The keystone federation documentation says to use the 'mapped' method
instead of the 'saml2' method[1]. However, that entrypoint was never
added, so trying to use it resulted in keystone not being able to load
its wsgi scripts and failing. This patch adds the entrypoint so that
keystone won't explode.
[1] http://docs.openstack.org/developer/keystone/federation/federated_identity.html#configuring-federation-in-keystone
Change-Id: I6dd8c219765728ecf01b50f35c3c0da3943f13b0
Since the Python 3.5 gate job builds cleanly now, we should claim
support for Python 3.5 in the metadata's classifier.
Change-Id: I215313560d6bb3501093c95870c12cde1f11b5a5
PBR's warnerrors is supposed to fail a build job when warnings are
present in the documentation. Unfortunately that hasn't been working for
a while.
With an upcoming release of PBR this flag will be fixed and any
warnings will fail docs jobs again. There is therefore a coordinated
effort to disable this flag until the PBR release has been completed and
requirements updated. After which time we can reenable the flag and
ensure docs build successfully.
http://lists.openstack.org/pipermail/openstack-dev/2016-June/097849.html
Change-Id: I0043518bdd09d2b2db5be48a942ae91ffc74a524
keystone.common.config is 1200+ lines of super dense, merge-conflict
prone, difficult to navigate, and finicky to maintain code. Let's follow
nova's lead and break it down into more manageable modules.
This patch creates a new Python package, keystone.conf, and moves all of
our configuration options into it, mirroring nova's nova.conf package.
There are a couple special modules in keystone.conf introduced here as
well:
- keystone.conf.__init__: This causes all of Keystone's options to be
  registered on import, so consumers of keystone.conf don't have
  races with config initialization code while trying to use
  oslo_config.cfg.CONF directly (keystone.conf replaces all uses for
  oslo_config.cfg.CONF in keystone).
- keystone.conf.base: Keystone's [DEFAULT] group options. I'd prefer
  this to be called 'default.py', but I'm just copying nova's lead here.
- keystone.conf.opts: The entry point for oslo.config itself.
- keystone.conf.constants: There are a few constants (deprecation
  messages, default paths, etc) that are used by multiple configuration
  modules, so they need to live in a common place.
Change-Id: Ia3daffe3fef111b42de203762e966cd14d8927e2
This reverts commit 5486f0ae4a14a35138687fe7b20b66d33c380112.
The files installed this way are installed in /usr/etc when
running PBR in the context of distros.
Change-Id: I192864675a8b34082e34f60caac770da76ca02aa
These are basically the only configuration options in keystone defined
outside of keystone/common/config.py, so the only goal here is to
centralize them into one place.
Change-Id: I1369fd7835b31e57a094d07deb6a1aacc1d314b5
This is a follow-up patch for 5486f0ae4a14a35138687fe7b20b66d33c380112.
This simplifies the syntax as authorized by pbr, and makes sure that the
first value is a directory as expected.
Change-Id: I98fb657b9ca82515783060a07787658c9ecbeef2
When installing Keystone e.g. in a virtualenv, no configuration files
are installed at all, making it impossible to run Keystone.
This patch solves that by carrying the necessary files as data_files.
Change-Id: I9bb94e73a8e0349a4f56a07dda5d657a2ac28ac1
Two years ago the translation files were split into several
files, separating the log messages of different log levels from each
other, like X.pot, X-log-warning.pot, X-log-info.pot, and so on.
However, the setup.py command `compile_catalogs`, that comes from the
babel package and compiles the corresponding .po files into .mo
files, only supported one file per python package. This means that
during packaging `compile_catalogs` never compiled the X-log-*.po
files, so the corresponding translations were always missing.
Since babel 2.3 the domain can be set to a space separated list of
domains. This change adds the additional log level files to the
domain list.
The obsolete check that .po and .pot files are valid is removed from
tox.ini.
Change-Id: I1f0bfb181e2b84ac6dd0ce61881cd2cc4400bdcb
Closes-Bug: #1536226
Eventlet has been deprecated since the Kilo release and is
being removed in Newton.
A follow on patch will be proposed to remove the [ssl] section
since it is now redundant.
