├── .coveragerc ├── .git-blame-ignore-revs ├── .gitignore ├── .gitreview ├── .mailmap ├── .pre-commit-config.yaml ├── .stestr.conf ├── .zuul.yaml ├── CONTRIBUTING.rst ├── HACKING.rst ├── LICENSE ├── README.rst ├── api-ref ├── requirements.txt └── source │ ├── conf.py │ ├── index.rst │ ├── openapi.rst │ ├── v2-ext │ ├── index.rst │ ├── ksec2-admin.inc │ ├── parameters.yaml │ └── samples │ │ └── OS-KSEC2 │ │ ├── authenticate-request.json │ │ ├── authenticate-response.json │ │ ├── credentials-show-response.json │ │ ├── credentialswithec2-list-response.json │ │ ├── ec2Credentials-create-request.json │ │ └── ec2Credentials-show-response.json │ ├── v3-ext │ ├── endpoint-policy.inc │ ├── ep-filter.inc │ ├── federation.inc │ ├── federation │ │ ├── assertion │ │ │ ├── assertion.inc │ │ │ ├── parameters.yaml │ │ │ └── samples │ │ │ │ ├── ecp-saml-assertion-request.json │ │ │ │ ├── ecp-saml-assertion-response.xml │ │ │ │ ├── metadata-response.xml │ │ │ │ ├── saml-assertion-request.json │ │ │ │ └── saml-assertion-response.xml │ │ ├── auth │ │ │ ├── auth.inc │ │ │ ├── parameters.yaml │ │ │ └── samples │ │ │ │ ├── scoped-token-request.json │ │ │ │ ├── scoped-token-response.json │ │ │ │ └── unscoped-token-response.json │ │ ├── identity-provider │ │ │ ├── idp.inc │ │ │ ├── parameters.yaml │ │ │ └── samples │ │ │ │ ├── add-protocol-request.json │ │ │ │ ├── add-protocol-response.json │ │ │ │ ├── get-protocol-response.json │ │ │ │ ├── get-response.json │ │ │ │ ├── list-protocol-response.json │ │ │ │ ├── list-response.json │ │ │ │ ├── register-request.json │ │ │ │ ├── register-response.json │ │ │ │ ├── update-protocol-request.json │ │ │ │ ├── update-protocol-response.json │ │ │ │ ├── update-request.json │ │ │ │ └── update-response.json │ │ ├── mapping │ │ │ ├── mapping.inc │ │ │ ├── parameters.yaml │ │ │ └── samples │ │ │ │ ├── create-request.json │ │ │ │ ├── create-response.json │ │ │ │ ├── get-response.json │ │ │ │ ├── list-response.json │ │ │ │ ├── update-request.json │ │ │ │ └── 
update-response.json │ │ ├── projects-domains │ │ │ ├── parameters.yaml │ │ │ ├── projects-domains.inc │ │ │ └── samples │ │ │ │ ├── domain-list-response.json │ │ │ │ └── project-list-response.json │ │ └── service-provider │ │ │ ├── parameters.yaml │ │ │ ├── samples │ │ │ ├── get-response.json │ │ │ ├── list-response.json │ │ │ ├── register-request.json │ │ │ ├── register-response.json │ │ │ ├── update-request.json │ │ │ └── update-response.json │ │ │ └── sp.inc │ ├── index.rst │ ├── oauth.inc │ ├── oauth2.inc │ ├── parameters.yaml │ ├── revoke.inc │ ├── samples │ │ ├── OS-ENDPOINT-POLICY │ │ │ ├── policy-endpoint-associations-list-response.json │ │ │ └── policy-show-response.json │ │ ├── OS-EP-FILTER │ │ │ ├── create-endpoint-group-request.json │ │ │ ├── endpoint-group-response.json │ │ │ ├── endpoint-groups-response.json │ │ │ ├── endpoint-project-response.json │ │ │ ├── list-associations-by-endpoint-response.json │ │ │ ├── list-associations-by-project-response.json │ │ │ ├── list-service-endpoints.json │ │ │ ├── update-endpoint-group-request.json │ │ │ └── update-endpoint-group-response.json │ │ ├── OS-OAUTH1 │ │ │ ├── access-token-create-response.txt │ │ │ ├── access-token-role-show-response.json │ │ │ ├── access-token-roles-list-response.json │ │ │ ├── access-token-show-response.json │ │ │ ├── access-tokens-list-response.json │ │ │ ├── authorize-request-token-request.json │ │ │ ├── authorize-request-token-response.json │ │ │ ├── consumer-create-request.json │ │ │ ├── consumer-create-response.json │ │ │ ├── consumer-show-response.json │ │ │ ├── consumer-update-request.json │ │ │ ├── consumer-update-response.json │ │ │ ├── consumers-list-response.json │ │ │ └── request-token-create-response.txt │ │ ├── OS-OAUTH2 │ │ │ ├── token-create-request.txt │ │ │ └── token-create-response.json │ │ ├── OS-REVOKE │ │ │ └── list-revoke-response.json │ │ ├── OS-SIMPLE-CERT │ │ │ ├── show-ca-certificate-response.txt │ │ │ └── show-signing-certificate-response.txt │ │ └── 
OS-TRUST │ │ │ ├── trust-auth-redelegated-response.json │ │ │ ├── trust-auth-request.json │ │ │ ├── trust-auth-trust-response.json │ │ │ ├── trust-create-request.json │ │ │ ├── trust-create-response.json │ │ │ ├── trust-get-response.json │ │ │ ├── trust-get-role-delegated-response.json │ │ │ ├── trust-list-response.json │ │ │ └── trust-list-roles-delegated-response.json │ ├── simple-cert.inc │ └── trust.inc │ └── v3 │ ├── application-credentials.inc │ ├── authenticate-v3.inc │ ├── credentials.inc │ ├── domains-config-v3.inc │ ├── domains.inc │ ├── groups.inc │ ├── index.rst │ ├── inherit.inc │ ├── os-pki.inc │ ├── parameters.yaml │ ├── policies.inc │ ├── project-tags.inc │ ├── projects.inc │ ├── regions-v3.inc │ ├── roles.inc │ ├── samples │ ├── admin │ │ ├── access-rule-get-response.json │ │ ├── access-rules-list-response.json │ │ ├── application-credential-create-request.json │ │ ├── application-credential-create-response.json │ │ ├── application-credential-get-response.json │ │ ├── application-credential-list-response.json │ │ ├── auth-application-credential-id-request.json │ │ ├── auth-application-credential-name-request.json │ │ ├── auth-application-credential-response.json │ │ ├── auth-password-explicit-unscoped-request.json │ │ ├── auth-password-explicit-unscoped-response.json │ │ ├── auth-password-project-scoped-response.json │ │ ├── auth-password-system-scoped-request-with-domain.json │ │ ├── auth-password-unscoped-request-with-domain.json │ │ ├── auth-password-unscoped-request.json │ │ ├── auth-password-unscoped-response.json │ │ ├── auth-password-user-name-unscoped-response-HTTP.txt │ │ ├── auth-token-explicit-unscoped-request.json │ │ ├── auth-token-scoped-request.json │ │ ├── auth-token-scoped-response.json │ │ ├── auth-token-unscoped-request.json │ │ ├── auth-token-unscoped-response.json │ │ ├── create-role-inferences-response.json │ │ ├── credential-create-request.json │ │ ├── credential-create-response.json │ │ ├── credential-show-response.json │ │ 
├── credential-update-request.json │ │ ├── credential-update-response.json │ │ ├── credentials-list-response.json │ │ ├── domain-config-create-request.json │ │ ├── domain-config-create-response.json │ │ ├── domain-config-default-response.json │ │ ├── domain-config-group-default-response.json │ │ ├── domain-config-group-option-default-response.json │ │ ├── domain-config-group-option-show-response.json │ │ ├── domain-config-group-option-update-request.json │ │ ├── domain-config-group-option-update-response.json │ │ ├── domain-config-group-show-response.json │ │ ├── domain-config-group-update-request.json │ │ ├── domain-config-group-update-response.json │ │ ├── domain-config-show-response.json │ │ ├── domain-config-update-request.json │ │ ├── domain-config-update-response.json │ │ ├── domain-create-request.json │ │ ├── domain-create-response.json │ │ ├── domain-group-roles-list-response.json │ │ ├── domain-group-update-request.json │ │ ├── domain-show-response.json │ │ ├── domain-specific-role-create-request.json │ │ ├── domain-update-request.json │ │ ├── domain-update-response.json │ │ ├── domain-user-roles-list-response.json │ │ ├── domains-list-response.json │ │ ├── endpoint-create-request.json │ │ ├── endpoint-create-response.json │ │ ├── endpoint-show-response.json │ │ ├── endpoint-update-request.json │ │ ├── endpoint-update-response.json │ │ ├── endpoints-list-response.json │ │ ├── get-available-domain-scopes-response.json │ │ ├── get-available-project-scopes-response.json │ │ ├── get-available-system-scopes-response.json │ │ ├── get-role-inferences-response.json │ │ ├── get-service-catalog-response.json │ │ ├── group-create-request.json │ │ ├── group-create-response.json │ │ ├── group-roles-domain-list-response.json │ │ ├── group-show-response.json │ │ ├── group-update-request.json │ │ ├── group-update-response.json │ │ ├── group-users-list-response.json │ │ ├── groups-list-response.json │ │ ├── identity-version-response.json │ │ ├── 
identity-versions-response.json │ │ ├── limit-flat-model-response.json │ │ ├── limit-show-response.json │ │ ├── limits-create-request.json │ │ ├── limits-create-response.json │ │ ├── limits-list-response.json │ │ ├── limits-update-request.json │ │ ├── limits-update-response.json │ │ ├── list-implied-roles-for-role-response.json │ │ ├── list-system-roles-for-group-response.json │ │ ├── list-system-roles-for-user-response.json │ │ ├── policies-list-response.json │ │ ├── policy-create-request.json │ │ ├── policy-create-response.json │ │ ├── policy-show-response.json │ │ ├── policy-update-request.json │ │ ├── policy-update-response.json │ │ ├── project-create-domain-request.json │ │ ├── project-create-request.json │ │ ├── project-create-response.json │ │ ├── project-enable-request.json │ │ ├── project-group-roles-list-response.json │ │ ├── project-show-parents-response.json │ │ ├── project-show-response.json │ │ ├── project-show-subtree-response.json │ │ ├── project-tags-list-response.json │ │ ├── project-tags-update-request.json │ │ ├── project-tags-update-response.json │ │ ├── project-update-request.json │ │ ├── project-update-response.json │ │ ├── project-user-roles-list-response.json │ │ ├── projects-list-response.json │ │ ├── region-create-request.json │ │ ├── region-create-response.json │ │ ├── region-show-response.json │ │ ├── region-update-request.json │ │ ├── region-update-response.json │ │ ├── regions-list-response.json │ │ ├── registered-limit-show-response.json │ │ ├── registered-limits-create-request.json │ │ ├── registered-limits-create-response.json │ │ ├── registered-limits-list-response.json │ │ ├── registered-limits-update-request.json │ │ ├── registered-limits-update-response.json │ │ ├── role-assignments-effective-list-include-names-response.json │ │ ├── role-assignments-effective-list-response.json │ │ ├── role-assignments-effective-list-response.txt │ │ ├── role-assignments-list-include-subtree-response.json │ │ ├── 
role-assignments-list-response.json │ │ ├── role-assignments-list-response.txt │ │ ├── role-create-request.json │ │ ├── role-create-response.json │ │ ├── role-inferences-response.json │ │ ├── role-show-response.json │ │ ├── role-update-request.json │ │ ├── role-update-response.json │ │ ├── roles-list-response.json │ │ ├── service-create-request.json │ │ ├── service-create-response.json │ │ ├── service-show-response.json │ │ ├── service-update-request.json │ │ ├── service-update-response.json │ │ ├── services-list-response.json │ │ ├── token-validate-request.txt │ │ ├── user-create-request.json │ │ ├── user-create-response.json │ │ ├── user-groups-list-response.json │ │ ├── user-password-update-request.json │ │ ├── user-projects-list-response.json │ │ ├── user-roles-domain-list-response.json │ │ ├── user-show-response.json │ │ ├── user-update-request.json │ │ ├── user-update-response.json │ │ └── users-list-response.json │ └── auth │ │ ├── requests │ │ ├── domain-id-password.json │ │ ├── domain-id-token.json │ │ ├── domain-name-password.json │ │ ├── domain-name-token.json │ │ ├── project-id-password.json │ │ ├── project-id-token.json │ │ ├── project-id-totp.json │ │ ├── project-name-password.json │ │ ├── project-name-token.json │ │ ├── system-password.json │ │ └── system-token.json │ │ └── responses │ │ ├── auth-receipt-password.json │ │ ├── domain-scoped-password.json │ │ ├── domain-scoped-token.json │ │ ├── project-scoped-password-totp.json │ │ ├── project-scoped-password.json │ │ ├── project-scoped-token.json │ │ ├── system-scoped-password.json │ │ ├── system-scoped-token.json │ │ └── unscoped-password.json │ ├── service-catalog.inc │ ├── status.yaml │ ├── system-roles.inc │ ├── unified_limits.inc │ └── users.inc ├── bindep.txt ├── config-generator ├── keystone-policy-generator.conf └── keystone.conf ├── devstack ├── files │ ├── federation │ │ ├── attribute-map.xml │ │ ├── shib_apache_alias.txt │ │ ├── shib_apache_handler.txt │ │ └── shibboleth2.xml │ └── oidc │ 
│ └── apache_oidc.conf ├── lib │ ├── federation.sh │ ├── oidc.sh │ └── scope.sh ├── plugin.sh └── tools │ └── oidc │ ├── __init__.py │ ├── docker-compose.yaml │ └── setup_keycloak_client.py ├── doc ├── Makefile ├── README.rst ├── ext │ └── __init__.py ├── requirements.txt └── source │ ├── _static │ ├── horizon-login-idp.png │ └── horizon-login-sp.png │ ├── admin │ ├── auth-totp.rst │ ├── authentication-mechanisms.rst │ ├── bootstrap.rst │ ├── caching-layer.inc │ ├── case-insensitive.rst │ ├── cli-manage-projects-users-and-roles.rst │ ├── configuration.rst │ ├── configure-https.rst │ ├── configure_tokenless_x509.rst │ ├── credential-encryption.rst │ ├── domain-specific-config.inc │ ├── endpoint-filtering.inc │ ├── endpoint-policy.inc │ ├── event_notifications.rst │ ├── external-authentication.rst │ ├── federation │ │ ├── configure_federation.rst │ │ ├── federated_identity.rst │ │ ├── introduction.rst │ │ ├── mapping_combinations.rst │ │ ├── mellon.inc │ │ ├── openidc.inc │ │ └── shibboleth.inc │ ├── fernet-token-faq.rst │ ├── figures │ │ ├── keystone-federation.png │ │ └── keystone-federation.svg │ ├── getting-started.rst │ ├── health-check-middleware.rst │ ├── identity-concepts.rst │ ├── identity-sources.rst │ ├── identity-support-matrix.ini │ ├── index.rst │ ├── integrate-with-ldap.inc │ ├── jws-key-rotation.rst │ ├── keystone-features.rst │ ├── limit-list-size.inc │ ├── logging.inc │ ├── manage-services.rst │ ├── manage-trusts.rst │ ├── multi-factor-authentication.rst │ ├── oauth1.rst │ ├── oauth2-mtls-usage-guide.rst │ ├── oauth2-usage-guide.rst │ ├── operations.rst │ ├── performance.inc │ ├── resource-options.rst │ ├── security-compliance.inc │ ├── service-api-protection.rst │ ├── token-provider.rst │ ├── token-support-matrix.ini │ ├── tokens-overview.rst │ ├── tokens.rst │ ├── troubleshoot.inc │ ├── unified-limits.rst │ ├── upgrading.rst │ └── url-safe-naming.inc │ ├── api_curl_examples.rst │ ├── cli │ ├── commands.rst │ ├── index.rst │ ├── keystone-manage.rst 
│ └── keystone-status.rst │ ├── code_documentation.rst │ ├── conf.py │ ├── configuration │ ├── config-options.rst │ ├── index.rst │ ├── policy.rst │ └── samples │ │ ├── index.rst │ │ ├── keystone-conf.rst │ │ ├── logging-conf.rst │ │ └── policy-yaml.rst │ ├── contributor │ ├── api_change_tutorial.rst │ ├── architecture.rst │ ├── auth-plugins.rst │ ├── caching-layer.rst │ ├── contributing.rst │ ├── database-migrations.rst │ ├── developing-drivers.rst │ ├── doctor-checks.rst │ ├── filtering-responsibilities.rst │ ├── how-can-i-help.rst │ ├── http-api.rst │ ├── id-manage.rst │ ├── index.rst │ ├── list-truncation.rst │ ├── programming-exercises.rst │ ├── proposing-features.rst │ ├── release-notes.rst │ ├── service-catalog.rst │ ├── services.rst │ ├── set-up-keystone.rst │ ├── testing-keystone.rst │ └── vision-reflection.rst │ ├── getting-started │ ├── architecture.rst │ ├── community.rst │ ├── index.rst │ └── policy_mapping.rst │ ├── index.rst │ ├── indices-tables.rst │ ├── install │ ├── common │ │ ├── get-started-identity.inc │ │ ├── keystone-users.inc │ │ └── openrc.inc │ ├── get-started-rdo.rst │ ├── get-started-ubuntu.rst │ ├── index-rdo.rst │ ├── index-ubuntu.rst │ ├── index.rst │ ├── keystone-install-rdo.rst │ ├── keystone-install-ubuntu.rst │ ├── keystone-openrc-rdo.rst │ ├── keystone-openrc-ubuntu.rst │ ├── keystone-users-rdo.rst │ ├── keystone-users-ubuntu.rst │ ├── keystone-verify-rdo.rst │ ├── keystone-verify-ubuntu.rst │ └── shared │ │ └── note_configuration_vary_by_distribution.rst │ └── user │ ├── application_credentials.rst │ ├── domain-manager-usage.rst │ ├── index.rst │ ├── json_home.rst │ ├── multi-factor-authentication.rst │ ├── supported_clients.rst │ └── trusts.rst ├── etc ├── README.txt ├── logging.conf.sample └── sso_callback_template.html ├── examples └── pki │ ├── certs │ ├── cacert.pem │ ├── middleware.pem │ ├── signing_cert.pem │ └── ssl_cert.pem │ └── private │ ├── cakey.pem │ ├── signing_key.pem │ └── ssl_key.pem ├── httpd ├── README ├── 
keystone-uwsgi-admin.ini ├── keystone-uwsgi-public.ini └── uwsgi-keystone.conf ├── keystone ├── __init__.py ├── api │ ├── __init__.py │ ├── _shared │ │ ├── EC2_S3_Resource.py │ │ ├── __init__.py │ │ ├── authentication.py │ │ ├── implied_roles.py │ │ ├── json_home_relations.py │ │ └── saml.py │ ├── auth.py │ ├── credentials.py │ ├── discovery.py │ ├── domains.py │ ├── ec2tokens.py │ ├── endpoints.py │ ├── groups.py │ ├── limits.py │ ├── os_ep_filter.py │ ├── os_federation.py │ ├── os_inherit.py │ ├── os_oauth1.py │ ├── os_oauth2.py │ ├── os_revoke.py │ ├── os_simple_cert.py │ ├── policy.py │ ├── projects.py │ ├── regions.py │ ├── registered_limits.py │ ├── role_assignments.py │ ├── role_inferences.py │ ├── roles.py │ ├── s3tokens.py │ ├── services.py │ ├── system.py │ ├── trusts.py │ ├── users.py │ └── validation │ │ ├── __init__.py │ │ ├── parameter_types.py │ │ ├── response_types.py │ │ └── validators.py ├── application_credential │ ├── __init__.py │ ├── backends │ │ ├── __init__.py │ │ ├── base.py │ │ └── sql.py │ ├── core.py │ └── schema.py ├── assignment │ ├── __init__.py │ ├── backends │ │ ├── __init__.py │ │ ├── base.py │ │ └── sql.py │ ├── core.py │ ├── role_backends │ │ ├── __init__.py │ │ ├── base.py │ │ ├── resource_options.py │ │ ├── sql.py │ │ └── sql_model.py │ └── schema.py ├── auth │ ├── __init__.py │ ├── core.py │ ├── plugins │ │ ├── __init__.py │ │ ├── application_credential.py │ │ ├── base.py │ │ ├── core.py │ │ ├── external.py │ │ ├── mapped.py │ │ ├── oauth1.py │ │ ├── password.py │ │ ├── token.py │ │ └── totp.py │ └── schema.py ├── catalog │ ├── __init__.py │ ├── backends │ │ ├── __init__.py │ │ ├── base.py │ │ └── sql.py │ ├── core.py │ └── schema.py ├── cmd │ ├── __init__.py │ ├── bootstrap.py │ ├── cli.py │ ├── doctor │ │ ├── __init__.py │ │ ├── caching.py │ │ ├── credential.py │ │ ├── database.py │ │ ├── debug.py │ │ ├── federation.py │ │ ├── ldap.py │ │ ├── security_compliance.py │ │ ├── tokens.py │ │ └── tokens_fernet.py │ ├── idutils.py 
│ ├── manage.py │ └── status.py ├── common │ ├── __init__.py │ ├── authorization.py │ ├── cache │ │ ├── __init__.py │ │ ├── _context_cache.py │ │ └── core.py │ ├── context.py │ ├── driver_hints.py │ ├── fernet_utils.py │ ├── json_home.py │ ├── jwt_utils.py │ ├── manager.py │ ├── password_hashers │ │ ├── __init__.py │ │ ├── bcrypt.py │ │ ├── pbkdf2.py │ │ └── scrypt.py │ ├── password_hashing.py │ ├── policies │ │ ├── __init__.py │ │ ├── access_rule.py │ │ ├── access_token.py │ │ ├── application_credential.py │ │ ├── auth.py │ │ ├── base.py │ │ ├── consumer.py │ │ ├── credential.py │ │ ├── domain.py │ │ ├── domain_config.py │ │ ├── ec2_credential.py │ │ ├── endpoint.py │ │ ├── endpoint_group.py │ │ ├── grant.py │ │ ├── group.py │ │ ├── identity_provider.py │ │ ├── implied_role.py │ │ ├── limit.py │ │ ├── mapping.py │ │ ├── policy.py │ │ ├── policy_association.py │ │ ├── project.py │ │ ├── project_endpoint.py │ │ ├── protocol.py │ │ ├── region.py │ │ ├── registered_limit.py │ │ ├── revoke_event.py │ │ ├── role.py │ │ ├── role_assignment.py │ │ ├── service.py │ │ ├── service_provider.py │ │ ├── token.py │ │ ├── token_revocation.py │ │ ├── trust.py │ │ └── user.py │ ├── profiler.py │ ├── provider_api.py │ ├── rbac_enforcer │ │ ├── __init__.py │ │ ├── enforcer.py │ │ └── policy.py │ ├── render_token.py │ ├── resource_options │ │ ├── __init__.py │ │ ├── core.py │ │ └── options │ │ │ ├── __init__.py │ │ │ └── immutable.py │ ├── sql │ │ ├── __init__.py │ │ ├── alembic.ini │ │ ├── core.py │ │ ├── migrations │ │ │ ├── README.rst │ │ │ ├── __init__.py │ │ │ ├── autogen.py │ │ │ ├── env.py │ │ │ ├── manage.py │ │ │ ├── script.py.mako │ │ │ └── versions │ │ │ │ ├── 2024.01 │ │ │ │ └── expand │ │ │ │ │ └── 47147121_add_identity_federation_attribute_mapping_schema_version.py │ │ │ │ ├── 2025.02 │ │ │ │ └── expand │ │ │ │ │ └── e8725d6fa226_add_project_id_index_to_project_.py │ │ │ │ ├── 27e647c0fad4_initial_version.py │ │ │ │ ├── CONTRACT_HEAD │ │ │ │ ├── EXPAND_HEAD │ │ │ │ ├── 
bobcat │ │ │ │ ├── contract │ │ │ │ │ ├── 99de3849d860_fix_incorrect_constraints.py │ │ │ │ │ └── c88cdce8f248_remove_duplicate_constraints.py │ │ │ │ └── expand │ │ │ │ │ ├── 11c3b243b4cb_remove_service_provider_relay_state_server_default.py │ │ │ │ │ └── b4f8b3f584e0_fix_incorrect_constraints.py │ │ │ │ └── yoga │ │ │ │ ├── contract │ │ │ │ └── e25ffa003242_initial.py │ │ │ │ └── expand │ │ │ │ └── 29e87d24a316_initial.py │ │ └── upgrades.py │ ├── tokenless_auth.py │ ├── utils.py │ └── validation │ │ ├── __init__.py │ │ ├── parameter_types.py │ │ └── validators.py ├── conf │ ├── __init__.py │ ├── application_credential.py │ ├── assignment.py │ ├── auth.py │ ├── catalog.py │ ├── constants.py │ ├── credential.py │ ├── default.py │ ├── domain_config.py │ ├── endpoint_filter.py │ ├── endpoint_policy.py │ ├── federation.py │ ├── fernet_receipts.py │ ├── fernet_tokens.py │ ├── identity.py │ ├── identity_mapping.py │ ├── jwt_tokens.py │ ├── ldap.py │ ├── oauth1.py │ ├── oauth2.py │ ├── opts.py │ ├── policy.py │ ├── receipt.py │ ├── resource.py │ ├── revoke.py │ ├── role.py │ ├── saml.py │ ├── security_compliance.py │ ├── shadow_users.py │ ├── token.py │ ├── tokenless_auth.py │ ├── totp.py │ ├── trust.py │ ├── unified_limit.py │ ├── utils.py │ └── wsgi.py ├── credential │ ├── __init__.py │ ├── backends │ │ ├── __init__.py │ │ ├── base.py │ │ └── sql.py │ ├── core.py │ ├── provider.py │ ├── providers │ │ ├── __init__.py │ │ ├── core.py │ │ └── fernet │ │ │ ├── __init__.py │ │ │ └── core.py │ └── schema.py ├── endpoint_policy │ ├── __init__.py │ ├── backends │ │ ├── __init__.py │ │ ├── base.py │ │ └── sql.py │ └── core.py ├── exception.py ├── federation │ ├── __init__.py │ ├── backends │ │ ├── __init__.py │ │ ├── base.py │ │ └── sql.py │ ├── constants.py │ ├── core.py │ ├── idp.py │ ├── schema.py │ └── utils.py ├── i18n.py ├── identity │ ├── __init__.py │ ├── backends │ │ ├── __init__.py │ │ ├── base.py │ │ ├── ldap │ │ │ ├── __init__.py │ │ │ ├── common.py │ │ │ ├── 
core.py │ │ │ └── models.py │ │ ├── resource_options.py │ │ ├── sql.py │ │ └── sql_model.py │ ├── core.py │ ├── generator.py │ ├── id_generators │ │ ├── __init__.py │ │ └── sha256.py │ ├── mapping_backends │ │ ├── __init__.py │ │ ├── base.py │ │ ├── mapping.py │ │ └── sql.py │ ├── schema.py │ └── shadow_backends │ │ ├── __init__.py │ │ ├── base.py │ │ └── sql.py ├── limit │ ├── __init__.py │ ├── backends │ │ ├── __init__.py │ │ ├── base.py │ │ └── sql.py │ ├── core.py │ ├── models │ │ ├── __init__.py │ │ ├── base.py │ │ ├── flat.py │ │ └── strict_two_level.py │ └── schema.py ├── locale │ ├── de │ │ └── LC_MESSAGES │ │ │ └── keystone.po │ ├── en_GB │ │ └── LC_MESSAGES │ │ │ └── keystone.po │ ├── es │ │ └── LC_MESSAGES │ │ │ └── keystone.po │ ├── fr │ │ └── LC_MESSAGES │ │ │ └── keystone.po │ ├── it │ │ └── LC_MESSAGES │ │ │ └── keystone.po │ ├── ja │ │ └── LC_MESSAGES │ │ │ └── keystone.po │ ├── ko_KR │ │ └── LC_MESSAGES │ │ │ └── keystone.po │ ├── pt_BR │ │ └── LC_MESSAGES │ │ │ └── keystone.po │ ├── ru │ │ └── LC_MESSAGES │ │ │ └── keystone.po │ ├── zh_CN │ │ └── LC_MESSAGES │ │ │ └── keystone.po │ └── zh_TW │ │ └── LC_MESSAGES │ │ └── keystone.po ├── models │ ├── __init__.py │ ├── receipt_model.py │ ├── revoke_model.py │ └── token_model.py ├── notifications.py ├── oauth1 │ ├── __init__.py │ ├── backends │ │ ├── __init__.py │ │ ├── base.py │ │ └── sql.py │ ├── core.py │ ├── schema.py │ └── validator.py ├── oauth2 │ ├── __init__.py │ └── handlers.py ├── policy │ ├── __init__.py │ ├── backends │ │ ├── __init__.py │ │ ├── base.py │ │ ├── rules.py │ │ └── sql.py │ ├── core.py │ └── schema.py ├── receipt │ ├── __init__.py │ ├── handlers.py │ ├── provider.py │ ├── providers │ │ ├── __init__.py │ │ ├── base.py │ │ └── fernet │ │ │ ├── __init__.py │ │ │ └── core.py │ └── receipt_formatters.py ├── resource │ ├── __init__.py │ ├── backends │ │ ├── __init__.py │ │ ├── base.py │ │ ├── resource_options.py │ │ ├── sql.py │ │ └── sql_model.py │ ├── config_backends │ │ ├── 
