252 Commits

Author SHA1 Message Date
Lance Bragstad
935c43b6c8 Remove duplicate token docs
Now that the admin guide is within keystone, we can remove all the
operator specific information we were maintaining in tree. This will
make it easier for operators to find all the information they need
related to tokens.

Change-Id: Iac2bf86a7b06b54fe8edea6ddbc62fe576b8959c
2017-07-05 15:56:13 +00:00
Samriddhi Jain
459f078d0c Reorganised keystone documentation structure
Divided the keystone docs into four categories, depending
upon the usage criteria: general information (which will
be common for all), developer documentation,
user documentation and operator documentation.

Change-Id: I2f5dd41acd9874739accc54c4f4fd69460b58334
2017-06-22 13:26:46 +05:30
Colleen Murphy
dd298f66f7 Update dead API spec links
The API specifications were moved out of the specs repo and into the
api-ref directory of the main keystone repo[1]. This patch updates some
of the straggler links in the configuration docs that still referenced
the old location.

[1] https://review.openstack.org/#/c/342399/

Change-Id: I883cfb4ab8b65873286f46194a8c8ccd7af97dd2
2017-05-01 21:15:02 +02:00
David Stanek
928d23db02 Removed the deprecated pki_setup command
bp removed-as-of-pike

Change-Id: Ib39d21ed547e3be7a3a2c333a7193f990043a80b
2017-03-29 00:15:09 +00:00
Ubuntu
62c4897092 Add a note to db_sync configuration section
This patch just adds a note under the configuration section for
rolling upgrades to inform the user that
``keystone-manage db_sync --check`` is now available to run when
they would like information about the status of their upgrade.

Change-Id: I29e2ccd8973443daf592aaa45bb4e8167327c7cc
2017-03-24 17:23:09 +00:00
jolie
6748673948 Fix typo in config doc
Change-Id: I3095fe4bd7dbe6a6fb056819cd68d952570a0f02
2017-02-20 10:32:30 +08:00
Morgan Fainberg
b8b1e18930 Remove KVS code
KVS Code (core) and items depending on it were deprecated in Newton and slated
for removal in Pike.

implements bp removed-as-of-pike
Closes-Bug: 1077282
Change-Id: I6ed4e3688f2a63b0fc439527957bc027db8d5d66
2017-02-03 02:25:19 +00:00
Eric Brown
30d9095d28 Use https for docs.openstack.org references
The openstack.org pages now support https and our references to
the site should by default be one signed by the organization.

Change-Id: I30a462e03d1fd7852511e22cac34c6bc0e8917f4
2017-01-30 16:05:08 -08:00
Kristi Nikolla
a7b393b1f6 Remove LDAP write support
Removed LDAP write support and removed the configuration options
*_allow_create, use_dumb_member, dumb_member, allow_subtree_delete.

Also removed the driver logic related to dumb_members, tree deletion
and their respective tests.

Write functionality is still present because our tests depend on it,
but it's hidden behind a toggle which the tests set to enable it.

Co-Authored-By: Gage Hugo <gagehugo@gmail.com>
Co-Authored-By: Steve Martinelli <s.martinelli@gmail.com>

Implements: bp removed-as-of-ocata

Change-Id: I13eada3d5c3a166223c3e3ce70b7054eaed1003a
2017-01-21 21:32:07 -05:00
Dougal Matthews
f12f83ba9a Correct misspellings of secret
Change-Id: Ib60746ddd19cdf5f9a65498a9a627a321fdad2c7
2016-12-08 13:25:05 +00:00
Ken'ichi Ohmichi
3e5ead0a45 Remove CONF.os_inherit.enabled
CONF.os_inherit.enabled is planned to be removed in Ocata as the
deprecated message and this patch removes it.

Partially implements bp: removed-as-of-ocata

Change-Id: I9072419ba1cfcf3cefb814a224fc499c9067ae30
Needed-by: Id3dd322b3a0585ed95eb2dea4ad35a7949bb9b1f
2016-12-05 10:52:35 -08:00
Jamie Lennox
fcebc2fa8d Allow fetching an expired token
A service user from auth_token middleware should be able to fetch a
token that has expired within a certain window so that long running
operations can finish.

Implements bp: allow-expired
Change-Id: I784f719be88481048f5aa7a79d34a54907438cf3
2016-11-28 04:07:26 +00:00
Steve Martinelli
0a9051bcc1 move content from configuringservices to configuration
The content from configuringservices belongs in the general
configuration guide. This results in one less file that can
branch off and overlap.

