openstack
/
keystone
Code Issues Proposed changes
OpenStack Identity (Keystone)
13,933 Commits 9 Branches 40 Tags 231 MiB
Python 99.5%
Shell 0.5%
Go to file
Lance Bragstad d2cc4c83c0 Consolidate user protection tests 
This commit removes user policies from policy.v3cloudsample.json. By
incorporating system-scope, domain-scope, project-scope, and default
roles, we've effectively made these policies obsolete. We can simplify
what we maintain and provide a more consistent, unified view of
default user behavior by removing them.

This commit also adds an important filter to the GET /v3/users API by
making sure the users in the response are filtered properly if the API
was called with a domain-scoped token. This is needed in case domain
configuration isn't setup and short-circuits normalization of the
domain ID, which sometimes comes from the token if it is
domain-scoped.  Regardless of domain configuration being used, we
should protect against cases where data leaks across domains in the
name of security.

Finally, this commit moves a couple of tests from test_v3_protection
to test_users protection tests that ensures we do reasonable filtering
while normalizing domain IDs. The remaining tests from
test_v3_protection have been removed because they are no longer
applicable. These tests were testing an HTTP 403 was returned when a
domain users attempted to filter users for domains they didn't have
authorization on. We don't use this approach consistently in keystone.
Most other places where filtering is implemented, we ignore invalid
filters and instead return an empty list. For domain users attempting
to fish information out of another domain, they will receive an empty
list to be consistent with other parts of the API.

Change-Id: I60b2e2b8af172c369eab0eb2c29f056f5c98ad16
Parial-Bug: 1806762
 		2019-03-26 12:58:15 +00:00
api-ref/source trivial: fix broken link in trust API reference 2019-03-13 19:45:49 +00:00
config-generator Move policy generator config to config-generator/ 2017-04-21 21:47:32 +00:00
devstack Add OpenSUSE support in devstack federation plugin 2019-02-17 16:55:23 -03:00
doc Merge "Replace URL name to the correct one in Keystone Docs" 2019-03-26 06:42:44 +00:00
etc Consolidate user protection tests 2019-03-26 12:58:15 +00:00
examples/pki Remove support for PKI and PKIz tokens 2016-11-01 22:05:01 +00:00
httpd Remove admin interface in sample Apache file 2018-03-24 12:56:02 +01:00
keystone Consolidate user protection tests 2019-03-26 12:58:15 +00:00
keystone_tempest_plugin Remove the local tempest plugin 2017-06-06 11:48:37 +00:00
playbooks/legacy/keystone-dsvm-grenade-multinode Convert legacy functional jobs to Zuul-v3-native 2018-09-26 20:09:49 +02:00
rally-jobs fix rally docs url 2018-05-21 16:24:51 +08:00
releasenotes Consolidate user protection tests 2019-03-26 12:58:15 +00:00
tools changed port in tools/sample_data.sh 2018-11-15 20:45:59 +05:30
.coveragerc Change ignore-errors to ignore_errors 2015-09-21 14:27:58 +00:00
.gitignore Ignore .eggs dir as well 2018-07-04 12:39:20 +00:00
.gitreview Add .gitreview config file for gerrit. 2011-10-24 14:48:03 -04:00
.mailmap update mailmap with gyee's new email 2015-11-03 16:12:01 -08:00
.stestr.conf Migrate to stestr 2017-09-22 11:07:09 -05:00
.zuul.yaml Migrate keystone-dsvm-grenade-multinode job to Ubuntu Bionic 2019-03-13 03:09:12 +00:00
CONTRIBUTING.rst Use https for docs.openstack.org references 2017-01-30 16:05:08 -08:00
HACKING.rst Merge "Update links in keystone" 2017-10-06 16:10:56 +00:00
LICENSE Added Apache 2.0 License information. 2012-02-15 17:48:33 -08:00
README.rst Add release notes link to README 2018-06-12 15:30:45 +08:00
babel.cfg setting up babel for i18n work 2012-06-21 18:03:09 -07:00
bindep.txt Fix bindep for SUSE 2019-02-14 16:50:33 +01:00
lower-constraints.txt Pin Werkzeug in lower-constraints 2019-03-19 23:56:08 +01:00
requirements.txt Add PyJWT as a requirement 2019-01-31 19:42:09 +00:00
setup.cfg Merge "Add JSON driver for access rules config" 2019-03-07 09:43:33 +00:00
setup.py Updated from global requirements 2017-03-06 01:10:37 +00:00
test-requirements.txt Use pycodestyle in place of pep8 2018-11-20 17:16:01 +00:00
tox.ini Drop py35 jobs 2019-03-05 10:56:57 +05:30

README.rst

Team and repository tags

image

OpenStack Keystone

Keystone provides authentication, authorization and service discovery mechanisms via HTTP primarily for use by projects in the OpenStack family. It is most commonly deployed as an HTTP interface to existing identity systems, such as LDAP.

Developer documentation, the source of which is in doc/source/, is published at:

https://docs.openstack.org/keystone/latest

The API reference and documentation are available at:

https://developer.openstack.org/api-ref/identity

The canonical client library is available at:

https://git.openstack.org/cgit/openstack/python-keystoneclient

Documentation for cloud administrators is available at:

https://docs.openstack.org/

The source of documentation for cloud administrators is available at:

https://git.openstack.org/cgit/openstack/openstack-manuals

Information about our team meeting is available at:

https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting

Release notes is available at:

https://docs.openstack.org/releasenotes/keystone

Bugs and feature requests are tracked on Launchpad at:

https://bugs.launchpad.net/keystone

Future design work is tracked at:

https://specs.openstack.org/openstack/keystone-specs

Contributors are encouraged to join IRC (#openstack-keystone on freenode):

https://wiki.openstack.org/wiki/IRC

For information on contributing to Keystone, see CONTRIBUTING.rst.