__init__.py │ │ ├── base.py │ │ └── sql.py │ ├── core.py │ └── schema.py ├── revoke │ ├── __init__.py │ ├── backends │ │ ├── __init__.py │ │ ├── base.py │ │ └── sql.py │ ├── core.py │ └── model.py ├── server │ ├── __init__.py │ ├── backends.py │ ├── flask │ │ ├── __init__.py │ │ ├── application.py │ │ ├── common.py │ │ ├── core.py │ │ └── request_processing │ │ │ ├── __init__.py │ │ │ ├── json_body.py │ │ │ ├── middleware │ │ │ ├── __init__.py │ │ │ ├── auth_context.py │ │ │ └── url_normalize.py │ │ │ └── req_logging.py │ └── wsgi.py ├── tests │ ├── __init__.py │ ├── common │ │ ├── __init__.py │ │ └── auth.py │ ├── functional │ │ ├── __init__.py │ │ ├── core.py │ │ └── shared │ │ │ ├── __init__.py │ │ │ └── test_running.py │ ├── hacking │ │ ├── __init__.py │ │ └── checks.py │ ├── protection │ │ ├── __init__.py │ │ └── v3 │ │ │ ├── __init__.py │ │ │ ├── test_access_rules.py │ │ │ ├── test_application_credential.py │ │ │ ├── test_assignment.py │ │ │ ├── test_consumer.py │ │ │ ├── test_credentials.py │ │ │ ├── test_domain_config.py │ │ │ ├── test_domain_roles.py │ │ │ ├── test_domains.py │ │ │ ├── test_ec2_credential.py │ │ │ ├── test_endpoint_group.py │ │ │ ├── test_endpoints.py │ │ │ ├── test_grants.py │ │ │ ├── test_groups.py │ │ │ ├── test_identity_providers.py │ │ │ ├── test_implied_roles.py │ │ │ ├── test_limits.py │ │ │ ├── test_mappings.py │ │ │ ├── test_policy.py │ │ │ ├── test_policy_association.py │ │ │ ├── test_project_endpoint.py │ │ │ ├── test_project_tags.py │ │ │ ├── test_projects.py │ │ │ ├── test_protocols.py │ │ │ ├── test_regions.py │ │ │ ├── test_registered_limits.py │ │ │ ├── test_roles.py │ │ │ ├── test_service_providers.py │ │ │ ├── test_services.py │ │ │ ├── test_system_assignments.py │ │ │ ├── test_tokens.py │ │ │ ├── test_trusts.py │ │ │ └── test_users.py │ └── unit │ │ ├── __init__.py │ │ ├── application_credential │ │ ├── __init__.py │ │ ├── backends │ │ │ ├── __init__.py │ │ │ └── test_sql.py │ │ └── test_backends.py │ │ ├── assignment │ 
│ ├── __init__.py │ │ ├── role_backends │ │ │ ├── __init__.py │ │ │ └── test_sql.py │ │ ├── test_backends.py │ │ └── test_core.py │ │ ├── auth │ │ ├── __init__.py │ │ ├── plugins │ │ │ ├── __init__.py │ │ │ ├── test_core.py │ │ │ └── test_mapped.py │ │ ├── test_controllers.py │ │ └── test_schema.py │ │ ├── backend │ │ ├── __init__.py │ │ ├── core_ldap.py │ │ └── core_sql.py │ │ ├── base_classes.py │ │ ├── catalog │ │ ├── __init__.py │ │ ├── test_backends.py │ │ └── test_core.py │ │ ├── common │ │ ├── __init__.py │ │ ├── sql │ │ │ ├── __init__.py │ │ │ └── test_upgrades.py │ │ ├── test_cache.py │ │ ├── test_database_conflicts.py │ │ ├── test_json_home.py │ │ ├── test_notifications.py │ │ ├── test_password_hashing.py │ │ ├── test_provider_api.py │ │ ├── test_rbac_enforcer.py │ │ ├── test_resource_options_common.py │ │ ├── test_sql_core.py │ │ └── test_utils.py │ │ ├── config_files │ │ ├── backend_ldap.conf │ │ ├── backend_ldap_pool.conf │ │ ├── backend_ldap_sql.conf │ │ ├── backend_liveldap.conf │ │ ├── backend_multi_ldap_sql.conf │ │ ├── backend_pool_liveldap.conf │ │ ├── backend_sql.conf │ │ ├── backend_tls_liveldap.conf │ │ ├── domain_configs_default_ldap_one_sql │ │ │ └── keystone.domain1.conf │ │ ├── domain_configs_multi_ldap │ │ │ ├── keystone.Default.conf │ │ │ ├── keystone.domain1.conf │ │ │ └── keystone.domain2.conf │ │ ├── domain_configs_one_extra_sql │ │ │ └── keystone.domain2.conf │ │ ├── domain_configs_one_sql_one_ldap │ │ │ ├── keystone.Default.conf │ │ │ └── keystone.domain1.conf │ │ └── test_auth_plugin.conf │ │ ├── contrib │ │ ├── __init__.py │ │ └── federation │ │ │ ├── __init__.py │ │ │ └── test_utils.py │ │ ├── core.py │ │ ├── credential │ │ ├── __init__.py │ │ ├── test_backend_sql.py │ │ └── test_fernet_provider.py │ │ ├── default_fixtures.py │ │ ├── endpoint_policy │ │ ├── __init__.py │ │ └── backends │ │ │ ├── __init__.py │ │ │ ├── test_base.py │ │ │ └── test_sql.py │ │ ├── external │ │ ├── README.rst │ │ ├── __init__.py │ │ └── 
test_timeutils.py │ │ ├── fakeldap.py │ │ ├── federation │ │ ├── __init__.py │ │ ├── test_core.py │ │ └── test_utils.py │ │ ├── federation_fixtures.py │ │ ├── filtering.py │ │ ├── identity │ │ ├── __init__.py │ │ ├── backends │ │ │ ├── __init__.py │ │ │ ├── fake_driver.py │ │ │ ├── test_base.py │ │ │ ├── test_ldap.py │ │ │ ├── test_ldap_common.py │ │ │ └── test_sql.py │ │ ├── shadow_users │ │ │ ├── __init__.py │ │ │ ├── test_backend.py │ │ │ └── test_core.py │ │ ├── test_backend_sql.py │ │ ├── test_backends.py │ │ └── test_core.py │ │ ├── identity_mapping.py │ │ ├── ksfixtures │ │ ├── __init__.py │ │ ├── auth_plugins.py │ │ ├── backendloader.py │ │ ├── cache.py │ │ ├── database.py │ │ ├── hacking.py │ │ ├── jws_key_repository.py │ │ ├── key_repository.py │ │ ├── ldapdb.py │ │ ├── logging.py │ │ ├── policy.py │ │ ├── temporaryfile.py │ │ └── warnings.py │ │ ├── limit │ │ ├── __init__.py │ │ └── test_backends.py │ │ ├── mapping_fixtures.py │ │ ├── policy │ │ ├── __init__.py │ │ ├── backends │ │ │ ├── __init__.py │ │ │ ├── test_base.py │ │ │ └── test_sql.py │ │ └── test_backends.py │ │ ├── receipt │ │ ├── __init__.py │ │ ├── test_fernet_provider.py │ │ └── test_receipt_serialization.py │ │ ├── resource │ │ ├── __init__.py │ │ ├── backends │ │ │ ├── __init__.py │ │ │ └── test_sql.py │ │ ├── config_backends │ │ │ ├── __init__.py │ │ │ └── test_sql.py │ │ ├── test_backends.py │ │ └── test_core.py │ │ ├── rest.py │ │ ├── saml2 │ │ ├── idp_saml2_metadata.xml │ │ └── signed_saml2_assertion.xml │ │ ├── server │ │ ├── __init__.py │ │ └── test_keystone_flask.py │ │ ├── test_app_config.py │ │ ├── test_associate_project_endpoint_extension.py │ │ ├── test_auth_plugin.py │ │ ├── test_backend_endpoint_policy.py │ │ ├── test_backend_endpoint_policy_sql.py │ │ ├── test_backend_federation_sql.py │ │ ├── test_backend_id_mapping_sql.py │ │ ├── test_backend_ldap.py │ │ ├── test_backend_ldap_pool.py │ │ ├── test_backend_rules.py │ │ ├── test_backend_sql.py │ │ ├── test_cli.py │ │ ├── 
test_config.py │ │ ├── test_contrib_ec2_core.py │ │ ├── test_contrib_s3_core.py │ │ ├── test_contrib_simple_cert.py │ │ ├── test_driver_hints.py │ │ ├── test_entry_points.py │ │ ├── test_exception.py │ │ ├── test_hacking_checks.py │ │ ├── test_healthcheck.py │ │ ├── test_ldap_livetest.py │ │ ├── test_ldap_pool_livetest.py │ │ ├── test_ldap_tls_livetest.py │ │ ├── test_limits.py │ │ ├── test_middleware.py │ │ ├── test_policy.py │ │ ├── test_receipt_provider.py │ │ ├── test_revoke.py │ │ ├── test_shadow_users.py │ │ ├── test_sql_banned_operations.py │ │ ├── test_sql_upgrade.py │ │ ├── test_token_provider.py │ │ ├── test_url_middleware.py │ │ ├── test_v3.py │ │ ├── test_v3_application_credential.py │ │ ├── test_v3_assignment.py │ │ ├── test_v3_auth.py │ │ ├── test_v3_catalog.py │ │ ├── test_v3_credential.py │ │ ├── test_v3_domain_config.py │ │ ├── test_v3_endpoint_policy.py │ │ ├── test_v3_federation.py │ │ ├── test_v3_filters.py │ │ ├── test_v3_identity.py │ │ ├── test_v3_oauth1.py │ │ ├── test_v3_oauth2.py │ │ ├── test_v3_os_revoke.py │ │ ├── test_v3_policy.py │ │ ├── test_v3_resource.py │ │ ├── test_v3_trust.py │ │ ├── test_validation.py │ │ ├── test_versions.py │ │ ├── tests │ │ ├── __init__.py │ │ ├── test_core.py │ │ └── test_utils.py │ │ ├── token │ │ ├── __init__.py │ │ ├── test_fernet_provider.py │ │ ├── test_jws_provider.py │ │ └── test_token_serialization.py │ │ ├── trust │ │ ├── __init__.py │ │ └── test_backends.py │ │ └── utils.py ├── token │ ├── __init__.py │ ├── provider.py │ ├── providers │ │ ├── __init__.py │ │ ├── base.py │ │ ├── fernet │ │ │ ├── __init__.py │ │ │ └── core.py │ │ └── jws │ │ │ ├── __init__.py │ │ │ └── core.py │ └── token_formatters.py ├── trust │ ├── __init__.py │ ├── backends │ │ ├── __init__.py │ │ ├── base.py │ │ └── sql.py │ ├── core.py │ └── schema.py ├── version.py └── wsgi │ ├── __init__.py │ └── api.py ├── playbooks └── enable-fips.yaml ├── pyproject.toml ├── rally-jobs ├── README.rst └── keystone.yaml ├── releasenotes ├── 
notes │ ├── .placeholder │ ├── Assignment_V9_driver-c22be069f7baccb0.yaml │ ├── DomainSpecificRoles-fc5dd2ef74a1442c.yaml │ ├── Role_V9_driver-971c3aae14d9963d.yaml │ ├── V9ResourceDriver-26716f97c0cc1a80.yaml │ ├── add-bootstrap-cli-192500228cc6e574.yaml │ ├── add-description-to-role-88ab5bb8a96cc002.yaml │ ├── add-expires-at-int-to-trusts-60ae3c5d0c00808a.yaml │ ├── add-keystone-wsgi-module-afae3f86df07eca9.yaml │ ├── add-limit-description-c1f42641d9c6c33d.yaml │ ├── add-unified-limit-apis-c9ebc5116bc2cf93.yaml │ ├── add_bcrypt_sha256_algo-d6b146a59df9373c.yaml │ ├── add_password_expires_at_to_user_response-22f14ab629c48bc2.yaml │ ├── admin_token-a5678d712783c145.yaml │ ├── admin_token-c634ec12fc714255.yaml │ ├── bcrypt_truncation_fix-674dc5d7f1e776f2.yaml │ ├── bootstrap-update-endpoint-7a63a2329822b6e7.yaml │ ├── bp-allow-expired-f5d845b9601bc1ef.yaml │ ├── bp-application-credentials-c699f1f17c7d4e2f.yaml │ ├── bp-basic-default-roles-4ff6502b6ac57d48.yaml │ ├── bp-domain-config-as-stable-716ca5ab33c0cc42.yaml │ ├── bp-domain-config-default-82e42d946ee7cb43.yaml │ ├── bp-json-web-tokens-37ce3bcd1356cf1b.yaml │ ├── bp-manage-migration-c398963a943a89fe.yaml │ ├── bp-mfa-auth-receipt-8b459431c1f360ce.yaml │ ├── bp-oauth2-client-credentials-ext-c8933f00a7b45be8.yaml │ ├── bp-password-expires-validation-4b32fe7032595932.yaml │ ├── bp-pci-dss-notifications-808a205a637bac25.yaml │ ├── bp-pci-dss-password-requirements-api-87bc724b2aa554f7.yaml │ ├── bp-pci-dss-query-password-expired-users-a7c96a3843bb9abc.yaml │ ├── bp-per-user-auth-plugin-reqs-feb95fd907be4b40.yaml │ ├── bp-policy-in-code-722372a27291b9cd.yaml │ ├── bp-shadow-mapping-06fc7c71a401d707.yaml │ ├── bp-strict-two-level-model.yaml │ ├── bp-support-federated-attr-94084d4073f50280.yaml │ ├── bp-support-oauth2-mtls-8552892a8e0c72d2.yaml │ ├── bp-system-scope-7d236ee5992d4e20.yaml │ ├── bp-upgrade-checks-0dc692a392a96879.yaml │ ├── bp-url-safe-naming-ad90d6a659f5bf3c.yaml │ ├── 
bp-whitelist-extension-for-app-creds-90e5bcd7b2b78b02.yaml │ ├── bug-1017606-98313bb4c1edf250.yaml │ ├── bug-1291157-00b5c714a097e84c.yaml │ ├── bug-1332058-f25e2de40411b711.yaml │ ├── bug-1473292-c21481e6aec29ec2.yaml │ ├── bug-1490804-de58a9606edb31eb.yaml │ ├── bug-1519210-de76097c974f9c93.yaml │ ├── bug-1523369-4d42c841b6e7e54e.yaml │ ├── bug-1524030-0814724d5c2b7c8d.yaml │ ├── bug-1524030-ccff6b0ec9d1cbf2.yaml │ ├── bug-1535878-change-get_project-permission-e460af1256a2c056.yaml │ ├── bug-1542417-d630b7886bb0b369.yaml │ ├── bug-1547684-911aed68a0d3df17.yaml │ ├── bug-1561054-dbe88b552a936a05.yaml │ ├── bug-1563101-134df5b99ea48f00.yaml │ ├── bug-1571878-1bcaea5337905af0.yaml │ ├── bug-1582585-a368ac5a252ec84f.yaml │ ├── bug-1590587-domain-specific-role-assignment-8f120604a6625852.yaml │ ├── bug-1594482-52a5dd1d8477b694.yaml │ ├── bug-1611102-e1348cbec9b1110a.yaml │ ├── bug-1613466-credential-update-ec2-type-8fb51ff3ad3a449c.yaml │ ├── bug-1615014-b30f606a2d202428.yaml │ ├── bug-1616424-c46ba773f7ac40ae.yaml │ ├── bug-1622310-c501cf77437fdfa6.yaml │ ├── bug-1636950-8fa1a47fce440977.yaml │ ├── bug-1638603-354ee4167e6e.yaml │ ├── bug-1641625-fe463874dc5edb10.yaml │ ├── bug-1641639-b9accc163e61ca15.yaml │ ├── bug-1641645-516709f9da3de26f.yaml │ ├── bug-1641654-8630ce7bcde43a7e.yaml │ ├── bug-1641660-f938267e1ec54071.yaml │ ├── bug-1641816-8b39f3f73359c778.yaml │ ├── bug-1642212-9964dfd3af0184bd.yaml │ ├── bug-1642348-83d4c86ad3984d75.yaml │ ├── bug-1642457-4533f9810a8cd927.yaml │ ├── bug-1642687-5497fb56fe86806d.yaml │ ├── bug-1642687-c7ab1c9be152db20.yaml │ ├── bug-1642692-d669c8fcf9e171d9.yaml │ ├── bug-1645487-ca22c216ec26cc9b.yaml │ ├── bug-1649138-c53974f6bb0eab14.yaml │ ├── bug-1649446-efff94143823755d.yaml │ ├── bug-1649616-b835d1dac3401e8c.yaml │ ├── bug-1656076-c4422270f73b43b.yaml │ ├── bug-1659730-17834ba2dde668ae.yaml │ ├── bug-1659995-f3e716de743b7291.yaml │ ├── bug-1670382-ee851ba4f364d608.yaml │ ├── bug-1676497-92271e25f642e2de.yaml │ ├── 
bug-1684994-264fb8f182ced180.yaml │ ├── bug-1687593-95e1568291ecd70b.yaml │ ├── bug-1688137-e4203c9a728690a7.yaml │ ├── bug-1696574-15a728396350a95a.yaml │ ├── bug-1700852-de775d0eb2ddfdd1.yaml │ ├── bug-1701324-739a31f38037f77b.yaml │ ├── bug-1702211-abb59adda73fd78e.yaml │ ├── bug-1703369-9a901d627a1e0316.yaml │ ├── bug-1703666-b8a990f2bf5b62f0.yaml │ ├── bug-1704205-bc0570feeb3ec5c4.yaml │ ├── bug-1705485-7a1ad17b9cc99b9d.yaml │ ├── bug-1718747-50d39fa87bdbb12b.yaml │ ├── bug-1724645-a94659dfd0f45b9a.yaml │ ├── bug-1727099-1af277b35db34372.yaml │ ├── bug-1727726-0b47608811a2cd16.yaml │ ├── bug-1728907-bab6769ab46bd8aa.yaml │ ├── bug-1729933-4a09201e9dface2a.yaml │ ├── bug-1733754-4d9d3042b8501ec6.yaml │ ├── bug-1734244-1b4ea83baa72566d.yaml │ ├── bug-1735250-b60332a7f288cf94.yaml │ ├── bug-1736875-c790f568c5f4d671.yaml │ ├── bug-1738895-342864cd0285bc42.yaml │ ├── bug-1740951-82b7e4bd608742ab.yaml │ ├── bug-1744195-a7154ac2e8556efc.yaml │ ├── bug-1746599-848a1163e52ac0a6.yaml │ ├── bug-1747694-48c8caa4871300e3.yaml │ ├── bug-1748027-decc2e11154b97cf.yaml │ ├── bug-1748970-eb63ad2030e296f3.yaml │ ├── bug-1749264-676ca02902bcd169.yaml │ ├── bug-1749267-96153d2fa6868f67.yaml │ ├── bug-1750415-95ede3a9685b6e0c.yaml │ ├── bug-1750660-e2a360ddd6790fc4.yaml │ ├── bug-1750669-dfce859550126f03.yaml │ ├── bug-1750673-b53f74944d767ae9.yaml │ ├── bug-1750676-cf70c1a27b2c8de3.yaml │ ├── bug-1750678-88a38851ca80fc64.yaml │ ├── bug-1751045-f950e3fb85e2b573.yaml │ ├── bug-1753584-e052bc7805f001b4.yaml │ ├── bug-1753585-7e11213743754999.yaml │ ├── bug-1754048-correct-federated-domain-47cb889d88d7770a.yaml │ ├── bug-1754677-13ee75ed1b473f26.yaml │ ├── bug-1755874-9951f77c6d18431c.yaml │ ├── bug-1756190-0e5d86d334555931.yaml │ ├── bug-1757022-664d0b0db1242bf8.yaml │ ├── bug-1757151-43eb3baaa175f904.yaml │ ├── bug-1759289-466cdf4514de3498.yaml │ ├── bug-1760205-87dedd6d8812db3f.yaml │ ├── bug-1760521-fec5c88af214401f.yaml │ ├── bug-1760809-711df870a9d67c0d.yaml │ ├── 
bug-1763824-3d2f5169af9d42f.yaml │ ├── bug-1765193-b40318b9fb5d1c7b.yaml │ ├── bug-1773967-b59517a09e0e6141.yaml │ ├── bug-1774229-cb968e95c9d81c4d.yaml │ ├── bug-1776504-keystone-conversion-to-flask-372a5654a55675c6.yaml │ ├── bug-1778109-ea15ce6a8207f857.yaml │ ├── bug-1778945-b7f2db3052525ca8.yaml │ ├── bug-1779889-12eb5edf4cc93a1d.yaml │ ├── bug-1779903-f2b22cf23a9e01f9.yaml │ ├── bug-1780159-095ffa0e53be2464.yaml │ ├── bug-1780503-70ca1ba3f428dd41.yaml │ ├── bug-1782704-0b053eaf5d801dee.yaml │ ├── bug-1782922-db822fda486ac773.yaml │ ├── bug-1784536-9d1d1e149c605a1d.yaml │ ├── bug-1785164-2b7ed29266eb4792.yaml │ ├── bug-1787874-13499ec227b8e26c.yaml │ ├── bug-1788415-3190279e9c900f76.yaml │ ├── bug-1788694-4dc8b3ec47fc6084.yaml │ ├── bug-1789450-9dec1383ffd3de01.yaml │ ├── bug-1792026-2de8345a89e2256b.yaml │ ├── bug-1794376-53ce14528f00f01d.yaml │ ├── bug-1794527-866b1caff67977f3.yaml │ ├── bug-1794864-3116bf165a146be6.yaml │ ├── bug-1796887-eaea84e3f9a8ff9f.yaml │ ├── bug-1801095-6e28d7a86719da74.yaml │ ├── bug-1801873-0eb9a5ec3e801190.yaml │ ├── bug-1804292-0107869c7029f79e.yaml │ ├── bug-1804446-1a281eadbb044070.yaml │ ├── bug-1804462-59ad43f98242dea0.yaml │ ├── bug-1804463-74537652166cf656.yaml │ ├── bug-1804482-aa95619320d098fa.yaml │ ├── bug-1804483-1d9ccfcb24f25f51.yaml │ ├── bug-1804516-24b0b10ed6fe0589.yaml │ ├── bug-1804517-a351aec088fee066.yaml │ ├── bug-1804519-8384a9ead261d4c2.yaml │ ├── bug-1804520-d124599967923052.yaml │ ├── bug-1804521-3c0d9f567e8f532f.yaml │ ├── bug-1804522-00df902cd2d74ee3.yaml │ ├── bug-1804523-d1768909b13b167e.yaml │ ├── bug-1805363-0b85d71917ad09d1.yaml │ ├── bug-1805366-670867516c6fc4bc.yaml │ ├── bug-1805368-ea32c2db2ae57225.yaml │ ├── bug-1805369-ed98d3fcfafb5c43.yaml │ ├── bug-1805371-249c8c9b562ab371.yaml │ ├── bug-1805372-af4ebf4b19500b72.yaml │ ├── bug-1805400-c192be936d277ade.yaml │ ├── bug-1805402-75d0d93f31af620f.yaml │ ├── bug-1805403-c003627a64768716.yaml │ ├── bug-1805406-252b45d443af20b3.yaml │ ├── 
bug-1805409-8bc6cc9f1c5bc672.yaml │ ├── bug-1805880-0032024ea6b83563.yaml │ ├── bug-1805880-3fc6b30309a4370f.yaml │ ├── bug-1806713-cf5feab23fc78a23.yaml │ ├── bug-1806762-08ff9eecdc03c554.yaml │ ├── bug-1806762-09f414995924db23.yaml │ ├── bug-1806762-0b7356ace200a5d3.yaml │ ├── bug-1806762-2092fee9f6c87dc3.yaml │ ├── bug-1806762-c3bfc71cb9bb94f3.yaml │ ├── bug-1806762-daed3e27f58f0f6d.yaml │ ├── bug-1809116-b65502f3b606b060.yaml │ ├── bug-1810393-5a7d379842c51d9b.yaml │ ├── bug-1811605-9d23080d7e949c25.yaml │ ├── bug-1813085-cf24b204e95fd7f5.yaml │ ├── bug-1814589-f3e7f554bee1c317.yaml │ ├── bug-1815771-ae0e4118c552f01e.yaml │ ├── bug-1816076-ba39508e6ade529e.yaml │ ├── bug-1816927-e17f4e596e611380.yaml │ ├── bug-1817313-c11481e6eed29ec2.yaml │ ├── bug-1818725-96d698e22e648764.yaml │ ├── bug-1818734-d753bfae60ffd030.yaml │ ├── bug-1818736-98ea186a074056f4.yaml │ ├── bug-1818845-05f8c3af5ea9abc7.yaml │ ├── bug-1818846-d1a8c77d20659ad6.yaml │ ├── bug-1819036-e2d24655c70d0aad.yaml │ ├── bug-1820333-356dcc8bf9f73fed.yaml │ ├── bug-1823258-9649b56a440b5ae1.yaml │ ├── bug-1823258-9f93dbdc0fa8441d.yaml │ ├── bug-1827431-2f078c13dfc9a02a.yaml │ ├── bug-1831918-c70cf87ef086d871.yaml │ ├── bug-1832265-cb76ccf505c2d9d1.yaml │ ├── bug-1833739-f962e8caf3e22068.yaml │ ├── bug-1836568-66d853a1f22c5530.yaml │ ├── bug-1839133-24570c9fbacb530d.yaml │ ├── bug-1839577-1226d86ea0744055.yaml │ ├── bug-1840291-35af1ac7ba06e166.yaml │ ├── bug-1841486-425f367925f5e03f.yaml │ ├── bug-1843609-8498b132222596b7.yaml │ ├── bug-1844157-7808af9bcea0429d.yaml │ ├── bug-1844194-48ae60db49f91bd4.yaml │ ├── bug-1844207-x27a31f3403xfd7y.yaml │ ├── bug-1844461-08a8bdc5f613b88d.yaml │ ├── bug-1844664-905cf6cad2e032a7.yaml │ ├── bug-1848238-f6533644f7907358.yaml │ ├── bug-1848342-317c9e4afa65a3ff.yaml │ ├── bug-1855080-08b28181b7cb2470.yaml │ ├── bug-1856881-277103af343187f1.yaml │ ├── bug-1856904-101af15bb48eb3ca.yaml │ ├── bug-1856962-2c87d541da61c727.yaml │ ├── bug-1858012-584267ada7e33f2c.yaml │ ├── 
bug-1872732-7261816d0b170008.yaml │ ├── bug-1872733-2377f456a57ad32c.yaml │ ├── bug-1872735-0989e51d2248ce1e.yaml │ ├── bug-1872737-f8e1ad3b6705b766.yaml │ ├── bug-1872753-e2a934eac919ccde.yaml │ ├── bug-1872755-2c81d3267b89f124.yaml │ ├── bug-1873290-ff7f8e4cee15b75a.yaml │ ├── bug-1878938-70ee2af6fdf66004.yaml │ ├── bug-1880252-51036d5353125e15.yaml │ ├── bug-1885753-51df25f3ff1d9ae8.yaml │ ├── bug-1886017-bc2ad648d57101a2.yaml │ ├── bug-1889936-78d6853b5212b8f1.yaml │ ├── bug-1896125-b17a4d12730fe493.yaml │ ├── bug-1897280-e7065c4368a325ad.yaml │ ├── bug-1901207-13762f85b8a04481.yaml │ ├── bug-1901654-69b9f35d11cd0c75.yaml │ ├── bug-1926483-a77ab887e0e7f5c9.yaml │ ├── bug-1929066-6e741c9182620a37.yaml │ ├── bug-1941020-cleanup-541a2d372a1cf4cd.yaml │ ├── bug-1941020-f694395a9bcea72f.yaml │ ├── bug-1951632-11272e49e2fa439d.yaml │ ├── bug-2074018-28f7bbe8f28f5efe.yaml │ ├── bug1828565-0790c4c60ba34100.yaml │ ├── bug_1526462-df9a3f3974d9040f.yaml │ ├── bug_1543048_and_1668503-7ead4e15faaab778.yaml │ ├── bug_1674415-e8a7345aa2b05ab7.yaml │ ├── bug_1688188-256e3572295231a1.yaml │ ├── bug_1698900-f195125bf341d887.yaml │ ├── catalog-caching-12f2532cfb71325a.yaml │ ├── catalog_project_id-519f5a70f9f7c4c6.yaml │ ├── change_min_pool_retry_max-f5e7c8d315401426.yaml │ ├── convert-keystone-to-flask-80d980e239b662b0.yaml │ ├── deprecate-endpoint-policy-cfg-option-d018acab72a398a0.yaml │ ├── deprecate-json-formatted-policy-file-95f6307f88358f58.yaml │ ├── deprecate-max-param-size-6e0770e0c9d21dd6.yaml │ ├── deprecate-memcache-token-persistence-eac88c80147ea241.yaml │ ├── deprecate-policies-api-b104fbd1d2367b1b.yaml │ ├── deprecate-templated-catalog-driver-f811a6040abdc4a8.yaml │ ├── deprecate-v2-apis-894284c17be881d2.yaml │ ├── deprecated-as-of-mitaka-8534e43fa40c1d09.yaml │ ├── deprecated-as-of-newton-be1d8dbcc6bdc68f.yaml │ ├── deprecated-as-of-ocata-a5b2f1e3e39f818e.yaml │ ├── deprecated-as-of-pike-506f9aca91674550.yaml │ ├── deprecated-as-of-queens-8ad7f826e4f08f57.yaml │ 
├── deprecated-as-of-rocky-60b2fa05d07d3a28.yaml │ ├── deprecated-as-of-stein-0166965502cb3be2.yaml │ ├── deprecated-as-of-train-de3fe41ff2251385.yaml │ ├── deprecated-socket_timeout-option-d3358b4f2310706c.yaml │ ├── domain-level-limit-support-60e1e330d06227ed.yaml │ ├── domain-manager-persona-7921587ce2fab4fd.yaml │ ├── dont-enforce-get-s3tokens-ec2tokens-62b90b199e8075d8.yaml │ ├── drop-passlib-9b398c8f08f5e9ee.yaml │ ├── drop-project-id-fk-b683b414e1585be8.yaml │ ├── drop-python-3-6-and-3-7-dc90b86cedced92b.yaml │ ├── enable-filter-idp-d0135f4615178cfc.yaml │ ├── enable-inherit-on-default-54ac435230261a6a.yaml │ ├── endpoints-from-endpoint_group-project-association-7271fba600322fb6.yaml │ ├── eventlet-cleanup-f35fc5f83c16ea1c.yaml │ ├── extensions-to-core-a0d270d216d47276.yaml │ ├── federation-group-ids-mapping-6c56120d65a5cb22.yaml │ ├── filter-mappings-by-entity-77162a146d375385.yaml │ ├── fix_application_credentials_implied_roles-b445fa56cb335a4d.yaml │ ├── httpd-keystone-d51b7335559b09c8.yaml │ ├── identity_driver_new_change_password_method-e8c0e06795bca2d8.yaml │ ├── immutable-resource-options-bug-1807751-acc1e3c689484337.yaml │ ├── impl-templated-catalog-1d8f6333726b34f8.yaml │ ├── implied-roles-026f401adc0f7fb6.yaml │ ├── implied-roles-stable-8b293e187c5620ad.yaml │ ├── improve-driver-donfiguration-ecedaf6ad0c3f9d2.yaml │ ├── insecure_reponse-2a168230709bc8e7.yaml │ ├── integrate-osprofiler-ad0e16a542b12899.yaml │ ├── is-admin-24b34238c83b3a82.yaml │ ├── ldap-conn-pool-enabled-90df94652f1ded53.yaml │ ├── ldap-emulation-91c4d535eb9c3d10.yaml │ ├── limits-api-refactor-05abf9e6c2e75852.yaml │ ├── list_limit-ldap-support-5d31d51466fc49a6.yaml │ ├── list_role_assignment_names-33aedc1e521230b6.yaml │ ├── mapping_populate-521d92445505b8a3.yaml │ ├── max-password-length-truncation-and-warning-bd69090315ec18a7.yaml │ ├── migration_squash-f655329ddad7fc2a.yaml │ ├── no-default-domain-2161ada44bf7a3f7.yaml │ ├── notify-on-user-group-membership-8c0136ee0484e255.yaml 
