Update git submodules
* Update keystone-specs from branch 'master'
- Update inaccurate details in JWS specification
Originally, when we were designing the implementation for a JWT
provider, we thought we would be able to use multiple signature
support in the JWS specification to allow tokens to have multiple
signatures. This would allow operators to specify multiple private
keys when rotating old/compromised keys off of a keystone server.
While that information is clearly documentedin the JWS specification:
https://tools.ietf.org/html/rfc7515#section-7
Support for signing tokens with multiple private keys doesn't exist
yet in the library we're consuming for JWT (PyJWT).
This commit updates the specification with those details and attempts
to preserve the context of why we're not taking a multi-signature
approach right now. I've opened an issue in the upstream library we
consume to track the discussion:
https://github.com/jpadilla/pyjwt/issues/390
bp json-web-tokens
Change-Id: I3c1d431241fab79d7c3feefeb978a977487e7bc0
- Merge "Delete the duplicate words in multi-backend-uuids.rst"
- Merge "Add domain level limit support"
- Merge "Add a note about crypto-agility with JWT"
- Merge "Repropose JWT specification for Stein"
- Add a note about crypto-agility with JWT
This is explicity calling out how Fernet should be used to
exercise crypto-agility in the event a security flaw is uncovered
in the JWT/JWS/JWE specifications or implementations. At least until
more algorithms are supported.
Change-Id: I5338c64f3a592768f70e3a4254b7bfeeb101102b
- Change openstack-dev to openstack-discuss
Mailinglists have been updated. Openstack-discuss replaces
openstack-dev.
Change-Id: Iba19dc4fa808624fbc59e3341ff1e5c55d58283e
- Add domain level limit support
This is the spec for domain level limit support.
Change-Id: Ie808328de03b19260574055f42007952e8b5a808
bp: domain-level-limit
- Delete the duplicate words in multi-backend-uuids.rst
Change-Id: I95adf24fcf4c2fe972f1b51c003269efb4a0eaa0
- Merge "Update policy security roadmap"
- Merge "fix misspelling of configuration"
- fix wrong spelling of "configuration"
Change-Id: I6f4b9df712b66da21ac0caffb503890b742df45f
- Repropose JWT specification for Stein
This spec was something we agreed upon as a team during the Queens
release. This commit reproposes it for Stein.
Major differences between this specification the original proposal
from Queens include:
- the algorithm targeted for the implementation
- the library being used to sign and validate JWTs
- the payload data and claim information
- asymmetric key rotation details
bp json-web-tokens
Change-Id: I598faca40a6d81dd58155165d4a323fb437f7a6c
- Update policy security roadmap
Some things have changed since this was originally written and this
patch attempts to update those things.
Change-Id: Ibc24b4192f5cec2efa4eef79e94bdbcf27ffc162
- Fix spelling in explicit domain id specification
Change-Id: I67bd84f69208348e7a7e8719d6e6f1acd00bf9db
- fix misspelling of configuration
Change-Id: If8571263a0240337ff94a270831b9ca5ec0149ae
- Clean up explicit domain IDs specification
Change-Id: I685e8aff8deda7a2bb6563989bf62252ecf05f25
- Merge "Explicit Domain Ids"
- Explicit Domain Ids
Change-Id: I49bdc1b051f0beb5e0c1fb19a749c8c6a546db92
- Update spec template
We no longer store the API reference in the specs directory. API changes
are proposed directly in the spec, and then documented in the api-ref/
directory in the keystone repository after the fact. This patch removes
these outdated instructions.
Change-Id: If22bb5404a083aa709860ad92a7409b2156079ec
- Merge "fix tox python3 overrides"
- Fix broken link to Stein roadmap
The link to the Stein roadmap was populated before we actually went
through the schedule for Stein. We actually used a copy of a previous
roadmap to build the Stein roadmap, making it easier to manage carry
over items. As a result, the original link isn't useful and was
abandoned.
This commit updates the link to point to the correct roadmap.
Change-Id: Ib02bd11b3604c366db873c0f74d739dd04d322e2
- fix tox python3 overrides
We want to default to running all tox environments under python 3, so
set the basepython value in each environment.
We do not want to specify a minor version number, because we do not
want to have to update the file every time we upgrade python.
We do not want to set the override once in testenv, because that
breaks the more specific versions used in default environments like
py35 and py36.
Change-Id: I8f4db75f30021fca61f7c073018a533b02316ece
Signed-off-by: Doug Hellmann <doug@doughellmann.com>
- Fix grammatical error in policy goals spec
Change-Id: I40a9625dcb10f5506749fee170c9e4cc45ce348f
- Run python 3.6
Use python 3.6 for tests. Even though this repository is relatively
slim when it comes to tests, we should use an updated version of
python. This is also consistent with the Stein community goal to move
towards python3.
