Commit Graph

49 Commits

Author SHA1 Message Date
Artem Goncharov
57c6b3187f Add new keystone.wsgi module
This allows deployment tooling to easily switch from passing a binary
path to passing a Python module path. We'll use it shortly.

Change-Id: I36bb9ab43c3263b5064f35f4fc550722a0e83279
2024-11-13 15:14:52 +00:00
Colleen Murphy
dc825c9543 Remove admin interface in sample Apache file
We provide a sample Apache file for mod_wsgi that references the admin
port 35357. This is consumed by distributors such as RDO[1]. To bring
consumers of this example file in line with the other distributors,
this patch removes the vhost for the admin port from the example.

[1] https://review.rdoproject.org/r/gitweb?p=openstack/keystone-distgit.git;a=blob;f=openstack-keystone.spec;h=b59c2a7c1ca546d205dafe278e035da5ee829728;hb=refs/heads/queens-rdo#l209

Change-Id: I86b5a43beb18e730c2b18a36316d51751e6c1696
2018-03-24 12:56:02 +01:00
wangxiyuan
10f4686b96 Remove apache-httpd related link
The apache-httpd doc file has been removed already.
We should remove the related link as well.

Change-Id: Ie14de3ef537a613b36b854c1119678f007c6545c
2017-11-23 14:05:17 +08:00
Steve Martinelli
2388cef976 remove httpd/keystone.py
bp removed-as-of-ocata

Change-Id: I08cde7331816eeaafaec72fa792b2454458ca296
2016-09-21 22:35:52 -04:00
Brant Knudson
cc3e797bca Update sample uwsgi config for lazy-apps
Keystone had a problem where there was a memcached socket
opened very early on startup which then got shared between
worker processes when running under uwsgi. Since we don't have
a test or a way to ensure that no sockets are opened too early
for uwsgi, let's recommend setting lazy-apps to avoid issues.

Change-Id: I8b46c5424094d3abe9a986da4ee1143f72a91a4d
Related-Bug: 1600394
2016-08-31 15:41:21 -05:00
Brant Knudson
d03ed967dd Keystone uwsgi performance tuning
I ran some tests locally that showed that when using the uwsgi
deploy the keystone server wasn't using all the processes
available. When I switched from "threads" to "processes" the
concurrent performance improved considerably. So I'm proposing
that the docs use processes to improve performance.

Change-Id: I5375702f45ccb82c02ff2bba1eabda836d5d25eb
2016-06-05 18:47:30 -05:00
Brant Knudson
07c8ecdff2 Document running in uwsgi proxied by apache
Add documentation for how to run uwsgi proxied by uwsgi.

Change-Id: I3d307a953bbe1ba78745c0846cd4c5a78010b6cb
2016-03-15 15:04:13 -05:00
Jenkins
c043818cad Merge "Document httpd for accept on /identity, /identity_admin" 2015-10-08 05:09:18 +00:00
Jenkins
617f6dbd04 Merge "Deprecate httpd/keystone.py" 2015-10-07 23:43:26 +00:00
Brant Knudson
f5e256b422 Add LimitRequestBody to sample httpd config
Web servers that are exposed to the Internet eventually gain a
security feature of limiting the amount of data in the request
body. In Apache Httpd, this is provided by the LimitRequestBody
directive. This is added to the sample Httpd config file.

The limit is set for only the keystone services so it won't
affect other services running in Httpd.

The value of 114688 was picked because it's the current limit
on request body that oslo.middleware's sizelimit function puts
on requests to keystone.

Use of oslo.middleware's sizelimit re-implementation can be
deprecated.

Docs:
- http://httpd.apache.org/docs/2.4/mod/core.html#limitrequestbody

ReleaseNotesImpact

Closes-Bug: 1481048
Change-Id: I5509e4b65900c15dd0b5fda43b1d5bb4dc3ff5ff
2015-09-30 17:19:26 -05:00
Tom Cocozzello
70a42e7a82 Deprecate httpd/keystone.py
Now that we have keystone-wsgi-admin and keystone-wsgi-public
we can deprecate httpd/keystone.py. These 2 are already defined
in setup.cfg pointing to wsgi.py to initialize the application.

Change-Id: Ifcdfcb31e7be18b511a7c586d9ca259bc15bec44
Closes-Bug: 1494922
2015-09-30 12:15:53 -05:00
Brant Knudson
4a034326ff Document httpd for accept on /identity, /identity_admin
Apache Httpd can be configured to accept keystone requests on all
sorts of interfaces. The sample config file is updated to show
how to configure Apache Httpd to also send requests on /identity
and /identity_admin to keystone.

