191 Commits

Author SHA1 Message Date
Brant Knudson
8f7b87b2a7 Sync db, db.sqlalchemy, gettextutils from oslo-incubator 6ba44fd
This change syncs oslo-incubator's db module from commit hash
6ba44fd7f9d39a7930defb4e14c37b8b1046cbcb

 $ python update.py --nodeps --base keystone \
    --dest-dir ../keystone \
    --modules db,db.sqlalchemy,gettextutils

- Config options were moved from db.sqlalchemy.session to db.options
- db.sqlalchemy.session doesn't provide get_session, get_engine, or
  cleanup functions.
- db.sqlalchemy.migration.db_version() requires an engine parameter

Closes-Bug: #1227321

Change-Id: I742cef9dab68d9eed977df0039736cfe67ca493c
2014-03-06 11:48:50 -06:00
Jenkins
1017859b81 Merge "Add the last of the outstanding helpstrings to config" 2014-03-06 01:02:34 +00:00
Morgan Fainberg
81c49af0bd Add the last of the outstanding helpstrings to config
Add the last of the outstanding help strings to the options defined
in keystone.common.config.

Adds in periods to the end of the helpstrings that were missing
proper ending punctuation.

DocImpact

Related-Bug: #1229941
Change-Id: Iebe0358a19f645220eb7b3dfca0dc868716f5bc8
2014-03-04 12:14:47 -08:00
Adam Young
2e51473138 Token Revocation Extension
Base API for reporting revocation events.

The KVS Backend uses the Dogpile backed KVS stores.

Modifies the places that were directly deleting tokens to also generate
revocation events.

Where possible the revocations are triggered by listening to the notifications.
In some places, the callers have been modified instead.  This is usually due to
the need to iterate through a collection, such as users in a group.

Adds a config file option to disable the existing mechanisms that support
revoking a token by that token's id: revoke_by_id. This flag is necessary
to test that the revocation mechanism is working as defined, but will also
be part of the phased removal of the older mechanisms. TokenRevoke tests
have been extended to test both with and without revoke-by-id enabled.

Note: The links aren't populated in the list_events response.

SQL Backend for Revocation Events

Initializes the SQL Database for the revocation backend.
This patch refactors the sql migration call from the CLI
so that the test framework can use it as well. The sql
backend for revocations is exercised by test_notifications
and must be properly initialized.

Revoke By Search Tree

Co-Authored-By: Yuriy Taraday (Yoriksar)

Create a set of nested maps for the events. Look up revocation by
traversing down the tree.

Blueprint: revocation-events

Change-Id: If76c8cd5d01a5b991c58a4d1a9d534b2a3da875a
2014-03-04 13:42:28 -05:00
Dolph Mathews
dd18e86ff6 drop key distribution from icehouse
key distribution is being continued in feature branch here:

  https://github.com/openstack/keystone/tree/feature/key-dist

Change-Id: I47504bec73dd7e1a6419a5509093a9d494d90108
2014-03-03 20:04:29 -08:00
Jenkins
e9c5a00cb2 Merge "Update oslo-incubator log.py to a01f79c" 2014-03-04 00:55:48 +00:00
Morgan Fainberg
3be2975626 Remove "test-only" pam config options
Remove the "pam" configuration options that were only ever used for
testing purposes. Removes the test config file "backend_pam.conf"
by moving test_backend_pam.py to utilize the proper configuration fixture
for the identity driver, since we no longer need the "pam.user" and
"pam.password" config options.

DocImpact

Related-Bug: #1229941
Change-Id: I3759ff7974948432900e3a73f3d87e5eed6e9828
2014-03-01 23:21:55 -08:00
Morgan Fainberg
d53945c779 Cleanup and add more config help strings
Cleanup and add expanded helpstrings for the auto generated sample
config.

