d2cc4c83c0
This commit removes user policies from policy.v3cloudsample.json. By incorporating system-scope, domain-scope, project-scope, and default roles, we've effectively made these policies obsolete. We can simplify what we maintain and provide a more consistent, unified view of default user behavior by removing them.

This commit also adds an important filter to the GET /v3/users API by making sure the users in the response are filtered properly if the API was called with a domain-scoped token. This is needed in case domain configuration isn't set up and short-circuits normalization of the domain ID, which sometimes comes from the token if it is domain-scoped. Regardless of domain configuration being used, we should protect against cases where data leaks across domains in the name of security.

Finally, this commit moves a couple of tests from test_v3_protection to test_users protection tests that ensure we do reasonable filtering while normalizing domain IDs. The remaining tests from test_v3_protection have been removed because they are no longer applicable. These tests were testing that an HTTP 403 was returned when domain users attempted to filter users for domains they didn't have authorization on. We don't use this approach consistently in keystone. Most other places where filtering is implemented, we ignore invalid filters and instead return an empty list. For domain users attempting to fish information out of another domain, they will receive an empty list to be consistent with other parts of the API.

Change-Id: I60b2e2b8af172c369eab0eb2c29f056f5c98ad16
Partial-Bug: 1806762
api-ref/source
config-generator
devstack
doc
etc
examples/pki
httpd
keystone
keystone_tempest_plugin
playbooks/legacy/keystone-dsvm-grenade-multinode
rally-jobs
releasenotes
tools
.coveragerc
.gitignore
.gitreview
.mailmap
.stestr.conf
.zuul.yaml
CONTRIBUTING.rst
HACKING.rst
LICENSE
README.rst
babel.cfg
bindep.txt
lower-constraints.txt
requirements.txt
setup.cfg
setup.py
test-requirements.txt
tox.ini
README.rst
Team and repository tags
OpenStack Keystone
Keystone provides authentication, authorization and service discovery mechanisms via HTTP primarily for use by projects in the OpenStack family. It is most commonly deployed as an HTTP interface to existing identity systems, such as LDAP.
Developer documentation, the source of which is in doc/source/, is published at:
The API reference and documentation are available at:
The canonical client library is available at:
https://git.openstack.org/cgit/openstack/python-keystoneclient
Documentation for cloud administrators is available at:
The source of documentation for cloud administrators is available at:
Information about our team meeting is available at:
Release notes are available at:
Bugs and feature requests are tracked on Launchpad at:
Future design work is tracked at:
Contributors are encouraged to join IRC (#openstack-keystone on freenode):
For information on contributing to Keystone, see CONTRIBUTING.rst.