Update git submodules
* Update keystone-specs from branch 'master' - Update inaccurate details in JWS specification Originally, when we were designing the implementation for a JWT provider, we thought we would be able to use multiple signature support in the JWS specification to allow tokens to have multiple signatures. This would allow operators to specify multiple private keys when rotating old/compromised keys off of a keystone server. While that information is clearly documentedin the JWS specification: https://tools.ietf.org/html/rfc7515#section-7 Support for signing tokens with multiple private keys doesn't exist yet in the library we're consuming for JWT (PyJWT). This commit updates the specification with those details and attempts to preserve the context of why we're not taking a multi-signature approach right now. I've opened an issue in the upstream library we consume to track the discussion: https://github.com/jpadilla/pyjwt/issues/390 bp json-web-tokens Change-Id: I3c1d431241fab79d7c3feefeb978a977487e7bc0 - Merge "Delete the duplicate words in multi-backend-uuids.rst" - Merge "Add domain level limit support" - Merge "Add a note about crypto-agility with JWT" - Merge "Repropose JWT specification for Stein" - Add a note about crypto-agility with JWT This is explicity calling out how Fernet should be used to exercise crypto-agility in the event a security flaw is uncovered in the JWT/JWS/JWE specifications or implementations. At least until more algorithms are supported. Change-Id: I5338c64f3a592768f70e3a4254b7bfeeb101102b - Change openstack-dev to openstack-discuss Mailinglists have been updated. Openstack-discuss replaces openstack-dev. Change-Id: Iba19dc4fa808624fbc59e3341ff1e5c55d58283e - Add domain level limit support This is the spec for domain level limit support. Change-Id: Ie808328de03b19260574055f42007952e8b5a808 bp: domain-level-limit - Delete the duplicate words in multi-backend-uuids.rst Change-Id: I95adf24fcf4c2fe972f1b51c003269efb4a0eaa0 - Merge "Update policy security roadmap" - Merge "fix misspelling of configuration" - fix wrong spelling of "configuration" Change-Id: I6f4b9df712b66da21ac0caffb503890b742df45f - Repropose JWT specification for Stein This spec was something we agreed upon as a team during the Queens release. This commit reproposes it for Stein. Major differences between this specification the original proposal from Queens include: - the algorithm targeted for the implementation - the library being used to sign and validate JWTs - the payload data and claim information - asymmetric key rotation details bp json-web-tokens Change-Id: I598faca40a6d81dd58155165d4a323fb437f7a6c - Update policy security roadmap Some things have changed since this was originally written and this patch attempts to update those things. Change-Id: Ibc24b4192f5cec2efa4eef79e94bdbcf27ffc162 - Fix spelling in explicit domain id specification Change-Id: I67bd84f69208348e7a7e8719d6e6f1acd00bf9db - fix misspelling of configuration Change-Id: If8571263a0240337ff94a270831b9ca5ec0149ae - Clean up explicit domain IDs specification Change-Id: I685e8aff8deda7a2bb6563989bf62252ecf05f25 - Merge "Explicit Domain Ids" - Explicit Domain Ids Change-Id: I49bdc1b051f0beb5e0c1fb19a749c8c6a546db92 - Update spec template We no longer store the API reference in the specs directory. API changes are proposed directly in the spec, and then documented in the api-ref/ directory in the keystone repository after the fact. This patch removes these outdated instructions. Change-Id: If22bb5404a083aa709860ad92a7409b2156079ec - Merge "fix tox python3 overrides" - Fix broken link to Stein roadmap The link to the Stein roadmap was populated before we actually went through the schedule for Stein. We actually used a copy of a previous roadmap to build the Stein roadmap, making it easier to manage carry over items. As a result, the original link isn't useful and was abandoned. This commit updates the link to point to the correct roadmap. Change-Id: Ib02bd11b3604c366db873c0f74d739dd04d322e2 - fix tox python3 overrides We want to default to running all tox environments under python 3, so set the basepython value in each environment. We do not want to specify a minor version number, because we do not want to have to update the file every time we upgrade python. We do not want to set the override once in testenv, because that breaks the more specific versions used in default environments like py35 and py36. Change-Id: I8f4db75f30021fca61f7c073018a533b02316ece Signed-off-by: Doug Hellmann <doug@doughellmann.com> - Fix grammatical error in policy goals spec Change-Id: I40a9625dcb10f5506749fee170c9e4cc45ce348f - Run python 3.6 Use python 3.6 for tests. Even though this repository is relatively slim when it comes to tests, we should use an updated version of python. This is also consistent with the Stein community goal to move towards python3. Change-Id: I816cd684bacd1aefb19600d44c8bbf1609a0b79d - import zuul job settings from project-config This is a mechanically generated patch to complete step 1 of moving the zuul job settings out of project-config and into each project repository. Because there will be a separate patch on each branch, the branch specifiers for branch-specific jobs have been removed. Because this patch is generated by a script, there may be some cosmetic changes to the layout of the YAML file(s) as the contents are normalized. See the python3-first goal document for details: https://governance.openstack.org/tc/goals/stein/python3-first.html Change-Id: Iaa10c8f02b1c21071c3d30643fb8e772d00e2682 Story: #2002586 Task: #24304 - Move MFA receipt specification to Stein This work was staged for Rocky but wasn't completed. This commit reproposes it to Stein to keep the Rocky specs directory accurate. Change-Id: Ia5317137eabcc1199659f05eee076a4bb11b5b6c - Repropose capability lists to Stein This work wasn't completed in Rocky, but the specification was targeted to the release. This commit bumps it to the Stein release. Change-Id: I2147f3cfb68b719666544fb1a7a7393a67c7bb2b - Switch to stestr According to Openstack summit session [1], stestr is maintained project to which all Openstack projects should migrate. Let's switch to stestr as other projects have already moved to it. This change also fixes a bunch of D001 violations where lines are too long in .rst documents. [1] https://etherpad.openstack.org/p/YVR-python-pti Change-Id: Ic20ae60d9020896690c5e7f07124d7500ffd3d2d - Update the default roles spec to include Rocky details Since we're not going to get everything details in this specification done in Rocky, we should update the spec to clarify why we did get done and what we plan to pick in subsequent releases. Change-Id: Ife2089167354b9e1c918dd9219aff5e5ff66e856 - Merge "Update links in README" - Update links in README Change the outdated links to the latest links in README Change-Id: Iab2c5601014dc4ae06ba1568758afdb48642a62b - Address follow-on comments in strict-two-level spec This change addresses concerns raised in the original review of the strict two level enforcement model: Ibfb2ba2ffb0115fa7cf81d30bf9a025652d9ba42 bp strict-two-level-enforcement-model Change-Id: I7190443de8be189eac06a6f01f99a5e5bfabbbc9 - Strict Two-Level Limits Enforcement Model This spec talks about that how the hierarchical unified limits will work in Keystone and its consumers. In rocky, we'd like to add the strict two level enforcement model as the base one for hierarchical unified limits. Co-Authored-By: John Garbutt <john@johngarbutt.com> Co-Authored-By: Lance Bragstad <lbragstad@gmail.com> Co-Authored-By: Morgan Fainberg <morgan.fainberg@gmail.com> Change-Id: Ibfb2ba2ffb0115fa7cf81d30bf9a025652d9ba42 bp: strict-two-level-enforcement-model - Update blueprint link in default roles specification The link for the blueprint was pointing 404'ing because it was pointing to a different namespace. This commit updates the specification to point to the the blueprint tracked within keystone for the default roles work. Change-Id: I6a22dcc81c382a7e9ce559b7bf8bda2685023b87 - Follow-up -- replace 'auditor' role with 'reader' Follow-up patch after Vancouver summit. After discussion the term 'reader' was determined to be more appropriate than 'auditor' as a default name for roles. Change-Id: Ia99807952d4f1025a69e9c94edf1ea949afb7d09 - Define a set of basic default roles With the recent work to keystone and oslo.policy, we should be able to offer tooling to project development teams so they can start evolving their policies. Before we start changing things, we should come to consensus on a set of defaults we should offer out of the box. Moving towards a set of known defaults will make maintenance for operators much easier. It will also build the foundation for a more robust RBAC system that is better at modeling complex organization, ultimately being more useful in the real-world. Change-Id: Ia6ddf64b4483a73ab79c86d5d794cce561aa19e0 Co-authored-By: Lance Bragstad <lbragstad@gmail.com> Co-Authored-By: Jamie Lennox <jamielennox@gmail.com>
This commit is contained in:
parent
356a2f3997
commit
90b748d465
|
@ -1 +1 @@
|
|||
Subproject commit dfeb67c789a010f00459d3c1aa93749e43529b4f
|
||||
Subproject commit 312c034e9b6358948c36a50cc1fd7b9a82f9c2de
|
Loading…
Reference in New Issue