* Update keystone-specs from branch 'master'
to 330200b4d8c6558a8ea2964d521b5d2f659a48c0
- Merge "External OAuth2.0 Authorization Server Support"
- External OAuth2.0 Authorization Server Support
This spec proposes to add a new keystone middleware that implements
RFC7662 OAuth 2.0 Token Introspection [1] and allows users to optionally
use that middleware when using an external authorization server.
OpenStack services will be able to validate their OAuth2.0 client with
an external authorization server other than Keystone.
[1] https://datatracker.ietf.org/doc/html/rfc7662
Change-Id: Ie1066ab2735205fcb534e7697c3b9a5aa2d23eeb
* Update keystone-specs from branch 'master'
to 12f37d354808921834b4beb5193d95adae4aa3ad
- OAuth 2.0 Mutual-TLS Support
This spec proposes to provide the option for users to
proof-of-possession of OAuth2.0 access token based on RFC8705 OAuth 2.0
Mutual-TLS Client Authentication and Certificate-Bound Access Tokens.
Users will be able to authenticate their OAuth2.0 client with a client
certificate instead of using Basic authentication with
client_id/client_secret to prevent a token from being used by a
malicious client. This protects Keystone Identity and other OpenStack
services from spoofed OAuth clients.
Change-Id: I67e030c183631bd421cc93ceb767f60fa178238a
* Update keystone-specs from branch 'master'
to 75b4fb25c5b6e2c6ef4b0157c98eeb17c777c054
- Describe the need for a default service role
Related-Bug: 1951632
Change-Id: Idef5ac4083a7070f272b3e15a464a8c9dc447d47
* Update keystone-specs from branch 'master'
to 7071cf3e949cd7bee726b0794b3585cfe25a7f96
- remove unicode from code
Change-Id: Iaba4a7f39fbc0ed26339cac4d5c693fa0684c7cb
* Update keystone-specs from branch 'master'
to 24b290674aa84a4834130daa8057ebb0c71ba084
- Use TOX_CONSTRAINTS_FILE
UPPER_CONSTRAINTS_FILE is old name and deprecated
This allows to use upper-constraints file as more
readable way instead of UPPER_CONSTRAINTS_FILE=<lower-constraints file>.
Change-Id: Ie0e9cdb7b5da013fcc61cc11722e5a5c412b63ac
* Update keystone-specs from branch 'master'
to 6df4f46055c64e877ce555123b5be7ab395429cc
- Disable auto-discovery for setuptools and update python testing
With setuptools release 61.0.0 docs build started to fail:
error: Multiple top-level packages discovered in a flat-layout:
['specs', 'attic', 'superseded'].
This bug is mentioned in setuptools issue 3197 [0], and the suggested
workaround is to disable auto-discovery by adding 'py_modules=[]' in
setup.py.
Also use recent python versions because the old ones are no longer available.
These 2 unrelated changes need to be merged together in order to unblock
the gate.
[0] https://github.com/pypa/setuptools/issues/3197
Change-Id: Iddc30b9521b61d9083c2b1f6e8a6707196ea0a57
* Update keystone-specs from branch 'master'
to f9f4e50737a01409391517b9b5be049419223554
- Describe the need for a default manager role
Related-Bug: 1951622
Change-Id: Ida889aa30d462443b801c0f524c51f54b8b756d5
* Update keystone-specs from branch 'master'
to 8145886d241a48e9dd418c4b56a3a200a0ffe736
- OAuth2.0 Client Credentials Grant Flow Support
This spec proposes to allow users to optionally use an OAuth2.0 Client
Credentials Grant flow to authorize an API client. In order to realize
this, we implement an OAuth2.0 authorization server as an extension of
keystone.
Implements: blueprint oauth2-client-credentials-ext
Change-Id: I4954c1e8f22199deb13031441c46a3565383412d
* Update keystone-specs from branch 'master'
- Switch to newer openstackdocstheme version
Switch to openstackdocstheme 2.2.1 version. Using
this version will allow especially:
* Linking from HTML to PDF document
* Allow parallel building of documents
* Fix some rendering problems
Update Sphinx version as well.
