Commit Graph

617 Commits

Author SHA1 Message Date
Rafael Weingärtner 2170b9176d Add schema version and support to "domain" attribute in mapping rules
As discussed in the Keystone meeting [1], I am proposing this spec, so
we can review and discuss the implementation proposed in [2].

[1] http://eavesdrop.openstack.org/meetings/keystone/2020/keystone.2020-08-25-16.59.log.txt
[2] https://review.opendev.org/#/c/739966/

Change-Id: I84426119a60c595eaf462662c6a24a990914c516
Implements: blueprint versioning-for-attribute-mapping-schema
RFE: https://bugs.launchpad.net/keystone/+bug/1887515
2023-11-20 17:40:45 -03:00
Zuul 330200b4d8 Merge "External OAuth2.0 Authorization Server Support" 2023-06-14 19:35:21 +00:00
Hiromu Asahina 4dd8dfab34 External OAuth2.0 Authorization Server Support
This spec proposes to add a new keystone middleware that implements
RFC7662 OAuth 2.0 Token Introspection [1] and allows users to optionally
use that middleware when using an external authorization server.
OpenStack services will be able to validate their OAuth2.0 client with
an external authorization server other than Keystone.

[1] https://datatracker.ietf.org/doc/html/rfc7662

Change-Id: Ie1066ab2735205fcb534e7697c3b9a5aa2d23eeb
2023-05-31 00:55:29 +09:00
Hiromu Asahina 12f37d3548 OAuth 2.0 Mutual-TLS Support
This spec proposes to provide the option for users to
proof-of-possession of OAuth2.0 access token based on RFC8705 OAuth 2.0
Mutual-TLS Client Authentication and Certificate-Bound Access Tokens.
Users will be able to authenticate their OAuth2.0 client with a client
certificate instead of using Basic authentication with
client_id/client_secret to prevent a token from being used by a
malicious client. This protects Keystone Identity and other OpenStack
services from spoofed OAuth clients.

Change-Id: I67e030c183631bd421cc93ceb767f60fa178238a
2022-12-13 23:54:11 +09:00
Lance Bragstad 75b4fb25c5 Describe the need for a default service role
Related-Bug: 1951632

Change-Id: Idef5ac4083a7070f272b3e15a464a8c9dc447d47
2022-11-13 19:03:58 -06:00
niuke 7071cf3e94 remove unicode from code
Change-Id: Iaba4a7f39fbc0ed26339cac4d5c693fa0684c7cb
2022-10-19 12:36:41 +00:00
jiaqi07 24b290674a Use TOX_CONSTRAINTS_FILE
UPPER_CONSTRAINTS_FILE is the old name and is deprecated.
This allows using the upper-constraints file in a more
readable way instead of UPPER_CONSTRAINTS_FILE=<lower-constraints file>.

Change-Id: Ie0e9cdb7b5da013fcc61cc11722e5a5c412b63ac
2022-07-25 11:16:47 +08:00
Dr. Jens Harbott 6df4f46055 Disable auto-discovery for setuptools and update python testing
With setuptools release 61.0.0 docs build started to fail:
error: Multiple top-level packages discovered in a flat-layout:
['specs', 'attic', 'superseded'].

This bug is mentioned in setuptools issue 3197 [0], and the suggested
workaround is to disable auto-discovery by adding 'py_modules=[]' in
setup.py.

Also use recent python versions because the old ones are no longer available.

These 2 unrelated changes need to be merged together in order to unblock
the gate.

[0] https://github.com/pypa/setuptools/issues/3197

Change-Id: Iddc30b9521b61d9083c2b1f6e8a6707196ea0a57
2022-06-07 12:16:12 +02:00
Lance Bragstad f9f4e50737 Describe the need for a default manager role
Related-Bug: 1951622
Change-Id: Ida889aa30d462443b801c0f524c51f54b8b756d5
2022-02-25 16:24:55 -06:00
Hiromu Asahina 8145886d24 OAuth2.0 Client Credentials Grant Flow Support
This spec proposes to allow users to optionally use an OAuth2.0 Client
Credentials Grant flow to authorize an API client. In order to realize
this, we implement an OAuth2.0 authorization server as an extension of
keystone.