Change-Id: I2106d8efee9934e6a48e5d0184c5a63754816a74
2014-02-27 00:13:10 +00:00
Lance Bragstad
6b2bb82ef9 Remove oslo rpc
The rpc module was a dependency that was needed for the notifier module.
Since the notifier and rpc modules have been incorporated into oslo.messaging,
there is no need for the sync'd versions from oslo-incubator. This change
removes the oslo-incubator rpc module.

Change-Id: I00f7ae3e71c0df0de22e1371c6eee372230384f2
Blueprint: oslo-messaging
2014-02-24 13:13:17 +00:00
Jamie Lennox
8160e95c80 Remove oslo notifier
Change-Id: I5e11b8bb19b7fbd4118b274c97aba69e90f3ea0d
Blueprint: oslo-messaging
2014-02-21 22:16:28 +00:00
Brant Knudson
40cff90166 Update oslo-incubator log.py to a01f79c
This updates the log module from oslo-incubator to
a01f79c3050962fd744239956e9654407d14ea1f

 $ git checkout a01f79c3050962fd744239956e9654407d14ea1f
 $ python update.py --nodeps --base keystone \
     --dest-dir ../keystone --modules log

This includes a fix for the deprecated logger that caused the
deprecated message to be printed multiple times rather than once.

Change-Id: I6174b064205adcdc9fb966a9e01eb5190b5b730e
Closes-Bug: #904307
Closes-Bug: #1266812
2014-02-21 10:10:54 -06:00
Morgan Fainberg
23a4fe9ec7 Update config options with helpstrings and generate sample
Restructure the common config to include many help strings to
support using the oslo.config auto-generated sample config file.

Closes-Bug: #1229941
Change-Id: If352b3b816b1e7dc8b5fc3b9c1cb2adab187ffda
2014-02-20 19:18:49 -08:00
Jamie Lennox
de812c5e5d Replace notifier with oslo.messaging
Oslo messaging works slightly differently in that you create a Notifier
object once which contains config such as publisher_id and then you
re-use that object when issuing messages.

DocImpact: The options for setting up RPC and notifications have changed
to reflect oslo.messaging.

Blueprint: oslo-messaging
Change-Id: I2d08fb405e68df37866b3799ab7339ebd9894f05
2014-02-17 17:35:45 -06:00
Dirk Mueller
7848b9d040 Set sensible default for keystone's paste
The https://review.openstack.org/#/c/66247/ change introduced
the requirement to set config_file before keystone would start
up. Restore the old setting as default to allow a smooth
transition for users.

Change-Id: I935c5144728d04c59abaee9a515e249ef0d24477
2014-02-15 00:51:03 +01:00
Jenkins
541de98301 Merge "Reference dogpile.cache.memcached backend properly" 2014-02-13 03:33:57 +00:00
Jenkins
bbe2c3a82a Merge "Update db.sqlalchemy.session from oslo-incubator 018138" 2014-02-12 19:38:44 +00:00
Jenkins
92ce4a1542 Merge "Cleanup sample config" 2014-02-12 19:38:25 +00:00
Jenkins
f4e52af01c Merge "Implement list limiting support in driver backends" 2014-02-11 19:40:04 +00:00
Jenkins
a2a7df1ed8 Merge "Update the default_log_levels defaults" 2014-02-11 19:39:46 +00:00
Jenkins
065eaade53 Merge "Correct sample config default log levels" 2014-02-11 19:27:11 +00:00
Jenkins
18ee7b4524 Merge "rename templated.TemplatedCatalog to templated.Catalog" 2014-02-08 01:14:20 +00:00
Henry Nash
0dec4c8be9 Implement list limiting support in driver backends
Provides an optional limit to the number of rows that will be
returned by a backend from a list_{entity} call.  The limit is specified
in the configuration file, and allows for an overall general limit as
well as an individual limit for a given driver.  By default, there is
no limit.