Closes-Bug: 1496041
Change-Id: Ie7b829eff16c0e839f8dd1e4ecef7fdc06c3f561
2015-09-15 11:00:32 -05:00
Brant Knudson
3624c2f5ad Use wsgi_scripts to create admin and public httpd files
The httpd/keystone.py file needed to be copied and then
symlinked when used by web servers to "admin" and "main".

pbr 1.4.0 added support for wsgi_scripts that creates scripts
for wsgi servers on install. Keystone will now specify
wsgi_scripts so that the admin (keystone-wsgi-admin) and
main (keystone-wsgi-public) scripts will be created on install.

See http://httpd.apache.org/docs/2.4/upgrading.html#access for
the apache docs with examples for the Allow/Deny/Require
directives.

DocImpact

Related-Bug: #1441733
Change-Id: Ic9c03e6c00408f3698c10012ca98cfc6ea9b6ace
2015-08-18 09:33:23 -05:00
David Stanek
b98c51fd4f Fixes grammar in the httpd README
Change-Id: Ic84d70b7ae9427e6a1d02353facf199774f0ac12
2015-07-10 12:07:13 +00:00
Alan Pevec
0058b6e64f Run WSGI with group=keystone
This matches puppet-keystone[*] and is required for distributions
which properly restricted access to /etc/keystone

[*] https://github.com/stackforge/puppet-keystone/blob/master/manifests/wsgi/apache.pp#L167

Closes-Bug: #1456441

Change-Id: I7a80bdf1c1efaedfeba7d2834a858e3617f6529e
2015-06-03 19:29:08 +00:00
Brant Knudson
8aaaa64b17 Update sample httpd config file
The sample httpd config file was not using best practices for
apache configuration. The file is now a copy of the file that
devstack uses for keystone apache config
(files/apache-keystone.template), with the replacement strings
updated to the keystone defaults.

Also, the "Firewall" section is removed from the httpd config
docs because the sample config file isn't using port 443.

Change-Id: I1d10925b33ec7e70793e61db1cb99186f112ef3e
2015-03-18 19:33:42 +00:00
Brant Knudson
ea8845a48f Refactor keystone-all and http/keystone
There was a lot of code in keystone-all and httpd/keystone.
Functions in keystone-all and http/keystone can't be called from the
tests, so this code should be in the keystone package.

This also allows some sharing of common code between keystone-all,
httpd/keystone, and the tests.

bp refactor-keystone-all-http

Change-Id: I1c4e59e253b1816ccfb4d5bf1d2aa40b49221b4f
2015-01-16 12:26:23 -06:00
Brant Knudson
0b67673034 Add V3 JSON Home support to GET /
The server wasn't returning a JSON Home response for GET / when the
Accept header is `application/json-home`. By returning the V3 JSON
Home response for GET / a V3 client that supports JSON Home can
GET either /v3 or / and use the response. The identity API should
be able to be set to /.

Closes-Bug: #1366589
Change-Id: I3191a85acf9d2f582f6b48a164cf5ac2bf84a8cf
2014-09-10 16:49:21 -05:00
Brant Knudson
e527802f68 Use oslo.i18n
Keystone was using the I18N functions from oslo-incubator. With
this change, Keystone uses the new oslo.i18n library.

The tests were adapted to not use internal symbols because these are
subject to change.

Change-Id: I1b13fcc630952695424fccd91bcd157d702851f1
2014-07-13 10:29:41 -05:00
Jamie Lennox
22b734fa60 Isolate backend loading
Pecan uses thread local storage and so if we combine pecan and eventlet
we need to make sure that eventlet is monkey patched before pecan is
first loaded.

To keep the paste.ini file untouched we need to keep the app creation in
service.py but we can't load that from keystone-all because it has pecan
in it.

So we create a new file that can be safely imported before pecan is
loaded.

Change-Id: If7abf1db9859d66c06f7f223056c106292f256fa
blueprint: keystone-pecan
2014-04-16 15:13:20 +10:00
David Stanek
7a1c13aec3 Enable lazy translations in httpd/keystone.py
This allows strings being returned in an HTTP response to be translated
into the language specified in the HTTP requests headers.

Closes-bug: #1297922
Change-Id: I8a671277f861075deddd1ee4cf5daca62a43fff7
2014-03-26 16:09:40 +00:00
Ilya Pekelny
5f3fcf1123 Uses explicit imports for _
Previously `_` was monkeypatched in tests/core.py and bin/keystone-*.
This meant that if a developer was not running the tests exactly as
the documentation described they would not work. Even importing
certain modules in a interactive Python interpreter would fail unless
keystone.tests was imported first. Monkeypatching was removed and
explicit import for `_` was added.

Co-Authored-By: David Stanek <dstanek@dstanek.com>
Change-Id: I8b25b5b6d83fb873e25a8fab7686babf1d2261fa
Closes-Bug: #1255518
2014-03-18 01:23:21 -07:00
Jenkins
a39b815cf7 Merge "Remove vim header" 2014-02-13 03:43:19 +00:00
Eric Guo
263b27f2cd Remove vim header
We don't need vim modelines in each source file, it can be set in
user's vimrc.

