911 Commits

Author SHA1 Message Date
Lance Bragstad
935c43b6c8 Remove duplicate token docs
Now that the admin guide is within keystone, we can remove all the
operator specific information we were maintaining in tree. This will
make it easier for operators to find all the information they need
related to tokens.

Change-Id: Iac2bf86a7b06b54fe8edea6ddbc62fe576b8959c
2017-07-05 15:56:13 +00:00
Samriddhi Jain
aba9267323 Added keystone admin guides to documentation
Currently the identity administrator guide docs are a part of
general OpenStack-manuals. Migrating those docs to keystone
documentation so that they can be reviewed effectively by
keystone developers too.

Partial-Bug #1694460
Depends-On: Ia750cb049c0f53a234ea70ce1f2bbbb7a2aa9454

Change-Id: Id121ae1dd5bce993b4ad1219b592527ef0047063
2017-06-24 00:42:14 +05:30
Lance Bragstad
88e45d7130 Move related project information into main doc
The keystone documentation has a super small statement about the
other projects the team supports, like keystoneauth and
keystonemiddleware. This was documented as its own section. This
commit moves it into the main document, just beneath the description
of the Identity Service.

Change-Id: I09e1177035dd31f07cdbc080d29510767d6d574e
2017-06-22 19:44:03 +00:00
Samriddhi Jain
459f078d0c Reorganised keystone documentation structure
Divided the keystone docs into four categories, depending
upon the usage criteria: general information (which will
be common for all), developer documentation,
user documentation and operator documentation.

Change-Id: I2f5dd41acd9874739accc54c4f4fd69460b58334
2017-06-22 13:26:46 +05:30
Samriddhi
f992b1ce42 Updated the keystone docs to follow the docs theme
Changed the existing keystone documentation html theme to the
new openstackdocstheme. For reference, the same theme is being
used here, https://docs.openstack.org/admin-guide/.

Closes-Bug: #1692031
Change-Id: Ibf1b018e8ed38afa04d02ab033762d6b0ceab89b
2017-06-22 13:26:46 +05:30
Samuel de Medeiros Queiroz
080699d911 Fix PCI DSS docs on change_password_after_first_use
The option is called change_password_upon_first_use,
not change_password_after_first_use.

Change-Id: I69423b019ec1acade8eeb41c73625084f847b267
Closes-Bug: #1688119
2017-06-21 15:52:22 -04:00
Jenkins
c528539879 Merge "Quotation marks should be included in http url using curl" 2017-06-07 21:44:47 +00:00
Rodrigo Duarte Sousa
11712bc128 Writing API & Scenario Tests docs
It is nice to see a real example of a real test when trying to write a
new one. This patch adds a doc that gives an overview of writing new API
and Scenario tests for the keystone tempest plugin.

This also fixes a typo in the IdentityProdiversTest class name.

Change-Id: Icd631124b451f17df3d4de184e73f6223fdb7de3
2017-05-30 11:57:17 -03:00
Jenkins
e415fdcaad Merge "Basic overview of tempest and devstack plugins" 2017-05-26 01:01:21 +00:00
Rodrigo Duarte Sousa
eb5d053068 Basic overview of tempest and devstack plugins
This is a basic overview of the tempest and devstack plugins; this is
mostly intended to teach how to run these tests. Follow up patches
will describe implementation details.

Change-Id: I228842f9c15207c35e40ccb1fcacc72cf2225419
2017-05-24 20:16:50 -03:00
zlyqqq
14524e6717 Quotation marks should be included in http url using curl
I think using quotation marks in http url is more regular, even though
the current examples in the doc have no problem without quotation marks.
The doc is a manual of api curl, a user is likely to refer to
the manual and curl another api which is not in the doc.

For example:
curl -s \
     -H "X-Auth-Token:$OS_TOKEN" \
     http://localhost:5000/v3/role_assignments?user.id=$USER_ID&scope.project.id=$PROJECT_ID
response:
[1] 22894
-bash: scope.project.id=4f91eb36955543c9826b705bc5a90c59:command not found
...
The url has special characters such as '&', which cannot be handled correctly.
Using double quotation marks in http url will be ok, like this:
"http://localhost:5000/v3/role_assignments?user.id&scope.project.id"

Change-Id: Id8f4c3cc64d298975ad81f8fc08abbec920a1e09
2017-05-22 02:48:06 +00:00
zlyqqq
f2c1b0bef6 Error api about grant collections in policy_mapping.rst
Change-Id: I5511790451a71adbcea95bd19204feb0f44d472b
2017-05-18 09:55:37 +08:00
zlyqqq
9fb8af1360 Role name is unique within the owning domain
The commit has not been modified completely.
https://review.openstack.org/#/c/457835/