Co-Authored-By: Grzegorz Grasza <grzegorz.grasza@intel.com>
Partially implements: bp removed-as-of-newton
Change-Id: I963d94bbd188dbb6eba68623a42c5bc3f2289da4
OSprofiler is an Oslo library dedicated to enable cross-service
OpenStack profiling. This makes it possible to trace the OpenStack
request through all projects supporting the library, where the
profiling is enabled, and generate JSON and HTML human-readable
reports, describing what time was spent on which operation, e.g.
API or DB request.
This change includes the following:
* Add settings for OSprofiler wsgi middleware
  This middleware is used for 2 things:
  1) It checks that the person who wants to trace is trusted and knows
     the secret HMAC key (that is specified in paste.ini).
  2) It initializes the profiler in case of proper trace headers
     and adds the first wsgi trace point, with info about HTTP request.
* Init profiler on start in both cases (httpd or eventlet)
* Adding new conf group for profiler (to enable/disable)
* By default osprofiler is disabled
TBD:
* Adding trace point for all DB (sql) calls. For proper format and
  result oslo.db enginefacade module needs to be updated.
To test (old variant, will be changed with new commit to the
python-openstackclient):
$ . amdminrc # you should be admin user/tenant to fetch profiling data
$ keystone --profile SECRET_KEY user-list
$ osprofiler trace show --html --out result.html <TRACE_ID>
Old python-keystoneclient change: https://review.openstack.org/#/c/114856/
Python-openstack client change: https://review.openstack.org/#/c/255861/
Depends-On: I248b134e0e245bd4cece0ebe225b9b729eedaf78
Change-Id: I3d6eaa7a5ab7ee9ae177f3e1d6cc92f0a01e6a42
This patch adds the basic files and configs in order to enable the
keystone tempest plugin interface using tempest-plugin-cookiecutter.
Since we are adding them inside keystone's repository, they can be
installed alongside keystone and to run the tests (when we have one)
we simply use `testr run keystone_tempest_plugin` in tempest.
For more details about the tempest plugin interface see [1]
[1] http://docs.openstack.org/developer/tempest/plugin.html
Change-Id: Ia42e79246251e8af1010aa8eaf462aacf75644a7
Partially-Implements: bp keystone-tempest-plugin-tests
No config generator hooks should ever be registered with a name that
belongs to another project. In this case, using oslo.middleware.cors
means that *every other project* that loads the middleware gets this
application's defaults when the generator is run on a system with
everything installed (such as a dev box with devstack). Use the name
of the app instead, to ensure that the defaults are only set when this
app's sample config and documentation are being generated.
Change-Id: I6a8c7d44b9db9325003ff2fdb667b0ced7739e96
Signed-off-by: Doug Hellmann <doug@doughellmann.com>
"Shadow users: unified identity" implementation:
Federated users have a idp_id, protocol_id, display name,
and a unique ID asserted by the identity provider. These
are the minimal pieces of data required to identify
returning users and provide them with a consistent identity.
Note: the following work items left will be completed in a
separate patch:
* Allow concrete role assignments for federated users
* Shadowing LDAP users
bp shadow-users
Change-Id: Ieb582947038b4a75ef4237939ad8a90079b38aa8
Default values for CORS middleware have been moved from paste.ini
into oslo's config generator. All configuration options in use will
now live in one place.
Change-Id: I9d31c574de6af4c7598c90d7e128cd9fa7273672
Support TOTP as a distinct authentication mechanism from Password.
bp totp-auth
Co-Authored-By: David Stanek <dstanek@dstanek.com>
Change-Id: Ic0ccf89b9f35d3167a413b10f43be43cf892aead
The LDAP Role Backend has been removed without the normal deprecation
notice in-code; however, the Role backend was explicitly called out when
the deprecation announcement occurred[1] and was explicitly included
as part of the deprecation of "assignment"-based LDAP. The LDAP Role
backend is not very useful without the other parts of the assignment
backend that were deprecated and removed.
[1] http://lists.openstack.org/pipermail/openstack/2015-January/011337.html
Change-Id: I1bd02d5834814959a93601fe53f115d0f9cc08a8
bp: removed-as-of-mitaka
LDAP Resource and LDAP Assignment backends have been slated for removal
in the Mitaka release. This patchset removes support for the deprecated
LDAP backends.
