0edf1fe46c
This commit implements credential encryption through the following changes: - additive schema change to store key hashes for credentials - database migration to encrypt all pre-existing credentials - contractive schema change to remove unencrypted credential column - added code to the credential Manager to handle credential encryption All credentials will be encrypted by default. There will not be a way to store unencrypted credentials in keystone from this point forward. Note that this implementation uses database triggers in the migration process. If operators use the traditional offline migration method, it would be more reliable if we didn't try to setup and tear down triggers, as they'll never be used anyway. This makes it so that expand and contract migrations can skip anything related to triggers. Co-Authored-By: Werner Mendizabal <nonameentername@gmail.com> bp credential-encryption Depends-On: I433da9a257daa21ec3b5996b2bca571211f1fbba Depends-On: Id3e8922adc154cfec5f7a36613e22eb0b49eeffe Change-Id: I31b7539db436ad270462cfaa3b14213e0ed1fc04
223 lines
7.0 KiB
INI
223 lines
7.0 KiB
INI
[metadata]
|
|
name = keystone
|
|
summary = OpenStack Identity
|
|
description-file =
|
|
README.rst
|
|
author = OpenStack
|
|
author-email = openstack-dev@lists.openstack.org
|
|
home-page = http://docs.openstack.org/developer/keystone/
|
|
classifier =
|
|
Environment :: OpenStack
|
|
Intended Audience :: Information Technology
|
|
Intended Audience :: System Administrators
|
|
License :: OSI Approved :: Apache Software License
|
|
Operating System :: POSIX :: Linux
|
|
Programming Language :: Python
|
|
Programming Language :: Python :: 2
|
|
Programming Language :: Python :: 2.7
|
|
Programming Language :: Python :: 3
|
|
Programming Language :: Python :: 3.4
|
|
Programming Language :: Python :: 3.5
|
|
|
|
[files]
|
|
packages =
|
|
keystone
|
|
keystone_tempest_plugin
|
|
|
|
[extras]
|
|
ldap =
|
|
pyldap>=2.4 # PSF
|
|
ldappool>=2.0.0 # MPL
|
|
memcache =
|
|
python-memcached>=1.56 # PSF
|
|
mongodb =
|
|
pymongo!=3.1,>=3.0.2 # Apache-2.0
|
|
bandit =
|
|
bandit>=1.1.0 # Apache-2.0
|
|
|
|
[global]
|
|
setup-hooks =
|
|
pbr.hooks.setup_hook
|
|
|
|
|
|
[egg_info]
|
|
tag_build =
|
|
tag_date = 0
|
|
tag_svn_revision = 0
|
|
|
|
[build_sphinx]
|
|
all_files = 1
|
|
build-dir = doc/build
|
|
source-dir = doc/source
|
|
|
|
[compile_catalog]
|
|
directory = keystone/locale
|
|
domain = keystone keystone-log-critical keystone-log-error keystone-log-info keystone-log-warning
|
|
|
|
[update_catalog]
|
|
domain = keystone
|
|
output_dir = keystone/locale
|
|
input_file = keystone/locale/keystone.pot
|
|
|
|
[extract_messages]
|
|
keywords = _ gettext ngettext l_ lazy_gettext
|
|
mapping_file = babel.cfg
|
|
output_file = keystone/locale/keystone.pot
|
|
copyright_holder = OpenStack Foundation
|
|
msgid_bugs_address = https://bugs.launchpad.net/keystone
|
|
|
|
[pbr]
|
|
# NOTE(jamielennox): warnerrors was not warning as it should and will be fixed
|
|
# in an upcoming PBR release, which means it may suddenly start warning and
|
|
# failing builds again. It's disabled until the release happens. Info:
|
|
# http://lists.openstack.org/pipermail/openstack-dev/2016-June/097849.html
|
|
#warnerrors = True
|
|
autodoc_tree_index_modules = True
|
|
|
|
[entry_points]
|
|
console_scripts =
|
|
keystone-manage = keystone.cmd.manage:main
|
|
|
|
wsgi_scripts =
|
|
keystone-wsgi-admin = keystone.server.wsgi:initialize_admin_application
|
|
keystone-wsgi-public = keystone.server.wsgi:initialize_public_application
|
|
|
|
keystone.assignment =
|
|
sql = keystone.assignment.backends.sql:Assignment
|
|
|
|
keystone.auth.external =
|
|
default = keystone.auth.plugins.external:DefaultDomain
|
|
DefaultDomain = keystone.auth.plugins.external:DefaultDomain
|
|
Domain = keystone.auth.plugins.external:Domain
|
|
|
|
keystone.auth.kerberos =
|
|
default = keystone.auth.plugins.external:KerberosDomain
|
|
|
|
keystone.auth.oauth1 =
|
|
default = keystone.auth.plugins.oauth1:OAuth
|
|
|
|
keystone.auth.openid =
|
|
default = keystone.auth.plugins.mapped:Mapped
|
|
|
|
keystone.auth.password =
|
|
default = keystone.auth.plugins.password:Password
|
|
|
|
keystone.auth.saml2 =
|
|
default = keystone.auth.plugins.mapped:Mapped
|
|
|
|
keystone.auth.token =
|
|
default = keystone.auth.plugins.token:Token
|
|
|
|
keystone.auth.totp =