Disable openstackdocs_auto_name to use 'project' variable as name.
Change pygments_style to 'native' since old theme version always used
'native' and the theme now respects the setting and using 'sphinx' can
lead to some strange rendering.
openstackdocstheme renames some variables, so follow the renames
before the next release removes them. A couple of variables are also
not needed anymore, remove them.
See also
http://lists.openstack.org/pipermail/openstack-discuss/2020-May/014971.html
Change-Id: I27fd7e7310b2a1be3b283d43f40436ba5e165bbf
* Update keystone-specs from branch 'master'
- Cleanup py27 support
Make a few cleanups:
- Remove obsolete sections from setup.cfg
- Update classifiers
- Update requirements, no need for python_version anymore
- Use newer openstackdocstheme version
- Remove install_command from tox.ini, the default is fine
- Remove py27 stanza from setup.py
Change-Id: I3f517a43fbc1689ac1627a0a7c802dd08a9e2630
* Update keystone-specs from branch 'master'
- Merge "[ussuri][goal] Drop python 2.7 support"
- [ussuri][goal] Drop python 2.7 support
OpenStack is dropping the py2.7 support in ussuri cycle.
specs repo either has py27 job or requirement or tox env.
Ussuri Community-wide goal:
https://governance.openstack.org/tc/goals/selected/ussuri/drop-py27.html
Change-Id: Ie17b61301a941ff554de9fcb8985b5b1e4096113
* Update keystone-specs from branch 'master'
- Merge "Repropose Expiring Group Membership for Ussuri"
- Repropose Expiring Group Membership for Ussuri
Add federated users to the groups that they receive from the mapping rules.
This membership is only carried by the token and not persisted in the
database. The membership expires, but can be renewed when the user
authenticates with the same group.
Previously approved for Train, fell into backlog, reproposing for Ussuri.
Change-Id: Ie133c14ffba5e4189265920759bfb5e1391f1189
Partial-Bug: 1809116
* Update keystone-specs from branch 'master'
- Merge "Repropose federated attributes in the user API for Ussuri"
- Repropose federated attributes in the user API for Ussuri
Change-Id: I6872b67a254c12056c4484b53a5647618c37916d
Related-Bug: 1816076
* Update keystone-specs from branch 'master'
- Merge "OpenID Connect improved support"
- OpenID Connect improved support
OpenID Connect is supported in Keystone by leveraging the Apache
mod_auth_oidc module and the Keystone Federation plugin. OpenID Connect
works fine when accessing OpenStack through the dashboard, but it
requires additional configuration steps to make it work when using the
OpenStack CLI tools. This spec aims at improving the support, so
that the same outcome is obtained, regardless of the way the user
accesses the cloud.
Implements blueprint: improved-oidc-support
Change-Id: I97f7a34d398ba673d7733fb2aaa490ebc9298afd
* Update keystone-specs from branch 'master'
- Set up for Ussuri
* Move uncompleted specs to the backlog (will discuss adding them to
Ussuri in planning meeting)
* Move Train section under "implemented"
* Create new empty section for Ussuri with new roadmap link
Change-Id: Id06bba1512364f8b4daeb3a594ff1e5b896f1b90
* Update keystone-specs from branch 'master'
- Update docstheme options
Update openstackdocstheme options so that "Report a bug" works.
Remove git settings for last update, the theme handles this now
by default.
Remove viewdocs and autodocs options, they are for source code but this
repo has no sourcecode.
Update minimal openstackdocstheme version so that these settings work.
Change-Id: I1dedf35825fd2fbd4dcbf8991affcd1f54d0ed70
* Update keystone-specs from branch 'master'
- Add Python 3 Train unit tests
This is a mechanically generated patch to ensure unit testing is in place
for all of the Tested Runtimes for Train.