Limitations:
    - The list limit is not yet handled by LDAP, rather this remains
      implemented in the final wrap collection - a subsequent patch
      will provide the support in the LDAP drivers

Implements bp list-limiting

Change-Id: I7ca76a8da4260242e578c44103b26257f7e2a5d5
2014-02-07 11:12:31 +00:00
Jenkins
1923a3f5ba Merge "Remove default_notification_level from conf" 2014-02-07 05:20:11 +00:00
Jamie Lennox
b30b06e008 Remove default_notification_level from conf
This config option is used when you use the notify_wrapper wrapper
function from openstack.common. As we don't use the wrapper we don't
ever require the config option so we shouldn't show it to users.

blueprint oslo-messaging

Change-Id: I95280af37a84c71131fb2fc92c9302b8926c95bd
2014-02-06 04:04:23 +00:00
Brant Knudson
96be7449ec Update db.sqlalchemy.session from oslo-incubator 018138
Keystone's db.sqlalchemy.session module was out of date. This
updates Keystone's version to oslo-incubator hash
01813871e2f6b9b01783f7da88998d9bc97d4a8c.

 $ python update.py --nodeps --base keystone \
    --dest-dir ../keystone --modules db.sqlalchemy.session

Among other changes, the newer db.sqlalchemy.session has fixes to
the docstring so there are fewer warnings issued during doc build
and rendering issues.

Change-Id: I70f6727adeb98142f8a9a1cea04c71ade27dfaba
2014-02-05 11:07:06 -06:00
Edward Hope-Morley
e71f615d9f Adds tcp_keepalive and tcp_keepidle config options
Currently the wsgi server will not close connections once requests
complete and will not enable keepalive on its wsgi sockets. This can
be a problem for those who need to align the server keepalive with
load balancer timeouts without modifying system keepalive settings.

To remedy this we add new config options tcp_keepalive and
tcp_keepidle which are disabled by default to remain backwards
compatible.

DocImpact: "new config options for wsgi tcp_keepalive & tcp_keepidle"
Closes-bug: bug 1260406
Co-authored-by: Hirofumi Ichihara <ichihara.hirofumi@lab.ntt.co.jp>
Change-Id: Ic53402c57e1ebe44cde4c18e5e15200dcbbcb04b
2014-02-05 09:48:40 +00:00
Brant Knudson
dcb6bcbc4e Cleanup sample config
The sample config file had some options that were set rather than
documenting the defaults.

Change-Id: I53abba01b3683f3ad9c81d824ccf0b63c016dc87
2014-02-03 11:10:08 -06:00
Brant Knudson
27f9221722 Update the default_log_levels defaults
The default for default_log_levels didn't set the log levels
for some packages that Keystone uses (for example, dogpile). This
caused the server to output a lot of extra logs when debug=True
is used.

You can get the debug output for dogpile and routes by setting
default_log_levels explicitly in your keystone.conf file.

Change-Id: Ib797fa7b98f0e501047b72b094d07ad204385cc6
Related-bug: #1245629
Closes-Bug: #1269987
2014-01-27 11:43:27 -06:00
Brant Knudson
7ae2549edc Correct sample config default log levels
The documentation of the default_log_levels default value in the
sample keystone.conf file was out of date. The default value has
been updated to the current value in keystone.openstack.common.log.

Change-Id: I3edf2d5375413250de41f8cebb98a826dc5df8ce
2014-01-27 11:41:04 -06:00
Jenkins
2f2ef6d480 Merge "Identity Providers CRUD operations" 2014-01-24 02:29:07 +00:00
Dirk Mueller
f2309df098 Reference dogpile.cache.memcached backend properly
It is dogpile.cache.memcached, not dogpile.cache.memcache; see
http://dogpilecache.readthedocs.org/en/latest/api.html?highlight=memcache#module-dogpile.cache.backends.memcached

Change-Id: Ia2aded1be82453b87a7734441537a5976385616e
2014-01-23 14:15:38 +01:00
Marek Denis
20840199e6 Identity Providers CRUD operations
Implementation of CRUD operations for:

- Identity Providers
- Protocols used to authenticate remote users (SAML, OpenId, etc)

Change-Id: I0ce62e720e797718dbfde6bfcd4b22a213985867
Implements: blueprint identity-providers
2014-01-21 14:28:21 -06:00
Jenkins
ea08c8a5a2 Merge "Fix sample config external default doc" 2014-01-21 19:31:31 +00:00
Dolph Mathews
6670a48a17 rename templated.TemplatedCatalog to templated.Catalog
This addresses a long standing TODO for consistency across catalog
drivers, making it more intuitive to switch drivers.

