Commit Graph

13516 Commits

Author SHA1 Message Date
Colleen Murphy
0b29be3302 Move supported clients section to user guide
Additionally, correct examples to use proper v3-style credentials.

Change-Id: Ie64a691a12175ca74a5ac7ea90217f68607beb06
2018-12-10 16:53:02 +01:00
Colleen Murphy
4e39e2abe5 Move SSL recommendation to installation guide
As part of the docs consolidation effort, move the SSL recommendation to
the installation guides for each distro. This also corrects the wording:
"running in a web server" is not necessarily secure on its own; the web
server must be configured to use SSL.

Change-Id: If0b547680cbbea4c7f29d82de3f4fe96bd14b4ec
2018-12-10 15:55:13 +01:00
Colleen Murphy
c04756e0cd Move "Public ID Generators" to relevant docs
Currently, the section "Public ID Generators" is a subsection of
"Identity sources" but it reads as very out of place. Looking at the
commit that introduced the section (1a50986e7c), it's clear this was
meant to be part of the domain-specific-config section and was missed in
a reshuffle. This patch puts it back in place.

Change-Id: I2873f104adf6af4da4ba23f8c0d8afb0c1161da3
2018-12-10 13:52:47 +01:00
Zuul
e287f58fbb Merge "Add role tests for system member role" 2018-12-08 10:05:36 +00:00
Zuul
898d88520d Merge "Clarify docstrings for domain flask refactor" 2018-12-08 10:05:34 +00:00
Zuul
f2daf5e00c Merge "Consolidate catalog management guide" 2018-12-08 10:05:31 +00:00
Zuul
b43e0ba52c Merge "Update contributor doc" 2018-12-08 03:43:50 +00:00
Zuul
ed4cd65b77 Merge "Add missing translation import to common.auth.py" 2018-12-08 03:43:48 +00:00
Lance Bragstad
dd9d06c637 Add role tests for system member role
From keystone's perspective, the ``member`` and ``reader`` roles are
effectively the same, isolating writable role operations to the
``admin`` role.

This commit adds explicit testing to make sure the ``member`` role is
allowed to perform readable and not writable role operations.
Subsequent patches will incorporate:

 - system admin functionality
 - domain user test coverage
 - project user test coverage

Change-Id: I2bc3b65b6ef16adaa95e6299ac205b26797f7185
Related-Bug: 1805402
Related-Bug: 1806713
2018-12-07 17:01:57 +00:00
Colleen Murphy
fed5f52c8a Consolidate catalog management guide
We already have an admin guide on creating services in the catalog and
creating service users, so reduce the duplication in the configuration
guide.

Change-Id: I1de964753b8c6c95af10b8c84501e4f74ca382e4
2018-12-07 15:31:42 +01:00
Zuul
b25a655793 Merge "Update role policies for system reader" 2018-12-07 13:45:28 +00:00
Zuul
edec886dea Merge "Add registered limit tests for system member role" 2018-12-06 23:44:27 +00:00
Zuul
2afaa36348 Merge "Remove deprecated secure_proxy_ssl_header config" 2018-12-06 23:44:24 +00:00
Zuul
6448767a0d Merge "Add registered limit protection tests" 2018-12-06 07:41:28 +00:00
Zuul
95e60d599d Merge "Change openstack-dev to openstack-discuss" 2018-12-04 18:50:31 +00:00
Zuul
b77e539210 Merge "Don't emit a notification for the root domain" 2018-12-04 16:57:05 +00:00
Lance Bragstad
567f305b41 Update role policies for system reader
The role policies were not taking the default roles work we did last
release into account. This commit changes the default policies to rely
on the ``reader`` role for getting and listing roles. Subsequent
patches will incorporate:

 - system member test coverage
 - system admin functionality
 - domain user test coverage
 - project user test coverage

Change-Id: I3e373c437ff0ffddba10bde59fd7f18f8be6498c
Related-Bug: 1805402
Related-Bug: 1806713
2018-12-04 15:45:42 +00:00
ZhongShengping
6469f5c316 Change openstack-dev to openstack-discuss
Mailing lists have been updated. Openstack-discuss replaces openstack-dev.