See the Train python3-updates goal document for details:
https://governance.openstack.org/tc/goals/train/python3-updates.html
Change-Id: I29a89ee1abbbfaa7d9593923c17f8999b9323d25
Story: #2005924
Task: #34215
* Update keystone-specs from branch 'master'
- Sync sphinx requirement
This is needed to get the requirements check job to pass.
Change-Id: I5d03f407053ef5a4a6414e4aad4ec8f09fcf9ae3
* Update keystone-specs from branch 'master'
- Use upper-constraints
Using upper-constraints in the keystone-specs tox environment ensures
that libraries go through validation in the requirements project and
don't break our CI.
Change-Id: Ic38c11bec5fe50c7fff7c1f4dec86504a29ba222
* Update keystone-specs from branch 'master'
- Correct style errors
These style errors weren't caught before the specs merged because the
linter jobs weren't being run when only RST files were changed. Correct
them now so that a later patch can update the jobs.
Change-Id: I1c24cece2c64c9453698280cc365ac150d2474a4
* Update keystone-specs from branch 'master'
- Merge "Expiring Group Membership Through Mapping Rules"
- Expiring Group Membership Through Mapping Rules
Add federated users to the groups that they receive from the mapping rules.
This membership is only carried by the token and not persisted in the
database. The membership expires, but can be renewed when the user
authenticates with the same group.
Partial-Bug: 1809116
Change-Id: If376a1ce18f9b628f429f3cac957c76dacd00a34
* Update keystone-specs from branch 'master'
- Merge "Add spec for immutable resources"
- Add spec for immutable resources
This spec proposes to allow roles, users, projects, and domains to be
marked as "immutable", and further elaborates on the migration procedure
to make the admin role immutable by default.
Co-authored-by: Lance Bragstad <lbragstad@gmail.com>
Change-Id: I9b537ef7a70fa7e61c8cf0d6811120198a01ab37
* Update keystone-specs from branch 'master'
- Merge "Combine policy roadmap documents"
- Combine policy roadmap documents
The Goals document and the Roadmap document are closely related to each
other and both cover long-term, ongoing work. This change combines the
specs so that a view of the whole policy story can be found in one
document.
Change-Id: Ib6ff52bf6d337bc0390da168ee960644137ef40a
* Update keystone-specs from branch 'master'
- Merge "Move unified model spec from ongoing to backlog"
- Move unified model spec from ongoing to backlog
Since there is no active work happening on this improvement, but we
still generally think it's the right direction, move the spec from
"ongoing" to "backlog" so that it can be picked up when we are ready to
plan it into a cycle.
Change-Id: I69403a035bf4540a93f4728f8b795d9c7a85cc6f
* Update keystone-specs from branch 'master'
- Merge "Move SP endpoint filters spec to attic"
- Move SP endpoint filters spec to attic
As discussed at the PTG, we don't want to focus on expanding the scope
of endpoint filtering, so rather than keep it in the backlog to wait for
someone to pick it up, move it to the attic to signal that this is not
something we want to prioritize. If we decide this is valuable and
someone is willing to pick it up, we can always move it back out of the
attic.
Change-Id: I95c094f4d4df2e44cd23d2715275199a4e6c8200
* Update keystone-specs from branch 'master'
- Merge "Update tracking reference for federated attrs spec"
- Update tracking reference for federated attrs spec
The blueprint was ported to a bug, so update the reference in the spec.
