Now that the admin guide is within keystone, we can remove all the
operator specific information we were maintaining in tree. This will
make it easier for operators to find all the information they need
related to tokens.
Change-Id: Iac2bf86a7b06b54fe8edea6ddbc62fe576b8959c
Currently the identity administrator guide docs are a part of
general OpenStack-manuals. Migrating those docs to keystone
documentation so that they can be reviewed effectively by
keystone developers too.
Partial-Bug #1694460
Depends-On: Ia750cb049c0f53a234ea70ce1f2bbbb7a2aa9454
Change-Id: Id121ae1dd5bce993b4ad1219b592527ef0047063
The keystone documentation has a super small statement about the
other projects the team supports, like keystoneauth and
keystonemiddleware. This was documented as its own section. This
commit moves it into the main document, just beneath the description
of the Identity Service.
Change-Id: I09e1177035dd31f07cdbc080d29510767d6d574e
Divided the keystone docs into four categories, depending
upon the usage criteria: general information (which will
be common for all), developer documentation,
user documentation and operator documentation.
Change-Id: I2f5dd41acd9874739accc54c4f4fd69460b58334
Changed the existing keystone documentation html theme to the
new openstackdocstheme. For reference, the same theme is being
used here, https://docs.openstack.org/admin-guide/.
Closes-Bug: #1692031
Change-Id: Ibf1b018e8ed38afa04d02ab033762d6b0ceab89b
The option is called change_password_upon_first_use,
not change_password_after_first_use.
Change-Id: I69423b019ec1acade8eeb41c73625084f847b267
Closes-Bug: #1688119
It is nice to see a real example of a real test when trying to write a
new one. This patch adds a doc that gives an overview of writing new API
and Scenario tests for the keystone tempest plugin.
This also fixes a typo in the IdentityProdiversTest class name.
Change-Id: Icd631124b451f17df3d4de184e73f6223fdb7de3
This is a basic overview of the tempest and devstack plugins; this is
mostly intended to teach how to run these tests. Follow up patches
will describe implementation details.
Change-Id: I228842f9c15207c35e40ccb1fcacc72cf2225419
I think using quotation marks in http url is more regular, even though
the current examples in the doc have no problem without quotation marks.
The doc is a manual of api curl, a user is likely to refer to
the manual and curl another api which is not in the doc.
For example:
curl -s \
-H "X-Auth-Token:$OS_TOKEN" \
http://localhost:5000/v3/role_assignments?user.id=$USER_ID&scope.project.id=$PROJECT_ID
response:
[1] 22894
-bash: scope.project.id=4f91eb36955543c9826b705bc5a90c59:command not found
...
The url has special characters such as '&', which can not be handled correctly.
Using double quotation marks in http url will be ok, like this:
"http://localhost:5000/v3/role_assignments?user.id&scope.project.id"
Change-Id: Id8f4c3cc64d298975ad81f8fc08abbec920a1e09
The API specifications were moved out of the specs repo and into the
api-ref directory of the main keystone repo[1]. This patch updates some
of the straggler links in the configuration docs that still referenced
the old location.
[1] https://review.openstack.org/#/c/342399/
Change-Id: I883cfb4ab8b65873286f46194a8c8ccd7af97dd2
etc/ is for config files that should be installed on disk to support a
running keystone. config-generator/ is for files that
oslo-config-generator uses to generate sample config files and are not
needed by keystone in a live deployment.
Change-Id: I0614709ded739d77ec620150bcb6c2f456024b6f
Since we're moving all policy into code and documenting it there we
should generate those docs automatically, so they are less likely to
be out-of-date.
Change-Id: If00cd3bcc654a45944c0bc8b3f146c75bd970f9a
partially-implements: blueprint policy-docs
- Merged the "Writing Tests" and "Tests Structure" sections:
both had complementary information.
- Moved "Further Testing" to the end - the intention is to remove this
section and put details about keystone's tempest and devstack plugins
Change-Id: Ia27b094939a3c76e68ac8e87ef34b7ee611c1929
1. The html_last_updated_fmt sphinx setting was providing a byte string
where sphinx expected a str, which produced warnings (and therefore
failures):
WARNING: The config value `html_last_updated_fmt' has type `bytes', expected to ['str'].
The solution provided is copied from cinder's solution[1].
2. The .keys() method in python 3 returns a dict_keys object rather than
a list and it does not include a .sort() method. This patch swaps
.sort() out for the global function sorted() which works in both python
2 and python 3.
This came up because on some newer distros that don't install python 2
by default, virtualenv defaults to creating a python 3 environment when
none is specified.
[1] https://review.openstack.org/#/c/433081
Change-Id: I68b796fa2e33fd6c3df67b542def31e6ba620944
The current implementation of db_sync --expand automatically runs any
outstanding legacy operations to ensure its safety. However, that
behavior also means that legacy migrations may violate the safety
assumptions around --expand.
This is only true for Mitaka to Newton upgrades, as there should not be
any newer migrations in the legacy repository to be triggered by this
behavior.
[1] 0ebd557325/keystone/common/sql/upgrades.py (L269-L271)
Change-Id: Ib175f7fce96011d77eb4783123cb2d265d60aa42
Closes-Bug: 1676925
This patch just adds a note under the configuration section for
rolling upgrades to inform the user that
``keystone-manage db_sync --check`` is now available to run when
they would like information about the status of their upgrade.
