Fetching users from LDAP requires creating public ids for them.
id_mapping_api does that. Creating public ids is slow, because it
requires performing N INSERTs for N users, and there is no way to
work around that. It leads to very slow responses to queries like
"list users".
By pre-creating these public ids we improve API users' experience.
Add keystone-manage mapping_populate command that creates id mapping entries
for users.
bp ldap-preprocessing
Partial-Bug: 1582585
Change-Id: I98f795854aee26f9e7f668372c47572d2b6d4f0f
This documentation conflicts a bit with the approach originally proposed
in bp manage-migration because it depends on the notion of having
database triggers to assist in the migration process.
Change-Id: Iec9269ab6d799b757451cb8afe7fa889fe7068b9
Now that we support other-requirements.txt and there is a Project Team
Guide doc [1] on how to set a Python environment up for development, we
can take benefit of them and make our docs more concise.
[1] http://docs.openstack.org/project-team-guide/project-setup/python.html
Co-Authored-By: Hidekazu Nakamura <hid-nakamura@vf.jp.nec.com>
Change-Id: Idcfadb7922b75464af430264e55aadc442e1b0a8
Rolling upgrades are being introduced in the Newton release, which will
substantially impact the process that deployers will have to follow to
upgrade keystone.
This will provide us a basis for documenting rolling upgrades (also,
it's about time we documented our current process).
bp manage-migration
Change-Id: I5a37c781b83967b12cda60b054c612df3c3cb697
Many releases ago, we supported the notion of having migration
repositories per backend interface. If a backend needed to use the
database, it could manage its own migrations independently from the
rest of keystone. That functionality was removed long ago, and this
blurb of text should have been removed with it.
Change-Id: If90e25ec556cf42322509ef28878e96120b0baad
I made a few specific changes, hopefully for the better:
- Removed the "Welcome!" from the title, which is quite verbose in the
sidebar index (and reads awkwardly as a title, IMO).
- Revised the project description to match what's on our Launchpad page,
https://launchpad.net/keystone
- Revised the target audience to more accurately reflect who we actually
write for (it's still contributors first, but it's not fair to ignore
operators, etc).
Change-Id: I9955f31216e7a70fed10501f096001433609ac70
Added corresponding packages for postgresql libraries for various
distros to the development docs to avoid causing pip to fail when
installing dependencies within test-requirements.txt
Change-Id: Ie181cf01bb22366b80d0639e66d939aaa948490b
Closes-Bug: #1608653
As a follow-on to commit I7bf0a914be13f88313c14bc196369de49cc7413f,
the documentation should also reflect that the domain config API
is now stable. Previous releases are still considered experimental.
Change-Id: I6fb993ac678d0aeaa43547c4b24b62d1a784a615
There were still a couple references remaining for using keystone
under eventlet. These are no longer applicable since keystone is
no longer supported under eventlet.
Change-Id: If6d2013cc2396d6d1df43f7f2091b5fa02115ca4
This introduces a feature support matrix to illustrate which of our
various token providers supports which API operations and features. This
is intended to mirror Nova's feature support matrix documentation page,
found here:
http://docs.openstack.org/developer/nova/support-matrix.html
After running `tox -e docs`, the result is embedded in
`doc/build/html/configuration.html`.
Change-Id: I3dc896a2906e25827a9e01afc7de5a737831c336
This introduces a new keystone-manage command called 'doctor' which
attempts to diagnose and report on various ill-advised configurations
and deployment states.
The number of checks we could perform is basically endless, so this is
just a random sampling of checks to get the ball rolling. The idea is
that as new features are introduced, as default configurations change,
as we have new recommendations to make to deployers, etc, we can
implement new checks in keystone-manage doctor and communicate our
concerns directly to those operating affected deployments.
Change-Id: Ib6660c1a885c439ca03357870628b2ea52e39e9d
Implements: bp keystone-manage-doctor
The domain config via API is marked stable. Tests are updated
and the cli for updating domain configs is marked deprecated.
implements bp domain-config-as-stable
Change-Id: I7bf0a914be13f88313c14bc196369de49cc7413f
By default the external auth is enabled and can cause user_id conflict
when REMOTE_USER is set due to the fact that federation uses
REMOTE_USER as well. Therefore, the docs were updated to advise users
against using both external auth and federation on the same sequence.