Change-Id: I447cca1b13c8da7a1ff362274b3e3f75cd6b9e48
2018-12-04 10:00:29 +08:00
Zuul
aa8b236514 Merge "Keep federation jobs running on Xenial" 2018-12-03 12:26:11 +00:00
Lance Bragstad
8658011e41 Add registered limit tests for system member role
From keystone-perspective, the ``member`` and ``reader`` roles are
effectively the same, isolating writeable registered limit operations
to the ``admin`` role.

This commit adds explicit testing to make sure the ``member`` role
is allowed to perform readable and not writable registered limits
operations. Subsequent patches will incorporate:

 - system admin functionality
 - testing for domain users
 - testing for project users

Change-Id: I6c428422f09e788faf2179d24cc01eb1ab623b64
Related-Bug: 1805372
Related-Bug: 1805880
2018-11-30 23:19:44 +00:00
Lance Bragstad
216a4d5fc9 Add registered limit protection tests
This commit creates a set of sets that we can reuse across different
default roles and scopes to ensure everyone has access to registered
limit information. Subsequent patches will make sure we build on this
by incorporating default roles for:

 - system member test coverage
 - system admin functionality
 - domain user test coverage
 - project users test coverage

Change-Id: Ibb28ec8f85bad6df531cffc7ba2c5f879e96d297
Related-Bug: 1805372
Related-Bug: 1805880
2018-11-30 23:19:31 +00:00
Zuul
c9755685ff Merge "Move to password validation schema" 2018-11-30 09:43:25 +00:00
Jens Harbott
c3ee5e9ca8 Keep federation jobs running on Xenial
Devstack/Tempest are going to migrate to the latest Ubuntu LTS release
18.04 aka Bionic, but there is an issue with the apache shibboleth
module, see [1] and [2].

As a workaround we keep the federation jobs running on Xenial for now.

[0] https://etherpad.openstack.org/p/devstack-bionic
[1] https://bugs.launchpad.net/keystone/+bug/1802901
[2] https://bugs.launchpad.net/ubuntu/+source/xmltooling/+bug/1776489

Change-Id: I8ad93577b1e5a5084e2a65cb1377eb7b0d353cb7
Depends-On: https://review.openstack.org/620906
2018-11-29 12:59:45 +00:00
Gage Hugo
bc2f0d03b6 Clarify docstrings for domain flask refactor
This change addresses a comment from a previous change[0] to
clarify in the docstring about the APIs that each flask resource
class utilizes from the base class.

[0] https://review.openstack.org/#/c/613182/

Change-Id: Ia21b506726c1f75ff580bddd6b2bf18e2f5660c3
2018-11-28 21:36:01 -06:00
Lance Bragstad
cb5a1fe036 Move test utility to common location
Several of the test classes for testing the service provider API were
duplicating a method to build a request body. Instead of duplicating
a common and useful utility, we can move it to a generic place and
share it.

This commit creates a new method in keystone.tests.unit.core for
building service provider entities to be used in API and backend
tests. A subsequent patch will rely on this for testing policy
protection of the service provider API.

Change-Id: I78e697f9f5fb975b4694ab1a61f608a6dce0fd3b
2018-11-28 14:53:30 +00:00
Lance Bragstad
e5d1eba024 Add missing translation import to common.auth.py
This utility was refactored, but the refactor didn't include a
required import statement:

  Ie7e156a83006c1578c87d862cb4d1d948a800809

This wasn't caught because none of our unit tests were trying to
build authentication payloads with a bogus scope.

Change-Id: I43f72d12f3eb57af69c4b40258baa3b11d0a6a54
2018-11-28 14:23:41 +00:00
Zuul
ffeb6b3ad7 Merge "Bump sqlalchemy minimum version to 1.1.0" 2018-11-27 21:56:16 +00:00
Gage Hugo
dec8c717c9 Move to password validation schema
This change moves the user api change password value check to
JSON schema, rather than manually checking for empty/invalid
values. After this, more of the password validation can
be moved up to schema from code.

Change-Id: I15b1df51af53d56293a7b1b2a06fda7f4e5d45eb
2018-11-27 14:57:44 -06:00
Zuul
abb811f6d2 Merge "Pass context objects to policy enforcement" 2018-11-27 20:52:50 +00:00
Gage Hugo
5d1a97394d Don't emit a notification for the root domain
This change stops keystone from emitting a notification when the
resource is the root domain <<keystone.domain.root>>. Currently
nothing should be invoking the root domain as an initiator outside
of tests; once the root domain is properly exposed this can be
removed.

