86 Commits

Author SHA1 Message Date
Jenkins
68e94ff979 Merge "Add entrypoint for mapped auth method" 2016-08-22 23:19:41 +00:00
OpenStack Proposal Bot
8114a07283 Updated from global requirements
Change-Id: Ic6e656188528d17d7808d2744769cf66b152fe17
2016-08-22 03:08:34 +00:00
Colleen Murphy
fd2a4fa07e Add entrypoint for mapped auth method
The keystone federation documentation says to use the 'mapped' method
instead of the 'saml2' method[1]. However, that entrypoint was never
added, so trying to use it resulted in keystone not being able to load
its wsgi scripts and failing. This patch adds the entrypoint so that
keystone won't explode.

[1] http://docs.openstack.org/developer/keystone/federation/federated_identity.html#configuring-federation-in-keystone

Change-Id: I6dd8c219765728ecf01b50f35c3c0da3943f13b0
2016-08-19 19:44:55 -07:00
Eric Brown
32233609a0 Add Python 3.5 classifier
Since the Python 3.5 gate job builds cleanly now, we should claim
support for Python 3.5 in the metadata's classifier.

Change-Id: I215313560d6bb3501093c95870c12cde1f11b5a5
2016-07-19 20:53:06 +00:00
Jamie Lennox
36394a6417 Disable warnerrors in setup.cfg temporarily
PBR's warnerrors is supposed to fail a build job when warnings are
present in the documentation. Unfortunately that hasn't been working for
a while.

With an upcoming release of PBR this flag will be fixed and any
warnings will fail docs jobs again. There is therefore a coordinated
effort to disable this flag until the PBR release has been completed and
requirements updated. After which time we can reenable the flag and
ensure docs build successfully.

http://lists.openstack.org/pipermail/openstack-dev/2016-June/097849.html

Change-Id: I0043518bdd09d2b2db5be48a942ae91ffc74a524
2016-07-14 10:43:40 +10:00
Jenkins
0d3437b1a1 Merge "Revert "Install necessary files in etc/"" 2016-06-29 02:19:50 +00:00
Dolph Mathews
d9c6b50a3a Replace keystone.common.config with keystone.conf package
keystone.common.config is 1200+ lines of super dense, merge-conflict
prone, difficult to navigate, and finicky to maintain code. Let's follow
nova's lead and break it down into more manageable modules.

This patch creates a new Python package, keystone.conf, and moves all of
our configuration options into it, mirroring nova's nova.conf package.

There are a couple special modules in keystone.conf introduced here as
well:

- keystone.conf.__init__: This causes all of Keystone options to be
  registered on import, so consumers of keystone.conf don't have
  races with config initialization code while trying to use
  oslo_config.cfg.CONF directly (keystone.conf replaces all uses for
  oslo_config.cfg.CONF in keystone).

- keystone.conf.base: Keystone's [DEFAULT] group options. I'd prefer
  this to be called 'default.py', but I'm just copying nova's lead here.

- keystone.conf.opts: The entry point for oslo.config itself.

- keystone.conf.constants: There are a few constants (deprecation
  messages, default paths, etc) that are used by multiple configuration
  modules, so they need to live in a common place.

Change-Id: Ia3daffe3fef111b42de203762e966cd14d8927e2
2016-06-24 17:02:15 +00:00
Jenkins
8b415b645f Merge "Let setup.py compile_catalog process all language files" 2016-06-07 10:35:52 +00:00
Thomas Goirand
4db20470d1 Revert "Install necessary files in etc/"
This reverts commit 5486f0ae4a14a35138687fe7b20b66d33c380112.
The files installed this way are installed in /usr/etc when
running PBR in the context of distros.

Change-Id: I192864675a8b34082e34f60caac770da76ca02aa
2016-06-06 23:54:13 +02:00
Dolph Mathews
671cb9c5d9 Move stray notification options into config module
These are basically the only configuration options in keystone defined
outside of keystone/common/config.py, so the only goal here is to
centralize them into one place.

Change-Id: I1369fd7835b31e57a094d07deb6a1aacc1d314b5
2016-06-02 21:23:59 +00:00
Julien Danjou
7f3725f810 Simplify & fix configuration file copy in setup.cfg
This is a follow-up patch for 5486f0ae4a14a35138687fe7b20b66d33c380112.

