| Commit message | Author | Age | Files | Lines |
The Key Distribution Service is used to register keys for services and
distribute tickets to contact other services.
The KDS is used to digitally sign and optionally encrypt messages sent over the
message queue by the rpc modules.
It implements the service described in this document:
https://wiki.openstack.org/wiki/MessageSecurity#A_Key_Distribution_Server_in_Keystone
blueprint key-distribution-server
Change-Id: Ib47aca8f72623a07ff18f23d46d0af520e463fc9
Signed-off-by: Simo Sorce <simo@redhat.com>
Implements an OAuth 1.0a service provider.
blueprint: delegated-auth-via-oauth
DocImpact
SecurityImpact
Change-Id: Ib5561593ab608f3b22fbcd7196e2171f95b735e8
A common scenario in shared clouds will be that a cloud provider will
want to be able to offer larger customers the ability to interface to
their chosen identity provider. In the base case, this might well be
their own corporate LDAP/AD directory. A cloud provider might also
want smaller customers to have their identity managed solely
within the OpenStack cloud, perhaps in a shared SQL database.
This patch allows domain specific backends for identity objects
(namely user and groups), which are specified by creation of a domain
configuration file for each domain that requires its own backend.
A side benefit of this change is that it clearly separates the
backends into those that are domain-aware and those that are not,
allowing, for example, the removal of domain validation from the
LDAP identity backend.
Implements bp multiple-ldap-servers
DocImpact
Change-Id: I489e8e50035f88eca4235908ae8b1a532645daab
DocImpact
Change-Id: I1b1de8f7e07afe8af8a5cbb83de7f935cea04670
The Keystone server would print a warning when both the token
format and provider were set to the default.
Also, the Keystone server would not start if the format was
commented out and the provider was set to the uuid.Provider.
Fixes: bug 1204314
Change-Id: Id7db33a1f27c4986af153efc73b22db8c6a8942e
There's a new config option [assignment].driver that wasn't included
in the sample config file. This makes it more difficult than necessary
for deployers to configure.
Fixes bug 1202778
Change-Id: I04b09c214b9ea997d8f540a72978ce9b19b4138d
The provider property in the [token] section will be unset by default. If
provider is not set, we will use token_format in the [signing] section to
determine the provider. If provider is set, it must agree with the token_format.
fixed bug 1202651
Change-Id: I15ff67490acbbacc9eefc7eee253400475704b04
Brings token binding to keystone server. There are a number of places
where the location or hardcoding of binding checks are not optimal
however fixing them will require having a proper authentication plugin
scheme so just assume that they will be moved when that happens.
DocImpact
Implements: blueprint authentication-tied-to-token
Change-Id: Ib34e5e0b6bd83837f6addbd45d4c5b828ce2f3bd
Select the code to handle REMOTE_USER based on a config file option
Fixes the REMOTE_USER logic to get the domain name from
REALM, which is the least surprise option.
Disregards the auth_data passed in, as we should be using REMOTE_USER
to get the user name.
External Plugin is now executed in conjunction with the auth methods,
as opposed to in place of them.
DocImpact
blueprint pluggable-remote-user
Change-Id: I9dda6dbe073f03806bdf539db6faa01644109f1c
This extension allows for project roles to be optionally
inherited from the owning domain. The v3 grant APIs are extended
to take an inherited_to_projects flag. The GET role_assignments
API will also include these roles in its response, either showing them
as inherited roles assigned to the domain or, if the 'effective'
query parameter is set, will interpret the inheritance and reflect
those role assignments on the projects.
The inherited_to_projects flag is encoded in the role list in
the metadata of the relevant entries in the grant tables. The
'roles' key in the metadata is now a list of dicts, as opposed
to a simple list, where each dict is either
{'id': role_id} for a regular role, or
{'id': role_id, 'inherited_to': 'projects'} for an inherited role
Remember that a previous patch had rationalized the way metadata is
handled so that its structure is entirely hidden within the driver
layer.
The extension can be enabled/disabled via a config setting.
Limitations:
- The extension is not yet discoverable via url, this will be added
as a separate patch when the v3/extensions work is complete.
