Merge redux branch (keystone light)
Change-Id: I2cb5b198a06848f42f919ea49e338443131e263e
|
@ -1,21 +1,17 @@
|
||||||
*.pyc
|
*.pyc
|
||||||
.cache/
|
*.swp
|
||||||
.project
|
vendor
|
||||||
.project/
|
.ksl-venv
|
||||||
.pydevproject
|
|
||||||
.pydevproject/
|
|
||||||
.settings/
|
|
||||||
.keystone-venv/
|
|
||||||
.venv
|
.venv
|
||||||
build/
|
.tox
|
||||||
dist/
|
|
||||||
doc/source/sourcecode
|
|
||||||
keystone.egg-info/
|
keystone.egg-info/
|
||||||
*.db
|
run_tests.log
|
||||||
.*.swp
|
|
||||||
*.log
|
|
||||||
*.pid
|
|
||||||
pidfile
|
|
||||||
*.komodoproject
|
|
||||||
.coverage
|
.coverage
|
||||||
|
covhtml
|
||||||
|
pep8.txt
|
||||||
|
nosetests.xml
|
||||||
|
bla.db
|
||||||
|
docs/build
|
||||||
.DS_Store
|
.DS_Store
|
||||||
|
docs/source/modules.rst
|
||||||
|
docs/source/keystone.*
|
||||||
|
|
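Review bot: The new ignore list drops the wildcard patterns `*.db`, `*.log`, `*.pid` and `pidfile` and keeps only the single names `bla.db` and `run_tests.log`, so any other local database, log or pid file in a working tree can now be picked up by `git add`. The README removed in this same change says the default configuration creates a `keystone.db` SQLite database in the keystone folder, and an identity store's database is exactly the kind of file that should never reach a commit. Suggest keeping `*.db`, `*.log` and `*.pid` alongside the new entries, and keeping `build/` and `dist/` if packaging artifacts are still produced in the tree.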
16
.mailmap
|
@ -1,16 +0,0 @@
|
||||||
<dolph.mathews@rackspace.com> <dolph.mathews@gmail.com>
|
|
||||||
Edouard Thuleau <edouard1.thuleau@orange.com>
|
|
||||||
<jeblair@hp.com> <corvus@gnu.org>
|
|
||||||
<jeblair@hp.com> <james.blair@rackspace.com>
|
|
||||||
<joon.eo@gmail.com> <john.eo@rackspace.com>
|
|
||||||
Khaled Hussein <khaled.hussein@gmail.com> KnightHacker <khaled.hussein@rackspace.com>
|
|
||||||
Khaled Hussein <khaled.hussein@gmail.com> Khaled Hussein <khaled.hussein@rackspace.com>
|
|
||||||
<rjuvvadi@hcl.com> <ramana@venus.lekha.org>
|
|
||||||
<rjuvvadi@hcl.com> <rrjuvvadi@gmail.com>
|
|
||||||
<xtoddx@gmail.com> <todd@rubidine.com>
|
|
||||||
<github@highbridgellc.com> <gihub@highbridgellc.com>
|
|
||||||
<github@highbridgellc.com> <ziad.sawalha@rackspace.com>
|
|
||||||
sirish.bitra <sirish.bitra@gmail.com> sirish bitra <sirish.bitra@gmail.com>
|
|
||||||
sirish.bitra <sirish.bitra@gmail.com> sirishbitra <sirish.bitra@gmail.com>
|
|
||||||
sirish.bitra <sirish.bitra@gmail.com> bsirish <sirish.bitra@gmail.com>
|
|
||||||
sirish.bitra <sirish.bitra@gmail.com> root <root@bsirish.(none)>
|
|
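Review bot: Removing every mapping in this file means the identities it folded together, such as `root <root@bsirish.(none)>` and the misspelled `<gihub@highbridgellc.com>`, will show up again as separate authors in `git shortlog` and in any author list generated from history. The commit message does not say whether the merged branch carries its own mapping. Suggest keeping `.mailmap` across the merge, or noting in the commit message why it is no longer needed.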
50
AUTHORS
|
@ -1,50 +0,0 @@
|
||||||
Adipudi Praveena <padipudi@padipudi.(none)>
|
|
||||||
Alex Silva <alex.silva@M1BPAGY.(none)>
|
|
||||||
Anne Gentle <anne@openstack.org>
|
|
||||||
Anthony Young <sleepsonthefloor@gmail.com>
|
|
||||||
Brian Lamar <brian.lamar@gmail.com>
|
|
||||||
Dan Prince <dan.prince@rackspace.com>
|
|
||||||
Dolph Mathews <dolph.mathews@gmail.com>
|
|
||||||
Ed Leafe <ed@leafe.com>
|
|
||||||
Edouard Thuleau <edouard1.thuleau@orange.com>
|
|
||||||
Eoghan Glynn <eglynn@redhat.com>
|
|
||||||
gholt <gholt@brim.net>
|
|
||||||
Ionuț Arțăriși <iartarisi@suse.cz>
|
|
||||||
jabdul <abdulkader.j@hcl.com>
|
|
||||||
James E. Blair <jeblair@hp.com>
|
|
||||||
Jason Cannavale <jason.cannavale@rackspace.com>
|
|
||||||
Jay Pipes <jaypipes@gmail.com>
|
|
||||||
Jenkins <jenkins@review.openstack.org>
|
|
||||||
Jesse Andrews <anotherjesse@gmail.com>
|
|
||||||
Joe Savak <joe.savak@rackspace.com>
|
|
||||||
John Dickinson <me@not.mn>
|
|
||||||
John Eo <joon.eo@gmail.com>
|
|
||||||
Jorge L. Williams <jorge.williams@rackspace.com>
|
|
||||||
Joseph W. Breu <joseph.breu@rackspace.com>
|
|
||||||
Josh Kearney <josh@jk0.org>
|
|
||||||
Julien Danjou <julien.danjou@enovance.com>
|
|
||||||
Justin Shepherd <jshepher@rackspace.com>
|
|
||||||
Kevin L. Mitchell <kevin.mitchell@rackspace.com>
|
|
||||||
Khaled Hussein <khaled.hussein@gmail.com>
|
|
||||||
Kiall Mac Innes <kiall@managedit.ie>
|
|
||||||
Mark Gius <mgius7096@gmail.com>
|
|
||||||
Mark McLoughlin <markmc@redhat.com>
|
|
||||||
Monty Taylor <mordred@inaugust.com>
|
|
||||||
Pádraig Brady <P@draigBrady.com>
|
|
||||||
Paul Voccio <paul@substation9.com>
|
|
||||||
Ramana Juvvadi <rjuvvadi@hcl.com>
|
|
||||||
Robin Norwood <robin.norwood@gmail.com>
|
|
||||||
root <root@newapps.(none)>
|
|
||||||
Sai Krishna <saikrishna1511@gmail.com>
|
|
||||||
Sirish Bitra <sirish.bitra@gmail.com>
|
|
||||||
Sony K. Philip <sony@hcleai.com>
|
|
||||||
termie <github@anarkystic.com>
|
|
||||||
Thierry Carrez <thierry@openstack.org>
|
|
||||||
Todd Willey <xtoddx@gmail.com>
|
|
||||||
Will Kelly <the.william.kelly@gmail.com>
|
|
||||||
Vishvananda Ishaya <vishvananda@gmail.com>
|
|
||||||
Yaguang Tang <heut2008@gmail.com>
|
|
||||||
Yogeshwar Srikrishnan <yoga80@yahoo.com>
|
|
||||||
Yuriy Taraday <yorik.sar@gmail.com>
|
|
||||||
Ziad Sawalha <github@highbridgellc.com>
|
|
||||||
Zhongyue Luo <lzyeval@gmail.com>
|
|
68
HACKING
|
@ -1,68 +0,0 @@
|
||||||
Keystone Style Commandments (pilfered from Nova and added to)
|
|
||||||
=============================================================
|
|
||||||
|
|
||||||
Step 1: Read http://www.python.org/dev/peps/pep-0008/
|
|
||||||
Step 2: Read http://www.python.org/dev/peps/pep-0008/ again
|
|
||||||
Step 3: Read on
|
|
||||||
|
|
||||||
Imports
|
|
||||||
-------
|
|
||||||
- thou shalt not import objects, only modules
|
|
||||||
- thou shalt not import more than one module per line
|
|
||||||
- thou shalt not make relative imports
|
|
||||||
- thou shalt organize your imports according to the following template
|
|
||||||
|
|
||||||
::
|
|
||||||
# vim: tabstop=4 shiftwidth=4 softtabstop=4
|
|
||||||
{{stdlib imports in human alphabetical order}}
|
|
||||||
\n
|
|
||||||
{{OpenStack/Keystone imports in human alphabetical order}}
|
|
||||||
\n
|
|
||||||
\n
|
|
||||||
{{begin your code}}
|
|
||||||
|
|
||||||
|
|
||||||
General
|
|
||||||
-------
|
|
||||||
- thou shalt put two newlines twixt toplevel code (funcs, classes, etc)
|
|
||||||
- thou shalt put one newline twixt methods in classes and anywhere else
|
|
||||||
- thou shalt not write "except:", use "except Exception:" at the very least
|
|
||||||
- thou shalt include your name with TODOs as in "TODO(waldo)"
|
|
||||||
- thou shalt not name anything the same name as a builtin or reserved word
|
|
||||||
- thou shouldeth comment profusely
|
|
||||||
- thou shalt not violate causality in our time cone, or else
|
|
||||||
|
|
||||||
|
|
||||||
Human Alphabetical Order Examples
|
|
||||||
---------------------------------
|
|
||||||
::
|
|
||||||
import httplib
|
|
||||||
import logging
|
|
||||||
import random
|
|
||||||
import StringIO
|
|
||||||
import time
|
|
||||||
import unittest
|
|
||||||
|
|
||||||
import keystone.logic.types.fault as fault
|
|
||||||
import keystone.db.sqlalchemy.api as db_api
|
|
||||||
|
|
||||||
Docstrings
|
|
||||||
----------
|
|
||||||
Add them to modules, classes, and functions:
|
|
||||||
"""Summary of the function, class or method, less than 80 characters.
|
|
||||||
|
|
||||||
New paragraph after newline that explains in more detail any general
|
|
||||||
information about the function, class or method. After this, if defining
|
|
||||||
parameters and return types use the Sphinx format. After that an extra
|
|
||||||
newline then close the quotations.
|
|
||||||
|
|
||||||
When writing the docstring for a class, an extra line should be placed
|
|
||||||
after the closing quotations. For more in-depth explanations for these
|
|
||||||
decisions see http://www.python.org/dev/peps/pep-0257/
|
|
||||||
|
|
||||||
:param foo: the foo parameter
|
|
||||||
:param bar: the bar parameter
|
|
||||||
:returns: description of the return value
|
|
||||||
|
|
||||||
"""
|
|
||||||
|
|
|
@ -0,0 +1,192 @@
|
||||||
|
Keystone Style Commandments
|
||||||
|
===========================
|
||||||
|
|
||||||
|
- Step 1: Read http://www.python.org/dev/peps/pep-0008/
|
||||||
|
- Step 2: Read http://www.python.org/dev/peps/pep-0008/ again
|
||||||
|
- Step 3: Read on
|
||||||
|
|
||||||
|
|
||||||
|
General
|
||||||
|
-------
|
||||||
|
- Put two newlines between top-level code (funcs, classes, etc)
|
||||||
|
- Put one newline between methods in classes and anywhere else
|
||||||
|
- Do not write "except:", use "except Exception:" at the very least
|
||||||
|
- Include your name with TODOs as in "#TODO(termie)"
|
||||||
|
- Do not name anything the same name as a built-in or reserved word
|
||||||
|
|
||||||
|
TODO vs FIXME
|
||||||
|
-------------
|
||||||
|
|
||||||
|
- TODO(name): implies that something should be done (cleanup, refactoring,
|
||||||
|
etc), but is expected to be functional.
|
||||||
|
- FIXME(name): implies that the method/function/etc shouldn't be used until
|
||||||
|
that code is resolved and bug fixed.
|
||||||
|
|
||||||
|
Imports
|
||||||
|
-------
|
||||||
|
- Do not import objects, only modules
|
||||||
|
- Do not import more than one module per line
|
||||||
|
- Do not make relative imports
|
||||||
|
- Order your imports by the full module path
|
||||||
|
- Organize your imports according to the following template
|
||||||
|
|
||||||
|
Example::
|
||||||
|
|
||||||
|
# vim: tabstop=4 shiftwidth=4 softtabstop=4
|
||||||
|
{{stdlib imports in human alphabetical order}}
|
||||||
|
\n
|
||||||
|
{{third-party lib imports in human alphabetical order}}
|
||||||
|
\n
|
||||||
|
{{nova imports in human alphabetical order}}
|
||||||
|
\n
|
||||||
|
\n
|
||||||
|
{{begin your code}}
|
||||||
|
|
||||||
|
|
||||||
|
Human Alphabetical Order Examples
|
||||||
|
---------------------------------
|
||||||
|
Example::
|
||||||
|
|
||||||
|
import httplib
|
||||||
|
import logging
|
||||||
|
import random
|
||||||
|
import StringIO
|
||||||
|
import time
|
||||||
|
import unittest
|
||||||
|
|
||||||
|
import eventlet
|
||||||
|
import webob.exc
|
||||||
|
|
||||||
|
import nova.api.ec2
|
||||||
|
from nova.api import openstack
|
||||||
|
from nova.auth import users
|
||||||
|
import nova.flags
|
||||||
|
from nova.endpoint import cloud
|
||||||
|
from nova import test
|
||||||
|
|
||||||
|
|
||||||
|
Docstrings
|
||||||
|
----------
|
||||||
|
Example::
|
||||||
|
|
||||||
|
"""A one line docstring looks like this and ends in a period."""
|
||||||
|
|
||||||
|
|
||||||
|
"""A multiline docstring has a one-line summary, less than 80 characters.
|
||||||
|
|
||||||
|
Then a new paragraph after a newline that explains in more detail any
|
||||||
|
general information about the function, class or method. Example usages
|
||||||
|
are also great to have here if it is a complex class for function.
|
||||||
|
|
||||||
|
When writing the docstring for a class, an extra line should be placed
|
||||||
|
after the closing quotations. For more in-depth explanations for these
|
||||||
|
decisions see http://www.python.org/dev/peps/pep-0257/
|
||||||
|
|
||||||
|
A docstring ends with an empty line before the closing quotations.
|
||||||
|
|
||||||
|
Describe parameters and return values, using the Sphinx format; the
|
||||||
|
appropriate syntax is as follows.
|
||||||
|
|
||||||
|
:param foo: the foo parameter
|
||||||
|
:param bar: the bar parameter
|
||||||
|
:type bar: parameter type for 'bar'
|
||||||
|
:returns: return_type -- description of the return value
|
||||||
|
:returns: description of the return value
|
||||||
|
:raises: AttributeError, KeyError
|
||||||
|
|
||||||
|
"""
|
||||||
|
|
||||||
|
|
||||||
|
Dictionaries/Lists
|
||||||
|
------------------
|
||||||
|
If a dictionary (dict) or list object is longer than 80 characters, its items
|
||||||
|
should be split with newlines. Embedded iterables should have their items
|
||||||
|
indented. Additionally, the last item in the dictionary should have a trailing
|
||||||
|
comma. This increases readability and simplifies future diffs.
|
||||||
|
|
||||||
|
Example::
|
||||||
|
|
||||||
|
my_dictionary = {
|
||||||
|
"image": {
|
||||||
|
"name": "Just a Snapshot",
|
||||||
|
"size": 2749573,
|
||||||
|
"properties": {
|
||||||
|
"user_id": 12,
|
||||||
|
"arch": "x86_64",
|
||||||
|
},
|
||||||
|
"things": [
|
||||||
|
"thing_one",
|
||||||
|
"thing_two",
|
||||||
|
],
|
||||||
|
"status": "ACTIVE",
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
Calling Methods
|
||||||
|
---------------
|
||||||
|
Calls to methods 80 characters or longer should format each argument with
|
||||||
|
newlines. This is not a requirement, but a guideline::
|
||||||
|
|
||||||
|
unnecessarily_long_function_name('string one',
|
||||||
|
'string two',
|
||||||
|
kwarg1=constants.ACTIVE,
|
||||||
|
kwarg2=['a', 'b', 'c'])
|
||||||
|
|
||||||
|
|
||||||
|
Rather than constructing parameters inline, it is better to break things up::
|
||||||
|
|
||||||
|
list_of_strings = [
|
||||||
|
'what_a_long_string',
|
||||||
|
'not as long',
|
||||||
|
]
|
||||||
|
|
||||||
|
dict_of_numbers = {
|
||||||
|
'one': 1,
|
||||||
|
'two': 2,
|
||||||
|
'twenty four': 24,
|
||||||
|
}
|
||||||
|
|
||||||
|
object_one.call_a_method('string three',
|
||||||
|
'string four',
|
||||||
|
kwarg1=list_of_strings,
|
||||||
|
kwarg2=dict_of_numbers)
|
||||||
|
|
||||||
|
|
||||||
|
Internationalization (i18n) Strings
|
||||||
|
-----------------------------------
|
||||||
|
In order to support multiple languages, we have a mechanism to support
|
||||||
|
automatic translations of exception and log strings.
|
||||||
|
|
||||||
|
Example::
|
||||||
|
|
||||||
|
msg = _("An error occurred")
|
||||||
|
raise HTTPBadRequest(explanation=msg)
|
||||||
|
|
||||||
|
If you have a variable to place within the string, first internationalize the
|
||||||
|
template string then do the replacement.
|
||||||
|
|
||||||
|
Example::
|
||||||
|
|
||||||
|
msg = _("Missing parameter: %s") % ("flavor",)
|
||||||
|
LOG.error(msg)
|
||||||
|
|
||||||
|
If you have multiple variables to place in the string, use keyword parameters.
|
||||||
|
This helps our translators reorder parameters when needed.
|
||||||
|
|
||||||
|
Example::
|
||||||
|
|
||||||
|
msg = _("The server with id %(s_id)s has no key %(m_key)s")
|
||||||
|
LOG.error(msg % {"s_id": "1234", "m_key": "imageId"})
|
||||||
|
|
||||||
|
|
||||||
|
Creating Unit Tests
|
||||||
|
-------------------
|
||||||
|
For every new feature, unit tests should be created that both test and
|
||||||
|
(implicitly) document the usage of said feature. If submitting a patch for a
|
||||||
|
bug that had no unit test, a new passing unit test should be added. If a
|
||||||
|
submitted bug fix does have a unit test, be sure to add a new one that fails
|
||||||
|
without the patch and passes with the patch.
|
||||||
|
|
||||||
|
For more information on creating unit tests and utilizing the testing
|
||||||
|
infrastructure in OpenStack Nova, please read nova/testing/README.rst.
|
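Review bot: The added style guide still carries Nova-specific text that does not apply to this repository: the import template says `{{nova imports in human alphabetical order}}`, the ordering example imports `nova.api.ec2`, `nova.flags` and `from nova import test`, and the closing paragraph sends readers to `nova/testing/README.rst` in "OpenStack Nova", a path this change does not add. Suggest substituting Keystone module names and pointing the unit test paragraph at this project's own test documentation. The ordering example also lists `import nova.flags` before `from nova.endpoint import cloud`, which contradicts the new rule "Order your imports by the full module path". In the docstring example, "complex class for function" should read "complex class or function", and the two consecutive `:returns:` lines should be marked as alternatives or reduced to one.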
202
LICENSE
|
@ -1,202 +0,0 @@
|
||||||
|
|
||||||
Apache License
|
|
||||||
Version 2.0, January 2004
|
|
||||||
http://www.apache.org/licenses/
|
|
||||||
|
|
||||||
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
|
|
||||||
|
|
||||||
1. Definitions.
|
|
||||||
|
|
||||||
"License" shall mean the terms and conditions for use, reproduction,
|
|
||||||
and distribution as defined by Sections 1 through 9 of this document.
|
|
||||||
|
|
||||||
"Licensor" shall mean the copyright owner or entity authorized by
|
|
||||||
the copyright owner that is granting the License.
|
|
||||||
|
|
||||||
"Legal Entity" shall mean the union of the acting entity and all
|
|
||||||
other entities that control, are controlled by, or are under common
|
|
||||||
control with that entity. For the purposes of this definition,
|
|
||||||
"control" means (i) the power, direct or indirect, to cause the
|
|
||||||
direction or management of such entity, whether by contract or
|
|
||||||
otherwise, or (ii) ownership of fifty percent (50%) or more of the
|
|
||||||
outstanding shares, or (iii) beneficial ownership of such entity.
|
|
||||||
|
|
||||||
"You" (or "Your") shall mean an individual or Legal Entity
|
|
||||||
exercising permissions granted by this License.
|
|
||||||
|
|
||||||
"Source" form shall mean the preferred form for making modifications,
|
|
||||||
including but not limited to software source code, documentation
|
|
||||||
source, and configuration files.
|
|
||||||
|
|
||||||
"Object" form shall mean any form resulting from mechanical
|
|
||||||
transformation or translation of a Source form, including but
|
|
||||||
not limited to compiled object code, generated documentation,
|
|
||||||
and conversions to other media types.
|
|
||||||
|
|
||||||
"Work" shall mean the work of authorship, whether in Source or
|
|
||||||
Object form, made available under the License, as indicated by a
|
|
||||||
copyright notice that is included in or attached to the work
|
|
||||||
(an example is provided in the Appendix below).
|
|
||||||
|
|
||||||
"Derivative Works" shall mean any work, whether in Source or Object
|
|
||||||
form, that is based on (or derived from) the Work and for which the
|
|
||||||
editorial revisions, annotations, elaborations, or other modifications
|
|
||||||
represent, as a whole, an original work of authorship. For the purposes
|
|
||||||
of this License, Derivative Works shall not include works that remain
|
|
||||||
separable from, or merely link (or bind by name) to the interfaces of,
|
|
||||||
the Work and Derivative Works thereof.
|
|
||||||
|
|
||||||
"Contribution" shall mean any work of authorship, including
|
|
||||||
the original version of the Work and any modifications or additions
|
|
||||||
to that Work or Derivative Works thereof, that is intentionally
|
|
||||||
submitted to Licensor for inclusion in the Work by the copyright owner
|
|
||||||
or by an individual or Legal Entity authorized to submit on behalf of
|
|
||||||
the copyright owner. For the purposes of this definition, "submitted"
|
|
||||||
means any form of electronic, verbal, or written communication sent
|
|
||||||
to the Licensor or its representatives, including but not limited to
|
|
||||||
communication on electronic mailing lists, source code control systems,
|
|
||||||
and issue tracking systems that are managed by, or on behalf of, the
|
|
||||||
Licensor for the purpose of discussing and improving the Work, but
|
|
||||||
excluding communication that is conspicuously marked or otherwise
|
|
||||||
designated in writing by the copyright owner as "Not a Contribution."
|
|
||||||
|
|
||||||
"Contributor" shall mean Licensor and any individual or Legal Entity
|
|
||||||
on behalf of whom a Contribution has been received by Licensor and
|
|
||||||
subsequently incorporated within the Work.
|
|
||||||
|
|
||||||
2. Grant of Copyright License. Subject to the terms and conditions of
|
|
||||||
this License, each Contributor hereby grants to You a perpetual,
|
|
||||||
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
|
||||||
copyright license to reproduce, prepare Derivative Works of,
|
|
||||||
publicly display, publicly perform, sublicense, and distribute the
|
|
||||||
Work and such Derivative Works in Source or Object form.
|
|
||||||
|
|
||||||
3. Grant of Patent License. Subject to the terms and conditions of
|
|
||||||
this License, each Contributor hereby grants to You a perpetual,
|
|
||||||
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
|
||||||
(except as stated in this section) patent license to make, have made,
|
|
||||||
use, offer to sell, sell, import, and otherwise transfer the Work,
|
|
||||||
where such license applies only to those patent claims licensable
|
|
||||||
by such Contributor that are necessarily infringed by their
|
|
||||||
Contribution(s) alone or by combination of their Contribution(s)
|
|
||||||
with the Work to which such Contribution(s) was submitted. If You
|
|
||||||
institute patent litigation against any entity (including a
|
|
||||||
cross-claim or counterclaim in a lawsuit) alleging that the Work
|
|
||||||
or a Contribution incorporated within the Work constitutes direct
|
|
||||||
or contributory patent infringement, then any patent licenses
|
|
||||||
granted to You under this License for that Work shall terminate
|
|
||||||
as of the date such litigation is filed.
|
|
||||||
|
|
||||||
4. Redistribution. You may reproduce and distribute copies of the
|
|
||||||
Work or Derivative Works thereof in any medium, with or without
|
|
||||||
modifications, and in Source or Object form, provided that You
|
|
||||||
meet the following conditions:
|
|
||||||
|
|
||||||
(a) You must give any other recipients of the Work or
|
|
||||||
Derivative Works a copy of this License; and
|
|
||||||
|
|
||||||
(b) You must cause any modified files to carry prominent notices
|
|
||||||
stating that You changed the files; and
|
|
||||||
|
|
||||||
(c) You must retain, in the Source form of any Derivative Works
|
|
||||||
that You distribute, all copyright, patent, trademark, and
|
|
||||||
attribution notices from the Source form of the Work,
|
|
||||||
excluding those notices that do not pertain to any part of
|
|
||||||
the Derivative Works; and
|
|
||||||
|
|
||||||
(d) If the Work includes a "NOTICE" text file as part of its
|
|
||||||
distribution, then any Derivative Works that You distribute must
|
|
||||||
include a readable copy of the attribution notices contained
|
|
||||||
within such NOTICE file, excluding those notices that do not
|
|
||||||
pertain to any part of the Derivative Works, in at least one
|
|
||||||
of the following places: within a NOTICE text file distributed
|
|
||||||
as part of the Derivative Works; within the Source form or
|
|
||||||
documentation, if provided along with the Derivative Works; or,
|
|
||||||
within a display generated by the Derivative Works, if and
|
|
||||||
wherever such third-party notices normally appear. The contents
|
|
||||||
of the NOTICE file are for informational purposes only and
|
|
||||||
do not modify the License. You may add Your own attribution
|
|
||||||
notices within Derivative Works that You distribute, alongside
|
|
||||||
or as an addendum to the NOTICE text from the Work, provided
|
|
||||||
that such additional attribution notices cannot be construed
|
|
||||||
as modifying the License.
|
|
||||||
|
|
||||||
You may add Your own copyright statement to Your modifications and
|
|
||||||
may provide additional or different license terms and conditions
|
|
||||||
for use, reproduction, or distribution of Your modifications, or
|
|
||||||
for any such Derivative Works as a whole, provided Your use,
|
|
||||||
reproduction, and distribution of the Work otherwise complies with
|
|
||||||
the conditions stated in this License.
|
|
||||||
|
|
||||||
5. Submission of Contributions. Unless You explicitly state otherwise,
|
|
||||||
any Contribution intentionally submitted for inclusion in the Work
|
|
||||||
by You to the Licensor shall be under the terms and conditions of
|
|
||||||
this License, without any additional terms or conditions.
|
|
||||||
Notwithstanding the above, nothing herein shall supersede or modify
|
|
||||||
the terms of any separate license agreement you may have executed
|
|
||||||
with Licensor regarding such Contributions.
|
|
||||||
|
|
||||||
6. Trademarks. This License does not grant permission to use the trade
|
|
||||||
names, trademarks, service marks, or product names of the Licensor,
|
|
||||||
except as required for reasonable and customary use in describing the
|
|
||||||
origin of the Work and reproducing the content of the NOTICE file.
|
|
||||||
|
|
||||||
7. Disclaimer of Warranty. Unless required by applicable law or
|
|
||||||
agreed to in writing, Licensor provides the Work (and each
|
|
||||||
Contributor provides its Contributions) on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
|
||||||
implied, including, without limitation, any warranties or conditions
|
|
||||||
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
|
|
||||||
PARTICULAR PURPOSE. You are solely responsible for determining the
|
|
||||||
appropriateness of using or redistributing the Work and assume any
|
|
||||||
risks associated with Your exercise of permissions under this License.
|
|
||||||
|
|
||||||
8. Limitation of Liability. In no event and under no legal theory,
|
|
||||||
whether in tort (including negligence), contract, or otherwise,
|
|
||||||
unless required by applicable law (such as deliberate and grossly
|
|
||||||
negligent acts) or agreed to in writing, shall any Contributor be
|
|
||||||
liable to You for damages, including any direct, indirect, special,
|
|
||||||
incidental, or consequential damages of any character arising as a
|
|
||||||
result of this License or out of the use or inability to use the
|
|
||||||
Work (including but not limited to damages for loss of goodwill,
|
|
||||||
work stoppage, computer failure or malfunction, or any and all
|
|
||||||
other commercial damages or losses), even if such Contributor
|
|
||||||
has been advised of the possibility of such damages.
|
|
||||||
|
|
||||||
9. Accepting Warranty or Additional Liability. While redistributing
|
|
||||||
the Work or Derivative Works thereof, You may choose to offer,
|
|
||||||
and charge a fee for, acceptance of support, warranty, indemnity,
|
|
||||||
or other liability obligations and/or rights consistent with this
|
|
||||||
License. However, in accepting such obligations, You may act only
|
|
||||||
on Your own behalf and on Your sole responsibility, not on behalf
|
|
||||||
of any other Contributor, and only if You agree to indemnify,
|
|
||||||
defend, and hold each Contributor harmless for any liability
|
|
||||||
incurred by, or claims asserted against, such Contributor by reason
|
|
||||||
of your accepting any such warranty or additional liability.
|
|
||||||
|
|
||||||
END OF TERMS AND CONDITIONS
|
|
||||||
|
|
||||||
APPENDIX: How to apply the Apache License to your work.
|
|
||||||
|
|
||||||
To apply the Apache License to your work, attach the following
|
|
||||||
boilerplate notice, with the fields enclosed by brackets "[]"
|
|
||||||
replaced with your own identifying information. (Don't include
|
|
||||||
the brackets!) The text should be enclosed in the appropriate
|
|
||||||
comment syntax for the file format. We also recommend that a
|
|
||||||
file or class name and description of purpose be included on the
|
|
||||||
same "printed page" as the copyright notice for easier
|
|
||||||
identification within third-party archives.
|
|
||||||
|
|
||||||
Copyright [yyyy] [name of copyright owner]
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
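Review bot: Deleting the full Apache License 2.0 text here, with no replacement visible in this part of the change and a commit message that says only "Merge redux branch (keystone light)", leaves the tree without its license terms. Section 4(a) of the removed text requires that recipients of the Work be given a copy of the License, so a checkout or tarball of this commit would not carry what redistribution needs. Suggest carrying LICENSE over unchanged in the merge, or stating in the commit message where the license text now lives.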
21
MANIFEST.in
|
@ -1,21 +0,0 @@
|
||||||
include AUTHORS
|
|
||||||
include HACKING
|
|
||||||
include LICENSE
|
|
||||||
include MANIFEST.in
|
|
||||||
include README.md
|
|
||||||
include pylintrc
|
|
||||||
include run_tests.py
|
|
||||||
include run_tests.sh
|
|
||||||
include setup.py
|
|
||||||
graft bin
|
|
||||||
graft doc
|
|
||||||
prune doc/source/sourcecode
|
|
||||||
graft etc
|
|
||||||
graft examples
|
|
||||||
graft keystone/content
|
|
||||||
graft keystone/test/etc
|
|
||||||
graft tools
|
|
||||||
recursive-include keystone *.json *.xml *.cfg README
|
|
||||||
include keystone/backends/ldap/keystone.ldif
|
|
||||||
include keystone/backends/ldap/keystone.schema
|
|
||||||
global-exclude *.pyc *.sdx *.log *.db *.swp
|
|
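Review bot: With this file removed, nothing visible in the change lists the non-Python files that a source distribution needs (`keystone/backends/ldap/keystone.ldif`, `keystone/backends/ldap/keystone.schema`, the `etc` tree), and the `global-exclude *.pyc *.sdx *.log *.db *.swp` guard goes with it. The `.gitignore` hunk in this same change also stops ignoring `*.db` and `*.log`, so both layers that kept local databases and logs out of commits and tarballs are dropped together. Suggest that whatever packaging manifest replaces this one keeps the `global-exclude` line, and that the commit message says how data files are packaged after the merge.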
275
README.md
|
@ -1,275 +0,0 @@
|
||||||
# Keystone: OpenStack Identity Service
|
|
||||||
|
|
||||||
Keystone is a Python implementation of the [OpenStack](http://www.openstack.org) identity service API.
|
|
||||||
|
|
||||||
# Documentation
|
|
||||||
|
|
||||||
## For users and sysadmins
|
|
||||||
|
|
||||||
Learn how to install, configure, manage, and interact with the OpenStack
|
|
||||||
Identity Service API at the [OpenStack Documentation](http://docs.openstack.org/) site.
|
|
||||||
|
|
||||||
## For contributors
|
|
||||||
|
|
||||||
Learn how to setup a development environment and then test, run, and contribute to Keystone at the
|
|
||||||
[Contributor Documentation](http://keystone.openstack.org/) site.
|
|
||||||
|
|
||||||
# Questions/Feedback
|
|
||||||
|
|
||||||
Having trouble? We'd like to help!
|
|
||||||
|
|
||||||
* Try the documentation first — it's got answers to many common questions.
|
|
||||||
* Search for information in the archives of the [OpenStack mailing list](http://wiki.openstack.org/MailingLists), or post a question.
|
|
||||||
* Ask a question in the [#openstack IRC channel](http://wiki.openstack.org/UsingIRC).
|
|
||||||
* If you notice errors, please [open a bug](https://bugs.launchpad.net/keystone) and let us know! Please only use the bug tracker for criticisms and improvements. For tech support, use the resources above.
|
|
||||||
|
|
||||||
# For Contributors
|
|
||||||
|
|
||||||
## What's in the box?
|
|
||||||
|
|
||||||
### Services
|
|
||||||
|
|
||||||
* Keystone - identity store and authentication service
|
|
||||||
* Auth_Token - WSGI middleware that can be used to handle token auth protocol (WSGI or remote proxy)
|
|
||||||
* Echo - A sample service that responds by returning call details
|
|
||||||
|
|
||||||
### Also included:
|
|
||||||
|
|
||||||
* Auth_Basic - Stub for WSGI middleware that will be used to handle basic auth
|
|
||||||
* Auth_OpenID - Stub for WSGI middleware that will be used to handle openid auth protocol (to be implemented)
|
|
||||||
* RemoteAuth - WSGI middleware that can be used in services (like Swift, Nova, and Glance) when Auth middleware is running remotely
|
|
||||||
|
|
||||||
### Built-In commands:
|
|
||||||
|
|
||||||
* bin/keystone - Provides HTTP API for users and administrators
|
|
||||||
* bin/keystone-admin - Provides HTTP API for administrators
|
|
||||||
* bin/keystone-service - Provides HTTP API for users
|
|
||||||
* bin/keystone-manage - Provides command-line interface for managing all aspects of Keystone
|
|
||||||
|
|
||||||
## Running Keystone
|
|
||||||
|
|
||||||
Starting both Admin and Service API endpoints:
|
|
||||||
|
|
||||||
$ ./bin/keystone
|
|
||||||
|
|
||||||
Starting the auth server only (exposes the Service API):
|
|
||||||
|
|
||||||
$ ./bin/keystone-auth
|
|
||||||
|
|
||||||
Starting the admin server only (exposes the Admin API):
|
|
||||||
|
|
||||||
$ ./bin/keystone-admin
|
|
||||||
|
|
||||||
By default, configuration parameters (such as the IP and port binding for each service) are parsed from `etc/keystone.conf`.
|
|
||||||
|
|
||||||
## Configuring Keystone
|
|
||||||
|
|
||||||
Keystone gets its configuration from command-line parameters or a `.conf` file. While command line parameters take precedence,
|
|
||||||
Keystone looks in the following location to find a configuration file:
|
|
||||||
|
|
||||||
1. Command line parameter
|
|
||||||
2. /etc/keystone.conf
|
|
||||||
3. /etc/keystone/keystone.conf
|
|
||||||
4. <topdir>/etc/keystone.conf
|
|
||||||
|
|
||||||
Additional configuration templates are maintained in `keystone/test/etc/` that may be useful as a reference.
|
|
||||||
|
|
||||||
### Editing and Building the API Developer Guide
|
|
||||||
|
|
||||||
Users of the Keystone API are often developers making ReSTful API calls to Keystone. The guide to provide them
|
|
||||||
information is therefore called a `Developer Guide`. Developer in this case is not to be confused with contributors
|
|
||||||
working on the Keystone codebase itself.
|
|
||||||
|
|
||||||
The developer guides are automatically generated from XML and other artifacts that live in the
|
|
||||||
[OpenStack Manuals project](https://launchpad.net/openstack-manuals).
|
|
||||||
|
|
||||||
To build the Developer Guide from source, you need [Maven](http://maven.apache.org/). To build the docs and publish a new PDF:
|
|
||||||
|
|
||||||
$ cd to folder with the pom.xml file
|
|
||||||
$ mvn clean generate-sources && cp target/docbkx/pdf/identitydevguide.pdf ../../keystone/content/identitydevguide.pdf
|
|
||||||
|
|
||||||
The output will go into the `target` folder (the source is in `src`). Output generated is PDF and webhelp.
|
|
||||||
|
|
||||||
# Additional Information:
|
|
||||||
|
|
||||||
## Sample data
|
|
||||||
|
|
||||||
A set of sample data can be loaded by running a shell script:
|
|
||||||
|
|
||||||
$ ./bin/sampledata
|
|
||||||
|
|
||||||
The script calls `keystone-manage` to import the sample data.
|
|
||||||
|
|
||||||
After starting keystone or running `keystone-manage` a `keystone.db` sqlite database should be created in the keystone folder,
|
|
||||||
per the default configuration.
|
|
||||||
|
|
||||||
## Demo
|
|
||||||
|
|
||||||
To run client demo (with all auth middleware running locally on sample service):
|
|
||||||
|
|
||||||
$ ./examples/echo/bin/echod
|
|
||||||
$ python examples/echo/echo_client.py
|
|
||||||
|
|
||||||
## CURL commands
|
|
||||||
|
|
||||||
<pre>
|
|
||||||
# Get an unscoped token
|
|
||||||
$ curl -d '{"auth": {"passwordCredentials": {"username": "joeuser", "password": "secrete"}}}' -H "Content-type: application/json" http://localhost:5000/v2.0/tokens
|
|
||||||
|
|
||||||
# Get a token for a tenant
|
|
||||||
$ curl -d '{"auth": {"passwordCredentials": {"username": "joeuser", "password": "secrete"}, "tenantName": "customer-x"}}' -H "Content-type: application/json" http://localhost:5000/v2.0/tokens
|
|
||||||
|
|
||||||
# Get an admin token
|
|
||||||
$ curl -d '{"auth": {"passwordCredentials": {"username": "admin", "password": "secrete"}}}' -H "Content-type: application/json" http://localhost:35357/v2.0/tokens
|
|
||||||
</pre>
|
|
||||||
|
|
||||||
## Load Testing
|
|
||||||
|
|
||||||
<pre>
|
|
||||||
# Create post data
|
|
||||||
$ echo '{"auth": {"passwordCredentials": {"username": "joeuser", "password": "secrete", "tenantName": "customer-x"}}}' > post_data
|
|
||||||
|
|
||||||
# Call Apache Bench
|
|
||||||
$ ab -c 30 -n 1000 -T "application/json" -p post_data http://127.0.0.1:35357/v2.0/tokens
|
|
||||||
</pre>
|
|
||||||
|
|
||||||
## NOVA Integration
|
|
||||||
|
|
||||||
Initial support for using keystone as nova's identity component has been started.
|
|
||||||
|
|
||||||
# clone projects
|
|
||||||
bzr clone lp:nova
|
|
||||||
git clone git://github.com/openstack/keystone.git
|
|
||||||
|
|
||||||
# install keystone on the host which runs nova
|
|
||||||
run "python setup install" to install keystone.
|
|
||||||
|
|
||||||
# run nova-api based on the paste config in keystone
|
|
||||||
nova/bin/nova-api --api_paste_config=keystone/examples/paste/nova-api-paste.ini
|
|
||||||
|
|
||||||
Assuming you added the test data using bin/sampledata, you can then use joeuser/secrete
|
|
||||||
|
|
||||||
## Swift Integration - Quick Start
|
|
||||||
|
|
||||||
1. Install Swift, either from trunk or version 1.4.1 (once it's released) or
|
|
||||||
higher. Do the standard SAIO install with the included TempAuth to be sure
|
|
||||||
you have a working system to start with. This step is beyond the scope of
|
|
||||||
this quick start; see http://swift.openstack.org/development_saio.html for
|
|
||||||
a Swift development set up guide. Once you have a working Swift install, go
|
|
||||||
ahead and shut it down for now (the default Swift install uses the same
|
|
||||||
ports Keystone wants):
|
|
||||||
|
|
||||||
$ swift-init all stop
|
|
||||||
|
|
||||||
2. Obtain and install a source copy of Keystone:
|
|
||||||
|
|
||||||
$ git clone https://github.com/openstack/keystone.git ~/keystone
|
|
||||||
...
|
|
||||||
$ cd ~/keystone && sudo python setup.py develop
|
|
||||||
...
|
|
||||||
|
|
||||||
3. Start up the Keystone service:
|
|
||||||
|
|
||||||
$ cd ~/keystone/bin && ./keystone
|
|
||||||
Starting the Legacy Authentication component
|
|
||||||
Service API listening on 0.0.0.0:5000
|
|
||||||
Admin API listening on 0.0.0.0:35357
|
|
||||||
|
|
||||||
4. In another window, edit the `~/keystone/keystone/test/sampledata.py` file,
|
|
||||||
find the `swift.publicinternets.com` text and replace it with the URL to
|
|
||||||
your Swift cluster using the following format (note that we're going to
|
|
||||||
change Swift to run on port 8888 later):
|
|
||||||
`http://127.0.0.1:8888/v1/AUTH_%tenant_id%`
|
|
||||||
|
|
||||||
5. Create the sample data entries:
|
|
||||||
|
|
||||||
$ cd ~/keystone/bin && ./sampledata
|
|
||||||
...
|
|
||||||
|
|
||||||
6. Reconfigure Swift's proxy server to use Keystone instead of TempAuth.
|
|
||||||
Here's an example `/etc/swift/proxy-server.conf`:
|
|
||||||
|
|
||||||
[DEFAULT]
|
|
||||||
bind_port = 8888
|
|
||||||
user = <user>
|
|
||||||
|
|
||||||
[pipeline:main]
|
|
||||||
pipeline = catch_errors cache keystone proxy-server
|
|
||||||
|
|
||||||
[app:proxy-server]
|
|
||||||
use = egg:swift#proxy
|
|
||||||
account_autocreate = true
|
|
||||||
|
|
||||||
[filter:keystone]
|
|
||||||
use = egg:keystone#tokenauth
|
|
||||||
auth_protocol = http
|
|
||||||
auth_host = 127.0.0.1
|
|
||||||
auth_port = 35357
|
|
||||||
admin_token = 999888777666
|
|
||||||
delay_auth_decision = 0
|
|
||||||
service_protocol = http
|
|
||||||
service_host = 127.0.0.1
|
|
||||||
service_port = 8100
|
|
||||||
service_pass = dTpw
|
|
||||||
|
|
||||||
[filter:cache]
|
|
||||||
use = egg:swift#memcache
|
|
||||||
set log_name = cache
|
|
||||||
|
|
||||||
[filter:catch_errors]
|
|
||||||
use = egg:swift#catch_errors
|
|
||||||
|
|
||||||
7. Start Swift back up with the new configuration:
|
|
||||||
|
|
||||||
$ swift-init main start
|
|
||||||
...
|
|
||||||
|
|
||||||
8. Use `swift` to check everything works (note: you currently have to create a
|
|
||||||
container or upload something as your first action to have the account
|
|
||||||
created; there's a Swift bug to be fixed soon):
|
|
||||||
|
|
||||||
$ swift -A http://127.0.0.1:5000/v1.0 -U joeuser -K secrete post container
|
|
||||||
$ swift -A http://127.0.0.1:5000/v1.0 -U joeuser -K secrete stat -v
|
|
||||||
StorageURL: http://127.0.0.1:8888/v1/AUTH_1234
|
|
||||||
Auth Token: 74ce1b05-e839-43b7-bd76-85ef178726c3
|
|
||||||
Account: AUTH_1234
|
|
||||||
Containers: 1
|
|
||||||
Objects: 0
|
|
||||||
Bytes: 0
|
|
||||||
Accept-Ranges: bytes
|
|
||||||
X-Trans-Id: tx25c1a6969d8f4372b63912f411de3c3b
|
|
||||||
|
|
||||||
**Note: Keystone currently allows any valid token to do anything with any
|
|
||||||
account.**
|
|
||||||
|
|
||||||
But, it works as a demo!
|
|
||||||
|
|
||||||
## LDAP Setup on a Mac
|
|
||||||
|
|
||||||
Using macports:
|
|
||||||
|
|
||||||
sudo port install openldap
|
|
||||||
|
|
||||||
It appears the package `python-ldap` needs to be recompiled to work. So,
|
|
||||||
download it from: http://pypi.python.org/pypi/python-ldap/2.4.1
|
|
||||||
|
|
||||||
After unpacking, edit `setup.cfg` as shown below:
|
|
||||||
|
|
||||||
library_dirs = /opt/local/lib
|
|
||||||
include_dirs = /opt/local/include /usr/include/sasl
|
|
||||||
|
|
||||||
Then, run:
|
|
||||||
|
|
||||||
python setup.py build
|
|
||||||
sudo python setup.py install
|
|
||||||
|
|
||||||
# Relevant Standards and Technologies
|
|
||||||
|
|
||||||
[Overlap of Identity Technologies](https://sites.google.com/site/oauthgoog/Overlap)
|
|
||||||
|
|
||||||
Keystone could potentially integrate with:
|
|
||||||
|
|
||||||
1. [WebID](http://www.w3.org/2005/Incubator/webid/spec/) (See also [FOAF+SSL](http://www.w3.org/wiki/Foaf+ssl))
|
|
||||||
2. [OpenID](http://openid.net/) and/or [OpenIDConnect](http://openidconnect.com/)
|
|
||||||
3. [OAUTH2](http://oauth.net/2/)
|
|
||||||
4. [SAML](http://saml.xml.org/)
|
|
|
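Review bot: the sections removed here ("Running Keystone", "Configuring Keystone" with its four-step config file lookup order, and the curl token examples against ports 5000 and 35357) have no counterpart in the README.rst added by this change, which covers design, backends and policy only. Suggest carrying a short section into README.rst that says how the servers are started after this change and which config file they read, so the default ports and config location stay documented. The bold note in the Swift quick start that any valid token can do anything with any account should be kept, or explicitly retired if it no longer applies.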
@ -0,0 +1,222 @@
|
||||||
|
.. image:: http://term.ie/data/medium_ksl.png
|
||||||
|
:alt: Keystone
|
||||||
|
|
||||||
|
.. toctree::
|
||||||
|
:maxdepth 2
|
||||||
|
|
||||||
|
Keystone is an OpenStack project that provides Identity, Token, Catalog and
|
||||||
|
Policy services for use specifically by projects in the OpenStack family.
|
||||||
|
|
||||||
|
Much of the design is precipitated from the expectation that the auth backends
|
||||||
|
for most deployments will actually be shims in front of existing user systems.
|
||||||
|
|
||||||
|
|
||||||
|
-----------
|
||||||
|
Development
|
||||||
|
-----------
|
||||||
|
|
||||||
|
Building the Documentation
|
||||||
|
--------------------------
|
||||||
|
|
||||||
|
The documentation is all generated with Sphinx from within the docs directory.
|
||||||
|
To generate the full set of HTML documentation:
|
||||||
|
|
||||||
|
cd docs
|
||||||
|
make autodoc
|
||||||
|
make html
|
||||||
|
make man
|
||||||
|
|
||||||
|
the results are in the docs/build/html and docs/build/man directories
|
||||||
|
respectively.
|
||||||
|
|
||||||
|
------------
|
||||||
|
The Services
|
||||||
|
------------
|
||||||
|
|
||||||
|
Keystone is organized as a group of services exposed on one or many endpoints.
|
||||||
|
Many of these services are used in a combined fashion by the frontend, for
|
||||||
|
example an authenticate call will validate user/tenant credentials with the
|
||||||
|
Identity service and, upon success, create and return a token with the Token
|
||||||
|
service.
|
||||||
|
|
||||||
|
|
||||||
|
Identity
|
||||||
|
--------
|
||||||
|
|
||||||
|
The Identity service provides auth credential validation and data about Users,
|
||||||
|
Tenants and Roles, as well as any associated metadata.
|
||||||
|
|
||||||
|
In the basic case all this data is managed by the service, allowing the service
|
||||||
|
to manage all the CRUD associated with the data.
|
||||||
|
|
||||||
|
In other cases, this data is pulled, by varying degrees, from an authoritative
|
||||||
|
backend service. An example of this would be when backending on LDAP. See
|
||||||
|
`LDAP Backend` below for more details.
|
||||||
|
|
||||||
|
|
||||||
|
Token
|
||||||
|
-----
|
||||||
|
|
||||||
|
The Token service validates and manages Tokens used for authenticating requests
|
||||||
|
once a user/tenant's credentials have already been verified.
|
||||||
|
|
||||||
|
|
||||||
|
Catalog
|
||||||
|
-------
|
||||||
|
|
||||||
|
The Catalog service provides an endpoint registry used for endpoint discovery.
|
||||||
|
|
||||||
|
|
||||||
|
Policy
|
||||||
|
------
|
||||||
|
|
||||||
|
The Policy service provides a rule-based authorization engine and the
|
||||||
|
associated rule management interface.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
----------
|
||||||
|
Data Model
|
||||||
|
----------
|
||||||
|
|
||||||
|
Keystone was designed from the ground up to be amenable to multiple styles of
|
||||||
|
backends and as such many of the methods and data types will happily accept
|
||||||
|
more data than they know what to do with and pass them on to a backend.
|
||||||
|
|
||||||
|
There are a few main data types:
|
||||||
|
|
||||||
|
* **User**: has account credentials, is associated with one or more tenants
|
||||||
|
* **Tenant**: unit of ownership in openstack, contains one or more users
|
||||||
|
* **Role**: a first-class piece of metadata associated with many user-tenant pairs.
|
||||||
|
* **Token**: identifying credential associated with a user or user and tenant
|
||||||
|
* **Extras**: bucket of key-value metadata associated with a user-tenant pair.
|
||||||
|
* **Rule**: describes a set of requirements for performing an action.
|
||||||
|
|
||||||
|
While the general data model allows a many-to-many relationship between Users
|
||||||
|
and Tenants and a many-to-one relationship between Extras and User-Tenant pairs,
|
||||||
|
the actual backend implementations take varying levels of advantage of that
|
||||||
|
functionality.
|
||||||
|
|
||||||
|
|
||||||
|
KVS Backend
|
||||||
|
-----------
|
||||||
|
|
||||||
|
A simple backend interface meant to be further backended on anything that can
|
||||||
|
support primary key lookups, the most trivial implementation being an in-memory
|
||||||
|
dict.
|
||||||
|
|
||||||
|
Supports all features of the general data model.
|
||||||
|
|
||||||
|
|
||||||
|
PAM Backend
|
||||||
|
-----------
|
||||||
|
|
||||||
|
Extra simple backend that uses the current system's PAM service to authenticate,
|
||||||
|
providing a one-to-one relationship between Users and Tenants with the `root`
|
||||||
|
User also having the 'admin' role.
|
||||||
|
|
||||||
|
|
||||||
|
Templated Backend
|
||||||
|
-----------------
|
||||||
|
|
||||||
|
Largely designed for a common use case around service catalogs in the Keystone
|
||||||
|
project, a Catalog backend that simply expands pre-configured templates to
|
||||||
|
provide catalog data.
|
||||||
|
|
||||||
|
Example paste.deploy config (uses $ instead of % to avoid ConfigParser's
|
||||||
|
interpolation)::
|
||||||
|
|
||||||
|
[DEFAULT]
|
||||||
|
catalog.RegionOne.identity.publicURL = http://localhost:$(public_port)s/v2.0
|
||||||
|
catalog.RegionOne.identity.adminURL = http://localhost:$(public_port)s/v2.0
|
||||||
|
catalog.RegionOne.identity.internalURL = http://localhost:$(public_port)s/v2.0
|
||||||
|
catalog.RegionOne.identity.name = 'Identity Service'
|
||||||
|
|
||||||
|
|
||||||
|
----------------
|
||||||
|
Approach to CRUD
|
||||||
|
----------------
|
||||||
|
|
||||||
|
While it is expected that any "real" deployment at a large company will manage
|
||||||
|
their users, tenants and other metadata in their existing user systems, a
|
||||||
|
variety of CRUD operations are provided for the sake of development and testing.
|
||||||
|
|
||||||
|
CRUD is treated as an extension or additional feature to the core feature set in
|
||||||
|
that it is not required that a backend support it.
|
||||||
|
|
||||||
|
|
||||||
|
----------------------------------
|
||||||
|
Approach to Authorization (Policy)
|
||||||
|
----------------------------------
|
||||||
|
|
||||||
|
Various components in the system require that different actions are allowed
|
||||||
|
based on whether the user is authorized to perform that action.
|
||||||
|
|
||||||
|
For the purposes of Keystone there are only a couple levels of
|
||||||
|
authorization being checked for:
|
||||||
|
|
||||||
|
* Require that the performing user is considered an admin.
|
||||||
|
* Require that the performing user matches the user being referenced.
|
||||||
|
|
||||||
|
Other systems wishing to use the policy engine will require additional styles
|
||||||
|
of checks and will possibly write completely custom backends. Backends included
|
||||||
|
in Keystone are:
|
||||||
|
|
||||||
|
|
||||||
|
Trivial True
|
||||||
|
------------
|
||||||
|
|
||||||
|
Allows all actions.
|
||||||
|
|
||||||
|
|
||||||
|
Simple Match
|
||||||
|
------------
|
||||||
|
|
||||||
|
Given a list of matches to check for, simply verify that the credentials
|
||||||
|
contain the matches. For example::
|
||||||
|
|
||||||
|
credentials = {'user_id': 'foo', 'is_admin': 1, 'roles': ['nova:netadmin']}
|
||||||
|
|
||||||
|
# An admin only call:
|
||||||
|
policy_api.can_haz(('is_admin:1',), credentials)
|
||||||
|
|
||||||
|
# An admin or owner call:
|
||||||
|
policy_api.can_haz(('is_admin:1', 'user_id:foo'),
|
||||||
|
credentials)
|
||||||
|
|
||||||
|
# A netadmin call:
|
||||||
|
policy_api.can_haz(('roles:nova:netadmin',),
|
||||||
|
credentials)
|
||||||
|
|
||||||
|
|
||||||
|
Credentials are generally built from the user metadata in the 'extras' part
|
||||||
|
of the Identity API. So, adding a 'role' to the user just means adding the role
|
||||||
|
to the user metadata.
|
||||||
|
|
||||||
|
|
||||||
|
Capability RBAC
|
||||||
|
---------------
|
||||||
|
|
||||||
|
(Not yet implemented.)
|
||||||
|
|
||||||
|
Another approach to authorization can be action-based, with a mapping of roles
|
||||||
|
to which capabilities are allowed for that role. For example::
|
||||||
|
|
||||||
|
credentials = {'user_id': 'foo', 'is_admin': 1, 'roles': ['nova:netadmin']}
|
||||||
|
|
||||||
|
# add a policy
|
||||||
|
policy_api.add_policy('action:nova:add_network', ('roles:nova:netadmin',))
|
||||||
|
|
||||||
|
policy_api.can_haz(('action:nova:add_network',), credentials)
|
||||||
|
|
||||||
|
|
||||||
|
In the backend this would look up the policy for 'action:nova:add_network' and
|
||||||
|
then do what is effectively a 'Simple Match' style match against the creds.
|
||||||
|
|
||||||
|
|
||||||
|
-----------
|
||||||
|
Still To Do
|
||||||
|
-----------
|
||||||
|
|
||||||
|
* LDAP backend.
|
||||||
|
* Diablo migration.
|
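Review bot: in the Templated Backend example, `catalog.RegionOne.identity.adminURL` expands `$(public_port)s`, the same port as `publicURL` and `internalURL`; the launcher added in this change reads a separate `admin_port`, so either use `$(admin_port)s` here or say that sharing the port is intended. The Simple Match section should also state whether `can_haz` requires any or all of the listed matches: the text says the credentials must "contain the matches", while the `('is_admin:1', 'user_id:foo')` call is labelled "admin or owner", and that difference decides who is authorized. Minor: `:maxdepth 2` under `.. toctree::` is missing the colon after the option name (`:maxdepth: 2`), and the toctree lists no entries.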
84
bin/keystone
|
@ -1,84 +0,0 @@
|
||||||
#!/usr/bin/env python
|
|
||||||
# vim: tabstop=4 shiftwidth=4 softtabstop=4
|
|
||||||
|
|
||||||
""" This is only a convenience script. It starts two endpoints of Keystone; the
|
|
||||||
first one is a Service API server running on port 5000 (by default), and the
|
|
||||||
second one is an Admin API server running on port 35357 (by default).
|
|
||||||
|
|
||||||
By default, keystone uses bind_host and bind_port to set its litening ports,
|
|
||||||
but since this script runs two endpoints, it uses the following options:
|
|
||||||
|
|
||||||
Setting any of the Admin API values for bind host or port using the
|
|
||||||
admin_* entries in the config file. Specoific to this script only is the
|
|
||||||
-a/--admin-port option on the command-line (nothing else supports that).
|
|
||||||
|
|
||||||
Setting any of the Service API values for bind host or port using the
|
|
||||||
service_* entries in the config file.
|
|
||||||
|
|
||||||
"""
|
|
||||||
|
|
||||||
import optparse
|
|
||||||
import os
|
|
||||||
import sys
|
|
||||||
|
|
||||||
import keystone.tools.tracer # @UnusedImport # module runs on import
|
|
||||||
from keystone.common import config
|
|
||||||
from keystone.config import CONF
|
|
||||||
import keystone.server
|
|
||||||
|
|
||||||
# If ../../keystone/__init__.py exists, add ../ to Python search path, so that
|
|
||||||
# it will override what happens to be installed in /usr/(local/)lib/python...
|
|
||||||
POSSIBLE_TOPDIR = os.path.normpath(os.path.join(os.path.abspath(sys.argv[0]),
|
|
||||||
os.pardir, os.pardir))
|
|
||||||
if os.path.exists(os.path.join(POSSIBLE_TOPDIR, 'keystone', '__init__.py')):
|
|
||||||
sys.path.insert(0, POSSIBLE_TOPDIR)
|
|
||||||
|
|
||||||
|
|
||||||
def get_options():
|
|
||||||
# Initialize a parser for our configuration paramaters
|
|
||||||
# since we have special handling for the -a|--admin-port argument
|
|
||||||
parser = optparse.OptionParser()
|
|
||||||
common_group = config.add_common_options(parser)
|
|
||||||
config.add_log_options(parser)
|
|
||||||
|
|
||||||
# Handle a special argument to support starting two endpoints
|
|
||||||
common_group.add_option(
|
|
||||||
'-a', '--admin-port', dest="admin_port", metavar="PORT",
|
|
||||||
help="specifies port for Admin API to listen on (default is 35357)")
|
|
||||||
|
|
||||||
# Parse CLI arguments and merge with config
|
|
||||||
(options, args) = config.parse_options(parser)
|
|
||||||
return options
|
|
||||||
|
|
||||||
|
|
||||||
def main():
|
|
||||||
# Get merged config and CLI options and admin-specific settings
|
|
||||||
options = get_options()
|
|
||||||
config_file = config.find_config_file(options, sys.argv[1:])
|
|
||||||
CONF(config_files=[config_file])
|
|
||||||
|
|
||||||
# Start services
|
|
||||||
try:
|
|
||||||
# Load Service API Server
|
|
||||||
service = keystone.server.Server(name="Service API",
|
|
||||||
config_name='keystone-legacy-auth')
|
|
||||||
service.start(wait=False)
|
|
||||||
except RuntimeError, e:
|
|
||||||
sys.exit("ERROR: %s" % e)
|
|
||||||
|
|
||||||
try:
|
|
||||||
# Get admin-specific settings
|
|
||||||
port = options.get('admin_port', None)
|
|
||||||
host = options.get('bind_host', None)
|
|
||||||
|
|
||||||
# Load Admin API server
|
|
||||||
admin = keystone.server.Server(name='Admin API', config_name='admin')
|
|
||||||
admin.start(host=host, port=port, wait=True)
|
|
||||||
except RuntimeError, e:
|
|
||||||
sys.exit("ERROR: %s" % e)
|
|
||||||
finally:
|
|
||||||
service.stop()
|
|
||||||
|
|
||||||
|
|
||||||
if __name__ == '__main__':
|
|
||||||
main()
|
|
|
@ -1,69 +0,0 @@
|
||||||
#!/usr/bin/env python
|
|
||||||
# vim: tabstop=4 shiftwidth=4 softtabstop=4
|
|
||||||
|
|
||||||
# Copyright 2010 United States Government as represented by the
|
|
||||||
# Administrator of the National Aeronautics and Space Administration.
|
|
||||||
# Copyright 2011 OpenStack LLC.
|
|
||||||
# All Rights Reserved.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
# not use this file except in compliance with the License. You may obtain
|
|
||||||
# a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
||||||
# License for the specific language governing permissions and limitations
|
|
||||||
# under the License.
|
|
||||||
|
|
||||||
"""
|
|
||||||
Keystone Identity Server - Admin API
|
|
||||||
"""
|
|
||||||
|
|
||||||
import optparse
|
|
||||||
import os
|
|
||||||
import sys
|
|
||||||
|
|
||||||
# If ../../keystone/__init__.py exists, add ../ to Python search path, so that
|
|
||||||
# it will override what happens to be installed in /usr/(local/)lib/python...
|
|
||||||
possible_topdir = os.path.normpath(os.path.join(os.path.abspath(sys.argv[0]),
|
|
||||||
os.pardir,
|
|
||||||
os.pardir))
|
|
||||||
if os.path.exists(os.path.join(possible_topdir, 'keystone', '__init__.py')):
|
|
||||||
sys.path.insert(0, possible_topdir)
|
|
||||||
|
|
||||||
import keystone.tools.tracer # @UnusedImport # module runs on import
|
|
||||||
from keystone.common import config
|
|
||||||
from keystone.config import CONF
|
|
||||||
import keystone.server
|
|
||||||
|
|
||||||
|
|
||||||
def get_options():
|
|
||||||
# Initialize a parser for our configuration paramaters
|
|
||||||
# since we have special handling for the -a|--admin-port argument
|
|
||||||
parser = optparse.OptionParser()
|
|
||||||
common_group = config.add_common_options(parser)
|
|
||||||
config.add_log_options(parser)
|
|
||||||
|
|
||||||
# Parse CLI arguments and merge with config
|
|
||||||
(options, args) = config.parse_options(parser)
|
|
||||||
return options
|
|
||||||
|
|
||||||
|
|
||||||
def main():
|
|
||||||
# Get merged config and CLI options and admin-specific settings
|
|
||||||
options = get_options()
|
|
||||||
config_file = config.find_config_file(options, sys.argv[1:])
|
|
||||||
CONF(config_files=[config_file])
|
|
||||||
try:
|
|
||||||
# Load Admin API server
|
|
||||||
admin = keystone.server.Server(name='Admin API', config_name='admin')
|
|
||||||
admin.start(wait=True)
|
|
||||||
except RuntimeError, e:
|
|
||||||
sys.exit("ERROR: %s" % e)
|
|
||||||
|
|
||||||
|
|
||||||
if __name__ == '__main__':
|
|
||||||
main()
|
|
|
@ -0,0 +1,71 @@
|
||||||
|
#!/usr/bin/env python
|
||||||
|
# vim: tabstop=4 shiftwidth=4 softtabstop=4
|
||||||
|
|
||||||
|
import greenlet
|
||||||
|
import logging
|
||||||
|
import os
|
||||||
|
import sys
|
||||||
|
|
||||||
|
# If ../../keystone/__init__.py exists, add ../ to Python search path, so that
|
||||||
|
# it will override what happens to be installed in /usr/(local/)lib/python...
|
||||||
|
possible_topdir = os.path.normpath(os.path.join(os.path.abspath(sys.argv[0]),
|
||||||
|
os.pardir,
|
||||||
|
os.pardir))
|
||||||
|
if os.path.exists(os.path.join(possible_topdir,
|
||||||
|
'keystone-all',
|
||||||
|
'__init__.py')):
|
||||||
|
sys.path.insert(0, possible_topdir)
|
||||||
|
|
||||||
|
from paste import deploy
|
||||||
|
|
||||||
|
from keystone import config
|
||||||
|
from keystone.common import wsgi
|
||||||
|
|
||||||
|
|
||||||
|
CONF = config.CONF
|
||||||
|
|
||||||
|
|
||||||
|
def create_server(conf, name, port):
|
||||||
|
app = deploy.loadapp('config:%s' % conf, name=name)
|
||||||
|
return wsgi.Server(app, port)
|
||||||
|
|
||||||
|
|
||||||
|
def serve(*servers):
|
||||||
|
for server in servers:
|
||||||
|
logging.debug("starting server %s on port %s", server.application,
|
||||||
|
server.port)
|
||||||
|
server.start()
|
||||||
|
|
||||||
|
for server in servers:
|
||||||
|
try:
|
||||||
|
server.wait()
|
||||||
|
except greenlet.GreenletExit:
|
||||||
|
pass
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == '__main__':
|
||||||
|
dev_conf = os.path.join(possible_topdir,
|
||||||
|
'etc',
|
||||||
|
'keystone.conf')
|
||||||
|
config_files = None
|
||||||
|
if os.path.exists(dev_conf):
|
||||||
|
config_files = [dev_conf]
|
||||||
|
|
||||||
|
CONF(config_files=config_files)
|
||||||
|
|
||||||
|
config.setup_logging(CONF)
|
||||||
|
|
||||||
|
# Log the options used when starting if we're in debug mode...
|
||||||
|
if CONF.debug:
|
||||||
|
CONF.log_opt_values(logging.getLogger(CONF.prog), logging.DEBUG)
|
||||||
|
|
||||||
|
options = deploy.appconfig('config:%s' % CONF.config_file[0])
|
||||||
|
|
||||||
|
servers = []
|
||||||
|
servers.append(create_server(CONF.config_file[0],
|
||||||
|
'admin',
|
||||||
|
int(options['admin_port'])))
|
||||||
|
servers.append(create_server(CONF.config_file[0],
|
||||||
|
'main',
|
||||||
|
int(options['public_port'])))
|
||||||
|
serve(*servers)
|
|
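Review bot: the source-checkout check joins `possible_topdir` with `'keystone-all'` and `'__init__.py'`, but the comment above it, and the scripts removed by this change, test for the `keystone` package directory; as written the condition looks for a directory named `keystone-all`, so `sys.path.insert(0, possible_topdir)` will likely never run and an installed copy of keystone would be imported instead of the checkout. Suggest `os.path.join(possible_topdir, 'keystone', '__init__.py')`. Also, when `etc/keystone.conf` is absent `config_files` stays `None`, yet `CONF.config_file[0]` is indexed three times afterwards with no check; exit with a clear message if no config file was resolved. `create_server` passes only a port to `wsgi.Server`, so the bind address is not configurable here, unlike the `bind_host` handling in the removed `bin/keystone`.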
@ -1,70 +0,0 @@
|
||||||
#!/usr/bin/env python
|
|
||||||
# vim: tabstop=4 shiftwidth=4 softtabstop=4
|
|
||||||
|
|
||||||
# Copyright 2010 United States Government as represented by the
|
|
||||||
# Administrator of the National Aeronautics and Space Administration.
|
|
||||||
# Copyright 2011 OpenStack LLC.
|
|
||||||
# All Rights Reserved.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
# not use this file except in compliance with the License. You may obtain
|
|
||||||
# a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
||||||
# License for the specific language governing permissions and limitations
|
|
||||||
# under the License.
|
|
||||||
|
|
||||||
"""
|
|
||||||
Keystone Identity Server - Service API
|
|
||||||
"""
|
|
||||||
|
|
||||||
import optparse
|
|
||||||
import os
|
|
||||||
import sys
|
|
||||||
|
|
||||||
# If ../../keystone/__init__.py exists, add ../ to Python search path, so that
|
|
||||||
# it will override what happens to be installed in /usr/(local/)lib/python...
|
|
||||||
possible_topdir = os.path.normpath(os.path.join(os.path.abspath(sys.argv[0]),
|
|
||||||
os.pardir,
|
|
||||||
os.pardir))
|
|
||||||
if os.path.exists(os.path.join(possible_topdir, 'keystone', '__init__.py')):
|
|
||||||
sys.path.insert(0, possible_topdir)
|
|
||||||
|
|
||||||
import keystone.tools.tracer # @UnusedImport # module runs on import
|
|
||||||
from keystone.common import config
|
|
||||||
from keystone.config import CONF
|
|
||||||
import keystone.server
|
|
||||||
|
|
||||||
|
|
||||||
def get_options():
|
|
||||||
# Initialize a parser for our configuration paramaters
|
|
||||||
# since we have special handling for the -a|--admin-port argument
|
|
||||||
parser = optparse.OptionParser()
|
|
||||||
common_group = config.add_common_options(parser)
|
|
||||||
config.add_log_options(parser)
|
|
||||||
|
|
||||||
# Parse CLI arguments and merge with config
|
|
||||||
(options, args) = config.parse_options(parser)
|
|
||||||
return options
|
|
||||||
|
|
||||||
|
|
||||||
def main():
|
|
||||||
# Get merged config and CLI options and admin-specific settings
|
|
||||||
options = get_options()
|
|
||||||
config_file = config.find_config_file(options, sys.argv[1:])
|
|
||||||
CONF(config_files=[config_file])
|
|
||||||
try:
|
|
||||||
# Load Service API server
|
|
||||||
server = keystone.server.Server(name='Service API',
|
|
||||||
config_name='keystone-legacy-auth')
|
|
||||||
server.start(wait=True)
|
|
||||||
except RuntimeError, e:
|
|
||||||
sys.exit("ERROR: %s" % e)
|
|
||||||
|
|
||||||
|
|
||||||
if __name__ == '__main__':
|
|
||||||
main()
|
|
|
@ -1,235 +0,0 @@
|
||||||
#!/usr/bin/env python
|
|
||||||
# vim: tabstop=4 shiftwidth=4 softtabstop=4
|
|
||||||
|
|
||||||
# Copyright (c) 2011 OpenStack, LLC.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
|
||||||
# implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
"""
|
|
||||||
Helper script for starting/stopping/reloading Keystone server programs.
|
|
||||||
Copied from Glance. Thanks for some of the code, Swifties ;)
|
|
||||||
"""
|
|
||||||
|
|
||||||
from __future__ import with_statement
|
|
||||||
|
|
||||||
import errno
|
|
||||||
import gettext
|
|
||||||
import os
|
|
||||||
import optparse
|
|
||||||
import resource
|
|
||||||
import signal
|
|
||||||
import sys
|
|
||||||
import time
|
|
||||||
|
|
||||||
# If ../keystone/__init__.py exists, add ../ to Python search path, so that
|
|
||||||
# it will override what happens to be installed in /usr/(local/)lib/python...
|
|
||||||
possible_topdir = os.path.normpath(os.path.join(os.path.abspath(sys.argv[0]),
|
|
||||||
os.pardir,
|
|
||||||
os.pardir))
|
|
||||||
if os.path.exists(os.path.join(possible_topdir, 'keystone', '__init__.py')):
|
|
||||||
sys.path.insert(0, possible_topdir)
|
|
||||||
|
|
||||||
gettext.install('keystone', unicode=1)
|
|
||||||
|
|
||||||
import keystone.version
|
|
||||||
from keystone.common import config
|
|
||||||
|
|
||||||
ALL_COMMANDS = ['start', 'stop', 'shutdown', 'restart',
|
|
||||||
'reload', 'force-reload']
|
|
||||||
ALL_SERVERS = ['keystone-auth', 'keystone-admin']
|
|
||||||
GRACEFUL_SHUTDOWN_SERVERS = ['keystone-auth', 'keystone-admin']
|
|
||||||
MAX_DESCRIPTORS = 32768
|
|
||||||
MAX_MEMORY = (1024 * 1024 * 1024) * 2 # 2 GB
|
|
||||||
USAGE = """%prog [options] <SERVER> <COMMAND> [CONFPATH]
|
|
||||||
|
|
||||||
Where <SERVER> is one of:
|
|
||||||
|
|
||||||
all, auth, admin
|
|
||||||
|
|
||||||
And command is one of:
|
|
||||||
|
|
||||||
start, stop, shutdown, restart, reload, force-reload
|
|
||||||
|
|
||||||
And CONFPATH is the optional configuration file to use."""
|
|
||||||
|
|
||||||
|
|
||||||
def pid_files(server, options):
|
|
||||||
pid_files = []
|
|
||||||
if options['pid_file']:
|
|
||||||
if os.path.exists(os.path.abspath(options['pid_file'])):
|
|
||||||
pid_files = [os.path.abspath(options['pid_file'])]
|
|
||||||
else:
|
|
||||||
if os.path.exists('/var/run/keystone/%s.pid' % server):
|
|
||||||
pid_files = ['/var/run/keystone/%s.pid' % server]
|
|
||||||
for pid_file in pid_files:
|
|
||||||
pid = int(open(pid_file).read().strip())
|
|
||||||
yield pid_file, pid
|
|
||||||
|
|
||||||
|
|
||||||
def do_start(server, options, args):
|
|
||||||
server_type = '-'.join(server.split('-')[:-1])
|
|
||||||
|
|
||||||
for pid_file, pid in pid_files(server, options):
|
|
||||||
if os.path.exists('/proc/%s' % pid):
|
|
||||||
print "%s appears to already be running: %s" % (server, pid_file)
|
|
||||||
return
|
|
||||||
else:
|
|
||||||
print "Removing stale pid file %s" % pid_file
|
|
||||||
os.unlink(pid_file)
|
|
||||||
|
|
||||||
try:
|
|
||||||
resource.setrlimit(resource.RLIMIT_NOFILE,
|
|
||||||
(MAX_DESCRIPTORS, MAX_DESCRIPTORS))
|
|
||||||
resource.setrlimit(resource.RLIMIT_DATA,
|
|
||||||
(MAX_MEMORY, MAX_MEMORY))
|
|
||||||
except ValueError:
|
|
||||||
print "Unable to increase file descriptor limit. Running as non-root?"
|
|
||||||
os.environ['PYTHON_EGG_CACHE'] = '/tmp'
|
|
||||||
|
|
||||||
def write_pid_file(pid_file, pid):
|
|
||||||
dir, file = os.path.split(pid_file)
|
|
||||||
if not os.path.exists(dir):
|
|
||||||
try:
|
|
||||||
os.makedirs(dir)
|
|
||||||
except OSError, err:
|
|
||||||
if err.errno == errno.EACCES:
|
|
||||||
sys.exit('Unable to create %s. Running as non-root?'
|
|
||||||
% dir)
|
|
||||||
fp = open(pid_file, 'w')
|
|
||||||
fp.write('%d\n' % pid)
|
|
||||||
fp.close()
|
|
||||||
|
|
||||||
def launch(ini_file, pid_file):
|
|
||||||
args = [server, ini_file]
|
|
||||||
print 'Starting %s with %s' % (server, ini_file)
|
|
||||||
|
|
||||||
pid = os.fork()
|
|
||||||
if pid == 0:
|
|
||||||
os.setsid()
|
|
||||||
with open(os.devnull, 'r+b') as nullfile:
|
|
||||||
for desc in (0, 1, 2): # close stdio
|
|
||||||
try:
|
|
||||||
os.dup2(nullfile.fileno(), desc)
|
|
||||||
except OSError:
|
|
||||||
pass
|
|
||||||
try:
|
|
||||||
os.execlp('%s' % server, server, ini_file)
|
|
||||||
except OSError, e:
|
|
||||||
sys.exit('unable to launch %s. Got error: %s'
|
|
||||||
% (server, "%s" % e))
|
|
||||||
sys.exit(0)
|
|
||||||
else:
|
|
||||||
write_pid_file(pid_file, pid)
|
|
||||||
|
|
||||||
if not options['pid_file']:
|
|
||||||
pid_file = '/var/run/keystone/%s.pid' % server
|
|
||||||
else:
|
|
||||||
pid_file = os.path.abspath(options['pid_file'])
|
|
||||||
conf_file = config.find_config_file(options, args)
|
|
||||||
if not conf_file:
|
|
||||||
sys.exit("Could not find any configuration file to use!")
|
|
||||||
launch_args = [(conf_file, pid_file)]
|
|
||||||
|
|
||||||
# start all servers
|
|
||||||
for conf_file, pid_file in launch_args:
|
|
||||||
launch(conf_file, pid_file)
|
|
||||||
|
|
||||||
|
|
||||||
def do_stop(server, options, args, graceful=False):
|
|
||||||
if graceful and server in GRACEFUL_SHUTDOWN_SERVERS:
|
|
||||||
sig = signal.SIGHUP
|
|
||||||
else:
|
|
||||||
sig = signal.SIGTERM
|
|
||||||
|
|
||||||
did_anything = False
|
|
||||||
pfiles = pid_files(server, options)
|
|
||||||
for pid_file, pid in pfiles:
|
|
||||||
did_anything = True
|
|
||||||
try:
|
|
||||||
print 'Stopping %s pid: %s signal: %s' % (server, pid, sig)
|
|
||||||
os.kill(pid, sig)
|
|
||||||
except OSError:
|
|
||||||
print "Process %d not running" % pid
|
|
||||||
try:
|
|
||||||
os.unlink(pid_file)
|
|
||||||
except OSError:
|
|
||||||
pass
|
|
||||||
for pid_file, pid in pfiles:
|
|
||||||
for _junk in xrange(150): # 15 seconds
|
|
||||||
if not os.path.exists('/proc/%s' % pid):
|
|
||||||
break
|
|
||||||
time.sleep(0.1)
|
|
||||||
else:
|
|
||||||
print 'Waited 15 seconds for pid %s (%s) to die; giving up' % \
|
|
||||||
(pid, pid_file)
|
|
||||||
if not did_anything:
|
|
||||||
print 'No %s running' % server
|
|
||||||
|
|
||||||
|
|
||||||
if __name__ == '__main__':
|
|
||||||
oparser = optparse.OptionParser(usage=USAGE, version='%%prog %s'
|
|
||||||
% keystone.version.version())
|
|
||||||
oparser.add_option('--pid-file', default=None, metavar="PATH",
|
|
||||||
help="File to use as pid file. Default: "
|
|
||||||
"/var/run/keystone/$server.pid")
|
|
||||||
config.add_common_options(oparser)
|
|
||||||
(options, args) = config.parse_options(oparser)
|
|
||||||
|
|
||||||
if len(args) < 2:
|
|
||||||
oparser.print_usage()
|
|
||||||
sys.exit(1)
|
|
||||||
|
|
||||||
server = args.pop(0).lower()
|
|
||||||
if server == 'all':
|
|
||||||
servers = ALL_SERVERS
|
|
||||||
else:
|
|
||||||
if not server.startswith('keystone-'):
|
|
||||||
server = 'keystone-%s' % server
|
|
||||||
if server not in ALL_SERVERS:
|
|
||||||
server_list = ", ".join([s.replace('keystone-', '')
|
|
||||||
for s in ALL_SERVERS])
|
|
||||||
msg = ("Unknown server '%(server)s' specified. Please specify "
|
|
||||||
"all, or one of the servers: %(server_list)s" % locals())
|
|
||||||
sys.exit(msg)
|
|
||||||
servers = [server]
|
|
||||||
|
|
||||||
command = args.pop(0).lower()
|
|
||||||
if command not in ALL_COMMANDS:
|
|
||||||
command_list = ", ".join(ALL_COMMANDS)
|
|
||||||
msg = ("Unknown command %(command)s specified. Please specify a "
|
|
||||||
"command in this list: %(command_list)s" % locals())
|
|
||||||
sys.exit(msg)
|
|
||||||
|
|
||||||
if command == 'start':
|
|
||||||
for server in servers:
|
|
||||||
do_start(server, options, args)
|
|
||||||
|
|
||||||
if command == 'stop':
|
|
||||||
for server in servers:
|
|
||||||
do_stop(server, options, args)
|
|
||||||
|
|
||||||
if command == 'shutdown':
|
|
||||||
for server in servers:
|
|
||||||
do_stop(server, options, args, graceful=True)
|
|
||||||
|
|
||||||
if command == 'restart':
|
|
||||||
for server in servers:
|
|
||||||
do_stop(server, options, args)
|
|
||||||
for server in servers:
|
|
||||||
do_start(server, options, args)
|
|
||||||
|
|
||||||
if command == 'reload' or command == 'force-reload':
|
|
||||||
for server in servers:
|
|
||||||
do_stop(server, options, args, graceful=True)
|
|
||||||
do_start(server, options, args)
|
|
|
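Review bot: in `do_stop`, `pfiles = pid_files(server, options)` is a generator (`pid_files` uses `yield`), so the first `for pid_file, pid in pfiles:` loop exhausts it and the second loop, the one that polls `/proc/<pid>` for up to 15 seconds, never runs. `restart` and `reload` therefore go on to `do_start` without waiting for the old process to exit. These rows carry content in the left column only, like the `+0,0` hunks below, so the script appears to be going away; if any of this logic is carried into a replacement, build the list once with `list(pid_files(server, options))`. Two more things not to carry over: `os.kill(pid, sig)` signals whatever integer the pid file contains without checking that the process is a keystone server, and `do_start` sets `PYTHON_EGG_CACHE` to `/tmp`, a shared directory.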
@ -1,42 +0,0 @@
|
||||||
#!/usr/bin/env python
|
|
||||||
|
|
||||||
# vim: tabstop=4 shiftwidth=4 softtabstop=4
|
|
||||||
|
|
||||||
# Copyright (C) 2011 OpenStack LLC.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
# This file is to read a export file from Nova that will import users,
|
|
||||||
# tenants and EC2 credentials
|
|
||||||
# The file should be in the keystone-manage format
|
|
||||||
|
|
||||||
import os
|
|
||||||
import sys
|
|
||||||
import shlex
|
|
||||||
|
|
||||||
# If ../../keystone/__init__.py exists, add ../ to Python search path, so that
|
|
||||||
# it will override what happens to be installed in /usr/(local/)lib/python...
|
|
||||||
possible_topdir = os.path.normpath(os.path.join(os.path.abspath(sys.argv[0]),
|
|
||||||
os.pardir,
|
|
||||||
os.pardir))
|
|
||||||
if os.path.exists(os.path.join(possible_topdir, 'keystone', '__init__.py')):
|
|
||||||
sys.path.insert(0, possible_topdir)
|
|
||||||
|
|
||||||
import keystone.manage
|
|
||||||
|
|
||||||
with open(sys.argv[1], 'r') as line:
|
|
||||||
try:
|
|
||||||
keystone.manage.main(shlex.split(line))
|
|
||||||
except Exception as exc:
|
|
||||||
# Main prints all of the errors we need
|
|
||||||
sys.exit(1)
|
|
|
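Review bot: `shlex.split(line)` receives the open file object from `with open(sys.argv[1], 'r') as line:`, not one line of it, so the export file is never processed line by line and `keystone.manage.main` is called once for the whole file. The handler `except Exception as exc:` also leaves `exc` unused and exits with status 1, relying entirely on `main` having printed something. The header `-1,42 +0,0` removes the script, so the point for this merge is documentation: say in the commit message what replaces the Nova export import of users, tenants and EC2 credentials, and make sure the replacement iterates the file (`for line in fh:`) before calling `shlex.split`.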
@ -2,35 +2,27 @@
|
||||||
|
|
||||||
import os
|
import os
|
||||||
import sys
|
import sys
|
||||||
|
|
||||||
# If ../../keystone/__init__.py exists, add ../ to Python search path, so that
|
# If ../../keystone/__init__.py exists, add ../ to Python search path, so that
|
||||||
# it will override what happens to be installed in /usr/(local/)lib/python...
|
# it will override what happens to be installed in /usr/(local/)lib/python...
|
||||||
possible_topdir = os.path.normpath(os.path.join(os.path.abspath(sys.argv[0]),
|
possible_topdir = os.path.normpath(os.path.join(os.path.abspath(sys.argv[0]),
|
||||||
os.pardir,
|
os.pardir,
|
||||||
os.pardir))
|
os.pardir))
|
||||||
if os.path.exists(os.path.join(possible_topdir, 'keystone', '__init__.py')):
|
if os.path.exists(os.path.join(possible_topdir,
|
||||||
|
'keystone',
|
||||||
|
'__init__.py')):
|
||||||
sys.path.insert(0, possible_topdir)
|
sys.path.insert(0, possible_topdir)
|
||||||
|
|
||||||
import keystone.manage
|
|
||||||
import keystone.manage2
|
from keystone import cli
|
||||||
import keystone.tools.tracer # @UnusedImport # module runs on import
|
|
||||||
|
|
||||||
|
|
||||||
if __name__ == '__main__':
|
if __name__ == '__main__':
|
||||||
args = sys.argv[1:]
|
dev_conf = os.path.join(possible_topdir,
|
||||||
while True:
|
'etc',
|
||||||
if len(args) > 1 and args[0] in keystone.manage.OBJECTS:
|
'keystone.conf')
|
||||||
# the args look like the old 'subject verb' (e.g. 'user add')
|
config_files = None
|
||||||
# (this module is pending deprecation)
|
if os.path.exists(dev_conf):
|
||||||
keystone.manage.main()
|
config_files = [dev_conf]
|
||||||
break
|
|
||||||
elif len(args) > 2 and args[0] == '-c':
|
cli.main(argv=sys.argv, config_files=config_files)
|
||||||
# Remove -c <config file> and try again
|
|
||||||
del args[0:2]
|
|
||||||
elif len(args) > 1 and args[0] == '-d':
|
|
||||||
# Remove -d and try again
|
|
||||||
del args[0]
|
|
||||||
else:
|
|
||||||
# calls that don't start with a 'subject' go to the new impl
|
|
||||||
# which uses a 'verb_subject' convention (e.g. 'add_user')
|
|
||||||
keystone.manage2.main()
|
|
||||||
break
|
|
||||||
|
|
|
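Review bot: the `dev_conf` lookup on the new side is not gated on the `keystone/__init__.py` check a few lines above it, so `etc/keystone.conf` two levels above `sys.argv[0]` is handed to `cli.main` whenever that path exists, including when the script is not running from a source checkout. Compute `dev_conf` inside the same `if os.path.exists(os.path.join(possible_topdir, 'keystone', '__init__.py'))` block so an installed copy only reads configuration from where the operator put it. The old side also stripped `-c <config file>` and `-d` before dispatching; that handling is gone here with nothing visible replacing it, so the commit message should state whether `cli.main(argv=sys.argv, config_files=config_files)` still accepts those options.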
@ -1,16 +0,0 @@
|
||||||
#!/usr/bin/env python
|
|
||||||
|
|
||||||
import os
|
|
||||||
import sys
|
|
||||||
# If ../../keystone/__init__.py exists, add ../ to Python search path, so that
|
|
||||||
# it will override what happens to be installed in /usr/(local/)lib/python...
|
|
||||||
possible_topdir = os.path.normpath(os.path.join(os.path.abspath(sys.argv[0]),
|
|
||||||
os.pardir,
|
|
||||||
os.pardir))
|
|
||||||
if os.path.exists(os.path.join(possible_topdir, 'keystone', '__init__.py')):
|
|
||||||
sys.path.insert(0, possible_topdir)
|
|
||||||
|
|
||||||
import keystone.test.sampledata
|
|
||||||
|
|
||||||
if __name__ == '__main__':
|
|
||||||
keystone.test.sampledata.main()
|
|
96
doc/Makefile
|
@ -1,96 +0,0 @@
|
||||||
# Makefile for Sphinx documentation
|
|
||||||
#
|
|
||||||
|
|
||||||
# You can set these variables from the command line.
|
|
||||||
SPHINXOPTS =
|
|
||||||
SPHINXBUILD = sphinx-build
|
|
||||||
SPHINXSOURCE = source
|
|
||||||
PAPER =
|
|
||||||
BUILDDIR = build
|
|
||||||
|
|
||||||
# Internal variables.
|
|
||||||
PAPEROPT_a4 = -D latex_paper_size=a4
|
|
||||||
PAPEROPT_letter = -D latex_paper_size=letter
|
|
||||||
ALLSPHINXOPTS = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) $(SPHINXSOURCE)
|
|
||||||
|
|
||||||
.PHONY: help clean html dirhtml pickle json htmlhelp qthelp latex changes linkcheck doctest
|
|
||||||
|
|
||||||
.DEFAULT_GOAL = html
|
|
||||||
|
|
||||||
help:
|
|
||||||
@echo "Please use \`make <target>' where <target> is one of"
|
|
||||||
@echo " html to make standalone HTML files"
|
|
||||||
@echo " dirhtml to make HTML files named index.html in directories"
|
|
||||||
@echo " pickle to make pickle files"
|
|
||||||
@echo " json to make JSON files"
|
|
||||||
@echo " htmlhelp to make HTML files and a HTML help project"
|
|
||||||
@echo " qthelp to make HTML files and a qthelp project"
|
|
||||||
@echo " latex to make LaTeX files, you can set PAPER=a4 or PAPER=letter"
|
|
||||||
@echo " changes to make an overview of all changed/added/deprecated items"
|
|
||||||
@echo " linkcheck to check all external links for integrity"
|
|
||||||
@echo " doctest to run all doctests embedded in the documentation (if enabled)"
|
|
||||||
|
|
||||||
clean:
|
|
||||||
-rm -rf $(BUILDDIR)/*
|
|
||||||
if [ -f .autogenerated ] ; then \
|
|
||||||
cat .autogenerated | xargs rm ; \
|
|
||||||
rm .autogenerated ; \
|
|
||||||
fi
|
|
||||||
|
|
||||||
html:
|
|
||||||
$(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
|
|
||||||
@echo
|
|
||||||
@echo "Build finished. The HTML pages are in $(BUILDDIR)/html."
|
|
||||||
|
|
||||||
dirhtml:
|
|
||||||
$(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml
|
|
||||||
@echo
|
|
||||||
@echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml."
|
|
||||||
|
|
||||||
pickle:
|
|
||||||
$(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle
|
|
||||||
@echo
|
|
||||||
@echo "Build finished; now you can process the pickle files."
|
|
||||||
|
|
||||||
json:
|
|
||||||
$(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json
|
|
||||||
@echo
|
|
||||||
@echo "Build finished; now you can process the JSON files."
|
|
||||||
|
|
||||||
htmlhelp:
|
|
||||||
$(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp
|
|
||||||
@echo
|
|
||||||
@echo "Build finished; now you can run HTML Help Workshop with the" \
|
|
||||||
".hhp project file in $(BUILDDIR)/htmlhelp."
|
|
||||||
|
|
||||||
qthelp:
|
|
||||||
$(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp
|
|
||||||
@echo
|
|
||||||
@echo "Build finished; now you can run "qcollectiongenerator" with the" \
|
|
||||||
".qhcp project file in $(BUILDDIR)/qthelp, like this:"
|
|
||||||
@echo "# qcollectiongenerator $(BUILDDIR)/qthelp/nova.qhcp"
|
|
||||||
@echo "To view the help file:"
|
|
||||||
@echo "# assistant -collectionFile $(BUILDDIR)/qthelp/nova.qhc"
|
|
||||||
|
|
||||||
latex:
|
|
||||||
$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
|
|
||||||
@echo
|
|
||||||
@echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex."
|
|
||||||
@echo "Run \`make all-pdf' or \`make all-ps' in that directory to" \
|
|
||||||
"run these through (pdf)latex."
|
|
||||||
|
|
||||||
changes:
|
|
||||||
$(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes
|
|
||||||
@echo
|
|
||||||
@echo "The overview file is in $(BUILDDIR)/changes."
|
|
||||||
|
|
||||||
linkcheck:
|
|
||||||
$(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck
|
|
||||||
@echo
|
|
||||||
@echo "Link check complete; look for any errors in the above output " \
|
|
||||||
"or in $(BUILDDIR)/linkcheck/output.txt."
|
|
||||||
|
|
||||||
doctest:
|
|
||||||
$(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest
|
|
||||||
@echo "Testing of doctests in the sources finished, look at the " \
|
|
||||||
"results in $(BUILDDIR)/doctest/output.txt."
|
|
|
@ -1,38 +0,0 @@
|
||||||
==================================
|
|
||||||
Building Contributor Documentation
|
|
||||||
==================================
|
|
||||||
|
|
||||||
This documentation is written by contributors, for contributors.
|
|
||||||
|
|
||||||
The source is maintained in the `doc/source` folder using
|
|
||||||
`reStructuredText`_ and built by `Sphinx`_ (a dependency from `tools/pip-requires`).
|
|
||||||
|
|
||||||
.. _reStructuredText: http://docutils.sourceforge.net/rst.html
|
|
||||||
.. _Sphinx: http://sphinx.pocoo.org/
|
|
||||||
|
|
||||||
Building automatically
|
|
||||||
======================
|
|
||||||
|
|
||||||
From the project root, just type::
|
|
||||||
|
|
||||||
$ python setup.py build_sphinx
|
|
||||||
|
|
||||||
Building manually
|
|
||||||
=================
|
|
||||||
|
|
||||||
#. Generate the code.rst file so that Sphinx will pull in our docstrings::
|
|
||||||
|
|
||||||
$ python doc/generate_autodoc_index.py
|
|
||||||
|
|
||||||
#. Use `sphinx-build` to produce the docs in HTML::
|
|
||||||
|
|
||||||
$ sphinx-build -b html doc/source/ build/sphinx/html/
|
|
||||||
|
|
||||||
#. Similarly, build the man pages (optional)::
|
|
||||||
|
|
||||||
$ sphinx-build -b man doc/source/ build/sphinx/man/
|
|
||||||
|
|
||||||
After building
|
|
||||||
==============
|
|
||||||
|
|
||||||
Navigate to the `build/sphinx/html` directory to browse generated the HTML docs.
|
|
Before Width: | Height: | Size: 160 KiB |
|
@ -1,87 +0,0 @@
|
||||||
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
|
|
||||||
<diagram>
|
|
||||||
<source><![CDATA[client:Library
|
|
||||||
/queue:FIFO
|
|
||||||
keystone:Service
|
|
||||||
compute:Service
|
|
||||||
policy:Service
|
|
||||||
|
|
||||||
[c:default_auth_token]
|
|
||||||
client:unscoped_token, serviceCatalog=keystone.auth<user, creds>
|
|
||||||
[/c]
|
|
||||||
|
|
||||||
[c:get_tenants]
|
|
||||||
client:tenants=keystone.get_tenants<unscoped_token>
|
|
||||||
[/c]
|
|
||||||
|
|
||||||
[c:tenant_auth_token]
|
|
||||||
client:token, serviceCatalog=keystone.auth<user, creds, tenant>
|
|
||||||
[/c]
|
|
||||||
|
|
||||||
[c:do_something_in_compute]
|
|
||||||
client:endpoint=serviceCatalog['compute']
|
|
||||||
client:success=compute.do_something<token, instance_id>
|
|
||||||
|
|
||||||
compute:tenant = parse(url)
|
|
||||||
[c:auth_middleware]
|
|
||||||
compute:user, roles=keystone.validate<token, [tenant]>
|
|
||||||
[/c]
|
|
||||||
compute:instance=instance_get(instance_id)
|
|
||||||
[c:policy_middleware]
|
|
||||||
compute:action='do_something'
|
|
||||||
compute:target=instance
|
|
||||||
compute:success=policy.check_acl<user, target, action, roles>
|
|
||||||
[/c]
|
|
||||||
compute:execute something logic
|
|
||||||
[/c]]]></source>
|
|
||||||
<configuration>
|
|
||||||
<property name="actorWidth" value="25"/>
|
|
||||||
<property name="allowMessageProperties" value="false"/>
|
|
||||||
<property name="arrowSize" value="6"/>
|
|
||||||
<property name="colorizeThreads" value="true"/>
|
|
||||||
<property name="destructorWidth" value="30"/>
|
|
||||||
<property family="Dialog" name="font" size="12" style="0"/>
|
|
||||||
<property name="fragmentMargin" value="8"/>
|
|
||||||
<property name="fragmentPadding" value="10"/>
|
|
||||||
<property name="fragmentTextPadding" value="3"/>
|
|
||||||
<property name="glue" value="10"/>
|
|
||||||
<property name="headHeight" value="35"/>
|
|
||||||
<property name="headLabelPadding" value="5"/>
|
|
||||||
<property name="headWidth" value="100"/>
|
|
||||||
<property name="initialSpace" value="10"/>
|
|
||||||
<property name="leftMargin" value="5"/>
|
|
||||||
<property name="lineWrap" value="false"/>
|
|
||||||
<property name="lowerMargin" value="5"/>
|
|
||||||
<property name="mainLifelineWidth" value="8"/>
|
|
||||||
<property name="messageLabelSpace" value="3"/>
|
|
||||||
<property name="messagePadding" value="6"/>
|
|
||||||
<property name="noteMargin" value="6"/>
|
|
||||||
<property name="notePadding" value="6"/>
|
|
||||||
<property name="opaqueMessageText" value="false"/>
|
|
||||||
<property name="returnArrowVisible" value="true"/>
|
|
||||||
<property name="rightMargin" value="5"/>
|
|
||||||
<property name="selfMessageHorizontalSpace" value="15"/>
|
|
||||||
<property name="separatorBottomMargin" value="8"/>
|
|
||||||
<property name="separatorTopMargin" value="15"/>
|
|
||||||
<property name="shouldShadowParticipants" value="true"/>
|
|
||||||
<property name="spaceBeforeActivation" value="2"/>
|
|
||||||
<property name="spaceBeforeAnswerToSelf" value="10"/>
|
|
||||||
<property name="spaceBeforeConstruction" value="6"/>
|
|
||||||
<property name="spaceBeforeSelfMessage" value="7"/>
|
|
||||||
<property name="subLifelineWidth" value="6"/>
|
|
||||||
<property name="tc0" value="-1118482"/>
|
|
||||||
<property name="tc1" value="-256"/>
|
|
||||||
<property name="tc2" value="-65536"/>
|
|
||||||
<property name="tc3" value="-16776961"/>
|
|
||||||
<property name="tc4" value="-16711936"/>
|
|
||||||
<property name="tc5" value="-4144960"/>
|
|
||||||
<property name="tc6" value="-65281"/>
|
|
||||||
<property name="tc7" value="-14336"/>
|
|
||||||
<property name="tc8" value="-20561"/>
|
|
||||||
<property name="tc9" value="-12566464"/>
|
|
||||||
<property name="threadNumbersVisible" value="false"/>
|
|
||||||
<property name="threaded" value="true"/>
|
|
||||||
<property name="upperMargin" value="5"/>
|
|
||||||
<property name="verticallySplit" value="true"/>
|
|
||||||
</configuration>
|
|
||||||
</diagram>
|
|
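Review bot: missing documentation. The `<source>` block in this removed diagram spells out the authorization path step by step: unscoped token, tenant-scoped token, `keystone.validate<token, [tenant]>` in `auth_middleware`, then `policy.check_acl<user, target, action, roles>` in `policy_middleware`. If the rewritten docs no longer carry that sequence, keep the text form of the flow somewhere, since it is what a reviewer of the middleware would check the implementation against.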
Before Width: | Height: | Size: 45 KiB |
|
@ -1,83 +0,0 @@
|
||||||
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
|
|
||||||
<diagram>
|
|
||||||
<source><![CDATA[client:User
|
|
||||||
/queue:FIFO
|
|
||||||
keystone:Service
|
|
||||||
nova:Service
|
|
||||||
|
|
||||||
[c:default_auth_token]
|
|
||||||
client:unscoped_token, globalServiceCatalog=keystone.auth<user, password>
|
|
||||||
[/c]
|
|
||||||
|
|
||||||
[c:get_tenants]
|
|
||||||
client:tenants=keystone.get_tenants<unscoped_token>
|
|
||||||
[/c]
|
|
||||||
|
|
||||||
[c:tenant_auth_token]
|
|
||||||
client:token, serviceCatalog=keystone.auth<unscoped_token, tenant>
|
|
||||||
[/c]
|
|
||||||
|
|
||||||
client:endpoint = serviceCatalog['compute']
|
|
||||||
|
|
||||||
[c:create_instance]
|
|
||||||
client:success=nova.createInstance<token, tenant_id>
|
|
||||||
|
|
||||||
nova:tenant = parse(url)
|
|
||||||
[c:auth_middleware]
|
|
||||||
nova:user, roles=keystone.validate<token, [tenant]>
|
|
||||||
[/c]
|
|
||||||
nova:authorize=can_haz(context, user, 'create_instance', tenant_id)
|
|
||||||
nova:execute create_instance
|
|
||||||
[/c]
|
|
||||||
client:200 OK]]></source>
|
|
||||||
<configuration>
|
|
||||||
<property name="actorWidth" value="25"/>
|
|
||||||
<property name="allowMessageProperties" value="false"/>
|
|
||||||
<property name="arrowSize" value="6"/>
|
|
||||||
<property name="colorizeThreads" value="true"/>
|
|
||||||
<property name="destructorWidth" value="30"/>
|
|
||||||
<property family="Dialog" name="font" size="12" style="0"/>
|
|
||||||
<property name="fragmentMargin" value="8"/>
|
|
||||||
<property name="fragmentPadding" value="10"/>
|
|
||||||
<property name="fragmentTextPadding" value="3"/>
|
|
||||||
<property name="glue" value="10"/>
|
|
||||||
<property name="headHeight" value="35"/>
|
|
||||||
<property name="headLabelPadding" value="5"/>
|
|
||||||
<property name="headWidth" value="100"/>
|
|
||||||
<property name="initialSpace" value="10"/>
|
|
||||||
<property name="leftMargin" value="5"/>
|
|
||||||
<property name="lineWrap" value="false"/>
|
|
||||||
<property name="lowerMargin" value="5"/>
|
|
||||||
<property name="mainLifelineWidth" value="8"/>
|
|
||||||
<property name="messageLabelSpace" value="3"/>
|
|
||||||
<property name="messagePadding" value="6"/>
|
|
||||||
<property name="noteMargin" value="6"/>
|
|
||||||
<property name="notePadding" value="6"/>
|
|
||||||
<property name="opaqueMessageText" value="false"/>
|
|
||||||
<property name="returnArrowVisible" value="true"/>
|
|
||||||
<property name="rightMargin" value="5"/>
|
|
||||||
<property name="selfMessageHorizontalSpace" value="15"/>
|
|
||||||
<property name="separatorBottomMargin" value="8"/>
|
|
||||||
<property name="separatorTopMargin" value="15"/>
|
|
||||||
<property name="shouldShadowParticipants" value="true"/>
|
|
||||||
<property name="spaceBeforeActivation" value="2"/>
|
|
||||||
<property name="spaceBeforeAnswerToSelf" value="10"/>
|
|
||||||
<property name="spaceBeforeConstruction" value="6"/>
|
|
||||||
<property name="spaceBeforeSelfMessage" value="7"/>
|
|
||||||
<property name="subLifelineWidth" value="6"/>
|
|
||||||
<property name="tc0" value="-1118482"/>
|
|
||||||
<property name="tc1" value="-256"/>
|
|
||||||
<property name="tc2" value="-65536"/>
|
|
||||||
<property name="tc3" value="-16776961"/>
|
|
||||||
<property name="tc4" value="-16711936"/>
|
|
||||||
<property name="tc5" value="-4144960"/>
|
|
||||||
<property name="tc6" value="-65281"/>
|
|
||||||
<property name="tc7" value="-14336"/>
|
|
||||||
<property name="tc8" value="-20561"/>
|
|
||||||
<property name="tc9" value="-12566464"/>
|
|
||||||
<property name="threadNumbersVisible" value="false"/>
|
|
||||||
<property name="threaded" value="true"/>
|
|
||||||
<property name="upperMargin" value="5"/>
|
|
||||||
<property name="verticallySplit" value="true"/>
|
|
||||||
</configuration>
|
|
||||||
</diagram>
|
|
Before Width: | Height: | Size: 31 KiB |
|
@ -1,76 +0,0 @@
|
||||||
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
|
|
||||||
<diagram>
|
|
||||||
<source><![CDATA[client:User
|
|
||||||
/queue:FIFO
|
|
||||||
keystone:Service
|
|
||||||
nova:Service
|
|
||||||
|
|
||||||
|
|
||||||
[c:authenticate]
|
|
||||||
client:token, serviceCatalog=keystone.auth<user, password, tenant>
|
|
||||||
[/c]
|
|
||||||
|
|
||||||
|
|
||||||
client:endpoint=serviceCatalog['compute']
|
|
||||||
|
|
||||||
[c:create_instance]
|
|
||||||
client:success=nova.createInstance<token, tenant_id>
|
|
||||||
nova:tenant = parse(url)
|
|
||||||
[c:auth_middleware]
|
|
||||||
nova:user, roles=keystone.validate<token, [tenant]>
|
|
||||||
[/c]
|
|
||||||
nova:authorize = can_haz(context, user, 'create_instance', tenant_id)
|
|
||||||
nova:execute create_instance
|
|
||||||
[/c]
|
|
||||||
client:200 OK]]></source>
|
|
||||||
<configuration>
|
|
||||||
<property name="actorWidth" value="25"/>
|
|
||||||
<property name="allowMessageProperties" value="false"/>
|
|
||||||
<property name="arrowSize" value="6"/>
|
|
||||||
<property name="colorizeThreads" value="true"/>
|
|
||||||
<property name="destructorWidth" value="30"/>
|
|
||||||
<property family="Dialog" name="font" size="12" style="0"/>
|
|
||||||
<property name="fragmentMargin" value="8"/>
|
|
||||||
<property name="fragmentPadding" value="10"/>
|
|
||||||
<property name="fragmentTextPadding" value="3"/>
|
|
||||||
<property name="glue" value="10"/>
|
|
||||||
<property name="headHeight" value="35"/>
|
|
||||||
<property name="headLabelPadding" value="5"/>
|
|
||||||
<property name="headWidth" value="100"/>
|
|
||||||
<property name="initialSpace" value="10"/>
|
|
||||||
<property name="leftMargin" value="5"/>
|
|
||||||
<property name="lineWrap" value="false"/>
|
|
||||||
<property name="lowerMargin" value="5"/>
|
|
||||||
<property name="mainLifelineWidth" value="8"/>
|
|
||||||
<property name="messageLabelSpace" value="3"/>
|
|
||||||
<property name="messagePadding" value="6"/>
|
|
||||||
<property name="noteMargin" value="6"/>
|
|
||||||
<property name="notePadding" value="6"/>
|
|
||||||
<property name="opaqueMessageText" value="false"/>
|
|
||||||
<property name="returnArrowVisible" value="true"/>
|
|
||||||
<property name="rightMargin" value="5"/>
|
|
||||||
<property name="selfMessageHorizontalSpace" value="15"/>
|
|
||||||
<property name="separatorBottomMargin" value="8"/>
|
|
||||||
<property name="separatorTopMargin" value="15"/>
|
|
||||||
<property name="shouldShadowParticipants" value="true"/>
|
|
||||||
<property name="spaceBeforeActivation" value="2"/>
|
|
||||||
<property name="spaceBeforeAnswerToSelf" value="10"/>
|
|
||||||
<property name="spaceBeforeConstruction" value="6"/>
|
|
||||||
<property name="spaceBeforeSelfMessage" value="7"/>
|
|
||||||
<property name="subLifelineWidth" value="6"/>
|
|
||||||
<property name="tc0" value="-1118482"/>
|
|
||||||
<property name="tc1" value="-256"/>
|
|
||||||
<property name="tc2" value="-65536"/>
|
|
||||||
<property name="tc3" value="-16776961"/>
|
|
||||||
<property name="tc4" value="-16711936"/>
|
|
||||||
<property name="tc5" value="-4144960"/>
|
|
||||||
<property name="tc6" value="-65281"/>
|
|
||||||
<property name="tc7" value="-14336"/>
|
|
||||||
<property name="tc8" value="-20561"/>
|
|
||||||
<property name="tc9" value="-12566464"/>
|
|
||||||
<property name="threadNumbersVisible" value="false"/>
|
|
||||||
<property name="threaded" value="true"/>
|
|
||||||
<property name="upperMargin" value="5"/>
|
|
||||||
<property name="verticallySplit" value="true"/>
|
|
||||||
</configuration>
|
|
||||||
</diagram>
|
|
Before Width: | Height: | Size: 42 KiB |
|
@ -1,80 +0,0 @@
|
||||||
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
|
|
||||||
<diagram>
|
|
||||||
<source><![CDATA[client:User
|
|
||||||
/queue:FIFO
|
|
||||||
keystone:Service
|
|
||||||
nova:Service
|
|
||||||
|
|
||||||
[c:unauthenticated_call]
|
|
||||||
client:\[standard http response requesting authentication\]=nova.createInstance<tenant_id>
|
|
||||||
client:401 Unauthorized
|
|
||||||
client:WWW-Authenticate\: Keystone uri="url_to_keystone"
|
|
||||||
[/c]
|
|
||||||
|
|
||||||
[c:authenticate]
|
|
||||||
client:token, serviceCatalog=keystone.auth<user, creds, tenant>
|
|
||||||
[/c]
|
|
||||||
|
|
||||||
|
|
||||||
[c:retry_create_instance]
|
|
||||||
client:success=nova.createInstance<token, tenant_id>
|
|
||||||
|
|
||||||
nova:tenant = parse(url)
|
|
||||||
[c:auth_middleware]
|
|
||||||
nova:user, roles=keystone.validate<token, [tenant]>
|
|
||||||
[/c]
|
|
||||||
nova:authorize=can_haz(context, user, 'create_instance', tenant_id)
|
|
||||||
nova:execute create_instance
|
|
||||||
[/c]
|
|
||||||
client:200 OK]]></source>
|
|
||||||
<configuration>
|
|
||||||
<property name="actorWidth" value="25"/>
|
|
||||||
<property name="allowMessageProperties" value="false"/>
|
|
||||||
<property name="arrowSize" value="6"/>
|
|
||||||
<property name="colorizeThreads" value="true"/>
|
|
||||||
<property name="destructorWidth" value="30"/>
|
|
||||||
<property family="Dialog" name="font" size="12" style="0"/>
|
|
||||||
<property name="fragmentMargin" value="8"/>
|
|
||||||
<property name="fragmentPadding" value="10"/>
|
|
||||||
<property name="fragmentTextPadding" value="3"/>
|
|
||||||
<property name="glue" value="10"/>
|
|
||||||
<property name="headHeight" value="35"/>
|
|
||||||
<property name="headLabelPadding" value="5"/>
|
|
||||||
<property name="headWidth" value="100"/>
|
|
||||||
<property name="initialSpace" value="10"/>
|
|
||||||
<property name="leftMargin" value="5"/>
|
|
||||||
<property name="lineWrap" value="false"/>
|
|
||||||
<property name="lowerMargin" value="5"/>
|
|
||||||
<property name="mainLifelineWidth" value="8"/>
|
|
||||||
<property name="messageLabelSpace" value="3"/>
|
|
||||||
<property name="messagePadding" value="6"/>
|
|
||||||
<property name="noteMargin" value="6"/>
|
|
||||||
<property name="notePadding" value="6"/>
|
|
||||||
<property name="opaqueMessageText" value="false"/>
|
|
||||||
<property name="returnArrowVisible" value="true"/>
|
|
||||||
<property name="rightMargin" value="5"/>
|
|
||||||
<property name="selfMessageHorizontalSpace" value="15"/>
|
|
||||||
<property name="separatorBottomMargin" value="8"/>
|
|
||||||
<property name="separatorTopMargin" value="15"/>
|
|
||||||
<property name="shouldShadowParticipants" value="true"/>
|
|
||||||
<property name="spaceBeforeActivation" value="2"/>
|
|
||||||
<property name="spaceBeforeAnswerToSelf" value="10"/>
|
|
||||||
<property name="spaceBeforeConstruction" value="6"/>
|
|
||||||
<property name="spaceBeforeSelfMessage" value="7"/>
|
|
||||||
<property name="subLifelineWidth" value="6"/>
|
|
||||||
<property name="tc0" value="-1118482"/>
|
|
||||||
<property name="tc1" value="-256"/>
|
|
||||||
<property name="tc2" value="-65536"/>
|
|
||||||
<property name="tc3" value="-16776961"/>
|
|
||||||
<property name="tc4" value="-16711936"/>
|
|
||||||
<property name="tc5" value="-4144960"/>
|
|
||||||
<property name="tc6" value="-65281"/>
|
|
||||||
<property name="tc7" value="-14336"/>
|
|
||||||
<property name="tc8" value="-20561"/>
|
|
||||||
<property name="tc9" value="-12566464"/>
|
|
||||||
<property name="threadNumbersVisible" value="false"/>
|
|
||||||
<property name="threaded" value="true"/>
|
|
||||||
<property name="upperMargin" value="5"/>
|
|
||||||
<property name="verticallySplit" value="true"/>
|
|
||||||
</configuration>
|
|
||||||
</diagram>
|
|
|
@ -1,76 +0,0 @@
|
||||||
#!/usr/bin/env python
|
|
||||||
"""Generates files for sphinx documentation using a simple Autodoc based
|
|
||||||
template.
|
|
||||||
|
|
||||||
To use, just run as a script:
|
|
||||||
$ python doc/generate_autodoc_index.py
|
|
||||||
"""
|
|
||||||
|
|
||||||
import os
|
|
||||||
|
|
||||||
|
|
||||||
base_dir = os.path.dirname(os.path.abspath(__file__))
|
|
||||||
RSTDIR=os.path.join(base_dir, "source", "sourcecode")
|
|
||||||
SOURCEDIR=os.path.join(base_dir, "..")
|
|
||||||
|
|
||||||
# Exclude these modules from the autodoc results
|
|
||||||
EXCLUDE_MODULES = ['keystone.backends.sqlalchemy.migrate_repo']
|
|
||||||
|
|
||||||
def in_exclude_list(module_name):
|
|
||||||
"""Compares a module to the list of excluded modules
|
|
||||||
|
|
||||||
Returns true if the provided module resides in or matches
|
|
||||||
an excluded module, false otherwise.
|
|
||||||
"""
|
|
||||||
for excluded_module in EXCLUDE_MODULES:
|
|
||||||
if module_name.startswith(excluded_module):
|
|
||||||
return True
|
|
||||||
return False
|
|
||||||
|
|
||||||
def find_autodoc_modules(module_name, sourcedir):
|
|
||||||
"""returns a list of modules in the SOURCE directory"""
|
|
||||||
modlist = []
|
|
||||||
os.chdir(os.path.join(sourcedir, module_name))
|
|
||||||
for root, dirs, files in os.walk("."):
|
|
||||||
for filename in files:
|
|
||||||
if filename.endswith(".py"):
|
|
||||||
# root = ./keystone/test/unit
|
|
||||||
# filename = base.py
|
|
||||||
elements = root.split(os.path.sep)
|
|
||||||
# replace the leading "." with the module name
|
|
||||||
elements[0] = module_name
|
|
||||||
# and get the base module name
|
|
||||||
base, extension = os.path.splitext(filename)
|
|
||||||
if not (base == "__init__"):
|
|
||||||
elements.append(base)
|
|
||||||
result = (".".join(elements))
|
|
||||||
if not in_exclude_list(result):
|
|
||||||
modlist.append(result)
|
|
||||||
return modlist
|
|
||||||
|
|
||||||
if not(os.path.exists(RSTDIR)):
|
|
||||||
os.mkdir(RSTDIR)
|
|
||||||
|
|
||||||
INDEXOUT = open("%s/autoindex.rst" % RSTDIR, "w")
|
|
||||||
INDEXOUT.write("Source Code Index\n")
|
|
||||||
INDEXOUT.write("=================\n")
|
|
||||||
INDEXOUT.write(".. toctree::\n")
|
|
||||||
INDEXOUT.write(" :maxdepth: 1\n")
|
|
||||||
INDEXOUT.write("\n")
|
|
||||||
|
|
||||||
for module in find_autodoc_modules('keystone', SOURCEDIR):
|
|
||||||
generated_file = "%s/%s.rst" % (RSTDIR, module)
|
|
||||||
|
|
||||||
INDEXOUT.write(" %s\n" % module)
|
|
||||||
FILEOUT = open(generated_file, "w")
|
|
||||||
FILEOUT.write("The :mod:`%s` Module\n" % module)
|
|
||||||
FILEOUT.write("=============================="
|
|
||||||
"=============================="
|
|
||||||
"==============================\n")
|
|
||||||
FILEOUT.write(".. automodule:: %s\n" % module)
|
|
||||||
FILEOUT.write(" :members:\n")
|
|
||||||
FILEOUT.write(" :undoc-members:\n")
|
|
||||||
FILEOUT.write(" :show-inheritance:\n")
|
|
||||||
FILEOUT.close()
|
|
||||||
|
|
||||||
INDEXOUT.close()
|
|
|
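Review bot: nothing in this hunk says what takes over from the autodoc index generator being removed. Its docstring gives `python doc/generate_autodoc_index.py` as the entry point, and it is the only visible producer of the `source/sourcecode/*.rst` files (RSTDIR), so any docs build step or contributor guide that still calls it will fail after the merge. Please name the replacement in the commit message and grep for remaining callers before landing.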
@ -1,97 +0,0 @@
|
||||||
..
|
|
||||||
Copyright 2011 OpenStack, LLC
|
|
||||||
All Rights Reserved.
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
not use this file except in compliance with the License. You may obtain
|
|
||||||
a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
||||||
License for the specific language governing permissions and limitations
|
|
||||||
under the License.
|
|
||||||
|
|
||||||
Keystone Architecture
|
|
||||||
=====================
|
|
||||||
|
|
||||||
Keystone has two major components: Authentication and a Service Catalog.
|
|
||||||
|
|
||||||
Authentication
|
|
||||||
--------------
|
|
||||||
|
|
||||||
In providing a token-based authentication service for OpenStack, keystone
|
|
||||||
has several major concepts:
|
|
||||||
|
|
||||||
Tenant
|
|
||||||
A grouping used in OpenStack to contain relevant OpenStack services. A
|
|
||||||
tenant maps to a Nova "project-id", and in object storage, a tenant can
|
|
||||||
have multiple containers. Depending on the installation, a tenant can
|
|
||||||
represent a customer, account, organization, or project.
|
|
||||||
|
|
||||||
User
|
|
||||||
Represents an individual within OpenStack for the purposes of
|
|
||||||
authenticating them to OpenStack services. Users have credentials, and may
|
|
||||||
be assigned to one or more tenants. When authenticated, a token is
|
|
||||||
provided that is specific to a single tenant.
|
|
||||||
|
|
||||||
Credentials
|
|
||||||
Password or other information that uniquely identifies a User to Keystone
|
|
||||||
for the purposes of providing a token.
|
|
||||||
|
|
||||||
Token
|
|
||||||
A token is an arbitrary bit of text that is used to share authentication
|
|
||||||
with other OpenStack services so that Keystone can provide a central
|
|
||||||
location for authenticating users for access to OpenStack services. A
|
|
||||||
token may be "scoped" or "unscoped". A scoped token represents a user
|
|
||||||
authenticated to a Tenant, where an unscoped token represents just the
|
|
||||||
user.
|
|
||||||
|
|
||||||
Tokens are valid for a limited amount of time and may be revoked at any
|
|
||||||
time.
|
|
||||||
|
|
||||||
Role
|
|
||||||
A role is a set of permissions to access and use specific operations for
|
|
||||||
a given user when applied to a tenant. Roles are logical groupings of
|
|
||||||
those permissions to enable common permissions to be easily grouped and
|
|
||||||
bound to users associated with a given tenant.
|
|
||||||
|
|
||||||
Service Catalog
|
|
||||||
---------------
|
|
||||||
|
|
||||||
Keystone also provides a list of REST API endpoints as a definitive list for
|
|
||||||
an OpenStack installation. Key concepts include:
|
|
||||||
|
|
||||||
Service
|
|
||||||
An OpenStack service such as nova, swift, glance, or keystone. A service
|
|
||||||
may have one of more endpoints through which users can interact with
|
|
||||||
OpenStack services and resources.
|
|
||||||
|
|
||||||
Endpoint
|
|
||||||
A network accessible address (typically a URL) that represents the API
|
|
||||||
interface to an OpenStack service. Endpoints may also be grouped into
|
|
||||||
templates which represent a group of consumable OpenStack services
|
|
||||||
available across regions.
|
|
||||||
|
|
||||||
Template
|
|
||||||
A collection of endpoints representing a set of consumable OpenStack
|
|
||||||
service endpoints.
|
|
||||||
|
|
||||||
Components of Keystone
|
|
||||||
----------------------
|
|
||||||
|
|
||||||
Keystone includes a command-line interface which interacts with the Keystone
|
|
||||||
API for administrating keystone and related services.
|
|
||||||
|
|
||||||
* keystone - runs both keystone-admin and keystone-service
|
|
||||||
* keystone-admin - the administrative API for manipulating keystone
|
|
||||||
* keystone-service - the user oriented API for authentication
|
|
||||||
* keystone-manage - the command line interface to manipulate keystone
|
|
||||||
|
|
||||||
Keystone also includes WSGI middelware to provide authentication support
|
|
||||||
for Nova and Swift.
|
|
||||||
|
|
||||||
Keystone uses a built-in SQLite datastore - and may use an external LDAP
|
|
||||||
service to authenticate users instead of using stored credentials.
|
|
|
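Review bot: this removal drops the only visible definitions of "scoped" versus "unscoped" tokens and the statement that tokens "are valid for a limited amount of time and may be revoked at any time". Service authors rely on both when deciding how long to trust a validated token, so please confirm the redux docs carry equivalent text before this page goes. If the wording is ported, fix "one of more endpoints" and "middelware" on the way.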
@ -1,100 +0,0 @@
|
||||||
..
|
|
||||||
Copyright 2011 OpenStack, LLC
|
|
||||||
All Rights Reserved.
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
not use this file except in compliance with the License. You may obtain
|
|
||||||
a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
||||||
License for the specific language governing permissions and limitations
|
|
||||||
under the License.
|
|
||||||
|
|
||||||
====================
|
|
||||||
Configuring Keystone
|
|
||||||
====================
|
|
||||||
|
|
||||||
.. toctree::
|
|
||||||
:maxdepth: 1
|
|
||||||
|
|
||||||
keystone.conf
|
|
||||||
man/keystone-manage
|
|
||||||
|
|
||||||
Once Keystone is installed, there are a number of configuration options
|
|
||||||
available and potentially some initial data to create and set up.
|
|
||||||
|
|
||||||
Sample data / Quick Setup
|
|
||||||
=========================
|
|
||||||
|
|
||||||
Default sampledata is provided for easy setup and testing in bin/sampeldata. To
|
|
||||||
set up the sample data run the following command while Keystone is running::
|
|
||||||
|
|
||||||
$ ./bin/sampledata
|
|
||||||
|
|
||||||
The sample data created comes from the file :doc:`sourcecode/keystone.test.sampledata`
|
|
||||||
|
|
||||||
|
|
||||||
Keystone Configuration File
|
|
||||||
===========================
|
|
||||||
|
|
||||||
Most configuration is done via configuration files. The default files are
|
|
||||||
in ``/etc/keystone.conf``
|
|
||||||
|
|
||||||
When starting up a Keystone server, you can specify the configuration file to
|
|
||||||
use (see :doc:`controllingservers`).
|
|
||||||
If you do **not** specify a configuration file, keystone will look in the following
|
|
||||||
directories for a configuration file, in order:
|
|
||||||
|
|
||||||
* ``~/.keystone``
|
|
||||||
* ``~/``
|
|
||||||
* ``/etc/keystone``
|
|
||||||
* ``/etc``
|
|
||||||
|
|
||||||
The keystone configuration file should be named ``keystone.conf``.
|
|
||||||
If you installed keystone via your operating system's
|
|
||||||
package management system, it is likely that you will have sample
|
|
||||||
configuration files installed in ``/etc/keystone``.
|
|
||||||
|
|
||||||
In addition to this documentation page, you can check the
|
|
||||||
``etc/keystone.conf`` sample configuration
|
|
||||||
files distributed with keystone for example configuration files for each server
|
|
||||||
application with detailed comments on what each options does.
|
|
||||||
|
|
||||||
Sample Configuration Files
|
|
||||||
--------------------------
|
|
||||||
|
|
||||||
Keystone ships with sample configuration files in keystone/etc. These files are:
|
|
||||||
|
|
||||||
1. keystone.conf
|
|
||||||
|
|
||||||
A standard configuration file for running keystone in stand-alone mode.
|
|
||||||
It has a set of default extensions loaded to support administering Keystone
|
|
||||||
over REST. It uses a local SQLite database.
|
|
||||||
|
|
||||||
2. memcache.conf
|
|
||||||
|
|
||||||
A configuration that uses memcached for storing tokens (but still SQLite for all
|
|
||||||
other entities). This requires memcached running.
|
|
||||||
|
|
||||||
3. ssl.conf
|
|
||||||
|
|
||||||
A configuration that runs Keystone with SSL (so all URLs are accessed over HTTPS).
|
|
||||||
|
|
||||||
To run any of these configurations, use the `-c` option::
|
|
||||||
|
|
||||||
./keystone -c ../etc/ssl.conf
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Usefule Links
|
|
||||||
-------------
|
|
||||||
|
|
||||||
For a sample configuration file with explanations of the settings, see :doc:`keystone.conf`
|
|
||||||
|
|
||||||
For configuring an LDAP backend, see http://mirantis.blogspot.com/2011/08/ldap-identity-store-for-openstack.html
|
|
||||||
|
|
||||||
For configuration settings of middleware components, see :doc:`middleware`
|
|
|
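Review bot: the configuration search order documented in the removed list (`~/.keystone`, `~/`, `/etc/keystone`, `/etc`, "in order") has no visible replacement in this commit. With that order a `keystone.conf` in the service account's home directory wins over the one in `/etc/keystone`, which matters to operators deciding which paths to lock down. Please state in the new docs whether the redux branch keeps this lookup. If the page is ported, also fix `bin/sampeldata` and the "Usefule Links" heading.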
@ -1,333 +0,0 @@
|
||||||
..
|
|
||||||
Copyright 2011 OpenStack, LLC
|
|
||||||
All Rights Reserved.
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
not use this file except in compliance with the License. You may obtain
|
|
||||||
a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
||||||
License for the specific language governing permissions and limitations
|
|
||||||
under the License.
|
|
||||||
|
|
||||||
==========================================
|
|
||||||
Configuring Services to work with Keystone
|
|
||||||
==========================================
|
|
||||||
|
|
||||||
.. toctree::
|
|
||||||
:maxdepth: 1
|
|
||||||
|
|
||||||
Once Keystone is installed and running, services need to be configured to work
|
|
||||||
with it. These are the steps to configure a service to work with Keystone:
|
|
||||||
|
|
||||||
1. Create or get credentials for the service to use
|
|
||||||
|
|
||||||
A set of credentials are needed for each service (they may be
|
|
||||||
shared if you chose to). Depending on the service, these credentials are
|
|
||||||
either a username and password or a long-lived token..
|
|
||||||
|
|
||||||
2. Register the service, endpoints, roles and other entities
|
|
||||||
|
|
||||||
In order for a service to have it's endpoints and roles show in the service
|
|
||||||
catalog returned by Keystone, a service record needs to be added for the
|
|
||||||
service. Endpoints and roles associated with that service can then be created.
|
|
||||||
|
|
||||||
This can be done through the REST interface (using the OS-KSCATALOG extension)
|
|
||||||
or using keystone-manage.
|
|
||||||
|
|
||||||
3. Install and configure middleware for the service to handle authentication
|
|
||||||
|
|
||||||
Clients making calls to the service will pass in an authentication token. The
|
|
||||||
Keystone middleware will look for and validate that token, taking the
|
|
||||||
appropriate action. It will also retrive additional information from the token
|
|
||||||
such as user name, id, tenant name, id, roles, etc...
|
|
||||||
|
|
||||||
The middleware will pass those data down to the service as headers. The
|
|
||||||
detailed description of this architecture is available here :doc:`middleware_architecture`
|
|
||||||
|
|
||||||
Setting up credentials
|
|
||||||
======================
|
|
||||||
|
|
||||||
First admin user - bootstrapping
|
|
||||||
--------------------------------
|
|
||||||
|
|
||||||
For a default installation of Keystone, before you can use the REST API, you
|
|
||||||
need to create your first initial user and grant that user the right to
|
|
||||||
administer Keystone.
|
|
||||||
|
|
||||||
For the keystone service itself, two
|
|
||||||
Roles are pre-defined in the keystone configuration file
|
|
||||||
(:doc:`keystone.conf`).
|
|
||||||
|
|
||||||
#Role that allows admin operations (access to all operations)
|
|
||||||
keystone-admin-role = Admin
|
|
||||||
|
|
||||||
#Role that allows acting as service (validate tokens, register service,
|
|
||||||
etc...)
|
|
||||||
keystone-service-admin-role = KeystoneServiceAdmin
|
|
||||||
|
|
||||||
In order to create your first user, once Keystone is running use
|
|
||||||
the `keystone-manage` command:
|
|
||||||
|
|
||||||
$ keystone-manage user add admin secrete
|
|
||||||
$ keystone-manage role add Admin
|
|
||||||
$ keystone-manage role add KeystoneServiceAdmin
|
|
||||||
$ keystone-manage role grant Admin admin
|
|
||||||
$ keystone-manage role grant KeystoneServiceAdmin admin
|
|
||||||
|
|
||||||
This creates the `admin` user (with a password of `secrete`), creates
|
|
||||||
two roles (`Admin` and `KeystoneServiceAdmin`), and assigns those roles to
|
|
||||||
the `admin` user. From here, you should now have the choice of using the
|
|
||||||
administrative API (as well as the :doc:`man/keystone-manage` commands) to
|
|
||||||
further configure keystone. There are a number of examples of how to use
|
|
||||||
that API at :doc:`adminAPI_curl_examples`.
|
|
||||||
|
|
||||||
|
|
||||||
Setting up services
|
|
||||||
===================
|
|
||||||
|
|
||||||
Defining Services and Service Endpoints
|
|
||||||
---------------------------------------
|
|
||||||
|
|
||||||
Keystone also acts as a service catalog to let other OpenStack systems know
|
|
||||||
where relevant API endpoints exist for OpenStack Services. The OpenStack
|
|
||||||
Dashboard, in particular, uses this heavily - and this **must** be configured
|
|
||||||
for the OpenStack Dashboard to properly function.
|
|
||||||
|
|
||||||
Here's how we define the services::
|
|
||||||
|
|
||||||
$ keystone-manage service add nova compute "Nova Compute Service"
|
|
||||||
$ keystone-manage service add glance image "Glance Image Service"
|
|
||||||
$ keystone-manage service add swift storage "Swift Object Storage Service"
|
|
||||||
$ keystone-manage service add keystone identity "Keystone Identity Service"
|
|
||||||
|
|
||||||
Once the services are defined, we create endpoints for them. Each service
|
|
||||||
has three relevant URL's associated with it that are used in the command:
|
|
||||||
|
|
||||||
* the public API URL
|
|
||||||
* an administrative API URL
|
|
||||||
* an internal URL
|
|
||||||
|
|
||||||
The "internal URL" is an endpoint the generally offers the same API as the
|
|
||||||
public URL, but over a high-bandwidth, low-latency, unmetered (free) network.
|
|
||||||
You would use that to transfer images from nova to glance for example, and
|
|
||||||
not the Public URL which would go over the internet and be potentially chargeable.
|
|
||||||
|
|
||||||
The "admin URL" is for administering the services and is not exposed or accessible
|
|
||||||
to customers without the apporpriate privileges.
|
|
||||||
|
|
||||||
An example of setting up the endpoint for Nova::
|
|
||||||
|
|
||||||
$ keystone-manage endpointTemplates add RegionOne nova \
|
|
||||||
http://nova-api.mydomain:8774/v1.1/%tenant_id% \
|
|
||||||
http://nova-api.mydomain:8774/v1.1/%tenant_id% \
|
|
||||||
http://nova-api.mydomain:8774/v1.1/%tenant_id% \
|
|
||||||
1 1
|
|
||||||
|
|
||||||
Glance::
|
|
||||||
|
|
||||||
$ keystone-manage endpointTemplates add RegionOne glance \
|
|
||||||
http://glance.mydomain:9292/v1 \
|
|
||||||
http://glance.mydomain:9292/v1 \
|
|
||||||
http://glance.mydomain:9292/v1 \
|
|
||||||
1 1
|
|
||||||
|
|
||||||
Swift::
|
|
||||||
|
|
||||||
$ keystone-manage endpointTemplates add RegionOne swift \
|
|
||||||
http://swift.mydomain:8080/v1/AUTH_%tenant_id% \
|
|
||||||
http://swift.mydomain:8080/v1.0/ \
|
|
||||||
http://swift.mydomain:8080/v1/AUTH_%tenant_id% \
|
|
||||||
1 1
|
|
||||||
|
|
||||||
And setting up an endpoint for Keystone::
|
|
||||||
|
|
||||||
$ keystone-manage endpointTemplates add RegionOne keystone \
|
|
||||||
http://keystone.mydomain:5000/v2.0 \
|
|
||||||
http://keystone.mydomain:35357/v2.0 \
|
|
||||||
http://keystone.mydomain:5000/v2.0 \
|
|
||||||
1 1
|
|
||||||
|
|
||||||
|
|
||||||
Defining an Administrative Service Token
|
|
||||||
----------------------------------------
|
|
||||||
|
|
||||||
An Administrative Service Token is a bit of arbitrary text which is configured
|
|
||||||
in Keystone and used (typically configured into) Nova, Swift, Glance, and any
|
|
||||||
other OpenStack projects, to be able to use Keystone services.
|
|
||||||
|
|
||||||
This token is an arbitrary text string, but must be identical between Keystone
|
|
||||||
and the services using Keystone. This token is bound to a user and tenant as
|
|
||||||
well, so those also need to be created prior to setting it up.
|
|
||||||
|
|
||||||
The *admin* user was set up above, but we haven't created a tenant for that
|
|
||||||
user yet::
|
|
||||||
|
|
||||||
$ keystone-manage tenant add admin
|
|
||||||
|
|
||||||
and while we're here, let's grant the admin user the 'Admin' role to the
|
|
||||||
'admin' tenant::
|
|
||||||
|
|
||||||
$ keystone-manage role add Admin
|
|
||||||
$ keystone-manage role grant Admin admin admin
|
|
||||||
|
|
||||||
Now we can create a service token::
|
|
||||||
|
|
||||||
$ keystone-manage token add 999888777666 admin admin 2015-02-05T00:00
|
|
||||||
|
|
||||||
This creates a service token of '999888777666' associated to the admin user,
|
|
||||||
admin tenant, and expires on February 5th, 2015. This token will be used when
|
|
||||||
configuring Nova, Glance, or other OpenStack services.
|
|
||||||
|
|
||||||
Securing Communications with SSL
|
|
||||||
--------------------------------
|
|
||||||
|
|
||||||
To encrypt traffic between services and Keystone, see :doc:`ssl`
|
|
||||||
|
|
||||||
|
|
||||||
Setting up OpenStack users
|
|
||||||
==========================
|
|
||||||
|
|
||||||
Creating Tenants, Users, and Roles
|
|
||||||
----------------------------------
|
|
||||||
|
|
||||||
Let's set up a 'demo' tenant::
|
|
||||||
|
|
||||||
$ keystone-manage tenant add demo
|
|
||||||
|
|
||||||
And add a 'demo' user with the password 'guest'::
|
|
||||||
|
|
||||||
$ keystone-manage user add demo guest
|
|
||||||
|
|
||||||
Now let's add a role of "Member" and grant 'demo' user that role
|
|
||||||
as it pertains to the tenant 'demo'::
|
|
||||||
|
|
||||||
$ keystone-manage role add Member
|
|
||||||
$ keystone-manage role grant Member demo demo
|
|
||||||
|
|
||||||
Let's also add the admin user as an Admin role to the demo tenant::
|
|
||||||
|
|
||||||
$ keystone-manage role grant Admin admin demo
|
|
||||||
|
|
||||||
Creating EC2 credentials
|
|
||||||
------------------------
|
|
||||||
|
|
||||||
To add EC2 credentials for the `admin` and `demo` accounts::
|
|
||||||
|
|
||||||
$ keystone-manage credentials add admin EC2 'admin' 'secretpassword'
|
|
||||||
$ keystone-manage credentials add admin EC2 'demo' 'secretpassword'
|
|
||||||
|
|
||||||
If you have a large number of credentials to create, you can put them all
|
|
||||||
into a single large file and import them using :doc:`man/keystone-import`. The
|
|
||||||
format of the document looks like::
|
|
||||||
|
|
||||||
credentials add admin EC2 'username' 'password'
|
|
||||||
credentials add admin EC2 'username' 'password'
|
|
||||||
|
|
||||||
Then use::
|
|
||||||
|
|
||||||
$ keystone-import `filename`
|
|
||||||
|
|
||||||
|
|
||||||
Setting Up Middleware
|
|
||||||
=====================
|
|
||||||
|
|
||||||
Keystone Auth-Token Middleware
|
|
||||||
--------------------------------
|
|
||||||
|
|
||||||
The Keystone auth_token middleware is a WSGI component that can be inserted in
|
|
||||||
the WSGI pipeline to handle authenticating tokens with Keystone. See :doc:`middleware`
|
|
||||||
for details on middleware and configuration parameters.
|
|
||||||
|
|
||||||
|
|
||||||
Configuring Nova to use Keystone
|
|
||||||
--------------------------------
|
|
||||||
|
|
||||||
To configure Nova to use Keystone for authentication, the Nova API service
|
|
||||||
can be run against the api-paste file provided by Keystone. This is most
|
|
||||||
easily accomplished by setting the `--api_paste_config` flag in nova.conf to
|
|
||||||
point to `examples/paste/nova-api-paste.ini` from Keystone. This paste file
|
|
||||||
included references to the WSGI authentication middleware provided with the
|
|
||||||
keystone installation.
|
|
||||||
|
|
||||||
When configuring Nova, it is important to create a admin service token for
|
|
||||||
the service (from the Configuration step above) and include that as the key
|
|
||||||
'admin_token' in the nova-api-paste.ini. See the documented
|
|
||||||
:doc:`nova-api-paste` file for references.
|
|
||||||
|
|
||||||
Configuring Swift to use Keystone
|
|
||||||
---------------------------------
|
|
||||||
|
|
||||||
Similar to Nova, swift can be configured to use Keystone for authentication
|
|
||||||
rather than it's built in 'tempauth'.
|
|
||||||
|
|
||||||
1. Add a service endpoint for Swift to Keystone
|
|
||||||
|
|
||||||
2. Configure the paste file for swift-proxy (`/etc/swift/swift-proxy.conf`)
|
|
||||||
|
|
||||||
3. Reconfigure Swift's proxy server to use Keystone instead of TempAuth.
|
|
||||||
Here's an example `/etc/swift/proxy-server.conf`::
|
|
||||||
|
|
||||||
[DEFAULT]
|
|
||||||
bind_port = 8888
|
|
||||||
user = <user>
|
|
||||||
|
|
||||||
[pipeline:main]
|
|
||||||
pipeline = catch_errors cache keystone proxy-server
|
|
||||||
|
|
||||||
[app:proxy-server]
|
|
||||||
use = egg:swift#proxy
|
|
||||||
account_autocreate = true
|
|
||||||
|
|
||||||
[filter:keystone]
|
|
||||||
use = egg:keystone#tokenauth
|
|
||||||
auth_protocol = http
|
|
||||||
auth_host = 127.0.0.1
|
|
||||||
auth_port = 35357
|
|
||||||
admin_token = 999888777666
|
|
||||||
delay_auth_decision = 0
|
|
||||||
service_protocol = http
|
|
||||||
service_host = 127.0.0.1
|
|
||||||
service_port = 8100
|
|
||||||
service_pass = dTpw
|
|
||||||
cache = swift.cache
|
|
||||||
|
|
||||||
[filter:cache]
|
|
||||||
use = egg:swift#memcache
|
|
||||||
set log_name = cache
|
|
||||||
|
|
||||||
[filter:catch_errors]
|
|
||||||
use = egg:swift#catch_errors
|
|
||||||
|
|
||||||
Note that the optional "cache" property in the keystone filter allows any
|
|
||||||
service (not just Swift) to register its memcache client in the WSGI
|
|
||||||
environment. If such a cache exists, Keystone middleware will utilize it
|
|
||||||
to store validated token information, which could result in better overall
|
|
||||||
performance.
|
|
||||||
|
|
||||||
4. Restart swift
|
|
||||||
|
|
||||||
5. Verify that keystone is providing authentication to Swift
|
|
||||||
|
|
||||||
Use `swift` to check everything works (note: you currently have to create a
|
|
||||||
container or upload something as your first action to have the account
|
|
||||||
created; there's a Swift bug to be fixed soon)::
|
|
||||||
|
|
||||||
$ swift -A http://127.0.0.1:5000/v1.0 -U joeuser -K secrete post container
|
|
||||||
$ swift -A http://127.0.0.1:5000/v1.0 -U joeuser -K secrete stat -v
|
|
||||||
StorageURL: http://127.0.0.1:8888/v1/AUTH_1234
|
|
||||||
Auth Token: 74ce1b05-e839-43b7-bd76-85ef178726c3
|
|
||||||
Account: AUTH_1234
|
|
||||||
Containers: 1
|
|
||||||
Objects: 0
|
|
||||||
Bytes: 0
|
|
||||||
Accept-Ranges: bytes
|
|
||||||
X-Trans-Id: tx25c1a6969d8f4372b63912f411de3c3b
|
|
||||||
|
|
||||||
.. WARNING::
|
|
||||||
Keystone currently allows any valid token to do anything with any account.
|
|
||||||
|
|
|
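Review bot: the closing `.. WARNING::` ("Keystone currently allows any valid token to do anything with any account") is deleted along with the rest of this page, and nothing visible says whether the redux branch changes that behaviour. If it does not, the warning needs to survive in the new docs. When porting the examples, replace the literal service token `999888777666` (and its fixed 2015-02-05 expiry) and the `secrete` password with obvious placeholders, since copy-pasted sample values tend to end up in real deployments. The `[filter:keystone]` sample also sets `auth_protocol = http` and `service_protocol = http` without pointing at the SSL section. Finally, the EC2 example says it covers the `admin` and `demo` accounts but both commands pass `admin` as the user.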
@ -1,135 +0,0 @@
|
||||||
..
|
|
||||||
Copyright 2011 OpenStack, LLC
|
|
||||||
All Rights Reserved.
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
not use this file except in compliance with the License. You may obtain
|
|
||||||
a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
||||||
License for the specific language governing permissions and limitations
|
|
||||||
under the License.
|
|
||||||
|
|
||||||
========================
|
|
||||||
Developing with Keystone
|
|
||||||
========================
|
|
||||||
|
|
||||||
Get your development environment set up according to :doc:`setup`.
|
|
||||||
|
|
||||||
Running a development instance
|
|
||||||
==============================
|
|
||||||
|
|
||||||
Setting up a virtualenv
|
|
||||||
-----------------------
|
|
||||||
|
|
||||||
We recommend establishing a virtualenv to run keystone within. To establish
|
|
||||||
this environment, use the command::
|
|
||||||
|
|
||||||
$ python tools/install_venv.py
|
|
||||||
|
|
||||||
This will create a local virtual environment in the directory ``.venv``.
|
|
||||||
Once created, you can activate this virtualenv for your current shell using::
|
|
||||||
|
|
||||||
$ source .venv/bin/activate
|
|
||||||
|
|
||||||
The virtual environment can be disabled using the command::
|
|
||||||
|
|
||||||
$ deactivate
|
|
||||||
|
|
||||||
You can also use ``tools\with_venv.sh`` to prefix commands so that they run
|
|
||||||
within the virtual environment. For more information on virtual environments,
|
|
||||||
see virtualenv_.
|
|
||||||
|
|
||||||
.. _virtualenv: http://www.virtualenv.org/
|
|
||||||
|
|
||||||
Running Keystone
|
|
||||||
----------------
|
|
||||||
|
|
||||||
To run the keystone Admin and API server instances, use::
|
|
||||||
|
|
||||||
$ tools/with_venv.sh bin/keystone
|
|
||||||
|
|
||||||
Running a demo service that uses Keystone
|
|
||||||
-----------------------------------------
|
|
||||||
|
|
||||||
To run client demo (with all auth middleware running locally on sample service)::
|
|
||||||
|
|
||||||
$ tools/with_venv.sh examples/echo/bin/echod
|
|
||||||
|
|
||||||
which spins up a simple "echo" service on port 8090. To use a simple echo client::
|
|
||||||
|
|
||||||
$ python examples/echo/echo_client.py
|
|
||||||
|
|
||||||
Interacting with Keystone
|
|
||||||
=========================
|
|
||||||
|
|
||||||
You can interact with Keystone through the command line using :doc:`man/keystone-manage`
|
|
||||||
which allows you to establish tenants, users, etc.
|
|
||||||
|
|
||||||
You can also interact with Keystone through it's REST API. There is a python
|
|
||||||
keystone client library python-keystoneclient_ which interacts exclusively through
|
|
||||||
the REST API.
|
|
||||||
|
|
||||||
.. _python-keystoneclient: https://github.com/4P/python-keystoneclient
|
|
||||||
|
|
||||||
The easiest way to establish some base information in Keystone to interact with is
|
|
||||||
to invoke::
|
|
||||||
|
|
||||||
$ tools/with_venv.sh bin/sampledata
|
|
||||||
|
|
||||||
You can see the details of what that creates in ``keystone/test/sampledata.py``
|
|
||||||
|
|
||||||
Enabling debugging middleware
|
|
||||||
-----------------------------
|
|
||||||
|
|
||||||
You can enable a huge amount of additional data (debugging information) about
|
|
||||||
the request and repsonse objects flowing through Keystone using the debugging
|
|
||||||
WSGI middleware.
|
|
||||||
|
|
||||||
To enable this, just modify the pipelines in ``etc/keystone.conf``, from::
|
|
||||||
|
|
||||||
[pipeline:admin]
|
|
||||||
pipeline =
|
|
||||||
urlnormalizer
|
|
||||||
admin_api
|
|
||||||
|
|
||||||
[pipeline:keystone-legacy-auth]
|
|
||||||
pipeline =
|
|
||||||
urlnormalizer
|
|
||||||
legacy_auth
|
|
||||||
d5_compat
|
|
||||||
service_api
|
|
||||||
|
|
||||||
... to::
|
|
||||||
|
|
||||||
[pipeline:admin]
|
|
||||||
pipeline =
|
|
||||||
debug
|
|
||||||
urlnormalizer
|
|
||||||
d5_compat
|
|
||||||
admin_api
|
|
||||||
|
|
||||||
[pipeline:keystone-legacy-auth]
|
|
||||||
pipeline =
|
|
||||||
debug
|
|
||||||
urlnormalizer
|
|
||||||
legacy_auth
|
|
||||||
d5_compat
|
|
||||||
service_api
|
|
||||||
|
|
||||||
Two simple and easy debugging tools are using the ``-d`` when you start keystone::
|
|
||||||
|
|
||||||
$ ./keystone -d
|
|
||||||
|
|
||||||
and the `--trace-calls` flag::
|
|
||||||
|
|
||||||
$ ./keystone -trace-calls
|
|
||||||
|
|
||||||
The ``-d`` flag outputs debug information to the console. The ``--trace-calls`` flag
|
|
||||||
outputs extensive, nested trace calls to the console and highlights any errors
|
|
||||||
in red.
|
|
||||||
|
|
|
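Review bot: two inconsistencies in the debugging section are worth fixing if this text is carried into the new docs. The flag is introduced as `--trace-calls` but the command shown is `$ ./keystone -trace-calls` with a single dash, and the "to::" version of `[pipeline:admin]` adds `d5_compat` as well as `debug` without the text mentioning it. The replacement docs should also say that the `debug` filter and `-d` are for development instances only, because the request objects they print to the console are the ones carrying tokens and credentials.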
@ -1,158 +0,0 @@
|
||||||
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
|
|
||||||
<!-- Created with Inkscape (http://www.inkscape.org/) -->
|
|
||||||
|
|
||||||
<svg
|
|
||||||
xmlns:dc="http://purl.org/dc/elements/1.1/"
|
|
||||||
xmlns:cc="http://creativecommons.org/ns#"
|
|
||||||
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
|
|
||||||
xmlns:svg="http://www.w3.org/2000/svg"
|
|
||||||
xmlns="http://www.w3.org/2000/svg"
|
|
||||||
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
|
|
||||||
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
|
|
||||||
width="193.58089"
|
|
||||||
height="100.32214"
|
|
||||||
id="svg2"
|
|
||||||
version="1.1"
|
|
||||||
inkscape:version="0.48.0 r9654"
|
|
||||||
sodipodi:docname="proxyAuth.svg">
|
|
||||||
<defs
|
|
||||||
id="defs4" />
|
|
||||||
<sodipodi:namedview
|
|
||||||
id="base"
|
|
||||||
pagecolor="#ffffff"
|
|
||||||
bordercolor="#666666"
|
|
||||||
borderopacity="1.0"
|
|
||||||
inkscape:pageopacity="0.0"
|
|
||||||
inkscape:pageshadow="2"
|
|
||||||
inkscape:zoom="0.98901497"
|
|
||||||
inkscape:cx="134.39587"
|
|
||||||
inkscape:cy="72.635488"
|
|
||||||
inkscape:document-units="px"
|
|
||||||
inkscape:current-layer="layer1"
|
|
||||||
showgrid="false"
|
|
||||||
fit-margin-top="0"
|
|
||||||
fit-margin-left="0"
|
|
||||||
fit-margin-right="0"
|
|
||||||
fit-margin-bottom="0"
|
|
||||||
inkscape:window-width="912"
|
|
||||||
inkscape:window-height="842"
|
|
||||||
inkscape:window-x="66"
|
|
||||||
inkscape:window-y="87"
|
|
||||||
inkscape:window-maximized="0" />
|
|
||||||
<metadata
|
|
||||||
id="metadata7">
|
|
||||||
<rdf:RDF>
|
|
||||||
<cc:Work
|
|
||||||
rdf:about="">
|
|
||||||
<dc:format>image/svg+xml</dc:format>
|
|
||||||
<dc:type
|
|
||||||
rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
|
|
||||||
<dc:title></dc:title>
|
|
||||||
</cc:Work>
|
|
||||||
</rdf:RDF>
|
|
||||||
</metadata>
|
|
||||||
<g
|
|
||||||
inkscape:label="Layer 1"
|
|
||||||
inkscape:groupmode="layer"
|
|
||||||
id="layer1"
|
|
||||||
transform="translate(-240.60414,-504.67553)">
|
|
||||||
<g
|
|
||||||
id="1"
|
|
||||||
transform="translate(239.41667,503.49764)">
|
|
||||||
<text
|
|
||||||
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
|
|
||||||
y="25.6"
|
|
||||||
x="136"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="2">Request</text>
|
|
||||||
<text
|
|
||||||
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
|
|
||||||
y="36"
|
|
||||||
x="136"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="3">service directly</text>
|
|
||||||
<path
|
|
||||||
d="m 1.85,14.45 0,28.8 67.2,0 0,-28.8 -67.2,0 z"
|
|
||||||
style="fill:#fdefe3;fill-opacity:1;fill-rule:evenodd;stroke:none"
|
|
||||||
id="4"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<path
|
|
||||||
d="m 1.85,43.25 67.2,0 0,-28.8 -67.2,0 0,28.8 z"
|
|
||||||
style="fill:none;stroke:#c00000;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
|
|
||||||
id="5"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<text
|
|
||||||
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
|
|
||||||
y="25.6"
|
|
||||||
x="24.799999"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="6">Auth</text>
|
|
||||||
<text
|
|
||||||
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
|
|
||||||
y="37.599998"
|
|
||||||
x="8.8000002"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="7">Component</text>
|
|
||||||
<text
|
|
||||||
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
|
|
||||||
y="53.599998"
|
|
||||||
x="79.199997"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="8">305 </text>
|
|
||||||
<text
|
|
||||||
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
|
|
||||||
y="53.599998"
|
|
||||||
x="96"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="9">Use proxy to </text>
|
|
||||||
<text
|
|
||||||
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
|
|
||||||
y="63.200001"
|
|
||||||
x="79.199997"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="10">redirect to Auth</text>
|
|
||||||
<path
|
|
||||||
d="M 64.25,72.05 C 83.45,33.65 87.8,15.9 75.1,6.45 67.75,1 54.85,-1.65 42.3,7.85"
|
|
||||||
style="fill:none;stroke:#000000;stroke-width:0.75px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
|
|
||||||
id="11"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<path
|
|
||||||
d="m 45.35,9.75 -9.9,4.7 5.1,-9.65 4.8,4.95 z"
|
|
||||||
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
|
|
||||||
id="12"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<path
|
|
||||||
d="m 154.25,14.45 c 0,0 -4.85,0.5 -9.45,0.95 -7,0.7 -13.45,1.2 -17.85,5.1 -2.95,2.65 -5.05,6.8 -3.6,10.1 2.65,6.1 17.05,9.3 23.85,14 5,3.45 5.95,7.65 4.9,11.1 -1.9,6.35 -10.5,10 -23.85,16.2 -8.35,3.9 -18.6,8.85 -26.1,11.85"
|
|
||||||
style="fill:none;stroke:#000000;stroke-width:0.75px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
|
|
||||||
id="13"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<path
|
|
||||||
d="M 104,86.8 93.05,86.45 102,80.2 l 2,6.6 z"
|
|
||||||
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
|
|
||||||
id="14"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<path
|
|
||||||
d="m 25.85,72.05 0,28.8 67.2,0 0,-28.8 -67.2,0 z"
|
|
||||||
style="fill:#d1ebf1;fill-opacity:1;fill-rule:evenodd;stroke:none"
|
|
||||||
id="15"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<path
|
|
||||||
d="m 25.85,100.85 67.2,0 0,-28.8 -67.2,0 0,28.8 z"
|
|
||||||
style="fill:none;stroke:#1f477d;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
|
|
||||||
id="16"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<text
|
|
||||||
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
|
|
||||||
y="83.199997"
|
|
||||||
x="34.400002"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="17">OpenStack</text>
|
|
||||||
<text
|
|
||||||
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
|
|
||||||
y="95.199997"
|
|
||||||
x="42.400002"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="18">Service</text>
|
|
||||||
</g>
|
|
||||||
</g>
|
|
||||||
</svg>
|
|
Before Width: | Height: | Size: 6.1 KiB |
|
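Review bot: missing documentation. This hunk deletes the whole figure (`@ -1,158 +0,0 @`, `sodipodi:docname="proxyAuth.svg"`), and its text labels ("Request service directly", "305 Use proxy to redirect to Auth") are the only place in the visible lines where that behaviour is drawn: a client that reaches the OpenStack Service directly is sent back through the Auth Component. If the merged branch keeps that behaviour, the replacement docs need an equivalent description; if it does not, say so in the commit message. Either way, check that no remaining .rst file still references proxyAuth.svg, or the docs build will carry a broken image link.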
@ -1,135 +0,0 @@
|
||||||
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
|
|
||||||
<!-- Created with Inkscape (http://www.inkscape.org/) -->
|
|
||||||
|
|
||||||
<svg
|
|
||||||
xmlns:dc="http://purl.org/dc/elements/1.1/"
|
|
||||||
xmlns:cc="http://creativecommons.org/ns#"
|
|
||||||
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
|
|
||||||
xmlns:svg="http://www.w3.org/2000/svg"
|
|
||||||
xmlns="http://www.w3.org/2000/svg"
|
|
||||||
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
|
|
||||||
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
|
|
||||||
width="68.500092"
|
|
||||||
height="110.50006"
|
|
||||||
id="svg2"
|
|
||||||
version="1.1"
|
|
||||||
inkscape:version="0.48.0 r9654"
|
|
||||||
sodipodi:docname="mapper.svg">
|
|
||||||
<defs
|
|
||||||
id="defs4" />
|
|
||||||
<sodipodi:namedview
|
|
||||||
id="base"
|
|
||||||
pagecolor="#ffffff"
|
|
||||||
bordercolor="#666666"
|
|
||||||
borderopacity="1.0"
|
|
||||||
inkscape:pageopacity="0.0"
|
|
||||||
inkscape:pageshadow="2"
|
|
||||||
inkscape:zoom="0.98901497"
|
|
||||||
inkscape:cx="34.262561"
|
|
||||||
inkscape:cy="55.237534"
|
|
||||||
inkscape:document-units="px"
|
|
||||||
inkscape:current-layer="layer1"
|
|
||||||
showgrid="false"
|
|
||||||
fit-margin-top="0"
|
|
||||||
fit-margin-left="0"
|
|
||||||
fit-margin-right="0"
|
|
||||||
fit-margin-bottom="0"
|
|
||||||
inkscape:window-width="912"
|
|
||||||
inkscape:window-height="842"
|
|
||||||
inkscape:window-x="66"
|
|
||||||
inkscape:window-y="87"
|
|
||||||
inkscape:window-maximized="0" />
|
|
||||||
<metadata
|
|
||||||
id="metadata7">
|
|
||||||
<rdf:RDF>
|
|
||||||
<cc:Work
|
|
||||||
rdf:about="">
|
|
||||||
<dc:format>image/svg+xml</dc:format>
|
|
||||||
<dc:type
|
|
||||||
rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
|
|
||||||
<dc:title></dc:title>
|
|
||||||
</cc:Work>
|
|
||||||
</rdf:RDF>
|
|
||||||
</metadata>
|
|
||||||
<g
|
|
||||||
inkscape:label="Layer 1"
|
|
||||||
inkscape:groupmode="layer"
|
|
||||||
id="layer1"
|
|
||||||
transform="translate(-340.73745,-315.32253)">
|
|
||||||
<g
|
|
||||||
id="1"
|
|
||||||
transform="translate(339.55001,314.13506)">
|
|
||||||
<path
|
|
||||||
d="m 1.85,1.85 0,28.8 67.2,0 0,-28.8 -67.2,0 z"
|
|
||||||
style="fill:#fdefe3;fill-opacity:1;fill-rule:evenodd;stroke:none"
|
|
||||||
id="2"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<path
|
|
||||||
d="m 1.85,30.65 67.2,0 0,-28.8 -67.2,0 0,28.8 z"
|
|
||||||
style="fill:none;stroke:#c00000;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
|
|
||||||
id="3"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<text
|
|
||||||
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
|
|
||||||
y="13.6"
|
|
||||||
x="24.799999"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="4">Auth</text>
|
|
||||||
<text
|
|
||||||
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
|
|
||||||
y="24.799999"
|
|
||||||
x="8.8000002"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="5">Component</text>
|
|
||||||
<path
|
|
||||||
d="m 1.85,81.05 67.2,0 0,-28.8 -67.2,0 0,28.8 z"
|
|
||||||
style="fill:none;stroke:#a6a6a6;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
|
|
||||||
id="6"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<text
|
|
||||||
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#bfbfbf;font-family:Arial"
|
|
||||||
y="64"
|
|
||||||
x="24.799999"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="7">Auth</text>
|
|
||||||
<text
|
|
||||||
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#bfbfbf;font-family:Arial"
|
|
||||||
y="75.199997"
|
|
||||||
x="8.8000002"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="8">Component</text>
|
|
||||||
<path
|
|
||||||
d="m 1.85,82.25 0,28.8 67.2,0 0,-28.8 -67.2,0 z"
|
|
||||||
style="fill:#d1ebf1;fill-opacity:1;fill-rule:evenodd;stroke:none"
|
|
||||||
id="9"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<path
|
|
||||||
d="m 1.85,111.05 67.2,0 0,-28.8 -67.2,0 0,28.8 z"
|
|
||||||
style="fill:none;stroke:#1f477d;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
|
|
||||||
id="10"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<text
|
|
||||||
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
|
|
||||||
y="93.599998"
|
|
||||||
x="10.4"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="11">OpenStack</text>
|
|
||||||
<text
|
|
||||||
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
|
|
||||||
y="105.6"
|
|
||||||
x="18.4"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="12">Service</text>
|
|
||||||
<path
|
|
||||||
d="m 35.45,30.65 0,40.9"
|
|
||||||
style="fill:none;stroke:#000000;stroke-width:0.75px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
|
|
||||||
id="13"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<path
|
|
||||||
d="M 38.9,70.7 35.45,81.05 32,70.7 l 6.9,0 z"
|
|
||||||
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
|
|
||||||
id="14"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
</g>
|
|
||||||
</g>
|
|
||||||
</svg>
|
|
Before Width: | Height: | Size: 4.9 KiB |
|
@ -1,52 +0,0 @@
|
||||||
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
|
|
||||||
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
|
|
||||||
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
|
|
||||||
<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
|
|
||||||
-->
|
|
||||||
<!-- Title: DelegateAcceptAuth Pages: 1 -->
|
|
||||||
<svg width="656pt" height="81pt"
|
|
||||||
viewBox="0.00 0.00 656.00 81.23" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
|
|
||||||
<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 77.234)">
|
|
||||||
<title>DelegateAcceptAuth</title>
|
|
||||||
<polygon fill="white" stroke="white" points="-4,5 -4,-77.234 653,-77.234 653,5 -4,5"/>
|
|
||||||
<!-- Start -->
|
|
||||||
<!-- AuthComp -->
|
|
||||||
<g id="node4" class="node"><title>AuthComp</title>
|
|
||||||
<polygon fill="#fdefe3" stroke="#c00000" points="348,-48.234 250,-48.234 250,-8.23398 348,-8.23398 348,-48.234"/>
|
|
||||||
<text text-anchor="middle" x="299" y="-31.634" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
|
|
||||||
<text text-anchor="middle" x="299" y="-15.634" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
|
|
||||||
</g>
|
|
||||||
<!-- Start->AuthComp -->
|
|
||||||
<g id="edge3" class="edge"><title>Start->AuthComp</title>
|
|
||||||
<path fill="none" stroke="black" d="M54.0748,-28.234C97.1107,-28.234 182.142,-28.234 239.791,-28.234"/>
|
|
||||||
<polygon fill="black" stroke="black" points="239.864,-31.7341 249.863,-28.234 239.863,-24.7341 239.864,-31.7341"/>
|
|
||||||
<text text-anchor="middle" x="152" y="-30.634" font-family="Times,serif" font-size="14.00">Authorization: Basic VTpQ</text>
|
|
||||||
</g>
|
|
||||||
<!-- AuthComp->Start -->
|
|
||||||
<g id="edge9" class="edge"><title>AuthComp->Start</title>
|
|
||||||
<path fill="none" stroke="black" d="M249.934,-12.6562C243.944,-11.2496 237.868,-10.0499 232,-9.23398 161.567,0.55976 141.697,4.87673 72,-9.23398 69.1948,-9.80192 66.3471,-10.5503 63.5169,-11.4218"/>
|
|
||||||
<polygon fill="black" stroke="black" points="62.3066,-8.13733 54.0489,-14.7751 64.6436,-14.7357 62.3066,-8.13733"/>
|
|
||||||
<text text-anchor="middle" x="152" y="-11.634" font-family="Times,serif" font-size="14.00">200 Okay</text>
|
|
||||||
</g>
|
|
||||||
<!-- Service -->
|
|
||||||
<g id="node6" class="node"><title>Service</title>
|
|
||||||
<polygon fill="#d1ebf1" stroke="#1f477d" points="648,-48.234 554,-48.234 554,-8.23398 648,-8.23398 648,-48.234"/>
|
|
||||||
<text text-anchor="middle" x="601" y="-31.634" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
|
|
||||||
<text text-anchor="middle" x="601" y="-15.634" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
|
|
||||||
</g>
|
|
||||||
<!-- AuthComp->Service -->
|
|
||||||
<g id="edge5" class="edge"><title>AuthComp->Service</title>
|
|
||||||
<path fill="none" stroke="black" d="M348.194,-28.234C401.691,-28.234 487.101,-28.234 543.616,-28.234"/>
|
|
||||||
<polygon fill="black" stroke="black" points="543.818,-31.7341 553.818,-28.234 543.818,-24.7341 543.818,-31.7341"/>
|
|
||||||
<text text-anchor="middle" x="451" y="-60.634" font-family="Times,serif" font-size="14.00">Authorization: Basic dTpw</text>
|
|
||||||
<text text-anchor="middle" x="451" y="-45.634" font-family="Times,serif" font-size="14.00">X-Authorization: Proxy U</text>
|
|
||||||
<text text-anchor="middle" x="451" y="-30.634" font-family="Times,serif" font-size="14.00">X-Identity-Status: Confirmed</text>
|
|
||||||
</g>
|
|
||||||
<!-- Service->AuthComp -->
|
|
||||||
<g id="edge7" class="edge"><title>Service->AuthComp</title>
|
|
||||||
<path fill="none" stroke="black" d="M553.774,-12.7435C547.845,-11.2995 541.819,-10.067 536,-9.23398 461.207,1.47328 440.836,1.17187 366,-9.23398 363.341,-9.6037 360.639,-10.0522 357.922,-10.5631"/>
|
|
||||||
<polygon fill="black" stroke="black" points="357.121,-7.15517 348.066,-12.6562 358.575,-14.0025 357.121,-7.15517"/>
|
|
||||||
<text text-anchor="middle" x="451" y="-11.634" font-family="Times,serif" font-size="14.00">200 Okay</text>
|
|
||||||
</g>
|
|
||||||
</g>
|
|
||||||
</svg>
|
|
Before Width: | Height: | Size: 3.6 KiB |
|
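Review bot: missing documentation for a trust boundary. The deleted DelegateAcceptAuth graph is where the headers passed on the AuthComp->Service edge are shown (`Authorization: Basic dTpw`, `X-Authorization: Proxy U`, `X-Identity-Status: Confirmed`). The service acts on `X-Identity-Status` as set by the Auth Component, so deployers need to know that this header is part of the contract and has to come from the Auth Component, not from the client. With the figure removed and no replacement visible in this hunk, please point to where the new docs describe these headers, or keep an equivalent diagram.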
@ -1,30 +0,0 @@
|
||||||
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
|
|
||||||
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
|
|
||||||
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
|
|
||||||
<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
|
|
||||||
-->
|
|
||||||
<!-- Title: Seperate Pages: 1 -->
|
|
||||||
<svg width="106pt" height="124pt"
|
|
||||||
viewBox="0.00 0.00 106.00 124.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
|
|
||||||
<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 120)">
|
|
||||||
<title>Seperate</title>
|
|
||||||
<polygon fill="white" stroke="white" points="-4,5 -4,-120 103,-120 103,5 -4,5"/>
|
|
||||||
<!-- AuthComp -->
|
|
||||||
<g id="node2" class="node"><title>AuthComp</title>
|
|
||||||
<polygon fill="#fdefe3" stroke="#c00000" points="98,-116 0,-116 0,-76 98,-76 98,-116"/>
|
|
||||||
<text text-anchor="middle" x="49" y="-99.4" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
|
|
||||||
<text text-anchor="middle" x="49" y="-83.4" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
|
|
||||||
</g>
|
|
||||||
<!-- Service -->
|
|
||||||
<g id="node4" class="node"><title>Service</title>
|
|
||||||
<polygon fill="#d1ebf1" stroke="#1f477d" points="96,-40 2,-40 2,-0 96,-0 96,-40"/>
|
|
||||||
<text text-anchor="middle" x="49" y="-23.4" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
|
|
||||||
<text text-anchor="middle" x="49" y="-7.4" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
|
|
||||||
</g>
|
|
||||||
<!-- AuthComp->Service -->
|
|
||||||
<g id="edge3" class="edge"><title>AuthComp->Service</title>
|
|
||||||
<path fill="none" stroke="black" d="M49,-75.6334C49,-67.8186 49,-58.7253 49,-50.183"/>
|
|
||||||
<polygon fill="black" stroke="black" points="52.5001,-50.1593 49,-40.1593 45.5001,-50.1593 52.5001,-50.1593"/>
|
|
||||||
</g>
|
|
||||||
</g>
|
|
||||||
</svg>
|
|
Before Width: | Height: | Size: 1.6 KiB |
|
@ -1,51 +0,0 @@
|
||||||
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
|
|
||||||
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
|
|
||||||
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
|
|
||||||
<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
|
|
||||||
-->
|
|
||||||
<!-- Title: StandardAcceptAuth Pages: 1 -->
|
|
||||||
<svg width="644pt" height="66pt"
|
|
||||||
viewBox="0.00 0.00 644.00 66.23" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
|
|
||||||
<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 62.234)">
|
|
||||||
<title>StandardAcceptAuth</title>
|
|
||||||
<polygon fill="white" stroke="white" points="-4,5 -4,-62.234 641,-62.234 641,5 -4,5"/>
|
|
||||||
<!-- Start -->
|
|
||||||
<!-- AuthComp -->
|
|
||||||
<g id="node4" class="node"><title>AuthComp</title>
|
|
||||||
<polygon fill="#fdefe3" stroke="#c00000" points="348,-48.234 250,-48.234 250,-8.23398 348,-8.23398 348,-48.234"/>
|
|
||||||
<text text-anchor="middle" x="299" y="-31.634" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
|
|
||||||
<text text-anchor="middle" x="299" y="-15.634" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
|
|
||||||
</g>
|
|
||||||
<!-- Start->AuthComp -->
|
|
||||||
<g id="edge3" class="edge"><title>Start->AuthComp</title>
|
|
||||||
<path fill="none" stroke="black" d="M54.0748,-28.234C97.1107,-28.234 182.142,-28.234 239.791,-28.234"/>
|
|
||||||
<polygon fill="black" stroke="black" points="239.864,-31.7341 249.863,-28.234 239.863,-24.7341 239.864,-31.7341"/>
|
|
||||||
<text text-anchor="middle" x="152" y="-30.634" font-family="Times,serif" font-size="14.00">Authorization: Basic VTpQ</text>
|
|
||||||
</g>
|
|
||||||
<!-- AuthComp->Start -->
|
|
||||||
<g id="edge9" class="edge"><title>AuthComp->Start</title>
|
|
||||||
<path fill="none" stroke="black" d="M249.934,-12.6562C243.944,-11.2496 237.868,-10.0499 232,-9.23398 161.567,0.55976 141.697,4.87673 72,-9.23398 69.1948,-9.80192 66.3471,-10.5503 63.5169,-11.4218"/>
|
|
||||||
<polygon fill="black" stroke="black" points="62.3066,-8.13733 54.0489,-14.7751 64.6436,-14.7357 62.3066,-8.13733"/>
|
|
||||||
<text text-anchor="middle" x="152" y="-11.634" font-family="Times,serif" font-size="14.00">200 Okay</text>
|
|
||||||
</g>
|
|
||||||
<!-- Service -->
|
|
||||||
<g id="node6" class="node"><title>Service</title>
|
|
||||||
<polygon fill="#d1ebf1" stroke="#1f477d" points="636,-48.234 542,-48.234 542,-8.23398 636,-8.23398 636,-48.234"/>
|
|
||||||
<text text-anchor="middle" x="589" y="-31.634" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
|
|
||||||
<text text-anchor="middle" x="589" y="-15.634" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
|
|
||||||
</g>
|
|
||||||
<!-- AuthComp->Service -->
|
|
||||||
<g id="edge5" class="edge"><title>AuthComp->Service</title>
|
|
||||||
<path fill="none" stroke="black" d="M348.195,-28.234C399.052,-28.234 478.372,-28.234 531.947,-28.234"/>
|
|
||||||
<polygon fill="black" stroke="black" points="531.971,-31.7341 541.971,-28.234 531.971,-24.7341 531.971,-31.7341"/>
|
|
||||||
<text text-anchor="middle" x="445" y="-45.634" font-family="Times,serif" font-size="14.00">Authorization: Basic dTpw</text>
|
|
||||||
<text text-anchor="middle" x="445" y="-30.634" font-family="Times,serif" font-size="14.00">X-Authorization: Proxy U</text>
|
|
||||||
</g>
|
|
||||||
<!-- Service->AuthComp -->
|
|
||||||
<g id="edge7" class="edge"><title>Service->AuthComp</title>
|
|
||||||
<path fill="none" stroke="black" d="M541.774,-12.7435C535.845,-11.2995 529.819,-10.067 524,-9.23398 454.486,0.717471 435.553,0.437338 366,-9.23398 363.341,-9.6037 360.639,-10.0522 357.922,-10.5631"/>
|
|
||||||
<polygon fill="black" stroke="black" points="357.121,-7.15517 348.066,-12.6562 358.575,-14.0025 357.121,-7.15517"/>
|
|
||||||
<text text-anchor="middle" x="445" y="-11.634" font-family="Times,serif" font-size="14.00">200 Okay</text>
|
|
||||||
</g>
|
|
||||||
</g>
|
|
||||||
</svg>
|
|
Before Width: | Height: | Size: 3.5 KiB |
|
@ -1,39 +0,0 @@
|
||||||
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
|
|
||||||
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
|
|
||||||
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
|
|
||||||
<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
|
|
||||||
-->
|
|
||||||
<!-- Title: StandardRejectAuth Pages: 1 -->
|
|
||||||
<svg width="590pt" height="84pt"
|
|
||||||
viewBox="0.00 0.00 590.00 84.11" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
|
|
||||||
<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 80.1142)">
|
|
||||||
<title>StandardRejectAuth</title>
|
|
||||||
<polygon fill="white" stroke="white" points="-4,5 -4,-80.1142 587,-80.1142 587,5 -4,5"/>
|
|
||||||
<!-- Start -->
|
|
||||||
<!-- AuthComp -->
|
|
||||||
<g id="node4" class="node"><title>AuthComp</title>
|
|
||||||
<polygon fill="#fdefe3" stroke="#c00000" points="470,-72.1142 372,-72.1142 372,-32.1142 470,-32.1142 470,-72.1142"/>
|
|
||||||
<text text-anchor="middle" x="421" y="-55.5142" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
|
|
||||||
<text text-anchor="middle" x="421" y="-39.5142" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
|
|
||||||
</g>
|
|
||||||
<!-- Start->AuthComp -->
|
|
||||||
<g id="edge3" class="edge"><title>Start->AuthComp</title>
|
|
||||||
<path fill="none" stroke="black" d="M54.087,-55.6146C59.9818,-56.239 66.1921,-56.7925 72,-57.1142 197.142,-64.0451 228.754,-61.7811 354,-57.1142 356.55,-57.0192 359.153,-56.9039 361.782,-56.7725"/>
|
|
||||||
<polygon fill="black" stroke="black" points="362.204,-60.2543 371.991,-56.1946 361.809,-53.2655 362.204,-60.2543"/>
|
|
||||||
<text text-anchor="middle" x="213" y="-63.5142" font-family="Times,serif" font-size="14.00">Authorization: Basic Yjpw</text>
|
|
||||||
</g>
|
|
||||||
<!-- AuthComp->Start -->
|
|
||||||
<g id="edge5" class="edge"><title>AuthComp->Start</title>
|
|
||||||
<path fill="none" stroke="black" d="M381.842,-32.0145C372.913,-28.3297 363.309,-25.0423 354,-23.1142 231.272,2.30687 192.234,12.2721 72,-23.1142 67.3413,-24.4853 62.7097,-26.5048 58.2883,-28.8508"/>
|
|
||||||
<polygon fill="black" stroke="black" points="56.3831,-25.9114 49.5663,-34.022 59.9531,-31.9327 56.3831,-25.9114"/>
|
|
||||||
<text text-anchor="middle" x="213" y="-40.5142" font-family="Times,serif" font-size="14.00">401 Unauthorized</text>
|
|
||||||
<text text-anchor="middle" x="213" y="-25.5142" font-family="Times,serif" font-size="14.00">WWW-Authenticate: Basic Realm="API Realm"</text>
|
|
||||||
</g>
|
|
||||||
<!-- Service -->
|
|
||||||
<g id="node8" class="node"><title>Service</title>
|
|
||||||
<polygon fill="#d1ebf1" stroke="#1f477d" points="582,-72.1142 488,-72.1142 488,-32.1142 582,-32.1142 582,-72.1142"/>
|
|
||||||
<text text-anchor="middle" x="535" y="-55.5142" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
|
|
||||||
<text text-anchor="middle" x="535" y="-39.5142" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
|
|
||||||
</g>
|
|
||||||
</g>
|
|
||||||
</svg>
|
|
Before Width: | Height: | Size: 2.7 KiB |
|
@ -1,24 +0,0 @@
|
||||||
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
|
|
||||||
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
|
|
||||||
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
|
|
||||||
<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
|
|
||||||
-->
|
|
||||||
<!-- Title: Together Pages: 1 -->
|
|
||||||
<svg width="116pt" height="104pt"
|
|
||||||
viewBox="0.00 0.00 116.00 104.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
|
|
||||||
<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 100)">
|
|
||||||
<title>Together</title>
|
|
||||||
<polygon fill="white" stroke="white" points="-4,5 -4,-100 113,-100 113,5 -4,5"/>
|
|
||||||
<!-- Together -->
|
|
||||||
<g id="node2" class="node"><title>Together</title>
|
|
||||||
<polygon fill="#fdefe3" stroke="#fdefe3" points="8,-47 8,-91 101,-91 101,-47 8,-47"/>
|
|
||||||
<polygon fill="none" stroke="#c00000" points="8,-47 8,-91 101,-91 101,-47 8,-47"/>
|
|
||||||
<text text-anchor="start" x="38" y="-75.2333" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
|
|
||||||
<text text-anchor="start" x="13.5" y="-58.4333" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
|
|
||||||
<polygon fill="#d1ebf1" stroke="#d1ebf1" points="8,-4 8,-47 101,-47 101,-4 8,-4"/>
|
|
||||||
<polygon fill="none" stroke="#1f477d" points="8,-4 8,-47 101,-47 101,-4 8,-4"/>
|
|
||||||
<text text-anchor="start" x="15.5" y="-31.7333" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
|
|
||||||
<text text-anchor="start" x="28" y="-14.9333" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
|
|
||||||
</g>
|
|
||||||
</g>
|
|
||||||
</svg>
|
|
Before Width: | Height: | Size: 1.4 KiB |
|
@ -1,215 +0,0 @@
|
||||||
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
|
|
||||||
<!-- Created with Inkscape (http://www.inkscape.org/) -->
|
|
||||||
|
|
||||||
<svg
|
|
||||||
xmlns:dc="http://purl.org/dc/elements/1.1/"
|
|
||||||
xmlns:cc="http://creativecommons.org/ns#"
|
|
||||||
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
|
|
||||||
xmlns:svg="http://www.w3.org/2000/svg"
|
|
||||||
xmlns="http://www.w3.org/2000/svg"
|
|
||||||
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
|
|
||||||
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
|
|
||||||
width="183.71901"
|
|
||||||
height="100.41289"
|
|
||||||
id="svg2"
|
|
||||||
version="1.1"
|
|
||||||
inkscape:version="0.48.0 r9654"
|
|
||||||
sodipodi:docname="authComp.svg">
|
|
||||||
<defs
|
|
||||||
id="defs4" />
|
|
||||||
<sodipodi:namedview
|
|
||||||
id="base"
|
|
||||||
pagecolor="#ffffff"
|
|
||||||
bordercolor="#666666"
|
|
||||||
borderopacity="1.0"
|
|
||||||
inkscape:pageopacity="0.0"
|
|
||||||
inkscape:pageshadow="2"
|
|
||||||
inkscape:zoom="0.98901497"
|
|
||||||
inkscape:cx="69.71099"
|
|
||||||
inkscape:cy="-12.532713"
|
|
||||||
inkscape:document-units="px"
|
|
||||||
inkscape:current-layer="layer1"
|
|
||||||
showgrid="false"
|
|
||||||
fit-margin-top="0"
|
|
||||||
fit-margin-left="0"
|
|
||||||
fit-margin-right="0"
|
|
||||||
fit-margin-bottom="0"
|
|
||||||
inkscape:window-width="912"
|
|
||||||
inkscape:window-height="842"
|
|
||||||
inkscape:window-x="66"
|
|
||||||
inkscape:window-y="87"
|
|
||||||
inkscape:window-maximized="0" />
|
|
||||||
<metadata
|
|
||||||
id="metadata7">
|
|
||||||
<rdf:RDF>
|
|
||||||
<cc:Work
|
|
||||||
rdf:about="">
|
|
||||||
<dc:format>image/svg+xml</dc:format>
|
|
||||||
<dc:type
|
|
||||||
rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
|
|
||||||
<dc:title></dc:title>
|
|
||||||
</cc:Work>
|
|
||||||
</rdf:RDF>
|
|
||||||
</metadata>
|
|
||||||
<g
|
|
||||||
inkscape:label="Layer 1"
|
|
||||||
inkscape:groupmode="layer"
|
|
||||||
id="layer1"
|
|
||||||
transform="translate(-305.28902,-419.41658)">
|
|
||||||
<g
|
|
||||||
id="1"
|
|
||||||
transform="translate(304.10174,415.42322)">
|
|
||||||
<path
|
|
||||||
d="m 117.05,14.8 0,28.8 67.2,0 0,-28.8 -67.2,0 z"
|
|
||||||
style="fill:#fdefe3;fill-opacity:1;fill-rule:evenodd;stroke:none"
|
|
||||||
id="2"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<path
|
|
||||||
d="m 117.05,43.6 67.2,0 0,-28.8 -67.2,0 0,28.8 z"
|
|
||||||
style="fill:none;stroke:#c00000;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
|
|
||||||
id="3"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<text
|
|
||||||
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
|
|
||||||
y="26.4"
|
|
||||||
x="140"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="4">Auth</text>
|
|
||||||
<text
|
|
||||||
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
|
|
||||||
y="37.599998"
|
|
||||||
x="124"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="5">Component</text>
|
|
||||||
<path
|
|
||||||
d="m 117.05,72.4 0,28.8 67.2,0 0,-28.8 -67.2,0 z"
|
|
||||||
style="fill:#d1ebf1;fill-opacity:1;fill-rule:evenodd;stroke:none"
|
|
||||||
id="6"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<path
|
|
||||||
d="m 117.05,101.2 67.2,0 0,-28.8 -67.2,0 0,28.8 z"
|
|
||||||
style="fill:none;stroke:#1f477d;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
|
|
||||||
id="7"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<text
|
|
||||||
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
|
|
||||||
y="84"
|
|
||||||
x="125.6"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="8">OpenStack</text>
|
|
||||||
<text
|
|
||||||
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
|
|
||||||
y="95.199997"
|
|
||||||
x="133.60001"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="9">Service</text>
|
|
||||||
<path
|
|
||||||
d="m 150.65,43.6 0,19.3"
|
|
||||||
style="fill:none;stroke:#000000;stroke-width:0.75px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
|
|
||||||
id="10"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<path
|
|
||||||
d="m 154.1,62.05 -3.45,10.35 -3.45,-10.35 6.9,0 z"
|
|
||||||
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
|
|
||||||
id="11"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<text
|
|
||||||
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
|
|
||||||
y="10.4"
|
|
||||||
x="131.2"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="12">Option </text>
|
|
||||||
<text
|
|
||||||
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
|
|
||||||
y="10.4"
|
|
||||||
x="158.39999"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="13">(</text>
|
|
||||||
<text
|
|
||||||
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
|
|
||||||
y="10.4"
|
|
||||||
x="161.60001"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="14">b</text>
|
|
||||||
<text
|
|
||||||
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
|
|
||||||
y="10.4"
|
|
||||||
x="166.39999"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="15">)</text>
|
|
||||||
<path
|
|
||||||
d="m 1.85,14.8 0,28.8 67.2,0 0,-28.8 -67.2,0 z"
|
|
||||||
style="fill:#fdefe3;fill-opacity:1;fill-rule:evenodd;stroke:none"
|
|
||||||
id="16"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<path
|
|
||||||
d="m 1.85,43.6 67.2,0 0,-28.8 -67.2,0 0,28.8 z"
|
|
||||||
style="fill:none;stroke:#c00000;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
|
|
||||||
id="17"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<text
|
|
||||||
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
|
|
||||||
y="26.4"
|
|
||||||
x="24.799999"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="18">Auth</text>
|
|
||||||
<text
|
|
||||||
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
|
|
||||||
y="37.599998"
|
|
||||||
x="8.8000002"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="19">Component</text>
|
|
||||||
<path
|
|
||||||
d="m 1.85,44.8 0,28.8 67.2,0 0,-28.8 -67.2,0 z"
|
|
||||||
style="fill:#d1ebf1;fill-opacity:1;fill-rule:evenodd;stroke:none"
|
|
||||||
id="20"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<path
|
|
||||||
d="m 1.85,73.6 67.2,0 0,-28.8 -67.2,0 0,28.8 z"
|
|
||||||
style="fill:none;stroke:#1f477d;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
|
|
||||||
id="21"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<text
|
|
||||||
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
|
|
||||||
y="56"
|
|
||||||
x="10.4"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="22">OpenStack</text>
|
|
||||||
<text
|
|
||||||
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
|
|
||||||
y="68"
|
|
||||||
x="18.4"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="23">Service</text>
|
|
||||||
<text
|
|
||||||
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
|
|
||||||
y="10.4"
|
|
||||||
x="13.6"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="24">Option </text>
|
|
||||||
<text
|
|
||||||
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
|
|
||||||
y="10.4"
|
|
||||||
x="41.599998"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="25">(</text>
|
|
||||||
<text
|
|
||||||
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
|
|
||||||
y="10.4"
|
|
||||||
x="44"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="26">a</text>
|
|
||||||
<text
|
|
||||||
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
|
|
||||||
y="10.4"
|
|
||||||
x="48.799999"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="27">)</text>
|
|
||||||
<path
|
|
||||||
d="m 93.45,5.2 0,5.6 c 0,0.25 -0.15,0.4 -0.4,0.4 -0.2,0 -0.4,-0.15 -0.4,-0.4 l 0,-5.6 c 0,-0.2 0.2,-0.4 0.4,-0.4 0.25,0 0.4,0.2 0.4,0.4 z m 0,9.6 0,5.6 c 0,0.25 -0.15,0.4 -0.4,0.4 -0.2,0 -0.4,-0.15 -0.4,-0.4 l 0,-5.6 c 0,-0.2 0.2,-0.4 0.4,-0.4 0.25,0 0.4,0.2 0.4,0.4 z m 0,9.6 0,5.6 c 0,0.25 -0.15,0.4 -0.4,0.4 -0.2,0 -0.4,-0.15 -0.4,-0.4 l 0,-5.6 c 0,-0.2 0.2,-0.4 0.4,-0.4 0.25,0 0.4,0.2 0.4,0.4 z m 0,9.6 0,5.6 c 0,0.25 -0.15,0.4 -0.4,0.4 -0.2,0 -0.4,-0.15 -0.4,-0.4 l 0,-5.6 c 0,-0.2 0.2,-0.4 0.4,-0.4 0.25,0 0.4,0.2 0.4,0.4 z m 0,9.6 0,5.6 c 0,0.25 -0.15,0.4 -0.4,0.4 -0.2,0 -0.4,-0.15 -0.4,-0.4 l 0,-5.6 c 0,-0.2 0.2,-0.4 0.4,-0.4 0.25,0 0.4,0.2 0.4,0.4 z m 0,9.6 0,5.6 c 0,0.25 -0.15,0.4 -0.4,0.4 -0.2,0 -0.4,-0.15 -0.4,-0.4 l 0,-5.6 c 0,-0.2 0.2,-0.4 0.4,-0.4 0.25,0 0.4,0.2 0.4,0.4 z m 0,9.6 0,5.6 c 0,0.25 -0.15,0.4 -0.4,0.4 -0.2,0 -0.4,-0.15 -0.4,-0.4 l 0,-5.6 c 0,-0.2 0.2,-0.4 0.4,-0.4 0.25,0 0.4,0.2 0.4,0.4 z m 0,9.6 0,5.6 c 0,0.25 -0.15,0.4 -0.4,0.4 -0.2,0 -0.4,-0.15 -0.4,-0.4 l 0,-5.6 c 0,-0.2 0.2,-0.4 0.4,-0.4 0.25,0 0.4,0.2 0.4,0.4 z m 0,9.6 0,5.6 c 0,0.25 -0.15,0.4 -0.4,0.4 -0.2,0 -0.4,-0.15 -0.4,-0.4 l 0,-5.6 c 0,-0.2 0.2,-0.4 0.4,-0.4 0.25,0 0.4,0.2 0.4,0.4 z m 0,9.6 0,5.6 c 0,0.25 -0.15,0.4 -0.4,0.4 -0.2,0 -0.4,-0.15 -0.4,-0.4 l 0,-5.6 c 0,-0.2 0.2,-0.4 0.4,-0.4 0.25,0 0.4,0.2 0.4,0.4 z m 0,9.6 0,2.4 c 0,0.25 -0.15,0.4 -0.4,0.4 -0.2,0 -0.4,-0.15 -0.4,-0.4 l 0,-2.4 c 0,-0.2 0.2,-0.4 0.4,-0.4 0.25,0 0.4,0.2 0.4,0.4 z"
|
|
||||||
style="fill:#1f477d;fill-opacity:1;fill-rule:nonzero;stroke:#1f477d;stroke-width:0.80000001px;stroke-linecap:butt;stroke-linejoin:bevel;stroke-opacity:1;stroke-dasharray:none"
|
|
||||||
id="28"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
</g>
|
|
||||||
</g>
|
|
||||||
</svg>
|
|
Before Width: | Height: | Size: 9.7 KiB |
|
@ -1,237 +0,0 @@
|
||||||
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
|
|
||||||
<!-- Created with Inkscape (http://www.inkscape.org/) -->
|
|
||||||
|
|
||||||
<svg
|
|
||||||
xmlns:dc="http://purl.org/dc/elements/1.1/"
|
|
||||||
xmlns:cc="http://creativecommons.org/ns#"
|
|
||||||
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
|
|
||||||
xmlns:svg="http://www.w3.org/2000/svg"
|
|
||||||
xmlns="http://www.w3.org/2000/svg"
|
|
||||||
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
|
|
||||||
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
|
|
||||||
width="118.9"
|
|
||||||
height="159.425"
|
|
||||||
id="svg2"
|
|
||||||
version="1.1"
|
|
||||||
inkscape:version="0.48.0 r9654"
|
|
||||||
sodipodi:docname="mapper.svg">
|
|
||||||
<defs
|
|
||||||
id="defs4" />
|
|
||||||
<sodipodi:namedview
|
|
||||||
id="base"
|
|
||||||
pagecolor="#ffffff"
|
|
||||||
bordercolor="#666666"
|
|
||||||
borderopacity="1.0"
|
|
||||||
inkscape:pageopacity="0.0"
|
|
||||||
inkscape:pageshadow="2"
|
|
||||||
inkscape:zoom="1"
|
|
||||||
inkscape:cx="50.251985"
|
|
||||||
inkscape:cy="133.71622"
|
|
||||||
inkscape:document-units="px"
|
|
||||||
inkscape:current-layer="layer1"
|
|
||||||
showgrid="false"
|
|
||||||
fit-margin-top="0"
|
|
||||||
fit-margin-left="0"
|
|
||||||
fit-margin-right="0"
|
|
||||||
fit-margin-bottom="0"
|
|
||||||
inkscape:window-width="1920"
|
|
||||||
inkscape:window-height="1024"
|
|
||||||
inkscape:window-x="-4"
|
|
||||||
inkscape:window-y="-4"
|
|
||||||
inkscape:window-maximized="1" />
|
|
||||||
<metadata
|
|
||||||
id="metadata7">
|
|
||||||
<rdf:RDF>
|
|
||||||
<cc:Work
|
|
||||||
rdf:about="">
|
|
||||||
<dc:format>image/svg+xml</dc:format>
|
|
||||||
<dc:type
|
|
||||||
rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
|
|
||||||
<dc:title />
|
|
||||||
</cc:Work>
|
|
||||||
</rdf:RDF>
|
|
||||||
</metadata>
|
|
||||||
<g
|
|
||||||
inkscape:label="Layer 1"
|
|
||||||
inkscape:groupmode="layer"
|
|
||||||
id="layer1"
|
|
||||||
transform="translate(106.03799,-264.63332)">
|
|
||||||
<g
|
|
||||||
id="g3015">
|
|
||||||
<path
|
|
||||||
d="m -80.18799,394.60832 0,28.8 67.2,0 0,-28.8 -67.2,0 z"
|
|
||||||
style="fill:#d1ebf1;fill-opacity:1;fill-rule:evenodd;stroke:none"
|
|
||||||
id="2"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<path
|
|
||||||
d="m -80.18799,423.40832 67.2,0 0,-28.8 -67.2,0 0,28.8 z"
|
|
||||||
style="fill:none;stroke:#1f477d;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
|
|
||||||
id="3"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<text
|
|
||||||
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
|
|
||||||
y="405.85831"
|
|
||||||
x="-72.037987"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="4">OpenStack</text>
|
|
||||||
<text
|
|
||||||
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
|
|
||||||
y="417.85831"
|
|
||||||
x="-64.037987"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="5">Service</text>
|
|
||||||
<path
|
|
||||||
d="m -46.58799,265.00832 0,19.3"
|
|
||||||
style="fill:none;stroke:#000000;stroke-width:0.75px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
|
|
||||||
id="6"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<path
|
|
||||||
d="m -42.804657,340.4626 -3.45,10.35 -3.45,-10.35 6.9,0 z"
|
|
||||||
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
|
|
||||||
id="7"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<path
|
|
||||||
d="m -46.58799,365.80832 0,19.3"
|
|
||||||
style="fill:none;stroke:#000000;stroke-width:0.75px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
|
|
||||||
id="10"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<path
|
|
||||||
d="m -43.13799,384.25832 -3.45,10.35 -3.45,-10.35 6.9,0 z"
|
|
||||||
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
|
|
||||||
id="11"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<path
|
|
||||||
d="m -80.18799,322.60832 c -7.2,7.2 -7.2,13.45 -7.2,17.1 0,0.6 0,1.1 0,1.6"
|
|
||||||
style="fill:none;stroke:#000000;stroke-width:0.75px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
|
|
||||||
id="12"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<path
|
|
||||||
d="m -83.98799,340.25832 -2.8,10.55 -4.1,-10.15 6.9,-0.4 z"
|
|
||||||
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
|
|
||||||
id="13"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<path
|
|
||||||
d="m -12.98799,322.60832 c 4.4,7 5.3,13.3 4.9,18.7"
|
|
||||||
style="fill:none;stroke:#000000;stroke-width:0.75px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
|
|
||||||
id="14"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<path
|
|
||||||
d="m -4.68799,340.25832 -2.9,10.55 -4,-10.15 6.9,-0.4 z"
|
|
||||||
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
|
|
||||||
id="15"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<path
|
|
||||||
d="m -6.98799,366.40832 -17.75,20.4"
|
|
||||||
style="fill:none;stroke:#000000;stroke-width:0.75px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
|
|
||||||
id="16"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<path
|
|
||||||
d="m -21.58799,388.45832 -9.4,5.55 4.2,-10.1 5.2,4.55 z"
|
|
||||||
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
|
|
||||||
id="17"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<path
|
|
||||||
d="m -85.58799,366.40832 15.25,20.05"
|
|
||||||
style="fill:none;stroke:#000000;stroke-width:0.75px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
|
|
||||||
id="18"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<path
|
|
||||||
d="m -68.08799,383.65832 3.5,10.35 -9,-6.15 5.5,-4.2 z"
|
|
||||||
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
|
|
||||||
id="19"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<path
|
|
||||||
d="m -80.18799,293.80832 0,28.8 67.2,0 0,-28.8 -67.2,0 z"
|
|
||||||
style="fill:#ebf1de;fill-opacity:1;fill-rule:evenodd;stroke:none"
|
|
||||||
id="20"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<path
|
|
||||||
d="m -80.18799,322.60832 67.2,0 0,-28.8 -67.2,0 0,28.8 z"
|
|
||||||
style="fill:none;stroke:#688037;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
|
|
||||||
id="21"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<text
|
|
||||||
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
|
|
||||||
y="311.45834"
|
|
||||||
x="-64.037987"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="22">Mapper</text>
|
|
||||||
<path
|
|
||||||
d="m -105.38799,351.40832 0,14.4 38.4,0 0,-14.4 -38.4,0 z"
|
|
||||||
style="fill:#fdefe3;fill-opacity:1;fill-rule:evenodd;stroke:none"
|
|
||||||
id="23"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<path
|
|
||||||
d="m -105.38799,365.80832 38.4,0 0,-14.4 -38.4,0 0,14.4 z"
|
|
||||||
style="fill:none;stroke:#c00000;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
|
|
||||||
id="24"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<text
|
|
||||||
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
|
|
||||||
y="361.85831"
|
|
||||||
x="-100.03799"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="25">Auth</text>
|
|
||||||
<text
|
|
||||||
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
|
|
||||||
y="361.85831"
|
|
||||||
x="-77.637993"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="26">1</text>
|
|
||||||
<path
|
|
||||||
d="m -65.78799,351.40832 0,14.4 38.4,0 0,-14.4 -38.4,0 z"
|
|
||||||
style="fill:#fdefe3;fill-opacity:1;fill-rule:evenodd;stroke:none"
|
|
||||||
id="27"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<path
|
|
||||||
d="m -65.78799,365.80832 38.4,0 0,-14.4 -38.4,0 0,14.4 z"
|
|
||||||
style="fill:none;stroke:#c00000;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
|
|
||||||
id="28"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<text
|
|
||||||
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
|
|
||||||
y="361.85831"
|
|
||||||
x="-60.037991"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="29">Auth</text>
|
|
||||||
<text
|
|
||||||
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
|
|
||||||
y="361.85831"
|
|
||||||
x="-38.437988"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="30">2</text>
|
|
||||||
<path
|
|
||||||
d="m -26.18799,351.40832 0,14.4 38.4,0 0,-14.4 -38.4,0 z"
|
|
||||||
style="fill:#fdefe3;fill-opacity:1;fill-rule:evenodd;stroke:none"
|
|
||||||
id="31"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<path
|
|
||||||
d="m -26.18799,365.80832 38.4,0 0,-14.4 -38.4,0 0,14.4 z"
|
|
||||||
style="fill:none;stroke:#c00000;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
|
|
||||||
id="32"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<text
|
|
||||||
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
|
|
||||||
y="361.85831"
|
|
||||||
x="-20.837988"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="33">Auth</text>
|
|
||||||
<text
|
|
||||||
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
|
|
||||||
y="361.85831"
|
|
||||||
x="1.562013"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="34">3</text>
|
|
||||||
<path
|
|
||||||
d="m -46.000001,323.49386 0,18.51832"
|
|
||||||
style="fill:none;stroke:#000000;stroke-width:0.73465496;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none"
|
|
||||||
id="6-1"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<path
|
|
||||||
d="m -42.883334,284.52051 -3.45,10.35 -3.45,-10.35 6.9,0 z"
|
|
||||||
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
|
|
||||||
id="7-7"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
</g>
|
|
||||||
</g>
|
|
||||||
</svg>
|
|
Before Width: | Height: | Size: 9.8 KiB |
|
@ -1,238 +0,0 @@
|
||||||
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
|
|
||||||
<!-- Created with Inkscape (http://www.inkscape.org/) -->
|
|
||||||
|
|
||||||
<svg
|
|
||||||
xmlns:dc="http://purl.org/dc/elements/1.1/"
|
|
||||||
xmlns:cc="http://creativecommons.org/ns#"
|
|
||||||
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
|
|
||||||
xmlns:svg="http://www.w3.org/2000/svg"
|
|
||||||
xmlns="http://www.w3.org/2000/svg"
|
|
||||||
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
|
|
||||||
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
|
|
||||||
width="360.43942"
|
|
||||||
height="43.693935"
|
|
||||||
id="svg2"
|
|
||||||
version="1.1"
|
|
||||||
inkscape:version="0.48.0 r9654"
|
|
||||||
sodipodi:docname="layouts.svg">
|
|
||||||
<defs
|
|
||||||
id="defs4" />
|
|
||||||
<sodipodi:namedview
|
|
||||||
id="base"
|
|
||||||
pagecolor="#ffffff"
|
|
||||||
bordercolor="#666666"
|
|
||||||
borderopacity="1.0"
|
|
||||||
inkscape:pageopacity="0.0"
|
|
||||||
inkscape:pageshadow="2"
|
|
||||||
inkscape:zoom="0.98901497"
|
|
||||||
inkscape:cx="238.80946"
|
|
||||||
inkscape:cy="161.99774"
|
|
||||||
inkscape:document-units="px"
|
|
||||||
inkscape:current-layer="layer1"
|
|
||||||
showgrid="false"
|
|
||||||
fit-margin-top="0"
|
|
||||||
fit-margin-left="0"
|
|
||||||
fit-margin-right="0"
|
|
||||||
fit-margin-bottom="0"
|
|
||||||
inkscape:window-width="912"
|
|
||||||
inkscape:window-height="842"
|
|
||||||
inkscape:window-x="66"
|
|
||||||
inkscape:window-y="87"
|
|
||||||
inkscape:window-maximized="0" />
|
|
||||||
<metadata
|
|
||||||
id="metadata7">
|
|
||||||
<rdf:RDF>
|
|
||||||
<cc:Work
|
|
||||||
rdf:about="">
|
|
||||||
<dc:format>image/svg+xml</dc:format>
|
|
||||||
<dc:type
|
|
||||||
rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
|
|
||||||
<dc:title></dc:title>
|
|
||||||
</cc:Work>
|
|
||||||
</rdf:RDF>
|
|
||||||
</metadata>
|
|
||||||
<g
|
|
||||||
inkscape:label="Layer 1"
|
|
||||||
inkscape:groupmode="layer"
|
|
||||||
id="layer1"
|
|
||||||
transform="translate(-136.19055,-650.66599)">
|
|
||||||
<g
|
|
||||||
id="1"
|
|
||||||
transform="translate(134.9737,646.56521)">
|
|
||||||
<text
|
|
||||||
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
|
|
||||||
y="10.4"
|
|
||||||
x="190.39999"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="2">Authorization</text>
|
|
||||||
<text
|
|
||||||
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
|
|
||||||
y="10.4"
|
|
||||||
x="240.8"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="3">: </text>
|
|
||||||
<text
|
|
||||||
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
|
|
||||||
y="10.4"
|
|
||||||
x="245.60001"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="4">Basic dTpw</text>
|
|
||||||
<text
|
|
||||||
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
|
|
||||||
y="20"
|
|
||||||
x="190.39999"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="5">X</text>
|
|
||||||
<text
|
|
||||||
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
|
|
||||||
y="20"
|
|
||||||
x="196"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="6">-</text>
|
|
||||||
<text
|
|
||||||
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
|
|
||||||
y="20"
|
|
||||||
x="199.2"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="7">Authorization</text>
|
|
||||||
<text
|
|
||||||
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
|
|
||||||
y="20"
|
|
||||||
x="248.8"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="8">: </text>
|
|
||||||
<text
|
|
||||||
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
|
|
||||||
y="20"
|
|
||||||
x="253.60001"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="9">Proxy U</text>
|
|
||||||
<text
|
|
||||||
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
|
|
||||||
y="20"
|
|
||||||
x="5.5999999"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="10">Authorization</text>
|
|
||||||
<text
|
|
||||||
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
|
|
||||||
y="20"
|
|
||||||
x="56"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="11">: </text>
|
|
||||||
<text
|
|
||||||
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
|
|
||||||
y="20"
|
|
||||||
x="60.799999"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="12">Basic VTpQ</text>
|
|
||||||
<text
|
|
||||||
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#ff0000;font-family:Arial"
|
|
||||||
y="31.200001"
|
|
||||||
x="34.400002"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="13">500 </text>
|
|
||||||
<text
|
|
||||||
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#ff0000;font-family:Arial"
|
|
||||||
y="31.200001"
|
|
||||||
x="50.400002"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="14">Internal Error</text>
|
|
||||||
<text
|
|
||||||
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#ff0000;font-family:Arial"
|
|
||||||
y="32.799999"
|
|
||||||
x="190.39999"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="15">403 </text>
|
|
||||||
<text
|
|
||||||
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#ff0000;font-family:Arial"
|
|
||||||
y="32.799999"
|
|
||||||
x="206.39999"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="16">Proxy Unauthorized</text>
|
|
||||||
<path
|
|
||||||
d="m 114.4,23.3 c 1,12.6 -38.55,19.05 -91.35,14.85"
|
|
||||||
style="fill:none;stroke:#ff0000;stroke-width:0.75px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
|
|
||||||
id="17"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<path
|
|
||||||
d="m 23.6,41.65 -10,-4.35 10.65,-2.55 -0.65,6.9 z"
|
|
||||||
style="fill:#ff0000;fill-opacity:1;fill-rule:evenodd;stroke:none"
|
|
||||||
id="18"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<path
|
|
||||||
d="m 115.6,8.5 0,28.8 67.2,0 0,-28.8 -67.2,0 z"
|
|
||||||
style="fill:#fdefe3;fill-opacity:1;fill-rule:evenodd;stroke:none"
|
|
||||||
id="19"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<path
|
|
||||||
d="m 115.6,37.3 67.2,0 0,-28.8 -67.2,0 0,28.8 z"
|
|
||||||
style="fill:none;stroke:#c00000;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
|
|
||||||
id="20"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<text
|
|
||||||
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
|
|
||||||
y="20"
|
|
||||||
x="138.39999"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="21">Auth</text>
|
|
||||||
<text
|
|
||||||
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
|
|
||||||
y="31.200001"
|
|
||||||
x="122.4"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="22">Component</text>
|
|
||||||
<path
|
|
||||||
d="M 292.6,22.9 C 295,47.25 251.2,54.6 192,39.75"
|
|
||||||
style="fill:none;stroke:#ff0000;stroke-width:0.75px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
|
|
||||||
id="23"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<path
|
|
||||||
d="m 191.95,43.3 -9.15,-6 10.9,-0.7 -1.75,6.7 z"
|
|
||||||
style="fill:#ff0000;fill-opacity:1;fill-rule:evenodd;stroke:none"
|
|
||||||
id="24"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<path
|
|
||||||
d="m 293.8,8.5 0,28.8 67.2,0 0,-28.8 -67.2,0 z"
|
|
||||||
style="fill:#d1ebf1;fill-opacity:1;fill-rule:evenodd;stroke:none"
|
|
||||||
id="25"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<path
|
|
||||||
d="m 293.8,37.3 67.2,0 0,-28.8 -67.2,0 0,28.8 z"
|
|
||||||
style="fill:none;stroke:#1f477d;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
|
|
||||||
id="26"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<text
|
|
||||||
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
|
|
||||||
y="20"
|
|
||||||
x="302.39999"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="27">OpenStack</text>
|
|
||||||
<text
|
|
||||||
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
|
|
||||||
y="31.200001"
|
|
||||||
x="310.39999"
|
|
||||||
xml:space="preserve"
|
|
||||||
id="28">Service</text>
|
|
||||||
<path
|
|
||||||
d="m 182.8,22.9 101.5,0"
|
|
||||||
style="fill:none;stroke:#000000;stroke-width:0.75px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
|
|
||||||
id="29"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<path
|
|
||||||
d="m 283.45,19.4 10.35,3.5 -10.35,3.45 0,-6.95 z"
|
|
||||||
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
|
|
||||||
id="30"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<path
|
|
||||||
d="M 1.6,22.9 106.7,22.85"
|
|
||||||
style="fill:none;stroke:#000000;stroke-width:0.75px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
|
|
||||||
id="31"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
<path
|
|
||||||
d="m 105.85,19.35 10.35,3.5 -10.35,3.45 0,-6.95 z"
|
|
||||||
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
|
|
||||||
id="32"
|
|
||||||
inkscape:connector-curvature="0" />
|
|
||||||
</g>
|
|
||||||
</g>
|
|
||||||
</svg>
|
|
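Review bot: the deleted layouts.svg carries the only description visible in this patch of the header handoff between the Auth Component and the OpenStack Service: the labels show `Authorization: Basic ...` arriving at the Auth Component, `Authorization: Basic ...` plus `X-Authorization: Proxy U` on the hop to the service, and the two failure responses `403 Proxy Unauthorized` and `500 Internal Error`. If the merged branch's middleware keeps this contract, please add an equivalent description under the new docs/ tree in the same change, because deployers need to know which hop is allowed to set `X-Authorization` and which status code each side returns when the proxy credentials are rejected.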
Before Width: | Height: | Size: 9.3 KiB |
|
@ -1,112 +0,0 @@
|
||||||
..
|
|
||||||
Copyright 2011 OpenStack, LLC
|
|
||||||
All Rights Reserved.
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
not use this file except in compliance with the License. You may obtain
|
|
||||||
a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
||||||
License for the specific language governing permissions and limitations
|
|
||||||
under the License.
|
|
||||||
|
|
||||||
keystone.conf example
|
|
||||||
=====================
|
|
||||||
::
|
|
||||||
|
|
||||||
[DEFAULT]
|
|
||||||
# Show more verbose log output (sets INFO log level output)
|
|
||||||
verbose = False
|
|
||||||
|
|
||||||
# Show debugging output in logs (sets DEBUG log level output)
|
|
||||||
debug = False
|
|
||||||
|
|
||||||
# Which backend store should Keystone use by default.
|
|
||||||
# Default: 'sqlite'
|
|
||||||
# Available choices are 'sqlite' [future will include LDAP, PAM, etc]
|
|
||||||
default_store = sqlite
|
|
||||||
|
|
||||||
# Log to this file. Make sure you do not set the same log
|
|
||||||
# file for both the API and registry servers!
|
|
||||||
log_file = %DEST%/keystone/keystone.log
|
|
||||||
|
|
||||||
# List of backends to be configured
|
|
||||||
backends = keystone.backends.sqlalchemy
|
|
||||||
#For LDAP support, add: ,keystone.backends.ldap
|
|
||||||
|
|
||||||
# Dictionary Maps every service to a header.Missing services would get header
|
|
||||||
# X_(SERVICE_NAME) Key => Service Name, Value => Header Name
|
|
||||||
service-header-mappings = {
|
|
||||||
'nova' : 'X-Server-Management-Url',
|
|
||||||
'swift' : 'X-Storage-Url',
|
|
||||||
'cdn' : 'X-CDN-Management-Url'}
|
|
||||||
|
|
||||||
#List of extensions currently loaded.
|
|
||||||
#Refer docs for list of supported extensions.
|
|
||||||
extensions= osksadm,oskscatalog
|
|
||||||
|
|
||||||
# Address to bind the API server
|
|
||||||
# TODO Properties defined within app not available via pipeline.
|
|
||||||
service_host = 0.0.0.0
|
|
||||||
|
|
||||||
# Port the bind the API server to
|
|
||||||
service_port = 5000
|
|
||||||
|
|
||||||
# Address to bind the Admin API server
|
|
||||||
admin_host = 0.0.0.0
|
|
||||||
|
|
||||||
# Port the bind the Admin API server to
|
|
||||||
admin_port = 35357
|
|
||||||
|
|
||||||
#Role that allows to perform admin operations.
|
|
||||||
keystone-admin-role = KeystoneAdmin
|
|
||||||
|
|
||||||
#Role that allows to perform service admin operations.
|
|
||||||
keystone-service-admin-role = KeystoneServiceAdmin
|
|
||||||
|
|
||||||
[keystone.backends.sqlalchemy]
|
|
||||||
# SQLAlchemy connection string for the reference implementation registry
|
|
||||||
# server. Any valid SQLAlchemy connection string is fine.
|
|
||||||
# See: http://bit.ly/ideIpI
|
|
||||||
#sql_connection = sqlite:///keystone.db
|
|
||||||
sql_connection = %SQL_CONN%
|
|
||||||
backend_entities = ['UserRoleAssociation', 'Endpoints', 'Role', 'Tenant',
|
|
||||||
'User', 'Credentials', 'EndpointTemplates', 'Token',
|
|
||||||
'Service']
|
|
||||||
|
|
||||||
# Period in seconds after which SQLAlchemy should reestablish its connection
|
|
||||||
# to the database.
|
|
||||||
sql_idle_timeout = 30
|
|
||||||
|
|
||||||
[pipeline:admin]
|
|
||||||
pipeline =
|
|
||||||
urlnormalizer
|
|
||||||
d5_compat
|
|
||||||
admin_api
|
|
||||||
|
|
||||||
[pipeline:keystone-legacy-auth]
|
|
||||||
pipeline =
|
|
||||||
urlnormalizer
|
|
||||||
legacy_auth
|
|
||||||
d5_compat
|
|
||||||
service_api
|
|
||||||
|
|
||||||
[app:service_api]
|
|
||||||
paste.app_factory = keystone.server:service_app_factory
|
|
||||||
|
|
||||||
[app:admin_api]
|
|
||||||
paste.app_factory = keystone.server:admin_app_factory
|
|
||||||
|
|
||||||
[filter:urlnormalizer]
|
|
||||||
paste.filter_factory = keystone.frontends.normalizer:filter_factory
|
|
||||||
|
|
||||||
[filter:legacy_auth]
|
|
||||||
paste.filter_factory = keystone.frontends.legacy_token_auth:filter_factory
|
|
||||||
|
|
||||||
[filter:d5_compat]
|
|
||||||
paste.filter_factory = keystone.frontends.d5_compat:filter_factory
|
|
||||||
|
|
|
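Review bot: this deletion removes the documentation for `keystone-admin-role`, `keystone-service-admin-role` and the filter order in `[pipeline:admin]` and `[pipeline:keystone-legacy-auth]`, and no replacement is visible in this hunk; if the redux branch keeps equivalent settings, its sample config should document them in the same change. When that sample is written, do not carry over `admin_host = 0.0.0.0`, which binds the Admin API (port 35357) on every interface, and replace the unexpanded `%DEST%` and `%SQL_CONN%` placeholders with real example values, since they belong in an install template rather than in a file titled "keystone.conf example". The log_file comment about "the API and registry servers" also does not match anything else in this file and should not be copied forward.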
@ -1,87 +0,0 @@
|
||||||
==============
|
|
||||||
keystone-admin
|
|
||||||
==============
|
|
||||||
|
|
||||||
---------------------------
|
|
||||||
Keystone Management Utility
|
|
||||||
---------------------------
|
|
||||||
|
|
||||||
:Author: keystone@lists.launchpad.net
|
|
||||||
:Date: 2011-10-31
|
|
||||||
:Copyright: OpenStack LLC
|
|
||||||
:Version: 0.1.2
|
|
||||||
:Manual section: 1
|
|
||||||
:Manual group: cloud computing
|
|
||||||
|
|
||||||
SYNOPSIS
|
|
||||||
========
|
|
||||||
|
|
||||||
keystone-admin [options]
|
|
||||||
|
|
||||||
DESCRIPTION
|
|
||||||
===========
|
|
||||||
|
|
||||||
keystone-admin starts the administrative API server for Keystone.
|
|
||||||
Use :doc:`keystone-control` to stop/start/restart and manage those services
|
|
||||||
once started.
|
|
||||||
|
|
||||||
USAGE
|
|
||||||
=====
|
|
||||||
|
|
||||||
``keystone-admin [options]``
|
|
||||||
|
|
||||||
Common Options
|
|
||||||
--------------
|
|
||||||
|
|
||||||
--version show program's version number and exit
|
|
||||||
-h, --help show this help message and exit
|
|
||||||
-v, --verbose Print more verbose output
|
|
||||||
-d, --debug Print debugging output to console
|
|
||||||
-c PATH, --config-file=PATH Path to the config file to use. When not
|
|
||||||
specified (the default), we generally look at
|
|
||||||
the first argument specified to be a config
|
|
||||||
file, and if that is also missing, we search
|
|
||||||
standard directories for a config file.
|
|
||||||
-p BIND_PORT, --port=BIND_PORT, --bind-port=BIND_PORT
|
|
||||||
specifies port to listen on (default is 5000)
|
|
||||||
--host=BIND_HOST, --bind-host=BIND_HOST
|
|
||||||
specifies host address to listen on (default
|
|
||||||
is all or 0.0.0.0)
|
|
||||||
-t, --trace-calls Turns on call tracing for troubleshooting
|
|
||||||
-a PORT, --admin-port=PORT Specifies port for Admin API to listen on
|
|
||||||
(default is 35357)
|
|
||||||
|
|
||||||
Logging Options
|
|
||||||
---------------
|
|
||||||
|
|
||||||
The following configuration options are specific to logging
|
|
||||||
functionality for this program.
|
|
||||||
|
|
||||||
--log-config=PATH If this option is specified, the logging
|
|
||||||
configuration file specified is used and
|
|
||||||
overrides any other logging options specified.
|
|
||||||
Please see the Python logging module
|
|
||||||
documentation for details on logging
|
|
||||||
configuration files.
|
|
||||||
--log-date-format=FORMAT Format string for %(asctime)s in log records.
|
|
||||||
Default: %Y-%m-%d %H:%M:%S
|
|
||||||
--log-file=PATH (Optional) Name of log file to output to. If
|
|
||||||
not set, logging will go to stdout.
|
|
||||||
--log-dir=LOG_DIR (Optional) The directory to keep log files in
|
|
||||||
(will be prepended to --logfile)
|
|
||||||
|
|
||||||
FILES
|
|
||||||
=====
|
|
||||||
|
|
||||||
None
|
|
||||||
|
|
||||||
SEE ALSO
|
|
||||||
========
|
|
||||||
|
|
||||||
* `Keystone <http://github.com/openstack/keystone>`__
|
|
||||||
|
|
||||||
SOURCE
|
|
||||||
======
|
|
||||||
|
|
||||||
* Keystone is sourced in GitHub `Keystone <http://github.com/openstack/keystone>`__
|
|
||||||
* Keystone bugs are managed at Launchpad `Launchpad Keystone <https://bugs.launchpad.net/keystone>`__
|
|
|
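Review bot: the `--host` entry is where this page states the default listen address ("default is all or 0.0.0.0"), next to the Admin API port default of 35357 under `-a`, and the hunk drops all 87 lines with nothing added (`-1,87 +0,0`). Please confirm the replacement docs still state the default bind address and admin port, since operators need both to scope firewall rules for the Admin API. If the option text is carried over, the `--log-dir` entry should say it is prepended to `--log-file`, not `--logfile`, to match the option name listed just above it.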
@ -1,87 +0,0 @@
|
||||||
=============
|
|
||||||
keystone-auth
|
|
||||||
=============
|
|
||||||
|
|
||||||
---------------------------
|
|
||||||
Keystone Management Utility
|
|
||||||
---------------------------
|
|
||||||
|
|
||||||
:Author: keystone@lists.launchpad.net
|
|
||||||
:Date: 2011-10-31
|
|
||||||
:Copyright: OpenStack LLC
|
|
||||||
:Version: 0.1.2
|
|
||||||
:Manual section: 1
|
|
||||||
:Manual group: cloud computing
|
|
||||||
|
|
||||||
SYNOPSIS
|
|
||||||
========
|
|
||||||
|
|
||||||
keystone-auth [options]
|
|
||||||
|
|
||||||
DESCRIPTION
|
|
||||||
===========
|
|
||||||
|
|
||||||
keystone-auth starts the service API server for Keystone.
|
|
||||||
Use :doc:`keystone-control` to stop/start/restart and manage those services
|
|
||||||
once started.
|
|
||||||
|
|
||||||
USAGE
|
|
||||||
=====
|
|
||||||
|
|
||||||
``keystone-auth [options]``
|
|
||||||
|
|
||||||
Common Options:
|
|
||||||
^^^^^^^^^^^^^^^
|
|
||||||
|
|
||||||
--version show program's version number and exit
|
|
||||||
-h, --help show this help message and exit
|
|
||||||
-v, --verbose Print more verbose output
|
|
||||||
-d, --debug Print debugging output to console
|
|
||||||
-c PATH, --config-file=PATH Path to the config file to use. When not
|
|
||||||
specified (the default), we generally look at
|
|
||||||
the first argument specified to be a config
|
|
||||||
file, and if that is also missing, we search
|
|
||||||
standard directories for a config file.
|
|
||||||
-p BIND_PORT, --port=BIND_PORT, --bind-port=BIND_PORT
|
|
||||||
specifies port to listen on (default is 5000)
|
|
||||||
--host=BIND_HOST, --bind-host=BIND_HOST
|
|
||||||
specifies host address to listen on (default
|
|
||||||
is all or 0.0.0.0)
|
|
||||||
-t, --trace-calls Turns on call tracing for troubleshooting
|
|
||||||
-a PORT, --admin-port=PORT Specifies port for Admin API to listen on
|
|
||||||
(default is 35357)
|
|
||||||
|
|
||||||
Logging Options:
|
|
||||||
^^^^^^^^^^^^^^^^
|
|
||||||
|
|
||||||
The following configuration options are specific to logging
|
|
||||||
functionality for this program.
|
|
||||||
|
|
||||||
--log-config=PATH If this option is specified, the logging
|
|
||||||
configuration file specified is used and
|
|
||||||
overrides any other logging options specified.
|
|
||||||
Please see the Python logging module
|
|
||||||
documentation for details on logging
|
|
||||||
configuration files.
|
|
||||||
--log-date-format=FORMAT Format string for %(asctime)s in log records.
|
|
||||||
Default: %Y-%m-%d %H:%M:%S
|
|
||||||
--log-file=PATH (Optional) Name of log file to output to. If
|
|
||||||
not set, logging will go to stdout.
|
|
||||||
--log-dir=LOG_DIR (Optional) The directory to keep log files in
|
|
||||||
(will be prepended to --logfile)
|
|
||||||
|
|
||||||
FILES
|
|
||||||
=====
|
|
||||||
|
|
||||||
None
|
|
||||||
|
|
||||||
SEE ALSO
|
|
||||||
========
|
|
||||||
|
|
||||||
* `Keystone <http://github.com/openstack/keystone>`__
|
|
||||||
|
|
||||||
SOURCE
|
|
||||||
======
|
|
||||||
|
|
||||||
* Keystone is sourced in GitHub `Keystone <http://github.com/openstack/keystone>`__
|
|
||||||
* Keystone bugs are managed at Launchpad `Launchpad Keystone <https://bugs.launchpad.net/keystone>`__
|
|
|
@ -1,101 +0,0 @@
|
||||||
================
|
|
||||||
keystone-control
|
|
||||||
================
|
|
||||||
|
|
||||||
---------------------------
|
|
||||||
Keystone Management Utility
|
|
||||||
---------------------------
|
|
||||||
|
|
||||||
:Author: keystone@lists.launchpad.net
|
|
||||||
:Date: 2011-10-31
|
|
||||||
:Copyright: OpenStack LLC
|
|
||||||
:Version: 0.1.2
|
|
||||||
:Manual section: 1
|
|
||||||
:Manual group: cloud computing
|
|
||||||
|
|
||||||
SYNOPSIS
|
|
||||||
========
|
|
||||||
|
|
||||||
keystone-control [options] <server> <commands> (<conf path>)
|
|
||||||
|
|
||||||
DESCRIPTION
|
|
||||||
===========
|
|
||||||
|
|
||||||
keystone-control is the command line tool that interacts with the keystone
|
|
||||||
service to configure Keystone
|
|
||||||
|
|
||||||
USAGE
|
|
||||||
=====
|
|
||||||
|
|
||||||
``keystone-control [options] <server> <command> (<conf path>)``
|
|
||||||
|
|
||||||
where server is one of:
|
|
||||||
|
|
||||||
* all
|
|
||||||
* auth
|
|
||||||
* admin
|
|
||||||
|
|
||||||
and command is one of:
|
|
||||||
|
|
||||||
* start
|
|
||||||
* stop
|
|
||||||
* shutdown
|
|
||||||
* restart
|
|
||||||
* reload
|
|
||||||
* force-reload
|
|
||||||
|
|
||||||
Common Options:
|
|
||||||
^^^^^^^^^^^^^^^
|
|
||||||
|
|
||||||
--version show program's version number and exit
|
|
||||||
-h, --help show this help message and exit
|
|
||||||
-v, --verbose Print more verbose output
|
|
||||||
-d, --debug Print debugging output to console
|
|
||||||
-c PATH, --config-file=PATH Path to the config file to use. When not
|
|
||||||
specified (the default), we generally look at
|
|
||||||
the first argument specified to be a config
|
|
||||||
file, and if that is also missing, we search
|
|
||||||
standard directories for a config file.
|
|
||||||
-p BIND_PORT, --port=BIND_PORT, --bind-port=BIND_PORT
|
|
||||||
specifies port to listen on (default is 5000)
|
|
||||||
--host=BIND_HOST, --bind-host=BIND_HOST
|
|
||||||
specifies host address to listen on (default
|
|
||||||
is all or 0.0.0.0)
|
|
||||||
-t, --trace-calls Turns on call tracing for troubleshooting
|
|
||||||
-a PORT, --admin-port=PORT Specifies port for Admin API to listen on
|
|
||||||
(default is 35357)
|
|
||||||
|
|
||||||
Logging Options:
|
|
||||||
^^^^^^^^^^^^^^^^
|
|
||||||
|
|
||||||
The following configuration options are specific to logging
|
|
||||||
functionality for this program.
|
|
||||||
|
|
||||||
--log-config=PATH If this option is specified, the logging
|
|
||||||
configuration file specified is used and
|
|
||||||
overrides any other logging options specified.
|
|
||||||
Please see the Python logging module
|
|
||||||
documentation for details on logging
|
|
||||||
configuration files.
|
|
||||||
--log-date-format=FORMAT Format string for %(asctime)s in log records.
|
|
||||||
Default: %Y-%m-%d %H:%M:%S
|
|
||||||
--log-file=PATH (Optional) Name of log file to output to. If
|
|
||||||
not set, logging will go to stdout.
|
|
||||||
--log-dir=LOG_DIR (Optional) The directory to keep log files in
|
|
||||||
(will be prepended to --logfile)
|
|
||||||
|
|
||||||
FILES
|
|
||||||
=====
|
|
||||||
|
|
||||||
None
|
|
||||||
|
|
||||||
SEE ALSO
|
|
||||||
========
|
|
||||||
|
|
||||||
* `Keystone <http://github.com/openstack/keystone>`__
|
|
||||||
|
|
||||||
SOURCE
|
|
||||||
======
|
|
||||||
|
|
||||||
* Keystone is sourced in GitHub `Keystone <http://github.com/openstack/keystone>`__
|
|
||||||
* Keystone bugs are managed at Launchpad `Launchpad Keystone <https://bugs.launchpad.net/keystone>`__
|
|
|
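Review bot: the DESCRIPTION ("the command line tool that interacts with the keystone service to configure Keystone") is the same sentence used on the keystone-manage page and does not describe the start/stop/shutdown/restart/reload/force-reload commands listed under USAGE; SYNOPSIS also says `<commands>` where USAGE says `<command>`. There is nothing to fix in a file that is being deleted, but this text should not be copied into the new docs as is.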
@ -1,86 +0,0 @@
|
||||||
===============
|
|
||||||
keystone-import
|
|
||||||
===============
|
|
||||||
|
|
||||||
---------------------------
|
|
||||||
Keystone Management Utility
|
|
||||||
---------------------------
|
|
||||||
|
|
||||||
:Author: keystone@lists.launchpad.net
|
|
||||||
:Date: 2011-10-31
|
|
||||||
:Copyright: OpenStack LLC
|
|
||||||
:Version: 0.1.2
|
|
||||||
:Manual section: 1
|
|
||||||
:Manual group: cloud computing
|
|
||||||
|
|
||||||
SYNOPSIS
|
|
||||||
========
|
|
||||||
|
|
||||||
keystone-import [options] filename
|
|
||||||
|
|
||||||
DESCRIPTION
|
|
||||||
===========
|
|
||||||
|
|
||||||
keystone-import takes a file of commands written in the same format as using
|
|
||||||
:doc:`keystone-manage` and imports that data into Keystone. It is intended to
|
|
||||||
import users, tenants, and EC2 credentials from nova into keystone.
|
|
||||||
|
|
||||||
USAGE
|
|
||||||
=====
|
|
||||||
|
|
||||||
``keystone-import [options] filename``
|
|
||||||
|
|
||||||
Common Options:
|
|
||||||
^^^^^^^^^^^^^^^
|
|
||||||
--version show program's version number and exit
|
|
||||||
-h, --help show this help message and exit
|
|
||||||
-v, --verbose Print more verbose output
|
|
||||||
-d, --debug Print debugging output to console
|
|
||||||
-c PATH, --config-file=PATH Path to the config file to use. When not
|
|
||||||
specified (the default), we generally look at
|
|
||||||
the first argument specified to be a config
|
|
||||||
file, and if that is also missing, we search
|
|
||||||
standard directories for a config file.
|
|
||||||
-p BIND_PORT, --port=BIND_PORT, --bind-port=BIND_PORT
|
|
||||||
specifies port to listen on (default is 5000)
|
|
||||||
--host=BIND_HOST, --bind-host=BIND_HOST
|
|
||||||
specifies host address to listen on (default
|
|
||||||
is all or 0.0.0.0)
|
|
||||||
-t, --trace-calls Turns on call tracing for troubleshooting
|
|
||||||
-a PORT, --admin-port=PORT Specifies port for Admin API to listen on
|
|
||||||
(default is 35357)
|
|
||||||
|
|
||||||
Logging Options:
|
|
||||||
^^^^^^^^^^^^^^^^
|
|
||||||
|
|
||||||
The following configuration options are specific to logging
|
|
||||||
functionality for this program.
|
|
||||||
|
|
||||||
--log-config=PATH If this option is specified, the logging
|
|
||||||
configuration file specified is used and
|
|
||||||
overrides any other logging options specified.
|
|
||||||
Please see the Python logging module
|
|
||||||
documentation for details on logging
|
|
||||||
configuration files.
|
|
||||||
--log-date-format=FORMAT Format string for %(asctime)s in log records.
|
|
||||||
Default: %Y-%m-%d %H:%M:%S
|
|
||||||
--log-file=PATH (Optional) Name of log file to output to. If
|
|
||||||
not set, logging will go to stdout.
|
|
||||||
--log-dir=LOG_DIR (Optional) The directory to keep log files in
|
|
||||||
(will be prepended to --logfile)
|
|
||||||
|
|
||||||
FILES
|
|
||||||
=====
|
|
||||||
|
|
||||||
None
|
|
||||||
|
|
||||||
SEE ALSO
|
|
||||||
========
|
|
||||||
|
|
||||||
* `Keystone <http://github.com/openstack/keystone>`__
|
|
||||||
|
|
||||||
SOURCE
|
|
||||||
======
|
|
||||||
|
|
||||||
* Keystone is sourced in GitHub `Keystone <http://github.com/openstack/keystone>`__
|
|
||||||
* Keystone bugs are managed at Launchpad `Launchpad Keystone <https://bugs.launchpad.net/keystone>`__
|
|
|
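Review bot: the DESCRIPTION says the input file carries users, tenants and EC2 credentials from nova, yet FILES is "None" and nothing on the page says how that file should be handled. If an import path survives this merge, its documentation should state that the command file contains secrets, should be readable only by the operator running the import, and should be removed afterwards.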
@ -1,192 +0,0 @@
|
||||||
===============
|
|
||||||
keystone-manage
|
|
||||||
===============
|
|
||||||
|
|
||||||
---------------------------
|
|
||||||
Keystone Management Utility
|
|
||||||
---------------------------
|
|
||||||
|
|
||||||
:Author: keystone@lists.launchpad.net
|
|
||||||
:Date: 2010-11-16
|
|
||||||
:Copyright: OpenStack LLC
|
|
||||||
:Version: 0.1.2
|
|
||||||
:Manual section: 1
|
|
||||||
:Manual group: cloud computing
|
|
||||||
|
|
||||||
SYNOPSIS
|
|
||||||
========
|
|
||||||
|
|
||||||
keystone-manage [options]
|
|
||||||
|
|
||||||
DESCRIPTION
|
|
||||||
===========
|
|
||||||
|
|
||||||
keystone-manage is the command line tool that interacts with the keystone
|
|
||||||
service to configure Keystone
|
|
||||||
|
|
||||||
USAGE
|
|
||||||
=====
|
|
||||||
|
|
||||||
``keystone-manage [options] type action [additional args]``
|
|
||||||
|
|
||||||
user
|
|
||||||
----
|
|
||||||
|
|
||||||
* **user add** [username] [password]
|
|
||||||
|
|
||||||
adds a user to Keystone's data store
|
|
||||||
|
|
||||||
* **user list**
|
|
||||||
|
|
||||||
lists all users
|
|
||||||
|
|
||||||
* **user disable** [username]
|
|
||||||
|
|
||||||
disables the user *username*
|
|
||||||
|
|
||||||
tenant
|
|
||||||
------
|
|
||||||
|
|
||||||
* **tenant add** [tenant_name]
|
|
||||||
|
|
||||||
adds a tenant to Keystone's data store
|
|
||||||
|
|
||||||
* **tenant list**
|
|
||||||
|
|
||||||
lists all users
|
|
||||||
|
|
||||||
* **tenant disable** [tenant_name]
|
|
||||||
|
|
||||||
role
|
|
||||||
----
|
|
||||||
|
|
||||||
Roles are used to associated users to tenants. Two roles are defined related
|
|
||||||
to the Keystone service in it's configuration file :doc:`../keystone.conf`
|
|
||||||
|
|
||||||
* **role add** [role_name]
|
|
||||||
|
|
||||||
adds a role
|
|
||||||
|
|
||||||
* **role list** ([tenant_name])
|
|
||||||
|
|
||||||
lists all roles, or all roles for tenant, if tenant_name is provided
|
|
||||||
|
|
||||||
* **role grant** [role_name] [username] ([tenant])
|
|
||||||
|
|
||||||
grants a role to a specific user. Granted globally if tenant_name is not
|
|
||||||
provided or granted for a specific tenant if tenant_name is provided.
|
|
||||||
|
|
||||||
service
|
|
||||||
-------
|
|
||||||
|
|
||||||
* **service add** [name] [type] [description] [owner_id]
|
|
||||||
|
|
||||||
adds a service
|
|
||||||
|
|
||||||
* **service list**
|
|
||||||
|
|
||||||
lists all services with id, name, and type
|
|
||||||
|
|
||||||
endpointTemplate
|
|
||||||
----------------
|
|
||||||
|
|
||||||
* **endpointTemplate add** [region] [service_name] [public_url] [admin_url] [internal_url] [enabled] [is_global]
|
|
||||||
|
|
||||||
Add a service endpoint for keystone.
|
|
||||||
|
|
||||||
example::
|
|
||||||
|
|
||||||
keystone-manage endpointTemplates add RegionOne \
|
|
||||||
keystone \
|
|
||||||
http://keystone_host:5000/v2.0 \
|
|
||||||
http://keystone_host:35357/v2.0 \
|
|
||||||
http://keystone_host:5000/v2.0 \
|
|
||||||
1 1
|
|
||||||
|
|
||||||
* **endpointTemplate list** ([tenant_name])
|
|
||||||
|
|
||||||
lists endpoint templates with service, region, and public_url. Restricted to
|
|
||||||
tenant endpoints if tenant_name is provided.
|
|
||||||
|
|
||||||
token
|
|
||||||
-----
|
|
||||||
|
|
||||||
* **token add** [token] [username] [tenant] [expiration]
|
|
||||||
|
|
||||||
adds a token for a given user and tenant with an expiration
|
|
||||||
|
|
||||||
* **token list**
|
|
||||||
|
|
||||||
lists all tokens
|
|
||||||
|
|
||||||
* **token delete** [token]
|
|
||||||
|
|
||||||
deletes the identified token
|
|
||||||
|
|
||||||
endpoint
|
|
||||||
--------
|
|
||||||
|
|
||||||
* **endpoint add** [tenant_name] [endpoint_template]
|
|
||||||
|
|
||||||
adds a tenant-specific endpoint
|
|
||||||
|
|
||||||
credentials
|
|
||||||
-----------
|
|
||||||
|
|
||||||
* **credentials add** [username] [type] [key] [password] ([tenant_name])
|
|
||||||
|
|
||||||
OPTIONS
|
|
||||||
=======
|
|
||||||
|
|
||||||
--version show program's version number and exit
|
|
||||||
-h, --help show this help message and exit
|
|
||||||
-v, --verbose Print more verbose output
|
|
||||||
-d, --debug Print debugging output to console
|
|
||||||
-c PATH, --config-file=PATH Path to the config file to use. When not
|
|
||||||
specified (the default), we generally look at
|
|
||||||
the first argument specified to be a config
|
|
||||||
file, and if that is also missing, we search
|
|
||||||
standard directories for a config file.
|
|
||||||
-p BIND_PORT, --port=BIND_PORT, --bind-port=BIND_PORT
|
|
||||||
specifies port to listen on (default is 5000)
|
|
||||||
--host=BIND_HOST, --bind-host=BIND_HOST
|
|
||||||
specifies host address to listen on (default
|
|
||||||
is all or 0.0.0.0)
|
|
||||||
-t, --trace-calls Turns on call tracing for troubleshooting
|
|
||||||
-a PORT, --admin-port=PORT Specifies port for Admin API to listen on
|
|
||||||
(default is 35357)
|
|
||||||
|
|
||||||
Logging Options:
|
|
||||||
================
|
|
||||||
|
|
||||||
The following configuration options are specific to logging
|
|
||||||
functionality for this program.
|
|
||||||
|
|
||||||
--log-config=PATH If this option is specified, the logging
|
|
||||||
configuration file specified is used and
|
|
||||||
overrides any other logging options specified.
|
|
||||||
Please see the Python logging module
|
|
||||||
documentation for details on logging
|
|
||||||
configuration files.
|
|
||||||
--log-date-format=FORMAT Format string for %(asctime)s in log records.
|
|
||||||
Default: %Y-%m-%d %H:%M:%S
|
|
||||||
--log-file=PATH (Optional) Name of log file to output to. If
|
|
||||||
not set, logging will go to stdout.
|
|
||||||
--log-dir=LOG_DIR (Optional) The directory to keep log files in
|
|
||||||
(will be prepended to --logfile)
|
|
||||||
|
|
||||||
FILES
|
|
||||||
=====
|
|
||||||
|
|
||||||
None
|
|
||||||
|
|
||||||
SEE ALSO
|
|
||||||
========
|
|
||||||
|
|
||||||
* `Keystone <http://github.com/openstack/keystone>`__
|
|
||||||
|
|
||||||
SOURCE
|
|
||||||
======
|
|
||||||
|
|
||||||
* Keystone is sourced in GitHub `Keystone <http://github.com/openstack/keystone>`__
|
|
||||||
* Keystone bugs are managed at Launchpad `Launchpad Keystone <https://bugs.launchpad.net/keystone>`__
|
|
|
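Review bot: `user add [username] [password]`, `token add [token] [username] [tenant] [expiration]` and `credentials add [username] [type] [key] [password]` all take secrets as positional arguments, and the page never mentions that such arguments end up in shell history and process listings. If the replacement CLI keeps this form, the new docs should say so or offer a prompt or file-based alternative. Smaller points to avoid carrying over: `tenant list` is described as "lists all users", `tenant disable` and `credentials add` have no description, and the example invokes `endpointTemplates add` while the entry is named `endpointTemplate add`.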
@ -1,90 +0,0 @@
|
||||||
========
|
|
||||||
keystone
|
|
||||||
========
|
|
||||||
|
|
||||||
---------------------------
|
|
||||||
Keystone Management Utility
|
|
||||||
---------------------------
|
|
||||||
|
|
||||||
:Author: keystone@lists.launchpad.net
|
|
||||||
:Date: 2010-11-16
|
|
||||||
:Copyright: OpenStack LLC
|
|
||||||
:Version: 0.1.2
|
|
||||||
:Manual section: 1
|
|
||||||
:Manual group: cloud computing
|
|
||||||
|
|
||||||
SYNOPSIS
|
|
||||||
========
|
|
||||||
|
|
||||||
keystone [options]
|
|
||||||
|
|
||||||
DESCRIPTION
|
|
||||||
===========
|
|
||||||
|
|
||||||
keystone starts both the service and administrative API servers for Keystone.
|
|
||||||
Use :doc:`keystone-control` to stop/start/restart and manage those services
|
|
||||||
once started.
|
|
||||||
|
|
||||||
USAGE
|
|
||||||
=====
|
|
||||||
|
|
||||||
keystone ``keystone [options]``
|
|
||||||
|
|
||||||
Common Options:
|
|
||||||
^^^^^^^^^^^^^^^
|
|
||||||
--version show program's version number and exit
|
|
||||||
-h, --help show this help message and exit
|
|
||||||
|
|
||||||
The following configuration options are common to all keystone
|
|
||||||
programs.::
|
|
||||||
|
|
||||||
-v, --verbose Print more verbose output
|
|
||||||
-d, --debug Print debugging output to console
|
|
||||||
-c PATH, --config-file=PATH Path to the config file to use. When not
|
|
||||||
specified (the default), we generally look at
|
|
||||||
the first argument specified to be a config
|
|
||||||
file, and if that is also missing, we search
|
|
||||||
standard directories for a config file.
|
|
||||||
-p BIND_PORT, --port=BIND_PORT, --bind-port=BIND_PORT
|
|
||||||
specifies port to listen on (default is 5000)
|
|
||||||
--host=BIND_HOST, --bind-host=BIND_HOST
|
|
||||||
specifies host address to listen on (default
|
|
||||||
is all or 0.0.0.0)
|
|
||||||
-t, --trace-calls Turns on call tracing for troubleshooting
|
|
||||||
-a PORT, --admin-port=PORT Specifies port for Admin API to listen on
|
|
||||||
(default is 35357)
|
|
||||||
|
|
||||||
Logging Options:
|
|
||||||
^^^^^^^^^^^^^^^^
|
|
||||||
|
|
||||||
The following configuration options are specific to logging
|
|
||||||
functionality for this program.::
|
|
||||||
|
|
||||||
--log-config=PATH If this option is specified, the logging
|
|
||||||
configuration file specified is used and
|
|
||||||
overrides any other logging options specified.
|
|
||||||
Please see the Python logging module
|
|
||||||
documentation for details on logging
|
|
||||||
configuration files.
|
|
||||||
--log-date-format=FORMAT Format string for %(asctime)s in log records.
|
|
||||||
Default: %Y-%m-%d %H:%M:%S
|
|
||||||
--log-file=PATH (Optional) Name of log file to output to. If
|
|
||||||
not set, logging will go to stdout.
|
|
||||||
--log-dir=LOG_DIR (Optional) The directory to keep log files in
|
|
||||||
(will be prepended to --logfile)
|
|
||||||
|
|
||||||
FILES
|
|
||||||
=====
|
|
||||||
|
|
||||||
None
|
|
||||||
|
|
||||||
SEE ALSO
|
|
||||||
========
|
|
||||||
|
|
||||||
* `Keystone <http://github.com/openstack/keystone>`__
|
|
||||||
|
|
||||||
SOURCE
|
|
||||||
======
|
|
||||||
|
|
||||||
* Keystone is sourced in GitHub `Keystone <http://github.com/openstack/keystone>`__
|
|
||||||
* Keystone bugs are managed at Launchpad `Launchpad Keystone <https://bugs.launchpad.net/keystone>`__
|
|
|
@ -1,85 +0,0 @@
|
||||||
==========
|
|
||||||
sampledata
|
|
||||||
==========
|
|
||||||
|
|
||||||
---------------------------
|
|
||||||
Keystone Management Utility
|
|
||||||
---------------------------
|
|
||||||
|
|
||||||
:Author: keystone@lists.launchpad.net
|
|
||||||
:Date: 2011-10-31
|
|
||||||
:Copyright: OpenStack LLC
|
|
||||||
:Version: 0.1.2
|
|
||||||
:Manual section: 1
|
|
||||||
:Manual group: cloud computing
|
|
||||||
|
|
||||||
SYNOPSIS
|
|
||||||
========
|
|
||||||
|
|
||||||
sampledata [options]
|
|
||||||
|
|
||||||
DESCRIPTION
|
|
||||||
===========
|
|
||||||
|
|
||||||
sampledata creates a development set of sample data for use with testing
|
|
||||||
keystone.
|
|
||||||
|
|
||||||
USAGE
|
|
||||||
=====
|
|
||||||
|
|
||||||
``sampledata [options]``
|
|
||||||
|
|
||||||
Common Options:
|
|
||||||
^^^^^^^^^^^^^^^
|
|
||||||
--version show program's version number and exit
|
|
||||||
-h, --help show this help message and exit
|
|
||||||
-v, --verbose Print more verbose output
|
|
||||||
-d, --debug Print debugging output to console
|
|
||||||
-c PATH, --config-file=PATH Path to the config file to use. When not
|
|
||||||
specified (the default), we generally look at
|
|
||||||
the first argument specified to be a config
|
|
||||||
file, and if that is also missing, we search
|
|
||||||
standard directories for a config file.
|
|
||||||
-p BIND_PORT, --port=BIND_PORT, --bind-port=BIND_PORT
|
|
||||||
specifies port to listen on (default is 5000)
|
|
||||||
--host=BIND_HOST, --bind-host=BIND_HOST
|
|
||||||
specifies host address to listen on (default
|
|
||||||
is all or 0.0.0.0)
|
|
||||||
-t, --trace-calls Turns on call tracing for troubleshooting
|
|
||||||
-a PORT, --admin-port=PORT Specifies port for Admin API to listen on
|
|
||||||
(default is 35357)
|
|
||||||
|
|
||||||
Logging Options:
|
|
||||||
^^^^^^^^^^^^^^^^
|
|
||||||
|
|
||||||
The following configuration options are specific to logging
|
|
||||||
functionality for this program.
|
|
||||||
|
|
||||||
--log-config=PATH If this option is specified, the logging
|
|
||||||
configuration file specified is used and
|
|
||||||
overrides any other logging options specified.
|
|
||||||
Please see the Python logging module
|
|
||||||
documentation for details on logging
|
|
||||||
configuration files.
|
|
||||||
--log-date-format=FORMAT Format string for %(asctime)s in log records.
|
|
||||||
Default: %Y-%m-%d %H:%M:%S
|
|
||||||
--log-file=PATH (Optional) Name of log file to output to. If
|
|
||||||
not set, logging will go to stdout.
|
|
||||||
--log-dir=LOG_DIR (Optional) The directory to keep log files in
|
|
||||||
(will be prepended to --logfile)
|
|
||||||
|
|
||||||
FILES
|
|
||||||
=====
|
|
||||||
|
|
||||||
None
|
|
||||||
|
|
||||||
SEE ALSO
|
|
||||||
========
|
|
||||||
|
|
||||||
* `Keystone <http://github.com/openstack/keystone>`__
|
|
||||||
|
|
||||||
SOURCE
|
|
||||||
======
|
|
||||||
|
|
||||||
* Keystone is sourced in GitHub `Keystone <http://github.com/openstack/keystone>`__
|
|
||||||
* Keystone bugs are managed at Launchpad `Launchpad Keystone <https://bugs.launchpad.net/keystone>`__
|
|
|
@ -1,69 +0,0 @@
|
||||||
..
|
|
||||||
Copyright 2011 OpenStack, LLC
|
|
||||||
All Rights Reserved.
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
not use this file except in compliance with the License. You may obtain
|
|
||||||
a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
||||||
License for the specific language governing permissions and limitations
|
|
||||||
under the License.
|
|
||||||
|
|
||||||
===============================
|
|
||||||
Service API Examples Using Curl
|
|
||||||
===============================
|
|
||||||
|
|
||||||
The service API is defined to be a subset of the Admin API and, by
|
|
||||||
default, runs on port 5000.
|
|
||||||
|
|
||||||
GET /
|
|
||||||
=====
|
|
||||||
|
|
||||||
This call is identical to that documented for the Admin API, except
|
|
||||||
that it uses port 5000, instead of port 35357, by default::
|
|
||||||
|
|
||||||
$ curl http://0.0.0.0:5000
|
|
||||||
|
|
||||||
or::
|
|
||||||
|
|
||||||
$ curl http://0.0.0.0:5000/v2.0/
|
|
||||||
|
|
||||||
See the `Admin API Examples Using Curl`_ for more info.
|
|
||||||
|
|
||||||
.. _`Admin API Examples Using Curl`: adminAPI_curl_examples.html
|
|
||||||
|
|
||||||
GET /extensions
|
|
||||||
===============
|
|
||||||
|
|
||||||
This call is identical to that documented for the Admin API.
|
|
||||||
|
|
||||||
POST /tokens
|
|
||||||
============
|
|
||||||
|
|
||||||
This call is identical to that documented for the Admin API.
|
|
||||||
|
|
||||||
GET /tenants
|
|
||||||
============
|
|
||||||
|
|
||||||
List all of the tenants your token can access::
|
|
||||||
|
|
||||||
$ curl -H "X-Auth-Token:887665443383838" http://localhost:5000/v2.0/tenants
|
|
||||||
|
|
||||||
Returns::
|
|
||||||
|
|
||||||
{
|
|
||||||
"tenants_links": [],
|
|
||||||
"tenants": [
|
|
||||||
{
|
|
||||||
"enabled": true,
|
|
||||||
"description": "None",
|
|
||||||
"name": "customer-x",
|
|
||||||
"id": "1"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
|
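Review bot: the `GET /tenants` example sends `X-Auth-Token` over plain `http://`, and the two `GET /` examples target `http://0.0.0.0:5000`, which is a listen address rather than a client destination. If these examples are reintroduced in the new docs tree, use `localhost` throughout and note that tokens should only travel over TLS outside a development host.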
@ -1,77 +0,0 @@
|
||||||
================
|
|
||||||
Testing Keystone
|
|
||||||
================
|
|
||||||
|
|
||||||
Keystone uses a number of testing methodologies to ensure correctness.
|
|
||||||
|
|
||||||
Running Built-In Tests
|
|
||||||
======================
|
|
||||||
|
|
||||||
To run the full suites of tests maintained within Keystone, run::
|
|
||||||
|
|
||||||
$ ./run_tests.sh --with-progress
|
|
||||||
|
|
||||||
This shows realtime feedback during test execution, and iterates over
|
|
||||||
multiple configuration variations.
|
|
||||||
|
|
||||||
This differs from how tests are executed from the continuous integration
|
|
||||||
environment. Specifically, Jenkins doesn't care about realtime progress,
|
|
||||||
and aborts after the first test failure (a fail-fast behavior)::
|
|
||||||
|
|
||||||
$ ./run_tests.sh
|
|
||||||
|
|
||||||
Testing Schema Migrations
|
|
||||||
=========================
|
|
||||||
|
|
||||||
The application of schema migrations can be tested using SQLAlchemy Migrate’s built-in test runner, one migration at a time.
|
|
||||||
|
|
||||||
.. WARNING::
|
|
||||||
|
|
||||||
This may leave your database in an inconsistent state; attempt this in non-production environments only!
|
|
||||||
|
|
||||||
This is useful for testing the *next* migration in sequence (both forward & backward) in a database under version control::
|
|
||||||
|
|
||||||
$ python keystone/backends/sqlalchemy/migrate_repo/manage.py test --url=sqlite:///test.db --repository=keystone/backends/sqlalchemy/migrate_repo/
|
|
||||||
|
|
||||||
This command refers to a SQLite database used for testing purposes. Depending on the migration, this command alone does not make assertions as to the integrity of your data during migration.
|
|
||||||
|
|
||||||
Writing Tests
|
|
||||||
=============
|
|
||||||
|
|
||||||
Tests are maintained in the ``keystone.test`` module. Unit tests are
|
|
||||||
isolated from functional tests.
|
|
||||||
|
|
||||||
Functional Tests
|
|
||||||
----------------
|
|
||||||
|
|
||||||
The ``keystone.test.functional.common`` module provides a ``unittest``-based
|
|
||||||
``httplib`` client which you can extend and use for your own tests.
|
|
||||||
Generally, functional tests should serve to illustrate intended use cases
|
|
||||||
and API behaviors. To help make your tests easier to read, the test client:
|
|
||||||
|
|
||||||
- Authenticates with a known user name and password combination
|
|
||||||
- Asserts 2xx HTTP status codes (unless told otherwise)
|
|
||||||
- Abstracts keystone REST verbs & resources into single function calls
|
|
||||||
|
|
||||||
Testing Multiple Configurations
|
|
||||||
-------------------------------
|
|
||||||
|
|
||||||
Several variations of the default configuration are iterated over to
|
|
||||||
ensure test coverage of mutually exclusive featuresets, such as the
|
|
||||||
various backend options.
|
|
||||||
|
|
||||||
These configuration templates are maintained in ``keystone/test/etc`` and
|
|
||||||
are iterated over by ``run_tests.py``.
|
|
||||||
|
|
||||||
Further Testing
|
|
||||||
===============
|
|
||||||
|
|
||||||
devstack_ is the *best* way to quickly deploy keystone with the rest of the
|
|
||||||
OpenStack universe and should be critical step in your development workflow!
|
|
||||||
|
|
||||||
You may also be interested in either the `OpenStack Continuous Integration Project`_
|
|
||||||
or the `OpenStack Integration Testing Project`_.
|
|
||||||
|
|
||||||
.. _devstack: http://devstack.org/
|
|
||||||
.. _OpenStack Continuous Integration Project: https://github.com/openstack/openstack-ci
|
|
||||||
.. _OpenStack Integration Testing Project: https://github.com/openstack/openstack-integration-tests
|
|
|
@ -1,28 +0,0 @@
|
||||||
..
|
|
||||||
Copyright 2011 OpenStack, LLC
|
|
||||||
All Rights Reserved.
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
not use this file except in compliance with the License. You may obtain
|
|
||||||
a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
||||||
License for the specific language governing permissions and limitations
|
|
||||||
under the License.
|
|
||||||
|
|
||||||
==============
|
|
||||||
Using Keystone
|
|
||||||
==============
|
|
||||||
|
|
||||||
Curl examples
|
|
||||||
-------------
|
|
||||||
|
|
||||||
.. toctree::
|
|
||||||
:maxdepth: 1
|
|
||||||
|
|
||||||
adminAPI_curl_examples
|
|
||||||
serviceAPI_curl_examples
|
|
|
@ -0,0 +1,159 @@
|
||||||
|
# Makefile for Sphinx documentation
|
||||||
|
#
|
||||||
|
|
||||||
|
# You can set these variables from the command line.
|
||||||
|
SPHINXOPTS =
|
||||||
|
SPHINXBUILD = sphinx-build
|
||||||
|
PAPER =
|
||||||
|
BUILDDIR = build
|
||||||
|
SOURCEDIR = source
|
||||||
|
SPHINXAPIDOC = sphinx-apidoc
|
||||||
|
|
||||||
|
# Internal variables.
|
||||||
|
PAPEROPT_a4 = -D latex_paper_size=a4
|
||||||
|
PAPEROPT_letter = -D latex_paper_size=letter
|
||||||
|
ALLSPHINXOPTS = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) source
|
||||||
|
# the i18n builder cannot share the environment and doctrees with the others
|
||||||
|
I18NSPHINXOPTS = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) source
|
||||||
|
|
||||||
|
.PHONY: help clean html dirhtml singlehtml pickle json htmlhelp qthelp devhelp epub latex latexpdf text man changes linkcheck doctest gettext
|
||||||
|
|
||||||
|
help:
|
||||||
|
@echo "Please use \`make <target>' where <target> is one of"
|
||||||
|
@echo " autodoc generate the autodoc templates"
|
||||||
|
@echo " html to make standalone HTML files"
|
||||||
|
@echo " dirhtml to make HTML files named index.html in directories"
|
||||||
|
@echo " singlehtml to make a single large HTML file"
|
||||||
|
@echo " pickle to make pickle files"
|
||||||
|
@echo " json to make JSON files"
|
||||||
|
@echo " htmlhelp to make HTML files and a HTML help project"
|
||||||
|
@echo " qthelp to make HTML files and a qthelp project"
|
||||||
|
@echo " devhelp to make HTML files and a Devhelp project"
|
||||||
|
@echo " epub to make an epub"
|
||||||
|
@echo " latex to make LaTeX files, you can set PAPER=a4 or PAPER=letter"
|
||||||
|
@echo " latexpdf to make LaTeX files and run them through pdflatex"
|
||||||
|
@echo " text to make text files"
|
||||||
|
@echo " man to make manual pages"
|
||||||
|
@echo " texinfo to make Texinfo files"
|
||||||
|
@echo " info to make Texinfo files and run them through makeinfo"
|
||||||
|
@echo " gettext to make PO message catalogs"
|
||||||
|
@echo " changes to make an overview of all changed/added/deprecated items"
|
||||||
|
@echo " linkcheck to check all external links for integrity"
|
||||||
|
@echo " doctest to run all doctests embedded in the documentation (if enabled)"
|
||||||
|
|
||||||
|
clean:
|
||||||
|
-rm -rf $(BUILDDIR)/*
|
||||||
|
|
||||||
|
autodoc:
|
||||||
|
$(SPHINXAPIDOC) -f -o $(SOURCEDIR) ../keystone
|
||||||
|
|
||||||
|
html: autodoc
|
||||||
|
$(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
|
||||||
|
@echo
|
||||||
|
@echo "Build finished. The HTML pages are in $(BUILDDIR)/html."
|
||||||
|
|
||||||
|
dirhtml:
|
||||||
|
$(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml
|
||||||
|
@echo
|
||||||
|
@echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml."
|
||||||
|
|
||||||
|
singlehtml:
|
||||||
|
$(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml
|
||||||
|
@echo
|
||||||
|
@echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml."
|
||||||
|
|
||||||
|
pickle:
|
||||||
|
$(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle
|
||||||
|
@echo
|
||||||
|
@echo "Build finished; now you can process the pickle files."
|
||||||
|
|
||||||
|
json:
|
||||||
|
$(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json
|
||||||
|
@echo
|
||||||
|
@echo "Build finished; now you can process the JSON files."
|
||||||
|
|
||||||
|
htmlhelp:
|
||||||
|
$(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp
|
||||||
|
@echo
|
||||||
|
@echo "Build finished; now you can run HTML Help Workshop with the" \
|
||||||
|
".hhp project file in $(BUILDDIR)/htmlhelp."
|
||||||
|
|
||||||
|
qthelp:
|
||||||
|
$(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp
|
||||||
|
@echo
|
||||||
|
@echo "Build finished; now you can run "qcollectiongenerator" with the" \
|
||||||
|
".qhcp project file in $(BUILDDIR)/qthelp, like this:"
|
||||||
|
@echo "# qcollectiongenerator $(BUILDDIR)/qthelp/keystone.qhcp"
|
||||||
|
@echo "To view the help file:"
|
||||||
|
@echo "# assistant -collectionFile $(BUILDDIR)/qthelp/keystone.qhc"
|
||||||
|
|
||||||
|
devhelp:
|
||||||
|
$(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp
|
||||||
|
@echo
|
||||||
|
@echo "Build finished."
|
||||||
|
@echo "To view the help file:"
|
||||||
|
@echo "# mkdir -p $$HOME/.local/share/devhelp/keystone"
|
||||||
|
@echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/keystone"
|
||||||
|
@echo "# devhelp"
|
||||||
|
|
||||||
|
epub:
|
||||||
|
$(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub
|
||||||
|
@echo
|
||||||
|
@echo "Build finished. The epub file is in $(BUILDDIR)/epub."
|
||||||
|
|
||||||
|
latex:
|
||||||
|
$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
|
||||||
|
@echo
|
||||||
|
@echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex."
|
||||||
|
@echo "Run \`make' in that directory to run these through (pdf)latex" \
|
||||||
|
"(use \`make latexpdf' here to do that automatically)."
|
||||||
|
|
||||||
|
latexpdf:
|
||||||
|
$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
|
||||||
|
@echo "Running LaTeX files through pdflatex..."
|
||||||
|
$(MAKE) -C $(BUILDDIR)/latex all-pdf
|
||||||
|
@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
|
||||||
|
|
||||||
|
text:
|
||||||
|
$(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text
|
||||||
|
@echo
|
||||||
|
@echo "Build finished. The text files are in $(BUILDDIR)/text."
|
||||||
|
|
||||||
|
man:
|
||||||
|
$(SPHINXBUILD) -b man $(ALLSPHINXOPTS) $(BUILDDIR)/man
|
||||||
|
@echo
|
||||||
|
@echo "Build finished. The manual pages are in $(BUILDDIR)/man."
|
||||||
|
|
||||||
|
texinfo:
|
||||||
|
$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
|
||||||
|
@echo
|
||||||
|
@echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo."
|
||||||
|
@echo "Run \`make' in that directory to run these through makeinfo" \
|
||||||
|
"(use \`make info' here to do that automatically)."
|
||||||
|
|
||||||
|
info:
|
||||||
|
$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
|
||||||
|
@echo "Running Texinfo files through makeinfo..."
|
||||||
|
make -C $(BUILDDIR)/texinfo info
|
||||||
|
@echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo."
|
||||||
|
|
||||||
|
gettext:
|
||||||
|
$(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale
|
||||||
|
@echo
|
||||||
|
@echo "Build finished. The message catalogs are in $(BUILDDIR)/locale."
|
||||||
|
|
||||||
|
changes:
|
||||||
|
$(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes
|
||||||
|
@echo
|
||||||
|
@echo "The overview file is in $(BUILDDIR)/changes."
|
||||||
|
|
||||||
|
linkcheck:
|
||||||
|
$(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck
|
||||||
|
@echo
|
||||||
|
@echo "Link check complete; look for any errors in the above output " \
|
||||||
|
"or in $(BUILDDIR)/linkcheck/output.txt."
|
||||||
|
|
||||||
|
doctest:
|
||||||
|
$(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest
|
||||||
|
@echo "Testing of doctests in the sources finished, look at the " \
|
||||||
|
"results in $(BUILDDIR)/doctest/output.txt."
|
|
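Review bot: the `info` target runs `make -C $(BUILDDIR)/texinfo info` directly, while `latexpdf` uses `$(MAKE) -C $(BUILDDIR)/latex all-pdf`; use `$(MAKE)` in `info` as well so command-line flags and the jobserver reach the sub-make. In the same file, `.PHONY` does not list `autodoc`, `texinfo` or `info` although all three are targets, `ALLSPHINXOPTS` and `I18NSPHINXOPTS` hard-code `source` even though `SOURCEDIR` is defined a few lines above, and the `qthelp` echo wraps qcollectiongenerator in unescaped double quotes inside a double-quoted string, so the shell drops those quotes from the printed message.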
@ -1,37 +1,39 @@
|
||||||
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
|
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
|
||||||
<diagram>
|
<diagram>
|
||||||
<source><![CDATA[#!>>
|
<source><![CDATA[client:client "Client"
|
||||||
#!Keystone Admin registers an openstack service as a service supported by keystone.
|
compat:compat "Compat"
|
||||||
#!Service credentials returned are provided to the actual service.
|
token:token "Token Service"
|
||||||
#!
|
identity:identity "Identity Service"
|
||||||
#!Actual services use the service credentials to fetch the service token to create roles, endpoints templates,
|
catalog:catalog "Catalog Service"
|
||||||
#!endpoints specific to service and also to validate tokens.
|
|
||||||
#!
|
|
||||||
#!We could extend this behavior to allow any keystone operations carried on behalf of the service to happen
|
|
||||||
#!only using the service token.
|
|
||||||
#!
|
|
||||||
#!Keystone has its own roles to manage itself.Roles specific to a service are available only for that service.
|
|
||||||
#!<<
|
|
||||||
keystone-admin:Actor
|
|
||||||
/queue:FIFO
|
|
||||||
openstack:Service
|
|
||||||
keystone:Service
|
|
||||||
|
|
||||||
[c:Register_Service]
|
[c "Auth, No Tenant"]
|
||||||
keystone-admin:keystone.Register Openstack Service (Service Details)
|
client:{token, user, service_catalog}=compat.POST /v2.0/tokens {'username': user, 'password': password}
|
||||||
keystone:keystone-admin.Provide Service Credentials
|
compat:(user, password, None)=identity.authenticate(user, password, tenant=None)
|
||||||
keystone-admin:openstack.Provide Service Credentials
|
compat:(id, user, password, None)=token.create_token(user, password, tenant=None)
|
||||||
|
compat:{service_catalog (includes all tenants)}=catalog.get_catalog(user, None)
|
||||||
[/c]
|
[/c]
|
||||||
|
|
||||||
[c:Authenticate]
|
[c "Auth, With Tenant"]
|
||||||
openstack:service_token=keystone.Service Credentials
|
client:{scoped_token, user, service_catalog}=compat.POST /v2.0/tokens {'username': user, 'password': password, 'tenant': tenant}
|
||||||
|
compat:(user, password, tenant)=identity.authenticate(user, password, tenant)
|
||||||
|
compat:(id, user, password, tenant)=token.create_token(user, password, tenant)
|
||||||
|
compat:{service_catalog (includes all tenants)}=catalog.get_catalog(user, tenant)
|
||||||
[/c]
|
[/c]
|
||||||
|
|
||||||
[c:Service_Operations]
|
[c "Validate Token, Unscoped"]
|
||||||
openstack:keystone.Add Service Specific Roles<service_token>
|
client:{token, user, tenant=None}=compat.GET /v2.0/tokens/$token
|
||||||
openstack:keystone.Add Service Specific Endpoint Templates<service_token>
|
compat:{token, user, tenant}=token.get_token($token)
|
||||||
openstack:keystone.Add Service Specific Endpoints<service_token>
|
[/c]
|
||||||
openstack:keystone.Validate Token<service_token>
|
|
||||||
|
[c "Validate Token, With Tenant"]
|
||||||
|
client:{token, user, tenant}=compat.GET /v2.0/tokens/$token?belongs_to=$tenant
|
||||||
|
compat:{token, user, tenant}=token.get_token($token)
|
||||||
|
[/c]
|
||||||
|
|
||||||
|
[c "Tenants for Token"]
|
||||||
|
client:{tenants}=compat.(X-Auth-Token: $token) GET /v2.0/tenants
|
||||||
|
compat:{token, user, tenant}=token.get_token($token)
|
||||||
|
compat:{token, user, tenant}=identity.get_tenants($user)
|
||||||
[/c]]]></source>
|
[/c]]]></source>
|
||||||
<configuration>
|
<configuration>
|
||||||
<property name="activationBarBorderThickness" value="1"/>
|
<property name="activationBarBorderThickness" value="1"/>
|
|
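Review bot: in the "Tenants for Token" block, `identity.get_tenants($user)` is labelled as returning `{token, user, tenant}`, which looks copied from the `token.get_token($token)` line above it; the client-facing call returns `{tenants}`, so the identity call should be drawn returning the tenant list. Two security-relevant details are worth resolving before this diagram is used as a design reference: `token.create_token(...)` is shown returning `(id, user, password, ...)`, which reads as the password being carried in the token record, and "Validate Token, With Tenant" takes `belongs_to=$tenant` from the client but shows the same `token.get_token($token)` backend call as the unscoped case, with no tenant comparison. If compat performs that comparison, draw it as a step.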
@ -14,6 +14,61 @@
|
||||||
License for the specific language governing permissions and limitations
|
License for the specific language governing permissions and limitations
|
||||||
under the License.
|
under the License.
|
||||||
|
|
||||||
|
|
||||||
|
===============================
|
||||||
|
Service API Examples Using Curl
|
||||||
|
===============================
|
||||||
|
|
||||||
|
The service API is defined to be a subset of the Admin API and, by
|
||||||
|
default, runs on port 5000.
|
||||||
|
|
||||||
|
GET /
|
||||||
|
=====
|
||||||
|
|
||||||
|
This call is identical to that documented for the Admin API, except
|
||||||
|
that it uses port 5000, instead of port 35357, by default::
|
||||||
|
|
||||||
|
$ curl http://0.0.0.0:5000
|
||||||
|
|
||||||
|
or::
|
||||||
|
|
||||||
|
$ curl http://0.0.0.0:5000/v2.0/
|
||||||
|
|
||||||
|
See the `Admin API Examples Using Curl`_ for more info.
|
||||||
|
|
||||||
|
.. _`Admin API Examples Using Curl`: adminAPI_curl_examples.html
|
||||||
|
|
||||||
|
GET /extensions
|
||||||
|
===============
|
||||||
|
|
||||||
|
This call is identical to that documented for the Admin API.
|
||||||
|
|
||||||
|
POST /tokens
|
||||||
|
============
|
||||||
|
|
||||||
|
This call is identical to that documented for the Admin API.
|
||||||
|
|
||||||
|
GET /tenants
|
||||||
|
============
|
||||||
|
|
||||||
|
List all of the tenants your token can access::
|
||||||
|
|
||||||
|
$ curl -H "X-Auth-Token:887665443383838" http://localhost:5000/v2.0/tenants
|
||||||
|
|
||||||
|
Returns::
|
||||||
|
|
||||||
|
{
|
||||||
|
"tenants_links": [],
|
||||||
|
"tenants": [
|
||||||
|
{
|
||||||
|
"enabled": true,
|
||||||
|
"description": "None",
|
||||||
|
"name": "customer-x",
|
||||||
|
"id": "1"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
||||||
=============================
|
=============================
|
||||||
Admin API Examples Using Curl
|
Admin API Examples Using Curl
|
||||||
=============================
|
=============================
|
|
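Review bot: the `GET /` examples send requests to `http://0.0.0.0:5000`, but 0.0.0.0 is a listen address and not a portable client destination; use `localhost`, as the `GET /tenants` example in this same hunk already does. The added block also lands above the existing "Admin API Examples Using Curl" title, so the file ends up with two overlined document titles, and the `.. _`Admin API Examples Using Curl`: adminAPI_curl_examples.html` target hard-codes the HTML output name, which breaks for non-HTML builders; a `:doc:` reference would resolve everywhere. The sample response shows `"description": "None"` as a string; confirm that is what the server returns and not a stringified null.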
@ -0,0 +1,203 @@
|
||||||
|
..
|
||||||
|
Copyright 2011 OpenStack, LLC
|
||||||
|
All Rights Reserved.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
not use this file except in compliance with the License. You may obtain
|
||||||
|
a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
License for the specific language governing permissions and limitations
|
||||||
|
under the License.
|
||||||
|
|
||||||
|
Keystone Architecture
|
||||||
|
=====================
|
||||||
|
|
||||||
|
Much of the design is precipitated from the expectation that the auth backends
|
||||||
|
for most deployments will actually be shims in front of existing user systems.
|
||||||
|
|
||||||
|
------------
|
||||||
|
The Services
|
||||||
|
------------
|
||||||
|
|
||||||
|
Keystone is organized as a group of services exposed on one or many endpoints.
|
||||||
|
Many of these services are used in a combined fashion by the frontend, for
|
||||||
|
example an authenticate call will validate user/tenant credentials with the
|
||||||
|
Identity service and, upon success, create and return a token with the Token
|
||||||
|
service.
|
||||||
|
|
||||||
|
|
||||||
|
Identity
|
||||||
|
--------
|
||||||
|
|
||||||
|
The Identity service provides auth credential validation and data about Users,
|
||||||
|
Tenants and Roles, as well as any associated metadata.
|
||||||
|
|
||||||
|
In the basic case all this data is managed by the service, allowing the service
|
||||||
|
to manage all the CRUD associated with the data.
|
||||||
|
|
||||||
|
In other cases, this data is pulled, by varying degrees, from an authoritative
|
||||||
|
backend service. An example of this would be when backending on LDAP. See
|
||||||
|
`LDAP Backend` below for more details.
|
||||||
|
|
||||||
|
|
||||||
|
Token
|
||||||
|
-----
|
||||||
|
|
||||||
|
The Token service validates and manages Tokens used for authenticating requests
|
||||||
|
once a user/tenant's credentials have already been verified.
|
||||||
|
|
||||||
|
|
||||||
|
Catalog
|
||||||
|
-------
|
||||||
|
|
||||||
|
The Catalog service provides an endpoint registry used for endpoint discovery.
|
||||||
|
|
||||||
|
|
||||||
|
Policy
|
||||||
|
------
|
||||||
|
|
||||||
|
The Policy service provides a rule-based authorization engine and the
|
||||||
|
associated rule management interface.
|
||||||
|
|
||||||
|
----------
|
||||||
|
Data Model
|
||||||
|
----------
|
||||||
|
|
||||||
|
Keystone was designed from the ground up to be amenable to multiple styles of
|
||||||
|
backends and as such many of the methods and data types will happily accept
|
||||||
|
more data than they know what to do with and pass them on to a backend.
|
||||||
|
|
||||||
|
There are a few main data types:
|
||||||
|
|
||||||
|
* **User**: has account credentials, is associated with one or more tenants
|
||||||
|
* **Tenant**: unit of ownership in openstack, contains one or more users
|
||||||
|
* **Role**: a first-class piece of metadata associated with many user-tenant pairs.
|
||||||
|
* **Token**: identifying credential associated with a user or user and tenant
|
||||||
|
* **Extras**: bucket of key-value metadata associated with a user-tenant pair.
|
||||||
|
* **Rule**: describes a set of requirements for performing an action.
|
||||||
|
|
||||||
|
While the general data model allows a many-to-many relationship between Users
|
||||||
|
and Tenants and a many-to-one relationship between Extras and User-Tenant pairs,
|
||||||
|
the actual backend implementations take varying levels of advantage of that
|
||||||
|
functionality.
|
||||||
|
|
||||||
|
|
||||||
|
KVS Backend
|
||||||
|
-----------
|
||||||
|
|
||||||
|
A simple backend interface meant to be further backended on anything that can
|
||||||
|
support primary key lookups, the most trivial implementation being an in-memory
|
||||||
|
dict.
|
||||||
|
|
||||||
|
Supports all features of the general data model.
|
||||||
|
|
||||||
|
|
||||||
|
PAM Backend
|
||||||
|
-----------
|
||||||
|
|
||||||
|
Extra simple backend that uses the current system's PAM service to authenticate,
|
||||||
|
providing a one-to-one relationship between Users and Tenants with the `root`
|
||||||
|
User also having the 'admin' role.
|
||||||
|
|
||||||
|
|
||||||
|
Templated Backend
|
||||||
|
-----------------
|
||||||
|
|
||||||
|
Largely designed for a common use case around service catalogs in the Keystone
|
||||||
|
project, a Catalog backend that simply expands pre-configured templates to
|
||||||
|
provide catalog data.
|
||||||
|
|
||||||
|
Example paste.deploy config (uses $ instead of % to avoid ConfigParser's
|
||||||
|
interpolation)::
|
||||||
|
|
||||||
|
[DEFAULT]
|
||||||
|
catalog.RegionOne.identity.publicURL = http://localhost:$(public_port)s/v2.0
|
||||||
|
catalog.RegionOne.identity.adminURL = http://localhost:$(public_port)s/v2.0
|
||||||
|
catalog.RegionOne.identity.internalURL = http://localhost:$(public_port)s/v2.0
|
||||||
|
catalog.RegionOne.identity.name = 'Identity Service'
|
||||||
|
|
||||||
|
|
||||||
|
----------------
|
||||||
|
Approach to CRUD
|
||||||
|
----------------
|
||||||
|
|
||||||
|
While it is expected that any "real" deployment at a large company will manage
|
||||||
|
their users, tenants and other metadata in their existing user systems, a
|
||||||
|
variety of CRUD operations are provided for the sake of development and testing.
|
||||||
|
|
||||||
|
CRUD is treated as an extension or additional feature to the core feature set in
|
||||||
|
that it is not required that a backend support it.
|
||||||
|
|
||||||
|
|
||||||
|
----------------------------------
|
||||||
|
Approach to Authorization (Policy)
|
||||||
|
----------------------------------
|
||||||
|
|
||||||
|
Various components in the system require that different actions are allowed
|
||||||
|
based on whether the user is authorized to perform that action.
|
||||||
|
|
||||||
|
For the purposes of Keystone Light there are only a couple levels of
|
||||||
|
authorization being checked for:
|
||||||
|
|
||||||
|
* Require that the performing user is considered an admin.
|
||||||
|
* Require that the performing user matches the user being referenced.
|
||||||
|
|
||||||
|
Other systems wishing to use the policy engine will require additional styles
|
||||||
|
of checks and will possibly write completely custom backends. Backends included
|
||||||
|
in Keystone Light are:
|
||||||
|
|
||||||
|
|
||||||
|
Trivial True
|
||||||
|
------------
|
||||||
|
|
||||||
|
Allows all actions.
|
||||||
|
|
||||||
|
|
||||||
|
Simple Match
|
||||||
|
------------
|
||||||
|
|
||||||
|
Given a list of matches to check for, simply verify that the credentials
|
||||||
|
contain the matches. For example::
|
||||||
|
|
||||||
|
credentials = {'user_id': 'foo', 'is_admin': 1, 'roles': ['nova:netadmin']}
|
||||||
|
|
||||||
|
# An admin only call:
|
||||||
|
policy_api.can_haz(('is_admin:1',), credentials)
|
||||||
|
|
||||||
|
# An admin or owner call:
|
||||||
|
policy_api.can_haz(('is_admin:1', 'user_id:foo'),
|
||||||
|
credentials)
|
||||||
|
|
||||||
|
# A netadmin call:
|
||||||
|
policy_api.can_haz(('roles:nova:netadmin',),
|
||||||
|
credentials)
|
||||||
|
|
||||||
|
|
||||||
|
Credentials are generally built from the user metadata in the 'extras' part
|
||||||
|
of the Identity API. So, adding a 'role' to the user just means adding the role
|
||||||
|
to the user metadata.
|
||||||
|
|
||||||
|
|
||||||
|
Capability RBAC
|
||||||
|
---------------
|
||||||
|
|
||||||
|
(Not yet implemented.)
|
||||||
|
|
||||||
|
Another approach to authorization can be action-based, with a mapping of roles
|
||||||
|
to which capabilities are allowed for that role. For example::
|
||||||
|
|
||||||
|
credentials = {'user_id': 'foo', 'is_admin': 1, 'roles': ['nova:netadmin']}
|
||||||
|
|
||||||
|
# add a policy
|
||||||
|
policy_api.add_policy('action:nova:add_network', ('roles:nova:netadmin',))
|
||||||
|
|
||||||
|
policy_api.can_haz(('action:nova:add_network',), credentials)
|
||||||
|
|
||||||
|
|
||||||
|
In the backend this would look up the policy for 'action:nova:add_network' and
|
||||||
|
then do what is effectively a 'Simple Match' style match against the creds.
|
|
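Review bot: the Identity section says "See `LDAP Backend` below for more details", but the file as added only has sections for the KVS, PAM and Templated backends, so the reference dangles; add the section or drop the pointer. In the Simple Match example the prose says the credentials must "contain the matches" while the comment on `('is_admin:1', 'user_id:foo')` calls it "an admin or owner call"; state explicitly whether a tuple is evaluated any-of or all-of, since that decides who passes an authorization check. In the templated catalog sample, `catalog.RegionOne.identity.adminURL` expands `$(public_port)s` exactly like the public and internal URLs; if the admin API listens on its own port, the sample should use the admin port variable there.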
@ -33,20 +33,6 @@ from blueprint designs to documentation to testing to deployment scripts.
|
||||||
.. _Launchpad: https://launchpad.net/keystone
|
.. _Launchpad: https://launchpad.net/keystone
|
||||||
.. _wiki: http://wiki.openstack.org/
|
.. _wiki: http://wiki.openstack.org/
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Contributing Code
|
|
||||||
-----------------
|
|
||||||
|
|
||||||
To contribute code, sign up for a Launchpad account and sign a contributor license agreement,
|
|
||||||
available on the `<http://wiki.openstack.org/CLA>`_. Once the CLA is signed you
|
|
||||||
can contribute code through the Gerrit version control system which is related to your Launchpad account.
|
|
||||||
|
|
||||||
To contribute tests, docs, code, etc, refer to our `Gerrit-Jenkins-Github Workflow`_.
|
|
||||||
|
|
||||||
.. _`Gerrit-Jenkins-Github Workflow`: http://wiki.openstack.org/GerritJenkinsGithub
|
|
||||||
|
|
||||||
|
|
||||||
#openstack on Freenode IRC Network
|
#openstack on Freenode IRC Network
|
||||||
----------------------------------
|
----------------------------------
|
||||||
|
|
||||||
|
@ -68,10 +54,10 @@ to write drafts for specs or documentation, describe a blueprint, or collaborate
|
||||||
Keystone on Launchpad
|
Keystone on Launchpad
|
||||||
---------------------
|
---------------------
|
||||||
|
|
||||||
Launchpad is a code hosting service that hosts the Keystone source code. From
|
Launchpad is a code hosting that OpenStack is using to track bugs, feature work, and releases of OpenStack. Like other OpenStack projects, Keystone source code is hosted on GitHub
|
||||||
Launchpad you can report bugs, ask questions, and register blueprints (feature requests).
|
|
||||||
|
|
||||||
* `Launchpad Keystone Page <http://launchpad.net/keystone>`_
|
* `Keystone Project Page on Launchpad <http://launchpad.net/keystone>`_
|
||||||
|
* `Keystone Source Repository on GitHub <http://github.com/openstack/keystone>`_
|
||||||
|
|
||||||
OpenStack Blog
|
OpenStack Blog
|
||||||
--------------
|
--------------
|
||||||
|
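Review bot: the replacement sentence "Launchpad is a code hosting that OpenStack is using to track bugs, ..." lost its noun when "service" was dropped, and it ends at "hosted on GitHub" with no period. Suggested wording: "Launchpad is the service OpenStack uses to track bugs, feature work, and releases. Like other OpenStack projects, Keystone's source code is hosted on GitHub." Both project links in the list use `http://`; prefer `https://`, as the `.. _Launchpad:` target earlier in this file already does.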
@ -82,9 +68,9 @@ events and posts from OpenStack contributors.
|
||||||
|
|
||||||
`OpenStack Blog <http://openstack.org/blog>`_
|
`OpenStack Blog <http://openstack.org/blog>`_
|
||||||
|
|
||||||
See also: `Planet OpenStack <http://planet.openstack.org/>`_, aggregating blogs
|
See also: `Planet OpenStack <http://planet.openstack.org/>`_, an aggregation of blogs
|
||||||
about OpenStack from around the internet into a single feed. If you'd like to contribute to this blog
|
about OpenStack from around the internet, combined into a web site and RSS feed. If you'd like to
|
||||||
aggregation with your blog posts, there are instructions for `adding your blog <http://wiki.openstack.org/AddingYourBlog>`_.
|
contribute with your blog posts, there are instructions for `adding your blog <http://wiki.openstack.org/AddingYourBlog>`_.
|
||||||
|
|
||||||
Twitter
|
Twitter
|
||||||
-------
|
-------
|
|
@ -1,25 +1,9 @@
|
||||||
# -*- coding: utf-8 -*-
|
# -*- coding: utf-8 -*-
|
||||||
# Copyright (c) 2010 OpenStack, LLC.
|
|
||||||
#
|
#
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
# keystone documentation build configuration file, created by
|
||||||
# you may not use this file except in compliance with the License.
|
# sphinx-quickstart on Mon Jan 9 12:02:59 2012.
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
#
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
# This file is execfile()d with the current directory set to its containing dir.
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
|
||||||
# implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
#
|
|
||||||
# Keystone documentation build configuration file, created by
|
|
||||||
# sphinx-quickstart on Tue May 18 13:50:15 2010.
|
|
||||||
#
|
|
||||||
# This file is execfile()'d with the current directory set to it's containing
|
|
||||||
# dir.
|
|
||||||
#
|
#
|
||||||
# Note that not all possible configuration values are present in this
|
# Note that not all possible configuration values are present in this
|
||||||
# autogenerated file.
|
# autogenerated file.
|
||||||
|
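Review bot: the top of the file loses the `# Copyright (c) 2010 OpenStack, LLC.` line and the whole Apache 2.0 license header, leaving only the sphinx-quickstart banner. The documentation sources added elsewhere in this change carry the license block, so restore the header above the generated comment and do not let the regenerated template overwrite it.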
@ -27,29 +11,26 @@
|
||||||
# All configuration values have a default; values that are commented out
|
# All configuration values have a default; values that are commented out
|
||||||
# serve to show the default.
|
# serve to show the default.
|
||||||
|
|
||||||
import os
|
|
||||||
import sys
|
import sys
|
||||||
|
import os
|
||||||
|
|
||||||
# If extensions (or modules to document with autodoc) are in another directory,
|
# If extensions (or modules to document with autodoc) are in another directory,
|
||||||
# add these directories to sys.path here. If the directory is relative to the
|
# add these directories to sys.path here. If the directory is relative to the
|
||||||
# documentation root, use os.path.abspath to make it absolute, like shown here.
|
# documentation root, use os.path.abspath to make it absolute, like shown here.
|
||||||
sys.path = [os.path.abspath('../../keystone'),
|
sys.path.insert(0, os.path.abspath('../..'))
|
||||||
os.path.abspath('../..'),
|
|
||||||
os.path.abspath('../../bin')
|
|
||||||
] + sys.path
|
|
||||||
|
|
||||||
# -- General configuration ---------------------------------------------------
|
# -- General configuration -----------------------------------------------------
|
||||||
|
|
||||||
# Add any Sphinx extension module names here, as strings. They can be
|
# If your documentation needs a minimal Sphinx version, state it here.
|
||||||
# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
|
#needs_sphinx = '1.0'
|
||||||
|
|
||||||
|
# Add any Sphinx extension module names here, as strings. They can be extensions
|
||||||
|
# coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
|
||||||
|
#extensions = ['sphinx.ext.autodoc', 'sphinx.ext.intersphinx', 'sphinx.ext.todo', 'sphinx.ext.coverage']
|
||||||
extensions = ['sphinx.ext.autodoc',
|
extensions = ['sphinx.ext.autodoc',
|
||||||
'sphinx.ext.coverage',
|
'sphinx.ext.todo',
|
||||||
'sphinx.ext.viewcode',
|
# 'sphinx.ect.intersphinx',
|
||||||
'sphinx.ext.ifconfig',
|
'sphinx.ext.coverage']
|
||||||
'sphinx.ext.intersphinx',
|
|
||||||
'sphinx.ext.pngmath',
|
|
||||||
'sphinx.ext.graphviz',
|
|
||||||
'sphinx.ext.todo']
|
|
||||||
|
|
||||||
todo_include_todos = True
|
todo_include_todos = True
|
||||||
|
|
||||||
|
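Review bot: the commented-out entry `# 'sphinx.ect.intersphinx',` misspells `sphinx.ext`, so anyone who uncomments it later gets an extension load failure; fix the spelling or delete the line, since the full default list is already kept in the `#extensions = [...]` comment above. The active list also drops `sphinx.ext.viewcode`, `sphinx.ext.ifconfig`, `sphinx.ext.pngmath` and `sphinx.ext.graphviz`; confirm no remaining page uses their directives. The new `sys.path.insert(0, os.path.abspath('../..'))` no longer puts `../../keystone` or `../../bin` on the path, which is fine only if nothing under autodoc imports from those locations directly.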
@ -64,25 +45,23 @@ else:
|
||||||
source_suffix = '.rst'
|
source_suffix = '.rst'
|
||||||
|
|
||||||
# The encoding of source files.
|
# The encoding of source files.
|
||||||
#source_encoding = 'utf-8'
|
#source_encoding = 'utf-8-sig'
|
||||||
|
|
||||||
# The master toctree document.
|
# The master toctree document.
|
||||||
master_doc = 'index'
|
master_doc = 'index'
|
||||||
|
|
||||||
# General information about the project.
|
# General information about the project.
|
||||||
project = u'Keystone'
|
project = u'keystone'
|
||||||
copyright = u'2011-present, OpenStack, LLC.'
|
copyright = u'2012, OpenStack, LLC'
|
||||||
|
|
||||||
# The version info for the project you're documenting, acts as replacement for
|
# The version info for the project you're documenting, acts as replacement for
|
||||||
# |version| and |release|, also used in various other places throughout the
|
# |version| and |release|, also used in various other places throughout the
|
||||||
# built documents.
|
# built documents.
|
||||||
#
|
#
|
||||||
# The short X.Y version.
|
# The short X.Y version.
|
||||||
from keystone import version
|
version = '2012.1'
|
||||||
# The full version, including alpha/beta/rc tags.
|
# The full version, including alpha/beta/rc tags.
|
||||||
release = version.version()
|
release = '2012.1-dev'
|
||||||
# The short X.Y version.
|
|
||||||
version = version.canonical_version()
|
|
||||||
|
|
||||||
# The language for content autogenerated by Sphinx. Refer to documentation
|
# The language for content autogenerated by Sphinx. Refer to documentation
|
||||||
# for a list of supported languages.
|
# for a list of supported languages.
|
||||||
|
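Review bot: `version = '2012.1'` and `release = '2012.1-dev'` replace the values that were read from `keystone.version`, so the documentation version now has to be bumped by hand and can drift from the package. If the import was removed because that module no longer exists on this branch, add a comment saying where the canonical version lives. `copyright = u'2012, OpenStack, LLC'` also narrows the earlier `2011-present` range; check that this is intended.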
@ -94,14 +73,11 @@ version = version.canonical_version()
|
||||||
# Else, today_fmt is used as the format for a strftime call.
|
# Else, today_fmt is used as the format for a strftime call.
|
||||||
#today_fmt = '%B %d, %Y'
|
#today_fmt = '%B %d, %Y'
|
||||||
|
|
||||||
# List of documents that shouldn't be included in the build.
|
# List of patterns, relative to source directory, that match files and
|
||||||
#unused_docs = []
|
# directories to ignore when looking for source files.
|
||||||
|
exclude_patterns = []
|
||||||
|
|
||||||
# List of directories, relative to source directory, that shouldn't be searched
|
# The reST default role (used for this markup: `text`) to use for all documents.
|
||||||
# for source files.
|
|
||||||
exclude_trees = []
|
|
||||||
|
|
||||||
# The reST default role (for this markup: `text`) to use for all documents.
|
|
||||||
#default_role = None
|
#default_role = None
|
||||||
|
|
||||||
# If true, '()' will be appended to :func: etc. cross-reference text.
|
# If true, '()' will be appended to :func: etc. cross-reference text.
|
||||||
|
@ -129,23 +105,15 @@ modindex_common_prefix = ['keystone.']
|
||||||
man_pages = [
|
man_pages = [
|
||||||
('man/keystone-manage', 'keystone-manage', u'Keystone Management Utility',
|
('man/keystone-manage', 'keystone-manage', u'Keystone Management Utility',
|
||||||
[u'OpenStack'], 1),
|
[u'OpenStack'], 1),
|
||||||
('man/keystone', 'keystone', u'Keystone Startup Command',
|
('man/keystone-all', 'keystone-all', u'Keystone Startup Command',
|
||||||
[u'OpenStack'], 1),
|
[u'OpenStack'], 1),
|
||||||
('man/keystone-auth', 'keystone-auth', u'Keystone Startup Command',
|
|
||||||
[u'OpenStack'], 1),
|
|
||||||
('man/keystone-admin', 'keystone-admin', u'Keystone Startup Command',
|
|
||||||
[u'OpenStack'], 1),
|
|
||||||
('man/keystone-import', 'keystone-import', u'Keystone Management Utility',
|
|
||||||
[u'OpenStack'], 1),
|
|
||||||
('man/keystone-control', 'keystone-control',
|
|
||||||
u'Keystone Management Utility', [u'OpenStack'], 1)
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
# -- Options for HTML output -------------------------------------------------
|
# -- Options for HTML output ---------------------------------------------------
|
||||||
|
|
||||||
# The theme to use for HTML and HTML Help pages. Major themes that come with
|
# The theme to use for HTML and HTML Help pages. See the documentation for
|
||||||
# Sphinx are currently 'default' and 'sphinxdoc'.
|
# a list of builtin themes.
|
||||||
html_theme_path = ["."]
|
html_theme_path = ["."]
|
||||||
html_theme = '_theme'
|
html_theme = '_theme'
|
||||||
|
|
||||||
|
@ -155,7 +123,7 @@ html_theme = '_theme'
|
||||||
#html_theme_options = {}
|
#html_theme_options = {}
|
||||||
|
|
||||||
# Add any paths that contain custom themes here, relative to this directory.
|
# Add any paths that contain custom themes here, relative to this directory.
|
||||||
#html_theme_path = ['_theme']
|
#html_theme_path = []
|
||||||
|
|
||||||
# The name for this set of Sphinx documents. If None, it defaults to
|
# The name for this set of Sphinx documents. If None, it defaults to
|
||||||
# "<project> v<release> documentation".
|
# "<project> v<release> documentation".
|
||||||
|
@ -176,7 +144,7 @@ html_theme = '_theme'
|
||||||
# Add any paths that contain custom static files (such as style sheets) here,
|
# Add any paths that contain custom static files (such as style sheets) here,
|
||||||
# relative to this directory. They are copied after the builtin static files,
|
# relative to this directory. They are copied after the builtin static files,
|
||||||
# so a file named "default.css" will overwrite the builtin "default.css".
|
# so a file named "default.css" will overwrite the builtin "default.css".
|
||||||
html_static_path = ['_static', 'images']
|
html_static_path = ['static', 'images']
|
||||||
|
|
||||||
# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
|
# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
|
||||||
# using the given strftime format.
|
# using the given strftime format.
|
||||||
|
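Review bot: `html_static_path` changes from `['_static', 'images']` to `['static', 'images']`, and nothing else in this hunk shows where a `static` directory comes from. Confirm that the docs source tree contains a directory with that name after this change; otherwise the custom static files the comment above refers to will be missing from the built HTML.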
@ -194,7 +162,7 @@ html_static_path = ['_static', 'images']
|
||||||
#html_additional_pages = {}
|
#html_additional_pages = {}
|
||||||
|
|
||||||
# If false, no module index is generated.
|
# If false, no module index is generated.
|
||||||
#html_use_modindex = True
|
#html_domain_indices = True
|
||||||
|
|
||||||
# If false, no index is generated.
|
# If false, no index is generated.
|
||||||
#html_use_index = True
|
#html_use_index = True
|
||||||
|
@ -205,32 +173,42 @@ html_static_path = ['_static', 'images']
|
||||||
# If true, links to the reST sources are added to the pages.
|
# If true, links to the reST sources are added to the pages.
|
||||||
#html_show_sourcelink = True
|
#html_show_sourcelink = True
|
||||||
|
|
||||||
|
# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
|
||||||
|
#html_show_sphinx = True
|
||||||
|
|
||||||
|
# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
|
||||||
|
#html_show_copyright = True
|
||||||
|
|
||||||
# If true, an OpenSearch description file will be output, and all pages will
|
# If true, an OpenSearch description file will be output, and all pages will
|
||||||
# contain a <link> tag referring to it. The value of this option must be the
|
# contain a <link> tag referring to it. The value of this option must be the
|
||||||
# base URL from which the finished HTML is served.
|
# base URL from which the finished HTML is served.
|
||||||
#html_use_opensearch = ''
|
#html_use_opensearch = ''
|
||||||
|
|
||||||
# If nonempty, this is the file name suffix for HTML files (e.g. ".xhtml").
|
# This is the file name suffix for HTML files (e.g. ".xhtml").
|
||||||
#html_file_suffix = ''
|
#html_file_suffix = None
|
||||||
|
|
||||||
# Output file base name for HTML help builder.
|
# Output file base name for HTML help builder.
|
||||||
htmlhelp_basename = 'keystonedoc'
|
htmlhelp_basename = 'keystonedoc'
|
||||||
|
|
||||||
|
|
||||||
# -- Options for LaTeX output ------------------------------------------------
|
# -- Options for LaTeX output --------------------------------------------------
|
||||||
|
|
||||||
# The paper size ('letter' or 'a4').
|
latex_elements = {
|
||||||
#latex_paper_size = 'letter'
|
# The paper size ('letterpaper' or 'a4paper').
|
||||||
|
#'papersize': 'letterpaper',
|
||||||
|
|
||||||
# The font size ('10pt', '11pt' or '12pt').
|
# The font size ('10pt', '11pt' or '12pt').
|
||||||
#latex_font_size = '10pt'
|
#'pointsize': '10pt',
|
||||||
|
|
||||||
|
# Additional stuff for the LaTeX preamble.
|
||||||
|
#'preamble': '',
|
||||||
|
}
|
||||||
|
|
||||||
# Grouping the document tree into LaTeX files. List of tuples
|
# Grouping the document tree into LaTeX files. List of tuples
|
||||||
# (source start file, target name, title, author,
|
# (source start file, target name, title, author, documentclass [howto/manual]).
|
||||||
# documentclass [howto/manual]).
|
|
||||||
latex_documents = [
|
latex_documents = [
|
||||||
('index', 'Keystone.tex', u'Keystone Documentation',
|
('index', 'keystone.tex', u'Keystone Documentation',
|
||||||
u'Keystone Team', 'manual'),
|
u'OpenStack', 'manual'),
|
||||||
]
|
]
|
||||||
|
|
||||||
# The name of an image file (relative to this directory) to place at the top of
|
# The name of an image file (relative to this directory) to place at the top of
|
||||||
|
@ -241,16 +219,55 @@ latex_documents = [
|
||||||
# not chapters.
|
# not chapters.
|
||||||
#latex_use_parts = False
|
#latex_use_parts = False
|
||||||
|
|
||||||
# Additional stuff for the LaTeX preamble.
|
# If true, show page references after internal links.
|
||||||
#latex_preamble = ''
|
#latex_show_pagerefs = False
|
||||||
|
|
||||||
|
# If true, show URL addresses after external links.
|
||||||
|
#latex_show_urls = False
|
||||||
|
|
||||||
# Documents to append as an appendix to all manuals.
|
# Documents to append as an appendix to all manuals.
|
||||||
#latex_appendices = []
|
#latex_appendices = []
|
||||||
|
|
||||||
# If false, no module index is generated.
|
# If false, no module index is generated.
|
||||||
#latex_use_modindex = True
|
#latex_domain_indices = True
|
||||||
|
|
||||||
|
|
||||||
|
# -- Options for manual page output --------------------------------------------
|
||||||
|
|
||||||
|
# One entry per manual page. List of tuples
|
||||||
|
# (source start file, name, description, authors, manual section).
|
||||||
|
man_pages = [
|
||||||
|
('index', 'keystone', u'Keystone Documentation',
|
||||||
|
[u'OpenStack'], 1)
|
||||||
|
]
|
||||||
|
|
||||||
|
# If true, show URL addresses after external links.
|
||||||
|
#man_show_urls = False
|
||||||
|
|
||||||
|
|
||||||
|
# -- Options for Texinfo output ------------------------------------------------
|
||||||
|
|
||||||
|
# Grouping the document tree into Texinfo files. List of tuples
|
||||||
|
# (source start file, target name, title, author,
|
||||||
|
# dir menu entry, description, category)
|
||||||
|
texinfo_documents = [
|
||||||
|
('index', 'keystone', u'Keystone Documentation',
|
||||||
|
u'OpenStack', 'keystone', 'One line description of project.',
|
||||||
|
'Miscellaneous'),
|
||||||
|
]
|
||||||
|
|
||||||
|
# Documents to append as an appendix to all manuals.
|
||||||
|
#texinfo_appendices = []
|
||||||
|
|
||||||
|
# If false, no module index is generated.
|
||||||
|
#texinfo_domain_indices = True
|
||||||
|
|
||||||
|
# How to display URL addresses: 'footnote', 'no', or 'inline'.
|
||||||
|
#texinfo_show_urls = 'footnote'
|
||||||
|
|
||||||
|
|
||||||
# Example configuration for intersphinx: refer to the Python standard library.
|
# Example configuration for intersphinx: refer to the Python standard library.
|
||||||
|
#intersphinx_mapping = {'http://docs.python.org/': None}
|
||||||
intersphinx_mapping = {'python': ('http://docs.python.org/', None),
|
intersphinx_mapping = {'python': ('http://docs.python.org/', None),
|
||||||
'nova': ('http://nova.openstack.org', None),
|
'nova': ('http://nova.openstack.org', None),
|
||||||
'swift': ('http://swift.openstack.org', None),
|
'swift': ('http://swift.openstack.org', None),
|
|
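Review bot: The added "Options for manual page output" block assigns `man_pages` a second time, to `('index', 'keystone', u'Keystone Documentation', [u'OpenStack'], 1)`. Because conf.py is executed top to bottom, this replaces the earlier `man_pages` list holding the `man/keystone-manage` and `man/keystone-all` entries, so the man builder will stop producing those two pages. Drop the new block or merge its entry into the existing list. In the same hunk, `texinfo_documents` still carries the sphinx-quickstart placeholder `'One line description of project.'`; give it a real description or remove the block if Texinfo output is not wanted.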
@ -0,0 +1,488 @@
|
||||||
|
..
|
||||||
|
Copyright 2011 OpenStack, LLC
|
||||||
|
All Rights Reserved.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
not use this file except in compliance with the License. You may obtain
|
||||||
|
a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
License for the specific language governing permissions and limitations
|
||||||
|
under the License.
|
||||||
|
|
||||||
|
====================
|
||||||
|
Configuring Keystone
|
||||||
|
====================
|
||||||
|
|
||||||
|
.. toctree::
|
||||||
|
:maxdepth: 1
|
||||||
|
|
||||||
|
man/keystone-manage
|
||||||
|
man/keystone-all
|
||||||
|
|
||||||
|
Once Keystone is installed, it is configured via a primary configuration file
|
||||||
|
(``etc/keystone.conf``), possibly a separate logging configuration file, and
|
||||||
|
initializing data into keystone using the command line client.
|
||||||
|
|
||||||
|
|
||||||
|
Keystone Configuration File
|
||||||
|
===========================
|
||||||
|
|
||||||
|
The keystone configuration file is an 'ini' file format with sections,
|
||||||
|
extended from Paste_, a common system used to configure python WSGI based
|
||||||
|
applications. In addition to the paste config entries, general configuration
|
||||||
|
values are stored under ``[DEFAULT]``, ``[sql]``, ``[ec2]`` and then drivers
|
||||||
|
for the various services are included under their individual sections.
|
||||||
|
|
||||||
|
The services include:
|
||||||
|
* ``[identity]`` - the python module that backends the identity system
|
||||||
|
* ``[catalog]`` - the python module that backends the service catalog
|
||||||
|
* ``[token]`` - the python module that backends the token providing mechanisms
|
||||||
|
* ``[policy]`` - the python module that drives the policy system for RBAC
|
||||||
|
|
||||||
|
The keystone configuration file is expected to be named ``keystone.conf``.
|
||||||
|
When starting up Keystone, you can specify a different configuration file to
|
||||||
|
use with ``--config-file``. If you do **not** specify a configuration file,
|
||||||
|
keystone will look in the following directories for a configuration file, in
|
||||||
|
order:
|
||||||
|
|
||||||
|
* ``~/.keystone``
|
||||||
|
* ``~/``
|
||||||
|
* ``/etc/keystone``
|
||||||
|
* ``/etc``
|
||||||
|
|
||||||
|
Logging is configured externally to the rest of keystone, the file specifying
|
||||||
|
the logging configuration is in the [DEFAULT] section of the keystone conf
|
||||||
|
file under ``log_config``. If you wish to route all your logging through
|
||||||
|
syslog, there is a ``use_syslog`` option also in the [DEFAULT] section that
|
||||||
|
easy.
|
||||||
|
|
||||||
|
A sample logging file is available with the project in the directory
|
||||||
|
``etc/logging.conf.sample``. Like other OpenStack projects, keystone uses the
|
||||||
|
`python logging module`, which includes extensive configuration options for
|
||||||
|
choosing the output levels and formats.
|
||||||
|
|
||||||
|
In addition to this documentation page, you can check the ``etc/keystone.conf``
|
||||||
|
sample configuration files distributed with keystone for example configuration
|
||||||
|
files for each server application.
|
||||||
|
|
||||||
|
.. _Paste: http://pythonpaste.org/
|
||||||
|
.. _`python logging module`: http://docs.python.org/library/logging.html
|
||||||
|
|
||||||
|
Sample Configuration Files
|
||||||
|
--------------------------
|
||||||
|
|
||||||
|
* ``etc/keystone.conf``
|
||||||
|
* ``etc/logging.conf.sample``
|
||||||
|
|
||||||
|
Running Keystone
|
||||||
|
================
|
||||||
|
|
||||||
|
Running keystone is simply starting the services by using the command::
|
||||||
|
|
||||||
|
keystone-all
|
||||||
|
|
||||||
|
Invoking this command starts up two wsgi.Server instances, configured by the
|
||||||
|
``keystone.conf`` file as described above. One of these wsgi 'servers' is
|
||||||
|
``admin`` (the administration API) and the other is ``main`` (the
|
||||||
|
primary/public API interface). Both of these run in a single process.
|
||||||
|
|
||||||
|
Migrating from legacy versions of keystone
|
||||||
|
==========================================
|
||||||
|
Migration support is provided for the following legacy keystone versions:
|
||||||
|
|
||||||
|
* diablo-5
|
||||||
|
* stable/diablo
|
||||||
|
* essex-2
|
||||||
|
* essex-3
|
||||||
|
|
||||||
|
To migrate from legacy versions of keystone, use the following steps:
|
||||||
|
|
||||||
|
Step 1: Configure keystone.conf
|
||||||
|
-------------------------------
|
||||||
|
It is important that the database that you specify be different from the one
|
||||||
|
containing your existing install.
|
||||||
|
|
||||||
|
Step 2: db_sync your new, empty database
|
||||||
|
----------------------------------------
|
||||||
|
Run the following command to configure the most recent schema in your new
|
||||||
|
keystone installation::
|
||||||
|
|
||||||
|
keystone-manage db_sync
|
||||||
|
|
||||||
|
Step 3: Import your legacy data
|
||||||
|
-------------------------------
|
||||||
|
Use the following command to import your old data::
|
||||||
|
|
||||||
|
keystone-manage import_legacy [db_url, e.g. 'mysql://root@foobar/keystone']
|
||||||
|
|
||||||
|
Specify db_url as the connection string that was present in your old
|
||||||
|
keystone.conf file.
|
||||||
|
|
||||||
|
Step 3: Import your legacy service catalog
|
||||||
|
------------------------------------------
|
||||||
|
While the older keystone stored the service catalog in the database,
|
||||||
|
the updated version configures the service catalog using a template file.
|
||||||
|
An example service catalog template file may be found in
|
||||||
|
etc/default_catalog.templates.
|
||||||
|
|
||||||
|
To import your legacy catalog, run this command::
|
||||||
|
|
||||||
|
keystone-manage export_legacy_catalog \
|
||||||
|
[db_url e.g. 'mysql://root@foobar/keystone'] > \
|
||||||
|
[path_to_templates e.g. 'etc/default_catalog.templates']
|
||||||
|
|
||||||
|
After executing this command, you will need to restart the keystone service to
|
||||||
|
see your changes.
|
||||||
|
|
||||||
|
Initializing Keystone
|
||||||
|
=====================
|
||||||
|
|
||||||
|
keystone-manage is designed to execute commands that cannot be administered
|
||||||
|
through the normal REST api. At the moment, the following calls are supported:
|
||||||
|
|
||||||
|
* ``db_sync``: Sync the database.
|
||||||
|
* ``import_legacy``: Import a legacy (pre-essex) version of the db.
|
||||||
|
* ``export_legacy_catalog``: Export service catalog from a legacy (pre-essex) db.
|
||||||
|
|
||||||
|
|
||||||
|
Generally, the following is the first step after a source installation::
|
||||||
|
|
||||||
|
keystone-manage db_sync
|
||||||
|
|
||||||
|
Invoking keystone-manage by itself will give you additional usage information.
|
||||||
|
|
||||||
|
Adding Users, Tenants, and Roles with python-keystoneclient
|
||||||
|
===========================================================
|
||||||
|
|
||||||
|
User, tenants, and roles must be administered using admin credentials.
|
||||||
|
There are two ways to configure python-keystoneclient to use admin
|
||||||
|
credentials, using the token auth method, or password auth method.
|
||||||
|
|
||||||
|
Token Auth Method
|
||||||
|
-----------------
|
||||||
|
To use keystone client using token auth, set the following flags
|
||||||
|
|
||||||
|
* ``--endpoint SERVIVE_ENDPOINT`` : allows you to specify the keystone endpoint to communicate
|
||||||
|
with. The default endpoint is http://localhost:35357/v2.0'
|
||||||
|
* ``--token SERVIVE_TOKEN`` : your administrator service token.
|
||||||
|
|
||||||
|
Password Auth Method
|
||||||
|
--------------------
|
||||||
|
|
||||||
|
* ``--username OS_USERNAME`` : allows you to specify the keystone endpoint to communicate
|
||||||
|
with. For example, http://localhost:35357/v2.0'
|
||||||
|
* ``--password OS_PASSWORD`` : Your administrator password
|
||||||
|
* ``--tenant_name OS_TENANT_NAME`` : Name of your tenant
|
||||||
|
* ``--auth_url OS_AUTH_URL`` : url of your keystone auth server, for example
|
||||||
|
http://localhost:5000/v2.0'
|
||||||
|
|
||||||
|
Example usage
|
||||||
|
-------------
|
||||||
|
``keystone`` is set up to expect commands in the general form of
|
||||||
|
``keystone`` ``command`` ``argument``, followed by flag-like keyword arguments to
|
||||||
|
provide additional (often optional) information. For example, the command
|
||||||
|
``user-list`` and ``tenant-create`` can be invoked as follows::
|
||||||
|
|
||||||
|
# Using token auth env variables
|
||||||
|
export SERVICE_ENDPOINT=http://127.0.0.1:5000/v2.0/
|
||||||
|
export SERVICE_TOKEN=secrete_token
|
||||||
|
keystone user-list
|
||||||
|
keystone tenant-create --name=demo
|
||||||
|
|
||||||
|
# Using token auth flags
|
||||||
|
keystone --token=secrete --endpoint=http://127.0.0.1:5000/v2.0/ user-list
|
||||||
|
keystone --token=secrete --endpoint=http://127.0.0.1:5000/v2.0/ tenant-create --name=demo
|
||||||
|
|
||||||
|
# Using user + password + tenant_name env variables
|
||||||
|
export OS_USERNAME=admin
|
||||||
|
export OS_PASSWORD=secrete
|
||||||
|
export OS_TENANT_NAME=admin
|
||||||
|
keystone user-list
|
||||||
|
keystone tenant-create --name=demo
|
||||||
|
|
||||||
|
# Using user + password + tenant_name flags
|
||||||
|
keystone --username=admin --password=secrete --tenant_name=admin user-list
|
||||||
|
keystone --username=admin --password=secrete --tenant_name=admin tenant-create --name=demo
|
||||||
|
|
||||||
|
Tenants
|
||||||
|
-------
|
||||||
|
|
||||||
|
Tenants are the high level grouping within Keystone that represent groups of
|
||||||
|
users. A tenant is the grouping that owns virtual machines within Nova, or
|
||||||
|
containers within Swift. A tenant can have zero or more users, Users can
|
||||||
|
be associated with more than one tenant, and each tenant - user pairing can
|
||||||
|
have a role associated with it.
|
||||||
|
|
||||||
|
``tenant-create``
|
||||||
|
^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
keyword arguments
|
||||||
|
|
||||||
|
* name
|
||||||
|
* description (optional, defaults to None)
|
||||||
|
* enabled (optional, defaults to True)
|
||||||
|
|
||||||
|
example::
|
||||||
|
|
||||||
|
keystone tenant-create --name=demo
|
||||||
|
|
||||||
|
creates a tenant named "demo".
|
||||||
|
|
||||||
|
``tenant-delete``
|
||||||
|
^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
arguments
|
||||||
|
|
||||||
|
* tenant_id
|
||||||
|
|
||||||
|
example::
|
||||||
|
|
||||||
|
keystone tenant-delete f2b7b39c860840dfa47d9ee4adffa0b3
|
||||||
|
|
||||||
|
``tenant-enable``
|
||||||
|
^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
arguments
|
||||||
|
|
||||||
|
* tenant_id
|
||||||
|
|
||||||
|
example::
|
||||||
|
|
||||||
|
keystone tenant-enable f2b7b39c860840dfa47d9ee4adffa0b3
|
||||||
|
|
||||||
|
``tenant-disable``
|
||||||
|
^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
arguments
|
||||||
|
|
||||||
|
* tenant_id
|
||||||
|
|
||||||
|
example::
|
||||||
|
|
||||||
|
keystone tenant-disable f2b7b39c860840dfa47d9ee4adffa0b3
|
||||||
|
|
||||||
|
Users
|
||||||
|
-----
|
||||||
|
|
||||||
|
``user-create``
|
||||||
|
^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
keyword arguments
|
||||||
|
|
||||||
|
* name
|
||||||
|
* pass
|
||||||
|
* email
|
||||||
|
* default_tenant (optional, defaults to None)
|
||||||
|
* enabled (optional, defaults to True)
|
||||||
|
|
||||||
|
example::
|
||||||
|
|
||||||
|
keystone user-create
|
||||||
|
--name=admin \
|
||||||
|
--pass=secrete \
|
||||||
|
--email=admin@example.com
|
||||||
|
|
||||||
|
``user-delete``
|
||||||
|
^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
keyword arguments
|
||||||
|
|
||||||
|
* user
|
||||||
|
|
||||||
|
example::
|
||||||
|
|
||||||
|
keystone user-delete f2b7b39c860840dfa47d9ee4adffa0b3
|
||||||
|
|
||||||
|
``user-list``
|
||||||
|
^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
list users in the system, optionally by a specific tenant (identified by tenant_id)
|
||||||
|
|
||||||
|
arguments
|
||||||
|
|
||||||
|
* tenant_id (optional, defaults to None)
|
||||||
|
|
||||||
|
example::
|
||||||
|
|
||||||
|
keystone user-list
|
||||||
|
|
||||||
|
``user-update-email``
|
||||||
|
^^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
arguments
|
||||||
|
* user_id
|
||||||
|
* email
|
||||||
|
|
||||||
|
|
||||||
|
example::
|
||||||
|
|
||||||
|
keystone user-update-email 03c84b51574841ba9a0d8db7882ac645 "someone@somewhere.com"
|
||||||
|
|
||||||
|
``user-enable``
|
||||||
|
^^^^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
arguments
|
||||||
|
|
||||||
|
* user_id
|
||||||
|
|
||||||
|
example::
|
||||||
|
|
||||||
|
keystone user-enable 03c84b51574841ba9a0d8db7882ac645
|
||||||
|
|
||||||
|
``user-disable``
|
||||||
|
^^^^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
arguments
|
||||||
|
|
||||||
|
* user_id
|
||||||
|
|
||||||
|
example::
|
||||||
|
|
||||||
|
keystone user-disable 03c84b51574841ba9a0d8db7882ac645
|
||||||
|
|
||||||
|
|
||||||
|
``user-update-password``
|
||||||
|
^^^^^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
arguments
|
||||||
|
|
||||||
|
* user_id
|
||||||
|
* password
|
||||||
|
|
||||||
|
example::
|
||||||
|
|
||||||
|
keystone user-update-password 03c84b51574841ba9a0d8db7882ac645 foo
|
||||||
|
|
||||||
|
Roles
|
||||||
|
-----
|
||||||
|
|
||||||
|
``role-create``
|
||||||
|
^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
arguments
|
||||||
|
|
||||||
|
* name
|
||||||
|
|
||||||
|
exmaple::
|
||||||
|
|
||||||
|
keystone role-create --name=demo
|
||||||
|
|
||||||
|
``role-delete``
|
||||||
|
^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
arguments
|
||||||
|
|
||||||
|
* role_id
|
||||||
|
|
||||||
|
exmaple::
|
||||||
|
|
||||||
|
keystone role-delete 19d1d3344873464d819c45f521ff9890
|
||||||
|
|
||||||
|
``role-list``
|
||||||
|
^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
exmaple::
|
||||||
|
|
||||||
|
keystone role-list
|
||||||
|
|
||||||
|
``role-get``
|
||||||
|
^^^^^^^^^^^^
|
||||||
|
|
||||||
|
arguments
|
||||||
|
|
||||||
|
* role_id
|
||||||
|
|
||||||
|
exmaple::
|
||||||
|
|
||||||
|
keystone role-get role=19d1d3344873464d819c45f521ff9890
|
||||||
|
|
||||||
|
|
||||||
|
``add-user-role``
|
||||||
|
^^^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
arguments
|
||||||
|
|
||||||
|
* role_id
|
||||||
|
* user_id
|
||||||
|
* tenant_id
|
||||||
|
|
||||||
|
example::
|
||||||
|
|
||||||
|
keystone role add-user-role \
|
||||||
|
3a751f78ef4c412b827540b829e2d7dd \
|
||||||
|
03c84b51574841ba9a0d8db7882ac645 \
|
||||||
|
20601a7f1d94447daa4dff438cb1c209
|
||||||
|
|
||||||
|
``remove-user-role``
|
||||||
|
^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
arguments
|
||||||
|
|
||||||
|
* role_id
|
||||||
|
* user_id
|
||||||
|
* tenant_id
|
||||||
|
|
||||||
|
example::
|
||||||
|
|
||||||
|
keystone remove-user-role \
|
||||||
|
19d1d3344873464d819c45f521ff9890 \
|
||||||
|
08741d8ed88242ca88d1f61484a0fe3b \
|
||||||
|
20601a7f1d94447daa4dff438cb1c209
|
||||||
|
|
||||||
|
Services
|
||||||
|
--------
|
||||||
|
|
||||||
|
``service-create``
|
||||||
|
^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
keyword arguments
|
||||||
|
|
||||||
|
* name
|
||||||
|
* type
|
||||||
|
* description
|
||||||
|
|
||||||
|
example::
|
||||||
|
|
||||||
|
keystone service create \
|
||||||
|
--name=nova \
|
||||||
|
--type=compute \
|
||||||
|
--description="Nova Compute Service"
|
||||||
|
|
||||||
|
``service-list``
|
||||||
|
^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
arguments
|
||||||
|
|
||||||
|
* service_id
|
||||||
|
|
||||||
|
example::
|
||||||
|
|
||||||
|
keystone service-list
|
||||||
|
|
||||||
|
``service-get``
|
||||||
|
^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
arguments
|
||||||
|
|
||||||
|
* service_id
|
||||||
|
|
||||||
|
example::
|
||||||
|
|
||||||
|
keystone service-get 08741d8ed88242ca88d1f61484a0fe3b
|
||||||
|
|
||||||
|
``service-delete``
|
||||||
|
^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
arguments
|
||||||
|
|
||||||
|
* service_id
|
||||||
|
|
||||||
|
example::
|
||||||
|
|
||||||
|
keystone service-delete 08741d8ed88242ca88d1f61484a0fe3b
|
||||||
|
|
|
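Review bot: The "Token Auth Method" section contradicts its own examples. The flags are documented as `--endpoint SERVIVE_ENDPOINT` and `--token SERVIVE_TOKEN` (misspelled) while the examples export `SERVICE_ENDPOINT` and `SERVICE_TOKEN`, and the stated default endpoint is `http://localhost:35357/v2.0` while every token example points at `http://127.0.0.1:5000/v2.0/`. Pick one and make the text and examples agree, and drop the stray trailing `'` after the URLs. Under "Password Auth Method", the `--username OS_USERNAME` bullet repeats the endpoint description instead of describing the user name. Several example commands do not match the command names documented above them (`keystone role add-user-role`, `keystone service create`, `keystone role-get role=...`), and the `user-create` example is missing the `\` continuation after its first line. Smaller fixes: two headings are both numbered "Step 3", the `use_syslog` sentence ends at "that easy." with no verb, `exmaple::` is misspelled four times in the Roles section, and the underline under ``tenant-disable`` is one character shorter than the title, which docutils reports as a title underline that is too short. Since the examples pass `--password=secrete`, `--token=secrete` and a new password as a positional argument to `user-update-password`, it is also worth a sentence telling readers that values given on the command line end up in shell history and process listings, and that the environment-variable form shown in the same block avoids that.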
@ -0,0 +1,197 @@
|
||||||
|
..
|
||||||
|
Copyright 2011 OpenStack, LLC
|
||||||
|
All Rights Reserved.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
not use this file except in compliance with the License. You may obtain
|
||||||
|
a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
License for the specific language governing permissions and limitations
|
||||||
|
under the License.
|
||||||
|
|
||||||
|
==========================================
|
||||||
|
Configuring Services to work with Keystone
|
||||||
|
==========================================
|
||||||
|
|
||||||
|
.. toctree::
|
||||||
|
:maxdepth: 1
|
||||||
|
|
||||||
|
nova-api-paste
|
||||||
|
middleware_architecture
|
||||||
|
|
||||||
|
Once Keystone is installed and running (see :doc:`configuration`), services
|
||||||
|
need to be configured to work with it. To do this, we primarily install and
|
||||||
|
configure middleware for the OpenStack service to handle authentication tasks
|
||||||
|
or otherwise interact with Keystone.
|
||||||
|
|
||||||
|
In general:
|
||||||
|
* Clients making calls to the service will pass in an authentication token.
|
||||||
|
* The Keystone middleware will look for and validate that token, taking the
|
||||||
|
appropriate action.
|
||||||
|
* It will also retrive additional information from the token such as user
|
||||||
|
name, id, tenant name, id, roles, etc...
|
||||||
|
|
||||||
|
The middleware will pass those data down to the service as headers. More
|
||||||
|
details on the architecture of that setup is described in
|
||||||
|
:doc:`middleware_architecture`
|
||||||
|
|
||||||
|
Setting up credentials
|
||||||
|
======================
|
||||||
|
|
||||||
|
Admin Token
|
||||||
|
-----------
|
||||||
|
|
||||||
|
For a default installation of Keystone, before you can use the REST API, you
|
||||||
|
need to define an authorization token. This is configured in ``keystone.conf``
|
||||||
|
file under the section ``[DEFAULT]``. In the sample file provided with the
|
||||||
|
keystone project, the line defining this token is
|
||||||
|
|
||||||
|
[DEFAULT]
|
||||||
|
admin_token = ADMIN
|
||||||
|
|
||||||
|
This configured token is a "shared secret" between keystone and other
|
||||||
|
openstack services (for example: nova, swift, glance, or horizon), and will
|
||||||
|
need to be set the same between those services in order for keystone services
|
||||||
|
to function correctly.
|
||||||
|
|
||||||
|
Setting up tenants, users, and roles
|
||||||
|
------------------------------------
|
||||||
|
|
||||||
|
You need to minimally define a tenant, user, and role to link the tenant and
|
||||||
|
user as the most basic set of details to get other services authenticating
|
||||||
|
and authorizing with keystone. See doc:`configuration` for a walk through on
|
||||||
|
how to create tenants, users, and roles.
|
||||||
|
|
||||||
|
Setting up services
|
||||||
|
===================
|
||||||
|
|
||||||
|
Defining Services
|
||||||
|
-----------------
|
||||||
|
|
||||||
|
Keystone also acts as a service catalog to let other OpenStack systems know
|
||||||
|
where relevant API endpoints exist for OpenStack Services. The OpenStack
|
||||||
|
Dashboard, in particular, uses this heavily - and this **must** be configured
|
||||||
|
for the OpenStack Dashboard to properly function.
|
||||||
|
|
||||||
|
Here's how we define the services::
|
||||||
|
|
||||||
|
keystone service-create --name=nova \
|
||||||
|
--type=compute \
|
||||||
|
--description="Nova Compute Service"
|
||||||
|
keystone service-create --name=ec2 \
|
||||||
|
--type=ec2 \
|
||||||
|
--description="EC2 Compatibility Layer"
|
||||||
|
keystone service-create --name=glance \
|
||||||
|
--type=image \
|
||||||
|
--description="Glance Image Service"
|
||||||
|
keystone service-create --name=keystone \
|
||||||
|
--type=identity \
|
||||||
|
--description="Keystone Identity Service"
|
||||||
|
keystone service-create --name=swift \
|
||||||
|
--type=object-store \
|
||||||
|
--description="Swift Service"
|
||||||
|
|
||||||
|
The endpoints for these services are defined in a template, an example of
|
||||||
|
which is in the project as the file ``etc/default_catalog.templates``.
|
||||||
|
|
||||||
|
Setting Up Middleware
|
||||||
|
=====================
|
||||||
|
|
||||||
|
Keystone Auth-Token Middleware
|
||||||
|
--------------------------------
|
||||||
|
|
||||||
|
The Keystone auth_token middleware is a WSGI component that can be inserted in
|
||||||
|
the WSGI pipeline to handle authenticating tokens with Keystone.
|
||||||
|
|
||||||
|
Configuring Nova to use Keystone
|
||||||
|
--------------------------------
|
||||||
|
|
||||||
|
To configure Nova to use Keystone for authentication, the Nova API service
|
||||||
|
can be run against the api-paste file provided by Keystone. This is most
|
||||||
|
easily accomplished by setting the `--api_paste_config` flag in nova.conf to
|
||||||
|
point to `examples/paste/nova-api-paste.ini` from Keystone. This paste file
|
||||||
|
included references to the WSGI authentication middleware provided with the
|
||||||
|
keystone installation.
|
||||||
|
|
||||||
|
When configuring Nova, it is important to create a admin service token for
|
||||||
|
the service (from the Configuration step above) and include that as the key
|
||||||
|
'admin_token' in the nova-api-paste.ini. See the documented
|
||||||
|
:doc:`nova-api-paste` file for references.
|
||||||
|
|
||||||
|
Configuring Swift to use Keystone
|
||||||
|
---------------------------------
|
||||||
|
|
||||||
|
Similar to Nova, swift can be configured to use Keystone for authentication
|
||||||
|
rather than it's built in 'tempauth'.
|
||||||
|
|
||||||
|
1. Add a service endpoint for Swift to Keystone
|
||||||
|
|
||||||
|
2. Configure the paste file for swift-proxy (`/etc/swift/swift-proxy.conf`)
|
||||||
|
|
||||||
|
3. Reconfigure Swift's proxy server to use Keystone instead of TempAuth.
|
||||||
|
Here's an example `/etc/swift/proxy-server.conf`::
|
||||||
|
|
||||||
|
[DEFAULT]
|
||||||
|
bind_port = 8888
|
||||||
|
user = <user>
|
||||||
|
|
||||||
|
[pipeline:main]
|
||||||
|
pipeline = catch_errors cache keystone proxy-server
|
||||||
|
|
||||||
|
[app:proxy-server]
|
||||||
|
use = egg:swift#proxy
|
||||||
|
account_autocreate = true
|
||||||
|
|
||||||
|
[filter:keystone]
|
||||||
|
use = egg:keystone#tokenauth
|
||||||
|
auth_protocol = http
|
||||||
|
auth_host = 127.0.0.1
|
||||||
|
auth_port = 35357
|
||||||
|
admin_token = 999888777666
|
||||||
|
delay_auth_decision = 0
|
||||||
|
service_protocol = http
|
||||||
|
service_host = 127.0.0.1
|
||||||
|
service_port = 8100
|
||||||
|
service_pass = dTpw
|
||||||
|
cache = swift.cache
|
||||||
|
|
||||||
|
[filter:cache]
|
||||||
|
use = egg:swift#memcache
|
||||||
|
set log_name = cache
|
||||||
|
|
||||||
|
[filter:catch_errors]
|
||||||
|
use = egg:swift#catch_errors
|
||||||
|
|
||||||
|
Note that the optional "cache" property in the keystone filter allows any
|
||||||
|
service (not just Swift) to register its memcache client in the WSGI
|
||||||
|
environment. If such a cache exists, Keystone middleware will utilize it
|
||||||
|
to store validated token information, which could result in better overall
|
||||||
|
performance.
|
||||||
|
|
||||||
|
4. Restart swift
|
||||||
|
|
||||||
|
5. Verify that keystone is providing authentication to Swift
|
||||||
|
|
||||||
|
Use `swift` to check everything works (note: you currently have to create a
|
||||||
|
container or upload something as your first action to have the account
|
||||||
|
created; there's a Swift bug to be fixed soon)::
|
||||||
|
|
||||||
|
$ swift -A http://127.0.0.1:5000/v1.0 -U joeuser -K secrete post container
|
||||||
|
$ swift -A http://127.0.0.1:5000/v1.0 -U joeuser -K secrete stat -v
|
||||||
|
StorageURL: http://127.0.0.1:8888/v1/AUTH_1234
|
||||||
|
Auth Token: 74ce1b05-e839-43b7-bd76-85ef178726c3
|
||||||
|
Account: AUTH_1234
|
||||||
|
Containers: 1
|
||||||
|
Objects: 0
|
||||||
|
Bytes: 0
|
||||||
|
Accept-Ranges: bytes
|
||||||
|
X-Trans-Id: tx25c1a6969d8f4372b63912f411de3c3b
|
||||||
|
|
||||||
|
.. WARNING::
|
||||||
|
Keystone currently allows any valid token to do anything with any account.
|
||||||
|
|
|
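Review bot: In "Configuring Swift to use Keystone", step 2 names the paste file `/etc/swift/swift-proxy.conf` but the example in step 3 is `/etc/swift/proxy-server.conf`; use one path so readers edit the file the proxy actually loads. The same example hard-codes `admin_token = 999888777666` and `service_pass = dTpw` right beside the placeholder `user = <user>`, with `auth_protocol = http`, so a copied config keeps a published admin token and sends it over plain HTTP as soon as `auth_host` is no longer 127.0.0.1; use placeholders for both values and say the token must match keystone.conf. Wording in this hunk: "rather than it's built in" should be "its built-in", "create a admin service token" should be "an admin", and "This paste file included references" should be "includes".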
@ -0,0 +1,150 @@
|
||||||
|
..
|
||||||
|
Copyright 2011 OpenStack, LLC
|
||||||
|
All Rights Reserved.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
not use this file except in compliance with the License. You may obtain
|
||||||
|
a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
License for the specific language governing permissions and limitations
|
||||||
|
under the License.
|
||||||
|
|
||||||
|
========================
|
||||||
|
Developing with Keystone
|
||||||
|
========================
|
||||||
|
|
||||||
|
Contributing Code
|
||||||
|
=================
|
||||||
|
|
||||||
|
To contribute code, sign up for a Launchpad account and sign a contributor license agreement,
|
||||||
|
available on the `<http://wiki.openstack.org/CLA>`_. Once the CLA is signed you
|
||||||
|
can contribute code through the Gerrit version control system which is related to your Launchpad account.
|
||||||
|
|
||||||
|
To contribute tests, docs, code, etc, refer to our `Gerrit-Jenkins-Github Workflow`_.
|
||||||
|
|
||||||
|
.. _`Gerrit-Jenkins-Github Workflow`: http://wiki.openstack.org/GerritJenkinsGithub
|
||||||
|
|
||||||
|
Setup
|
||||||
|
-----
|
||||||
|
|
||||||
|
Get your development environment set up according to :doc:`setup`. The instructions from here will
|
||||||
|
assume that you have installed keystone into a virtualenv. If you chose not to, simply exclude "tools/with_venv.sh" from the example commands below.
|
||||||
|
|
||||||
|
Running Keystone
|
||||||
|
----------------
|
||||||
|
|
||||||
|
To run the keystone Admin and API server instances, use::
|
||||||
|
|
||||||
|
$ tools/with_venv.sh bin/keystone-all
|
||||||
|
|
||||||
|
this runs keystone with the configuration the etc/ directory of the project. See :doc:`configuration` for details on how Keystone is configured.
|
||||||
|
|
||||||
|
Interacting with Keystone
|
||||||
|
-------------------------
|
||||||
|
|
||||||
|
You can interact with Keystone through the command line using :doc:`man/keystone-manage`
|
||||||
|
which allows you to establish tenants, users, etc.
|
||||||
|
|
||||||
|
You can also interact with Keystone through it's REST API. There is a python
|
||||||
|
keystone client library `python-keystoneclient`_ which interacts exclusively through
|
||||||
|
the REST API, and which keystone itself uses to provide it's command-line interface.
|
||||||
|
|
||||||
|
When initially getting set up, after you've configured which databases to use,
|
||||||
|
you're probably going to need to run the following to your database schema in place ::
|
||||||
|
|
||||||
|
$ bin/keystone-manage db_sync
|
||||||
|
|
||||||
|
|
||||||
|
.. _`python-keystoneclient`: https://github.com/openstack/python-keystoneclient
|
||||||
|
|
||||||
|
Running Tests
|
||||||
|
=============
|
||||||
|
|
||||||
|
To run the full suites of tests maintained within Keystone, run::
|
||||||
|
|
||||||
|
$ ./run_tests.sh
|
||||||
|
|
||||||
|
This shows realtime feedback during test execution, iterates over
|
||||||
|
multiple configuration variations, and uses external projects to do
|
||||||
|
light integration testing to verify the keystone API against other projects.
|
||||||
|
|
||||||
|
Test Structure
|
||||||
|
--------------
|
||||||
|
|
||||||
|
``./run_test.sh`` uses its python cohort (``run_tests.py``) to iterate
|
||||||
|
through the ``tests`` directory, using Nosetest to collect the tests and
|
||||||
|
invoke them using an OpenStack custom test running that displays the tests
|
||||||
|
as well as the time taken to
|
||||||
|
run those tests.
|
||||||
|
|
||||||
|
Within the tests directory, the general structure of the tests is a basic
|
||||||
|
set of tests represented under a test class, and then subclasses of those
|
||||||
|
tests under other classes with different configurations to drive different
|
||||||
|
backends through the APIs.
|
||||||
|
|
||||||
|
For example, ``test_backend.py`` has a sequence of tests under the class
|
||||||
|
``IdentityTests`` that will work with the default drivers as configured in
|
||||||
|
this projects etc/ directory. ``test_backend_sql.py`` subclasses those tests,
|
||||||
|
changing the configuration by overriding with configuration files stored in
|
||||||
|
the tests directory aimed at enabling the SQL backend for the Identity module.
|
||||||
|
|
||||||
|
Likewise, ``test_cli.py`` takes advantage of the tests written aainst
|
||||||
|
``test_keystoneclient`` to verify the same tests function through different
|
||||||
|
drivers.
|
||||||
|
|
||||||
|
Testing Schema Migrations
|
||||||
|
-------------------------
|
||||||
|
|
||||||
|
The application of schema migrations can be tested using SQLAlchemy Migrate’s
|
||||||
|
built-in test runner, one migration at a time.
|
||||||
|
|
||||||
|
.. WARNING::
|
||||||
|
|
||||||
|
This may leave your database in an inconsistent state; attempt this in non-production environments only!
|
||||||
|
|
||||||
|
This is useful for testing the *next* migration in sequence (both forward & backward) in a database under version control::
|
||||||
|
|
||||||
|
python keystone/common/sql/migrate_repo/manage.py test \
|
||||||
|
--url=sqlite:///test.db \
|
||||||
|
--repository=keystone/common/sql/migrate_repo/
|
||||||
|
|
||||||
|
This command references to a SQLite database (test.db) to be used. Depending on the migration, this command alone does not make assertions as to the integrity of your data during migration.
|
||||||
|
|
||||||
|
Writing Tests
|
||||||
|
-------------
|
||||||
|
|
||||||
|
To add tests covering all drivers, update the base test class (``test_backend.py``, ``test_legacy_compat.py``, and ``test_keystoneclient.py``).
|
||||||
|
|
||||||
|
To add new drivers, subclass the ``test_backend.py`` (look towards ``test_backend_sql.py`` or ``test_backend_kvs.py`` for examples) and update the configuration of the test class in ``setUp()``.
|
||||||
|
|
||||||
|
Further Testing
|
||||||
|
---------------
|
||||||
|
|
||||||
|
devstack_ is the *best* way to quickly deploy keystone with the rest of the
|
||||||
|
OpenStack universe and should be critical step in your development workflow!
|
||||||
|
|
||||||
|
You may also be interested in either the `OpenStack Continuous Integration Project`_
|
||||||
|
or the `OpenStack Integration Testing Project`_.
|
||||||
|
|
||||||
|
.. _devstack: http://devstack.org/
|
||||||
|
.. _OpenStack Continuous Integration Project: https://github.com/openstack/openstack-ci
|
||||||
|
.. _OpenStack Integration Testing Project: https://github.com/openstack/tempest
|
||||||
|
|
||||||
|
Building the Documentation
|
||||||
|
==========================
|
||||||
|
|
||||||
|
The documentation is all generated with Sphinx from within the docs directory.
|
||||||
|
To generate the full set of HTML documentation:
|
||||||
|
|
||||||
|
cd docs
|
||||||
|
make autodoc
|
||||||
|
make html
|
||||||
|
make man
|
||||||
|
|
||||||
|
the results are in the docs/build/html and docs/build/man directories
|
||||||
|
respectively.
|
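Review bot: Under "Test Structure" the script is written as ``./run_test.sh`` while "Running Tests" invokes `$ ./run_tests.sh`; make the two names match. "To generate the full set of HTML documentation:" ends in a single colon, so the `cd docs`, `make autodoc`, `make html`, `make man` lines will not render as a literal block; end the sentence with `::` as the other command examples in this file do. Several sentences in this new file are missing words or misspelled: "with the configuration the etc/ directory" (missing "in"), "run the following to your database schema in place" (a verb such as "get" is missing), "it's REST API" and "it's command-line interface" (should be "its"), "custom test running that displays" ("runner"), "written aainst" ("against"), "should be critical step" ("a critical step").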
|
@ -18,9 +18,9 @@
|
||||||
Welcome to Keystone, the OpenStack Identity Service!
|
Welcome to Keystone, the OpenStack Identity Service!
|
||||||
====================================================
|
====================================================
|
||||||
|
|
||||||
Keystone is a cloud identity service written in Python, which provides
|
Keystone is an OpenStack project that provides Identity, Token, Catalog and
|
||||||
authentication, authorization, and an OpenStack service catalog. It
|
Policy services for use specifically by projects in the OpenStack family.
|
||||||
implements `OpenStack's Identity API`_.
|
It implements `OpenStack's Identity API`_.
|
||||||
|
|
||||||
This document describes Keystone for contributors of the project, and assumes
|
This document describes Keystone for contributors of the project, and assumes
|
||||||
that you are already familiar with Keystone from an `end-user perspective`_.
|
that you are already familiar with Keystone from an `end-user perspective`_.
|
||||||
|
@ -41,81 +41,35 @@ Getting Started
|
||||||
.. toctree::
|
.. toctree::
|
||||||
:maxdepth: 1
|
:maxdepth: 1
|
||||||
|
|
||||||
releases
|
|
||||||
setup
|
setup
|
||||||
testing
|
|
||||||
migration
|
|
||||||
extensions
|
|
||||||
configuration
|
configuration
|
||||||
controllingservers
|
|
||||||
configuringservices
|
configuringservices
|
||||||
community
|
community
|
||||||
usingkeystone
|
|
||||||
|
|
||||||
Administration
|
|
||||||
==============
|
|
||||||
|
|
||||||
.. toctree::
|
|
||||||
:maxdepth: 1
|
|
||||||
|
|
||||||
backends
|
|
||||||
migration
|
|
||||||
controllingservers
|
|
||||||
configuringservices
|
|
||||||
ssl
|
|
||||||
|
|
||||||
Entities
|
|
||||||
========
|
|
||||||
|
|
||||||
.. toctree::
|
|
||||||
:maxdepth: 1
|
|
||||||
|
|
||||||
endpoints
|
|
||||||
services
|
|
||||||
|
|
||||||
API Use Case Examples
|
|
||||||
=====================
|
|
||||||
|
|
||||||
.. toctree::
|
|
||||||
:maxdepth: 1
|
|
||||||
|
|
||||||
adminAPI_curl_examples
|
|
||||||
serviceAPI_curl_examples
|
|
||||||
|
|
||||||
Configuration File Examples
|
|
||||||
===========================
|
|
||||||
|
|
||||||
.. toctree::
|
|
||||||
:maxdepth: 1
|
|
||||||
|
|
||||||
nova-api-paste
|
|
||||||
keystone.conf
|
|
||||||
|
|
||||||
Man Pages
|
Man Pages
|
||||||
=========
|
---------
|
||||||
|
|
||||||
.. toctree::
|
.. toctree::
|
||||||
:maxdepth: 1
|
:maxdepth: 1
|
||||||
|
|
||||||
man/keystone-manage
|
|
||||||
man/keystone
|
man/keystone
|
||||||
man/keystone-auth
|
man/keystone-manage
|
||||||
man/keystone-admin
|
|
||||||
man/keystone-import
|
|
||||||
man/keystone-control
|
|
||||||
man/sampledata
|
|
||||||
|
|
||||||
Developer Docs
|
|
||||||
==============
|
|
||||||
|
|
||||||
|
Developers Documentation
|
||||||
|
========================
|
||||||
.. toctree::
|
.. toctree::
|
||||||
:maxdepth: 1
|
:maxdepth: 1
|
||||||
|
|
||||||
developing
|
developing
|
||||||
architecture
|
architecture
|
||||||
middleware
|
api_curl_examples
|
||||||
middleware_architecture
|
|
||||||
sourcecode/autoindex
|
Code Documentation
|
||||||
|
==================
|
||||||
|
.. toctree::
|
||||||
|
:maxdepth: 1
|
||||||
|
|
||||||
|
modules
|
||||||
|
|
||||||
Indices and tables
|
Indices and tables
|
||||||
==================
|
==================
|
||||||
|
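Review bot: The "Configuration File Examples" toctree is removed in this hunk and `nova-api-paste` is not listed in any toctree on the new side, yet this patch adds a nova-api-paste page and the services guide links to it with :doc:`nova-api-paste`. Unless it is listed elsewhere in index.rst, Sphinx will warn that the document is not included in any toctree and it will be unreachable from navigation; add it to one of the remaining toctrees. Separately, "Man Pages" changes its underline from `=========` to `---------`, which nests it under "Getting Started" while "Developers Documentation" and "Code Documentation" stay top-level; confirm that nesting is intended.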
@ -123,3 +77,4 @@ Indices and tables
|
||||||
* :ref:`genindex`
|
* :ref:`genindex`
|
||||||
* :ref:`modindex`
|
* :ref:`modindex`
|
||||||
* :ref:`search`
|
* :ref:`search`
|
||||||
|
|
|
@ -0,0 +1,83 @@
|
||||||
|
========
|
||||||
|
keystone
|
||||||
|
========
|
||||||
|
|
||||||
|
---------------------------
|
||||||
|
Keystone Management Utility
|
||||||
|
---------------------------
|
||||||
|
|
||||||
|
:Author: keystone@lists.launchpad.net
|
||||||
|
:Date: 2010-11-16
|
||||||
|
:Copyright: OpenStack LLC
|
||||||
|
:Version: 0.1.2
|
||||||
|
:Manual section: 1
|
||||||
|
:Manual group: cloud computing
|
||||||
|
|
||||||
|
SYNOPSIS
|
||||||
|
========
|
||||||
|
|
||||||
|
keystone-all [options]
|
||||||
|
|
||||||
|
DESCRIPTION
|
||||||
|
===========
|
||||||
|
|
||||||
|
keystone-all starts both the service and administrative APIs in a single
|
||||||
|
process to provide catalog, authorization, and authentication services for
|
||||||
|
OpenStack.
|
||||||
|
|
||||||
|
USAGE
|
||||||
|
=====
|
||||||
|
|
||||||
|
``keystone-all [options]``
|
||||||
|
|
||||||
|
Common Options:
|
||||||
|
^^^^^^^^^^^^^^^
|
||||||
|
-h, --help show this help message and exit
|
||||||
|
|
||||||
|
The following configuration options are common to all keystone
|
||||||
|
programs.::
|
||||||
|
|
||||||
|
-h, --help show this help message and exit
|
||||||
|
--config-file=PATH Path to a config file to use. Multiple config files
|
||||||
|
can be specified, with values in later files taking
|
||||||
|
precedence. The default files used are: []
|
||||||
|
-d, --debug Print debugging output
|
||||||
|
--nodebug Print debugging output
|
||||||
|
-v, --verbose Print more verbose output
|
||||||
|
--noverbose Print more verbose output
|
||||||
|
--log-config=PATH If this option is specified, the logging configuration
|
||||||
|
file specified is used and overrides any other logging
|
||||||
|
options specified. Please see the Python logging
|
||||||
|
module documentation for details on logging
|
||||||
|
configuration files.
|
||||||
|
--log-format=FORMAT A logging.Formatter log message format string which
|
||||||
|
may use any of the available logging.LogRecord
|
||||||
|
attributes. Default: none
|
||||||
|
--log-date-format=DATE_FORMAT
|
||||||
|
Format string for %(asctime)s in log records. Default:
|
||||||
|
none
|
||||||
|
--log-file=PATH (Optional) Name of log file to output to. If not set,
|
||||||
|
logging will go to stdout.
|
||||||
|
--log-dir=LOG_DIR (Optional) The directory to keep log files in (will be
|
||||||
|
prepended to --logfile)
|
||||||
|
--syslog-log-facility=SYSLOG_LOG_FACILITY
|
||||||
|
(Optional) The syslog facility to use when logging to
|
||||||
|
syslog (defaults to LOG_USER)
|
||||||
|
--use-syslog Use syslog for logging.
|
||||||
|
--nouse-syslog Use syslog for logging.
|
||||||
|
|
||||||
|
FILES
|
||||||
|
=====
|
||||||
|
|
||||||
|
None
|
||||||
|
|
||||||
|
SEE ALSO
|
||||||
|
========
|
||||||
|
|
||||||
|
* `Keystone <http://github.com/openstack/keystone>`__
|
||||||
|
|
||||||
|
SOURCE
|
||||||
|
======
|
||||||
|
|
||||||
|
* Keystone source is managed in GitHub `Keystone <http://github.com/openstack/keystone>`__
|
||||||
|
* Keystone bugs are managed at Launchpad `Launchpad Keystone <https://bugs.launchpad.net/keystone>`__
|
|
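Review bot: The title of this new man page is `keystone` and the subtitle reads "Keystone Management Utility", but SYNOPSIS and DESCRIPTION document `keystone-all`; retitle it so the page matches the command it describes. In the options block, `--nodebug`, `--noverbose` and `--nouse-syslog` repeat the help text of the flags they negate ("Print debugging output", "Print more verbose output", "Use syslog for logging."), `-h, --help` is listed twice, and `--log-dir` says "prepended to --logfile" although the option is spelled `--log-file`. "The default files used are: []" reads like captured tool output with no defaults filled in; either list the real default paths or drop the sentence.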
@ -0,0 +1,97 @@
|
||||||
|
===============
|
||||||
|
keystone-manage
|
||||||
|
===============
|
||||||
|
|
||||||
|
---------------------------
|
||||||
|
Keystone Management Utility
|
||||||
|
---------------------------
|
||||||
|
|
||||||
|
:Author: keystone@lists.launchpad.net
|
||||||
|
:Date: 2010-11-16
|
||||||
|
:Copyright: OpenStack LLC
|
||||||
|
:Version: 0.1.2
|
||||||
|
:Manual section: 1
|
||||||
|
:Manual group: cloud computing
|
||||||
|
|
||||||
|
SYNOPSIS
|
||||||
|
========
|
||||||
|
|
||||||
|
keystone-manage [options]
|
||||||
|
|
||||||
|
DESCRIPTION
|
||||||
|
===========
|
||||||
|
|
||||||
|
keystone-manage is the command line tool that interacts with the keystone
|
||||||
|
service to initialize and update data within Keystone. Generally,
|
||||||
|
keystone-manage is only used for operations that can not be accomplished
|
||||||
|
with through the keystone REST api, such data import/export and schema
|
||||||
|
migrations.
|
||||||
|
|
||||||
|
|
||||||
|
USAGE
|
||||||
|
=====
|
||||||
|
|
||||||
|
``keystone-manage [options] action [additional args]``
|
||||||
|
|
||||||
|
|
||||||
|
General keystone-manage options:
|
||||||
|
--------------------------------
|
||||||
|
|
||||||
|
* ``--help`` : display verbose help output.
|
||||||
|
|
||||||
|
Invoking keystone-manage by itself will give you some usage information.
|
||||||
|
|
||||||
|
Available keystone-manage commands:
|
||||||
|
db_sync: Sync the database.
|
||||||
|
import_legacy: Import a legacy (pre-essex) version of the db.
|
||||||
|
export_legacy_catalog: Export service catalog from a legacy (pre-essex) db.
|
||||||
|
|
||||||
|
|
||||||
|
OPTIONS
|
||||||
|
=======
|
||||||
|
|
||||||
|
Options:
|
||||||
|
-h, --help show this help message and exit
|
||||||
|
--config-file=PATH Path to a config file to use. Multiple config files
|
||||||
|
can be specified, with values in later files taking
|
||||||
|
precedence. The default files used are: []
|
||||||
|
-d, --debug Print debugging output
|
||||||
|
--nodebug Print debugging output
|
||||||
|
-v, --verbose Print more verbose output
|
||||||
|
--noverbose Print more verbose output
|
||||||
|
--log-config=PATH If this option is specified, the logging configuration
|
||||||
|
file specified is used and overrides any other logging
|
||||||
|
options specified. Please see the Python logging
|
||||||
|
module documentation for details on logging
|
||||||
|
configuration files.
|
||||||
|
--log-format=FORMAT A logging.Formatter log message format string which
|
||||||
|
may use any of the available logging.LogRecord
|
||||||
|
attributes. Default: none
|
||||||
|
--log-date-format=DATE_FORMAT
|
||||||
|
Format string for %(asctime)s in log records. Default:
|
||||||
|
none
|
||||||
|
--log-file=PATH (Optional) Name of log file to output to. If not set,
|
||||||
|
logging will go to stdout.
|
||||||
|
--log-dir=LOG_DIR (Optional) The directory to keep log files in (will be
|
||||||
|
prepended to --logfile)
|
||||||
|
--syslog-log-facility=SYSLOG_LOG_FACILITY
|
||||||
|
(Optional) The syslog facility to use when logging to
|
||||||
|
syslog (defaults to LOG_USER)
|
||||||
|
--use-syslog Use syslog for logging.
|
||||||
|
--nouse-syslog Use syslog for logging.
|
||||||
|
|
||||||
|
FILES
|
||||||
|
=====
|
||||||
|
|
||||||
|
None
|
||||||
|
|
||||||
|
SEE ALSO
|
||||||
|
========
|
||||||
|
|
||||||
|
* `Keystone <http://github.com/openstack/keystone>`__
|
||||||
|
|
||||||
|
SOURCE
|
||||||
|
======
|
||||||
|
|
||||||
|
* Keystone is sourced in GitHub `Keystone <http://github.com/openstack/keystone>`__
|
||||||
|
* Keystone bugs are managed at Launchpad `Launchpad Keystone <https://bugs.launchpad.net/keystone>`__
|
|
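Review bot: The DESCRIPTION sentence "can not be accomplished with through the keystone REST api, such data import/export" is garbled; suggest "cannot be accomplished through the Keystone REST API, such as data import/export and schema migrations". The three entries under "Available keystone-manage commands:" (`db_sync`, `import_legacy`, `export_legacy_catalog`) carry no list or literal-block markup, so they will likely run together as one paragraph in the rendered page; make them a bullet or definition list. In OPTIONS, the negated flags show the positive flags' help text (for example `--nodebug Print debugging output`), which should be corrected before this is published as reference material.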
@ -0,0 +1,143 @@
|
||||||
|
..
|
||||||
|
Copyright 2011 OpenStack, LLC
|
||||||
|
All Rights Reserved.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
not use this file except in compliance with the License. You may obtain
|
||||||
|
a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
License for the specific language governing permissions and limitations
|
||||||
|
under the License.
|
||||||
|
|
||||||
|
nova-api-paste example
|
||||||
|
======================
|
||||||
|
::
|
||||||
|
|
||||||
|
#######
|
||||||
|
# EC2 #
|
||||||
|
#######
|
||||||
|
|
||||||
|
[composite:ec2]
|
||||||
|
use = egg:Paste#urlmap
|
||||||
|
/: ec2versions
|
||||||
|
/services/Cloud: ec2cloud
|
||||||
|
/services/Admin: ec2admin
|
||||||
|
/latest: ec2metadata
|
||||||
|
/2007-01-19: ec2metadata
|
||||||
|
/2007-03-01: ec2metadata
|
||||||
|
/2007-08-29: ec2metadata
|
||||||
|
/2007-10-10: ec2metadata
|
||||||
|
/2007-12-15: ec2metadata
|
||||||
|
/2008-02-01: ec2metadata
|
||||||
|
/2008-09-01: ec2metadata
|
||||||
|
/2009-04-04: ec2metadata
|
||||||
|
/1.0: ec2metadata
|
||||||
|
|
||||||
|
[pipeline:ec2cloud]
|
||||||
|
pipeline = logrequest totoken authtoken keystonecontext cloudrequest authorizer ec2executor
|
||||||
|
|
||||||
|
[pipeline:ec2admin]
|
||||||
|
pipeline = logrequest totoken authtoken keystonecontext adminrequest authorizer ec2executor
|
||||||
|
|
||||||
|
[pipeline:ec2metadata]
|
||||||
|
pipeline = logrequest ec2md
|
||||||
|
|
||||||
|
[pipeline:ec2versions]
|
||||||
|
pipeline = logrequest ec2ver
|
||||||
|
|
||||||
|
[filter:logrequest]
|
||||||
|
paste.filter_factory = nova.api.ec2:RequestLogging.factory
|
||||||
|
|
||||||
|
[filter:ec2lockout]
|
||||||
|
paste.filter_factory = nova.api.ec2:Lockout.factory
|
||||||
|
|
||||||
|
[filter:totoken]
|
||||||
|
paste.filter_factory = keystone.middleware.ec2_token:EC2Token.factory
|
||||||
|
|
||||||
|
[filter:ec2noauth]
|
||||||
|
paste.filter_factory = nova.api.ec2:NoAuth.factory
|
||||||
|
|
||||||
|
[filter:authenticate]
|
||||||
|
paste.filter_factory = nova.api.ec2:Authenticate.factory
|
||||||
|
|
||||||
|
[filter:cloudrequest]
|
||||||
|
controller = nova.api.ec2.cloud.CloudController
|
||||||
|
paste.filter_factory = nova.api.ec2:Requestify.factory
|
||||||
|
|
||||||
|
[filter:adminrequest]
|
||||||
|
controller = nova.api.ec2.admin.AdminController
|
||||||
|
paste.filter_factory = nova.api.ec2:Requestify.factory
|
||||||
|
|
||||||
|
[filter:authorizer]
|
||||||
|
paste.filter_factory = nova.api.ec2:Authorizer.factory
|
||||||
|
|
||||||
|
[app:ec2executor]
|
||||||
|
paste.app_factory = nova.api.ec2:Executor.factory
|
||||||
|
|
||||||
|
[app:ec2ver]
|
||||||
|
paste.app_factory = nova.api.ec2:Versions.factory
|
||||||
|
|
||||||
|
[app:ec2md]
|
||||||
|
paste.app_factory = nova.api.ec2.metadatarequesthandler:MetadataRequestHandler.factory
|
||||||
|
|
||||||
|
#############
|
||||||
|
# Openstack #
|
||||||
|
#############
|
||||||
|
|
||||||
|
[composite:osapi]
|
||||||
|
use = egg:Paste#urlmap
|
||||||
|
/: osversions
|
||||||
|
/v1.1: openstackapi
|
||||||
|
|
||||||
|
[pipeline:openstackapi]
|
||||||
|
pipeline = faultwrap authtoken keystonecontext ratelimit extensions osapiapp
|
||||||
|
|
||||||
|
[filter:faultwrap]
|
||||||
|
paste.filter_factory = nova.api.openstack:FaultWrapper.factory
|
||||||
|
|
||||||
|
[filter:auth]
|
||||||
|
paste.filter_factory = nova.api.openstack.auth:AuthMiddleware.factory
|
||||||
|
|
||||||
|
[filter:noauth]
|
||||||
|
paste.filter_factory = nova.api.openstack.auth:NoAuthMiddleware.factory
|
||||||
|
|
||||||
|
[filter:ratelimit]
|
||||||
|
paste.filter_factory = nova.api.openstack.limits:RateLimitingMiddleware.factory
|
||||||
|
|
||||||
|
[filter:extensions]
|
||||||
|
paste.filter_factory = nova.api.openstack.extensions:ExtensionMiddleware.factory
|
||||||
|
|
||||||
|
[app:osapiapp]
|
||||||
|
paste.app_factory = nova.api.openstack:APIRouter.factory
|
||||||
|
|
||||||
|
[pipeline:osversions]
|
||||||
|
pipeline = faultwrap osversionapp
|
||||||
|
|
||||||
|
[app:osversionapp]
|
||||||
|
paste.app_factory = nova.api.openstack.versions:Versions.factory
|
||||||
|
|
||||||
|
##########
|
||||||
|
# Shared #
|
||||||
|
##########
|
||||||
|
|
||||||
|
[filter:keystonecontext]
|
||||||
|
paste.filter_factory = keystone.middleware.nova_keystone_context:NovaKeystoneContext.factory
|
||||||
|
|
||||||
|
[filter:authtoken]
|
||||||
|
paste.filter_factory = keystone.middleware.auth_token:filter_factory
|
||||||
|
service_protocol = http
|
||||||
|
service_host = 127.0.0.1
|
||||||
|
service_port = 5000
|
||||||
|
auth_host = 127.0.0.1
|
||||||
|
auth_port = 35357
|
||||||
|
auth_protocol = http
|
||||||
|
auth_uri = http://your_keystone_host.com:5000/
|
||||||
|
;identical to the admin token defined in keystone.conf
|
||||||
|
admin_token = 999888777666
|
||||||
|
;Uncomment next line and check ip:port to use memcached to cache token requests
|
||||||
|
;memcache_hosts = 127.0.0.1:11211
|
|
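Review bot: `[filter:authtoken]` at the end of the sample carries a literal `admin_token = 999888777666` with `auth_protocol = http`, and the comment states it is identical to the admin token in keystone.conf; a sample meant to be copied into Nova should use a placeholder and note that the file holds a credential and needs restrictive permissions. The same section mixes `auth_host = 127.0.0.1` with `auth_uri = http://your_keystone_host.com:5000/`; use one placeholder host for both. `[filter:ec2noauth]`, `[filter:noauth]`, `[filter:auth]`, `[filter:authenticate]` and `[filter:ec2lockout]` are defined but appear in none of the pipelines shown; drop them or add a comment that they are intentionally unused, so a no-auth filter is not swapped into a pipeline by mistake.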
@ -18,12 +18,12 @@
|
||||||
Setting up a Keystone development environment
|
Setting up a Keystone development environment
|
||||||
=============================================
|
=============================================
|
||||||
|
|
||||||
This document describes setting up keystone directly from GitHub_
|
This document describes getting the source from keystone's `GitHub repository`_
|
||||||
for development purposes.
|
for development purposes.
|
||||||
|
|
||||||
To install keystone from packaging, refer instead to Keystone's `User Documentation`_.
|
To install keystone from packaging, refer instead to Keystone's `User Documentation`_.
|
||||||
|
|
||||||
.. _GitHub: http://github.com/openstack/keystone
|
.. _`GitHub Repository`: http://github.com/openstack/keystone
|
||||||
.. _`User Documentation`: http://docs.openstack.org/
|
.. _`User Documentation`: http://docs.openstack.org/
|
||||||
|
|
||||||
Prerequisites
|
Prerequisites
|
||||||
|
@ -31,7 +31,7 @@ Prerequisites
|
||||||
|
|
||||||
This document assumes you are using:
|
This document assumes you are using:
|
||||||
|
|
||||||
- Ubuntu 11.10, Fedora 15, openSUSE 11.4, 12.1 or Mac OS X Lion
|
- Ubuntu 11.10, Fedora 15, or Mac OS X Lion
|
||||||
- `Python 2.7`_
|
- `Python 2.7`_
|
||||||
|
|
||||||
.. _`Python 2.7`: http://www.python.org/
|
.. _`Python 2.7`: http://www.python.org/
|
||||||
|
@ -51,7 +51,7 @@ different version of the above, please document your configuration here!
|
||||||
Getting the latest code
|
Getting the latest code
|
||||||
=======================
|
=======================
|
||||||
|
|
||||||
You can clone our latest code from our `Github repository`::
|
Make a clone of the code from our `Github repository`::
|
||||||
|
|
||||||
$ git clone https://github.com/openstack/keystone.git
|
$ git clone https://github.com/openstack/keystone.git
|
||||||
|
|
||||||
|
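Review bot: On the changed line "Make a clone of the code from our `Github repository`::" the reference has no trailing underscore, so it renders as interpreted text rather than a hyperlink; write it as `GitHub repository`_ so it resolves to the `GitHub Repository` target this patch defines near the top of the file.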
@ -59,13 +59,17 @@ When that is complete, you can::
|
||||||
|
|
||||||
$ cd keystone
|
$ cd keystone
|
||||||
|
|
||||||
.. _`Github repository`: https://github.com/openstack/keystone
|
|
||||||
|
|
||||||
Installing dependencies
|
Installing dependencies
|
||||||
=======================
|
=======================
|
||||||
|
|
||||||
Keystone maintains a list of PyPi_ dependencies, designed for use by
|
Keystone maintains two lists of dependencies::
|
||||||
pip_.
|
|
||||||
|
tools/pip-requires
|
||||||
|
tools/pip-requires-test
|
||||||
|
|
||||||
|
The first is the list of dependencies needed for running keystone, the second list includes dependencies used for active development and testing of keystone itself.
|
||||||
|
|
||||||
|
These depdendencies can be installed from PyPi_ using the python tool pip_.
|
||||||
|
|
||||||
.. _PyPi: http://pypi.python.org/
|
.. _PyPi: http://pypi.python.org/
|
||||||
.. _pip: http://pypi.python.org/pypi/pip
|
.. _pip: http://pypi.python.org/pypi/pip
|
||||||
|
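Review bot: "These depdendencies can be installed from PyPi_" is misspelled (dependencies). This hunk also deletes the `.. _`Github repository`:` target, which is safe only if every remaining reference in the file resolves to the `GitHub Repository` target added earlier in this patch; a docs build with warnings treated as errors would confirm that.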
@ -83,53 +87,65 @@ Fedora 15::
|
||||||
|
|
||||||
$ sudo yum install python-sqlite2 python-lxml python-greenlet-devel python-ldap
|
$ sudo yum install python-sqlite2 python-lxml python-greenlet-devel python-ldap
|
||||||
|
|
||||||
openSUSE 11.4, 12.1::
|
|
||||||
|
|
||||||
$ sudo zypper in python-devel python-xml gcc libxslt-devel python-ldap openldap2-devel
|
|
||||||
|
|
||||||
Mac OS X Lion (requires MacPorts_)::
|
Mac OS X Lion (requires MacPorts_)::
|
||||||
|
|
||||||
$ sudo port install py-ldap
|
$ sudo port install py-ldap
|
||||||
|
|
||||||
.. _MacPorts: http://www.macports.org/
|
.. _MacPorts: http://www.macports.org/
|
||||||
|
|
||||||
PyPi Packages
|
PyPi Packages and VirtualEnv
|
||||||
-------------
|
----------------------------
|
||||||
|
|
||||||
Assuming you have any necessary binary packages & header files available
|
We recommend establishing a virtualenv to run keystone within. Virtualenv limits the python environment
|
||||||
on your system, you can then install PyPi dependencies.
|
to just what you're installing as depdendencies, useful to keep a clean environment for working on
|
||||||
|
Keystone. The tools directory in keystone has a script already created to make this very simple::
|
||||||
|
|
||||||
You may also need to prefix `pip install` with `sudo`, depending on your
|
$ python tools/install_venv.py
|
||||||
environment::
|
|
||||||
|
|
||||||
# Describe dependencies (including non-PyPi dependencies)
|
This will create a local virtual environment in the directory ``.venv``.
|
||||||
$ cat tools/pip-requires
|
Once created, you can activate this virtualenv for your current shell using::
|
||||||
|
|
||||||
# Install all PyPi dependencies (for production, testing, and development)
|
$ source .venv/bin/activate
|
||||||
|
|
||||||
|
The virtual environment can be disabled using the command::
|
||||||
|
|
||||||
|
$ deactivate
|
||||||
|
|
||||||
|
You can also use ``tools\with_venv.sh`` to prefix commands so that they run
|
||||||
|
within the virtual environment. For more information on virtual environments,
|
||||||
|
see virtualenv_.
|
||||||
|
|
||||||
|
.. _virtualenv: http://www.virtualenv.org/
|
||||||
|
|
||||||
|
If you want to run keystone outside of a virtualenv, you can install the dependencies directly
|
||||||
|
into your system from the requires files::
|
||||||
|
|
||||||
|
# Install the dependencies for running keystone
|
||||||
$ pip install -r tools/pip-requires
|
$ pip install -r tools/pip-requires
|
||||||
|
|
||||||
Updating your PYTHONPATH
|
# Install the dependencies for developing, testing, and running keystone
|
||||||
========================
|
$ pip install -r tools/pip-requires-test
|
||||||
|
|
||||||
There are a number of methods for getting Keystone into your PYTHON PATH,
|
|
||||||
the easiest of which is::
|
|
||||||
|
|
||||||
# Fake-install the project by symlinking Keystone into your Python site-packages
|
# Fake-install the project by symlinking Keystone into your Python site-packages
|
||||||
$ python setup.py develop
|
$ python setup.py develop
|
||||||
|
|
||||||
|
|
||||||
|
Verifying Keystone is set up
|
||||||
|
============================
|
||||||
|
|
||||||
|
Once set up, either directly or within a virtualenv, you should be able to invoke python and import
|
||||||
|
the libraries. If you're using a virtualenv, don't forget to activate it::
|
||||||
|
|
||||||
|
$ source .venv/bin/activate
|
||||||
|
$ python
|
||||||
|
|
||||||
You should then be able to `import keystone` from your Python shell
|
You should then be able to `import keystone` from your Python shell
|
||||||
without issue::
|
without issue::
|
||||||
|
|
||||||
>>> import keystone.version
|
>>> import keystone
|
||||||
>>>
|
>>>
|
||||||
|
|
||||||
If you want to check the version of Keystone you are running:
|
If you can import keystone successfully, you should be ready to move on to :doc:`developing`
|
||||||
|
|
||||||
>>> print keystone.version.version()
|
|
||||||
2012.1-dev
|
|
||||||
|
|
||||||
|
|
||||||
If you can import keystone successfully, you should be ready to move on to :doc:`testing`.
|
|
||||||
|
|
||||||
Troubleshooting
|
Troubleshooting
|
||||||
===============
|
===============
|
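Review bot: "You can also use ``tools\with_venv.sh``" uses a backslash; the developing guide added by this patch refers to the same script as `tools/with_venv.sh`, so use the forward slash here too. "depdendencies" is misspelled in the virtualenv paragraph. On the new side the "Updating your PYTHONPATH" heading is gone and `$ python setup.py develop` now sits in the block introduced by "install the dependencies directly into your system from the requires files::", so it is unclear whether readers who used `tools/install_venv.py` still need to run it; say so explicitly. The new sentence "you should be ready to move on to :doc:`developing`" lost its closing period.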