Change-Id: Ie51ad62946afdf39eadcd59edaf8134ec10265c6
Closes-Bug: #1229324
2014-02-08 23:54:04 +08:00
Brant Knudson
27f9221722 Update the default_log_levels defaults
The default for default_log_levels didn't set the log levels
for some packages that Keystone uses (for example, dogpile). This
caused the server to output a lot of extra logs when debug=True
is used.

You can get the debug output for dogpile and routes by setting
default_log_levels explicitly in your keystone.conf file.

Change-Id: Ib797fa7b98f0e501047b72b094d07ad204385cc6
Related-bug: #1245629
Closes-Bug: #1269987
2014-01-27 11:43:27 -06:00
Brant Knudson
d542caa47e Don't configure on import
The keystone.config package called config.configure() at import-
time.

This will make it obvious that developers can't use config
options at import-time because packages that do that will fail on
import.

Change-Id: I9306f67609d782e3f49fd43908448daf1287d51c
Related-Bug: #1265108
Related-Bug: #1265670
Closes-Bug: #1269785
2014-01-24 07:00:45 -06:00
Brant Knudson
2167e3612c Enable lazy translation
This change makes it so that if the user makes a request with an
Accept-Language header and the response is an error where the
message is translatable, then the message will be translated to
the requested language (or the most appropriate language
available).

completes bp user-locale-api

Change-Id: I5b0b02e0459a6a444baa12f8722adb829b7e152b
2014-01-14 14:01:22 -06:00
Steve Martinelli
8bf22c34fa Resolve oauth dependency after paste pipeline is loaded
When trying to authenticate with the oauth plugin, it is
possible that the dependency is not yet loaded, and as a result
the user will receive an error message: "Oauth is disabled"

This patch will ensure the dependency is loaded after the pipeline

Fixes: bug #1264803

Change-Id: I37484bf844896b1a1b560923a8afaf99e91635e4
2014-01-08 13:21:16 -06:00
Brant Knudson
44ceda2816 Use oslo.db sessions
Keystone was using its own keystone.common.sql module for
database access. oslo-incubator's db.sqlalchemy module provides
the same or better functionality, so use that instead.

DocImpact
- The options that were in the [sql] section are deprecated and
  replaced by options in the [database] section. There are
  also several new options in this section. If database
  configuration is described for another project that uses
  oslo-incubator's db.sqlalchemy module the docs can be shared.

Part of bp use-common-oslo-db-code

Change-Id: I25b717d9616e9d31316441ae3671d2f86229c2bf
2013-12-18 16:17:26 -06:00
Jenkins
2f10188457 Merge "Cleanup backend loading" 2013-12-15 08:53:54 +00:00
Brant Knudson
d5211b6e26 Cleanup backend loading
Backend creation was happening at import time. This changes the
code so that backend creation time is controlled by calling a
function.

This also allows sharing the backend creation code between the
server and the tests.

Change-Id: Ib817aa341de510a46faa8ed0bc24ef9268fa944b
2013-12-14 21:07:23 -08:00
Brant Knudson
9b07e20dee Refactor setup_logging
This change just cleans up the setup_logging function. It was
defined in keystone.common.config and then also exported from
keystone.config. Also, it had extra parameters that were unused.

This takes care of a NOTE (which probably should have been a
TODO) in the code.

Change-Id: I1a46c8974cbd68a5bf708d253adfadc1fdb76dcd
2013-12-13 13:08:12 -06:00
Matt Odden
c3b92295b7 Disable lazy gettext
This change disables lazy gettext functionality in Keystone,
due to problems with character encoding and logging
detailed in bug 1225099.

It is part of a series of commits across all projects with
lazy gettext enabled.

Change-Id: Ia934a7df9386baf6ae8eb9ff48c24386c47ecd23
Partial-bug: 1225099
2013-10-03 12:23:24 +00:00
Morgan Fainberg
d98dca9f98 Update keystone wsgi httpd script for oslo logging
When updating to the oslo logging module, it appears that this script
was missed, and erroneously still references .DEBUG, which is not
available in the oslo logging module.  This commit corrects the issue
and updates the reference to oslo log module to not be aliased to
"logging".

The extra logic to set the debug on the instantiated logger is still
needed to ensure all logging is seen (startup config logging, etc).

fixes-bug: 1220012
Change-Id: If5b4f9f28cb9d05f914848cbdb54b10c2c5f3b2d
2013-09-02 20:49:01 -07:00
Zhongyue Luo
cf786220f9 Bump hacking to 0.7
Fixed H102 errors

Hacking 0.6 already pins down pep8, pyflakes and flake8 so they can be
removed from test-requirements as they are indirect dependencies.