Change-Id: I91e2ec59d858c406cf18c513934a38bca5540369
2017-05-13 15:27:00 +08:00
Ngo Quoc Cuong
4a9a05b9c8 Trivial fix typo in doc
Change-Id: I3f8fd55408dfeed6933526dc2fe903eda1562c35
2017-05-08 13:10:08 +07:00
Jenkins
bc4d22d0c2 Merge "Role name is unique within the owning domain" 2017-05-06 07:02:31 +00:00
huangtianhua
b447b528a3 Role name is unique within the owning domain
Keystone supports creating roles with the same name
in different domains; this fixes the doc nit.

Change-Id: I5da0bedef6cb9153054240502a09962cf3256fd2
2017-05-06 04:22:03 +00:00
Colleen Murphy
dd298f66f7 Update dead API spec links
The API specifications were moved out of the specs repo and into the
api-ref directory of the main keystone repo[1]. This patch updates some
of the straggler links in the configuration docs that still referenced
the old location.

[1] https://review.openstack.org/#/c/342399/

Change-Id: I883cfb4ab8b65873286f46194a8c8ccd7af97dd2
2017-05-01 21:15:02 +02:00
Jenkins
e18923daa1 Merge "Small refactoring in tests development docs" 2017-04-29 10:31:00 +00:00
Jenkins
95032518d8 Merge "Revise doc about python 3.4" 2017-04-28 17:08:30 +00:00
Jenkins
44df6b7745 Merge "Readability enhancements to architecture doc" 2017-04-28 03:48:28 +00:00
jolie
6fe69456ef Revise doc about python 3.4
Keystone has already dropped py34, and supports python 3.5 as
the programming language.

Change-Id: I8b52a27c03487a1a19c40ed03d0f9c1d8deeb0ba
2017-04-27 11:52:19 +08:00
Kenny Johnston
d414418e9e Readability enhancements to architecture doc
Various readability and structure enhancements to
architecture.rst

Change-Id: I26985536168b775672f56ea3d597ae83950bcf2f
2017-04-25 13:09:47 +00:00
Colleen Murphy
4b77186a75 Move policy generator config to config-generator/
etc/ is for config files that should be installed on disk to support a
running keystone. config-generator/ is for files that
oslo-config-generator uses to generate sample config files and are not
needed by keystone in a live deployment.

Change-Id: I0614709ded739d77ec620150bcb6c2f456024b6f
2017-04-21 21:47:32 +00:00
Lance Bragstad
ca70982775 Include sample policy file in documentation
Since we're moving all policy into code and documenting it there we
should generate those docs automatically, so they are less likely to
be out-of-date.

Change-Id: If00cd3bcc654a45944c0bc8b3f146c75bd970f9a
partially-implements: blueprint policy-docs
2017-04-21 21:47:09 +00:00
Rodrigo Duarte Sousa
6a0d0fe97a Small refactoring in tests development docs
- Merged the "Writing Tests" and "Tests Structure" sections:
  both had complementary information.

- Moved "Further Testing" to the end - the intention is to remove this
  section and put details about keystone's tempest and devstack plugins

Change-Id: Ia27b094939a3c76e68ac8e87ef34b7ee611c1929
2017-04-18 10:35:27 -03:00
Colleen Murphy
c7ab7c5677 Fix doc generation for python 3
1. The html_last_updated_fmt sphinx setting was providing a byte string
   where sphinx expected a str, which produced warnings (and therefore
   failures):

     WARNING: The config value `html_last_updated_fmt' has type `bytes', expected to ['str'].

   The solution provided is copied from cinder's solution[1].

2. The .keys() method in python 3 returns a dict_keys object rather than
   a list and it does not include a .sort() method. This patch swaps
   .sort() out for the global function sorted() which works in both python
   2 and python 3.

This came up because on some newer distros that don't install python 2
by default, virtualenv defaults to creating a python 3 environment when
none is specified.