UpgradeImpact

Change-Id: I109513695e60867d1111795ab958a3cc4240e831
2014-01-16 08:18:15 -06:00
Dolph Mathews
7494f93dc3 reduce default token duration to one hour
- reduces number of active tokens that have to be persisted, especially
  where clients are needlessly regenerating tokens
- reduces the window of publishing token revocation events (you only
  have to publish events from the last hour)
- reduces the window of the token revocation list (similar to the above)

DocImpact
UpgradeImpact

Implements: bp reduce-default-token-duration
Change-Id: Ia548f7e981690edab56c51fdcab9102245aced3e
2014-01-14 15:25:19 -06:00
Brant Knudson
55b9948157 Fix sample config external default doc
The sample config file documented the incorrect default for the
[auth].external value as defined in keystone.common.config.

Change-Id: I6f9454f35eaade5fa35738a9ba3f74a388bf5099
2014-01-12 19:08:26 -06:00
Jenkins
b09dad0d81 Merge "Re-write comment for ADMIN_TOKEN" 2013-12-20 23:42:00 +00:00
Steve Martinelli
d9116abae0 Re-write comment for ADMIN_TOKEN
It seems that there is a misconception around the ADMIN_TOKEN in
keystone. Currently the comment reads that it is a "shared secret"
and can be used between openstack services.

However this token has no user associated with it, and no
authorization. It's a method to bootstrap into keystone, that's
all.

Closes-Bug: 1261622
Co-Authored-By: Dolph Mathews <dolph.mathews@gmail.com>

Change-Id: I6c913a8079bb84b56ac69249e7d25bc94cf32dd0
2013-12-19 22:45:54 -06:00
Brant Knudson
44ceda2816 Use oslo.db sessions
Keystone was using its own keystone.common.sql module for
database access. oslo-incubator's db.sqlalchemy module provides
the same or better functionality, so use that instead.

DocImpact
- The options that were in the [sql] section are deprecated and
  replaced by options in the [database] section. There are
  also several new options in this section. If database
  configuration is described for another project that uses
  oslo-incubator's db.sqlalchemy module the docs can be shared.

Part of bp use-common-oslo-db-code

Change-Id: I25b717d9616e9d31316441ae3671d2f86229c2bf
2013-12-18 16:17:26 -06:00
Morgan Fainberg
5a52ff8560 Base Implementation of KVS Dogpile Refactor
This changeset implements a KVS interface that makes use of
dogpile's backends.  Included is an in-memory database (primarily
to be used for testing) that isolates data from modification via
liberal use of copy.deepcopy.  The memcached backend is a manager
pivot to allow the use of the various dogpile.cache memcache
backends while maintaining a simplified interface.

The KVS system implements a Distributed-Capable locking system that
hooks into the dogpile.cache backend mutexes. Locking can be
toggled at configuration time for a given KeyValueStore
instantiation.

The original kvs implementation has been moved to
keystone.common.kvs.legacy.  For compatibility all elements of the
old keystone.common.kvs namespace have been made available at
keystone.common.kvs.  The legacy kvs implementation has been marked
for deprecation after the release of ICEHOUSE.

DocImpact

bp: dogpile-kvs-backends
Change-Id: I8af1adfcb181f9118a1f21aada2e000c6cc0c201
2013-12-11 17:43:53 -08:00
Brant Knudson
036fd43b44 Add memcache options to sample config
The memcache options from keystone.common.config weren't included
in the sample config file (keystone.conf.sample).

Having these options in the sample config file makes it easier to
update them when using the memcache token backend.