Co-author: Joe Gordon <joe.gordon0@gmail.com>

Change-Id: If7e79c70fe44d7e42a14cd6c710fd9986f995446
2013-08-29 09:30:55 +09:00
Brant Knudson
2fe72a0d57 Fix translate static messages in response
Messages created statically (during import) were not being
translated in responses when the Accept-Language header was
used to set the expected language in the response. The static
messages were being created before the _ built-in had been
installed by gettextutils.install().

Change-Id: Ie56b1d3a836bc5f2262d7af68f803a08ebdf016f
Resolves-Bug: #1215192
2013-08-22 16:28:39 -05:00
Dolph Mathews
f64ca65ad4 remove refs to keystone.common.logging
A couple references to this module were missed, and a few new ones were
created while it was in the process of being deprecated. This change
removes outstanding references to the module.

blueprint unified-logging-in-keystone

Change-Id: I4cc7614b3f74caaec9dfa100202d9d6db4ebfc36
2013-08-19 11:27:26 -05:00
Brant Knudson
760856e966 Add support for API message localization
Add support for doing language resolution for a request, based on the
Accept-Language HTTP header.

Using the lazy gettext functionality from oslo gettextutils, it is
possible to use the resolved language to translate an exception message
to the user requested language and return that translation from the API.

Co-authored-by: Luis A. Garcia <luis@linux.vnet.ibm.com>
Co-authored-by: Mathew Odden <mrodden@us.ibm.com>

Implements bp user-locale-api

Change-Id: Id8e92a42039d2f0b01d5c2dada733d068b2bdfeb
2013-08-14 18:09:01 -05:00
Haneef Ali
6767cc6612 Install locales for httpd.
Change-Id: Ia5886b98070f3e3b2df4e94bf2a3db7c57bf870e
2013-07-01 12:28:12 -07:00
Lance Bragstad
59ea70655d Add 'application' to keystone.py for WSGI
This adds WSGI application to keystone/httpd/keystone.py, fixing
bug 1194494.

Change-Id: I921fe1332dc9dd25e917f02f583b5b597cf35c26
2013-06-29 01:05:23 +00:00
Jenkins
bc063e554f Merge "Initialize logging from HTTPD." 2013-06-23 16:32:28 +00:00
Jamie Lennox
3afd9791ef Isolate eventlet code into environment.
The environment module will be configured once, during code initialization.
Subsequently all other possibly-evented modules will retrieve from
environment and transparently obtain either the eventlet or standard
library modules.

If eventlet, httplib, subprocess or other environment dependant module
is referenced outside of the environment module it should be considered
a bug.

The changes to tests are required to ensure that test is imported first
to setup the environment. Hopefully these can all be replaced with an
__init__.py in a post-nose keystone.

Implements: blueprint extract-eventlet
Change-Id: Icacd6f2ee0906ac5d303777c1f87a184f38283bf
2013-06-18 14:10:36 -04:00
Jamie Lennox
86eab682fc Initialize logging from HTTPD.
Fixes bug 1190324

Change-Id: I6031c26c4917bd526c5918d815bff3bd060301c8
2013-06-12 16:29:29 -05:00
Alan Pevec
64738924b8 separate paste-deploy configuration from parameters
PasteDeploy configuration contains class names which might change
between releases. Keeping it separate from user-configurable
parameters allows deployers to move paste-deploy ini file out of
configuration directory to a place where it can be safely overwritten
on updates e.g. under /usr/share/

DocImpact

Change-Id: I9292ca6226c8430b93565dedd45cc842742a23e2
2013-05-26 17:36:08 +02:00
Dolph Mathews
0be3c0e997 imports not in alphabetical order (flake8 H306)
Change-Id: I0f6c5fc27b0bb2da553e9345a8ac4949ce46e685
2013-05-24 01:25:32 +00:00
Dan Prince
8dcafd81df Various pep8 fixes for keystone.
Change-Id: Id94b76d30658e75a805301b1c30b1aa28138b823
2012-11-09 22:34:35 -05:00
Adam Young
19c0e8d856 Fix wsgi config file access for HTTPD
Bug 1051081

Change-Id: Ie1690c9b1b98ed3f5a78d935878369b7520b35c9
2012-09-14 17:23:38 -04:00
Joe Heck
861670e091 pep8 1.3.3 cleanup
removing unused imports

Change-Id: I0472fd074bbe0b2ec07f1548f3930df339523465
2012-08-24 01:19:45 +00:00
Adam Young
9b31383c7d Files for Apache-HTTPD
files required for running Keystone in Apache-HTTPD and instructions to set it up

Change-Id: Ib3fdf873ea3816186e6bb63307028ba3aa2edaa9
2012-07-16 16:53:58 -04:00