This simplifies the syntax as authorized by pbr, and makes sure that the
first value is a directory as expected.

Change-Id: I98fb657b9ca82515783060a07787658c9ecbeef2
2016-06-01 19:32:06 +00:00
Julien Danjou
5486f0ae4a Install necessary files in etc/
When installing Keystone e.g. in a virtualenv, no configuration files
are installed at all, making it impossible to run Keystone.

This patch solves that by carrying the necessary files as data_files.

Change-Id: I9bb94e73a8e0349a4f56a07dda5d657a2ac28ac1
2016-05-25 12:21:38 +02:00
Sean Perry
a12c254c3e Add Python 3 classification.
Change-Id: Ib2739bb4c1e722259acda43d66c5290ef562eaca
2016-05-20 19:29:58 +00:00
Sven Anderson
16d0cdba47 Let setup.py compile_catalog process all language files
Two years ago the translation files were split into several
files, separating the log messages of different log levels from each
other, like X.pot, X-log-warning.pot, X-log-info.pot, and so on.
However, the setup.py command `compile_catalogs`, that comes from the
babel package and compiles the corresponding .po files into .mo
files, only supported one file per python package.  This means that
during packaging `compile_catalogs` never compiled the X-log-*.po
files, so the corresponding translations were always missing.

Since babel 2.3 the domain can be set to a space separated list of
domains.  This change adds the additional log level files to the
domain list.

The obsolete check that .po and .pot files are valid is removed from
tox.ini.

Change-Id: I1f0bfb181e2b84ac6dd0ce61881cd2cc4400bdcb
Closes-Bug: #1536226
2016-05-20 17:55:27 +02:00
OpenStack Proposal Bot
7463a0cbce Updated from global requirements
Change-Id: Ic162a4ed28f2280de63a6ae1bcaac424a5badeb2
2016-05-18 12:06:32 -04:00
Morgan Fainberg
f6fdda62ae Use PyLDAP instead of python-ldap
For py3 compatibility use the pyldap library instead of python-ldap.

Change-Id: I01315fe6798eeebd7f5bf0c727dac780c9a1a12e
2016-05-18 02:38:34 -04:00
OpenStack Proposal Bot
f2b71ab464 Updated from global requirements
Change-Id: I69fe30527dafef97b9923651d79bbba0878f944e
2016-04-28 16:12:13 +00:00
Steve Martinelli
ac039414ce Remove eventlet support
Eventlet has been deprecated since the Kilo release and is
being removed in Newton.

A follow on patch will be proposed to remove the [ssl] section
since it is now redundant.

Co-Authored-By: Grzegorz Grasza <grzegorz.grasza@intel.com>
Partially implements: bp removed-as-of-newton

Change-Id: I963d94bbd188dbb6eba68623a42c5bc3f2289da4
2016-04-18 18:07:28 +00:00
Dina Belova
639e36adbf Integrate OSprofiler in Keystone
OSprofiler is an Oslo library dedicated to enable cross-service
OpenStack profiling. This makes it possible to trace the OpenStack
request through all projects supporting the library, where the
profiling is enabled, and generate JSON and HTML human-readable
reports, describing what time was spent on which operation, e.g.
API or DB request.

This change includes the following:

* Add settings for OSprofiler wsgi middleware
  This middleware is used for 2 things:
  1) It checks that the person who wants to trace is trusted and knows
     the secret HMAC key (that is specified in paste.ini).
  2) It initializes the profiler in case of proper trace headers
     and adds the first wsgi trace point, with info about the HTTP request.
* Init profiler on start in both cases (httpd or eventlet)
* Adding new conf group for profiler (to enable/disable)
* By default osprofiler is disabled

TBD:
* Adding trace point for all DB (sql) calls. For proper format and
result oslo.db enginefacade module needs to be updated.