Implements: blueprint oauth2-client-credentials-ext
Change-Id: I4954c1e8f22199deb13031441c46a3565383412d
2022-01-28 14:20:34 +09:00
Douglas Mendizábal 18760db9fc [spec] X-Project-Id Pass-through
Change-Id: Ice3ffd025a706a5e3c1c450bbe9813ac8f558a9e
2021-06-04 13:02:26 -05:00
Andreas Jaeger 70f9caa740 Switch to newer openstackdocstheme version
Switch to openstackdocstheme 2.2.1 version. Using
this version will allow especially:
* Linking from HTML to PDF document
* Allow parallel building of documents
* Fix some rendering problems

Update Sphinx version as well.

Disable openstackdocs_auto_name to use 'project' variable as name.

Change pygments_style to 'native' since old theme version always used
'native' and the theme now respects the setting and using 'sphinx' can
lead to some strange rendering.

openstackdocstheme renames some variables, so follow the renames
before the next release removes them. A couple of variables are also
not needed anymore, remove them.

See also
http://lists.openstack.org/pipermail/openstack-discuss/2020-May/014971.html

Change-Id: I27fd7e7310b2a1be3b283d43f40436ba5e165bbf
2020-05-30 18:31:09 +02:00
Andreas Jaeger de768578fc Cleanup py27 support
Make a few cleanups:
- Remove obsolete sections from setup.cfg
- Update classifiers
- Update requirements, no need for python_version anymore
- Use newer openstackdocstheme version
- Remove install_command from tox.ini, the default is fine
- Remove py27 stanza from setup.py

Change-Id: I3f517a43fbc1689ac1627a0a7c802dd08a9e2630
2020-04-10 10:50:16 +02:00
Zuul 2d4dd7fb7d Merge "[ussuri][goal] Drop python 2.7 support" 2020-02-06 18:15:07 +00:00
Zuul dd7cef239f Merge "Repropose Expiring Group Membership for Ussuri" 2020-01-28 17:16:53 +00:00
Zuul 0da0a2496d Merge "Repropose federated attributes in the user API for Ussuri" 2020-01-28 17:14:48 +00:00
Zuul 73b39916e7 Merge "OpenID Connect improved support" 2020-01-02 15:08:27 +00:00
Ghanshyam Mann 9680cbf5ca [ussuri][goal] Drop python 2.7 support
OpenStack is dropping the py2.7 support in ussuri cycle.

specs repo either has py27 job or requirement or tox env.

Ussuri Community-wide goal:
https://governance.openstack.org/tc/goals/selected/ussuri/drop-py27.html

Change-Id: Ie17b61301a941ff554de9fcb8985b5b1e4096113
2019-12-23 20:44:49 +00:00
Kristi Nikolla 569101e9ab Repropose federated attributes in the user API for Ussuri
Change-Id: I6872b67a254c12056c4484b53a5647618c37916d
Related-Bug: 1816076
2019-12-17 10:12:08 -05:00
Kristi Nikolla 09f8b8b4b4 Repropose Expiring Group Membership for Ussuri
Add federated users to the groups that they receive from the mapping rules.
This membership is only carried by the token and not persisted in the
database. The membership expires, but can be renewed when the user
authenticates with the same group.

Previously approved for Train, fell into backlog, reproposing for Ussuri.

