Commit Graph

1423 Commits

Author SHA1 Message Date
Zuul 993e589fa1 Merge "Keystone to honor the "domain" attribute mapping rules." 2024-01-26 17:37:09 +00:00
Rafael Weingärtner 14ac08431f Keystone to honor the "domain" attribute mapping rules.
We propose to extend Keystone identity provider (IdP) attribute mapping
schema to make Keystone honor the `domain` configuration that we have
on it.

Currently, that configuration is only used to define a default domain
for groups (and then each group there, could override it). It is
interesting to expand this configuration (as long as it is in the root
of the attribute mapping) to be also applied for users and projects.

Moreover, to facilitate the development and extension concerning
attribute mappings for IdPs, we changed the way the attribute mapping
schema is handled. We introduce a new configuration
`federation_attribute_mapping_schema_version`, which defaults to "1.0".
This attribute mapping schema version will then be used to control the
validation of attribute mapping, and also the rule processors used to
process the attributes that come from the IdP. So far, with this PR,
we introduce the attribute mapping schema "2.0", which enables
operators to also define a domain for the projects they want to assign
users. If no domain is defined either in the project or in the global
domain definition for the attribute mapping, we take the IdP domain
as the default.

Change-Id: Ia9583a254336fad7b302430a38b538c84338d13d
Implements: https://bugs.launchpad.net/keystone/+bug/1887515
Closes-Bug: #1887515
2024-01-16 08:54:56 -03:00
Takashi Kajinami e3b3df7974 Remove babel.cfg
Remove babel.cfg and the translation bits from setup.cfg, those are not
needed anymore.

Change-Id: I6c44c8e0b8bf16af2e91ba26b2dbe37c06ea1048
2023-12-21 02:16:12 +09:00
Zuul fe1a75cf3a Merge "doc: Update the installtion guide for RHEL8/CentOS8 and RHEL9/CentOS9" 2023-11-10 20:22:53 +00:00
Zuul 7ee35794e9 Merge "Fix presentation of OAuth2.0 user guides" 2023-10-06 17:10:29 +00:00
Zuul 02bbc665c4 Merge "Add an option to randomize LDAP urls list" 2023-08-25 16:28:33 +00:00
Zuul 677ac86bca Merge "Fix typo in openid federation diagram" 2023-08-10 16:13:31 +00:00
Zuul 56c1beee76 Merge "docs: Clarify lack of LDAP assignment back end" 2023-08-04 16:31:30 +00:00
Zuul 1ac30ab59f Merge "Add default service role support to boostrap command" 2023-08-04 08:07:44 +00:00
Taketani Ryo 5ec55ebe2b doc: Update the installtion guide for RHEL8/CentOS8 and RHEL9/CentOS9
The openstack Ussuri and Victoria versions no longer support the
RHEL7/CentOS7. Update the installtion guide for RHEL8/CentOS8 and RHEL9/CentOS9.

Change-Id: I6c9924c96c1f879b913b39f66878a8f9235ea18f
2023-07-31 04:36:14 +00:00
Stephen Finucane 8c789fbe73 doc: Correct typo
A contract migration will use the '--contract' flag, obviously.

Change-Id: I288bd0175834fdd3ee8d224f099e37b6294cb7ea
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
2023-07-13 10:03:47 +01:00
Mark Goddard dabaef7c33 docs: Clarify lack of LDAP assignment back end
The LDAP assignment backend was removed in Mitaka(!) [1] and should no
longer be referenced.

Change-Id: I14a4d7fdbaee81792a1ccf9b3bcf5f2d8e237da5
2023-07-04 13:38:40 +01:00
Zuul 8551ac4cb2 Merge "doc: Add minimal documentation on generating migrations" 2023-07-03 14:23:44 +00:00
Zuul 9995510160 Merge "sql: Add support for auto-generation" 2023-07-01 22:36:42 +00:00
Stephen Finucane 66d289f033 doc: Add minimal documentation on generating migrations
We can now auto-generate migrations. Document how this is done.

