1457 Commits

Author SHA1 Message Date
Zuul
9aa6b031ca Merge "Update OIDC Apache config to avoid masking Keystone API endpoint" 2024-09-03 03:08:16 +00:00
Takashi Kajinami
637fb7534a Remove support-matrix.css
The file is generated during doc build.

Change-Id: If51c6af2a2cae25c8f8d73b63f3aa61c2937310c
2024-09-01 22:14:10 +09:00
Zuul
dd30a921a2 Merge "Implement the Domain Manager Persona for Keystone" 2024-08-28 18:29:44 +00:00
Markus Hentsch
69d1897d09 Implement the Domain Manager Persona for Keystone
Introduces domain-scoped policies for the 'manager' role to permit
domain-wide management capabilities in regards to users, groups,
projects and role assignments.
Defines a new base policy rule to restrict the roles assignable by
domain managers.

Closes-Bug: #2045974
Change-Id: I62742ed7d906c92d1132251080758bb54d0fc8e1
2024-08-28 15:54:42 +02:00
Artem Goncharov
112331d9e9 Fix role statement in admin doc
Closes-Bug: 2076670
Change-Id: I843dcce351d664124c769d815f72cd57caa5e429
2024-08-14 17:37:46 +02:00
Jadon Naas
7ac0c3cd33 Update OIDC Apache config to avoid masking Keystone API endpoint
The current configuration for the OIDCRedirectURI results in
mod_auth_openidc masking the Keystone federation authentication
endpoint, which results in incorrect responses to requests for
Keystone tokens. This change updates the documentation to
recommend using a vanity URL that does not match a Keystone
API endpoint.

Closes-Bug: 2075349
Change-Id: I1dfba5c71da68522fdb6059f0dc03cddc74cb07d
2024-08-01 21:13:17 -04:00
Artem Goncharov
55e8c1e605 Enable black in pre-commit
With this, black performs a linter check even before the commit is created,
allowing devs to spot issues before sending a change to the CI.

With this we also switch from flake8 to pre-commit to ensure we run the
same tests locally and in the CI, thus preventing accidental drift.

Change-Id: I121f55a2f00817dc4b6061933752b81e01d62cb4
2024-07-26 11:42:33 +02:00
Artem Goncharov
430bebe376 Add pre-commit
As a starting point for the code renovation it makes sense to add
pre-commit with the same configuration as we spread across the other
services. For now comment out hooks that fail and address them one by
one.
At the end of the series we would have pre-commit executing all the
necessary checks (linting, flake, black, mypy, etc.) and it will be
invoked directly in `tox -e pep8` to unify all the processing. We
are going to re-format the source code with `black`, adding revisions to
the git blame ignore file to reduce the amount of noise. This will help us
have reasonable formatting of the code, with the possibility to just
auto-format the code.

Change-Id: Ia00f4209cde8f64828dc2d827d49bfc4bd6c1efa
2024-07-12 20:30:33 +02:00
Zuul
1b78b57ec5 Merge "Improve configuration of out-of-tree identity drivers" 2024-07-12 18:16:30 +00:00
Stephen Finucane
53d547fcb8 Replace use of testtools.testcase.TestSkipped
This has been deprecated for removal [1]. Use the stdlib variant
instead.

[1] https://github.com/testing-cabal/testtools/commit/59b890db3c

Change-Id: I7701872d2de44bb7c8296501015c24d0741adc93
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
2024-06-24 10:43:09 +01:00
Artem Goncharov
41ab96ba8e Improve configuration of out-of-tree identity drivers
The official recommendation for operators is to develop out-of-tree drivers
for the missing functionality. While this is easily possible, there are
hurdles for configuring such drivers. Configuring them using the FS requires
a restart of Keystone when, e.g., adding new domains to be processed with
the custom driver. Using the database is a much better and more dynamic
approach, but it currently does not allow drivers to have specific
configuration. This change addresses these flaws and consists of 3
individual parts that are submitted together to make testing easier.

