This change adds some more detail to the roles section of the
casing documentation for keystone, as well as clarifying the
examples given for users and projects. Also added project tags
casing.
Change-Id: I55447c8b599ab48021bd95204c4bf3c5bc7e690c
python-openstackclient now has proper support for a keystone-to-keystone
session, so document that instead of falling back to keystoneauth.
Change-Id: I3d78ea085b9cabc50681e5f878172a5efe3e7c43
This change fixes the indentation of some of the fields in
the notification example of "Expired Password".
Change-Id: Icf67e4ab4eac0769c09db91d7017a3a067eaf684
Originally, the "extra" in token data is generated by auth plugin
and then will be return to users within token data.
In Kilo, the "extra" in token data was deprecated[1], after that
if the auth plugin generate the "extra", a warning log will be
raised. To stop the warning, the auth plugins should stop
generating "extra" field.
After two releases, in Mitaka, the "extra" in token data was
removed[2], but the "extra" was still created by default as an
empty dict {}. Actually, "extra" should not be created any more
in Mitaka because Keystone has warned the auth plugins for two
releases.
Now in Rocky, it's safe enough to remove the "extra" from token
issue flow at all since it has never been used from Mitaka. The
only concern for the out tree plugins about the removal is that
if they still put "extra" into auth_context, Keystone will raise
KeyError. But can it be happened? Only if the out tree plugins
ignore the warning in Kilo, and still contain "extra" but never
use them from Mitaka. For most auth plugins which follow the
Keystone deprecation step, this patch is a silent change.
[1]: https://review.openstack.org/#/c/162662
[2]: https://review.openstack.org/#/c/249480
Change-Id: I828cc0ad3ac265abdfea2e1571806add128ae51e
This adds a new page of documentation to describe how keystone handles
case sensitivity (or the lack of) depending on the resource and
backend used.
Change-Id: I868b43e6be7809648f9260e1b272f5626b30a95d
Installation of tempest itself and the installation of the
keystone-tempest-plugin is missing from the description.
This change adds them.
Change-Id: I76c4199429b9bffc606928fb32fe87805b7eac24
Signed-off-by: Gergely Csatari <gergely.csatari@nokia.com>
We see a lot of very small patches from new contributors to do things
like fix typos, correct grammar, switch to HTTPS URLs, and similar
trivial changes. Many of these changes are technically correct, but the
value they provide to the project is very low. Assuming the best of
intentions, the obvious conclusion is that these contributors very much
want to help, but don't know where to start and haven't been given
proper guidance.
This patch introduces a new guide that lists some ongoing tasks that we
always want help with. These should be tasks that someone with no
historical context in the keystone project should be able to pick up,
but by starting a few steps above typo fixes will be able to learn
enough to eventually make more significant contributions. When typo fix
patches come in, we can use this guide to gently encourage new people to
make more valuable contributions.
Change-Id: I2a003bbef3ffbde1818fddcb840905eac6f0618c
We plan to expose the enforcement model a deployment is using via
the limit API. This commit prepares for that implementation by
introducing the policy for it.
Change-Id: I03c9cec3646ee354ebcdd4ddc1168e00d611171b
Related-Bug: 1765193
According to the API-WG's suggestion, the update registered
limit/project limit APIs should be refactored as:
1. Change PUT to PATCH
2. Remove batch update limits support for PATCH
Closes-Bug: #1754184
Change-Id: I1102166ab425a55d8eaf85c75d8fd3a7dfbaceb6
This patchset removes the lingering code that supported paste.deploy
that is obsolted by the loader wrapped around keystone's use of Flask.
* The keystone-paste.ini file has been removed.
* All options have been removed (without deprecation) as they are no
longer referenced.
* The TokenAuthMiddleware code (with deprecation warning) has been
removed as it was only provided to ensure compatibility with paste.ini
files that were not updated (ensuring not breaking a deployer that
did not update paste.ini file to remove it from the pipeline).
* Paste deploy entrypoints have been removed.
