Use the egg form of the osprofiler filter middleware in the paste
pipeline. This gives osprofiler greater control over exactly where this
middleware is pointing.
It also moves the filter section up to where all the other filters are.
Change-Id: I330956c49167606ce8a8137139ee92bd603adceb
The requirement is not used anywhere and commented out, let's just
remove it. There is no reason to keep it in there.
Change-Id: I1da227911d04de4d9baadb92db324ce8590060e7
Fetching users from LDAP requires creating public ids for them.
id_mapping_api does that. Creating public ids is slow, because it
requires performing N INSERTs for N users, and there is no way to
work around that. It leads to very slow responses to queries like
"list users".
By pre-creating these public ids we improve API users' experience.
Add keystone-manage mapping_populate command that creates id mapping entries
for users.
bp ldap-preprocessing
Partial-Bug: 1582585
Change-Id: I98f795854aee26f9e7f668372c47572d2b6d4f0f
It was possible to create a credential without providing a project_id
and later updating it to the ec2 type.
This patch fixes the issue by adding a manual check in the
manager layer since it needs to check the old credential contents
prior to failing the request.
Change-Id: I1eb28a46c89e17d9c990cc798867d1a59714fe5f
Closes-Bug: #1613466
Just like underwear, key repositories shouldn't be shared. This commit adds a
check to `keystone-manage doctor` to make sure `[credential] key_repository`
and `[fernet_tokens] key_repository` are not pointing to the same location.
Change-Id: I652bdf940d82e7d2d93f115724ca42c99be63bab
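
The comparison this kind of check has to make, as an added example that is not keystone's own `doctor` code. The function names are hypothetical, the fallback paths are assumed defaults, and the sample configs are constructed. Paths are canonicalized first so a trailing slash or a symlink cannot hide a shared repository.

```python
import configparser
import os
import tempfile

# Assumed defaults, used when keystone.conf omits the option.
DEFAULTS = {
    "credential": "/etc/keystone/credential-keys/",
    "fernet_tokens": "/etc/keystone/fernet-keys/",
}


def key_repository(conf, section):
    """Return the canonical on-disk location of a section's key_repository."""
    path = conf.get(section, "key_repository", fallback=DEFAULTS[section])
    # realpath collapses trailing slashes, ".." and symlinks, so two
    # differently spelled options that land in one directory compare equal.
    return os.path.realpath(path)


def repositories_shared(conf_text):
    """True if both key repositories resolve to the same directory."""
    conf = configparser.ConfigParser(interpolation=None)
    conf.read_string(conf_text)
    return (key_repository(conf, "credential")
            == key_repository(conf, "fernet_tokens"))


def demo():
    """Run constructed sample configs against a throwaway directory tree."""
    with tempfile.TemporaryDirectory() as root:
        keys = os.path.join(root, "keys")
        fernet = os.path.join(root, "fernet-keys")
        link = os.path.join(root, "credential-keys")
        os.mkdir(keys)
        os.mkdir(fernet)
        os.symlink(keys, link)  # different name, same directory
        tmpl = ("[credential]\nkey_repository = {}\n"
                "[fernet_tokens]\nkey_repository = {}\n")
        return {
            "identical": repositories_shared(tmpl.format(keys, keys)),
            "trailing_slash": repositories_shared(tmpl.format(keys, keys + "/")),
            "symlink": repositories_shared(tmpl.format(link, keys)),
            "separate": repositories_shared(tmpl.format(link, fernet)),
        }


if __name__ == "__main__":
    for case, shared in demo().items():
        print(f"{case}: {'SHARED' if shared else 'ok'}")
```
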
Since the API docs have been moved to api-ref, and the docs maintained
in the keystone-specs repo have been moved to attic, the href attributes
that point to the old `specs.openstack.org` will not be valid links. This
patch updates them to point to the new site.
Change-Id: Idc4995509d262c74ce6d49c6c18b6452fae186d6
Also change the "authorized access token" to "access token" in
the doc since there are only request token, authorized request token,
and access token. "access token" itself has implied it has been
authorized. "authorized access token" is ambiguous.
The route of the API is defined here:
https://github.com/openstack/keystone/blob/master/keystone/oauth1/routers.py
Change-Id: I97a588c0ff08288995b266e9346c6b47f50caef6
This patch fixes a bug where when shadowing a nonlocal_user (LDAP,
custom driver) it also incorrectly creates a local_user. The error is
related to hybrid properties and calling the class from_dict method,
which set the local_user attributes.
Change-Id: I6e69cce5f337a330f2531ff71db3e931b785271c
Closes-Bug: #1615000
The keystone federation documentation says to use the 'mapped' method
instead of the 'saml2' method[1]. However, that entrypoint was never
added, so trying to use it resulted in keystone not being able to load
its wsgi scripts and failing. This patch adds the entrypoint so that
keystone won't explode.
[1] http://docs.openstack.org/developer/keystone/federation/federated_identity.html#configuring-federation-in-keystone
Change-Id: I6dd8c219765728ecf01b50f35c3c0da3943f13b0
This documentation conflicts a bit with the approach originally proposed
in bp manage-migration because it depends on the notion of having
database triggers to assist in the migration process.
Change-Id: Iec9269ab6d799b757451cb8afe7fa889fe7068b9
Previously, the credential controller would just call
``self.credential_api.<crud_method>`` which would just automatically call
the driver since the credential manager didn't implement any sort of business
logic around credentials.
With the implementation of encrypted credentials at rest, it makes sense to
have the encryption logic in the credential manager, instead of the driver or
controller layer. This commit creates those methods in the manager which will
be more useful for credential encryption in a subsequent commit.
bp credential-encryption
Change-Id: I22ec70aeaf12b5df9ed7d27985fc284c5c31533e
This commit introduces a fernet provider for the credential API. This new
provider isn't actually wired up to the existing credential implementation, so
its functionality isn't exposed. We'll do that in a subsequent patch.
bp credential-encryption
Change-Id: I217004c5fb94191d397059b1333bebd385792fb7