keystone.common.config is 1200+ lines of super dense, merge-conflict
prone, difficult to navigate, and finicky to maintain code. Let's follow
nova's lead and break it down into more manageable modules.
This patch creates a new Python package, keystone.conf, and moves all of
our configuration options into it, mirroring nova's nova.conf package.
There are a couple special modules in keystone.conf introduced here as
well:
- keystone.conf.__init__: This causes all of Keystone's options to be
registered on import, so consumers of keystone.conf don't have
races with config initialization code while trying to use
oslo_config.cfg.CONF directly (keystone.conf replaces all uses for
oslo_config.cfg.CONF in keystone).
- keystone.conf.base: Keystone's [DEFAULT] group options. I'd prefer
this to be called 'default.py', but I'm just copying nova's lead here.
- keystone.conf.opts: The entry point for oslo.config itself.
- keystone.conf.constants: There are a few constants (deprecation
messages, default paths, etc) that are used by multiple configuration
modules, so they need to live in a common place.
Change-Id: Ia3daffe3fef111b42de203762e966cd14d8927e2

Deprecate our custom usage of the HTTP_X_FORWARDED_PROTO header in
favour of a standard middleware shared across all services. This will
enable us to support the newer forwarding standards.
Closes-Bug: #1590608
Change-Id: Iad628a863e55cbf20c89ef23ebc7527ba8e1a835

Subsequent patches are adding caching to federated entities. This change makes
it so that you can turn caching on for federation like you would for any of
keystone's other subsystems.
Change-Id: I403e09b6523023cf60c362da75cfb375625db2ba

These are basically the only configuration options in keystone defined
outside of keystone/common/config.py, so the only goal here is to
centralize them into one place.
Change-Id: I1369fd7835b31e57a094d07deb6a1aacc1d314b5

Configuration settings to support PCI-DSS:
1. Disable users based on a given minimum number of days of inactivity.
2. Lock out a user if the number of failed attempts exceeds a given limit.
3. Lock out a user for a given amount of time if locked out.
4. Expire a password after a given number of days has passed.
5. Require the user to create passwords that do not match the past given
number of iterations.
6. Limit the number of times a password can be changed per day.
7. Require password complexity.
Co-Authored-By: Ron De Rose ronald.de.rose@intel.com
Partially-Implements: blueprint pci-dss
Change-Id: I3ed5ca466ad15eab3c6e75aff3bb59543ecaabaa
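
The seven controls listed in the commit above map onto a handful of checks at login and password-change time. The block below is an added illustration written for this page, not Keystone's security_compliance implementation: the option names on the Policy class, the thresholds, the regex, the constructed clock T0 and the sample passwords are all this example's own choices. It shows where each control is enforced (controls 1-4 before the credential is even checked, 5-7 on every password change) and why the failed-attempt counter is reset when a lockout is applied.

```python
import hashlib
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Policy:
    """Thresholds for the seven PCI-DSS controls. Values are constructed for the example."""
    disable_after_days_inactive: int = 90                 # 1. inactivity disable
    lockout_failure_attempts: int = 5                     # 2. failed-attempt limit
    lockout_duration: timedelta = timedelta(minutes=30)   # 3. lockout period
    password_expires_days: int = 60                       # 4. password expiry
    unique_last_password_count: int = 5                   # 5. history depth
    max_changes_per_day: int = 1                          # 6. change-rate limit
    # 7. complexity: at least 12 chars with upper, lower, digit and symbol
    password_regex: str = r"^(?=.*[A-Z])(?=.*[a-z])(?=.*\d)(?=.*[^\w\s]).{12,}$"


@dataclass
class Account:
    enabled: bool = True
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    last_active_at: Optional[datetime] = None
    password_set_at: Optional[datetime] = None
    password_changes: List[datetime] = field(default_factory=list)
    password_history: List[str] = field(default_factory=list)  # digests, oldest first


class PolicyViolation(Exception):
    pass


def digest(password: str) -> str:
    # Placeholder for the history comparison only; real code stores slow KDF hashes (bcrypt/scrypt).
    return hashlib.sha256(password.encode()).hexdigest()


def check_login_allowed(policy: Policy, acct: Account, now: datetime) -> None:
    """Controls 1-4, evaluated before the credential itself is verified."""
    if acct.last_active_at and now - acct.last_active_at > timedelta(days=policy.disable_after_days_inactive):
        acct.enabled = False
    if not acct.enabled:
        raise PolicyViolation("account disabled")
    if acct.locked_until and now < acct.locked_until:
        raise PolicyViolation("account locked")
    if acct.password_set_at and now - acct.password_set_at > timedelta(days=policy.password_expires_days):
        raise PolicyViolation("password expired")


def record_auth_result(policy: Policy, acct: Account, now: datetime, success: bool) -> None:
    """Controls 2-3: count failures and lock the account once the limit is reached."""
    if success:
        acct.failed_attempts = 0
        acct.locked_until = None
        acct.last_active_at = now
        return
    acct.failed_attempts += 1
    if acct.failed_attempts >= policy.lockout_failure_attempts:
        acct.locked_until = now + policy.lockout_duration
        acct.failed_attempts = 0  # fresh count once the lockout expires, not an instant re-lock


def validate_new_password(policy: Policy, acct: Account, now: datetime, new_password: str) -> None:
    """Controls 5-7, applied on every password change."""
    if not re.match(policy.password_regex, new_password):
        raise PolicyViolation("password does not meet complexity requirements")
    if digest(new_password) in acct.password_history[-policy.unique_last_password_count:]:
        raise PolicyViolation("password reused")
    changes_today = [t for t in acct.password_changes if now - t < timedelta(days=1)]
    if len(changes_today) >= policy.max_changes_per_day:
        raise PolicyViolation("too many password changes today")


def change_password(policy: Policy, acct: Account, now: datetime, new_password: str) -> None:
    validate_new_password(policy, acct, now, new_password)
    acct.password_history.append(digest(new_password))
    acct.password_set_at = now
    acct.password_changes.append(now)


# Constructed clock for the demonstration, so callers need no datetime arithmetic of their own.
T0 = datetime(2016, 6, 1, 12, 0)


def at(days: int = 0, hours: int = 0, minutes: int = 0) -> datetime:
    return T0 + timedelta(days=days, hours=hours, minutes=minutes)


def violation(fn, *args) -> Optional[str]:
    """Run a check and return its violation message, or None if it passed."""
    try:
        fn(*args)
    except PolicyViolation as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    policy, acct = Policy(), Account()
    change_password(policy, acct, at(), "Correct-Horse-Battery-9")
    for _ in range(policy.lockout_failure_attempts):
        record_auth_result(policy, acct, at(), success=False)
    print(violation(check_login_allowed, policy, acct, at(minutes=1)))  # account locked
```

The inactivity check runs first and flips `enabled` persistently, so a long-dormant account stays disabled even after the operator clears a lockout; the expiry check runs last so that a locked-out user is not told which of the two conditions applies.
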
These config options and their supporting command are only useful
when deploying keystone under eventlet; with that removed these
are redundant.
Change-Id: I7c602805bba2c658d3280811ed8919f78ed3aa0d
implements: bp removed-as-of-newton

Eventlet has been deprecated since the Kilo release and is
being removed in Newton.
A follow on patch will be proposed to remove the [ssl] section
since it is now redundant.
Co-Authored-By: Grzegorz Grasza <grzegorz.grasza@intel.com>
Partially implements: bp removed-as-of-newton
Change-Id: I963d94bbd188dbb6eba68623a42c5bc3f2289da4

Default cache to be enabled for request.local caching.
Since the default cache backend is dogpile.null, it is
safe to turn on caching by default. This will enable the
request_local caching for all deployments that do not
explicitly disable caching, thereby limiting the traffic
to the backends on a per-request basis.
With caching (in memcache) the addition of request local
cache was noticeable (~10% improvement); it stands to reason
that it will provide even more when it is offloading the
requests directly to SQL/LDAP.
Change-Id: I47d40c36799645d6fdd7b71e14e774ad75aa55f7
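
The commit above turns caching on by default so that the request-local layer is always active. The block below is an added illustration of what that layer does, written for this page and not taken from Keystone or dogpile.cache: a thread-local dictionary is created when a request starts, consulted by a decorator around backend lookups, and thrown away when the request ends. The CountingIdentityBackend, its two users and the `backend_hits_for` driver are constructed for the demonstration.

```python
import threading
from functools import wraps

# One slot per thread; a request sets it up on entry and tears it down on exit.
_local = threading.local()


def begin_request() -> None:
    _local.cache = {}


def end_request() -> None:
    # Dropping the dict is what keeps one request's lookups from leaking into the next.
    _local.cache = None


def request_local_cache(fn):
    """Memoize fn for the duration of the current request only.

    Outside a request the wrapper is a pass-through, which is the behaviour a
    deployment with no cache backend (dogpile.null) sees.
    """
    @wraps(fn)
    def wrapper(*args):
        cache = getattr(_local, "cache", None)
        if cache is None:
            return fn(*args)
        key = (fn.__qualname__, args)
        if key not in cache:
            cache[key] = fn(*args)
        return cache[key]
    return wrapper


class CountingIdentityBackend:
    """Stand-in for a SQL/LDAP identity driver that counts how often it is hit."""

    def __init__(self):
        self.calls = 0
        # Constructed sample data.
        self._users = {"u1": {"id": "u1", "name": "alice"}, "u2": {"id": "u2", "name": "bob"}}

    @request_local_cache
    def get_user(self, user_id):
        self.calls += 1
        return dict(self._users[user_id])  # copy, so the caller cannot mutate backend state


def backend_hits_for(backend, lookups):
    """Replay (request_no, user_id) lookups, starting a new request whenever
    request_no changes, and return how many times the backend was actually hit."""
    current = None
    for request_no, user_id in lookups:
        if request_no != current:
            if current is not None:
                end_request()
            begin_request()
            current = request_no
        backend.get_user(user_id)
    if current is not None:
        end_request()
    return backend.calls


if __name__ == "__main__":
    b = CountingIdentityBackend()
    print(backend_hits_for(b, [(1, "u1"), (1, "u1"), (1, "u2"), (1, "u1")]))  # 2
```

Four lookups inside one request cost two backend round trips (one per distinct user); the first lookup of the next request goes to the backend again because the cache was discarded. A cache scoped any wider than the request would need the invalidation logic that the per-subsystem caches carry.
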
The domain_id_immutable option will be deprecated in a future
release. Since version 3.2, oslo.config supports the
deprecation reason with the attribute "deprecated_reason".
But the domain_id_immutable doesn't have that attribute.
This commit will add a deprecation reason attribute to the
domain_id_immutable option.
Change-Id: If6e3abd361dc93045a038096770b616c61c221e8
Closes-Bug: #1564961

Currently tox ignores D401 (401: First line should be in imperative mood).
This change removes it and makes keystoneauth docstrings compliant with it.
Change-Id: I136cf810f47c4c19f29216907a63f226930b5082
Partial-Bug: 1570049

OSprofiler is an Oslo library dedicated to enabling cross-service
OpenStack profiling. This makes it possible to trace the OpenStack
request through all projects supporting the library, where the
profiling is enabled, and generate JSON and HTML human-readable
reports, describing what time was spent on which operation, e.g.
API or DB request.
This change includes the following:
* Add settings for OSprofiler wsgi middleware
This middleware is used for 2 things:
1) It checks that the person who wants to trace is trusted and knows
the secret HMAC key (that is specified in paste.ini).
2) It initializes the profiler in case of proper trace headers
and adds the first wsgi trace point, with info about the HTTP request.
* Init profiler on start in both cases (httpd or eventlet)
* Adding new conf group for profiler (to enable/disable)
* By default osprofiler is disabled
TBD:
* Adding trace point for all DB (sql) calls. For proper format and
result oslo.db enginefacade module needs to be updated.
To test (old variant, will be changed with new commit to the
python-openstackclient):
$ . adminrc # you should be an admin user/tenant to fetch profiling data
$ keystone --profile SECRET_KEY user-list
$ osprofiler trace show --html --out result.html <TRACE_ID>
Old python-keystoneclient change: https://review.openstack.org/#/c/114856/
Python-openstack client change: https://review.openstack.org/#/c/255861/
Depends-On: I248b134e0e245bd4cece0ebe225b9b729eedaf78
Change-Id: I3d6eaa7a5ab7ee9ae177f3e1d6cc92f0a01e6a42

"Shadow users: unified identity" implementation:
Federated users have an idp_id, protocol_id, display name,
and a unique ID asserted by the identity provider. These
are the minimal pieces of data required to identify
returning users and provide them with a consistent identity.
Note: the following work items left will be completed in a
separate patch:
* Allow concrete role assignments for federated users
* Shadowing LDAP users
bp shadow-users
Change-Id: Ieb582947038b4a75ef4237939ad8a90079b38aa8

Moves all domain operations to project table, mapping domains
to projects that have the is_domain attribute set to True. Removes all
manager references to domain driver calls.
The V8 legacy wrapper ensures that manager calls for projects
acting as a domain end up calling the underlying driver domain
methods, so that older drivers are still supported.
The domain driver methods and the domain table will be removed in
follow-up patches.
Co-Authored-By: Raildo Mascena <raildo@lsd.ufcg.edu.br>
Co-Authored-By: Rodrigo Duarte <rodrigods@lsd.ufcg.edu.br>
Co-Authored-By: Samuel de Medeiros Queiroz <samueldmq@gmail.com>
Co-Authored-By: Adam Young <ayoung@redhat.com>
Co-Authored-By: Henry Nash <henryn@linux.vnet.ibm.com>
Change-Id: Ib22a0f3007cb7ef6b4df6f48da5f4d018e905f55
Implements: bp reseller

Default values for CORS middleware have been moved from paste.ini
into oslo's config generator. All configuration options in use will
now live in one place.
Change-Id: I9d31c574de6af4c7598c90d7e128cd9fa7273672

There should be no reason to leave these settings disabled by default.
By enabling them, keystone runs faster and consumes fewer resources.
Change-Id: I9f8d27b1f6dba19067f38e940632dcf3420c2bfa

Add back in support for ASSIGNMENT driver to be selected based upon
the IDENTITY driver and revert the changes to assert_backend
in test_backend_ldap based upon comments on commit
e6efbe62b8
Change-Id: Id6b753cb846204cf778971d60c2155f3416f8806

Since secure_proxy_ssl_header has a default, the code using it can
be simplified since there's no need to check if it's not set
anymore.
Also, corrected the " to ' since the OpenStack guideline is to prefer '.
Change-Id: I494354062fce99375c38ef3ce710459423bc5ec4

The LDAP backend supports mapping between LDAP and keystone user
attributes via the 'user_<attribute_name>_attribute' settings in the
LDAP driver configuration.
The current implementation is incomplete, since there is no support for
specifying a 'user_description_attribute' setting for user get (read)
operations.
This change adds support to the LDAP backend for mapping of user
description attributes via a 'user_description_attribute' configuration
also during user retrieval.
Change-Id: I30b63306beae3379aa8c29d0df3f327369d3f2a6
Closes-Bug: #1542417

There is only one sensible default for secure_proxy_ssl_header,
so let's use it, one less step for deployers to configure.
Change-Id: I0cee5d6051b2c91bc87dc7eabcec57dd4852184c
Closes-Bug: 1528258
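
Three commits on this page touch the same mechanism: the custom HTTP_X_FORWARDED_PROTO handling is deprecated in favour of shared middleware, secure_proxy_ssl_header gets a default, and the code reading it is simplified. The security-relevant point they share is that the request scheme is rewritten from a header any client can also send. The block below is an added example written for this page, not Keystone's or oslo.middleware's code: a minimal WSGI middleware that honours the header only when the request arrived from a configured trusted proxy, and strips it otherwise. The trusted-proxy list, the echo application and the constructed environ dictionaries are this example's assumptions; the commits describe no such list.

```python
import ipaddress
from typing import Iterable

# CGI-style environ key for "X-Forwarded-Proto", the default the commits give
# secure_proxy_ssl_header.
DEFAULT_SECURE_PROXY_SSL_HEADER = "HTTP_X_FORWARDED_PROTO"


class SecureProxySSLHeader:
    """Rewrite wsgi.url_scheme from a proxy header, but only for trusted proxies.

    trusted_proxies is an assumption of this example: without it any client
    reaching the service directly can claim it arrived over TLS.
    """

    def __init__(self, app, trusted_proxies: Iterable[str],
                 header: str = DEFAULT_SECURE_PROXY_SSL_HEADER):
        self.app = app
        self.header = header
        self.trusted = [ipaddress.ip_network(net) for net in trusted_proxies]

    def _from_trusted_proxy(self, environ) -> bool:
        try:
            peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
        except ValueError:
            return False
        return any(peer in net for net in self.trusted)

    def __call__(self, environ, start_response):
        value = environ.get(self.header)
        if value is not None:
            if self._from_trusted_proxy(environ):
                # A proxy chain may append values; the first is the client-facing hop.
                scheme = value.split(",")[0].strip().lower()
                if scheme in ("http", "https"):
                    environ["wsgi.url_scheme"] = scheme
            else:
                # Came from an untrusted peer: strip it so nothing downstream trusts it.
                del environ[self.header]
        return self.app(environ, start_response)


def echo_app(environ, start_response):
    """Constructed WSGI app reporting the scheme it sees and whether the header survived."""
    seen = "forwarded" if DEFAULT_SECURE_PROXY_SSL_HEADER in environ else "direct"
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"{environ['wsgi.url_scheme']} {seen}".encode()]


def run(app, environ):
    """Drive a WSGI app with an environ and return (status, body)."""
    status = []

    def start_response(s, headers, exc_info=None):
        status.append(s)

    body = b"".join(app(environ, start_response))
    return status[0], body.decode()


def make_environ(remote_addr, forwarded_proto=None):
    env = {"REQUEST_METHOD": "GET", "PATH_INFO": "/v3",
           "wsgi.url_scheme": "http", "REMOTE_ADDR": remote_addr}
    if forwarded_proto is not None:
        env[DEFAULT_SECURE_PROXY_SSL_HEADER] = forwarded_proto
    return env


def resolved(remote_addr, forwarded_proto=None, trusted=("10.0.0.0/8",)):
    """Scheme and header status the application ends up seeing."""
    app = SecureProxySSLHeader(echo_app, trusted)
    return run(app, make_environ(remote_addr, forwarded_proto))[1]


if __name__ == "__main__":
    print(resolved("10.1.2.3", "https"))       # https forwarded
    print(resolved("203.0.113.9", "https"))    # http direct
```

A request from 10.1.2.3 (inside the trusted range) carrying `X-Forwarded-Proto: https` is treated as TLS; the same header from 203.0.113.9 is removed and the scheme stays `http`. An unrecognised scheme value from a trusted proxy is left alone rather than trusted.
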
Restricts the update of a domain_id for a project, (even with the
'domain_id_immutable' property set to False), allowing it only for
root projects that have no children of their own. The update of the
domain_id of a project that has the is_domain field set True is not
allowed either. The update of this property may cause projects hierarchy
inconsistency and security issues.
This patch also sets the 'domain_id_immutable' as deprecated and emits
a WARN in case it is set False, when updating the domain_id of
users, groups or projects.
Closes-bug: 1479452
Related-bug: 1502157
Change-Id: Ib53f2173d4e4694d7ed2ecd330878664f8199371

The assignment.root_role config option was previously a single string
which specified a role name that was prohibited from being added as an
implied role. By default it was 'admin'. For greater flexibility we
now permit a list of role names that are prohibited from being
implied.
Summary of changes:
* Change assignment.root_role from cfg.StrOpt to cfg.ListOpt.
ListOpt is preferred over MultiStrOpt because of config file formatting.
Update help for option.
* Change assignment.root_role name to assignment.prohibited_implied_role
* Change test for implied role name from string equality to
membership in list of strings.
* Expand ImpliedRolesTests.test_root_role_as_implied_role_forbidden()
unit test to test 2 prohibited implied role names and 1 valid
implied role name.
Change-Id: Idfe14080e2f1ec1e89b85d8f5f00aad187f1fd22
Closes-Bug: #1541540
Signed-off-by: John Dennis <jdennis@redhat.com>

A couple typos were noted in the review of commit
I523dcfc1701a6f7c725c4aa11482bfc15a3515a5 after the patch was
already about to be merged.
Change-Id: I28ee5a74a23265dda3f3339e2cba36e626b06de9

python-ldap calls out to openldap which can handle multiple URLs for
ldap servers (for the purpose of high availability). openldap expects
these urls to be separated by a comma or whitespace.
Change the help text to specify a comma separated list of URLs is
allowed.
Change-Id: I523dcfc1701a6f7c725c4aa11482bfc15a3515a5
Closes-Bug: #1500631

Version 3.2.0 of oslo.config supports a deprecated_reason to
help explain to deployers why an option will soon be removed.
This patch aims to provide a good explanation to the currently
deprecated options.
Note: The eventlet related options that are deprecated for removal
were not changed since they are slated for removal in Mitaka.
Change-Id: I1befef16e1266b9e08c83ba5beb498f669d066ae

Use the documented oslo.log [1] method for altering the
default_log_levels to be consistent with TC approved projects.
[1] http://docs.openstack.org/developer/oslo.log/usage.html
Closes-Bug: 1542470
Change-Id: I4999c218e963764bd7c35f813941450b11dc9aa1

Updated the relevant config options for Token signing
and deprecated the simple_signing_cert extension that
is only used for support of the PKI/PKIz providers.
This patch makes the public facing Router used in
the PASTE-INI emit a deprecation warning and moves
the logic into the token subsection and always
attaches it to the V3 Service object. This is part
of the effort to move all extensions (deprecated
or not) into core.
Change-Id: I15a58c07d769045ad61e9d600dbf943987993353
bp: deprecated-as-of-mitaka

CRD for implied roles.
Implied roles are expanded in token issue and validation responses.
Explicitly forbids creating a rule with admin as the implied role to
avoid escalation of privileges.
Co-Authored-By: Henry Nash <henryn@linux.vnet.ibm.com>
implements: blueprint implied-roles
Change-Id: I812843adb9a1748fb471325797dad80e1baea565
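
Two commits above define the implied-roles rules: the assignment.prohibited_implied_role change replaces the single root_role string with a list of role names that may never appear as an implied role, and the commit just above expands implied roles when a token is issued or validated and forbids admin as an implied role to prevent privilege escalation. The block below is an added example written for this page, not Keystone's assignment backend: an in-memory rule store with the prohibited-list check at rule creation (a membership test, as the commit describes) and a cycle-safe transitive expansion for the token. The default prohibited list, the sample roles and the admin -> member -> reader rule chain are constructed for the demonstration.

```python
from collections import defaultdict, deque
from typing import Dict, Iterable, List, Set


class ForbiddenImpliedRole(Exception):
    pass


class ImpliedRoleStore:
    """In-memory stand-in for the implied-role rules (prior role -> implied roles).

    prohibited_implied_roles plays the part of the list option described in the
    commits; defaulting it to ['admin'] is this example's assumption.
    """

    def __init__(self, prohibited_implied_roles: Iterable[str] = ("admin",)):
        self.prohibited: Set[str] = set(prohibited_implied_roles)
        self.rules: Dict[str, Set[str]] = defaultdict(set)

    def create_rule(self, prior_role: str, implied_role: str) -> None:
        # Membership in the list replaces the old single-string equality test.
        if implied_role in self.prohibited:
            raise ForbiddenImpliedRole(f"{implied_role!r} may not be an implied role")
        if prior_role == implied_role:
            raise ValueError("a role cannot imply itself")
        self.rules[prior_role].add(implied_role)

    def delete_rule(self, prior_role: str, implied_role: str) -> None:
        self.rules[prior_role].discard(implied_role)

    def try_create_rule(self, prior_role: str, implied_role: str) -> bool:
        """True if the rule was created, False if the implied role is prohibited."""
        try:
            self.create_rule(prior_role, implied_role)
        except ForbiddenImpliedRole:
            return False
        return True

    def expand(self, direct_roles: Iterable[str]) -> List[str]:
        """Roles to place in a token: direct assignments plus their transitive implications.

        Breadth-first with a visited set, so a cycle in the rules cannot loop forever.
        """
        seen: Set[str] = set(direct_roles)
        queue = deque(seen)
        while queue:
            role = queue.popleft()
            for implied in self.rules.get(role, ()):
                if implied not in seen:
                    seen.add(implied)
                    queue.append(implied)
        return sorted(seen)


def build_example_store() -> ImpliedRoleStore:
    """Constructed rule set: admin -> member -> reader, plus a reader -> member cycle."""
    store = ImpliedRoleStore(prohibited_implied_roles=["admin", "service"])
    store.create_rule("admin", "member")
    store.create_rule("member", "reader")
    store.create_rule("reader", "member")
    return store


if __name__ == "__main__":
    store = build_example_store()
    print(store.expand(["admin"]))                  # ['admin', 'member', 'reader']
    print(store.try_create_rule("member", "admin"))  # False: admin is prohibited
```

Because expansion is a closure over the rules, a single `member -> admin` rule would hand every member the admin role in their tokens; that is the escalation the prohibited list blocks, and it has to be enforced on the rule, not on individual assignments.
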
This patch addresses most of the comments from patch:
https://review.openstack.org/#/c/264260/
Changes:
- fix nits on documentation
- minor refactor in get and delete of implied
roles SQL backend
- added tests for CRD of implied role and ImpliedRoleNotFound
Change-Id: I96ce922d94826cc985af4f4b4acff3be24b35aad

At the previous summit, we decided to deprecate write support for
identity LDAP. It'll be removed in 2 releases. Several config
options were affected, and those operations should now have
deprecation warnings.
implements bp: deprecated-as-of-mitaka
Change-Id: I1e989d6c5e85ba303609c7bb36116a8bdedce9e4

The PKI and PKIz drivers are now deprecated, but one of the
config options that only works for PKI has not been deprecated.
implements bp: deprecated-as-of-mitaka
Change-Id: I55d5fb2a2678dccd8638b0460921ba6f8e76da6a