1. 11 May, 2018 1 commit
    • add support for Federated IDentity (FID) and WebSSO · 6f3751cc
      Dmitrii Shcherbakov authored
      * add support for relating with subordinate charms providing Service
      Provider functionality via apache2 authentication modules;
      * enable additional authentication methods on the keystone side to
      accept parsed assertion data provided via apache2 authentication module
      variables exported to WSGI environment;
      * move https frontend and WSGI API apache config files to keystone
      instead of relying on charm-helpers as modifications are needed there to
      add IncludeOptional directives. openstack_https_frontend.conf is added
      on purpose as ServerName cannot be correctly determined after ProxyPass
      which results in TLS errors during SAML exchange process;
      * add an additional relation to openstack-dashboard to provide URL
      information necessary to trust 'origin' parameter in WebSSO URLs used by
      horizon during the authentication process. Also add a context to render
      the federation section that is used to render this information in
      keystone.conf;
      
      Subordinates can choose to use different apache2 authentication modules.
      If those modules support vhost-level variables then multiple
      subordinates for the same module can be used. For example,
      mod_auth_mellon can be used multiple times in different vhosts to
      protect federated token endpoints related to different identity provider
      and protocol combinations.
      
      Trusted dashboard relation could be used to provide dashboard origin URL
      from a different site via cross-model relations.
      
      NOTE: this functionality will be triggered only on Ocata+ (inclusive)
      
      Change-Id: I1ef623b0b0e2a9f68cec4be550965c5e15e5f561
  2. 17 Oct, 2017 1 commit
    • Add memcache backend · 4b00281b
      Liam Young authored
      Install and configure memcached on the keystone units and configure
      keystone to use the cache. This should speed up token access for
      existing tokens.
      
      Change-Id: I26af0a97660e5bbe293a32e6b9e3d209338f905a
      Closes-Bug: #1722541
  3. 11 Oct, 2017 1 commit
    • Use compatible uuid entry point for tokens backend · 9515a78c
      James Page authored
      Ensure that a valid entry point is used for the uuid token
      backend, resolving compatibility with later OpenStack releases.
      
      Change-Id: I566e6a2e9c0aa1fc1afe02dbc9f899cfb0c7a9f6
      Closes-Bug: 1722909
  4. 28 Sep, 2017 1 commit
    • Snap install OpenStack in Charms · 8da85834
      David Ames authored
      Install OpenStack using snaps. By setting openstack-origin to
      snap:track/channel or snap:track the charm will use snaps to
      install rather than debs. If channel is left off it defaults to
      stable. For example: snap:ocata/edge will install the edge version of
      Ocata and snap:pike will install the stable version of Pike.
      
      Charm helpers sync for snap related helpers.
      
      Change-Id: I6e3540e4ffe081540404f91061e5c9b7039b3eac
  5. 21 Jun, 2017 1 commit
    • Use 'uuid' token provider configuration · 681047f3
      James Page authored
      Use the 'uuid' entry point for token configuration; this has been
      supported for some time and future proofs the charm against changes
      in the internals of keystone.
      
      Change-Id: I9f16a4b38487069379069c698d713f5b498eb718
  6. 30 Jan, 2017 1 commit
    • Enable domain specific drivers · 795ebdeb
      James Page authored
      Enable support for domain specific drivers, managed via
      configuration files (instead of directly using the API and
      database).
      
      Using multiple domains means that calls to users.list must
      be scoped to a specific domain; ensure that v3 calls to this
      method are appropriately scoped.
      
      Change-Id: I7ed84b7210597ab1633eba343a0c68741a5a8578
      Partial-Bug: 1645803
  7. 24 Nov, 2016 1 commit
    • Refresh keystone.conf and policy.json for Mitaka and Newton · 10e3d84e
      Frode Nordahl authored
      keystone.conf:
      - Change log_config to log_config_append DEPRECATED
      - Remove verbose DEPRECATED
      - Remove eventlet_server section DEPRECATED
      - Remove ec2 section, no longer available in Keystone
        It has been moved to the keystonemiddleware package
      - Update driver names. Using full module path is DEPRECATED
      - Add resource section and specify admin_project_domain_name
        and admin_project_name
      
      mitaka/policy.json:
      - Refresh from upstream stable/mitaka
      - Apply stricter rule:service_role
      - Allow identity:list_projects to rule:service_role
      
      newton/policy.json:
      - Refresh from upstream stable/newton
      - Apply stricter rule:service_role
      - Allow identity:list_projects to rule:service_role
      
      hooks/keystone_context.py:
      - Add admin_domain_name to Keystone context
      
      tests/basic_deployment.py:
      - Add config check for changes for Mitaka and newer releases
      
      Partial-Bug: 1636098
      Change-Id: Ib267418f34066eaf6e4885627010d2a18e312192
  8. 27 Sep, 2016 1 commit
    • Add default_domain_id for Keystone v3 deploys · ccf15398
      Liam Young authored
      The default_domain_id is used to specify a domain when the client
      hasn't explicitly set one. It defaults to 'default' which is fine
      for liberty and previous because the id of the default domain is,
      oddly, 'default' rather than a uuid. On Mitaka and higher it is
      a uuid so when keystone assumes the default domain's id is 'default'
      it fails.
      
      Change-Id: Iaa5e6a07a229815cf2281858cb68a4e120aa2af3
      Closes-Bug: 1626889
  9. 07 Dec, 2015 1 commit
  10. 09 Jun, 2015 1 commit
    • [hopem,r=] · b37171ec
      Edward Hope-Morley authored
      Replace deprecated bind_host with admin_bind_host and
      public_bind_host in keystone.conf
      
      Closes-Bug: 1463305
  11. 01 Apr, 2015 1 commit
  12. 24 Mar, 2015 2 commits
  13. 03 Feb, 2015 1 commit
  14. 07 Oct, 2014 1 commit
  15. 21 Sep, 2014 1 commit
  16. 12 Aug, 2014 1 commit
  17. 11 Aug, 2014 1 commit
  18. 04 Aug, 2014 1 commit
  19. 16 Apr, 2014 1 commit
  20. 02 Apr, 2014 1 commit
  21. 31 Mar, 2014 2 commits