This adds a section within the index file that describes what a
relationship link is and what it is used for in terms of each
operation within keystone. There will be a relationships section
in both v3 and v3-ext.
This should help clarify any confusion that may arise when a user is
viewing the api-ref about what the relationship links are.
Change-Id: I9c6b7959ed6ea682c565c515af0cf509b6a64e5d
Closes-Bug: #1674676
The controller is responsible for listing user projects based on role
assignments and would build a hints object and pass it to the
assignment manager. This is a common pattern used across keystone's
APIs. But, the assignment API never actually passed the hints object
to the backend implementation.
This commit removes the hints from being passed to the manager for
list_projects_for_user and list_domains_for_user because those
APIs never use the hints object. This should allow us to implement
caching to speed up those calls later.
Change-Id: I9b1c8c30ca6a78dd6e78add7de278e467ceea046
Related-Bug: 1700852
Make the error state message more explicit when the admin_token_auth
middleware is still in the paste-ini. This is an error, the operator
must remove the elements from their keystone paste ini or the deletion
of the code (in the Queens release) will result in keystone failing to run.
This is an error in the config. If the operator is using the default
paste-ini from keystone, this error should not occur in Pike. If
the paste-ini is managed via CMS (e.g. Ansible) it is likely the
config must be changed.
Change-Id: Id40a7161574c879aa5c948b94173308a03d4c240
Added keystone-manage documentation from man pages
to the placeholder created for CLI Documentation.
Change-Id: I0e259c76d96c6479a6165c535bc49c032b2f41da
The identity backend registers a callback that listens for when a
project is deleted. When it receives a notification, it uses the
project ID sent in the notification and removes all references to it
from the identity backend, where users might have it referenced in
their `default_project_id` attribute. The original fix for this did
not account for LDAP backends being read-only. This caused an issue
where DELETE /v3/projects/{project_id} actually caused an HTTP 403
Forbidden exception because the LDAP backend wasn't writeable,
despite that project actually being deleted.
This change makes the identity API manager handle the exception
and tests it specifically for LDAP, or read-only, backends.
Change-Id: I16f4fcb289dad2fe752f3188476329c95cf777c9
Closes-Bug: 1705081
In order for a federated user to be mapped to a local user that exists
in the identity backend, the user object in the local mapping rule must
have the property "type": "local" set, in addition to having a keystone
domain provided. This was probably not the original intention of the
local user mapping spec[1], but this is how it ended up being
implemented. We could choose to change the behavior of the code, but
it has been around long enough that it is possible that deployments are
depending on this behavior, and moreover making rules explicit rather
than implicit reduces the risk of bugs and mistakes.
This patch updates the api-ref documentation and the standard federation
documentation to include the "type" property when mapping to local
users. In addition, since we now have two keywords called "local" that
mean somewhat different things, we expand the context of some of the
mapping examples so that both the rule name "local" and the value
"local" of the attribute "type" appear in the example, for clarity.
Change-Id: Ib35e57e33903de14f9cac1f919c32dfe923ef884
Closes-bug: #1673157
Since Sphinx 1.6 released, pbr's build_sphinx extension has been broken.
Specifically, pbr's [build_sphinx]/builders option is ignored. Luckily,
sphinx itself implemented the feature but called it just 'builder'[1].
This patch fixes the config setting name and then cleans up a Sphinx
extension inclusion that is now automatically included.
[1] http://lists.openstack.org/pipermail/openstack-dev/2017-July/119396.html
Change-Id: I5da6a996ed442524ddb108a890df2d024ee07c4d
Added end user specific content from API documentation
to the placeholder created for User Documentation.
Change-Id: I8dbeeabb992a93b8b18df812da983bc6ca434cc5
The eye-catchy-ness of the Important SELinux notice in the LDAP
integration documentation can cause confusion for users to whom the
notice is not applicable, such as Ubuntu or SUSE users. For them,
SELinux is not enabled by default and they may not even be aware of what
it is for, and so perceive a failure when they try to enable the SELinux
boolean as described in the document. This patch prepends a
clarification that the notice only applies to SELinux users, to
hopefully make it clearer that not being able to follow the directions
is just fine in many cases.
Change-Id: I65a34608f1a51ec923329065b6443bdd525a1ac7
The sample files were being rendered in two separate places. This
commit removes one of them and adjusts the references accordingly.
This commit also removes the sample files from the Operator guide
since they have their own dedicated section under configuration/.
Change-Id: I6da0843e2cb9dc7451d97af661a6cb4873eba671
The self-service password API was left intentionally
unprotected in a change during the stable/ocata cycle:
I4d3421c56642cfdbb25cb33b3aaaacbac4c64dd1
The default policy was not removed from the same config and as a
result it was migrated into code during the policy-in-code work.
This isn't necessary since it's not used to protect anything. Policy
should still be enforced on administrative password resets, but that
is done using the `update_user` API.
Change-Id: I431f5ef9d6d5d689a06736640d22997fbddb869c
Closes-Bug: 1705485
Now domain_id_response_body is used in the request parameters of
creating a role, but its required is true. When we create a role,
the domain id is optional.
This patch adds role_domain_id_request_body in request parameters.
Change-Id: Ib384f2b074e86691223fbc3d480fbb82a903e209
This is part of an effort to consolidate all the content in the
Operator guide into the Administrator guide.
Change-Id: I3431ecbff399bf6ae7620996e4c4cce9bb3489eb
This commit merges two documents that were both attempting to
document integrating keystone with LDAP. Instead, we should have a
single document so that it's easier for operators to understand and
find.
Change-Id: I1b1927b498d93f39d57a03b60384de22f07ad2f2
The specification detailing the great documentation migration
requires a doc/source/cli/ directory be added to the project.
The directory is intended for cli documentation.
This commit adds the directory so that we are in compliance with the
specification but doesn't move any content into the directory. It is
instead treated like a placeholder until we can migrate the right
content into the cli guide.
Change-Id: Ida5ffc979d3c596547e9664dce8933d2cf9a4486
Closes-Bug: 1694460
The specification detailing the great documentation migration
requires a doc/source/user/ directory be added to the project.
The directory is intended for end user documentation.
This commit adds the directory so that we are in compliance with the
specification but doesn't move any content into the directory. It is
instead treated like a placeholder until we can migrate the right
content into the user guide.
Change-Id: I7d9cde958957bff20c7221f37cb0b03b61aa38f9
Partial-Bug: 1694460