Bring the RDO install guide into alignment with the Ubuntu and SUSE
guides by removing references to the admin port 35357 that was used for
the keystone v2 API.
Change-Id: Ic2c5452dae0c142ce3311f6b5e6d9590d618fc22
The external developer document we have attempts to clarify various
concepts in keystone and make it easier for other developers writing
other services. Now that we've removed the v2.0 API, it makes sense
to update this documentation to refer to v2.0 in the past tense. Some
parts of the document seemed specific to operator documentation, which
has been either removed or reworked to the intended operators, other
service developers.
Change-Id: I809150f8b77a813e2300760fdcb1d11cfa8ca732
Support for the UUID token provider was removed when the Rocky cycle
opened for development:
I76d5c29f6b1572ee3ec7f2b1af63ff31572de2ce
This commit removes references to the UUID token provider from the
token provider documentation.
Change-Id: I85aa4eac1098628f090b3e95a9234bc5777d274d
Partial-Bug: 1757151
A lot of people are very surprised that we no longer reference port
35357 in our Ubuntu (and SUSE) install guides. Add a note to clarify
that this is not a bug and we do really mean it.
This does not change the RDO install guide because our guide still
instructs users to use port 35357 because the RDO package still includes
an Apache vhost file that uses 35357.
Change-Id: I334ba888190705a345d50cebe577b832753f202c
Related-bug: #1755026
Related-bug: #1755511
Related-bug: #1756178
Modify the Install Guide to use different labels for user, role, and project
names.
Change-Id: I14303ae708e47a8782d4ccc2a8c2ee076bc071b8
Closes-Bug: 1746302
Keystone has supported JSON Home documents since Juno, but we never
had any user-facing documentation for the API. This commit adds a
section to the user guide that describes what JSON Home is and adds
an example of how users can get it.
Change-Id: Ib0793f6af4f65e5549ba0543b87d20f3f1a8a62d
In Queens the v2.0 APIs were removed. This commit removes the
leftover v2.0 policies documented in the sample policy file.
Change-Id: Ibb841bcbc12d0be365ddb2681310a0eee6724782
With support for application credentials landed on
python-openstackclient, update the documentation to use this more
user-friendly method of managing application credentials.
Change-Id: I0c05d5a276a6aeb6cc464420ca8c529ed00e4b45
Depends-on: https://review.openstack.org/536163
Add documentation in the User section on managing, using, and rotating
application credentials.
Since application credential support didn't make it into
python-openstackclient in the Queens release, show examples using
python-keystoneclient.
Change-Id: I24bc51d2f3741771ba321fc05d49fd111aa76c15
Both of these drivers were staged for removal in Rocky. Now that
Rocky is open for development we can remove them. This commit removes
just the bare-bones aspects of each. Subsequent patches will do the
following:
- Remove test classes that were only meant for sql or uuid scenarios
- Refactor the notification framework to not hint at token storage
- Refactor the token provider API interfaces to be simpler and
  cleaner
- Remove the needs_persistence property from the token provider API
  and document the ability to push that logic into individual
  providers that require it
- Return 403 Forbidden for all requests to fetch a revocation list
- Remove the signing directory configuration options
These changes will result in simpler interfaces which will be
important for people implementing their own token providers and
storage layers.
bp removed-as-of-rocky
Change-Id: I76d5c29f6b1572ee3ec7f2b1af63ff31572de2ce
With the removal of the v2 API, there is no reason to keep listening on
multiple ports. Update the OBS install guide to only mention the one
port. The openSUSE openstack-keystone package does not provide a default
vhost config file so we can update this independently of any package
changes in the distro. This also removes a few incorrect notes, one
claiming that the distro package installed and started the nonexistent
eventlet service and one claiming that port 5000 only allowed non-admin
access.
Change-Id: Ic06af94335598e0aadac20874d177e531069548a
The curl examples we keep in our documentation contain examples for
interacting with the now removed v2.0 APIs. This commit removes those
examples since we no longer support v2.0, except for the ec2token API
until the T release. The curl examples didn't have any v2.0 ec2token
examples.
Change-Id: I7e16421873de1c2ebf13db971bef80a2d74e5823
This commit updates some of our contributor documentation to
accurately describe the v2.0 situation, now that we've removed
support for it.
Change-Id: Iffd59b81bc269ce67814199b024a034386d74e0c
This commit describes enforcement models and documents the only
enforcement model currently supported, which is flat enforcement.
bp unified-limits
Change-Id: I37aa7b57ce5e52e995a7ebc0db94dd0caccea461
This patch takes a first pass at including system-scope token in
the authentication/authorization documentation.
bp system-scope
Change-Id: I3f334bfe8286d3863610582e4c3d5942b755987d
Add the controller, router, schema, and policies for application
credentials. If a secret is not provided, one is generated at the
controller layer.
bp application-credentials
Depends-on: Id26a2790acae25f80bd28a8cb121c80cb5064645
Depends-on: Icbd58464182b082854fb5d73ccc93c900ede020c
Change-Id: I7a371d59c19a11e55f17baf12d92327c1258533d
The AdminTokenAuthMiddleware has already been removed.
Remove the related doc and config help message to
avoid being misleading.
Change-Id: I87f41b26776b351087f0bd89ba8f1a3cb3d4a062
The ``keystone-manage pki_setup`` command has been removed already.
This patch removes the related doc.
Change-Id: Ieba6848bd205e5f09267033490cd47fc4db30414
This commit adds some high-level documentation from the unified limit
specification to the administrator guide. A subsequent patch will
elaborate on enforcement models.
bp unified-limits
Change-Id: Ic644a7073fb8eeed9427b8c702ba2fa15fd4a9d5
This commit lays down the policies needed to protect the unified limit
API. A subsequent patch will expose the implementation.
bp unified-limits
Change-Id: I952fe6213adce86a92d7d607c9b639076b279f6c
Curly quotes (Chinese punctuation) are usually input from a Chinese input method.
When read in an English context, they cause some confusion.
Change-Id: I40fed2db58b87188c5c405f7d3b43d6ccd51016e
Keystone has APIs for retrieving projects and domains based on the
role assignments a user has on projects and domains. We should
introduce similar functionality for system assignments. This will
make discovering system access for users and clients easier.
bp system-scope
Change-Id: Iab577fcd1b57b8b5593c3f9d50a772466383a999