path: root/keystone/config.py
Commit message, author, age, files changed, lines removed/added:
* Implement domain specific Identity backends (Henry Nash, 2013-08-15, 1 file, -8/+1)

  A common scenario in shared clouds will be that a cloud provider will want to be able to offer larger customers the ability to interface to their chosen identity provider. In the base case, this might well be their own corporate LDAP/AD directory. A cloud provider might also want smaller customers to have their identity managed solely within the OpenStack cloud, perhaps in a shared SQL database.

  This patch allows domain specific backends for identity objects (namely user and groups), which are specified by creation of a domain configuration file for each domain that requires its own backend.

  A side benefit of this change is that it clearly separates the backends into those that are domain-aware and those that are not, allowing, for example, the removal of domain validation from the LDAP identity backend.

  Implements bp multiple-ldap-servers

  DocImpact

  Change-Id: I489e8e50035f88eca4235908ae8b1a532645daab
* separate paste-deploy configuration from parameters (Alan Pevec, 2013-05-26, 1 file, -0/+31)

  PasteDeploy configuration contains class names which might change between releases. Keeping it separate from user-configurable parameters allows deployers to move the paste-deploy ini file out of the configuration directory to a place where it can be safely overwritten on updates, e.g. under /usr/share/

  DocImpact

  Change-Id: I9292ca6226c8430b93565dedd45cc842742a23e2
* Fix for configuring non-default auth plugins properly (Davanum Srinivas, 2013-04-09, 1 file, -0/+1)

  Make sure we pick up CONF.auth.methods from configuration files. Added a test case to make sure that we don't regress.

  Fixes LP# 1157515

  Change-Id: I70290c37b2a5378b5247a14e3bfa20d50bf8fe74
* Wrap config module and require manual setup (bug 1143998) (Dolph Mathews, 2013-03-20, 1 file, -330/+13)

  This moves keystone.config to keystone.common.config, which requires .configure() to be called manually in order for options to be registered.

  keystone.config preserves the existing behavior of automatically registering options when imported.

  keystone.middleware.auth_token and its dependencies within keystone no longer cause config options to be automatically registered.

  This is an alternative to https://review.openstack.org/#/c/24251/

  Change-Id: If9eb5799bf77595ecb71f2000f8b6d1610ea9700
* Support for LDAP groups (bug #1092187) (Sahdev Zala, 2013-03-19, 1 file, -1/+15)

  Also covers Domain CRUD.

  Fixes Bug #1092187

  Change-Id: If2266ed382edfedfad3eef450ce58640ca4b4657
* Remove duplicate password/token opts. (Dan Prince, 2013-03-14, 1 file, -1/+7)

  Consolidate the 'auth' method option registration in config.py. This makes it so we don't have to catch Exceptions when the default 'auth' options are registered twice and avoids some log WARNING messages as well.

  Fixes LP Bug #1154406.

  Change-Id: I301328ec3ec4823dd7fbec1e639e2841516352e5
* Merge "ports should be ints in config (bug 1137696)" (Jenkins, 2013-03-07, 1 file, -3/+3)

* ports should be ints in config (bug 1137696) (Dolph Mathews, 2013-03-06, 1 file, -3/+3)

  Change-Id: I26c0481f1f8987f310e3c3710be49d541418e3fd
* Trusts (Adam Young, 2013-03-05, 1 file, -0/+2)

  Blueprint trusts creates a trust. Using a trust, one user (the trustee) can then create tokens with a subset of another user's (the trustor) roles and projects.

