keystone/setup.cfg
Lance Bragstad 0edf1fe46c Implement encryption of credentials at rest
This commit implements credential encryption through the following changes:

 - additive schema change to store key hashes for credentials
 - database migration to encrypt all pre-existing credentials
 - contractive schema change to remove unencrypted credential column
 - added code to the credential Manager to handle credential encryption

All credentials will be encrypted by default. There will not be a way to store
unencrypted credentials in keystone from this point forward.

Note that this implementation uses database triggers in the migration process.
If operators use the traditional offline migration method, it would be more
reliable if we didn't try to set up and tear down triggers, as they'll never be
used anyway. This makes it so that expand and contract migrations can skip
anything related to triggers.

Co-Authored-By: Werner Mendizabal <nonameentername@gmail.com>

bp credential-encryption

Depends-On: I433da9a257daa21ec3b5996b2bca571211f1fbba
Depends-On: Id3e8922adc154cfec5f7a36613e22eb0b49eeffe
Change-Id: I31b7539db436ad270462cfaa3b14213e0ed1fc04
2016-09-02 04:25:49 +00:00


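# Package metadata read by pbr (see [global] setup-hooks below).
# Multi-line values must be continuation lines indented under their key;
# configparser rejects an unindented bare line such as "README.rst".
[metadata]
name = keystone
summary = OpenStack Identity
description-file =
    README.rst
author = OpenStack
author-email = openstack-dev@lists.openstack.org
home-page = http://docs.openstack.org/developer/keystone/
# Trove classifiers; keep the Python versions in step with what is tested.
classifier =
    Environment :: OpenStack
    Intended Audience :: Information Technology
    Intended Audience :: System Administrators
    License :: OSI Approved :: Apache Software License
    Operating System :: POSIX :: Linux
    Programming Language :: Python
    Programming Language :: Python :: 2
    Programming Language :: Python :: 2.7
    Programming Language :: Python :: 3
    Programming Language :: Python :: 3.4
    Programming Language :: Python :: 3.5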
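# Top-level packages shipped in the distribution (continuation lines indented
# so configparser treats them as one multi-line value).
[files]
packages =
    keystone
    keystone_tempest_plugin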
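# Optional dependency groups (pip install keystone[ldap] etc.).
# The trailing "# <license>" tags are OpenStack's license annotations; the
# requirement parser treats " #" as a comment, so they never reach pip.
# NOTE(review): if the build tooling is changed, confirm the new parser still
# strips these tags, otherwise the specifiers become invalid.
[extras]
ldap =
    pyldap>=2.4 # PSF
    ldappool>=2.0.0 # MPL
memcache =
    python-memcached>=1.56 # PSF
mongodb =
    pymongo!=3.1,>=3.0.2 # Apache-2.0
bandit =
    bandit>=1.1.0 # Apache-2.0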
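# Hands setup() over to pbr, which reads [metadata], [files], [extras] and
# [entry_points] from this file.
[global]
setup-hooks =
    pbr.hooks.setup_hook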
# setuptools egg_info: all version tagging disabled (pbr computes the version
# itself from git metadata).
[egg_info]
tag_build =
tag_date = 0
tag_svn_revision = 0
# Sphinx build_sphinx command: rebuild every file, not only changed ones.
[build_sphinx]
all_files = 1
build-dir = doc/build
source-dir = doc/source
# Babel compile_catalog: compiles .po files for each listed translation domain
# (domains are space separated; one per log level plus the main domain).
[compile_catalog]
directory = keystone/locale
domain = keystone keystone-log-critical keystone-log-error keystone-log-info keystone-log-warning
# Babel update_catalog: merges the .pot template into the per-language .po
# files under output_dir.
[update_catalog]
domain = keystone
output_dir = keystone/locale
input_file = keystone/locale/keystone.pot
# Babel extract_messages: collects translatable strings into the .pot template.
# keywords lists the function names treated as translation markers; the
# extraction rules themselves live in babel.cfg.
[extract_messages]
keywords = _ gettext ngettext l_ lazy_gettext
mapping_file = babel.cfg
output_file = keystone/locale/keystone.pot
copyright_holder = OpenStack Foundation
msgid_bugs_address = https://bugs.launchpad.net/keystone
# pbr-specific options.
[pbr]
# NOTE(jamielennox): warnerrors was not warning as it should and will be fixed
# in an upcoming PBR release, which means it may suddenly start warning and
# failing builds again. It's disabled until the release happens. Info:
# http://lists.openstack.org/pipermail/openstack-dev/2016-June/097849.html
#warnerrors = True
# Have pbr generate Sphinx autodoc index stubs for the package tree.
autodoc_tree_index_modules = True
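# setuptools entry points. Each "keystone.*" namespace is a driver or plugin
# family; the short name on the left of each line is the value an operator
# writes in keystone.conf to select that implementation. Continuation lines
# are indented so configparser keeps each list as one multi-line value.
[entry_points]
console_scripts =
    keystone-manage = keystone.cmd.manage:main
wsgi_scripts =
    keystone-wsgi-admin = keystone.server.wsgi:initialize_admin_application
    keystone-wsgi-public = keystone.server.wsgi:initialize_public_application
keystone.assignment =
    sql = keystone.assignment.backends.sql:Assignment
# Authentication method plugins; one namespace per auth method name.
keystone.auth.external =
    default = keystone.auth.plugins.external:DefaultDomain
    DefaultDomain = keystone.auth.plugins.external:DefaultDomain
    Domain = keystone.auth.plugins.external:Domain
keystone.auth.kerberos =
    default = keystone.auth.plugins.external:KerberosDomain
keystone.auth.oauth1 =
    default = keystone.auth.plugins.oauth1:OAuth
keystone.auth.openid =
    default = keystone.auth.plugins.mapped:Mapped
keystone.auth.password =
    default = keystone.auth.plugins.password:Password
keystone.auth.saml2 =
    default = keystone.auth.plugins.mapped:Mapped
keystone.auth.token =
    default = keystone.auth.plugins.token:Token
keystone.auth.totp =
    default = keystone.auth.plugins.totp:TOTP
keystone.auth.x509 =
    default = keystone.auth.plugins.mapped:Mapped
keystone.auth.mapped =
    default = keystone.auth.plugins.mapped:Mapped
keystone.catalog =
    sql = keystone.catalog.backends.sql:Catalog
    templated = keystone.catalog.backends.templated:Catalog
    endpoint_filter.sql = keystone.contrib.endpoint_filter.backends.catalog_sql:EndpointFilterCatalog
keystone.credential =
    sql = keystone.credential.backends.sql:Credential
# Credential-at-rest encryption providers, introduced by this change. fernet is
# the only provider and there is no plaintext alternative, so every stored
# credential goes through it (see the commit message).
keystone.credential.provider =
    fernet = keystone.credential.providers.fernet:Provider
keystone.identity =
    ldap = keystone.identity.backends.ldap:Identity
    sql = keystone.identity.backends.sql:Identity
keystone.identity.id_generator =
    sha256 = keystone.identity.id_generators.sha256:Generator
keystone.identity.id_mapping =
    sql = keystone.identity.mapping_backends.sql:Mapping
keystone.identity.shadow_users =
    sql = keystone.identity.shadow_backends.sql:ShadowUsers
keystone.policy =
    rules = keystone.policy.backends.rules:Policy
    sql = keystone.policy.backends.sql:Policy
keystone.resource =
    sql = keystone.resource.backends.sql:Resource
keystone.resource.domain_config =
    sql = keystone.resource.config_backends.sql:DomainConfig
keystone.role =
    sql = keystone.assignment.role_backends.sql:Role
keystone.token.persistence =
    kvs = keystone.token.persistence.backends.kvs:Token
    memcache = keystone.token.persistence.backends.memcache:Token
    memcache_pool = keystone.token.persistence.backends.memcache_pool:Token
    sql = keystone.token.persistence.backends.sql:Token
# Token format providers; the active one is chosen by the token provider
# option in keystone.conf.
keystone.token.provider =
    fernet = keystone.token.providers.fernet:Provider
    uuid = keystone.token.providers.uuid:Provider
    pki = keystone.token.providers.pki:Provider
    pkiz = keystone.token.providers.pkiz:Provider
keystone.trust =
    sql = keystone.trust.backends.sql:Trust
keystone.endpoint_filter =
    sql = keystone.catalog.backends.sql:Catalog
keystone.endpoint_policy =
    sql = keystone.endpoint_policy.backends.sql:EndpointPolicy
keystone.federation =
    sql = keystone.federation.backends.sql:Federation
keystone.oauth1 =
    sql = keystone.oauth1.backends.sql:OAuth1
keystone.revoke =
    sql = keystone.revoke.backends.sql:Revoke
# oslo.config sample-generation hooks.
oslo.config.opts =
    keystone = keystone.conf.opts:list_opts
oslo.config.opts.defaults =
    keystone = keystone.conf:set_external_opts_defaults
# Paste middleware factories referenced by name from the paste pipeline.
# NOTE(review): admin_token_auth (shared-secret bootstrap authentication) and
# debug (request/response dumping) are meant for bootstrap and development
# pipelines; confirm production pipelines do not load them.
paste.filter_factory =
    admin_token_auth = keystone.middleware:AdminTokenAuthMiddleware.factory
    build_auth_context = keystone.middleware:AuthContextMiddleware.factory
    crud_extension = keystone.contrib.admin_crud:CrudExtension.factory
    debug = oslo_middleware:Debug.factory
    endpoint_filter_extension = keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory
    ec2_extension = keystone.contrib.ec2:Ec2Extension.factory
    ec2_extension_v3 = keystone.contrib.ec2:Ec2ExtensionV3.factory
    federation_extension = keystone.contrib.federation.routers:FederationExtension.factory
    json_body = keystone.middleware:JsonBodyMiddleware.factory
    oauth1_extension = keystone.contrib.oauth1.routers:OAuth1Extension.factory
    request_id = oslo_middleware:RequestId.factory
    revoke_extension = keystone.contrib.revoke.routers:RevokeExtension.factory
    s3_extension = keystone.contrib.s3:S3Extension.factory
    simple_cert_extension = keystone.contrib.simple_cert:SimpleCertExtension.factory
    sizelimit = oslo_middleware.sizelimit:RequestBodySizeLimiter.factory
    token_auth = keystone.middleware:TokenAuthMiddleware.factory
    url_normalize = keystone.middleware:NormalizingFilter.factory
    user_crud_extension = keystone.contrib.user_crud:CrudExtension.factory
# Paste application factories for the admin/public/v3 WSGI apps.
paste.app_factory =
    admin_service = keystone.version.service:admin_app_factory
    admin_version_service = keystone.version.service:admin_version_app_factory
    public_service = keystone.version.service:public_app_factory
    public_version_service = keystone.version.service:public_version_app_factory
    service_v3 = keystone.version.service:v3_app_factory
# Tempest plugin registration for the in-tree tempest tests.
tempest.test_plugins =
    keystone_tests = keystone_tempest_plugin.plugin:KeystoneTempestPlugin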