| Commit message (Collapse) | Author | Age | Files | Lines |
Allow each of the extensions to have their own
sql migration repository instead of mixing them into
the common repo. db_sync must be called explicitly on the extension.
In the past, it was assumed that only migrations for backends backed in
sql would be run. In practice, however, all of the migrations were run
every time. The code has been modified to reflect this.
Adds parameter --extension to the cli for db_sync and db_version.
To test out the migrations:
    bin/keystone-manage db_sync --extension example
will migrate to version 1 and
    bin/keystone-manage db_sync --extension example 0
will migrate it back to 0.
To check the version:
    bin/keystone-manage db_version --extension example
blueprint multiple-sql-migrate-repos
DocImpact
Change-Id: I6852d75bde6506c535fa3d74537e3c1bbd6578d8
Use the new oslo.sphinx version of the OpenStack doc
theme instead of copying it into this repo.
blueprint oslo.sphinx
Signed-off-by: Doug Hellmann <doug.hellmann@dreamhost.com>
Change-Id: I0bd91f7bb43f97b99051fed65b75fc05d5149cc8
Change-Id: I3cbef892af708368bffe8f503299be3cf8f3c030
Yesterday, openstack@lists.launchpad.org was migrated with
all users to openstack@list.openstack.org.
This patch updates references to the old mailing list with the
new, to ensure that people encountering them don't accidentally
try and join the old list!
Change-Id: I0f8a91a361647a87fab9a1392d56a815f4d66eac
This backend is not usable in any production environment. All OpenStack
environments will already have a SQL DB, and if someone does not want to
use the DB they can use the memcache backend.
Fixes bug 1188301 and bug 1188370
DocImpact This backend should not be mentioned in documentation, as it
is not production grade and is deprecated.
Change-Id: I41b147bcc70b79b4fc6df50b242a73cfcad33114
Brings token binding to keystone server. There are a number of places
where the location or hardcoding of binding checks are not optimal;
however, fixing them will require having a proper authentication plugin
scheme, so just assume that they will be moved when that happens.
DocImpact
Implements: blueprint authentication-tied-to-token
Change-Id: Ib34e5e0b6bd83837f6addbd45d4c5b828ce2f3bd
Select the code to handle REMOTE_USER based on a config file option
Fixes the REMOTE_USER logic to get the domain name from
REALM, which is the least surprise option.
Disregards the auth_data passed in, as we should be using REMOTE_USER
to get the user name.
External Plugin is now executed in conjunction with the auth methods,
as opposed to in place of them.
DocImpact
blueprint pluggable-remote-user
Change-Id: I9dda6dbe073f03806bdf539db6faa01644109f1c
This extension allows for project roles to be optionally
inherited from the owning domain. The v3 grant APIs are extended
to take an inherited_to_projects flag. The GET role_assignments
API will also include these roles in its response, either showing them
as inherited roles assigned to the domain or, if the 'effective'
query parameter is set, will interpret the inheritance and reflect
those role assignments on the projects.
The inherited_to_projects flag is encoded in the role list in
the metadata of the relevant entries in the grant tables. The
'roles' key in the metadata is now a list of dicts, as opposed
to a simple list, where each dict is either
{'id': role_id} for a regular role, or
{'id': role_id, 'inherited_to': 'projects'} for an inherited role
Remember that a previous patch had rationalized the way metadata is
handled so that its structure is entirely hidden within the driver
layer.
The extension can be enabled/disabled via a config setting.
Limitations:
- The extension is not yet discoverable via url, this will be added
as a separate patch when the v3/extensions work is complete.
A separate issue has been discovered with the fact that the v2
calls of 'get_projects_for_user()' and 'list_user_projects()'
should be rationalized and also honor both group (and inherited)
role assignments. This is being raised as a separate bug.
DocImpact
Implements bp inherited-domain-roles
Change-Id: I35b57ce0df668f12462e96b3467cef0239594e97
Fixes Bug1200241
Changes variable value in keystone doc to a proper domain component and makes it
consistent.
Change-Id: I0a9ac381d2da14c957df5aa50cb8f9dfadade1ac
Abstract V3 token provider backend to make token provider pluggable. It enables
deployers to customize token management to add their own capabilities.
Token provider is responsible for issuing, checking, validating, and
revoking tokens. Note the distinction between token 'driver' and 'provider'.
Token 'driver' simply provides token persistence. It does not issue or
interpret tokens.
Token provider is specified by the 'provider' property in the '[token]'
section of the Keystone configuration file.
Partially implemented blueprint pluggable-token-format.