│ ├── oauth1-headers-content-type-9a9245d9bbec8f8e.yaml │ ├── oslo.cache-a9ce47bfa8809efa.yaml │ ├── pagination-identity-b127b6d3042d3d3a.yaml │ ├── pagination-projects-ea311579da4bb83b.yaml │ ├── password-created_at-nullable-b3c284be50d93ef5.yaml │ ├── pci-dss-invalid-password-reporting-975955d2d79c21b3.yaml │ ├── policy_new_federated_projects_for_user-dcd7bd148efef049.yaml │ ├── pre-cache-tokens-73450934918af26b.yaml │ ├── project-tags-1e72a6779d9d02c5.yaml │ ├── projects_as_domains-3ea8a58b4c2965e1.yaml │ ├── python3-support-e4189e0a1a6e2e4f.yaml │ ├── randomize_urls-c0c19f48b2bfa299.yaml │ ├── remove-db_sync-extension-opt-2ab1f29340281215.yaml │ ├── remove-legacy-migrations-647f60019c8dd9e8.yaml │ ├── remove-py38-4e33bcf77029f0d0.yaml │ ├── remove-sha512_crypt-password-hashing-module-be4c5ed3f50017c0.yaml │ ├── remove-sqlalchemy-migrate-a4fa47685c7e28c6.yaml │ ├── remove-templated-catalog-driver-042dd821dbad684a.yaml │ ├── remove-token-auth-middleware-5ea3b3734ce1d9e6.yaml │ ├── remove-trust-auth-support-from-v2-de316c9ba46d556d.yaml │ ├── remove-wsgi-scripts-615b97ee4d6e0de2.yaml │ ├── removed-as-of-mitaka-9ff14f87d0b98e7e.yaml │ ├── removed-as-of-newton-721c06b5dcb1b34a.yaml │ ├── removed-as-of-ocata-436bb4b839e74494.yaml │ ├── removed-as-of-pike-deadbeefdeadbeef.yaml │ ├── removed-as-of-queens-94c04e88c08f89aa.yaml │ ├── removed-as-of-rocky-f44c3ba7c3e73d01.yaml │ ├── removed-as-of-stein-5eb23253b72ab54e.yaml │ ├── removed-as-of-train-92b2942a680eb859.yaml │ ├── removed-as-of-ussuri-d2f6ef8901ef54ed.yaml │ ├── request_context-e143ba9c446a5952.yaml │ ├── resource-backend-sql-only-03154d8712b36bd0.yaml │ ├── resource-driver-33793dd5080ee4d2.yaml │ ├── revert-v2-token-issued-for-non-default-domain-25ea5337f158ef13.yaml │ ├── s3-aws-v4-c6cb75ce8d2289d4.yaml │ ├── scope-and-default-roles-a733c235731bb558.yaml │ ├── sha512_crypt_deprecation-91a19080f1e884e4.yaml │ ├── support_encrypted_credentials_at_rest-93dcb67b3508e91a.yaml │ ├── 
switch-to-alembic-1fa5248f0ce824ae.yaml │ ├── tenant_id_to_project_id-42d95d93011785cb.yaml │ ├── token-formatter-ec58aba00fa83706.yaml │ ├── token-provider-refactor-a3a64146807daf36.yaml │ ├── token_expiration_to_match_application_credential-56d058355a9f240d.yaml │ ├── totp-40d93231714c6a20.yaml │ ├── unified-limit-api-improvment-b34d18769d18a0a7.yaml │ ├── use-correct-inspect-8142e317c1e39c2a.yaml │ ├── use-pyldap-6e811c28bf350d6d.yaml │ ├── use-python-ldap-0318ff7798bdd98d.yaml │ ├── v2-dep-d6e7ab2d08119549.yaml │ ├── v3-endpoints-in-v2-list-b0439816938713d6.yaml │ ├── v9FederationDriver-cbebcf5f97e1eae2.yaml │ └── x509-auth-df0a229780b8e3ff.yaml └── source │ ├── 2023.1.rst │ ├── 2023.2.rst │ ├── 2024.1.rst │ ├── 2024.2.rst │ ├── 2025.1.rst │ ├── _static │ └── .placeholder │ ├── _templates │ └── .placeholder │ ├── conf.py │ ├── index.rst │ ├── liberty.rst │ ├── locale │ ├── en_GB │ │ └── LC_MESSAGES │ │ │ └── releasenotes.po │ ├── fr │ │ └── LC_MESSAGES │ │ │ └── releasenotes.po │ ├── ja │ │ └── LC_MESSAGES │ │ │ └── releasenotes.po │ └── ko_KR │ │ └── LC_MESSAGES │ │ └── releasenotes.po │ ├── mitaka.rst │ ├── newton.rst │ ├── ocata.rst │ ├── pike.rst │ ├── queens.rst │ ├── rocky.rst │ ├── stein.rst │ ├── train.rst │ ├── unreleased.rst │ ├── ussuri.rst │ ├── victoria.rst │ ├── wallaby.rst │ ├── xena.rst │ ├── yoga.rst │ └── zed.rst ├── reno.yaml ├── requirements.txt ├── ruff.toml ├── setup.cfg ├── setup.py ├── test-requirements.txt ├── tools ├── cover.sh ├── fast8.sh ├── sample_data.sh └── test-setup.sh └── tox.ini /.coveragerc: -------------------------------------------------------------------------------- 1 | [run] 2 | branch = True 3 | source = keystone 4 | omit = keystone/tests/* 5 | 6 | [report] 7 | ignore_errors = True 8 | -------------------------------------------------------------------------------- /.git-blame-ignore-revs: -------------------------------------------------------------------------------- 1 | # You can configure git to automatically use 
this file with the following config: 2 | # git config --global blame.ignoreRevsFile .git-blame-ignore-revs 3 | 4 | a00839ca028304946e500cd14ddde322b6303ec8 # Blackify the keystone code base 5 | -------------------------------------------------------------------------------- /.gitreview: -------------------------------------------------------------------------------- 1 | [gerrit] 2 | host=review.opendev.org 3 | port=29418 4 | project=openstack/keystone.git 5 | -------------------------------------------------------------------------------- /.stestr.conf: -------------------------------------------------------------------------------- 1 | [DEFAULT] 2 | test_path=${OS_TEST_PATH:-./keystone/tests/unit} 3 | top_dir=./ 4 | group_regex=.*(test_cert_setup) 5 | -------------------------------------------------------------------------------- /api-ref/requirements.txt: -------------------------------------------------------------------------------- 1 | # os-openapi is installed directly from git since we do not do releases (yet?); the URL names no tag or commit, so each install takes the default branch as it is at that moment 2 | os-openapi @ git+https://opendev.org/openstack/openapi 3 | 4 | os-api-ref>=1.4.0 # Apache-2.0 5 | -------------------------------------------------------------------------------- /api-ref/source/index.rst: -------------------------------------------------------------------------------- 1 | Welcome to keystone's documentation! 2 | ==================================== 3 | 4 | Contents: 5 | 6 | .. toctree:: 7 | :maxdepth: 2 8 | 9 | v2-ext/index 10 | v3/index 11 | v3-ext/index 12 | 13 | .. toctree:: 14 | :maxdepth: 1 15 | 16 | openapi 17 | 18 | Indices and tables 19 | ================== 20 | 21 | * :ref:`genindex` 22 | * :ref:`search` 23 | -------------------------------------------------------------------------------- /api-ref/source/openapi.rst: -------------------------------------------------------------------------------- 1 | Keystone OpenAPI specification (preview) 2 | ======================================== 3 | 4 | ..
openapi:: openapi/v3.yaml 5 | :service_type: identity 6 | -------------------------------------------------------------------------------- /api-ref/source/v2-ext/index.rst: -------------------------------------------------------------------------------- 1 | :tocdepth: 3 2 | 3 | ------------------------------------------- 4 | Identity API v2.0 extensions (DEPRECATED) 5 | ------------------------------------------- 6 | 7 | .. rest_expand_all:: 8 | 9 | .. include:: ksec2-admin.inc 10 | -------------------------------------------------------------------------------- /api-ref/source/v2-ext/samples/OS-KSEC2/credentials-show-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "credentials": [ 3 | { 4 | "passwordCredentials": { 5 | "username": "test_user", 6 | "password": "secretsecret" 7 | } 8 | } 9 | ], 10 | "credentials_links": [] 11 | } 12 | -------------------------------------------------------------------------------- /api-ref/source/v2-ext/samples/OS-KSEC2/credentialswithec2-list-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "credentials": [ 3 | { 4 | "passwordCredentials": { 5 | "username": "test_user", 6 | "password": "secretsecret" 7 | } 8 | }, 9 | { 10 | "OS-KSEC2-ec2Credentials": { 11 | "username": "test_user", 12 | "secret": "secretsecret", 13 | "signature": "bbb" 14 | } 15 | } 16 | ], 17 | "credentials_links": [] 18 | } 19 | -------------------------------------------------------------------------------- /api-ref/source/v2-ext/samples/OS-KSEC2/ec2Credentials-create-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "OS-KSEC2-ec2Credentials": { 3 | "username": "test_user", 4 | "secret": "secretsecret", 5 | "signature": "bbb" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /api-ref/source/v2-ext/samples/OS-KSEC2/ec2Credentials-show-response.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "OS-KSEC2-ec2Credentials": { 3 | "username": "test_user", 4 | "secret": "secretsecret", 5 | "signature": "bbb" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /api-ref/source/v3-ext/federation/assertion/samples/ecp-saml-assertion-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "auth": { 3 | "identity": { 4 | "methods": [ 5 | "token" 6 | ], 7 | "token": { 8 | "id": "--token_id--" 9 | } 10 | }, 11 | "scope": { 12 | "service_provider": { 13 | "id": "--sp_id--" 14 | } 15 | } 16 | } 17 | } -------------------------------------------------------------------------------- /api-ref/source/v3-ext/federation/assertion/samples/saml-assertion-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "auth": { 3 | "identity": { 4 | "methods": [ 5 | "token" 6 | ], 7 | "token": { 8 | "id": "--token_id--" 9 | } 10 | }, 11 | "scope": { 12 | "service_provider": { 13 | "id": "--sp_id--" 14 | } 15 | } 16 | } 17 | } -------------------------------------------------------------------------------- /api-ref/source/v3-ext/federation/auth/samples/scoped-token-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "auth": { 3 | "identity": { 4 | "methods": [ 5 | "token" 6 | ], 7 | "token": { 8 | "id": "--federated-token-id--" 9 | } 10 | }, 11 | "scope": { 12 | "project": { 13 | "id": "263fd9" 14 | } 15 | } 16 | } 17 | } -------------------------------------------------------------------------------- /api-ref/source/v3-ext/federation/identity-provider/samples/add-protocol-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "protocol": { 3 | "mapping_id": "xyz234" 4 | } 5 | } 
-------------------------------------------------------------------------------- /api-ref/source/v3-ext/federation/identity-provider/samples/add-protocol-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "protocol": { 3 | "id": "saml2", 4 | "links": { 5 | "identity_provider": "http://example.com/identity/v3/OS-FEDERATION/identity_providers/ACME", 6 | "self": "http://example.com/identity/v3/OS-FEDERATION/identity_providers/ACME/protocols/saml2" 7 | }, 8 | "mapping_id": "xyz234" 9 | } 10 | } -------------------------------------------------------------------------------- /api-ref/source/v3-ext/federation/identity-provider/samples/get-protocol-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "protocol": { 3 | "id": "saml2", 4 | "links": { 5 | "identity_provider": "http://example.com/identity/v3/OS-FEDERATION/identity_providers/ACME", 6 | "self": "http://example.com/identity/v3/OS-FEDERATION/identity_providers/ACME/protocols/saml2" 7 | }, 8 | "mapping_id": "xyz234" 9 | } 10 | } -------------------------------------------------------------------------------- /api-ref/source/v3-ext/federation/identity-provider/samples/register-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "identity_provider": { 3 | "domain_id": "1789d1", 4 | "description": "Stores ACME identities.", 5 | "remote_ids": ["acme_id_1", "acme_id_2"], 6 | "enabled": true 7 | } 8 | } -------------------------------------------------------------------------------- /api-ref/source/v3-ext/federation/identity-provider/samples/register-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "identity_provider": { 3 | "domain_id": "1789d1", 4 | "description": "Stores ACME identities", 5 | "remote_ids": ["acme_id_1", "acme_id_2"], 6 | "enabled": true, 7 | "id": "ACME", 8 | "links": { 9 | "protocols": 
"http://example.com/identity/v3/OS-FEDERATION/identity_providers/ACME/protocols", 10 | "self": "http://example.com/identity/v3/OS-FEDERATION/identity_providers/ACME" 11 | } 12 | } 13 | } -------------------------------------------------------------------------------- /api-ref/source/v3-ext/federation/identity-provider/samples/update-protocol-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "protocol": { 3 | "mapping_id": "xyz234" 4 | } 5 | } -------------------------------------------------------------------------------- /api-ref/source/v3-ext/federation/identity-provider/samples/update-protocol-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "protocol": { 3 | "id": "saml2", 4 | "links": { 5 | "identity_provider": "http://example.com/identity/v3/OS-FEDERATION/identity_providers/ACME", 6 | "self": "http://example.com/identity/v3/OS-FEDERATION/identity_providers/ACME/protocols/saml2" 7 | }, 8 | "mapping_id": "xyz234" 9 | } 10 | } -------------------------------------------------------------------------------- /api-ref/source/v3-ext/federation/identity-provider/samples/update-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "identity_provider": { 3 | "remote_ids": ["beta_id_1", "beta_id_2"], 4 | "enabled": true 5 | } 6 | } -------------------------------------------------------------------------------- /api-ref/source/v3-ext/federation/projects-domains/samples/domain-list-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "domains": [ 3 | { 4 | "description": "desc of domain", 5 | "enabled": true, 6 | "id": "37ef61", 7 | "links": { 8 | "self": "http://example.com/identity/v3/domains/37ef61" 9 | }, 10 | "name": "my domain" 11 | } 12 | ], 13 | "links": { 14 | "self": "http://example.com/identity/v3/OS-FEDERATION/domains", 15 | "previous": null, 16 | 
"next": null 17 | } 18 | } -------------------------------------------------------------------------------- /api-ref/source/v3-ext/federation/service-provider/samples/register-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "service_provider": { 3 | "auth_url": "https://example.com/identity/v3/OS-FEDERATION/identity_providers/acme/protocols/saml2/auth", 4 | "description": "Remote Service Provider", 5 | "enabled": true, 6 | "sp_url": "https://example.com/identity/Shibboleth.sso/SAML2/ECP" 7 | } 8 | } -------------------------------------------------------------------------------- /api-ref/source/v3-ext/federation/service-provider/samples/update-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "service_provider": { 3 | "auth_url": "https://new.example.com/identity/v3/OS-FEDERATION/identity_providers/protocol/saml2/auth", 4 | "enabled": true, 5 | "relay_state_prefix": "ss:temp:", 6 | "sp_auth": "https://new.example.com/identity/Shibboleth.sso/SAML2/ECP" 7 | } 8 | } -------------------------------------------------------------------------------- /api-ref/source/v3-ext/samples/OS-ENDPOINT-POLICY/policy-show-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "policy": { 3 | "blob": { 4 | "foobar_user": [ 5 | "role:compute-user" 6 | ] 7 | }, 8 | "id": "13c92821e4c4476a878d3aae7444f52f", 9 | "links": { 10 | "self": "http://example.com/identity/v3/policies/13c92821e4c4476a878d3aae7444f52f" 11 | }, 12 | "type": "application/json" 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /api-ref/source/v3-ext/samples/OS-EP-FILTER/create-endpoint-group-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "endpoint_group": { 3 | "description": "endpoint group description", 4 | "filters": { 5 | "interface": "admin", 6 | 
"service_id": "1b501a" 7 | }, 8 | "name": "endpoint group name" 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /api-ref/source/v3-ext/samples/OS-EP-FILTER/endpoint-group-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "endpoint_group": { 3 | "description": "endpoint group description", 4 | "filters": { 5 | "interface": "admin", 6 | "service_id": "1b501a" 7 | }, 8 | "id": "ac4861", 9 | "links": { 10 | "self": "http://example.com/identity/v3/OS-EP-FILTER/endpoint_groups/ac4861" 11 | }, 12 | "name": "endpoint group name" 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /api-ref/source/v3-ext/samples/OS-EP-FILTER/endpoint-project-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "project": { 3 | "domain_id": "1789d1", 4 | "enabled": true, 5 | "id": "263fd9", 6 | "links": { 7 | "self": "http://example.com/identity/v3/projects/263fd9" 8 | }, 9 | "name": "project name #1", 10 | "description": "project description #1" 11 | } 12 | } 13 | -------------------------------------------------------------------------------- /api-ref/source/v3-ext/samples/OS-EP-FILTER/update-endpoint-group-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "endpoint_group": { 3 | "filters": { 4 | "interface": "public" 5 | } 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /api-ref/source/v3-ext/samples/OS-EP-FILTER/update-endpoint-group-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "endpoint_group": { 3 | "description": "endpoint group description", 4 | "filters": { 5 | "interface": "public", 6 | "service_id": "1b501a" 7 | }, 8 | "id": "ac4861", 9 | "links": { 10 | "self": 
"http://example.com/identity/v3/OS-EP-FILTER/endpoint_groups/ac4861" 11 | }, 12 | "name": "endpoint group name" 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /api-ref/source/v3-ext/samples/OS-OAUTH1/access-token-create-response.txt: -------------------------------------------------------------------------------- 1 | oauth_token=accd36&oauth_token_secret=aa47da&oauth_expires_at=2013-09-11T06:07:51.501805Z -------------------------------------------------------------------------------- /api-ref/source/v3-ext/samples/OS-OAUTH1/access-token-role-show-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "role": { 3 | "id": "5ad150", 4 | "domain_id": "7cf37b", 5 | "links": { 6 | "self": "http://example.com/identity/v3/roles/5ad150" 7 | }, 8 | "name": "admin" 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /api-ref/source/v3-ext/samples/OS-OAUTH1/access-token-show-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "access_token": { 3 | "consumer_id": "7fea2d", 4 | "id": "6be26a", 5 | "expires_at": "2013-09-11T06:07:51.501805Z", 6 | "links": { 7 | "roles": "http://example.com/identity/v3/users/ce9e07/OS-OAUTH1/access_tokens/6be26a/roles", 8 | "self": "http://example.com/identity/v3/users/ce9e07/OS-OAUTH1/access_tokens/6be26a" 9 | }, 10 | "project_id": "b9fca3", 11 | "authorizing_user_id": "ce9e07" 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /api-ref/source/v3-ext/samples/OS-OAUTH1/authorize-request-token-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "roles": [ 3 | { 4 | "id": "a3b29b" 5 | }, 6 | { 7 | "id": "49993e" 8 | } 9 | ] 10 | } -------------------------------------------------------------------------------- 
/api-ref/source/v3-ext/samples/OS-OAUTH1/authorize-request-token-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "token": { 3 | "oauth_verifier": "8171" 4 | } 5 | } 6 | -------------------------------------------------------------------------------- /api-ref/source/v3-ext/samples/OS-OAUTH1/consumer-create-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "consumer": { 3 | "description": "My consumer" 4 | } 5 | } 6 | -------------------------------------------------------------------------------- /api-ref/source/v3-ext/samples/OS-OAUTH1/consumer-create-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "consumer": { 3 | "secret": "secretsecret", 4 | "description": "My consumer", 5 | "id": "7fea2d", 6 | "links": { 7 | "self": "http://example.com/identity/v3/OS-OAUTH1/consumers/7fea2d" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /api-ref/source/v3-ext/samples/OS-OAUTH1/consumer-show-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "consumer": { 3 | "id": "7fea2d", 4 | "description": "My consumer", 5 | "links": { 6 | "self": "http://example.com/identity/v3/OS-OAUTH1/consumers/7fea2d" 7 | } 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /api-ref/source/v3-ext/samples/OS-OAUTH1/consumer-update-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "consumer": { 3 | "description": "My new consumer" 4 | } 5 | } 6 | -------------------------------------------------------------------------------- /api-ref/source/v3-ext/samples/OS-OAUTH1/consumer-update-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "consumer": { 3 | "description": "My 
new consumer", 4 | "id": "7fea2d", 5 | "links": { 6 | "self": "http://example.com/identity/v3/OS-OAUTH1/consumers/7fea2d" 7 | } 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /api-ref/source/v3-ext/samples/OS-OAUTH1/request-token-create-response.txt: -------------------------------------------------------------------------------- 1 | oauth_token=29971f&oauth_token_secret=238eb8&oauth_expires_at=2013-09-11T06:07:51.501805Z -------------------------------------------------------------------------------- /api-ref/source/v3-ext/samples/OS-OAUTH2/token-create-request.txt: -------------------------------------------------------------------------------- 1 | grant_type=client_credentials&client_id=12d31647289c45e1b69e57273fce78b4 -------------------------------------------------------------------------------- /api-ref/source/v3-ext/samples/OS-OAUTH2/token-create-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "access_token": "gAAAAABhi1cMynG89h8t6TJrxNiZuNzjcIUIxNctoVfuqTw7BpUedLKxjPymClVEnj9GhIT5u2mpjaJATlEAtaa3D6_t8jk_fV-mqo2IUlsmTPTnMwkcjh5FSHQVRdqvDxgY3nSqLA_Hfv-zPmjS5KWX3hmyDE5YWO1ztX6QNVQb4wTPyNL1-7I", 3 | "token_type": "Bearer", 4 | "expires_in": 3600 5 | } -------------------------------------------------------------------------------- /api-ref/source/v3-ext/samples/OS-TRUST/trust-auth-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "auth": { 3 | "identity": { 4 | "methods": [ 5 | "token" 6 | ], 7 | "token": { 8 | "id": "e80b74" 9 | } 10 | }, 11 | "scope": { 12 | "OS-TRUST:trust": { 13 | "id": "de0945a" 14 | } 15 | } 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /api-ref/source/v3-ext/samples/OS-TRUST/trust-create-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "trust": { 3 | "expires_at": 
"2013-02-27T18:30:59.999999Z", 4 | "impersonation": true, 5 | "allow_redelegation": true, 6 | "project_id": "ddef321", 7 | "roles": [ 8 | { 9 | "name": "member" 10 | } 11 | ], 12 | "trustee_user_id": "86c0d5", 13 | "trustor_user_id": "a0fdfd" 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /api-ref/source/v3-ext/samples/OS-TRUST/trust-get-role-delegated-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "role": { 3 | "id": "c1648e", 4 | "links": { 5 | "self": "http://example.com/identity/v3/roles/c1648e" 6 | }, 7 | "name": "manager" 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /api-ref/source/v3-ext/samples/OS-TRUST/trust-list-roles-delegated-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "roles": [ 3 | { 4 | "id": "c1648e", 5 | "links": { 6 | "self": "http://example.com/identity/v3/roles/c1648e" 7 | }, 8 | "name": "manager" 9 | }, 10 | { 11 | "id": "ed7b78", 12 | "links": { 13 | "self": "http://example.com/identity/v3/roles/ed7b78" 14 | }, 15 | "name": "member" 16 | } 17 | ] 18 | } 19 | -------------------------------------------------------------------------------- /api-ref/source/v3/os-pki.inc: -------------------------------------------------------------------------------- 1 | .. -*- rst -*- 2 | 3 | =================== 4 | OS-PKI (DEPRECATED) 5 | =================== 6 | 7 | List revoked tokens 8 | =================== 9 | 10 | .. rest_method:: GET /v3/auth/tokens/OS-PKI/revoked 11 | 12 | Lists revoked PKI tokens. This extension is deprecated, and 410 (Gone) is the only status code documented for this call, so clients should not treat it as a working source of token revocation data. 13 | 14 | Relationship: 15 | ``https://docs.openstack.org/api/openstack-identity/3/rel/tokens/OS-PKI/revoked`` 16 | 17 | Response 18 | -------- 19 | 20 | Status Codes 21 | ~~~~~~~~~~~~ 22 | 23 | ..
rest_status_code:: error status.yaml 24 | 25 | - 410 26 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/access-rule-get-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "access_rule": { 3 | "path": "/v2.0/metrics", 4 | "links": { 5 | "self": "https://example.com/identity/v3/access_rules/07d719df00f349ef8de77d542edf010c" 6 | }, 7 | "id": "07d719df00f349ef8de77d542edf010c", 8 | "service": "monitoring", 9 | "method": "GET" 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/auth-application-credential-id-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "auth": { 3 | "identity": { 4 | "methods": [ 5 | "application_credential" 6 | ], 7 | "application_credential": { 8 | "id": "423f19a4ac1e4f48bbb4180756e6eb6c", 9 | "secret": "rEaqvJka48mpv" 10 | } 11 | } 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/auth-application-credential-name-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "auth": { 3 | "identity": { 4 | "methods": [ 5 | "application_credential" 6 | ], 7 | "application_credential": { 8 | "name": "monitoring", 9 | "secret": "rEaqvJka48mpv", 10 | "user": { 11 | "id": "423f19a4ac1e4f48bbb4180756e6eb6c" 12 | } 13 | } 14 | } 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/auth-password-explicit-unscoped-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "auth": { 3 | "identity": { 4 | "methods": [ 5 | "password" 6 | ], 7 | "password": { 8 | "user": { 9 | "id": "ee4dfb6e5540447cb3741905149d9b6e", 10 | "password": "devstacker" 11 | } 12 