To test (old variant, will be changed with new commit to the
python-openstackclient):

$ . amdminrc # you should be admin user/tenant to fetch profiling data
$ keystone --profile SECRET_KEY user-list
$ osprofiler trace show --html --out result.html <TRACE_ID>

Old python-keystoneclient change: https://review.openstack.org/#/c/114856/
Python-openstack client change: https://review.openstack.org/#/c/255861/

Depends-On: I248b134e0e245bd4cece0ebe225b9b729eedaf78
Change-Id: I3d6eaa7a5ab7ee9ae177f3e1d6cc92f0a01e6a42
2016-04-06 16:46:35 +03:00
Rodrigo Duarte
088393d521 Base for keystone tempest plugin
This patch adds the basic files and configs in order to enable the
keystone tempest plugin interface using tempest-plugin-cookiecutter.
Since we are adding them inside keystone's repository, they can be
installed alongside keystone and to run the tests (when we have one)
we simply use `testr run keystone_tempest_plugin` in tempest.

For more details about the tempest plugin interface see [1]

[1] http://docs.openstack.org/developer/tempest/plugin.html

Change-Id: Ia42e79246251e8af1010aa8eaf462aacf75644a7
Partially-Implements: bp keystone-tempest-plugin-tests
2016-03-31 11:41:13 -03:00
Doug Hellmann
16768058d0 register the config generator default hook with the right name
No config generator hooks should ever be registered with a name that
belongs to another project. In this case, using oslo.middleware.cors
means that *every other project* that loads the middleware gets this
application's defaults when the generator is run on a system with
everything installed (such as a dev box with devstack). Use the name
of the app instead, to ensure that the defaults are only set when this
app's sample config and documentation are being generated.

Change-Id: I6a8c7d44b9db9325003ff2fdb667b0ced7739e96
Signed-off-by: Doug Hellmann <doug@doughellmann.com>
2016-03-11 15:49:37 -05:00
OpenStack Proposal Bot
16b7a3d903 Updated from global requirements
Change-Id: Iba3f5d9c66ca84d74485387d2654193bed7bc5c5
2016-03-09 16:47:30 +00:00
Jenkins
f39ac2e8a8 Merge "Moved CORS middleware configuration into oslo-config-generator" 2016-03-01 14:43:16 +00:00
Ronald De Rose
b764a4daa0 Shadow users - Shadow federated users
"Shadow users: unified identity" implementation:
Federated users have an idp_id, protocol_id, display name,
and a unique ID asserted by the identity provider. These
are the minimal pieces of data required to identify
returning users and provide them with a consistent identity.

Note: the following work items left will be completed in a
separate patch:
* Allow concrete role assignments for federated users
* Shadowing LDAP users

bp shadow-users

Change-Id: Ieb582947038b4a75ef4237939ad8a90079b38aa8
2016-02-29 21:05:54 -05:00
Michael Krotscheck
3b8668ca04 Moved CORS middleware configuration into oslo-config-generator
Default values for CORS middleware have been moved from paste.ini
into oslo's config generator. All configuration options in use will
now live in one place.

Change-Id: I9d31c574de6af4c7598c90d7e128cd9fa7273672
2016-02-29 13:32:52 -08:00
werner mendizabal
900c2a6d0b Time-based One-time Password
Support TOTP as a distinct authentication mechanism from Password.

bp totp-auth

Co-Authored-By: David Stanek <dstanek@dstanek.com>
Change-Id: Ic0ccf89b9f35d3167a413b10f43be43cf892aead
2016-02-19 10:42:29 -08:00
jinxingfang
0de3245e6f Update the home page
http://www.openstack.org ---> http://docs.openstack.org/developer/keystone/

Change-Id: I2b6f7a33673434b05ff3e6c5b1a083e584c93610
2016-02-05 17:30:36 +08:00
OpenStack Proposal Bot
2a2638e4e2 Updated from global requirements
Change-Id: If30edc1ac8951892e75c1fd2531af99b131aa2ed
2016-02-04 18:55:22 +00:00
David Stanek
2896901691 Removed deprecated revoke KVS backend
it has been deprecated since the Icehouse release

bp: removed-as-of-mitaka
Change-Id: I988fcd1f823fa82b197b3ca2c322d64da296fc9a
2016-01-25 01:08:15 -08:00
Morgan Fainberg
d78fcc361e Remove LDAP Role Backend
The LDAP Role Backend has been removed without the normal deprecation
notice in-code; however, the Role backend was explicitly called out when
the deprecation announcement occurred[1] and was explicitly included
as part of the deprecation of "assignment"-based LDAP. The LDAP Role
backend is not very useful without the other parts of the assignment
backend that were deprecated and removed.