[1] https://review.openstack.org/#/c/433081

Change-Id: I68b796fa2e33fd6c3df67b542def31e6ba620944
2017-04-17 07:44:47 +02:00
Jenkins
39c6b0ff53 Merge "Make use of Dict-base including extras explicit" 2017-03-31 20:11:14 +00:00
Jenkins
df99a45276 Merge "Removed the deprecated pki_setup command" 2017-03-31 19:34:48 +00:00
David Stanek
928d23db02 Removed the deprecated pki_setup command
bp removed-as-of-pike

Change-Id: Ib39d21ed547e3be7a3a2c333a7193f990043a80b
2017-03-29 00:15:09 +00:00
Dolph Mathews
e6ef702f22 Doc db_sync --expand incurring downtime in upgrades to Newton
The current implementation of db_sync --expand automatically runs any
outstanding legacy operations to ensure its safety. However, that
behavior also means that legacy migrations may violate the safety
assumptions around --expand.

This is only true for Mitaka to Newton upgrades, as there should not be
any newer migrations in the legacy repository to be triggered by this
behavior.

[1] 0ebd557325/keystone/common/sql/upgrades.py (L269-L271)

Change-Id: Ib175f7fce96011d77eb4783123cb2d265d60aa42
Closes-Bug: 1676925
2017-03-28 15:40:30 +00:00
Ubuntu
62c4897092 Add a note to db_sync configuration section
This patch just adds a note under the configuration section for
rolling upgrades to inform the user that
``keystone-manage db_sync --check`` is now available to run when
they would like information about the status of their upgrade.

Change-Id: I29e2ccd8973443daf592aaa45bb4e8167327c7cc
2017-03-24 17:23:09 +00:00
Jenkins
8f30ad3a0e Merge "Fix keystone.o.o URL" 2017-03-22 16:31:18 +00:00
Lance Bragstad
98433bbfc3 Add reno conventions to developer documentation
We have a few undocumented keystone specific conventions for the
usage of release notes. We need to write this down so that they are
easy for new developers to find. This will also make our release
notes more consistent and easier to maintain.

Change-Id: Ibaaaaf7b9740ef88cf6b08d02b0f0cfd26df9d9a
2017-03-15 14:04:56 +00:00
Jenkins
7048b6759b Merge "Remove pbr warnerrors in favor of sphinx check" 2017-03-09 01:21:36 +00:00
Andreas Jaeger
82ae54c765 Fix keystone.o.o URL
Use docs.o.o - keystone.o.o is obsolete.

Change-Id: If1cb2ac2e8fd007de92fbd929eedd46e6fb376a0
2017-03-08 17:05:39 +01:00
Gage Hugo
32da690e50 Remove pbr warnerrors in favor of sphinx check
This change removes the unused "warnerrors" setting that
was part of [pbr] which was replaced by "warning-is-error"
in sphinx 1.5 and above[0]. This also fixes any warnings
and errors that came up when running `tox -edocs` using
this new feature:

 - Invalid code example highlighting
 - Redundant loading of todo extension

[0] http://lists.openstack.org/pipermail/openstack-dev/2017-March/113085.html

Change-Id: I9a8789b448ffa199b4539f57e692bac251d75036
2017-03-03 14:04:10 -06:00
Jenkins
364285000e Merge "Exchange cURL examples for openstackclient" 2017-03-02 15:13:28 +00:00
Colleen Murphy
67b148f988 Add instruction to restart apache
It can be easy, even for seasoned operators, to either forget to restart the
web server or to cautiously avoid restarting the webserver unless instructed
to do so. Since there are notes all over the rest of the documentation to
restart the web server after making configuration changes, add a similar note
to the WebSSO section for consistency.

Change-Id: I1d171a2f0ccc2b70fe3e2e48fe2f2303c515b9a6
2017-02-28 08:55:27 +01:00
Jenkins
f89335b09d Merge "Correct and enhance OpenId Connect docs" 2017-02-27 22:00:40 +00:00
Jenkins
a4023a8a26 Merge "Correct and enhance Mellon federation docs" 2017-02-27 22:00:34 +00:00
Colleen Murphy
f5649079bb Exchange cURL examples for openstackclient
python-openstackclient is friendlier than cURL and is able to handle
listing resources available to federated users as well as scoping
unscoped tokens, so let's use openstackclient in the examples for
performing federated authentication.

