26 Commits

Author SHA1 Message Date
Colleen Murphy 151635e224 Consolidate tokenless X.509 docs
Move these to the admin guide and remove the empty "advanced topics"
section.

Change-Id: Iee9e5e622aa2f0c8a19d0114d51840b82f70fee3
2018-12-11 10:16:34 +01:00
Suramya Shah b3c89e8c3f Consolidate Keystone docs: admin/identity-external-authentication.rst
Consolidate advanced-topics/external-auth.rst into
admin/identity-external-authentication.rst.

Change-Id: Ic4e9c37f41c4998fbdfe4b21c7b57b2de4776432
2018-12-11 10:00:38 +01:00
Suramya Shah fdf7a5b66d Consolidate Keystone docs: federated-identity.rst
Consolidate advanced-topics/federation into the admin guide.

Change-Id: I35c3d261ecf7c042c30c1272d4af85a0916515e2
2018-12-08 19:09:21 +01:00
Suramya Shah dc3b8edaac Consolidate auth-totp.rst
Consolidate from advanced-topics/auth-totp.rst into admin/auth-totp.rst.

Change-Id: I5cbc2c7d87df5c4d4f3c5cffb238f9c91aa2724c
2018-11-22 19:51:40 +01:00
Suramya Shah 3daeeb4f21 Consolidate event_notifications.rst
Change-Id: I66afc49dac0ba8b9d90fe90715894042f469db20
2018-11-22 19:49:33 +01:00
Vishakha Agarwal 5e26466b22 Update more info of vhost file
The federation document talks about the
vhost file to be changed when configuring
shibboleth. As a user it is difficult to
understand where the file is located and
when configuring through devstack no
vhost file of name *keystone.conf* exists.

Thus this patch adds more information regarding
vhost file for more understandability.

Change-Id: Ifb43e6532e8d388bfcfee64d36e43e5120aab4c5
2018-11-09 07:18:44 +05:30
Zuul d9432328c9 Merge "Remove custom auth middleware documentation" 2018-10-29 02:18:15 +00:00
Colleen Murphy 9f4f0656d0 Remove custom auth middleware documentation
Keystone no longer supports adding custom middleware via the paste
pipeline, so delete the example to avoid confusing people.

Change-Id: I96ddbd833bce3859899905b3d264bee2f2e51939
2018-10-28 19:11:02 +01:00
Colleen Murphy 49a34948da Remove useless use of :orphan:
The federation docs have **orphan:** in bold printed on the published
pages. The :orphan: directive isn't needed for anything, so remove it to
keep it from showing up in the rendered docs.

The Caching Layer docs use the :orphan: directive as well and don't have
this issue, but also don't seem to need it there, so remove it from
there as well.

Change-Id: Icea1a89e04e4c249ba1d78f95ff5a66b9a297284
2018-10-28 17:57:01 +01:00
Lance Bragstad 3c6a124fa3 Update auto-provisioning example to use reader
The auto-provisioning documentation included an example for a
read-only role called observer. This work was done prior to the
default roles work done in Rocky. Let's update the reference to use
the canonicalized read-only term "reader" instead of "observer" for
the sake of presenting similar terminology everywhere.

Change-Id: I021ab6031e9fb18f0a1496759cf8fa36dd9c50ae
2018-09-26 17:55:29 +00:00
Colleen Murphy 22c22f2005 Use osc in k2k example
python-openstackclient now has proper support for a keystone-to-keystone
session, so document that instead of falling back to keystoneauth.

Change-Id: I3d78ea085b9cabc50681e5f878172a5efe3e7c43
2018-08-14 10:29:10 +02:00
Gage Hugo 4988bca4e4 Fix json indentation of notification sample
This change fixes the indentation of some of the fields in
the notification example of "Expired Password".

Change-Id: Icf67e4ab4eac0769c09db91d7017a3a067eaf684
2018-08-02 21:59:41 -05:00
Martin Chacon Piza a272b66181 Adding missing comma in docs
Change-Id: Icf3b2699429adf16fbd0b3657ebdf17b973432bf
2018-07-30 14:37:19 +02:00
Tovin Seven 1a5877f2ad Trivial: Update pypi url to new url
Pypi url changed from [1] to [2]

[1] https://pypi.python.org/pypi/<package>
[2] https://pypi.org/project/<package>

Change-Id: I3a389a2e03c09363494bd6a919804152391a17b8
2018-04-20 16:55:41 +07:00
Lance Bragstad f6b6691d2e Remove v2.0 from documentation guides
This commit removes all references to v2.0 from various guides found
under doc/source/.

Change-Id: I7c2ef1c9323faccc1ec371803f85f34890481f32
2018-02-06 22:19:37 +00:00
wangqiangbj 4fc045f820 remove "admin_token_auth" related content"
As "admin_token_auth" is removed from paste file, some related contents
are useless and should be removed also.

Change-Id: Ia2263eda93559603a31d9a492e5501424613188e
bp: removed-as-of-queens
2017-12-18 17:02:34 +08:00
wangxiyuan 10f4686b96 Remove apache-httpd related link
The apache-httpd doc file has been removed already.
We should remove the related link as well.