  If the impersonate flag in the trust is set, the token user_id is set to the trustor's user ID. If the impersonate flag is not set, the token's user_id is set to the trustee's user ID.

  check that both trustor and trustee are enabled prior to creating the trust token.

  sql and kvs backends
  sql upgrade scripts
  unit tests for backends, auth and v3 api
  modifications to the trust controller for creating tokens

  Authenticates that only user can be trustor in create

  Deleting a trust invalidates all tokens created from that trust

  Adds the trust id and the id of the trustee to the header of the token

  policy rules for trust

  This version has a workaround for testing against the KVS version of the Service catalog

  Change-Id: I5745f4d9a4180b59671a143a55ed87019e98ec76
* Enable a parameter on ldap to allow paged_search of ldap queries (Jose Castro Leon, 2013-03-01, 1 file, -0/+1)

  This fixes bug 1083463

  Change-Id: Ie7ec7f2214b51766d3108a4557c096d9e6989b6b
* domain_id_attributes in config.py have wrong default value (Brad Topol, 2013-02-25, 1 file, -2/+4)

  Also, as requested I put in this bug fix the related updates to keystone.conf.sample

  Fixes Bug 1131443
  Fixes Bug 1131439

  Change-Id: I3e973c8f8ad2783153a2ccb3d743b65eec47e749
* Merge "Change the default LDAP mapping for description." (Jenkins, 2013-02-22, 1 file, -2/+2)

* Change the default LDAP mapping for description. (alatynskaya, 2013-02-20, 1 file, -2/+2)

  Change-Id: I361ec7fde2dde8b9a2091446d4d9f3b95d98f306
* Merge "v3 token API" (Jenkins, 2013-02-21, 1 file, -0/+8)

* v3 token API (Guang Yee, 2013-02-20, 1 file, -0/+8)

  Also implemented the following:

  blueprint pluggable-identity-authentication-handlers
  blueprint stop-ids-in-uris
  blueprint multi-factor-authn (just the plumbing)

  What's missing?

  * domain scoping (will be implemented by Henry?)

  Change-Id: I191c0b2cb3367b2a5f8a2dc674c284bb13ea97e3
* Merge "enabled attribute emulation support" (Jenkins, 2013-02-21, 1 file, -0/+4)

* enabled attribute emulation support (alatynskaya, 2013-02-20, 1 file, -0/+4)

  Fixes bug 1063858

  Implementation works as described in the second comment.

  Change-Id: Ib0aa85f05244044c9f40fa9634b5ed3e8afa1f37
* Merge "make LDAP query scope configurable" (Jenkins, 2013-02-20, 1 file, -0/+1)

* make LDAP query scope configurable (Ionuț Arțăriși, 2013-02-18, 1 file, -0/+1)

  Get the DN from the LDAP server itself rather than hardcoding its format.

  Fixes bug 1122181

  Change-Id: I6f70c480b5c6f1b064e74d3cbd2cd8ca5ee82b0a
* Merge "Use oslo-config-2013.1b3" (Jenkins, 2013-02-19, 1 file, -2/+2)

* Use oslo-config-2013.1b3 (Mark McLoughlin, 2013-02-18, 1 file, -2/+2)

  The cfg API is now available via the oslo-config library, so switch to it and remove the copied-and-pasted version.

  Add the 2013.1b3 tarball to tools/pip-requires - this will be changed to 'oslo-config>=2013.1' when oslo-config is published to pypi. This will happen in time for grizzly final.

  Remove the 'deps = pep8==1.3.3' from tox.ini as it means all the other deps get installed with easy_install which can't install oslo-config from the URL.

  Change-Id: I4815aeb8a9341a31a250e920157f15ee15cfc5bc
* project membership to role conversion (Adam Young, 2013-02-18, 1 file, -0/+4)

  Changes the relationship between users and projects. There is no more direct membership in projects. Instead, all membership is now done via roles. A default role has been created called _member_ with a uuid (both configurable) that will be added in place of the group membership for database upgrades.

  DocImpact: https://bugs.launchpad.net/openstack-manuals/+bug/1087483

  Change-Id: I2482f9ef7b838e5dade5096d6d00e81db71604d1
* Merge "Cleaned up keystone-all --help output" (Jenkins, 2013-02-16, 1 file, -9/+7)

* Cleaned up keystone-all --help output (Dolph Mathews, 2013-02-12, 1 file, -9/+7)

  - Added a missing space: mayuse -> may use
  - Removed default values from help messages, which were appearing as None, and should be added by argparse anyway
  - Updated man pages

  Change-Id: I471a1aaff40398488e19f91a16bd91d2d17db61d
* Merge "Keystone backend preparation for domain-scoping" (Jenkins, 2013-02-12, 1 file, -0/+3)

* Keystone backend preparation for domain-scoping (Henry Nash, 2013-02-12, 1 file, -0/+3)

  These changes lay the ground work for the implementation of domain-scoping, but are benign in that they don't change the token. They include making domain_id a first-class attribute in the user and project entity (i.e. move it out of the 'extra' attribute), filling in domain grant and project support for the kvs backend and fixing a series of issues in the migration to make it work for both MySQL, Postgresql and sqlite.

