Divided the keystone docs into four categories, depending
upon the usage criteria: general information (which will
be common for all), developer documentation,
user documentation and operator documentation.
Change-Id: I2f5dd41acd9874739accc54c4f4fd69460b58334

By default the external auth is enabled and can cause user_id conflict
when REMOTE_USER is set due to the fact that federation uses
REMOTE_USER as well. Therefore, the docs were updated to advise users
against using both external auth and federation on the same sequence.
Closes-Bug: #1563454
Change-Id: I193f78ae0ad0232471b725d5700870c349703310

A "default" entrypoint is defined for each auth method. The
default driver will be used if there's no config option for the
method, or the config option is not set, or if the config option
is set to "default".
For the external methods, since there are several of them, each gets
a short name that can be used rather than the qualified class.
bp stevedore
DocImpact
Change-Id: I2484af32e9eb3703869cf441e4f9851b54b0db2b

Several examples were missing code-blocks entirely; this patch added
either bash or python, so the rendered HTML is nicer.
Change-Id: Ia145dc78a871dc27cf0926ea1ef9cf9b6df564b7

Minor fixes to the external authentication example given in the
documentation.
Change-Id: I2bef7da8bf8278349fec80a513095637ea49f19a
Closes-Bug: #1308634
Co-Authored-By: Florent Flament <florent.flament-ext@cloudwatt.com>

Add the appropriate styling macro for the code snippets in the
documentation. This change highlights the language syntax making
the documentation more readable.
Closes-Bug: #1276299
Change-Id: Id331be204f688ccbb6e9f2c7ab9287310477312b

According to the WSGI specification "REMOTE_USER should be the string
username of the user, nothing more" [1], therefore no modifications
should be made to the REMOTE_USER variable and it should be fully
considered as the username. Otherwise the expected semantics of the
REMOTE_USER variable change, and a site administrator could get
undesirable side-effects.
[1] http://wsgi.readthedocs.org/en/latest/specifications/simple_authentication.html#specification
Moreover, it is important to have a consistent behaviour regarding
external authentication in V2 (not domain aware), V3 with default
domain and V3 with domain (see Bug #1253484) so that we produce similar
results with the three methods.
This change aims to solve these issues by removing the split of the
REMOTE_USER variable by "@" altogether:
- In external.DefaultDomain, we cannot split REMOTE_USER by "@". This split
will cause errors for remote users containing an "@" (not only
emails, but also X.509 subjects, etc). The external.DefaultDomain plugin
considers the REMOTE_USER variable as the username, and the configured
default domain as the domain.
- In external.Domain we should also not split the REMOTE_USER by "@". A
new environment variable (REMOTE_DOMAIN) is introduced, so that any
external plugin can pass down the right domain for the user. The
external.Domain plugin considers the REMOTE_USER as the username, the
REMOTE_DOMAIN as the domain if it is present, otherwise it takes the
configured default domain.
- Two legacy plugins are also provided with the same behaviour as the
Havana shipped ones. These plugins should not be used and are provided
for compatibility reasons (see Bug #1254619).
Closes-Bug: #1254619
Closes-Bug: #1211233
Closes-Bug: #1253484
DocImpact: This change breaks backwards compatibility in favour of
security (see bug #1254619), therefore an upgrade note is needed. It is
needed to document the new plugins and state clearly the semantics of
the REMOTE_USER and REMOTE_DOMAIN variables for the WSGI filters. The
default external authentication plugin has been changed from
external.ExternalDefault to external.Default.
Change-Id: I1b2521a526fa976146dfe2fcf4d4c1851416d8ae
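As an added illustration (not keystone's own code) of the behaviours the commit above describes, here is a minimal Python model of how the external.DefaultDomain and external.Domain plugins derive (username, domain) from the WSGI environ, next to the legacy "@"-splitting they replace. DEFAULT_DOMAIN, ExternalAuthError and the function names are assumptions, and the legacy variant is reconstructed from the commit's description rather than taken from keystone.

```python
from typing import Dict, Tuple

# Assumption: stands in for keystone's configured default domain
# (CONF.identity.default_domain_id); the real value is deployment-specific.
DEFAULT_DOMAIN = "default"


class ExternalAuthError(Exception):
    """Raised when the web server did not authenticate the request."""


def _remote_user(environ: Dict[str, str]) -> str:
    # REMOTE_USER is set by the front-end WSGI filter (e.g. mod_ssl or
    # Kerberos); if it is absent the request was not externally authenticated.
    remote_user = environ.get("REMOTE_USER")
    if not remote_user:
        raise ExternalAuthError("REMOTE_USER not set by the web server")
    return remote_user


def legacy_split(environ: Dict[str, str]) -> Tuple[str, str]:
    """Havana-style behaviour the commit removes (reconstructed from the
    description, not keystone's code): the text after the last '@' is
    taken as the domain, so an email or X.509 subject gets mangled."""
    remote_user = _remote_user(environ)
    if "@" in remote_user:
        username, domain = remote_user.rsplit("@", 1)
        return username, domain
    return remote_user, DEFAULT_DOMAIN


def external_default_domain(environ: Dict[str, str]) -> Tuple[str, str]:
    """external.DefaultDomain: REMOTE_USER is the whole username and the
    domain is always the configured default domain."""
    return _remote_user(environ), DEFAULT_DOMAIN


def external_domain(environ: Dict[str, str]) -> Tuple[str, str]:
    """external.Domain: REMOTE_USER is the whole username; REMOTE_DOMAIN
    supplies the domain when present, otherwise the default domain."""
    return _remote_user(environ), environ.get("REMOTE_DOMAIN") or DEFAULT_DOMAIN


if __name__ == "__main__":
    # Constructed sample environs: an email-style user and an X.509 subject.
    for env in ({"REMOTE_USER": "alice@example.com", "REMOTE_DOMAIN": "corp"},
                {"REMOTE_USER": "CN=bob@example.com,O=Example"}):
        print("legacy :", legacy_split(env))
        print("Default:", external_default_domain(env))
        print("Domain :", external_domain(env))
```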
PasteDeploy configuration contains class names which might change
between releases. Keeping it separate from user-configurable
parameters allows deployers to move the paste-deploy ini file out of the
configuration directory to a place where it can be safely overwritten
on updates, e.g. under /usr/share/.
DocImpact
Change-Id: I9292ca6226c8430b93565dedd45cc842742a23e2

The example lacked the import of keystone.common.wsgi that could be
misleading for new developers.
Change-Id: I20be59f5792507a775d033867a69d31c5216633c

This covers given authentication using REMOTE_USER and also the way to
implement custom auth with WSGI middleware.
DocImpact
blueprint: pluggable-identity-authentication-handlers
Change-Id: Idbac8c38d1f0be1febbbc8056c929bada6bbb07e