Change-Id: Ie14de3ef537a613b36b854c1119678f007c6545c
2017-11-23 14:05:17 +08:00
Colleen Murphy cbdc84ac7f Partially clarify federation auth plugins
Federation protocols in keystone are very confusing due to the way they
have evolved since the original service provider implementation where
the auth plugin was defined in saml2.py. We renamed saml2.py to
mapped.py[1] and now we can effectively support any federation protocol
as long as there is some kind of Apache module that can understand it
and pass certain IdP and user attributes through to keystone. So we
started recommending not using the 'saml2' auth plugin and instead using
the 'mapped' plugin, eventually removing the notice when we removed
the plugin[2]. Since the name of the federation protocol resource
created in keystone must match one of the [auth]/methods, we also
changed the documentation to start creating the 'mapped' protocol and
use 'mapped' in the Apache settings[3]. This was really the wrong
course. 'mapped' is not a protocol. Using only 'mapped' prevents us from
defining multiple remote_id_attributes for different protocols.

This patch changes references to the 'mapped' protocol and 'mapped'
plugin back to 'saml2' (we never changed the openid ones). While the
saml2 plugin does not itself exist, it is defined as an entrypoint to
the mapped plugin, so it all works out. This doesn't solve the problem
for if we want to define different remote_id_attributes for different
SAML2.0 implementations, but there is a workaround for that[4]. Using
'saml2' as the protocol name is just much more intuitive than 'mapped'.

[1] https://git.openstack.org/cgit/openstack/keystone-specs/tree/specs/keystone/juno/generic-mapping-federation.rst
[2] https://review.openstack.org/#/c/397456/
[3] https://review.openstack.org/#/c/371210/
[4] https://bugs.launchpad.net/keystone/+bug/1724645/comments/1

Change-Id: I23fc3f1f651c12c4e3c1987dc71008e6e97b4ed8
Related-bug: #1724645
2017-10-24 11:52:33 +02:00
Colleen Murphy 11d1894c42 Fix initial mapping example
The first example of federation mapping rules that appears in the
Configure Federation docs is incorrect. The "any_one_of" matcher returns
a boolean, not the value of the match, and so it would not map to a
local rule like "name": "{0}". This patch fixes the example so that it
works properly but still has the intended meaning, which is to filter on
username.

Change-Id: I1f69f5cdde470811045fc60a72e50c2bd688be53
2017-10-15 22:03:39 +02:00
Samriddhi Jain 82785553dd Updated URLs in docs
With the docs migration and re-arrangement, some docs
have been shifted to new places, however the referenced
links are still old. Some of them give 404 error or
just point to the home page. This patch fixes those URLs.

Change-Id: Ie6b18ab3d4aa346dac8436dd426277fee4f07fcd
2017-08-09 23:46:33 +05:30
Colleen Murphy d10908caa9 Document required `type` mapping attribute
In order for a federated user to be mapped to a local user that exists
in the identity backend, the user object in the local mapping rule must
have the property "type": "local" set, in addition to having a keystone
domain provided. This was probably not the original intention of the
local user mapping spec[1], but this is how it ended up being
implemented. We could choose to change the behavior of the code, but
it has been around long enough that it is possible that deployments are
depending on this behavior, and moreover making rules explicit rather
than implicit reduces the risk of bugs and mistakes.

This patch updates the api-ref documentation and the standard federation
documentation to include the "type" property when mapping to local
users. In addition, since we now have two keywords called "local" that
mean somewhat different things, we expand the context of some of the
mapping examples so that both the rule name "local" and the value
"local" of the attribute "type" appear in the example, for clarity.

Change-Id: Ib35e57e33903de14f9cac1f919c32dfe923ef884
Closes-bug: #1673157
2017-08-07 18:02:56 +02:00
Lance Bragstad 0331a11842 Clarify documentation on whitelists and blacklists
Some references to whitelisting and blacklisting were confusing in the
mapping documentation. This commit attempts to clarify the wording
and purpose for both whitelists and blacklists.

Change-Id: I09f4762f03824acc689600c8561fe99ea113ad9a
Closes-Bug: 1693690
2017-07-26 20:48:19 +00:00
Jenkins 2fd8b52b7f Merge "Update security compliance documentation" 2017-07-07 05:29:04 +00:00
Samriddhi Jain 71f714e551 Removed apache-httpd guide from docs
After addition of installation guides from openstack-manuals,
this doc contains redundant information and can be removed.
This commit removes the apache-httpd guide and its references.

Change-Id: Ibffb99538214843500936bf6af843fe01bda2bc3
2017-07-06 20:16:13 +00:00
Gage Hugo 55108b2fee Update security compliance documentation
The security compliance settings in the admin guide
referenced configuration options that no longer work.
The functionality to exclude users from password expiry
or password changing was moved to per user resource options.

This change also consolidates the duplicate documentation
between the advanced topics in the operator guide into the
admin-guide.

Closes-Bug: #1701389
Change-Id: I36be658f0a1efb25c55b24596bf67639c69c89d9
2017-07-06 10:26:01 -05:00
Samriddhi Jain 459f078d0c Reorganised keystone documentation structure
Divided the keystone docs into four categories, depending
upon the usage criteria: general information (which will
be common for all), developer documentation,
user documentation and operator documentation.

Change-Id: I2f5dd41acd9874739accc54c4f4fd69460b58334
2017-06-22 13:26:46 +05:30