Change-Id: Ie4578d4a371b50ad8c2b2a6836caba580c120cd4
2017-02-27 21:35:20 +01:00
Colleen Murphy
6f4e31e4f4 Correct and enhance OpenId Connect docs
Make corrections and clarifications to the OpenID Connect federation
plugin documentation, including:

 - Generalize the note about Remote IDs to include OpenID Connect
 - Add the https:// scheme to the notes about Google's remote ID.
   Originally Google's Issuer Identifier did not use the https://
   scheme. It now claims to allow both[1] but in testing I often ran
   into the error "Could not find Identity Provider:
   https://accounts.google.com." when the remote-id was given as
   "accounts.google.com".
 - Make shell examples consistent with each other by including prompt
   symbols and "sudo" where needed
 - Fix the apache module configuration instructions: on Ubuntu, the
   package installed in the earlier step already adds the LoadModule
   config, but does not automatically enable the module
 - Fix OIDCRedirectURI directive examples: fix typo and remove /redirect
   ending, which would cause a 404 error

Also, this patch changes references to the 'oidc' plugin to 'openid'
since 'oidc' does not exist. 'mapped' could also be used as the name of
this plugin and protocol[2]. However, the documentation is structured in
such a way that it demonstrates using both SAML and OIDC plugins side
by side, which is only possible when they have different names. Rather
than trying to decouple these examples this patch opts to keep the
openid plugin examples distinct from the SAML plugin examples.

[1] https://developers.google.com/identity/protocols/OpenIDConnect
[2] https://git.openstack.org/cgit/openstack/keystone-specs/tree/specs/keystone/juno/generic-mapping-federation.rst

Change-Id: Ie5a07f9d6f3571b0559f91c9620f5328e4c6d7cc
2017-02-25 11:39:06 +01:00
Colleen Murphy
95afd48fde Correct and enhance Mellon federation docs
Make corrections to the mod_auth_mellon federation documentation for
consistency and clarity, including:

 - Remove reference to shibboleth.xml when explaining the remote-id
   attribute in the main federation configuration instructions, as this
   does not generalize to all IdPs
 - Change references from /etc/httpd to /etc/apache2 because the
   document begins with an apt-get so it follows that the rest of the
   examples should assume a Debian-like environment
 - Change references to example IdP 'idp_1' to 'myidp' for consistency
   with the shibboleth examples
 - Change references to example protocol 'saml2' to 'mapped' since the
   saml2 auth plugin was removed[1]
 - Remove references to wsgi-keystone.conf since devstack just calls it
   keystone.conf, and enabling this vhost is already covered in the
   "Running Keystone in HTTPD" section
 - Remove reference to the ssl mod: it's obviously recommended but not
   strictly relevant to this topic
 - Remove instruction to restart apache immediately after enabling
   auth_mellon, as it would fail while Mellon is not yet fully
   configured. The document already mentions restarting apache after
   Mellon is configured.
 - Add a link to the mellon_create_metadata.sh script, since this does not
   come as an executable with the mod package.
 - Add tip about the SP metadata file generated by mod_auth_mellon
 - Move paragraph about fetching the IdP metadata to the end of the
   section so that the information about generating and uploading the
   SP metadata is grouped together

[1] https://review.openstack.org/#/c/374508/

Change-Id: I47255db5e762bd2d2901b78afba2b1efa0c0f224
2017-02-24 21:32:12 +01:00
Jenkins
66c8612fb1 Merge "Address db_sync check against new install" 2017-02-24 17:41:49 +00:00
jolie
6748673948 Fix typo in config doc
Change-Id: I3095fe4bd7dbe6a6fb056819cd68d952570a0f02
2017-02-20 10:32:30 +08:00
Travis Tripp
f51b7ca7d1 Fix example response formatting
Several example responses are not formatted
making them hard to read.

This patch formats them.

Change-Id: I35d890011107fe1414032ddc4b357066e0092ecd
Closes-Bug: #1665706
2017-02-17 10:06:16 -07:00
Richard Avelar
99db3c83e0 Address db_sync check against new install
This patch fixes a bug and causes a log message along with an exit
code to be returned when a DBMigration error is raised.

Change-Id: Iba7aff606937561ad98e2ef551ca4005bd4f337d
Closes-Bug: #1663627
2017-02-14 16:10:19 +00:00
Jenkins
d0fc3f604a Merge "Federated mapping doc improvements" 2017-02-10 19:42:38 +00:00
David Stanek
0015e1a41e Federated mapping doc improvements
The documentation was originally written using imprecise language.
This resulted in lots of confusion when read.

Change-Id: I9f1af3cee3216c4c10c0bf6d91a6353a28f27dd5
2017-02-10 00:03:59 +00:00
“Richard
d5ce8ea0ed Add --check to keystone-manage db_sync command
This patch adds a new command to the db_sync upgrade commands. --check
will check the current state of the user's upgrade repos and relay info
back to the user based on what version each command is currently at and
if the user has any outstanding db_sync commands left to run. It will
also notify the user if the db_sync commands were not upgraded in order.

Closes-Bug: 1642212
Change-Id: I79d3640a780d624f14059fe311fafa0542c03357
2017-02-09 19:45:02 +00:00