The saml2 auth plugin was already removed in this release (ocata)
and therefore there is no longer a need to document that it'll be removed.
The patch that removed the plugin was:
https://review.openstack.org/#/c/374508/
bp removed-as-of-ocata
Change-Id: I19da4726fd83d70e01118ff4bf98802de584f7bb
The text in the architecture doc is somewhat out-of-date for the
current function level of keystone. Edits include:
* Removed references to domain, project, role information in LDAP.
* Removed capitalization of keystone objects
* Some line wrap adjustments
* Updated link on oslo.policy location
Change-Id: Iefcaf00c8844613b10a2cf77a820db7fe0934742
Active Directory has a very specific mechanism to
handle nested groups. LDAP queries need to look like this:
"(&(objectClass=group)
(member=member:1.2.840.113556.1.4.1941:=CN=nwalnut,OU=Users,DC=EXAMPLE,DC=COM))"
If a deployment is using nested groups, three queries need to be
modified to support it:
- list users in a group
- list groups for a user
- check if a user is in a group
Since all three are necessary, a single configuration value ensures
that the change is synchronized across all three calls.
Closed-Bug: #1638603
Change-Id: Ia66f81f86d7c43fbc5ba7f18ada91c77d047f7a2
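An added example (my own code, not keystone's LDAP driver) of what the commit above describes: building the three Active Directory queries with and without the chained matching rule, and a toy evaluator that shows why the three must agree. The extensible-match syntax is `attribute:OID:=value`. Only the "list groups for a user" filter shape comes from the commit message; the objectClass and attribute names used for the other two queries, the function names, and the directory contents are assumptions constructed for this example. Assertion values are escaped per RFC 4515 before interpolation so a user-supplied name cannot change the filter's structure.

```python
"""Active Directory nested-group filters plus a toy in-memory evaluator.

Added example, not keystone code.  Assumed (not from the commit message):
the objectClass/attribute names for the "users in a group" and "user in
group" queries, and the constructed TOY_GROUPS directory below.
"""

# OID of LDAP_MATCHING_RULE_IN_CHAIN, as quoted in the commit message.
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4515 escapes for characters that would otherwise alter filter syntax.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape an assertion value (a DN or a user name) before interpolation."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def _assertion(attr, value, nested):
    """Plain equality match, or AD's chained (transitive) match when nested."""
    if nested:
        return "(%s:%s:=%s)" % (attr, MATCHING_RULE_IN_CHAIN, escape_filter_value(value))
    return "(%s=%s)" % (attr, escape_filter_value(value))


def groups_for_user_filter(user_dn, nested):
    """Query 2 of the commit: groups whose member (transitively) is user_dn."""
    return "(&(objectClass=group)%s)" % _assertion("member", user_dn, nested)


def users_in_group_filter(group_dn, nested):
    """Query 1 (assumed shape): users whose memberOf back-link reaches group_dn."""
    return "(&(objectClass=person)%s)" % _assertion("memberOf", group_dn, nested)


def user_in_group_filter(user_dn, group_dn, nested):
    """Query 3 (assumed shape): pin the group by DN and test membership."""
    return "(&(objectClass=group)(distinguishedName=%s)%s)" % (
        escape_filter_value(group_dn), _assertion("member", user_dn, nested))


# Constructed toy directory: group DN -> its direct member DNs (users or groups).
# 'admins' contains 'ops', which contains a user and, cyclically, 'admins'.
USER = "CN=nwalnut,OU=Users,DC=EXAMPLE,DC=COM"
ADMINS = "CN=admins,OU=Groups,DC=EXAMPLE,DC=COM"
OPS = "CN=ops,OU=Groups,DC=EXAMPLE,DC=COM"
TOY_GROUPS = {ADMINS: {OPS}, OPS: {USER, ADMINS}}


def transitive_members(groups, group_dn):
    """What the chained matching rule computes on the server: follow member
    links through nested groups, tolerating cycles (AD permits them)."""
    seen, stack, members = set(), [group_dn], set()
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        for m in groups.get(g, ()):
            if m in groups:
                stack.append(m)
            else:
                members.add(m)
    return members


def groups_for_user(groups, user_dn, nested):
    """Evaluate groups_for_user_filter against the toy directory."""
    if nested:
        return {g for g in groups if user_dn in transitive_members(groups, g)}
    return {g for g, members in groups.items() if user_dn in members}


def user_in_group(groups, user_dn, group_dn, nested):
    """Evaluate user_in_group_filter against the toy directory."""
    if nested:
        return user_dn in transitive_members(groups, group_dn)
    return user_dn in groups.get(group_dn, ())


if __name__ == "__main__":
    print(groups_for_user_filter(USER, nested=True))
    # The inconsistency the single config value prevents: listing says the
    # user is in 'admins', the membership check denies it.
    print(sorted(groups_for_user(TOY_GROUPS, USER, nested=True)))
    print(user_in_group(TOY_GROUPS, USER, ADMINS, nested=False))
```

Running the block with mixed settings makes the commit's point concrete: "list groups for a user" with chaining reports `admins`, while "check if a user is in a group" without chaining answers false for the same pair, so an authorization decision can differ depending on which call is made.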
This introduces the oslo health check middleware
http://docs.openstack.org/developer/oslo.middleware/healthcheck_plugins.html
into the pipelines. This middleware is useful for load balancers and
http servers, which can use it to validate that the keystone services are
operational. This middleware is being used in other services such as
glance and magnum. This patch provides it for keystone, in an effort to
spread the usage across all major projects.
This is one less item that operators will have to patch locally.
DocImpact
Change-Id: I19e4fc8f6c6a227068ba7191c1e9c453fc08f061
The request context is kind of important. It has info like the
request cache and auth info for the request.
The request cache should not be modifying the request context. The
code here makes it look like the request cache needs to update the
thread's request context but it actually never does change it since
even if it creates a new RequestContext the new instance becomes
the new thread request context.
Change-Id: Ib824648fe7cb6b3614e03f7d2570fbbfc0c3a88d
The new keystone upgrade features (keystone-manage db_sync --expand)
require, for MySQL deployments, that the keystone user be granted the SUPER
privilege or that set global log_bin_trust_function_creators=1; be run.
Adding a warning message to notify the reader.
Change-Id: I78738a335d14c6ad824c348a7385bb1ee8ad75bf
Closes-Bug: 1638368
Looks like commit [1] accidentally renamed the file to something
nonsensical. Rename it correctly this time.
[1] I2e6fde1696e44f1b9456737f7c643e757cd3b758
Change-Id: I6b32bb34482cdb65f344dc5c0e8ba531c2bda6af
Closes-Bug: 1639131
This will make automation with tools such as puppet easier, since
keystone-manage will enforce the ordering of expand and migrate.
Change-Id: Ic69b642cfd7b04ca012f1c91781c7f6335d0b747
The recent change [1] caused the removal of a certain class that
looked specific to PKI and PKIz testing and implementation, however,
actually was being used to test all supported token providers. This
caused a chunk of tests to simply not run at all and therefore be
overlooked. This change adds support for both UUID and Fernet so that
all tests are being run once again and for all available token
providers.
[1]: Icf1ebced44a675c88fb66a6c0431208ff5181574
Change-Id: I5365e2ed74ea55377729d0910cc2892d2bb8889c
This is the first step of several to remove PKI token support in
keystone. A large issue in removing PKI support is support for the
revocation list must be maintained.
This patch removes support for the token format, its surrounding tests
and examples that are generated. Additionally, some wording has been
changed around the CLI and config options to make the distinction
between keys and certs used for PKI tokens and those used for getting
the revocation list (a list of tokens that are revoked, which is signed).
Future patches will:
- Remove the keystone-manage commands for generating certs
- Modify the revocation list (at /auth/tokens/OS-PKI/revoked) to return
a 403 if pki is not configured (instead of raising a 500). We cannot
remove the API as that would break an API contract.
- Options to configure PKI will be marked as deprecated
- If PKI is configured a normal signed list will be returned (same
behavior as today)
- Follow up patch to keystonemiddleware will make sure auth_token does
not rely on the revocation api at all.
Related-Bug: 1626778
Related-Bug: 1626779
Co-Authored-By: Boris Bobrov <bbobrov@mirantis.com>
bp removed-as-of-ocata
Change-Id: Icf1ebced44a675c88fb66a6c0431208ff5181574
Our documentation doesn't really provide a clear explanation for the
difference between ``[memcache]`` and ``[cache]`` in keystone's
configuration file.
This commit attempts to make this easier to understand for
deployers.
Change-Id: I77460220ef779fcdb16363a6da90898619afe467
This was a leftover fix from a comment on:
https://review.openstack.org/#/c/361435
to filter out non-config files from being checked if their
contents were invalid.
Change-Id: I2b5222fa3fa8141f580f610b0e7d2d6721ae97fc
Log some authentication issues that were not logged
before, but are still useful to be aware of when
diagnosing authentication issues.
Related-Bug: #1595513
Change-Id: Ifca425eadba21cc8d4ff6f6e5c2376af6a1ddbe5