Change-Id: I754b0eb9eb74cd31f22440c64187d292c19ce4fa
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
2023-06-28 11:14:24 +01:00
Zuul 8304eefb97 Merge "Add doc of OAuth2.0 Client Credentials Grant Flow" 2023-06-27 16:23:30 +00:00
Hiromu Asahina f6ab28218e Fix presentation of OAuth2.0 user guides
Applied remining comments to the first OAuth2.0 documentation patch [1].

[1] https://review.opendev.org/c/openstack/keystone/+/838108

Change-Id: I95aac0b4ac4e887b79ef5b15ac5cb3d356c26735
2023-06-27 23:55:18 +09:00
Arvid Requate 1195c38b8b Fix typo in openid federation diagram
Section "OpenID Connect with keystone and horizon"
should use openid endpoint instead of saml2.

Change-Id: I147f3888c42e2d8d25a0ddd20f4e3974c8a38632
Signed-off-by: Arvid Requate <requate@univention.de>
2023-05-09 13:08:11 +02:00
Yusuke Niimi b438bf1efe Add doc of OAuth2.0 Client Credentials Grant Flow
This patch provides Keystone documents for OAuth2.0 client
authorization. The specification about new API is added to API
Reference. Also OAuth2.0 client credentials grant flow is added to
admin guide.

Implement: blueprint oauth2-client-credentials-ext
Change-Id: I6ac5835fb64a4e81f34f7b8631d255b2bb7f66da
2023-04-17 08:04:36 +00:00
Abhishek Kekane d0eacc4729 Add default service role support to boostrap command
Added service role support to bootstrap command.

Closes-Bug: #1951632
Change-Id: I9cb25a111c84ecb3a09158cbe44b0954df89096c
2023-03-28 17:51:17 +00:00
Stephen Finucane 1bcf8cee0d sql: Add support for auto-generation
Add the ability to autogenerate migrations. Because we need to support
different types of migration (expand and contract), this ends up being
significantly more complicated than what was needed in nova and cinder
and more akin to what was done in neutron. The key feature is here is
the use of an alembic hook called 'process_revision_directives', which
is called whenever one calls 'alembic revision --autogenerate'. We
extend this to allow us to hook into the autogeneration process and
ensure we only spit out directives for the relevant phase.

While we're here, we open up the Bobcat DB branch. This is similar to
what Neutron do (e.g. change I13ba740d245a46c41a969ff198e08ddff896eb1a).
Documentation will follow.

Change-Id: I17c9ff9508c5e2bd9521c18973af093d7550ab5a
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
2023-02-28 17:47:57 +00:00
Grzegorz Grasza 36d57d2a83 Add an option to randomize LDAP urls list
Since LDAP is now readonly, the current behavior might be
unexpected. By randomizing the list, we assure a more gradual
failure scenario if the first server on the list (as specified
by the user) fails.

Change-Id: I23f31bd85443784013a6aa158d80c7aeeb343993
Closes-Bug: #1953622
Resolves: rhbz#2024602
2022-10-07 17:56:02 +02:00
niuke eae6adf00b remove unicode prefix from code
Change-Id: I0de3c786fa2617a44094c37827ebd93a8dfcf3b6
2022-08-15 10:53:41 +08:00
Stephen Finucane d88439c6a9 docs: Update docs to reflect migration to Alembic
Change-Id: Iabc8cd0746871ea6ab81af9d3f0149644a489f3d
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
2022-06-20 13:29:58 +01:00
Nikita Koltsov fc62bbc06a Fix typo in documentation
Change-Id: I92a8cfaef350bb61330d9ef02c0fd9e6f6c5854a
2022-05-16 12:50:37 +02:00
Marcin Wilk 3856cbf10d Add service_type config info for access rules
The service_type config param is crucial to successfully use
application credentials with access rules.

Closes-Bug: #1950464
Change-Id: I98d1cfcbd229f2939d900861f453efa996466c32
2022-04-25 07:57:30 +00:00
Zuul 01e1a083d5 Merge "Update TOTP example code for python 3" 2022-04-22 16:30:04 +00:00
Han Guangyu 644deedda5 Remove the note of training-labs
Training-labs had been officially retired as no maintainer.
The information of training-labs has been deleting in the openstack
documentatioan. It is not appropriate to continue the presentation in
note form here.