Change-Id: Ie133c14ffba5e4189265920759bfb5e1391f1189
Partial-Bug: 1809116
2019-12-17 10:09:31 -05:00
Colleen Murphy b90f7c8702 Set up for Ussuri
* Move uncompleted specs to the backlog (will discuss adding them to
  Ussuri in planning meeting)
* Move Train section under "implemented"
* Create new empty section for Ussuri with new roadmap link

Change-Id: Id06bba1512364f8b4daeb3a594ff1e5b896f1b90
2019-10-08 10:18:21 -07:00
Andreas Jaeger b0b0181ab8 Update docstheme options
Update openstackdocstheme options so that "Report a bug" works.
Remove git settings for last update, the theme handles this now
by default.
Remove viewdocs and autodocs options, they are for source code but this
repo has no source code.

Update minimal openstackdocstheme version so that these settings work.

Change-Id: I1dedf35825fd2fbd4dcbf8991affcd1f54d0ed70
2019-09-18 19:24:54 +02:00
Corey Bryant 4095c1b5f7 Add Python 3 Train unit tests
This is a mechanically generated patch to ensure unit testing is in place
for all of the Tested Runtimes for Train.

See the Train python3-updates goal document for details:
https://governance.openstack.org/tc/goals/train/python3-updates.html

Change-Id: I29a89ee1abbbfaa7d9593923c17f8999b9323d25
Story: #2005924
Task: #34215
2019-07-22 13:11:36 -07:00
Colleen Murphy 6fd71d4a19 Sync sphinx requirement
This is needed to get the requirements check job to pass.

Change-Id: I5d03f407053ef5a4a6414e4aad4ec8f09fcf9ae3
2019-07-22 13:11:36 -07:00
Colleen Murphy 1114308f1a Use upper-constraints
Using upper-constraints in the keystone-specs tox environment ensures
that libraries go through validation in the requirements project and
don't break our CI.

Change-Id: Ic38c11bec5fe50c7fff7c1f4dec86504a29ba222
2019-07-22 13:11:36 -07:00
Colleen Murphy 4f1bf7ddef Correct style errors
These style errors weren't caught before the specs merged because the
linter jobs weren't being run when only RST files were changed. Correct
them now so that a later patch can update the jobs.

Change-Id: I1c24cece2c64c9453698280cc365ac150d2474a4
2019-07-22 13:11:36 -07:00
Zuul 5aab0c140e Merge "Expiring Group Membership Through Mapping Rules" 2019-07-19 21:14:20 +00:00
Kristi Nikolla 11885fcd92 Expiring Group Membership Through Mapping Rules
Add federated users to the groups that they receive from the mapping rules.
This membership is only carried by the token and not persisted in the
database. The membership expires, but can be renewed when the user
authenticates with the same group.

Partial-Bug: 1809116

Change-Id: If376a1ce18f9b628f429f3cac957c76dacd00a34
2019-07-16 11:55:32 -04:00
Zuul 27e583f044 Merge "Add spec for immutable resources" 2019-07-09 16:32:26 +00:00
Zuul 8d946ecedb Merge "Update access rules spec with decisions from PTG" 2019-07-02 17:38:38 +00:00
Zuul cb73c3c881 Merge "Combine policy roadmap documents" 2019-06-18 17:46:38 +00:00
Zuul cb9bca5064 Merge "Move unified model spec from ongoing to backlog" 2019-06-18 17:44:18 +00:00
Zuul 8a91d0d2b3 Merge "Move SP endpoint filters spec to attic" 2019-06-18 17:40:46 +00:00
Colleen Murphy 94df8711bc Update access rules spec with decisions from PTG
Change-Id: I58b1b57febaea7f8bc75bf9e737e2d42f7823cf6
2019-06-05 13:15:40 -07:00
Colleen Murphy 4d2b9daa8e Add spec for immutable resources
This spec proposes to allow roles, users, projects, and domains to be
marked as "immutable", and further elaborates on the migration procedure
to make the admin role immutable by default.