  A further, separate, commit will actually provide the code to update the actual tokens once the v3 token support has been added.

  blueprint domain-scoping
  blueprint default-domain

  Change-Id: I55ab7947a6a1efbab003bd234856bd3805bb4a63
* Spell accommodate correctly. (Dan Prince, 2013-02-12, 1 file, -1/+1)

  Fix spelling issue from 8ec247b (security patch).

  Change-Id: I16c048e40fd92c1978e93fe74a76b4303c253d65
* Merge "allow unauthenticated connections to an LDAP server" (Jenkins, 2013-02-12, 1 file, -7/+9)

* allow unauthenticated connections to an LDAP server (Ionuț Arțăriși, 2013-02-08, 1 file, -7/+9)

  Fixes: bug 1119495

  Change-Id: I13cdc212752f212ecf59a6a83f8f32c042ccf6e0
* Add missing log_format, log_file, log_dir opts. (Dan Prince, 2013-02-11, 1 file, -0/+13)

  In 49447c2 we broke keystone in that config.py no longer provides the options it uses. This commit fixes that by adding back in conf.log_format, conf.log_file, and conf.log_dir ... all of which are used and required by config.py.

  Fixes LP Bug #1122403.

  Change-Id: I5015315724eab511f6c570fdd5b9be357777b4a0
* Merge "Sync latest cfg from oslo-incubator" (Jenkins, 2013-02-11, 1 file, -0/+38)

* Sync latest cfg from oslo-incubator (Mark McLoughlin, 2013-01-22, 1 file, -0/+38)

  Changes include:

  c5984ba Move logging config options into the log module
  7cf016a Fixing the trim for ListOp when reading from config file

  The most significant change is that cfg no longer provides logging config options as these have been moved to the log module which keystone does not yet use. Define these options in keystone.config where they are used since pulling in oslo logging isn't appropriate if we're not going to use it.

  Change-Id: I3913ea54465658d93dc56e014dfe5d911b0541d6
* Add size validations to token controller. (Dan Prince, 2013-02-05, 1 file, -0/+3)

  Updates token controller so that it explicitly checks the max size of userId, username, tenantId, tenantname, token, and password before continuing with a request.

  Previously, when used with the SQL keystone backend an unauthenticated user could send in *really* large requests which would ultimately log large SQL exceptions and could thus fill up keystone logs on the disk.

  Change-Id: Ie7e3a958829f99f080e66582bdf558cded70248c
* Create a default domain (bp default-domain) (Dolph Mathews, 2013-01-31, 1 file, -0/+3)

  This change rewrites some of our migration history since the folsom release so that we can create a default domain prior to creating non-nullable foreign keys in the user and project tables in migration 9 (numbered according to this change).

  DocImpact

  Change-Id: I807f7b1dca1d6a895f7417c316bcbce24ada61c0
* Merge "public_endpoint & admin_endpoint configuration" (Jenkins, 2013-01-28, 1 file, -0/+2)

* public_endpoint & admin_endpoint configuration (Dolph Mathews, 2013-01-18, 1 file, -0/+2)

  Today we can use these configuration values to avoid having to guess keystone's own endpoint URL from the service catalog backend, which may contain more than one identity endpoint.

  This is also the first step towards adding self-relational links to the v3 API.

  Change-Id: I375ac0d1f9581592e437c67c17bf32022f652f66
* Limit the size of HTTP requests. (Dan Prince, 2013-01-21, 1 file, -0/+2)

  Adds a new RequestBodySizeLimiter middleware to guard against really large HTTP requests. The default max request size is 112k although this limit is configurable via the 'max_request_body_size' config parameter.