Change-Id: I0490818f862d982072c0adfaa1f02d7ac9c8abe3
2016-11-21 15:43:37 +00:00
Steve Martinelli
2edc392567 Update configuration.rst documentation
* landing page: increase toc depth for configuration for easier navigation
* landing page: move keystone-manage man page to bottom

* created common keystone-manage commands doc, so config and man page can
  reference

* moved the sample config files section up near config file section
* moved fernet token section up near token section
* moved token flush near token section
* moved endpoint policy and endpoint filter near catalog

* removed references to devstack files that do not exist
* removed references to experimental and stable status for stable features
* removed references to keystoneclient CLI

* removed IANA portions, not config related
* removed section about user CRUD on v2.0 API, not config related

* lots of minor cleanup with syntax and wording

Change-Id: Id814b70d626299ba0717d6759ec6be5e97645a39
2016-11-21 10:40:41 -05:00
Jenkins
e70631edda Merge "Add healthcheck middleware to pipelines" 2016-11-09 22:52:13 +00:00
Jesse Keating
eeac2cb6d1 Add healthcheck middleware to pipelines
This introduces the oslo health check middleware
http://docs.openstack.org/developer/oslo.middleware/healthcheck_plugins.html
into the pipelines. This middleware is useful for load balancers and
http servers, which can use it to validate that the keystone services are
operational. This middleware is being used in other services such as
glance and magnum. This patch provides it for keystone, in an effort to
spread the usage across all major projects.

This is one less item that operators will have to patch locally.

DocImpact

Change-Id: I19e4fc8f6c6a227068ba7191c1e9c453fc08f061
2016-11-09 19:39:41 +00:00
Lance Bragstad
57cc1e332f Switch fernet to be the default token provider.
Make Fernet the default token provider in keystone.

Co-Authored-By: Raildo Mascena <raildo@lsd.ufcg.edu.br>
Co-Authored-By: Adam Young <ayoung@redhat.com>

Depends-On: I3b819ae8d2924f3bece03902e05d1a8c5e5923f1
Depends-On: I7bb6c2fa1fe83b70cb147e6ca4c68bea3028706b
Depends-On: Ia51f28a70ae099f1ec93851d271db8556aced836
Change-Id: I29b22be75525aed5c50b34dc343af36c9b94c18c
Closes-Bug: 1561054
2016-11-02 00:33:24 +00:00
Jenkins
142e9e760a Merge "Remove support for PKI and PKIz tokens" 2016-11-01 23:54:47 +00:00
Steve Martinelli
8a66ef6354 Remove support for PKI and PKIz tokens
This is the first step of several to remove PKI token support in
keystone. A large issue in removing PKI support is support for the
revocation list must be maintained.

This patch removes support for the token format, its surrounding tests
and examples that are generated. Additionally, some wording has been
changed around the CLI and config options to make the distinction
between keys and certs used for PKI tokens and those used for getting
the revocation list (a list of tokens that are revoked, which is signed).

Future patches will:

- Remove the keystone-manage commands for generating certs

- Modify the revocation list (at /auth/tokens/OS-PKI/revoked) to return
a 403 if pki is not configured (instead of raising a 500). We cannot
remove the API as that would break an API contract.

- Options to configure PKI will be marked as deprecated

- If PKI is configured a normal signed list will be returned (same
behavior as today)

- Follow up patch to keystonemiddleware will make sure auth_token does
not rely on the revocation api at all.

Related-Bug: 1626778
Related-Bug: 1626779

Co-Authored-By: Boris Bobrov <bbobrov@mirantis.com>
bp removed-as-of-ocata
Change-Id: Icf1ebced44a675c88fb66a6c0431208ff5181574
2016-11-01 22:05:01 +00:00
Lance Bragstad
1a1c625acc Doc the difference between memcache and cache
Our documentation doesn't really provide a clear explanation for the
difference between ``[memcache]`` and ``[cache]`` in keystone's
configuration file.

This commit attempts to make this easier to understand for
deployers.