Change-Id: I848bf41022224fec65cd9555a6e82790b296dcbe
bp: removed-as-of-mitaka
The templated backend relied on the KVS backend to implement some
functionality. The functionality (CRUD for endpoint, services, etc.) is
arguably incorrect since it won't actually change the contents of the
catalog. The read only methods have been fixed to use the templated data
and the write methods raise NotImplemented.
bp: removed-as-of-mitaka
Partial-Bug: #1077282
Closes-Bug: #1367113
Closes-Bug: #1269789
Change-Id: Iaa68b18f0b6d7e9f5dc0cbf7d21a3d90dcdc1ea4
Define filter factories so other projects can reference them by name
and can take advantage of the python egg instead of referencing
by the direct path.
Change-Id: I8f2b409e35b44323ef1a4488de5964a0f1bd7cdc
Closes-Bug: 1500509
Following the instructions that are provided in the mailing list [0].
We need to remove the version line from setup.cfg, as from now
on releases will be tagged using the release tools rather
than version being set in setup.cfg
[0] http://lists.openstack.org/pipermail/openstack-dev/2015-November/080692.html
Change-Id: I3be169b5cbc8040585486137dafaf6eafd16bc58
Depends-On: I658a63bdd47633ff35066e61e874c67a3ac02d92
Remove endpoint_filter as an extension and move it to a core resource,
i.e. consolidate endpoint_filter extension into catalog.
For now we leave the database migrations in the extension directory,
this will be addressed in a separate patch.
DocImpact: Remove the endpoint_filter extension from keystone's
paste pipeline.
Co-Authored-By: Jamie Lennox <jamielennox@redhat.com>
Partially implements: bp move-extensions
Change-Id: Ib8969d584f6be053aaad6e6051fde5e3b7ef7485
Remove revoke as an extension and move it to a core resource.
For now we leave the database migrations in the extension directory
until we have a general policy for merging these into core.
DocImpact: update keystone-paste and remove revoke from pipeline
Change-Id: I2d6f425a508b7acb4b4d079e4387f25bf7555683
Implements: bp move-extensions
Remove oauth1 as an extension and move it to a core resource.
For now we leave the database migrations in the extension directory
until we have a general policy for merging these into core.
DocImpact: update keystone-paste and remove oauth1 from pipeline
Change-Id: I0ed1ec44d42c3b379a5c2a40e3e6298842dfc01d
Implements: bp move-extensions
Remove federation as an extension and move it to a core resource.
For now we leave the database migrations in the extension directory
until we have a general policy for merging these into core.
Some instances of federation constants were removed because
they were causing a circular dependency, these can be refactored in
a later patch.
DocImpact: You should no longer run the migrations for this extension
Implements: bp move-extensions
Co-Authored-By: Nithya Renganathan <narengan@us.ibm.com>
Change-Id: If5857a6ee4c7c527929069b25beab40f4c5d87e2
There are files hanging around the top level directory that only
handle the versioning routes of keystone (/v2.0 and /v3).
These should be moved to their own package to further isolate
these APIs.
Closes-Bug: #1504892
DocImpact
Change-Id: Ica0ddcbeb6f7fc00a4ad3919fa16bf135637a607
Bump preversion to mark the start of the Mitaka development branch.
The liberty release branch will be cut from the previous commit.
Change-Id: I1ed49e0ba8dcd0c1211951742045e488bf3f5f87
This allows deployers to install packages that are required for
memcache and MongoDB using keystone['memcache'] and
keystone['MongoDB'], respectively.
Change-Id: Ie11a3017664015f1048cbedd5f727dd50f704055
Partial-Bug: 1479962
The httpd/keystone.py file needed to be copied and then
symlinked when used by web servers to "admin" and "main".
pbr 1.4.0 added support for wsgi_scripts that creates scripts
for wsgi servers on install. Keystone will now specify
wsgi_scripts so that the admin (keystone-wsgi-admin) and
main (keystone-wsgi-public) scripts will be created on install.
See http://httpd.apache.org/docs/2.4/upgrading.html#access for
the apache docs with examples for the Allow/Deny/Require
directives.
DocImpact
Related-Bug: #1441733
Change-Id: Ic9c03e6c00408f3698c10012ca98cfc6ea9b6ace