  Fixes LP Bug #1099025.

  Change-Id: Id51be3d9a0d829d63d55a92dca61a39a17629785
* Keystone server support for user groups (Henry Nash, 2013-01-08, 1 file, -0/+11)

  This implements the server side of groups of users. This set of code provides all the crud functionality for groups as well as the corresponding support for role assignments.

  blueprint user-groups

  The following deficiencies exist with the current version and will be corrected ahead of the final Grizzly release:

  1) There is only placeholder support for LDAP (Bug #1092187)
  2) Domain role grants are accepted but not yet honored (Bug #1093248)
  3) Token invalidation does not occur with group changes (Bug #1093493)

  This update also fills in missing v3 grant unit testing and v3 grant support within the kvs backend. In addition, there is a fix for Bug #1092200 (uncaught exception when listing grants)

  DocImpact

  Change-Id: Ibd1783b04b2d7804eff90312e5ef591dca4d0695
* Adding a means to connect back to a pydevd debugger. (John Bresnahan, 2012-12-21, 1 file, -0/+3)

  That patch allows a developer to remotely run a pydev debugger and have the keystone-all process connect back to it. Two command line options are introduced:

  --pydev-debug-host <host>
  --pydev-debug-port <port>

  both of the above options are required to enable this behavior.

  This patch only enables this behavior when the service is started with keystone-all. In the future parts of this patch can be used to enable this behavior when running in Apache.

  Change-Id: I92f99fa34112336a96e42e8261b7313f23ee994e
* Bug 1075090 -- Fixing log messages in python source code to support internationalization. (Nachiappan VR N, 2012-12-04, 1 file, -2/+2)

  Change-Id: I6b50abaa82effad8feaaac8d85086ca8b5d42590
* Stop using cfg's internal implementation details (Mark McLoughlin, 2012-11-26, 1 file, -1/+3)

  The fact that a cfg opt registered using register_opt() is available via the command line is actually a bug (see bug #1082279). Also, using the _cli_values attribute is clearly poking into private implementation details.

  Fix both issues by registering the opt using register_cli_opt() and accessing its value the normal way.

  Change-Id: If170dcd96daae5b4c3d7cdebed914df417c2209b
* Utilize policy.json by default (bug 1043758) (Dolph Mathews, 2012-11-20, 1 file, -0/+2)

  Change-Id: I03daf10aa4f689fe323e39537c312d1e783db313
* v3 Policies (Dolph Mathews, 2012-11-19, 1 file, -1/+1)

  - v3 policy (bp rbac-keystone-api)
  - v3 policy tests (bug 1023935)
  - v3 policy implementation (bug 1023939)

  Change-Id: I163fbb67726c295fe9ed09b68cd18d2273345d29
* Provide config file fields for enable users in LDAP backend (bug 1067516) (Jose Castro Leon, 2012-11-13, 1 file, -2/+6)

  DocImpact

  Change-Id: I1ee9a1e2505cdd8c9ee8acba5c0e89a4f25c7262
* Merge "making PKI default token type" (Jenkins, 2012-10-24, 1 file, -1/+1)

* making PKI default token type (Joe Heck, 2012-10-19, 1 file, -1/+1)

  Change-Id: I136a1ff1d9dc4bd6423522684123ce33dc695415
* Extract hardcoded configuration in ldap backend (bug 1052111) (Jose Castro Leon, 2012-10-16, 1 file, -1/+23)

  Change-Id: I128b0ccdb32694a4fc2f660e73c367aa8b01f257
* Filter users in LDAP backend (bug 1052925) (Jose Castro Leon, 2012-10-10, 1 file, -0/+3)

  Change-Id: I004e569756698098bf073f5516945f356f88bfea
* Merge "Unable to delete tenant if contains roles in LDAP backend (bug 1057407)" (Jenkins, 2012-10-09, 1 file, -0/+1)

* Unable to delete tenant if contains roles in LDAP backend (bug 1057407) (Jose Castro Leon, 2012-10-05, 1 file, -0/+1)

  Change-Id: I5e2746827bd66c6c4aebc28da1b24933fdc261f7