Now that the admin guide is within keystone, we can remove all the
operator-specific information we were maintaining in tree. This will
make it easier for operators to find all the information they need
related to tokens.
Change-Id: Iac2bf86a7b06b54fe8edea6ddbc62fe576b8959c
Divided the keystone docs into four categories, depending
upon the usage criteria: general information (which will
be common for all), developer documentation,
user documentation and operator documentation.
Change-Id: I2f5dd41acd9874739accc54c4f4fd69460b58334
The API specifications were moved out of the specs repo and into the
api-ref directory of the main keystone repo[1]. This patch updates some
of the straggler links in the configuration docs that still referenced
the old location.
[1] https://review.openstack.org/#/c/342399/
Change-Id: I883cfb4ab8b65873286f46194a8c8ccd7af97dd2
This patch just adds a note under the configuration section for
rolling upgrades to inform the user that
``keystone-manage db_sync --check`` is now available to run when
they would like information about the status of their upgrade.
Change-Id: I29e2ccd8973443daf592aaa45bb4e8167327c7cc
KVS code (core) and items depending on it were deprecated in Newton and slated
for removal in Pike.
implements bp removed-as-of-pike
Closes-Bug: 1077282
Change-Id: I6ed4e3688f2a63b0fc439527957bc027db8d5d66
The openstack.org pages now support https and our references to
the site should by default be one signed by the organization.
Change-Id: I30a462e03d1fd7852511e22cac34c6bc0e8917f4
Removed LDAP write support and removed the configuration options
*_allow_create, use_dumb_member, dumb_member, allow_subtree_delete.
Also removed the driver logic related to dumb_members, tree deletion
and their respective tests.
Write functionality is still present because our tests depend on it,
but it's hidden behind a toggle which the tests set to enable it.
Co-Authored-By: Gage Hugo <gagehugo@gmail.com>
Co-Authored-By: Steve Martinelli <s.martinelli@gmail.com>
Implements: bp removed-as-of-ocata
Change-Id: I13eada3d5c3a166223c3e3ce70b7054eaed1003a
CONF.os_inherit.enabled is planned to be removed in Ocata, as the
deprecation message says, and this patch removes it.
Partially implements bp: removed-as-of-ocata
Change-Id: I9072419ba1cfcf3cefb814a224fc499c9067ae30
Needed-by: Id3dd322b3a0585ed95eb2dea4ad35a7949bb9b1f
A service user from auth_token middleware should be able to fetch a
token that has expired within a certain window so that long running
operations can finish.
Implements bp: allow-expired
Change-Id: I784f719be88481048f5aa7a79d34a54907438cf3
The content from configuringservices belongs in the general
configuration guide. This results in one less file that can
branch off and overlap.
Change-Id: I0490818f862d982072c0adfaa1f02d7ac9c8abe3
* landing page: increase toc depth for configuration for easier navigation
* landing page: move keystone-manage man page to bottom
* created common keystone-manage commands doc, so config and man page can
reference
* moved the sample config files section up near config file section
* moved fernet token section up near token section
* moved token flush near token section
* moved endpoint policy and endpoint filter near catalog
* removed references to devstack files that do not exist
* removed references to experimental and stable status for stable features
* removed references to keystoneclient CLI
* removed IANA portions, not config related
* removed section about user CRUD on v2.0 API, not config related
* lots of minor cleanup with syntax and wording
Change-Id: Id814b70d626299ba0717d6759ec6be5e97645a39
This introduces the oslo health check middleware
http://docs.openstack.org/developer/oslo.middleware/healthcheck_plugins.html
into the pipelines. This middleware is useful for load balancers and
http servers, which can use it to validate that the keystone services are
operational. This middleware is being used in other services such as
glance and magnum. This patch provides it for keystone, in an effort to
spread the usage across all major projects.
This is one less item that operators will have to patch locally.
DocImpact
Change-Id: I19e4fc8f6c6a227068ba7191c1e9c453fc08f061
This is the first step of several to remove PKI token support in
keystone. A large issue in removing PKI support is support for the
revocation list must be maintained.
This patch removes support for the token format, its surrounding tests
and examples that are generated. Additionally, some wording has been
changed around the CLI and config options to make the distinction
between keys and certs used for PKI tokens and those used for getting
the revocation list (a list of tokens that are revoked, which is signed).
Future patches will:
- Remove the keystone-manage commands for generating certs
- Modify the revocation list (at /auth/tokens/OS-PKI/revoked) to return
a 403 if pki is not configured (instead of raising a 500). We cannot
remove the API as that would break an API contract.
- Options to configure PKI will be marked as deprecated
- If PKI is configured a normal signed list will be returned (same
behavior as today)
- Follow up patch to keystonemiddleware will make sure auth_token does
not rely on the revocation api at all.
Related-Bug: 1626778
Related-Bug: 1626779
Co-Authored-By: Boris Bobrov <bbobrov@mirantis.com>
bp removed-as-of-ocata
Change-Id: Icf1ebced44a675c88fb66a6c0431208ff5181574
Our documentation doesn't really provide a clear explanation for the
difference between ``[memcache]`` and ``[cache]`` in keystone's
configuration file.
This commit attempts to make this easier to understand for
deployers.
Change-Id: I77460220ef779fcdb16363a6da90898619afe467
In commit I4b8b88409abe8eea8f0a075aebbe9c569367c454, the memcache
and memcache_pool token persistence drivers were removed. However
the documentation still contains references to these drivers.
bp removed-as-of-ocata
Change-Id: I56f05c976c69c98a3bf3bd325fc3239cb9618a57
* Keystone -> keystone
* Remove mention of non-existent keystone.common.cache.backends.mongo
* Correct that global caching is enabled by default, not disabled.
