When is_domain is false, the project must contain a valid
domain_id and parent_id. We check the domain_id specified
is consistent with the domain of its parent.
The log messages is not very clear, this patch optimize it.
Change-Id: Ie83d295f036f94d36c9dfa88ae03e074cdfd9810
This change breaks the get-started-identity, keystone-users,
and keystone-openrc pages into multiple copies for each distribution
release in the keystone install guides. Before this change, sphinx
would not render the links correctly and these pages would be skipped
in both the RDO and Ubuntu guides.
To avoid unneccessary duplication of the same text, the files were
moved into common/ and are simply included into the newly created
files for each release.
Change-Id: I7b478504f1e68034ea993c0214705045da86bb6e
Closes-Bug: #1712335
This was discussed in today's keystone meeting. It was decided that
there should be some more clarification around release notes and how
to update them.
Change-Id: I4a06fda76dc8589a755438ccc12bc0bf2f575dcb
This was merged without a link to the bug that it fixed. This should
be backported to stable/pike so that it's rendered properly in the
release notes.
Change-Id: I7230b48ba232f3f6807689f82efda4a010924d1c
_trustor_trustee_only has been called in function
TrustV3::get_trust. It is not necessary to be called again.
Change-Id: Ice93b826fef4616801fd02bcf8175b7c8dc11839
If a method is defined with kwargs it should be called with
kwargs. Calling a method that has specified kwargs with positional
arguments is fragile and should be avoided. It leaves the caller
open to breakages if the method signature of the callee ever changes.
If the callee's signature changes, it requires the callers to be
updated, even if they aren't using the new functionality or if the
argument doesn't apply to them.
This change applies that practice to parts of the assignment API.
This will make it easier to reuse the existing assignment driver to
implement global role assignments.
bp global-roles
Change-Id: I0a228ec25cd88f456cacd5824082f1b322e0262d
We were using a one-liner to prune duplicate role references from a
list of roles, but it didn't work in all cases. This reworks the
logic to pass the existing test case. I also added a comment
explaining why the logic we used previously doesn't work so we can
hopefully avoid the pattern in the future.
Change-Id: Id786d6463364ad8f4f02c22bb83221baac4b83d0
Closes-Bug: 1701324
Two reasons for adding this step:
1. The title of this chapter named “Create a domain, projects, users,
and roles”,but there is no step to introduce how to create a
domain.
2. Explain to users where the domain 'default' comes from because the
default domain is used in later steps.
Change-Id: I5b627ce15f94f18fd538866a32b84e540090bfff
Closes-Bug: 1707130
Due to MySQL (in some versions) not storing datetime resolution below
one second, keystone occasionally ends up with weird behavior such as
a New password not being valid. The password created at and expires at
columns now store both datetime (for rolling upgrades) and integers.
Keystone from Pike and beyond leans on the new created_at_int column
and expires_at_int column.
Change-Id: I2c219b4b9b353f1e2cce6088849a773196f0e443
Closes-Bug: #1702211
This change has been implemented to avoid the need to backport
signficantly impactful Foreign Key dropping backports.
Resource is highly relational data and it makes sense to allow the
use of FKs from other subsystems to project/domains.
Change-Id: Ic3831d1c7ae41fe4d406d60a013770cc1258584f
Previously, the default behavior for the callback that unset
default project ids was to only call the method for the default
domain's identity driver. This meant that when a project was deleted,
only the default identity backend would have references to that
project removed. This means it would be possible for other identity
backends to still have references to a project that doesn't exist
because the callback wasn't invoked for that specific backend.
This commit ensures each backend clears project id from a user's
default_project_id attribute when a project is deleted.
Change-Id: Ibb5396f20101a3956fa91d6ff68155d4c00ab0f9
Closes-Bug: 1705072
This adds a section within the index file that describes what a
relationship link is and what it is used for in terms of each
operation within keystone. There will be a relationships section
in both v3 and v3-ext.
This should help clarify any confusion that may arise when a user is
viewing the api-ref about what the relationship links are.
Change-Id: I9c6b7959ed6ea682c565c515af0cf509b6a64e5d
Closes-Bug: #1674676
With the docs migration and re-arrangement, some docs
have been shifted to new places, however the referenced
links are still old. Some of them give 404 error or
just point to the home page. This patch fixes those URLs.
Change-Id: Ie6b18ab3d4aa346dac8436dd426277fee4f07fcd
Listing projects and domains for a user based on their role
assignments was noted as being really slow, especially when users
have a lot of assignments. This commit implements caching to mitigate
the issue while we continue to investigate ways to speed up the
assignment API.
Change-Id: I72e398c65f01aa4f9a37f817d184a13ed01089ce
Closes-Bug: 1700852
The controller is responsible for listing user projects based on role
assignments and would build a hints objects and pass it to the
assignment manager. This is a common pattern used across keystone's
APIs. But, the assignment API never actually passed the hints objects
to the backend implementation.
This commit removes the hints from being passed to the manager for
list_projects_for_user and list_domains_for_user because those
APIs never use the hints object. This should allow us to implement
caching to speed up those calls later.
Change-Id: I9b1c8c30ca6a78dd6e78add7de278e467ceea046
Related-Bug: 1700852