Change-Id: I2a0eb685532d5d2fcf7a434745d67d365cdac47f
* Update keystone-specs from branch 'master'
- Merge "Repropose federated attributes in the user API for Train"
- Repropose federated attributes in the user API for Train
Most of the work for this has already been done, and with the move
towards predictable IDs, there is a real need for a mechanism
to prepopulate the users as part of the synchronization process.
https://review.openstack.org/#/c/612099/
Related-Bug: 1816076
Change-Id: I9906a9d76479364134ef21a0cf578ff6d5cf07b9
* Update keystone-specs from branch 'master'
- Merge "Move Object Dependency Lifecycle spec to Rocky"
- Move Object Dependency Lifecycle spec to Rocky
The work around the object dependency lifecycle spec was completed in Rocky
when the @depends and associated magic attribute handling for the
managers was eliminated for the single-instantiation set of managers
directly referenced instead of self.XXXX_api
Change-Id: I5469195ff97bf1a36ce3936c2ad497f70b42470f
* Update keystone-specs from branch 'master'
- Merge "Move 'functional testing' spec to attic"
- Move 'functional testing' spec to attic
As discussed at the Denver (2019) PTG, this spec is not super useful as
proposed. We have started work to improve our testing in a number of
ways. If the specific use-case of functional testing as proposed in the
spec receives interest the spec can be retrieved from the attic.
Change-Id: I238b16a30f131bf9d6a754c4dda48ac8e83a51b0
* Update keystone-specs from branch 'master'
- Merge "Add info resource-option-for-all spec"
- Add info resource-option-for-all spec
Resource options for all needed a little more
information about the end user impact. This
change adds that information.
Change-Id: I6131c08cf5730077ab74a47f2806f1d0b0456995
* Update keystone-specs from branch 'master'
- Merge "Move the request-helpers spec for keystonemiddleware to attic"
- Move the request-helpers spec for keystonemiddleware to attic
Move the request-helpers backlog spec for keystonemiddleware to the
attic. At the Denver PTG (2019) we discussed this spec. We are in a
very different space from where we were at the time of proposal, and
if there is a desire to revisit this specific specification it can
be brought back from the attic.
Change-Id: I3e1ab025bb998b14c0a71854b9109d9f29b25ee9
* Update keystone-specs from branch 'master'
- Merge "Move endpoint-enforcement-middleware spec to attic"
- Move endpoint-enforcement-middleware spec to attic
At the Denver PTG, it was agreed that the endpoint-enforcement spec for
the enforcement of endpoint filtering in middleware is not something
we are looking to implement. The spec can be recovered from the attic
if there is interest in the work.
Change-Id: I9e13969714f56a166c6394934514d7b95b849e05
* Update keystone-specs from branch 'master'
- Merge "Add resource-options-for-all specification"
- Add resource-options-for-all specification
Specification defining the addition of resource options for all
resources within Keystone instead of just users.
Change-Id: I6228e503f908b4bc82aa55b908995314e3e6adf7
partial-bug: 1807751
* Update keystone-specs from branch 'master'
- Add role implication note to basic-default-roles
Expanding upon the Risk Mitigation section of the spec. Note that
role implications will be created admin->member->reader regardless of
whether or not a new role was created during bootstrap.
Change-Id: Ie5cfd122554ccb06be3a7b165209c6b9c3f453db
- OpenDev Migration Patch
This commit was bulk generated and pushed by the OpenDev sysadmins
as a part of the Git hosting and code review systems migration
detailed in these mailing list posts:
http://lists.openstack.org/pipermail/openstack-discuss/2019-March/003603.html
http://lists.openstack.org/pipermail/openstack-discuss/2019-April/004920.html
Attempts have been made to correct repository namespaces and
hostnames based on simple pattern matching, but it's possible some
were updated incorrectly or missed entirely. Please reach out to us
via the contact information listed at https://opendev.org/ with any
questions you may have.
* Update keystone-specs from branch 'master'
- Merge "NIT : Fix broken link"
- NIT : Fix broken link
This patch fixes the url of the flat
enforcement model in the spec
strict_two_level_enforcement_model.rst
Change-Id: Iec9d0a5dcfef268dce5f664075256806c93ee2a6
* Update keystone-specs from branch 'master'
- Merge "Repropose unfinished Stein specs to Train"
- Repropose unfinished Stein specs to Train
The explicit domain IDs and capabilities/access rules specs were not
finished in Stein but are already in progress and on target to finish
early in the Train cycle.