|
|
default = keystone.auth.plugins.totp:TOTP
|
|
|
|
keystone.auth.x509 =
|
|
default = keystone.auth.plugins.mapped:Mapped
|
|
|
|
keystone.auth.mapped =
|
|
default = keystone.auth.plugins.mapped:Mapped
|
|
|
|
keystone.catalog =
|
|
sql = keystone.catalog.backends.sql:Catalog
|
|
templated = keystone.catalog.backends.templated:Catalog
|
|
endpoint_filter.sql = keystone.contrib.endpoint_filter.backends.catalog_sql:EndpointFilterCatalog
|
|
|
|
keystone.credential =
|
|
sql = keystone.credential.backends.sql:Credential
|
|
|
|
keystone.credential.provider =
|
|
fernet = keystone.credential.providers.fernet:Provider
|
|
|
|
keystone.identity =
|
|
ldap = keystone.identity.backends.ldap:Identity
|
|
sql = keystone.identity.backends.sql:Identity
|
|
|
|
keystone.identity.id_generator =
|
|
sha256 = keystone.identity.id_generators.sha256:Generator
|
|
|
|
keystone.identity.id_mapping =
|
|
sql = keystone.identity.mapping_backends.sql:Mapping
|
|
|
|
keystone.identity.shadow_users =
|
|
sql = keystone.identity.shadow_backends.sql:ShadowUsers
|
|
|
|
keystone.policy =
|
|
rules = keystone.policy.backends.rules:Policy
|
|
sql = keystone.policy.backends.sql:Policy
|
|
|
|
keystone.resource =
|
|
sql = keystone.resource.backends.sql:Resource
|
|
|
|
keystone.resource.domain_config =
|
|
sql = keystone.resource.config_backends.sql:DomainConfig
|
|
|
|
keystone.role =
|
|
sql = keystone.assignment.role_backends.sql:Role
|
|
|
|
keystone.token.persistence =
|
|
kvs = keystone.token.persistence.backends.kvs:Token
|
|
memcache = keystone.token.persistence.backends.memcache:Token
|
|
memcache_pool = keystone.token.persistence.backends.memcache_pool:Token
|
|
sql = keystone.token.persistence.backends.sql:Token
|
|
|
|
keystone.token.provider =
|
|
fernet = keystone.token.providers.fernet:Provider
|
|
uuid = keystone.token.providers.uuid:Provider
|
|
pki = keystone.token.providers.pki:Provider
|
|
pkiz = keystone.token.providers.pkiz:Provider
|
|
|
|
keystone.trust =
|
|
sql = keystone.trust.backends.sql:Trust
|
|
|
|
keystone.endpoint_filter =
|
|
sql = keystone.catalog.backends.sql:Catalog
|
|
|
|
keystone.endpoint_policy =
|
|
sql = keystone.endpoint_policy.backends.sql:EndpointPolicy
|
|
|
|
keystone.federation =
|
|
sql = keystone.federation.backends.sql:Federation
|
|
|
|
keystone.oauth1 =
|
|
sql = keystone.oauth1.backends.sql:OAuth1
|
|
|
|
keystone.revoke =
|
|
sql = keystone.revoke.backends.sql:Revoke
|
|
|
|
oslo.config.opts =
|
|
keystone = keystone.conf.opts:list_opts
|
|
|
|
oslo.config.opts.defaults =
|
|
keystone = keystone.conf:set_external_opts_defaults
|
|
|
|
paste.filter_factory =
|
|
admin_token_auth = keystone.middleware:AdminTokenAuthMiddleware.factory
|
|
build_auth_context = keystone.middleware:AuthContextMiddleware.factory
|
|
crud_extension = keystone.contrib.admin_crud:CrudExtension.factory
|
|
debug = oslo_middleware:Debug.factory
|
|
endpoint_filter_extension = keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory
|
|
ec2_extension = keystone.contrib.ec2:Ec2Extension.factory
|
|
ec2_extension_v3 = keystone.contrib.ec2:Ec2ExtensionV3.factory
|
|
federation_extension = keystone.contrib.federation.routers:FederationExtension.factory
|
|
json_body = keystone.middleware:JsonBodyMiddleware.factory
|
|
oauth1_extension = keystone.contrib.oauth1.routers:OAuth1Extension.factory
|
|
request_id = oslo_middleware:RequestId.factory
|
|
revoke_extension = keystone.contrib.revoke.routers:RevokeExtension.factory
|
|
s3_extension = keystone.contrib.s3:S3Extension.factory
|
|
simple_cert_extension = keystone.contrib.simple_cert:SimpleCertExtension.factory
|
|
sizelimit = oslo_middleware.sizelimit:RequestBodySizeLimiter.factory
|
|
token_auth = keystone.middleware:TokenAuthMiddleware.factory
|
|
url_normalize = keystone.middleware:NormalizingFilter.factory
|
|
user_crud_extension = keystone.contrib.user_crud:CrudExtension.factory
|
|
|
|
paste.app_factory =
|
|
admin_service = keystone.version.service:admin_app_factory
|
|
admin_version_service = keystone.version.service:admin_version_app_factory
|
|
public_service = keystone.version.service:public_app_factory
|
|
public_version_service = keystone.version.service:public_version_app_factory
|
|
service_v3 = keystone.version.service:v3_app_factory
|
|
|
|
tempest.test_plugins =
|
|
keystone_tests = keystone_tempest_plugin.plugin:KeystoneTempestPlugin
|
|
|