A separate issue has been discovered with the fact that the v2
calls of 'get_projects_for_user()' and 'list_user_projects()'
should be rationalized and also honor both group (and inherited)
role assignments. This is being raised as a separate bug.
DocImpact
Implements bp inherited-domain-roles
Change-Id: I35b57ce0df668f12462e96b3467cef0239594e97
Abstract V3 token provider backend to make token provider pluggable. It enables
deployers to customize token management to add their own capabilities.
Token provider is responsible for issuing, checking, validating, and
revoking tokens. Note the distinction between token 'driver' and 'provider'.
Token 'driver' simply provides token persistence. It does not issue or
interpret tokens.
Token provider is specified by the 'provider' property in the '[token]'
section of the Keystone configuration file.
Partially implemented blueprint pluggable-token-format.
This patch also fixes bug 1186061.
Change-Id: I755fb850765ea99e5237626a2e645e6ceb42a9d3
Add support for the GET /role_assignment call as a first step
to making role_assignment a first class entity.
This patch also enables v3 collection filtering to match against
attributes of entities being returned in the list, using the same
dot notation (e.g. user.id) that we already support for policy file
checking against filters.
Limitations:
- The current implementation uses the standard v3 collections wrapper
mechanism for filtering. Given the potential numbers of role
assignments in a large system, this may have performance and resource
impacts. A future improvement would pass the filters into the
driver layer to keep the internal assignment processing to a minimum.
- The LDAP backend is not currently supported
Implements bp get-role-assignments
Change-Id: I6ff2ea780e39d7097a88214fbb3ddee1b924c30c
Location of *.pem files was changed without synchronization with
keystone.conf.sample.
Change-Id: I99a61230b06eb43046e543c0d0663c49aa21d558
Fixes: bug #1197743
admin_or_owner rule has already been defined at the beginning of the file.
Make use of it.
Change-Id: I18f1d96aaba095d05e770b3d564a255659de23ce
The default ou name for projects/tenants should be Projects, as we normally
use in devstack and ldap live test. Since multiple LDAP objects can
use groupOfNames, setting projects group to Groups is vague.
Fixes Bug1191807
Change-Id: I1718c76320da51a58abf6558a9b8560e908773cb
kvs driver for tokens is not a production quality storage method.
The shortcomings of using kvs as storage driver for tokens:
1. It requires load balancer to persist connections to a single
keystone server by token.
2. The memory will grow out of control until token_flush is run.
3. At some point kvs lookups get very slow because there are millions
of keys in the dict.
4. Process restart invalidates all tokens.
Fixes: bug #1188370
Change-Id: Ic726e12d798b843412158a7b92f5e3e3a654811f
this gives end-users a clue that they also have to set
ca_key for using ssl certificates other than the default
place /etc/ssl.
Change-Id: I41c4118d02723730c0ba183add866a0e0fa67e7b
Fixes: Bug #1188956
change `admin_or_owner` to `admin_required`
bug #1188457
Change-Id: I26b1617eadf12fcf1572bb382f4cdfbcbb275cc4
Extend RSA keylength to 2048 bits by default,
as the previous default of 1024 bit is considered
weak since 12/31/2010.
Also unify the message_md to the openssl builtin default.
Fixes bug 1103002
Change-Id: I70e90b7696f8a56073c3d6bdc9ed5d30cfa3401f
Change-Id: I4327593fc970bd977d9fb2c48ab9eafd5586f1d0
Before this patch auth_token middleware required admin user credentials
stored in assorted config files. With this patch only non-admin user
credentials are needed. The revocation_list and validate_token commands
use a policy.json rule to only allow these commands if you have the
service role.
Rule used:
"service_role": [["role:service"]],
"service_or_admin": [["rule:admin_required"], ["rule:service_role"]],
Added the policy wrapper on the validate functions.
Fixes bug 1153789
Change-Id: I43986e26b16aa5213ad2536a0d07d942bf3dbbbb
PasteDeploy configuration contains class names which might change
between releases. Keeping it separate from user-configurable
parameters allows deployers to move paste-deploy ini file out of
configuration directory to a place where it can be safely overwritten
on updates e.g. under /usr/share/
DocImpact
Change-Id: I9292ca6226c8430b93565dedd45cc842742a23e2
Moves the credentials API into its own backend.
