191 Commits

Author SHA1 Message Date
Jenkins
86f5213f27 Merge "Sync latest cfg from oslo-incubator" 2013-02-11 20:26:42 +00:00
Jenkins
25e2a8e30d Merge "Document user group LDAP options" 2013-02-04 20:32:14 +00:00
Dolph Mathews
5bc46d861e Create a default domain (bp default-domain)
This change rewrites some of our migration history since the folsom
release so that we can create a default domain prior to creating
non-nullable foreign keys in the user and project tables in migration
9 (numbered according to this change).

DocImpact

Change-Id: I807f7b1dca1d6a895f7417c316bcbce24ada61c0
2013-01-31 21:48:39 +00:00
Dolph Mathews
378635224b Generate apache-style common access logs
Taking advantage of this middleware either requires enabling
verbose/debug or utilizing an external logging.conf which configures an
'access' logger.

Example output:

  127.0.0.1 - - [2013-01-29T17:15:02.752214] "GET http://localhost:5000/v3/projects HTTP/1.0" 200 16

This patch also revises etc/logging.conf.sample with some more practical
defaults (e.g. supporting externally-managed log rotations) in addition
to illustrating how to generate an 'access.log' file.

DocImpact

Change-Id: I2a6048fa5fbf8661a6859d9e3a259d4cfa5fc589
2013-01-31 08:16:21 -06:00
Jenkins
e4f8145173 Merge "public_endpoint & admin_endpoint configuration" 2013-01-28 16:02:29 +00:00
Dolph Mathews
0b2ef0d442 Document user group LDAP options
Change-Id: I859b0885a007271c3540a2b53ce9d4b30ab6494e
2013-01-22 13:58:22 -06:00
Mark McLoughlin
49447c26a4 Sync latest cfg from oslo-incubator
Changes include:

  c5984ba Move logging config options into the log module
  7cf016a Fixing the trim for ListOp when reading from config file

The most significant change is that cfg no longer provides logging
config options as these have been moved to the log module which
keystone does not yet use. Define these options in keystone.config
where they are used since pulling in oslo logging isn't appropriate
if we're not going to use it.

Change-Id: I3913ea54465658d93dc56e014dfe5d911b0541d6
2013-01-22 08:45:52 +00:00
Dan Prince
7691276b86 Limit the size of HTTP requests.
Adds a new RequestBodySizeLimiter middleware to guard against
really large HTTP requests. The default max request size is 112k
although this limit is configurable via the 'max_request_body_size'
config parameter.

Fixes LP Bug #1099025.

Change-Id: Id51be3d9a0d829d63d55a92dca61a39a17629785
2013-01-21 19:54:29 -05:00
Dolph Mathews
8eaa3ce990 public_endpoint & admin_endpoint configuration
Today we can use these configuration values to avoid having to guess
keystone's own endpoint URL from the service catalog backend, which may
contain more than one identity endpoint.

This is also the first step towards adding self-relational links to the v3 API.

Change-Id: I375ac0d1f9581592e437c67c17bf32022f652f66
2013-01-18 22:35:17 -06:00
Dolph Mathews
0e23490a66 Utilize policy.json by default (bug 1043758)
Change-Id: I03daf10aa4f689fe323e39537c312d1e783db313
2012-11-20 14:09:45 -06:00
Dolph Mathews
827fc4c731 v3 Policies
- v3 policy (bp rbac-keystone-api)
- v3 policy tests (bug 1023935)
- v3 policy implementation (bug 1023939)

Change-Id: I163fbb67726c295fe9ed09b68cd18d2273345d29
2012-11-19 14:50:26 -06:00
Jose Castro Leon
001f708e7d Provide config file fields for enable users in LDAP backend (bug1067516)
DocImpact

Change-Id: I1ee9a1e2505cdd8c9ee8acba5c0e89a4f25c7262
2012-11-13 10:37:17 -06:00
Dolph Mathews
86aaff4a50 Merge remote-tracking branch 'origin/feature/keystone-v3' into HEAD
Conflicts:
	keystone/catalog/core.py
	keystone/identity/core.py

Change-Id: Id47b9dd9c4da811d13454b539f78b751d40ed87d
2012-11-02 14:53:44 -05:00
Gabriel Hurley
fcab54b67a Removes duplicate flag for token_format.
The token_format setting defaults to PKI, but both the
"PKI" and "UUID" lines were still in the sample config file.
This patch removes the duplicate and leaves only the
correct default.