Change-Id: I052079fcdb11f8e11c854b11d8013fd460f421ec
* Update keystone-specs from branch 'master'
- Replace openstack.org git:// URLs with https://
This is a mechanically generated change to replace openstack.org
git:// URLs with https:// equivalents.
This is in aid of a planned future move of the git hosting
infrastructure to a self-hosted instance of gitea (https://gitea.io),
which does not support the git wire protocol at this stage.
This update should result in no functional change.
For more information see the thread at
http://lists.openstack.org/pipermail/openstack-discuss/2019-March/003825.html
Change-Id: Idc8ee6859b7c3428014b2e9e905317121412550a
* Update keystone-specs from branch 'master'
- Update app cred capabilities spec
This change brings the spec, which was agreed upon nearly a year ago,
into alignment with the current proposed implementation. It also cleans
up some formatting and style issues.
Change-Id: I0bd99d24517b90f16557aadc3d721ecee9cd8eb5
* Update keystone-specs from branch 'master'
- Merge "Add note about boilerplate content"
- Add note about boilerplate content
Provide guidance in the template to remove the boilerplate
text. Many specs have much of the boilerplate remaining
including the description of how to use the spec template.
The boilerplate content should not be left in specs.
Change-Id: I974764f1534efd0530517bd74a52a5a5b70b898f
* Update keystone-specs from branch 'master'
- Merge "Update template with guidance for bugs over bp"
- Update template with guidance for bugs over bp
Change the template and provide guidance for using a LP bug instead
of the blueprints. This is due to the differences in blueprints and
bugs. Blueprints do not have comments and the entire body is mutable.
With the entire content being mutable (and having no real history
functionality) anyone can change the blueprint and lose all tracking
of patches proposed for the work.
When a bug is used instead of a blueprint, each patch proposal and
merge generates an immutable comment. Short of deleting the bug, the
tracking of the work that has been done cannot be lost.
Bugs can also be closed with a ``closes-bug`` line in the commit
messages where specs take extra human intervention to mark as complete.
Change-Id: Id575258f98baddc7e4fe1ebfe5c00e9ea3a87e9f
* Update keystone-specs from branch 'master'
- Update inaccurate details in JWS specification
Originally, when we were designing the implementation for a JWT
provider, we thought we would be able to use multiple signature
support in the JWS specification to allow tokens to have multiple
signatures. This would allow operators to specify multiple private
keys when rotating old/compromised keys off of a keystone server.
While that information is clearly documented in the JWS specification:
https://tools.ietf.org/html/rfc7515#section-7
Support for signing tokens with multiple private keys doesn't exist
yet in the library we're consuming for JWT (PyJWT).
This commit updates the specification with those details and attempts
to preserve the context of why we're not taking a multi-signature
approach right now. I've opened an issue in the upstream library we
consume to track the discussion:
https://github.com/jpadilla/pyjwt/issues/390
bp json-web-tokens
Change-Id: I3c1d431241fab79d7c3feefeb978a977487e7bc0
- Merge "Delete the duplicate words in multi-backend-uuids.rst"
- Merge "Add domain level limit support"
- Merge "Add a note about crypto-agility with JWT"
- Merge "Repropose JWT specification for Stein"
- Add a note about crypto-agility with JWT
This is explicitly calling out how Fernet should be used to
exercise crypto-agility in the event a security flaw is uncovered
in the JWT/JWS/JWE specifications or implementations. At least until
more algorithms are supported.
Change-Id: I5338c64f3a592768f70e3a4254b7bfeeb101102b
- Change openstack-dev to openstack-discuss
Mailinglists have been updated. Openstack-discuss replaces
openstack-dev.
Change-Id: Iba19dc4fa808624fbc59e3341ff1e5c55d58283e
- Add domain level limit support
This is the spec for domain level limit support.