* Remove LDAP schema examples for Project and Roles
* Mark several tls config options as keywords using ``
* Update the example LDAP pooling config options to match keystone.conf
Change-Id: I1e3e896d447c1cbd187d21719f42dad6bf00b28b
* A number of the keystone.conf sections were missing from the
documentation about configuration files.
* The object attributes were outdated. The attribute
password_expires_at and others were missing.
Change-Id: I7c87021aa7511ba9cb6ab3de93e74be7209b6ead
Add information regarding the null key to the encrypted credentials
documentation.
Change-Id: Idbf4b1b15c9777b81d2a92d9c2e20a87e3eb6c53
Closes-Bug: 1619758
The configuration and man page docs are missing some commands
noting the available options to the keystone-manage command.
Change-Id: Iba5efcf94e70f70bac899b8db377960fd35567d4
This introduces the various ways you can configure keystone to
authenticate users, and provides a little compare/contrast to help
people understand how each solution behaves at a high level before
diving deeper.
This patch covers:
- SQL
- LDAP (considering that all write operations are deprecated)
- External authentication (REMOTE_USER)
- OAuth 1.0a
- OpenID Connect
- SAMLv2
Change-Id: I86dfbd2c1f7fed199c612dd1456358e559da3fad
Fetching users from LDAP requires creating public ids for them.
id_mapping_api does that. Creating public ids is slow, because it
requires performing N INSERTs for N users, and there is no way to
work around that. It leads to very slow responses to queries like
"list users".
By pre-creating these public ids we improve API users' experience.
Add keystone-manage mapping_populate command that creates id mapping entries
for users.
bp ldap-preprocessing
Partial-Bug: 1582585
Change-Id: I98f795854aee26f9e7f668372c47572d2b6d4f0f
As a follow-on to commit I7bf0a914be13f88313c14bc196369de49cc7413f,
the documentation should also reflect that the domain config API
is now stable. Previous releases are still considered experimental.
Change-Id: I6fb993ac678d0aeaa43547c4b24b62d1a784a615
There were still a couple of references remaining for using keystone
under eventlet. These are no longer applicable since keystone is
no longer supported under eventlet.
Change-Id: If6d2013cc2396d6d1df43f7f2091b5fa02115ca4
This introduces a feature support matrix to illustrate which of our
various token providers supports which API operations and features. This
is intended to mirror Nova's feature support matrix documentation page,
found here:
http://docs.openstack.org/developer/nova/support-matrix.html
After running `tox -e docs`, the result is embedded in
`doc/build/html/configuration.html`.
Change-Id: I3dc896a2906e25827a9e01afc7de5a737831c336
The domain config via API is marked stable. Tests are updated
and the cli for updating domain configs is marked deprecated.
implements bp domain-config-as-stable
Change-Id: I7bf0a914be13f88313c14bc196369de49cc7413f
There is a recommendation in the docs to use
backend = keystone.cache.memcache_pool
however this seems to be deprecated in the code.
Change-Id: Ic029a8c6fd8a88cd0e73fb7b61ba8ad8625f5ee5
Closes-Bug: #1594371
This patch moves the auth plugins abstract base class out of core and
into plugins/base.py
This removes dependencies where backend code references code in the
core. The reasoning being that the core should know about the backend
interface, but the backends should not know anything about the core
(separation of concerns). And part of the risk here is a potential for
circular dependencies.
Partial-Bug: #1563101
Change-Id: I4413ef01523d02c30af97e306069229252cb4971
The keystone-all command was removed but no alternative for running
keystone in developer mode was added. Update documentation with uwsgi
command and update keystone-all reference.
Change-Id: Ia949620de21c1b05127769c6da249b38d83cda9c
These config options and their supporting command are only useful
when deploying keystone under eventlet, with that removed these
are redundant.
Change-Id: I7c602805bba2c658d3280811ed8919f78ed3aa0d
implements: bp removed-as-of-newton
Eventlet has been deprecated since the Kilo release and is
being removed in Newton.
A follow on patch will be proposed to remove the [ssl] section
since it is now redundant.
Co-Authored-By: Grzegorz Grasza <grzegorz.grasza@intel.com>
Partially implements: bp removed-as-of-newton
Change-Id: I963d94bbd188dbb6eba68623a42c5bc3f2289da4
Fixes error:
# sysctl -w 'sys.net.ipv4.ip_local_reserved_ports=35357'
sysctl: cannot stat /proc/sys/sys/net/ipv4/ip_local_reserved_ports: No such file or directory
The new command works:
# sysctl -w 'net.ipv4.ip_local_reserved_ports=35357'
net.ipv4.ip_local_reserved_ports = 35357
Closes-Bug: #1571555
Change-Id: I9665f56c23f50d45e4303f78046dc46becb59ec5
python-keystoneclient CLI was removed in patch #258181.
This patch removes the file that had examples of
keystone CLI usage.
Change-Id: Ie7d3624149f15ee806aee3db4f64f542414b4728
* Replaced Url with URL
* Corrected dead link to 'Python logging module'
* Replaced deprecated reference to log_config with log_config_append
* Removed non-referenced link for 'PyMongo API'
* Added etc/ssl_callback_template.html as an example setting file
Change-Id: Ic24c000e3cab848b03cdd709d1d7f94deef6fb81