openstack/keystone
Code Issues Proposed changes
OpenStack Identity (Keystone)
14,082 Commits 10 Branches 45 Tags 235 MiB
Python 99.5%
Shell 0.5%
52da4d0e12
Go to file
Guang Yee 52da4d0e12 implement system scope for application credential 
Implement system scopes, namely 'admin', 'reader', and 'member' for
the application credential API. Thus, making it consistent with other
system-scoped policy definitions.

For the application credential API, the follow policies will be enforced:

- system admin can fetch, list, lookup, and delete user's application
  credentials.
- system member and reader can only fetch, list, and lookup user's application
  credentials. Deleting a user's application credential other their own is
  strictly prohibitted.
- domain and project admins can no longer touch user's application credentials
  other their own.
- domain and project readers cannot touch user's application credentials
  other their own.
- domain and project members cannot touch user's application credentials
  other their own.
- create an application credential can only be done by the owner. No one else
  can create an application credential on behalf of another user.

Test cases are added to guard the above policy changes.

Change-Id: I26ee11571b6d0f700a5fe3a62ad2e8fc7f5316fe
Closes-Bug: 1818725
Closes-Bug: 1750615
2019-07-19 17:53:16 -07:00
api-ref/source [api-ref] Fix nocatalog description for unscoped token 2019-06-19 17:11:35 +08:00
config-generator Move policy generator config to config-generator/ 2017-04-21 21:47:32 +00:00
devstack Added keystone identity provider installation to Devstack plugin 2019-03-19 11:22:38 -04:00
doc Fix keystone document 2019-07-09 14:21:33 +05:30
etc DRY: Remove redundant policies from policy.v3cloudsample.json 2019-04-02 19:09:53 +00:00
examples/pki Remove support for PKI and PKIz tokens 2016-11-01 22:05:01 +00:00
httpd Remove admin interface in sample Apache file 2018-03-24 12:56:02 +01:00
keystone implement system scope for application credential 2019-07-19 17:53:16 -07:00
keystone_tempest_plugin Replace git.openstack.org URLs with opendev.org URLs 2019-04-24 11:51:00 +08:00
playbooks/legacy/keystone-dsvm-grenade-multinode OpenDev Migration Patch 2019-04-19 19:30:29 +00:00
rally-jobs fix rally docs url 2018-05-21 16:24:51 +08:00
releasenotes implement system scope for application credential 2019-07-19 17:53:16 -07:00
tools Fix E731 flake8 2019-06-19 17:40:01 +05:30
.coveragerc Change ignore-errors to ignore_errors 2015-09-21 14:27:58 +00:00
.gitignore Ignore .eggs dir as well 2018-07-04 12:39:20 +00:00
.gitreview OpenDev Migration Patch 2019-04-19 19:30:29 +00:00
.mailmap update mailmap with gyee's new email 2015-11-03 16:12:01 -08:00
.stestr.conf Migrate to stestr 2017-09-22 11:07:09 -05:00
.zuul.yaml Update Python 3 test runtimes for Train 2019-05-09 17:35:22 +08:00
babel.cfg setting up babel for i18n work 2012-06-21 18:03:09 -07:00
bindep.txt Fix bindep for SUSE 2019-02-14 16:50:33 +01:00
CONTRIBUTING.rst Use https for docs.openstack.org references 2017-01-30 16:05:08 -08:00
HACKING.rst Merge "Update links in keystone" 2017-10-06 16:10:56 +00:00
LICENSE Added Apache 2.0 License information. 2012-02-15 17:48:33 -08:00
lower-constraints.txt Implement system scope and default roles for token API 2019-06-17 15:57:51 +00:00
README.rst Replace git.openstack.org URLs with opendev.org URLs 2019-04-24 11:51:00 +08:00
requirements.txt Implement system scope and default roles for token API 2019-06-17 15:57:51 +00:00
setup.cfg Revert "Add JSON driver for access rules config" 2019-05-28 08:38:42 -07:00
setup.py Updated from global requirements 2017-03-06 01:10:37 +00:00
test-requirements.txt Use pycodestyle in place of pep8 2018-11-20 17:16:01 +00:00
tox.ini Merge "Add Python 3 Train unit tests" 2019-07-02 02:30:02 +00:00

README.rst

Team and repository tags

image

OpenStack Keystone

Keystone provides authentication, authorization and service discovery mechanisms via HTTP primarily for use by projects in the OpenStack family. It is most commonly deployed as an HTTP interface to existing identity systems, such as LDAP.

Developer documentation, the source of which is in doc/source/, is published at:

https://docs.openstack.org/keystone/latest

The API reference and documentation are available at:

https://developer.openstack.org/api-ref/identity

The canonical client library is available at:

https://opendev.org/openstack/python-keystoneclient

Documentation for cloud administrators is available at:

https://docs.openstack.org/

The source of documentation for cloud administrators is available at:

https://opendev.org/openstack/openstack-manuals

Information about our team meeting is available at:

https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting

Release notes is available at:

https://docs.openstack.org/releasenotes/keystone

Bugs and feature requests are tracked on Launchpad at:

https://bugs.launchpad.net/keystone

Future design work is tracked at:

https://specs.openstack.org/openstack/keystone-specs

Contributors are encouraged to join IRC (#openstack-keystone on freenode):

https://wiki.openstack.org/wiki/IRC

For information on contributing to Keystone, see CONTRIBUTING.rst.