Change-Id: Ib8560952ec2aee6d6b6eda944c6ec1f96fdc5c4c
2012-10-26 14:47:34 -07:00
Jose Castro Leon
a4a97eabb8 Extract hardcoded configuration in ldap backend (bug 1052111)
Change-Id: I128b0ccdb32694a4fc2f660e73c367aa8b01f257
2012-10-16 23:25:03 +02:00
Jose Castro Leon
df8d6cc719 Filter users in LDAP backend (bug 1052925)
Change-Id: I004e569756698098bf073f5516945f356f88bfea
2012-10-10 08:50:57 +02:00
Jenkins
b0eb94dbc0 Merge "Unable to delete tenant if contains roles in LDAP backend (bug 1057407)" 2012-10-09 18:51:39 +00:00
Jose Castro Leon
8152c2cb86 Configurable actions on LDAP backend in users Active Directory (bug 1052929)
Change-Id: I99092eb4aee3b3b1b9cf297561577f1915c0e886
2012-10-05 16:26:59 +02:00
Jose Castro Leon
ee48c24184 Unable to delete tenant if contains roles in LDAP backend (bug 1057407)
Change-Id: I5e2746827bd66c6c4aebc28da1b24933fdc261f7
2012-10-05 14:16:37 +02:00
Dolph Mathews
399cb4cc71 Identity API v3 Config, Routers, Controllers
Provides configuration to deploy the v3 API identically across both:

http://[...]:5000/v3/
http://[...]:35357/v3/

Change-Id: I97c5a2f7a84e3fca0adaea020697f958e04f5753
2012-09-05 13:07:49 -05:00
Jenkins
84da6be591 Merge "Fix auth_token middleware to fetch revocation list as admin." 2012-08-23 17:10:21 +00:00
Jenkins
76ec7bbb5d Merge "change verbose and debug to Fasle in keystone.conf.sample" 2012-08-23 16:26:02 +00:00
Adam Young
3fa4ba537e Fix auth_token middleware to fetch revocation list as admin.
Make the revocation list into a JSON document and get the Vary header.
This will also allow the revocation list to carry additional
information in the future, to include sufficient information for the
calling application to figure out how to get the certificates it
requires.

Bug 1038309

Change-Id: I4a41cbd8a7352e5b5f951027d6f2063b169bce89
2012-08-23 10:51:20 -04:00
monsterxx03
1698094697 change verbose and debug to Fasle in keystone.conf.sample
fix bug #1039857

verbose and debug are False by default, but they display True in
keystone.conf.sample. It may confuse people who cp
keystone.conf.sample to keystone.conf

Change-Id: I62031b879196da1633a198b6ae1f116485fe783b
2012-08-22 11:55:56 +08:00
monsterxx03
ddc8995217 add token_format=UUID to keystone.conf.sample
Change-Id: I535ddb9e7437cd80e692db13615cbfdc1b918e46
2012-08-22 10:35:50 +08:00
Jenkins
fa60ef0a6e Merge "Set example key_size to 1024." 2012-08-13 16:44:16 +00:00
Adam Young
4f3dcb6c9b Allow overloading of username and tenant name in the config files.
Includes documentation and sample config file values.

Bug 997700

Patchset adds DocImpact flag for notifying doc team about these new
config file values.

Change-Id: Ibd3fade3f233a3b89a1c2feaa0a6b5a9569ad86c
2012-08-07 14:40:20 -05:00
Dan Prince
bc12215b2f Set example key_size to 1024.
Updates the default key_size and config file example to 1024.
Using the previous value of 2048 would cause database truncation
and/or column size errors because the 'id' column isn't big enough
to hold that much data.

Works around LP Bug #1031191.

Change-Id: Ic28bf0945a65fb80a4b610a4de7afa485d09e2bb
2012-07-31 09:57:12 -04:00
Dolph Mathews
0abf6ba254 Debug output may include passwords (bug 1004114)
Change-Id: If0a7704ff578162d6b7fa8b68c0e0ed37e72cb73
2012-07-17 16:23:52 -05:00
Derek Higgins
4ab47ad224 Adding user password setting api call
Fixes bug 996922

This commit adds a user_crud module that can be used in the public wsgi
pipeline, currently the only operation included allows a user to update
their own password.

