Merge remote-tracking branch 'origin/master' into feature/hierarchical-multitenancy
Change-Id: I7e27d042575609e4107764c1ff2e1048e5a14a02
This commit is contained in: commit 6f806bdc9b
@ -18,16 +18,496 @@
Command Line Interface Examples
===============================

The Keystone command line interface packaged in `python-keystoneclient`_ only
supports the Identity v2.0 API. The OpenStack common command line interface
packaged in `python-openstackclient`_ supports both v2.0 and v3 APIs.

.. NOTE::

As of the Juno release, it is recommended to use ``python-openstackclient``,
as it suports both v2.0 and v3 APIs. For the purpose of backwards compatibility,
the CLI packaged in ``python-keystoneclient`` is not being removed.

.. _`python-openstackclient`: http://docs.openstack.org/developer/python-openstackclient/
.. _`python-keystoneclient`: http://docs.openstack.org/developer/python-keystoneclient/

Using python-openstackclient (v3)
=================================

Note that if using ``python-openstackclient`` for v3 commands, the following
environment variables must be updated:

.. code-block:: bash

$ export OS_IDENTITY_API_VERSION=3 (Defaults to 2.0)
$ export OS_AUTH_URL=http://localhost:5000/v3

Since Identity API v3 authentication is a bit more complex, there are additional
options that may be set, either as command options or environment variables.
The most common case will be a user supplying both user name and password, along
with the project name; previously in v2.0 this would be sufficient, but since
Identity API v3 has a ``Domain`` component, we need to tell the client in which
domain the user and project exists.

If using a project name as authorization scope, set either of these:

* ``--os-project-domain-name OS_PROJECT_DOMAIN_NAME`` Domain name of the project
which is the requested project-level authorization scope
* ``--os-project-domain-id OS_PROJECT_DOMAIN_ID`` Domain ID of the project which
is the requested project-level authorization scope

Note, if using a project ID as authorization scope, then it is not required to
set ``OS_PROJECT_DOMAIN_NAME`` or ``OS_PROJECT_DOMAIN_ID``, the project ID is
sufficient.

If using user name and password, set either of these:

* ``--os-user-domain-name OS_USER_DOMAIN_NAME`` Domain name of the user
* ``--os-user-domain-id OS_USER_DOMAIN_ID`` Domain ID of the user

If using a domain as authorization scope, set either of these:

* ``--os-domain-name OS_DOMAIN_NAME``: Domain name of the requested domain-level
authorization scope
* ``--os-domain-id OS_DOMAIN_ID``: Domain ID of the requested domain-level
authorization scope

In the examples below, the following are set:

.. code-block:: bash

$ export OS_IDENTITY_API_VERSION=3
$ export OS_AUTH_URL=http://localhost:5000/v3
$ export OS_PROJECT_DOMAIN_ID=default
$ export OS_USER_DOMAIN_ID=default
$ export OS_USERNAME=admin
$ export OS_PASSWORD=openstack
$ export OS_PROJECT_NAME=admin

--------
Projects
--------

``project create``
------------------

positional arguments::

<project-name> New project name

optional arguments::

--description <project-description> New project description
--domain <project-domain> Domain owning the project (name or ID)

--enable Enable project (default)
--disable Disable project

example:

.. code-block:: bash

$ openstack project create heat-project --domain heat

Other commands
--------------

.. code-block:: bash

$ openstack project delete
$ openstack project list
$ openstack project set
$ openstack project show

-----
Users
-----

``user create``
---------------

positional arguments::

<user-name> New user name

optional arguments::

--password <user-password> New user password
--password-prompt Prompt interactively for password
--email <user-email> New user email address
--project <project> Set default project (name or ID)
--domain <domain> New default domain name or ID
--enable Enable user (default)
--disable Disable user


example:

.. code-block:: bash

$ openstack user create heat-user \
--password secrete \
--domain heat \
--project demo \
--email admin@example.com

Other commands
--------------

.. code-block:: bash

$ openstack user delete
$ openstack user list
$ openstack user set
$ openstack user show

------
Groups
------

``group create``
----------------

positional arguments::

<group-name> New group name

optional arguments::

--description <group-description> New group description
--domain <group-domain> References the domain ID or name which owns the group

example:

.. code-block:: bash

$ openstack group create heat-group --domain heat

Other commands
--------------

.. code-block:: bash

$ openstack group delete
$ openstack group list
$ openstack group set
$ openstack group show

-------
Domains
-------

``domain create``
-----------------

positional arguments::

<domain-name> New domain name

optional arguments::

--description <domain-description> New domain description
--enable Enable domain
--disable Disable domain


example:

.. code-block:: bash

$ openstack domain create heat --description "Heat domain for heat users"

Other commands
--------------

.. code-block:: bash

$ openstack domain delete
$ openstack domain list
$ openstack domain set
$ openstack domain show

Using python-openstackclient (v2.0)
===================================

--------
Projects
--------

``project create``
------------------

positional arguments::

<project-name> New project name

optional arguments::

--description <project-description> New project description
--enable Enable project (default)
--disable Disable project

example:

.. code-block:: bash

$ openstack project create demo


``project delete``
------------------

positional arguments::

<project> Project to delete (name or ID)

example:

.. code-block:: bash

$ openstack project delete demo

-----
Users
-----

``user create``
---------------

positional arguments::

<user-name> New user name

optional arguments::

--password <user-password> New user password
--password-prompt Prompt interactively for password
--email <user-email> New user email address
--project <project> Set default project (name or ID)
--enable Enable user (default)
--disable Disable user


example:

.. code-block:: bash

$ openstack user create heat-user \
--password secrete \
--project demo \
--email admin@example.com

``user delete``
---------------

positional arguments::

<user> User to delete (name or ID)

example:

.. code-block:: bash

$ openstack user delete heat-user

``user list``
-------------

optional arguments::

--project <project> Filter users by project (name or ID)
--long List additional fields in output

example:

.. code-block:: bash

$ openstack user list

``user set``
------------

positional arguments::

<user> User to change (name or ID)

optional arguments::

--name <new-user-name> New user name
--password <user-password> New user password
--password-prompt Prompt interactively for password
--email <user-email> New user email address
--project <project> New default project (name or ID)
--enable Enable user (default)
--disable Disable user


example:

.. code-block:: bash

$ openstack user set heat-user --email newemail@example.com

-----
Roles
-----

``role create``
---------------

positional arguments::

<role-name> New role name

example:

.. code-block:: bash

$ openstack role create demo

``role delete``
---------------

positional arguments::

<role> Name or ID of role to delete

example:

.. code-block:: bash

$ openstack role delete demo

``role list``
-------------

example:

.. code-block:: bash

$ openstack role list

``role show``
-------------

positional arguments::

<role> Name or ID of role to display

example:

.. code-block:: bash

$ openstack role show demo


``role add``
------------

positional arguments::

<role> Role name or ID to add to user

optional arguments::

--project <project> Include project (name or ID)
--user <user> Name or ID of user to include


example:

.. code-block:: bash

$ openstack user role add demo --user heat-user --project heat

``role remove``
---------------

positional arguments::

<role> Role name or ID to remove from user

optional arguments::

--project <project> Project to include (name or ID)
--user <user> Name or ID of user


example:

.. code-block:: bash

$ openstack user role remove demo --user heat-user --project heat

--------
Services
--------

``service create``
------------------

positional arguments::

<service-name> New service name

optional arguments::

--type <service-type> New service type (compute, image, identity, volume, etc)
--description <service-description> New service description

example:

.. code-block:: bash

$ openstack service create nova --type compute --description "Nova Compute Service"

``service list``
----------------

optional arguments::

--long List additional fields in output

example:

.. code-block:: bash

$ openstack service list

``service show``
----------------

positional arguments::

<service> Service to display (type, name or ID)

example:

.. code-block:: bash

$ openstack service show nova

``service delete``
------------------

positional arguments::

<service> Service to delete (name or ID)

example:

.. code-block:: bash

$ openstack service delete nova


Using python-keystoneclient (v2.0)
==================================

-------
Tenants
-------

Tenants are the high level grouping within Keystone that represent groups of
users. A tenant is the grouping that owns virtual machines within Nova, or
containers within Swift. A tenant can have zero or more users, Users can be
associated with more than one tenant, and each tenant - user pairing can have
a role associated with it.

``tenant-create``
-----------------

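Review bot: the first line of the v3 environment block, ``$ export OS_IDENTITY_API_VERSION=3 (Defaults to 2.0)``, sits inside a ``code-block:: bash``, so the parenthetical is not valid shell and fails when pasted; move "(defaults to 2.0)" into the sentence above it or behind a ``#`` comment. In the same hunk the NOTE reads "suports" (the second copy of this NOTE, added to the configuration page later in this commit, spells it "supports"), and the ``role add`` / ``role remove`` examples invoke ``openstack user role add demo ...`` and ``openstack user role remove demo ...``, which match neither the section headings nor the ``openstack role add admin --project service --user nova`` form used in the Creating Service Users hunk. Since ``--password-prompt`` is documented two lines above each ``user create`` example, prefer it over ``--password secrete`` so the documented workflow does not leave the password in shell history.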
@ -112,7 +592,7 @@ example:
$ keystone user-list

``user-update``
---------------
---------------------

arguments

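Review bot: the underline beneath ``user-update`` changes between 15 and 21 dashes while the title itself is 15 characters wide; reST accepts an over-long underline, but every other command heading on this page (``project create``, ``user create``, and so on) is underlined to exactly its title width, so the 15-dash form is the consistent one.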
@ -315,28 +315,27 @@ configuration option.

The drivers Keystone provides are:

* ``keystone.token.persistence.backends.sql.Token`` - The SQL-based (default)
token persistence engine. This backend stores all token data in the same SQL
store that is used for Identity/Assignment/etc.

* ``keystone.token.persistence.backends.memcache.Token`` - The memcached based
token persistence backend. This backend relies on ``dogpile.cache`` and stores
the token data in a set of memcached servers. The servers urls are specified
in the ``[memcache]\servers`` configuration option in the Keystone config.

* ``keystone.token.persistence.backends.memcache_pool.Token`` - The pooled memcached
token persistence engine. This backend supports the concept of pooled memcache
client object (allowing for the re-use of the client objects). This backend has
a number of extra tunable options in the ``[memcache]`` section of the config.

* ``keystone.token.persistence.backends.sql.Token`` - The SQL-based (default)
token persistence engine.

* ``keystone.token.persistence.backends.memcache.Token`` - The memcached based
token persistence backend. This backend relies on ``dogpile.cache`` and stores
the token data in a set of memcached servers. The servers URLs are specified
in the ``[memcache]\servers`` configuration option in the Keystone config.


.. WARNING::
It is recommended you use the ``keystone.token.persistence.backend.memcache_pool.Token``
backend instead of ``keystone.token.persistence.backend.memcache.Token`` as the token
persistence driver if you are deploying Keystone under eventlet instead of
Apache + mod_wsgi. This recommendation are due to known issues with the use of
``thread.local`` under eventlet that can allow the leaking of memcache client objects
and consumption of extra sockets.
Apache + mod_wsgi. This recommendation is due to known issues with the
use of ``thread.local`` under eventlet that can allow the leaking of
memcache client objects and consumption of extra sockets.


Token Provider

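Review bot: the WARNING names the drivers as ``keystone.token.persistence.backend.memcache_pool.Token`` and ``keystone.token.persistence.backend.memcache.Token`` (singular ``backend``), while every entry in the driver list above spells the module path ``keystone.token.persistence.backends.`` (plural); an operator who copies the warning's value into ``keystone.conf`` gets a driver that will not load, so change both occurrences to ``backends``. The rewritten SQL entry also drops the sentence explaining that token data lives in the same SQL store as Identity/Assignment; that is the detail an operator sizing or securing the token table needs, so keep it.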
@ -650,9 +649,9 @@ To build your service catalog using this driver, see the built-in help:

.. code-block:: bash

$ keystone
$ keystone help service-create
$ keystone help endpoint-create
$ openstack --help
$ openstack help service create
$ openstack help endpoint create

You can also refer to `an example in Keystone (tools/sample_data.sh)
<https://github.com/openstack/keystone/blob/master/tools/sample_data.sh>`_.

@ -666,8 +665,7 @@ service catalog will not change very much over time.

.. NOTE::

Attempting to manage your service catalog using keystoneclient commands
(e.g. ``keystone endpoint-create``) against this driver will result in
Attempting to change your service catalog against this driver will result in
``HTTP 501 Not Implemented`` errors. This is the expected behavior. If you
want to use these commands, you must instead use the SQL-based Service
Catalog driver.

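Review bot: with the ``(e.g. ``keystone endpoint-create``)`` example removed from the NOTE, the unchanged closing sentence "If you want to use these commands, you must instead use the SQL-based Service Catalog driver" no longer has an antecedent for "these commands"; either keep an example in the new sentence (``openstack endpoint create`` would match the rest of this commit) or reword the close to "If you want to change the catalog, you must instead use ...".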
@ -1014,12 +1012,12 @@ Ensure that your ``keystone.conf`` is configured to use a SQL driver:
[identity]
driver = keystone.identity.backends.sql.Identity

You may also want to configure your ``[sql]`` settings to better reflect your
You may also want to configure your ``[database]`` settings to better reflect your
environment:

.. code-block:: ini

[sql]
[database]
connection = sqlite:///keystone.db
idle_timeout = 200

@ -1038,23 +1036,19 @@ You should now be ready to initialize your new database without error, using:
$ keystone-manage db_sync

To test this, you should now be able to start ``keystone-all`` and use the
Keystone Client to list your tenants (which should successfully return an
OpenStack Client to list your projects (which should successfully return an
empty list from your new database):

.. code-block:: bash

$ keystone --os-token ADMIN --os-endpoint http://127.0.0.1:35357/v2.0/ tenant-list
+----+------+---------+
| id | name | enabled |
+----+------+---------+
+----+------+---------+
$ openstack --os-token ADMIN --os-url http://127.0.0.1:35357/v2.0/ project list

.. NOTE::

We're providing the default OS_SERVICE_TOKEN and OS_SERVICE_ENDPOINT values
from ``keystone.conf`` to connect to the Keystone service. If you changed
those values, or deployed Keystone to a different endpoint, you will need
to change the provided command accordingly.
We're providing the default OS_TOKEN and OS_URL values from ``keystone.conf``
to connect to the Keystone service. If you changed those values, or deployed
Keystone to a different endpoint, you will need to change the provided
command accordingly.

Initializing Keystone
=====================

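Review bot: the new ``openstack --os-token ADMIN --os-url ... project list`` line replaces ``tenant-list`` together with its sample empty-table output, but the sentence above still tells the reader to expect an empty list to compare against; show the ``project list`` output or drop that promise. The rewritten NOTE also claims the OS_TOKEN and OS_URL values come from ``keystone.conf``: the token is the ``[DEFAULT] admin_token`` value (named as such later in this commit), but OS_URL is not a keystone.conf option, so name the option the token comes from and say the URL must be the admin endpoint Keystone is actually listening on.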
@ -1079,12 +1073,29 @@ prevents unauthorized users from spuriously signing tokens.
be running the Keystone service to ensure proper ownership for the private key
file and the associated certificates.

Adding Users, Tenants, and Roles with python-keystoneclient
===========================================================
Adding Users, Projects, and Roles via Command Line Interfaces
=============================================================

Users, tenants, and roles must be administered using admin credentials.
There are two ways to configure ``python-keystoneclient`` to use admin
credentials, using the either an existing token or password credentials.
Keystone APIs are protected by the rules in the policy file. The default policy
rules require admin credentials to administer ``users``, ``projects``, and
``roles``. See section `Keystone API protection with Role Based Access Control (RBAC)`_
for more details on policy files.

The Keystone command line interface packaged in `python-keystoneclient`_ only
supports the Identity v2.0 API. The OpenStack common command line interface
packaged in `python-openstackclient`_ supports both v2.0 and v3 APIs.

With both command line interfaces there are two ways to configure the client to
use admin credentials, using either an existing token or password credentials.

.. NOTE::

As of the Juno release, it is recommended to use ``python-openstackclient``,
as it supports both v2.0 and v3 APIs. For the purpose of backwards compatibility,
the CLI packaged in ``python-keystoneclient`` is not being removed.

.. _`python-openstackclient`: http://docs.openstack.org/developer/python-openstackclient/
.. _`python-keystoneclient`: http://docs.openstack.org/developer/python-keystoneclient/

Authenticating with a Token
---------------------------

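Review bot: the added NOTE and the two ``.. _`python-openstackclient`:`` / ``.. _`python-keystoneclient`:`` targets duplicate the text added to the CLI examples page in the first hunk of this commit, and the two copies already disagree (that one reads "suports"); a ``:doc:`` cross-reference, as the middleware hunks below do with ``:doc:`configuration```, would keep a single copy to maintain. The new sentence that Keystone APIs are protected by the policy file is the right framing; since a later hunk recommends removing AdminTokenAuthMiddleware in production, it would help to say here that the token method described next is only for bootstrapping.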
@ -1094,11 +1105,11 @@ Authenticating with a Token
If your Keystone deployment is brand new, you will need to use this
authentication method, along with your ``[DEFAULT] admin_token``.

To use Keystone with a token, set the following flags:
To authenticate with Keystone using a token and ``python-openstackclient``, set
the following flags.

* ``--os-endpoint OS_SERVICE_ENDPOINT``: allows you to specify the Keystone endpoint
to communicate with. The default endpoint is ``http://localhost:35357/v2.0``
* ``--os-token OS_SERVICE_TOKEN``: your service token
* ``--os-url OS_URL``: Keystone endpoint the user communicates with
* ``--os-token OS_TOKEN``: User's service token

To administer a Keystone endpoint, your token should be either belong to a user
with the ``admin`` role, or, if you haven't created one yet, should be equal to

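Review bot: the new bullet ``--os-token OS_TOKEN``: User's service token describes the value as a user's token, but the paragraph above says this method is used with ``[DEFAULT] admin_token``, a shared bootstrap secret rather than a user token; say "the ``admin_token`` value, or a token belonging to an admin user". The removed ``--os-endpoint`` bullet also stated the default endpoint ``http://localhost:35357/v2.0``, which the new ``--os-url`` bullet drops; keep it, since the admin port differs from the port 5000 URL used in the v3 examples. Drive-by in the unchanged context: "your token should be either belong to a user" should read "should either belong to a user".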
@ -1109,20 +1120,27 @@ to be passed as arguments each time:

.. code-block:: bash

$ export OS_SERVICE_ENDPOINT=http://localhost:35357/v2.0
$ export OS_SERVICE_TOKEN=ADMIN
$ export OS_URL=http://localhost:35357/v2.0
$ export OS_TOKEN=ADMIN

Instead of ``python-openstackclient``, if using ``python-keystoneclient``,
set the following:

* ``--os-endpoint OS_SERVICE_ENDPOINT``: equivalent to ``--os-url OS_URL``
* ``--os-service-token OS_SERVICE_TOKEN``: equivalent to ``--os-token OS_TOKEN``


Authenticating with a Password
------------------------------

To administer a Keystone endpoint, the following user referenced below should
To authenticate with Keystone using a password and ``python-openstackclient``, set
the following flags, note that the following user referenced below should
be granted the ``admin`` role.

* ``--os_username OS_USERNAME``: Name of your user
* ``--os_password OS_PASSWORD``: Password for your user
* ``--os_tenant_name OS_TENANT_NAME``: Name of your tenant
* ``--os_auth_url OS_AUTH_URL``: URL of your Keystone auth server, e.g.
``http://localhost:35357/v2.0``
* ``--os-username OS_USERNAME``: Name of your user
* ``--os-password OS_PASSWORD``: Password for your user
* ``--os-project-name OS_PROJECT_NAME``: Name of your project
* ``--os-auth-url OS_AUTH_URL``: URL of the Keystone authentication server

You can also set these variables in your environment so that they do not need
to be passed as arguments each time:

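Review bot: the python-keystoneclient equivalence list says ``--os-service-token OS_SERVICE_TOKEN``, but the bullet being replaced in the previous hunk documented the keystoneclient flag as ``--os-token OS_SERVICE_TOKEN``; one of the two is wrong, and since only the environment variable name differs between the clients it is most likely ``--os-token`` here as well. The opening of Authenticating with a Password, "set the following flags, note that the following user referenced below should be granted the ``admin`` role", is a comma splice with a doubled "following"; suggest "set the following flags. The user referenced below must hold the ``admin`` role." The removed ``--os_auth_url`` bullet carried the example URL ``http://localhost:35357/v2.0``; the new ``--os-auth-url`` bullet should keep it, because the environment block below uses that same admin-port URL.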
@ -1131,42 +1149,55 @@ to be passed as arguments each time:

$ export OS_USERNAME=my_username
$ export OS_PASSWORD=my_password
$ export OS_TENANT_NAME=my_tenant
$ export OS_PROJECT_NAME=my_project
$ export OS_AUTH_URL=http://localhost:35357/v2.0

If using ``python-keystoneclient``, set the following instead:

* ``--os-tenant-name OS_TENANT_NAME``: equivalent to ``--os-project-name OS_PROJECT_NAME``


Example usage
-------------

``keystone`` is set up to expect commands in the general form of
``keystone`` ``command`` ``argument``, followed by flag-like keyword arguments to
provide additional (often optional) information. For example, the command
``user-list`` and ``tenant-create`` can be invoked as follows:
``python-openstackclient`` is set up to expect commands in the general form of:

.. code-block:: bash

# Using token auth env variables
$ export OS_SERVICE_ENDPOINT=http://127.0.0.1:35357/v2.0/
$ export OS_SERVICE_TOKEN=secrete_token
$ keystone user-list
$ keystone tenant-create --name=demo
$ openstack [<global-options>] <object-1> <action> [<object-2>] [<command-arguments>]

# Using token auth flags
$ keystone --os-token=secrete --os-endpoint=http://127.0.0.1:35357/v2.0/ user-list
$ keystone --os-token=secrete --os-endpoint=http://127.0.0.1:35357/v2.0/ tenant-create --name=demo
For example, the commands ``user list`` and ``project create`` can be invoked
as follows:

# Using user + password + tenant_name env variables
.. code-block:: bash

# Using token authentication, with environment variables
$ export OS_URL=http://127.0.0.1:35357/v2.0/
$ export OS_TOKEN=secrete_token
$ openstack user list
$ openstack project create demo

# Using token authentication, with flags
$ openstack --os-token=secrete --os-url=http://127.0.0.1:35357/v2.0/ user list
$ openstack --os-token=secrete --os-url=http://127.0.0.1:35357/v2.0/ project create demo

# Using password authentication, with environment variables
$ export OS_USERNAME=admin
$ export OS_PASSWORD=secrete
$ export OS_TENANT_NAME=admin
$ keystone user-list
$ keystone tenant-create --name=demo
$ export OS_PROJECT_NAME=admin
$ export OS_AUTH_URL=http://localhost:35357/v2.0
$ openstack user list
$ openstack project create demo

# Using user + password + tenant_name flags
$ keystone --os_username=admin --os_password=secrete --os_tenant_name=admin user-list
$ keystone --os_username=admin --os_password=secrete --os_tenant_name=admin tenant-create --name=demo
# Using password authentication, with flags
$ openstack --os-username=admin --os-password=secrete --os-project-name=admin --os-auth-url=http://localhost:35357/v2.0 user list
$ openstack --os-username=admin --os-password=secrete --os-project-name=admin --os-auth-url=http://localhost:35357/v2.0 project create demo

For additional examples refer to `CLI Examples`_.
For additional examples using ``python-keystoneclient`` refer to `python-keystoneclient examples`_,
likewise, for additional examples using ``python-openstackclient``, refer to `python-openstackclient examples`_.

.. _`CLI Examples`: cli_examples.html
.. _`python-keystoneclient examples`: cli_examples.html#using-python-keystoneclient-v2-0
.. _`python-openstackclient examples`: cli_examples.html#using-python-openstackclient-v3


Removing Expired Tokens

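Review bot: the token examples use two different token values, ``OS_TOKEN=secrete_token`` in the environment-variable block and ``--os-token=secrete`` in the flags block; use one value so the two blocks read as equivalent. The password flag examples put ``--os-password=secrete`` on the command line, where it lands in shell history and in ``ps`` output on a shared host; since this page is the administrator reference, present the environment-variable form as the primary one and note that the flag form is for non-interactive use. The template line ``$ openstack [<global-options>] <object-1> <action> [<object-2>] [<command-arguments>]`` is inside a bash code block; a ``#`` comment marking it as the general form would stop readers pasting it.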
@ -32,7 +32,7 @@ In general:
* The Keystone middleware will look for and validate that token, taking the
appropriate action.
* It will also retrieve additional information from the token such as user
name, id, tenant name, id, roles, etc...
name, user id, project name, project id, roles, etc...

The middleware will pass those data down to the service as headers. More
details on the architecture of that setup is described in

@ -57,10 +57,10 @@ represent a user, and carries no explicit authorization.
To disable in production (highly recommended), remove AdminTokenAuthMiddleware
from your paste application pipelines (for example, in keystone-paste.ini)

Setting up tenants, users, and roles
------------------------------------
Setting up projects, users, and roles
-------------------------------------

You need to minimally define a tenant, user, and role to link the tenant and
You need to minimally define a project, user, and role to link the project and
user as the most basic set of details to get other services authenticating
and authorizing with Keystone.

@ -69,7 +69,7 @@ be able to use to authenticate users against Keystone. The ``auth_token``
middleware supports using either the shared secret described above as
`admin_token` or users for each service.

See :doc:`configuration` for a walk through on how to create tenants, users,
See :doc:`configuration` for a walk through on how to create projects, users,
and roles.

Setting up services

@ -79,53 +79,44 @@ Creating Service Users
|
|||
----------------------
|
||||
|
||||
To configure the OpenStack services with service users, we need to create
|
||||
a tenant for all the services, and then users for each of the services. We
|
||||
then assign those service users an Admin role on the service tenant. This
|
||||
allows them to validate tokens - and authenticate and authorize other user
|
||||
a project for all the services, and then users for each of the services. We
|
||||
then assign those service users an ``admin`` role on the service project. This
|
||||
allows them to validate tokens - and to authenticate and authorize other user
|
||||
requests.
|
||||
|
||||
Create a tenant for the services, typically named 'service' (however, the
|
||||
Create a project for the services, typically named ``service`` (however, the
|
||||
name can be whatever you choose):
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
$ keystone tenant-create --name=service
|
||||
$ openstack project create service
|
||||
|
||||
This returns a UUID of the tenant - keep that, you'll need it when creating
|
||||
the users and specifying the roles.
|
||||
|
||||
Create service users for nova, glance, swift, and neutron (or whatever
|
||||
subset is relevant to your deployment):
|
||||
Create service users for ``nova``, ``glance``, ``swift``, and ``neutron``
(or whatever subset is relevant to your deployment):

.. code-block:: bash

$ keystone user-create --name=nova \
--pass=Sekr3tPass \
--tenant_id=[the uuid of the tenant] \
--email=nova@nothing.com
$ openstack user create nova --password Sekr3tPass --project service

Repeat this for each service you want to enable. Email is a required field
in Keystone right now, but not used in relation to the service accounts. Each
of these commands will also return a UUID of the user. Keep those to assign
the Admin role.
Repeat this for each service you want to enable.

For adding the Admin role to the service accounts, you'll need to know the UUID
of the role you want to add. If you don't have them handy, you can look it
Create an administrative role for the service accounts, typically named
``admin`` (however the name can be whatever you choose). For adding the
administrative role to the service accounts, you'll need to know the
name of the role you want to add. If you don't have it handy, you can look it
up quickly with:

.. code-block:: bash

$ keystone role-list
$ openstack role list

Once you have it, assign the service users to the Admin role. This is all
assuming that you've already created the basic roles and settings as described
in :doc:`configuration`:
Once you have it, grant the administrative role to the service users. This is
all assuming that you've already created the basic roles and settings as
described in :doc:`configuration`:

.. code-block:: bash

$ keystone user-role-add --tenant_id=[uuid of the service tenant] \
--user=[uuid of the service account] \
--role=[uuid of the Admin role]
$ openstack role add admin --project service --user nova

Defining Services
-----------------
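Review bot: the new `openstack user create nova --password Sekr3tPass --project service` example puts the service account password on the command line, where it is written to shell history and is visible to every local user in the process list; python-openstackclient accepts `--password-prompt`, so the doc should show that form (the `--pass=Sekr3tPass` line it replaces had the same problem). Two smaller points in the same hunk: the v3 `user create` line has no `--domain`, so the user silently lands in the default domain, which is worth stating given how much the page earlier stresses that v3 users and projects belong to a domain; and the text still tells the reader to keep the returned UUIDs "to assign the Admin role" while the new `openstack role add admin --project service --user nova` example works by name, so the UUID sentence can go.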
@ -147,21 +138,16 @@ Keystone is online, you need to add the services to the catalog:

.. code-block:: bash

$ keystone service-create --name=nova \
--type=compute \
--description="Nova Compute Service"
$ keystone service-create --name=ec2 \
--type=ec2 \
--description="EC2 Compatibility Layer"
$ keystone service-create --name=glance \
--type=image \
--description="Glance Image Service"
$ keystone service-create --name=keystone \
--type=identity \
--description="Keystone Identity Service"
$ keystone service-create --name=swift \
--type=object-store \
--description="Swift Service"
$ openstack service create nova --type compute \
--description "Nova Compute Service"
$ openstack service create ec2 --type ec2 \
--description "EC2 Compatibility Layer"
$ openstack service create glance --type image \
--description "Glance Image Service"
$ openstack service create keystone --type identity \
--description "Keystone Identity Service"
$ openstack service create swift --type object-store \
--description "Swift Service"


Setting Up Middleware
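Review bot: the new `openstack service create nova --type compute` lines rely on the positional argument being the service name; python-openstackclient later changed that positional to the service type, with `--name` for the name, so these examples break on newer clients. Suggest stating which python-openstackclient release the v3 examples target (the page's note at the top only says "as of Juno") or showing the `--name nova ... compute` form alongside, so readers on either client can follow the page.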
@ -209,9 +195,9 @@ Here is an example paste config filter that makes use of the 'admin_user' and
admin_user = admin
admin_password = keystone123

It should be noted that when using this option an admin tenant/role
relationship is required. The admin user is granted access to the 'Admin'
role to the 'admin' tenant.
It should be noted that when using this option an admin project/role
relationship is required. The admin user is granted access to the 'admin'
role to the 'admin' project.

The auth_token middleware can also be configured in nova.conf
[keystone_authtoken] section to keep paste config clean of site-specific
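Review bot: the tenant-to-project wording change is fine, but the example still ships `admin_password = keystone123` in clear text inside the paste pipeline file, and the paragraph only says the account needs the 'admin' role on the 'admin' project without noting that a credential able to validate arbitrary tokens is effectively a cloud-admin secret. The sentence that follows already points at `[keystone_authtoken]` in nova.conf; suggest making that the primary example and adding one line that whichever file holds this password must not be world-readable.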
@ -45,7 +45,9 @@ file. You are advised to examine `Shibboleth Service Provider Configuration docu

An example of your ``/etc/shibboleth/shibboleth2.xml`` may look like
(The example shown below is for reference only, not to be used in a production
environment)::
environment):

.. code-block:: xml

<!--
File configuration courtesy of http://testshib.org

@ -81,17 +81,16 @@
# token values. (integer value)
#max_token_size=8192

# During a SQL upgrade member_role_id will be used to create a
# new role that will replace records in the assignment table
# with explicit role grants. After migration, the
# member_role_id will be used in the API add_user_to_project.
# (string value)
# Similar to the member_role_name option, this represents the
# default role ID used to associate users with their default
# projects in the v2 API. This will be used as the explicit
# role where one is not specified by the v2 API. (string
# value)
#member_role_id=9fe2ff9ee4384b1894a90878d3e92bab

# During a SQL upgrade member_role_name will be used to create
# a new role that will replace records in the assignment table
# with explicit role grants. After migration, member_role_name
# will be ignored. (string value)
# This is the role name used in combination with the
# member_role_id option; see that option for more detail.
# (string value)
#member_role_name=_member_

# The value passed as the keyword "rounds" to passlib's
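Review bot: the new `member_role_id` help text drops the one operationally useful fact the old text carried, namely that the v2 `add_user_to_project` call uses this ID, and it does not say that keystone creates the `_member_` role with this ID on first use when it is missing. An operator who changes the value after deployment gets a second role rather than a renamed one, and the old ID stays in the assignment table; suggest keeping one sentence about the implicit creation in this sample and in the `keystone/common/config.py` help string it is generated from.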
@ -536,27 +535,27 @@

# Memcache servers in the format of "host:port".
# (dogpile.cache.memcache and keystone.cache.memcache_pool
# backends only) (list value)
# backends only). (list value)
#memcache_servers=localhost:11211

# Number of seconds memcached server is considered dead before
# it is tried again. (dogpile.cache.memcache and
# keystone.cache.memcache_pool backends only) (integer value)
# keystone.cache.memcache_pool backends only). (integer value)
#memcache_dead_retry=300

# Timeout in seconds for every call to a server.
# (dogpile.cache.memcache and keystone.cache.memcache_pool
# backends only) (integer value)
# backends only). (integer value)
#memcache_socket_timeout=3

# Max total number of open connections to every memcached
# server. (keystone.cache.memcache_pool backend only) (integer
# value)
# server. (keystone.cache.memcache_pool backend only).
# (integer value)
#memcache_pool_maxsize=10

# Number of seconds a connection to memcached is held unused
# in the pool before it is closed.
# (keystone.cache.memcache_pool backend only) (integer value)
# (keystone.cache.memcache_pool backend only). (integer value)
#memcache_pool_unused_timeout=60

# Number of seconds that an operation will wait to get a

@ -12,9 +12,9 @@

"identity:get_region": "",
"identity:list_regions": "",
"identity:create_region": "rule:admin_or_cloud_admin",
"identity:update_region": "rule:admin_or_cloud_admin",
"identity:delete_region": "rule:admin_or_cloud_admin",
"identity:create_region": "rule:cloud_admin",
"identity:update_region": "rule:cloud_admin",
"identity:delete_region": "rule:cloud_admin",

"identity:get_service": "rule:admin_or_cloud_admin",
"identity:list_services": "rule:admin_or_cloud_admin",
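Review bot: tightening create/update/delete of regions from `admin_or_cloud_admin` to `cloud_admin` is the right scope for a cloud-level object, but the context lines show `get_region`/`list_regions` as `""` (any authenticated caller) while `get_service`/`list_services` two lines below still require `admin_or_cloud_admin`; a region is no more sensitive to read than a service, so either the service read rules should be opened to match or the asymmetry deserves a comment next to the rules so the next editor does not "fix" it one way or the other.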
@ -143,23 +143,23 @@
"identity:add_endpoint_group_to_project": "rule:admin_required",
"identity:remove_endpoint_group_from_project": "rule:admin_required",

"identity:create_identity_provider": "rule:admin_required",
"identity:list_identity_providers": "rule:admin_required",
"identity:get_identity_providers": "rule:admin_required",
"identity:update_identity_provider": "rule:admin_required",
"identity:delete_identity_provider": "rule:admin_required",
"identity:create_identity_provider": "rule:cloud_admin",
"identity:list_identity_providers": "rule:cloud_admin",
"identity:get_identity_providers": "rule:cloud_admin",
"identity:update_identity_provider": "rule:cloud_admin",
"identity:delete_identity_provider": "rule:cloud_admin",

"identity:create_protocol": "rule:admin_required",
"identity:update_protocol": "rule:admin_required",
"identity:get_protocol": "rule:admin_required",
"identity:list_protocols": "rule:admin_required",
"identity:delete_protocol": "rule:admin_required",
"identity:create_protocol": "rule:cloud_admin",
"identity:update_protocol": "rule:cloud_admin",
"identity:get_protocol": "rule:cloud_admin",
"identity:list_protocols": "rule:cloud_admin",
"identity:delete_protocol": "rule:cloud_admin",

"identity:create_mapping": "rule:admin_required",
"identity:get_mapping": "rule:admin_required",
"identity:list_mappings": "rule:admin_required",
"identity:delete_mapping": "rule:admin_required",
"identity:update_mapping": "rule:admin_required",
"identity:create_mapping": "rule:cloud_admin",
"identity:get_mapping": "rule:cloud_admin",
"identity:list_mappings": "rule:cloud_admin",
"identity:delete_mapping": "rule:cloud_admin",
"identity:update_mapping": "rule:cloud_admin",

"identity:get_auth_catalog": "",
"identity:get_auth_projects": "",
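Review bot: moving identity provider, protocol and mapping management from `admin_required` to `cloud_admin` is the right call and the reason belongs in the commit message: a mapping decides which local groups a federated assertion lands in, so anyone holding `admin` in any single project or domain (which is all `admin_required` checks) could previously grant access across domains by editing a mapping. Two follow-ups: the read rules (`list_*`/`get_*`) are tightened along with the writes, so domain admins lose visibility of which IdPs exist, which may be intended but should be stated; and the `identity:add_endpoint_group_to_project`/`remove_endpoint_group_from_project` context lines at the top of the hunk still use `admin_required`, so check whether those were meant to follow the same pattern in this cloud sample.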
@ -15,6 +15,8 @@
import sys

from keystoneclient.common import cms
from oslo.serialization import jsonutils
from oslo.utils import importutils
from oslo.utils import timeutils
import six

@ -27,8 +29,6 @@ from keystone import config
from keystone.contrib import federation
from keystone import exception
from keystone.i18n import _, _LI
from keystone.openstack.common import importutils
from keystone.openstack.common import jsonutils
from keystone.openstack.common import log

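Review bot: this file now takes `jsonutils` from `oslo.serialization` and `importutils`/`timeutils` from `oslo.utils` while `log` still comes from `keystone.openstack.common`, which is the right split, but the same swap is repeated across most files in this merge and none of the hunks shown touch `requirements.txt` (for `oslo.serialization` and `oslo.utils`) or drop the replaced modules from `openstack-common.conf`; please confirm those came across from master, otherwise a fresh checkout imports modules that are no longer declared.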
@ -12,6 +12,7 @@

import functools

from oslo.serialization import jsonutils
from pycadf import cadftaxonomy as taxonomy
from six.moves.urllib import parse

@ -21,7 +22,6 @@ from keystone.contrib import federation
from keystone.contrib.federation import utils
from keystone.models import token_model
from keystone import notifications
from keystone.openstack.common import jsonutils


@dependency.requires('federation_api', 'identity_api', 'token_provider_api')
@ -58,7 +58,7 @@ class Mapped(auth.AuthMethodHandler):
token_audit_id = token_ref.audit_id
identity_provider = token_ref.federation_idp_id
protocol = token_ref.federation_protocol_id
user_id = token_ref['user']['id']
user_id = token_ref.user_id
group_ids = token_ref.federation_group_ids
send_notification = functools.partial(
notifications.send_saml_audit_notification, 'authenticate',
@ -92,8 +92,8 @@ class Mapped(auth.AuthMethodHandler):
identity_provider = auth_payload['identity_provider']
protocol = auth_payload['protocol']
group_ids = None
# NOTE(topol): Since the user is coming in from an IdP with a SAML doc
# instead of from a token we set token_id to None
# NOTE(topol): The user is coming in from an IdP with a SAML assertion
# instead of from a token, so we set token_id to None
token_id = None

try:
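Review bot: in the `-92,8` hunk `token_id = None` means the `send_notification` partial built in the `-58,7` hunk (`notifications.send_saml_audit_notification, 'authenticate', ...`) is emitted without a token for assertion-based logins; that is correct for the SAML path, but the resulting CADF event then has no token identifier to correlate with later token use, so make sure the `identity_provider` and `protocol` values this hunk reads from `auth_payload` are what the notification carries as the correlating fields. The `token_ref['user']['id']` to `token_ref.user_id` change in the `-58,7` hunk is consistent with the other `KeystoneToken` properties on the adjacent lines and needs nothing further.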
@ -22,7 +22,6 @@ from keystone import config
from keystone import exception
from keystone.i18n import _LC
from keystone.openstack.common import log
from keystone.openstack.common import versionutils


LOG = log.getLogger(__name__)
@ -123,11 +122,3 @@ class Catalog(kvs.Catalog):
catalog[region][service] = service_data

return catalog


@versionutils.deprecated(
versionutils.deprecated.ICEHOUSE,
in_favor_of='keystone.catalog.backends.templated.Catalog',
remove_in=+2)
class TemplatedCatalog(Catalog):
pass
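Review bot: removing `TemplatedCatalog` is on schedule (deprecated in Icehouse with `remove_in=+2`, so Kilo), but any keystone.conf that still points `[catalog] driver` at `keystone.catalog.backends.templated.TemplatedCatalog` now fails to import at startup instead of logging the deprecation warning; this needs a release note and a mention in the merge commit message. Dropping the `versionutils` import is correct once the decorator is gone, provided nothing else in the module used it.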
@ -35,11 +35,6 @@ from keystone.openstack.common import log

LOG = log.getLogger(__name__)

# NOTE(morganfainberg): This is used as the maximum number of seconds a get
# of a new connection will wait for before raising an exception indicating
# a serious / most likely non-recoverable delay has occurred.
CONNECTION_GET_TIMEOUT = 120

# This 'class' is taken from http://stackoverflow.com/a/22520633/238308
# Don't inherit client from threading.local so that we can reuse clients in
# different threads
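Review bot: deleting the module constant `CONNECTION_GET_TIMEOUT = 120` changes the pool's get timeout from a fixed 120 seconds to whatever the `memcache_pool_connection_get_timeout` option supplies, and that option's default shown later in this merge is 10 seconds; that is a behaviour change for deployments that never set the option and should be called out in the commit message. Also grep for any remaining reference to the constant, since a stale `_memcache_pool.CONNECTION_GET_TIMEOUT` would only fail at runtime.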
@ -78,9 +73,25 @@ class ConnectionPool(queue.Queue):
self._acquired = 0

def _create_connection(self):
"""Returns a connection instance.

This is called when the pool needs another instance created.

:returns: a new connection instance

"""
raise NotImplementedError

def _destroy_connection(self, conn):
"""Destroy and cleanup a connection instance.

This is called when the pool wishes to get rid of an existing
connection. This is the opportunity for a subclass to free up
resources and cleaup after itself.

:param conn: the connection object to destroy

"""
raise NotImplementedError

def _debug_logger(self, msg, *args, **kwargs):
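Review bot: typo in the new `_destroy_connection` docstring, "cleaup" should be "cleanup". Otherwise turning the two hooks into explicit `raise NotImplementedError` stubs with docstrings is an improvement over the implicit contract; `MemcacheClientPool` below must now implement both, so a test that instantiates the base `ConnectionPool` directly would need to stub them.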
@ -110,6 +121,9 @@ class ConnectionPool(queue.Queue):
def _qsize(self):
return self.maxsize - self._acquired

# NOTE(dstanek): stdlib and eventlet Queue implementations
# have different names for the qsize method. This ensures
# that we override both of them.
if not hasattr(queue.Queue, '_qsize'):
qsize = _qsize

@ -121,18 +135,24 @@ class ConnectionPool(queue.Queue):
self._acquired += 1
return conn

def _drop_expired_connections(self, conn):
"""Drop all expired connections from the right end of the queue.

:param conn: connection object
"""
now = time.time()
while self.queue and self.queue[0].ttl < now:
conn = self.queue.popleft().connection
self._debug_logger('Reaping connection %s', id(conn))
self._destroy_connection(conn)

def _put(self, conn):
self.queue.append(_PoolItem(
ttl=time.time() + self._unused_timeout,
connection=conn,
))
self._acquired -= 1
# Drop all expired connections from the right end of the queue
now = time.time()
while self.queue and self.queue[0].ttl < now:
conn = self.queue.popleft().connection
self._debug_logger('Reaping connection %s', id(conn))
self._destroy_connection(conn)
self._drop_expired_connections(conn)


class MemcacheClientPool(ConnectionPool):
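Review bot: `_drop_expired_connections(self, conn)` takes a `conn` argument it never reads (the loop rebinds `conn` from `self.queue.popleft()`), and the docstring's `:param conn:` documents it as if it mattered; drop the parameter and call `self._drop_expired_connections()` from `_put`. The docstring also says "right end of the queue" while the code pops from the left (`self.queue[0]`, `popleft()`), which is where the oldest items sit; say "oldest" instead. Note that `_put` appends the returned connection with a fresh ttl before reaping, so a just-returned connection is never reaped in the same call; that is fine but worth a comment.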
@ -173,9 +193,8 @@ class MemcacheClientPool(ConnectionPool):
# If this client found that one of the hosts is dead, mark it as
# such in our internal list
now = time.time()
for i, deaduntil, host in zip(itertools.count(),
self._hosts_deaduntil,
conn.servers):
for i, host in zip(itertools.count(), conn.servers):
deaduntil = self._hosts_deaduntil[i]
# Do nothing if we already know this host is dead
if deaduntil <= now:
if host.deaduntil > now:
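Review bot: `for i, host in zip(itertools.count(), conn.servers):` followed by `deaduntil = self._hosts_deaduntil[i]` is just `for i, host in enumerate(conn.servers):`. More importantly, the old three-way `zip` silently stopped at the shorter of `self._hosts_deaduntil` and `conn.servers`, whereas the explicit index now raises `IndexError` if `conn.servers` is ever longer; if the two are always the same length say so in a comment, otherwise keep the bound check.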
@ -17,12 +17,12 @@ import datetime

from dogpile.cache import api
from dogpile.cache import util as dp_util
from oslo.utils import importutils
from oslo.utils import timeutils
import six

from keystone import exception
from keystone.i18n import _
from keystone.openstack.common import importutils
from keystone.openstack.common import log


@ -17,11 +17,11 @@
import dogpile.cache
from dogpile.cache import proxy
from dogpile.cache import util
from oslo.utils import importutils

from keystone import config
from keystone import exception
from keystone.i18n import _
from keystone.openstack.common import importutils
from keystone.openstack.common import log


@ -97,16 +97,15 @@ FILE_OPTIONS = {
'exception for token values.'),
cfg.StrOpt('member_role_id',
default='9fe2ff9ee4384b1894a90878d3e92bab',
help='During a SQL upgrade member_role_id will be used '
'to create a new role that will replace records in '
'the assignment table with explicit role grants. '
'After migration, the member_role_id will be used in '
'the API add_user_to_project.'),
help='Similar to the member_role_name option, this '
'represents the default role ID used to associate '
'users with their default projects in the v2 API. '
'This will be used as the explicit role where one is '
'not specified by the v2 API.'),
cfg.StrOpt('member_role_name', default='_member_',
help='During a SQL upgrade member_role_name will be used '
'to create a new role that will replace records in '
'the assignment table with explicit role grants. '
'After migration, member_role_name will be ignored.'),
help='This is the role name used in combination with the '
'member_role_id option; see that option for more '
'detail.'),
cfg.IntOpt('crypt_strength', default=40000,
help='The value passed as the keyword "rounds" to '
'passlib\'s encrypt method.'),
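Review bot: this `member_role_id` help string is the source of the text in the `keystone.conf.sample` hunk and the two match, which is good, but the new wording no longer says that the v2 `add_user_to_project` path creates the role with this ID when it is missing, and that is the one thing an operator changing the value needs to know. Keep one sentence about the implicit creation here so the generated sample carries it; the `member_role_name` text can then stay as the short cross-reference it is.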
@ -336,27 +335,27 @@ FILE_OPTIONS = {
cfg.ListOpt('memcache_servers', default=['localhost:11211'],
help='Memcache servers in the format of "host:port".'
' (dogpile.cache.memcache and keystone.cache.memcache_pool'
' backends only)'),
' backends only).'),
cfg.IntOpt('memcache_dead_retry',
default=5 * 60,
help='Number of seconds memcached server is considered dead'
' before it is tried again. (dogpile.cache.memcache and'
' keystone.cache.memcache_pool backends only)'),
' keystone.cache.memcache_pool backends only).'),
cfg.IntOpt('memcache_socket_timeout',
default=3,
help='Timeout in seconds for every call to a server.'
' (dogpile.cache.memcache and keystone.cache.memcache_pool'
' backends only)'),
' backends only).'),
cfg.IntOpt('memcache_pool_maxsize',
default=10,
help='Max total number of open connections to every'
' memcached server. (keystone.cache.memcache_pool backend'
' only)'),
' only).'),
cfg.IntOpt('memcache_pool_unused_timeout',
default=60,
help='Number of seconds a connection to memcached is held'
' unused in the pool before it is closed.'
' (keystone.cache.memcache_pool backend only)'),
' (keystone.cache.memcache_pool backend only).'),
cfg.IntOpt('memcache_pool_connection_get_timeout',
default=10,
help='Number of seconds that an operation will wait to get '

@ -22,6 +22,7 @@ from dogpile.cache import proxy
from dogpile.cache import region
from dogpile.cache import util as dogpile_util
from dogpile.core import nameregistry
from oslo.utils import importutils
import six

from keystone.common import config
@ -29,7 +30,6 @@ from keystone import exception
from keystone.i18n import _
from keystone.i18n import _LI
from keystone.i18n import _LW
from keystone.openstack.common import importutils
from keystone.openstack.common import log


@ -14,7 +14,7 @@

import functools

from keystone.openstack.common import importutils
from oslo.utils import importutils


def response_truncated(f):

@ -26,6 +26,7 @@ from oslo.db import exception as db_exception
from oslo.db import options as db_options
from oslo.db.sqlalchemy import models
from oslo.db.sqlalchemy import session as db_session
from oslo.serialization import jsonutils
import six
import sqlalchemy as sql
from sqlalchemy.ext import declarative
@ -35,7 +36,6 @@ from sqlalchemy import types as sql_types
from keystone.common import utils
from keystone import exception
from keystone.i18n import _
from keystone.openstack.common import jsonutils
from keystone.openstack.common import log


@ -28,12 +28,11 @@ column.

"""

from oslo.serialization import jsonutils
from oslo.utils import strutils
import sqlalchemy as sql
from sqlalchemy.orm import Session

from keystone.openstack.common import jsonutils


def _migrate_enabled_from_extra(migrate_engine, endpoint_table):
"""Remove `enabled` from `extra`, put it in the `enabled` column."""

@ -28,12 +28,11 @@ column.

"""

from oslo.serialization import jsonutils
from oslo.utils import strutils
import sqlalchemy as sql
from sqlalchemy.orm import sessionmaker

from keystone.openstack.common import jsonutils


def _migrate_enabled_from_extra(migrate_engine, service_table):
"""Remove `enabled` from `extra`, put it in the `enabled` column."""

@ -20,6 +20,8 @@ import sys
import migrate
from migrate import exceptions
from oslo.db.sqlalchemy import migration
from oslo.serialization import jsonutils
from oslo.utils import importutils
import six
import sqlalchemy

@ -29,8 +31,6 @@ from keystone import config
from keystone import contrib
from keystone import exception
from keystone.i18n import _
from keystone.openstack.common import importutils
from keystone.openstack.common import jsonutils


CONF = config.CONF

@ -23,6 +23,7 @@ import hashlib
import os
import pwd

from oslo.serialization import jsonutils
from oslo.utils import strutils
import passlib.hash
import six
@ -32,7 +33,6 @@ from keystone.common import config
from keystone.common import environment
from keystone import exception
from keystone.i18n import _
from keystone.openstack.common import jsonutils
from keystone.openstack.common import log


@ -21,6 +21,8 @@
import copy

from oslo import i18n
from oslo.serialization import jsonutils
from oslo.utils import importutils
import routes.middleware
import six
import webob.dec
@ -34,8 +36,6 @@ from keystone.i18n import _
from keystone.i18n import _LI
from keystone.i18n import _LW
from keystone.models import token_model
from keystone.openstack.common import importutils
from keystone.openstack.common import jsonutils
from keystone.openstack.common import log

@ -40,6 +40,7 @@ def set_default_for_default_log_levels():
extra_log_level_defaults = [
'dogpile=INFO',
'routes=INFO',
'keystone.common._memcache_pool=INFO',
]

def find_default_log_levels_opt():
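Review bot: adding `keystone.common._memcache_pool=INFO` to the default log level overrides silences the pool's per-connection debug lines (for example the `Reaping connection %s` message in `_drop_expired_connections`) even when `debug = True` is set globally, because an explicit entry in `default_log_levels` pins that logger's level regardless of the root level; that is a sensible default for a noisy module, but say so in the commit message so an operator chasing pool exhaustion knows to override `default_log_levels` for this logger rather than just turning on debug.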
@ -37,6 +37,7 @@ import sys
import uuid

from keystoneclient.contrib.ec2 import utils as ec2_utils
from oslo.serialization import jsonutils
import six

from keystone.common import controller
@ -46,7 +47,6 @@ from keystone.common import wsgi
from keystone import exception
from keystone.i18n import _
from keystone.models import token_model
from keystone.openstack.common import jsonutils


@dependency.requires('assignment_api', 'catalog_api', 'credential_api',

@ -12,10 +12,11 @@
# License for the specific language governing permissions and limitations
# under the License.

from oslo.serialization import jsonutils

from keystone.common import sql
from keystone.contrib.federation import core
from keystone import exception
from keystone.openstack.common import jsonutils


class FederationProtocolModel(sql.ModelBase, sql.DictBase):

@ -15,6 +15,7 @@ import os
import subprocess
import uuid

from oslo.utils import timeutils
import saml2
from saml2 import md
from saml2 import saml
@ -27,7 +28,6 @@ from keystone import exception
from keystone.i18n import _, _LE
from keystone.openstack.common import fileutils
from keystone.openstack.common import log
from keystone.openstack.common import timeutils


LOG = log.getLogger(__name__)

@ -16,6 +16,7 @@ import datetime
import random
import uuid

from oslo.serialization import jsonutils
from oslo.utils import timeutils
import six

@ -23,7 +24,6 @@ from keystone.common import sql
from keystone.contrib.oauth1 import core
from keystone import exception
from keystone.i18n import _
from keystone.openstack.common import jsonutils


class Consumer(sql.ModelBase, sql.DictBase):

@ -14,6 +14,7 @@

"""Extensions supporting OAuth1."""

from oslo.serialization import jsonutils
from oslo.utils import timeutils

from keystone.common import controller
@ -26,7 +27,6 @@ from keystone import exception
from keystone.i18n import _
from keystone.models import token_model
from keystone import notifications
from keystone.openstack.common import jsonutils


CONF = config.CONF

@ -12,13 +12,13 @@
# License for the specific language governing permissions and limitations
# under the License.

from oslo.serialization import jsonutils
import webob

from keystone.common import extension
from keystone.common import json_home
from keystone.common import wsgi
from keystone import exception
from keystone.openstack.common import jsonutils
from keystone.openstack.common import log


@ -14,13 +14,14 @@

import hashlib

from oslo.serialization import jsonutils

from keystone.common import controller
from keystone.common import dependency
from keystone.common import validation
from keystone.credential import schema
from keystone import exception
from keystone.i18n import _
from keystone.openstack.common import jsonutils


@dependency.requires('credential_api')

@ -20,6 +20,7 @@ import os
import uuid

from oslo.config import cfg
from oslo.utils import importutils
import six

from keystone import clean
@ -31,7 +32,6 @@ from keystone import exception
from keystone.i18n import _
from keystone.identity.mapping_backends import mapping
from keystone import notifications
from keystone.openstack.common import importutils
from keystone.openstack.common import log


@ -12,6 +12,7 @@
# License for the specific language governing permissions and limitations
# under the License.

from oslo.serialization import jsonutils
import six
import webob.dec

@ -23,7 +24,6 @@ from keystone.common import wsgi
from keystone import exception
from keystone.i18n import _
from keystone.models import token_model
from keystone.openstack.common import jsonutils
from keystone.openstack.common import log
from keystone.openstack.common import versionutils

@ -378,7 +378,7 @@ class TestCase(BaseTestCase):
driver='keystone.token.persistence.backends.kvs.Token')
self.config_fixture.config(
group='trust',
driver='keystone.trust.backends.kvs.Trust')
driver='keystone.trust.backends.sql.Trust')
self.config_fixture.config(
group='saml', certfile=signing_certfile, keyfile=signing_keyfile)
self.config_fixture.config(
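Review bot: switching the base `TestCase` trust driver from `keystone.trust.backends.kvs.Trust` to `keystone.trust.backends.sql.Trust` means every test that does not override `[trust] driver` now exercises the SQL backend and must have the database fixture loaded before it touches trusts; together with the `KvsTrust` test class removal later in this merge it implies the KVS trust backend is going away, so the commit message should carry a deprecation or removal note for `keystone.trust.backends.kvs.Trust`.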
@ -327,18 +327,7 @@ class FakeLdap(core.LDAPHandler):

def delete_s(self, dn):
"""Remove the ldap object at specified dn."""
if server_fail:
raise ldap.SERVER_DOWN

key = self.key(dn)
LOG.debug('delete item: dn=%s', core.utf8_decode(dn))
try:
del self.db[key]
except KeyError:
LOG.debug('delete item failed: dn=%s not found.',
core.utf8_decode(dn))
raise ldap.NO_SUCH_OBJECT
self.db.sync()
return self.delete_ext_s(dn, serverctrls=[])

def _getChildren(self, dn):
return [k for k, v in six.iteritems(self.db)
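Review bot: `delete_s` now just returns `self.delete_ext_s(dn, serverctrls=[])`, so the `server_fail` check, the `NO_SUCH_OBJECT` path and the `self.db.sync()` removed from this method must all live in the base-class `delete_ext_s`; the `FakeLdapNoSubtreeDelete` hunk below shows its override opening with the `server_fail` check, but please confirm the base implementation also does the `sync()` and the not-found debug logging, since the LDAP backend tests rely on `ldap.NO_SUCH_OBJECT` for a missing DN.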
@ -428,7 +417,7 @@ class FakeLdap(core.LDAPHandler):

Args:
base -- dn to search under
scope -- only SCOPE_BASE and SCOPE_SUBTREE are supported
scope -- search scope (base, subtree, onelevel)
filterstr -- filter objects by
attrlist -- attrs to return. Returns all attrs if not specified

@ -483,9 +472,8 @@ class FakeLdap(core.LDAPHandler):
results = list(get_entries())

else:
LOG.debug('search fail: unknown scope %s', scope)
raise NotImplementedError('Search scope %s not implemented.'
% scope)
# openldap client/server raises PROTOCOL_ERROR for unexpected scope
raise ldap.PROTOCOL_ERROR

objects = []
for dn, attrs in results:
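Review bot: raising `ldap.PROTOCOL_ERROR` for an unsupported scope matches what a real OpenLDAP server returns and makes the fake more faithful, but the `LOG.debug('search fail: unknown scope %s', scope)` line was dropped along with the `NotImplementedError`; keep a debug log before the raise so a test that passes a bad scope is diagnosable from the log. The docstring update in the previous hunk ("base, subtree, onelevel") should also be checked against the `if`/`elif` chain above it so the documented scopes are exactly the ones that do not reach this `else`.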
@ -569,9 +557,6 @@ class FakeLdapNoSubtreeDelete(FakeLdap):
an entry that has children.
"""

def delete_s(self, dn):
self.delete_ext_s(dn, [], None)

def delete_ext_s(self, dn, serverctrls, clientctrls=None):
"""Remove the ldap object at specified dn."""
if server_fail:

@ -96,7 +96,7 @@ class HackingCode(fixtures.Fixture):
import logging
import logging as stlib_logging
from keystone.i18n import _
from keystone.i18n import _ as oslog_i18n
from keystone.i18n import _ as oslo_i18n
from keystone.openstack.common import log
from keystone.openstack.common import log as oslo_logging

@ -105,7 +105,7 @@ class HackingCode(fixtures.Fixture):
L0.debug(_('text'))
class C:
def __init__(self):
L0.debug(oslog_i18n('text', {}))
L0.debug(oslo_i18n('text', {}))

# stdlib logging w/ alias and specifying a logger
class C:
@ -118,7 +118,7 @@ class HackingCode(fixtures.Fixture):

# oslo logging and specifying a logger
L2 = log.getLogger(__name__)
L2.debug(oslog_i18n('text'))
L2.debug(oslo_i18n('text'))

# oslo logging w/ alias
class C:

@ -15,12 +15,12 @@
import io

from lxml import etree
from oslo.serialization import jsonutils
import six
import webtest

from keystone.auth import controllers as auth_controllers
from keystone.common import serializer
from keystone.openstack.common import jsonutils
from keystone import tests
from keystone.tests import default_fixtures
from keystone.tests.ksfixtures import database
@ -20,8 +20,6 @@ import six
from keystone import config
from keystone import exception
from keystone import tests
from keystone.tests import default_fixtures
from keystone.tests.ksfixtures import database
from keystone.tests import test_backend


@ -104,24 +102,6 @@ class KvsToken(tests.TestCase, test_backend.TokenTests):
self.assertEqual(expected_user_token_list, user_token_list)


class KvsTrust(tests.TestCase, test_backend.TrustTests):
def setUp(self):
super(KvsTrust, self).setUp()
# Need to load the SQL database support for the fixtures
self.useFixture(database.Database())
self.load_backends()
self.load_fixtures(default_fixtures)

def config_overrides(self):
super(KvsTrust, self).config_overrides()
self.config_fixture.config(
group='trust',
driver='keystone.trust.backends.kvs.Trust')
self.config_fixture.config(
group='catalog',
driver='keystone.catalog.backends.kvs.Catalog')


class KvsCatalog(tests.TestCase, test_backend.CatalogTests):
def setUp(self):
super(KvsCatalog, self).setUp()
@ -130,9 +110,6 @@ class KvsCatalog(tests.TestCase, test_backend.CatalogTests):

def config_overrides(self):
super(KvsCatalog, self).config_overrides()
self.config_fixture.config(
group='trust',
driver='keystone.trust.backends.kvs.Trust')
self.config_fixture.config(
group='catalog',
driver='keystone.catalog.backends.kvs.Catalog')
@ -14,11 +14,11 @@

import uuid

from oslo.serialization import jsonutils
import six

from keystone.common import wsgi
from keystone import exception
from keystone.openstack.common import jsonutils
from keystone import tests



@ -17,11 +17,11 @@ import os
import uuid

import mock
from oslo.serialization import jsonutils
from oslo.utils import timeutils
import webob

from keystone import config
from keystone.openstack.common import jsonutils
from keystone import tests
from keystone.tests import default_fixtures
from keystone.tests.ksfixtures import appserver

@ -12,11 +12,11 @@
# License for the specific language governing permissions and limitations
# under the License.

from oslo.serialization import jsonutils
import webob

from keystone import config
from keystone import middleware
from keystone.openstack.common import jsonutils
from keystone import tests



@ -151,17 +151,43 @@ class EndpointFilterExtension(test_sql_upgrade.SqlMigrateBase):
def repo_package(self):
return endpoint_filter

def upgrade(self, version):
super(EndpointFilterExtension, self).upgrade(
version, repository=self.repo_path)

def downgrade(self, version):
super(EndpointFilterExtension, self).downgrade(
version, repository=self.repo_path)

def _assert_v1_tables(self):
self.assertTableColumns('project_endpoint',
['endpoint_id', 'project_id'])
self.assertTableDoesNotExist('endpoint_group')
self.assertTableDoesNotExist('project_endpoint_group')

def _assert_v2_tables(self):
self.assertTableColumns('project_endpoint',
['endpoint_id', 'project_id'])
self.assertTableColumns('endpoint_group',
['id', 'name', 'description', 'filters'])
self.assertTableColumns('project_endpoint_group',
['endpoint_group_id', 'project_id'])

def test_upgrade(self):
self.assertTableDoesNotExist('project_endpoint')
self.upgrade(1, repository=self.repo_path)
self.upgrade(1)
self._assert_v1_tables()
self.assertTableColumns('project_endpoint',
['endpoint_id', 'project_id'])
self.upgrade(2)
self._assert_v2_tables()

def test_downgrade(self):
self.upgrade(1, repository=self.repo_path)
self.assertTableColumns('project_endpoint',
['endpoint_id', 'project_id'])
self.downgrade(0, repository=self.repo_path)
self.upgrade(2)
self._assert_v2_tables()
self.downgrade(1)
self._assert_v1_tables()
self.downgrade(0)
self.assertTableDoesNotExist('project_endpoint')



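Review bot: in `test_upgrade`, the `self.assertTableColumns('project_endpoint', ['endpoint_id', 'project_id'])` that survives as context right after `self._assert_v1_tables()` repeats a check that helper already makes; drop it so the test reads as v1 state, then v2 state. `test_downgrade` now jumps straight to `self.upgrade(2)`; for symmetry with `test_upgrade` it could open with `self.assertTableDoesNotExist('project_endpoint')` so a table leaked by another test is caught before the downgrade path is exercised.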
@ -16,6 +16,7 @@ import datetime
import uuid

from lxml import etree
from oslo.serialization import jsonutils
from oslo.utils import timeutils
import six
from testtools import matchers

@ -27,7 +28,6 @@ from keystone.common import serializer
from keystone import config
from keystone import exception
from keystone import middleware
from keystone.openstack.common import jsonutils
from keystone.policy.backends import rules
from keystone import tests
from keystone.tests.ksfixtures import database

@ -1023,17 +1023,13 @@ class RestfulTestCase(tests.SQLDriverOverrides, rest.RestfulTestCase,
self.assertEqual(ref['name'], entity['name'])
return entity

def assertValidRoleAssignmentListResponse(self, resp, ref=None,
expected_length=None,
def assertValidRoleAssignmentListResponse(self, resp, expected_length=None,
resource_url=None):

entities = resp.result.get('role_assignments')

if expected_length is not None:
self.assertEqual(len(entities), expected_length)
elif ref is not None:
# we're at least expecting the ref
self.assertNotEmpty(entities)

# collections should have relational links
self.assertValidListLinks(resp.result.get('links'),

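Review bot: dropping `ref` from the `assertValidRoleAssignmentListResponse` signature means any caller still passing `ref=` now fails with a TypeError instead of a test assertion, so every call site in the v3 test modules has to be updated in the same change. The deleted `elif ref is not None: self.assertNotEmpty(entities)` branch was also the only guard against an empty collection when no `expected_length` is given; callers that relied on it should now pass an explicit `expected_length`.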
@ -1042,8 +1038,6 @@ class RestfulTestCase(tests.SQLDriverOverrides, rest.RestfulTestCase,
for entity in entities:
self.assertIsNotNone(entity)
self.assertValidRoleAssignment(entity)
if ref:
self.assertValidRoleAssignment(entity, ref)
return entities

def assertValidRoleAssignment(self, entity, ref=None, url=None):

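Review bot: the removed `if ref: self.assertValidRoleAssignment(entity, ref)` was the only place the list helper compared each returned assignment against a reference; after this hunk the loop checks structure only, so a response carrying the wrong assignments with the right count passes. If any test still needs that per-entity match, keep it behind an optional argument of this helper rather than deleting it, since `assertValidRoleAssignment(self, entity, ref=None, url=None)` still supports it.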
@ -17,6 +17,7 @@ import uuid

from lxml import etree
import mock
from oslo.serialization import jsonutils
from oslotest import mockpatch
import saml2
from saml2 import saml

@ -32,7 +33,6 @@ from keystone.contrib.federation import idp as keystone_idp
from keystone.contrib.federation import utils as mapping_utils
from keystone import exception
from keystone import notifications
from keystone.openstack.common import jsonutils
from keystone.openstack.common import log
from keystone.tests import federation_fixtures
from keystone.tests import mapping_fixtures

@ -15,8 +15,9 @@

import uuid

from oslo.serialization import jsonutils

from keystone import config
from keystone.openstack.common import jsonutils
from keystone.policy.backends import rules
from keystone.tests import filtering
from keystone.tests.ksfixtures import temporaryfile

@ -15,6 +15,7 @@
import copy
import uuid

from oslo.serialization import jsonutils
from six.moves import urllib

from keystone import config

@ -22,7 +23,6 @@ from keystone.contrib import oauth1
from keystone.contrib.oauth1 import controllers
from keystone.contrib.oauth1 import core
from keystone import exception
from keystone.openstack.common import jsonutils
from keystone.tests.ksfixtures import temporaryfile
from keystone.tests import test_v3


@ -15,9 +15,10 @@

import uuid

from oslo.serialization import jsonutils

from keystone import config
from keystone import exception
from keystone.openstack.common import jsonutils
from keystone.policy.backends import rules
from keystone import tests
from keystone.tests.ksfixtures import temporaryfile

@ -18,12 +18,12 @@ import functools
import random

import mock
from oslo.serialization import jsonutils
from testtools import matchers as tt_matchers

from keystone.common import json_home
from keystone import config
from keystone import controllers
from keystone.openstack.common import jsonutils
from keystone import tests
from keystone.tests import matchers


@ -18,6 +18,7 @@ import uuid

import mock
from oslo import i18n
from oslo.serialization import jsonutils
import six
from testtools import matchers
import webob

@ -25,7 +26,6 @@ import webob
from keystone.common import environment
from keystone.common import wsgi
from keystone import exception
from keystone.openstack.common import jsonutils
from keystone import tests



@ -10,6 +10,6 @@
# License for the specific language governing permissions and limitations
# under the License.

# NOTE(morganfainberg): This module is for transition from the old token
# backend package location to the new one. This module is slated for removal
# NOTE(morganfainberg): This package is for transition from the old token
# backend package location to the new one. This package is slated for removal
# in the Kilo development cycle.

@ -16,6 +16,7 @@ import datetime
import sys

from keystoneclient.common import cms
from oslo.serialization import jsonutils
from oslo.utils import timeutils
import six

@ -26,7 +27,6 @@ from keystone import config
from keystone import exception
from keystone.i18n import _
from keystone.models import token_model
from keystone.openstack.common import jsonutils
from keystone.openstack.common import log
from keystone.token import provider


@ -12,6 +12,7 @@
# License for the specific language governing permissions and limitations
# under the License.

from oslo.serialization import jsonutils
from oslo.utils import timeutils
import six
from six.moves.urllib import parse

@ -21,7 +22,6 @@ from keystone import config
from keystone.contrib import federation
from keystone import exception
from keystone.i18n import _
from keystone.openstack.common import jsonutils
from keystone.openstack.common import log
from keystone import token
from keystone.token import provider

@ -15,12 +15,12 @@
"""Keystone PKI Token Provider"""

from keystoneclient.common import cms
from oslo.serialization import jsonutils

from keystone.common import environment
from keystone import config
from keystone import exception
from keystone.i18n import _
from keystone.openstack.common import jsonutils
from keystone.openstack.common import log
from keystone.token.providers import common


@ -13,12 +13,12 @@
"""Keystone Compressed PKI Token Provider"""

from keystoneclient.common import cms
from oslo.serialization import jsonutils

from keystone.common import environment
from keystone import config
from keystone import exception
from keystone.i18n import _
from keystone.openstack.common import jsonutils
from keystone.openstack.common import log
from keystone.token.providers import common


@ -1,121 +0,0 @@
# Copyright 2012 OpenStack Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
"""
An in memory implementation of the trusts API.
only to be used for testing purposes
"""
import copy

from oslo.utils import timeutils

from keystone.common import kvs
from keystone import exception
from keystone.openstack.common import versionutils
from keystone import trust as keystone_trust


def _filter_trust(ref, deleted=False):
if ref['deleted_at'] and not deleted:
return None
if (ref.get('expires_at') and timeutils.utcnow() > ref['expires_at'] and
not deleted):
return None
remaining_uses = ref.get('remaining_uses')
# Do not return trusts that can't be used anymore
if remaining_uses is not None and not deleted:
if remaining_uses <= 0:
return None
ref = copy.deepcopy(ref)
return ref


class Trust(kvs.Base, keystone_trust.Driver):

@versionutils.deprecated(versionutils.deprecated.JUNO,
in_favor_of='keystone.trust.backends.sql',
remove_in=+1,
what='keystone.trust.backends.kvs')
def __init__(self):
super(Trust, self).__init__()

def create_trust(self, trust_id, trust, roles):
trust_ref = copy.deepcopy(trust)
trust_ref['id'] = trust_id
trust_ref['deleted_at'] = None
trust_ref['roles'] = roles
if (trust_ref.get('expires_at') and
trust_ref['expires_at'].tzinfo is not None):
trust_ref['expires_at'] = (timeutils.normalize_time
(trust_ref['expires_at']))

self.db.set('trust-%s' % trust_id, trust_ref)
trustee_user_id = trust_ref['trustee_user_id']
trustee_list = self.db.get('trustee-%s' % trustee_user_id, [])
trustee_list.append(trust_id)
self.db.set('trustee-%s' % trustee_user_id, trustee_list)
trustor_user_id = trust_ref['trustor_user_id']
trustor_list = self.db.get('trustor-%s' % trustor_user_id, [])
trustor_list.append(trust_id)
self.db.set('trustor-%s' % trustor_user_id, trustor_list)
return trust_ref

def consume_use(self, trust_id):
try:
orig_ref = self.db.get('trust-%s' % trust_id)
except exception.NotFound:
raise exception.TrustNotFound(trust_id=trust_id)
remaining_uses = orig_ref.get('remaining_uses')
if remaining_uses is None:
# unlimited uses, do nothing
return
elif remaining_uses > 0:
ref = copy.deepcopy(orig_ref)
ref['remaining_uses'] -= 1
self.db.set('trust-%s' % trust_id, ref)
else:
raise exception.TrustUseLimitReached(trust_id=trust_id)

def get_trust(self, trust_id, deleted=False):
try:
ref = self.db.get('trust-%s' % trust_id)
return _filter_trust(ref, deleted=deleted)
except exception.NotFound:
return None

def delete_trust(self, trust_id):
try:
ref = self.db.get('trust-%s' % trust_id)
except exception.NotFound:
raise exception.TrustNotFound(trust_id=trust_id)
ref['deleted_at'] = timeutils.utcnow()
self.db.set('trust-%s' % trust_id, ref)

def list_trusts(self):
trusts = []
for key, value in self.db.items():
if key.startswith("trust-") and not value['deleted_at']:
trusts.append(value)
return trusts

def list_trusts_for_trustee(self, trustee_user_id):
trusts = []
for trust in self.db.get('trustee-%s' % trustee_user_id, []):
trusts.append(self.get_trust(trust))
return trusts

def list_trusts_for_trustor(self, trustor_user_id):
trusts = []
for trust in self.db.get('trustor-%s' % trustor_user_id, []):
trusts.append(self.get_trust(trust))
return trusts
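Review bot: this removal matches the `versionutils.deprecated(versionutils.deprecated.JUNO, in_favor_of='keystone.trust.backends.sql', remove_in=+1, ...)` marker on `__init__`, so it is on schedule, but it needs an upgrade note: a keystone.conf that still sets `[trust] driver = keystone.trust.backends.kvs.Trust` will fail when the driver is loaded at startup, and nothing in the patch points operators at the SQL backend. The module docstring says the store was for testing only, so no data migration is owed; do check that the sample config and docs carry no remaining `keystone.trust.backends.kvs` reference in the same change.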
@ -2,8 +2,6 @@

module=config
module=gettextutils
module=importutils
module=jsonutils
module=log
module=policy
module=processutils

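Review bot: dropping `module=jsonutils` stops the oslo-incubator sync from refreshing `keystone/openstack/common/jsonutils.py`, so that file must be deleted in the same change and every `from keystone.openstack.common import jsonutils` importer switched to `from oslo.serialization import jsonutils`, as the hunks above do; otherwise an unmaintained copy of a serialization module stays importable in the tree. The header's -8/+6 shows a second module line removed here as well; the change should state which module that is and what replaces it.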
@ -22,6 +22,7 @@ oslo.config>=1.4.0 # Apache-2.0
oslo.messaging>=1.4.0
oslo.db>=1.0.0 # Apache-2.0
oslo.i18n>=1.0.0 # Apache-2.0
oslo.serialization>=1.0.0 # Apache-2.0
oslo.utils>=1.0.0 # Apache-2.0
Babel>=1.3
oauthlib>=0.6

@ -51,7 +51,7 @@ testscenarios>=0.4
# keystoneclient <0.2.1
httplib2>=0.7.5
# replaces httplib2 in keystoneclient >=0.2.1
requests>=1.2.1,!=2.4.0
requests>=2.2.0,!=2.4.0
keyring>=2.1,!=3.3

# For documentation

@ -52,7 +52,7 @@ testscenarios>=0.4
# keystoneclient <0.2.1
httplib2>=0.7.5
# replaces httplib2 in keystoneclient >=0.2.1
requests>=1.2.1,!=2.4.0
requests>=2.2.0,!=2.4.0
keyring>=2.1,!=3.3

# For documentation

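Review bot: this hunk and the identical one above raise the `requests` floor from 1.2.1 to 2.2.0 while keeping `!=2.4.0`, but neither file says why; record the reason (a global-requirements sync, or a specific requests bug) so the next bump can be judged. While touching these lines, the `httplib2>=0.7.5` entry kept for `keystoneclient <0.2.1` looks stale next to a requests-only client, so either justify it with the keystoneclient minimum actually in use or drop it, in both files together.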