Change-Id: I77460220ef779fcdb16363a6da90898619afe467
2016-11-01 17:19:29 +00:00
Eric Brown
bef14444e2 Follow-on of memcache token persistence removal
In commit I4b8b88409abe8eea8f0a075aebbe9c569367c454, the memcache
and memcache_pool token persistence drivers were removed. However
the documentation still contains references to these drivers.

bp removed-as-of-ocata

Change-Id: I56f05c976c69c98a3bf3bd325fc3239cb9618a57
2016-10-17 22:04:56 -07:00
Eric Brown
e3962e5f1b More configuration doc edits
* Keystone -> keystone
* Remove mention of non-existent keystone.common.cache.backends.mongo
* Correct that global caching is enabled by default, not disabled.
* Remove LDAP schema examples for Project and Roles
* Mark several tls config options as keywords using ``
* Update the example LDAP pooling config options to match keystone.conf

Change-Id: I1e3e896d447c1cbd187d21719f42dad6bf00b28b
2016-10-17 18:15:57 -07:00
Annapoornima Koppad
ac04a51db2 Updating the document regarding LDAP options
Closes-bug: #1274581

Change-Id: I3e334b7290745f3e0cdaaf05b07e942929acff04
2016-10-04 03:16:48 +05:30
Ronald De Rose
ba984dbd4b Fix 'API Specification for Endpoint Filtering' broken link
This patch fixes a broken link in the configuration documentation.

Change-Id: Ibea0d1f964330f531e68321571c1be39d7235468
2016-09-23 18:08:08 +00:00
Jenkins
e69b839843 Merge "Add docs for the null key" 2016-09-08 14:05:33 +00:00
Eric Brown
85b2faa9cc Updates configuration doc with latest changes
* A number of the keystone.conf sections were missing from the
  documentation about configuration files.
* The object attributes were out-dated. The attribute
  password_expires_at and others were missing.

Change-Id: I7c87021aa7511ba9cb6ab3de93e74be7209b6ead
2016-09-07 17:28:35 -07:00
Lance Bragstad
407f08ec14 Add docs for the null key
Add information regarding the null key to the encrypted credentials
documentation.

Change-Id: Idbf4b1b15c9777b81d2a92d9c2e20a87e3eb6c53
Closes-Bug: 1619758
2016-09-07 18:38:55 +00:00
Eric Brown
32af31f509 Few new commands missing from docs
The configuration and man page docs are missing some commands
noting the available options to the keystone-manage command.

Change-Id: Iba5efcf94e70f70bac899b8db377960fd35567d4
2016-09-02 08:17:21 -07:00
Werner Mendizabal
0e7ab57241 Document credential encryption
Add documentation on how credential encryption works and a release note.

bp credential-encryption

Change-Id: Ib06c86a17e585f43bfa8aedf3d5e89d3163cc9da
2016-08-31 21:28:42 +00:00
Dolph Mathews
428a6e0faa Add a feature support matrix for identity sources
This introduces the various ways you can configure keystone to
authenticate users, and provides a little compare/contrast to help
people understand how each solution behaves at a high level before
diving deeper.

This patch covers:

- SQL
- LDAP (considering that all write operations are deprecated)
- External authentication (REMOTE_USER)
- OAuth 1.0a
- OpenID Connect
- SAMLv2

Change-Id: I86dfbd2c1f7fed199c612dd1456358e559da3fad
2016-08-29 13:56:47 -05:00
Boris Bobrov
b1fdad9875 Add mapping_populate command
Fetching users from LDAP requires creating public ids for them.
id_mapping_api does that. Creating public ids is slow, because it
requires performing N INSERTs for N users, and there is no way to
work around that. It leads to very slow responses to queries like
"list users".

By pre-creating these public ids we improve API users' experience.

Add keystone-manage mapping_populate command that creates id mapping entries
for users.

bp ldap-preprocessing
Partial-Bug: 1582585
Change-Id: I98f795854aee26f9e7f668372c47572d2b6d4f0f
2016-08-23 20:52:10 +00:00
Jenkins
b79e08b9bc Merge "Remove configuration references to eventlet" 2016-08-03 14:25:30 +00:00
Jenkins
41aa273f67 Merge "Add token feature support matrix to documentation" 2016-08-02 14:27:49 +00:00
Eric Brown
8cef8483e6 Document the domain config API as stable
As a follow-on to commit I7bf0a914be13f88313c14bc196369de49cc7413f,
the documentation should also reflect that the domain config API
is now stable. Previous releases are still considered experimental.

Change-Id: I6fb993ac678d0aeaa43547c4b24b62d1a784a615
2016-07-28 14:11:00 -07:00
Eric Brown
fc924f8e44 Remove configuration references to eventlet
There were still a couple references remaining for using keystone
under eventlet. These are no longer applicable since keystone is
no longer supported under eventlet.

Change-Id: If6d2013cc2396d6d1df43f7f2091b5fa02115ca4
2016-07-28 14:04:28 -07:00
Dolph Mathews
927b08bbf7 Add token feature support matrix to documentation
This introduces a feature support matrix to illustrate which of our
various token providers supports which API operations and features. This
is intended to mirror Nova's feature support matrix documentation page,
found here:

  http://docs.openstack.org/developer/nova/support-matrix.html

After running `tox -e docs`, the result is embedded in
`doc/build/html/configuration.html`.

