As part of the docs consolidation effort, move the SSL recommendation to
the installation guides for each distro. This also corrects the wording:
"running in a web server" is not necessarily secure on its own; the web
server must be configured to use SSL.
Change-Id: If0b547680cbbea4c7f29d82de3f4fe96bd14b4ec
Currently, the section "Public ID Generators" is a subsection of
"Identity sources" but it reads as very out of place. Looking at the
commit that introduced the section (1a50986e7c), it's clear this was
meant to be part of the domain-specific-config section and was missed in
a reshuffle. This patch puts it back in place.
Change-Id: I2873f104adf6af4da4ba23f8c0d8afb0c1161da3
From keystone's perspective, the ``member`` and ``reader`` roles are
effectively the same, isolating writable role operations to the
``admin`` role.
This commit adds explicit testing to make sure the ``member`` role is
allowed to perform readable and not writable role operations.
Subsequent patches will incorporate:
- system admin functionality
- domain user test coverage
- project user test coverage
Change-Id: I2bc3b65b6ef16adaa95e6299ac205b26797f7185
Related-Bug: 1805402
Related-Bug: 1806713
We already have an admin guide on creating services in the catalog and
creating service users, so reduce the duplication in the configuration
guide.
Change-Id: I1de964753b8c6c95af10b8c84501e4f74ca382e4
The role policies were not taking the default roles work we did last
release into account. This commit changes the default policies to rely
on the ``reader`` role for getting and listing roles. Subsequent
patches will incorporate:
- system member test coverage
- system admin functionality
- domain user test coverage
- project user test coverage
Change-Id: I3e373c437ff0ffddba10bde59fd7f18f8be6498c
Related-Bug: 1805402
Related-Bug: 1806713
From keystone's perspective, the ``member`` and ``reader`` roles are
effectively the same, isolating writable registered limit operations
to the ``admin`` role.
This commit adds explicit testing to make sure the ``member`` role
is allowed to perform readable and not writable registered limits
operations. Subsequent patches will incorporate:
- system admin functionality
- testing for domain users
- testing for project users
Change-Id: I6c428422f09e788faf2179d24cc01eb1ab623b64
Related-Bug: 1805372
Related-Bug: 1805880
This commit creates a set of sets that we can reuse across different
default roles and scopes to ensure everyone has access to registered
limit information. Subsequent patches will make sure we build on this
by incorporating default roles for:
- system member test coverage
- system admin functionality
- domain user test coverage
- project user test coverage
Change-Id: Ibb28ec8f85bad6df531cffc7ba2c5f879e96d297
Related-Bug: 1805372
Related-Bug: 1805880
This change addresses a comment from a previous change[0] to
clarify in the docstring about the APIs that each flask resource
class utilizes from the base class.
[0] https://review.openstack.org/#/c/613182/
Change-Id: Ia21b506726c1f75ff580bddd6b2bf18e2f5660c3
Several of the test classes for testing the service provider API were
duplicating a method to build a request body. Instead of duplicating
a common and useful utility, we can move it to a generic place and
share it.
This commit creates a new method in keystone.tests.unit.core for
building service provider entities to be used in API and backend
tests. A subsequent patch will rely on this for testing policy
protection of the service provider API.
Change-Id: I78e697f9f5fb975b4694ab1a61f608a6dce0fd3b
This utility was refactored, but the refactor didn't include a
required import statement:
Ie7e156a83006c1578c87d862cb4d1d948a800809
This wasn't caught because none of our unit tests were trying to
build authentication payloads with a bogus scope.
Change-Id: I43f72d12f3eb57af69c4b40258baa3b11d0a6a54
This change moves the user api change password value check to
JSON schema, rather than manually checking for empty/invalid
values. After this, more of the password validation can
be moved up to schema from code.
Change-Id: I15b1df51af53d56293a7b1b2a06fda7f4e5d45eb
This change stops keystone from emitting a notification when the
resource is the root domain <<keystone.domain.root>>. Currently
nothing should be invoking the root domain as an initiator outside
of tests, once the root domain is properly exposed this can be
removed.
Change-Id: Ic8bfd57a7e6e44342cf3748a6be3824de5aed1a0
The oslo.policy library actually accepts context objects as a first
class citizen, instead of a hand-built `creds` dictionary. This is a
preferred approach because it's easier for services to use
oslo.context to generate a context object that they can automatically
pass to oslo.policy for enforcement instead of inspecting the context
object and building a dictionary manually to pass to oslo.policy.
This commit allows keystone to partake in this by pulling the
keystone request object, which is a subclass of oslo.context's
RequestContext object, and uses it in enforcement. Additionally,
we're overriding the to_policy_values() method of oslo.context
in order to make sure we port keystone-specific values to the policy
dict representation of a context object. This ensures we have values
present that we rely on with our default policies.
This commit also bumps the lower requirement for oslo.policy to
make sure we're always using a version that understands context
objects.
Change-Id: I63e713f4aebf3e8cf5189a6060569d2828bc364d
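The role-policy commits above (reader/member may read roles and registered limits, only admin may write) and the oslo.policy commit (a request context flattened through to_policy_values() and matched against check strings) describe one mechanism. The following is an added, self-contained illustration of that mechanism; it is not keystone's or oslo.policy's code. The RequestContext class, the IMPLIED role hierarchy, the RULES table, and the tiny evaluate() function are all assumptions: the evaluator supports only the `role:`, `rule:`, `<key>:<value>`, `and`, `or`, `@` and `!` forms of the check-string grammar, with `and` binding tighter than `or`, and the rule strings are modeled on, not copied from, keystone's defaults.

```python
"""Minimal policy enforcement in the style of oslo.policy check strings.

Illustrative example only (not keystone's or oslo.policy's implementation).
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumed default-role hierarchy: admin implies member, member implies reader.
IMPLIED = {"admin": {"member", "reader"}, "member": {"reader"}}


def expand_roles(roles):
    """Return the assigned roles plus every role they imply."""
    out = set(roles)
    for role in roles:
        out |= IMPLIED.get(role, set())
    return out


@dataclass
class RequestContext:
    """Stand-in for an oslo.context-style request context (assumed shape)."""
    user_id: str
    roles: List[str]
    project_id: Optional[str] = None
    domain_id: Optional[str] = None
    system_scope: Optional[str] = None

    def to_policy_values(self):
        # Flatten the context into the dict the policy engine matches
        # check strings against; scope fields stay None when unset so a
        # "system_scope:all" check fails for project-scoped tokens.
        return {
            "user_id": self.user_id,
            "roles": sorted(expand_roles(self.roles)),
            "project_id": self.project_id,
            "domain_id": self.domain_id,
            "system_scope": self.system_scope,
        }


# Hypothetical rule table (modeled on, not copied from, keystone defaults):
# reads need reader on the system scope, writes need admin.
RULES = {
    "admin_required": "role:admin",
    "system_reader": "role:reader and system_scope:all",
    "system_admin": "role:admin and system_scope:all",
    "identity:get_role": "rule:system_reader or rule:admin_required",
    "identity:list_roles": "rule:system_reader or rule:admin_required",
    "identity:create_role": "rule:system_admin or rule:admin_required",
    "identity:delete_role": "rule:system_admin or rule:admin_required",
    "identity:list_registered_limits": "rule:system_reader or rule:admin_required",
    "identity:create_registered_limit": "rule:system_admin or rule:admin_required",
}


def _atom(atom, creds, rules):
    """Evaluate one check-string atom against the policy values dict."""
    if atom == "@":          # always allow
        return True
    if atom == "!":          # always deny
        return False
    kind, _, value = atom.partition(":")
    if kind == "rule":       # reference another named rule
        return evaluate(rules[value], creds, rules)
    if kind == "role":       # role membership, including implied roles
        return value in creds["roles"]
    return str(creds.get(kind)) == value   # generic key:value comparison


def evaluate(check, creds, rules):
    """'or' of 'and'-groups: any disjunct passes if all its atoms pass."""
    return any(
        all(_atom(a.strip(), creds, rules) for a in disjunct.split(" and "))
        for disjunct in check.split(" or ")
    )


def enforce(action, ctx):
    """Return True if the context may perform the named API action."""
    return evaluate(RULES[action], ctx.to_policy_values(), RULES)


if __name__ == "__main__":
    system_member = RequestContext("u1", ["member"], system_scope="all")
    system_admin = RequestContext("u2", ["admin"], system_scope="all")
    project_member = RequestContext("u3", ["member"], project_id="p1")
    for who, ctx in [("system member", system_member),
                     ("system admin", system_admin),
                     ("project member", project_member)]:
        print(who, "list_roles:", enforce("identity:list_roles", ctx),
              "create_role:", enforce("identity:create_role", ctx))
```

The point the example makes explicit: a system-scoped ``member`` satisfies ``system_reader`` only because ``member`` implies ``reader``, and it still fails every write rule; a ``member`` on a project token fails even the read rules because ``system_scope`` is absent from its policy values. Adding a keystone-specific field to the dict returned by ``to_policy_values()`` is the only change needed for a new check-string key to become usable in ``RULES``.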