- Allowing driver to register supported configuration option before
  loading the driver (invoke DriverManager without calling the driver
  and search for specific method present).
- Allow changing driver specific configuration through API (add 2 more
  configuration options enabling listed options in the API)
- Documentation changes.

Change-Id: I99fa798ef60cdb7a488fe55de76cd931c6db3e89
2024-06-05 17:16:58 +02:00
Zuul
993e589fa1 Merge "Keystone to honor the "domain" attribute mapping rules." 2024-01-26 17:37:09 +00:00
Rafael Weingärtner
14ac08431f Keystone to honor the "domain" attribute mapping rules.
We propose to extend the Keystone identity provider (IdP) attribute mapping
schema to make Keystone honor the `domain` configuration that we have
on it.

Currently, that configuration is only used to define a default domain
for groups (and then each group there could override it). It is
interesting to expand this configuration (as long as it is in the root
of the attribute mapping) to be also applied to users and projects.

Moreover, to facilitate the development and extension concerning
attribute mappings for IdPs, we changed the way the attribute mapping
schema is handled. We introduce a new configuration
`federation_attribute_mapping_schema_version`, which defaults to "1.0".
This attribute mapping schema version will then be used to control the
validation of attribute mapping, and also the rule processors used to
process the attributes that come from the IdP. So far, with this PR,
we introduce the attribute mapping schema "2.0", which enables
operators to also define a domain for the projects they want to assign
users to. If no domain is defined either in the project or in the global
domain definition for the attribute mapping, we take the IdP domain
as the default.

Change-Id: Ia9583a254336fad7b302430a38b538c84338d13d
Implements: https://bugs.launchpad.net/keystone/+bug/1887515
Closes-Bug: #1887515
2024-01-16 08:54:56 -03:00
Takashi Kajinami
e3b3df7974 Remove babel.cfg
Remove babel.cfg and the translation bits from setup.cfg, those are not
needed anymore.

Change-Id: I6c44c8e0b8bf16af2e91ba26b2dbe37c06ea1048
2023-12-21 02:16:12 +09:00
Zuul
fe1a75cf3a Merge "doc: Update the installation guide for RHEL8/CentOS8 and RHEL9/CentOS9" 2023-11-10 20:22:53 +00:00
Zuul
7ee35794e9 Merge "Fix presentation of OAuth2.0 user guides" 2023-10-06 17:10:29 +00:00
Zuul
02bbc665c4 Merge "Add an option to randomize LDAP urls list" 2023-08-25 16:28:33 +00:00
Zuul
677ac86bca Merge "Fix typo in openid federation diagram" 2023-08-10 16:13:31 +00:00
Zuul
56c1beee76 Merge "docs: Clarify lack of LDAP assignment back end" 2023-08-04 16:31:30 +00:00
Zuul
1ac30ab59f Merge "Add default service role support to bootstrap command" 2023-08-04 08:07:44 +00:00
Taketani Ryo
5ec55ebe2b doc: Update the installation guide for RHEL8/CentOS8 and RHEL9/CentOS9
The OpenStack Ussuri and Victoria versions no longer support
RHEL7/CentOS7. Update the installation guide for RHEL8/CentOS8 and RHEL9/CentOS9.

Change-Id: I6c9924c96c1f879b913b39f66878a8f9235ea18f
2023-07-31 04:36:14 +00:00
Stephen Finucane
8c789fbe73 doc: Correct typo
A contract migration will use the '--contract' flag, obviously.

Change-Id: I288bd0175834fdd3ee8d224f099e37b6294cb7ea
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
2023-07-13 10:03:47 +01:00
Mark Goddard
dabaef7c33 docs: Clarify lack of LDAP assignment back end
The LDAP assignment backend was removed in Mitaka(!) [1] and should no
longer be referenced.

Change-Id: I14a4d7fdbaee81792a1ccf9b3bcf5f2d8e237da5
2023-07-04 13:38:40 +01:00
Zuul
8551ac4cb2 Merge "doc: Add minimal documentation on generating migrations" 2023-07-03 14:23:44 +00:00
Zuul
9995510160 Merge "sql: Add support for auto-generation" 2023-07-01 22:36:42 +00:00
Stephen Finucane
66d289f033 doc: Add minimal documentation on generating migrations
We can now auto-generate migrations. Document how this is done.

