Not every distribution uses SELinux (some use AppArmor for
example). It's confusing to tell those deployers to use SELinux.
Co-Authored-By: Lin Hua Cheng
Change-Id: I4e80f47aada52fd555f30c55ae1996c56c2db59c
Remove references to Fedora 17, and link back to the official
install guide, and our documented configureservices.rst.
Change-Id: I500ce50340ef41de1393ce700e3fd59e47489ce0
Closes-Bug: 1426704
The sample httpd config file was not using best practices for
apache configuration. The file is now a copy of the file that
devstack uses for keystone apache config
(files/apache-keystone.template), with the replacement strings
updated to the keystone defaults.
Also, the "Firewall" section is removed from the httpd config
docs because the sample config file isn't using port 443.
Change-Id: I1d10925b33ec7e70793e61db1cb99186f112ef3e
The Apache httpd config docs referred to the "token" driver, but
this is now known as the "token persistence" driver. Also, not
all token formats require token persistence now.
Change-Id: I42f0a227a9a665bc68dbc31d9a3ef64dc484ce05
Configuring SSL in Apache HTTPd is more complicated than the
instructions indicate. First, there are multiple mods for SSL and these
docs only mention mod_nss, where some deployers will find mod_ssl
the better option. Second, it doesn't say how to set up a server
certificate so they'll be using a self-signed certificate which is
useless.
Since this doc is only useful to inexperienced deployers, and an
inexperienced deployer will be confused by these instructions, we're
better off not documenting it. Deployers should be reading the
excellent Apache docs for how to set up SSL.
Change-Id: I8e95cddd23ded0b07b21112c0827f9d1cd86eae8
Add links to keystoneclient and keystonemiddleware to the landing
page. This indicates to the user that the three projects
are related.
Change-Id: I871f54ce424b352a206045fd6a78ee2e94ace242
Partial-Bug: #1428321
When our infra folks have questions about what some concepts
in Keystone are, it's past due for a glossary and helpful info.
DocImpact
Change-Id: Ia985723d788c66c7810d06a398f3ec7d48615fac
- update the specs link to point to specs.o.org
- remove reference to the wiki since just before that, there
is a sentence that directs the user to the 'getting started'
page, which has plenty of wiki references.
Change-Id: Ia2de5060a260d85b73f1e0d368fc2397c9f82eda
This deprecates Eventlet support in documentation and on invocation
of keystone-all.
Change-Id: I0806ec5e9fe106ba307ecc726700d57f44d25f9c
bp: deprecated-as-of-kilo
Reasoning:
- We generally name tokens after the technology used in their transport
format. For example, we also don't refer to UUID tokens as "UUID4
tokens" nor PKI tokens as "JSON tokens", both of which would describe
their payload. We also don't refer to PKI tokens as "Keystone
HeavyWeight Tokens (KHWT)" because that would be arbitrary and
redundant. And besides, UUID tokens are smaller ("lighter") than KLWT
tokens anyway.
- The payload in KLWT tokens (read: Automated Teller Machine machine) is
a MessagePacked tuple. Referring to these tokens as either
"MessagePacked tokens" or "tuple tokens" does nothing to describe the
end user's experience with them, and would oddly preclude other tokens
from using the same underlying technologies. There's no reason that
a future version of PKI tokens couldn't carry a MessagePacked payload.
- Fernet is actually a well defined specification intended for use as
API tokens: https://github.com/fernet/spec
Change-Id: I6d7aca0ef23df6932544f5dcf6eb1fac0af012ae
This includes a KLW token provider and keystone-manage commands to
initialize a key repository and perform key rotation.
Co-Authored-By: Dolph Mathews <dolph.mathews@gmail.com>
Change-Id: Ibca4b1765d06f239df113aa3ec367e60de61a225
Implements: bp klw-tokens
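As an added illustration of the key repository and rotation the commit above refers to (this is not keystone's code and not the Fernet spec itself): a small in-memory model of the staged/primary/secondary key scheme. The scheme is assumed from how `keystone-manage fernet_setup` and `fernet_rotate` behave: key index 0 is the staged key that is distributed to all nodes before it is ever used, the highest index is the primary key that signs new tokens, and the remaining indexes are secondary keys kept only to validate older tokens. The `max_active_keys` bound and the helper names are this example's own.

```python
"""Model of a Fernet key repository with staged, primary and secondary keys.

Added example, not keystone's implementation. Keys live in a dict keyed by
index instead of files named 0, 1, 2, ... in a key directory; the rotation
rules are assumed to mirror keystone-manage fernet_setup / fernet_rotate.
"""
import base64
import os


def new_key() -> bytes:
    """A Fernet key: 32 random bytes (signing half + encryption half), base64url."""
    return base64.urlsafe_b64encode(os.urandom(32))


def setup_repository() -> dict:
    """Initialise an empty repository: staged key 0 and first primary key 1."""
    return {0: new_key(), 1: new_key()}


def primary_index(repo: dict) -> int:
    """The key that signs new tokens is always the highest index."""
    return max(repo)


def validation_order(repo: dict) -> list:
    """Indexes tried when validating a token: primary, secondaries, then staged."""
    return sorted((i for i in repo if i != 0), reverse=True) + [0]


def rotate(repo: dict, max_active_keys: int = 3) -> dict:
    """Promote the staged key to primary, stage a fresh key, prune old secondaries.

    Refuses to rotate without a staged key: promoting a key that other nodes
    have never received would open a window in which those nodes reject every
    newly issued token. max_active_keys counts the staged key as well.
    """
    if 0 not in repo:
        raise ValueError("no staged key (index 0); initialise the repository first")
    if max_active_keys < 2:
        raise ValueError("need room for at least a staged key and a primary key")
    rotated = dict(repo)
    new_primary = max(rotated) + 1
    rotated[new_primary] = rotated.pop(0)   # staged key becomes the primary
    rotated[0] = new_key()                  # stage the *next* primary now
    # Drop the oldest secondary keys until the repository fits the bound.
    while len(rotated) > max_active_keys:
        oldest = min(i for i in rotated if i != 0)
        del rotated[oldest]
    return rotated


def can_validate(repo: dict, signed_with: int) -> bool:
    """Whether a token signed by key `signed_with` is still verifiable here."""
    return signed_with in repo


if __name__ == "__main__":
    repo = setup_repository()
    signed_with = primary_index(repo)       # a token issued now uses key 1
    for n in range(1, 4):
        repo = rotate(repo, max_active_keys=3)
        print(f"after rotation {n}: keys={sorted(repo)} primary={primary_index(repo)} "
              f"old token valid={can_validate(repo, signed_with)}")
```

With `max_active_keys=3`, a token signed by the current primary stays verifiable for one further rotation after the key is demoted to secondary, i.e. `max_active_keys - 2` rotations; the rotation interval multiplied by that number must exceed the token lifetime, or valid tokens will start failing validation before they expire.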
OSC was updated to make type a mandatory field, and a service name
made optional. Though the current examples still work, OSC will
deprecate the supported syntax eventually. Update the docs now
before I forget to do it later.
Change-Id: I56f3e3e8601b2df488e8a45015a53f184d107b3a
Related-Bug: #1404073
Reference the openstackclient's documentation rather than keeping
our own examples, since it's the canonical source.
Change-Id: I47c7c9201fdebe9905ca06c1d5e1ef97fd6c7523
Closes-Bug: #1418830
Hopefully make the docs more clear on the two types of
notifications that keystone emits. Provide several examples
of the new CADF events.
partially implements bp: cadf-everywhere
Change-Id: I5c34b1ffffb594bd0f13fe0763439a64c03a48f2
Both of the test modules that perform functional (*cough* integration
*cough*) tests with python-keystoneclient are primarily focused on API
coverage for v2. All the analogous coverage for v3 is in the test_v3*
modules, so these two modules should be renamed so that they're easier
for new contributors to find.
Change-Id: Ib4264e5b9914177c48a63d239c1d05c743d62a26
A first hack at classifying our current extensions, and defining
a graduation and removal process.
implements bp: replace-extensions
Change-Id: Ia1b0a21de53087578183fb8c6d43d358fce318ca
Keystone can run in an eventlet server (keystone-all), or it can
run in a WSGI container (Apache Httpd). There are several
configuration options that are only used to configure the eventlet
server and are ignored when running in a WSGI container. Having
all the eventlet server options in the default section makes it
difficult for deployers to know what can be ignored when running
in WSGI mode. The options that are only used by the eventlet
server are moved into an [eventlet_server] section, and the SSL
options are moved into [eventlet_server_ssl].
bp eventlet-server-config
Change-Id: I6dd718c4d54056d0e29978f393ec45f7291f802d
In the doc string, it clearly states that we ensure backwards
compatibility for Conf.signing.token_format until Havana + 2.
Now that we are in the Kilo development cycle, we can remove this
support.
partially-implements blueprint removed-as-of-kilo
Closes-Bug: #1406172
Change-Id: I3cd1e2e5a51c4a87edf00647bc1b95a0347e3316
This is the final part of the more comprehensive split of
assignments, which rationalizes both the backend and controllers.
In order to make this change easier for reviewers, it is divided
into a number of smaller patches. This patch divides up the
assignment controller, giving resource its own controller.
Previous patches have:
- Moved role management into its own manager and drivers
- Fixed incorrect doc strings for grant driver methods
- Updated controllers to call the new role manager
- Updated unit tests to call the new role manager
- Refactored the assignment manager and drivers enabling
projects/domains to be split out
- Fixed incorrect comment about circular dependency between
assignment and identity
- Moved the logically separated project and domain
functionality into their own manager/backend (called resource).
- Removed unused pointer to assignment from identity driver
- Updated controllers and managers to call the new resource
manager
- Updated tests to call the new resource manager
Partially implements: bp pluggable-assignments
Change-Id: Ic7a4dbe9e39c1910ecc23b37d0b798955544fde4
Getting a user's roles isn't going to be implemented according to bug reports
(bug 1418015 and bug 933565). This commit removes the test case from
test_content_types.py and removes documentation from example curl calls.
Change-Id: Id317cc28d961316be6a7b8278c5242382784f10f
Related-Bug: 933565
Related-Bug: 1418015
Currently, the documentation shows an example using the regions
table, which has been removed in favor of the Service Provider
object.
bp k2k-service-providers
Change-Id: I9ea0e28b4847eacaa072deb3246e7897e09a097e
We currently hint at the fact that there is dependency on LDAP for
identity if we are using it for resource and/or assignment, but we
don't make it clear enough. This patch fixes this.
Change-Id: Ic6cbffbcd390c48ee40dd97f70403c6981dc951e
Closes-Bug: 1415169
This is the part of the more comprehensive split of
assignments, which rationalizes both the backend and controllers.
In order to make this change easier for reviewers, it is divided
into a number of smaller patches.
Previous patches:
- Move role management into its own manager and drivers
(see: https://review.openstack.org/#/c/144239/)
- Fix incorrect doc strings for grant driver methods
(see: https://review.openstack.org/#/c/144403/)
- Make controllers call the new, split out, role manager
(see: https://review.openstack.org/#/c/144494/)
- Make unit tests call the new, split out, role manager
(see: https://review.openstack.org/#/c/144548/)
- Refactor the assignment manager and drivers, enabling
projects/domains to be split out
(see: https://review.openstack.org/#/c/144650/)
- Fix incorrect comment about circular dependency between
assignment and identity
(see: https://review.openstack.org/#/c/144850/)
This patch moves the now logically separated project and domain
functionality into their own manager/backend (called resource).
Future patches will:
- Remove unused pointer to assignment in identity driver
- Update the controllers to call the new resource manager
- Update the tests to call the new resource manager
- Split the assignment controller, giving projects/domains
their own controller
Partially implements: bp pluggable-assignments
Change-Id: I0ff1c2fa30237734d0a25d03dad5be03eb166367
While reading the Keystone Architecture documentation I've found a nit
issue under the Service Backends section. There is a missing "be" in the
sentence "Each of the services can configured to". Additionally, a double
space has been removed from the LDAP backend section.
Change-Id: Ie9044cb251edf24ec3d6263769461ed9ff922e86
Since keystone's PasteDeploy configuration file has been separated
from the main keystone configuration file, "keystone.conf", all
local configuration or driver-specific configuration parameters
must go in the main keystone configuration file instead of PasteDeploy
conf file, i.e. configuration in "keystone-paste.ini" is not supported.
This patch contains doc-specific changes in order to make usage more
clear; the code-specific change is submitted in another
patch (https://review.openstack.org/#/c/134124/).
DocImpact
Partial-Bug: #1369388
Change-Id: Ie81eaa621b4517da1a00a723503ea4b8cbe84b8e
This decorator can be used to commit failing tests while they are still
in development. It can also be used by people to show how an issue can
be reproduced without them having to make the code changes necessary to
make the test pass.
This is nicer than just raising TestSkipped because there is a built in
reminder to remove the decorator when the test starts passing.
Implements: blueprint failing-tests
Change-Id: I9ded266b368e7955b1e295950df394823b1a4088
This is the first part of the more comprehensive split of
assignments, which rationalizes both the backend and controllers.
In order to make this change easier for reviewers, it is divided
into a number of smaller patches.
Follow-on patches will:
- Fix incorrect doc strings for grant driver methods
- Update unit tests to call the new role manager
- Update the assignment controller to call the role manager
- Refactor assignment manager and driver methods to logically
separate project/domains from the actual assignments
- Split projects and domains into their own backend
- Split the controllers so they call the correct manager
- Update the tests to call the new correct manager
Partially implements: bp pluggable-assignments
Change-Id: I41fc23a049c26e514222a966c1847e183448be00
This patch updates the section which explains
inherited role assignments in order to include
information about role inheritance in a project
hierarchy.
Closes-Bug: #1409205
Change-Id: Ie3d8e1f16ee0b65b4886ae8e7866deb558238702