As we use the federation protocol, assign authorization to ephemeral
users by mapping to groups. Setting this mapping does not add the
ephemeral user to the group and the user is not a member of the group.
Only the authorization for the user is the same as the role assignments
to the group on a project or domain.
This patch adds an explanation of the group mapping.
Change-Id: I9faa7d57037af3c2cf6ccfda8d853693fa5eb628
If a federated user is ephemeral, the user will become a member of
the identity provider's domain. The identity provider and service
provider are different entities; this patch corrects the note and
makes it more distinct.
Change-Id: I71a8b339e2e8f176761a36a4effe09afcf5388a6
This adds a section within the index file that describes what a
relationship link is and what it is used for in terms of each
operation within keystone. There will be a relationships section
in both v3 and v3-ext.
This should help clarify any confusion that may arise when a user is
viewing the api-ref about what the relationship links are.
Change-Id: I9c6b7959ed6ea682c565c515af0cf509b6a64e5d
Closes-Bug: #1674676
In order for a federated user to be mapped to a local user that exists
in the identity backend, the user object in the local mapping rule must
have the property "type": "local" set, in addition to having a keystone
domain provided. This was probably not the original intention of the
local user mapping spec[1], but this is how it ended up being
implemented. We could choose to change the behavior of the code, but
it has been around long enough that it is possible that deployments are
depending on this behavior, and moreover making rules explicit rather
than implicit reduces the risk of bugs and mistakes.
This patch updates the api-ref documentation and the standard federation
documentation to include the "type" property when mapping to local
users. In addition, since we now have two keywords called "local" that
mean somewhat different things, we expand the context of some of the
mapping examples so that both the rule name "local" and the value
"local" of the attribute "type" appear in the example, for clarity.
Change-Id: Ib35e57e33903de14f9cac1f919c32dfe923ef884
Closes-bug: #1673157
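
The rule described in the commit message above, as an added example (not code from keystone or from the patch): a small audit that walks a mapping and reports, for each user object in a "local" rule, whether it carries both "type": "local" and a domain. The sample mapping is constructed, and the function name and verdict labels are hypothetical.

```python
# Constructed sample in the keystone federation mapping format.
SAMPLE_MAPPING = {
    "rules": [
        {   # explicit local user: "type": "local" plus a domain
            "local": [{"user": {"name": "{0}", "type": "local",
                                "domain": {"name": "Default"}}}],
            "remote": [{"type": "REMOTE_USER"}],
        },
        {   # domain given but "type" omitted: not mapped to a local user
            "local": [{"user": {"name": "{0}",
                                "domain": {"name": "Default"}}}],
            "remote": [{"type": "REMOTE_USER"}],
        },
        {   # "type": "local" without a domain: incomplete
            "local": [{"user": {"name": "{0}", "type": "local"}}],
            "remote": [{"type": "REMOTE_USER"}],
        },
    ]
}


def audit_user_types(mapping):
    """Return (rule_index, verdict) for each user object in "local" rules."""
    findings = []
    for idx, rule in enumerate(mapping.get("rules", [])):
        for entry in rule.get("local", []):
            user = entry.get("user")
            if user is None:
                continue  # entry only names groups or projects
            is_local = user.get("type") == "local"
            has_domain = bool(user.get("domain"))
            if is_local and has_domain:
                verdict = "local"
            elif is_local:
                verdict = "local-missing-domain"
            elif has_domain:
                # Easy to mistake for a local-user rule when reviewing.
                verdict = "not-local-domain-only"
            else:
                verdict = "not-local"
            findings.append((idx, verdict))
    return findings


if __name__ == "__main__":
    for idx, verdict in audit_user_types(SAMPLE_MAPPING):
        print(f"rule {idx}: {verdict}")
```
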
The OS-EP-FILTER api-ref request sample is malformed; it is missing a comma
for it to be proper json. This patchset fixes the issue.
trivial fix
Change-Id: Ia26fc67affde11335a825dcff7063716f09d071b
Currently in the keystone API documentation page located at,
https://developer.openstack.org/api-ref/identity/index.html
all the sections and sub-sections appear at the same depth.
This makes the ordering very untidy and confusing.
This patch reorganises the appearance of sections and
sub-sections at the index page.
Change-Id: I55ae0102236805591e653c153618dec2af510c63
I was going through some of the federation documentation and noticed
a couple areas we could improve. This commit does the following:
- Removes error codes that are vague
- Fixes entity casing (Identity Provider -> identity provider)
- Makes wording consistent across entity operations
Change-Id: I7c7ba16bdd33872915809612308c8c3d5578f6ba
Add response examples to the API documentation for the following APIs:
/v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles
/v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id}
Change-Id: I380348d149fd917d636ef4e0e6589fffdedee2ab
Closes-Bug: #1686015
Sphinx 1.5 complains about "Could not lex literal_block as "json".
Highlighting skipped." - and fails to build.
Change the problematic code to use javascript for highlighting - it's
only a json snippet, not a full json file.
Change-Id: I65558119dcc166bd25f12568b480498cac80c653
This patch removes any unused parameters in the v2 and v3 APIs.
In order to find which parameters were unused, I wrote a script
that found all the parameters used in the `parameters.yaml` files,
then it searched the same api directory (ex: v3/, v3-ext/, etc.)
for any reference to these parameters. Anything unreferenced was
flagged and then removed.
Script: http://cdn.pasteraw.com/8cdh0e76aqhtliuh874veautr7as8k7
Change-Id: I1558ac94e1041f9fbb1d6713b394c4f97f997ada
Some parameters of similar name would follow the convention
such as `region_id` and `region_id_1` which gave no good
information as to the differences.
This patch changes these names to help give such information.
Change-Id: I2dec61ed06042990ff54e86c02dc3fca9d566366
The openstack.org pages now support https and our references to
the site should by default be one signed by the organization.
Change-Id: I30a462e03d1fd7852511e22cac34c6bc0e8917f4
This change builds on the previous one by cleaning up all the wording
around associations and makes them consistent regardless of the
associations being direct or via endpoint groups.
Change-Id: I9582c5e8dbb83c37abcb432835dd7b609bd7841c
Closes-Bug: 1654613
The OS-EP-FILTER documentation needed some work. The wording around
several of the examples didn't make a whole lot of sense. And some of
the requests were copy/pastes from other examples.
This change attempts to clarify the need for endpoint groups and how
they can be useful. This patch also moves the endpoint group CRUD
documentation to the beginning of the section, which leaves the rest
of the section to explain how to associate projects to endpoints
directly or use endpoint groups. Previously, the endpoint group CRUD
was in the middle of the section and made the flow of the document jump
around a bit.
Change-Id: I1f6cbecc5c3a4c8e86a73a3cfed4b9a09e43b31f
Partial-Bug: 1654613
An Identity Provider (IdP) should be mapped to a domain. This patch
updates the documentation and creates a release note recommending the
domain_id parameter.
Depends-On: Id18b8b2fe853b97631bc990df8188ed64a6e1275
Partial-Bug: #1642687
Change-Id: I1cb749371175169662dbb5fa8feafe403fb1c39b
The ability to list endpoint associations for projects only requires
the project ID as a parameter. The documentation was advertising that
the endpoint ID was also required, which seems like a rogue
copy/paste.
Change-Id: I2101ebaab0bdcbc9347e854dbe7f522c1c6320e8
The sample request and simplified representation were incorrect.
Change the sample to match the result; the sample was used in
other spots but did not affect the other APIs.
Also fixed the sentence describing valid filters that can be
used; only `region_id` is supported, not `region` [1].
[1] e49a95ff6e/keystone/catalog/controllers.py (L484)
Change-Id: Id460b85d37acc0cba9246ace6a338a315080b10b
When reading the OS-FEDERATION API documentation, it is not clear how
to find the ID of the token when requesting either an unscoped or
scoped token. Token requests for the OS-FEDERATION API work the same
way as for the standard API, which is that the token ID is returned in
the X-Subject-Token header, so let's just mention that in the
OS-FEDERATION API documentation.
Change-Id: I6e9743d9001684f0d05ace119509f643c8b8e363
This patch validates that a mapping exists when adding or updating
a federation protocol.
Change-Id: I996f94d26eb0f2c679542ba13a03bbaa4442486a
Closes-Bug: #1571878
This patch corrects some parameters' types such as 'type: list'
to 'type: array' or 'type: array of...' to 'type: array' because we
don't have 'type: list' in 'JSON Schema primitive types' [1]
[1] http://json-schema.org/latest/json-schema-core.html#anchor8
Change-Id: Ic638ef48fcf0f60c55cec975ee20a71d1830b319