[1] http://lists.openstack.org/pipermail/openstack-discuss/2021-October/025586.html
[2] e78d74f105

Change-Id: I0ac3d05389041ac58fe2347171541ffaaf151fdf
2022-04-22 15:15:21 +08:00
Jake Yip afec310e3f Update TOTP example code for python 3
Change-Id: I8e16fe1a002295753ab03cb8da74c0d43785f6d7
2022-03-18 16:01:52 +11:00
Eunyoung Kim c141e6164e trivial: Fix typo
Change-Id: I36f5eb44faf4c0e2ea7d68e8736e8fd34fdd5504
2022-03-16 01:23:33 +00:00
Zuul 3cbd374947 Merge "Fix API path in document" 2022-02-11 18:15:12 +00:00
Eunyoung Kim e833bd8478 Fix API path in document
GET /limits-model => GET /limits/model

Change-Id: Ib832a8a9257ecdc7bffcc81ee003d1f5a37588e0
2022-02-11 09:44:13 +00:00
Zuul f69a449a16 Merge "sql: Move migrations to 'legacy_migrations'" 2022-02-08 22:56:53 +00:00
Zuul ac3a779e10 Merge "sql: Remove legacy 'migrate_repo' migration repo" 2022-02-04 22:41:29 +00:00
Zuul 2961208028 Merge "Add details to bootstrap docs for system role assignments" 2022-02-04 18:49:30 +00:00
Stephen Finucane aebd037f50 sql: Move migrations to 'legacy_migrations'
We're going to add new alembic-based migrations shortly. These will live
in the 'keystone.common.sql.migrations' module. Prepare for this by
moving the existing migrations from ''keystone.common.sql' into a common
'keystone.common.sql.legacy_migrations' module.

Change-Id: I5ab7b010b21268977f73738e895bbd21442e9455
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
2022-01-21 13:39:30 +00:00
Stephen Finucane 503421d3d4 sql: Remove legacy 'migrate_repo' migration repo
This is now folded into the initial migration of the 'expand_repo'
repository. Previously, this was a dummy migration. We simply move
things across and remove any code that was trying to work with the older
repo since it's no longer necessary.

A release note is added, even though it's not really necessary since
nothing will change for users. It's more of a heads up that things are
afoot.

Change-Id: I59882d88fe593ec1ae37415b2157584f7f3c85f8
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
2022-01-10 18:31:09 +00:00
Ghanshyam Mann 8d18270863 Temporary exclude the common.sql.core.py from sphinx-apidoc target
With the new release of SQLAlchemy(1.4.27) TypeDecorator used
in common/sql/core.py file started failing (below error). I am not sure
if it is valid issue in SQLAlchemy or in our code base and we need to
blacklist the SQLAlchemy 1.4.27 version in requirements. But to unblock
the gate let's exclude it from sphinx-apidoc target.

Error:

Warning, treated as error:
/opt/stack/keystone/keystone/common/sql/core.py:docstring of keystone.common.sql.core.DateTimeInt.process_bind_param:19:undefined label: types_typedecorator

-https: //zuul.opendev.org/t/openstack/build/b2ee464fa1554cb89dc8873486865151
Change-Id: I7de055c2b266430bf886e200c3d8829a48ae9600
2021-11-19 16:24:23 -06:00
Zuul f03ff806c1 Merge "Update local_id limit to 255 characters" 2021-08-27 12:19:35 +00:00
Grzegorz Grasza ce6031ca12 Update local_id limit to 255 characters
This avoids the "String length exceeded." error, when using LDAP
domain specific backend in case the user uses a user id
attribute, which can exceed the previous constraint of 64 chars.

Change-Id: I923a2a2a5e79c8f265ff436e96258288dddb867b
Closes-Bug: #1929066
Resolves: rhbz#1959345
2021-08-09 20:40:52 +02:00
Ghanshyam Mann f8cd58da90 Moving IRC network reference to OFTC
Change-Id: I3e4944d47ba8192b4a1f0350347e4dc68d811895
2021-07-16 13:58:33 +00:00
Zuul 0acd650d08 Merge "trivial: Update minor wording nit in RBAC persona documentation" 2021-02-27 05:23:24 +00:00
Zuul 4c1c2793f2 Merge "Clarify top-level personas in RBAC documentation" 2021-02-27 05:23:08 +00:00
Zuul f7c5a38881 Merge "Clarify ``reader`` role implementation in persona admin guide" 2021-02-27 05:23:02 +00:00
Lance Bragstad 9707673b34 trivial: Update minor wording nit in RBAC persona documentation
After reading through the documentation, I thought this sentence sounded
funny using 'within' and 'in' so close to each other. I updated it so
that it isn't quite so jarring.