Change-Id: Ie808328de03b19260574055f42007952e8b5a808
bp: domain-level-limit
- Delete the duplicate words in multi-backend-uuids.rst
Change-Id: I95adf24fcf4c2fe972f1b51c003269efb4a0eaa0
- Merge "Update policy security roadmap"
- Merge "fix misspelling of configuration"
- fix wrong spelling of "configuration"
Change-Id: I6f4b9df712b66da21ac0caffb503890b742df45f
- Repropose JWT specification for Stein
This spec was something we agreed upon as a team during the Queens
release. This commit reproposes it for Stein.
Major differences between this specification and the original proposal
from Queens include:
- the algorithm targeted for the implementation
- the library being used to sign and validate JWTs
- the payload data and claim information
- asymmetric key rotation details
bp json-web-tokens
Change-Id: I598faca40a6d81dd58155165d4a323fb437f7a6c
- Update policy security roadmap
Some things have changed since this was originally written and this
patch attempts to update those things.
Change-Id: Ibc24b4192f5cec2efa4eef79e94bdbcf27ffc162
- Fix spelling in explicit domain id specification
Change-Id: I67bd84f69208348e7a7e8719d6e6f1acd00bf9db
- fix misspelling of configuration
Change-Id: If8571263a0240337ff94a270831b9ca5ec0149ae
- Clean up explicit domain IDs specification
Change-Id: I685e8aff8deda7a2bb6563989bf62252ecf05f25
- Merge "Explicit Domain Ids"
- Explicit Domain Ids
Change-Id: I49bdc1b051f0beb5e0c1fb19a749c8c6a546db92
- Update spec template
We no longer store the API reference in the specs directory. API changes
are proposed directly in the spec, and then documented in the api-ref/
directory in the keystone repository after the fact. This patch removes
these outdated instructions.
Change-Id: If22bb5404a083aa709860ad92a7409b2156079ec
- Merge "fix tox python3 overrides"
- Fix broken link to Stein roadmap
The link to the Stein roadmap was populated before we actually went
through the schedule for Stein. We actually used a copy of a previous
roadmap to build the Stein roadmap, making it easier to manage carry
over items. As a result, the original link isn't useful and was
abandoned.
This commit updates the link to point to the correct roadmap.
Change-Id: Ib02bd11b3604c366db873c0f74d739dd04d322e2
- fix tox python3 overrides
We want to default to running all tox environments under python 3, so
set the basepython value in each environment.
We do not want to specify a minor version number, because we do not
want to have to update the file every time we upgrade python.
We do not want to set the override once in testenv, because that
breaks the more specific versions used in default environments like
py35 and py36.
Change-Id: I8f4db75f30021fca61f7c073018a533b02316ece
Signed-off-by: Doug Hellmann <doug@doughellmann.com>
- Fix grammatical error in policy goals spec
Change-Id: I40a9625dcb10f5506749fee170c9e4cc45ce348f
- Run python 3.6
Use python 3.6 for tests. Even though this repository is relatively
slim when it comes to tests, we should use an updated version of
python. This is also consistent with the Stein community goal to move
towards python3.
Change-Id: I816cd684bacd1aefb19600d44c8bbf1609a0b79d
- import zuul job settings from project-config
This is a mechanically generated patch to complete step 1 of moving
the zuul job settings out of project-config and into each project
repository.
Because there will be a separate patch on each branch, the branch
specifiers for branch-specific jobs have been removed.
Because this patch is generated by a script, there may be some
cosmetic changes to the layout of the YAML file(s) as the contents are
normalized.
See the python3-first goal document for details:
https://governance.openstack.org/tc/goals/stein/python3-first.html
Change-Id: Iaa10c8f02b1c21071c3d30643fb8e772d00e2682
Story: #2002586
Task: #24304
- Move MFA receipt specification to Stein
This work was staged for Rocky but wasn't completed. This commit
reproposes it to Stein to keep the Rocky specs directory accurate.
