657 Commits

Author SHA1 Message Date
Brant Knudson
debcbc9c61 Update access control configuration in httpd config
Not every distribution uses SELinux (some use AppArmor for
example). It's confusing to tell those deployers to use SELinux.

Co-Authored-By: Lin Hua Cheng
Change-Id: I4e80f47aada52fd555f30c55ae1996c56c2db59c
2015-03-25 08:33:51 -05:00
Steve Martinelli
b7e847d737 Update install.rst for Fedora
Remove references to Fedora 17, and link back to the official
install guide, and our documented configureservices.rst.

Change-Id: I500ce50340ef41de1393ce700e3fd59e47489ce0
Closes-Bug: 1426704
2015-03-25 01:04:14 -04:00
Brant Knudson
8aaaa64b17 Update sample httpd config file
The sample httpd config file was not using best practices for
apache configuration. The file is now a copy of the file that
devstack uses for keystone apache config
(files/apache-keystone.template), with the replacement strings
updated to the keystone defaults.

Also, the "Firewall" section is removed from the httpd config
docs because the sample config file isn't using port 443.

Change-Id: I1d10925b33ec7e70793e61db1cb99186f112ef3e
2015-03-18 19:33:42 +00:00
Brant Knudson
fcfd8fc00a Update Apache httpd config docs for token persistence
The Apache httpd config docs referred to the "token" driver, but
this is now known as the "token persistence" driver. Also, not
all token formats require token persistence now.

Change-Id: I42f0a227a9a665bc68dbc31d9a3ef64dc484ce05
2015-03-18 14:33:19 -05:00
Brant Knudson
b3e09b4c5d Remove SSL configuration instructions from HTTPd docs
Configuring SSL in Apache HTTPd is more complicated than the
instructions indicate. First, there are multiple mods for SSL and these
docs only mention mod_nss, where some deployers will find mod_ssl
the better option. Second, it doesn't say how to set up a server
certificate so they'll be using a self-signed certificate which is
useless.

Since this doc is only useful to an inexperienced deployer, and an
inexperienced deployer will be confused by these instructions, we're
better off not documenting it. Deployers should be reading the
excellent Apache docs for how to set up SSL.

Change-Id: I8e95cddd23ded0b07b21112c0827f9d1cd86eae8
2015-03-15 10:08:45 -05:00
Brant Knudson
e93550727a Wrap apache-httpd.rst
Wrap the lines in apache-httpd.rst at 79 chars.

Change-Id: I1bf7c5eef3a0b910cf1eff79304b8e06d4e2cd03
2015-03-15 10:00:51 -05:00
Jenkins
68e5d27202 Merge "Crosslink to other sites that are owned by Keystone" 2015-03-13 21:41:49 +00:00
Jenkins
b3e6cd28e7 Merge "Add documentation for key terms and basic authenticating" 2015-03-12 06:22:25 +00:00
Steve Martinelli
1fab5f0f4a Crosslink to other sites that are owned by Keystone
Add links to keystoneclient and keystonemiddleware to the landing
page. This indicates to the user that the three projects
are related.

Change-Id: I871f54ce424b352a206045fd6a78ee2e94ace242
Partial-Bug: #1428321
2015-03-11 19:21:57 +08:00
Steve Martinelli
fba0823e7d Add documentation for key terms and basic authenticating
When our infra folks have questions about what some concepts
are in Keystone, then it's past due for a glossary and helpful info.

DocImpact
Change-Id: Ia985723d788c66c7810d06a398f3ec7d48615fac
2015-03-06 22:32:09 -05:00
Jenkins
de18bceaf2 Merge "Add minimum release support notes for federation" 2015-03-06 22:37:12 +00:00
Jenkins
3683e36078 Merge "Update developer docs landing page" 2015-03-06 21:23:42 +00:00
Jenkins
31e0db3cee Merge "Fix nits from 157495" 2015-03-06 01:30:17 +00:00
Jenkins
4f37d29ca0 Merge "Make the LDAP dependency clear between identity, resource & assignment" 2015-03-05 16:44:36 +00:00
Steve Martinelli
164ec66f35 Update developer docs landing page
- update the specs link to point to specs.o.org
- remove reference to the wiki since just before that, there
  is a sentence that directs the user to the 'getting started'
  page, which has plenty of wiki references.

Change-Id: Ia2de5060a260d85b73f1e0d368fc2397c9f82eda
2015-03-05 00:35:19 +00:00
Rodrigo Duarte Sousa
2ca23844b5 Fix nits from 157495
Use keystone instead of Keystone (according to OpenStack naming
conventions: https://wiki.openstack.org/wiki/Documentation/Conventions).