Change-Id: I3dc896a2906e25827a9e01afc7de5a737831c336
2016-07-28 15:44:28 +00:00
Jenkins
e2f230a089 Merge "Mark the domain config via API as stable" 2016-07-09 09:09:31 +00:00
Jenkins
6e15e49f6d Merge "keystone recommend deprecated memcache backend" 2016-07-09 04:15:51 +00:00
Brad Topol
a5c5f5bce8 Mark the domain config via API as stable
The domain config via API is marked stable. Tests are updated
and the cli for updating domain configs is marked deprecated.

implements bp domain-config-as-stable

Change-Id: I7bf0a914be13f88313c14bc196369de49cc7413f
2016-07-08 14:44:30 -07:00
jolie
b278f03a78 keystone recommend deprecated memcache backend
There is a recommendation in doc to use
backend = keystone.cache.memcache_pool
however this seems to be deprecated in the code

Change-Id: Ic029a8c6fd8a88cd0e73fb7b61ba8ad8625f5ee5
closes-bug:#1594371
2016-07-08 11:06:07 +08:00
Ronald De Rose
5d707d510d Move the auth plugins abstract base class out of core
This patch moves the auth plugins abstract base class out of core and
into plugins/base.py

This removes dependencies where backend code references code in the
core. The reasoning being that the core should know about the backend
interface, but the backends should not know anything about the core
(separation of concerns). And part of the risk here is a potential for
circular dependencies.

Partial-Bug: #1563101

Change-Id: I4413ef01523d02c30af97e306069229252cb4971
2016-07-07 16:32:07 +00:00
nonameentername
f6ac0661bf Update documentation to remove keystone-all
keystone-all command was removed but no alternative for running
keystone in developer mode was added.  Update documentation with uwsgi
command and update keystone-all reference.

Change-Id: Ia949620de21c1b05127769c6da249b38d83cda9c
2016-05-10 17:06:49 -05:00
Steve Martinelli
20b851b240 Remove support for generating ssl certs
these config options and their supporting command are only useful
when deploying keystone under eventlet, with that removed these
are redundant.

Change-Id: I7c602805bba2c658d3280811ed8919f78ed3aa0d
implements: bp removed-as-of-newton
2016-04-19 08:58:36 -03:00
Jenkins
23bb657369 Merge "Remove eventlet support" 2016-04-19 07:29:42 +00:00
Steve Martinelli
ac039414ce Remove eventlet support
Eventlet has been deprecated since the Kilo release and is
being removed in Newton.

A follow on patch will be proposed to remove the [ssl] section
since it is now redundant.

Co-Authored-By: Grzegorz Grasza <grzegorz.grasza@intel.com>
Partially implements: bp removed-as-of-newton

Change-Id: I963d94bbd188dbb6eba68623a42c5bc3f2289da4
2016-04-18 18:07:28 +00:00
jpic
e641f79155 Typo in sysctl command example Edit
Fixes error:

    # sysctl -w 'sys.net.ipv4.ip_local_reserved_ports=35357'
    sysctl: cannot stat /proc/sys/sys/net/ipv4/ip_local_reserved_ports: No such file or directory

The new command works:

    # sysctl -w 'net.ipv4.ip_local_reserved_ports=35357'
    net.ipv4.ip_local_reserved_ports = 35357

Closes-Bug: #1571555
Change-Id: I9665f56c23f50d45e4303f78046dc46becb59ec5
2016-04-18 11:20:32 +02:00
Henrique Truta
42810fe46e Remove reference to keystoneclient CLI
python-keystoneclient CLI was removed in patch #258181.
This patch removes the file that had examples of
keystone CLI usage.

Change-Id: Ie7d3624149f15ee806aee3db4f64f542414b4728
2016-03-15 22:23:15 -04:00
Eric Brown
045e3588c1 Minor edits to the configuration doc
* Replaced Url with URL
* Corrected dead link to 'Python logging module'
* Replaced deprecated reference to log_config with log_config_append
* Removed non-referenced link for 'PyMongo API'
* Added etc/ssl_callback_template.html as an example setting file

Change-Id: Ic24c000e3cab848b03cdd709d1d7f94deef6fb81
2016-02-25 20:45:01 -08:00
Jenkins
66fef6491e Merge "Tidy up configuration documentation for inherited assignments" 2016-02-22 18:05:56 +00:00
Jenkins
303f681b16 Merge "Adds user_description_attribute mapping support to the LDAP backend" 2016-02-19 00:20:36 +00:00