Change-Id: I816cd684bacd1aefb19600d44c8bbf1609a0b79d
- import zuul job settings from project-config
This is a mechanically generated patch to complete step 1 of moving
the zuul job settings out of project-config and into each project
repository.
Because there will be a separate patch on each branch, the branch
specifiers for branch-specific jobs have been removed.
Because this patch is generated by a script, there may be some
cosmetic changes to the layout of the YAML file(s) as the contents are
normalized.
See the python3-first goal document for details:
https://governance.openstack.org/tc/goals/stein/python3-first.html
Change-Id: Iaa10c8f02b1c21071c3d30643fb8e772d00e2682
Story: #2002586
Task: #24304
- Move MFA receipt specification to Stein
This work was staged for Rocky but wasn't completed. This commit
reproposes it to Stein to keep the Rocky specs directory accurate.
Change-Id: Ia5317137eabcc1199659f05eee076a4bb11b5b6c
- Repropose capability lists to Stein
This work wasn't completed in Rocky, but the specification was
targeted to the release. This commit bumps it to the Stein release.
Change-Id: I2147f3cfb68b719666544fb1a7a7393a67c7bb2b
- Switch to stestr
According to Openstack summit session [1],
stestr is maintained project to which all Openstack projects should migrate.
Let's switch to stestr as other projects have already moved to it.
This change also fixes a bunch of D001 violations where lines are too
long in .rst documents.
[1] https://etherpad.openstack.org/p/YVR-python-pti
Change-Id: Ic20ae60d9020896690c5e7f07124d7500ffd3d2d
- Update the default roles spec to include Rocky details
Since we're not going to get everything details in this specification
done in Rocky, we should update the spec to clarify why we did get
done and what we plan to pick in subsequent releases.
Change-Id: Ife2089167354b9e1c918dd9219aff5e5ff66e856
- Merge "Update links in README"
- Update links in README
Change the outdated links to the latest links in README
Change-Id: Iab2c5601014dc4ae06ba1568758afdb48642a62b
- Address follow-on comments in strict-two-level spec
This change addresses concerns raised in the original review of the
strict two level enforcement model:
Ibfb2ba2ffb0115fa7cf81d30bf9a025652d9ba42
bp strict-two-level-enforcement-model
Change-Id: I7190443de8be189eac06a6f01f99a5e5bfabbbc9
- Strict Two-Level Limits Enforcement Model
This spec talks about that how the hierarchical unified limits
will work in Keystone and its consumers.
In rocky, we'd like to add the strict two level enforcement model
as the base one for hierarchical unified limits.
Co-Authored-By: John Garbutt <john@johngarbutt.com>
Co-Authored-By: Lance Bragstad <lbragstad@gmail.com>
Co-Authored-By: Morgan Fainberg <morgan.fainberg@gmail.com>
Change-Id: Ibfb2ba2ffb0115fa7cf81d30bf9a025652d9ba42
bp: strict-two-level-enforcement-model
- Update blueprint link in default roles specification
The link for the blueprint was pointing 404'ing because it was
pointing to a different namespace. This commit updates the
specification to point to the the blueprint tracked within
keystone for the default roles work.
Change-Id: I6a22dcc81c382a7e9ce559b7bf8bda2685023b87
- Follow-up -- replace 'auditor' role with 'reader'
Follow-up patch after Vancouver summit. After discussion the term
'reader' was determined to be more appropriate than 'auditor' as
a default name for roles.
Change-Id: Ia99807952d4f1025a69e9c94edf1ea949afb7d09
- Define a set of basic default roles
With the recent work to keystone and oslo.policy, we should be able to
offer tooling to project development teams so they can start evolving
their policies. Before we start changing things, we should come to
consensus on a set of defaults we should offer out of the box.
Moving towards a set of known defaults will make maintenance for
operators much easier. It will also build the foundation for a more
robust RBAC system that is better at modeling complex
organization, ultimately being more useful in the real-world.
Change-Id: Ia6ddf64b4483a73ab79c86d5d794cce561aa19e0
Co-authored-By: Lance Bragstad <lbragstad@gmail.com>
Co-Authored-By: Jamie Lennox <jamielennox@gmail.com>
This commit is contained in:
Lance Bragstad
Gerrit Code Review
parent
356a2f3997
commit
90b748d465
|
|
@ -1 +1 @@
|
|||
Subproject commit dfeb67c789a010f00459d3c1aa93749e43529b4f
|
||||
Subproject commit 312c034e9b6358948c36a50cc1fd7b9a82f9c2de
|
||||
Loading…
Reference in New Issue