Change-Id: I35064a440ef718f50c7e644e8b2d56a99c3ec74f
A recent change defaults the warning-as-error to True:
https://review.openstack.org/#/c/559348/
Which is causing our documentation jobs to fail locally and in the
gate/check queues.
This commit fixes both issues that are causing failures so that
we can get the doc jobs passing again.
Closes-Bug: 1774508
Change-Id: Ic1eff48a6f40aa315cc5e566a0f9e930a20b9837
- the policy service was never finished
- it's overall design doesn't contribute to the architecture of keystone
- it's mostly boilerplate code
- it's marked as deprecated in the API reference
- people trying to understand the architecture document don't need to
fill a register with this information when there are other more
meaningful things to parse
Change-Id: Ie4f5b992e277eb79041fd6211a171ca90057fd69
During the Liberty summit in Vancouver, there was a session on
the standardization of the service catalog:
https://etherpad.openstack.org/p/service-catalog-cross-project-vancouver
As a result, Dolph put together a really good post condensing that
information for client developers as well as developers working
on integrating their services into the OpenStack ecosystem:
https://blog.dolphm.com/openstack-keystone-service-catalog/
This commit massages some of the wording and proposes the guide as a
section of our own contributor documentation.
Co-Authored-By: Lance Bragstad <lbragstad@gmail.com>
Change-Id: Ie3328a8f7e093e894903a48809761fcbad279154
Closes-Bug: 1459402
User option ``lock_password`` has been implemented. This
option when set to ``True`` will prevent the usage of the
self-service password change API. If the ``lock_password``
option is set to ``False`` or ``None`` (to remove the
option from the user-data structure) normal password
change operations are allowed
Closes-Bug: #1755874
Change-Id: Icf1776c5fe625c2e9292bfcf40a8a9f17a002656
Added prerequisite package note and associated link to the main Install Guide
to the Keystone install guide. This is to ensure commands further down the
Keystone guide don't fail unexpectedly.
Change-Id: I189854fbc7f1e05945ab0002c08ee84f7bfad196
Closes-Bug: 1754413
Closes-Bug: 1754417
Option auth_uri from group keystone_authtoken is deprecated[1].
Use option www_authenticate_uri from group keystone_authtoken.
[1]https://review.openstack.org/#/c/508522/
Change-Id: Iefad7ba17f01d2982567e7f1f207ecb29d093e83
- Ensure myproject and myuser are used throughout the guide
consistently
- Add note that connection's host in keystone.conf must be resolveable
Change-Id: Icaaf6c1b7583ed75b7a6204d7fb1f3506e4e8937
This change fixes the 3 occurrences of "accommodate" being misspelled
in the keystone install documentation.
Change-Id: I2eb50fd1aedb8e7cb7530d640aaa8f183134945c
Bring the RDO install guide into alignment with the Ubuntu and SUSE
guides by removing references to the admin port 35357 that was used for
the keystone v2 API.
Change-Id: Ic2c5452dae0c142ce3311f6b5e6d9590d618fc22
The external developer document we have attempts to clarify various
concepts in keystone and make it easier for other developers writing
other services. Now that we've removed the v2.0 API, it makes sense
to update this documentation to refer to v2.0 in the past tense. Some
parts of the document seemed specific to operator documentation, which
has been either removed or reworked to the intended operators, other
service developers.
Change-Id: I809150f8b77a813e2300760fdcb1d11cfa8ca732
Support for the UUID token provider was removed when the Rocky cycle
opened for development:
I76d5c29f6b1572ee3ec7f2b1af63ff31572de2ce
This commit removes references to the UUID token provider from the
token provider documentation.
Change-Id: I85aa4eac1098628f090b3e95a9234bc5777d274d
Partial-Bug: 1757151
A lot of people are very surprised that we no longer reference port
35357 in our Ubuntu (and SUSE) install guides. Add a note to clarify
that this is not a bug and we do really mean it.
This does not change the RDO install guide because our guide still
instructs users to use port 35357 because the RDO package still includes
an Apache vhost file that uses 35357.
Change-Id: I334ba888190705a345d50cebe577b832753f202c
Related-bug: #1755026
Related-bug: #1755511
Related-bug: #1756178