Closes-Bug: #1563454
Change-Id: I193f78ae0ad0232471b725d5700870c349703310
There is a recommendation in the doc to use
backend = keystone.cache.memcache_pool
however, this seems to be deprecated in the code.
Change-Id: Ic029a8c6fd8a88cd0e73fb7b61ba8ad8625f5ee5
closes-bug:#1594371
This patch updates the service backends documentation, updating the
location for the abstract base classes (out of core and into
backends.base).
Closes-Bug: #1563101
Change-Id: I0b4ce448ba94ec09294b07f704ee07d433049ac8
This patch moves the auth plugins abstract base class out of core and
into plugins/base.py
This removes dependencies where backend code references code in the
core. The reasoning being that the core should know about the backend
interface, but the backends should not know anything about the core
(separation of concerns). And part of the risk here is a potential for
circular dependencies.
Partial-Bug: #1563101
Change-Id: I4413ef01523d02c30af97e306069229252cb4971
Currently, flake8 runs against doc related directories such as
releasenotes and api-ref. Might as well remove doc from the
flake8 exclude list. Each of these directories has only one
python file (conf.py).
Change-Id: I0445ad083d8d9167e0309950c200c9abb766bc1a
The refactor of code caused the inappropriate guide.
Code in tutorial is out of date.
Change-Id: Ic986af1072f158f0f0f5608a9754db9d3e507409
Closes-Bug: #1597196
"Shadow users: unified identity" implementation:
Allow concrete role assignments for federated users. Currently,
federated users get roles from mapped group assignments. However, with
the shadow users implementation, federated users are mapped to
identities in the backend; thus, can be assigned roles.
This patch returns locally assigned roles with the mapped group roles
for federated users; allowing for authorization for those roles.
bp shadow-users-newton
Change-Id: I9a150ded6c4b556627147d2671be15d6a3794ba5
This patch updates the Developing Keystone Drivers documentation,
removing support for driver versioning and updating the text.
Change-Id: I92318ecf83244ebbc575188a85f2594efc2c570e
Several of the command line options don't match the current output
from keystone-manage -h.
Here's the output of keystone-manage to compare with the new man
page content:
http://paste.openstack.org/show/508828/
Change-Id: I60d212c5930fcd450745b10155b578faff0e4654
I ran some tests locally that showed that when using the uwsgi
deploy, the keystone server wasn't using all the processes
available. When I switched from "threads" to "processes" the
concurrent performance improved considerably. So I'm proposing
that the docs use processes to improve performance.
Change-Id: I5375702f45ccb82c02ff2bba1eabda836d5d25eb
This change adds a tutorial for making an API change. It describes the
process from the specification proposal to making real code changes in keystone.
Its goal is to help new contributors to get familiar with keystone code.
It simulates the addition of a 'description' field to role entities.
Change-Id: Ie6f302939f43e78f07183abf4bc5aadb6b50ef1c
keystone-all command was removed but no alternative for running
keystone in developer mode was added. Update documentation with uwsgi
command and update keystone-all reference.
Change-Id: Ia949620de21c1b05127769c6da249b38d83cda9c
When reviewing If74aaf07b77399f1648843280153c7523de5eb38 I noticed that
one of the examples was incorrect.
Change-Id: I4d5d88ea45c00fe874382c06a0626ea6aaeb87c9
Related-Bug: #1575057
When building packages, if git is absent, we should not set
html_last_updated_fmt. It can still be set via the -D switch
when building with sphinx-build.
Change-Id: Iea0fb01314e1c4a66a55841df07b9bdaf10153a6
Closes-Bug: #1552251
Running keystone as a wsgi application should allow the same kind of
customization as when run from the command line. Setting sys.argv for
wsgi applications is difficult, so environment variables need to
be used for this purpose.
Closes-Bug: #1552397
Change-Id: I1cd8c7c9f8d4c748384f9b72511b677176672791
These config options and their supporting command are only useful
when deploying keystone under eventlet; with that removed, these
are redundant.
Change-Id: I7c602805bba2c658d3280811ed8919f78ed3aa0d
implements: bp removed-as-of-newton
Eventlet has been deprecated since the Kilo release and is
being removed in Newton.
A follow-on patch will be proposed to remove the [ssl] section
since it is now redundant.
Co-Authored-By: Grzegorz Grasza <grzegorz.grasza@intel.com>
Partially implements: bp removed-as-of-newton
Change-Id: I963d94bbd188dbb6eba68623a42c5bc3f2289da4