This introduces the oslo health check middleware
http://docs.openstack.org/developer/oslo.middleware/healthcheck_plugins.html
into the pipelines. This middleware is useful for load balancers and
http servers, which can use it to validate that the keystone services are
operational. This middleware is being used in other services such as
glance and magnum. This patch provides it for keystone, in an effort to
spread the usage across all major projects.
This is one less item that operators will have to patch locally.
DocImpact
Change-Id: I19e4fc8f6c6a227068ba7191c1e9c453fc08f061
The new keystone upgrade features (keystone-manage db_sync --expand)
require, for MySQL deployments, that the keystone user is granted SUPER
privilege or that set global log_bin_trust_function_creators=1; is run.
Adding a warning message to notify the reader.
Change-Id: I78738a335d14c6ad824c348a7385bb1ee8ad75bf
Closes-Bug: 1638368
Looks like commit [1] accidentally renamed the file to something
nonsense. Rename it correctly this time.
[1] I2e6fde1696e44f1b9456737f7c643e757cd3b758
Change-Id: I6b32bb34482cdb65f344dc5c0e8ba531c2bda6af
Closes-Bug: 1639131
This will make automation with tools such as puppet easier, since
keystone-manage will enforce the ordering of expand and migrate.
Change-Id: Ic69b642cfd7b04ca012f1c91781c7f6335d0b747
The recent change [1] caused the removal of a certain class that
looked specific to PKI and PKIz testing and implementation, however,
actually was being used to test all supported token providers. This
caused a chunk of tests to simply not run at all and therefore be
overlooked. This change adds support for both UUID and Fernet so that
all tests are being run once again and for all available token
providers.
[1]: Icf1ebced44a675c88fb66a6c0431208ff5181574
Change-Id: I5365e2ed74ea55377729d0910cc2892d2bb8889c
This is the first step of several to remove PKI token support in
keystone. A large issue in removing PKI support is that support for the
revocation list must be maintained.
This patch removes support for the token format, its surrounding tests
and examples that are generated. Additionally, some wording has been
changed around the CLI and config options to make the distinction
between keys and certs used for PKI tokens and those used for getting
the revocation list (a list of tokens that are revoked, which is signed).
Future patches will:
- Remove the keystone-manage commands for generating certs
- Modify the revocation list (at /auth/tokens/OS-PKI/revoked) to return
a 403 if pki is not configured (instead of raising a 500). We cannot
remove the API as that would break an API contract.
- Options to configure PKI will be marked as deprecated
- If PKI is configured a normal signed list will be returned (same
behavior as today)
- Follow up patch to keystonemiddleware will make sure auth_token does
not rely on the revocation api at all.
Related-Bug: 1626778
Related-Bug: 1626779
Co-Authored-By: Boris Bobrov <bbobrov@mirantis.com>
bp removed-as-of-ocata
Change-Id: Icf1ebced44a675c88fb66a6c0431208ff5181574
Our documentation doesn't really provide a clear explanation for the
difference between ``[memcache]`` and ``[cache]`` in keystone's
configuration file.
This commit attempts to make this easier to understand for
deployers.
Change-Id: I77460220ef779fcdb16363a6da90898619afe467
Log some authentication issues that were not logged
before, but are still useful to be aware of when
diagnosing authentication issues.
Related-Bug #1595513
Change-Id: Ifca425eadba21cc8d4ff6f6e5c2376af6a1ddbe5
The v3 endpoint documentation /v3/auth/tokens/OS-PKI/revoked is missing
in /api-ref. This patch set adds the documentation for v3.
A separate patch set will be submitted for v2.
Change-Id: I3db3356d24cc8885012756016a90a0996fcf14f5
Partial-Bug: #1626778
This review creates the structure for the Devstack plugin and
prints to the console to ensure its execution in the gate.
Follow-up reviews will do more useful stuff like setting up
the environment for our functional testing (ldap, federation).
Change-Id: I820ae355ae8f3183fee2b8207e3c17e8bd10dc17
`user_attribute_ignore` and `group_attribute_ignore` are both needed
by the identity ldap backend to judge whether a specific attribute could
be returned for read user or group operations.
Closes-Bug: #1637135
Change-Id: If623e1e4d3c827d00f17203652f33b74ac138d62