| } 13 | }, 14 | "scope": "unscoped" 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/auth-password-unscoped-request-with-domain.json: -------------------------------------------------------------------------------- 1 | { 2 | "auth": { 3 | "identity": { 4 | "methods": [ 5 | "password" 6 | ], 7 | "password": { 8 | "user": { 9 | "name": "admin", 10 | "domain": { 11 | "name": "Default" 12 | }, 13 | "password": "devstacker" 14 | } 15 | } 16 | } 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/auth-password-unscoped-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "auth": { 3 | "identity": { 4 | "methods": [ 5 | "password" 6 | ], 7 | "password": { 8 | "user": { 9 | "id": "423f19a4ac1e4f48bbb4180756e6eb6c", 10 | "password": "devstacker" 11 | } 12 | } 13 | } 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/auth-password-user-name-unscoped-response-HTTP.txt: -------------------------------------------------------------------------------- 1 | HTTP/1.1 201 Created 2 | Date: Fri, 06 Nov 2015 14:29:56 GMT 3 | Server: Apache/2.4.7 (Ubuntu) 4 | X-Subject-Token: ffe47524401e4d61adc7310f7e5b6191 5 | Vary: X-Auth-Token 6 | x-openstack-request-id: req-f2f3f6ca-e342-4cd8-bc12-71a5436ef5fc 7 | Content-Length: 297 8 | Content-Type: application/json 9 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/auth-token-explicit-unscoped-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "auth": { 3 | "identity": { 4 | "methods": [ 5 | "token" 6 | ], 7 | "token": { 8 | "id": "'$OS_TOKEN'" 9 | } 10 | }, 11 | "scope": "unscoped" 12 | } 13 | } 14 | 
-------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/auth-token-scoped-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "auth": { 3 | "identity": { 4 | "methods": [ 5 | "token" 6 | ], 7 | "token": { 8 | "id": "'$OS_TOKEN'" 9 | } 10 | }, 11 | "scope": { 12 | "project": { 13 | "id": "5b50efd009b540559104ee3c03bbb2b7" 14 | } 15 | } 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/auth-token-unscoped-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "auth": { 3 | "identity": { 4 | "methods": [ 5 | "token" 6 | ], 7 | "token": { 8 | "id": "'$OS_TOKEN'" 9 | } 10 | } 11 | } 12 | } 13 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/credential-create-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "credential": { 3 | "blob": "{\"access\":\"181920\",\"secret\":\"secretKey\"}", 4 | "project_id": "731fc6f265cd486d900f16e84c5cb594", 5 | "type": "ec2", 6 | "user_id": "bb5476fd12884539b41d5a88f838d773" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/credential-create-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "credential": { 3 | "user_id": "bb5476fd12884539b41d5a88f838d773", 4 | "links": { 5 | "self": "http://example.com/identity/v3/credentials/3d3367228f9c7665266604462ec60029bcd83ad89614021a80b2eb879c572510" 6 | }, 7 | "blob": "{\"access\":\"181920\",\"secret\":\"secretKey\"}", 8 | "project_id": "731fc6f265cd486d900f16e84c5cb594", 9 | "type": "ec2", 10 | "id": "3d3367228f9c7665266604462ec60029bcd83ad89614021a80b2eb879c572510" 11 | } 12 | } 13 | 
-------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/credential-update-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "credential": { 3 | "blob": "{\"access\":\"181920\",\"secret\":\"secretKey\"}", 4 | "project_id": "731fc6f265cd486d900f16e84c5cb594", 5 | "type": "ec2", 6 | "user_id": "bb5476fd12884539b41d5a88f838d773" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/credential-update-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "credential": { 3 | "user_id": "bb5476fd12884539b41d5a88f838d773", 4 | "links": { 5 | "self": "http://example.com/identity/v3/credentials/207e9b76935efc03804d3dd6ab52d22e9b22a0711e4ada4ff8b76165a07311d7" 6 | }, 7 | "blob": "{\"access\":\"181920\",\"secret\":\"secretKey\"}", 8 | "project_id": "731fc6f265cd486d900f16e84c5cb594", 9 | "type": "ec2", 10 | "id": "207e9b76935efc03804d3dd6ab52d22e9b22a0711e4ada4ff8b76165a07311d7" 11 | } 12 | } 13 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/domain-config-create-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "config": { 3 | "identity": { 4 | "driver": "ldap" 5 | }, 6 | "ldap": { 7 | "url": "ldap://myldap.com:389/", 8 | "user_tree_dn": "ou=Users,dc=my_new_root,dc=org" 9 | } 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/domain-config-create-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "config": { 3 | "identity": { 4 | "driver": "ldap" 5 | }, 6 | "ldap": { 7 | "url": "ldap://myldap.com:389/", 8 | "user_tree_dn": "ou=Users,dc=my_new_root,dc=org" 9 | } 10 | } 11 | } 12 | 
-------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/domain-config-default-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "config": { 3 | "identity": { 4 | "driver": "ldap" 5 | }, 6 | "ldap": { 7 | "url": "ldap://localhost", 8 | "user": "", 9 | "suffix": "cn=example,cn=com", 10 | .... 11 | } 12 | } 13 | } -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/domain-config-group-default-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "ldap": { 3 | "url": "ldap://localhost", 4 | "user": "", 5 | "suffix": "cn=example,cn=com", 6 | .... 7 | } 8 | } -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/domain-config-group-option-default-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "driver": "ldap" 3 | } 4 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/domain-config-group-option-show-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "url": "http://myldap/root" 3 | } 4 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/domain-config-group-option-update-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "url": "http://myldap/my_other_root" 3 | } 4 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/domain-config-group-option-update-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "config": { 3 | "identity": { 4 | "driver": "ldap" 5 | }, 6 | "ldap": { 7 | "url":
"http://myldap/my_other_root", 8 | "user_tree_dn": "ou=Users,dc=my_new_root,dc=org" 9 | } 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/domain-config-group-show-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "ldap": { 3 | "url": "http://myldap/root", 4 | "user_tree_dn": "ou=Users,dc=root,dc=org" 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/domain-config-group-update-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "config": { 3 | "ldap": { 4 | "url": "http://myldap/my_new_root", 5 | "user_tree_dn": "ou=Users,dc=my_new_root,dc=org" 6 | } 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/domain-config-group-update-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "config": { 3 | "identity": { 4 | "driver": "ldap" 5 | }, 6 | "ldap": { 7 | "url": "http://myldap/my_new_root", 8 | "user_tree_dn": "ou=Users,dc=my_new_root,dc=org" 9 | } 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/domain-config-show-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "config": { 3 | "identity": { 4 | "driver": "ldap" 5 | }, 6 | "ldap": { 7 | "url": "http://myldap/root", 8 | "user_tree_dn": "ou=Users,dc=root,dc=org" 9 | } 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/domain-config-update-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "config": { 3 | "ldap": { 4 | "url": 
"http://myldap/my_new_root", 5 | "user_tree_dn": "ou=Users,dc=my_new_root,dc=org" 6 | } 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/domain-config-update-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "config": { 3 | "identity": { 4 | "driver": "ldap" 5 | }, 6 | "ldap": { 7 | "url": "http://myldap/my_new_root", 8 | "user_tree_dn": "ou=Users,dc=my_new_root,dc=org" 9 | } 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/domain-create-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "domain": { 3 | "description": "Domain description", 4 | "enabled": true, 5 | "name": "myDomain" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/domain-create-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "domain": { 3 | "description": "Domain description", 4 | "enabled": true, 5 | "id": "161718", 6 | "links": { 7 | "self": "http://example.com/identity/v3/domains/161718" 8 | }, 9 | "name": "myDomain", 10 | "options": {} 11 | } 12 | } 13 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/domain-group-update-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "config": { 3 | "ldap": { 4 | "url": "http://myldap/my_new_root", 5 | "user_tree_dn": "ou=Users,dc=my_new_root,dc=org" 6 | } 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/domain-show-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "domain": { 3 | "description": 
"Owns users and tenants (i.e. projects) available on Identity API v2.", 4 | "enabled": true, 5 | "id": "default", 6 | "links": { 7 | "self": "http://example.com/identity/v3/domains/default" 8 | }, 9 | "name": "Default", 10 | "options": {} 11 | } 12 | } 13 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/domain-specific-role-create-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "role": { 3 | "description": "My new role", 4 | "domain_id": "92e782c4988642d783a95f4a87c3fdd7", 5 | "name": "developer" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/domain-update-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "domain": { 3 | "description": "Owns users and projects on Identity API v2." 4 | } 5 | } 6 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/domain-update-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "domain": { 3 | "links": { 4 | "self": "http://example.com/identity/v3/domains/default" 5 | }, 6 | "enabled": true, 7 | "description": "Owns users and projects on Identity API v2.", 8 | "name": "Default", 9 | "id": "default", 10 | "options": {} 11 | } 12 | } 13 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/endpoint-create-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "endpoint": { 3 | "interface": "public", 4 | "region_id": "RegionOne", 5 | "url": "http://example.com/identity/v3/endpoints/828384", 6 | "service_id": "9242e05f0c23467bbd1cf1f7a6e5e596" 7 | } 8 | } 9 | --------------------------------------------------------------------------------
/api-ref/source/v3/samples/admin/endpoint-create-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "endpoint": { 3 | "region_id": "RegionOne", 4 | "links": { 5 | "self": "http://example.com/identity/v3/endpoints/e9b475a8742d4ff1a81b353c5a37e138" 6 | }, 7 | "url": "http://example.com/identity/v3/endpoints/828384", 8 | "region": "RegionOne", 9 | "enabled": true, 10 | "interface": "public", 11 | "service_id": "9242e05f0c23467bbd1cf1f7a6e5e596", 12 | "id": "e9b475a8742d4ff1a81b353c5a37e138" 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/endpoint-show-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "endpoint": { 3 | "enabled": true, 4 | "id": "01c3d5b92f7841ac83fb4b26173c12c7", 5 | "interface": "admin", 6 | "links": { 7 | "self": "http://example.com/identity/v3/endpoints/01c3d5b92f7841ac83fb4b26173c12c7" 8 | }, 9 | "region": "RegionOne", 10 | "region_id": "RegionOne", 11 | "service_id": "3b2d6ad7e02c4cde8498a547601f1b8f", 12 | "url": "http://23.253.211.234:9696/" 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/endpoint-update-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "endpoint": { 3 | "interface": "public", 4 | "region_id": "north", 5 | "url": "http://example.com/identity/v3/endpoints/828384", 6 | "service_id": "345678" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/endpoint-update-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "endpoint": { 3 | "id": "828384", 4 | "interface": "internal", 5 | "links": { 6 | "self": "http://example.com/identity/v3/endpoints/828384" 7 | }, 8 | "region_id": 
"north", 9 | "service_id": "686766", 10 | "url": "http://example.com/identity/v3/endpoints/828384" 11 | } 12 | } 13 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/get-available-system-scopes-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "system": [ 3 | { 4 | "all": true 5 | } 6 | ], 7 | "links": { 8 | "self": "https://example.com/identity/v3/auth/system" 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/group-create-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "group": { 3 | "description": "Contract developers", 4 | "domain_id": "default", 5 | "name": "Contract developers" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/group-create-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "group": { 3 | "domain_id": "default", 4 | "description": "Contract developers", 5 | "id": "c0d675eac29945ad9dfd08aa1bb75751", 6 | "links": { 7 | "self": "http://example.com/identity/v3/groups/c0d675eac29945ad9dfd08aa1bb75751" 8 | }, 9 | "name": "Contract developers" 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/group-show-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "group": { 3 | "description": "Contract developers", 4 | "domain_id": "default", 5 | "id": "c0d675eac29945ad9dfd08aa1bb75751", 6 | "links": { 7 | "self": "http://example.com/identity/v3/groups/c0d675eac29945ad9dfd08aa1bb75751" 8 | }, 9 | "name": "Contract developers" 10 | } 11 | } 12 | -------------------------------------------------------------------------------- 
/api-ref/source/v3/samples/admin/group-update-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "group": { 3 | "description": "Contract developers 2016", 4 | "name": "Contract developers 2016" 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/group-update-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "group": { 3 | "description": "Contract developers 2016", 4 | "domain_id": "default", 5 | "id": "c0d675eac29945ad9dfd08aa1bb75751", 6 | "links": { 7 | "self": "http://example.com/identity/v3/groups/c0d675eac29945ad9dfd08aa1bb75751" 8 | }, 9 | "name": "Contract developers 2016" 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/identity-version-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": { 3 | "id": "v3.4", 4 | "links": [ 5 | { 6 | "href": "http://example.com/identity/v3/", 7 | "rel": "self" 8 | } 9 | ], 10 | "media-types": [ 11 | { 12 | "base": "application/json", 13 | "type": "application/vnd.openstack.identity-v3+json" 14 | } 15 | ], 16 | "status": "stable", 17 | "updated": "2015-03-30T00:00:00Z" 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/limit-flat-model-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "model": { 3 | "description": "Limit enforcement and validation does not take project hierarchy into consideration.", 4 | "name": "flat" 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/limit-show-response.json: -------------------------------------------------------------------------------- 1 | { 2 | 
"limit": { 3 | "resource_name": "volume", 4 | "region_id": null, 5 | "links": { 6 | "self": "http://10.3.150.25/identity/v3/limits/25a04c7a065c430590881c646cdcdd58" 7 | }, 8 | "service_id": "9408080f1970482aa0e38bc2d4ea34b7", 9 | "project_id": "3a705b9f56bb439381b43c4fe59dccce", 10 | "domain_id": null, 11 | "id": "25a04c7a065c430590881c646cdcdd58", 12 | "resource_limit": 11, 13 | "description": null 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/limits-update-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "limit": { 3 | "resource_limit": 5, 4 | "description": "Number of snapshots for project 3a705b9f56bb439381b43c4fe59dccce" 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/policy-create-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "policy": { 3 | "blob": "{'foobar_user': 'role:compute-user'}", 4 | "type": "application/json" 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/policy-create-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "policy": { 3 | "links": { 4 | "self": "http://example.com/identity/v3/policies/88f5b83f8f8e41daba4c25eed1a7bbc6" 5 | }, 6 | "blob": "{'foobar_user': 'role:compute-user'}", 7 | "type": "application/json", 8 | "id": "88f5b83f8f8e41daba4c25eed1a7bbc6" 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/policy-show-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "policy": { 3 | "blob": { 4 | "foobar_user": [ 5 | "role:compute-user" 6 | ] 7 | }, 8 | "id": "717273", 9 | "links": { 10 | 
"self": "http://example.com/identity/v3/policies/717273" 11 | }, 12 | "type": "application/json" 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/policy-update-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "policy": { 3 | "blob": { 4 | "foobar_user": [ 5 | "role:compute-user" 6 | ] 7 | }, 8 | "type": "application/json" 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/policy-update-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "policy": { 3 | "blob": { 4 | "foobar_user": [ 5 | "role:compute-user" 6 | ] 7 | }, 8 | "id": "717273", 9 | "links": { 10 | "self": "http://example.com/identity/v3/policies/717273" 11 | }, 12 | "type": "application/json" 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/project-create-domain-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "project": { 3 | "description": "My new domain", 4 | "enabled": true, 5 | "is_domain": true, 6 | "name": "myNewDomain" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/project-create-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "project": { 3 | "description": "My new project", 4 | "domain_id": "default", 5 | "enabled": true, 6 | "is_domain": false, 7 | "name": "myNewProject", 8 | "options": {} 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/project-create-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "project": 
{ 3 | "description": "My new project", 4 | "domain_id": "default", 5 | "enabled": true, 6 | "id": "93ebbcc35335488b96ff9cd7d18cbb2e", 7 | "is_domain": false, 8 | "links": { 9 | "self": "http://example.com/identity/v3/projects/93ebbcc35335488b96ff9cd7d18cbb2e" 10 | }, 11 | "name": "myNewProject", 12 | "parent_id": "default", 13 | "tags": [], 14 | "options": {} 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/project-enable-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "project": { 3 | "enabled": true 4 | } 5 | } 6 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/project-show-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "project": { 3 | "is_domain": false, 4 | "description": null, 5 | "domain_id": "default", 6 | "enabled": true, 7 | "id": "0c4e939acacf4376bdcd1129f1a054ad", 8 | "links": { 9 | "self": "http://example.com/identity/v3/projects/0c4e939acacf4376bdcd1129f1a054ad" 10 | }, 11 | "name": "admin", 12 | "parent_id": "default", 13 | "options": {} 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/project-tags-list-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "tags": ["foo", "bar"] 3 | } 4 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/project-tags-update-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "tags": ["foo", "bar"] 3 | } 4 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/project-update-request.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "project": { 3 | "description": "My updated project", 4 | "name": "myUpdatedProject" 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/project-update-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "project": { 3 | "description": "My updated project", 4 | "domain_id": null, 5 | "links": { 6 | "self": "http://example.com/identity/v3/projects/93ebbcc35335488b96ff9cd7d18cbb2e" 7 | }, 8 | "enabled": true, 9 | "id": "93ebbcc35335488b96ff9cd7d18cbb2e", 10 | "is_domain": true, 11 | "name": "myUpdatedProject", 12 | "parent_id": null, 13 | "tags": [], 14 | "options": {} 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/region-create-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "region": { 3 | "description": "My subregion", 4 | "id": "RegionOneSubRegion", 5 | "parent_region_id": "RegionOne" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/region-create-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "region": { 3 | "parent_region_id": "RegionOne", 4 | "id": "RegionOneSubRegion", 5 | "links": { 6 | "self": "http://example.com/identity/v3/regions/RegionOneSubRegion" 7 | }, 8 | "description": "My subregion" 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/region-show-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "region": { 3 | "description": "My subregion 3", 4 | "id": "RegionThree", 5 | "links": { 6 | "self": 
"http://example.com/identity/v3/regions/RegionThree" 7 | }, 8 | "parent_region_id": "RegionOne" 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/region-update-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "region": { 3 | "description": "My subregion 3" 4 | } 5 | } 6 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/region-update-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "region": { 3 | "parent_region_id": "RegionOne", 4 | "id": "RegionThree", 5 | "links": { 6 | "self": "http://example.com/identity/v3/regions/RegionThree" 7 | }, 8 | "description": "My subregion 3" 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/regions-list-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "links": { 3 | "next": null, 4 | "previous": null, 5 | "self": "http://example.com/identity/v3/regions" 6 | }, 7 | "regions": [ 8 | { 9 | "description": "", 10 | "id": "RegionOne", 11 | "links": { 12 | "self": "http://example.com/identity/v3/regions/RegionOne" 13 | }, 14 | "parent_region_id": null 15 | } 16 | ] 17 | } 18 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/registered-limit-show-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "registered_limit": { 3 | "resource_name": "volume", 4 | "region_id": null, 5 | "links": { 6 | "self": "http://10.3.150.25/identity/v3/registered_limits/773147dd53cd4a17b921d555cf17c633" 7 | }, 8 | "service_id": "9408080f1970482aa0e38bc2d4ea34b7", 9 | "default_limit": 10, 10 | "id": "773147dd53cd4a17b921d555cf17c633", 11 | "description": 
"Number of volumes" 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/registered-limits-create-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "registered_limits":[ 3 | { 4 | "service_id": "9408080f1970482aa0e38bc2d4ea34b7", 5 | "region_id": "RegionOne", 6 | "resource_name": "snapshot", 7 | "default_limit": 5 8 | }, 9 | { 10 | "service_id": "9408080f1970482aa0e38bc2d4ea34b7", 11 | "resource_name": "volume", 12 | "default_limit": 10, 13 | "description": "Number of volumes" 14 | } 15 | ] 16 | } 17 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/registered-limits-update-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "registered_limit": { 3 | "service_id": "9408080f1970482aa0e38bc2d4ea34b7", 4 | "region_id": "RegionOne", 5 | "resource_name": "snapshot", 6 | "default_limit": 5, 7 | "description": "Number of snapshots" 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/registered-limits-update-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "registered_limit": { 3 | "resource_name": "snapshot", 4 | "region_id": "RegionOne", 5 | "links": { 6 | "self": "http://10.3.150.25/identity/v3/registered_limits/e35a965b2b244209bb0c2b193c55955f" 7 | }, 8 | "service_id": "9408080f1970482aa0e38bc2d4ea34b7", 9 | "default_limit": 5, 10 | "id": "e35a965b2b244209bb0c2b193c55955f", 11 | "description": "Number of snapshots" 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/role-assignments-effective-list-response.txt: -------------------------------------------------------------------------------- 1 | GET 