Change-Id: Ic8bfd57a7e6e44342cf3748a6be3824de5aed1a0
2018-11-27 18:58:18 +00:00
Zuul
d53ed61468 Merge "Move irrelevant-files to project definition" 2018-11-27 18:48:02 +00:00
Zuul
e8e9c7b37f Merge "Update api-ref to include user options" 2018-11-27 17:58:31 +00:00
Zuul
04bf2ce828 Merge "Add tempest-full-py3 job to zuul file" 2018-11-27 00:07:30 +00:00
Lance Bragstad
0dc5c4edab Pass context objects to policy enforcement
The oslo.policy library actually accepts context objects as a first
class citizen, instead of a hand-built `creds` dictionary. This is a
preferred approach because it's easier for services to use
oslo.context to generate a context object that they can automatically
pass to oslo.policy for enforcement instead of inspecting the context
object and building a dictionary manually to pass to oslo.policy.

This commit allows keystone to partake in this by pulling the
keystone request object, which is a subclass of oslo.context's
RequestContext object, and uses it in enforcement. Additionally,
we're overriding the to_policy_values() method of oslo.context
in order to make sure we port keystone-specific values to the policy
dict representation of a context object. This ensures we have values
present that we rely on with our default policies.

This commit also bumps the lower requirement for oslo.policy to
make sure we're always using a version that understands context
objects.

Change-Id: I63e713f4aebf3e8cf5189a6060569d2828bc364d
2018-11-26 19:48:10 +00:00
Zuul
c56fcf048b Merge "Consolidate auth-totp.rst" 2018-11-24 03:38:22 +00:00
Zuul
b46771dc62 Merge "Consolidate event_notifications.rst" 2018-11-24 03:37:48 +00:00
Zuul
f81e028ba7 Merge "Consolidate endpoint-policy.rst" 2018-11-24 03:37:47 +00:00
Zuul
5945d10b13 Merge "Consolidate service-catalog.rst" 2018-11-24 03:15:29 +00:00
Zuul
123de603b2 Merge "Consolidate identity-domain-specific-config.rst" 2018-11-24 03:15:27 +00:00
Zuul
4ba38a8124 Merge "Refactor flask domain config resources" 2018-11-23 03:22:16 +00:00
Suramya Shah
ed6366813d Consolidate identity-domain-specific-config.rst
Consolidate from configuration.rst into identity-domain-specific-config.rst.

Change-Id: Id989342e31be31a3c5cb946ff2177ffa5a8f47a8
2018-11-22 21:06:21 +01:00
Suramya Shah
dc3b8edaac Consolidate auth-totp.rst
Consolidate from advanced-topics/auth-totp.rst into admin/auth-totp.rst.

Change-Id: I5cbc2c7d87df5c4d4f3c5cffb238f9c91aa2724c
2018-11-22 19:51:40 +01:00
Suramya Shah
3daeeb4f21 Consolidate event_notifications.rst
Change-Id: I66afc49dac0ba8b9d90fe90715894042f469db20
2018-11-22 19:49:33 +01:00
Suramya Shah
f1ad6654db Consolidate endpoint-policy.rst
Consolidate from configuration.rst into endpoint-policy.rst.

Change-Id: I80184005cc70a1e769fd3507360aa7d795785f5c
2018-11-22 19:45:05 +01:00
Suramya Shah
53f0b62e8e Consolidate service-catalog.rst
Consolidate from configuration.rst into admin/service-catalog.rst.

Change-Id: I3446f5e8ac7dc5ea2db180b0039b9f66d3f703e7
2018-11-22 19:41:54 +01:00
Zuul
a32c596980 Merge "Region update extra support" 2018-11-21 21:20:05 +00:00
Zuul
fb73912d87 Merge "changed port in tools/sample_data.sh" 2018-11-21 06:01:42 +00:00
Zuul
6dd1c7dae8 Merge "Add missing ws seperator between words" 2018-11-21 05:35:53 +00:00
Zuul
98b8760980 Merge "Document user options" 2018-11-21 05:35:50 +00:00
wangxiyuan
58f7827ce7 Update contributor doc
1. Remove some invalid links
2. Remove `paste` related doc
3. Fix some nits.

Change-Id: Iefdc12dd3b93ff7b2d6df635bc849a0c9b42f171
2018-11-21 10:28:52 +08:00