Merge redux branch (keystone light)

Change-Id: I2cb5b198a06848f42f919ea49e338443131e263e
James E. Blair 2012-02-14 15:54:59 -08:00
commit eef1f0d93a
663 changed files with 11121 additions and 92347 deletions

28
.gitignore vendored

@ -1,21 +1,17 @@
*.pyc
.cache/
.project
.project/
.pydevproject
.pydevproject/
.settings/
.keystone-venv/
*.swp
vendor
.ksl-venv
.venv
build/
dist/
doc/source/sourcecode
.tox
keystone.egg-info/
*.db
.*.swp
*.log
*.pid
pidfile
*.komodoproject
run_tests.log
.coverage
covhtml
pep8.txt
nosetests.xml
bla.db
docs/build
.DS_Store
docs/source/modules.rst
docs/source/keystone.*


@ -1,16 +0,0 @@
<dolph.mathews@rackspace.com> <dolph.mathews@gmail.com>
Edouard Thuleau <edouard1.thuleau@orange.com>
<jeblair@hp.com> <corvus@gnu.org>
<jeblair@hp.com> <james.blair@rackspace.com>
<joon.eo@gmail.com> <john.eo@rackspace.com>
Khaled Hussein <khaled.hussein@gmail.com> KnightHacker <khaled.hussein@rackspace.com>
Khaled Hussein <khaled.hussein@gmail.com> Khaled Hussein <khaled.hussein@rackspace.com>
<rjuvvadi@hcl.com> <ramana@venus.lekha.org>
<rjuvvadi@hcl.com> <rrjuvvadi@gmail.com>
<xtoddx@gmail.com> <todd@rubidine.com>
<github@highbridgellc.com> <gihub@highbridgellc.com>
<github@highbridgellc.com> <ziad.sawalha@rackspace.com>
sirish.bitra <sirish.bitra@gmail.com> sirish bitra <sirish.bitra@gmail.com>
sirish.bitra <sirish.bitra@gmail.com> sirishbitra <sirish.bitra@gmail.com>
sirish.bitra <sirish.bitra@gmail.com> bsirish <sirish.bitra@gmail.com>
sirish.bitra <sirish.bitra@gmail.com> root <root@bsirish.(none)>

50
AUTHORS

@ -1,50 +0,0 @@
Adipudi Praveena <padipudi@padipudi.(none)>
Alex Silva <alex.silva@M1BPAGY.(none)>
Anne Gentle <anne@openstack.org>
Anthony Young <sleepsonthefloor@gmail.com>
Brian Lamar <brian.lamar@gmail.com>
Dan Prince <dan.prince@rackspace.com>
Dolph Mathews <dolph.mathews@gmail.com>
Ed Leafe <ed@leafe.com>
Edouard Thuleau <edouard1.thuleau@orange.com>
Eoghan Glynn <eglynn@redhat.com>
gholt <gholt@brim.net>
Ionuț Arțăriși <iartarisi@suse.cz>
jabdul <abdulkader.j@hcl.com>
James E. Blair <jeblair@hp.com>
Jason Cannavale <jason.cannavale@rackspace.com>
Jay Pipes <jaypipes@gmail.com>
Jenkins <jenkins@review.openstack.org>
Jesse Andrews <anotherjesse@gmail.com>
Joe Savak <joe.savak@rackspace.com>
John Dickinson <me@not.mn>
John Eo <joon.eo@gmail.com>
Jorge L. Williams <jorge.williams@rackspace.com>
Joseph W. Breu <joseph.breu@rackspace.com>
Josh Kearney <josh@jk0.org>
Julien Danjou <julien.danjou@enovance.com>
Justin Shepherd <jshepher@rackspace.com>
Kevin L. Mitchell <kevin.mitchell@rackspace.com>
Khaled Hussein <khaled.hussein@gmail.com>
Kiall Mac Innes <kiall@managedit.ie>
Mark Gius <mgius7096@gmail.com>
Mark McLoughlin <markmc@redhat.com>
Monty Taylor <mordred@inaugust.com>
Pádraig Brady <P@draigBrady.com>
Paul Voccio <paul@substation9.com>
Ramana Juvvadi <rjuvvadi@hcl.com>
Robin Norwood <robin.norwood@gmail.com>
root <root@newapps.(none)>
Sai Krishna <saikrishna1511@gmail.com>
Sirish Bitra <sirish.bitra@gmail.com>
Sony K. Philip <sony@hcleai.com>
termie <github@anarkystic.com>
Thierry Carrez <thierry@openstack.org>
Todd Willey <xtoddx@gmail.com>
Will Kelly <the.william.kelly@gmail.com>
Vishvananda Ishaya <vishvananda@gmail.com>
Yaguang Tang <heut2008@gmail.com>
Yogeshwar Srikrishnan <yoga80@yahoo.com>
Yuriy Taraday <yorik.sar@gmail.com>
Ziad Sawalha <github@highbridgellc.com>
Zhongyue Luo <lzyeval@gmail.com>

68
HACKING

@ -1,68 +0,0 @@
Keystone Style Commandments (pilfered from Nova and added to)
=============================================================
Step 1: Read http://www.python.org/dev/peps/pep-0008/
Step 2: Read http://www.python.org/dev/peps/pep-0008/ again
Step 3: Read on
Imports
-------
- thou shalt not import objects, only modules
- thou shalt not import more than one module per line
- thou shalt not make relative imports
- thou shalt organize your imports according to the following template
::
# vim: tabstop=4 shiftwidth=4 softtabstop=4
{{stdlib imports in human alphabetical order}}
\n
{{OpenStack/Keystone imports in human alphabetical order}}
\n
\n
{{begin your code}}
General
-------
- thou shalt put two newlines twixt toplevel code (funcs, classes, etc)
- thou shalt put one newline twixt methods in classes and anywhere else
- thou shalt not write "except:", use "except Exception:" at the very least
- thou shalt include your name with TODOs as in "TODO(waldo)"
- thou shalt not name anything the same name as a builtin or reserved word
- thou shouldeth comment profusely
- thou shalt not violate causality in our time cone, or else
Human Alphabetical Order Examples
---------------------------------
::
import httplib
import logging
import random
import StringIO
import time
import unittest
import keystone.logic.types.fault as fault
import keystone.db.sqlalchemy.api as db_api
Docstrings
----------
Add them to modules, classes, and functions:
"""Summary of the function, class or method, less than 80 characters.
New paragraph after newline that explains in more detail any general
information about the function, class or method. After this, if defining
parameters and return types use the Sphinx format. After that an extra
newline then close the quotations.
When writing the docstring for a class, an extra line should be placed
after the closing quotations. For more in-depth explanations for these
decisions see http://www.python.org/dev/peps/pep-0257/
:param foo: the foo parameter
:param bar: the bar parameter
:returns: description of the return value
"""

192
HACKING.rst Normal file

@ -0,0 +1,192 @@
Keystone Style Commandments
===========================
- Step 1: Read http://www.python.org/dev/peps/pep-0008/
- Step 2: Read http://www.python.org/dev/peps/pep-0008/ again
- Step 3: Read on
General
-------
- Put two newlines between top-level code (funcs, classes, etc)
- Put one newline between methods in classes and anywhere else
- Do not write "except:", use "except Exception:" at the very least
- Include your name with TODOs as in "#TODO(termie)"
- Do not name anything the same name as a built-in or reserved word
TODO vs FIXME
-------------
- TODO(name): implies that something should be done (cleanup, refactoring,
etc), but is expected to be functional.
- FIXME(name): implies that the method/function/etc shouldn't be used until
that code is resolved and bug fixed.
Imports
-------
- Do not import objects, only modules
- Do not import more than one module per line
- Do not make relative imports
- Order your imports by the full module path
- Organize your imports according to the following template
Example::
# vim: tabstop=4 shiftwidth=4 softtabstop=4
{{stdlib imports in human alphabetical order}}
\n
{{third-party lib imports in human alphabetical order}}
\n
{{nova imports in human alphabetical order}}
\n
\n
{{begin your code}}
Human Alphabetical Order Examples
---------------------------------
Example::
import httplib
import logging
import random
import StringIO
import time
import unittest
import eventlet
import webob.exc
import nova.api.ec2
from nova.api import openstack
from nova.auth import users
import nova.flags
from nova.endpoint import cloud
from nova import test
Docstrings
----------
Example::
"""A one line docstring looks like this and ends in a period."""
"""A multiline docstring has a one-line summary, less than 80 characters.
Then a new paragraph after a newline that explains in more detail any
general information about the function, class or method. Example usages
are also great to have here if it is a complex class for function.
When writing the docstring for a class, an extra line should be placed
after the closing quotations. For more in-depth explanations for these
decisions see http://www.python.org/dev/peps/pep-0257/
A docstring ends with an empty line before the closing quotations.
Describe parameters and return values, using the Sphinx format; the
appropriate syntax is as follows.
:param foo: the foo parameter
:param bar: the bar parameter
:type bar: parameter type for 'bar'
:returns: return_type -- description of the return value
:returns: description of the return value
:raises: AttributeError, KeyError
"""
Dictionaries/Lists
------------------
If a dictionary (dict) or list object is longer than 80 characters, its items
should be split with newlines. Embedded iterables should have their items
indented. Additionally, the last item in the dictionary should have a trailing
comma. This increases readability and simplifies future diffs.
Example::
my_dictionary = {
"image": {
"name": "Just a Snapshot",
"size": 2749573,
"properties": {
"user_id": 12,
"arch": "x86_64",
},
"things": [
"thing_one",
"thing_two",
],
"status": "ACTIVE",
},
}
Calling Methods
---------------
Calls to methods 80 characters or longer should format each argument with
newlines. This is not a requirement, but a guideline::
unnecessarily_long_function_name('string one',
'string two',
kwarg1=constants.ACTIVE,
kwarg2=['a', 'b', 'c'])
Rather than constructing parameters inline, it is better to break things up::
list_of_strings = [
'what_a_long_string',
'not as long',
]
dict_of_numbers = {
'one': 1,
'two': 2,
'twenty four': 24,
}
object_one.call_a_method('string three',
'string four',
kwarg1=list_of_strings,
kwarg2=dict_of_numbers)
Internationalization (i18n) Strings
-----------------------------------
In order to support multiple languages, we have a mechanism to support
automatic translations of exception and log strings.
Example::
msg = _("An error occurred")
raise HTTPBadRequest(explanation=msg)
If you have a variable to place within the string, first internationalize the
template string then do the replacement.
Example::
msg = _("Missing parameter: %s") % ("flavor",)
LOG.error(msg)
If you have multiple variables to place in the string, use keyword parameters.
This helps our translators reorder parameters when needed.
Example::
msg = _("The server with id %(s_id)s has no key %(m_key)s")
LOG.error(msg % {"s_id": "1234", "m_key": "imageId"})
Creating Unit Tests
-------------------
For every new feature, unit tests should be created that both test and
(implicitly) document the usage of said feature. If submitting a patch for a
bug that had no unit test, a new passing unit test should be added. If a
submitted bug fix does have a unit test, be sure to add a new one that fails
without the patch and passes with the patch.
For more information on creating unit tests and utilizing the testing
infrastructure in OpenStack Nova, please read nova/testing/README.rst.
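Review bot: This Keystone style guide still carries Nova-specific text in three places: the import template says `{{nova imports in human alphabetical order}}`, the ordering example imports `nova.api.ec2`, `nova.flags` and other `nova.*` modules, and the unit test section sends readers to `nova/testing/README.rst`, a path in the Nova tree. Suggest replacing these with Keystone module names and a pointer to Keystone's own test documentation. Two smaller points in the Docstrings example: "complex class for function" reads like a typo for "or function", and the two consecutive `:returns:` lines should be presented as alternatives or reduced to one form.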

202
LICENSE

@ -1,202 +0,0 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
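Review bot: The whole `LICENSE` file is deleted here (`@ -1,202 +0,0 @`) and none of the hunks shown alongside it adds a replacement. Please confirm that the merged tree still ships the Apache 2.0 text at the top level, for example that the redux branch brings its own `LICENSE`, because the boilerplate notice in the appendix ("You may obtain a copy of the License at ...") assumes the licence terms stay available to recipients of the source.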


@ -1,21 +0,0 @@
include AUTHORS
include HACKING
include LICENSE
include MANIFEST.in
include README.md
include pylintrc
include run_tests.py
include run_tests.sh
include setup.py
graft bin
graft doc
prune doc/source/sourcecode
graft etc
graft examples
graft keystone/content
graft keystone/test/etc
graft tools
recursive-include keystone *.json *.xml *.cfg README
include keystone/backends/ldap/keystone.ldif
include keystone/backends/ldap/keystone.schema
global-exclude *.pyc *.sdx *.log *.db *.swp
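Review bot: Deleting this manifest also drops `global-exclude *.pyc *.sdx *.log *.db *.swp`, the one rule here that kept local SQLite databases and logs out of source distributions, and the removed README notes that a `keystone.db` is created in the keystone folder under the default configuration. If the new packaging collects files some other way (a replacement manifest, `package_data`, or a VCS-based file finder), please carry an equivalent exclusion across. Please also confirm that the non-Python files previously pulled in by `graft etc` and `recursive-include keystone *.json *.xml *.cfg README` are still packaged where they are needed.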

275
README.md

@ -1,275 +0,0 @@
# Keystone: OpenStack Identity Service
Keystone is a Python implementation of the [OpenStack](http://www.openstack.org) identity service API.
# Documentation
## For users and sysadmins
Learn how to install, configure, manage, and interact with the OpenStack
Identity Service API at the [OpenStack Documentation](http://docs.openstack.org/) site.
## For contributors
Learn how to setup a development environment and then test, run, and contribute to Keystone at the
[Contributor Documentation](http://keystone.openstack.org/) site.
# Questions/Feedback
Having trouble? We'd like to help!
* Try the documentation first — it's got answers to many common questions.
* Search for information in the archives of the [OpenStack mailing list](http://wiki.openstack.org/MailingLists), or post a question.
* Ask a question in the [#openstack IRC channel](http://wiki.openstack.org/UsingIRC).
* If you notice errors, please [open a bug](https://bugs.launchpad.net/keystone) and let us know! Please only use the bug tracker for criticisms and improvements. For tech support, use the resources above.
# For Contributors
## What's in the box?
### Services
* Keystone - identity store and authentication service
* Auth_Token - WSGI middleware that can be used to handle token auth protocol (WSGI or remote proxy)
* Echo - A sample service that responds by returning call details
### Also included:
* Auth_Basic - Stub for WSGI middleware that will be used to handle basic auth
* Auth_OpenID - Stub for WSGI middleware that will be used to handle openid auth protocol (to be implemented)
* RemoteAuth - WSGI middleware that can be used in services (like Swift, Nova, and Glance) when Auth middleware is running remotely
### Built-In commands:
* bin/keystone - Provides HTTP API for users and administrators
* bin/keystone-admin - Provides HTTP API for administrators
* bin/keystone-service - Provides HTTP API for users
* bin/keystone-manage - Provides command-line interface for managing all aspects of Keystone
## Running Keystone
Starting both Admin and Service API endpoints:
$ ./bin/keystone
Starting the auth server only (exposes the Service API):
$ ./bin/keystone-auth
Starting the admin server only (exposes the Admin API):
$ ./bin/keystone-admin
By default, configuration parameters (such as the IP and port binding for each service) are parsed from `etc/keystone.conf`.
## Configuring Keystone
Keystone gets its configuration from command-line parameters or a `.conf` file. While command line parameters take precedence,
Keystone looks in the following location to find a configuration file:
1. Command line parameter
2. /etc/keystone.conf
3. /etc/keystone/keystone.conf
4. <topdir>/etc/keystone.conf
Additional configuration templates are maintained in `keystone/test/etc/` that may be useful as a reference.
### Editing and Building the API Developer Guide
Users of the Keystone API are often developers making ReSTful API calls to Keystone. The guide to provide them
information is therefore called a `Developer Guide`. Developer in this case is not to be confused with contributors
working on the Keystone codebase itself.
The developer guides are automatically generated from XML and other artifacts that live in the
[OpenStack Manuals project](https://launchpad.net/openstack-manuals).
To build the Developer Guide from source, you need [Maven](http://maven.apache.org/). To build the docs and publish a new PDF:
$ cd to folder with the pom.xml file
$ mvn clean generate-sources && cp target/docbkx/pdf/identitydevguide.pdf ../../keystone/content/identitydevguide.pdf
The output will go into the `target` folder (the source is in `src`). Output generated is PDF and webhelp.
# Additional Information:
## Sample data
A set of sample data can be loaded by running a shell script:
$ ./bin/sampledata
The script calls `keystone-manage` to import the sample data.
After starting keystone or running `keystone-manage` a `keystone.db` sqlite database should be created in the keystone folder,
per the default configuration.
## Demo
To run client demo (with all auth middleware running locally on sample service):
$ ./examples/echo/bin/echod
$ python examples/echo/echo_client.py
## CURL commands
<pre>
# Get an unscoped token
$ curl -d '{"auth": {"passwordCredentials": {"username": "joeuser", "password": "secrete"}}}' -H "Content-type: application/json" http://localhost:5000/v2.0/tokens
# Get a token for a tenant
$ curl -d '{"auth": {"passwordCredentials": {"username": "joeuser", "password": "secrete"}, "tenantName": "customer-x"}}' -H "Content-type: application/json" http://localhost:5000/v2.0/tokens
# Get an admin token
$ curl -d '{"auth": {"passwordCredentials": {"username": "admin", "password": "secrete"}}}' -H "Content-type: application/json" http://localhost:35357/v2.0/tokens
</pre>
## Load Testing
<pre>
# Create post data
$ echo '{"auth": {"passwordCredentials": {"username": "joeuser", "password": "secrete", "tenantName": "customer-x"}}}' > post_data
# Call Apache Bench
$ ab -c 30 -n 1000 -T "application/json" -p post_data http://127.0.0.1:35357/v2.0/tokens
</pre>
## NOVA Integration
Initial support for using keystone as nova's identity component has been started.
# clone projects
bzr clone lp:nova
git clone git://github.com/openstack/keystone.git
# install keystone on the host which runs nova
run "python setup install" to install keystone.
# run nova-api based on the paste config in keystone
nova/bin/nova-api --api_paste_config=keystone/examples/paste/nova-api-paste.ini
Assuming you added the test data using bin/sampledata, you can then use joeuser/secrete
## Swift Integration - Quick Start
1. Install Swift, either from trunk or version 1.4.1 (once it's released) or
higher. Do the standard SAIO install with the included TempAuth to be sure
you have a working system to start with. This step is beyond the scope of
this quick start; see http://swift.openstack.org/development_saio.html for
a Swift development set up guide. Once you have a working Swift install, go
ahead and shut it down for now (the default Swift install uses the same
ports Keystone wants):
$ swift-init all stop
2. Obtain and install a source copy of Keystone:
$ git clone https://github.com/openstack/keystone.git ~/keystone
...
$ cd ~/keystone && sudo python setup.py develop
...
3. Start up the Keystone service:
$ cd ~/keystone/bin && ./keystone
Starting the Legacy Authentication component
Service API listening on 0.0.0.0:5000
Admin API listening on 0.0.0.0:35357
4. In another window, edit the `~/keystone/keystone/test/sampledata.py` file,
find the `swift.publicinternets.com` text and replace it with the URL to
your Swift cluster using the following format (note that we're going to
change Swift to run on port 8888 later):
`http://127.0.0.1:8888/v1/AUTH_%tenant_id%`
5. Create the sample data entries:
$ cd ~/keystone/bin && ./sampledata
...
6. Reconfigure Swift's proxy server to use Keystone instead of TempAuth.
Here's an example `/etc/swift/proxy-server.conf`:
[DEFAULT]
bind_port = 8888
user = <user>
[pipeline:main]
pipeline = catch_errors cache keystone proxy-server
[app:proxy-server]
use = egg:swift#proxy
account_autocreate = true
[filter:keystone]
use = egg:keystone#tokenauth
auth_protocol = http
auth_host = 127.0.0.1
auth_port = 35357
admin_token = 999888777666
delay_auth_decision = 0
service_protocol = http
service_host = 127.0.0.1
service_port = 8100
service_pass = dTpw
[filter:cache]
use = egg:swift#memcache
set log_name = cache
[filter:catch_errors]
use = egg:swift#catch_errors
7. Start Swift back up with the new configuration:
$ swift-init main start
...
8. Use `swift` to check everything works (note: you currently have to create a
container or upload something as your first action to have the account
created; there's a Swift bug to be fixed soon):
$ swift -A http://127.0.0.1:5000/v1.0 -U joeuser -K secrete post container
$ swift -A http://127.0.0.1:5000/v1.0 -U joeuser -K secrete stat -v
StorageURL: http://127.0.0.1:8888/v1/AUTH_1234
Auth Token: 74ce1b05-e839-43b7-bd76-85ef178726c3
Account: AUTH_1234
Containers: 1
Objects: 0
Bytes: 0
Accept-Ranges: bytes
X-Trans-Id: tx25c1a6969d8f4372b63912f411de3c3b
**Note: Keystone currently allows any valid token to do anything with any
account.**
But, it works as a demo!
## LDAP Setup on a Mac
Using macports:
sudo port install openldap
It appears the package `python-ldap` needs to be recompiled to work. So,
download it from: http://pypi.python.org/pypi/python-ldap/2.4.1
After unpacking, edit `setup.cfg` as shown below:
library_dirs = /opt/local/lib
include_dirs = /opt/local/include /usr/include/sasl
Then, run:
python setup.py build
sudo python setup.py install
# Relevant Standards and Technologies
[Overlap of Identity Technologies](https://sites.google.com/site/oauthgoog/Overlap)
Keystone could potentially integrate with:
1. [WebID](http://www.w3.org/2005/Incubator/webid/spec/) (See also [FOAF+SSL](http://www.w3.org/wiki/Foaf+ssl))
2. [OpenID](http://openid.net/) and/or [OpenIDConnect](http://openidconnect.com/)
3. [OAUTH2](http://oauth.net/2/)
4. [SAML](http://saml.xml.org/)
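Review bot: The deleted Swift quick start holds the only visible statement of an authorization limitation, "Note: Keystone currently allows any valid token to do anything with any account", next to sample values such as `admin_token = 999888777666` and the `joeuser`/`secrete` credentials. Dropping the sample values is fine, but please state in the new documentation whether that limitation still applies after this merge, so that operators following older guides are not left guessing. The configuration lookup order (command line, `/etc/keystone.conf`, `/etc/keystone/keystone.conf`, `<topdir>/etc/keystone.conf`) is removed as well, and the part of the new `README.rst` shown here has no equivalent.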

222
README.rst Normal file

@ -0,0 +1,222 @@
.. image:: http://term.ie/data/medium_ksl.png
:alt: Keystone
.. toctree::
:maxdepth 2
Keystone is an OpenStack project that provides Identity, Token, Catalog and
Policy services for use specifically by projects in the OpenStack family.
Much of the design is precipitated from the expectation that the auth backends
for most deployments will actually be shims in front of existing user systems.
-----------
Development
-----------
Building the Documentation
--------------------------
The documentation is all generated with Sphinx from within the docs directory.
To generate the full set of HTML documentation:
cd docs
make autodoc
make html
make man
the results are in the docs/build/html and docs/build/man directories
respectively.
------------
The Services
------------
Keystone is organized as a group of services exposed on one or many endpoints.
Many of these services are used in a combined fashion by the frontend, for
example an authenticate call will validate user/tenant credentials with the
Identity service and, upon success, create and return a token with the Token
service.
Identity
--------
The Identity service provides auth credential validation and data about Users,
Tenants and Roles, as well as any associated metadata.
In the basic case all this data is managed by the service, allowing the service
to manage all the CRUD associated with the data.
In other cases, this data is pulled, by varying degrees, from an authoritative
backend service. An example of this would be when backending on LDAP. See
`LDAP Backend` below for more details.
Token
-----
The Token service validates and manages Tokens used for authenticating requests
once a user/tenant's credentials have already been verified.
Catalog
-------
The Catalog service provides an endpoint registry used for endpoint discovery.
Policy
------
The Policy service provides a rule-based authorization engine and the
associated rule management interface.
----------
Data Model
----------
Keystone was designed from the ground up to be amenable to multiple styles of
backends and as such many of the methods and data types will happily accept
more data than they know what to do with and pass them on to a backend.
There are a few main data types:
* **User**: has account credentials, is associated with one or more tenants
* **Tenant**: unit of ownership in openstack, contains one or more users
* **Role**: a first-class piece of metadata associated with many user-tenant pairs.
* **Token**: identifying credential associated with a user or user and tenant
* **Extras**: bucket of key-value metadata associated with a user-tenant pair.
* **Rule**: describes a set of requirements for performing an action.
While the general data model allows a many-to-many relationship between Users
and Tenants and a many-to-one relationship between Extras and User-Tenant pairs,
the actual backend implementations take varying levels of advantage of that
functionality.
KVS Backend
-----------
A simple backend interface meant to be further backended on anything that can
support primary key lookups, the most trivial implementation being an in-memory
dict.
Supports all features of the general data model.
PAM Backend
-----------
Extra simple backend that uses the current system's PAM service to authenticate,
providing a one-to-one relationship between Users and Tenants with the `root`
User also having the 'admin' role.
Templated Backend
-----------------
Largely designed for a common use case around service catalogs in the Keystone
project, a Catalog backend that simply expands pre-configured templates to
provide catalog data.
Example paste.deploy config (uses $ instead of % to avoid ConfigParser's
interpolation)::
[DEFAULT]
catalog.RegionOne.identity.publicURL = http://localhost:$(public_port)s/v2.0
catalog.RegionOne.identity.adminURL = http://localhost:$(public_port)s/v2.0
catalog.RegionOne.identity.internalURL = http://localhost:$(public_port)s/v2.0
catalog.RegionOne.identity.name = 'Identity Service'
----------------
Approach to CRUD
----------------
While it is expected that any "real" deployment at a large company will manage
their users, tenants and other metadata in their existing user systems, a
variety of CRUD operations are provided for the sake of development and testing.
CRUD is treated as an extension or additional feature to the core feature set in
that it is not required that a backend support it.
----------------------------------
Approach to Authorization (Policy)
----------------------------------
Various components in the system require that different actions are allowed
based on whether the user is authorized to perform that action.
For the purposes of Keystone there are only a couple levels of
authorization being checked for:
* Require that the performing user is considered an admin.
* Require that the performing user matches the user being referenced.
Other systems wishing to use the policy engine will require additional styles
of checks and will possibly write completely custom backends. Backends included
in Keystone are:
Trivial True
------------
Allows all actions.
Simple Match
------------
Given a list of matches to check for, simply verify that the credentials
contain the matches. For example::
credentials = {'user_id': 'foo', 'is_admin': 1, 'roles': ['nova:netadmin']}
# An admin only call:
policy_api.can_haz(('is_admin:1',), credentials)
# An admin or owner call:
policy_api.can_haz(('is_admin:1', 'user_id:foo'),
credentials)
# A netadmin call:
policy_api.can_haz(('roles:nova:netadmin',),
credentials)
Credentials are generally built from the user metadata in the 'extras' part
of the Identity API. So, adding a 'role' to the user just means adding the role
to the user metadata.
Capability RBAC
---------------
(Not yet implemented.)
Another approach to authorization can be action-based, with a mapping of roles
to which capabilities are allowed for that role. For example::
credentials = {'user_id': 'foo', 'is_admin': 1, 'roles': ['nova:netadmin']}
# add a policy
policy_api.add_policy('action:nova:add_network', ('roles:nova:netadmin',))
policy_api.can_haz(('action:nova:add_network',), credentials)
In the backend this would look up the policy for 'action:nova:add_network' and
then do what is effectively a 'Simple Match' style match against the creds.
-----------
Still To Do
-----------
* LDAP backend.
* Diablo migration.
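Review bot: In the Simple Match section, the example labelled "An admin or owner call" passes ('is_admin:1', 'user_id:foo'), while the prose says the backend verifies "that the credentials contain the matches", which reads as all of them. State explicitly whether a tuple of matches is any-of or all-of, since the two readings give different authorization results for an owner who is not an admin. In the templated catalog example, adminURL is built from $(public_port)s like the other two URLs; bin/keystone-all reads both admin_port and public_port, so if the admin API is meant to be advertised on its own port the example should use it. Smaller points: `:maxdepth 2` under `.. toctree::` is missing the colon after the option name, and the Identity section refers to an `LDAP Backend` section "below" that this file does not contain (LDAP appears only under Still To Do).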

4
TODO Normal file
View File

@ -0,0 +1,4 @@
- test validate token
- policy tests
- ec2 support
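Review bot: "test validate token" and "policy tests" are listed as outstanding, so the token validation and authorization paths arrive in this merge without test coverage. Consider tracking these as bugs that block a release rather than as entries in a TODO file, or state in the commit message that they are known gaps.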

View File

@ -1,84 +0,0 @@
#!/usr/bin/env python
# vim: tabstop=4 shiftwidth=4 softtabstop=4
""" This is only a convenience script. It starts two endpoints of Keystone; the
first one is a Service API server running on port 5000 (by default), and the
second one is an Admin API server running on port 35357 (by default).
By default, keystone uses bind_host and bind_port to set its litening ports,
but since this script runs two endpoints, it uses the following options:
Setting any of the Admin API values for bind host or port using the
admin_* entries in the config file. Specoific to this script only is the
-a/--admin-port option on the command-line (nothing else supports that).
Setting any of the Service API values for bind host or port using the
service_* entries in the config file.
"""
import optparse
import os
import sys
import keystone.tools.tracer # @UnusedImport # module runs on import
from keystone.common import config
from keystone.config import CONF
import keystone.server
# If ../../keystone/__init__.py exists, add ../ to Python search path, so that
# it will override what happens to be installed in /usr/(local/)lib/python...
POSSIBLE_TOPDIR = os.path.normpath(os.path.join(os.path.abspath(sys.argv[0]),
os.pardir, os.pardir))
if os.path.exists(os.path.join(POSSIBLE_TOPDIR, 'keystone', '__init__.py')):
sys.path.insert(0, POSSIBLE_TOPDIR)
def get_options():
# Initialize a parser for our configuration paramaters
# since we have special handling for the -a|--admin-port argument
parser = optparse.OptionParser()
common_group = config.add_common_options(parser)
config.add_log_options(parser)
# Handle a special argument to support starting two endpoints
common_group.add_option(
'-a', '--admin-port', dest="admin_port", metavar="PORT",
help="specifies port for Admin API to listen on (default is 35357)")
# Parse CLI arguments and merge with config
(options, args) = config.parse_options(parser)
return options
def main():
# Get merged config and CLI options and admin-specific settings
options = get_options()
config_file = config.find_config_file(options, sys.argv[1:])
CONF(config_files=[config_file])
# Start services
try:
# Load Service API Server
service = keystone.server.Server(name="Service API",
config_name='keystone-legacy-auth')
service.start(wait=False)
except RuntimeError, e:
sys.exit("ERROR: %s" % e)
try:
# Get admin-specific settings
port = options.get('admin_port', None)
host = options.get('bind_host', None)
# Load Admin API server
admin = keystone.server.Server(name='Admin API', config_name='admin')
admin.start(host=host, port=port, wait=True)
except RuntimeError, e:
sys.exit("ERROR: %s" % e)
finally:
service.stop()
if __name__ == '__main__':
main()

View File

@ -1,69 +0,0 @@
#!/usr/bin/env python
# vim: tabstop=4 shiftwidth=4 softtabstop=4
# Copyright 2010 United States Government as represented by the
# Administrator of the National Aeronautics and Space Administration.
# Copyright 2011 OpenStack LLC.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
"""
Keystone Identity Server - Admin API
"""
import optparse
import os
import sys
# If ../../keystone/__init__.py exists, add ../ to Python search path, so that
# it will override what happens to be installed in /usr/(local/)lib/python...
possible_topdir = os.path.normpath(os.path.join(os.path.abspath(sys.argv[0]),
os.pardir,
os.pardir))
if os.path.exists(os.path.join(possible_topdir, 'keystone', '__init__.py')):
sys.path.insert(0, possible_topdir)
import keystone.tools.tracer # @UnusedImport # module runs on import
from keystone.common import config
from keystone.config import CONF
import keystone.server
def get_options():
# Initialize a parser for our configuration paramaters
# since we have special handling for the -a|--admin-port argument
parser = optparse.OptionParser()
common_group = config.add_common_options(parser)
config.add_log_options(parser)
# Parse CLI arguments and merge with config
(options, args) = config.parse_options(parser)
return options
def main():
# Get merged config and CLI options and admin-specific settings
options = get_options()
config_file = config.find_config_file(options, sys.argv[1:])
CONF(config_files=[config_file])
try:
# Load Admin API server
admin = keystone.server.Server(name='Admin API', config_name='admin')
admin.start(wait=True)
except RuntimeError, e:
sys.exit("ERROR: %s" % e)
if __name__ == '__main__':
main()

71
bin/keystone-all Executable file
View File

@ -0,0 +1,71 @@
#!/usr/bin/env python
# vim: tabstop=4 shiftwidth=4 softtabstop=4
import greenlet
import logging
import os
import sys
# If ../../keystone/__init__.py exists, add ../ to Python search path, so that
# it will override what happens to be installed in /usr/(local/)lib/python...
possible_topdir = os.path.normpath(os.path.join(os.path.abspath(sys.argv[0]),
os.pardir,
os.pardir))
if os.path.exists(os.path.join(possible_topdir,
'keystone-all',
'__init__.py')):
sys.path.insert(0, possible_topdir)
from paste import deploy
from keystone import config
from keystone.common import wsgi
CONF = config.CONF
def create_server(conf, name, port):
app = deploy.loadapp('config:%s' % conf, name=name)
return wsgi.Server(app, port)
def serve(*servers):
for server in servers:
logging.debug("starting server %s on port %s", server.application,
server.port)
server.start()
for server in servers:
try:
server.wait()
except greenlet.GreenletExit:
pass
if __name__ == '__main__':
dev_conf = os.path.join(possible_topdir,
'etc',
'keystone.conf')
config_files = None
if os.path.exists(dev_conf):
config_files = [dev_conf]
CONF(config_files=config_files)
config.setup_logging(CONF)
# Log the options used when starting if we're in debug mode...
if CONF.debug:
CONF.log_opt_values(logging.getLogger(CONF.prog), logging.DEBUG)
options = deploy.appconfig('config:%s' % CONF.config_file[0])
servers = []
servers.append(create_server(CONF.config_file[0],
'admin',
int(options['admin_port'])))
servers.append(create_server(CONF.config_file[0],
'main',
int(options['public_port'])))
serve(*servers)
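Review bot: The source-checkout check joins possible_topdir with 'keystone-all' and '__init__.py', but the comment above it and the imports that follow (from keystone import config) refer to the keystone package, so this test looks like it can never match and sys.path is not adjusted when running from a checkout; it should probably test for 'keystone', as bin/keystone-manage does. Also, CONF.config_file[0] is indexed unconditionally even though CONF may have been called with config_files=None when etc/keystone.conf is absent; confirm the list cannot be empty at that point, or exit with a clear message when no config file is found.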

View File

@ -1,70 +0,0 @@
#!/usr/bin/env python
# vim: tabstop=4 shiftwidth=4 softtabstop=4
# Copyright 2010 United States Government as represented by the
# Administrator of the National Aeronautics and Space Administration.
# Copyright 2011 OpenStack LLC.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
"""
Keystone Identity Server - Service API
"""
import optparse
import os
import sys
# If ../../keystone/__init__.py exists, add ../ to Python search path, so that
# it will override what happens to be installed in /usr/(local/)lib/python...
possible_topdir = os.path.normpath(os.path.join(os.path.abspath(sys.argv[0]),
os.pardir,
os.pardir))
if os.path.exists(os.path.join(possible_topdir, 'keystone', '__init__.py')):
sys.path.insert(0, possible_topdir)
import keystone.tools.tracer # @UnusedImport # module runs on import
from keystone.common import config
from keystone.config import CONF
import keystone.server
def get_options():
# Initialize a parser for our configuration paramaters
# since we have special handling for the -a|--admin-port argument
parser = optparse.OptionParser()
common_group = config.add_common_options(parser)
config.add_log_options(parser)
# Parse CLI arguments and merge with config
(options, args) = config.parse_options(parser)
return options
def main():
# Get merged config and CLI options and admin-specific settings
options = get_options()
config_file = config.find_config_file(options, sys.argv[1:])
CONF(config_files=[config_file])
try:
# Load Service API server
server = keystone.server.Server(name='Service API',
config_name='keystone-legacy-auth')
server.start(wait=True)
except RuntimeError, e:
sys.exit("ERROR: %s" % e)
if __name__ == '__main__':
main()

View File

@ -1,235 +0,0 @@
#!/usr/bin/env python
# vim: tabstop=4 shiftwidth=4 softtabstop=4
# Copyright (c) 2011 OpenStack, LLC.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""
Helper script for starting/stopping/reloading Keystone server programs.
Copied from Glance. Thanks for some of the code, Swifties ;)
"""
from __future__ import with_statement
import errno
import gettext
import os
import optparse
import resource
import signal
import sys
import time
# If ../keystone/__init__.py exists, add ../ to Python search path, so that
# it will override what happens to be installed in /usr/(local/)lib/python...
possible_topdir = os.path.normpath(os.path.join(os.path.abspath(sys.argv[0]),
os.pardir,
os.pardir))
if os.path.exists(os.path.join(possible_topdir, 'keystone', '__init__.py')):
sys.path.insert(0, possible_topdir)
gettext.install('keystone', unicode=1)
import keystone.version
from keystone.common import config
ALL_COMMANDS = ['start', 'stop', 'shutdown', 'restart',
'reload', 'force-reload']
ALL_SERVERS = ['keystone-auth', 'keystone-admin']
GRACEFUL_SHUTDOWN_SERVERS = ['keystone-auth', 'keystone-admin']
MAX_DESCRIPTORS = 32768
MAX_MEMORY = (1024 * 1024 * 1024) * 2 # 2 GB
USAGE = """%prog [options] <SERVER> <COMMAND> [CONFPATH]
Where <SERVER> is one of:
all, auth, admin
And command is one of:
start, stop, shutdown, restart, reload, force-reload
And CONFPATH is the optional configuration file to use."""
def pid_files(server, options):
pid_files = []
if options['pid_file']:
if os.path.exists(os.path.abspath(options['pid_file'])):
pid_files = [os.path.abspath(options['pid_file'])]
else:
if os.path.exists('/var/run/keystone/%s.pid' % server):
pid_files = ['/var/run/keystone/%s.pid' % server]
for pid_file in pid_files:
pid = int(open(pid_file).read().strip())
yield pid_file, pid
def do_start(server, options, args):
server_type = '-'.join(server.split('-')[:-1])
for pid_file, pid in pid_files(server, options):
if os.path.exists('/proc/%s' % pid):
print "%s appears to already be running: %s" % (server, pid_file)
return
else:
print "Removing stale pid file %s" % pid_file
os.unlink(pid_file)
try:
resource.setrlimit(resource.RLIMIT_NOFILE,
(MAX_DESCRIPTORS, MAX_DESCRIPTORS))
resource.setrlimit(resource.RLIMIT_DATA,
(MAX_MEMORY, MAX_MEMORY))
except ValueError:
print "Unable to increase file descriptor limit. Running as non-root?"
os.environ['PYTHON_EGG_CACHE'] = '/tmp'
def write_pid_file(pid_file, pid):
dir, file = os.path.split(pid_file)
if not os.path.exists(dir):
try:
os.makedirs(dir)
except OSError, err:
if err.errno == errno.EACCES:
sys.exit('Unable to create %s. Running as non-root?'
% dir)
fp = open(pid_file, 'w')
fp.write('%d\n' % pid)
fp.close()
def launch(ini_file, pid_file):
args = [server, ini_file]
print 'Starting %s with %s' % (server, ini_file)
pid = os.fork()
if pid == 0:
os.setsid()
with open(os.devnull, 'r+b') as nullfile:
for desc in (0, 1, 2): # close stdio
try:
os.dup2(nullfile.fileno(), desc)
except OSError:
pass
try:
os.execlp('%s' % server, server, ini_file)
except OSError, e:
sys.exit('unable to launch %s. Got error: %s'
% (server, "%s" % e))
sys.exit(0)
else:
write_pid_file(pid_file, pid)
if not options['pid_file']:
pid_file = '/var/run/keystone/%s.pid' % server
else:
pid_file = os.path.abspath(options['pid_file'])
conf_file = config.find_config_file(options, args)
if not conf_file:
sys.exit("Could not find any configuration file to use!")
launch_args = [(conf_file, pid_file)]
# start all servers
for conf_file, pid_file in launch_args:
launch(conf_file, pid_file)
def do_stop(server, options, args, graceful=False):
if graceful and server in GRACEFUL_SHUTDOWN_SERVERS:
sig = signal.SIGHUP
else:
sig = signal.SIGTERM
did_anything = False
pfiles = pid_files(server, options)
for pid_file, pid in pfiles:
did_anything = True
try:
print 'Stopping %s pid: %s signal: %s' % (server, pid, sig)
os.kill(pid, sig)
except OSError:
print "Process %d not running" % pid
try:
os.unlink(pid_file)
except OSError:
pass
for pid_file, pid in pfiles:
for _junk in xrange(150): # 15 seconds
if not os.path.exists('/proc/%s' % pid):
break
time.sleep(0.1)
else:
print 'Waited 15 seconds for pid %s (%s) to die; giving up' % \
(pid, pid_file)
if not did_anything:
print 'No %s running' % server
if __name__ == '__main__':
oparser = optparse.OptionParser(usage=USAGE, version='%%prog %s'
% keystone.version.version())
oparser.add_option('--pid-file', default=None, metavar="PATH",
help="File to use as pid file. Default: "
"/var/run/keystone/$server.pid")
config.add_common_options(oparser)
(options, args) = config.parse_options(oparser)
if len(args) < 2:
oparser.print_usage()
sys.exit(1)
server = args.pop(0).lower()
if server == 'all':
servers = ALL_SERVERS
else:
if not server.startswith('keystone-'):
server = 'keystone-%s' % server
if server not in ALL_SERVERS:
server_list = ", ".join([s.replace('keystone-', '')
for s in ALL_SERVERS])
msg = ("Unknown server '%(server)s' specified. Please specify "
"all, or one of the servers: %(server_list)s" % locals())
sys.exit(msg)
servers = [server]
command = args.pop(0).lower()
if command not in ALL_COMMANDS:
command_list = ", ".join(ALL_COMMANDS)
msg = ("Unknown command %(command)s specified. Please specify a "
"command in this list: %(command_list)s" % locals())
sys.exit(msg)
if command == 'start':
for server in servers:
do_start(server, options, args)
if command == 'stop':
for server in servers:
do_stop(server, options, args)
if command == 'shutdown':
for server in servers:
do_stop(server, options, args, graceful=True)
if command == 'restart':
for server in servers:
do_stop(server, options, args)
for server in servers:
do_start(server, options, args)
if command == 'reload' or command == 'force-reload':
for server in servers:
do_stop(server, options, args, graceful=True)
do_start(server, options, args)

View File

@ -1,42 +0,0 @@
#!/usr/bin/env python
# vim: tabstop=4 shiftwidth=4 softtabstop=4
# Copyright (C) 2011 OpenStack LLC.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# This file is to read a export file from Nova that will import users,
# tenants and EC2 credentials
# The file should be in the keystone-manage format
import os
import sys
import shlex
# If ../../keystone/__init__.py exists, add ../ to Python search path, so that
# it will override what happens to be installed in /usr/(local/)lib/python...
possible_topdir = os.path.normpath(os.path.join(os.path.abspath(sys.argv[0]),
os.pardir,
os.pardir))
if os.path.exists(os.path.join(possible_topdir, 'keystone', '__init__.py')):
sys.path.insert(0, possible_topdir)
import keystone.manage
with open(sys.argv[1], 'r') as line:
try:
keystone.manage.main(shlex.split(line))
except Exception as exc:
# Main prints all of the errors we need
sys.exit(1)

View File

@ -2,35 +2,27 @@
import os
import sys
# If ../../keystone/__init__.py exists, add ../ to Python search path, so that
# it will override what happens to be installed in /usr/(local/)lib/python...
possible_topdir = os.path.normpath(os.path.join(os.path.abspath(sys.argv[0]),
os.pardir,
os.pardir))
if os.path.exists(os.path.join(possible_topdir, 'keystone', '__init__.py')):
if os.path.exists(os.path.join(possible_topdir,
'keystone',
'__init__.py')):
sys.path.insert(0, possible_topdir)
import keystone.manage
import keystone.manage2
import keystone.tools.tracer # @UnusedImport # module runs on import
from keystone import cli
if __name__ == '__main__':
args = sys.argv[1:]
while True:
if len(args) > 1 and args[0] in keystone.manage.OBJECTS:
# the args look like the old 'subject verb' (e.g. 'user add')
# (this module is pending deprecation)
keystone.manage.main()
break
elif len(args) > 2 and args[0] == '-c':
# Remove -c <config file> and try again
del args[0:2]
elif len(args) > 1 and args[0] == '-d':
# Remove -d and try again
del args[0]
else:
# calls that don't start with a 'subject' go to the new impl
# which uses a 'verb_subject' convention (e.g. 'add_user')
keystone.manage2.main()
break
dev_conf = os.path.join(possible_topdir,
'etc',
'keystone.conf')
config_files = None
if os.path.exists(dev_conf):
config_files = [dev_conf]
cli.main(argv=sys.argv, config_files=config_files)
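Review bot: As far as the rendered hunk shows, the dispatch loop is replaced by a single cli.main(argv=sys.argv, config_files=config_files) call, which drops the old 'subject verb' form (e.g. 'user add') that the removed comment describes as pending deprecation, along with the explicit handling of -c <config file> and -d, without documenting a replacement. Note the new command syntax in the README or the commit message so existing scripts can be migrated. cli.main also receives the full sys.argv where the old code worked from sys.argv[1:], so check that it skips the program name.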

View File

@ -1,16 +0,0 @@
#!/usr/bin/env python
import os
import sys
# If ../../keystone/__init__.py exists, add ../ to Python search path, so that
# it will override what happens to be installed in /usr/(local/)lib/python...
possible_topdir = os.path.normpath(os.path.join(os.path.abspath(sys.argv[0]),
os.pardir,
os.pardir))
if os.path.exists(os.path.join(possible_topdir, 'keystone', '__init__.py')):
sys.path.insert(0, possible_topdir)
import keystone.test.sampledata
if __name__ == '__main__':
keystone.test.sampledata.main()

View File

@ -1,96 +0,0 @@
# Makefile for Sphinx documentation
#
# You can set these variables from the command line.
SPHINXOPTS =
SPHINXBUILD = sphinx-build
SPHINXSOURCE = source
PAPER =
BUILDDIR = build
# Internal variables.
PAPEROPT_a4 = -D latex_paper_size=a4
PAPEROPT_letter = -D latex_paper_size=letter
ALLSPHINXOPTS = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) $(SPHINXSOURCE)
.PHONY: help clean html dirhtml pickle json htmlhelp qthelp latex changes linkcheck doctest
.DEFAULT_GOAL = html
help:
@echo "Please use \`make <target>' where <target> is one of"
@echo " html to make standalone HTML files"
@echo " dirhtml to make HTML files named index.html in directories"
@echo " pickle to make pickle files"
@echo " json to make JSON files"
@echo " htmlhelp to make HTML files and a HTML help project"
@echo " qthelp to make HTML files and a qthelp project"
@echo " latex to make LaTeX files, you can set PAPER=a4 or PAPER=letter"
@echo " changes to make an overview of all changed/added/deprecated items"
@echo " linkcheck to check all external links for integrity"
@echo " doctest to run all doctests embedded in the documentation (if enabled)"
clean:
-rm -rf $(BUILDDIR)/*
if [ -f .autogenerated ] ; then \
cat .autogenerated | xargs rm ; \
rm .autogenerated ; \
fi
html:
$(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
@echo
@echo "Build finished. The HTML pages are in $(BUILDDIR)/html."
dirhtml:
$(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml
@echo
@echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml."
pickle:
$(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle
@echo
@echo "Build finished; now you can process the pickle files."
json:
$(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json
@echo
@echo "Build finished; now you can process the JSON files."
htmlhelp:
$(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp
@echo
@echo "Build finished; now you can run HTML Help Workshop with the" \
".hhp project file in $(BUILDDIR)/htmlhelp."
qthelp:
$(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp
@echo
@echo "Build finished; now you can run "qcollectiongenerator" with the" \
".qhcp project file in $(BUILDDIR)/qthelp, like this:"
@echo "# qcollectiongenerator $(BUILDDIR)/qthelp/nova.qhcp"
@echo "To view the help file:"
@echo "# assistant -collectionFile $(BUILDDIR)/qthelp/nova.qhc"
latex:
$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
@echo
@echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex."
@echo "Run \`make all-pdf' or \`make all-ps' in that directory to" \
"run these through (pdf)latex."
changes:
$(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes
@echo
@echo "The overview file is in $(BUILDDIR)/changes."
linkcheck:
$(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck
@echo
@echo "Link check complete; look for any errors in the above output " \
"or in $(BUILDDIR)/linkcheck/output.txt."
doctest:
$(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest
@echo "Testing of doctests in the sources finished, look at the " \
"results in $(BUILDDIR)/doctest/output.txt."

View File

@ -1,38 +0,0 @@
==================================
Building Contributor Documentation
==================================
This documentation is written by contributors, for contributors.
The source is maintained in the `doc/source` folder using
`reStructuredText`_ and built by `Sphinx`_ (a dependency from `tools/pip-requires`).
.. _reStructuredText: http://docutils.sourceforge.net/rst.html
.. _Sphinx: http://sphinx.pocoo.org/
Building automatically
======================
From the project root, just type::
$ python setup.py build_sphinx
Building manually
=================
#. Generate the code.rst file so that Sphinx will pull in our docstrings::
$ python doc/generate_autodoc_index.py
#. Use `sphinx-build` to produce the docs in HTML::
$ sphinx-build -b html doc/source/ build/sphinx/html/
#. Similarly, build the man pages (optional)::
$ sphinx-build -b man doc/source/ build/sphinx/man/
After building
==============
Navigate to the `build/sphinx/html` directory to browse generated the HTML docs.

File diff suppressed because it is too large

Binary file not shown.


View File

@ -1,87 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<diagram>
<source><![CDATA[client:Library
/queue:FIFO
keystone:Service
compute:Service
policy:Service
[c:default_auth_token]
client:unscoped_token, serviceCatalog=keystone.auth<user, creds>
[/c]
[c:get_tenants]
client:tenants=keystone.get_tenants<unscoped_token>
[/c]
[c:tenant_auth_token]
client:token, serviceCatalog=keystone.auth<user, creds, tenant>
[/c]
[c:do_something_in_compute]
client:endpoint=serviceCatalog['compute']
client:success=compute.do_something<token, instance_id>
compute:tenant = parse(url)
[c:auth_middleware]
compute:user, roles=keystone.validate<token, [tenant]>
[/c]
compute:instance=instance_get(instance_id)
[c:policy_middleware]
compute:action='do_something'
compute:target=instance
compute:success=policy.check_acl<user, target, action, roles>
[/c]
compute:execute something logic
[/c]]]></source>
<configuration>
<property name="actorWidth" value="25"/>
<property name="allowMessageProperties" value="false"/>
<property name="arrowSize" value="6"/>
<property name="colorizeThreads" value="true"/>
<property name="destructorWidth" value="30"/>
<property family="Dialog" name="font" size="12" style="0"/>
<property name="fragmentMargin" value="8"/>
<property name="fragmentPadding" value="10"/>
<property name="fragmentTextPadding" value="3"/>
<property name="glue" value="10"/>
<property name="headHeight" value="35"/>
<property name="headLabelPadding" value="5"/>
<property name="headWidth" value="100"/>
<property name="initialSpace" value="10"/>
<property name="leftMargin" value="5"/>
<property name="lineWrap" value="false"/>
<property name="lowerMargin" value="5"/>
<property name="mainLifelineWidth" value="8"/>
<property name="messageLabelSpace" value="3"/>
<property name="messagePadding" value="6"/>
<property name="noteMargin" value="6"/>
<property name="notePadding" value="6"/>
<property name="opaqueMessageText" value="false"/>
<property name="returnArrowVisible" value="true"/>
<property name="rightMargin" value="5"/>
<property name="selfMessageHorizontalSpace" value="15"/>
<property name="separatorBottomMargin" value="8"/>
<property name="separatorTopMargin" value="15"/>
<property name="shouldShadowParticipants" value="true"/>
<property name="spaceBeforeActivation" value="2"/>
<property name="spaceBeforeAnswerToSelf" value="10"/>
<property name="spaceBeforeConstruction" value="6"/>
<property name="spaceBeforeSelfMessage" value="7"/>
<property name="subLifelineWidth" value="6"/>
<property name="tc0" value="-1118482"/>
<property name="tc1" value="-256"/>
<property name="tc2" value="-65536"/>
<property name="tc3" value="-16776961"/>
<property name="tc4" value="-16711936"/>
<property name="tc5" value="-4144960"/>
<property name="tc6" value="-65281"/>
<property name="tc7" value="-14336"/>
<property name="tc8" value="-20561"/>
<property name="tc9" value="-12566464"/>
<property name="threadNumbersVisible" value="false"/>
<property name="threaded" value="true"/>
<property name="upperMargin" value="5"/>
<property name="verticallySplit" value="true"/>
</configuration>
</diagram>

Binary file not shown.

File diff suppressed because it is too large

Binary file not shown.


View File

@ -1,83 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<diagram>
<source><![CDATA[client:User
/queue:FIFO
keystone:Service
nova:Service
[c:default_auth_token]
client:unscoped_token, globalServiceCatalog=keystone.auth<user, password>
[/c]
[c:get_tenants]
client:tenants=keystone.get_tenants<unscoped_token>
[/c]
[c:tenant_auth_token]
client:token, serviceCatalog=keystone.auth<unscoped_token, tenant>
[/c]
client:endpoint = serviceCatalog['compute']
[c:create_instance]
client:success=nova.createInstance<token, tenant_id>
nova:tenant = parse(url)
[c:auth_middleware]
nova:user, roles=keystone.validate<token, [tenant]>
[/c]
nova:authorize=can_haz(context, user, 'create_instance', tenant_id)
nova:execute create_instance
[/c]
client:200 OK]]></source>
<configuration>
<property name="actorWidth" value="25"/>
<property name="allowMessageProperties" value="false"/>
<property name="arrowSize" value="6"/>
<property name="colorizeThreads" value="true"/>
<property name="destructorWidth" value="30"/>
<property family="Dialog" name="font" size="12" style="0"/>
<property name="fragmentMargin" value="8"/>
<property name="fragmentPadding" value="10"/>
<property name="fragmentTextPadding" value="3"/>
<property name="glue" value="10"/>
<property name="headHeight" value="35"/>
<property name="headLabelPadding" value="5"/>
<property name="headWidth" value="100"/>
<property name="initialSpace" value="10"/>
<property name="leftMargin" value="5"/>
<property name="lineWrap" value="false"/>
<property name="lowerMargin" value="5"/>
<property name="mainLifelineWidth" value="8"/>
<property name="messageLabelSpace" value="3"/>
<property name="messagePadding" value="6"/>
<property name="noteMargin" value="6"/>
<property name="notePadding" value="6"/>
<property name="opaqueMessageText" value="false"/>
<property name="returnArrowVisible" value="true"/>
<property name="rightMargin" value="5"/>
<property name="selfMessageHorizontalSpace" value="15"/>
<property name="separatorBottomMargin" value="8"/>
<property name="separatorTopMargin" value="15"/>
<property name="shouldShadowParticipants" value="true"/>
<property name="spaceBeforeActivation" value="2"/>
<property name="spaceBeforeAnswerToSelf" value="10"/>
<property name="spaceBeforeConstruction" value="6"/>
<property name="spaceBeforeSelfMessage" value="7"/>
<property name="subLifelineWidth" value="6"/>
<property name="tc0" value="-1118482"/>
<property name="tc1" value="-256"/>
<property name="tc2" value="-65536"/>
<property name="tc3" value="-16776961"/>
<property name="tc4" value="-16711936"/>
<property name="tc5" value="-4144960"/>
<property name="tc6" value="-65281"/>
<property name="tc7" value="-14336"/>
<property name="tc8" value="-20561"/>
<property name="tc9" value="-12566464"/>
<property name="threadNumbersVisible" value="false"/>
<property name="threaded" value="true"/>
<property name="upperMargin" value="5"/>
<property name="verticallySplit" value="true"/>
</configuration>
</diagram>

File diff suppressed because it is too large.

Binary file not shown.

@ -1,76 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<diagram>
<source><![CDATA[client:User
/queue:FIFO
keystone:Service
nova:Service
[c:authenticate]
client:token, serviceCatalog=keystone.auth<user, password, tenant>
[/c]
client:endpoint=serviceCatalog['compute']
[c:create_instance]
client:success=nova.createInstance<token, tenant_id>
nova:tenant = parse(url)
[c:auth_middleware]
nova:user, roles=keystone.validate<token, [tenant]>
[/c]
nova:authorize = can_haz(context, user, 'create_instance', tenant_id)
nova:execute create_instance
[/c]
client:200 OK]]></source>
<configuration>
<property name="actorWidth" value="25"/>
<property name="allowMessageProperties" value="false"/>
<property name="arrowSize" value="6"/>
<property name="colorizeThreads" value="true"/>
<property name="destructorWidth" value="30"/>
<property family="Dialog" name="font" size="12" style="0"/>
<property name="fragmentMargin" value="8"/>
<property name="fragmentPadding" value="10"/>
<property name="fragmentTextPadding" value="3"/>
<property name="glue" value="10"/>
<property name="headHeight" value="35"/>
<property name="headLabelPadding" value="5"/>
<property name="headWidth" value="100"/>
<property name="initialSpace" value="10"/>
<property name="leftMargin" value="5"/>
<property name="lineWrap" value="false"/>
<property name="lowerMargin" value="5"/>
<property name="mainLifelineWidth" value="8"/>
<property name="messageLabelSpace" value="3"/>
<property name="messagePadding" value="6"/>
<property name="noteMargin" value="6"/>
<property name="notePadding" value="6"/>
<property name="opaqueMessageText" value="false"/>
<property name="returnArrowVisible" value="true"/>
<property name="rightMargin" value="5"/>
<property name="selfMessageHorizontalSpace" value="15"/>
<property name="separatorBottomMargin" value="8"/>
<property name="separatorTopMargin" value="15"/>
<property name="shouldShadowParticipants" value="true"/>
<property name="spaceBeforeActivation" value="2"/>
<property name="spaceBeforeAnswerToSelf" value="10"/>
<property name="spaceBeforeConstruction" value="6"/>
<property name="spaceBeforeSelfMessage" value="7"/>
<property name="subLifelineWidth" value="6"/>
<property name="tc0" value="-1118482"/>
<property name="tc1" value="-256"/>
<property name="tc2" value="-65536"/>
<property name="tc3" value="-16776961"/>
<property name="tc4" value="-16711936"/>
<property name="tc5" value="-4144960"/>
<property name="tc6" value="-65281"/>
<property name="tc7" value="-14336"/>
<property name="tc8" value="-20561"/>
<property name="tc9" value="-12566464"/>
<property name="threadNumbersVisible" value="false"/>
<property name="threaded" value="true"/>
<property name="upperMargin" value="5"/>
<property name="verticallySplit" value="true"/>
</configuration>
</diagram>

File diff suppressed because it is too large.

Binary file not shown.

@ -1,80 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<diagram>
<source><![CDATA[client:User
/queue:FIFO
keystone:Service
nova:Service
[c:unauthenticated_call]
client:\[standard http response requesting authentication\]=nova.createInstance<tenant_id>
client:401 Unauthorized
client:WWW-Authenticate\: Keystone uri="url_to_keystone"
[/c]
[c:authenticate]
client:token, serviceCatalog=keystone.auth<user, creds, tenant>
[/c]
[c:retry_create_instance]
client:success=nova.createInstance<token, tenant_id>
nova:tenant = parse(url)
[c:auth_middleware]
nova:user, roles=keystone.validate<token, [tenant]>
[/c]
nova:authorize=can_haz(context, user, 'create_instance', tenant_id)
nova:execute create_instance
[/c]
client:200 OK]]></source>
<configuration>
<property name="actorWidth" value="25"/>
<property name="allowMessageProperties" value="false"/>
<property name="arrowSize" value="6"/>
<property name="colorizeThreads" value="true"/>
<property name="destructorWidth" value="30"/>
<property family="Dialog" name="font" size="12" style="0"/>
<property name="fragmentMargin" value="8"/>
<property name="fragmentPadding" value="10"/>
<property name="fragmentTextPadding" value="3"/>
<property name="glue" value="10"/>
<property name="headHeight" value="35"/>
<property name="headLabelPadding" value="5"/>
<property name="headWidth" value="100"/>
<property name="initialSpace" value="10"/>
<property name="leftMargin" value="5"/>
<property name="lineWrap" value="false"/>
<property name="lowerMargin" value="5"/>
<property name="mainLifelineWidth" value="8"/>
<property name="messageLabelSpace" value="3"/>
<property name="messagePadding" value="6"/>
<property name="noteMargin" value="6"/>
<property name="notePadding" value="6"/>
<property name="opaqueMessageText" value="false"/>
<property name="returnArrowVisible" value="true"/>
<property name="rightMargin" value="5"/>
<property name="selfMessageHorizontalSpace" value="15"/>
<property name="separatorBottomMargin" value="8"/>
<property name="separatorTopMargin" value="15"/>
<property name="shouldShadowParticipants" value="true"/>
<property name="spaceBeforeActivation" value="2"/>
<property name="spaceBeforeAnswerToSelf" value="10"/>
<property name="spaceBeforeConstruction" value="6"/>
<property name="spaceBeforeSelfMessage" value="7"/>
<property name="subLifelineWidth" value="6"/>
<property name="tc0" value="-1118482"/>
<property name="tc1" value="-256"/>
<property name="tc2" value="-65536"/>
<property name="tc3" value="-16776961"/>
<property name="tc4" value="-16711936"/>
<property name="tc5" value="-4144960"/>
<property name="tc6" value="-65281"/>
<property name="tc7" value="-14336"/>
<property name="tc8" value="-20561"/>
<property name="tc9" value="-12566464"/>
<property name="threadNumbersVisible" value="false"/>
<property name="threaded" value="true"/>
<property name="upperMargin" value="5"/>
<property name="verticallySplit" value="true"/>
</configuration>
</diagram>
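
Review bot: The `unauthenticated_call` fragment at the top of this deleted diagram is the one place among the diagrams removed here that records what a client sees when it calls nova without a token: `401 Unauthorized` plus `WWW-Authenticate: Keystone uri="url_to_keystone"`. The `auth_middleware` fragment also fixes the order of checks (`keystone.validate<token, [tenant]>` first, then `can_haz(context, user, 'create_instance', tenant_id)`). If the middleware keeps this behaviour after the merge, the replacement docs should state the challenge header and the validate-then-authorize order in text, because service authors integrating the middleware depend on both.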

@ -1,76 +0,0 @@
#!/usr/bin/env python
"""Generates files for sphinx documentation using a simple Autodoc based
template.
To use, just run as a script:
$ python doc/generate_autodoc_index.py
"""
import os
base_dir = os.path.dirname(os.path.abspath(__file__))
RSTDIR=os.path.join(base_dir, "source", "sourcecode")
SOURCEDIR=os.path.join(base_dir, "..")
# Exclude these modules from the autodoc results
EXCLUDE_MODULES = ['keystone.backends.sqlalchemy.migrate_repo']
def in_exclude_list(module_name):
"""Compares a module to the list of excluded modules
Returns true if the provided module resides in or matches
an excluded module, false otherwise.
"""
for excluded_module in EXCLUDE_MODULES:
if module_name.startswith(excluded_module):
return True
return False
def find_autodoc_modules(module_name, sourcedir):
"""returns a list of modules in the SOURCE directory"""
modlist = []
os.chdir(os.path.join(sourcedir, module_name))
for root, dirs, files in os.walk("."):
for filename in files:
if filename.endswith(".py"):
# root = ./keystone/test/unit
# filename = base.py
elements = root.split(os.path.sep)
# replace the leading "." with the module name
elements[0] = module_name
# and get the base module name
base, extension = os.path.splitext(filename)
if not (base == "__init__"):
elements.append(base)
result = (".".join(elements))
if not in_exclude_list(result):
modlist.append(result)
return modlist
if not(os.path.exists(RSTDIR)):
os.mkdir(RSTDIR)
INDEXOUT = open("%s/autoindex.rst" % RSTDIR, "w")
INDEXOUT.write("Source Code Index\n")
INDEXOUT.write("=================\n")
INDEXOUT.write(".. toctree::\n")
INDEXOUT.write(" :maxdepth: 1\n")
INDEXOUT.write("\n")
for module in find_autodoc_modules('keystone', SOURCEDIR):
generated_file = "%s/%s.rst" % (RSTDIR, module)
INDEXOUT.write(" %s\n" % module)
FILEOUT = open(generated_file, "w")
FILEOUT.write("The :mod:`%s` Module\n" % module)
FILEOUT.write("=============================="
"=============================="
"==============================\n")
FILEOUT.write(".. automodule:: %s\n" % module)
FILEOUT.write(" :members:\n")
FILEOUT.write(" :undoc-members:\n")
FILEOUT.write(" :show-inheritance:\n")
FILEOUT.close()
INDEXOUT.close()

@ -1,97 +0,0 @@
..
Copyright 2011 OpenStack, LLC
All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
Keystone Architecture
=====================
Keystone has two major components: Authentication and a Service Catalog.
Authentication
--------------
In providing a token-based authentication service for OpenStack, keystone
has several major concepts:
Tenant
A grouping used in OpenStack to contain relevant OpenStack services. A
tenant maps to a Nova "project-id", and in object storage, a tenant can
have multiple containers. Depending on the installation, a tenant can
represent a customer, account, organization, or project.
User
Represents an individual within OpenStack for the purposes of
authenticating them to OpenStack services. Users have credentials, and may
be assigned to one or more tenants. When authenticated, a token is
provided that is specific to a single tenant.
Credentials
Password or other information that uniquely identifies a User to Keystone
for the purposes of providing a token.
Token
A token is an arbitrary bit of text that is used to share authentication
with other OpenStack services so that Keystone can provide a central
location for authenticating users for access to OpenStack services. A
token may be "scoped" or "unscoped". A scoped token represents a user
authenticated to a Tenant, where an unscoped token represents just the
user.
Tokens are valid for a limited amount of time and may be revoked at any
time.
Role
A role is a set of permissions to access and use specific operations for
a given user when applied to a tenant. Roles are logical groupings of
those permissions to enable common permissions to be easily grouped and
bound to users associated with a given tenant.
Service Catalog
---------------
Keystone also provides a list of REST API endpoints as a definitive list for
an OpenStack installation. Key concepts include:
Service
An OpenStack service such as nova, swift, glance, or keystone. A service
may have one of more endpoints through which users can interact with
OpenStack services and resources.
Endpoint
A network accessible address (typically a URL) that represents the API
interface to an OpenStack service. Endpoints may also be grouped into
templates which represent a group of consumable OpenStack services
available across regions.
Template
A collection of endpoints representing a set of consumable OpenStack
service endpoints.
Components of Keystone
----------------------
Keystone includes a command-line interface which interacts with the Keystone
API for administrating keystone and related services.
* keystone - runs both keystone-admin and keystone-service
* keystone-admin - the administrative API for manipulating keystone
* keystone-service - the user oriented API for authentication
* keystone-manage - the command line interface to manipulate keystone
Keystone also includes WSGI middelware to provide authentication support
for Nova and Swift.
Keystone uses a built-in SQLite datastore - and may use an external LDAP
service to authenticate users instead of using stored credentials.
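
Review bot: The Token entry in this deleted file carries the statements operators base their assumptions on: the scoped versus unscoped distinction, and "Tokens are valid for a limited amount of time and may be revoked at any time." Removing the file without an equivalent leaves token lifetime and revocation undocumented. Please confirm the replacement docs define scoped and unscoped tokens and say whether expiry and revocation still hold; the final paragraph's note that an external LDAP service can replace stored credentials deserves the same treatment, since it changes where passwords are checked.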

@ -1,100 +0,0 @@
..
Copyright 2011 OpenStack, LLC
All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
====================
Configuring Keystone
====================
.. toctree::
:maxdepth: 1
keystone.conf
man/keystone-manage
Once Keystone is installed, there are a number of configuration options
available and potentially some initial data to create and set up.
Sample data / Quick Setup
=========================
Default sampledata is provided for easy setup and testing in bin/sampeldata. To
set up the sample data run the following command while Keystone is running::
$ ./bin/sampledata
The sample data created comes from the file :doc:`sourcecode/keystone.test.sampledata`
Keystone Configuration File
===========================
Most configuration is done via configuration files. The default files are
in ``/etc/keystone.conf``
When starting up a Keystone server, you can specify the configuration file to
use (see :doc:`controllingservers`).
If you do **not** specify a configuration file, keystone will look in the following
directories for a configuration file, in order:
* ``~/.keystone``
* ``~/``
* ``/etc/keystone``
* ``/etc``
The keystone configuration file should be named ``keystone.conf``.
If you installed keystone via your operating system's
package management system, it is likely that you will have sample
configuration files installed in ``/etc/keystone``.
In addition to this documentation page, you can check the
``etc/keystone.conf`` sample configuration
files distributed with keystone for example configuration files for each server
application with detailed comments on what each options does.
Sample Configuration Files
--------------------------
Keystone ships with sample configuration files in keystone/etc. These files are:
1. keystone.conf
A standard configuration file for running keystone in stand-alone mode.
It has a set of default extensions loaded to support administering Keystone
over REST. It uses a local SQLite database.
2. memcache.conf
A configuration that uses memcached for storing tokens (but still SQLite for all
other entities). This requires memcached running.
3. ssl.conf
A configuration that runs Keystone with SSL (so all URLs are accessed over HTTPS).
To run any of these configurations, use the `-c` option::
./keystone -c ../etc/ssl.conf
Usefule Links
-------------
For a sample configuration file with explanations of the settings, see :doc:`keystone.conf`
For configuring an LDAP backend, see http://mirantis.blogspot.com/2011/08/ldap-identity-store-for-openstack.html
For configuration settings of middleware components, see :doc:`middleware`
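
Review bot: The configuration file lookup order in the "Keystone Configuration File" section (`~/.keystone`, `~/`, `/etc/keystone`, `/etc`) is security relevant and disappears with this file: a `keystone.conf` in the home directory of the account running the server takes precedence over the one under `/etc`. Whatever replaces this page should state the lookup order the merged code uses, and say so explicitly if it changed. The `ssl.conf` entry under "Sample Configuration Files" is also the only description here of running Keystone over HTTPS, so the new docs need an equivalent pointer.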

@ -1,333 +0,0 @@
..
Copyright 2011 OpenStack, LLC
All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
==========================================
Configuring Services to work with Keystone
==========================================
.. toctree::
:maxdepth: 1
Once Keystone is installed and running, services need to be configured to work
with it. These are the steps to configure a service to work with Keystone:
1. Create or get credentials for the service to use
A set of credentials are needed for each service (they may be
shared if you chose to). Depending on the service, these credentials are
either a username and password or a long-lived token..
2. Register the service, endpoints, roles and other entities
In order for a service to have it's endpoints and roles show in the service
catalog returned by Keystone, a service record needs to be added for the
service. Endpoints and roles associated with that service can then be created.
This can be done through the REST interface (using the OS-KSCATALOG extension)
or using keystone-manage.
3. Install and configure middleware for the service to handle authentication
Clients making calls to the service will pass in an authentication token. The
Keystone middleware will look for and validate that token, taking the
appropriate action. It will also retrive additional information from the token
such as user name, id, tenant name, id, roles, etc...
The middleware will pass those data down to the service as headers. The
detailed description of this architecture is available here :doc:`middleware_architecture`
Setting up credentials
======================
First admin user - bootstrapping
--------------------------------
For a default installation of Keystone, before you can use the REST API, you
need to create your first initial user and grant that user the right to
administer Keystone.
For the keystone service itself, two
Roles are pre-defined in the keystone configuration file
(:doc:`keystone.conf`).
#Role that allows admin operations (access to all operations)
keystone-admin-role = Admin
#Role that allows acting as service (validate tokens, register service,
etc...)
keystone-service-admin-role = KeystoneServiceAdmin
In order to create your first user, once Keystone is running use
the `keystone-manage` command:
$ keystone-manage user add admin secrete
$ keystone-manage role add Admin
$ keystone-manage role add KeystoneServiceAdmin
$ keystone-manage role grant Admin admin
$ keystone-manage role grant KeystoneServiceAdmin admin
This creates the `admin` user (with a password of `secrete`), creates
two roles (`Admin` and `KeystoneServiceAdmin`), and assigns those roles to
the `admin` user. From here, you should now have the choice of using the
administrative API (as well as the :doc:`man/keystone-manage` commands) to
further configure keystone. There are a number of examples of how to use
that API at :doc:`adminAPI_curl_examples`.
Setting up services
===================
Defining Services and Service Endpoints
---------------------------------------
Keystone also acts as a service catalog to let other OpenStack systems know
where relevant API endpoints exist for OpenStack Services. The OpenStack
Dashboard, in particular, uses this heavily - and this **must** be configured
for the OpenStack Dashboard to properly function.
Here's how we define the services::
$ keystone-manage service add nova compute "Nova Compute Service"
$ keystone-manage service add glance image "Glance Image Service"
$ keystone-manage service add swift storage "Swift Object Storage Service"
$ keystone-manage service add keystone identity "Keystone Identity Service"
Once the services are defined, we create endpoints for them. Each service
has three relevant URL's associated with it that are used in the command:
* the public API URL
* an administrative API URL
* an internal URL
The "internal URL" is an endpoint the generally offers the same API as the
public URL, but over a high-bandwidth, low-latency, unmetered (free) network.
You would use that to transfer images from nova to glance for example, and
not the Public URL which would go over the internet and be potentially chargeable.
The "admin URL" is for administering the services and is not exposed or accessible
to customers without the apporpriate privileges.
An example of setting up the endpoint for Nova::
$ keystone-manage endpointTemplates add RegionOne nova \
http://nova-api.mydomain:8774/v1.1/%tenant_id% \
http://nova-api.mydomain:8774/v1.1/%tenant_id% \
http://nova-api.mydomain:8774/v1.1/%tenant_id% \
1 1
Glance::
$ keystone-manage endpointTemplates add RegionOne glance \
http://glance.mydomain:9292/v1 \
http://glance.mydomain:9292/v1 \
http://glance.mydomain:9292/v1 \
1 1
Swift::
$ keystone-manage endpointTemplates add RegionOne swift \
http://swift.mydomain:8080/v1/AUTH_%tenant_id% \
http://swift.mydomain:8080/v1.0/ \
http://swift.mydomain:8080/v1/AUTH_%tenant_id% \
1 1
And setting up an endpoint for Keystone::
$ keystone-manage endpointTemplates add RegionOne keystone \
http://keystone.mydomain:5000/v2.0 \
http://keystone.mydomain:35357/v2.0 \
http://keystone.mydomain:5000/v2.0 \
1 1
Defining an Administrative Service Token
----------------------------------------
An Administrative Service Token is a bit of arbitrary text which is configured
in Keystone and used (typically configured into) Nova, Swift, Glance, and any
other OpenStack projects, to be able to use Keystone services.
This token is an arbitrary text string, but must be identical between Keystone
and the services using Keystone. This token is bound to a user and tenant as
well, so those also need to be created prior to setting it up.
The *admin* user was set up above, but we haven't created a tenant for that
user yet::
$ keystone-manage tenant add admin
and while we're here, let's grant the admin user the 'Admin' role to the
'admin' tenant::
$ keystone-manage role add Admin
$ keystone-manage role grant Admin admin admin
Now we can create a service token::
$ keystone-manage token add 999888777666 admin admin 2015-02-05T00:00
This creates a service token of '999888777666' associated to the admin user,
admin tenant, and expires on February 5th, 2015. This token will be used when
configuring Nova, Glance, or other OpenStack services.
Securing Communications with SSL
--------------------------------
To encrypt traffic between services and Keystone, see :doc:`ssl`
Setting up OpenStack users
==========================
Creating Tenants, Users, and Roles
----------------------------------
Let's set up a 'demo' tenant::
$ keystone-manage tenant add demo
And add a 'demo' user with the password 'guest'::
$ keystone-manage user add demo guest
Now let's add a role of "Member" and grant 'demo' user that role
as it pertains to the tenant 'demo'::
$ keystone-manage role add Member
$ keystone-manage role grant Member demo demo
Let's also add the admin user as an Admin role to the demo tenant::
$ keystone-manage role grant Admin admin demo
Creating EC2 credentials
------------------------
To add EC2 credentials for the `admin` and `demo` accounts::
$ keystone-manage credentials add admin EC2 'admin' 'secretpassword'
$ keystone-manage credentials add admin EC2 'demo' 'secretpassword'
If you have a large number of credentials to create, you can put them all
into a single large file and import them using :doc:`man/keystone-import`. The
format of the document looks like::
credentials add admin EC2 'username' 'password'
credentials add admin EC2 'username' 'password'
Then use::
$ keystone-import `filename`
Setting Up Middleware
=====================
Keystone Auth-Token Middleware
--------------------------------
The Keystone auth_token middleware is a WSGI component that can be inserted in
the WSGI pipeline to handle authenticating tokens with Keystone. See :doc:`middleware`
for details on middleware and configuration parameters.
Configuring Nova to use Keystone
--------------------------------
To configure Nova to use Keystone for authentication, the Nova API service
can be run against the api-paste file provided by Keystone. This is most
easily accomplished by setting the `--api_paste_config` flag in nova.conf to
point to `examples/paste/nova-api-paste.ini` from Keystone. This paste file
included references to the WSGI authentication middleware provided with the
keystone installation.
When configuring Nova, it is important to create a admin service token for
the service (from the Configuration step above) and include that as the key
'admin_token' in the nova-api-paste.ini. See the documented
:doc:`nova-api-paste` file for references.
Configuring Swift to use Keystone
---------------------------------
Similar to Nova, swift can be configured to use Keystone for authentication
rather than it's built in 'tempauth'.
1. Add a service endpoint for Swift to Keystone
2. Configure the paste file for swift-proxy (`/etc/swift/swift-proxy.conf`)
3. Reconfigure Swift's proxy server to use Keystone instead of TempAuth.
Here's an example `/etc/swift/proxy-server.conf`::
[DEFAULT]
bind_port = 8888
user = <user>
[pipeline:main]
pipeline = catch_errors cache keystone proxy-server
[app:proxy-server]
use = egg:swift#proxy
account_autocreate = true
[filter:keystone]
use = egg:keystone#tokenauth
auth_protocol = http
auth_host = 127.0.0.1
auth_port = 35357
admin_token = 999888777666
delay_auth_decision = 0
service_protocol = http
service_host = 127.0.0.1
service_port = 8100
service_pass = dTpw
cache = swift.cache
[filter:cache]
use = egg:swift#memcache
set log_name = cache
[filter:catch_errors]
use = egg:swift#catch_errors
Note that the optional "cache" property in the keystone filter allows any
service (not just Swift) to register its memcache client in the WSGI
environment. If such a cache exists, Keystone middleware will utilize it
to store validated token information, which could result in better overall
performance.
4. Restart swift
5. Verify that keystone is providing authentication to Swift
Use `swift` to check everything works (note: you currently have to create a
container or upload something as your first action to have the account
created; there's a Swift bug to be fixed soon)::
$ swift -A http://127.0.0.1:5000/v1.0 -U joeuser -K secrete post container
$ swift -A http://127.0.0.1:5000/v1.0 -U joeuser -K secrete stat -v
StorageURL: http://127.0.0.1:8888/v1/AUTH_1234
Auth Token: 74ce1b05-e839-43b7-bd76-85ef178726c3
Account: AUTH_1234
Containers: 1
Objects: 0
Bytes: 0
Accept-Ranges: bytes
X-Trans-Id: tx25c1a6969d8f4372b63912f411de3c3b
.. WARNING::
Keystone currently allows any valid token to do anything with any account.
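
Review bot: The closing `.. WARNING::` ("Keystone currently allows any valid token to do anything with any account.") is deleted along with the rest of this file; if that is still true of the Swift integration after the merge, the warning has to be carried into the new docs rather than dropped silently. The worked examples being removed also hard-code values readers tend to copy: the service token `999888777666` with an expiry of `2015-02-05T00:00`, and `auth_protocol = http` in the `[filter:keystone]` section of the sample `proxy-server.conf`. In the replacement, mark the token as a placeholder to be generated per deployment and cross-reference the SSL page next to the `http` settings.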

@ -1,135 +0,0 @@
..
Copyright 2011 OpenStack, LLC
All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
========================
Developing with Keystone
========================
Get your development environment set up according to :doc:`setup`.
Running a development instance
==============================
Setting up a virtualenv
-----------------------
We recommend establishing a virtualenv to run keystone within. To establish
this environment, use the command::
$ python tools/install_venv.py
This will create a local virtual environment in the directory ``.venv``.
Once created, you can activate this virtualenv for your current shell using::
$ source .venv/bin/activate
The virtual environment can be disabled using the command::
$ deactivate
You can also use ``tools\with_venv.sh`` to prefix commands so that they run
within the virtual environment. For more information on virtual environments,
see virtualenv_.
.. _virtualenv: http://www.virtualenv.org/
Running Keystone
----------------
To run the keystone Admin and API server instances, use::
$ tools/with_venv.sh bin/keystone
Running a demo service that uses Keystone
-----------------------------------------
To run client demo (with all auth middleware running locally on sample service)::
$ tools/with_venv.sh examples/echo/bin/echod
which spins up a simple "echo" service on port 8090. To use a simple echo client::
$ python examples/echo/echo_client.py
Interacting with Keystone
=========================
You can interact with Keystone through the command line using :doc:`man/keystone-manage`
which allows you to establish tenants, users, etc.
You can also interact with Keystone through it's REST API. There is a python
keystone client library python-keystoneclient_ which interacts exclusively through
the REST API.
.. _python-keystoneclient: https://github.com/4P/python-keystoneclient
The easiest way to establish some base information in Keystone to interact with is
to invoke::
$ tools/with_venv.sh bin/sampledata
You can see the details of what that creates in ``keystone/test/sampledata.py``
Enabling debugging middleware
-----------------------------
You can enable a huge amount of additional data (debugging information) about
the request and repsonse objects flowing through Keystone using the debugging
WSGI middleware.
To enable this, just modify the pipelines in ``etc/keystone.conf``, from::
[pipeline:admin]
pipeline =
urlnormalizer
admin_api
[pipeline:keystone-legacy-auth]
pipeline =
urlnormalizer
legacy_auth
d5_compat
service_api
... to::
[pipeline:admin]
pipeline =
debug
urlnormalizer
d5_compat
admin_api
[pipeline:keystone-legacy-auth]
pipeline =
debug
urlnormalizer
legacy_auth
d5_compat
service_api
Two simple and easy debugging tools are using the ``-d`` when you start keystone::
$ ./keystone -d
and the `--trace-calls` flag::
$ ./keystone -trace-calls
The ``-d`` flag outputs debug information to the console. The ``--trace-calls`` flag
outputs extensive, nested trace calls to the console and highlights any errors
in red.
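
Review bot: The "Enabling debugging middleware" section describes adding `debug` to the `admin` and `keystone-legacy-auth` pipelines to dump "the request and response objects flowing through Keystone", with no note that those requests carry user passwords and tokens. If a debugging section is rewritten for the merged tree, it should say that the debug pipeline is for development instances only and that its output must be treated as sensitive. The flag examples at the end are also inconsistent (the text says `--trace-calls`, the command shows `$ ./keystone -trace-calls`), so do not copy them across as written.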

@ -1,158 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:cc="http://creativecommons.org/ns#"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
width="193.58089"
height="100.32214"
id="svg2"
version="1.1"
inkscape:version="0.48.0 r9654"
sodipodi:docname="proxyAuth.svg">
<defs
id="defs4" />
<sodipodi:namedview
id="base"
pagecolor="#ffffff"
bordercolor="#666666"
borderopacity="1.0"
inkscape:pageopacity="0.0"
inkscape:pageshadow="2"
inkscape:zoom="0.98901497"
inkscape:cx="134.39587"
inkscape:cy="72.635488"
inkscape:document-units="px"
inkscape:current-layer="layer1"
showgrid="false"
fit-margin-top="0"
fit-margin-left="0"
fit-margin-right="0"
fit-margin-bottom="0"
inkscape:window-width="912"
inkscape:window-height="842"
inkscape:window-x="66"
inkscape:window-y="87"
inkscape:window-maximized="0" />
<metadata
id="metadata7">
<rdf:RDF>
<cc:Work
rdf:about="">
<dc:format>image/svg+xml</dc:format>
<dc:type
rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
<dc:title></dc:title>
</cc:Work>
</rdf:RDF>
</metadata>
<g
inkscape:label="Layer 1"
inkscape:groupmode="layer"
id="layer1"
transform="translate(-240.60414,-504.67553)">
<g
id="1"
transform="translate(239.41667,503.49764)">
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="25.6"
x="136"
xml:space="preserve"
id="2">Request</text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="36"
x="136"
xml:space="preserve"
id="3">service directly</text>
<path
d="m 1.85,14.45 0,28.8 67.2,0 0,-28.8 -67.2,0 z"
style="fill:#fdefe3;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="4"
inkscape:connector-curvature="0" />
<path
d="m 1.85,43.25 67.2,0 0,-28.8 -67.2,0 0,28.8 z"
style="fill:none;stroke:#c00000;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="5"
inkscape:connector-curvature="0" />
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="25.6"
x="24.799999"
xml:space="preserve"
id="6">Auth</text>
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="37.599998"
x="8.8000002"
xml:space="preserve"
id="7">Component</text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="53.599998"
x="79.199997"
xml:space="preserve"
id="8">305 </text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="53.599998"
x="96"
xml:space="preserve"
id="9">Use proxy to </text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="63.200001"
x="79.199997"
xml:space="preserve"
id="10">redirect to Auth</text>
<path
d="M 64.25,72.05 C 83.45,33.65 87.8,15.9 75.1,6.45 67.75,1 54.85,-1.65 42.3,7.85"
style="fill:none;stroke:#000000;stroke-width:0.75px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="11"
inkscape:connector-curvature="0" />
<path
d="m 45.35,9.75 -9.9,4.7 5.1,-9.65 4.8,4.95 z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="12"
inkscape:connector-curvature="0" />
<path
d="m 154.25,14.45 c 0,0 -4.85,0.5 -9.45,0.95 -7,0.7 -13.45,1.2 -17.85,5.1 -2.95,2.65 -5.05,6.8 -3.6,10.1 2.65,6.1 17.05,9.3 23.85,14 5,3.45 5.95,7.65 4.9,11.1 -1.9,6.35 -10.5,10 -23.85,16.2 -8.35,3.9 -18.6,8.85 -26.1,11.85"
style="fill:none;stroke:#000000;stroke-width:0.75px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="13"
inkscape:connector-curvature="0" />
<path
d="M 104,86.8 93.05,86.45 102,80.2 l 2,6.6 z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="14"
inkscape:connector-curvature="0" />
<path
d="m 25.85,72.05 0,28.8 67.2,0 0,-28.8 -67.2,0 z"
style="fill:#d1ebf1;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="15"
inkscape:connector-curvature="0" />
<path
d="m 25.85,100.85 67.2,0 0,-28.8 -67.2,0 0,28.8 z"
style="fill:none;stroke:#1f477d;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="16"
inkscape:connector-curvature="0" />
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="83.199997"
x="34.400002"
xml:space="preserve"
id="17">OpenStack</text>
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="95.199997"
x="42.400002"
xml:space="preserve"
id="18">Service</text>
</g>
</g>
</svg>


@ -1,135 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:cc="http://creativecommons.org/ns#"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
width="68.500092"
height="110.50006"
id="svg2"
version="1.1"
inkscape:version="0.48.0 r9654"
sodipodi:docname="mapper.svg">
<defs
id="defs4" />
<sodipodi:namedview
id="base"
pagecolor="#ffffff"
bordercolor="#666666"
borderopacity="1.0"
inkscape:pageopacity="0.0"
inkscape:pageshadow="2"
inkscape:zoom="0.98901497"
inkscape:cx="34.262561"
inkscape:cy="55.237534"
inkscape:document-units="px"
inkscape:current-layer="layer1"
showgrid="false"
fit-margin-top="0"
fit-margin-left="0"
fit-margin-right="0"
fit-margin-bottom="0"
inkscape:window-width="912"
inkscape:window-height="842"
inkscape:window-x="66"
inkscape:window-y="87"
inkscape:window-maximized="0" />
<metadata
id="metadata7">
<rdf:RDF>
<cc:Work
rdf:about="">
<dc:format>image/svg+xml</dc:format>
<dc:type
rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
<dc:title></dc:title>
</cc:Work>
</rdf:RDF>
</metadata>
<g
inkscape:label="Layer 1"
inkscape:groupmode="layer"
id="layer1"
transform="translate(-340.73745,-315.32253)">
<g
id="1"
transform="translate(339.55001,314.13506)">
<path
d="m 1.85,1.85 0,28.8 67.2,0 0,-28.8 -67.2,0 z"
style="fill:#fdefe3;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="2"
inkscape:connector-curvature="0" />
<path
d="m 1.85,30.65 67.2,0 0,-28.8 -67.2,0 0,28.8 z"
style="fill:none;stroke:#c00000;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="3"
inkscape:connector-curvature="0" />
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="13.6"
x="24.799999"
xml:space="preserve"
id="4">Auth</text>
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="24.799999"
x="8.8000002"
xml:space="preserve"
id="5">Component</text>
<path
d="m 1.85,81.05 67.2,0 0,-28.8 -67.2,0 0,28.8 z"
style="fill:none;stroke:#a6a6a6;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="6"
inkscape:connector-curvature="0" />
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#bfbfbf;font-family:Arial"
y="64"
x="24.799999"
xml:space="preserve"
id="7">Auth</text>
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#bfbfbf;font-family:Arial"
y="75.199997"
x="8.8000002"
xml:space="preserve"
id="8">Component</text>
<path
d="m 1.85,82.25 0,28.8 67.2,0 0,-28.8 -67.2,0 z"
style="fill:#d1ebf1;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="9"
inkscape:connector-curvature="0" />
<path
d="m 1.85,111.05 67.2,0 0,-28.8 -67.2,0 0,28.8 z"
style="fill:none;stroke:#1f477d;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="10"
inkscape:connector-curvature="0" />
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="93.599998"
x="10.4"
xml:space="preserve"
id="11">OpenStack</text>
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="105.6"
x="18.4"
xml:space="preserve"
id="12">Service</text>
<path
d="m 35.45,30.65 0,40.9"
style="fill:none;stroke:#000000;stroke-width:0.75px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="13"
inkscape:connector-curvature="0" />
<path
d="M 38.9,70.7 35.45,81.05 32,70.7 l 6.9,0 z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="14"
inkscape:connector-curvature="0" />
</g>
</g>
</svg>


@ -1,52 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
-->
<!-- Title: DelegateAcceptAuth Pages: 1 -->
<svg width="656pt" height="81pt"
viewBox="0.00 0.00 656.00 81.23" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 77.234)">
<title>DelegateAcceptAuth</title>
<polygon fill="white" stroke="white" points="-4,5 -4,-77.234 653,-77.234 653,5 -4,5"/>
<!-- Start -->
<!-- AuthComp -->
<g id="node4" class="node"><title>AuthComp</title>
<polygon fill="#fdefe3" stroke="#c00000" points="348,-48.234 250,-48.234 250,-8.23398 348,-8.23398 348,-48.234"/>
<text text-anchor="middle" x="299" y="-31.634" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
<text text-anchor="middle" x="299" y="-15.634" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
</g>
<!-- Start&#45;&gt;AuthComp -->
<g id="edge3" class="edge"><title>Start&#45;&gt;AuthComp</title>
<path fill="none" stroke="black" d="M54.0748,-28.234C97.1107,-28.234 182.142,-28.234 239.791,-28.234"/>
<polygon fill="black" stroke="black" points="239.864,-31.7341 249.863,-28.234 239.863,-24.7341 239.864,-31.7341"/>
<text text-anchor="middle" x="152" y="-30.634" font-family="Times,serif" font-size="14.00">Authorization: Basic VTpQ</text>
</g>
<!-- AuthComp&#45;&gt;Start -->
<g id="edge9" class="edge"><title>AuthComp&#45;&gt;Start</title>
<path fill="none" stroke="black" d="M249.934,-12.6562C243.944,-11.2496 237.868,-10.0499 232,-9.23398 161.567,0.55976 141.697,4.87673 72,-9.23398 69.1948,-9.80192 66.3471,-10.5503 63.5169,-11.4218"/>
<polygon fill="black" stroke="black" points="62.3066,-8.13733 54.0489,-14.7751 64.6436,-14.7357 62.3066,-8.13733"/>
<text text-anchor="middle" x="152" y="-11.634" font-family="Times,serif" font-size="14.00">200 Okay</text>
</g>
<!-- Service -->
<g id="node6" class="node"><title>Service</title>
<polygon fill="#d1ebf1" stroke="#1f477d" points="648,-48.234 554,-48.234 554,-8.23398 648,-8.23398 648,-48.234"/>
<text text-anchor="middle" x="601" y="-31.634" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
<text text-anchor="middle" x="601" y="-15.634" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
</g>
<!-- AuthComp&#45;&gt;Service -->
<g id="edge5" class="edge"><title>AuthComp&#45;&gt;Service</title>
<path fill="none" stroke="black" d="M348.194,-28.234C401.691,-28.234 487.101,-28.234 543.616,-28.234"/>
<polygon fill="black" stroke="black" points="543.818,-31.7341 553.818,-28.234 543.818,-24.7341 543.818,-31.7341"/>
<text text-anchor="middle" x="451" y="-60.634" font-family="Times,serif" font-size="14.00">Authorization: Basic dTpw</text>
<text text-anchor="middle" x="451" y="-45.634" font-family="Times,serif" font-size="14.00">X&#45;Authorization: Proxy U</text>
<text text-anchor="middle" x="451" y="-30.634" font-family="Times,serif" font-size="14.00">X&#45;Identity&#45;Status: Confirmed</text>
</g>
<!-- Service&#45;&gt;AuthComp -->
<g id="edge7" class="edge"><title>Service&#45;&gt;AuthComp</title>
<path fill="none" stroke="black" d="M553.774,-12.7435C547.845,-11.2995 541.819,-10.067 536,-9.23398 461.207,1.47328 440.836,1.17187 366,-9.23398 363.341,-9.6037 360.639,-10.0522 357.922,-10.5631"/>
<polygon fill="black" stroke="black" points="357.121,-7.15517 348.066,-12.6562 358.575,-14.0025 357.121,-7.15517"/>
<text text-anchor="middle" x="451" y="-11.634" font-family="Times,serif" font-size="14.00">200 Okay</text>
</g>
</g>
</svg>
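Review bot: this diagram is removed outright (the hunk is ``+0,0``), and it is where the delegated-mode header contract is illustrated: the auth component forwards ``X-Authorization: Proxy U`` and ``X-Identity-Status: Confirmed`` to the service, together with an ``Authorization`` value that differs from the one the client sent. Before merging, please confirm the replacement documentation still says which of these headers the service relies on, and that they are set by the auth component rather than accepted from the client request.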


@ -1,30 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
-->
<!-- Title: Seperate Pages: 1 -->
<svg width="106pt" height="124pt"
viewBox="0.00 0.00 106.00 124.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 120)">
<title>Seperate</title>
<polygon fill="white" stroke="white" points="-4,5 -4,-120 103,-120 103,5 -4,5"/>
<!-- AuthComp -->
<g id="node2" class="node"><title>AuthComp</title>
<polygon fill="#fdefe3" stroke="#c00000" points="98,-116 0,-116 0,-76 98,-76 98,-116"/>
<text text-anchor="middle" x="49" y="-99.4" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
<text text-anchor="middle" x="49" y="-83.4" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
</g>
<!-- Service -->
<g id="node4" class="node"><title>Service</title>
<polygon fill="#d1ebf1" stroke="#1f477d" points="96,-40 2,-40 2,-0 96,-0 96,-40"/>
<text text-anchor="middle" x="49" y="-23.4" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
<text text-anchor="middle" x="49" y="-7.4" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
</g>
<!-- AuthComp&#45;&gt;Service -->
<g id="edge3" class="edge"><title>AuthComp&#45;&gt;Service</title>
<path fill="none" stroke="black" d="M49,-75.6334C49,-67.8186 49,-58.7253 49,-50.183"/>
<polygon fill="black" stroke="black" points="52.5001,-50.1593 49,-40.1593 45.5001,-50.1593 52.5001,-50.1593"/>
</g>
</g>
</svg>


@ -1,51 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
-->
<!-- Title: StandardAcceptAuth Pages: 1 -->
<svg width="644pt" height="66pt"
viewBox="0.00 0.00 644.00 66.23" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 62.234)">
<title>StandardAcceptAuth</title>
<polygon fill="white" stroke="white" points="-4,5 -4,-62.234 641,-62.234 641,5 -4,5"/>
<!-- Start -->
<!-- AuthComp -->
<g id="node4" class="node"><title>AuthComp</title>
<polygon fill="#fdefe3" stroke="#c00000" points="348,-48.234 250,-48.234 250,-8.23398 348,-8.23398 348,-48.234"/>
<text text-anchor="middle" x="299" y="-31.634" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
<text text-anchor="middle" x="299" y="-15.634" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
</g>
<!-- Start&#45;&gt;AuthComp -->
<g id="edge3" class="edge"><title>Start&#45;&gt;AuthComp</title>
<path fill="none" stroke="black" d="M54.0748,-28.234C97.1107,-28.234 182.142,-28.234 239.791,-28.234"/>
<polygon fill="black" stroke="black" points="239.864,-31.7341 249.863,-28.234 239.863,-24.7341 239.864,-31.7341"/>
<text text-anchor="middle" x="152" y="-30.634" font-family="Times,serif" font-size="14.00">Authorization: Basic VTpQ</text>
</g>
<!-- AuthComp&#45;&gt;Start -->
<g id="edge9" class="edge"><title>AuthComp&#45;&gt;Start</title>
<path fill="none" stroke="black" d="M249.934,-12.6562C243.944,-11.2496 237.868,-10.0499 232,-9.23398 161.567,0.55976 141.697,4.87673 72,-9.23398 69.1948,-9.80192 66.3471,-10.5503 63.5169,-11.4218"/>
<polygon fill="black" stroke="black" points="62.3066,-8.13733 54.0489,-14.7751 64.6436,-14.7357 62.3066,-8.13733"/>
<text text-anchor="middle" x="152" y="-11.634" font-family="Times,serif" font-size="14.00">200 Okay</text>
</g>
<!-- Service -->
<g id="node6" class="node"><title>Service</title>
<polygon fill="#d1ebf1" stroke="#1f477d" points="636,-48.234 542,-48.234 542,-8.23398 636,-8.23398 636,-48.234"/>
<text text-anchor="middle" x="589" y="-31.634" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
<text text-anchor="middle" x="589" y="-15.634" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
</g>
<!-- AuthComp&#45;&gt;Service -->
<g id="edge5" class="edge"><title>AuthComp&#45;&gt;Service</title>
<path fill="none" stroke="black" d="M348.195,-28.234C399.052,-28.234 478.372,-28.234 531.947,-28.234"/>
<polygon fill="black" stroke="black" points="531.971,-31.7341 541.971,-28.234 531.971,-24.7341 531.971,-31.7341"/>
<text text-anchor="middle" x="445" y="-45.634" font-family="Times,serif" font-size="14.00">Authorization: Basic dTpw</text>
<text text-anchor="middle" x="445" y="-30.634" font-family="Times,serif" font-size="14.00">X&#45;Authorization: Proxy U</text>
</g>
<!-- Service&#45;&gt;AuthComp -->
<g id="edge7" class="edge"><title>Service&#45;&gt;AuthComp</title>
<path fill="none" stroke="black" d="M541.774,-12.7435C535.845,-11.2995 529.819,-10.067 524,-9.23398 454.486,0.717471 435.553,0.437338 366,-9.23398 363.341,-9.6037 360.639,-10.0522 357.922,-10.5631"/>
<polygon fill="black" stroke="black" points="357.121,-7.15517 348.066,-12.6562 358.575,-14.0025 357.121,-7.15517"/>
<text text-anchor="middle" x="445" y="-11.634" font-family="Times,serif" font-size="14.00">200 Okay</text>
</g>
</g>
</svg>


@ -1,39 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
-->
<!-- Title: StandardRejectAuth Pages: 1 -->
<svg width="590pt" height="84pt"
viewBox="0.00 0.00 590.00 84.11" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 80.1142)">
<title>StandardRejectAuth</title>
<polygon fill="white" stroke="white" points="-4,5 -4,-80.1142 587,-80.1142 587,5 -4,5"/>
<!-- Start -->
<!-- AuthComp -->
<g id="node4" class="node"><title>AuthComp</title>
<polygon fill="#fdefe3" stroke="#c00000" points="470,-72.1142 372,-72.1142 372,-32.1142 470,-32.1142 470,-72.1142"/>
<text text-anchor="middle" x="421" y="-55.5142" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
<text text-anchor="middle" x="421" y="-39.5142" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
</g>
<!-- Start&#45;&gt;AuthComp -->
<g id="edge3" class="edge"><title>Start&#45;&gt;AuthComp</title>
<path fill="none" stroke="black" d="M54.087,-55.6146C59.9818,-56.239 66.1921,-56.7925 72,-57.1142 197.142,-64.0451 228.754,-61.7811 354,-57.1142 356.55,-57.0192 359.153,-56.9039 361.782,-56.7725"/>
<polygon fill="black" stroke="black" points="362.204,-60.2543 371.991,-56.1946 361.809,-53.2655 362.204,-60.2543"/>
<text text-anchor="middle" x="213" y="-63.5142" font-family="Times,serif" font-size="14.00">Authorization: Basic Yjpw</text>
</g>
<!-- AuthComp&#45;&gt;Start -->
<g id="edge5" class="edge"><title>AuthComp&#45;&gt;Start</title>
<path fill="none" stroke="black" d="M381.842,-32.0145C372.913,-28.3297 363.309,-25.0423 354,-23.1142 231.272,2.30687 192.234,12.2721 72,-23.1142 67.3413,-24.4853 62.7097,-26.5048 58.2883,-28.8508"/>
<polygon fill="black" stroke="black" points="56.3831,-25.9114 49.5663,-34.022 59.9531,-31.9327 56.3831,-25.9114"/>
<text text-anchor="middle" x="213" y="-40.5142" font-family="Times,serif" font-size="14.00">401 Unauthorized</text>
<text text-anchor="middle" x="213" y="-25.5142" font-family="Times,serif" font-size="14.00">WWW&#45;Authenticate: Basic Realm=&quot;API Realm&quot;</text>
</g>
<!-- Service -->
<g id="node8" class="node"><title>Service</title>
<polygon fill="#d1ebf1" stroke="#1f477d" points="582,-72.1142 488,-72.1142 488,-32.1142 582,-32.1142 582,-72.1142"/>
<text text-anchor="middle" x="535" y="-55.5142" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
<text text-anchor="middle" x="535" y="-39.5142" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
</g>
</g>
</svg>


@ -1,24 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
-->
<!-- Title: Together Pages: 1 -->
<svg width="116pt" height="104pt"
viewBox="0.00 0.00 116.00 104.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 100)">
<title>Together</title>
<polygon fill="white" stroke="white" points="-4,5 -4,-100 113,-100 113,5 -4,5"/>
<!-- Together -->
<g id="node2" class="node"><title>Together</title>
<polygon fill="#fdefe3" stroke="#fdefe3" points="8,-47 8,-91 101,-91 101,-47 8,-47"/>
<polygon fill="none" stroke="#c00000" points="8,-47 8,-91 101,-91 101,-47 8,-47"/>
<text text-anchor="start" x="38" y="-75.2333" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
<text text-anchor="start" x="13.5" y="-58.4333" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
<polygon fill="#d1ebf1" stroke="#d1ebf1" points="8,-4 8,-47 101,-47 101,-4 8,-4"/>
<polygon fill="none" stroke="#1f477d" points="8,-4 8,-47 101,-47 101,-4 8,-4"/>
<text text-anchor="start" x="15.5" y="-31.7333" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
<text text-anchor="start" x="28" y="-14.9333" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
</g>
</g>
</svg>


@ -1,215 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:cc="http://creativecommons.org/ns#"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
width="183.71901"
height="100.41289"
id="svg2"
version="1.1"
inkscape:version="0.48.0 r9654"
sodipodi:docname="authComp.svg">
<defs
id="defs4" />
<sodipodi:namedview
id="base"
pagecolor="#ffffff"
bordercolor="#666666"
borderopacity="1.0"
inkscape:pageopacity="0.0"
inkscape:pageshadow="2"
inkscape:zoom="0.98901497"
inkscape:cx="69.71099"
inkscape:cy="-12.532713"
inkscape:document-units="px"
inkscape:current-layer="layer1"
showgrid="false"
fit-margin-top="0"
fit-margin-left="0"
fit-margin-right="0"
fit-margin-bottom="0"
inkscape:window-width="912"
inkscape:window-height="842"
inkscape:window-x="66"
inkscape:window-y="87"
inkscape:window-maximized="0" />
<metadata
id="metadata7">
<rdf:RDF>
<cc:Work
rdf:about="">
<dc:format>image/svg+xml</dc:format>
<dc:type
rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
<dc:title></dc:title>
</cc:Work>
</rdf:RDF>
</metadata>
<g
inkscape:label="Layer 1"
inkscape:groupmode="layer"
id="layer1"
transform="translate(-305.28902,-419.41658)">
<g
id="1"
transform="translate(304.10174,415.42322)">
<path
d="m 117.05,14.8 0,28.8 67.2,0 0,-28.8 -67.2,0 z"
style="fill:#fdefe3;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="2"
inkscape:connector-curvature="0" />
<path
d="m 117.05,43.6 67.2,0 0,-28.8 -67.2,0 0,28.8 z"
style="fill:none;stroke:#c00000;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="3"
inkscape:connector-curvature="0" />
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="26.4"
x="140"
xml:space="preserve"
id="4">Auth</text>
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="37.599998"
x="124"
xml:space="preserve"
id="5">Component</text>
<path
d="m 117.05,72.4 0,28.8 67.2,0 0,-28.8 -67.2,0 z"
style="fill:#d1ebf1;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="6"
inkscape:connector-curvature="0" />
<path
d="m 117.05,101.2 67.2,0 0,-28.8 -67.2,0 0,28.8 z"
style="fill:none;stroke:#1f477d;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="7"
inkscape:connector-curvature="0" />
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="84"
x="125.6"
xml:space="preserve"
id="8">OpenStack</text>
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="95.199997"
x="133.60001"
xml:space="preserve"
id="9">Service</text>
<path
d="m 150.65,43.6 0,19.3"
style="fill:none;stroke:#000000;stroke-width:0.75px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="10"
inkscape:connector-curvature="0" />
<path
d="m 154.1,62.05 -3.45,10.35 -3.45,-10.35 6.9,0 z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="11"
inkscape:connector-curvature="0" />
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="10.4"
x="131.2"
xml:space="preserve"
id="12">Option </text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="10.4"
x="158.39999"
xml:space="preserve"
id="13">(</text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="10.4"
x="161.60001"
xml:space="preserve"
id="14">b</text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="10.4"
x="166.39999"
xml:space="preserve"
id="15">)</text>
<path
d="m 1.85,14.8 0,28.8 67.2,0 0,-28.8 -67.2,0 z"
style="fill:#fdefe3;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="16"
inkscape:connector-curvature="0" />
<path
d="m 1.85,43.6 67.2,0 0,-28.8 -67.2,0 0,28.8 z"
style="fill:none;stroke:#c00000;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="17"
inkscape:connector-curvature="0" />
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="26.4"
x="24.799999"
xml:space="preserve"
id="18">Auth</text>
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="37.599998"
x="8.8000002"
xml:space="preserve"
id="19">Component</text>
<path
d="m 1.85,44.8 0,28.8 67.2,0 0,-28.8 -67.2,0 z"
style="fill:#d1ebf1;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="20"
inkscape:connector-curvature="0" />
<path
d="m 1.85,73.6 67.2,0 0,-28.8 -67.2,0 0,28.8 z"
style="fill:none;stroke:#1f477d;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="21"
inkscape:connector-curvature="0" />
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="56"
x="10.4"
xml:space="preserve"
id="22">OpenStack</text>
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="68"
x="18.4"
xml:space="preserve"
id="23">Service</text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="10.4"
x="13.6"
xml:space="preserve"
id="24">Option </text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="10.4"
x="41.599998"
xml:space="preserve"
id="25">(</text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="10.4"
x="44"
xml:space="preserve"
id="26">a</text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="10.4"
x="48.799999"
xml:space="preserve"
id="27">)</text>
<path
d="m 93.45,5.2 0,5.6 c 0,0.25 -0.15,0.4 -0.4,0.4 -0.2,0 -0.4,-0.15 -0.4,-0.4 l 0,-5.6 c 0,-0.2 0.2,-0.4 0.4,-0.4 0.25,0 0.4,0.2 0.4,0.4 z m 0,9.6 0,5.6 c 0,0.25 -0.15,0.4 -0.4,0.4 -0.2,0 -0.4,-0.15 -0.4,-0.4 l 0,-5.6 c 0,-0.2 0.2,-0.4 0.4,-0.4 0.25,0 0.4,0.2 0.4,0.4 z m 0,9.6 0,5.6 c 0,0.25 -0.15,0.4 -0.4,0.4 -0.2,0 -0.4,-0.15 -0.4,-0.4 l 0,-5.6 c 0,-0.2 0.2,-0.4 0.4,-0.4 0.25,0 0.4,0.2 0.4,0.4 z m 0,9.6 0,5.6 c 0,0.25 -0.15,0.4 -0.4,0.4 -0.2,0 -0.4,-0.15 -0.4,-0.4 l 0,-5.6 c 0,-0.2 0.2,-0.4 0.4,-0.4 0.25,0 0.4,0.2 0.4,0.4 z m 0,9.6 0,5.6 c 0,0.25 -0.15,0.4 -0.4,0.4 -0.2,0 -0.4,-0.15 -0.4,-0.4 l 0,-5.6 c 0,-0.2 0.2,-0.4 0.4,-0.4 0.25,0 0.4,0.2 0.4,0.4 z m 0,9.6 0,5.6 c 0,0.25 -0.15,0.4 -0.4,0.4 -0.2,0 -0.4,-0.15 -0.4,-0.4 l 0,-5.6 c 0,-0.2 0.2,-0.4 0.4,-0.4 0.25,0 0.4,0.2 0.4,0.4 z m 0,9.6 0,5.6 c 0,0.25 -0.15,0.4 -0.4,0.4 -0.2,0 -0.4,-0.15 -0.4,-0.4 l 0,-5.6 c 0,-0.2 0.2,-0.4 0.4,-0.4 0.25,0 0.4,0.2 0.4,0.4 z m 0,9.6 0,5.6 c 0,0.25 -0.15,0.4 -0.4,0.4 -0.2,0 -0.4,-0.15 -0.4,-0.4 l 0,-5.6 c 0,-0.2 0.2,-0.4 0.4,-0.4 0.25,0 0.4,0.2 0.4,0.4 z m 0,9.6 0,5.6 c 0,0.25 -0.15,0.4 -0.4,0.4 -0.2,0 -0.4,-0.15 -0.4,-0.4 l 0,-5.6 c 0,-0.2 0.2,-0.4 0.4,-0.4 0.25,0 0.4,0.2 0.4,0.4 z m 0,9.6 0,5.6 c 0,0.25 -0.15,0.4 -0.4,0.4 -0.2,0 -0.4,-0.15 -0.4,-0.4 l 0,-5.6 c 0,-0.2 0.2,-0.4 0.4,-0.4 0.25,0 0.4,0.2 0.4,0.4 z m 0,9.6 0,2.4 c 0,0.25 -0.15,0.4 -0.4,0.4 -0.2,0 -0.4,-0.15 -0.4,-0.4 l 0,-2.4 c 0,-0.2 0.2,-0.4 0.4,-0.4 0.25,0 0.4,0.2 0.4,0.4 z"
style="fill:#1f477d;fill-opacity:1;fill-rule:nonzero;stroke:#1f477d;stroke-width:0.80000001px;stroke-linecap:butt;stroke-linejoin:bevel;stroke-opacity:1;stroke-dasharray:none"
id="28"
inkscape:connector-curvature="0" />
</g>
</g>
</svg>


@ -1,237 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:cc="http://creativecommons.org/ns#"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
width="118.9"
height="159.425"
id="svg2"
version="1.1"
inkscape:version="0.48.0 r9654"
sodipodi:docname="mapper.svg">
<defs
id="defs4" />
<sodipodi:namedview
id="base"
pagecolor="#ffffff"
bordercolor="#666666"
borderopacity="1.0"
inkscape:pageopacity="0.0"
inkscape:pageshadow="2"
inkscape:zoom="1"
inkscape:cx="50.251985"
inkscape:cy="133.71622"
inkscape:document-units="px"
inkscape:current-layer="layer1"
showgrid="false"
fit-margin-top="0"
fit-margin-left="0"
fit-margin-right="0"
fit-margin-bottom="0"
inkscape:window-width="1920"
inkscape:window-height="1024"
inkscape:window-x="-4"
inkscape:window-y="-4"
inkscape:window-maximized="1" />
<metadata
id="metadata7">
<rdf:RDF>
<cc:Work
rdf:about="">
<dc:format>image/svg+xml</dc:format>
<dc:type
rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
<dc:title />
</cc:Work>
</rdf:RDF>
</metadata>
<g
inkscape:label="Layer 1"
inkscape:groupmode="layer"
id="layer1"
transform="translate(106.03799,-264.63332)">
<g
id="g3015">
<path
d="m -80.18799,394.60832 0,28.8 67.2,0 0,-28.8 -67.2,0 z"
style="fill:#d1ebf1;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="2"
inkscape:connector-curvature="0" />
<path
d="m -80.18799,423.40832 67.2,0 0,-28.8 -67.2,0 0,28.8 z"
style="fill:none;stroke:#1f477d;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="3"
inkscape:connector-curvature="0" />
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="405.85831"
x="-72.037987"
xml:space="preserve"
id="4">OpenStack</text>
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="417.85831"
x="-64.037987"
xml:space="preserve"
id="5">Service</text>
<path
d="m -46.58799,265.00832 0,19.3"
style="fill:none;stroke:#000000;stroke-width:0.75px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="6"
inkscape:connector-curvature="0" />
<path
d="m -42.804657,340.4626 -3.45,10.35 -3.45,-10.35 6.9,0 z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="7"
inkscape:connector-curvature="0" />
<path
d="m -46.58799,365.80832 0,19.3"
style="fill:none;stroke:#000000;stroke-width:0.75px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="10"
inkscape:connector-curvature="0" />
<path
d="m -43.13799,384.25832 -3.45,10.35 -3.45,-10.35 6.9,0 z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="11"
inkscape:connector-curvature="0" />
<path
d="m -80.18799,322.60832 c -7.2,7.2 -7.2,13.45 -7.2,17.1 0,0.6 0,1.1 0,1.6"
style="fill:none;stroke:#000000;stroke-width:0.75px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="12"
inkscape:connector-curvature="0" />
<path
d="m -83.98799,340.25832 -2.8,10.55 -4.1,-10.15 6.9,-0.4 z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="13"
inkscape:connector-curvature="0" />
<path
d="m -12.98799,322.60832 c 4.4,7 5.3,13.3 4.9,18.7"
style="fill:none;stroke:#000000;stroke-width:0.75px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="14"
inkscape:connector-curvature="0" />
<path
d="m -4.68799,340.25832 -2.9,10.55 -4,-10.15 6.9,-0.4 z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="15"
inkscape:connector-curvature="0" />
<path
d="m -6.98799,366.40832 -17.75,20.4"
style="fill:none;stroke:#000000;stroke-width:0.75px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="16"
inkscape:connector-curvature="0" />
<path
d="m -21.58799,388.45832 -9.4,5.55 4.2,-10.1 5.2,4.55 z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="17"
inkscape:connector-curvature="0" />
<path
d="m -85.58799,366.40832 15.25,20.05"
style="fill:none;stroke:#000000;stroke-width:0.75px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="18"
inkscape:connector-curvature="0" />
<path
d="m -68.08799,383.65832 3.5,10.35 -9,-6.15 5.5,-4.2 z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="19"
inkscape:connector-curvature="0" />
<path
d="m -80.18799,293.80832 0,28.8 67.2,0 0,-28.8 -67.2,0 z"
style="fill:#ebf1de;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="20"
inkscape:connector-curvature="0" />
<path
d="m -80.18799,322.60832 67.2,0 0,-28.8 -67.2,0 0,28.8 z"
style="fill:none;stroke:#688037;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="21"
inkscape:connector-curvature="0" />
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="311.45834"
x="-64.037987"
xml:space="preserve"
id="22">Mapper</text>
<path
d="m -105.38799,351.40832 0,14.4 38.4,0 0,-14.4 -38.4,0 z"
style="fill:#fdefe3;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="23"
inkscape:connector-curvature="0" />
<path
d="m -105.38799,365.80832 38.4,0 0,-14.4 -38.4,0 0,14.4 z"
style="fill:none;stroke:#c00000;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="24"
inkscape:connector-curvature="0" />
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="361.85831"
x="-100.03799"
xml:space="preserve"
id="25">Auth</text>
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="361.85831"
x="-77.637993"
xml:space="preserve"
id="26">1</text>
<path
d="m -65.78799,351.40832 0,14.4 38.4,0 0,-14.4 -38.4,0 z"
style="fill:#fdefe3;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="27"
inkscape:connector-curvature="0" />
<path
d="m -65.78799,365.80832 38.4,0 0,-14.4 -38.4,0 0,14.4 z"
style="fill:none;stroke:#c00000;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="28"
inkscape:connector-curvature="0" />
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="361.85831"
x="-60.037991"
xml:space="preserve"
id="29">Auth</text>
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="361.85831"
x="-38.437988"
xml:space="preserve"
id="30">2</text>
<path
d="m -26.18799,351.40832 0,14.4 38.4,0 0,-14.4 -38.4,0 z"
style="fill:#fdefe3;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="31"
inkscape:connector-curvature="0" />
<path
d="m -26.18799,365.80832 38.4,0 0,-14.4 -38.4,0 0,14.4 z"
style="fill:none;stroke:#c00000;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="32"
inkscape:connector-curvature="0" />
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="361.85831"
x="-20.837988"
xml:space="preserve"
id="33">Auth</text>
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="361.85831"
x="1.562013"
xml:space="preserve"
id="34">3</text>
<path
d="m -46.000001,323.49386 0,18.51832"
style="fill:none;stroke:#000000;stroke-width:0.73465496;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none"
id="6-1"
inkscape:connector-curvature="0" />
<path
d="m -42.883334,284.52051 -3.45,10.35 -3.45,-10.35 6.9,0 z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="7-7"
inkscape:connector-curvature="0" />
</g>
</g>
</svg>


@ -1,238 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:cc="http://creativecommons.org/ns#"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
width="360.43942"
height="43.693935"
id="svg2"
version="1.1"
inkscape:version="0.48.0 r9654"
sodipodi:docname="layouts.svg">
<defs
id="defs4" />
<sodipodi:namedview
id="base"
pagecolor="#ffffff"
bordercolor="#666666"
borderopacity="1.0"
inkscape:pageopacity="0.0"
inkscape:pageshadow="2"
inkscape:zoom="0.98901497"
inkscape:cx="238.80946"
inkscape:cy="161.99774"
inkscape:document-units="px"
inkscape:current-layer="layer1"
showgrid="false"
fit-margin-top="0"
fit-margin-left="0"
fit-margin-right="0"
fit-margin-bottom="0"
inkscape:window-width="912"
inkscape:window-height="842"
inkscape:window-x="66"
inkscape:window-y="87"
inkscape:window-maximized="0" />
<metadata
id="metadata7">
<rdf:RDF>
<cc:Work
rdf:about="">
<dc:format>image/svg+xml</dc:format>
<dc:type
rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
<dc:title></dc:title>
</cc:Work>
</rdf:RDF>
</metadata>
<g
inkscape:label="Layer 1"
inkscape:groupmode="layer"
id="layer1"
transform="translate(-136.19055,-650.66599)">
<g
id="1"
transform="translate(134.9737,646.56521)">
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="10.4"
x="190.39999"
xml:space="preserve"
id="2">Authorization</text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="10.4"
x="240.8"
xml:space="preserve"
id="3">: </text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="10.4"
x="245.60001"
xml:space="preserve"
id="4">Basic dTpw</text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="20"
x="190.39999"
xml:space="preserve"
id="5">X</text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="20"
x="196"
xml:space="preserve"
id="6">-</text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="20"
x="199.2"
xml:space="preserve"
id="7">Authorization</text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="20"
x="248.8"
xml:space="preserve"
id="8">: </text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="20"
x="253.60001"
xml:space="preserve"
id="9">Proxy U</text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="20"
x="5.5999999"
xml:space="preserve"
id="10">Authorization</text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="20"
x="56"
xml:space="preserve"
id="11">: </text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="20"
x="60.799999"
xml:space="preserve"
id="12">Basic VTpQ</text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#ff0000;font-family:Arial"
y="31.200001"
x="34.400002"
xml:space="preserve"
id="13">500 </text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#ff0000;font-family:Arial"
y="31.200001"
x="50.400002"
xml:space="preserve"
id="14">Internal Error</text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#ff0000;font-family:Arial"
y="32.799999"
x="190.39999"
xml:space="preserve"
id="15">403 </text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#ff0000;font-family:Arial"
y="32.799999"
x="206.39999"
xml:space="preserve"
id="16">Proxy Unauthorized</text>
<path
d="m 114.4,23.3 c 1,12.6 -38.55,19.05 -91.35,14.85"
style="fill:none;stroke:#ff0000;stroke-width:0.75px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="17"
inkscape:connector-curvature="0" />
<path
d="m 23.6,41.65 -10,-4.35 10.65,-2.55 -0.65,6.9 z"
style="fill:#ff0000;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="18"
inkscape:connector-curvature="0" />
<path
d="m 115.6,8.5 0,28.8 67.2,0 0,-28.8 -67.2,0 z"
style="fill:#fdefe3;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="19"
inkscape:connector-curvature="0" />
<path
d="m 115.6,37.3 67.2,0 0,-28.8 -67.2,0 0,28.8 z"
style="fill:none;stroke:#c00000;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="20"
inkscape:connector-curvature="0" />
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="20"
x="138.39999"
xml:space="preserve"
id="21">Auth</text>
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="31.200001"
x="122.4"
xml:space="preserve"
id="22">Component</text>
<path
d="M 292.6,22.9 C 295,47.25 251.2,54.6 192,39.75"
style="fill:none;stroke:#ff0000;stroke-width:0.75px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="23"
inkscape:connector-curvature="0" />
<path
d="m 191.95,43.3 -9.15,-6 10.9,-0.7 -1.75,6.7 z"
style="fill:#ff0000;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="24"
inkscape:connector-curvature="0" />
<path
d="m 293.8,8.5 0,28.8 67.2,0 0,-28.8 -67.2,0 z"
style="fill:#d1ebf1;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="25"
inkscape:connector-curvature="0" />
<path
d="m 293.8,37.3 67.2,0 0,-28.8 -67.2,0 0,28.8 z"
style="fill:none;stroke:#1f477d;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="26"
inkscape:connector-curvature="0" />
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="20"
x="302.39999"
xml:space="preserve"
id="27">OpenStack</text>
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="31.200001"
x="310.39999"
xml:space="preserve"
id="28">Service</text>
<path
d="m 182.8,22.9 101.5,0"
style="fill:none;stroke:#000000;stroke-width:0.75px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="29"
inkscape:connector-curvature="0" />
<path
d="m 283.45,19.4 10.35,3.5 -10.35,3.45 0,-6.95 z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="30"
inkscape:connector-curvature="0" />
<path
d="M 1.6,22.9 106.7,22.85"
style="fill:none;stroke:#000000;stroke-width:0.75px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="31"
inkscape:connector-curvature="0" />
<path
d="m 105.85,19.35 10.35,3.5 -10.35,3.45 0,-6.95 z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="32"
inkscape:connector-curvature="0" />
</g>
</g>
</svg>


@ -1,112 +0,0 @@
..
Copyright 2011 OpenStack, LLC
All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
keystone.conf example
=====================
::
[DEFAULT]
# Show more verbose log output (sets INFO log level output)
verbose = False
# Show debugging output in logs (sets DEBUG log level output)
debug = False
# Which backend store should Keystone use by default.
# Default: 'sqlite'
# Available choices are 'sqlite' [future will include LDAP, PAM, etc]
default_store = sqlite
# Log to this file. Make sure you do not set the same log
# file for both the API and registry servers!
log_file = %DEST%/keystone/keystone.log
# List of backends to be configured
backends = keystone.backends.sqlalchemy
#For LDAP support, add: ,keystone.backends.ldap
# Dictionary Maps every service to a header.Missing services would get header
# X_(SERVICE_NAME) Key => Service Name, Value => Header Name
service-header-mappings = {
'nova' : 'X-Server-Management-Url',
'swift' : 'X-Storage-Url',
'cdn' : 'X-CDN-Management-Url'}
#List of extensions currently loaded.
#Refer docs for list of supported extensions.
extensions= osksadm,oskscatalog
# Address to bind the API server
# TODO Properties defined within app not available via pipeline.
service_host = 0.0.0.0
# Port the bind the API server to
service_port = 5000
# Address to bind the Admin API server
admin_host = 0.0.0.0
# Port the bind the Admin API server to
admin_port = 35357
#Role that allows to perform admin operations.
keystone-admin-role = KeystoneAdmin
#Role that allows to perform service admin operations.
keystone-service-admin-role = KeystoneServiceAdmin
[keystone.backends.sqlalchemy]
# SQLAlchemy connection string for the reference implementation registry
# server. Any valid SQLAlchemy connection string is fine.
# See: http://bit.ly/ideIpI
#sql_connection = sqlite:///keystone.db
sql_connection = %SQL_CONN%
backend_entities = ['UserRoleAssociation', 'Endpoints', 'Role', 'Tenant',
'User', 'Credentials', 'EndpointTemplates', 'Token',
'Service']
# Period in seconds after which SQLAlchemy should reestablish its connection
# to the database.
sql_idle_timeout = 30
[pipeline:admin]
pipeline =
urlnormalizer
d5_compat
admin_api
[pipeline:keystone-legacy-auth]
pipeline =
urlnormalizer
legacy_auth
d5_compat
service_api
[app:service_api]
paste.app_factory = keystone.server:service_app_factory
[app:admin_api]
paste.app_factory = keystone.server:admin_app_factory
[filter:urlnormalizer]
paste.filter_factory = keystone.frontends.normalizer:filter_factory
[filter:legacy_auth]
paste.filter_factory = keystone.frontends.legacy_token_auth:filter_factory
[filter:d5_compat]
paste.filter_factory = keystone.frontends.d5_compat:filter_factory
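
Review bot: the removed sample sets `admin_host = 0.0.0.0` next to `service_host = 0.0.0.0`, so a deployment copied from it serves the Admin API on port 35357 on every interface; whatever configuration reference replaces this file should bind the admin listener to a loopback or management address in its sample and say why. The sample also leaves the `%DEST%` and `%SQL_CONN%` template tokens unexpanded in `log_file` and `sql_connection`, which a replacement should swap for literal example values. Since the hunk deletes the file outright (`-1,112 +0,0`), nothing here shows where `keystone-admin-role` and `keystone-service-admin-role` are documented afterwards; please confirm the new docs cover them.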


@ -1,87 +0,0 @@
==============
keystone-admin
==============
---------------------------
Keystone Management Utility
---------------------------
:Author: keystone@lists.launchpad.net
:Date: 2011-10-31
:Copyright: OpenStack LLC
:Version: 0.1.2
:Manual section: 1
:Manual group: cloud computing
SYNOPSIS
========
keystone-admin [options]
DESCRIPTION
===========
keystone-admin starts the administrative API server for Keystone.
Use :doc:`keystone-control` to stop/start/restart and manage those services
once started.
USAGE
=====
``keystone-admin [options]``
Common Options
--------------
--version show program's version number and exit
-h, --help show this help message and exit
-v, --verbose Print more verbose output
-d, --debug Print debugging output to console
-c PATH, --config-file=PATH Path to the config file to use. When not
specified (the default), we generally look at
the first argument specified to be a config
file, and if that is also missing, we search
standard directories for a config file.
-p BIND_PORT, --port=BIND_PORT, --bind-port=BIND_PORT
specifies port to listen on (default is 5000)
--host=BIND_HOST, --bind-host=BIND_HOST
specifies host address to listen on (default
is all or 0.0.0.0)
-t, --trace-calls Turns on call tracing for troubleshooting
-a PORT, --admin-port=PORT Specifies port for Admin API to listen on
(default is 35357)
Logging Options
---------------
The following configuration options are specific to logging
functionality for this program.
--log-config=PATH If this option is specified, the logging
configuration file specified is used and
overrides any other logging options specified.
Please see the Python logging module
documentation for details on logging
configuration files.
--log-date-format=FORMAT Format string for %(asctime)s in log records.
Default: %Y-%m-%d %H:%M:%S
--log-file=PATH (Optional) Name of log file to output to. If
not set, logging will go to stdout.
--log-dir=LOG_DIR (Optional) The directory to keep log files in
(will be prepended to --logfile)
FILES
=====
None
SEE ALSO
========
* `Keystone <http://github.com/openstack/keystone>`__
SOURCE
======
* Keystone is sourced in GitHub `Keystone <http://github.com/openstack/keystone>`__
* Keystone bugs are managed at Launchpad `Launchpad Keystone <https://bugs.launchpad.net/keystone>`__
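
Review bot: in the options table, `-p BIND_PORT` is documented with "default is 5000" on a page whose DESCRIPTION says the command starts the administrative API server, while `-a PORT` gives 35357 for the Admin API; if this page is carried into the new docs, state which port the admin server binds by default. The `--log-dir` entry refers to `--logfile`, but the option listed above it is `--log-file`.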


@ -1,87 +0,0 @@
=============
keystone-auth
=============
---------------------------
Keystone Management Utility
---------------------------
:Author: keystone@lists.launchpad.net
:Date: 2011-10-31
:Copyright: OpenStack LLC
:Version: 0.1.2
:Manual section: 1
:Manual group: cloud computing
SYNOPSIS
========
keystone-auth [options]
DESCRIPTION
===========
keystone-auth starts the service API server for Keystone.
Use :doc:`keystone-control` to stop/start/restart and manage those services
once started.
USAGE
=====
``keystone-auth [options]``
Common Options:
^^^^^^^^^^^^^^^
--version show program's version number and exit
-h, --help show this help message and exit
-v, --verbose Print more verbose output
-d, --debug Print debugging output to console
-c PATH, --config-file=PATH Path to the config file to use. When not
specified (the default), we generally look at
the first argument specified to be a config
file, and if that is also missing, we search
standard directories for a config file.
-p BIND_PORT, --port=BIND_PORT, --bind-port=BIND_PORT
specifies port to listen on (default is 5000)
--host=BIND_HOST, --bind-host=BIND_HOST
specifies host address to listen on (default
is all or 0.0.0.0)
-t, --trace-calls Turns on call tracing for troubleshooting
-a PORT, --admin-port=PORT Specifies port for Admin API to listen on
(default is 35357)
Logging Options:
^^^^^^^^^^^^^^^^
The following configuration options are specific to logging
functionality for this program.
--log-config=PATH If this option is specified, the logging
configuration file specified is used and
overrides any other logging options specified.
Please see the Python logging module
documentation for details on logging
configuration files.
--log-date-format=FORMAT Format string for %(asctime)s in log records.
Default: %Y-%m-%d %H:%M:%S
--log-file=PATH (Optional) Name of log file to output to. If
not set, logging will go to stdout.
--log-dir=LOG_DIR (Optional) The directory to keep log files in
(will be prepended to --logfile)
FILES
=====
None
SEE ALSO
========
* `Keystone <http://github.com/openstack/keystone>`__
SOURCE
======
* Keystone is sourced in GitHub `Keystone <http://github.com/openstack/keystone>`__
* Keystone bugs are managed at Launchpad `Launchpad Keystone <https://bugs.launchpad.net/keystone>`__


@ -1,101 +0,0 @@
================
keystone-control
================
---------------------------
Keystone Management Utility
---------------------------
:Author: keystone@lists.launchpad.net
:Date: 2011-10-31
:Copyright: OpenStack LLC
:Version: 0.1.2
:Manual section: 1
:Manual group: cloud computing
SYNOPSIS
========
keystone-control [options] <server> <commands> (<conf path>)
DESCRIPTION
===========
keystone-control is the command line tool that interacts with the keystone
service to configure Keystone
USAGE
=====
``keystone-control [options] <server> <command> (<conf path>)``
where server is one of:
* all
* auth
* admin
and command is one of:
* start
* stop
* shutdown
* restart
* reload
* force-reload
Common Options:
^^^^^^^^^^^^^^^
--version show program's version number and exit
-h, --help show this help message and exit
-v, --verbose Print more verbose output
-d, --debug Print debugging output to console
-c PATH, --config-file=PATH Path to the config file to use. When not
specified (the default), we generally look at
the first argument specified to be a config
file, and if that is also missing, we search
standard directories for a config file.
-p BIND_PORT, --port=BIND_PORT, --bind-port=BIND_PORT
specifies port to listen on (default is 5000)
--host=BIND_HOST, --bind-host=BIND_HOST
specifies host address to listen on (default
is all or 0.0.0.0)
-t, --trace-calls Turns on call tracing for troubleshooting
-a PORT, --admin-port=PORT Specifies port for Admin API to listen on
(default is 35357)
Logging Options:
^^^^^^^^^^^^^^^^
The following configuration options are specific to logging
functionality for this program.
--log-config=PATH If this option is specified, the logging
configuration file specified is used and
overrides any other logging options specified.
Please see the Python logging module
documentation for details on logging
configuration files.
--log-date-format=FORMAT Format string for %(asctime)s in log records.
Default: %Y-%m-%d %H:%M:%S
--log-file=PATH (Optional) Name of log file to output to. If
not set, logging will go to stdout.
--log-dir=LOG_DIR (Optional) The directory to keep log files in
(will be prepended to --logfile)
FILES
=====
None
SEE ALSO
========
* `Keystone <http://github.com/openstack/keystone>`__
SOURCE
======
* Keystone is sourced in GitHub `Keystone <http://github.com/openstack/keystone>`__
* Keystone bugs are managed at Launchpad `Launchpad Keystone <https://bugs.launchpad.net/keystone>`__
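
Review bot: the DESCRIPTION reuses the keystone-manage wording ("interacts with the keystone service to configure Keystone"), although the USAGE section shows this tool starts, stops and reloads the `all`, `auth` and `admin` servers; a replacement page should describe process control instead. SYNOPSIS says `<commands>` where USAGE says `<command>`, and the command list gives no explanation of how `shutdown` differs from `stop` or `force-reload` from `reload`, which matters to an operator deciding how to cycle an identity service.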


@ -1,86 +0,0 @@
===============
keystone-import
===============
---------------------------
Keystone Management Utility
---------------------------
:Author: keystone@lists.launchpad.net
:Date: 2011-10-31
:Copyright: OpenStack LLC
:Version: 0.1.2
:Manual section: 1
:Manual group: cloud computing
SYNOPSIS
========
keystone-import [options] filename
DESCRIPTION
===========
keystone-import takes a file of commands written in the same format as using
:doc:`keystone-manage` and imports that data into Keystone. It is intended to
import users, tenants, and EC2 credentials from nova into keystone.
USAGE
=====
``keystone-import [options] filename``
Common Options:
^^^^^^^^^^^^^^^
--version show program's version number and exit
-h, --help show this help message and exit
-v, --verbose Print more verbose output
-d, --debug Print debugging output to console
-c PATH, --config-file=PATH Path to the config file to use. When not
specified (the default), we generally look at
the first argument specified to be a config
file, and if that is also missing, we search
standard directories for a config file.
-p BIND_PORT, --port=BIND_PORT, --bind-port=BIND_PORT
specifies port to listen on (default is 5000)
--host=BIND_HOST, --bind-host=BIND_HOST
specifies host address to listen on (default
is all or 0.0.0.0)
-t, --trace-calls Turns on call tracing for troubleshooting
-a PORT, --admin-port=PORT Specifies port for Admin API to listen on
(default is 35357)
Logging Options:
^^^^^^^^^^^^^^^^
The following configuration options are specific to logging
functionality for this program.
--log-config=PATH If this option is specified, the logging
configuration file specified is used and
overrides any other logging options specified.
Please see the Python logging module
documentation for details on logging
configuration files.
--log-date-format=FORMAT Format string for %(asctime)s in log records.
Default: %Y-%m-%d %H:%M:%S
--log-file=PATH (Optional) Name of log file to output to. If
not set, logging will go to stdout.
--log-dir=LOG_DIR (Optional) The directory to keep log files in
(will be prepended to --logfile)
FILES
=====
None
SEE ALSO
========
* `Keystone <http://github.com/openstack/keystone>`__
SOURCE
======
* Keystone is sourced in GitHub `Keystone <http://github.com/openstack/keystone>`__
* Keystone bugs are managed at Launchpad `Launchpad Keystone <https://bugs.launchpad.net/keystone>`__
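
Review bot: the DESCRIPTION says the input file carries users, tenants and EC2 credentials in keystone-manage command format, yet the page gives no guidance on protecting that file (permissions, removal after import); any successor documentation for a bulk import path should add it. The options table also lists `-p`, `--host` and `-a` listener settings for a tool that only reads a file, which looks copied from the server pages and should be dropped if the page is ported.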


@ -1,192 +0,0 @@
===============
keystone-manage
===============
---------------------------
Keystone Management Utility
---------------------------
:Author: keystone@lists.launchpad.net
:Date: 2010-11-16
:Copyright: OpenStack LLC
:Version: 0.1.2
:Manual section: 1
:Manual group: cloud computing
SYNOPSIS
========
keystone-manage [options]
DESCRIPTION
===========
keystone-manage is the command line tool that interacts with the keystone
service to configure Keystone
USAGE
=====
``keystone-manage [options] type action [additional args]``
user
----
* **user add** [username] [password]
adds a user to Keystone's data store
* **user list**
lists all users
* **user disable** [username]
disables the user *username*
tenant
------
* **tenant add** [tenant_name]
adds a tenant to Keystone's data store
* **tenant list**
lists all users
* **tenant disable** [tenant_name]
role
----
Roles are used to associated users to tenants. Two roles are defined related
to the Keystone service in it's configuration file :doc:`../keystone.conf`
* **role add** [role_name]
adds a role
* **role list** ([tenant_name])
lists all roles, or all roles for tenant, if tenant_name is provided
* **role grant** [role_name] [username] ([tenant])
grants a role to a specific user. Granted globally if tenant_name is not
provided or granted for a specific tenant if tenant_name is provided.
service
-------
* **service add** [name] [type] [description] [owner_id]
adds a service
* **service list**
lists all services with id, name, and type
endpointTemplate
----------------
* **endpointTemplate add** [region] [service_name] [public_url] [admin_url] [internal_url] [enabled] [is_global]
Add a service endpoint for keystone.
example::
keystone-manage endpointTemplates add RegionOne \
keystone \
http://keystone_host:5000/v2.0 \
http://keystone_host:35357/v2.0 \
http://keystone_host:5000/v2.0 \
1 1
* **endpointTemplate list** ([tenant_name])
lists endpoint templates with service, region, and public_url. Restricted to
tenant endpoints if tenant_name is provided.
token
-----
* **token add** [token] [username] [tenant] [expiration]
adds a token for a given user and tenant with an expiration
* **token list**
lists all tokens
* **token delete** [token]
deletes the identified token
endpoint
--------
* **endpoint add** [tenant_name] [endpoint_template]
adds a tenant-specific endpoint
credentials
-----------
* **credentials add** [username] [type] [key] [password] ([tenant_name])
OPTIONS
=======
--version show program's version number and exit
-h, --help show this help message and exit
-v, --verbose Print more verbose output
-d, --debug Print debugging output to console
-c PATH, --config-file=PATH Path to the config file to use. When not
specified (the default), we generally look at
the first argument specified to be a config
file, and if that is also missing, we search
standard directories for a config file.
-p BIND_PORT, --port=BIND_PORT, --bind-port=BIND_PORT
specifies port to listen on (default is 5000)
--host=BIND_HOST, --bind-host=BIND_HOST
specifies host address to listen on (default
is all or 0.0.0.0)
-t, --trace-calls Turns on call tracing for troubleshooting
-a PORT, --admin-port=PORT Specifies port for Admin API to listen on
(default is 35357)
Logging Options:
================
The following configuration options are specific to logging
functionality for this program.
--log-config=PATH If this option is specified, the logging
configuration file specified is used and
overrides any other logging options specified.
Please see the Python logging module
documentation for details on logging
configuration files.
--log-date-format=FORMAT Format string for %(asctime)s in log records.
Default: %Y-%m-%d %H:%M:%S
--log-file=PATH (Optional) Name of log file to output to. If
not set, logging will go to stdout.
--log-dir=LOG_DIR (Optional) The directory to keep log files in
(will be prepended to --logfile)
FILES
=====
None
SEE ALSO
========
* `Keystone <http://github.com/openstack/keystone>`__
SOURCE
======
* Keystone is sourced in GitHub `Keystone <http://github.com/openstack/keystone>`__
* Keystone bugs are managed at Launchpad `Launchpad Keystone <https://bugs.launchpad.net/keystone>`__
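
Review bot: `user add [username] [password]`, `credentials add [username] [type] [key] [password]` and `token add [token] [username] [tenant] [expiration]` all take the secret as a positional argument, which leaves it in shell history and the process list; the documentation for the replacement CLI should say so or describe a safer way to supply it. Defects not worth carrying over if this text is reused: `tenant list` is described as "lists all users", `tenant disable` and `credentials add` have no description at all, and the example invokes `endpointTemplates add` while the entry is named `endpointTemplate add`.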

View File

@ -1,90 +0,0 @@
========
keystone
========
---------------------------
Keystone Management Utility
---------------------------
:Author: keystone@lists.launchpad.net
:Date: 2010-11-16
:Copyright: OpenStack LLC
:Version: 0.1.2
:Manual section: 1
:Manual group: cloud computing
SYNOPSIS
========
keystone [options]
DESCRIPTION
===========
keystone starts both the service and administrative API servers for Keystone.
Use :doc:`keystone-control` to stop/start/restart and manage those services
once started.
USAGE
=====
keystone ``keystone [options]``
Common Options:
^^^^^^^^^^^^^^^
--version show program's version number and exit
-h, --help show this help message and exit
The following configuration options are common to all keystone
programs.::
-v, --verbose Print more verbose output
-d, --debug Print debugging output to console
-c PATH, --config-file=PATH Path to the config file to use. When not
specified (the default), we generally look at
the first argument specified to be a config
file, and if that is also missing, we search
standard directories for a config file.
-p BIND_PORT, --port=BIND_PORT, --bind-port=BIND_PORT
specifies port to listen on (default is 5000)
--host=BIND_HOST, --bind-host=BIND_HOST
specifies host address to listen on (default
is all or 0.0.0.0)
-t, --trace-calls Turns on call tracing for troubleshooting
-a PORT, --admin-port=PORT Specifies port for Admin API to listen on
(default is 35357)
Logging Options:
^^^^^^^^^^^^^^^^
The following configuration options are specific to logging
functionality for this program.::
--log-config=PATH If this option is specified, the logging
configuration file specified is used and
overrides any other logging options specified.
Please see the Python logging module
documentation for details on logging
configuration files.
--log-date-format=FORMAT Format string for %(asctime)s in log records.
Default: %Y-%m-%d %H:%M:%S
--log-file=PATH (Optional) Name of log file to output to. If
not set, logging will go to stdout.
--log-dir=LOG_DIR (Optional) The directory to keep log files in
(will be prepended to --logfile)
FILES
=====
None
SEE ALSO
========
* `Keystone <http://github.com/openstack/keystone>`__
SOURCE
======
* Keystone is sourced in GitHub `Keystone <http://github.com/openstack/keystone>`__
* Keystone bugs are managed at Launchpad `Launchpad Keystone <https://bugs.launchpad.net/keystone>`__
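Review bot: the options block of this removed `keystone` man page is where the listen defaults are written down (`--bind-host` "default is all or 0.0.0.0", port 5000, Admin API on 35357), so check that the page replacing it still states them. An admin API that binds every interface by default is something operators need to see in the documentation so they can firewall or rebind it. The same block says `--log-dir` "will be prepended to --logfile" although the option is spelled `--log-file`; fix that if the text is carried forward.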

View File

@ -1,85 +0,0 @@
==========
sampledata
==========
---------------------------
Keystone Management Utility
---------------------------
:Author: keystone@lists.launchpad.net
:Date: 2011-10-31
:Copyright: OpenStack LLC
:Version: 0.1.2
:Manual section: 1
:Manual group: cloud computing
SYNOPSIS
========
sampledata [options]
DESCRIPTION
===========
sampledata creates a development set of sample data for use with testing
keystone.
USAGE
=====
``sampledata [options]``
Common Options:
^^^^^^^^^^^^^^^
--version show program's version number and exit
-h, --help show this help message and exit
-v, --verbose Print more verbose output
-d, --debug Print debugging output to console
-c PATH, --config-file=PATH Path to the config file to use. When not
specified (the default), we generally look at
the first argument specified to be a config
file, and if that is also missing, we search
standard directories for a config file.
-p BIND_PORT, --port=BIND_PORT, --bind-port=BIND_PORT
specifies port to listen on (default is 5000)
--host=BIND_HOST, --bind-host=BIND_HOST
specifies host address to listen on (default
is all or 0.0.0.0)
-t, --trace-calls Turns on call tracing for troubleshooting
-a PORT, --admin-port=PORT Specifies port for Admin API to listen on
(default is 35357)
Logging Options:
^^^^^^^^^^^^^^^^
The following configuration options are specific to logging
functionality for this program.
--log-config=PATH If this option is specified, the logging
configuration file specified is used and
overrides any other logging options specified.
Please see the Python logging module
documentation for details on logging
configuration files.
--log-date-format=FORMAT Format string for %(asctime)s in log records.
Default: %Y-%m-%d %H:%M:%S
--log-file=PATH (Optional) Name of log file to output to. If
not set, logging will go to stdout.
--log-dir=LOG_DIR (Optional) The directory to keep log files in
(will be prepended to --logfile)
FILES
=====
None
SEE ALSO
========
* `Keystone <http://github.com/openstack/keystone>`__
SOURCE
======
* Keystone is sourced in GitHub `Keystone <http://github.com/openstack/keystone>`__
* Keystone bugs are managed at Launchpad `Launchpad Keystone <https://bugs.launchpad.net/keystone>`__

View File

@ -1,69 +0,0 @@
..
Copyright 2011 OpenStack, LLC
All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
===============================
Service API Examples Using Curl
===============================
The service API is defined to be a subset of the Admin API and, by
default, runs on port 5000.
GET /
=====
This call is identical to that documented for the Admin API, except
that it uses port 5000, instead of port 35357, by default::
$ curl http://0.0.0.0:5000
or::
$ curl http://0.0.0.0:5000/v2.0/
See the `Admin API Examples Using Curl`_ for more info.
.. _`Admin API Examples Using Curl`: adminAPI_curl_examples.html
GET /extensions
===============
This call is identical to that documented for the Admin API.
POST /tokens
============
This call is identical to that documented for the Admin API.
GET /tenants
============
List all of the tenants your token can access::
$ curl -H "X-Auth-Token:887665443383838" http://localhost:5000/v2.0/tenants
Returns::
{
"tenants_links": [],
"tenants": [
{
"enabled": true,
"description": "None",
"name": "customer-x",
"id": "1"
}
]
}

View File

@ -1,77 +0,0 @@
================
Testing Keystone
================
Keystone uses a number of testing methodologies to ensure correctness.
Running Built-In Tests
======================
To run the full suites of tests maintained within Keystone, run::
$ ./run_tests.sh --with-progress
This shows realtime feedback during test execution, and iterates over
multiple configuration variations.
This differs from how tests are executed from the continuous integration
environment. Specifically, Jenkins doesn't care about realtime progress,
and aborts after the first test failure (a fail-fast behavior)::
$ ./run_tests.sh
Testing Schema Migrations
=========================
The application of schema migrations can be tested using SQLAlchemy Migrates built-in test runner, one migration at a time.
.. WARNING::
This may leave your database in an inconsistent state; attempt this in non-production environments only!
This is useful for testing the *next* migration in sequence (both forward & backward) in a database under version control::
$ python keystone/backends/sqlalchemy/migrate_repo/manage.py test --url=sqlite:///test.db --repository=keystone/backends/sqlalchemy/migrate_repo/
This command refers to a SQLite database used for testing purposes. Depending on the migration, this command alone does not make assertions as to the integrity of your data during migration.
Writing Tests
=============
Tests are maintained in the ``keystone.test`` module. Unit tests are
isolated from functional tests.
Functional Tests
----------------
The ``keystone.test.functional.common`` module provides a ``unittest``-based
``httplib`` client which you can extend and use for your own tests.
Generally, functional tests should serve to illustrate intended use cases
and API behaviors. To help make your tests easier to read, the test client:
- Authenticates with a known user name and password combination
- Asserts 2xx HTTP status codes (unless told otherwise)
- Abstracts keystone REST verbs & resources into single function calls
Testing Multiple Configurations
-------------------------------
Several variations of the default configuration are iterated over to
ensure test coverage of mutually exclusive featuresets, such as the
various backend options.
These configuration templates are maintained in ``keystone/test/etc`` and
are iterated over by ``run_tests.py``.
Further Testing
===============
devstack_ is the *best* way to quickly deploy keystone with the rest of the
OpenStack universe and should be critical step in your development workflow!
You may also be interested in either the `OpenStack Continuous Integration Project`_
or the `OpenStack Integration Testing Project`_.
.. _devstack: http://devstack.org/
.. _OpenStack Continuous Integration Project: https://github.com/openstack/openstack-ci
.. _OpenStack Integration Testing Project: https://github.com/openstack/openstack-integration-tests

View File

@ -1,28 +0,0 @@
..
Copyright 2011 OpenStack, LLC
All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
==============
Using Keystone
==============
Curl examples
-------------
.. toctree::
:maxdepth: 1
adminAPI_curl_examples
serviceAPI_curl_examples

159
docs/Makefile Normal file
View File

@ -0,0 +1,159 @@
# Makefile for Sphinx documentation
#
# You can set these variables from the command line.
SPHINXOPTS =
SPHINXBUILD = sphinx-build
PAPER =
BUILDDIR = build
SOURCEDIR = source
SPHINXAPIDOC = sphinx-apidoc
# Internal variables.
PAPEROPT_a4 = -D latex_paper_size=a4
PAPEROPT_letter = -D latex_paper_size=letter
ALLSPHINXOPTS = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) source
# the i18n builder cannot share the environment and doctrees with the others
I18NSPHINXOPTS = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) source
.PHONY: help clean html dirhtml singlehtml pickle json htmlhelp qthelp devhelp epub latex latexpdf text man changes linkcheck doctest gettext
help:
@echo "Please use \`make <target>' where <target> is one of"
@echo " autodoc generate the autodoc templates"
@echo " html to make standalone HTML files"
@echo " dirhtml to make HTML files named index.html in directories"
@echo " singlehtml to make a single large HTML file"
@echo " pickle to make pickle files"
@echo " json to make JSON files"
@echo " htmlhelp to make HTML files and a HTML help project"
@echo " qthelp to make HTML files and a qthelp project"
@echo " devhelp to make HTML files and a Devhelp project"
@echo " epub to make an epub"
@echo " latex to make LaTeX files, you can set PAPER=a4 or PAPER=letter"
@echo " latexpdf to make LaTeX files and run them through pdflatex"
@echo " text to make text files"
@echo " man to make manual pages"
@echo " texinfo to make Texinfo files"
@echo " info to make Texinfo files and run them through makeinfo"
@echo " gettext to make PO message catalogs"
@echo " changes to make an overview of all changed/added/deprecated items"
@echo " linkcheck to check all external links for integrity"
@echo " doctest to run all doctests embedded in the documentation (if enabled)"
clean:
-rm -rf $(BUILDDIR)/*
autodoc:
$(SPHINXAPIDOC) -f -o $(SOURCEDIR) ../keystone
html: autodoc
$(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
@echo
@echo "Build finished. The HTML pages are in $(BUILDDIR)/html."
dirhtml:
$(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml
@echo
@echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml."
singlehtml:
$(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml
@echo
@echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml."
pickle:
$(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle
@echo
@echo "Build finished; now you can process the pickle files."
json:
$(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json
@echo
@echo "Build finished; now you can process the JSON files."
htmlhelp:
$(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp
@echo
@echo "Build finished; now you can run HTML Help Workshop with the" \
".hhp project file in $(BUILDDIR)/htmlhelp."
qthelp:
$(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp
@echo
@echo "Build finished; now you can run "qcollectiongenerator" with the" \
".qhcp project file in $(BUILDDIR)/qthelp, like this:"
@echo "# qcollectiongenerator $(BUILDDIR)/qthelp/keystone.qhcp"
@echo "To view the help file:"
@echo "# assistant -collectionFile $(BUILDDIR)/qthelp/keystone.qhc"
devhelp:
$(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp
@echo
@echo "Build finished."
@echo "To view the help file:"
@echo "# mkdir -p $$HOME/.local/share/devhelp/keystone"
@echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/keystone"
@echo "# devhelp"
epub:
$(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub
@echo
@echo "Build finished. The epub file is in $(BUILDDIR)/epub."
latex:
$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
@echo
@echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex."
@echo "Run \`make' in that directory to run these through (pdf)latex" \
"(use \`make latexpdf' here to do that automatically)."
latexpdf:
$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
@echo "Running LaTeX files through pdflatex..."
$(MAKE) -C $(BUILDDIR)/latex all-pdf
@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
text:
$(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text
@echo
@echo "Build finished. The text files are in $(BUILDDIR)/text."
man:
$(SPHINXBUILD) -b man $(ALLSPHINXOPTS) $(BUILDDIR)/man
@echo
@echo "Build finished. The manual pages are in $(BUILDDIR)/man."
texinfo:
$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
@echo
@echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo."
@echo "Run \`make' in that directory to run these through makeinfo" \
"(use \`make info' here to do that automatically)."
info:
$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
@echo "Running Texinfo files through makeinfo..."
make -C $(BUILDDIR)/texinfo info
@echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo."
gettext:
$(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale
@echo
@echo "Build finished. The message catalogs are in $(BUILDDIR)/locale."
changes:
$(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes
@echo
@echo "The overview file is in $(BUILDDIR)/changes."
linkcheck:
$(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck
@echo
@echo "Link check complete; look for any errors in the above output " \
"or in $(BUILDDIR)/linkcheck/output.txt."
doctest:
$(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest
@echo "Testing of doctests in the sources finished, look at the " \
"results in $(BUILDDIR)/doctest/output.txt."

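Review bot: `SOURCEDIR = source` is defined at the top, but `ALLSPHINXOPTS` and `I18NSPHINXOPTS` both end in a literal `source`, so overriding `SOURCEDIR` on the command line only changes where `autodoc` writes and not what the builders read; use `$(SOURCEDIR)` in both. `.PHONY` also omits `autodoc`, `texinfo` and `info`, and the `info` recipe calls `make -C` where `latexpdf` uses `$(MAKE) -C`. Only `html` depends on `autodoc`, so `dirhtml`, `man` and the other builders run without regenerating the API stubs; either add the dependency or say so in the `help` text.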
View File

@ -1,37 +1,39 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<diagram>
<source><![CDATA[#!>>
#!Keystone Admin registers an openstack service as a service supported by keystone.
#!Service credentials returned are provided to the actual service.
#!
#!Actual services use the service credentials to fetch the service token to create roles, endpoints templates,
#!endpoints specific to service and also to validate tokens.
#!
#!We could extend this behavior to allow any keystone operations carried on behalf of the service to happen
#!only using the service token.
#!
#!Keystone has its own roles to manage itself.Roles specific to a service are available only for that service.
#!<<
keystone-admin:Actor
/queue:FIFO
openstack:Service
keystone:Service
<source><![CDATA[client:client "Client"
compat:compat "Compat"
token:token "Token Service"
identity:identity "Identity Service"
catalog:catalog "Catalog Service"
[c:Register_Service]
keystone-admin:keystone.Register Openstack Service (Service Details)
keystone:keystone-admin.Provide Service Credentials
keystone-admin:openstack.Provide Service Credentials
[c "Auth, No Tenant"]
client:{token, user, service_catalog}=compat.POST /v2.0/tokens {'username': user, 'password': password}
compat:(user, password, None)=identity.authenticate(user, password, tenant=None)
compat:(id, user, password, None)=token.create_token(user, password, tenant=None)
compat:{service_catalog (includes all tenants)}=catalog.get_catalog(user, None)
[/c]
[c:Authenticate]
openstack:service_token=keystone.Service Credentials
[c "Auth, With Tenant"]
client:{scoped_token, user, service_catalog}=compat.POST /v2.0/tokens {'username': user, 'password': password, 'tenant': tenant}
compat:(user, password, tenant)=identity.authenticate(user, password, tenant)
compat:(id, user, password, tenant)=token.create_token(user, password, tenant)
compat:{service_catalog (includes all tenants)}=catalog.get_catalog(user, tenant)
[/c]
[c:Service_Operations]
openstack:keystone.Add Service Specific Roles<service_token>
openstack:keystone.Add Service Specific Endpoint Templates<service_token>
openstack:keystone.Add Service Specific Endpoints<service_token>
openstack:keystone.Validate Token<service_token>
[c "Validate Token, Unscoped"]
client:{token, user, tenant=None}=compat.GET /v2.0/tokens/$token
compat:{token, user, tenant}=token.get_token($token)
[/c]
[c "Validate Token, With Tenant"]
client:{token, user, tenant}=compat.GET /v2.0/tokens/$token?belongs_to=$tenant
compat:{token, user, tenant}=token.get_token($token)
[/c]
[c "Tenants for Token"]
client:{tenants}=compat.(X-Auth-Token: $token) GET /v2.0/tenants
compat:{token, user, tenant}=token.get_token($token)
compat:{token, user, tenant}=identity.get_tenants($user)
[/c]]]></source>
<configuration>
<property name="activationBarBorderThickness" value="1"/>
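Review bot: in both "Auth" blocks `token.create_token(user, password, tenant)` is drawn as receiving the password and returning `(id, user, password, tenant)`, which reads as the Token service keeping the credential alongside the token. Once `identity.authenticate` has succeeded the token only needs the user and tenant, so drop `password` from the call and its return value, or annotate why it is there. Two smaller points: the "Tenants for Token" block shows `identity.get_tenants($user)` returning `{token, user, tenant}` where the client line expects `{tenants}`, and the "Auth, With Tenant" catalog line still says "includes all tenants" although it is called with a tenant.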

View File

@ -14,6 +14,61 @@
License for the specific language governing permissions and limitations
under the License.
===============================
Service API Examples Using Curl
===============================
The service API is defined to be a subset of the Admin API and, by
default, runs on port 5000.
GET /
=====
This call is identical to that documented for the Admin API, except
that it uses port 5000, instead of port 35357, by default::
$ curl http://0.0.0.0:5000
or::
$ curl http://0.0.0.0:5000/v2.0/
See the `Admin API Examples Using Curl`_ for more info.
.. _`Admin API Examples Using Curl`: adminAPI_curl_examples.html
GET /extensions
===============
This call is identical to that documented for the Admin API.
POST /tokens
============
This call is identical to that documented for the Admin API.
GET /tenants
============
List all of the tenants your token can access::
$ curl -H "X-Auth-Token:887665443383838" http://localhost:5000/v2.0/tenants
Returns::
{
"tenants_links": [],
"tenants": [
{
"enabled": true,
"description": "None",
"name": "customer-x",
"id": "1"
}
]
}
=============================
Admin API Examples Using Curl
=============================
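Review bot: the added "Service API Examples Using Curl" block sits above the existing "Admin API Examples Using Curl" title and uses the same overlined `=` style, so the page ends up with two top-level titles and Sphinx will take the first as the document title. Make one of them a subsection or keep the service examples in their own file. The added text also sends the reader to `adminAPI_curl_examples.html` for more info; if this is that file, the link points at itself. In the `GET /tenants` example the `X-Auth-Token` header travels over plain `http://`; a sentence saying that a real deployment should put this behind TLS would help, since anyone who captures the token can reuse it.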

View File

@ -0,0 +1,203 @@
..
Copyright 2011 OpenStack, LLC
All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
Keystone Architecture
=====================
Much of the design is precipitated from the expectation that the auth backends
for most deployments will actually be shims in front of existing user systems.
------------
The Services
------------
Keystone is organized as a group of services exposed on one or many endpoints.
Many of these services are used in a combined fashion by the frontend, for
example an authenticate call will validate user/tenant credentials with the
Identity service and, upon success, create and return a token with the Token
service.
Identity
--------
The Identity service provides auth credential validation and data about Users,
Tenants and Roles, as well as any associated metadata.
In the basic case all this data is managed by the service, allowing the service
to manage all the CRUD associated with the data.
In other cases, this data is pulled, by varying degrees, from an authoritative
backend service. An example of this would be when backending on LDAP. See
`LDAP Backend` below for more details.
Token
-----
The Token service validates and manages Tokens used for authenticating requests
once a user/tenant's credentials have already been verified.
Catalog
-------
The Catalog service provides an endpoint registry used for endpoint discovery.
Policy
------
The Policy service provides a rule-based authorization engine and the
associated rule management interface.
----------
Data Model
----------
Keystone was designed from the ground up to be amenable to multiple styles of
backends and as such many of the methods and data types will happily accept
more data than they know what to do with and pass them on to a backend.
There are a few main data types:
* **User**: has account credentials, is associated with one or more tenants
* **Tenant**: unit of ownership in openstack, contains one or more users
* **Role**: a first-class piece of metadata associated with many user-tenant pairs.
* **Token**: identifying credential associated with a user or user and tenant
* **Extras**: bucket of key-value metadata associated with a user-tenant pair.
* **Rule**: describes a set of requirements for performing an action.
While the general data model allows a many-to-many relationship between Users
and Tenants and a many-to-one relationship between Extras and User-Tenant pairs,
the actual backend implementations take varying levels of advantage of that
functionality.
KVS Backend
-----------
A simple backend interface meant to be further backended on anything that can
support primary key lookups, the most trivial implementation being an in-memory
dict.
Supports all features of the general data model.
PAM Backend
-----------
Extra simple backend that uses the current system's PAM service to authenticate,
providing a one-to-one relationship between Users and Tenants with the `root`
User also having the 'admin' role.
Templated Backend
-----------------
Largely designed for a common use case around service catalogs in the Keystone
project, a Catalog backend that simply expands pre-configured templates to
provide catalog data.
Example paste.deploy config (uses $ instead of % to avoid ConfigParser's
interpolation)::
[DEFAULT]
catalog.RegionOne.identity.publicURL = http://localhost:$(public_port)s/v2.0
catalog.RegionOne.identity.adminURL = http://localhost:$(public_port)s/v2.0
catalog.RegionOne.identity.internalURL = http://localhost:$(public_port)s/v2.0
catalog.RegionOne.identity.name = 'Identity Service'
----------------
Approach to CRUD
----------------
While it is expected that any "real" deployment at a large company will manage
their users, tenants and other metadata in their existing user systems, a
variety of CRUD operations are provided for the sake of development and testing.
CRUD is treated as an extension or additional feature to the core feature set in
that it is not required that a backend support it.
----------------------------------
Approach to Authorization (Policy)
----------------------------------
Various components in the system require that different actions are allowed
based on whether the user is authorized to perform that action.
For the purposes of Keystone Light there are only a couple levels of
authorization being checked for:
* Require that the performing user is considered an admin.
* Require that the performing user matches the user being referenced.
Other systems wishing to use the policy engine will require additional styles
of checks and will possibly write completely custom backends. Backends included
in Keystone Light are:
Trivial True
------------
Allows all actions.
Simple Match
------------
Given a list of matches to check for, simply verify that the credentials
contain the matches. For example::
credentials = {'user_id': 'foo', 'is_admin': 1, 'roles': ['nova:netadmin']}
# An admin only call:
policy_api.can_haz(('is_admin:1',), credentials)
# An admin or owner call:
policy_api.can_haz(('is_admin:1', 'user_id:foo'),
credentials)
# A netadmin call:
policy_api.can_haz(('roles:nova:netadmin',),
credentials)
Credentials are generally built from the user metadata in the 'extras' part
of the Identity API. So, adding a 'role' to the user just means adding the role
to the user metadata.
Capability RBAC
---------------
(Not yet implemented.)
Another approach to authorization can be action-based, with a mapping of roles
to which capabilities are allowed for that role. For example::
credentials = {'user_id': 'foo', 'is_admin': 1, 'roles': ['nova:netadmin']}
# add a policy
policy_api.add_policy('action:nova:add_network', ('roles:nova:netadmin',))
policy_api.can_haz(('action:nova:add_network',), credentials)
In the backend this would look up the policy for 'action:nova:add_network' and
then do what is effectively a 'Simple Match' style match against the creds.
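Review bot: the "Simple Match" section never says whether the match list is any-of or all-of: "verify that the credentials contain the matches" reads as all-of, while the "admin or owner" example `('is_admin:1', 'user_id:foo')` only makes sense as any-of. State the rule explicitly, since it decides who passes an authorization check. Also, "See `LDAP Backend` below" has no matching section in this file, the templated catalog example gives `adminURL` the same `$(public_port)s` as `publicURL`, and "Trivial True" ("Allows all actions") should say when it is appropriate to use.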

View File

@ -33,20 +33,6 @@ from blueprint designs to documentation to testing to deployment scripts.
.. _Launchpad: https://launchpad.net/keystone
.. _wiki: http://wiki.openstack.org/
Contributing Code
-----------------
To contribute code, sign up for a Launchpad account and sign a contributor license agreement,
available on the `<http://wiki.openstack.org/CLA>`_. Once the CLA is signed you
can contribute code through the Gerrit version control system which is related to your Launchpad account.
To contribute tests, docs, code, etc, refer to our `Gerrit-Jenkins-Github Workflow`_.
.. _`Gerrit-Jenkins-Github Workflow`: http://wiki.openstack.org/GerritJenkinsGithub
#openstack on Freenode IRC Network
----------------------------------
@ -68,10 +54,10 @@ to write drafts for specs or documentation, describe a blueprint, or collaborate
Keystone on Launchpad
---------------------
Launchpad is a code hosting service that hosts the Keystone source code. From
Launchpad you can report bugs, ask questions, and register blueprints (feature requests).
Launchpad is a code hosting that OpenStack is using to track bugs, feature work, and releases of OpenStack. Like other OpenStack projects, Keystone source code is hosted on GitHub
* `Launchpad Keystone Page <http://launchpad.net/keystone>`_
* `Keystone Project Page on Launchpad <http://launchpad.net/keystone>`_
* `Keystone Source Repository on GitHub <http://github.com/openstack/keystone>`_
OpenStack Blog
--------------
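Review bot: in the "Keystone on Launchpad" section, the sentence beginning "Launchpad is a code hosting that OpenStack is using" is missing a noun after "hosting" and has no final period after "hosted on GitHub". It also calls Launchpad code hosting in the same paragraph that says the source lives on GitHub. Something like "OpenStack uses Launchpad to track bugs, feature work, and releases. Like other OpenStack projects, Keystone's source code is hosted on GitHub." says what is meant.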
@ -82,9 +68,9 @@ events and posts from OpenStack contributors.
`OpenStack Blog <http://openstack.org/blog>`_
See also: `Planet OpenStack <http://planet.openstack.org/>`_, aggregating blogs
about OpenStack from around the internet into a single feed. If you'd like to contribute to this blog
aggregation with your blog posts, there are instructions for `adding your blog <http://wiki.openstack.org/AddingYourBlog>`_.
See also: `Planet OpenStack <http://planet.openstack.org/>`_, an aggregation of blogs
about OpenStack from around the internet, combined into a web site and RSS feed. If you'd like to
contribute with your blog posts, there are instructions for `adding your blog <http://wiki.openstack.org/AddingYourBlog>`_.
Twitter
-------

View File

@ -1,25 +1,9 @@
# -*- coding: utf-8 -*-
# Copyright (c) 2010 OpenStack, LLC.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# keystone documentation build configuration file, created by
# sphinx-quickstart on Mon Jan 9 12:02:59 2012.
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Keystone documentation build configuration file, created by
# sphinx-quickstart on Tue May 18 13:50:15 2010.
#
# This file is execfile()'d with the current directory set to it's containing
# dir.
# This file is execfile()d with the current directory set to its containing dir.
#
# Note that not all possible configuration values are present in this
# autogenerated file.
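Review bot: the header of conf.py shrinks from 25 lines to 9 here, and the Apache 2.0 license block with the OpenStack copyright line does not fit in what remains next to the sphinx-quickstart banner. The documentation sources elsewhere in this patch carry the license block, so keep it at the top of conf.py as well.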
@ -27,29 +11,26 @@
# All configuration values have a default; values that are commented out
# serve to show the default.
import os
import sys
import os
# If extensions (or modules to document with autodoc) are in another directory,
# add these directories to sys.path here. If the directory is relative to the
# documentation root, use os.path.abspath to make it absolute, like shown here.
sys.path = [os.path.abspath('../../keystone'),
os.path.abspath('../..'),
os.path.abspath('../../bin')
] + sys.path
sys.path.insert(0, os.path.abspath('../..'))
# -- General configuration ---------------------------------------------------
# -- General configuration -----------------------------------------------------
# Add any Sphinx extension module names here, as strings. They can be
# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
# If your documentation needs a minimal Sphinx version, state it here.
#needs_sphinx = '1.0'
# Add any Sphinx extension module names here, as strings. They can be extensions
# coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
#extensions = ['sphinx.ext.autodoc', 'sphinx.ext.intersphinx', 'sphinx.ext.todo', 'sphinx.ext.coverage']
extensions = ['sphinx.ext.autodoc',
'sphinx.ext.coverage',
'sphinx.ext.viewcode',
'sphinx.ext.ifconfig',
'sphinx.ext.intersphinx',
'sphinx.ext.pngmath',
'sphinx.ext.graphviz',
'sphinx.ext.todo']
'sphinx.ext.todo',
# 'sphinx.ect.intersphinx',
'sphinx.ext.coverage']
todo_include_todos = True
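Review bot: the commented-out entry in `extensions` is spelled `'sphinx.ect.intersphinx'`; anyone who uncomments it will get an extension import error from Sphinx. Correct it to `sphinx.ext.intersphinx` or delete the line, since the hunk already shows the correctly spelled name.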
@ -64,25 +45,23 @@ else:
source_suffix = '.rst'
# The encoding of source files.
#source_encoding = 'utf-8'
#source_encoding = 'utf-8-sig'
# The master toctree document.
master_doc = 'index'
# General information about the project.
project = u'Keystone'
copyright = u'2011-present, OpenStack, LLC.'
project = u'keystone'
copyright = u'2012, OpenStack, LLC'
# The version info for the project you're documenting, acts as replacement for
# |version| and |release|, also used in various other places throughout the
# built documents.
#
# The short X.Y version.
from keystone import version
version = '2012.1'
# The full version, including alpha/beta/rc tags.
release = version.version()
# The short X.Y version.
version = version.canonical_version()
release = '2012.1-dev'
# The language for content autogenerated by Sphinx. Refer to documentation
# for a list of supported languages.
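Review bot: `version = '2012.1'` and `release = '2012.1-dev'` are string literals, while the same hunk shows `from keystone import version` with `version.version()` and `version.canonical_version()`; hard-coded strings will drift from the package at the next release. Prefer reading both values from the package, or leave a comment naming this file as a place that must be bumped.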
@ -94,14 +73,11 @@ version = version.canonical_version()
# Else, today_fmt is used as the format for a strftime call.
#today_fmt = '%B %d, %Y'
# List of documents that shouldn't be included in the build.
#unused_docs = []
# List of patterns, relative to source directory, that match files and
# directories to ignore when looking for source files.
exclude_patterns = []
# List of directories, relative to source directory, that shouldn't be searched
# for source files.
exclude_trees = []
# The reST default role (for this markup: `text`) to use for all documents.
# The reST default role (used for this markup: `text`) to use for all documents.
#default_role = None
# If true, '()' will be appended to :func: etc. cross-reference text.
@ -129,23 +105,15 @@ modindex_common_prefix = ['keystone.']
man_pages = [
('man/keystone-manage', 'keystone-manage', u'Keystone Management Utility',
[u'OpenStack'], 1),
('man/keystone', 'keystone', u'Keystone Startup Command',
('man/keystone-all', 'keystone-all', u'Keystone Startup Command',
[u'OpenStack'], 1),
('man/keystone-auth', 'keystone-auth', u'Keystone Startup Command',
[u'OpenStack'], 1),
('man/keystone-admin', 'keystone-admin', u'Keystone Startup Command',
[u'OpenStack'], 1),
('man/keystone-import', 'keystone-import', u'Keystone Management Utility',
[u'OpenStack'], 1),
('man/keystone-control', 'keystone-control',
u'Keystone Management Utility', [u'OpenStack'], 1)
]
# -- Options for HTML output -------------------------------------------------
# -- Options for HTML output ---------------------------------------------------
# The theme to use for HTML and HTML Help pages. Major themes that come with
# Sphinx are currently 'default' and 'sphinxdoc'.
# The theme to use for HTML and HTML Help pages. See the documentation for
# a list of builtin themes.
html_theme_path = ["."]
html_theme = '_theme'
@ -155,7 +123,7 @@ html_theme = '_theme'
#html_theme_options = {}
# Add any paths that contain custom themes here, relative to this directory.
#html_theme_path = ['_theme']
#html_theme_path = []
# The name for this set of Sphinx documents. If None, it defaults to
# "<project> v<release> documentation".
@ -176,7 +144,7 @@ html_theme = '_theme'
# Add any paths that contain custom static files (such as style sheets) here,
# relative to this directory. They are copied after the builtin static files,
# so a file named "default.css" will overwrite the builtin "default.css".
html_static_path = ['_static', 'images']
html_static_path = ['static', 'images']
# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
# using the given strftime format.
@ -194,7 +162,7 @@ html_static_path = ['_static', 'images']
#html_additional_pages = {}
# If false, no module index is generated.
#html_use_modindex = True
#html_domain_indices = True
# If false, no index is generated.
#html_use_index = True
@ -205,32 +173,42 @@ html_static_path = ['_static', 'images']
# If true, links to the reST sources are added to the pages.
#html_show_sourcelink = True
# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
#html_show_sphinx = True
# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
#html_show_copyright = True
# If true, an OpenSearch description file will be output, and all pages will
# contain a <link> tag referring to it. The value of this option must be the
# base URL from which the finished HTML is served.
#html_use_opensearch = ''
# If nonempty, this is the file name suffix for HTML files (e.g. ".xhtml").
#html_file_suffix = ''
# This is the file name suffix for HTML files (e.g. ".xhtml").
#html_file_suffix = None
# Output file base name for HTML help builder.
htmlhelp_basename = 'keystonedoc'
# -- Options for LaTeX output ------------------------------------------------
# -- Options for LaTeX output --------------------------------------------------
# The paper size ('letter' or 'a4').
#latex_paper_size = 'letter'
latex_elements = {
# The paper size ('letterpaper' or 'a4paper').
#'papersize': 'letterpaper',
# The font size ('10pt', '11pt' or '12pt').
#latex_font_size = '10pt'
#'pointsize': '10pt',
# Additional stuff for the LaTeX preamble.
#'preamble': '',
}
# Grouping the document tree into LaTeX files. List of tuples
# (source start file, target name, title, author,
# documentclass [howto/manual]).
# (source start file, target name, title, author, documentclass [howto/manual]).
latex_documents = [
('index', 'Keystone.tex', u'Keystone Documentation',
u'Keystone Team', 'manual'),
('index', 'keystone.tex', u'Keystone Documentation',
u'OpenStack', 'manual'),
]
# The name of an image file (relative to this directory) to place at the top of
@ -241,16 +219,55 @@ latex_documents = [
# not chapters.
#latex_use_parts = False
# Additional stuff for the LaTeX preamble.
#latex_preamble = ''
# If true, show page references after internal links.
#latex_show_pagerefs = False
# If true, show URL addresses after external links.
#latex_show_urls = False
# Documents to append as an appendix to all manuals.
#latex_appendices = []
# If false, no module index is generated.
#latex_use_modindex = True
#latex_domain_indices = True
# -- Options for manual page output --------------------------------------------
# One entry per manual page. List of tuples
# (source start file, name, description, authors, manual section).
man_pages = [
('index', 'keystone', u'Keystone Documentation',
[u'OpenStack'], 1)
]
# If true, show URL addresses after external links.
#man_show_urls = False
# -- Options for Texinfo output ------------------------------------------------
# Grouping the document tree into Texinfo files. List of tuples
# (source start file, target name, title, author,
# dir menu entry, description, category)
texinfo_documents = [
('index', 'keystone', u'Keystone Documentation',
u'OpenStack', 'keystone', 'One line description of project.',
'Miscellaneous'),
]
# Documents to append as an appendix to all manuals.
#texinfo_appendices = []
# If false, no module index is generated.
#texinfo_domain_indices = True
# How to display URL addresses: 'footnote', 'no', or 'inline'.
#texinfo_show_urls = 'footnote'
# Example configuration for intersphinx: refer to the Python standard library.
#intersphinx_mapping = {'http://docs.python.org/': None}
intersphinx_mapping = {'python': ('http://docs.python.org/', None),
'nova': ('http://nova.openstack.org', None),
'swift': ('http://swift.openstack.org', None),
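Review bot: `man_pages` is assigned a second time in the "Options for manual page output" section, as `('index', 'keystone', u'Keystone Documentation', [u'OpenStack'], 1)`. Because it comes later in conf.py, it replaces the earlier list that names `man/keystone-manage` and `man/keystone-all`, so `make man` would build a single page from `index` instead of the command pages. Remove the generated stanza or merge the entries into one list. The `texinfo_documents` entry still carries the template text 'One line description of project.', and `intersphinx_mapping` is set while the only intersphinx entry visible in `extensions` is commented out, so the mapping has no effect unless that extension is enabled.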

View File

@ -0,0 +1,488 @@
..
Copyright 2011 OpenStack, LLC
All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
====================
Configuring Keystone
====================
.. toctree::
:maxdepth: 1
man/keystone-manage
man/keystone-all
Once Keystone is installed, it is configured via a primary configuration file
(``etc/keystone.conf``), possibly a separate logging configuration file, and
initializing data into keystone using the command line client.
Keystone Configuration File
===========================
The keystone configuration file is an 'ini' file format with sections,
extended from Paste_, a common system used to configure python WSGI based
applications. In addition to the paste config entries, general configuration
values are stored under ``[DEFAULT]``, ``[sql]``, ``[ec2]`` and then drivers
for the various services are included under their individual sections.
The services include:
* ``[identity]`` - the python module that backends the identity system
* ``[catalog]`` - the python module that backends the service catalog
* ``[token]`` - the python module that backends the token providing mechanisms
* ``[policy]`` - the python module that drives the policy system for RBAC
The keystone configuration file is expected to be named ``keystone.conf``.
When starting up Keystone, you can specify a different configuration file to
use with ``--config-file``. If you do **not** specify a configuration file,
keystone will look in the following directories for a configuration file, in
order:
* ``~/.keystone``
* ``~/``
* ``/etc/keystone``
* ``/etc``
Logging is configured externally to the rest of keystone, the file specifying
the logging configuration is in the [DEFAULT] section of the keystone conf
file under ``log_config``. If you wish to route all your logging through
syslog, there is a ``use_syslog`` option also in the [DEFAULT] section that
easy.
A sample logging file is available with the project in the directory
``etc/logging.conf.sample``. Like other OpenStack projects, keystone uses the
`python logging module`, which includes extensive configuration options for
choosing the output levels and formats.
In addition to this documentation page, you can check the ``etc/keystone.conf``
sample configuration files distributed with keystone for example configuration
files for each server application.
.. _Paste: http://pythonpaste.org/
.. _`python logging module`: http://docs.python.org/library/logging.html
Sample Configuration Files
--------------------------
* ``etc/keystone.conf``
* ``etc/logging.conf.sample``
Running Keystone
================
Running keystone is simply starting the services by using the command::
keystone-all
Invoking this command starts up two wsgi.Server instances, configured by the
``keystone.conf`` file as described above. One of these wsgi 'servers' is
``admin`` (the administration API) and the other is ``main`` (the
primary/public API interface). Both of these run in a single process.
Migrating from legacy versions of keystone
==========================================
Migration support is provided for the following legacy keystone versions:
* diablo-5
* stable/diablo
* essex-2
* essex-3
To migrate from legacy versions of keystone, use the following steps:
Step 1: Configure keystone.conf
-------------------------------
It is important that the database that you specify be different from the one
containing your existing install.
Step 2: db_sync your new, empty database
----------------------------------------
Run the following command to configure the most recent schema in your new
keystone installation::
keystone-manage db_sync
Step 3: Import your legacy data
-------------------------------
Use the following command to import your old data::
keystone-manage import_legacy [db_url, e.g. 'mysql://root@foobar/keystone']
Specify db_url as the connection string that was present in your old
keystone.conf file.
Step 3: Import your legacy service catalog
------------------------------------------
While the older keystone stored the service catalog in the database,
the updated version configures the service catalog using a template file.
An example service catalog template file may be found in
etc/default_catalog.templates.
To import your legacy catalog, run this command::
keystone-manage export_legacy_catalog \
[db_url e.g. 'mysql://root@foobar/keystone'] > \
[path_to_templates e.g. 'etc/default_catalog.templates']
After executing this command, you will need to restart the keystone service to
see your changes.
Initializing Keystone
=====================
keystone-manage is designed to execute commands that cannot be administered
through the normal REST api. At the moment, the following calls are supported:
* ``db_sync``: Sync the database.
* ``import_legacy``: Import a legacy (pre-essex) version of the db.
* ``export_legacy_catalog``: Export service catalog from a legacy (pre-essex) db.
Generally, the following is the first step after a source installation::
keystone-manage db_sync
Invoking keystone-manage by itself will give you additional usage information.
Adding Users, Tenants, and Roles with python-keystoneclient
===========================================================
User, tenants, and roles must be administered using admin credentials.
There are two ways to configure python-keystoneclient to use admin
credentials, using the token auth method, or password auth method.
Token Auth Method
-----------------
To use keystone client using token auth, set the following flags
* ``--endpoint SERVIVE_ENDPOINT`` : allows you to specify the keystone endpoint to communicate
with. The default endpoint is http://localhost:35357/v2.0'
* ``--token SERVIVE_TOKEN`` : your administrator service token.
Password Auth Method
--------------------
* ``--username OS_USERNAME`` : allows you to specify the keystone endpoint to communicate
with. For example, http://localhost:35357/v2.0'
* ``--password OS_PASSWORD`` : Your administrator password
* ``--tenant_name OS_TENANT_NAME`` : Name of your tenant
* ``--auth_url OS_AUTH_URL`` : url of your keystone auth server, for example
http://localhost:5000/v2.0'
Example usage
-------------
``keystone`` is set up to expect commands in the general form of
``keystone`` ``command`` ``argument``, followed by flag-like keyword arguments to
provide additional (often optional) information. For example, the command
``user-list`` and ``tenant-create`` can be invoked as follows::
# Using token auth env variables
export SERVICE_ENDPOINT=http://127.0.0.1:5000/v2.0/
export SERVICE_TOKEN=secrete_token
keystone user-list
keystone tenant-create --name=demo
# Using token auth flags
keystone --token=secrete --endpoint=http://127.0.0.1:5000/v2.0/ user-list
keystone --token=secrete --endpoint=http://127.0.0.1:5000/v2.0/ tenant-create --name=demo
# Using user + password + tenant_name env variables
export OS_USERNAME=admin
export OS_PASSWORD=secrete
export OS_TENANT_NAME=admin
keystone user-list
keystone tenant-create --name=demo
# Using user + password + tenant_name flags
keystone --username=admin --password=secrete --tenant_name=admin user-list
keystone --username=admin --password=secrete --tenant_name=admin tenant-create --name=demo
Tenants
-------
Tenants are the high level grouping within Keystone that represent groups of
users. A tenant is the grouping that owns virtual machines within Nova, or
containers within Swift. A tenant can have zero or more users, Users can
be associated with more than one tenant, and each tenant - user pairing can
have a role associated with it.
``tenant-create``
^^^^^^^^^^^^^^^^^
keyword arguments
* name
* description (optional, defaults to None)
* enabled (optional, defaults to True)
example::
keystone tenant-create --name=demo
creates a tenant named "demo".
``tenant-delete``
^^^^^^^^^^^^^^^^^
arguments
* tenant_id
example::
keystone tenant-delete f2b7b39c860840dfa47d9ee4adffa0b3
``tenant-enable``
^^^^^^^^^^^^^^^^^
arguments
* tenant_id
example::
keystone tenant-enable f2b7b39c860840dfa47d9ee4adffa0b3
``tenant-disable``
^^^^^^^^^^^^^^^^^
arguments
* tenant_id
example::
keystone tenant-disable f2b7b39c860840dfa47d9ee4adffa0b3
Users
-----
``user-create``
^^^^^^^^^^^^^^^
keyword arguments
* name
* pass
* email
* default_tenant (optional, defaults to None)
* enabled (optional, defaults to True)
example::
keystone user-create
--name=admin \
--pass=secrete \
--email=admin@example.com
``user-delete``
^^^^^^^^^^^^^^^
keyword arguments
* user
example::
keystone user-delete f2b7b39c860840dfa47d9ee4adffa0b3
``user-list``
^^^^^^^^^^^^^
list users in the system, optionally by a specific tenant (identified by tenant_id)
arguments
* tenant_id (optional, defaults to None)
example::
keystone user-list
``user-update-email``
^^^^^^^^^^^^^^^^^^^^^
arguments
* user_id
* email
example::
keystone user-update-email 03c84b51574841ba9a0d8db7882ac645 "someone@somewhere.com"
``user-enable``
^^^^^^^^^^^^^^^^^^^^^^^
arguments
* user_id
example::
keystone user-enable 03c84b51574841ba9a0d8db7882ac645
``user-disable``
^^^^^^^^^^^^^^^^^^^^^^^
arguments
* user_id
example::
keystone user-disable 03c84b51574841ba9a0d8db7882ac645
``user-update-password``
^^^^^^^^^^^^^^^^^^^^^^^^
arguments
* user_id
* password
example::
keystone user-update-password 03c84b51574841ba9a0d8db7882ac645 foo
Roles
-----
``role-create``
^^^^^^^^^^^^^^^
arguments
* name
exmaple::
keystone role-create --name=demo
``role-delete``
^^^^^^^^^^^^^^^
arguments
* role_id
exmaple::
keystone role-delete 19d1d3344873464d819c45f521ff9890
``role-list``
^^^^^^^^^^^^^^^
exmaple::
keystone role-list
``role-get``
^^^^^^^^^^^^
arguments
* role_id
exmaple::
keystone role-get role=19d1d3344873464d819c45f521ff9890
``add-user-role``
^^^^^^^^^^^^^^^^^^^^^^
arguments
* role_id
* user_id
* tenant_id
example::
keystone role add-user-role \
3a751f78ef4c412b827540b829e2d7dd \
03c84b51574841ba9a0d8db7882ac645 \
20601a7f1d94447daa4dff438cb1c209
``remove-user-role``
^^^^^^^^^^^^^^^^^^^^^^^^^
arguments
* role_id
* user_id
* tenant_id
example::
keystone remove-user-role \
19d1d3344873464d819c45f521ff9890 \
08741d8ed88242ca88d1f61484a0fe3b \
20601a7f1d94447daa4dff438cb1c209
Services
--------
``service-create``
^^^^^^^^^^^^^^^^^^
keyword arguments
* name
* type
* description
example::
keystone service create \
--name=nova \
--type=compute \
--description="Nova Compute Service"
``service-list``
^^^^^^^^^^^^^^^^
arguments
* service_id
example::
keystone service-list
``service-get``
^^^^^^^^^^^^^^^
arguments
* service_id
example::
keystone service-get 08741d8ed88242ca88d1f61484a0fe3b
``service-delete``
^^^^^^^^^^^^^^^^^^
arguments
* service_id
example::
keystone service-delete 08741d8ed88242ca88d1f61484a0fe3b
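Review bot: In "Password Auth Method", `--username OS_USERNAME` is described as "allows you to specify the keystone endpoint to communicate with", which is the `--endpoint` text pasted in; it should describe the admin user name. In "Token Auth Method" the placeholders are misspelled (`SERVIVE_ENDPOINT`, `SERVIVE_TOKEN`, where the examples export `SERVICE_ENDPOINT` and `SERVICE_TOKEN`), the stated default endpoint `http://localhost:35357/v2.0` does not match the `http://127.0.0.1:5000/v2.0/` used in every token-auth example, and the URLs in both sections end in a stray `'`. The flag-style examples pass `--token=secrete` and `--password=secrete` on the command line, where they end up in shell history and the process list, so the text should recommend the environment-variable form for admin credentials. Smaller fixes: the second "Step 3" heading should be Step 4; the logging paragraph ends in the fragment "that easy."; `exmaple::` appears four times under Roles; `keystone role add-user-role` and `keystone service create` do not match the documented `add-user-role` and `service-create` command names; the first line of the `user-create` example has no trailing `\`; `service-list` lists a `service_id` argument that its example does not take; and the `^` underline for `tenant-disable` is one character shorter than its title.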

View File

@ -0,0 +1,197 @@
..
Copyright 2011 OpenStack, LLC
All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
==========================================
Configuring Services to work with Keystone
==========================================
.. toctree::
:maxdepth: 1
nova-api-paste
middleware_architecture
Once Keystone is installed and running (see :doc:`configuration`), services
need to be configured to work with it. To do this, we primarily install and
configure middleware for the OpenStack service to handle authentication tasks
or otherwise interact with Keystone.
In general:
* Clients making calls to the service will pass in an authentication token.
* The Keystone middleware will look for and validate that token, taking the
appropriate action.
* It will also retrive additional information from the token such as user
name, id, tenant name, id, roles, etc...
The middleware will pass those data down to the service as headers. More
details on the architecture of that setup is described in
:doc:`middleware_architecture`
Setting up credentials
======================
Admin Token
-----------
For a default installation of Keystone, before you can use the REST API, you
need to define an authorization token. This is configured in ``keystone.conf``
file under the section ``[DEFAULT]``. In the sample file provided with the
keystone project, the line defining this token is
[DEFAULT]
admin_token = ADMIN
This configured token is a "shared secret" between keystone and other
openstack services (for example: nova, swift, glance, or horizon), and will
need to be set the same between those services in order for keystone services
to function correctly.
Setting up tenants, users, and roles
------------------------------------
You need to minimally define a tenant, user, and role to link the tenant and
user as the most basic set of details to get other services authenticating
and authorizing with keystone. See doc:`configuration` for a walk through on
how to create tenants, users, and roles.
Setting up services
===================
Defining Services
-----------------
Keystone also acts as a service catalog to let other OpenStack systems know
where relevant API endpoints exist for OpenStack Services. The OpenStack
Dashboard, in particular, uses this heavily - and this **must** be configured
for the OpenStack Dashboard to properly function.
Here's how we define the services::
keystone service-create --name=nova \
--type=compute \
--description="Nova Compute Service"
keystone service-create --name=ec2 \
--type=ec2 \
--description="EC2 Compatibility Layer"
keystone service-create --name=glance \
--type=image \
--description="Glance Image Service"
keystone service-create --name=keystone \
--type=identity \
--description="Keystone Identity Service"
keystone service-create --name=swift \
--type=object-store \
--description="Swift Service"
The endpoints for these services are defined in a template, an example of
which is in the project as the file ``etc/default_catalog.templates``.
Setting Up Middleware
=====================
Keystone Auth-Token Middleware
--------------------------------
The Keystone auth_token middleware is a WSGI component that can be inserted in
the WSGI pipeline to handle authenticating tokens with Keystone.
Configuring Nova to use Keystone
--------------------------------
To configure Nova to use Keystone for authentication, the Nova API service
can be run against the api-paste file provided by Keystone. This is most
easily accomplished by setting the `--api_paste_config` flag in nova.conf to
point to `examples/paste/nova-api-paste.ini` from Keystone. This paste file
included references to the WSGI authentication middleware provided with the
keystone installation.
When configuring Nova, it is important to create a admin service token for
the service (from the Configuration step above) and include that as the key
'admin_token' in the nova-api-paste.ini. See the documented
:doc:`nova-api-paste` file for references.
Configuring Swift to use Keystone
---------------------------------
Similar to Nova, swift can be configured to use Keystone for authentication
rather than it's built in 'tempauth'.
1. Add a service endpoint for Swift to Keystone
2. Configure the paste file for swift-proxy (`/etc/swift/swift-proxy.conf`)
3. Reconfigure Swift's proxy server to use Keystone instead of TempAuth.
Here's an example `/etc/swift/proxy-server.conf`::
[DEFAULT]
bind_port = 8888
user = <user>
[pipeline:main]
pipeline = catch_errors cache keystone proxy-server
[app:proxy-server]
use = egg:swift#proxy
account_autocreate = true
[filter:keystone]
use = egg:keystone#tokenauth
auth_protocol = http
auth_host = 127.0.0.1
auth_port = 35357
admin_token = 999888777666
delay_auth_decision = 0
service_protocol = http
service_host = 127.0.0.1
service_port = 8100
service_pass = dTpw
cache = swift.cache
[filter:cache]
use = egg:swift#memcache
set log_name = cache
[filter:catch_errors]
use = egg:swift#catch_errors
Note that the optional "cache" property in the keystone filter allows any
service (not just Swift) to register its memcache client in the WSGI
environment. If such a cache exists, Keystone middleware will utilize it
to store validated token information, which could result in better overall
performance.
4. Restart swift
5. Verify that keystone is providing authentication to Swift
Use `swift` to check everything works (note: you currently have to create a
container or upload something as your first action to have the account
created; there's a Swift bug to be fixed soon)::
$ swift -A http://127.0.0.1:5000/v1.0 -U joeuser -K secrete post container
$ swift -A http://127.0.0.1:5000/v1.0 -U joeuser -K secrete stat -v
StorageURL: http://127.0.0.1:8888/v1/AUTH_1234
Auth Token: 74ce1b05-e839-43b7-bd76-85ef178726c3
Account: AUTH_1234
Containers: 1
Objects: 0
Bytes: 0
Accept-Ranges: bytes
X-Trans-Id: tx25c1a6969d8f4372b63912f411de3c3b
.. WARNING::
Keystone currently allows any valid token to do anything with any account.
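Review bot: The "Admin Token" section shows `admin_token = ADMIN` from the sample file and calls it a shared secret, but never tells the reader to replace the sample value before the admin API is reachable by anyone else; add that instruction, and end "the line defining this token is" with `::` so the `[DEFAULT]` snippet renders as a literal block. The Swift example pairs `admin_token = 999888777666` with `auth_protocol = http`; with `auth_host = 127.0.0.1` that stays on loopback, but a reader who changes only the host will send the admin token in clear text, so label these as single-host placeholder values. The closing warning, "Keystone currently allows any valid token to do anything with any account", belongs at the top of the Swift section rather than after the verification output. Also: step 2 names `/etc/swift/swift-proxy.conf` while the example is `/etc/swift/proxy-server.conf`; the reference "See doc:`configuration`" lacks the leading colon of the `:doc:` role; and `retrive` and "it's built in" need correcting.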

150
docs/source/developing.rst Normal file
View File

@ -0,0 +1,150 @@
..
Copyright 2011 OpenStack, LLC
All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
========================
Developing with Keystone
========================
Contributing Code
=================
To contribute code, sign up for a Launchpad account and sign a contributor license agreement,
available on the `<http://wiki.openstack.org/CLA>`_. Once the CLA is signed you
can contribute code through the Gerrit version control system which is related to your Launchpad account.
To contribute tests, docs, code, etc, refer to our `Gerrit-Jenkins-Github Workflow`_.
.. _`Gerrit-Jenkins-Github Workflow`: http://wiki.openstack.org/GerritJenkinsGithub
Setup
-----
Get your development environment set up according to :doc:`setup`. The instructions from here will
assume that you have installed keystone into a virtualenv. If you chose not to, simply exclude "tools/with_venv.sh" from the example commands below.
Running Keystone
----------------
To run the keystone Admin and API server instances, use::
$ tools/with_venv.sh bin/keystone-all
this runs keystone with the configuration the etc/ directory of the project. See :doc:`configuration` for details on how Keystone is configured.
Interacting with Keystone
-------------------------
You can interact with Keystone through the command line using :doc:`man/keystone-manage`
which allows you to establish tenants, users, etc.
You can also interact with Keystone through it's REST API. There is a python
keystone client library `python-keystoneclient`_ which interacts exclusively through
the REST API, and which keystone itself uses to provide it's command-line interface.
When initially getting set up, after you've configured which databases to use,
you're probably going to need to run the following to your database schema in place ::
$ bin/keystone-manage db_sync
.. _`python-keystoneclient`: https://github.com/openstack/python-keystoneclient
Running Tests
=============
To run the full suites of tests maintained within Keystone, run::
$ ./run_tests.sh
This shows realtime feedback during test execution, iterates over
multiple configuration variations, and uses external projects to do
light integration testing to verify the keystone API against other projects.
Test Structure
--------------
``./run_test.sh`` uses its python cohort (``run_tests.py``) to iterate
through the ``tests`` directory, using Nosetest to collect the tests and
invoke them using an OpenStack custom test running that displays the tests
as well as the time taken to
run those tests.
Within the tests directory, the general structure of the tests is a basic
set of tests represented under a test class, and then subclasses of those
tests under other classes with different configurations to drive different
backends through the APIs.
For example, ``test_backend.py`` has a sequence of tests under the class
``IdentityTests`` that will work with the default drivers as configured in
this projects etc/ directory. ``test_backend_sql.py`` subclasses those tests,
changing the configuration by overriding with configuration files stored in
the tests directory aimed at enabling the SQL backend for the Identity module.
Likewise, ``test_cli.py`` takes advantage of the tests written aainst
``test_keystoneclient`` to verify the same tests function through different
drivers.
Testing Schema Migrations
-------------------------
The application of schema migrations can be tested using SQLAlchemy Migrates
built-in test runner, one migration at a time.
.. WARNING::
This may leave your database in an inconsistent state; attempt this in non-production environments only!
This is useful for testing the *next* migration in sequence (both forward & backward) in a database under version control::
python keystone/common/sql/migrate_repo/manage.py test \
--url=sqlite:///test.db \
--repository=keystone/common/sql/migrate_repo/
This command references to a SQLite database (test.db) to be used. Depending on the migration, this command alone does not make assertions as to the integrity of your data during migration.
Writing Tests
-------------
To add tests covering all drivers, update the base test class (``test_backend.py``, ``test_legacy_compat.py``, and ``test_keystoneclient.py``).
To add new drivers, subclass the ``test_backend.py`` (look towards ``test_backend_sql.py`` or ``test_backend_kvs.py`` for examples) and update the configuration of the test class in ``setUp()``.
Further Testing
---------------
devstack_ is the *best* way to quickly deploy keystone with the rest of the
OpenStack universe and should be critical step in your development workflow!
You may also be interested in either the `OpenStack Continuous Integration Project`_
or the `OpenStack Integration Testing Project`_.
.. _devstack: http://devstack.org/
.. _OpenStack Continuous Integration Project: https://github.com/openstack/openstack-ci
.. _OpenStack Integration Testing Project: https://github.com/openstack/tempest
Building the Documentation
==========================
The documentation is all generated with Sphinx from within the docs directory.
To generate the full set of HTML documentation:
cd docs
make autodoc
make html
make man
the results are in the docs/build/html and docs/build/man directories
respectively.
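Review bot: "Test Structure" refers to `./run_test.sh` while "Running Tests" tells the reader to run `./run_tests.sh`; use the same script name in both places. The documentation build steps (`cd docs`, `make autodoc`, `make html`, `make man`) follow "To generate the full set of HTML documentation:" with a single colon, so they will not render as a literal block; end that line with `::`. Wording to fix: "with the configuration the etc/ directory" (missing "in"), "run the following to your database schema in place" (missing verb), "it's REST API" and "it's command-line interface" (should be "its"), `aainst`, "SQLAlchemy Migrates built-in test runner" (missing apostrophe), and "should be critical step" (missing article).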

View File

@ -18,9 +18,9 @@
Welcome to Keystone, the OpenStack Identity Service!
====================================================
Keystone is a cloud identity service written in Python, which provides
authentication, authorization, and an OpenStack service catalog. It
implements `OpenStack's Identity API`_.
Keystone is an OpenStack project that provides Identity, Token, Catalog and
Policy services for use specifically by projects in the OpenStack family.
It implements `OpenStack's Identity API`_.
This document describes Keystone for contributors of the project, and assumes
that you are already familiar with Keystone from an `end-user perspective`_.
@ -41,81 +41,35 @@ Getting Started
.. toctree::
:maxdepth: 1
releases
setup
testing
migration
extensions
configuration
controllingservers
configuringservices
community
usingkeystone
Administration
==============
.. toctree::
:maxdepth: 1
backends
migration
controllingservers
configuringservices
ssl
Entities
========
.. toctree::
:maxdepth: 1
endpoints
services
API Use Case Examples
=====================
.. toctree::
:maxdepth: 1
adminAPI_curl_examples
serviceAPI_curl_examples
Configuration File Examples
===========================
.. toctree::
:maxdepth: 1
nova-api-paste
keystone.conf
Man Pages
=========
---------
.. toctree::
:maxdepth: 1
man/keystone-manage
man/keystone
man/keystone-auth
man/keystone-admin
man/keystone-import
man/keystone-control
man/sampledata
Developer Docs
==============
man/keystone-manage
Developers Documentation
========================
.. toctree::
:maxdepth: 1
developing
architecture
middleware
middleware_architecture
sourcecode/autoindex
api_curl_examples
Code Documentation
==================
.. toctree::
:maxdepth: 1
modules
Indices and tables
==================
@ -123,3 +77,4 @@ Indices and tables
* :ref:`genindex`
* :ref:`modindex`
* :ref:`search`

View File

@ -0,0 +1,83 @@
========
keystone
========
---------------------------
Keystone Management Utility
---------------------------
:Author: keystone@lists.launchpad.net
:Date: 2010-11-16
:Copyright: OpenStack LLC
:Version: 0.1.2
:Manual section: 1
:Manual group: cloud computing
SYNOPSIS
========
keystone-all [options]
DESCRIPTION
===========
keystone-all starts both the service and administrative APIs in a single
process to provide catalog, authorization, and authentication services for
OpenStack.
USAGE
=====
``keystone-all [options]``
Common Options:
^^^^^^^^^^^^^^^
-h, --help show this help message and exit
The following configuration options are common to all keystone
programs.::
-h, --help show this help message and exit
--config-file=PATH Path to a config file to use. Multiple config files
can be specified, with values in later files taking
precedence. The default files used are: []
-d, --debug Print debugging output
--nodebug Print debugging output
-v, --verbose Print more verbose output
--noverbose Print more verbose output
--log-config=PATH If this option is specified, the logging configuration
file specified is used and overrides any other logging
options specified. Please see the Python logging
module documentation for details on logging
configuration files.
--log-format=FORMAT A logging.Formatter log message format string which
may use any of the available logging.LogRecord
attributes. Default: none
--log-date-format=DATE_FORMAT
Format string for %(asctime)s in log records. Default:
none
--log-file=PATH (Optional) Name of log file to output to. If not set,
logging will go to stdout.
--log-dir=LOG_DIR (Optional) The directory to keep log files in (will be
prepended to --logfile)
--syslog-log-facility=SYSLOG_LOG_FACILITY
(Optional) The syslog facility to use when logging to
syslog (defaults to LOG_USER)
--use-syslog Use syslog for logging.
--nouse-syslog Use syslog for logging.
FILES
=====
None
SEE ALSO
========
* `Keystone <http://github.com/openstack/keystone>`__
SOURCE
======
* Keystone source is managed in GitHub `Keystone <http://github.com/openstack/keystone>`__
* Keystone bugs are managed at Launchpad `Launchpad Keystone <https://bugs.launchpad.net/keystone>`__
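Review bot: the title `keystone` and the subtitle "Keystone Management Utility" at the top of this new man page do not match its SYNOPSIS and DESCRIPTION, which document `keystone-all`; the subtitle is the same one the keystone-manage page carries. Suggest titling the page after the command it documents and giving it a subtitle that describes the server process. In the options block, `--nodebug`, `--noverbose` and `--nouse-syslog` repeat the help text of the flags they negate ("Print debugging output", "Print more verbose output", "Use syslog for logging."), so the page never says what the negated forms do, and `-h, --help` is listed twice.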

View File

@ -0,0 +1,97 @@
===============
keystone-manage
===============
---------------------------
Keystone Management Utility
---------------------------
:Author: keystone@lists.launchpad.net
:Date: 2010-11-16
:Copyright: OpenStack LLC
:Version: 0.1.2
:Manual section: 1
:Manual group: cloud computing
SYNOPSIS
========
keystone-manage [options]
DESCRIPTION
===========
keystone-manage is the command line tool that interacts with the keystone
service to initialize and update data within Keystone. Generally,
keystone-manage is only used for operations that can not be accomplished
with through the keystone REST api, such data import/export and schema
migrations.
USAGE
=====
``keystone-manage [options] action [additional args]``
General keystone-manage options:
--------------------------------
* ``--help`` : display verbose help output.
Invoking keystone-manage by itself will give you some usage information.
Available keystone-manage commands:
db_sync: Sync the database.
import_legacy: Import a legacy (pre-essex) version of the db.
export_legacy_catalog: Export service catalog from a legacy (pre-essex) db.
OPTIONS
=======
Options:
-h, --help show this help message and exit
--config-file=PATH Path to a config file to use. Multiple config files
can be specified, with values in later files taking
precedence. The default files used are: []
-d, --debug Print debugging output
--nodebug Print debugging output
-v, --verbose Print more verbose output
--noverbose Print more verbose output
--log-config=PATH If this option is specified, the logging configuration
file specified is used and overrides any other logging
options specified. Please see the Python logging
module documentation for details on logging
configuration files.
--log-format=FORMAT A logging.Formatter log message format string which
may use any of the available logging.LogRecord
attributes. Default: none
--log-date-format=DATE_FORMAT
Format string for %(asctime)s in log records. Default:
none
--log-file=PATH (Optional) Name of log file to output to. If not set,
logging will go to stdout.
--log-dir=LOG_DIR (Optional) The directory to keep log files in (will be
prepended to --logfile)
--syslog-log-facility=SYSLOG_LOG_FACILITY
(Optional) The syslog facility to use when logging to
syslog (defaults to LOG_USER)
--use-syslog Use syslog for logging.
--nouse-syslog Use syslog for logging.
FILES
=====
None
SEE ALSO
========
* `Keystone <http://github.com/openstack/keystone>`__
SOURCE
======
* Keystone is sourced in GitHub `Keystone <http://github.com/openstack/keystone>`__
* Keystone bugs are managed at Launchpad `Launchpad Keystone <https://bugs.launchpad.net/keystone>`__
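Review bot: the DESCRIPTION sentence "can not be accomplished with through the keystone REST api, such data import/export" has a stray "with" and is missing "as"; suggest "cannot be accomplished through the Keystone REST API, such as data import/export and schema migrations". In the OPTIONS block the `--log-dir` help says the directory "will be prepended to --logfile", but the option listed just above it is `--log-file`, so the cross-reference should use that spelling.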

View File

@ -0,0 +1,143 @@
..
Copyright 2011 OpenStack, LLC
All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
nova-api-paste example
======================
::
#######
# EC2 #
#######
[composite:ec2]
use = egg:Paste#urlmap
/: ec2versions
/services/Cloud: ec2cloud
/services/Admin: ec2admin
/latest: ec2metadata
/2007-01-19: ec2metadata
/2007-03-01: ec2metadata
/2007-08-29: ec2metadata
/2007-10-10: ec2metadata
/2007-12-15: ec2metadata
/2008-02-01: ec2metadata
/2008-09-01: ec2metadata
/2009-04-04: ec2metadata
/1.0: ec2metadata
[pipeline:ec2cloud]
pipeline = logrequest totoken authtoken keystonecontext cloudrequest authorizer ec2executor
[pipeline:ec2admin]
pipeline = logrequest totoken authtoken keystonecontext adminrequest authorizer ec2executor
[pipeline:ec2metadata]
pipeline = logrequest ec2md
[pipeline:ec2versions]
pipeline = logrequest ec2ver
[filter:logrequest]
paste.filter_factory = nova.api.ec2:RequestLogging.factory
[filter:ec2lockout]
paste.filter_factory = nova.api.ec2:Lockout.factory
[filter:totoken]
paste.filter_factory = keystone.middleware.ec2_token:EC2Token.factory
[filter:ec2noauth]
paste.filter_factory = nova.api.ec2:NoAuth.factory
[filter:authenticate]
paste.filter_factory = nova.api.ec2:Authenticate.factory
[filter:cloudrequest]
controller = nova.api.ec2.cloud.CloudController
paste.filter_factory = nova.api.ec2:Requestify.factory
[filter:adminrequest]
controller = nova.api.ec2.admin.AdminController
paste.filter_factory = nova.api.ec2:Requestify.factory
[filter:authorizer]
paste.filter_factory = nova.api.ec2:Authorizer.factory
[app:ec2executor]
paste.app_factory = nova.api.ec2:Executor.factory
[app:ec2ver]
paste.app_factory = nova.api.ec2:Versions.factory
[app:ec2md]
paste.app_factory = nova.api.ec2.metadatarequesthandler:MetadataRequestHandler.factory
#############
# Openstack #
#############
[composite:osapi]
use = egg:Paste#urlmap
/: osversions
/v1.1: openstackapi
[pipeline:openstackapi]
pipeline = faultwrap authtoken keystonecontext ratelimit extensions osapiapp
[filter:faultwrap]
paste.filter_factory = nova.api.openstack:FaultWrapper.factory
[filter:auth]
paste.filter_factory = nova.api.openstack.auth:AuthMiddleware.factory
[filter:noauth]
paste.filter_factory = nova.api.openstack.auth:NoAuthMiddleware.factory
[filter:ratelimit]
paste.filter_factory = nova.api.openstack.limits:RateLimitingMiddleware.factory
[filter:extensions]
paste.filter_factory = nova.api.openstack.extensions:ExtensionMiddleware.factory
[app:osapiapp]
paste.app_factory = nova.api.openstack:APIRouter.factory
[pipeline:osversions]
pipeline = faultwrap osversionapp
[app:osversionapp]
paste.app_factory = nova.api.openstack.versions:Versions.factory
##########
# Shared #
##########
[filter:keystonecontext]
paste.filter_factory = keystone.middleware.nova_keystone_context:NovaKeystoneContext.factory
[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
service_protocol = http
service_host = 127.0.0.1
service_port = 5000
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
auth_uri = http://your_keystone_host.com:5000/
;identical to the admin token defined in keystone.conf
admin_token = 999888777666
;Uncomment next line and check ip:port to use memcached to cache token requests
;memcache_hosts = 127.0.0.1:11211
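Review bot: the `[filter:authtoken]` section at the end of this sample pairs a literal `admin_token = 999888777666` with `auth_protocol = http`, so a reader who copies the file verbatim ends up with an admin token whose value is published in the docs and an auth endpoint configured without TLS. Suggest marking the token as a placeholder that must be replaced with the value from keystone.conf and adding a comment that points at the https setting. Two smaller points in the same file: `auth_host = 127.0.0.1` and `auth_uri = http://your_keystone_host.com:5000/` name different hosts without explanation, and `[filter:ec2lockout]` is defined but appears in none of the EC2 pipelines, so the sample as written does not apply it.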

View File

@ -18,12 +18,12 @@
Setting up a Keystone development environment
=============================================
This document describes setting up keystone directly from GitHub_
This document describes getting the source from keystone's `GitHub repository`_
for development purposes.
To install keystone from packaging, refer instead to Keystone's `User Documentation`_.
.. _GitHub: http://github.com/openstack/keystone
.. _`GitHub Repository`: http://github.com/openstack/keystone
.. _`User Documentation`: http://docs.openstack.org/
Prerequisites
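Review bot: the renamed target `.. _`GitHub Repository`: http://github.com/openstack/keystone` differs only in letter case from the `.. _`Github repository`: https://github.com/openstack/keystone` definition visible further down this file, and the two carry different URLs (http versus https). reStructuredText reference names are case-insensitive, so if that later definition stays, docutils will report a duplicate explicit target name. Suggest keeping a single definition, with the https URL.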
@ -31,7 +31,7 @@ Prerequisites
This document assumes you are using:
- Ubuntu 11.10, Fedora 15, openSUSE 11.4, 12.1 or Mac OS X Lion
- Ubuntu 11.10, Fedora 15, or Mac OS X Lion
- `Python 2.7`_
.. _`Python 2.7`: http://www.python.org/
@ -51,7 +51,7 @@ different version of the above, please document your configuration here!
Getting the latest code
=======================
You can clone our latest code from our `Github repository`::
Make a clone of the code from our `Github repository`::
$ git clone https://github.com/openstack/keystone.git
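Review bot: in "Make a clone of the code from our `Github repository`::" the backticked phrase has no trailing underscore, so it renders as interpreted text rather than as a link to the `Github repository` target. If a link is intended, write it as a reference (`Github repository`_) followed by the `::` that introduces the literal block.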
@ -59,13 +59,17 @@ When that is complete, you can::
$ cd keystone
.. _`Github repository`: https://github.com/openstack/keystone
Installing dependencies
=======================
Keystone maintains a list of PyPi_ dependencies, designed for use by
pip_.
Keystone maintains two lists of dependencies::
tools/pip-requires
tools/pip-requires-test
The first is the list of dependencies needed for running keystone, the second list includes dependencies used for active development and testing of keystone itself.
These depdendencies can be installed from PyPi_ using the python tool pip_.
.. _PyPi: http://pypi.python.org/
.. _pip: http://pypi.python.org/pypi/pip
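Review bot: "These depdendencies can be installed from PyPi_" misspells "dependencies". The sentence before it ("The first is the list of dependencies needed for running keystone, the second list ...") is a comma splice on one long line; splitting it into two sentences and wrapping it like the surrounding paragraphs would read better in both the source and the rendered page.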
@ -83,53 +87,65 @@ Fedora 15::
$ sudo yum install python-sqlite2 python-lxml python-greenlet-devel python-ldap
openSUSE 11.4, 12.1::
$ sudo zypper in python-devel python-xml gcc libxslt-devel python-ldap openldap2-devel
Mac OS X Lion (requires MacPorts_)::
$ sudo port install py-ldap
.. _MacPorts: http://www.macports.org/
PyPi Packages
-------------
PyPi Packages and VirtualEnv
----------------------------
Assuming you have any necessary binary packages & header files available
on your system, you can then install PyPi dependencies.
We recommend establishing a virtualenv to run keystone within. Virtualenv limits the python environment
to just what you're installing as depdendencies, useful to keep a clean environment for working on
Keystone. The tools directory in keystone has a script already created to make this very simple::
You may also need to prefix `pip install` with `sudo`, depending on your
environment::
$ python tools/install_venv.py
# Describe dependencies (including non-PyPi dependencies)
$ cat tools/pip-requires
This will create a local virtual environment in the directory ``.venv``.
Once created, you can activate this virtualenv for your current shell using::
# Install all PyPi dependencies (for production, testing, and development)
$ source .venv/bin/activate
The virtual environment can be disabled using the command::
$ deactivate
You can also use ``tools\with_venv.sh`` to prefix commands so that they run
within the virtual environment. For more information on virtual environments,
see virtualenv_.
.. _virtualenv: http://www.virtualenv.org/
If you want to run keystone outside of a virtualenv, you can install the dependencies directly
into your system from the requires files::
# Install the dependencies for running keystone
$ pip install -r tools/pip-requires
Updating your PYTHONPATH
========================
There are a number of methods for getting Keystone into your PYTHON PATH,
the easiest of which is::
# Install the dependencies for developing, testing, and running keystone
$ pip install -r tools/pip-requires-test
# Fake-install the project by symlinking Keystone into your Python site-packages
$ python setup.py develop
Verifying Keystone is set up
============================
Once set up, either directly or within a virtualenv, you should be able to invoke python and import
the libraries. If you're using a virtualenv, don't forget to activate it::
$ source .venv/bin/activate
$ python
You should then be able to `import keystone` from your Python shell
without issue::
>>> import keystone.version
>>> import keystone
>>>
If you want to check the version of Keystone you are running:
>>> print keystone.version.version()
2012.1-dev
If you can import keystone successfully, you should be ready to move on to :doc:`testing`.
If you can import keystone successfully, you should be ready to move on to :doc:`developing`
Troubleshooting
===============
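Review bot: "You can also use ``tools\with_venv.sh``" uses a backslash as the path separator, while every other path in this file (`tools/install_venv.py`, `tools/pip-requires`) uses a forward slash; as written the literal cannot be pasted into a shell. Suggest ``tools/with_venv.sh``. The virtualenv paragraph also repeats the "depdendencies" misspelling, and the closing sentence that points to :doc:`developing` has no final period.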

Some files were not shown because too many files have changed in this diff