In Queens the v2.0 APIs were removed. This commit removes the
leftover v2.0 policies documented in the sample policy file.
Change-Id: Ibb841bcbc12d0be365ddb2681310a0eee6724782
Add documentation in the User section on managing, using, and rotating
application credentials.
Since application credential support didn't make it into
python-openstackclient in the Queens release, show examples using
python-keystoneclient.
Change-Id: I24bc51d2f3741771ba321fc05d49fd111aa76c15
Both of these drivers were staged for removal in Rocky. Now that
Rocky is open for development we can remove them. This commit removes
just the bare-bones aspects of each. Subsequent patches will do the
following:
- Remove test classes that were only meant for sql or uuid scenarios
- Refactor the notification framework to not hint at token storage
- Refactor the token provider API interfaces to be simpler and
  cleaner
- Remove the needs_persistence property from the token provider API
  and document the ability to push that logic into individual
  providers that require it
- Return 403 Forbidden for all requests to fetch a revocation list
- Remove the signing directory configuration options
These changes will result in simpler interfaces which will be
important for people implementing their own token providers and
storage layers.
bp removed-as-of-rocky
Change-Id: I76d5c29f6b1572ee3ec7f2b1af63ff31572de2ce
With the removal of the v2 API, there is no reason to keep listening on
multiple ports. Update the OBS install guide to only mention the one
port. The openSUSE openstack-keystone package does not provide a default
vhost config file so we can update this independently of any package
changes in the distro. This also removes a few incorrect notes, one
claiming that the distro package installed and started the nonexistent
eventlet service and one claiming that port 5000 only allowed non-admin
access.
Change-Id: Ic06af94335598e0aadac20874d177e531069548a
The curl examples we keep in our documentation contain examples for
interacting with the now removed v2.0 APIs. This commit removes those
examples since we no longer support v2.0, except for the ec2token API
until the T release. The curl examples didn't have any v2.0 ec2token
examples.
Change-Id: I7e16421873de1c2ebf13db971bef80a2d74e5823
This commit updates some of our contributor documentation to
accurately describe the v2.0 situation, now that we've removed
support for it.
Change-Id: Iffd59b81bc269ce67814199b024a034386d74e0c
This commit describes enforcement models and documents the only
enforcement model currently supported, which is flat enforcement.
bp unified-limits
Change-Id: I37aa7b57ce5e52e995a7ebc0db94dd0caccea461
This patch takes a first pass at including system-scope tokens in
the authentication/authorization documentation.
bp system-scope
Change-Id: I3f334bfe8286d3863610582e4c3d5942b755987d
Add the controller, router, schema, and policies for application
credentials. If a secret is not provided, one is generated at the
controller layer.
bp application-credentials
Depends-on: Id26a2790acae25f80bd28a8cb121c80cb5064645
Depends-on: Icbd58464182b082854fb5d73ccc93c900ede020c
Change-Id: I7a371d59c19a11e55f17baf12d92327c1258533d
The AdminTokenAuthMiddleware has already been removed.
Remove the related doc and config help message to
avoid being misleading.
Change-Id: I87f41b26776b351087f0bd89ba8f1a3cb3d4a062
The ``keystone-manage pki_setup`` command has been removed already.
This patch removes the related doc.
Change-Id: Ieba6848bd205e5f09267033490cd47fc4db30414
This commit adds some high-level documentation from the unified limit
specification to the administrator guide. A subsequent patch will
elaborate on enforcement models.
bp unified-limits
Change-Id: Ic644a7073fb8eeed9427b8c702ba2fa15fd4a9d5
This commit lays down the policies needed to protect the unified limit
API. A subsequent patch will expose the implementation.
bp unified-limits
Change-Id: I952fe6213adce86a92d7d607c9b639076b279f6c
Curly quotes (Chinese punctuation) are usually input from a Chinese input method.
When read in an English context, they cause some confusion.
Change-Id: I40fed2db58b87188c5c405f7d3b43d6ccd51016e
Keystone has APIs for retrieving projects and domains based on the
role assignments a user has on projects and domains. We should
introduce similar functionality for system assignments. This will
make discovering system access for users and clients easier.
bp system-scope
Change-Id: Iab577fcd1b57b8b5593c3f9d50a772466383a999
It is no longer possible to authenticate with a service token, and
keystone v2 has been removed. Stop documenting it. Also correct
"secrete" misspelling that can cause some confusion to linguists.
Change-Id: Iac15360957f281643d20b5f3469ad56148e6d4f0
Some entries in the list were prepended with dashes while others were
not. This commit makes all of them consistent.
Change-Id: I80aaa5cfde4c9c111108700e736fb595f6a971e7
This commit introduces new policies that control RBAC for assigning
groups roles on the system. Since the management of system roles is a
system-level operation, each policy has `system` set for scope_types.
bp system-scope
Change-Id: Ide491be9563f74f758c5de55990916292228e0d9
This commit introduces new policies that control RBAC for assigning
users roles on the system. Since the management of system roles is a
system-level operation, each policy has `system` set as scope_types.
bp system-scope
Change-Id: Ie606e769427a5ca422997efe92402e712f3cf45f