Diffstat (limited to 'keystone-moon/doc/source/extensions')

mode        path                                                                 lines changed
-rw-r--r--  keystone-moon/doc/source/extensions/endpoint_filter.rst              44
-rw-r--r--  keystone-moon/doc/source/extensions/endpoint_policy.rst              35
-rw-r--r--  keystone-moon/doc/source/extensions/federation.rst                   66
-rw-r--r--  keystone-moon/doc/source/extensions/moon/ExceptionHierarchy-v0.2.pptx  bin, 34159 -> 0 bytes
-rw-r--r--  keystone-moon/doc/source/extensions/moon/ExceptionHierarchy.pptx     bin, 34626 -> 0 bytes
-rw-r--r--  keystone-moon/doc/source/extensions/moon/moon.rst                    147
-rw-r--r--  keystone-moon/doc/source/extensions/moon/moon_api.rst                863
-rw-r--r--  keystone-moon/doc/source/extensions/oauth1.rst                       49
-rw-r--r--  keystone-moon/doc/source/extensions/openidc.rst                      93
-rw-r--r--  keystone-moon/doc/source/extensions/revoke.rst                       45
-rw-r--r--  keystone-moon/doc/source/extensions/shibboleth.rst                   279

11 files changed, 0 insertions, 1621 deletions
diff --git a/keystone-moon/doc/source/extensions/endpoint_filter.rst b/keystone-moon/doc/source/extensions/endpoint_filter.rst deleted file mode 100644 index 4ab194b8..00000000 --- a/keystone-moon/doc/source/extensions/endpoint_filter.rst +++ /dev/null 
@@ -1,44 +0,0 @@ -.. - Copyright 2011-2013 OpenStack, Foundation - All Rights Reserved. - - Licensed under the Apache License, Version 2.0 (the "License"); you may - not use this file except in compliance with the License. You may obtain - a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the - License for the specific language governing permissions and limitations - under the License. - -====================================== -Enabling the Endpoint Filter Extension -====================================== - -To enable the endpoint filter extension: - -1. Add the endpoint filter extension catalog driver to the ``[catalog]`` section - in ``keystone.conf``. For example:: - - [catalog] - driver = catalog_sql - -2. Add the ``endpoint_filter_extension`` filter to the ``api_v3`` pipeline in - ``keystone-paste.ini``. This must be added after ``json_body`` and before - the last entry in the pipeline. For example:: - - [pipeline:api_v3] - pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension endpoint_filter_extension service_v3 - -3. Create the endpoint filter extension tables if using the provided sql backend. For example:: - - ./bin/keystone-manage db_sync --extension endpoint_filter - -4. Optionally, change ``return_all_endpoints_if_no_filter`` the ``[endpoint_filter]`` section - in ``keystone.conf`` to return an empty catalog if no associations are made. For example:: - - [endpoint_filter] - return_all_endpoints_if_no_filter = False diff --git a/keystone-moon/doc/source/extensions/endpoint_policy.rst b/keystone-moon/doc/source/extensions/endpoint_policy.rst deleted file mode 100644 index ad403d50..00000000 
--- a/keystone-moon/doc/source/extensions/endpoint_policy.rst +++ /dev/null @@ -1,35 +0,0 @@ -.. - Licensed under the Apache License, Version 2.0 (the "License"); you may - not use this file except in compliance with the License. You may obtain - a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the - License for the specific language governing permissions and limitations - under the License. - -====================================== -Enabling the Endpoint Policy Extension -====================================== - -To enable the endpoint policy extension: - -1. Optionally, add the endpoint policy extension driver to the - ``[endpoint_policy]`` section in ``keystone.conf``. For example:: - - [endpoint_policy] - driver = sql - -2. Add the ``endpoint_policy_extension`` policy to the ``api_v3`` pipeline in - ``keystone-paste.ini``. This must be added after ``json_body`` and before - the last entry in the pipeline. For example:: - - [pipeline:api_v3] - pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension service_v3 endpoint_policy_extension service_v3 - -3. Create the endpoint policy extension tables if using the provided SQL backend. For example:: - - ./bin/keystone-manage db_sync --extension endpoint_policy diff --git a/keystone-moon/doc/source/extensions/federation.rst b/keystone-moon/doc/source/extensions/federation.rst deleted file mode 100644 index f1b5baa9..00000000 --- a/keystone-moon/doc/source/extensions/federation.rst +++ /dev/null 
@@ -1,66 +0,0 @@ -.. - Copyright 2014 OpenStack, Foundation - All Rights Reserved. - - Licensed under the Apache License, Version 2.0 (the "License"); you may - not use this file except in compliance with the License. You may obtain - a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the - License for the specific language governing permissions and limitations - under the License. - -================================== -Enabling the Federation Extension -================================== - -To enable the federation extension: - -1. Add the federation extension driver to the ``[federation]`` section in - ``keystone.conf``. For example:: - - [federation] - driver = keystone.contrib.federation.backends.sql.Federation - -2. Add the ``saml2`` and/or ``oidc`` authentication methods to the ``[auth]`` - section in ``keystone.conf``:: - - [auth] - methods = external,password,token,saml2,oidc - saml2 = keystone.auth.plugins.mapped.Mapped - oidc = keystone.auth.plugins.mapped.Mapped - -.. NOTE:: - The ``external`` method should be dropped to avoid any interference with - some Apache + Shibboleth SP setups, where a ``REMOTE_USER`` env variable is - always set, even as an empty value. - -3. Add the ``federation_extension`` middleware to the ``api_v3`` pipeline in - ``keystone-paste.ini``. This must be added after ``json_body`` and before - the last entry in the pipeline. For example:: - - [pipeline:api_v3] - pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension service_v3 - -4. Create the federation extension tables if using the provided SQL backend. 
- For example:: - - ./bin/keystone-manage db_sync --extension federation - -5. As of the Juno release, multiple Keystone deployments can now be federated. - To do so, the `pysaml2 <https://pypi.python.org/pypi/pysaml2>`_ library is - required. Since OS-FEDERATION is an extension, ``pysaml2`` is not installed - by default, it must be installed manually. For example:: - - pip install --upgrade $(grep pysaml2 test-requirements.txt) - - Also, the `xmlsec1` command line tool is needed to sign the SAML assertions - generated by the Keystone Identity Provider: - - .. code-block:: bash - - $ apt-get install xmlsec1 diff --git a/keystone-moon/doc/source/extensions/moon/ExceptionHierarchy-v0.2.pptx b/keystone-moon/doc/source/extensions/moon/ExceptionHierarchy-v0.2.pptx Binary files differdeleted file mode 100644 index a512a98b..00000000 --- a/keystone-moon/doc/source/extensions/moon/ExceptionHierarchy-v0.2.pptx +++ /dev/null diff --git a/keystone-moon/doc/source/extensions/moon/ExceptionHierarchy.pptx b/keystone-moon/doc/source/extensions/moon/ExceptionHierarchy.pptx Binary files differdeleted file mode 100644 index af18d231..00000000 --- a/keystone-moon/doc/source/extensions/moon/ExceptionHierarchy.pptx +++ /dev/null diff --git a/keystone-moon/doc/source/extensions/moon/moon.rst b/keystone-moon/doc/source/extensions/moon/moon.rst deleted file mode 100644 index f2b3b0bc..00000000 --- a/keystone-moon/doc/source/extensions/moon/moon.rst +++ /dev/null 
@@ -1,147 +0,0 @@ -.. - Copyright 2015 Orange - All Rights Reserved. - - Licensed under the Apache License, Version 2.0 (the "License"); you may - not use this file except in compliance with the License. You may obtain - a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the - License for the specific language governing permissions and limitations - under the License. - -============ -Moon backend -============ - -Before doing anything, you must test your installation and check that your infrastructure is working. -For example, check that you can create new virtual machines with admin and demo login. - -Configuration -------------- - -Moon is a contribute backend so you have to enable it by modifying /etc/keystone/keystone-paste.ini, like this: - -.. code-block:: ini - - [pipeline:moon_pipeline] - pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension moon_service - - [app:moon_service] - use = egg:keystone#moon_service - - ... - - [composite:main] - use = egg:Paste#urlmap - /moon = moon_pipeline - /v2.0 = public_api - /v3 = api_v3 - / = public_version_api - - [composite:admin] - use = egg:Paste#urlmap - /moon = moon_pipeline - /v2.0 = admin_api - /v3 = api_v3 - / = admin_version_api - - ... - -You must modify /etc/keystone/keystone.conf as you need (see at the end of the file) and copy the following directories: - -.. code-block:: sh - - cp -R /opt/stack/keystone/examples/moon/policies/ /etc/keystone/ - cp -R /opt/stack/keystone/examples/moon/super_extension/ /etc/keystone/ - -You can now update the Keystone database and create the directory for logs and restart the Keystone service: - -.. 
code-block:: sh - - cd /opt/stack/keystone - ./bin/keystone-manage db_sync --extension moon - sudo mkdir /var/log/moon/ - sudo chown vagrant /var/log/moon/ - sudo service apache2 restart - -You have to install our version of keystonemiddleware https://github.com/rebirthmonkey/keystonemiddleware : - -.. code-block:: sh - - cd - git clone https://github.com/rebirthmonkey/keystonemiddleware.git - cd keystonemiddleware - sudo python setup.py install - -At this time, the only method to configure Moon is to use the python-moonclient which is a console based client: - -.. code-block:: sh - - cd - git clone https://github.com/rebirthmonkey/moonclient.git - cd moonclient - sudo python setup.py install - -If afterwards, you have some problem restarting nova-api, try removing the package python-six: - -.. code-block:: sh - - sudo apt-get remove python-six - - -Nova must be configured to send request to Keystone, you have to modify /etc/nova/api-paste.ini : - -.. code-block:: ini - - ... - - [composite:openstack_compute_api_v2] - use = call:nova.api.auth:pipeline_factory - noauth = compute_req_id faultwrap sizelimit noauth ratelimit osapi_compute_app_v2 - noauth2 = compute_req_id faultwrap sizelimit noauth2 ratelimit osapi_compute_app_v2 - keystone = compute_req_id faultwrap sizelimit authtoken keystonecontext moon ratelimit osapi_compute_app_v2 - keystone_nolimit = compute_req_id faultwrap sizelimit authtoken keystonecontext moon osapi_compute_app_v2 - - [composite:openstack_compute_api_v21] - use = call:nova.api.auth:pipeline_factory_v21 - noauth = compute_req_id faultwrap sizelimit noauth osapi_compute_app_v21 - noauth2 = compute_req_id faultwrap sizelimit noauth2 osapi_compute_app_v21 - keystone = compute_req_id faultwrap sizelimit authtoken keystonecontext moon osapi_compute_app_v21 - - [composite:openstack_compute_api_v3] - use = call:nova.api.auth:pipeline_factory_v21 - noauth = request_id faultwrap sizelimit noauth_v3 osapi_compute_app_v3 - noauth2 = request_id 
faultwrap sizelimit noauth_v3 osapi_compute_app_v3 - keystone = request_id faultwrap sizelimit authtoken keystonecontext moon osapi_compute_app_v3 - - ... - - [filter:moon] - paste.filter_factory = keystonemiddleware.authz:filter_factory - -If Swift is also installed, you have to configured it, in /etc/swift/proxy-server.conf : - -.. code-block:: ini - - ... - - [pipeline:main] - pipeline = catch_errors gatekeeper healthcheck proxy-logging cache container_sync bulk tempurl ratelimit crossdomain authtoken keystoneauth tempauth formpost staticweb container-quotas account-quotas slo dlo proxy-logging moon proxy-server - - ... - - [filter:moon] - paste.filter_factory = keystonemiddleware.authz:filter_factory - -Nova and Swift must be restarted after that, depending on your configuration, you will have to use 'screen' (if using devstack) -or 'service' on those daemons : nova-api and swift-proxy - -Usage ------ - -TODO
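Review bot: in the moon.rst hunk, several of the setup commands being removed are environment-specific and must not be carried into a replacement page verbatim: `sudo chown vagrant /var/log/moon/` hard-codes a Vagrant user, `keystonemiddleware` and `moonclient` are installed from personal GitHub forks with `sudo python setup.py install` (no pinned revision, no integrity check on what is being installed system-wide), and `sudo apt-get remove python-six` as a workaround for nova-api will break other Python packages on the host. The `[filter:moon]` stanza (`paste.filter_factory = keystonemiddleware.authz:filter_factory`) is placed after `authtoken keystonecontext` in the Nova pipelines and after `authtoken keystoneauth` in the Swift pipeline, which is the correct order for an authorization filter that needs the validated token context; that ordering constraint deserves an explicit sentence in whatever replaces this page, since putting `moon` before `authtoken` would run authz on an unauthenticated request. The section ends with `Usage ----- TODO` and no trailing newline, so no user-facing content is lost by deleting it.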
\ No newline at end of file diff --git a/keystone-moon/doc/source/extensions/moon/moon_api.rst b/keystone-moon/doc/source/extensions/moon/moon_api.rst deleted file mode 100644 index 210093a1..00000000 --- a/keystone-moon/doc/source/extensions/moon/moon_api.rst +++ /dev/null 
@@ -1,863 +0,0 @@ -Moon API -======== - -Here are Moon API with some examples of posted data and returned data. - -All requests must be prefixed with the host and port, for example: http://localhost:35357/moon/authz/123456789/123456789/servers/list - -Authz ------ - -**GET /moon/authz/{tenant_id}/{subject_k_id}/{object_name}/{action_name}** - Authorization API. - -.. code-block:: json - - return = { - "authz": "True or False" - } - - -Intra-Extension API -------------------- - -Configuration -~~~~~~~~~~~~~ - -**GET /moon/configuration/templates** - - List all policy templates. - -.. code-block:: json - - return = { - "template_id": { - "name": "name of the template", - "description": "description of the template", - } - } - - -**GET /moon/configuration/aggregation_algorithms** - - List all aggregation algorithms. - -.. code-block:: json - - return = { - "algorithm_id": { - "name": "name of the algorithm", - "description": "description of the algorithm", - } - } - - -**GET /moon/configuration/sub_meta_rule_algorithms** - - List all sub meta rule algorithms. - -.. code-block:: json - - return = { - "algorithm_id": { - "name": "name of the algorithm", - "description": "description of the algorithm", - } - } - - -Tenants -~~~~~~~ - -**GET /moon/tenants** - - List all tenants. - -.. code-block:: json - - return = { - "tenant_id": { - "name": "name of the tenant", - "description": "description of the tenant", - "intra_authz_extension_id": "id of the intra extension authz", - "intra_admin_extension_id": "id of the intra extension authz" - } - } - - -**POST /moon/tenants** - - Add a tenant. - -.. 
code-block:: json - - post = { - "tenant_name": "name of the tenant", - "tenant_description": "description of the tenant", - "tenant_intra_authz_extension_id": "id of the intra extension authz", - "tenant_intra_admin_extension_id": "id of the intra extension admin" - } - return = { - "tenant_id": { - "name": "name of the tenant", - "description": "description of the tenant", - "intra_authz_extension_id": "id of the intra extension authz", - "intra_admin_extension_id": "id of the intra extension authz" - } - } - - -**POST /moon/tenants/{tenant_id}** - - Show information of one tenant. - -.. code-block:: json - - return = { - "tenant_id": { - "name": "name of the tenant", - "description": "description of the tenant", - "intra_authz_extension_id": "id of the intra extension authz", - "intra_admin_extension_id": "id of the intra extension authz" - } - } - - -**POST /moon/tenants/{tenant_id}** - - Modify a tenant. - -.. code-block:: json - - post = { - "tenant_name": "name of the tenant", - "tenant_description": "description of the tenant", - "tenant_intra_authz_extension_id": "id of the intra extension authz", - "tenant_intra_admin_extension_id": "id of the intra extension admin" - } - return = { - "tenant_id": { - "name": "name of the tenant", - "description": "description of the tenant", - "intra_authz_extension_id": "id of the intra extension authz", - "intra_admin_extension_id": "id of the intra extension authz" - } - } - - -**DELETE /moon/tenants/{tenant_id}** - - Delete a tenant. - -.. code-block:: json - - return = {} - - -Intra-Extension -~~~~~~~~~~~~~~~ - -**GET /moon/intra_extensions/init** - - Initialize the root Intra_Extension (if needed). - -.. code-block:: json - - return = {} - - -**GET /moon/intra_extensions** - - List all Intra_Extensions. - -.. 
code-block:: json - - return = { - "intra_extension_id": { - "name": "name of the intra extension", - "model": "model of the intra extension" - } - } - - -**POST /moon/intra_extensions** - - Create a new Intra_Extension. - -.. code-block:: json - - post = { - "intra_extension_name": "name of the intra extension", - "intra_extension_model": "model of the intra extension (taken from /configuration/templates)", - "intra_extension_description": "description of the intra extension", - - } - return = {} - - -**GET /moon/intra_extensions/{intra_extension_id}/** - - Show details about one Intra_Extension. - -.. code-block:: json - - return = { - "id": "intra_extension_id", - "name": "name of the intra extension", - "model": "model of the intra extension", - "genre": "genre of the intra extension", - "description": "model of the intra extension" - } - - -**DELETE /moon/intra_extensions/{intra_extension_id}/** - - Delete an Intra_Extension. - -.. code-block:: json - - return = {} - - -Intra-Extension Subjects -~~~~~~~~~~~~~~~~~~~~~~~~ - -**GET /moon/intra_extensions/{intra_extension_id}/subjects** - - List all subjects. - -.. code-block:: json - - return = { - "subject_id": { - "name": "name of the subject", - "keystone_id": "keystone id of the subject" - } - } - - -**POST /moon/intra_extensions/{intra_extension_id}/subjects** - - List all subjects. - -.. code-block:: json - - post = { - "subject_name": "name of the subject", - "subject_description": "description of the subject", - "subject_password": "password for the subject", - "subject_email": "email address of the subject" - } - return = { - "subject_id": { - "name": "name of the subject", - "keystone_id": "keystone id of the subject" - } - } - - -**DELETE /moon/intra_extensions/{intra_extension_id}/subjects/{subject_id}** - - Delete a subject. - -.. code-block:: json - - return = {} - - -**GET /moon/intra_extensions/{intra_extension_id}/subject_categories** - - List all subject categories. - -.. 
code-block:: json - - return = { - "subject_category_id": { - "name": "name of the category", - "description": "description of the category" - } - } - - -**POST /moon/intra_extensions/{intra_extension_id}/subject_categories** - - Add a new subject category. - -.. code-block:: json - - post = { - "subject_category_name": "name of the category", - "subject_category_description": "description of the category" - } - return = { - "subject_category_id": { - "name": "name of the category", - "description": "description of the category" - } - } - - -**DELETE /moon/intra_extensions/{intra_extension_id}/subject_categories/{subject_category_id}** - - Delete a subject category. - -.. code-block:: json - - return = {} - - -**GET /moon/intra_extensions/{intra_extension_id}/subject_scopes/{subject_category_id}** - - List all subject scopes for a specific subject category. - -.. code-block:: json - - return = { - "subject_scope_id": { - "name": "name of the scope", - "description": "description of the scope" - } - } - - -**POST /moon/intra_extensions/{intra_extension_id}/subject_scopes/{subject_category_id}** - - Add a new subject scope for a specific subject category. - -.. code-block:: json - - post = { - "subject_scope_name": "name of the scope", - "subject_scope_description": "description of the scope" - } - return = { - "subject_scope_id": { - "name": "name of the scope", - "description": "description of the scope" - } - } - - -**DELETE /moon/intra_extensions/{intra_extension_id}/subject_scopes/{subject_category_id}/{subject_scope_id}** - - Delete a subject scope. - -.. code-block:: json - - return = {} - - -**GET /moon/intra_extensions/{intra_extension_id}/subject_assignments/{subject_id}/{subject_category_id}** - - List all subject assignments for a subject and for a subject category. - -.. 
code-block:: json - - return = [ - "subject_assignment_id1", "subject_assignment_id2" - ] - - -**POST /moon/intra_extensions/{intra_extension_id}/subject_assignments** - - Add an assignment. - -.. code-block:: json - - post = { - "subject_id": "id of the subject", - "subject_category_id": "id of the category", - "subject_scope_id": "id of the scope" - } - return = [ - "subject_assignment_id1", "subject_assignment_id2" - ] - - -**DELETE /moon/intra_extensions/{intra_extension_id}/subject_assignments/{subject_id}/{subject_category_id}/{subject_scope_id}** - - Delete a subject assignment. - -.. code-block:: json - - return = {} - - -Intra-Extension Objects -~~~~~~~~~~~~~~~~~~~~~~~ - -**GET /moon/intra_extensions/{intra_extension_id}/objects** - - List all objects. - -.. code-block:: json - - return = { - "object_id": { - "name": "name of the object", - "keystone_id": "keystone id of the object" - } - } - - -**POST /moon/intra_extensions/{intra_extension_id}/objects** - - List all objects. - -.. code-block:: json - - post = { - "object_name": "name of the object", - "object_description": "description of the object" - } - return = { - "object_id": { - "name": "name of the object", - "keystone_id": "keystone id of the object" - } - } - - -**DELETE /moon/intra_extensions/{intra_extension_id}/objects/{object_id}** - - Delete a object. - -.. code-block:: json - - return = {} - - -**GET /moon/intra_extensions/{intra_extension_id}/object_categories** - - List all object categories. - -.. code-block:: json - - return = { - "object_category_id": { - "name": "name of the category", - "description": "description of the category" - } - } - - -**POST /moon/intra_extensions/{intra_extension_id}/object_categories** - - Add a new object category. - -.. 
code-block:: json - - post = { - "object_category_name": "name of the category", - "object_category_description": "description of the category" - } - return = { - "object_category_id": { - "name": "name of the category", - "description": "description of the category" - } - } - - -**DELETE /moon/intra_extensions/{intra_extension_id}/object_categories/{object_category_id}** - - Delete a object category. - -.. code-block:: json - - return = {} - - -**GET /moon/intra_extensions/{intra_extension_id}/object_scopes/{object_category_id}** - - List all object scopes for a specific object category. - -.. code-block:: json - - return = { - "object_scope_id": { - "name": "name of the scope", - "description": "description of the scope" - } - } - - -**POST /moon/intra_extensions/{intra_extension_id}/object_scopes/{object_category_id}** - - Add a new object scope for a specific object category. - -.. code-block:: json - - post = { - "object_scope_name": "name of the scope", - "object_scope_description": "description of the scope" - } - return = { - "object_scope_id": { - "name": "name of the scope", - "description": "description of the scope" - } - } - - -**DELETE /moon/intra_extensions/{intra_extension_id}/object_scopes/{object_category_id}/{object_scope_id}** - - Delete a object scope. - -.. code-block:: json - - return = {} - - -**GET /moon/intra_extensions/{intra_extension_id}/object_assignments/{object_id}/{object_category_id}** - - List all object assignments for a object and for a object category. - -.. code-block:: json - - return = [ - "object_assignment_id1", "object_assignment_id2" - ] - - -**POST /moon/intra_extensions/{intra_extension_id}/object_assignments** - - Add an assignment. - -.. 
code-block:: json - - post = { - "object_id": "id of the object", - "object_category_id": "id of the category", - "object_scope_id": "id of the scope" - } - return = [ - "object_assignment_id1", "object_assignment_id2" - ] - - -**DELETE /moon/intra_extensions/{intra_extension_id}/object_assignments/{object_id}/{object_category_id}/{object_scope_id}** - - Delete a object assignment. - -.. code-block:: json - - return = {} - - -Intra-Extension Actions -~~~~~~~~~~~~~~~~~~~~~~~ - -**GET /moon/intra_extensions/{intra_extension_id}/actions** - - List all actions. - -.. code-block:: json - - return = { - "action_id": { - "name": "name of the action", - "keystone_id": "keystone id of the action" - } - } - - -**POST /moon/intra_extensions/{intra_extension_id}/actions** - - List all actions. - -.. code-block:: json - - post = { - "action_name": "name of the action", - "action_description": "description of the action", - "action_password": "password for the action", - "action_email": "email address of the action" - } - return = { - "action_id": { - "name": "name of the action", - "keystone_id": "keystone id of the action" - } - } - - -**DELETE /moon/intra_extensions/{intra_extension_id}/actions/{action_id}** - - Delete a action. - -.. code-block:: json - - return = {} - - -**GET /moon/intra_extensions/{intra_extension_id}/action_categories** - - List all action categories. - -.. code-block:: json - - return = { - "action_category_id": { - "name": "name of the category", - "description": "description of the category" - } - } - - -**POST /moon/intra_extensions/{intra_extension_id}/action_categories** - - Add a new action category. - -.. 
code-block:: json - - post = { - "action_category_name": "name of the category", - "action_category_description": "description of the category" - } - return = { - "action_category_id": { - "name": "name of the category", - "description": "description of the category" - } - } - - -**DELETE /moon/intra_extensions/{intra_extension_id}/action_categories/{action_category_id}** - - Delete a action category. - -.. code-block:: json - - return = {} - - -**GET /moon/intra_extensions/{intra_extension_id}/action_scopes/{action_category_id}** - - List all action scopes for a specific action category. - -.. code-block:: json - - return = { - "action_scope_id": { - "name": "name of the scope", - "description": "description of the scope" - } - } - - -**POST /moon/intra_extensions/{intra_extension_id}/action_scopes/{action_category_id}** - - Add a new action scope for a specific action category. - -.. code-block:: json - - post = { - "action_scope_name": "name of the scope", - "action_scope_description": "description of the scope" - } - return = { - "action_scope_id": { - "name": "name of the scope", - "description": "description of the scope" - } - } - - -**DELETE /moon/intra_extensions/{intra_extension_id}/action_scopes/{action_category_id}/{action_scope_id}** - - Delete a action scope. - -.. code-block:: json - - return = {} - - -**GET /moon/intra_extensions/{intra_extension_id}/action_assignments/{action_id}/{action_category_id}** - - List all action assignments for a action and for a action category. - -.. code-block:: json - - return = [ - "action_assignment_id1", "action_assignment_id2" - ] - - -**POST /moon/intra_extensions/{intra_extension_id}/action_assignments** - - Add an assignment. - -.. 
code-block:: json - - post = { - "action_id": "id of the action", - "action_category_id": "id of the category", - "action_scope_id": "id of the scope" - } - return = [ - "action_assignment_id1", "action_assignment_id2" - ] - - -**DELETE /moon/intra_extensions/{intra_extension_id}/action_assignments/{action_id}/{action_category_id}/{action_scope_id}** - - Delete a action assignment. - -.. code-block:: json - - return = {} - - -Intra-Extension Rules -~~~~~~~~~~~~~~~~~~~~~ - -**GET /moon/intra_extensions/{intra_extension_id}/aggregation_algorithm** - - List aggregation algorithm for an intra extension. - -.. code-block:: json - - return = { - "aggregation_algorithm_id": { - "name": "name of the aggregation algorithm", - "description": "description of the aggregation algorithm" - } - } - - -**POST /moon/intra_extensions/{intra_extension_id}/aggregation_algorithm** - - Set the current aggregation algorithm for an intra extension. - -.. code-block:: json - - post = { - "aggregation_algorithm_id": "id of the aggregation algorithm", - "aggregation_algorithm_description": "description of the aggregation algorithm" - } - return = { - "aggregation_algorithm_id": { - "name": "name of the aggregation algorithm", - "description": "description of the aggregation algorithm" - } - } - - -**GET /moon/intra_extensions/{intra_extension_id}/sub_meta_rules** - - Show the current sub meta rules. - -.. code-block:: json - - return = { - "sub_meta_rule_id": { - "name": "name of the aggregation algorithm", - "algorithm": "algorithm of the aggregation algorithm", - "subject_categories": ["subject_category_id1", "subject_category_id2"], - "object_categories": ["object_category_id1", "object_category_id2"], - "action_categories": ["action_category_id1", "action_category_id2"] - } - } - - -.. code-block:: json - - return = {} - - -**GET /moon/intra_extensions/{intra_extension_id}/rule/{sub_meta_rule_id}** - - Set the current sub meta rule. - -.. 
code-block:: json - - post = { - "sub_meta_rule_name": "name of the sub meta rule", - "sub_meta_rule_algorithm": "name of the sub meta rule algorithm", - "sub_meta_rule_subject_categories": ["subject_category_id1", "subject_category_id2"], - "sub_meta_rule_object_categories": ["object_category_id1", "object_category_id2"], - "sub_meta_rule_action_categories": ["action_category_id1", "action_category_id2"] - } - return = {} - - -**GET /moon/intra_extensions/{intra_extension_id}/rule/{sub_meta_rule_id}** - - List all rules. - -.. code-block:: json - - return = { - "rule_id1": ["subject_scope_id1", "object_scope_id1", "action_scope_id1"], - "rule_id2": ["subject_scope_id2", "object_scope_id2", "action_scope_id2"] - } - - -**POST /moon/intra_extensions/{intra_extension_id}/rule/{sub_meta_rule_id}** - - Add a new rule. - -.. code-block:: json - - post = { - "subject_categories": ["subject_scope_id1"], - "object_categories": ["object_scope_id1"], - "action_categories": ["action_scope_id1"], - "enabled": True - } - return = {} - - -**DELETE /moon/intra_extensions/{intra_extension_id}/rule/{sub_meta_rule_id}/{rule_id}** - - Delete a rule. - -.. code-block:: json - - return = {} - - -Logs -~~~~ - -**GET /moon/logs/{options}** - - List all logs. - Options can be: - - * ``filter=<filter_characters>`` - * ``from=<show logs from this date>`` - * ``to=<show logs to this date>`` - * ``event_number=<get n logs>`` - - Time format is '%Y-%m-%d-%H:%M:%S' (eg. "2015-04-15-13:45:20") - -.. code-block:: json - - return = [ - "2015-04-15-13:45:20 ...", - "2015-04-15-13:45:21 ...", - "2015-04-15-13:45:22 ...", - "2015-04-15-13:45:23 ..." - ] - -Auth -~~~~ - -**POST /moon/auth/tokens** - - Add a tenant. - -.. code-block:: json - - post = { - "username": "name of the user to authenticate", - "password": "password of the user to authenticate" - } - return = { - "token": "NEW_TOKEN", - "message": "if authentication failed..." - } - - 
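Review bot: if this API reference is being relocated rather than dropped (the diffstat shows 0 insertions), the copy it moves to needs the method/description mismatches fixed before it is republished: `POST /moon/tenants/{tenant_id}` is listed twice, once described as "Show information of one tenant" (a read, so GET); `POST .../subjects`, `POST .../objects` and `POST .../actions` are all described as "List all ..." although they take a `post` body; `GET /moon/intra_extensions/{intra_extension_id}/rule/{sub_meta_rule_id}` appears twice with different semantics, and the first one (which takes a `post` body and says "Set the current sub meta rule") reads like the POST counterpart of the `sub_meta_rules` GET just above it; and `POST /moon/auth/tokens` is described as "Add a tenant". Two smaller points in the same hunk: `"action_password"` and `"action_email"` look copy-pasted from the subject payload and make no sense for an action, and `"enabled": True` is Python, not JSON (`true`). On the security side, the example base URL `http://localhost:35357` is plain http and `POST /moon/auth/tokens` carries a cleartext `password` in the body, so a relocated page should state that both the authz and auth endpoints are to be exposed over TLS only.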
diff --git a/keystone-moon/doc/source/extensions/oauth1.rst b/keystone-moon/doc/source/extensions/oauth1.rst deleted file mode 100644 index 29955d74..00000000 --- a/keystone-moon/doc/source/extensions/oauth1.rst +++ /dev/null 
@@ -1,49 +0,0 @@ -.. - Copyright 2011-2013 OpenStack, Foundation - All Rights Reserved. - - Licensed under the Apache License, Version 2.0 (the "License"); you may - not use this file except in compliance with the License. You may obtain - a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the - License for the specific language governing permissions and limitations - under the License. - -============================= -Enabling the OAuth1 Extension -============================= - -To enable the OAuth1 extension: - -1. Optionally, add the oauth1 extension driver to the ``[oauth1]`` section in ``keystone.conf``. For example:: - - [oauth1] - driver = sql - -2. Add the ``oauth1`` authentication method to the ``[auth]`` section in ``keystone.conf``:: - - [auth] - methods = external,password,token,oauth1 - -3. Add the ``oauth1_extension`` filter to the ``api_v3`` pipeline in - ``keystone-paste.ini``. This must be added after ``json_body`` and before - the last entry in the pipeline. For example:: - - [pipeline:api_v3] - pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension oauth1_extension service_v3 - -4. Create the OAuth1 extension tables if using the provided SQL backend. For example:: - - ./bin/keystone-manage db_sync --extension oauth1 - -5. Optionally, if deploying under an HTTPD server (i.e. Apache), set the - `WSGIPassAuthorization` to allow the OAuth Authorization headers to - pass through `mod_wsgi`. For example, add the following to the Keystone - virtual host file:: - - WSGIPassAuthorization On 
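Review bot: this hunk removes the only mention of `WSGIPassAuthorization On` in the extensions docs; step 5 is what lets the OAuth `Authorization` header reach Keystone through mod_wsgi, and without it the oauth1 flow fails under Apache with no obvious error, so whichever page takes over the extension setup should keep that step. Minor: step 2 adds `oauth1` to `[auth] methods` without the matching `oauth1 = ...` plugin line that federation.rst's step 2 shows for `saml2`/`oidc`; if the default plugin mapping covers it, say so, otherwise the step is incomplete.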
diff --git a/keystone-moon/doc/source/extensions/openidc.rst b/keystone-moon/doc/source/extensions/openidc.rst deleted file mode 100644 index f515309e..00000000 --- a/keystone-moon/doc/source/extensions/openidc.rst +++ /dev/null 
@@ -1,93 +0,0 @@ -:orphan: - -.. - Licensed under the Apache License, Version 2.0 (the "License"); you may - not use this file except in compliance with the License. You may obtain - a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the - License for the specific language governing permissions and limitations - under the License. - -==================== -Setup OpenID Connect -==================== - -Configuring mod_auth_openidc -============================ - -Federate Keystone (SP) and an external IdP using OpenID Connect (`mod_auth_openidc`_) - -.. _`mod_auth_openidc`: https://github.com/pingidentity/mod_auth_openidc - -To install `mod_auth_openidc` on Ubuntu, perform the following: - -.. code-block:: bash - - sudo apt-get install libapache2-mod-auth-openidc - -Note that this module is not available on Fedora/CentOS/Red Hat. - -In the keystone Apache site file, add the following as a top level option, to -load the `mod_auth_openidc` module: - -.. code-block:: xml - - LoadModule auth_openidc_module /usr/lib/apache2/modules/mod_auth_openidc.so - -Also within the same file, locate the virtual host entry and add the following -entries for OpenID Connect: - -.. code-block:: xml - - <VirtualHost *:5000> - - ... 
- - OIDCClaimPrefix "OIDC-" - OIDCResponseType "id_token" - OIDCScope "openid email profile" - OIDCProviderMetadataURL <url_of_provider_metadata> - OIDCClientID <openid_client_id> - OIDCClientSecret <openid_client_secret> - OIDCCryptoPassphrase openstack - OIDCRedirectURI http://localhost:5000/v3/OS-FEDERATION/identity_providers/<idp_id>/protocols/oidc/auth/redirect - - <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/oidc/auth> - AuthType openid-connect - Require valid-user - LogLevel debug - </LocationMatch> - </VirtualHost> - -Note an example of an `OIDCProviderMetadataURL` instance is: https://accounts.google.com/.well-known/openid-configuration -If not using `OIDCProviderMetadataURL`, then the following attributes -must be specified: `OIDCProviderIssuer`, `OIDCProviderAuthorizationEndpoint`, -`OIDCProviderTokenEndpoint`, `OIDCProviderTokenEndpointAuth`, -`OIDCProviderUserInfoEndpoint`, and `OIDCProviderJwksUri` - -Note, if using a mod_wsgi version less than 4.3.0, then the `OIDCClaimPrefix` -must be specified to have only alphanumerics or a dash ("-"). This is because -mod_wsgi blocks headers that do not fit this criteria. See http://modwsgi.readthedocs.org/en/latest/release-notes/version-4.3.0.html#bugs-fixed -for more details - -Once you are done, restart your Apache daemon: - -.. code-block:: bash - - $ service apache2 restart - -Tips -==== - -1. When creating a mapping, note that the 'remote' attributes will be prefixed, - with `HTTP_`, so for instance, if you set OIDCClaimPrefix to `OIDC-`, then a - typical remote value to check for is: `HTTP_OIDC_ISS`. - -2. Don't forget to add oidc as an [auth] plugin in keystone.conf, see `Step 2`_ - -.. _`Step 2`: federation.html
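Review bot: if this page is being relocated rather than dropped, the relocated vhost example should not carry `OIDCCryptoPassphrase openstack` and `LogLevel debug` inside the `<LocationMatch>` block unchanged: the passphrase is a literal that operators copy as-is, while every other secret in the block is a `<...>` placeholder (`<openid_client_secret>`), and debug logging on the federation authentication path is far more verbose than a production vhost should be. Use a `<crypto_passphrase>` placeholder and drop the `LogLevel` line from the example. The `OIDCRedirectURI` value is also plain `http://localhost:5000`, which is only sensible for a development host; the replacement should say so next to the example or use an `https://` placeholder.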
\ No newline at end of file diff --git a/keystone-moon/doc/source/extensions/revoke.rst b/keystone-moon/doc/source/extensions/revoke.rst deleted file mode 100644 index a89e359d..00000000 --- a/keystone-moon/doc/source/extensions/revoke.rst +++ /dev/null 
@@ -1,45 +0,0 @@ - .. - Licensed under the Apache License, Version 2.0 (the "License"); you may - not use this file except in compliance with the License. You may obtain - a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the - License for the specific language governing permissions and limitations - under the License. - -================================= -Enabling the Revocation Extension -================================= - -.. NOTE:: - - As of the Juno release, the example configuration files will have the - ``OS-REVOKE`` extension enabled by default, thus it is not necessary to - perform steps 1 and 2. - Also, for new installations, the revocation extension tables are already - migrated, thus it is not necessary to perform steps 3. - -1. Optionally, add the revoke extension driver to the ``[revoke]`` section - in ``keystone.conf``. For example:: - - [revoke] - driver = sql - -2. Add the required ``filter`` to the ``pipeline`` in ``keystone-paste.ini``. - This must be added after ``json_body`` and before the last entry in the - pipeline. For example:: - - [filter:revoke_extension] - paste.filter_factory = keystone.contrib.revoke.routers:RevokeExtension.factory - - [pipeline:api_v3] - pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension service_v3 - -3. Create the revocation extension tables if using the provided SQL backend. - For example:: - - ./bin/keystone-manage db_sync --extension revoke diff --git a/keystone-moon/doc/source/extensions/shibboleth.rst b/keystone-moon/doc/source/extensions/shibboleth.rst deleted file mode 100644 index d67cfa1a..00000000 
--- a/keystone-moon/doc/source/extensions/shibboleth.rst +++ /dev/null 
@@ -1,279 +0,0 @@ -:orphan: - -.. - Licensed under the Apache License, Version 2.0 (the "License"); you may - not use this file except in compliance with the License. You may obtain - a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the - License for the specific language governing permissions and limitations - under the License. - -================ -Setup Shibboleth -================ - -Configure Apache HTTPD for mod_shibboleth -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Follow the steps outlined at: `Running Keystone in HTTPD`_. - -.. _`Running Keystone in HTTPD`: ../apache-httpd.html - -You'll also need to install `Shibboleth <https://wiki.shibboleth.net/confluence/display/SHIB2/Home>`_, for -example: - -.. code-block:: bash - - $ apt-get install libapache2-mod-shib2 - -Configure your Keystone virtual host and adjust the config to properly handle SAML2 workflow: - -Add *WSGIScriptAlias* directive to your vhost configuration:: - - WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/keystone/main/$1 - -Make sure the *wsgi-keystone.conf* contains a *<Location>* directive for the Shibboleth module and -a *<Location>* directive for each identity provider:: - - <Location /Shibboleth.sso> - SetHandler shib - </Location> - - <Location /v3/OS-FEDERATION/identity_providers/idp_1/protocols/saml2/auth> - ShibRequestSetting requireSession 1 - ShibRequestSetting applicationId idp_1 - AuthType shibboleth - ShibRequireAll On - ShibRequireSession On - ShibExportAssertion Off - Require valid-user - </Location> - -.. NOTE:: - * ``saml2`` may be different in your deployment, but do not use a wildcard value. - Otherwise *every* federated protocol will be handled by Shibboleth. 
- * ``idp_1`` has to be replaced with the name associated with the idp in Keystone. - The same name is used inside the shibboleth2.xml configuration file but they could - be different. - * The ``ShibRequireSession`` and ``ShibRequireAll`` rules are invalid in - Apache 2.4+ and should be dropped in that specific setup. - * You are advised to carefully examine `Shibboleth Apache configuration - documentation - <https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig>`_ - -Enable the Keystone virtual host, for example: - -.. code-block:: bash - - $ a2ensite wsgi-keystone.conf - -Enable the ``ssl`` and ``shib2`` modules, for example: - -.. code-block:: bash - - $ a2enmod ssl - $ a2enmod shib2 - -Restart Apache, for example: - -.. code-block:: bash - - $ service apache2 restart - -Configuring shibboleth2.xml -~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Once you have your Keystone vhost (virtual host) ready, it's then time to -configure Shibboleth and upload your Metadata to the Identity Provider. - -If new certificates are required, they can be easily created by executing: - -.. code-block:: bash - - $ shib-keygen -y <number of years> - -The newly created file will be stored under ``/etc/shibboleth/sp-key.pem`` - -You should fetch your Service Provider's Metadata file. Typically this can be -achieved by simply fetching a Metadata file, for example: - -.. code-block:: bash - - $ wget --no-check-certificate -O <name of the file> https://service.example.org/Shibboleth.sso/Metadata - -Upload your Service Provider's Metadata file to your Identity Provider. -This step depends on your Identity Provider choice and is not covered here. - -Configure your Service Provider by editing ``/etc/shibboleth/shibboleth2.xml`` -file. 
You are advised to examine `Shibboleth Service Provider Configuration documentation <https://wiki.shibboleth.net/confluence/display/SHIB2/Configuration>`_ - -An example of your ``/etc/shibboleth/shibboleth2.xml`` may look like -(The example shown below is for reference only, not to be used in a production -environment): - -.. code-block:: xml - - <!-- - File configuration courtesy of http://testshib.org - - More information: - https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfiguration - --> - - <SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" - xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" clockSkew="1800 "> - - <!-- The entityID is the name TestShib made for your SP. --> - <ApplicationDefaults entityID="https://<yourhosthere>/shibboleth"> - - <!-- - You should use secure cookies if at all possible. - See cookieProps in this Wiki article. - --> - <!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessions --> - <Sessions lifetime="28800" timeout="3600" checkAddress="false" - relayState="ss:mem" handlerSSL="false"> - - <!-- Triggers a login request directly to the TestShib IdP. --> - <!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSO --> - <SSO entityID="https://<idp-url>/idp/shibboleth" ECP="true"> - SAML2 SAML1 - </SSO> - - <!-- SAML and local-only logout. --> - <!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceLogout --> - <Logout>SAML2 Local</Logout> - - <!-- - Handlers allow you to interact with the SP and gather - more information. Try them out! - Attribute value s received by the SP through SAML - will be visible at: - http://<yourhosthere>/Shibboleth.sso/Session - --> - - <!-- - Extension service that generates "approximate" metadata - based on SP configuration. - --> - <Handler type="MetadataGenerator" Location="/Metadata" - signing="false"/> - - <!-- Status reporting service. 
--> - <Handler type="Status" Location="/Status" - acl="127.0.0.1"/> - - <!-- Session diagnostic service. --> - <Handler type="Session" Location="/Session" - showAttributeValues="true"/> - <!-- JSON feed of discovery information. --> - <Handler type="DiscoveryFeed" Location="/DiscoFeed"/> - </Sessions> - - <!-- - Error pages to display to yourself if - something goes horribly wrong. - --> - <Errors supportContact ="<admin_email_address>" - logoLocation="/shibboleth-sp/logo.jpg" - styleSheet="/shibboleth-sp/main.css"/> - - <!-- - Loads and trusts a metadata file that describes only one IdP - and how to communicate with it. - --> - <MetadataProvider type="XML" uri="<idp-metadata-file>" - backingFilePath="<local idp metadata>" - reloadInterval="180000" /> - - <!-- Attribute and trust options you shouldn't need to change. --> - <AttributeExtractor type="XML" validate="true" - path="attribute-map.xml"/> - <AttributeResolver type="Query" subjectMatch="true"/> - <AttributeFilter type="XML" validate="true" - path="attribute-policy.xml"/> - - <!-- - Your SP generated these credentials. - They're used to talk to IdP's. - --> - <CredentialResolver type="File" key="sp-key.pem" - certificate="sp-cert.pem"/> - - <ApplicationOverride id="idp_1" entityID="https://<yourhosthere>/shibboleth"> - <Sessions lifetime="28800" timeout="3600" checkAddress="false" - relayState="ss:mem" handlerSSL="false"> - - <!-- Triggers a login request directly to the TestShib IdP. 
--> - <SSO entityID="https://<idp_1-url>/idp/shibboleth" ECP="true"> - SAML2 SAML1 - </SSO> - - <Logout>SAML2 Local</Logout> - </Sessions> - - <MetadataProvider type="XML" uri="<idp_1-metadata-file>" - backingFilePath="<local idp_1 metadata>" - reloadInterval="180000" /> - - </ApplicationOverride> - - <ApplicationOverride id="idp_2" entityID="https://<yourhosthere>/shibboleth"> - <Sessions lifetime="28800" timeout="3600" checkAddress="false" - relayState="ss:mem" handlerSSL="false"> - - <!-- Triggers a login request directly to the TestShib IdP. --> - <SSO entityID="https://<idp_2-url>/idp/shibboleth" ECP="true"> - SAML2 SAML1 - </SSO> - - <Logout>SAML2 Local</Logout> - </Sessions> - - <MetadataProvider type="XML" uri="<idp_2-metadata-file>" - backingFilePath="<local idp_2 metadata>" - reloadInterval="180000" /> - - </ApplicationOverride> - - </ApplicationDefaults> - - <!-- - Security policies you shouldn't change unless you - know what you're doing. - --> - <SecurityPolicyProvider type="XML" validate="true" - path="security-policy.xml"/> - - <!-- - Low-level configuration about protocols and bindings - available for use. - --> - <ProtocolProvider type="XML" validate="true" reloadChanges="false" - path="protocols.xml"/> - - </SPConfig> - -Keystone enforces `external authentication`_ when the ``REMOTE_USER`` -environment variable is present so make sure Shibboleth doesn't set the -``REMOTE_USER`` environment variable. To do so, scan through the -``/etc/shibboleth/shibboleth2.xml`` configuration file and remove the -``REMOTE_USER`` directives. - -Examine your attributes map file ``/etc/shibboleth/attributes-map.xml`` and adjust -your requirements if needed. For more information see -`attributes documentation <https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAddAttribute>`_ - -Once you are done, restart your Shibboleth daemon: - -.. _`external authentication`: ../external-auth.html - -.. 
code-block:: bash - - $ service shibd restart - $ service apache2 restart |
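Review bot: the revoke.rst deletion is consistent with its own `.. NOTE::` (OS-REVOKE enabled by default since Juno, tables already migrated for new installations), but two things should be checked before merging. First, the `[filter:revoke_extension]` stanza with `paste.filter_factory = keystone.contrib.revoke.routers:RevokeExtension.factory` in step 2 was the documented source of that paste entry; it needs to survive in the sample keystone-paste.ini or the configuration guide. Second, this page, endpoint_filter.rst, endpoint_policy.rst and federation.rst are not marked `:orphan:` (only openidc.rst and shibboleth.rst are), so the parent index that lists them in a toctree must be updated in the same change or the Sphinx build will warn about missing documents.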
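Review bot: the last paragraph of the removed shibboleth.rst is the security-relevant instruction in the file and should be carried over wherever this content goes: Keystone treats any request with `REMOTE_USER` set as external authentication, so Shibboleth must not export `REMOTE_USER`, otherwise the federated request is handled as external auth instead of going through the federation mapping. If the example `shibboleth2.xml` is carried over as well, fix the defects visible here rather than copying them: `clockSkew="1800 "` has a trailing space inside the attribute value, the prose points at `/etc/shibboleth/attributes-map.xml` while the config references `attribute-map.xml`, the `.. _`external authentication`:` target is placed between the "restart your Shibboleth daemon" sentence and its `.. code-block:: bash` (it belongs after the block), and every `<Sessions>` element sets `handlerSSL="false"` and `checkAddress="false"` directly under a comment recommending secure cookies, which the example's own "not for production" caveat should call out explicitly.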