From b8c756ecdd7cced1db4300935484e8c83701c82e Mon Sep 17 00:00:00 2001 From: WuKong Date: Tue, 30 Jun 2015 18:47:29 +0200 Subject: migrate moon code from github to opnfv Change-Id: Ice53e368fd1114d56a75271aa9f2e598e3eba604 Signed-off-by: WuKong --- .../doc/source/extensions/endpoint_filter.rst | 44 ++ .../doc/source/extensions/endpoint_policy.rst | 35 ++ keystone-moon/doc/source/extensions/federation.rst | 66 +++ keystone-moon/doc/source/extensions/moon.rst | 145 +++++ keystone-moon/doc/source/extensions/moon_api.rst | 628 +++++++++++++++++++++ keystone-moon/doc/source/extensions/oauth1.rst | 50 ++ keystone-moon/doc/source/extensions/openidc.rst | 93 +++ keystone-moon/doc/source/extensions/revoke.rst | 45 ++ keystone-moon/doc/source/extensions/shibboleth.rst | 279 +++++++++ 9 files changed, 1385 insertions(+) create mode 100644 keystone-moon/doc/source/extensions/endpoint_filter.rst create mode 100644 keystone-moon/doc/source/extensions/endpoint_policy.rst create mode 100644 keystone-moon/doc/source/extensions/federation.rst create mode 100644 keystone-moon/doc/source/extensions/moon.rst create mode 100644 keystone-moon/doc/source/extensions/moon_api.rst create mode 100644 keystone-moon/doc/source/extensions/oauth1.rst create mode 100644 keystone-moon/doc/source/extensions/openidc.rst create mode 100644 keystone-moon/doc/source/extensions/revoke.rst create mode 100644 keystone-moon/doc/source/extensions/shibboleth.rst (limited to 'keystone-moon/doc/source/extensions') diff --git a/keystone-moon/doc/source/extensions/endpoint_filter.rst b/keystone-moon/doc/source/extensions/endpoint_filter.rst new file mode 100644 index 00000000..66198503 --- /dev/null +++ b/keystone-moon/doc/source/extensions/endpoint_filter.rst @@ -0,0 +1,44 @@ +.. + Copyright 2011-2013 OpenStack, Foundation + All Rights Reserved. + + Licensed under the Apache License, Version 2.0 (the "License"); you may + not use this file except in compliance with the License. You may obtain + a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + License for the specific language governing permissions and limitations + under the License. + +====================================== +Enabling the Endpoint Filter Extension +====================================== + +To enable the endpoint filter extension: + +1. Add the endpoint filter extension catalog driver to the ``[catalog]`` section + in ``keystone.conf``. For example:: + + [catalog] + driver = keystone.contrib.endpoint_filter.backends.catalog_sql.EndpointFilterCatalog + +2. Add the ``endpoint_filter_extension`` filter to the ``api_v3`` pipeline in + ``keystone-paste.ini``. This must be added after ``json_body`` and before + the last entry in the pipeline. For example:: + + [pipeline:api_v3] + pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension endpoint_filter_extension service_v3 + +3. Create the endpoint filter extension tables if using the provided sql backend. For example:: + + ./bin/keystone-manage db_sync --extension endpoint_filter + +4. Optionally, change ``return_all_endpoints_if_no_filter`` the ``[endpoint_filter]`` section + in ``keystone.conf`` to return an empty catalog if no associations are made. For example:: + + [endpoint_filter] + return_all_endpoints_if_no_filter = False diff --git a/keystone-moon/doc/source/extensions/endpoint_policy.rst b/keystone-moon/doc/source/extensions/endpoint_policy.rst new file mode 100644 index 00000000..86ff2264 --- /dev/null +++ b/keystone-moon/doc/source/extensions/endpoint_policy.rst @@ -0,0 +1,35 @@ +.. + Licensed under the Apache License, Version 2.0 (the "License"); you may + not use this file except in compliance with the License. You may obtain + a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + License for the specific language governing permissions and limitations + under the License. + +====================================== +Enabling the Endpoint Policy Extension +====================================== + +To enable the endpoint policy extension: + +1. Optionally, add the endpoint policy extension driver to the + ``[endpoint_policy]`` section in ``keystone.conf``. For example:: + + [endpoint_policy] + driver = keystone.contrib.endpoint_policy.backends.sql.EndpointPolicy + +2. Add the ``endpoint_policy_extension`` policy to the ``api_v3`` pipeline in + ``keystone-paste.ini``. This