Change-Id: I754b0eb9eb74cd31f22440c64187d292c19ce4fa
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
2023-06-28 11:14:24 +01:00
Zuul
8304eefb97 Merge "Add doc of OAuth2.0 Client Credentials Grant Flow" 2023-06-27 16:23:30 +00:00
Hiromu Asahina
f6ab28218e Fix presentation of OAuth2.0 user guides
Applied remaining comments to the first OAuth2.0 documentation patch [1].

[1] https://review.opendev.org/c/openstack/keystone/+/838108

Change-Id: I95aac0b4ac4e887b79ef5b15ac5cb3d356c26735
2023-06-27 23:55:18 +09:00
Arvid Requate
1195c38b8b Fix typo in openid federation diagram
Section "OpenID Connect with keystone and horizon"
should use openid endpoint instead of saml2.

Change-Id: I147f3888c42e2d8d25a0ddd20f4e3974c8a38632
Signed-off-by: Arvid Requate <requate@univention.de>
2023-05-09 13:08:11 +02:00
Yusuke Niimi
b438bf1efe Add doc of OAuth2.0 Client Credentials Grant Flow
This patch provides Keystone documents for OAuth2.0 client
authorization. The specification about new API is added to API
Reference. Also OAuth2.0 client credentials grant flow is added to
admin guide.

Implement: blueprint oauth2-client-credentials-ext
Change-Id: I6ac5835fb64a4e81f34f7b8631d255b2bb7f66da
2023-04-17 08:04:36 +00:00
Abhishek Kekane
d0eacc4729 Add default service role support to bootstrap command
Added service role support to bootstrap command.

Closes-Bug: #1951632
Change-Id: I9cb25a111c84ecb3a09158cbe44b0954df89096c
2023-03-28 17:51:17 +00:00
Stephen Finucane
1bcf8cee0d sql: Add support for auto-generation
Add the ability to autogenerate migrations. Because we need to support
different types of migration (expand and contract), this ends up being
significantly more complicated than what was needed in nova and cinder
and more akin to what was done in neutron. The key feature here is
the use of an alembic hook called 'process_revision_directives', which
is called whenever one calls 'alembic revision --autogenerate'. We
extend this to allow us to hook into the autogeneration process and
ensure we only spit out directives for the relevant phase.

While we're here, we open up the Bobcat DB branch. This is similar to
what Neutron do (e.g. change I13ba740d245a46c41a969ff198e08ddff896eb1a).
Documentation will follow.

Change-Id: I17c9ff9508c5e2bd9521c18973af093d7550ab5a
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
2023-02-28 17:47:57 +00:00
Grzegorz Grasza
36d57d2a83 Add an option to randomize LDAP urls list
Since LDAP is now readonly, the current behavior might be
unexpected. By randomizing the list, we assure a more gradual
failure scenario if the first server on the list (as specified
by the user) fails.

Change-Id: I23f31bd85443784013a6aa158d80c7aeeb343993
Closes-Bug: #1953622
Resolves: rhbz#2024602
2022-10-07 17:56:02 +02:00
niuke
eae6adf00b remove unicode prefix from code
Change-Id: I0de3c786fa2617a44094c37827ebd93a8dfcf3b6
2022-08-15 10:53:41 +08:00
Stephen Finucane
d88439c6a9 docs: Update docs to reflect migration to Alembic
Change-Id: Iabc8cd0746871ea6ab81af9d3f0149644a489f3d
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
2022-06-20 13:29:58 +01:00
Nikita Koltsov
fc62bbc06a Fix typo in documentation
Change-Id: I92a8cfaef350bb61330d9ef02c0fd9e6f6c5854a
2022-05-16 12:50:37 +02:00
Marcin Wilk
3856cbf10d Add service_type config info for access rules
The service_type config param is crucial to successfully use
application credentials with access rules.