Change-Id: I29e2ccd8973443daf592aaa45bb4e8167327c7cc
We have a few undocumented keystone specific conventions for the
usage of release notes. We need to write this down so that they are
easy for new developers to find. This will also make our release
notes more consistent and easier to maintain.
Change-Id: Ibaaaaf7b9740ef88cf6b08d02b0f0cfd26df9d9a
This change removes the unused "warnerrors" setting that
was part of [pbr] which was replaced by "warning-is-error"
in sphinx 1.5 and above[0]. This also fixes any warnings
and errors that came up when running `tox -edocs` using
this new feature:
- Invalid code example highlighting
- Redundant loading of todo extension
[0] http://lists.openstack.org/pipermail/openstack-dev/2017-March/113085.html
Change-Id: I9a8789b448ffa199b4539f57e692bac251d75036
It can be easy, even for seasoned operators, to either forget to restart the
web server or to cautiously avoid restarting the web server unless instructed
to do so. Since there are notes all over the rest of the documentation to
restart the web server after making configuration changes, add a similar note
to the WebSSO section for consistency.
Change-Id: I1d171a2f0ccc2b70fe3e2e48fe2f2303c515b9a6
python-openstackclient is friendlier than cURL and is able to handle
listing resources available to federated users as well as scoping
unscoped tokens, so let's use openstackclient in the examples for
performing federated authentication.
Change-Id: Ie4578d4a371b50ad8c2b2a6836caba580c120cd4
Make corrections and clarifications to the OpenID Connect federation
plugin documentation, including:
- Generalize the note about Remote IDs to include OpenID Connect
- Add the https:// scheme to the notes about Google's remote ID.
Originally Google's Issuer Identifier did not use the https://
scheme. It now claims to allow both[1] but in testing I often ran
into the error "Could not find Identity Provider:
https://accounts.google.com." when the remote-id was given as
"accounts.google.com".
- Make shell examples consistent with each other by including prompt
symbols and "sudo" where needed
- Fix the apache module configuration instructions: on Ubuntu, the
package installed in the earlier step already adds the LoadModule
config, but does not automatically enable the module
- Fix OIDCRedirectURI directive examples: fix typo and remove /redirect
ending, which would cause a 404 error
Also, this patch changes references to the 'oidc' plugin to 'openid'
since 'oidc' does not exist. 'mapped' could also be used as the name of
this plugin and protocol[2]. However, the documentation is structured in
such a way that it demonstrates using both SAML and OIDC plugins side
by side, which is only possible when they have different names. Rather
than trying to decouple these examples this patch opts to keep the
openid plugin examples distinct from the SAML plugin examples.
[1] https://developers.google.com/identity/protocols/OpenIDConnect
[2] https://git.openstack.org/cgit/openstack/keystone-specs/tree/specs/keystone/juno/generic-mapping-federation.rst
Change-Id: Ie5a07f9d6f3571b0559f91c9620f5328e4c6d7cc
Make corrections to the mod_auth_mellon federation documentation for
consistency and clarity, including:
- Remove reference to shibboleth.xml when explaining the remote-id
attribute in the main federation configuration instructions, as this
does not generalize to all IdPs
- Change references from /etc/httpd to /etc/apache2 because the
document begins with an apt-get so it follows that the rest of the
examples should assume a Debian-like environment
- Change references to example IdP 'idp_1' to 'myidp' for consistency
with the shibboleth examples
- Change references to example protocol 'saml2' to 'mapped' since the
saml2 auth plugin was removed[1]
- Remove references to wsgi-keystone.conf since devstack just calls it
keystone.conf, and enabling this vhost is already covered in the
"Running Keystone in HTTPD" section
- Remove reference to the ssl mod: it's obviously recommended but not
strictly relevant to this topic
- Remove instruction to restart apache immediately after enabling
auth_mellon, as it would fail while Mellon is not yet fully
configured. The document already mentions restarting apache after
Mellon is configured.
- Add a link to the mellon_create_metadata.sh script, since this does not
come as an executable with the mod package.
- Add tip about the SP metadata file generated by mod_auth_mellon
- Move paragraph about fetching the IdP metadata to the end of the
section so that the information about generating and uploading the
SP metadata is grouped together
[1] https://review.openstack.org/#/c/374508/
Change-Id: I47255db5e762bd2d2901b78afba2b1efa0c0f224
Several example responses are not formatted
making them hard to read.
This patch formats them.
Change-Id: I35d890011107fe1414032ddc4b357066e0092ecd
Closes-Bug: #1665706
This patch fixes a bug and causes a log message along with an exit
code to be returned when a DBMigration error is raised.
Change-Id: Iba7aff606937561ad98e2ef551ca4005bd4f337d
Closes-Bug: #1663627
The documentation was originally written using imprecise language.
This resulted in lots of confusion when read.
Change-Id: I9f1af3cee3216c4c10c0bf6d91a6353a28f27dd5
This patch adds a new command to the db_sync upgrade commands. --check
will check the current state of the user's upgrade repos and relay info
back to the user based on what version each command is currently at and
if the user has any outstanding db_sync commands left to run. It will
also notify the user if the db_sync commands were not upgraded in order.
Closes-Bug: 1642212
Change-Id: I79d3640a780d624f14059fe311fafa0542c03357