must be added after ``json_body`` and before + the last entry in the pipeline. For example:: + + [pipeline:api_v3] + pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension service_v3 endpoint_policy_extension service_v3 + +3. Create the endpoint policy extension tables if using the provided SQL backend. For example:: + + ./bin/keystone-manage db_sync --extension endpoint_policy diff --git a/keystone-moon/doc/source/extensions/federation.rst b/keystone-moon/doc/source/extensions/federation.rst new file mode 100644 index 00000000..f1b5baa9 --- /dev/null +++ b/keystone-moon/doc/source/extensions/federation.rst @@ -0,0 +1,66 @@ +.. + Copyright 2014 OpenStack, Foundation + All Rights Reserved. + + Licensed under the Apache License, Version 2.0 (the "License"); you may + not use this file except in compliance with the License. You may obtain + a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + License for the specific language governing permissions and limitations + under the License. + +================================== +Enabling the Federation Extension +================================== + +To enable the federation extension: + +1. Add the federation extension driver to the ``[federation]`` section in + ``keystone.conf``. For example:: + + [federation] + driver = keystone.contrib.federation.backends.sql.Federation + +2. Add the ``saml2`` and/or ``oidc`` authentication methods to the ``[auth]`` + section in ``keystone.conf``:: + + [auth] + methods = external,password,token,saml2,oidc + saml2 = keystone.auth.plugins.mapped.Mapped + oidc = keystone.auth.plugins.mapped.Mapped + +.. NOTE:: + The ``external`` method should be dropped to avoid any interference with + some Apache + Shibboleth SP setups, where a ``REMOTE_USER`` env variable is + always set, even as an empty value. + +3. Add the ``federation_extension`` middleware to the ``api_v3`` pipeline in + ``keystone-paste.ini``. This must be added after ``json_body`` and before + the last entry in the pipeline. For example:: + + [pipeline:api_v3] + pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension service_v3 + +4. Create the federation extension tables if using the provided SQL backend. + For example:: + + ./bin/keystone-manage db_sync --extension federation + +5. As of the Juno release, multiple Keystone deployments can now be federated. + To do so, the `pysaml2 `_ library is + required. Since OS-FEDERATION is an extension, ``pysaml2`` is not installed + by default, it must be installed manually. For example:: + + pip install --upgrade $(grep pysaml2 test-requirements.txt) + + Also, the `xmlsec1` command line tool is needed to sign the SAML assertions + generated by the Keystone Identity Provider: + + .. code-block:: bash + + $ apt-get install xmlsec1 diff --git a/keystone-moon/doc/source/extensions/moon.rst b/keystone-moon/doc/source/extensions/moon.rst new file mode 100644 index 00000000..fc862675 --- /dev/null +++ b/keystone-moon/doc/source/extensions/moon.rst @@ -0,0 +1,145 @@ +.. + Copyright 2015 Orange + All Rights Reserved. + + Licensed under the Apache License, Version 2.0 (the "License"); you may + not use this file except in compliance with the License. You may obtain + a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + License for the specific language governing permissions and limitations + under the License. + +============ +Moon backend +============ + +Before doing anything, you must test your installation and check that your infrastructure is working. +For example, check that you can create new virtual machines with admin and demo login. + +Configuration +------------- + +Moon is a contribute backend so you have to enable it by modifying /etc/keystone/keystone-paste.ini, like this: + +.. code-block:: ini + + [filter:moon] + paste.filter_factory = keystone.contrib.moon.routers:Admin.factory + + ... + + [pipeline:public_api] + # The last item in this pipeline must be public_service or an equivalent + # application. It cannot be a filter. + pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body ec2_extension user_crud_extension moon public_service + + [pipeline:admin_api] + # The last item in this pipeline must be admin_service or an equivalent + # application. It cannot be a filter. + pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension crud_extension moon