/role_assignments?user.id={user_id}&scope.project.id={project_id}&effective 2 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/role-assignments-list-response.txt: -------------------------------------------------------------------------------- 1 | GET /role_assignments?user.id={user_id}&scope.project.id={project_id}&effective 2 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/role-create-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "role": { 3 | "description": "My new role", 4 | "name": "developer" 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/role-create-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "role": { 3 | "id": "1e443fa8cee3482a8a2b6954dd5c8f12", 4 | "links": { 5 | "self": "http://example.com/identity/v3/roles/1e443fa8cee3482a8a2b6954dd5c8f12" 6 | }, 7 | "description": "My new role", 8 | "name": "developer", 9 | "options": {} 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/role-show-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "role": { 3 | "domain_id": "d07792fd66ac4ed881723ab9f1c9925f", 4 | "id": "1e443fa8cee3482a8a2b6954dd5c8f12", 5 | "links": { 6 | "self": "http://example.com/identity/v3/roles/1e443fa8cee3482a8a2b6954dd5c8f12" 7 | }, 8 | "description": "My new role", 9 | "name": "Developer", 10 | "options": {} 11 | } 12 | } 13 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/role-update-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "role": { 3 | 
"description": "My new role", 4 | "name": "Developer" 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/role-update-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "role": { 3 | "domain_id": "73748865fb964ded9e836d491d32dcfb", 4 | "id": "1e443fa8cee3482a8a2b6954dd5c8f12", 5 | "links": { 6 | "self": "http://example.com/identity/v3/roles/1e443fa8cee3482a8a2b6954dd5c8f12" 7 | }, 8 | "description": "My new role", 9 | "name": "Developer", 10 | "options": {} 11 | } 12 | } 13 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/service-create-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "service": { 3 | "type": "compute", 4 | "name": "compute2", 5 | "description": "Compute service 2" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/service-create-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "service": { 3 | "name": "compute2", 4 | "links": { 5 | "self": "http://example.com/identity/v3/services/3f552eb79c48436db2868e948d8cf330" 6 | }, 7 | "enabled": true, 8 | "type": "compute", 9 | "id": "3f552eb79c48436db2868e948d8cf330", 10 | "description": "Compute service 2" 11 | } 12 | } 13 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/service-show-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "service": { 3 | "description": "Keystone Identity Service", 4 | "enabled": true, 5 | "id": "686766", 6 | "links": { 7 | "self": "http://example.com/identity/v3/services/686766" 8 | }, 9 | "name": "keystone", 10 | "type": "identity" 11 | } 12 | } 13 | 
-------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/service-update-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "service": { 3 | "description": "Block Storage Service V2" 4 | } 5 | } 6 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/service-update-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "service": { 3 | "name": "cinderv2", 4 | "links": { 5 | "self": "http://example.com/identity/v3/services/5789da9864004dd088fce14c1c626a4b" 6 | }, 7 | "enabled": true, 8 | "type": "volumev2", 9 | "id": "5789da9864004dd088fce14c1c626a4b", 10 | "description": "Block Storage Service V2" 11 | } 12 | } 13 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/token-validate-request.txt: -------------------------------------------------------------------------------- 1 | Headers: 2 | X-Auth-Token: 1dd7e3 3 | X-Subject-Token: c67580 4 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/user-password-update-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "user": { 3 | "password": "new_secretsecret", 4 | "original_password": "secretsecret" 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/user-show-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "user": { 3 | "default_project_id": "263fd9", 4 | "domain_id": "1789d1", 5 | "enabled": true, 6 | "federated": [], 7 | "id": "9fe1d3", 8 | "links": { 9 | "self": "https://example.com/identity/v3/users/9fe1d3" 10 | }, 11 | "name": "jsmith", 12 | "password_expires_at": 
"2016-11-06T15:32:17.000000" 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/user-update-request.json: -------------------------------------------------------------------------------- 1 | { 2 | "user": { 3 | "default_project_id": "263fd9", 4 | "enabled": true, 5 | "options": { 6 | "ignore_lockout_failure_attempts": true 7 | } 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/admin/user-update-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "user": { 3 | "default_project_id": "263fd9", 4 | "domain_id": "1789d1", 5 | "enabled": true, 6 | "federated": [], 7 | "id": "ff4e51", 8 | "links": { 9 | "self": "https://example.com/identity/v3/users/ff4e51" 10 | }, 11 | "name": "jamesdoe", 12 | "options": { 13 | "ignore_lockout_failure_attempts": true 14 | }, 15 | "password_expires_at": "2016-11-06T15:32:17.000000" 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/auth/requests/domain-id-password.json: -------------------------------------------------------------------------------- 1 | { 2 | "auth": { 3 | "identity": { 4 | "methods": [ 5 | "password" 6 | ], 7 | "password": { 8 | "user": { 9 | "id": "ee4dfb6e5540447cb3741905149d9b6e", 10 | "password": "devstacker" 11 | } 12 | } 13 | }, 14 | "scope": { 15 | "domain": { 16 | "id": "default" 17 | } 18 | } 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/auth/requests/domain-id-token.json: -------------------------------------------------------------------------------- 1 | { 2 | "auth": { 3 | "identity": { 4 | "methods": [ 5 | "token" 6 | ], 7 | "token": { 8 | "id": "'$OS_TOKEN'" 9 | } 10 | }, 11 | "scope": { 12 | "domain": { 13 | "id": "default" 14 | } 15 | } 16 | } 
17 | } 18 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/auth/requests/domain-name-password.json: -------------------------------------------------------------------------------- 1 | { 2 | "auth": { 3 | "identity": { 4 | "methods": [ 5 | "password" 6 | ], 7 | "password": { 8 | "user": { 9 | "id": "ee4dfb6e5540447cb3741905149d9b6e", 10 | "password": "devstacker" 11 | } 12 | } 13 | }, 14 | "scope": { 15 | "domain": { 16 | "name": "Default" 17 | } 18 | } 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/auth/requests/domain-name-token.json: -------------------------------------------------------------------------------- 1 | { 2 | "auth": { 3 | "identity": { 4 | "methods": [ 5 | "token" 6 | ], 7 | "token": { 8 | "id": "'$OS_TOKEN'" 9 | } 10 | }, 11 | "scope": { 12 | "domain": { 13 | "name": "Default" 14 | } 15 | } 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/auth/requests/project-id-token.json: -------------------------------------------------------------------------------- 1 | { 2 | "auth": { 3 | "identity": { 4 | "methods": [ 5 | "token" 6 | ], 7 | "token": { 8 | "id": "'$OS_TOKEN'" 9 | } 10 | }, 11 | "scope": { 12 | "project": { 13 | "id": "a6944d763bf64ee6a275f1263fae0352" 14 | } 15 | } 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/auth/requests/project-id-totp.json: -------------------------------------------------------------------------------- 1 | { 2 | "auth": { 3 | "identity": { 4 | "methods": [ 5 | "totp" 6 | ], 7 | "totp": { 8 | "user": { 9 | "id": "ee4dfb6e5540447cb3741905149d9b6e", 10 | "passcode": "123456" 11 | } 12 | } 13 | }, 14 | "scope": { 15 | "project": { 16 | "id": "a6944d763bf64ee6a275f1263fae0352" 17 | } 18 | } 19 | } 20 | } 21 | 
-------------------------------------------------------------------------------- /api-ref/source/v3/samples/auth/requests/project-name-token.json: -------------------------------------------------------------------------------- 1 | { 2 | "auth": { 3 | "identity": { 4 | "methods": [ 5 | "token" 6 | ], 7 | "token": { 8 | "id": "'$OS_TOKEN'" 9 | } 10 | }, 11 | "scope": { 12 | "project": { 13 | "domain": { 14 | "id": "default" 15 | }, 16 | "name": "admin" 17 | } 18 | } 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/auth/requests/system-password.json: -------------------------------------------------------------------------------- 1 | { 2 | "auth": { 3 | "identity": { 4 | "methods": [ 5 | "password" 6 | ], 7 | "password": { 8 | "user": { 9 | "id": "ee4dfb6e5540447cb3741905149d9b6e", 10 | "password": "devstacker" 11 | } 12 | } 13 | }, 14 | "scope": { 15 | "system": { 16 | "all": true 17 | } 18 | } 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /api-ref/source/v3/samples/auth/requests/system-token.json: -------------------------------------------------------------------------------- 1 | { 2 | "auth": { 3 | "identity": { 4 | "methods": [ 5 | "token" 6 | ], 7 | "token": { 8 | "id": "'$OS_TOKEN'" 9 | } 10 | }, 11 | "scope": { 12 | "system": { 13 | "all": true 14 | } 15 | } 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /config-generator/keystone-policy-generator.conf: -------------------------------------------------------------------------------- 1 | [DEFAULT] 2 | output_file = etc/keystone.policy.yaml.sample 3 | namespace = keystone 4 | -------------------------------------------------------------------------------- /config-generator/keystone.conf: -------------------------------------------------------------------------------- 1 | [DEFAULT] 2 | output_file = etc/keystone.conf.sample 3 | 
wrap_width = 79 4 | namespace = keystone 5 | namespace = oslo.cache 6 | namespace = oslo.log 7 | namespace = oslo.messaging 8 | namespace = oslo.policy 9 | namespace = oslo.db 10 | namespace = oslo.middleware 11 | namespace = osprofiler 12 | # We don't use oslo.concurrency config options in 13 | # keystone now, just in case it slips through unnoticed. 14 | #namespace = oslo.concurrency 15 | -------------------------------------------------------------------------------- /devstack/files/federation/shib_apache_alias.txt: -------------------------------------------------------------------------------- 1 | WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/keystone/main/$1 2 | -------------------------------------------------------------------------------- /devstack/tools/oidc/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/devstack/tools/oidc/__init__.py -------------------------------------------------------------------------------- /doc/README.rst: -------------------------------------------------------------------------------- 1 | Building Docs 2 | ============= 3 | 4 | Developer documentation is generated using Sphinx. To build this documentation, 5 | run the following from the root of the repository:: 6 | 7 | $ tox -e docs 8 | 9 | The documentation will be built at ``doc/build/``. 
10 | -------------------------------------------------------------------------------- /doc/ext/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/doc/ext/__init__.py -------------------------------------------------------------------------------- /doc/requirements.txt: -------------------------------------------------------------------------------- 1 | # The order of packages is significant, because pip processes them in the order 2 | # of appearance. Changing the order has an impact on the overall integration 3 | # process, which may cause wedges in the gate later. 4 | openstackdocstheme>=2.2.1 # Apache-2.0 5 | sphinx>=2.0.0,!=2.1.0 # BSD 6 | sphinxcontrib-apidoc>=0.2.0 # BSD 7 | sphinx-feature-classification>=0.3.2 # Apache-2.0 8 | reno>=3.1.0 # Apache-2.0 9 | python-ldap>=3.0.0 # PSF 10 | ldappool>=2.0.0 # MPL 11 | -------------------------------------------------------------------------------- /doc/source/_static/horizon-login-idp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/doc/source/_static/horizon-login-idp.png -------------------------------------------------------------------------------- /doc/source/_static/horizon-login-sp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/doc/source/_static/horizon-login-sp.png -------------------------------------------------------------------------------- /doc/source/admin/authentication-mechanisms.rst: -------------------------------------------------------------------------------- 1 | ========================= 2 | Authentication Mechanisms 3 | ========================= 4 | 5 | Keystone supports various methods of 
authentication beyond the standard local 6 | user and password method. 7 | 8 | .. toctree:: 9 | :maxdepth: 2 10 | 11 | multi-factor-authentication 12 | auth-totp 13 | federation/federated_identity 14 | external-authentication 15 | configure_tokenless_x509 16 | oauth1 17 | -------------------------------------------------------------------------------- /doc/source/admin/federation/federated_identity.rst: -------------------------------------------------------------------------------- 1 | ================== 2 | Federated Identity 3 | ================== 4 | 5 | .. toctree:: 6 | :maxdepth: 2 7 | 8 | introduction.rst 9 | configure_federation.rst 10 | mapping_combinations.rst 11 | -------------------------------------------------------------------------------- /doc/source/admin/figures/keystone-federation.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/doc/source/admin/figures/keystone-federation.png -------------------------------------------------------------------------------- /doc/source/admin/getting-started.rst: -------------------------------------------------------------------------------- 1 | =============== 2 | Getting Started 3 | =============== 4 | 5 | Everything you need to get started administering a keystone deployment. 6 | 7 | .. toctree:: 8 | :maxdepth: 1 9 | 10 | identity-concepts 11 | identity-sources 12 | bootstrap 13 | cli-manage-projects-users-and-roles 14 | manage-services 15 | -------------------------------------------------------------------------------- /doc/source/admin/keystone-features.rst: -------------------------------------------------------------------------------- 1 | ========================== 2 | Advanced Keystone Features 3 | ========================== 4 | 5 | Guides to lesser-known features of keystone. 6 | 7 | .. 
toctree:: 8 | :maxdepth: 2 9 | 10 | unified-limits 11 | resource-options 12 | credential-encryption 13 | health-check-middleware 14 | event_notifications 15 | -------------------------------------------------------------------------------- /doc/source/admin/operations.rst: -------------------------------------------------------------------------------- 1 | =================== 2 | Keystone Operations 3 | =================== 4 | 5 | Guides for managing day-to-day operations of keystone and understanding your 6 | deployment. 7 | 8 | .. toctree:: 9 | :maxdepth: 1 10 | 11 | upgrading 12 | case-insensitive 13 | manage-trusts 14 | -------------------------------------------------------------------------------- /doc/source/admin/tokens.rst: -------------------------------------------------------------------------------- 1 | ========================= 2 | All about keystone tokens 3 | ========================= 4 | 5 | Everything you need to know about keystone tokens. 6 | 7 | .. toctree:: 8 | :maxdepth: 2 9 | 10 | tokens-overview 11 | fernet-token-faq 12 | jws-key-rotation 13 | token-provider 14 | -------------------------------------------------------------------------------- /doc/source/code_documentation.rst: -------------------------------------------------------------------------------- 1 | Code Documentation 2 | ================== 3 | .. toctree:: 4 | :maxdepth: 1 5 | 6 | api/modules -------------------------------------------------------------------------------- /doc/source/configuration/samples/index.rst: -------------------------------------------------------------------------------- 1 | ========================== 2 | Sample configuration files 3 | ========================== 4 | 5 | Configuration files can alter how keystone behaves at runtime and by default 6 | are located in ``/etc/keystone/``. Links to sample configuration files can be 7 | found below: 8 | 9 | .. 
toctree:: 10 | 11 | keystone-conf.rst 12 | logging-conf.rst 13 | policy-yaml.rst 14 | -------------------------------------------------------------------------------- /doc/source/configuration/samples/keystone-conf.rst: -------------------------------------------------------------------------------- 1 | ============= 2 | keystone.conf 3 | ============= 4 | 5 | Use the ``keystone.conf`` file to configure most Identity service 6 | options. This sample configuration can also be viewed in `raw 7 | format <../../_static/keystone.conf.sample>`_. 8 | 9 | 10 | .. literalinclude:: ../../_static/keystone.conf.sample 11 | -------------------------------------------------------------------------------- /doc/source/configuration/samples/logging-conf.rst: -------------------------------------------------------------------------------- 1 | ============ 2 | logging.conf 3 | ============ 4 | 5 | You can specify a special logging configuration file in the ``keystone.conf`` 6 | configuration file. For example, ``/etc/keystone/logging.conf``. 7 | 8 | For details, see the `Python logging module documentation 9 | <https://docs.python.org/3/library/logging.html>`__. 10 | 11 | .. literalinclude:: ../../../../etc/logging.conf.sample 12 | -------------------------------------------------------------------------------- /doc/source/configuration/samples/policy-yaml.rst: -------------------------------------------------------------------------------- 1 | =========== 2 | policy.yaml 3 | =========== 4 | 5 | Use the ``policy.yaml`` file to define additional access controls that apply to 6 | the Identity service: 7 | 8 | .. literalinclude:: ../../_static/keystone.policy.yaml.sample 9 | -------------------------------------------------------------------------------- /doc/source/getting-started/index.rst: -------------------------------------------------------------------------------- 1 | =============== 2 | Getting Started 3 | =============== 4 | 5 | ..
toctree:: 6 | :maxdepth: 1 7 | 8 | architecture.rst 9 | policy_mapping.rst 10 | community.rst 11 | -------------------------------------------------------------------------------- /doc/source/indices-tables.rst: -------------------------------------------------------------------------------- 1 | Indices and tables 2 | ================== 3 | 4 | * :ref:`genindex` 5 | * :ref:`modindex` 6 | * :ref:`search` -------------------------------------------------------------------------------- /doc/source/install/get-started-rdo.rst: -------------------------------------------------------------------------------- 1 | .. include:: common/get-started-identity.inc 2 | -------------------------------------------------------------------------------- /doc/source/install/get-started-ubuntu.rst: -------------------------------------------------------------------------------- 1 | .. include:: common/get-started-identity.inc 2 | -------------------------------------------------------------------------------- /doc/source/install/keystone-openrc-rdo.rst: -------------------------------------------------------------------------------- 1 | .. include:: common/openrc.inc 2 | -------------------------------------------------------------------------------- /doc/source/install/keystone-openrc-ubuntu.rst: -------------------------------------------------------------------------------- 1 | .. include:: common/openrc.inc 2 | -------------------------------------------------------------------------------- /doc/source/install/keystone-users-rdo.rst: -------------------------------------------------------------------------------- 1 | .. include:: common/keystone-users.inc 2 | -------------------------------------------------------------------------------- /doc/source/install/keystone-users-ubuntu.rst: -------------------------------------------------------------------------------- 1 | .. 
include:: common/keystone-users.inc 2 | -------------------------------------------------------------------------------- /doc/source/install/shared/note_configuration_vary_by_distribution.rst: -------------------------------------------------------------------------------- 1 | .. note:: 2 | 3 | Default configuration files vary by distribution. You might need 4 | to add these sections and options rather than modifying existing 5 | sections and options. Also, an ellipsis (``...``) in the configuration 6 | snippets indicates potential default configuration options that you 7 | should retain. 8 | -------------------------------------------------------------------------------- /etc/README.txt: -------------------------------------------------------------------------------- 1 | To generate the sample keystone.conf and keystone.policy.yaml files, run the 2 | following commands from the top level of the keystone directory: 3 | 4 | tox -egenconfig 5 | tox -egenpolicy 6 | 7 | For a pre-generated example of the latest files, see: 8 | 9 | https://docs.openstack.org/keystone/latest/configuration/samples/index.html 10 | -------------------------------------------------------------------------------- /httpd/README: -------------------------------------------------------------------------------- 1 | Documentation for running Keystone with Apache HTTPD is in 2 | doc/source/install/ 3 | -------------------------------------------------------------------------------- /httpd/uwsgi-keystone.conf: -------------------------------------------------------------------------------- 1 | Listen 5000 2 | Listen 35357 3 | 4 | 5 | ProxyPass / uwsgi://127.0.0.1:5001/ 6 | 7 | 8 | 9 | ProxyPass / uwsgi://127.0.0.1:35358/ 10 | 11 | 12 | ProxyPass /identity uwsgi://127.0.0.1:5001/ 13 | ProxyPass /identity_admin uwsgi://127.0.0.1:35358/ 14 | -------------------------------------------------------------------------------- /keystone/__init__.py: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/__init__.py -------------------------------------------------------------------------------- /keystone/api/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/api/__init__.py -------------------------------------------------------------------------------- /keystone/api/_shared/__init__.py: -------------------------------------------------------------------------------- 1 | # flake8: noqa 2 | 3 | # NOTE(morgan): The keystone.api._shared module is explicitly for shared code 4 | # between the APIs that should not be duplicated. This occurs infrequently. 5 | # For the most part adding a new file or code to anything in this module is 6 | # incorrect. If you are unsure of what you are doing, do not add code here. 7 | 8 | # WARNING: THIS FILE SHOULD CONTAIN NO CODE, it is explicitly ignored by 9 | # flake8 completely. 