This patch also fixes bug 1186061.
Change-Id: I755fb850765ea99e5237626a2e645e6ceb42a9d3
implements bug: 1197208
Change-Id: Icb7e7d4212e53cd55281a42fb2cd26b243d79eb8
This change fixes warnings and errors from
doc/source/man/keystone-all.rst when generating documentation.
Change-Id: Ie33b2600f28c517644730b2371ce34ca2e73b7a5
Change-Id: I00667ca171d1be5acdacb472561cbf74baf6a852
The default ou name for projects/tenants should be Projects, as we normally
use in devstack and ldap live test. Since multiple LDAP objects can
use groupOfNames, setting projects group to Groups is vague.
Fixes Bug1191807
Change-Id: I1718c76320da51a58abf6558a9b8560e908773cb
Change-Id: I5364d9d930ca0871bd839917b23ef3199eff3340
Correct the wrong naming used for domain controller in the configuration doc.
Fixes Bug1190647
Change-Id: I10b138f319b309db7c2747920ab5bd9e727a4557
Change-Id: Id4a8f285b380478705e5518440b7ed602e7757d4
Change-Id: Iab416c941c7db00d3fd725e1c0e12ed7fc193dd0
Extend RSA keylength to 2048 bits by default,
as the previous default of 1024 bit is considered
weak since 12/31/2010.
Also unify the message_md to the openssl builtin default.
Fixes bug 1103002
Change-Id: I70e90b7696f8a56073c3d6bdc9ed5d30cfa3401f
Change-Id: I9403289012eea3b78f9bf02154827554d9e07462
Rename tools/pip-requires to requirements.txt and tools/test-requires
to test-requirements.txt. These are standard files, and tools in the
general world are growing intelligence about them.
Fixes: bug #1179008
Change-Id: I1a19f0c73ab48987e2ff0dade1a57a68b65f0a22
PasteDeploy configuration contains class names which might change
between releases. Keeping it separate from user-configurable
parameters allows deployers to move paste-deploy ini file out of
configuration directory to a place where it can be safely overwritten
on updates e.g. under /usr/share/
DocImpact
Change-Id: I9292ca6226c8430b93565dedd45cc842742a23e2
The initial configuration file and sample data are both helpful in getting
set up with a keystone development environment.
Change-Id: Ic100177abe8dda1510a183463e61e0b757986e97
Creates a cli entry 'token_flush' which removes all expired tokens.
Fixes: bug 1032633
Implements: blueprint keystone-manage-token-flush
Change-Id: I47eab99b577ff9e9ee74fee08e18fd07c4af5aad
A short blurb indicating how to do development for LDAP
Change-Id: Id75d9f9af8742b44158ed739d34dbdccb62eccf2
Change-Id: Iad8e63ab57c927032e4bafab79c1f22cb485173f
Change-Id: I9ecb5d945d950e44c918469ab2ae0478e22bc1a8
Extracts common OpenSSL functionality from pki_setup and adds a new cli
command ssl_setup which re-uses this base to generate SSL certificates
for https.
Change-Id: Ia34827583bcdfbd871133250681010e642271f07
Fixes: bug 1155361
Fixes Bug1040115
added several test cases, also provides a full ldap
regression suite. Also added supplemental (simple)
verification for CACERTFILE and CACERTDIR
added a TLS disable option when ldaps URLs are used
and did full regression tests using ldaps URLs
and with TLS
addresses ayoung's comments
addresses dolphm's and Mouad's comments
addresses gyee's doc request and bknudson's comments
Change-Id: I639f2853df0ce5c10ae85b06214b26430d872aca
The example lacked the import of keystone.common.wsgi that could be
misleading for new developers.
Change-Id: I20be59f5792507a775d033867a69d31c5216633c
Change-Id: Ic6caf991cb3eda359658ea679b0fd2f75180c2a9
Also implemented the following:
blueprint pluggable-identity-authentication-handlers
blueprint stop-ids-in-uris
blueprint multi-factor-authn (just the plumbing)
What's missing?
* domain scoping (will be implemented by Henry?)
Change-Id: I191c0b2cb3367b2a5f8a2dc674c284bb13ea97e3
The doc/source/old directory contained several docs
that were marked as 'old' and hadn't been updated for more
than a year.
This patch simply removes them - they aren't referred to in
any way noticeable on keystone.openstack.org.
Change-Id: Ida57e0321be09aa8ddcb966f386132946017cdcb
This brings us tag-based versioning and aligned with the rest of the project.
Change-Id: I8c1f077125ee062e213d073492cfde07694cc254