[1] http://lists.openstack.org/pipermail/openstack/2015-January/011337.html

Change-Id: I1bd02d5834814959a93601fe53f115d0f9cc08a8
bp: removed-as-of-mitaka
2016-01-19 21:27:42 -05:00
Morgan Fainberg
e6efbe62b8 Remove LDAP Resource and LDAP Assignment backends
LDAP Resource and LDAP Assignment backends have been slated for removal
in the Mitaka release. This patchset removes support for the deprecated
LDAP backends.

Change-Id: I848bf41022224fec65cd9555a6e82790b296dcbe
bp: removed-as-of-mitaka
2016-01-19 21:26:30 -05:00
David Stanek
b1b4350017 Removes KVS catalog backend
The templated backend relied on the KVS backend to implement some
functionality. The functionality (CRUD for endpoint, services, etc.) is
arguably incorrect since it won't actually change the contents of the
catalog. The read only methods have been fixed to use the templated data
and the write methods raise NotImplemented.

bp: removed-as-of-mitaka
Partial-Bug: #1077282
Closes-Bug: #1367113
Closes-Bug: #1269789
Change-Id: Iaa68b18f0b6d7e9f5dc0cbf7d21a3d90dcdc1ea4
2016-01-19 21:26:30 -05:00
OpenStack Proposal Bot
3198b67ced Updated from global requirements
Change-Id: I51dc1466729ca74f807a117995b2796a380209cb
2016-01-17 01:11:13 +00:00
zhang.lei
5fe12468cf Define paste entrypoints
Define filter factories so other projects can reference them by name
and can take advantage of the python egg instead of referencing
by the direct path.

Change-Id: I8f2b409e35b44323ef1a4488de5964a0f1bd7cdc
Closes-Bug: 1500509
2016-01-05 06:50:53 +00:00
Steve Martinelli
836c11cafc remove version from setup.cfg
Following the instructions that are provided in the mailing list [0].
We need to remove the version line from setup.cfg, as from now
on releases will be tagged using the release tools rather
than version being set in setup.cfg

[0] http://lists.openstack.org/pipermail/openstack-dev/2015-November/080692.html

Change-Id: I3be169b5cbc8040585486137dafaf6eafd16bc58
Depends-On: I658a63bdd47633ff35066e61e874c67a3ac02d92
2015-12-03 06:19:12 +00:00
Dave Chen
dafbf5b8b2 Move endpoint filter into keystone core
Remove endpoint_filter as an extension and move it to a core resource,
i.e. consolidate endpoint_filter extension into catalog.
For now we leave the database migrations in the extension directory;
this will be addressed in a separate patch.

DocImpact: Remove the endpoint_filter extension from keystone's
paste pipeline.
Co-Authored-By: Jamie Lennox <jamielennox@redhat.com>
Partially implements: bp move-extensions

Change-Id: Ib8969d584f6be053aaad6e6051fde5e3b7ef7485
2015-11-18 15:28:41 +00:00
Steve Martinelli
32b70d15c4 Move revoke extension into core
Remove revoke as an extension and move it to a core resource.
For now we leave the database migrations in the extension directory
until we have a general policy for merging these into core.

DocImpact: update keystone-paste and remove revoke from pipeline

Change-Id: I2d6f425a508b7acb4b4d079e4387f25bf7555683
Implements: bp move-extensions
2015-11-18 15:14:07 +00:00
Steve Martinelli
78e256273a Move oauth1 extension into core
Remove oauth1 as an extension and move it to a core resource.
For now we leave the database migrations in the extension directory
until we have a general policy for merging these into core.

