -CONF = cfg.CONF +CONF = keystone.conf.CONF LOG = log.getLogger(__name__) _DEPRECATION_MSG = _('%s for the LDAP identity backend has been deprecated in ' diff --git a/keystone/identity/controllers.py b/keystone/identity/controllers.py index 30bbc286a5..36013e4b84 100644 --- a/keystone/identity/controllers.py +++ b/keystone/identity/controllers.py @@ -14,19 +14,19 @@ """Workflow Logic the Identity service.""" -from oslo_config import cfg from oslo_log import log from keystone.common import controller from keystone.common import dependency from keystone.common import validation +import keystone.conf from keystone import exception from keystone.i18n import _, _LW from keystone.identity import schema from keystone import notifications -CONF = cfg.CONF +CONF = keystone.conf.CONF LOG = log.getLogger(__name__) diff --git a/keystone/identity/core.py b/keystone/identity/core.py index 5d48eb6e01..e7a75bab73 100644 --- a/keystone/identity/core.py +++ b/keystone/identity/core.py @@ -26,10 +26,10 @@ from oslo_log import versionutils from keystone import assignment # TODO(lbragstad): Decouple this dependency from keystone.common import cache from keystone.common import clean -from keystone.common import config from keystone.common import dependency from keystone.common import driver_hints from keystone.common import manager +import keystone.conf from keystone import exception from keystone.i18n import _, _LW from keystone.identity.backends import base as identity_interface @@ -39,7 +39,7 @@ from keystone.identity.shadow_backends import base as shadow_interface from keystone import notifications -CONF = cfg.CONF +CONF = keystone.conf.CONF LOG = log.getLogger(__name__) 
@@ -117,7 +117,7 @@ class DomainConfigs(dict): # config dict to make sure we call the right driver domain_config = {} domain_config['cfg'] = cfg.ConfigOpts() - config.configure(conf=domain_config['cfg']) + keystone.conf.configure(conf=domain_config['cfg']) domain_config['cfg'](args=[], project='keystone', default_config_files=file_list) domain_config['driver'] = self._load_driver(domain_config) @@ -254,7 +254,7 @@ class DomainConfigs(dict): domain_config = {} domain_config['cfg'] = cfg.ConfigOpts() - config.configure(conf=domain_config['cfg']) + keystone.conf.configure(conf=domain_config['cfg']) domain_config['cfg'](args=[], project='keystone', default_config_files=[]) diff --git a/keystone/identity/generator.py b/keystone/identity/generator.py index 05ad2df5c7..7879f63b31 100644 --- a/keystone/identity/generator.py +++ b/keystone/identity/generator.py @@ -16,15 +16,15 @@ import abc -from oslo_config import cfg import six from keystone.common import dependency from keystone.common import manager +import keystone.conf from keystone import exception -CONF = cfg.CONF +CONF = keystone.conf.CONF @dependency.provider('id_generator_api') diff --git a/keystone/middleware/auth.py b/keystone/middleware/auth.py index a16f1d321d..331160fe57 100644 --- a/keystone/middleware/auth.py +++ b/keystone/middleware/auth.py @@ -11,7 +11,6 @@ # under the License. from keystonemiddleware import auth_token -from oslo_config import cfg from oslo_context import context as oslo_context from oslo_log import log from oslo_log import versionutils @@ -20,6 +19,7 @@ from keystone.common import authorization from keystone.common import dependency from keystone.common import tokenless_auth from keystone.common import wsgi +import keystone.conf from keystone import exception from keystone.federation import constants as federation_constants from keystone.federation import utils 
@@ -28,7 +28,7 @@ from keystone.middleware import core from keystone.models import token_model from keystone.token.providers import common -CONF = cfg.CONF +CONF = keystone.conf.CONF LOG = log.getLogger(__name__) __all__ = ('AuthContextMiddleware',) diff --git a/keystone/middleware/core.py b/keystone/middleware/core.py index 3e4cea37e1..5f4c0b9e30 100644 --- a/keystone/middleware/core.py +++ b/keystone/middleware/core.py @@ -12,16 +12,16 @@ # License for the specific language governing permissions and limitations # under the License. -from oslo_config import cfg from oslo_log import log from oslo_serialization import jsonutils from keystone.common import wsgi +import keystone.conf from keystone import exception from keystone.i18n import _LW -CONF = cfg.CONF +CONF = keystone.conf.CONF LOG = log.getLogger(__name__) # Header used to transmit the auth token diff --git a/keystone/models/token_model.py b/keystone/models/token_model.py index 2670c774b6..86d0c5a2df 100644 --- a/keystone/models/token_model.py +++ b/keystone/models/token_model.py @@ -13,16 +13,16 @@ """Unified in-memory token model.""" from keystoneclient.common import cms -from oslo_config import cfg from oslo_utils import reflection from oslo_utils import timeutils import six +import keystone.conf from keystone import exception from keystone.federation import constants from keystone.i18n import _ -CONF = cfg.CONF +CONF = keystone.conf.CONF # supported token versions V2 = 'v2.0' V3 = 'v3.0' diff --git a/keystone/notifications.py b/keystone/notifications.py index 55a7159f0d..f7835e4ac7 100644 --- a/keystone/notifications.py +++ b/keystone/notifications.py @@ -19,7 +19,6 @@ import functools import inspect import socket -from oslo_config import cfg from oslo_log import log import oslo_messaging from oslo_utils import reflection 
@@ -33,6 +32,7 @@ from pycadf import resource from keystone.i18n import _, _LE from keystone.common import dependency from keystone.common import utils +import keystone.conf _CATALOG_HELPER_OBJ = None @@ -69,7 +69,7 @@ _notifier = None SERVICE = 'identity' -CONF = cfg.CONF +CONF = keystone.conf.CONF # NOTE(morganfainberg): Special case notifications that are only used # internally for handling token persistence token deletions diff --git a/keystone/oauth1/controllers.py b/keystone/oauth1/controllers.py index 250ef2fa72..4bc8143ce1 100644 --- a/keystone/oauth1/controllers.py +++ b/keystone/oauth1/controllers.py @@ -14,7 +14,6 @@ """Extensions supporting OAuth1.""" -from oslo_config import cfg from oslo_serialization import jsonutils from oslo_utils import timeutils @@ -23,6 +22,7 @@ from keystone.common import dependency from keystone.common import utils from keystone.common import validation from keystone.common import wsgi +import keystone.conf from keystone import exception from keystone.i18n import _ from keystone import notifications @@ -31,7 +31,7 @@ from keystone.oauth1 import schema from keystone.oauth1 import validator -CONF = cfg.CONF +CONF = keystone.conf.CONF def _emit_user_oauth_consumer_token_invalidate(payload): diff --git a/keystone/oauth1/core.py b/keystone/oauth1/core.py index 53cc61ac62..2f073ac2cf 100644 --- a/keystone/oauth1/core.py +++ b/keystone/oauth1/core.py @@ -20,13 +20,13 @@ import uuid import oauthlib.common from oauthlib import oauth1 -from oslo_config import cfg from oslo_log import log from oslo_log import versionutils from keystone.common import dependency from keystone.common import extension from keystone.common import manager +import keystone.conf from keystone import exception from keystone.i18n import _LE from keystone import notifications @@ -53,7 +53,7 @@ class Token(object): self.verifier = verifier -CONF = cfg.CONF +CONF = keystone.conf.CONF LOG = log.getLogger(__name__) 
diff --git a/keystone/policy/backends/base.py b/keystone/policy/backends/base.py index 473770d16e..99da1b6481 100644 --- a/keystone/policy/backends/base.py +++ b/keystone/policy/backends/base.py @@ -13,11 +13,11 @@ import abc import six +import keystone.conf from keystone import exception -from oslo_config import cfg -CONF = cfg.CONF +CONF = keystone.conf.CONF @six.add_metaclass(abc.ABCMeta) diff --git a/keystone/policy/backends/rules.py b/keystone/policy/backends/rules.py index 7afe893787..fa675d23d2 100644 --- a/keystone/policy/backends/rules.py +++ b/keystone/policy/backends/rules.py @@ -15,15 +15,15 @@ """Policy engine for keystone.""" -from oslo_config import cfg from oslo_log import log from oslo_policy import policy as common_policy +import keystone.conf from keystone import exception from keystone.policy.backends import base -CONF = cfg.CONF +CONF = keystone.conf.CONF LOG = log.getLogger(__name__) diff --git a/keystone/policy/core.py b/keystone/policy/core.py index 1824e9d2bf..96431ab217 100644 --- a/keystone/policy/core.py +++ b/keystone/policy/core.py @@ -14,17 +14,17 @@ """Main entry point into the Policy service.""" -from oslo_config import cfg from oslo_log import versionutils from keystone.common import dependency from keystone.common import manager +import keystone.conf from keystone import exception from keystone import notifications from keystone.policy.backends import base -CONF = cfg.CONF +CONF = keystone.conf.CONF @dependency.provider('policy_api') diff --git a/keystone/resource/backends/base.py b/keystone/resource/backends/base.py index eb0501febc..b3a0e62564 100644 --- a/keystone/resource/backends/base.py +++ b/keystone/resource/backends/base.py 
@@ -15,17 +15,17 @@ import abc import copy -from oslo_config import cfg from oslo_log import log from oslo_log import versionutils import six +import keystone.conf from keystone import exception from keystone.i18n import _ from keystone.i18n import _LE -CONF = cfg.CONF +CONF = keystone.conf.CONF LOG = log.getLogger(__name__) diff --git a/keystone/resource/config_backends/base.py b/keystone/resource/config_backends/base.py index fd24d41769..5a456093a7 100644 --- a/keystone/resource/config_backends/base.py +++ b/keystone/resource/config_backends/base.py @@ -14,13 +14,13 @@ import abc -from oslo_config import cfg import six +import keystone.conf from keystone import exception -CONF = cfg.CONF +CONF = keystone.conf.CONF @six.add_metaclass(abc.ABCMeta) diff --git a/keystone/resource/controllers.py b/keystone/resource/controllers.py index 2f0613b057..ff0df101de 100644 --- a/keystone/resource/controllers.py +++ b/keystone/resource/controllers.py @@ -17,19 +17,19 @@ import uuid -from oslo_config import cfg from keystone.common import controller from keystone.common import dependency from keystone.common import validation from keystone.common import wsgi +import keystone.conf from keystone import exception from keystone.i18n import _ from keystone import notifications from keystone.resource import schema -CONF = cfg.CONF +CONF = keystone.conf.CONF @dependency.requires('resource_api') diff --git a/keystone/resource/core.py b/keystone/resource/core.py index 285722761e..0ad8c7a1f8 100644 --- a/keystone/resource/core.py +++ b/keystone/resource/core.py @@ -12,7 +12,6 @@ """Main entry point into the Resource service.""" -from oslo_config import cfg from oslo_log import log from oslo_log import versionutils import six 
@@ -24,13 +23,14 @@ from keystone.common import dependency from keystone.common import driver_hints from keystone.common import manager from keystone.common import utils +import keystone.conf from keystone import exception from keystone.i18n import _, _LE, _LW from keystone import notifications from keystone.resource.backends import base from keystone.resource.config_backends import base as config_base -CONF = cfg.CONF +CONF = keystone.conf.CONF LOG = log.getLogger(__name__) MEMOIZE = cache.get_memoization_decorator(group='resource') diff --git a/keystone/revoke/backends/base.py b/keystone/revoke/backends/base.py index 8a59ac0c3c..0d65865ad6 100644 --- a/keystone/revoke/backends/base.py +++ b/keystone/revoke/backends/base.py @@ -15,14 +15,14 @@ import abc import datetime -from oslo_config import cfg from oslo_utils import timeutils import six +import keystone.conf from keystone import exception -CONF = cfg.CONF +CONF = keystone.conf.CONF def revoked_before_cutoff_time(): diff --git a/keystone/revoke/core.py b/keystone/revoke/core.py index 50c1c74a71..5c660c6617 100644 --- a/keystone/revoke/core.py +++ b/keystone/revoke/core.py @@ -13,13 +13,13 @@ """Main entry point into the Revoke service.""" import oslo_cache -from oslo_config import cfg from oslo_log import versionutils from keystone.common import cache from keystone.common import dependency from keystone.common import extension from keystone.common import manager +import keystone.conf from keystone import exception from keystone.i18n import _ from keystone.models import revoke_model @@ -27,7 +27,7 @@ from keystone import notifications from keystone.revoke.backends import base -CONF = cfg.CONF +CONF = keystone.conf.CONF EXTENSION_DATA = { diff --git a/keystone/server/common.py b/keystone/server/common.py index 4b1ee46941..f385cf651c 100644 --- a/keystone/server/common.py +++ b/keystone/server/common.py 
@@ -12,31 +12,30 @@ # under the License. -from oslo_config import cfg from oslo_log import log -from keystone.common import config from keystone.common import dependency from keystone.common import sql +import keystone.conf from keystone.i18n import _LW from keystone.server import backends -CONF = cfg.CONF +CONF = keystone.conf.CONF LOG = log.getLogger(__name__) def configure(version=None, config_files=None, pre_setup_logging_fn=lambda: None): - config.configure() + keystone.conf.configure() sql.initialize() - config.set_config_defaults() + keystone.conf.set_config_defaults() CONF(project='keystone', version=version, default_config_files=config_files) pre_setup_logging_fn() - config.setup_logging() + keystone.conf.setup_logging() if CONF.insecure_debug: LOG.warning(_LW( diff --git a/keystone/server/wsgi.py b/keystone/server/wsgi.py index 1c8f6350f3..0e4711369d 100644 --- a/keystone/server/wsgi.py +++ b/keystone/server/wsgi.py @@ -14,11 +14,12 @@ import os -from oslo_config import cfg import oslo_i18n from oslo_log import log from keystone.common import profiler +import keystone.conf +from keystone import exception # NOTE(dstanek): i18n.enable_lazy() must be called before @@ -28,12 +29,11 @@ from keystone.common import profiler oslo_i18n.enable_lazy() -from keystone.common import config from keystone.server import common from keystone.version import service as keystone_service -CONF = cfg.CONF +CONF = keystone.conf.CONF def initialize_application(name, @@ -63,7 +63,7 @@ def initialize_application(name, def loadapp(): return keystone_service.loadapp( - 'config:%s' % config.find_paste_config(), name) + 'config:%s' % find_paste_config(), name) _unused, application = common.setup_backends( startup_application_fn=loadapp) 
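Review bot: `from keystone import exception` is added to the import block above the `# NOTE(dstanek): i18n.enable_lazy() must be called before` comment and the `oslo_i18n.enable_lazy()` call, while `keystone.exception` (see the keystone/exception.py hunk earlier in this diff) imports `keystone.i18n` at module level; if that NOTE is about importing keystone modules that pull in keystone.i18n, the new import defeats the ordering this file goes out of its way to preserve. Moving it next to `from keystone.server import common` in the block after `enable_lazy()` keeps the existing guarantee. The rest of the NOTE is outside the hunk, so the applicable ordering rule should be confirmed there first.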
@@ -75,6 +75,41 @@ def initialize_application(name, return application +def find_paste_config(): + """Find Keystone's paste.deploy configuration file. + + Keystone's paste.deploy configuration file is specified in the + ``[paste_deploy]`` section of the main Keystone configuration file, + ``keystone.conf``. + + For example:: + + [paste_deploy] + config_file = keystone-paste.ini + + :returns: The selected configuration filename + :raises: exception.ConfigFileNotFound + + """ + if CONF.paste_deploy.config_file: + paste_config = CONF.paste_deploy.config_file + paste_config_value = paste_config + if not os.path.isabs(paste_config): + paste_config = CONF.find_file(paste_config) + elif CONF.config_file: + paste_config = CONF.config_file[0] + paste_config_value = paste_config + else: + # this provides backwards compatibility for keystone.conf files that + # still have the entire paste configuration included, rather than just + # a [paste_deploy] configuration section referring to an external file + paste_config = CONF.find_file('keystone.conf') + paste_config_value = 'keystone.conf' + if not paste_config or not os.path.exists(paste_config): + raise exception.ConfigFileNotFound(config_file=paste_config_value) + return paste_config + + def _get_config_files(env=None): if env is None: env = os.environ diff --git a/keystone/tests/unit/assignment/test_backends.py b/keystone/tests/unit/assignment/test_backends.py index f28050b2ec..29e323abd7 100644 --- a/keystone/tests/unit/assignment/test_backends.py +++ b/keystone/tests/unit/assignment/test_backends.py @@ -13,15 +13,15 @@ import uuid import mock -from oslo_config import cfg from six.moves import range from testtools import matchers +import keystone.conf from keystone import exception from keystone.tests import unit -CONF = cfg.CONF +CONF = keystone.conf.CONF class AssignmentTestHelperMixin(object): 
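Review bot: The docstring for `find_paste_config` documents only the `[paste_deploy] config_file` source, but the body has three resolution paths — the configured file (resolved through `CONF.find_file` when relative), the first entry of `CONF.config_file`, and finally a `keystone.conf` located by `CONF.find_file` — so a reader of the docstring cannot tell that an unset `config_file` silently falls back to the main configuration file. Suggest extending the docstring with a short numbered list of that order and noting that `CONF.find_file` is what makes a bare filename work. `paste_config_value` keeps the unresolved name for the `ConfigFileNotFound` message; a comment such as `# report the configured value, not the resolved path, in the error` would explain why two variables are carried. The function was previously reached as `config.find_paste_config()` (see the `loadapp` hunk above); if anything outside this diff imported it from keystone.common.config, it now needs updating.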
diff --git a/keystone/tests/unit/backend/core_ldap.py b/keystone/tests/unit/backend/core_ldap.py index e1d2ebcc67..a46c8d42d4 100644 --- a/keystone/tests/unit/backend/core_ldap.py +++ b/keystone/tests/unit/backend/core_ldap.py @@ -12,16 +12,16 @@ import ldap -from oslo_config import cfg from keystone.common import cache +import keystone.conf from keystone.tests import unit from keystone.tests.unit import default_fixtures from keystone.tests.unit.ksfixtures import database from keystone.tests.unit.ksfixtures import ldapdb -CONF = cfg.CONF +CONF = keystone.conf.CONF def create_group_container(identity_api): diff --git a/keystone/tests/unit/common/test_notifications.py b/keystone/tests/unit/common/test_notifications.py index 88b332bc6b..674bef05e8 100644 --- a/keystone/tests/unit/common/test_notifications.py +++ b/keystone/tests/unit/common/test_notifications.py @@ -16,7 +16,6 @@ import uuid import fixtures import mock -from oslo_config import cfg from oslo_config import fixture as config_fixture from oslo_log import log from pycadf import cadftaxonomy @@ -24,12 +23,13 @@ from pycadf import cadftype from pycadf import eventfactory from pycadf import resource as cadfresource +import keystone.conf from keystone import notifications from keystone.tests import unit from keystone.tests.unit import test_v3 -CONF = cfg.CONF +CONF = keystone.conf.CONF EXP_RESOURCE_TYPE = uuid.uuid4().hex CREATED_OPERATION = notifications.ACTIONS.created diff --git a/keystone/tests/unit/common/test_utils.py b/keystone/tests/unit/common/test_utils.py index f704aaa044..95d688ed56 100644 --- a/keystone/tests/unit/common/test_utils.py +++ b/keystone/tests/unit/common/test_utils.py 
@@ -14,19 +14,19 @@ import datetime
 import uuid
-from oslo_config import cfg
 from oslo_config import fixture as config_fixture
 from oslo_serialization import jsonutils
 import six
 from keystone.common import utils as common_utils
+import keystone.conf
 from keystone import exception
 from keystone.tests import unit
 from keystone.tests.unit import utils
 from keystone.version import service
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 TZ = utils.TZ
diff --git a/keystone/tests/unit/contrib/federation/test_utils.py b/keystone/tests/unit/contrib/federation/test_utils.py
index e41be7ba0e..413f24cf92 100644
--- a/keystone/tests/unit/contrib/federation/test_utils.py
+++ b/keystone/tests/unit/contrib/federation/test_utils.py
@@ -12,17 +12,18 @@ import uuid
-from oslo_config import cfg
 from oslo_config import fixture as config_fixture
 from oslo_serialization import jsonutils
 from keystone.auth.plugins import mapped
+import keystone.conf
 from keystone import exception
 from keystone.federation import utils as mapping_utils
 from keystone.tests import unit
 from keystone.tests.unit import mapping_fixtures
+CONF = keystone.conf.CONF
 FAKE_MAPPING_ID = uuid.uuid4().hex
@@ -741,7 +742,7 @@ class TestUnicodeAssertionData(unit.BaseTestCase):
 def setUp(self):
 super(TestUnicodeAssertionData, self).setUp()
- self.config_fixture = self.useFixture(config_fixture.Config(cfg.CONF))
+ self.config_fixture = self.useFixture(config_fixture.Config(CONF))
 self.config_fixture.config(group='federation',
 assertion_prefix='PFX')
diff --git a/keystone/tests/unit/core.py b/keystone/tests/unit/core.py
index 7235779b1d..576135dbc8 100644
--- a/keystone/tests/unit/core.py
+++ b/keystone/tests/unit/core.py
@@ -29,7 +29,6 @@ import uuid
 import warnings
 import fixtures
-from oslo_config import cfg
 from oslo_config import fixture as config_fixture
 from oslo_context import context as oslo_context
 from oslo_context import fixture as oslo_ctx_fixture
@@ -43,11 +42,11 @@ import testtools
 from testtools import testcase
 from keystone import auth
-from keystone.common import config
 from keystone.common import dependency
 from keystone.common.kvs import core as kvs_core
 from keystone.common import request
 from keystone.common import sql
+import keystone.conf
 from keystone import exception
 from keystone.identity.backends.ldap import common as ks_ldap
 from keystone import notifications
@@ -57,8 +56,8 @@ from keystone.version import controllers
 from keystone.version import service
-config.configure()
-config.set_config_defaults()
+keystone.conf.configure()
+keystone.conf.set_config_defaults()
 PID = six.text_type(os.getpid())
 TESTSDIR = os.path.dirname(os.path.abspath(__file__))
@@ -77,7 +76,7 @@ def _calc_tmpdir():
 TMPDIR = _calc_tmpdir()
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 log.register_options(CONF)
 IN_MEM_DB_CONN_STRING = 'sqlite://'
@@ -664,7 +663,7 @@ class TestCase(BaseTestCase):
 def mocked_register_auth_plugin_opt(conf, opt):
 self.config_fixture.register_opt(opt, group='auth')
 self.useFixture(fixtures.MockPatchObject(
- config, '_register_auth_plugin_opt',
+ keystone.conf.auth, '_register_auth_plugin_opt',
 new=mocked_register_auth_plugin_opt))
 self.sql_driver_version_overrides = {}
diff --git a/keystone/tests/unit/fakeldap.py b/keystone/tests/unit/fakeldap.py
index cdad2f3759..4ce20ae40e 100644
--- a/keystone/tests/unit/fakeldap.py
+++ b/keystone/tests/unit/fakeldap.py
@@ -27,11 +27,11 @@ import re
 import shelve
 import ldap
-from oslo_config import cfg
 from oslo_log import log
 import six
 from six import moves
+import keystone.conf
 from keystone import exception
 from keystone.identity.backends.ldap import common
@@ -45,7 +45,7 @@ SCOPE_NAMES = {
 CONTROL_TREEDELETE = '1.2.840.113556.1.4.805'
 LOG = log.getLogger(__name__)
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 def _internal_attr(attr_name, value_or_values):
diff --git a/keystone/tests/unit/filtering.py b/keystone/tests/unit/filtering.py
index 28befb13ed..c632402ba2 100644
--- a/keystone/tests/unit/filtering.py
+++ b/keystone/tests/unit/filtering.py
@@ -14,11 +14,12 @@ import uuid
-from oslo_config import cfg
 from six.moves import range
+import keystone.conf
-CONF = cfg.CONF
+
+CONF = keystone.conf.CONF
 class FilterTests(object):
diff --git a/keystone/tests/unit/identity/backends/test_ldap_common.py b/keystone/tests/unit/identity/backends/test_ldap_common.py
index 2a99c3c835..825f25437a 100644
--- a/keystone/tests/unit/identity/backends/test_ldap_common.py
+++ b/keystone/tests/unit/identity/backends/test_ldap_common.py
@@ -18,10 +18,10 @@ import uuid
 import fixtures
 import ldap.dn
 import mock
-from oslo_config import cfg
 from testtools import matchers
 from keystone.common import driver_hints
+import keystone.conf
 from keystone.identity.backends.ldap import common as common_ldap
 from keystone.tests import unit
 from keystone.tests.unit import default_fixtures
@@ -30,7 +30,7 @@ from keystone.tests.unit.ksfixtures import database
 from keystone.tests.unit.ksfixtures import ldapdb
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 class DnCompareTest(unit.BaseTestCase):
diff --git a/keystone/tests/unit/identity/test_backends.py b/keystone/tests/unit/identity/test_backends.py
index 72d95479db..5642d25afa 100644
--- a/keystone/tests/unit/identity/test_backends.py
+++ b/keystone/tests/unit/identity/test_backends.py
@@ -15,18 +15,18 @@ import uuid
 import mock
-from oslo_config import cfg
 from six.moves import range
 from testtools import matchers
 from keystone.common import driver_hints
+import keystone.conf
 from keystone import exception
 from keystone.tests import unit
 from keystone.tests.unit import default_fixtures
 from keystone.tests.unit import filtering
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 class IdentityTests(object):
diff --git a/keystone/tests/unit/identity/test_controllers.py b/keystone/tests/unit/identity/test_controllers.py
index e173b18b36..6ed7b10bfe 100644
--- a/keystone/tests/unit/identity/test_controllers.py
+++ b/keystone/tests/unit/identity/test_controllers.py
@@ -14,15 +14,15 @@ import uuid
-from oslo_config import cfg
+import keystone.conf
 from keystone import exception
 from keystone.identity import controllers
 from keystone.tests import unit
 from keystone.tests.unit.ksfixtures import database
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 class UserTestCaseNoDefaultDomain(unit.TestCase):
diff --git a/keystone/tests/unit/identity/test_core.py b/keystone/tests/unit/identity/test_core.py
index 3773da685c..9eadbbd4fb 100644
--- a/keystone/tests/unit/identity/test_core.py
+++ b/keystone/tests/unit/identity/test_core.py
@@ -17,16 +17,16 @@ import os
 import uuid
 import mock
-from oslo_config import cfg
 from oslo_config import fixture as config_fixture
+import keystone.conf
 from keystone import exception
 from keystone import identity
 from keystone.tests import unit
 from keystone.tests.unit.ksfixtures import database
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 class TestDomainConfigs(unit.BaseTestCase):
diff --git a/keystone/tests/unit/ksfixtures/auth_plugins.py b/keystone/tests/unit/ksfixtures/auth_plugins.py
index 454791e404..c942a5fde7 100644
--- a/keystone/tests/unit/ksfixtures/auth_plugins.py
+++ b/keystone/tests/unit/ksfixtures/auth_plugins.py
@@ -14,7 +14,7 @@ import fixtures
 from keystone import auth
-from keystone.common import config as common_cfg
+import keystone.conf
 class ConfigAuthPlugins(fixtures.Fixture):
@@ -30,7 +30,7 @@ class ConfigAuthPlugins(fixtures.Fixture):
 super(ConfigAuthPlugins, self).setUp()
 if self.methods:
 self.config_fixture.config(group='auth', methods=self.methods)
- common_cfg.setup_authentication()
+ keystone.conf.auth.setup_authentication()
 if self.method_classes:
 self.config_fixture.config(group='auth', **self.method_classes)
diff --git a/keystone/tests/unit/ksfixtures/database.py b/keystone/tests/unit/ksfixtures/database.py
index 43e79316ee..10bee9ace9 100644
--- a/keystone/tests/unit/ksfixtures/database.py
+++ b/keystone/tests/unit/ksfixtures/database.py
@@ -15,14 +15,14 @@ import functools
 import os
 import fixtures
-from oslo_config import cfg
 from oslo_db import options as db_options
 from keystone.common import sql
+import keystone.conf
 from keystone.tests import unit
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 def run_once(f):
diff --git a/keystone/tests/unit/resource/test_backends.py b/keystone/tests/unit/resource/test_backends.py
index 15a7f160e7..18debe7bb2 100644
--- a/keystone/tests/unit/resource/test_backends.py
+++ b/keystone/tests/unit/resource/test_backends.py
@@ -14,18 +14,18 @@ import copy
 import uuid
 import mock
-from oslo_config import cfg
 from six.moves import range
 from testtools import matchers
 from keystone.common import driver_hints
+import keystone.conf
 from keystone import exception
 from keystone.tests import unit
 from keystone.tests.unit import default_fixtures
 from keystone.tests.unit import utils as test_utils
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 class ResourceTests(object):
diff --git a/keystone/tests/unit/resource/test_controllers.py b/keystone/tests/unit/resource/test_controllers.py
index 52ac6eba59..d835412fba 100644
--- a/keystone/tests/unit/resource/test_controllers.py
+++ b/keystone/tests/unit/resource/test_controllers.py
@@ -14,15 +14,15 @@ import uuid
-from oslo_config import cfg
+import keystone.conf
 from keystone import exception
 from keystone.resource import controllers
 from keystone.tests import unit
 from keystone.tests.unit.ksfixtures import database
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 class TenantTestCaseNoDefaultDomain(unit.TestCase):
diff --git a/keystone/tests/unit/resource/test_core.py b/keystone/tests/unit/resource/test_core.py
index 5d2e82abfe..e5351ac358 100644
--- a/keystone/tests/unit/resource/test_core.py
+++ b/keystone/tests/unit/resource/test_core.py
@@ -15,15 +15,15 @@ import uuid
 import fixtures
 import mock
-from oslo_config import cfg
 from testtools import matchers
+import keystone.conf
 from keystone import exception
 from keystone.tests import unit
 from keystone.tests.unit.ksfixtures import database
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 class TestResourceManagerNoFixtures(unit.SQLDriverOverrides, unit.TestCase):
diff --git a/keystone/tests/unit/test_auth.py b/keystone/tests/unit/test_auth.py
index 8970cd993e..0b0f3b7cd4 100644
--- a/keystone/tests/unit/test_auth.py
+++ b/keystone/tests/unit/test_auth.py
@@ -19,7 +19,6 @@ import string
 import uuid
 import mock
-from oslo_config import cfg
 import oslo_utils.fixture
 from oslo_utils import timeutils
 import six
@@ -28,7 +27,7 @@ from testtools import matchers
 from keystone import assignment
 from keystone import auth
 from keystone.common import authorization
-from keystone.common import config
+import keystone.conf
 from keystone import exception
 from keystone.models import token_model
 from keystone.tests import unit
@@ -39,7 +38,7 @@ from keystone import token
 from keystone import trust
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 TIME_FORMAT = '%Y-%m-%dT%H:%M:%S.%fZ'
 HOST = ''.join(random.choice(string.ascii_lowercase) for x in range(
@@ -1389,5 +1388,5 @@ class NonDefaultAuthTest(unit.TestCase):
 def test_add_non_default_auth_method(self):
 self.config_fixture.config(group='auth',
 methods=['password', 'token', 'custom'])
- config.setup_authentication()
+ keystone.conf.auth.setup_authentication()
 self.assertTrue(hasattr(CONF.auth, 'custom'))
diff --git a/keystone/tests/unit/test_backend_ldap.py b/keystone/tests/unit/test_backend_ldap.py
index d64c708cd6..9b4d94d087 100644
--- a/keystone/tests/unit/test_backend_ldap.py
+++ b/keystone/tests/unit/test_backend_ldap.py
@@ -20,7 +20,6 @@ import uuid
 import fixtures
 import ldap
 import mock
-from oslo_config import cfg
 from oslo_log import versionutils
 import pkg_resources
 from six.moves import http_client
@@ -29,6 +28,7 @@ from testtools import matchers
 from keystone.common import cache
 from keystone.common import driver_hints
+import keystone.conf
 from keystone import exception
 from keystone import identity
 from keystone.identity.backends.ldap import common as common_ldap
@@ -44,7 +44,7 @@ from keystone.tests.unit.resource import test_backends as resource_tests
 from keystone.tests.unit.utils import wip
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 def _assert_backends(testcase, **kwargs):
diff --git a/keystone/tests/unit/test_backend_ldap_pool.py b/keystone/tests/unit/test_backend_ldap_pool.py
index 8e3ec80d6f..93e4d6d2de 100644
--- a/keystone/tests/unit/test_backend_ldap_pool.py
+++ b/keystone/tests/unit/test_backend_ldap_pool.py
@@ -17,15 +17,16 @@ import fixtures
 import ldappool
 import mock
-from oslo_config import cfg
+import keystone.conf
 from keystone.identity.backends import ldap
 from keystone.identity.backends.ldap import common as common_ldap
 from keystone.tests import unit
 from keystone.tests.unit import fakeldap
 from keystone.tests.unit import test_backend_ldap
-CONF = cfg.CONF
+
+CONF = keystone.conf.CONF
 class LdapPoolCommonTestMixin(object):
diff --git a/keystone/tests/unit/test_backend_sql.py b/keystone/tests/unit/test_backend_sql.py
index 25407b99a6..d341a34d66 100644
--- a/keystone/tests/unit/test_backend_sql.py
+++ b/keystone/tests/unit/test_backend_sql.py
@@ -17,7 +17,6 @@ import functools
 import uuid
 import mock
-from oslo_config import cfg
 from oslo_db import exception as db_exception
 from oslo_db import options
 from six.moves import range
@@ -27,6 +26,7 @@ from testtools import matchers
 from keystone.common import driver_hints
 from keystone.common import sql
+import keystone.conf
 from keystone import exception
 from keystone.identity.backends import sql_model as identity_sql
 from keystone.resource.backends import base as resource
@@ -43,7 +43,7 @@ from keystone.tests.unit.trust import test_backends as trust_tests
 from keystone.token.persistence.backends import sql as token_sql
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 class SqlTests(unit.SQLDriverOverrides, unit.TestCase):
diff --git a/keystone/tests/unit/test_cli.py b/keystone/tests/unit/test_cli.py
index 68ff9ef98c..be1db964eb 100644
--- a/keystone/tests/unit/test_cli.py
+++ b/keystone/tests/unit/test_cli.py
@@ -17,7 +17,6 @@ import uuid
 import fixtures
 import mock
-from oslo_config import cfg
 from oslo_config import fixture as config_fixture
 from oslo_log import log
 from oslotest import mockpatch
@@ -26,12 +25,13 @@ from testtools import matchers
 from keystone.cmd import cli
 from keystone.common import dependency
+import keystone.conf
 from keystone.i18n import _
 from keystone.tests import unit
 from keystone.tests.unit.ksfixtures import database
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 class CliTestCase(unit.SQLDriverOverrides, unit.TestCase):
diff --git a/keystone/tests/unit/test_config.py b/keystone/tests/unit/test_config.py
index f7cb4ce1fa..52dfdae22e 100644
--- a/keystone/tests/unit/test_config.py
+++ b/keystone/tests/unit/test_config.py
@@ -14,14 +14,13 @@ import uuid
-from oslo_config import cfg
-
-from keystone.common import config
+import keystone.conf
 from keystone import exception
+from keystone.server import wsgi
 from keystone.tests import unit
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 class ConfigTestCase(unit.TestCase):
@@ -36,14 +35,14 @@ class ConfigTestCase(unit.TestCase):
 def test_paste_config(self):
 self.assertEqual(unit.dirs.etc('keystone-paste.ini'),
- config.find_paste_config())
+ wsgi.find_paste_config())
 self.config_fixture.config(group='paste_deploy',
 config_file=uuid.uuid4().hex)
 self.assertRaises(exception.ConfigFileNotFound,
- config.find_paste_config)
+ wsgi.find_paste_config)
 self.config_fixture.config(group='paste_deploy', config_file='')
 self.assertEqual(unit.dirs.etc('keystone.conf.sample'),
- config.find_paste_config())
+ wsgi.find_paste_config())
 def test_config_default(self):
 self.assertIs(None, CONF.auth.password)
diff --git a/keystone/tests/unit/test_exception.py b/keystone/tests/unit/test_exception.py
index ee365afca0..b285964905 100644
--- a/keystone/tests/unit/test_exception.py
+++ b/keystone/tests/unit/test_exception.py
@@ -14,16 +14,19 @@ import uuid
-from oslo_config import cfg
 from oslo_config import fixture as config_fixture
 from oslo_serialization import jsonutils
 import six
 from keystone.common import wsgi
+import keystone.conf
 from keystone import exception
 from keystone.tests import unit
+CONF = keystone.conf.CONF
+
+
 class ExceptionTestCase(unit.BaseTestCase):
 def assertValidJsonRendering(self, e):
 resp = wsgi.render_exception(e)
@@ -115,7 +118,7 @@ class UnexpectedExceptionTestCase(ExceptionTestCase):
 def setUp(self):
 super(UnexpectedExceptionTestCase, self).setUp()
 self.exc_str = uuid.uuid4().hex
- self.config_fixture = self.useFixture(config_fixture.Config(cfg.CONF))
+ self.config_fixture = self.useFixture(config_fixture.Config(CONF))
 def test_unexpected_error_no_debug(self):
 self.config_fixture.config(debug=False)
@@ -181,7 +184,7 @@ class SecurityErrorTestCase(ExceptionTestCase):
 def setUp(self):
 super(SecurityErrorTestCase, self).setUp()
- self.config_fixture = self.useFixture(config_fixture.Config(cfg.CONF))
+ self.config_fixture = self.useFixture(config_fixture.Config(CONF))
 def test_unauthorized_exposure(self):
 self.config_fixture.config(debug=False)
diff --git a/keystone/tests/unit/test_ldap_livetest.py b/keystone/tests/unit/test_ldap_livetest.py
index 4e8c3cb6a8..4e229a62ee 100644
--- a/keystone/tests/unit/test_ldap_livetest.py
+++ b/keystone/tests/unit/test_ldap_livetest.py
@@ -16,16 +16,16 @@ import subprocess
 import uuid
 import ldap.modlist
-from oslo_config import cfg
 from six.moves import range
+import keystone.conf
 from keystone import exception
 from keystone.identity.backends import ldap as identity_ldap
 from keystone.tests import unit
 from keystone.tests.unit import test_backend_ldap
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 def create_object(dn, attrs):
diff --git a/keystone/tests/unit/test_ldap_pool_livetest.py b/keystone/tests/unit/test_ldap_pool_livetest.py
index 6d0ee68707..b4844381fd 100644
--- a/keystone/tests/unit/test_ldap_pool_livetest.py
+++ b/keystone/tests/unit/test_ldap_pool_livetest.py
@@ -15,8 +15,8 @@ import uuid
 import ldappool
-from oslo_config import cfg
+import keystone.conf
 from keystone.identity.backends import ldap
 from keystone.identity.backends.ldap import common as ldap_common
 from keystone.tests import unit
@@ -25,7 +25,7 @@ from keystone.tests.unit import test_backend_ldap_pool
 from keystone.tests.unit import test_ldap_livetest
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 class LiveLDAPPoolIdentity(test_backend_ldap_pool.LdapPoolCommonTestMixin,
diff --git a/keystone/tests/unit/test_ldap_tls_livetest.py b/keystone/tests/unit/test_ldap_tls_livetest.py
index 98e2882d2f..87a9cb368e 100644
--- a/keystone/tests/unit/test_ldap_tls_livetest.py
+++ b/keystone/tests/unit/test_ldap_tls_livetest.py
@@ -14,15 +14,15 @@
 # under the License.
 import ldap.modlist
-from oslo_config import cfg
+import keystone.conf
 from keystone import exception
 from keystone import identity
 from keystone.tests import unit
 from keystone.tests.unit import test_ldap_livetest
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 def create_object(dn, attrs):
diff --git a/keystone/tests/unit/test_middleware.py b/keystone/tests/unit/test_middleware.py
index 0f574878d2..aede051f1d 100644
--- a/keystone/tests/unit/test_middleware.py
+++ b/keystone/tests/unit/test_middleware.py
@@ -16,12 +16,12 @@ import copy
 import hashlib
 import uuid
-from oslo_config import cfg
 from six.moves import http_client
 import webtest
 from keystone.common import authorization
 from keystone.common import tokenless_auth
+import keystone.conf
 from keystone import exception
 from keystone.federation import constants as federation_constants
 from keystone import middleware
@@ -30,7 +30,7 @@ from keystone.tests.unit import mapping_fixtures
 from keystone.tests.unit import test_backend_sql
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 class MiddlewareRequestTestBase(unit.TestCase):
diff --git a/keystone/tests/unit/test_sql_upgrade.py b/keystone/tests/unit/test_sql_upgrade.py
index d863389ef7..8a9f1e4819 100644
--- a/keystone/tests/unit/test_sql_upgrade.py
+++ b/keystone/tests/unit/test_sql_upgrade.py
@@ -38,7 +38,6 @@ import migrate
 from migrate.versioning import api as versioning_api
 from migrate.versioning import repository
 import mock
-from oslo_config import cfg
 from oslo_db import exception as db_exception
 from oslo_db.sqlalchemy import migration
 from oslo_db.sqlalchemy import test_base
@@ -48,13 +47,14 @@ from testtools import matchers
 from keystone.common import sql
 from keystone.common.sql import migration_helpers
+import keystone.conf
 from keystone import exception
 from keystone.tests import unit
 from keystone.tests.unit import default_fixtures
 from keystone.tests.unit.ksfixtures import database
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 # NOTE(morganfainberg): This should be updated when each DB migration collapse
 # is done to mirror the expected structure of the DB in the format of
diff --git a/keystone/tests/unit/test_token_provider.py b/keystone/tests/unit/test_token_provider.py
index d591242497..698f54823f 100644
--- a/keystone/tests/unit/test_token_provider.py
+++ b/keystone/tests/unit/test_token_provider.py
@@ -14,12 +14,12 @@ import datetime
-from oslo_config import cfg
 from oslo_utils import timeutils
 from six.moves import reload_module
 from keystone.common import dependency
 from keystone.common import utils
+import keystone.conf
 from keystone import exception
 from keystone.tests import unit
 from keystone.tests.unit import ksfixtures
@@ -31,7 +31,7 @@ from keystone.token.providers import pkiz
 from keystone.token.providers import uuid
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 FUTURE_DELTA = datetime.timedelta(seconds=CONF.token.expiration)
 CURRENT_DATE = timeutils.utcnow()
diff --git a/keystone/tests/unit/test_v2.py b/keystone/tests/unit/test_v2.py
index 563edef648..6cf2b611ae 100644
--- a/keystone/tests/unit/test_v2.py
+++ b/keystone/tests/unit/test_v2.py
@@ -16,20 +16,20 @@ import time
 import uuid
 from keystoneclient.common import cms
-from oslo_config import cfg
 from oslo_serialization import jsonutils
 import six
 from six.moves import http_client
 from testtools import matchers
 from keystone.common import extension as keystone_extension
+import keystone.conf
 from keystone.tests import unit
 from keystone.tests.unit import default_fixtures
 from keystone.tests.unit import ksfixtures
 from keystone.tests.unit import rest
 from keystone.tests.unit.schema import v2
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 class CoreApiTests(object):
diff --git a/keystone/tests/unit/test_v3.py b/keystone/tests/unit/test_v3.py
index d39feb7181..a72977f0f6 100644
--- a/keystone/tests/unit/test_v3.py
+++ b/keystone/tests/unit/test_v3.py
@@ -15,7 +15,6 @@ import uuid
 import mock
-from oslo_config import cfg
 import oslo_context.context
 from oslo_serialization import jsonutils
 from oslo_utils import timeutils
@@ -27,6 +26,7 @@ from keystone import auth
 from keystone.common import authorization
 from keystone.common import cache
 from keystone.common.validation import validators
+import keystone.conf
 from keystone import exception
 from keystone import middleware
 from keystone.middleware import auth as middleware_auth
@@ -35,7 +35,7 @@ from keystone.tests import unit
 from keystone.tests.unit import rest
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 DEFAULT_DOMAIN_ID = 'default'
 TIME_FORMAT = unit.TIME_FORMAT
diff --git a/keystone/tests/unit/test_v3_assignment.py b/keystone/tests/unit/test_v3_assignment.py
index 9bc923d3a7..d7a5424995 100644
--- a/keystone/tests/unit/test_v3_assignment.py
+++ b/keystone/tests/unit/test_v3_assignment.py
@@ -13,16 +13,16 @@ import random
 import uuid
-from oslo_config import cfg
 from six.moves import http_client
 from six.moves import range
 from testtools import matchers
+import keystone.conf
 from keystone.tests import unit
 from keystone.tests.unit import test_v3
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 class AssignmentTestCase(test_v3.RestfulTestCase,
diff --git a/keystone/tests/unit/test_v3_auth.py b/keystone/tests/unit/test_v3_auth.py
index 2a31c1eb26..3abbe77912 100644
--- a/keystone/tests/unit/test_v3_auth.py
+++ b/keystone/tests/unit/test_v3_auth.py
@@ -20,7 +20,6 @@ import uuid
 from keystoneclient.common import cms
 import mock
-from oslo_config import cfg
 from oslo_log import versionutils
 from oslo_serialization import jsonutils as json
 from oslo_utils import fixture
@@ -34,6 +33,7 @@ from testtools import testcase
 from keystone import auth
 from keystone.auth.plugins import totp
 from keystone.common import utils
+import keystone.conf
 from keystone.contrib.revoke import routers
 from keystone import exception
 from keystone.policy.backends import rules
@@ -42,7 +42,8 @@ from keystone.tests import unit
 from keystone.tests.unit import ksfixtures
 from keystone.tests.unit import test_v3
-CONF = cfg.CONF
+
+CONF = keystone.conf.CONF
 class TestAuthInfo(common_auth.AuthTestMixin, testcase.TestCase):
diff --git a/keystone/tests/unit/test_v3_credential.py b/keystone/tests/unit/test_v3_credential.py
index 07995f190e..993468cf3c 100644
--- a/keystone/tests/unit/test_v3_credential.py
+++ b/keystone/tests/unit/test_v3_credential.py
@@ -17,18 +17,18 @@ import json
 import uuid
 from keystoneclient.contrib.ec2 import utils as ec2_utils
-from oslo_config import cfg
 from six.moves import http_client
 from testtools import matchers
 from keystone.common import utils
+import keystone.conf
 from keystone.contrib.ec2 import controllers
 from keystone import exception
 from keystone.tests import unit
 from keystone.tests.unit import test_v3
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 CRED_TYPE_EC2 = controllers.CRED_TYPE_EC2
diff --git a/keystone/tests/unit/test_v3_domain_config.py b/keystone/tests/unit/test_v3_domain_config.py
index eefdecda0e..4200d6a698 100644
--- a/keystone/tests/unit/test_v3_domain_config.py
+++ b/keystone/tests/unit/test_v3_domain_config.py
@@ -13,15 +13,15 @@ import copy
 import uuid
-from oslo_config import cfg
 from six.moves import http_client
+import keystone.conf
 from keystone import exception
 from keystone.tests import unit
 from keystone.tests.unit import test_v3
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 class DomainConfigTestCase(test_v3.RestfulTestCase):
diff --git a/keystone/tests/unit/test_v3_federation.py b/keystone/tests/unit/test_v3_federation.py
index c72362cfd0..681fd40ecd 100644
--- a/keystone/tests/unit/test_v3_federation.py
+++ b/keystone/tests/unit/test_v3_federation.py
@@ -20,7 +20,6 @@ import uuid
 import fixtures
 from lxml import etree
 import mock
-from oslo_config import cfg
 from oslo_log import versionutils
 from oslo_serialization import jsonutils
 from oslo_utils import importutils
@@ -34,6 +33,7 @@ if not xmldsig:
 xmldsig = importutils.try_import("xmldsig")
 from keystone.auth import controllers as auth_controllers
+import keystone.conf
 from keystone.contrib.federation import routers
 from keystone import exception
 from keystone.federation import controllers as federation_controllers
@@ -49,7 +49,7 @@ from keystone.tests.unit import utils
 from keystone.token.providers import common as token_common
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 ROOTDIR = os.path.dirname(os.path.abspath(__file__))
 XMLDIR = os.path.join(ROOTDIR, 'saml2/')
diff --git a/keystone/tests/unit/test_v3_filters.py b/keystone/tests/unit/test_v3_filters.py
index 7ccadb50ec..90b23104ed 100644
--- a/keystone/tests/unit/test_v3_filters.py
+++ b/keystone/tests/unit/test_v3_filters.py
@@ -13,10 +13,10 @@
 # License for the specific language governing permissions and limitations
 # under the License.
-from oslo_config import cfg
 from oslo_serialization import jsonutils
 from six.moves import range
+import keystone.conf
 from keystone.tests import unit
 from keystone.tests.unit import filtering
 from keystone.tests.unit import ksfixtures
@@ -24,7 +24,7 @@ from keystone.tests.unit.ksfixtures import temporaryfile
 from keystone.tests.unit import test_v3
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 class IdentityTestFilteredCase(filtering.FilterTests,
diff --git a/keystone/tests/unit/test_v3_identity.py b/keystone/tests/unit/test_v3_identity.py
index b3366e09a0..d46f939898 100644
--- a/keystone/tests/unit/test_v3_identity.py
+++ b/keystone/tests/unit/test_v3_identity.py
@@ -16,18 +16,18 @@ import uuid
 import fixtures
 import mock
-from oslo_config import cfg
 from oslo_log import log
 from six.moves import http_client
 from testtools import matchers
 from keystone.common import controller
+import keystone.conf
 from keystone import exception
 from keystone.tests import unit
 from keystone.tests.unit import test_v3
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 # NOTE(morganfainberg): To be removed when admin_token_auth middleware is
diff --git a/keystone/tests/unit/test_v3_protection.py b/keystone/tests/unit/test_v3_protection.py
index e0ed0cc20c..96aa14513e 100644
--- a/keystone/tests/unit/test_v3_protection.py
+++ b/keystone/tests/unit/test_v3_protection.py
@@ -15,10 +15,10 @@ import uuid
-from oslo_config import cfg
 from oslo_serialization import jsonutils
 from six.moves import http_client
+import keystone.conf
 from keystone import exception
 from keystone.tests import unit
 from keystone.tests.unit import ksfixtures
@@ -27,7 +27,7 @@ from keystone.tests.unit import test_v3
 from keystone.tests.unit import utils
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 class IdentityTestProtectedCase(test_v3.RestfulTestCase):
diff --git a/keystone/tests/unit/test_v3_resource.py b/keystone/tests/unit/test_v3_resource.py
index 1d6f4ac3cd..8523ddb1d5 100644
--- a/keystone/tests/unit/test_v3_resource.py
+++ b/keystone/tests/unit/test_v3_resource.py
@@ -12,19 +12,19 @@ import uuid
-from oslo_config import cfg
 from six.moves import http_client
 from six.moves import range
 from testtools import matchers
 from keystone.common import controller
+import keystone.conf
 from keystone import exception
 from keystone.tests import unit
 from keystone.tests.unit import test_v3
 from keystone.tests.unit import utils as test_utils
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 class ResourceTestCase(test_v3.RestfulTestCase,
diff --git a/keystone/tests/unit/test_versions.py b/keystone/tests/unit/test_versions.py
index 0ef5adef0f..de604ec78a 100644
--- a/keystone/tests/unit/test_versions.py
+++ b/keystone/tests/unit/test_versions.py
@@ -18,19 +18,20 @@ import functools
 import random
 import mock
-from oslo_config import cfg
 from oslo_serialization import jsonutils
 from six.moves import http_client
 from testtools import matchers as tt_matchers
 import webob
 from keystone.common import json_home
+import keystone.conf
 from keystone.tests import unit
 from keystone.tests.unit import utils
 from keystone.version import controllers
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
+
 v2_MEDIA_TYPES = [
 {
diff --git a/keystone/tests/unit/token/test_backends.py b/keystone/tests/unit/token/test_backends.py
index feb7e017ac..6fe9738303 100644
--- a/keystone/tests/unit/token/test_backends.py
+++ b/keystone/tests/unit/token/test_backends.py
@@ -16,18 +16,18 @@ import hashlib
 import uuid
 from keystoneclient.common import cms
-from oslo_config import cfg
 from oslo_utils import timeutils
 import six
 from six.moves import range
+import keystone.conf
 from keystone import exception
 from keystone.tests import unit
 from keystone.tests.unit import utils as test_utils
 from keystone.token import provider
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 NULL_OBJECT = object()
diff --git a/keystone/tests/unit/token/test_fernet_provider.py b/keystone/tests/unit/token/test_fernet_provider.py
index f6194f9c32..bcb0674d71 100644
--- a/keystone/tests/unit/token/test_fernet_provider.py
+++ b/keystone/tests/unit/token/test_fernet_provider.py
@@ -20,8 +20,8 @@ import msgpack
 from oslo_utils import timeutils
 from six.moves import urllib
-from keystone.common import config
 from keystone.common import utils
+import keystone.conf
 from keystone import exception
 from keystone.federation import constants as federation_constants
 from keystone.tests import unit
@@ -33,7 +33,7 @@ from keystone.token.providers.fernet import token_formatters
 from keystone.token.providers.fernet import utils as fernet_utils
-CONF = config.CONF
+CONF = keystone.conf.CONF
 class TestFernetTokenProvider(unit.TestCase):
diff --git a/keystone/tests/unit/token/test_token_model.py b/keystone/tests/unit/token/test_token_model.py
index 8e0015697e..e113e38fee 100644
--- a/keystone/tests/unit/token/test_token_model.py
+++ b/keystone/tests/unit/token/test_token_model.py
@@ -13,10 +13,10 @@ import copy
 import uuid
-from oslo_config import cfg
 from oslo_utils import timeutils
 from six.moves import range
+import keystone.conf
 from keystone import exception
 from keystone.federation import constants as federation_constants
 from keystone.models import token_model
@@ -24,7 +24,7 @@ from keystone.tests.unit import core
 from keystone.tests.unit import test_token_provider
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 class TestKeystoneTokenModel(core.TestCase):
diff --git a/keystone/token/_simple_cert.py b/keystone/token/_simple_cert.py
index 9c3692556a..c33b9d696b 100644
--- a/keystone/token/_simple_cert.py
+++ b/keystone/token/_simple_cert.py
@@ -14,7 +14,6 @@ # it is only used in support of the PKI/PKIz token providers.
 import functools
-from oslo_config import cfg
 import webob
 from keystone.common import controller
@@ -22,10 +21,11 @@ from keystone.common import dependency
 from keystone.common import extension
 from keystone.common import json_home
 from keystone.common import wsgi
+import keystone.conf
 from keystone import exception
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 EXTENSION_DATA = {
     'name': 'OpenStack Simple Certificate API',
     'namespace': 'http://docs.openstack.org/identity/api/ext/'
diff --git a/keystone/token/controllers.py b/keystone/token/controllers.py
index a045ebd6ad..3baf389579 100644
--- a/keystone/token/controllers.py
+++ b/keystone/token/controllers.py
@@ -17,7 +17,6 @@ import sys
 from keystone.common import utils
 from keystoneclient.common import cms
-from oslo_config import cfg
 from oslo_log import log
 from oslo_serialization import jsonutils
 from oslo_utils import timeutils
@@ -26,13 +25,14 @@ import six
 from keystone.common import controller
 from keystone.common import dependency
 from keystone.common import wsgi
+import keystone.conf
 from keystone import exception
 from keystone.i18n import _
 from keystone.models import token_model
 from keystone.token import provider
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 LOG = log.getLogger(__name__)
diff --git a/keystone/token/persistence/backends/kvs.py b/keystone/token/persistence/backends/kvs.py
index 46fc5c07e0..1225f04945 100644
--- a/keystone/token/persistence/backends/kvs.py
+++ b/keystone/token/persistence/backends/kvs.py
@@ -17,20 +17,20 @@ from __future__ import absolute_import
 import copy
 import threading
-from oslo_config import cfg
 from oslo_log import log
 from oslo_utils import timeutils
 import six
 from keystone.common import kvs
 from keystone.common import utils
+import keystone.conf
 from keystone import exception
 from keystone.i18n import _, _LE, _LW
 from keystone import token
 from keystone.token import provider
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 LOG = log.getLogger(__name__)
 STORE_CONF_LOCK = threading.Lock()
diff --git a/keystone/token/persistence/backends/memcache.py b/keystone/token/persistence/backends/memcache.py
index e6b0fcab42..fb57f704c1 100644
--- a/keystone/token/persistence/backends/memcache.py
+++ b/keystone/token/persistence/backends/memcache.py
@@ -13,13 +13,13 @@ # License for the specific language governing permissions and limitations
 # under the License.
-from oslo_config import cfg
 from oslo_log import versionutils
+import keystone.conf
 from keystone.token.persistence.backends import kvs
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 class Token(kvs.Token):
diff --git a/keystone/token/persistence/backends/memcache_pool.py b/keystone/token/persistence/backends/memcache_pool.py
index 39a5ca65ae..2c12d6874b 100644
--- a/keystone/token/persistence/backends/memcache_pool.py
+++ b/keystone/token/persistence/backends/memcache_pool.py
@@ -10,13 +10,13 @@ # License for the specific language governing permissions and limitations
 # under the License.
-from oslo_config import cfg
 from oslo_log import versionutils
+import keystone.conf
 from keystone.token.persistence.backends import memcache
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 class Token(memcache.Token):
diff --git a/keystone/token/persistence/backends/sql.py b/keystone/token/persistence/backends/sql.py
index fd9e0977e1..f74926919c 100644
--- a/keystone/token/persistence/backends/sql.py
+++ b/keystone/token/persistence/backends/sql.py
@@ -15,18 +15,18 @@ import copy
 import functools
-from oslo_config import cfg
 from oslo_log import log
 from oslo_utils import timeutils
 from keystone.common import sql
+import keystone.conf
 from keystone import exception
 from keystone.i18n import _LI
 from keystone import token
 from keystone.token import provider
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 LOG = log.getLogger(__name__)
diff --git a/keystone/token/persistence/core.py b/keystone/token/persistence/core.py
index 00c40a0be7..5f91cd818b 100644
--- a/keystone/token/persistence/core.py
+++ b/keystone/token/persistence/core.py
@@ -17,7 +17,6 @@ import abc
 import copy
-from oslo_config import cfg
 from oslo_log import log
 from oslo_utils import timeutils
 import six
@@ -25,12 +24,13 @@ import six
 from keystone.common import cache
 from keystone.common import dependency
 from keystone.common import manager
+import keystone.conf
 from keystone import exception
 from keystone.i18n import _LW
 from keystone.token import utils
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 LOG = log.getLogger(__name__)
 MEMOIZE = cache.get_memoization_decorator(group='token')
 REVOCATION_MEMOIZE = cache.get_memoization_decorator(group='token',
diff --git a/keystone/token/provider.py b/keystone/token/provider.py
index 37710eb0bf..9f29cd6db5 100644
--- a/keystone/token/provider.py
+++ b/keystone/token/provider.py
@@ -20,7 +20,6 @@ import datetime
 import sys
 import uuid
-from oslo_config import cfg
 from oslo_log import log
 from oslo_utils import timeutils
 import six
@@ -28,6 +27,7 @@ import six
 from keystone.common import cache
 from keystone.common import dependency
 from keystone.common import manager
+import keystone.conf
 from keystone import exception
 from keystone.i18n import _, _LE
 from keystone.models import token_model
@@ -37,7 +37,7 @@ from keystone.token import providers
 from keystone.token import utils
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 LOG = log.getLogger(__name__)
 MEMOIZE = cache.get_memoization_decorator(group='token')
diff --git a/keystone/token/providers/common.py b/keystone/token/providers/common.py
index 86ade33a7f..2de1d38dab 100644
--- a/keystone/token/providers/common.py
+++ b/keystone/token/providers/common.py
@@ -12,7 +12,6 @@ # License for the specific language governing permissions and limitations
 # under the License.
-from oslo_config import cfg
 from oslo_log import log
 from oslo_serialization import jsonutils
 import six
@@ -21,6 +20,7 @@ from six.moves.urllib import parse
 from keystone.common import controller as common_controller
 from keystone.common import dependency
 from keystone.common import utils
+import keystone.conf
 from keystone import exception
 from keystone.federation import constants as federation_constants
 from keystone.i18n import _, _LE
@@ -29,7 +29,7 @@ from keystone.token import provider
 LOG = log.getLogger(__name__)
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 @dependency.requires('catalog_api', 'resource_api', 'assignment_api')
diff --git a/keystone/token/providers/fernet/core.py b/keystone/token/providers/fernet/core.py
index 52fa80c806..9c0a51b8f6 100644
--- a/keystone/token/providers/fernet/core.py
+++ b/keystone/token/providers/fernet/core.py
@@ -12,17 +12,17 @@ import os
-from oslo_config import cfg
 from keystone.common import dependency
 from keystone.common import utils as ks_utils
+import keystone.conf
 from keystone.federation import constants as federation_constants
 from keystone.i18n import _
 from keystone.token.providers import common
 from keystone.token.providers.fernet import token_formatters as tf
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 @dependency.requires('trust_api', 'oauth_api')
diff --git a/keystone/token/providers/fernet/token_formatters.py b/keystone/token/providers/fernet/token_formatters.py
index 4afe068032..1571af9f83 100644
--- a/keystone/token/providers/fernet/token_formatters.py
+++ b/keystone/token/providers/fernet/token_formatters.py
@@ -17,7 +17,6 @@ import uuid
 from cryptography import fernet
 import msgpack
-from oslo_config import cfg
 from oslo_log import log
 from oslo_utils import timeutils
 import six
@@ -26,13 +25,14 @@ from six.moves import urllib
 from keystone.auth import plugins as auth_plugins
 from keystone.common import utils as ks_utils
+import keystone.conf
 from keystone import exception
 from keystone.i18n import _, _LI
 from keystone.token import provider
 from keystone.token.providers.fernet import utils
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 LOG = log.getLogger(__name__)
 # Fernet byte indexes as as computed by pypi/keyless_fernet and defined in
diff --git a/keystone/token/providers/fernet/utils.py b/keystone/token/providers/fernet/utils.py
index 1c3552d4de..ddff1307ea 100644
--- a/keystone/token/providers/fernet/utils.py
+++ b/keystone/token/providers/fernet/utils.py
@@ -14,15 +14,15 @@ import os
 import stat
 from cryptography import fernet
-from oslo_config import cfg
 from oslo_log import log
+import keystone.conf
 from keystone.i18n import _LE, _LW, _LI
 LOG = log.getLogger(__name__)
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 def validate_key_repository(requires_write=False):
diff --git a/keystone/token/providers/pki.py b/keystone/token/providers/pki.py
index 2eb2e69b90..a43861370d 100644
--- a/keystone/token/providers/pki.py
+++ b/keystone/token/providers/pki.py
@@ -17,18 +17,18 @@ import subprocess # nosec : used to catch subprocess exceptions
 from keystoneclient.common import cms
-from oslo_config import cfg
 from oslo_log import log
 from oslo_log import versionutils
 from oslo_serialization import jsonutils
 from keystone.common import utils
+import keystone.conf
 from keystone import exception
 from keystone.i18n import _, _LE
 from keystone.token.providers import common
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 LOG = log.getLogger(__name__)
diff --git a/keystone/token/providers/pkiz.py b/keystone/token/providers/pkiz.py
index 50d1523ed0..69ebd86acd 100644
--- a/keystone/token/providers/pkiz.py
+++ b/keystone/token/providers/pkiz.py
@@ -15,18 +15,18 @@ import subprocess # nosec : used to catch subprocess exceptions
 from keystoneclient.common import cms
-from oslo_config import cfg
 from oslo_log import log
 from oslo_log import versionutils
 from oslo_serialization import jsonutils
 from keystone.common import utils
+import keystone.conf
 from keystone import exception
 from keystone.i18n import _
 from keystone.token.providers import common
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 LOG = log.getLogger(__name__)
 ERROR_MESSAGE = _('Unable to sign token.')
diff --git a/keystone/token/utils.py b/keystone/token/utils.py
index 96a09246e9..1243e4bc8c 100644
--- a/keystone/token/utils.py
+++ b/keystone/token/utils.py
@@ -11,7 +11,11 @@ # under the License.
 from keystoneclient.common import cms
-from oslo_config import cfg
+
+import keystone.conf
+
+
+CONF = keystone.conf.CONF
 def generate_unique_id(token_id):
@@ -24,4 +28,4 @@ def generate_unique_id(token_id):
     returns the passed-in value (such as a UUID token ID or an existing
     hash).
     """
-    return cms.cms_hash_token(token_id, mode=cfg.CONF.token.hash_algorithm)
+    return cms.cms_hash_token(token_id, mode=CONF.token.hash_algorithm)
diff --git a/keystone/trust/core.py b/keystone/trust/core.py
index e7dc0ffa81..af4feee747 100644
--- a/keystone/trust/core.py
+++ b/keystone/trust/core.py
@@ -16,18 +16,18 @@ import abc
-from oslo_config import cfg
 import six
 from six.moves import zip
 from keystone.common import dependency
 from keystone.common import manager
+import keystone.conf
 from keystone import exception
 from keystone.i18n import _
 from keystone import notifications
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 @dependency.requires('identity_api')
diff --git a/keystone/version/service.py b/keystone/version/service.py
index 229603173b..f63e02c2d7 100644
--- a/keystone/version/service.py
+++ b/keystone/version/service.py
@@ -15,7 +15,6 @@ import functools
 import sys
-from oslo_config import cfg
 from oslo_log import log
 from paste import deploy
 import routes
@@ -24,6 +23,7 @@ from keystone.assignment import routers as assignment_routers
 from keystone.auth import routers as auth_routers
 from keystone.catalog import routers as catalog_routers
 from keystone.common import wsgi
+import keystone.conf
 from keystone.credential import routers as credential_routers
 from keystone.endpoint_policy import routers as endpoint_policy_routers
 from keystone.federation import routers as federation_routers
@@ -42,7 +42,7 @@ from keystone.version import controllers
 from keystone.version import routers
-CONF = cfg.CONF
+CONF = keystone.conf.CONF
 LOG = log.getLogger(__name__)
diff --git a/keystone_tempest_plugin/config.py b/keystone_tempest_plugin/config.py
index aaebcfb171..79cbad3d3a 100644
--- a/keystone_tempest_plugin/config.py
+++ b/keystone_tempest_plugin/config.py
@@ -13,7 +13,6 @@ # License for the specific language governing permissions and limitations
 # under the License.
-
 from oslo_config import cfg
diff --git a/setup.cfg b/setup.cfg
index ad3e5ca3e0..8a5a8a5014 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -181,10 +181,10 @@ keystone.revoke =
     sql = keystone.revoke.backends.sql:Revoke
 oslo.config.opts =
-    keystone = keystone.common.config:list_opts
+    keystone = keystone.conf.opts:list_opts
 oslo.config.opts.defaults =
-    keystone = keystone.common.config:set_external_opts_defaults
+    keystone = keystone.conf:set_external_opts_defaults
 paste.filter_factory =
     admin_token_auth = keystone.middleware:AdminTokenAuthMiddleware.factory
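Review bot: The `oslo.config.opts.defaults` entry point now resolves to `keystone.conf:set_external_opts_defaults`, so any consumer of that entry point (the config generator, for one) imports the `keystone.conf` package, which the commit description says registers every Keystone option as an import side effect; nothing in this section records that the entry point depends on it. A one-line comment above the entry, `# keystone.conf registers all options on import; keep these entry points inside that package`, would make the coupling explicit, and the same presumably applies to the `keystone.conf.opts:list_opts` entry two lines up. The function itself lives in keystone/conf/__init__.py, outside this hunk, so a docstring note there on the import-time registration would be the other place to say it.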