Change-Id: I2e6229d08b36f87e35bed2845121bdf4a71792fe
2015-03-03 18:38:29 +00:00
Morgan Fainberg
a336740d2e Deprecate Eventlet Deployment in favor of wsgi containers
This deprecates Eventlet support in documentation and on invocation
of keystone-all.

Change-Id: I0806ec5e9fe106ba307ecc726700d57f44d25f9c
bp: deprecated-as-of-kilo
2015-03-03 10:37:43 -08:00
Dolph Mathews
7abffad5a3 Rename "Keystone LightWeight Tokens" (KLWT) to "Fernet" tokens
Reasoning:

- We generally name tokens after the technology used in their transport
  format. For example, we also don't refer to UUID tokens as "UUID4
  tokens" nor PKI tokens as "JSON tokens", both of which would describe
  their payload. We also don't refer to PKI tokens as "Keystone
  HeavyWeight Tokens (KHWT)" because that would be arbitrary and
  redundant. And besides, UUID tokens are smaller ("lighter") than KLWT
  tokens anyway.

- The payload in KLWT tokens (read: Automated Teller Machine machine) is
  a MessagePacked tuple. Referring to these tokens as either
  "MessagePacked tokens" or "tuple tokens" does nothing to describe the
  end user's experience with them, and would oddly preclude other tokens
  from using the same underlying technologies. There's no reason that
  a future version of PKI tokens couldn't carry a MessagePacked payload.

- Fernet is actually a well defined specification intended for use as
  API tokens: https://github.com/fernet/spec

Change-Id: I6d7aca0ef23df6932544f5dcf6eb1fac0af012ae
2015-03-02 23:54:22 +00:00
Lance Bragstad
de12421653 Keystone Lightweight Tokens (KLWT)
This includes a KLW token provider and keystone-manage commands to
initialize a key repository and perform key rotation.

Co-Authored-By: Dolph Mathews <dolph.mathews@gmail.com>

Change-Id: Ibca4b1765d06f239df113aa3ec367e60de61a225
Implements: bp klw-tokens
2015-03-02 22:15:10 +00:00
Steve Martinelli
f9059fbd18 Add minimum release support notes for federation
Document which releases of keystone are supported for which
federation related task.

Change-Id: Ibcd349bdb4c4c21fec6bb71bac77f9d404e84dcf
2015-02-26 17:18:37 -05:00
Jenkins
d9427366ac Merge "Update os service create examples in config services" 2015-02-26 13:19:39 +00:00
Jenkins
6515a8583b Merge "Reference OSC docs in CLI examples" 2015-02-26 13:18:31 +00:00
Jenkins
1cdb1781e0 Merge "Add links to extensions that point to api specs" 2015-02-26 08:13:44 +00:00
Jenkins
095e40bd8b Merge "Revamp the documentation surrounding notifications" 2015-02-26 08:01:10 +00:00
Steve Martinelli
28a12d51b4 Update os service create examples in config services
OSC was updated to make type a mandatory field, and a service name
made optional. Though the current examples still work, OSC will
deprecate the supported syntax eventually. Update the docs now
before I forget to do it later.

Change-Id: I56f3e3e8601b2df488e8a45015a53f184d107b3a
Related-Bug: #1404073
2015-02-26 06:22:12 +00:00
Steve Martinelli
23fa79a318 Reference OSC docs in CLI examples
Reference the openstackclient's documentation rather than keeping
our own examples, since it's the canonical source.

Change-Id: I47c7c9201fdebe9905ca06c1d5e1ef97fd6c7523
Closes-Bug: #1418830
2015-02-26 01:21:52 -05:00
Steve Martinelli
7352e93777 Revamp the documentation surrounding notifications
Hopefully make the docs more clear on the two types of
notifications that keystone emits. Provide several examples
of the new CADF events.

partially implements bp: cadf-everywhere

Change-Id: I5c34b1ffffb594bd0f13fe0763439a64c03a48f2
2015-02-25 21:58:44 +00:00
Dolph Mathews
c0d56ecdf4 Rename test_keystoneclient*
Both of the test modules that perform functional (*cough* integration
*cough*) tests with python-keystoneclient are primarily focused on API
coverage for v2. All the analogous coverage for v3 is in the test_v3*
modules, so these two modules should be renamed so that they're easier
for new contributors to find.