Closes-Bug: #1950464
Change-Id: I98d1cfcbd229f2939d900861f453efa996466c32
2022-04-25 07:57:30 +00:00
Zuul
01e1a083d5 Merge "Update TOTP example code for python 3" 2022-04-22 16:30:04 +00:00
Han Guangyu
644deedda5 Remove the note of training-labs
Training-labs has been officially retired as it has no maintainer.
The information about training-labs has been deleted from the OpenStack
documentation. It is not appropriate to continue the presentation in
note form here.

[1] http://lists.openstack.org/pipermail/openstack-discuss/2021-October/025586.html
[2] e78d74f105

Change-Id: I0ac3d05389041ac58fe2347171541ffaaf151fdf
2022-04-22 15:15:21 +08:00
Jake Yip
afec310e3f Update TOTP example code for python 3
Change-Id: I8e16fe1a002295753ab03cb8da74c0d43785f6d7
2022-03-18 16:01:52 +11:00
Eunyoung Kim
c141e6164e trivial: Fix typo
Change-Id: I36f5eb44faf4c0e2ea7d68e8736e8fd34fdd5504
2022-03-16 01:23:33 +00:00
Zuul
3cbd374947 Merge "Fix API path in document" 2022-02-11 18:15:12 +00:00
Eunyoung Kim
e833bd8478 Fix API path in document
GET /limits-model => GET /limits/model

Change-Id: Ib832a8a9257ecdc7bffcc81ee003d1f5a37588e0
2022-02-11 09:44:13 +00:00
Zuul
f69a449a16 Merge "sql: Move migrations to 'legacy_migrations'" 2022-02-08 22:56:53 +00:00
Zuul
ac3a779e10 Merge "sql: Remove legacy 'migrate_repo' migration repo" 2022-02-04 22:41:29 +00:00
Zuul
2961208028 Merge "Add details to bootstrap docs for system role assignments" 2022-02-04 18:49:30 +00:00
Stephen Finucane
aebd037f50 sql: Move migrations to 'legacy_migrations'
We're going to add new alembic-based migrations shortly. These will live
in the 'keystone.common.sql.migrations' module. Prepare for this by
moving the existing migrations from 'keystone.common.sql' into a common
'keystone.common.sql.legacy_migrations' module.

Change-Id: I5ab7b010b21268977f73738e895bbd21442e9455
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
2022-01-21 13:39:30 +00:00
Stephen Finucane
503421d3d4 sql: Remove legacy 'migrate_repo' migration repo
This is now folded into the initial migration of the 'expand_repo'
repository. Previously, this was a dummy migration. We simply move
things across and remove any code that was trying to work with the older
repo since it's no longer necessary.

A release note is added, even though it's not really necessary since
nothing will change for users. It's more of a heads up that things are
afoot.

Change-Id: I59882d88fe593ec1ae37415b2157584f7f3c85f8
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
2022-01-10 18:31:09 +00:00
Ghanshyam Mann
8d18270863 Temporary exclude the common.sql.core.py from sphinx-apidoc target
With the new release of SQLAlchemy (1.4.27), the TypeDecorator used
in the common/sql/core.py file started failing (error below). I am not sure
if it is a valid issue in SQLAlchemy or in our code base and whether we need
to blacklist the SQLAlchemy 1.4.27 version in requirements. But to unblock
the gate let's exclude it from the sphinx-apidoc target.

Error:

Warning, treated as error:
/opt/stack/keystone/keystone/common/sql/core.py:docstring of keystone.common.sql.core.DateTimeInt.process_bind_param:19:undefined label: types_typedecorator

- https://zuul.opendev.org/t/openstack/build/b2ee464fa1554cb89dc8873486865151
Change-Id: I7de055c2b266430bf886e200c3d8829a48ae9600
2021-11-19 16:24:23 -06:00
Zuul
f03ff806c1 Merge "Update local_id limit to 255 characters" 2021-08-27 12:19:35 +00:00