Change-Id: I49b5c928bcc7f170f049277c7dad0bae58b1504e
2013-11-19 14:52:35 -06:00
Jenkins
2ab2c62435 Merge "Sync log module from oslo" 2013-11-15 22:50:04 +00:00
Chen Li
f5159fb238 use different bind addresses for admin and public
Keystone supports configuration of an admin_port and a public_port.
Applications may well want the admin port to be open on a different private network.
This patch changes the single bind_host to public_bind_host and admin_bind_host in the configuration.

DocImpact

Change-Id: Ic91aade987724c8f7c9276ca94e27681ae590662
Closes-Bug: #1035326
2013-11-11 15:27:29 +08:00
Chang Bo Guo
75906adde5 Sync log module from oslo
This patch syncs the latest log module from oslo, based on oslo-incubator
commit f06276bbdabd408549ecefa377b1349b57f5ac82.

DocImpact: Deprecate option log_config in favor of log_config_append.
Change option default_log_levels's default value.

Change-Id: Id2f7cf245499394554f6aa2c8d846cc9e2c2133a
2013-11-10 19:57:57 -08:00
Jenkins
2df1b7cba4 Merge "Move CA key from certs directory to private directory" 2013-10-19 03:21:22 +00:00
Morgan Fainberg
668ee71812 Remove ldap identity domain attribute options
LDAP Identity backend is not domain aware, and therefore does not
need mappings for the domain attributes for user and group.

closes-bug: 1209440
Change-Id: Ib7b77b90134322d04b5826b151d05535b9b8b7c7
2013-09-23 04:14:21 +00:00
Morgan Fainberg
dda19c3977 Cleanup of tenantId, tenant_id, and default_project_id
This patchset normalizes the use of tenantId, tenant_id, and
default_project_id across the Identity backend.  This includes
making default_project_id no longer part of the "extra" json blob
on the user object and migrating all "tenantId" "tenant_id" and
"default_project_id" into the new column (SQL).

In the LDAP driver, None is set as the mapping for
default_project_id.  This means that use of default_project_id with
LDAP Identity will require an explicit mapping to be defined by the
cloud operator.

"default_project_id" remains (by default) configured to be in the
"ignore" attributes for the LDAP driver, so 'tenantId' and
'default_project_id' will not be saved on the user_object during
update or create unless Keystone is explicitly configured to do so.

closes-bug: 1219739
closes-bug: 1226475
related-bug: 1201251
Change-Id: I07f9dfe111646884ac5efd42fc8c2974188b3b94
2013-09-22 17:36:02 -07:00
Jenkins
5a5023bea0 Merge "Include new notification options in sample config" 2013-09-18 00:15:00 +00:00
Brant Knudson
bdd97c1c7a Include new notification options in sample config
Some new configuration options were added with the change to add
notifications to Keystone, but these new options weren't added
to the sample config file.

This change adds the new options to the sample configuration
file along with the descriptions from
keystone.openstack.common.notifier.api.

Also, the Keystone server uses the RPC options from
keystone/openstack/common/rpc/__init__.py if using the RPC
notification driver, so these options are also added to the
sample config file.

Having these options in the config file will make it easier for
administrators to update the configuration values.

DocImpact
Change-Id: I85f2450a6fb68d51453adbb5413ad48fe00ca17e
2013-09-16 15:25:57 -05:00
John Dennis
baa57f3efa Remove CA key password from cert setup
Password protection in the current implementation is not actually
applied despite the presence of the ca_password config
option. Password protection is of marginal benefit because the
password must be stored in a file using the same protections afforded
to the key file. Password protection currently is not utilized with
externally provided keys.

Remove the ca_password config option and remove the use of the various
password related options to the OpenSSL commands whose net effect was
not actually accomplishing anything.

See the bug report for a thorough description of the issues.

Change-Id: Iaeb97f2338c4d3c6e770b410dee8f1b62778b561
Fixes: Bug #1214016
2013-09-09 12:07:35 -04:00