Change-Id: Ib4264e5b9914177c48a63d239c1d05c743d62a26
2015-02-24 20:27:36 +00:00
Jenkins
291326288e Merge "Classifying extensions and defining process" 2015-02-24 09:10:29 +00:00
Steve Martinelli
ca6e5d5783 Add links to extensions that point to api specs
implements bp replace_extensions

Change-Id: I5c302f3e478ffaa2654e66b7d85c079e92cc91a5
2015-02-24 01:58:21 -05:00
Steve Martinelli
5264f6f7e3 Classifying extensions and defining process
A first hack at classifying our current extensions, and defining
a graduation and removal process.

implements bp: replace-extensions

Change-Id: Ia1b0a21de53087578183fb8c6d43d358fce318ca
2015-02-24 01:57:09 -05:00
Jenkins
b9748e9e81 Merge "Move eventlet server options to a config section" 2015-02-20 00:34:20 +00:00
Brant Knudson
2ed5069958 Move eventlet server options to a config section
Keystone can run in an eventlet server (keystone-all), or it can
run in a WSGI container (Apache Httpd). There are several
configuration options that are only used to configure the eventlet
server and are ignored when running in a WSGI container. Having
all the eventlet server options in the default section makes it
difficult for deployers to know what can be ignored when running
in WSGI mode. The options that are only used by the eventlet
server are moved into an [eventlet_server] section, and the SSL
options are moved into [eventlet_server_ssl].

bp eventlet-server-config

Change-Id: I6dd718c4d54056d0e29978f393ec45f7291f802d
2015-02-18 20:24:32 -06:00
wanghong
5774f29799 remove the Conf.signing.token_format option support
In the doc string, it clearly states that we ensure backwards
compatibility for Conf.signing.token_format until Havana + 2.
Now that we are in the Kilo development cycle, we can remove this
support.

partially-implements blueprint removed-as-of-kilo
Closes-Bug: #1406172
Change-Id: I3cd1e2e5a51c4a87edf00647bc1b95a0347e3316
2015-02-15 09:04:17 +08:00
Brant Knudson
56e3a0fb43 Update policy doc to use new rule format
The policy documentation was using the old rule format when the
new format is preferred.

Change-Id: Ie06210ca7d2cd5ecb0757dd8db3857be2b57242b
2015-02-12 07:57:23 -06:00
Henry Nash
f01cd89bd0 Split the assignments controller
This is the final part of the more comprehensive split of
assignments, which rationalizes both the backend and controllers.
In order to make this change easier for reviewers, it is divided
into a number of smaller patches. This patch divides up the
assignment controller, giving resource its own controller.

Previous patches have:
- Moved role management into its own manager and drivers
- Fixed incorrect doc strings for grant driver methods
- Updated controllers to call the new role manager
- Updated unit tests to call the new role manager
- Refactored the assignment manager and drivers enabling
  projects/domains to be split out
- Fixed incorrect comment about circular dependency between
  assignment and identity
- Moved the logically separated project and domain
  functionality into their own manager/backend (called resource).
- Removes unused pointer to assignment from identity driver
- Updated controllers and managers to call the new resource
  manager
- Updated tests to call the new resource manager

Partially implements: bp pluggable-assignments
Change-Id: Ic7a4dbe9e39c1910ecc23b37d0b798955544fde4
2015-02-10 14:34:42 +00:00
Lance Bragstad
2ef3cdf307 Remove unused test case
Getting a user's roles isn't going to be implemented according to bug reports
(bug 1418015 and bug 933565). This commit removes the test case from
test_content_types.py and removes documentation from example curl calls.

Change-Id: Id317cc28d961316be6a7b8278c5242382784f10f
Related-Bug: 933565
Related-Bug: 1418015
2015-02-09 21:19:25 +00:00
Jenkins
aa613dfb0d Merge "Adds a wip decorator for tests" 2015-02-03 20:56:17 +00:00
Jenkins
50fe87c712 Merge "Remove local conf information from paste-ini" 2015-02-03 07:28:31 +00:00
Rodrigo Duarte Sousa
f74c8c95a2 Update federation config to use Service Providers
Currently, the documentation shows an example using the regions
table, which has been removed in favor of the Service Provider
object.

bp k2k-service-providers

Change-Id: I9ea0e28b4847eacaa072deb3246e7897e09a097e
2015-02-02 18:13:56 -05:00
Henry Nash
74c50bde07 Make the LDAP dependency clear between identity, resource & assignment
We currently hint at the fact that there is dependency on LDAP for
identity if we are using it for resource and/or assignment, but we
don't make it clear enough. This patch fixes this.