DocImpact: update keystone-paste and remove oauth1 from pipeline

Change-Id: I0ed1ec44d42c3b379a5c2a40e3e6298842dfc01d
Implements: bp move-extensions
2015-11-18 15:13:40 +00:00
Steve Martinelli
cbefe7c7b8 Move federation extension into keystone core
Remove federation as an extension and move it to a core resource.
For now we leave the database migrations in the extension directory
until we have a general policy for merging these into core.

Some instances of federation constants were removed because
they were causing a circular dependency; these can be refactored in
a later patch.

DocImpact: You should no longer run the migrations for this extension
Implements: bp move-extensions

Co-Authored-By: Nithya Renganathan <narengan@us.ibm.com>

Change-Id: If5857a6ee4c7c527929069b25beab40f4c5d87e2
2015-11-18 15:11:30 +00:00
Steve Martinelli
64c491f932 Create a version package
There are files hanging around the top level directory that only
handle the versioning routes of keystone (/v2.0 and /v3).

These should be moved to their own package to further isolate
these APIs.

Closes-Bug: #1504892
DocImpact

Change-Id: Ica0ddcbeb6f7fc00a4ad3919fa16bf135637a607
2015-10-12 23:59:16 +00:00
Thierry Carrez
7f6a10dbb4 Open Mitaka development
Bump preversion to mark the start of the Mitaka development branch.
The liberty release branch will be cut from the previous commit.

Change-Id: I1ed49e0ba8dcd0c1211951742045e488bf3f5f87
2015-09-22 16:41:17 +02:00
OpenStack Proposal Bot
db6c7d9779 Updated from global requirements
Change-Id: I3676402795c3a5e276aca787c163d02bcd09cb0d
2015-09-15 14:15:00 +00:00
Jenkins
fa967420a0 Merge "Change mongodb extras to lowercase" 2015-08-29 02:44:07 +00:00
Jenkins
03e4cb62e9 Merge "Use entrypoints for paste middleware and apps" 2015-08-27 00:25:31 +00:00
Jenkins
bf98cc7c4f Merge "Use wsgi_scripts to create admin and public httpd files" 2015-08-27 00:08:11 +00:00
Brant Knudson
fab1cb6beb Change mongodb extras to lowercase
There's a bug[1] in setuptools where extra names with mixed case
aren't handled correctly. Rather than wait for a fix in setuptools
just change the name to lowercase.

[1] https://bitbucket.org/pypa/setuptools/issues/362/case-sensitive-extras-not-handled-for-dist

DocImpact

Related-Bug: 1479962
Change-Id: I605f1769d85eb18d24783ea25d4c6bedd27cb42d
2015-08-26 09:22:31 -05:00
David Stanek
4bda26a7e3 Use entrypoints for paste middleware and apps
This will allow us to get the code paths out of our paste.ini!

Change-Id: Ie361d1be7d01d0d2398f5fc528da3fe6170d1353
2015-08-19 19:59:48 +00:00
Brant Knudson
2d96d3467a Extras for bandit
Rather than put bandit in test-requirements.txt, put it in its
own section in [extras].

Change-Id: I53ac219ac8b7be077edb2a2ce5d4ed5f69d0a8e4
2015-08-18 09:40:05 -05:00
Brant Knudson
62058ae458 Use extras for memcache and MongoDB packages
This allows deployers to install packages that are required for
memcache and MongoDB using keystone['memcache'] and
keystone['MongoDB'], respectively.

Change-Id: Ie11a3017664015f1048cbedd5f727dd50f704055
Partial-Bug: 1479962
2015-08-18 09:38:58 -05:00
Brant Knudson
3624c2f5ad Use wsgi_scripts to create admin and public httpd files
The httpd/keystone.py file needed to be copied and then
symlinked when used by web servers to "admin" and "main".

pbr 1.4.0 added support for wsgi_scripts that creates scripts
for wsgi servers on install. Keystone will now specify
wsgi_scripts so that the admin (keystone-wsgi-admin) and
main (keystone-wsgi-public) scripts will be created on install.

See http://httpd.apache.org/docs/2.4/upgrading.html#access for
the apache docs with examples for the Allow/Deny/Require
directives.

DocImpact

Related-Bug: #1441733
Change-Id: Ic9c03e6c00408f3698c10012ca98cfc6ea9b6ace
2015-08-18 09:33:23 -05:00