Co-authored-by: Lance Bragstad <lbragstad@gmail.com>
Change-Id: I9b537ef7a70fa7e61c8cf0d6811120198a01ab37
2019-05-29 11:03:52 -07:00
Zuul ec1c5b8579 Merge "Update tracking reference for federated attrs spec" 2019-05-29 13:58:55 +00:00
Zuul 7837c2031e Merge "Repropose federated attributes in the user API for Train" 2019-05-17 20:21:57 +00:00
Colleen Murphy 30701e99dd Update tracking reference for federated attrs spec
The blueprint was ported to a bug, so update the reference in the spec.

Change-Id: I2a0eb685532d5d2fcf7a434745d67d365cdac47f
2019-05-17 13:14:00 -07:00
Colleen Murphy 1dde77c034 Combine policy roadmap documents
The Goals document and the Roadmap document are closely related to each
other and both cover long-term, ongoing work. This change combines the
specs so that a view of the whole policy story can be found in one
document.

Change-Id: Ib6ff52bf6d337bc0390da168ee960644137ef40a
2019-05-14 13:36:47 -07:00
Colleen Murphy 62ce366330 Move unified model spec from ongoing to backlog
Since there is no active work happening on this improvement, but we
still generally think it's the right direction, move the spec from
"ongoing" to "backlog" so that it can be picked up when we are ready to
plan it into a cycle.

Change-Id: I69403a035bf4540a93f4728f8b795d9c7a85cc6f
2019-05-13 11:52:49 -07:00
Colleen Murphy 3d575d2d9d Move SP endpoint filters spec to attic
As discussed at the PTG, we don't want to focus on expanding the scope
of endpoint filtering, so rather than keep it in the backlog to wait for
someone to pick it up, move it to the attic to signal that this is not
something we want to prioritize. If we decide this is valuable and
someone is willing to pick it up, we can always move it back out of the
attic.

Change-Id: I95c094f4d4df2e44cd23d2715275199a4e6c8200
2019-05-13 11:46:20 -07:00
Zuul 8119859479 Merge "Move Object Dependency Lifecycle spec to Rocky" 2019-05-13 17:44:17 +00:00
Zuul 0eb11a38e5 Merge "Move 'functional testing' spec to attic" 2019-05-13 17:44:16 +00:00
Zuul cb1f237a3a Merge "Add info resource-option-for-all spec" 2019-05-13 17:43:18 +00:00
Zuul e7066c3a28 Merge "Move the request-helpers spec for keystonemiddleware to attic" 2019-05-13 17:31:57 +00:00
Zuul 148c69cd3b Merge "Move endpoint-enforcement-middleware spec to attic" 2019-05-13 17:31:51 +00:00
Zuul 213b31540a Merge "Add resource-options-for-all specification" 2019-05-06 15:59:33 +00:00
Morgan Fainberg 444bfb4160 Add info resource-option-for-all spec
Resource options for all needed a little more
information about the end user impact. This
change adds that information.

Change-Id: I6131c08cf5730077ab74a47f2806f1d0b0456995
2019-05-04 17:09:39 +00:00
morgan fainberg d41918f3e9 Move the request-helpers spec for keystonemiddleware to attic
Move the request-helpers backlog spec for keystonemiddleware to the
attic. At the Denver PTG (2019) we discussed this spec. We are in a
very different space from where we were at the time of proposal, and
if there is a desire to revisit this specific specification it can
be brought back from the attic.

Change-Id: I3e1ab025bb998b14c0a71854b9109d9f29b25ee9
2019-05-04 09:46:46 -07:00
morgan fainberg 60e79f7c5a Move 'functional testing' spec to attic
As discussed at the Denver (2019) PTG, this spec is not super useful as
proposed. We have started work to improve our testing in a number of
ways. If the specific use-case of functional testing as proposed in the
spec receives interest the spec can be retrieved from the attic.

Change-Id: I238b16a30f131bf9d6a754c4dda48ac8e83a51b0
2019-05-04 09:31:44 -07:00