In an effort to make 'configuration.rst' less bloated, move
common cli examples to their own section. Changed the titling
so they are no longer subtitles of another section.
Change-Id: I2785cbe8563e5adcae65aebf88152a5e055c28a9
When deleting a domain group assignment while using a non-domain-aware
backend, such as LDAP, an AttributeError was being raised when trying
to find all the relevant tokens. This was due to a hangover from when
you had to pass domain scope to list_user_in_group(). This only
affected domain group grants; by luck, we got away with it for group
project grants.
Change-Id: I47b61886698232a7d3dfb4b502d61723cb0eb786
Closes-Bug: 1373113
Lots of lines that were well over 80 characters; several code
examples were missing code-block syntax. General inconsistencies
between what is actually available vs. what is documented.
Change-Id: I726e13aa7c333973cf92bbe1550b939c634db493
This is a performance update to ensure that we are scanning the fewest
number of rows on a user delete (causing token revocations). Without
these indexes it is possible to scan all valid tokens, causing
significant overhead, to find the user or trust matching tokens.
Due to selecting the extra column (needed for other matches in
some cases) this can also cause issues with buffer pool sizes.
Change-Id: I202b5c87a221d8dba99d16b0a1baa7546fef093b
Closes-Bug: 1332666
The architecture docs are very dated, and have several references
to tenants, PAM backends, and controllers that don't exist.
Change-Id: I85de743006e7df4fcf8ddbc3afc1a4bcd69583e6
Raise an AttributeError for lookup on 'token_provider_api' within the
__getattr__ on the keystone.token.persistence.core.Manager class. The
__getattr__ will be called on dependency injection process dependencies
and attempt to do a lookup on .token_provider_api, which results in
infinite recursion. If an AttributeError is raised, the dependency
processor will set the value correctly. Once the 'token_provider_api'
attribute is set, __getattr__ is no longer called, as the value is in
the instantiated object's __dict__.
Change-Id: I4af79f4568429dea27c1e11e5a77cefa5afc792c
Closes-Bug: #1373167
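The recursion trap this commit describes, shown as an added example rather than keystone's own code: a toy manager forwards unknown attributes to an injected `token_provider_api`; a probe of that name before injection re-enters `__getattr__` forever unless the guard raises AttributeError. `TokenProviderAPI`, `BrokenManager`, `FixedManager` and `inject` are constructed stand-ins, not keystone classes.

```python
class TokenProviderAPI:
    """Constructed stand-in for the dependency the injector provides."""

    def validate_token(self, token_id):
        return token_id == "good"


class BrokenManager:
    """Forwards unknown attributes to the injected token_provider_api.

    Before injection, looking up 'token_provider_api' misses normal lookup,
    lands in __getattr__, which reads self.token_provider_api, which lands
    in __getattr__ again: unbounded recursion.
    """

    def __getattr__(self, name):
        return getattr(self.token_provider_api, name)


class FixedManager:
    """Same forwarding, but the guard mirrors the commit's fix."""

    def __getattr__(self, name):
        if name == "token_provider_api":
            # Let the injector see a plain AttributeError instead of recursing.
            raise AttributeError(name)
        return getattr(self.token_provider_api, name)


def inject(manager, dependency):
    """Minimal dependency processor (assumption, not keystone's): it probes the
    attribute first, which is exactly the lookup that must not recurse."""
    if not hasattr(manager, "token_provider_api"):
        manager.token_provider_api = dependency
    return manager


def probe_recurses(manager_cls):
    """True if probing the not-yet-injected attribute blows the stack."""
    try:
        hasattr(manager_cls(), "token_provider_api")
    except RecursionError:
        return True
    return False


def injected_manager_works():
    """After injection the value sits in __dict__, so __getattr__ is bypassed
    for 'token_provider_api' and forwarding to the dependency works."""
    manager = inject(FixedManager(), TokenProviderAPI())
    in_dict = "token_provider_api" in vars(manager)
    return in_dict and manager.validate_token("good")


if __name__ == "__main__":
    print("broken recurses:", probe_recurses(BrokenManager))  # True
    print("fixed recurses:", probe_recurses(FixedManager))    # False
    print("fixed after injection:", injected_manager_works())  # True
```

`hasattr` only swallows AttributeError, so the guard is what turns the probe into a clean miss; any other name still forwards to the dependency once it has been set.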
Instead of CONF.federation.idp_metadata_path a
CONF.saml.idp_metadata_path should be used since it's a SAML specific
parameter.
Change-Id: I524b6a67abd110b13d8a5c38cdd9031eed771af3
Closes-Bug: #1372956
The LDAP backend, while generating the 'dn' for ldapadd operations,
does not add the id attribute to the attributes list.
While newer versions of LDAP servers support this operation,
older ones report an error, e.g. OpenLDAP 2.3.
This change set fixes that error by adding the required
attribute to the list to make it compatible with older
LDAP versions.
Change-Id: I1ed3f53d325eb280e036fbbf8e83d2e645db53cd
Closes-Bug: #1340041
This patchset adds a pool of memcache clients. This pool allows for reuse of
a client object, prevents too many client objects from being instantiated, and
maintains proper tracking of dead servers so as to limit delays
when a server (or all servers) becomes unavailable.
The new memcache pool backend is available either by being set as the memcache
backend or by using keystone.token.persistence.backends.memcache_pool.Token for
the Token memcache persistence driver.
[memcache]
servers = 127.0.0.1:11211
dead_retry = 300
socket_timeout = 3
pool_maxsize = 10
pool_unused_timeout = 60
Where:
- servers - comma-separated list of host:port pairs (was already there);
- dead_retry - number of seconds memcached server is considered dead
before it is tried again;
- socket_timeout - timeout in seconds for every call to a server;
- pool_maxsize - max total number of open connections in the pool;
- pool_unused_timeout - number of seconds a connection is held unused in
the pool before it is closed;
The new memcache pool backend can be used as the driver for the Keystone
caching layer. To use it as the caching driver, set
'keystone.cache.memcache_pool' as the value of the [cache]\backend option;
the other options are the same as above, but with a 'memcache_' prefix:
[cache]
backend = keystone.cache.memcache_pool
memcache_servers = 127.0.0.1:11211
memcache_dead_retry = 300
memcache_socket_timeout = 3
memcache_pool_maxsize = 10
memcache_pool_unused_timeout = 60
Co-Authored-By: Morgan Fainberg <morgan.fainberg@gmail.com>
Closes-bug: #1332058
Closes-bug: #1360446
Change-Id: I3544894482b30a47fcd4fac8948d03136fd83f14
There is no reason to run both the KSC Master test and a locally
specified keystoneclient. If the local keystoneclient path is set
only use the KcOptTestCase not the KcMasterTestCase.
Change-Id: Ib9a1e06b2e760a97e3318263b85631c436e23141
Closes-bug: #1371428
pysaml2 is only required for Keystone2Keystone federation. Due to code
structure, ``pysaml2`` needs to be installed in order to enable
federation extension. Since federation is an extension all the
dependencies are not in the requirements.txt file and will not be
installed by default. This patch updates federation docs adding
information that the library must be installed by hand.
Change-Id: Icc0b3b5cc0e22950a85bb58bbd3631c911be8621
For some LDAP backends, the enable attribute is not
directly set. Since we have a wrapper function in identity/core,
we can use that instead.
Adds tests that disabling trustor or trustee prevents
trust execution.
Closes-Bug: 1367952
Change-Id: I6d3c26e0e6e6c0d27ea7b910340fae5792eaceda
Keystone now defaults to n-cpu as the number of workers under eventlet, with
a minimum of 2 workers when auto-calculating the number.
This behavior can be overridden by changing the `admin_workers` and
`public_workers` configuration values in the Keystone config file.
Change-Id: I482cfef7ee14e995c6fb206bcef412957c54f491
Closes-Bug: #1371154
This is a module specific add rather than a full sync. The processutils
module will be used to determine the default number of workers for keystone
running under eventlet.
Processutils sync'd from oslo commit hash 6a60f84258
Change-Id: I6cbca7d54ca97cce962d3cc1131388840ddf9a7c
Related-Bug: #1371154
Apache 2.4 is becoming a more and more popular version of the HTTP server.
With its release, some options required for a proper Shibboleth Service
Provider have changed. This patch updates information about the ``ShibRequireAll``
option, which is no longer valid under Apache 2.4. It also adds a
documentation reference so users can read more about configuring Apache
Virtual Hosts along with the Shibboleth Service Provider.
Change-Id: Idbec6690fd1d75f078a6bdcaa6388b885387b45d
For an identity driver to be used with a domain-specific config file,
it must accept a ConfigOpts as an optional parameter. The ldap driver
already supported this, so this patch adds this to the sql driver.
The above change is trivial, but the rest of the patch is enhancing
our testing to validate this operation, as well as enforcing the
limitation listed below.
Limitation:
Currently Keystone only supports one SQL driver - this patch
does not change that. What it does enable is for that one SQL
driver to be assigned to a specific domain, as opposed to being just
a catch-all for domains without a specific configuration file.
This at least enables the (often requested) scenario of service users
to be stored in SQL in a predominantly LDAP installation.
Closes-Bug: 1217017
Change-Id: Ic531ebae28680fc518d8e036db516f5982241c40