Keystone had a problem where there was a memcached socket
opened very early on startup which then got shared between
worker processes when running under uwsgi. Since we don't have
a test or a way to ensure that no sockets are opened too early
for uwsgi, let's recommend setting lazy-apps to avoid issues.
Change-Id: I8b46c5424094d3abe9a986da4ee1143f72a91a4d
Related-Bug: 1600394
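
Added example, not part of the commit or of keystone's code: a simplified model of the shared-socket problem described above, with os.fork standing in for uwsgi's worker fork and a local Unix socket standing in for memcached. The names run_workers and _connect and the "worker-N" message format are constructed for illustration; lazy=False opens the socket before the fork, as when the app is loaded in the master, and lazy=True opens it in each worker after the fork, as with lazy-apps.

```python
import os
import socket
import tempfile

def _connect(path):
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.connect(path)
    return s

def run_workers(lazy, n_workers=2):
    """Fork workers; return, per server-side connection, the worker ids seen on it."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for memcached: a local Unix-socket listener.
        path = os.path.join(tmp, "cache.sock")
        server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        server.bind(path)
        server.listen(16)
        server.settimeout(5)
        # lazy=False: socket opened in the master, before any worker exists.
        early = None if lazy else _connect(path)
        pids = []
        for wid in range(n_workers):
            pid = os.fork()
            if pid == 0:  # worker process
                try:
                    # lazy=True: each worker opens its own socket after the fork.
                    conn = early if early is not None else _connect(path)
                    conn.sendall(b"worker-%d\n" % wid)
                    conn.close()
                finally:
                    os._exit(0)
            pids.append(pid)
        if early is not None:
            early.close()
        for pid in pids:
            os.waitpid(pid, 0)
        seen = []
        for _ in range(1 if early is not None else n_workers):
            peer, _addr = server.accept()
            data = b""
            while chunk := peer.recv(4096):
                data += chunk
            peer.close()
            seen.append(sorted(data.decode().split()))
        server.close()
        return sorted(seen)

if __name__ == "__main__":
    print({lazy: run_workers(lazy) for lazy in (False, True)})
```

With the socket opened before the fork, the server sees a single connection carrying traffic from every worker, so requests and replies from different workers can mix on it.
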
I ran some tests locally that showed that when using the uwsgi
deploy the keystone server wasn't using all the processes
available. When I switched from "threads" to "processes" the
concurrent performance improved considerably. So I'm proposing
that the docs use processes to improve performance.
Change-Id: I5375702f45ccb82c02ff2bba1eabda836d5d25eb
Web servers that are exposed to the Internet eventually gain a
security feature of limiting the amount of data in the request
body. In Apache Httpd, this is provided by the LimitRequestBody
directive. This is added to the sample Httpd config file.
The limit is set for only the keystone services so it won't
affect other services running in Httpd.
The value of 114688 was picked because it's the current limit
on request body that oslo.middleware's sizelimit function puts
on requests to keystone.
Use of oslo.middleware's sizelimit re-implementation can be
deprecated.
Docs:
- http://httpd.apache.org/docs/2.4/mod/core.html#limitrequestbody
ReleaseNotesImpact
Closes-Bug: 1481048
Change-Id: I5509e4b65900c15dd0b5fda43b1d5bb4dc3ff5ff
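
Added example, not from the commit, keystone, Apache or oslo.middleware: a minimal WSGI-level model of what a request body limit enforces, using the 114688 value quoted above. The names limit_body, LimitedReader, echo_len and call are hypothetical; the block shows the two places such a limit applies, the declared Content-Length and the bytes actually read when no usable length is given.

```python
import io

MAX_BODY = 114688  # limit quoted in the commit message

class BodyTooLarge(Exception):
    """Raised by LimitedReader when the body exceeds the limit."""

class LimitedReader:
    """Wraps wsgi.input; raises once more than `limit` bytes have been read."""
    def __init__(self, stream, limit):
        self.stream, self.limit, self.seen = stream, limit, 0

    def read(self, size=-1):
        # Pull at most one byte past the limit, so oversize is seen without buffering it all.
        budget = self.limit + 1 - self.seen
        if size is None or size < 0 or size > budget:
            size = budget
        data = self.stream.read(size)
        self.seen += len(data)
        if self.seen > self.limit:
            raise BodyTooLarge()
        return data

def limit_body(app, limit=MAX_BODY):
    def middleware(environ, start_response):
        def reject():
            start_response("413 Request Entity Too Large", [("Content-Length", "0")])
            return [b""]
        declared = environ.get("CONTENT_LENGTH", "")
        if declared.isdigit() and int(declared) > limit:
            return reject()  # refused on the declared length; body never read
        environ["wsgi.input"] = LimitedReader(environ["wsgi.input"], limit)
        try:
            return app(environ, start_response)
        except BodyTooLarge:
            return reject()  # no trustworthy length: caught while reading
    return middleware

def echo_len(environ, start_response):  # constructed demo app
    body = environ["wsgi.input"].read()
    start_response("200 OK", [])
    return [str(len(body)).encode()]

def call(app, body, extra=None):  # constructed request driver
    statuses = []
    environ = {"REQUEST_METHOD": "POST", "wsgi.input": io.BytesIO(body), **(extra or {})}
    out = app(environ, lambda status, headers: statuses.append(status))
    return statuses[-1], b"".join(out)
```
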
Now that we have keystone-wsgi-admin and keystone-wsgi-public
we can deprecate httpd/keystone.py. These 2 are already defined
in setup.cfg pointing to wsgi.py to initialize the application.
Change-Id: Ifcdfcb31e7be18b511a7c586d9ca259bc15bec44
Closes-Bug: 1494922
Apache Httpd can be configured to accept keystone requests on all
sorts of interfaces. The sample config file is updated to show
how to configure Apache Httpd to also send requests on /identity
and /identity_admin to keystone.
Closes-Bug: 1496041
Change-Id: Ie7b829eff16c0e839f8dd1e4ecef7fdc06c3f561
The httpd/keystone.py file needed to be copied and then
symlinked when used by web servers to "admin" and "main".
pbr 1.4.0 added support for wsgi_scripts that creates scripts
for wsgi servers on install. Keystone will now specify
wsgi_scripts so that the admin (keystone-wsgi-admin) and
main (keystone-wsgi-public) scripts will be created on install.
See http://httpd.apache.org/docs/2.4/upgrading.html#access for
the apache docs with examples for the Allow/Deny/Require
directives.
DocImpact
Related-Bug: #1441733
Change-Id: Ic9c03e6c00408f3698c10012ca98cfc6ea9b6ace
The sample httpd config file was not using best practices for
apache configuration. The file is now a copy of the file that
devstack uses for keystone apache config
(files/apache-keystone.template), with the replacement strings
updated to the keystone defaults.
Also, the "Firewall" section is removed from the httpd config
docs because the sample config file isn't using port 443.
Change-Id: I1d10925b33ec7e70793e61db1cb99186f112ef3e
There was a lot of code in keystone-all and httpd/keystone.
Functions in keystone-all and httpd/keystone can't be called from the
tests, so this code should be in the keystone package.
This also allows some sharing of common code between keystone-all,
httpd/keystone, and the tests.
bp refactor-keystone-all-http
Change-Id: I1c4e59e253b1816ccfb4d5bf1d2aa40b49221b4f
The server wasn't returning a JSON Home response for GET / when the
Accept header is `application/json-home`. By returning the V3 JSON
Home response for GET / a V3 client that supports JSON Home can
GET either /v3 or / and use the response. The identity API should
be able to be set to /.
Closes-Bug: #1366589
Change-Id: I3191a85acf9d2f582f6b48a164cf5ac2bf84a8cf
Keystone was using the I18N functions from oslo-incubator. With
this change, Keystone uses the new oslo.i18n library.
The tests were adapted to not use internal symbols because these are
subject to change.
Change-Id: I1b13fcc630952695424fccd91bcd157d702851f1
Pecan uses thread local storage and so if we combine pecan and eventlet
we need to make sure that eventlet is monkey patched before pecan is
first loaded.
To keep the paste.ini file untouched we need to keep the app creation in
service.py but we can't load that from keystone-all because it has pecan
in it.
So we create a new file that can be safely imported before pecan is
loaded.
Change-Id: If7abf1db9859d66c06f7f223056c106292f256fa
blueprint: keystone-pecan
This allows strings being returned in an HTTP response to be translated
into the language specified in the HTTP request's headers.
Closes-bug: #1297922
Change-Id: I8a671277f861075deddd1ee4cf5daca62a43fff7
Previously `_` was monkeypatched in tests/core.py and bin/keystone-*.
This meant that if a developer was not running the tests exactly as
the documentation described they would not work. Even importing
certain modules in an interactive Python interpreter would fail unless
keystone.tests was imported first. Monkeypatching was removed and
explicit import for `_` was added.
Co-Authored-By: David Stanek <dstanek@dstanek.com>
Change-Id: I8b25b5b6d83fb873e25a8fab7686babf1d2261fa
Closes-Bug: #1255518
We don't need vim modelines in each source file; they can be set in
the user's vimrc.
Change-Id: Ie51ad62946afdf39eadcd59edaf8134ec10265c6
Closes-Bug: #1229324
The default for default_log_levels didn't set the log levels
for some packages that Keystone uses (for example, dogpile). This
caused the server to output a lot of extra logs when debug=True
is used.
You can get the debug output for dogpile and routes by setting
default_log_levels explicitly in your keystone.conf file.
Change-Id: Ib797fa7b98f0e501047b72b094d07ad204385cc6
Related-bug: #1245629
Closes-Bug: #1269987
The keystone.config package called config.configure() at import-
time.
This will make it obvious that developers can't use config
options at import-time because packages that do that will fail on
import.
Change-Id: I9306f67609d782e3f49fd43908448daf1287d51c
Related-Bug: #1265108
Related-Bug: #1265670
Closes-Bug: #1269785
This change makes it so that if the user makes a request with an
Accept-Language header and the response is an error where the
message is translatable, then the message will be translated to
the requested language (or the most appropriate language
available).
completes bp user-locale-api
Change-Id: I5b0b02e0459a6a444baa12f8722adb829b7e152b
When trying to authenticate with the oauth plugin, it is
possible that the dependency is not yet loaded, and as a result
the user will receive an error message: "Oauth is disabled".
This patch will ensure the dependency is loaded after the pipeline
Fixes: bug #1264803
Change-Id: I37484bf844896b1a1b560923a8afaf99e91635e4
Keystone was using its own keystone.common.sql module for
database access. oslo-incubator's db.sqlalchemy module provides
the same or better functionality, so use that instead.
DocImpact
- The options that were in the [sql] section are deprecated and
replaced by options in the [database] section. There are
also several new options in this section. If database
configuration is described for another project that uses
oslo-incubator's db.sqlalchemy module the docs can be shared.
Part of bp use-common-oslo-db-code
Change-Id: I25b717d9616e9d31316441ae3671d2f86229c2bf
Backend creation was happening at import time. This changes the
code so that backend creation time is controlled by calling a
function.
This also allows sharing the backend creation code between the
server and the tests.
Change-Id: Ib817aa341de510a46faa8ed0bc24ef9268fa944b
This change just cleans up the setup_logging function. It was
defined in keystone.common.config and then also exported from
keystone.config. Also, it had extra parameters that were unused.
This takes care of a NOTE (which probably should have been a
TODO) in the code.
Change-Id: I1a46c8974cbd68a5bf708d253adfadc1fdb76dcd
This change disables lazy gettext functionality in Keystone,
due to problems with character encoding and logging
detailed in bug 1225099.
It is part of a series of commits across all projects with
lazy gettext enabled.
Change-Id: Ia934a7df9386baf6ae8eb9ff48c24386c47ecd23
Partial-bug: 1225099
When updating to the oslo logging module, it appears that this script
was missed, and erroneously still references .DEBUG, which is not
available in the oslo logging module. This commit corrects the issue
and updates the reference to oslo log module to not be aliased to
"logging".
The extra logic to set the debug on the instantiated logger is still
needed to ensure all logging is seen (startup config logging, etc).
fixes-bug: 1220012
Change-Id: If5b4f9f28cb9d05f914848cbdb54b10c2c5f3b2d
Fixed H102 errors
Hacking 0.6 already pins down pep8, pyflakes and flake8 so they can be
removed from test-requirements as they are indirect dependencies.
Co-author: Joe Gordon <joe.gordon0@gmail.com>
Change-Id: If7e79c70fe44d7e42a14cd6c710fd9986f995446
Messages created statically (during import) were not being
translated in responses when the Accept-Language header was
used to set the expected language in the response. The static
messages were being created before the _ built-in had been
installed by gettextutils.install().
Change-Id: Ie56b1d3a836bc5f2262d7af68f803a08ebdf016f
Resolves-Bug: #1215192
A couple references to this module were missed, and a few new ones were
created while it was in the process of being deprecated. This change
removes outstanding references to the module.
blueprint unified-logging-in-keystone
Change-Id: I4cc7614b3f74caaec9dfa100202d9d6db4ebfc36
Add support for doing language resolution for a request, based on the
Accept-Language HTTP header.
Using the lazy gettext functionality from oslo gettextutils, it is
possible to use the resolved language to translate an exception message
to the user requested language and return that translation from the API.
Co-authored-by: Luis A. Garcia <luis@linux.vnet.ibm.com>
Co-authored-by: Mathew Odden <mrodden@us.ibm.com>
Implements bp user-locale-api
Change-Id: Id8e92a42039d2f0b01d5c2dada733d068b2bdfeb
The environment module will be configured once, during code initialization.
Subsequently all other possibly-evented modules will retrieve from
environment and transparently obtain either the eventlet or standard
library modules.
If eventlet, httplib, subprocess or another environment-dependent module
is referenced outside of the environment module, it should be considered
a bug.
The changes to tests are required to ensure that test is imported first
to set up the environment. Hopefully these can all be replaced with an
__init__.py in a post-nose keystone.
Implements: blueprint extract-eventlet
Change-Id: Icacd6f2ee0906ac5d303777c1f87a184f38283bf
PasteDeploy configuration contains class names which might change
between releases. Keeping it separate from user-configurable
parameters allows deployers to move the paste-deploy ini file out of
the configuration directory to a place where it can be safely overwritten
on updates, e.g. under /usr/share/.
DocImpact
Change-Id: I9292ca6226c8430b93565dedd45cc842742a23e2