In order to change their password a user should make an HTTP PATCH to
/v2.0/OS-KSCRUD/users/<userid>
with the json data formatted like this
{"user": {"password": "DCBA", "original_password": "ABCD"}}

in addition to changing the user's password, all current tokens
will be cleared (for token backends that support listing) and
a new token id will be returned.

Change-Id: I0cbdafbb29a5b6531ad192f240efb9379f0efd2d
2012-07-10 11:06:11 +01:00
Jenkins
7318b1e496 Merge "notify calling process we are ready to serve" 2012-07-09 17:42:34 +00:00
Alan Pevec
abc06716d0 notify calling process we are ready to serve
Fixes bug 980037 again

Systemd notification should be sent in-process, otherwise systemd might
miss the subprocess sending notification.
See systemd bug https://bugzilla.redhat.com/show_bug.cgi?id=820448

Change-Id: Iccc51cf77af5598ee6b4c3cd69a12a7ee9fc2eb5
2012-07-04 00:36:20 +02:00
Adam Young
5ad80860fa keystone_manage certificate generation
Bug 1017554

paths now correspond with SSL
unit test for cert generation
Added mode config values
Explicit about umask

replace string concat for paths with proper use of os.path.join
Change-Id: I8b3bec82d7b72993aa69653f63ff64c3f675f716
2012-07-02 15:12:03 -04:00
Dolph Mathews
ef58425b8e Basic request stats monitoring & reporting
Attributes are tracked separately per interface (public API vs admin API):
- Request method (GETs, POSTs, etc)
- Requested resources
- Number of requests per remote address
- Response status codes

Retrieve statistics report:
  GET http://keystone:35357/v2.0/OS-STATS/stats
  e.g. http://paste.openstack.org/raw/18528/

Reset statistics report:
  DELETE http://keystone:35357/v2.0/OS-STATS/stats

Change-Id: Id21af755e5e25b8275dd55b7415bf4c421304807
2012-06-19 14:16:29 -05:00
Chmouel Boudjnah
b2aa620bc9 Add s3 extension in keystone.conf sample.
- Document S3 functionality along the way.

Change-Id: I5525cd084aa16a33176c2ed0c3df53e9743072fc
2012-06-08 15:15:18 +00:00
Liem Nguyen
f537a8259b blueprint 2-way-ssl
Implemented bp/2-way-ssl using eventlet-based SSL.

Change-Id: I5aeb622aded13b406e01c78a2d8c245543306180
2012-05-24 17:09:53 +00:00
Jenkins
fd9515e5b3 Merge "notify calling process we are ready to serve" 2012-05-18 17:34:20 +00:00
Rafael Durán Castañeda
05d6150fe9 Added 'NormalizingFilter' middleware.
Fixes bug 956954.

Change-Id: Ib5995a01439e564fcb27682976e8e27c8bb7d0d1
2012-05-15 13:39:10 +02:00
Derek Higgins
6c5f7d9e10 notify calling process we are ready to serve
Fixes bug 980037

Service managers starting keystone-all have no way of being notified
when the service is ready to accept connections. This commit allows
a configurable command to be called when we are ready e.g.
for systemd setting the startup type of a service unit to "notify" and setting
onready    = systemd-notify --ready
in keystone.conf, would notify a waiting systemd that we are ready to
serve

In an automated environment (e.g. puppet) this will allow the startup of
the keystone-all service (with systemctl for example) directly followed
by usage of the keystone client without the need for a sleep (or retry)
while we are waiting for the keystone service to be ready.

Change-Id: I3f7aafe9837be60a0f35cae1a7db892f6851cc47
2012-05-11 16:27:58 +01:00
Mark McLoughlin
cf1c5e1820 Improve the sample keystone.conf
Make sure all the available options are included in the file, add
some more documentation and, rather than set any of the defaults,
just include them as comments.

Change-Id: I2cb6060f47ea88349b1862d4d995c80cf9237066
2012-05-03 23:01:54 +01:00
Josh Kearney
f640093ba8 Rename keystone.conf to .sample.
Fixes bug 966670.

Change-Id: Ic57c9971c4f3a14c30e2382c58c3d0da6b2a7957
2012-04-10 12:38:50 -05:00