10 | -------------------------------------------------------------------------------- /keystone/application_credential/backends/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/application_credential/backends/__init__.py -------------------------------------------------------------------------------- /keystone/assignment/backends/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/assignment/backends/__init__.py -------------------------------------------------------------------------------- /keystone/assignment/role_backends/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/assignment/role_backends/__init__.py -------------------------------------------------------------------------------- /keystone/catalog/backends/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/catalog/backends/__init__.py -------------------------------------------------------------------------------- /keystone/cmd/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/cmd/__init__.py -------------------------------------------------------------------------------- /keystone/common/__init__.py: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/common/__init__.py -------------------------------------------------------------------------------- /keystone/common/sql/migrations/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/common/sql/migrations/__init__.py -------------------------------------------------------------------------------- /keystone/common/sql/migrations/versions/CONTRACT_HEAD: -------------------------------------------------------------------------------- 1 | c88cdce8f248 2 | -------------------------------------------------------------------------------- /keystone/common/sql/migrations/versions/EXPAND_HEAD: -------------------------------------------------------------------------------- 1 | 47147121 2 | -------------------------------------------------------------------------------- /keystone/credential/backends/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/credential/backends/__init__.py -------------------------------------------------------------------------------- /keystone/credential/providers/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/credential/providers/__init__.py -------------------------------------------------------------------------------- /keystone/endpoint_policy/backends/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/endpoint_policy/backends/__init__.py 
-------------------------------------------------------------------------------- /keystone/federation/backends/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/federation/backends/__init__.py -------------------------------------------------------------------------------- /keystone/identity/backends/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/identity/backends/__init__.py -------------------------------------------------------------------------------- /keystone/identity/id_generators/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/identity/id_generators/__init__.py -------------------------------------------------------------------------------- /keystone/identity/mapping_backends/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/identity/mapping_backends/__init__.py -------------------------------------------------------------------------------- /keystone/identity/shadow_backends/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/identity/shadow_backends/__init__.py -------------------------------------------------------------------------------- /keystone/limit/backends/__init__.py: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/limit/backends/__init__.py -------------------------------------------------------------------------------- /keystone/limit/models/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/limit/models/__init__.py -------------------------------------------------------------------------------- /keystone/models/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/models/__init__.py -------------------------------------------------------------------------------- /keystone/oauth1/backends/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/oauth1/backends/__init__.py -------------------------------------------------------------------------------- /keystone/oauth2/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/oauth2/__init__.py -------------------------------------------------------------------------------- /keystone/policy/backends/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/policy/backends/__init__.py -------------------------------------------------------------------------------- /keystone/receipt/providers/__init__.py: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/receipt/providers/__init__.py -------------------------------------------------------------------------------- /keystone/resource/backends/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/resource/backends/__init__.py -------------------------------------------------------------------------------- /keystone/resource/config_backends/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/resource/config_backends/__init__.py -------------------------------------------------------------------------------- /keystone/revoke/backends/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/revoke/backends/__init__.py -------------------------------------------------------------------------------- /keystone/server/flask/request_processing/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/server/flask/request_processing/__init__.py -------------------------------------------------------------------------------- /keystone/server/flask/request_processing/middleware/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/server/flask/request_processing/middleware/__init__.py -------------------------------------------------------------------------------- 
/keystone/tests/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/tests/__init__.py -------------------------------------------------------------------------------- /keystone/tests/common/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/tests/common/__init__.py -------------------------------------------------------------------------------- /keystone/tests/functional/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/tests/functional/__init__.py -------------------------------------------------------------------------------- /keystone/tests/functional/shared/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/tests/functional/shared/__init__.py -------------------------------------------------------------------------------- /keystone/tests/hacking/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/tests/hacking/__init__.py -------------------------------------------------------------------------------- /keystone/tests/protection/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/tests/protection/__init__.py -------------------------------------------------------------------------------- 
/keystone/tests/protection/v3/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/tests/protection/v3/__init__.py -------------------------------------------------------------------------------- /keystone/tests/unit/application_credential/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/tests/unit/application_credential/__init__.py -------------------------------------------------------------------------------- /keystone/tests/unit/application_credential/backends/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/tests/unit/application_credential/backends/__init__.py -------------------------------------------------------------------------------- /keystone/tests/unit/assignment/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/tests/unit/assignment/__init__.py -------------------------------------------------------------------------------- /keystone/tests/unit/assignment/role_backends/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/tests/unit/assignment/role_backends/__init__.py -------------------------------------------------------------------------------- /keystone/tests/unit/auth/__init__.py: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/tests/unit/auth/__init__.py -------------------------------------------------------------------------------- /keystone/tests/unit/auth/plugins/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/tests/unit/auth/plugins/__init__.py -------------------------------------------------------------------------------- /keystone/tests/unit/backend/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/tests/unit/backend/__init__.py -------------------------------------------------------------------------------- /keystone/tests/unit/catalog/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/tests/unit/catalog/__init__.py -------------------------------------------------------------------------------- /keystone/tests/unit/common/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/tests/unit/common/__init__.py -------------------------------------------------------------------------------- /keystone/tests/unit/common/sql/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/tests/unit/common/sql/__init__.py -------------------------------------------------------------------------------- /keystone/tests/unit/config_files/backend_ldap.conf: 
-------------------------------------------------------------------------------- 1 | [ldap] 2 | url = fake://memory 3 | user = cn=Admin 4 | password = password 5 | suffix = cn=example,cn=com 6 | -------------------------------------------------------------------------------- /keystone/tests/unit/config_files/backend_ldap_sql.conf: -------------------------------------------------------------------------------- 1 | [database] 2 | #For a specific location file based SQLite use: 3 | #connection = sqlite:////tmp/keystone.db 4 | #To Test MySQL: 5 | #connection = mysql+pymysql://keystone:keystone@localhost/keystone?charset=utf8 6 | #To Test PostgreSQL: 7 | #connection = postgresql://keystone:keystone@localhost/keystone?client_encoding=utf8 8 | connection_recycle_time = 200 9 | 10 | [ldap] 11 | url = fake://memory 12 | user = cn=Admin 13 | password = password 14 | suffix = cn=example,cn=com 15 | -------------------------------------------------------------------------------- /keystone/tests/unit/config_files/backend_liveldap.conf: -------------------------------------------------------------------------------- 1 | [ldap] 2 | url = ldap://localhost 3 | user = cn=Manager,dc=openstack,dc=org 4 | password = test 5 | suffix = dc=openstack,dc=org 6 | group_tree_dn = ou=UserGroups,dc=openstack,dc=org 7 | user_tree_dn = ou=Users,dc=openstack,dc=org 8 | user_enabled_emulation = True 9 | user_mail_attribute = mail 10 | -------------------------------------------------------------------------------- /keystone/tests/unit/config_files/backend_multi_ldap_sql.conf: -------------------------------------------------------------------------------- 1 | [database] 2 | connection = sqlite:// 3 | #For a file based sqlite use 4 | #connection = sqlite:////tmp/keystone.db 5 | #To Test MySQL: 6 | #connection = mysql+pymysql://keystone:keystone@localhost/keystone?charset=utf8 7 | #To Test PostgreSQL: 8 | #connection = postgresql://keystone:keystone@localhost/keystone?client_encoding=utf8 9 | 
connection_recycle_time = 200 10 | -------------------------------------------------------------------------------- /keystone/tests/unit/config_files/backend_sql.conf: -------------------------------------------------------------------------------- 1 | [database] 2 | #For a specific location file based SQLite use: 3 | #connection = sqlite:////tmp/keystone.db 4 | #To Test MySQL: 5 | #connection = mysql+pymysql://keystone:keystone@localhost/keystone?charset=utf8 6 | #To Test PostgreSQL: 7 | #connection = postgresql://keystone:keystone@localhost/keystone?client_encoding=utf8 8 | connection_recycle_time = 200 9 | -------------------------------------------------------------------------------- /keystone/tests/unit/config_files/backend_tls_liveldap.conf: -------------------------------------------------------------------------------- 1 | [ldap] 2 | url = ldap:// 3 | user = dc=Manager,dc=openstack,dc=org 4 | password = test 5 | suffix = dc=openstack,dc=org 6 | group_tree_dn = ou=UserGroups,dc=openstack,dc=org 7 | user_tree_dn = ou=Users,dc=openstack,dc=org 8 | user_enabled_emulation = True 9 | user_mail_attribute = mail 10 | use_tls = True 11 | tls_cacertfile = /etc/keystone/ssl/certs/cacert.pem 12 | tls_cacertdir = /etc/keystone/ssl/certs/ 13 | tls_req_cert = demand 14 | -------------------------------------------------------------------------------- /keystone/tests/unit/config_files/domain_configs_default_ldap_one_sql/keystone.domain1.conf: -------------------------------------------------------------------------------- 1 | # The domain-specific configuration file for the test domain 2 | # 'domain1' for use with unit tests. 
3 | 4 | [identity] 5 | driver = sql -------------------------------------------------------------------------------- /keystone/tests/unit/config_files/domain_configs_multi_ldap/keystone.Default.conf: -------------------------------------------------------------------------------- 1 | # The domain-specific configuration file for the default domain for 2 | # use with unit tests. 3 | # 4 | # The domain_name of the default domain is 'Default', hence the 5 | # strange mix of upper/lower case in the file name. 6 | 7 | [ldap] 8 | url = fake://memory 9 | user = cn=Admin 10 | password = password 11 | suffix = cn=example,cn=com 12 | 13 | [identity] 14 | driver = ldap 15 | -------------------------------------------------------------------------------- /keystone/tests/unit/config_files/domain_configs_multi_ldap/keystone.domain1.conf: -------------------------------------------------------------------------------- 1 | # The domain-specific configuration file for the test domain 2 | # 'domain1' for use with unit tests. 3 | 4 | [ldap] 5 | url = fake://memory1 6 | user = cn=Admin 7 | password = password 8 | suffix = cn=example,cn=com 9 | 10 | [identity] 11 | driver = ldap 12 | list_limit = 101 13 | -------------------------------------------------------------------------------- /keystone/tests/unit/config_files/domain_configs_multi_ldap/keystone.domain2.conf: -------------------------------------------------------------------------------- 1 | # The domain-specific configuration file for the test domain 2 | # 'domain2' for use with unit tests. 
3 | 4 | [ldap] 5 | url = fake://memory 6 | user = cn=Admin 7 | password = password 8 | suffix = cn=myroot,cn=com 9 | group_tree_dn = ou=UserGroups,dc=myroot,dc=org 10 | user_tree_dn = ou=Users,dc=myroot,dc=org 11 | 12 | [identity] 13 | driver = ldap -------------------------------------------------------------------------------- /keystone/tests/unit/config_files/domain_configs_one_extra_sql/keystone.domain2.conf: -------------------------------------------------------------------------------- 1 | # The domain-specific configuration file for the test domain 2 | # 'domain2' for use with unit tests. 3 | 4 | [identity] 5 | driver = sql -------------------------------------------------------------------------------- /keystone/tests/unit/config_files/domain_configs_one_sql_one_ldap/keystone.Default.conf: -------------------------------------------------------------------------------- 1 | # The domain-specific configuration file for the default domain for 2 | # use with unit tests. 3 | # 4 | # The domain_name of the default domain is 'Default', hence the 5 | # strange mix of upper/lower case in the file name. 6 | 7 | [ldap] 8 | url = fake://memory 9 | user = cn=Admin 10 | password = password 11 | suffix = cn=example,cn=com 12 | 13 | [identity] 14 | driver = ldap -------------------------------------------------------------------------------- /keystone/tests/unit/config_files/domain_configs_one_sql_one_ldap/keystone.domain1.conf: -------------------------------------------------------------------------------- 1 | # The domain-specific configuration file for the test domain 2 | # 'domain1' for use with unit tests. 
3 | 4 | [identity] 5 | driver = sql -------------------------------------------------------------------------------- /keystone/tests/unit/config_files/test_auth_plugin.conf: -------------------------------------------------------------------------------- 1 | [auth] 2 | methods = external,password,token,simple_challenge_response,saml2,openid,x509,mapped 3 | simple_challenge_response = keystone.tests.unit.test_auth_plugin.SimpleChallengeResponse 4 | 5 | -------------------------------------------------------------------------------- /keystone/tests/unit/contrib/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/tests/unit/contrib/__init__.py -------------------------------------------------------------------------------- /keystone/tests/unit/contrib/federation/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/tests/unit/contrib/federation/__init__.py -------------------------------------------------------------------------------- /keystone/tests/unit/credential/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/tests/unit/credential/__init__.py -------------------------------------------------------------------------------- /keystone/tests/unit/endpoint_policy/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/tests/unit/endpoint_policy/__init__.py -------------------------------------------------------------------------------- /keystone/tests/unit/endpoint_policy/backends/__init__.py: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/tests/unit/endpoint_policy/backends/__init__.py -------------------------------------------------------------------------------- /keystone/tests/unit/external/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/tests/unit/external/__init__.py -------------------------------------------------------------------------------- /keystone/tests/unit/federation/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/tests/unit/federation/__init__.py -------------------------------------------------------------------------------- /keystone/tests/unit/identity/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/tests/unit/identity/__init__.py -------------------------------------------------------------------------------- /keystone/tests/unit/identity/backends/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/tests/unit/identity/backends/__init__.py -------------------------------------------------------------------------------- /keystone/tests/unit/identity/shadow_users/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/tests/unit/identity/shadow_users/__init__.py 
-------------------------------------------------------------------------------- /keystone/tests/unit/limit/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/tests/unit/limit/__init__.py -------------------------------------------------------------------------------- /keystone/tests/unit/policy/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/tests/unit/policy/__init__.py -------------------------------------------------------------------------------- /keystone/tests/unit/policy/backends/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/tests/unit/policy/backends/__init__.py -------------------------------------------------------------------------------- /keystone/tests/unit/receipt/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/tests/unit/receipt/__init__.py -------------------------------------------------------------------------------- /keystone/tests/unit/resource/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/tests/unit/resource/__init__.py -------------------------------------------------------------------------------- /keystone/tests/unit/resource/backends/__init__.py: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/tests/unit/resource/backends/__init__.py -------------------------------------------------------------------------------- /keystone/tests/unit/resource/config_backends/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/tests/unit/resource/config_backends/__init__.py -------------------------------------------------------------------------------- /keystone/tests/unit/server/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/tests/unit/server/__init__.py -------------------------------------------------------------------------------- /keystone/tests/unit/tests/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/tests/unit/tests/__init__.py -------------------------------------------------------------------------------- /keystone/tests/unit/token/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/tests/unit/token/__init__.py -------------------------------------------------------------------------------- /keystone/tests/unit/trust/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/tests/unit/trust/__init__.py -------------------------------------------------------------------------------- /keystone/token/providers/__init__.py: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/token/providers/__init__.py -------------------------------------------------------------------------------- /keystone/trust/backends/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/trust/backends/__init__.py -------------------------------------------------------------------------------- /keystone/wsgi/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/keystone/wsgi/__init__.py -------------------------------------------------------------------------------- /playbooks/enable-fips.yaml: -------------------------------------------------------------------------------- 1 | - hosts: all 2 | tasks: 3 | - include_role: 4 | name: enable-fips 5 | -------------------------------------------------------------------------------- /pyproject.toml: -------------------------------------------------------------------------------- 1 | [build-system] 2 | requires = ["pbr>=6.1.1"] 3 | build-backend = "pbr.build" 4 | -------------------------------------------------------------------------------- /rally-jobs/README.rst: -------------------------------------------------------------------------------- 1 | This directory contains rally benchmark scenarios to be run by OpenStack CI. 
2 | 3 | 4 | * more about rally: https://rally.readthedocs.io/en/latest/ 5 | * how to add rally-gates: https://rally.readthedocs.io/en/latest/quick_start/gates.html 6 | -------------------------------------------------------------------------------- /releasenotes/notes/.placeholder: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/releasenotes/notes/.placeholder -------------------------------------------------------------------------------- /releasenotes/notes/Role_V9_driver-971c3aae14d9963d.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | deprecations: 3 | - > 4 | [`blueprint deprecated-as-of-mitaka `_] 5 | The V8 Role driver interface is deprecated. Support for the V8 Role driver 6 | interface is planned to be removed in the 'O' release of OpenStack. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/V9ResourceDriver-26716f97c0cc1a80.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | deprecations: 3 | - The V8 Resource driver interface is deprecated. Support for the V8 4 | Resource driver interface is planned to be removed in the 'O' release of 5 | OpenStack. 6 | -------------------------------------------------------------------------------- /releasenotes/notes/add-description-to-role-88ab5bb8a96cc002.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | [`bug 1669080 `_] 5 | Added support for a ``description`` attribute for V3 Identity Roles, see 6 | API docs for details. 
7 | -------------------------------------------------------------------------------- /releasenotes/notes/add-expires-at-int-to-trusts-60ae3c5d0c00808a.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - | 4 | The trusts table now has an expires_at_int column that represents the 5 | expiration time as an integer instead of a datetime object. This will 6 | prevent rounding errors related to the way date objects are stored in some 7 | versions of MySQL. The expires_at column remains, but will be dropped in 8 | Rocky. 9 | -------------------------------------------------------------------------------- /releasenotes/notes/add-limit-description-c1f42641d9c6c33d.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - > 4 | [`bug 1754185 `_] 5 | Registered limits and project limits now support an optional, nullable 6 | property called `description`. Users can create/update a registered limit 7 | or project limit with `description` now. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/add_bcrypt_sha256_algo-d6b146a59df9373c.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | Added support for the ``bcrypt_sha256`` password hashing algorithm, which 5 | works around the password length limitation of BCrypt by running the 6 | password through HMAC-SHA2-256 first. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/add_password_expires_at_to_user_response-22f14ab629c48bc2.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - We have added the ``password_expires_at`` attribute to 4 | the user response object.
5 | -------------------------------------------------------------------------------- /releasenotes/notes/bcrypt_truncation_fix-674dc5d7f1e776f2.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | Passwords that are hashed using bcrypt are now truncated properly to the 5 | maximum length allowed by the algorithm. This fixes a regression in which 6 | passwords longer than 54 symbols were invalidated after the 7 | Keystone upgrade. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/bp-domain-config-default-82e42d946ee7cb43.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - > 4 | [`blueprint domain-config-default `_] 5 | The Identity API now supports retrieving the default values for the 6 | configuration options that can be overridden via the domain specific 7 | configuration API. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/bp-json-web-tokens-37ce3bcd1356cf1b.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | [`blueprint json-web-tokens `_] 5 | Keystone now supports a JSON Web Signature (JWS) token provider in addition 6 | to fernet tokens. Fernet tokens remain the default token provider. Full 7 | details can be found in the `specification 8 | `_. 9 | -------------------------------------------------------------------------------- /releasenotes/notes/bp-manage-migration-c398963a943a89fe.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - > 4 | [`blueprint manage-migration `_] 5 | Upgrading keystone to a new version can now be undertaken as a rolling 6 | upgrade using the `--expand`, `--migrate` and `--contract` options of the 7 | `keystone-manage db_sync` command.
8 | -------------------------------------------------------------------------------- /releasenotes/notes/bp-support-federated-attr-94084d4073f50280.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - > 4 | [`blueprint support-federated-attr `_] 5 | Added new filters to the `list user` API (``GET /v3/users``) to support 6 | querying federated identity attributes: ``idp_id``, ``protocol_id``, and 7 | ``unique_id``. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/bp-upgrade-checks-0dc692a392a96879.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | [`Community Goal `_] 5 | Support has been added for developers to write pre-upgrade checks. 6 | Operators can run these checks using ``keystone-status upgrade check``. 7 | This allows operators to be more confident when upgrading their deployments 8 | by having a tool that automates programmable checks against the deployment 9 | configuration or dataset. 10 | -------------------------------------------------------------------------------- /releasenotes/notes/bp-url-safe-naming-ad90d6a659f5bf3c.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - > 4 | [`blueprint url-safe-naming `_] 5 | The names of projects and domains can optionally be ensured to be url safe, 6 | to support the future ability to specify projects using hierarchical 7 | naming. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1291157-00b5c714a097e84c.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1291157 `_] 5 | Identity provider information is now validated during token validation.
6 | If an identity provider is removed from a keystone service provider, tokens 7 | associated to that identity provider will be considered invalid. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1332058-f25e2de40411b711.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | [`bug 1332058 `_] 5 | ``keystone-manage doctor`` now checks that keystone can establish 6 | connections to Memcached, if configured. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1519210-de76097c974f9c93.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - > 4 | [`bug 1519210 `_] 5 | A user may now opt-out of notifications by specifying a list of 6 | event types using the `notification_opt_out` option in `keystone.conf`. 7 | These events are never sent to a messaging service. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1524030-0814724d5c2b7c8d.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1524030 `_] 5 | Revocation records are no longer written to the ``revocation_event`` table 6 | when a domain or project is disabled. These records were only ever used 7 | during the token validation process. In favor of revocation events, the 8 | project or domain will be validated online when the token is validated. This 9 | results in less database bloat while maintaining security during token 10 | validation. 
11 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1535878-change-get_project-permission-e460af1256a2c056.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - > 4 | [`bug 1535878 `_] 5 | Originally, to perform GET /projects/{project_id}, the provided policy 6 | files required a user to have at least project admin level of permission. 7 | They have been updated to allow it to be performed by any user who has a 8 | role on the project. 9 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1563101-134df5b99ea48f00.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | other: 3 | - > 4 | [`bug 1563101 `_] 5 | The token provider driver interface has moved from 6 | ``keystone.token.provider.Provider`` to ``keystone.token.providers.base.Provider``. 7 | If implementing a custom token provider, subclass from the new location. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1571878-1bcaea5337905af0.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - > 4 | [`bug 1571878 `_] 5 | A valid ``mapping_id`` is now required when creating or updating a 6 | federation protocol. If the ``mapping_id`` does not exist, a 7 | ``400 - Bad Request`` will be returned. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1590587-domain-specific-role-assignment-8f120604a6625852.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - > 4 | [`bug 1590587 `_] 5 | When assigning Domain Specific Roles, the domain of the role and the 6 | domain of the project must match. This is now validated and the REST 7 | call will return a 403 Forbidden. 
8 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1594482-52a5dd1d8477b694.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - > 4 | [`bug 1594482 `_] 5 | When using list_limit config option, the GET /services?name={service_name} 6 | API was first truncating the list and afterwards filtering by name. 7 | The API was fixed to first filter by name and only afterwards truncate the 8 | result list to the desired limit. 9 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1611102-e1348cbec9b1110a.yaml: -------------------------------------------------------------------------------- 1 | 2 | --- 3 | other: 4 | - > 5 | [`bug 1611102 `_] 6 | The methods ``list_endpoints_for_policy()`` and ``get_policy_for_endpoint()`` 7 | have been removed from the ``keystone.endpoint_policy.backends.base.EndpointPolicyDriverBase`` 8 | abstract class, they were unused. -------------------------------------------------------------------------------- /releasenotes/notes/bug-1613466-credential-update-ec2-type-8fb51ff3ad3a449c.yaml: -------------------------------------------------------------------------------- 1 | fixes: 2 | - > 3 | [`bug 1613466 `_] 4 | Credentials update to ec2 type originally accepted credentials with no 5 | project ID set, this would lead to an error when trying to use such credential. 6 | This behavior has been blocked, so creating a non-ec2 credential with no 7 | project ID and updating it to ec2 without providing a project ID will fail with 8 | a `400 Bad Request` error. 9 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1615014-b30f606a2d202428.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1615014 `_] 5 | Migration order is now strictly enforced. 
The upgrade process is now ensured to be 6 | done in the order in which it is officially documented and supported, starting with 7 | `expand`, then `migrate`, and finishing with `contract`. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1616424-c46ba773f7ac40ae.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - > 4 | [`bug 1616424 `_] 5 | Provide better exception messages when creating OAuth request tokens and 6 | OAuth access tokens via the ``/v3/OS-OAUTH1/request_token`` and 7 | ``/v3/OS-OAUTH1/access_token`` APIs, respectively. -------------------------------------------------------------------------------- /releasenotes/notes/bug-1638603-354ee4167e6e.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - > 4 | [`bug 1638603 `_] 5 | Add support for nested groups in Active Directory. A new boolean option 6 | ``[ldap] group_ad_nesting`` has been added; it defaults to ``False``. 7 | Enable the option if using Active Directory with nested groups. This 8 | option will impact the ``list_users_in_group``, ``list_groups_for_user``, 9 | and ``check_user_in_group`` operations. -------------------------------------------------------------------------------- /releasenotes/notes/bug-1641625-fe463874dc5edb10.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | [`bug 1641625 `_] 5 | The keystone configured as an identity provider now includes an additional 6 | attribute called `openstack_groups` in the assertion when generating SAML 7 | assertions.
8 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1641645-516709f9da3de26f.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | [`bug 1641645 `_] 5 | RBAC protection was removed from the `Self-service change user password` API 6 | (``/v3/user/$user_id/password``), meaning, a user can now change their password 7 | without a token specified in the ``X-Auth-Token`` header. This change will 8 | allow a user, with an expired password, to update their password without the 9 | need of an administrator. 10 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1641816-8b39f3f73359c778.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - > 4 | [`bug 1641816 `_] 5 | The ``[token] cache_on_issue`` option is now enabled by default. This option 6 | has no effect unless global caching and token caching are enabled. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1642212-9964dfd3af0184bd.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - Added an option ``--check`` to ``keystone-manage db_sync``, the option will 4 | allow a user to check the status of rolling upgrades in the database. 5 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1642348-83d4c86ad3984d75.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - > 4 | [`bug 1642348 `_] 5 | Added new option ``[security_compliance] lockout_ignored_user_ids`` to allow 6 | deployers to specify users that are exempt from PCI lockout rules. 
7 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1642457-4533f9810a8cd927.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1642457 `_] 5 | Handle disk write and IO failures when rotating keys for Fernet tokens. 6 | Rather than creating empty keys, properly catch and log errors when 7 | unable to write to disk. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1642692-d669c8fcf9e171d9.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1642692 `_] 5 | When a `federation protocol` is deleted, all users that authenticated with 6 | the `federation protocol` will also be deleted. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1645487-ca22c216ec26cc9b.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - > 4 | [`Bug 1645487 `_] 5 | Added a new PCI-DSS feature that will require users to immediately change 6 | their password upon first use for new users and after an administrative 7 | password reset. The new feature can be enabled by setting 8 | [security_compliance] ``change_password_upon_first_use`` to ``True``. 9 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1649138-c53974f6bb0eab14.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - > 4 | [`bug 1649138 `_] 5 | When using LDAP as an identity backend, the initial bind will now 6 | occur upon creation of a connection object, i.e. early on when 7 | performing LDAP queries, no matter whether the bind is 8 | authenticated or anonymous, so that any connection errors can be 9 | handled correctly and early. 
10 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1649616-b835d1dac3401e8c.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1689616 `_] 5 | Significant improvements have been made when performing a token flush 6 | on massive data sets. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1670382-ee851ba4f364d608.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - > 4 | [`bug 1670382 `_] 5 | The ldap config group_members_are_ids has been added to the whitelisted 6 | options allowing it to now be used in the domain config API and 7 | `keystone-manage domain_config_upload` 8 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1676497-92271e25f642e2de.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1676497 `_] 5 | `bindep` now correctly reports the `openssl-devel` binary dependency for 6 | rpm distros instead of `libssl-dev`. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1684994-264fb8f182ced180.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1684994 `_] 5 | This catches the ldap.INVALID_CREDENTIALS exception thrown when 6 | trying to connect to an LDAP backend with an invalid username 7 | or password, and emits a message back to the user instead of 8 | the default 500 error message. 
