This spec proposes to add a new keystone middleware that implements
RFC7662 OAuth 2.0 Token Introspection [1] and allows users to optionally
use that middleware when using an external authorization server.
OpenStack services will be able to validate their OAuth2.0 client with
an external authorization server other than Keystone.
[1] https://datatracker.ietf.org/doc/html/rfc7662
Change-Id: Ie1066ab2735205fcb534e7697c3b9a5aa2d23eeb
This spec proposes to provide the option for users to use
proof-of-possession of OAuth2.0 access tokens based on RFC8705 OAuth 2.0
Mutual-TLS Client Authentication and Certificate-Bound Access Tokens.
Users will be able to authenticate their OAuth2.0 client with a client
certificate instead of using Basic authentication with
client_id/client_secret to prevent a token from being used by a
malicious client. This protects Keystone Identity and other OpenStack
services from spoofed OAuth clients.
Change-Id: I67e030c183631bd421cc93ceb767f60fa178238a
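The two specs above (RFC 7662 token introspection and RFC 8705 certificate-bound tokens) describe checks a resource server performs on a token presented by a client. The following is an added example, not code from keystone or keystonemiddleware, of how a consumer of an introspection response would apply those checks: it treats "active" as the gate RFC 7662 defines, checks the time-window claims and audience, and, when the response carries an RFC 8705 "cnf" member, verifies that the SHA-256 thumbprint of the presenting client's certificate matches "x5t#S256". The HTTP call to the introspection endpoint itself is out of scope here; the response is assumed to be already-parsed JSON, the certificate is assumed to be available as DER bytes, and every name other than the RFC claim names is hypothetical.

```python
"""Added example (not keystone code): validating an RFC 7662 introspection
response, with the RFC 8705 certificate-binding check layered on top.

Assumptions: the introspection response is already-parsed JSON (dict), the
client certificate is available as DER bytes, and function names here are
hypothetical, not a keystone or keystonemiddleware API.
"""
import base64
import hashlib
from typing import Optional, Tuple


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 certificate thumbprint: base64url(SHA-256(DER cert)), no padding."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def validate_introspection(response: dict, now: float,
                           expected_aud: Optional[str] = None,
                           client_cert_der: Optional[bytes] = None) -> Tuple[bool, str]:
    """Return (accepted, reason) for a token described by `response`."""
    # RFC 7662 section 2.2: "active" is the only required member; anything
    # other than a literal true means the token must not be honoured.
    if response.get("active") is not True:
        return False, "token inactive"

    # Optional time-window claims; they are seconds since the epoch.
    exp = response.get("exp")
    if exp is not None and now >= exp:
        return False, "token expired"
    nbf = response.get("nbf")
    if nbf is not None and now < nbf:
        return False, "token not yet valid"

    # "aud" may be a single string or a list; the resource server must be in it.
    if expected_aud is not None:
        aud = response.get("aud")
        auds = aud if isinstance(aud, list) else [aud]
        if expected_aud not in auds:
            return False, "audience mismatch"

    # RFC 8705 section 3.1: a certificate-bound token carries cnf.x5t#S256.
    # The client presenting the token must have authenticated (mutual TLS)
    # with a certificate whose thumbprint matches, otherwise a stolen token
    # is being replayed from a different client.
    cnf = response.get("cnf")
    if cnf is not None:
        if client_cert_der is None:
            return False, "certificate-bound token presented without client certificate"
        if cnf.get("x5t#S256") != x5t_s256(client_cert_der):
            return False, "client certificate does not match token binding"

    return True, "ok"


# Constructed sample data: not a real DER certificate, not a real response.
SAMPLE_CERT_DER = b"constructed: not a real DER certificate"
SAMPLE_NOW = 1_700_000_000
SAMPLE_BOUND_RESPONSE = {
    "active": True,
    "client_id": "example-client",
    "scope": "compute:read",
    "exp": SAMPLE_NOW + 3600,
    "aud": ["keystone"],
    "cnf": {"x5t#S256": x5t_s256(SAMPLE_CERT_DER)},
}

if __name__ == "__main__":
    print(validate_introspection(SAMPLE_BOUND_RESPONSE, SAMPLE_NOW, "keystone",
                                 SAMPLE_CERT_DER))
    print(validate_introspection(SAMPLE_BOUND_RESPONSE, SAMPLE_NOW, "keystone",
                                 b"some other certificate"))
```

The ordering matters for the threat the RFC 8705 spec message names: even a token that is active, unexpired and for the right audience is rejected when the TLS client certificate does not match the binding, which is what stops a token copied from one client from being presented by another.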
UPPER_CONSTRAINTS_FILE is an old name and is deprecated.
This allows using the upper-constraints file as a more
readable way instead of UPPER_CONSTRAINTS_FILE=<lower-constraints file>.
Change-Id: Ie0e9cdb7b5da013fcc61cc11722e5a5c412b63ac
With setuptools release 61.0.0, the docs build started to fail:
error: Multiple top-level packages discovered in a flat-layout:
['specs', 'attic', 'superseded'].
This bug is mentioned in setuptools issue 3197 [0], and the suggested
workaround is to disable auto-discovery by adding 'py_modules=[]' in
setup.py.
Also use recent python versions because the old ones are no longer available.
These 2 unrelated changes need to be merged together in order to unblock
the gate.
[0] https://github.com/pypa/setuptools/issues/3197
Change-Id: Iddc30b9521b61d9083c2b1f6e8a6707196ea0a57
This spec proposes to allow users to optionally use an OAuth2.0 Client
Credentials Grant flow to authorize an API client. In order to realize
this, we implement an OAuth2.0 authorization server as an extension of
keystone.
Implements: blueprint oauth2-client-credentials-ext
Change-Id: I4954c1e8f22199deb13031441c46a3565383412d
Switch to openstackdocstheme 2.2.1 version. Using
this version allows, in particular:
* Linking from HTML to PDF document
* Allow parallel building of documents
* Fix some rendering problems
Update Sphinx version as well.
Disable openstackdocs_auto_name to use 'project' variable as name.
Change pygments_style to 'native' since old theme version always used
'native' and the theme now respects the setting and using 'sphinx' can
lead to some strange rendering.
openstackdocstheme renames some variables, so follow the renames
before the next release removes them. A couple of variables are also
not needed anymore, remove them.
See also
http://lists.openstack.org/pipermail/openstack-discuss/2020-May/014971.html
Change-Id: I27fd7e7310b2a1be3b283d43f40436ba5e165bbf
Make a few cleanups:
- Remove obsolete sections from setup.cfg
- Update classifiers
- Update requirements, no need for python_version anymore
- Use newer openstackdocstheme version
- Remove install_command from tox.ini, the default is fine
- Remove py27 stanza from setup.py
Change-Id: I3f517a43fbc1689ac1627a0a7c802dd08a9e2630
Add federated users to the groups that they receive from the mapping rules.
This membership is only carried by the token and not persisted in the
database. The membership expires, but can be renewed when the user
authenticates with the same group.
Previously approved for Train, fell into backlog, reproposing for Ussuri.
Change-Id: Ie133c14ffba5e4189265920759bfb5e1391f1189
Partial-Bug: 1809116
* Move uncompleted specs to the backlog (will discuss adding them to
Ussuri in planning meeting)
* Move Train section under "implemented"
* Create new empty section for Ussuri with new roadmap link
Change-Id: Id06bba1512364f8b4daeb3a594ff1e5b896f1b90
Update openstackdocstheme options so that "Report a bug" works.
Remove git settings for last update, the theme handles this now
by default.
Remove viewdocs and autodocs options, they are for source code but this
repo has no source code.
Update minimal openstackdocstheme version so that these settings work.
Change-Id: I1dedf35825fd2fbd4dcbf8991affcd1f54d0ed70
Using upper-constraints in the keystone-specs tox environment ensures
that libraries go through validation in the requirements project and
don't break our CI.
Change-Id: Ic38c11bec5fe50c7fff7c1f4dec86504a29ba222
These style errors weren't caught before the specs merged because the
linter jobs weren't being run when only RST files were changed. Correct
them now so that a later patch can update the jobs.
Change-Id: I1c24cece2c64c9453698280cc365ac150d2474a4
Add federated users to the groups that they receive from the mapping rules.
This membership is only carried by the token and not persisted in the
database. The membership expires, but can be renewed when the user
authenticates with the same group.
Partial-Bug: 1809116
Change-Id: If376a1ce18f9b628f429f3cac957c76dacd00a34
This spec proposes to allow roles, users, projects, and domains to be
marked as "immutable", and further elaborates on the migration procedure
to make the admin role immutable by default.
Co-authored-by: Lance Bragstad <lbragstad@gmail.com>
Change-Id: I9b537ef7a70fa7e61c8cf0d6811120198a01ab37
The Goals document and the Roadmap document are closely related to each
other and both cover long-term, ongoing work. This change combines the
specs so that a view of the whole policy story can be found in one
document.
Change-Id: Ib6ff52bf6d337bc0390da168ee960644137ef40a
Since there is no active work happening on this improvement, but we
still generally think it's the right direction, move the spec from
"ongoing" to "backlog" so that it can be picked up when we are ready to
plan it into a cycle.
Change-Id: I69403a035bf4540a93f4728f8b795d9c7a85cc6f
As discussed at the PTG, we don't want to focus on expanding the scope
of endpoint filtering, so rather than keep it in the backlog to wait for
someone to pick it up, move it to the attic to signal that this is not
something we want to prioritize. If we decide this is valuable and
someone is willing to pick it up, we can always move it back out of the
attic.
Change-Id: I95c094f4d4df2e44cd23d2715275199a4e6c8200
Resource options for all needed a little more
information about the end user impact. This
change adds that information.
Change-Id: I6131c08cf5730077ab74a47f2806f1d0b0456995
Move the request-helpers backlog spec for keystonemiddleware to the
attic. At the Denver PTG (2019) we discussed this spec. We are in a
very different space from where we were at the time of proposal, and
if there is a desire to revisit this specific specification it can
be brought back from the attic.
Change-Id: I3e1ab025bb998b14c0a71854b9109d9f29b25ee9
As discussed at the Denver (2019) PTG, this spec is not super useful as
proposed. We have started work to improve our testing in a number of
ways. If the specific use-case of functional testing as proposed in the
spec receives interest the spec can be retrieved from the attic.
Change-Id: I238b16a30f131bf9d6a754c4dda48ac8e83a51b0