Change-Id: Ia5317137eabcc1199659f05eee076a4bb11b5b6c
- Repropose capability lists to Stein
This work wasn't completed in Rocky, but the specification was
targeted to the release. This commit bumps it to the Stein release.
Change-Id: I2147f3cfb68b719666544fb1a7a7393a67c7bb2b
- Switch to stestr
According to Openstack summit session [1],
stestr is a maintained project to which all Openstack projects should migrate.
Let's switch to stestr as other projects have already moved to it.
This change also fixes a bunch of D001 violations where lines are too
long in .rst documents.
[1] https://etherpad.openstack.org/p/YVR-python-pti
Change-Id: Ic20ae60d9020896690c5e7f07124d7500ffd3d2d
- Update the default roles spec to include Rocky details
Since we're not going to get everything detailed in this specification
done in Rocky, we should update the spec to clarify what we did get
done and what we plan to pick in subsequent releases.
Change-Id: Ife2089167354b9e1c918dd9219aff5e5ff66e856
- Merge "Update links in README"
- Update links in README
Change the outdated links to the latest links in README
Change-Id: Iab2c5601014dc4ae06ba1568758afdb48642a62b
- Address follow-on comments in strict-two-level spec
This change addresses concerns raised in the original review of the
strict two level enforcement model:
Ibfb2ba2ffb0115fa7cf81d30bf9a025652d9ba42
bp strict-two-level-enforcement-model
Change-Id: I7190443de8be189eac06a6f01f99a5e5bfabbbc9
- Strict Two-Level Limits Enforcement Model
This spec talks about how the hierarchical unified limits
will work in Keystone and its consumers.
In rocky, we'd like to add the strict two level enforcement model
as the base one for hierarchical unified limits.
Co-Authored-By: John Garbutt <john@johngarbutt.com>
Co-Authored-By: Lance Bragstad <lbragstad@gmail.com>
Co-Authored-By: Morgan Fainberg <morgan.fainberg@gmail.com>
Change-Id: Ibfb2ba2ffb0115fa7cf81d30bf9a025652d9ba42
bp: strict-two-level-enforcement-model
- Update blueprint link in default roles specification
The link for the blueprint was 404'ing because it was
pointing to a different namespace. This commit updates the
specification to point to the blueprint tracked within
keystone for the default roles work.
Change-Id: I6a22dcc81c382a7e9ce559b7bf8bda2685023b87
- Follow-up -- replace 'auditor' role with 'reader'
Follow-up patch after Vancouver summit. After discussion the term
'reader' was determined to be more appropriate than 'auditor' as
a default name for roles.
Change-Id: Ia99807952d4f1025a69e9c94edf1ea949afb7d09
- Define a set of basic default roles
With the recent work to keystone and oslo.policy, we should be able to
offer tooling to project development teams so they can start evolving
their policies. Before we start changing things, we should come to
consensus on a set of defaults we should offer out of the box.
Moving towards a set of known defaults will make maintenance for
operators much easier. It will also build the foundation for a more
robust RBAC system that is better at modeling complex
organization, ultimately being more useful in the real-world.
Change-Id: Ia6ddf64b4483a73ab79c86d5d794cce561aa19e0
Co-authored-By: Lance Bragstad <lbragstad@gmail.com>
Co-Authored-By: Jamie Lennox <jamielennox@gmail.com>
* Update keystone-specs from branch 'master'
- Add capabilities to application credentials
This spec describes a capability list extension for
application credentials that allows their creator to restrict
their usage to a white list of capabilities, each of which
consists of HTTP methods and permitted URL paths. Any request
using the application credential must match an entry in this
list. All other requests are rejected.
Change-Id: Iffc853971e909bd3ca8829b410a7014929c8b7e6
* Update keystone-specs from branch 'master'
- Merge "Log queens specifications with previous releases"
- Log queens specifications with previous releases
Now that Rocky is open for development, let's put the Queens specs
with the rest of the releases.
Change-Id: Iee77aa0b507dbf0e5b37db2a376c36ede39bd3db