9 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1687593-95e1568291ecd70b.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1687593 `_] 5 | Ensure that the URL used to make the request when creating OAUTH1 request 6 | tokens is also the URL that verifies the request token. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1688137-e4203c9a728690a7.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1688137 `_] 5 | Fixed the AccountLocked exception being shown to the end user since 6 | it provides some information that could be exploited by a 7 | malicious user. The end user will now see Unauthorized instead of 8 | AccountLocked, preventing user info oracle exploitation. 9 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1696574-15a728396350a95a.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1696574 `_] 5 | All GET APIs within keystone now have support for HEAD, if not already 6 | implemented. All new HEAD APIs have the same response codes and headers as 7 | their GET counterparts. This aids in client-side processing, especially 8 | caching. 9 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1700852-de775d0eb2ddfdd1.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1700852 `_] 5 | Keystone now supports caching of the `GET|HEAD 6 | /v3/users/{user_id}/projects` API in an effort to improve performance. 
7 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1701324-739a31f38037f77b.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1701324 `_] 5 | Token bodies now contain only unique roles in the authentication response. 6 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1702211-abb59adda73fd78e.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - | 4 | [`bug 1702211 `_] 5 | Password `created_at` field under some versions/deployments of MySQL would 6 | lose sub-second precision. This means that it was possible for passwords to 7 | be returned out-of-order when changed within one second (especially common 8 | in testing). This change stores password `created_at` and `expires_at` as 9 | an integer instead of as a DATETIME data-type. 10 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1703666-b8a990f2bf5b62f0.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1703666 `_] 5 | Fixing multi-region support for the templated v3 catalog by making sure 6 | that the catalog contains only one definition per endpoint, and that 7 | each region is listed under that endpoint. Previously each region 8 | and endpoint would have had its own definition. 9 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1704205-bc0570feeb3ec5c4.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1704205 `_] 5 | All users and groups are required to have a name. Prior to this fix, 6 | Keystone was not properly enforcing this for LDAP users and groups. 
7 | Keystone will now ignore users and groups that do not have a value for 8 | the LDAP attribute which Keystone has been configured to use for that 9 | entity's name. 10 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1727099-1af277b35db34372.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1727099 `_] 5 | When users try to change their password, the total number, which 6 | includes the new password, should not be greater than or equal to the 7 | ``unique_last_password_count`` config option. The help and error 8 | messages for this scenario were not described clearly. The messages 9 | are now updated to be clearer. 10 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1727726-0b47608811a2cd16.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1727726 `_] 5 | All users and groups are required to have a name. Prior to this fix, 6 | Keystone was allowing LDAP users and groups whose name consists only of 7 | white space. Keystone will now ignore users and groups that have 8 | only white space as the value for the LDAP attribute which Keystone has 9 | been configured to use for that entity's name. 10 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1729933-4a09201e9dface2a.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1729933 `_] 5 | The Region Update API now correctly updates extra values. Previously 6 | adding any extra values to a region via the update API would discard 7 | any added values besides the default ones. Any extra values are now 8 | correctly added and returned.
This fix was for consistency with other 9 | APIs in keystone that use 'extra' and the use of 'extra' in 10 | keystone is highly discouraged. 11 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1733754-4d9d3042b8501ec6.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1733754 `_] 5 | Keystone didn't validate the OS-TRUST:trust key of the authentication 6 | request is actually a dictionary. This results in a 500 Internal Server 7 | Error when it should really be a 400 Bad Request. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1734244-1b4ea83baa72566d.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1734244 `_] 5 | Return a 400 status code instead of a 500 when creating a trust with 6 | extra attributes in the roles parameter. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1735250-b60332a7f288cf94.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1734244 `_] 5 | Users can't set password longer than 128 if Keystone using 6 | `Sqlalchemy` < 1.1.0. Update `Sqlalchemy` to a higher version can solve 7 | this problem. 8 | [`Related Sqlalchemy Changelog `_]. 9 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1736875-c790f568c5f4d671.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - > 4 | [`bug 1736875 `_] 5 | Add schema check to return a 400 status code instead of a 500 when 6 | authorize a request token with non-id attributes in the `roles` parameter. 7 | other: 8 | - > 9 | Keystone now supports authorizing a request token by providing a role name. 
10 | A `role` in the `roles` parameter can include either a role name or role 11 | id, but not both. 12 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1738895-342864cd0285bc42.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1738895 `_] 5 | Fixed the bug that federated users can't be listed by `name` filter. Now 6 | when list users by `name`, Keystone will query both local user backend and 7 | shadow user backend. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1740951-82b7e4bd608742ab.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1740951 `_] 5 | A new method was added that made it so oslo.policy sample generation 6 | scripts can be used with keystone. The ``oslopolicy-policy-generator`` 7 | script will now generate a policy file containing overrides and defaults 8 | registered in code. 9 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1744195-a7154ac2e8556efc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1744195 `_] 5 | The SQL Foreign Key is enabled for Keystone unit tests now. This is not an 6 | end user impact fixed. But for the downstream teams, please take care of 7 | it for your private test code changes. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1746599-848a1163e52ac0a6.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1746599 `_] 5 | Fixes user email being set for federated shadow users, when the rule 6 | contains email in user. 
7 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1747694-48c8caa4871300e3.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1747694 `_] 5 | The trust API reference declared support for ``page`` and ``per_page`` 6 | query parameters, when the actual trust API didn't support them. The 7 | API reference has been updated accordingly. -------------------------------------------------------------------------------- /releasenotes/notes/bug-1748970-eb63ad2030e296f3.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1748970 `_] 5 | A bug was introduced in Queens that resulted in system role assignments 6 | being returned when querying the role assignments API for a specific role. 7 | The issue is fixed and the list of roles returned from 8 | ``GET /v3/role_assignments?role.id={role_id}`` respects system role 9 | assignments. 10 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1749264-676ca02902bcd169.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1749264 `_] 5 | A user's system role assignment will be removed when the user is deleted. 6 | 7 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1749267-96153d2fa6868f67.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1749267 `_] 5 | A group's system role assignments are removed when the group is deleted. 
6 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1750415-95ede3a9685b6e0c.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1750415 `_] 5 | Fixes an implementation fault in application credentials where the 6 | application credential reference was not populated in the token data, 7 | causing problems with the token validation when caching was disabled. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1751045-f950e3fb85e2b573.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1751045 `_] 5 | It is now possible to clean up role assignments for groups that don't exist 6 | in the identity backend. This is relevant to deployments that are backed by 7 | LDAP and groups are removed directly by LDAP and not through keystone. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1753584-e052bc7805f001b4.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1753584 `_] 5 | Fix formatting of ImportError when using a driver not found in the list 6 | of token providers. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1753585-7e11213743754999.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1753585 `_] 5 | LDAP attribute names are now matched case insensitively to comply with 6 | LDAP implementations.
-------------------------------------------------------------------------------- /releasenotes/notes/bug-1754048-correct-federated-domain-47cb889d88d7770a.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1754048 `_] 5 | The correct user domain is now reported when validating a federated token. 6 | Previously, the domain would always be validated as "Federated." -------------------------------------------------------------------------------- /releasenotes/notes/bug-1754677-13ee75ed1b473f26.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - > 4 | [`bug 1754677 `_] 5 | When you setup a user with a role assignment on a domain and then a role 6 | assignment on a project "acting as a domain", you can't actually remove them. 7 | This fixes it by filtering the query by "type" i.e either a USER_DOMAIN or 8 | a USER_PROJECT in role assignment table. -------------------------------------------------------------------------------- /releasenotes/notes/bug-1755874-9951f77c6d18431c.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1755874 `_] 5 | Users now can have the resource option ``lock_password`` set which prevents 6 | the user from utilizing the self-service password change API. Valid 7 | values are ``True``, ``False``, or "None" (where ``None`` clears the 8 | option). 9 | 10 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1756190-0e5d86d334555931.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1756190 `_] 5 | When filtering projects based on tags, the filtering will now be performed 6 | by matching a subset containing the given tags against projects, rather 7 | than exact matching. 
Providing more tags when performing a search will 8 | yield more exact results while less will return any projects that match 9 | the given tags but could contain other tags as well. 10 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1757022-664d0b0db1242bf8.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1757022 `_] 5 | In previous releases, ``keystone-manage mapping_purge --type {user,group}`` 6 | command would purge all mapping incorrectly instead of only purging the 7 | specified type mappings. ``keystone-manage mapping_purge --type {user,group}`` 8 | now purges only specified type mappings as expected. 9 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1757151-43eb3baaa175f904.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1757151 `_] 5 | More thorough documentation has been added for authorization and token 6 | scopes, which helps users and developers understand the purpose of scope 7 | and why it can be a useful tool for resource isolation and API protection. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1759289-466cdf4514de3498.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1759289 `_] 5 | The ``keystone-manage token_flush`` command no longer establishes a 6 | connection to a database, or persistence backend. Its usage should be 7 | removed if you're using a supported non-persistent token format. If you're 8 | relying on external token providers that write tokens to disk and would 9 | like to maintain this functionality, please consider porting it to a 10 | separate tool.
11 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1760521-fec5c88af214401f.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1760521 `_] 5 | Fixed the bug that the result count for ``domain list`` may lack one if 6 | the config option ``list_limit`` in [resource] is set. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1760809-711df870a9d67c0d.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1760809 `_] 5 | Identity providers registered to domains will now be cleaned up when the 6 | domain is deleted. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1763824-3d2f5169af9d42f.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1763824 `_] 5 | JSON Schema implementation ``nullable`` in keystone.common.validation now 6 | properly adds ``None`` to the enum if the enum exists. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1765193-b40318b9fb5d1c7b.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1765193 `_] 5 | The unified limit API now exposes a deployment's configured enforcement 6 | model via the ``GET /limits/model`` endpoint. 
7 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1773967-b59517a09e0e6141.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1773967 `_] 5 | Fixes an issue where users who had role assignments only via a group 6 | membership and not via direct assignment could create but not use 7 | application credentials. It is important to note that federated users who 8 | only have role assignments via a mapped group membership still cannot 9 | create application credentials. 10 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1774229-cb968e95c9d81c4d.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1774229 `_] 5 | The API reference for token management now includes more specific examples 6 | for different token scopes. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1778109-ea15ce6a8207f857.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1778109 `_] 5 | Previously the token data for a trust-scoped token may have contained 6 | duplicate roles, when implied roles were present. This is no longer the 7 | case, for the sake of accuracy and to prevent the breaking of applications 8 | which may consume this role list. 9 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1779889-12eb5edf4cc93a1d.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1779889 `_] 5 | Adds documentation about service tokens and configuring services to use 6 | service tokens for long running operations. 
7 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1779903-f2b22cf23a9e01f9.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - > 4 | [`bug 1779903 `_] 5 | When a project is deleted, the limits which belong to it will be deleted 6 | as well. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1780159-095ffa0e53be2464.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1780159 `_] 5 | Revoke the `role` cache when creating a project. This removes the delay 6 | before making it appear in the list when a user has inherited role on it. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1780503-70ca1ba3f428dd41.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1780503 `_] 5 | The notification wrapper now sets the initiator's id to the given user 6 | id. This fixes an issue where identity.authentication event would result 7 | in the initiator id being a random default UUID, rather than the user's id 8 | when said user would authenticate against keystone. 9 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1782704-0b053eaf5d801dee.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1782704 `_] 5 | Checking for non-existant configuration files is more robust to ensure 6 | proper logging to users when passing configuration information to 7 | ``keystone-manage``. 
8 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1782922-db822fda486ac773.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1782922 `_] 5 | Fixed the problem where Keystone indiscriminately returned the first RDN 6 | as the user ID, regardless of whether it matches the configured 7 | 'user_id_attribute' or not. This will break deployments where 8 | 'group_members_are_ids' is set to False and 'user_id_attribute' is not 9 | in the DN. This patch will perform a lookup by DN if the first RDN does 10 | not match the configured 'user_id_attribute'. 11 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1784536-9d1d1e149c605a1d.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - > 4 | [`bug 1784536 `_] 5 | Keystone now returns `401 Unauthorized` correctly when issuing a 6 | project-scoped token but the input project id is a domain id. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1785164-2b7ed29266eb4792.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1785164 `_] 5 | Setting resource limits on domains is explicitly unsupported. Previously, 6 | it was possible to set a limit on a domain and the response would include 7 | the domain ID as the project ID of the limit. This issue has been corrected 8 | by explicitly opting domains out of limit support. A later release may 9 | include functionality for domains to be associated to limit resources. 
10 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1788694-4dc8b3ec47fc6084.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1788694 `_] 5 | System-scoped tokens now support expanding role assignments to include 6 | implied roles in token creation and validation responses. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1789450-9dec1383ffd3de01.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1789450 `_] 5 | When a mapped group that does not exist in keystone is found, instead 6 | of throwing a 500 error, keystone will now log the instance and continue. 7 | This is expected behavior as an external IdP may specify a group that 8 | does not exist within keystone. 9 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1792026-2de8345a89e2256b.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1792026 `_] 5 | Formal documentation for user resource options has been added to the 6 | administrator guide and the API reference. This documentation helps 7 | describe how user options can improve user experience, namely for 8 | deployments looking to offer flexibility around PCI-DSS security 9 | requirements, among other things. 10 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1796887-eaea84e3f9a8ff9f.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1796887 `_] 5 | Add caching on trust role validation to improve performance. Services 6 | relying heavily on trusts are impacted as the trusts are validated against 7 | the database. 
This adds caching on those operations to improve performance 8 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1801095-6e28d7a86719da74.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - > 4 | [`bug 1801095 `_] 5 | Request ID and global request ID have been added to both basic and CADF 6 | notifications. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1801873-0eb9a5ec3e801190.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1801873 `_] 5 | This fixes an issue where an LDAP-backed domain could not be deleted due to 6 | the existence of shadow users in the SQL database. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1810393-5a7d379842c51d9b.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1810393 `_] 5 | Now when an identity provider protocol is deleted, the cache info for the 6 | related federated users will be invalidated as well. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1813085-cf24b204e95fd7f5.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1813085 `] 5 | Validation of federated domain-scoped tokens scoped to the ``default`` 6 | domain no longer results in an ``HTTP 404 Domain Not Found`` due 7 | to byte string conversion issues with msgpack in python 3. 
8 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1814589-f3e7f554bee1c317.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1814589 `_] 5 | Fixes incorrect parameters passed into 6 | keystone.federation.utils.transform_to_group_ids() which resulted 7 | in HTTP 500 internal error. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1815771-ae0e4118c552f01e.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1815771 `_] 5 | Allows operators to cache credentials to avoid lookups on the database. 6 | This operation can be turned on/off through the configuration parameter of 7 | keystone.conf [credential] caching. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1816927-e17f4e596e611380.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1816927 `_] 5 | It was discovered that the order in which fernet keys are distributed 6 | after fernet key rotation has impact on keystone service. 7 | All operators are advised to ensure that during fernet key distribution 8 | the new primary fernet key (with largest number) is distributed first. 9 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1817313-c11481e6eed29ec2.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1817313 `_] 5 | Raise METHOD NOT ALLOWED for OS-Federation protocols creation 6 | if the protocol_id is not in the URL. The corrective action was to split 7 | the LIST from CRUD resources so that the routing regexes can work as 8 | expected. 
-------------------------------------------------------------------------------- /releasenotes/notes/bug-1818845-05f8c3af5ea9abc7.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | deprecations: 3 | - | 4 | [`bug 1818845 `_] 5 | The ``identity:revocation_list`` policy has been deprecated for removal. 6 | This policy didn't actually protect the revocation list API since that API 7 | is unenforced and unprotected. It only returns an ``HTTP 410`` or ``HTTP 8 | 403`` depending on how keystone is configured. This policy can be safely 9 | removed. 10 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1819036-e2d24655c70d0aad.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1819036 `_] 5 | Middleware that processes requests in front of keystone now caches tokens 6 | per request, eliminating unnecessary round trips to validate tokens on 7 | every request. This change doesn't require the usage of any configuration 8 | options to take effect. The fix for this bug improved performance ~20% during 9 | testing and impacts most of keystone's API. 10 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1823258-9649b56a440b5ae1.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - | 4 | [`bug 1823258 `_] 5 | The ``keystone-manage bootstrap`` command now defaults to making the 6 | default roles (`admin`, `member`, and `reader`) immutable. This has the 7 | consequence that if the bootstrap command is re-run on an existing 8 | deployment, those roles will become immutable if they were not before. To 9 | opt out of this behavior, add the ``--no-immutable-roles`` flag to the 10 | bootstrap command. 
11 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1827431-2f078c13dfc9a02a.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | [`bug 1827431 `_] 5 | Added a new user option 'ignore_user_inactivity' (defaults to False). 6 | When set to True, it overrides disabling the user after being inactive 7 | for a certain time as set in the 8 | ``[security_compliance]disable_user_account_days_inactive`` option 9 | in the Keystone configuration file. 10 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1831918-c70cf87ef086d871.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1831918 `_] 5 | Credentials now log CADF audit messages. 6 | 7 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1832265-cb76ccf505c2d9d1.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1832265 `_] 5 | Binary msgpack payload types are now consistently and correctly decoded 6 | when running Keystone under Python 3, avoiding any TypeErrors when 7 | attempting to convert binary encoded strings into UUIDs. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1833739-f962e8caf3e22068.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1833739 `_] 5 | Fix PostgreSQL specific issue with storing encrypted credentials. In 6 | Python 3 the psycopg2 module treats bytes strings as binary data. This 7 | causes issues when storing encrypted credentials in the Database. 8 | To fix this issue the credentials sql backend is updated to encode the 9 | credential into a text string before handing it over to the database. 
10 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1839133-24570c9fbacb530d.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1839133 `_] 5 | Makes user_enabled_emulation_use_group_config honor group_members_are_ids. 6 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1839577-1226d86ea0744055.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - > 4 | [`bug 1839577 `_] 5 | TOTP now allows, by default, the code from the previous time window 6 | to be considered valid as part of auth. This can be disabled, or 7 | extended to up to ten previous windows. -------------------------------------------------------------------------------- /releasenotes/notes/bug-1840291-35af1ac7ba06e166.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1840291 `_] 5 | Adds retries for the ``delete_credential_for_user`` method to avoid 6 | DBDeadlocks when deleting a large number of credentials concurrently. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1841486-425f367925f5e03f.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1841486 `_] 5 | The ``keystone-manage mapping_engine --engine-debug`` CLI tool now outputs 6 | useful information about the direct mappings from an assertion after 7 | processing mapping rules. 
8 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1843609-8498b132222596b7.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1843609 `] 5 | Fixed an issue where system-scoped tokens couldn't be used to list users 6 | and groups (e.g., GET /v3/users or GET /v3/groups) if ``keystone.conf 7 | [identity] domain_specific_drivers_enabled=True`` and the API would 8 | return an ``HTTP 401 Unauthorized``. These APIs now recognize 9 | system-scoped tokens when using domain-specific drivers. 10 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1844207-x27a31f3403xfd7y.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1844207 `_] 5 | Fixes an issue with WebSSO auth where a server error was raised if a remote 6 | ID can't be found for the requested federation protocol, now correctly 7 | raises an Unauthorized client error. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1848238-f6533644f7907358.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1848238 `_] 5 | Allow deleting a domain when using the ldap driver for a domain. There was 6 | an attempt to delete the group on the ldap whereas this one is read-only. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1856881-277103af343187f1.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1856881 `_] 5 | ``keystone-manage bootstrap`` can be run in upgrade scenarios where 6 | pre-existing domain-specific roles exist named ``admin``, ``member``, and 7 | ``reader``. 
8 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1856904-101af15bb48eb3ca.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`Bug 1856904 `_] 5 | The initiator object for CADF notifications now will always contain the 6 | username for the user who initiated the action. Previously, the initiator 7 | object only contained the user_id, which led to issues mapping to users 8 | when using LDAP-backed identity providers. This also helps the initiator 9 | object better conform to the OpenStack standard for CADF. 10 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1856962-2c87d541da61c727.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1856962 `_] 5 | Fixes an issue where federated users could not authenticate if their 6 | mapped group membership was empty. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1858012-584267ada7e33f2c.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1858012 `_] 5 | Fixes a bug in the /v3/role_assignments filtering where the `role.id` query 6 | parameter didn't properly filter role assignments by role in cases where 7 | there were multiple system role assignments. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1872732-7261816d0b170008.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - > 4 | [`bug 1872732 `_] 5 | 'user_limit' is added to the config file of credentials, which allows setting the 6 | maximum number of credentials a user is permitted to create. 
7 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1872753-e2a934eac919ccde.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - > 4 | [`bug 1872753 `_] 5 | Added validation to the EC2 credential API to prevent altering the ``access_id`` 6 | field in the blob attribute. This prevents accidentally orphaning an EC2 credential 7 | resource when an altered ``access_id`` no longer resolves to the credential's 8 | resource ID. 9 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1880252-51036d5353125e15.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | Mappings can now specify "whitelist" and "blacklist" conditionals as 5 | regular expressions. Prior, only "not_any_of" and "any_one_of" conditionals 6 | supported regular expression matching. 7 | fixes: 8 | - | 9 | [`bug 1880252 `_] 10 | Regexes are not allowed in "whitelist" and "blacklist" conditionals 11 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1885753-51df25f3ff1d9ae8.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1885753 `_] 5 | Keystone's SQL identity backend now retries update user requests to safely 6 | handle stale data when two clients update a user at the same time. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1886017-bc2ad648d57101a2.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1886017 `_] 5 | JWT validation now supports `allow_expired` query parameters. 
6 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1889936-78d6853b5212b8f1.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1889936 `_] 5 | Properly decode octet strings, or byte arrays, returned from LDAP. 6 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1896125-b17a4d12730fe493.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1896125 `_] 5 | Introduced more robust connection handling for asynchronous LDAP requests 6 | to address memory leaks fetching data from LDAP backends with low page 7 | sizes. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1897280-e7065c4368a325ad.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [ `Bug 1897230 `_] 5 | Allows s3 tokens with service types sts and iam to authenticate. This 6 | is necessary when using assumed role features of Ceph object storage and 7 | keystone is providing the authentication service for Rados Gateway. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1901207-13762f85b8a04481.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | security: 3 | - | 4 | [`bug 1901207 `_] 5 | Policy enforcement for application credentials has been updated to protect 6 | against invalid ownership checks resulting in unauthorized users being able 7 | to get and delete application credentials for other users. 
8 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1926483-a77ab887e0e7f5c9.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1926483 `_] 5 | Keystone will only log warnings about token length for Fernet tokens when 6 | the token length exceeds the value of `keystone.conf [DEFAULT] 7 | max_token_size`. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1929066-6e741c9182620a37.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - | 4 | [`bug 1929066 `_] 5 | Increase the length of the `local_id` column in the `id_mapping` table 6 | to accommodate LDAP group names that result in names greater than 7 | 64 characters. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1941020-cleanup-541a2d372a1cf4cd.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - | 4 | The following deprecated options in the ``[memcache]`` section have been 5 | removed. 6 | 7 | - ``dead_retry`` 8 | - ``pool_maxsize`` 9 | - ``pool_unused_timeout`` 10 | - ``pool_connection_get_timeout`` 11 | 12 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1941020-f694395a9bcea72f.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | deprecations: 3 | - | 4 | The following options in the ``[memcache]`` section have been deprecated 5 | because these options have had no effect since Pike. Please use 6 | ``memcache_*`` options in the ``[cache]`` section instead. 
7 | 8 | - ``dead_retry`` 9 | - ``pool_maxsize`` 10 | - ``pool_unused_timeout`` 11 | - ``pool_connection_get_timeout`` 12 | -------------------------------------------------------------------------------- /releasenotes/notes/bug1828565-0790c4c60ba34100.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1828565 `_] 5 | Fixes endpoint group listing by name. This allows the openstackclient 6 | command to search endpoint groups by name. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/bug_1526462-df9a3f3974d9040f.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - > 4 | [`bug 1526462 `_] 5 | Support for posixGroups with OpenDirectory and UNIX when using 6 | the LDAP identity driver. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/bug_1674415-e8a7345aa2b05ab7.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1674415 `_] 5 | Fixed issue with translation of keystone error messages which was not 6 | happening in case of any error messages from identity API with locale 7 | being set. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/bug_1688188-256e3572295231a1.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1688188 `_] 5 | When creating an IdP, if a domain was generated for it and a conflict 6 | was raised while effectively creating the IdP in the database, the 7 | auto-generated domain is now cleaned up. 
8 | -------------------------------------------------------------------------------- /releasenotes/notes/bug_1698900-f195125bf341d887.yaml: -------------------------------------------------------------------------------- 1 | fixes: 2 | - | 3 | [`bug 1698900 `_] 4 | The implementation for checking database state during an upgrade with the 5 | use of `keystone-manage db_sync --check` has been corrected. This allows 6 | users and automation to determine what step is next in a rolling upgrade 7 | based on logging and command status codes. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/catalog-caching-12f2532cfb71325a.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - > 4 | [`bug 1489061 `_] 5 | Caching has been added to catalog retrieval on a per user ID and project 6 | ID basis. This affects both the v2 and v3 APIs. As a result this should 7 | provide a performance benefit to fernet-based deployments. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/catalog_project_id-519f5a70f9f7c4c6.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | deprecations: 3 | - Use of ``$(tenant_id)s`` in the catalog endpoints is deprecated in favor 4 | of ``$(project_id)s``. 5 | features: 6 | - Keystone supports ``$(project_id)s`` in the catalog. It works the same as 7 | ``$(tenant_id)s``. Use of ``$(tenant_id)s`` is deprecated and catalog 8 | endpoints should be updated to use ``$(project_id)s``. 9 | 10 | -------------------------------------------------------------------------------- /releasenotes/notes/change_min_pool_retry_max-f5e7c8d315401426.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | Change the min value of pool_retry_max to 1. 