LDAP was not going to be able to support credentials.
Even with a custom schema, many people are using LDAP in read only
mode, which means that they would not be able to use the credentials
API at all. By splitting it out, we have a workable solution for
both SQL and LDAP Identity backends.
Drops the Foreign Key constraints off the Credentials table, as there
is now no guarantee that users are stored in the same backend.
Blueprint extract-credentials-id
Change-Id: I10ad4b36c6f03d1712621eaffcfefa48a5453aff
This is needed as a work around for objectclasses that require additional
attributes other than just what is supplied in user_id_attribute and
user_name_attribute.
Change-Id: Ie6cdd0534b8389f62f98fdca7d19bc0feb9c131f
Fixes: bug #1158077
Providing an initial policy rule for the list_groups_for_user
operation in the sample policy.json file for the ease of
configuration.
Fixes bug #1167836
Change-Id: Id253729098a95d3b129babde1b3706f409a095dd
Change-Id: I0326ae38c359c7c11901e1dd08f81acd73fa74ff
Change-Id: I940f331eee14e449333e5d0ba5d071836a496653
Extracts common OpenSSL functionality from pki_setup and adds a new cli
command ssl_setup which re-uses this base to generate SSL certificates
for https.
Change-Id: Ia34827583bcdfbd871133250681010e642271f07
Fixes: bug 1155361
Fixes Bug1040115
added several test cases, also provides a full ldap
regression suite. Also added supplemental (simple)
verification for CACERTFILE and CACERTDIR
added a TLS disable option when ldaps URLs are used
and did full regression tests using ldaps URLs
and with TLS
addresses ayoung's comments
addresses dolphm's and Mouad's comments
addresses gyee's doc request and bknudson's comments
Change-Id: I639f2853df0ce5c10ae85b06214b26430d872aca
This allows proper dereferencing of aliased objects in an LDAP tree.
Fixes Bug #1153786
Change-Id: Ia09a99b7bca1ab055eb0c6dfa34138beca15bff0
Change-Id: I76ab6ddac70cccece46bc36d7592d840599c893b
These fields are used for queries, and may need to be indexed
Also moves the delete token for... functions into the base class
for controllers.
Removed the token API revoke token call as that needed access to other
APIs. Logic was moved into the controller.
Bug 1152801
Change-Id: I59c360fe5aef905dfa30cb55ee54ff1fbe64dc58
This was intended to be removed during grizzly by utilizing centralized
policy storage on /v3/policies -- but such a feature hasn't been
implemented yet beyond the API.
Change-Id: Ie696bc671fc1d6fd05cc1dda376d2be945097845
Change-Id: If7746bf92c29e824369777764877a414dc7a5d6e
Change-Id: I8c72ee99695b0c039a91f807a13a832ce2c3ff74
Blueprint trusts
creates a trust. Using a trust, one user (the trustee), can then
create tokens with a subset of another user's (the trustor) roles and
projects.
If the impersonate flag in the trust is set, the token user_id is set
to the trustor's user ID
If the impersonate flag is not set, the token's user_id is set to the
trustee's user ID
check that both trustor and trustee are enabled prior to creating
the trust token.
sql and kvs backends
sql upgrade scripts
unit tests for backends, auth and v3 api
modifications to the trust controller for creating tokens
Authenticates that only user can be trustor in create
Deleting a trust invalidates all tokens created from that trust
Adds the trust id and the id of the trustee to the header of the token
policy rules for trust
This version has a workaround for testing against the KVS version
of the Service catalog
Change-Id: I5745f4d9a4180b59671a143a55ed87019e98ec76
This fixes bug 1083463
Change-Id: Ie7ec7f2214b51766d3108a4557c096d9e6989b6b
Also, as requested I put in this bug fix the related updates
to keystone.conf.sample
Fixes Bug1131443
Fixes Bug1131439
Change-Id: I3e973c8f8ad2783153a2ccb3d743b65eec47e749