Change-Id: Ic6cbffbcd390c48ee40dd97f70403c6981dc951e
Closes-Bug: 1415169
2015-02-01 23:33:25 +00:00
Jenkins
ab627dae92 Merge "Move projects and domains to their own backend" 2015-01-30 22:01:57 +00:00
Jenkins
7466a5701c Merge "Documentation fix for Keystone Architecture" 2015-01-29 23:48:16 +00:00
Henry Nash
0e05353d09 Move projects and domains to their own backend
This is the part of the more comprehensive split of
assignments, which rationalizes both the backend and controllers.
In order to make this change easier for reviewers, it is divided
into a number of smaller patches.

Previous patches:

- Move role management into its own manager and drivers
  (see: https://review.openstack.org/#/c/144239/)
- Fix incorrect doc strings for grant driver methods
  (see: https://review.openstack.org/#/c/144403/)
- Make controllers call the new, split out, role manager
  (see: https://review.openstack.org/#/c/144494/)
- Make unit tests call the new, split out, role manager
  (see: https://review.openstack.org/#/c/144548/)
- Refactor the assignment manager and drivers, enabling
  projects/domains to be split out
  (see: https://review.openstack.org/#/c/144650/)
- Fix incorrect comment about circular dependency between
  assignment and identity
  (see: https://review.openstack.org/#/c/144850/)

This patch moves the now logically separated project and domain
functionality into their own manager/backend (called resource).

Future patches will:

- Remove unused pointer to assignment in identity driver
- Update the controllers to call the new resource manager
- Update the tests to call the new resource manager
- Split the assignment controller, giving projects/domains
  their own controller

Partially implements: bp pluggable-assignments

Change-Id: I0ff1c2fa30237734d0a25d03dad5be03eb166367
2015-01-29 16:40:24 +00:00
Kamil Rykowski
abeb6c48f0 Documentation fix for Keystone Architecture
During reading the Keystone Architecture documentation I've found a nit
issue under the Service Backends section. There is a missing "be" in the
sentence "Each of the services can configured to". Additionally double
space has been removed from LDAP backend session.

Change-Id: Ie9044cb251edf24ec3d6263769461ed9ff922e86
2015-01-29 17:08:47 +01:00
Dave Chen
fd92c3848b Remove local conf information from paste-ini
Since keystone's PasteDeploy configuration file has been separated
from the main keystone configuration file, "keystone.conf", all
local configuration or driver-specific configuration parameters
must go in the main keystone configuration file instead of PasteDeploy
conf file, i.e. configuration in "keystone-paste.ini" is not supported.

This patch is doc specific changes in order to make usage more
clear, code specific change is submitted in another
patch (https://review.openstack.org/#/c/134124/).

DocImpact
Partial-Bug: #1369388

Change-Id: Ie81eaa621b4517da1a00a723503ea4b8cbe84b8e
2015-01-29 00:41:00 +08:00
David Stanek
3b7988f45d Adds a wip decorator for tests
This decorator can be used to commit failing tests while they are still
in development. It can also be used by people to show how an issue can
be reproduced without them having to make the code changes necessary to
make the test pass.

This is nicer than just raising TestSkipped because there is a built in
reminder to remove the decorator when the test starts passing.

Implements: blueprint failing-tests
Change-Id: I9ded266b368e7955b1e295950df394823b1a4088
2015-01-27 21:42:27 +00:00
Jenkins
3a37b54840 Merge "Change /POST to /ECP at federation config" 2015-01-27 19:50:18 +00:00
Henry Nash
3408515e8c Split roles into their own backend within assignments
This is the first part of the more comprehensive split of
assignments, which rationalizes both the backend and controllers.
In order to make this change easier for reviewers, it is divided
into a number of smaller patches.

Follow-on patches will:

- Fix incorrect doc strings for grant driver methods
- Update unit tests to call the new role manager
- Update the assignment controller to call the role manager
- Refactor assignment manager and driver methods to logically
  separate project/domains from the actual assignments
- Split projects and domains into their own backend
- Split the controllers so they call the correct manager
- Update the tests to call the new correct manager

Partially implements: bp pluggable-assignments

Change-Id: I41fc23a049c26e514222a966c1847e183448be00
2015-01-14 04:36:49 +00:00
Samuel de Medeiros Queiroz
984fdbc38e Update Inherited Role Assignment Extension section
This patch updates the section which explains
inherited role assignments in order to include
information about role inheritance in a project
hierarchy.

Closes-Bug: #1409205
Change-Id: Ie3d8e1f16ee0b65b4886ae8e7866deb558238702
2015-01-13 17:12:22 -03:00