Setting this value to 0 5 | caused the pool to fail before connecting to ldap, always raising 6 | MaxConnectionReachedError. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/deprecate-endpoint-policy-cfg-option-d018acab72a398a0.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | deprecations: 3 | - > 4 | [`blueprint deprecated-as-of-mitaka `_] 5 | Deprecate the ``enabled`` option from ``[endpoint_policy]``, it will be 6 | removed in the 'O' release, and the extension will always be enabled. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/deprecate-max-param-size-6e0770e0c9d21dd6.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | deprecations: 3 | - | 4 | The ``[DEFAULT] max_param_size`` option has been deprecated. This option 5 | was used in identity v2 APU but identity v2 API was removed in 13.0.0 6 | release. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/deprecate-memcache-token-persistence-eac88c80147ea241.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | deprecations: 3 | - > 4 | [`blueprint deprecated-as-of-mitaka `_] 5 | The token memcache and memcache_pool persistence 6 | backends have been deprecated in favor of using 7 | Fernet tokens (which require no persistence). 8 | -------------------------------------------------------------------------------- /releasenotes/notes/deprecate-policies-api-b104fbd1d2367b1b.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | deprecations: 3 | - | 4 | The ``policies`` API is deprecated. Keystone is not a policy management 5 | service. 
6 | -------------------------------------------------------------------------------- /releasenotes/notes/deprecate-templated-catalog-driver-f811a6040abdc4a8.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | deprecations: 3 | - | 4 | The templated catalog driver has been deprecated and will be removed in 5 | a future release. 6 | -------------------------------------------------------------------------------- /releasenotes/notes/deprecated-as-of-newton-be1d8dbcc6bdc68f.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | deprecations: 3 | - > 4 | [`blueprint deprecated-as-of-newton `_] 5 | As of the Newton release, the class plugin `keystone.common.kvs.core.KeyValueStore` 6 | has been deprecated. It is recommended to use alternative backends instead. 7 | The ``KeyValueStore`` class will be removed in the 'P' release. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/deprecated-as-of-pike-506f9aca91674550.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | deprecations: 3 | - | 4 | * UUID token provider ``[token] provider=uuid`` has been deprecated in 5 | favor of Fernet tokens ``[token] provider=fernet``. With Fernet tokens 6 | becoming the default UUID tokens can be slated for removal in the R 7 | release. This also deprecates token-bind support as it was never 8 | implemented for fernet. 9 | 10 | * Token persistence driver/code (SQL) is deprecated with this patch since 11 | it is only used by the UUID token provider.. 
12 | -------------------------------------------------------------------------------- /releasenotes/notes/deprecated-as-of-stein-0166965502cb3be2.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | deprecations: 3 | - > 4 | The commandline options `standard-threads`, `pydev-debug-host` and 5 | `pydev-debug-port` were only used by the Keystone eventlet model in the Newton 6 | release and earlier. They are deprecated now and will be removed in the next 7 | release. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/deprecated-as-of-train-de3fe41ff2251385.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | deprecations: 3 | - | 4 | [`bug 1829454 `_] 5 | The `[federation] federated_domain_name` option is deprecated. All users 6 | live in the identity provider's domain now, and the option is no longer 7 | used. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/dont-enforce-get-s3tokens-ec2tokens-62b90b199e8075d8.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 2052916 `_] 5 | Fixed a bug where a HTTP GET request against ``/v3/s3tokens`` or 6 | ``/v3/ec2tokens`` would return HTTP 500 instead of HTTP 405. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/drop-passlib-9b398c8f08f5e9ee.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - | 4 | Dependency on abandoned library `passlib` has been dropped in favor of 5 | using `bcrypt` and `cryptography` directly. Passwords 6 | hashed with `passlib` are still supported, but the absence of corner cases 7 | cannot be guaranteed. If a user is unable to log in with an existing password, that 8 | password must be rotated. 
9 | -------------------------------------------------------------------------------- /releasenotes/notes/drop-project-id-fk-b683b414e1585be8.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - | 4 | The foreign key constraint between the ``user.domain_id`` column and the 5 | ``project.id`` column and between the ``identity_provider.domain_id`` 6 | column and the ``project.id`` column will be dropped upon running the 7 | keystone db_sync contraction step. These constraints are enforced in code 8 | and do not need to be enforced by the database. This should have no impact 9 | on users. 10 | -------------------------------------------------------------------------------- /releasenotes/notes/drop-python-3-6-and-3-7-dc90b86cedced92b.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - | 4 | Python 3.6 & 3.7 support has been dropped. The minimum version of Python now 5 | supported is Python 3.8. 6 | -------------------------------------------------------------------------------- /releasenotes/notes/enable-filter-idp-d0135f4615178cfc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - > 4 | [`bug 1525317 `_] 5 | Enable filtering of identity providers based on `id`, and `enabled` 6 | attributes. 7 | - > 8 | [`bug 1555830 `_] 9 | Enable filtering of service providers based on `id`, and `enabled` 10 | attributes. -------------------------------------------------------------------------------- /releasenotes/notes/enable-inherit-on-default-54ac435230261a6a.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - > 4 | The default setting for the `os_inherit` configuration option is 5 | changed to True. 
If it is required to continue with this portion 6 | of the API disabled, then override the default setting by explicitly 7 | specifying the os_inherit option as False. 8 | deprecations: 9 | - The `os_inherit` configuration option is disabled. In the future, this 10 | option will be removed and this portion of the API will be always enabled. 11 | -------------------------------------------------------------------------------- /releasenotes/notes/endpoints-from-endpoint_group-project-association-7271fba600322fb6.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - > 4 | [`bug 1516469 `_] 5 | Endpoints filtered by endpoint_group project association will be 6 | included in the service catalog when a project scoped token is issued and 7 | ``endpoint_filter.sql`` is used for the catalog driver. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/federation-group-ids-mapping-6c56120d65a5cb22.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - > 4 | [`blueprint federation-group-ids-mapped-without-domain-reference `_] 5 | Enhanced the federation mapping engine to allow for group IDs to be 6 | referenced without a domain ID. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/fix_application_credentials_implied_roles-b445fa56cb335a4d.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | Application credentials will also include all implied by the user roles 5 | upon their creation. 
6 | -------------------------------------------------------------------------------- /releasenotes/notes/httpd-keystone-d51b7335559b09c8.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | deprecations: 3 | - > 4 | [`blueprint deprecated-as-of-mitaka `_] 5 | The file ``httpd/keystone.py`` has been deprecated in favor of 6 | ``keystone-wsgi-admin`` and ``keystone-wsgi-public`` and may be 7 | removed in the 'O' release. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/identity_driver_new_change_password_method-e8c0e06795bca2d8.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - The identity backend driver interface has changed. We've added a new 4 | ``change_password()`` method for self service password changes. If you have a 5 | custom implementation for the identity driver, you will need to implement 6 | this new method. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/immutable-resource-options-bug-1807751-acc1e3c689484337.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - > 4 | [`bug 1807751 `_] 5 | Keystone now implements the scaffolding for resource options in projects and 6 | roles. Functionally new options (such as "immutable" flags) will appear in 7 | returned JSON under the `options` field (dict) returned in the project, domain, 8 | and role structures. The `options` field will be empty until resource options 9 | are implemented for project, domain, and role. 
10 | -------------------------------------------------------------------------------- /releasenotes/notes/impl-templated-catalog-1d8f6333726b34f8.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | other: 3 | - > 4 | [`bug 1367113 `_] 5 | The "get entity" and "list entities" functionality for the KVS catalog 6 | backend has been reimplemented to use the data from the catalog template. 7 | Previously this would only act on temporary data that was created at 8 | runtime. The create, update and delete entity functionality now raises 9 | an exception. 10 | -------------------------------------------------------------------------------- /releasenotes/notes/implied-roles-stable-8b293e187c5620ad.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | other: 3 | - | 4 | The `implied roles API `_ 5 | has been marked as stable. This API was originally implemented in Mitaka 6 | and marked as experimental. There haven't been any backwards incompatible 7 | updates since then. As a result, the API is being marked as stable. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/improve-driver-donfiguration-ecedaf6ad0c3f9d2.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | Improve configuration management for the out-of-tree identity drivers. When 5 | driver implements a special method it is being invoked before instantiating 6 | the driver when reading configuration from the database. Also 2 new 7 | `domain_config` section configuration options are added to allow such 8 | driver specific parameters to be managed using the API. 
9 | -------------------------------------------------------------------------------- /releasenotes/notes/insecure_reponse-2a168230709bc8e7.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - A new config option, `insecure_debug`, is added to control whether debug 4 | information is returned to clients. This used to be controlled by the 5 | `debug` option. If you'd like to return extra information to clients, 6 | set the value to ``true``. Because this extra information may help an attacker, enable it only while troubleshooting. 7 | 8 | -------------------------------------------------------------------------------- /releasenotes/notes/ldap-conn-pool-enabled-90df94652f1ded53.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - > 4 | The configuration options for LDAP connection pooling, `[ldap] use_pool` 5 | and `[ldap] use_auth_pool`, are now both enabled by default. Only 6 | deployments using LDAP drivers are affected. Additional configuration 7 | options are available in the `[ldap]` section to tune connection pool size, 8 | etc. 9 | -------------------------------------------------------------------------------- /releasenotes/notes/ldap-emulation-91c4d535eb9c3d10.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - > 4 | [`bug 1515302 `_] 5 | Two new configuration options have been added to the `[ldap]` section: 6 | `user_enabled_emulation_use_group_config` and 7 | `project_enabled_emulation_use_group_config`, which allow deployers to 8 | choose if they want to override the default group LDAP schema option. 
9 | -------------------------------------------------------------------------------- /releasenotes/notes/list_limit-ldap-support-5d31d51466fc49a6.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - > 4 | [`bug 1501698 `_] 5 | Support parameter `list_limit` when LDAP is used as 6 | identity backend. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/list_role_assignment_names-33aedc1e521230b6.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - > 4 | [`bug 1479569 `_] 5 | Names have been added to list role assignments 6 | (GET /role_assignments?include_names=True), rather than returning 7 | just the internal IDs of the objects the names are also returned. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/migration_squash-f655329ddad7fc2a.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - > 4 | [`bug 1541092 `_] 5 | Only database upgrades from Kilo and newer are supported. 6 | -------------------------------------------------------------------------------- /releasenotes/notes/no-default-domain-2161ada44bf7a3f7.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | other: 3 | - > 4 | ``keystone-manage db_sync`` will no longer create the Default domain. This 5 | domain is used as the domain for any users created using the legacy v2.0 6 | API. A default domain is created by ``keystone-manage bootstrap`` and when 7 | a user or project is created using the legacy v2.0 API. 
8 | -------------------------------------------------------------------------------- /releasenotes/notes/notify-on-user-group-membership-8c0136ee0484e255.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - Support has now been added to send notification events 4 | on user/group membership. When a user is added or removed 5 | from a group a notification will be sent including the 6 | identifiers of both the user and the group. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/oauth1-headers-content-type-9a9245d9bbec8f8e.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | other: 3 | - > 4 | The response's content type for creating request token or access token 5 | is changed to `application/x-www-form-urlencoded`, the old value 6 | `application/x-www-urlformencoded` is invalid and will no longer be used. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/pagination-identity-b127b6d3042d3d3a.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | User and group listing supports pagination. Query parameters `limit` 5 | and `marker` are added and work as described in `API-SIG doc 6 | `_ 7 | -------------------------------------------------------------------------------- /releasenotes/notes/password-created_at-nullable-b3c284be50d93ef5.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - Fixes a bug related to the password create date. If you deployed master 4 | during Newton development, the password create date may be reset. This 5 | would only be apparent if you have security compliance features enabled. 
6 | -------------------------------------------------------------------------------- /releasenotes/notes/policy_new_federated_projects_for_user-dcd7bd148efef049.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - In the policy.json file, we changed `identity:list_projects_for_groups` 4 | to `identity:list_projects_for_user`. Likewise, we changed 5 | `identity:list_domains_for_groups` to `identity:list_domains_for_user`. If 6 | you have customized the policy.json file, you will need to make these 7 | changes. This was done to better support new features around federation. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/pre-cache-tokens-73450934918af26b.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | prelude: > 3 | Tokens can now be cached when issued. 4 | features: 5 | - Add ``cache_on_issue`` flag to ``[token]`` section that enables 6 | placing issued tokens to validation cache thus reducing the first 7 | validation time as if token is already validated and token data cached. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/projects_as_domains-3ea8a58b4c2965e1.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - Domains are now represented as top level projects with the attribute 4 | `is_domain` set to true. Such projects will appear as parents for any 5 | previous top level projects. Projects acting as domains can be created, 6 | read, updated, and deleted via either the project API or the domain API 7 | (V3 only). 
8 | -------------------------------------------------------------------------------- /releasenotes/notes/python3-support-e4189e0a1a6e2e4f.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | other: 3 | - Keystone now supports being run under Python 3. The 4 | Python 3 and Python 3.4 classifiers have been added. 5 | -------------------------------------------------------------------------------- /releasenotes/notes/randomize_urls-c0c19f48b2bfa299.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | A new option 'randomize_urls' can be used to randomize the order in which 5 | keystone connects to the LDAP servers in [ldap] 'url' list. 6 | It is false by default. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/remove-db_sync-extension-opt-2ab1f29340281215.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - | 4 | The ``--extension`` option of ``keystone-manage db_sync`` has been 5 | deprecated since 10.0.0 (Newton) and raised an error when provided. It 6 | has now been removed entirely. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/remove-legacy-migrations-647f60019c8dd9e8.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - | 4 | The legacy migrations that existed before the split into separate expand 5 | schema, contract schema, and data migration steps have now been 6 | removed. These have been deprecated since 10.0.0 (Newton). This should 7 | have no user-facing impact. 
8 | -------------------------------------------------------------------------------- /releasenotes/notes/remove-py38-4e33bcf77029f0d0.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - | 4 | Python 3.8 support was dropped. The minimum version of Python now supported 5 | is Python 3.9. 6 | -------------------------------------------------------------------------------- /releasenotes/notes/remove-sha512_crypt-password-hashing-module-be4c5ed3f50017c0.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | other: 3 | - | 4 | The sha512_crypt password hashing module has been removed, completing the 5 | deprecation process and dropping use of the crypt module which has been 6 | dropped in Python >= 3.13. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/remove-sqlalchemy-migrate-a4fa47685c7e28c6.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - | 4 | The legacy ``sqlalchemy-migrate`` migrations, which have been deprecated 5 | since Zed, have been removed. There should be no end-user impact. 6 | -------------------------------------------------------------------------------- /releasenotes/notes/remove-templated-catalog-driver-042dd821dbad684a.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - | 4 | The templated catalog driver has been removed. 5 | The ``[catalog] template_file`` option, which was used by the templated 6 | catalog driver has also been removed. 
7 | -------------------------------------------------------------------------------- /releasenotes/notes/remove-trust-auth-support-from-v2-de316c9ba46d556d.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | other: 3 | - The ability to validate a trust-scoped token against the v2.0 API has been 4 | removed, in favor of using the version 3 of the API. 5 | -------------------------------------------------------------------------------- /releasenotes/notes/remove-wsgi-scripts-615b97ee4d6e0de2.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - | 4 | The WSGI scripts, ``keystone-wsgi-admin`` and ``keystone-wsgi-public``, 5 | have been removed. Deployment tooling should instead reference the Python 6 | module paths for the service, ``keystone.wsgi.api``, if their chosen WSGI 7 | server supports this (gunicorn, uWSGI) or implement a ``.wsgi`` script 8 | themselves if not (mod_wsgi). 9 | -------------------------------------------------------------------------------- /releasenotes/notes/removed-as-of-ussuri-d2f6ef8901ef54ed.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - | 4 | Dropping the Python2 support in OpenStack Ussuri according to 5 | `the TC deprecation timeline 6 | `_ 7 | -------------------------------------------------------------------------------- /releasenotes/notes/request_context-e143ba9c446a5952.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - > 4 | [`bug 1500222 `_] 5 | Added information such as: user ID, project ID, and domain ID to log 6 | entries. As a side effect of this change, both the user's domain ID and 7 | project's domain ID are now included in the auth context. 
8 | -------------------------------------------------------------------------------- /releasenotes/notes/resource-driver-33793dd5080ee4d2.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | Restores the configurability of the resource driver, so it is now possible 5 | to create a custom resource driver if the built-in sql driver does not meet 6 | business requirements. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/s3-aws-v4-c6cb75ce8d2289d4.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - > 4 | [`bug 1473042 `_] 5 | Keystone's S3 compatibility support can now authenticate using AWS 6 | Signature Version 4. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/sha512_crypt_deprecation-91a19080f1e884e4.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | deprecations: 3 | - | 4 | This is the last release where passwords hashed using sha512_crypt 5 | algorithm are supported. Since even support of that is being dropped in 6 | python 3.13 it would be physically dropped from Keystone in the next 7 | release (`Epoxy`). 8 | -------------------------------------------------------------------------------- /releasenotes/notes/tenant_id_to_project_id-42d95d93011785cb.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - > 4 | The assignment driver interface has changed to use the named parameter 5 | 'project_id' instead of 'tenant_id'. 
6 | -------------------------------------------------------------------------------- /releasenotes/notes/token-formatter-ec58aba00fa83706.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | The token_formatter utility class has been moved from under fernet 5 | to the default token directory. This is to allow for the reuse of 6 | functionality with other token providers. Any deployments that are 7 | specifically using the fernet utils may be affected and will need 8 | to adjust accordingly. 9 | -------------------------------------------------------------------------------- /releasenotes/notes/token-provider-refactor-a3a64146807daf36.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - | 4 | The token provider API has removed the ``needs_persistence`` property from 5 | the abstract interface. Token providers are expected to handle persistence 6 | requirement if needed. This will require out-of-tree token providers to 7 | remove the unused property and handle token storage. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/totp-40d93231714c6a20.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - > 4 | [`blueprint totp-auth `_] 5 | Keystone now supports authenticating via Time-based One-time Password (TOTP). 6 | To enable this feature, add the ``totp`` auth plugin to the `methods` 7 | option in the `[auth]` section of `keystone.conf`. More information 8 | about using TOTP can be found in `keystone's developer documentation 9 | `_. 
10 | -------------------------------------------------------------------------------- /releasenotes/notes/use-correct-inspect-8142e317c1e39c2a.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - > 4 | Replaced the usage of SQLAlchemy Inspector.from_engine() with the 5 | sqlalchemy.inspect() call, within several Alembic migration files as well 6 | as a test suite. SQLAlchemy will be deprecating the former syntax, 7 | so this change allows forwards compatibility with the next series of 8 | SQLAlchemy. 9 | -------------------------------------------------------------------------------- /releasenotes/notes/use-pyldap-6e811c28bf350d6d.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - Keystone now relies on pyldap instead of python-ldap. 4 | The pyldap library is a fork of python-ldap and is 5 | a drop-in replacement with modifications to be py3 6 | compatible. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/use-python-ldap-0318ff7798bdd98d.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - Keystone now relies on python-ldap instead of pyldap. 4 | The pyldap library is a deprecated fork from python-ldap. Starting 5 | with python-ldap 3.0 release this has been merged and is maintained 6 | there. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/v2-dep-d6e7ab2d08119549.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | deprecations: 3 | - > 4 | [`blueprint deprecated-as-of-pike `_] 5 | The v2.0 ``auth`` and ``ec2`` APIs were already marked as deprecated in the Mitaka release, 6 | although no removal release had yet been identified. These APIs will now be removed in the 'T' release. 7 | The v3 APIs should be used instead. 
8 | -------------------------------------------------------------------------------- /releasenotes/notes/v3-endpoints-in-v2-list-b0439816938713d6.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - > 4 | [`bug 1480270 `_] 5 | Endpoints created when using v3 of the keystone REST API will now be 6 | included when listing endpoints via the v2.0 API. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/v9FederationDriver-cbebcf5f97e1eae2.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | deprecations: 3 | - The V8 Federation driver interface is deprecated in favor of the V9 4 | Federation driver interface. Support for the V8 Federation driver 5 | interface is planned to be removed in the 'O' release of OpenStack. 6 | -------------------------------------------------------------------------------- /releasenotes/notes/x509-auth-df0a229780b8e3ff.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - > 4 | [`blueprint x509-ssl-client-cert-authn `_] 5 | Keystone now supports tokenless client SSL x.509 certificate authentication 6 | and authorization. 7 | -------------------------------------------------------------------------------- /releasenotes/source/2023.1.rst: -------------------------------------------------------------------------------- 1 | =========================== 2 | 2023.1 Series Release Notes 3 | =========================== 4 | 5 | .. release-notes:: 6 | :branch: unmaintained/2023.1 7 | -------------------------------------------------------------------------------- /releasenotes/source/2023.2.rst: -------------------------------------------------------------------------------- 1 | =========================== 2 | 2023.2 Series Release Notes 3 | =========================== 4 | 5 | .. 
release-notes:: 6 | :branch: stable/2023.2 7 | -------------------------------------------------------------------------------- /releasenotes/source/2024.1.rst: -------------------------------------------------------------------------------- 1 | =========================== 2 | 2024.1 Series Release Notes 3 | =========================== 4 | 5 | .. release-notes:: 6 | :branch: stable/2024.1 7 | -------------------------------------------------------------------------------- /releasenotes/source/2024.2.rst: -------------------------------------------------------------------------------- 1 | =========================== 2 | 2024.2 Series Release Notes 3 | =========================== 4 | 5 | .. release-notes:: 6 | :branch: stable/2024.2 7 | -------------------------------------------------------------------------------- /releasenotes/source/2025.1.rst: -------------------------------------------------------------------------------- 1 | =========================== 2 | 2025.1 Series Release Notes 3 | =========================== 4 | 5 | .. 
release-notes:: 6 | :branch: stable/2025.1 7 | -------------------------------------------------------------------------------- /releasenotes/source/_static/.placeholder: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/releasenotes/source/_static/.placeholder -------------------------------------------------------------------------------- /releasenotes/source/_templates/.placeholder: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/keystone/b739fd6bcda31462f51955d9c756657bb7579480/releasenotes/source/_templates/.placeholder -------------------------------------------------------------------------------- /releasenotes/source/liberty.rst: -------------------------------------------------------------------------------- 1 | ============================== 2 | Liberty Series Release Notes 3 | ============================== 4 | 5 | .. release-notes:: 6 | :branch: origin/stable/liberty 7 | -------------------------------------------------------------------------------- /releasenotes/source/mitaka.rst: -------------------------------------------------------------------------------- 1 | ============================= 2 | Mitaka Series Release Notes 3 | ============================= 4 | 5 | .. release-notes:: 6 | :branch: origin/stable/mitaka 7 | -------------------------------------------------------------------------------- /releasenotes/source/newton.rst: -------------------------------------------------------------------------------- 1 | =================================== 2 | Newton Series Release Notes 3 | =================================== 4 | 5 | .. 
release-notes:: 6 | :branch: origin/stable/newton 7 | -------------------------------------------------------------------------------- /releasenotes/source/ocata.rst: -------------------------------------------------------------------------------- 1 | =================================== 2 | Ocata Series Release Notes 3 | =================================== 4 | 5 | .. release-notes:: 6 | :branch: origin/stable/ocata 7 | -------------------------------------------------------------------------------- /releasenotes/source/queens.rst: -------------------------------------------------------------------------------- 1 | =================================== 2 | Queens Series Release Notes 3 | =================================== 4 | 5 | .. release-notes:: 6 | :branch: stable/queens 7 | -------------------------------------------------------------------------------- /releasenotes/source/rocky.rst: -------------------------------------------------------------------------------- 1 | =================================== 2 | Rocky Series Release Notes 3 | =================================== 4 | 5 | .. release-notes:: 6 | :branch: stable/rocky 7 | -------------------------------------------------------------------------------- /releasenotes/source/stein.rst: -------------------------------------------------------------------------------- 1 | =================================== 2 | Stein Series Release Notes 3 | =================================== 4 | 5 | .. release-notes:: 6 | :branch: stable/stein 7 | -------------------------------------------------------------------------------- /releasenotes/source/train.rst: -------------------------------------------------------------------------------- 1 | ========================== 2 | Train Series Release Notes 3 | ========================== 4 | 5 | .. 
release-notes:: 6 | :branch: stable/train 7 | -------------------------------------------------------------------------------- /releasenotes/source/ussuri.rst: -------------------------------------------------------------------------------- 1 | =========================== 2 | Ussuri Series Release Notes 3 | =========================== 4 | 5 | .. release-notes:: 6 | :branch: stable/ussuri 7 | -------------------------------------------------------------------------------- /releasenotes/source/victoria.rst: -------------------------------------------------------------------------------- 1 | ============================= 2 | Victoria Series Release Notes 3 | ============================= 4 | 5 | .. release-notes:: 6 | :branch: unmaintained/victoria 7 | -------------------------------------------------------------------------------- /releasenotes/source/wallaby.rst: -------------------------------------------------------------------------------- 1 | ============================ 2 | Wallaby Series Release Notes 3 | ============================ 4 | 5 | .. release-notes:: 6 | :branch: unmaintained/wallaby 7 | -------------------------------------------------------------------------------- /releasenotes/source/xena.rst: -------------------------------------------------------------------------------- 1 | ========================= 2 | Xena Series Release Notes 3 | ========================= 4 | 5 | .. release-notes:: 6 | :branch: unmaintained/xena 7 | -------------------------------------------------------------------------------- /releasenotes/source/yoga.rst: -------------------------------------------------------------------------------- 1 | ========================= 2 | Yoga Series Release Notes 3 | ========================= 4 | 5 | .. 
release-notes:: 6 | :branch: unmaintained/yoga 7 | -------------------------------------------------------------------------------- /releasenotes/source/zed.rst: -------------------------------------------------------------------------------- 1 | ======================== 2 | Zed Series Release Notes 3 | ======================== 4 | 5 | .. release-notes:: 6 | :branch: unmaintained/zed 7 | -------------------------------------------------------------------------------- /reno.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # Ignore the kilo-eol tag because that branch does not work with reno 3 | # and contains no release notes. 4 | closed_branch_tag_re: "(.+)(?