Change-Id: I2619108216035a37823e53efb5a3f9fe6cfe5cbb
2021-02-05 15:00:02 +00:00
Lance Bragstad a0ae615ab9 Clarify top-level personas in RBAC documentation
This commit updates the documentation for service api protection to
better describe the overall personas for system, domain, and project
users. It also adds some examples that show operators how to list users
with all role assignments on a particular target, which include a
superset of the existing examples.

Change-Id: I40dd33fc0afa0240c6b1cd48322fd988fc5524af
2021-02-05 14:54:32 +00:00
Lance Bragstad 4df1130e12 Clarify ``reader`` role implementation in persona admin guide
The secure RBAC work propogating throughout the community has led to
some interesting discussions about how to implement support for
``reader``. Specifically, should ``reader`` be used for auditing
deployments?

Some compliance targets, verified by third-party auditors, require
access to sensitive information (e.g., thinking about license keys in
glance images or volume type encryption metadata in cinder). The concern
raised among developers updating their default policies to use
``reader`` roles is if they should be using that role to protect
sensitive information, especially if it's the least-authoritative role
in the hierarchy between reader, member, and admin.

This documentation is supposed to assist deployers in understanding the
various personas that developers are implementing by default, but it
doesn't call out the complicated relationship we have with ``reader``
and auditing.

The change here proposes that we explicitly say that ``reader``
shouldn't be used to protect sensitive information, regardless of the
scope, because ``reader`` was designed to be the least-authoritative
role provided by keystone, by default. Instead, service developers
working to implement these personas consistently in other services
should keep sensitive information, if applicable to their API or
resources, at the ``admin`` tier of the hierarchy. This provides better
protection of sensitive information by not exposing is implicitly.

We can consider supporting a formal default role for auditing in the
future, but building it outside the default implied role tree so that
it's not implied to anyone with a role assignment. This will come at
another time and we can use implied roles to re-use all the work we've
done across OpenStack to implement support for ``reader``.

For now, ``reader`` should be viewed from the perspective of the
least-authoritative permissions grant-able to a given scope (e.g.,
system, domain, or project). Even if ``reader`` has limited use in
auditing deployments, it's still incredibly useful for operators
because they have a role they can grant to users with minimal trust, or
minimal permissions in the deployment.

This commit acknowledges the use-case for an elevated auditor role and
that it's something we can implement as a formal role in keystone in the
future.

Change-Id: Iea28faf1b3e63c7ab07e90808d2bc76ee3ee0612
2021-02-05 14:31:51 +00:00
Ghanshyam Mann 256160b849 [goal] Deprecate the JSON formatted policy file
As per the community goal of migrating the policy file
the format from JSON to YAML[1], we need to do two things:

1. Change the default value of '[oslo_policy] policy_file''
config option from 'policy.json' to 'policy.yaml' with
upgrade checks.

2. Deprecate the JSON formatted policy file on the project side
via warning in doc and releasenotes.

Also replace policy.json to policy.yaml ref from doc and tests.

[1]https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html

Change-Id: Ic65d2fd6ce7215b4a47a6fb41b9cbf991f27773b
2021-02-01 17:36:29 +00:00
Lance Bragstad 876ee4b01a Add details to bootstrap docs for system role assignments
In queens we added support for `keystone-manage bootstrap` to
populate a system admin role assignment:

  I6b7196a28867d9a699716c8fef2609d608a5b2a2

The end-user/deployer facing documentation doesn't mention this though
and it should because it ensures deployers have a user for system-level
APIs.

Change-Id: I07616c1470cd89130250cc89635a508f48c2be06
2021-01-13 17:34:00 +00:00
Zuul dc68ee4816 Merge "Support regexes in whitelists/blacklists" 2020-07-16 20:03:47 +00:00