admin_service + + [pipeline:api_v3] + # The last item in this pipeline must be service_v3 or an equivalent + # application. It cannot be a filter. + pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension moon service_v3 + + ... + +You must modify /etc/keystone/keystone.conf as you need (see at the end of the file) and copy the following directories: + +.. code-block:: sh + + cp -R /opt/stack/keystone/examples/moon/policies/ /etc/keystone/ + cp -R /opt/stack/keystone/examples/moon/super_extension/ /etc/keystone/ + +You can now update the Keystone database and create the directory for logs and restart the Keystone service: + +.. code-block:: sh + + cd /opt/stack/keystone + ./bin/keystone-manage db_sync --extension moon + sudo mkdir /var/log/moon/ + sudo chown vagrant /var/log/moon/ + sudo service apache2 restart + +You have to install our version of keystonemiddleware https://github.com/rebirthmonkey/keystonemiddleware : + +.. code-block:: sh + + cd + git clone https://github.com/rebirthmonkey/keystonemiddleware.git + cd keystonemiddleware + sudo python setup.py install + +At this time, the only method to configure Moon is to use the python-moonclient which is a console based client: + +.. code-block:: sh + + cd + git clone https://github.com/rebirthmonkey/moonclient.git + cd moonclient + sudo python setup.py install + +If afterwards, you have some problem restarting nova-api, try removing the package python-six: + +.. code-block:: sh + + sudo apt-get remove python-six + + +Nova must be configured to send request to Keystone, you have to modify /etc/nova/api-paste.ini : + +.. code-block:: ini + + ... + + [composite:openstack_compute_api_v2] + use = call:nova.api.auth:pipeline_factory + noauth = compute_req_id faultwrap sizelimit noauth ratelimit osapi_compute_app_v2 + noauth2 = compute_req_id faultwrap sizelimit noauth2 ratelimit osapi_compute_app_v2 + keystone = compute_req_id faultwrap sizelimit authtoken keystonecontext moon ratelimit osapi_compute_app_v2 + keystone_nolimit = compute_req_id faultwrap sizelimit authtoken keystonecontext moon osapi_compute_app_v2 + + [composite:openstack_compute_api_v21] + use = call:nova.api.auth:pipeline_factory_v21 + noauth = compute_req_id faultwrap sizelimit noauth osapi_compute_app_v21 + noauth2 = compute_req_id faultwrap sizelimit noauth2 osapi_compute_app_v21 + keystone = compute_req_id faultwrap sizelimit authtoken keystonecontext moon osapi_compute_app_v21 + + [composite:openstack_compute_api_v3] + use = call:nova.api.auth:pipeline_factory_v21 + noauth = request_id faultwrap sizelimit noauth_v3 osapi_compute_app_v3 + noauth2 = request_id faultwrap sizelimit noauth_v3 osapi_compute_app_v3 + keystone = request_id faultwrap sizelimit authtoken keystonecontext moon osapi_compute_app_v3 + + ... + + [filter:moon] + paste.filter_factory = keystonemiddleware.authz:filter_factory + +If Swift is also installed, you have to configured it, in /etc/swift/proxy-server.conf : + +.. code-block:: ini + + ... + + [pipeline:main] + pipeline = catch_errors gatekeeper healthcheck proxy-logging cache container_sync bulk tempurl ratelimit crossdomain authtoken keystoneauth tempauth formpost staticweb container-quotas account-quotas slo dlo proxy-logging moon proxy-server + + ... + + [filter:moon] + paste.filter_factory = keystonemiddleware.authz:filter_factory + +Nova and Swift must be restarted after that, depending on your configuration, you will have to use 'screen' (if using devstack) +or 'service' on those daemons : nova-api and swift-proxy + +Usage +----- + +TODO \ No newline at end of file diff --git a/keystone-moon/doc/source/extensions/moon_api.rst b/keystone-moon/doc/source/extensions/moon_api.rst new file mode 100644 index 00000000..1f7ad10b --- /dev/null +++ b/keystone-moon/doc/source/extensions/moon_api.rst @@ -0,0 +1,628 @@ +Moon API +======== + +Here are Moon API with some examples of posted data and returned data. + +Intra-Extension API +------------------- + +Authz +~~~~~ + +* ``GET /OS-MOON/authz/{tenant_id}/{subject_id}/{object_id}/{action_id}`` + +.. code-block:: json + + return = { + "authz": "OK/KO/OutOfScope", + "tenant_id": "tenant_id", + "subject_id": "subject_id", + "object_id": "object_id", + "action_id": "action_id" + } + +Intra_Extension +~~~~~~~~~~~~~~~ + +* ``GET /OS-MOON/authz_policies`` + +.. code-block:: json + + return = { + "authz_policies": ["policy_name1", "policy_name2"] + } + +* ``GET /OS-MOON/intra_extensions`` + +.. code-block:: json + + return = { + "intra_extensions": ["ie_uuid1", "ie_uuid2"] + } + +* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}`` + +.. code-block:: json + + return = { + "intra_extensions": { + "id": "uuid1", + "description": "", + "tenant": "tenant_uuid", + "model": "", + "genre": "", + "authz": {}, + "admin": {} + } + } + +* ``POST /OS-MOON/intra_extensions`` + +.. code-block:: json + + post = { + "name" : "", + "policymodel": "", + "description": "" + } + return = { + "id": "uuid1", + "description": "", + "tenant": "tenant_uuid", + "model": "", + "genre": "", + "authz": {}, + "admin": {} + } + +* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}`` + +* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/tenant`` + +.. code-block:: json + + return = { + "tenant": "tenant_id" + } + +* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/tenant`` + +.. code-block:: json + + post = { + "tenant_id": "tenant_id" + } + return = { + "tenant": "tenant_id" + } + +* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}/tenant/{tenant_id}`` + +Perimeter +~~~~~~~~~ + +* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/subjects`` + +.. code-block:: json + + return = { + "subjects": ["sub_uuid1", "sub_uuid2"] + } + +* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/subjects`` + +.. code-block:: json + + post = { + "subject_id" : "" + } + return = { + "subjects": ["sub_uuid1", "sub_uuid2"] + } + +* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}/subject/{subject_id}`` + +* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/objects`` + +.. code-block:: json + + return = { + "objects": ["obj_uuid1", "obj_uuid2"] + } + +* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/objects`` + +.. code-block:: json + + post = { + "object_id" : "" + } + return = { + "objects": ["obj_uuid1", "obj_uuid2"] + } + +* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}/object/{object_id}`` + +* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/actions`` + +.. code-block:: json + + return = { + "actions": ["act_uuid1", "act_uuid2"] + } + +* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/actions`` + +.. code-block:: json + + post = { + "action_id" : "" + } + return = { + "actions": ["act_uuid1", "act_uuid2"] + } + +* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}/actions/{action_id}`` + +Assignment +~~~~~~~~~~ + +* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/subject_assignments`` + +.. code-block:: json + + return = { + "subject_assignments": { + "subject_security_level":{ + "user1": ["low"], + "user2": ["medium"], + "user3": ["high"] + } + } + +* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/subject_assignments`` + +.. code-block:: json + + post = { + "subject_id" : "", + "subject_category_id" : "", + "subject_category_scope_id" : "" + } + return = { + "subject_assignments": { + "subject_security_level":{ + "user1": ["low"], + "user2": ["medium"], + "user3": ["high"] + } + } + +* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}/subject_assignments/{subject_category}/{subject_id}/{subject_scope}`` + +* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/object_assignments`` + +.. code-block:: json + + return = { + "object_assignments": { + "object_security_level":{ + "vm1": ["low"], + "vm2": ["medium"], + "vm3": ["high"] + } + } + +* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/object_assignments`` + +.. code-block:: json + + post = { + "object_id" : "", + "object_category_id" : "", + "object_category_scope_id" : "" + } + return = { + "object_assignments": { + "object_security_level":{ + "vm1": ["low"], + "vm2": ["medium"], + "vm3": ["high"] + } + } + +* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}/object_assignments/{object_category}/{object_id}/{object_scope}`` + +* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/action_assignments`` + +.. code-block:: json + + return = { + "action_assignments": { + "computing_action":{ + "pause": ["vm_admin"], + "unpause": ["vm_admin"], + "start": ["vm_admin"], + "stop": ["vm_admin"] + } + } + +* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/action_assignments`` + +.. code-block:: json + + post = { + "action_id" : "", + "action_category_id" : "", + "action_category_scope_id" : "" + } + return = { + "action_assignments": { + "computing_action":{ + "pause": ["vm_admin"], + "unpause": ["vm_admin"], + "start": ["vm_admin"], + "stop": ["vm_admin"] + } + } + +* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}/action_assignments/{action_category}/{action_id}/{action_scope}`` + +Metadata +~~~~~~~~ + +* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/subject_categories`` + +.. code-block:: json + + return = { + "subject_categories": [ "subject_security_level" ] + } + +* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/subject_categories`` + +.. code-block:: json + + post = { + "subject_category_id" : "" + } + return = { + "subject_categories": [ "subject_security_level" ] + } + +* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}/subject_categories/{subject_category_id}`` + +* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/object_categories`` + +.. code-block:: json + + return = { + "object_categories": [ "object_security_level" ] + } + +* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/object_categories`` + +.. code-block:: json + + post = { + "object_category_id" : "" + } + return = { + "object_categories": [ "object_security_level" ] + } + +* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}/object_categories/{object_category_id}`` + +* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/action_categories`` + +.. code-block:: json + + return = { + "action_categories": [ "computing_action" ] + } + + +* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/action_categories`` + +.. code-block:: json + + post = { + "action_category_id" : "" + } + return = { + "action_categories": [ "computing_action" ] + } + +* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}/action_categories/{action_category_id}`` + +Scope +~~~~~ + +* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/subject_category_scope`` + +.. code-block:: json + + return = { + "subject_security_level": [ "high", "medium", "low" ] + } + +* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/subject_category_scope`` + +.. code-block:: json + + post = { + "subject_category_id" : "", + "subject_category_scope_id" : "" + } + return = { + "subject_security_level": [ "high", "medium", "low" ] + } + +* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}/subject_category_scope/{subject_category}/{subject_scope}`` + +* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/object_category_scope`` + +.. code-block:: json + + return = { + "object_security_level": [ "high", "medium", "low" ] + } + +* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/object_category_scope`` + +.. code-block:: json + + post = { + "object_category_id" : "", + "object_category_scope_id" : "" + } + return = { + "object_security_level": [ "high", "medium", "low" ] + } + +* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}/object_category_scope/{object_category}/{object_scope}`` + +* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/action_category_scope`` + +.. code-block:: json + + return = { + "computing_action": [ "vm_admin", "vm_access" ] + } + +* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/action_category_scope`` + +.. code-block:: json + + post = { + "action_id" : "", + "action_category_id" : "", + "action_category_scope_id" : "" + } + return = { + "computing_action": [ "vm_admin", "vm_access" ] + } + +* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}/action_category_scope/{action_category}/{action_scope}`` + +Metarule +~~~~~~~~ + +* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/aggregation_algorithms`` + +.. code-block:: json + + return = { + "aggregation_algorithms": [ "and_true_aggregation", "..."] + } + +* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/aggregation_algorithm`` + +.. code-block:: json + + return = { + "aggregation_algorithm": "and_true_aggregation" + } + +* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/aggregation_algorithm`` + +.. code-block:: json + + post = { + "aggregation": "and_true_aggregation" + } + return = { + "aggregation_algorithm": "and_true_aggregation" + } + +* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/sub_meta_rule`` + +.. code-block:: json + + return = { + "sub_meta_rule": { + "subject_categories": ["role"], + "action_categories": ["ie_action"], + "object_categories": ["id"], + "relation": "relation_super" + } + } + +* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/sub_meta_rule`` + +.. code-block:: json + + post = { + "relation_super": { + "subject_categories": ["role"], + "action_categories": ["ie_action"], + "object_categories": ["id"], + } + } + return = { + "sub_meta_rule": { + "subject_categories": ["role"], + "action_categories": ["ie_action"], + "object_categories": ["id"], + "relation": "relation_super" + } + } + +* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/sub_meta_rule_relations`` + +.. code-block:: json + + return = { + "sub_meta_rule_relations": ["relation_super", ] + } + +Rules +~~~~~ + +* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/sub_rules`` + +.. code-block:: json + + return = { + "sub_rules": { + "relation_super": [ + ["high", "vm_admin", "medium"], + ["high", "vm_admin", "low"], + ["medium", "vm_admin", "low"], + ["high", "vm_access", "high"], + ["high", "vm_access", "medium"], + ["high", "vm_access", "low"], + ["medium", "vm_access", "medium"], + ["medium", "vm_access", "low"], + ["low", "vm_access", "low"] + ] + } + } + +* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/sub_rules`` + +.. code-block:: json + + post = { + "rules": ["admin", "vm_admin", "servers"], + "relation": "relation_super" + } + +* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}/sub_rules/{relation_name}/{rule}`` + + +Tenant mapping API +------------------ + +* ``GET /OS-MOON/tenants`` + +.. code-block:: json + + return = { + "tenant": { + "uuid1": { + "name": "tenant1", + "authz": "intra_extension_uuid1", + "admin": "intra_extension_uuid2" + }, + "uuid2": { + "name": "tenant2", + "authz": "intra_extension_uuid1", + "admin": "intra_extension_uuid2" + } + } + } + +* ``GET /OS-MOON/tenant/{tenant_uuid}`` + +.. code-block:: json + + return = { + "tenant": { + "uuid": { + "name": "tenant1", + "authz": "intra_extension_uuid1", + "admin": "intra_extension_uuid2" + } + } + } + +* ``POST /OS-MOON/tenant`` + +.. code-block:: json + + post = { + "id": "uuid", + "name": "tenant1", + "authz": "intra_extension_uuid1", + "admin": "intra_extension_uuid2" + } + return = { + "tenant": { + "uuid": { + "name": "tenant1", + "authz": "intra_extension_uuid1", + "admin": "intra_extension_uuid2" + } + } + } + +* ``DELETE /OS-MOON/tenant/{tenant_uuid}/{intra_extension_uuid}`` + +.. code-block:: json + + return = {} + +Logs API +-------- + +* ``GET /OS-MOON/logs`` + +InterExtension API +------------------ + +* ``GET /OS-MOON/inter_extensions`` + +.. code-block:: json + + return = { + "inter_extensions": ["ie_uuid1", "ie_uuid2"] + } + +* ``GET /OS-MOON/inter_extensions/{inter_extensions_id}`` + +.. code-block:: json + + return = { + "inter_extensions": { + "id": "uuid1", + "description": "", + "requesting_intra_extension_uuid": "uuid1", + "requested_intra_extension_uuid": "uuid2", + "genre": "trust_OR_coordinate", + "virtual_entity_uuid": "ve_uuid1" + } + } + +* ``POST /OS-MOON/inter_extensions`` + +.. code-block:: json + + post = { + "description": "", + "requesting_intra_extension_uuid": uuid1, + "requested_intra_extension_uuid": uuid2, + "genre": "trust_OR_coordinate", + "virtual_entity_uuid": "ve_uuid1" + } + return = { + "id": "uuid1", + "description": "", + "requesting_intra_extension_uuid": uuid1, + "requested_intra_extension_uuid": uuid2, + "genre": "trust_OR_coordinate", + "virtual_entity_uuid": "ve_uuid1" + } + +* ``DELETE /OS-MOON/inter_extensions/{inter_extensions_id}`` + diff --git a/keystone-moon/doc/source/extensions/oauth1.rst b/keystone-moon/doc/source/extensions/oauth1.rst new file mode 100644 index 00000000..c89ee126 --- /dev/null +++ b/keystone-moon/doc/source/extensions/oauth1.rst @@ -0,0 +1,50 @@ +.. + Copyright 2011-2013 OpenStack, Foundation + All Rights Reserved. + + Licensed under the Apache License, Version 2.0 (the "License"); you may + not use this file except in compliance with the License. You may obtain + a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + License for the specific language governing permissions and limitations + under the License. + +============================= +Enabling the OAuth1 Extension +============================= + +To enable the OAuth1 extension: + +1. Optionally, add the oauth1 extension driver to the ``[oauth1]`` section in ``keystone.conf``. For example:: + + [oauth1] + driver = keystone.contrib.oauth1.backends.sql.OAuth1 + +2. Add the ``oauth1`` authentication method to the ``[auth]`` section in ``keystone.conf``:: + + [auth] + methods = external,password,token,oauth1 + oauth1 = keystone.auth.plugins.oauth1.OAuth + +3. Add the ``oauth1_extension`` filter to the ``api_v3`` pipeline in + ``keystone-paste.ini``. This must be added after ``json_body`` and before + the last entry in the pipeline. For example:: + + [pipeline:api_v3] + pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension oauth1_extension service_v3 + +4. Create the OAuth1 extension tables if using the provided SQL backend. For example:: + + ./bin/keystone-manage db_sync --extension oauth1 + +5. Optionally, if deploying under an HTTPD server (i.e. Apache), set the + `WSGIPassAuthorization` to allow the OAuth Authorization headers to + pass through `mod_wsgi`. For example, add the following to the Keystone + virtual host file:: + + WSGIPassAuthorization On diff --git a/keystone-moon/doc/source/extensions/openidc.rst b/keystone-moon/doc/source/extensions/openidc.rst new file mode 100644 index 00000000..f515309e --- /dev/null +++ b/keystone-moon/doc/source/extensions/openidc.rst @@ -0,0 +1,93 @@ +:orphan: + +.. + Licensed under the Apache License, Version 2.0 (the "License"); you may + not use this file except in compliance with the License. You may obtain + a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + License for the specific language governing permissions and limitations + under the License. + +==================== +Setup OpenID Connect +==================== + +Configuring mod_auth_openidc +============================ + +Federate Keystone (SP) and an external IdP using OpenID Connect (`mod_auth_openidc`_) + +.. _`mod_auth_openidc`: https://github.com/pingidentity/mod_auth_openidc + +To install `mod_auth_openidc` on Ubuntu, perform the following: + +.. code-block:: bash + + sudo apt-get install libapache2-mod-auth-openidc + +Note that this module is not available on Fedora/CentOS/Red Hat. + +In the keystone Apache site file, add the following as a top level option, to +load the `mod_auth_openidc` module: + +.. code-block:: xml + + LoadModule auth_openidc_module /usr/lib/apache2/modules/mod_auth_openidc.so + +Also within the same file, locate the virtual host entry and add the following +entries for OpenID Connect: + +.. code-block:: xml + + + + ... + + OIDCClaimPrefix "OIDC-" + OIDCResponseType "id_token" + OIDCScope "openid email profile" + OIDCProviderMetadataURL + OIDCClientID + OIDCClientSecret + OIDCCryptoPassphrase openstack + OIDCRedirectURI http://localhost:5000/v3/OS-FEDERATION/identity_providers//protocols/oidc/auth/redirect + + + AuthType openid-connect + Require valid-user + LogLevel debug + + + +Note an example of an `OIDCProviderMetadataURL` instance is: https://accounts.google.com/.well-known/openid-configuration +If not using `OIDCProviderMetadataURL`, then the following attributes +must be specified: `OIDCProviderIssuer`, `OIDCProviderAuthorizationEndpoint`, +`OIDCProviderTokenEndpoint`, `OIDCProviderTokenEndpointAuth`, +`OIDCProviderUserInfoEndpoint`, and `OIDCProviderJwksUri` + +Note, if using a mod_wsgi version less than 4.3.0, then the `OIDCClaimPrefix` +must be specified to have only alphanumerics or a dash ("-"). This is because +mod_wsgi blocks headers that do not fit this criteria. See http://modwsgi.readthedocs.org/en/latest/release-notes/version-4.3.0.html#bugs-fixed +for more details + +Once you are done, restart your Apache daemon: + +.. code-block:: bash + + $ service apache2 restart + +Tips +==== + +1. When creating a mapping, note that the 'remote' attributes will be prefixed, + with `HTTP_`, so for instance, if you set OIDCClaimPrefix to `OIDC-`, then a + typical remote value to check for is: `HTTP_OIDC_ISS`. + +2. Don't forget to add oidc as an [auth] plugin in keystone.conf, see `Step 2`_ + +.. _`Step 2`: federation.html \ No newline at end of file diff --git a/keystone-moon/doc/source/extensions/revoke.rst b/keystone-moon/doc/source/extensions/revoke.rst new file mode 100644 index 00000000..e8a25ce9 --- /dev/null +++ b/keystone-moon/doc/source/extensions/revoke.rst @@ -0,0 +1,45 @@ + .. + Licensed under the Apache License, Version 2.0 (the "License"); you may + not use this file except in compliance with the License. You may obtain + a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + License for the specific language governing permissions and limitations + under the License. + +================================= +Enabling the Revocation Extension +================================= + +.. NOTE:: + + As of the Juno release, the example configuration files will have the + ``OS-REVOKE`` extension enabled by default, thus it is not necessary to + perform steps 1 and 2. + Also, for new installations, the revocation extension tables are already + migrated, thus it is not necessary to perform steps 3. + +1. Optionally, add the revoke extension driver to the ``[revoke]`` section + in ``keystone.conf``. For example:: + + [revoke] + driver = keystone.contrib.revoke.backends.sql.Revoke + +2. Add the required ``filter`` to the ``pipeline`` in ``keystone-paste.ini``. + This must be added after ``json_body`` and before the last entry in the + pipeline. For example:: + + [filter:revoke_extension] + paste.filter_factory = keystone.contrib.revoke.routers:RevokeExtension.factory + + [pipeline:api_v3] + pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension service_v3 + +3. Create the revocation extension tables if using the provided SQL backend. + For example:: + + ./bin/keystone-manage db_sync --extension revoke diff --git a/keystone-moon/doc/source/extensions/shibboleth.rst b/keystone-moon/doc/source/extensions/shibboleth.rst new file mode 100644 index 00000000..d67cfa1a --- /dev/null +++ b/keystone-moon/doc/source/extensions/shibboleth.rst @@ -0,0 +1,279 @@ +:orphan: + +.. + Licensed under the Apache License, Version 2.0 (the "License"); you may + not use this file except in compliance with the License. You may obtain + a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + License for the specific language governing permissions and limitations + under the License. + +================ +Setup Shibboleth +================ + +Configure Apache HTTPD for mod_shibboleth +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Follow the steps outlined at: `Running Keystone in HTTPD`_. + +.. _`Running Keystone in HTTPD`: ../apache-httpd.html + +You'll also need to install `Shibboleth `_, for +example: + +.. code-block:: bash + + $ apt-get install libapache2-mod-shib2 + +Configure your Keystone virtual host and adjust the config to properly handle SAML2 workflow: + +Add *WSGIScriptAlias* directive to your vhost configuration:: + + WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/keystone/main/$1 + +Make sure the *wsgi-keystone.conf* contains a ** directive for the Shibboleth module and +a ** directive for each identity provider:: + + + SetHandler shib + + + + ShibRequestSetting requireSession 1 + ShibRequestSetting applicationId idp_1 + AuthType shibboleth + ShibRequireAll On + ShibRequireSession On + ShibExportAssertion Off + Require valid-user + + +.. NOTE:: + * ``saml2`` may be different in your deployment, but do not use a wildcard value. + Otherwise *every* federated protocol will be handled by Shibboleth. + * ``idp_1`` has to be replaced with the name associated with the idp in Keystone. + The same name is used inside the shibboleth2.xml configuration file but they could + be different. + * The ``ShibRequireSession`` and ``ShibRequireAll`` rules are invalid in + Apache 2.4+ and should be dropped in that specific setup. + * You are advised to carefully examine `Shibboleth Apache configuration + documentation + `_ + +Enable the Keystone virtual host, for example: + +.. code-block:: bash + + $ a2ensite wsgi-keystone.conf + +Enable the ``ssl`` and ``shib2`` modules, for example: + +.. code-block:: bash + + $ a2enmod ssl + $ a2enmod shib2 + +Restart Apache, for example: + +.. code-block:: bash + + $ service apache2 restart + +Configuring shibboleth2.xml +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Once you have your Keystone vhost (virtual host) ready, it's then time to +configure Shibboleth and upload your Metadata to the Identity Provider. + +If new certificates are required, they can be easily created by executing: + +.. code-block:: bash + + $ shib-keygen -y + +The newly created file will be stored under ``/etc/shibboleth/sp-key.pem`` + +You should fetch your Service Provider's Metadata file. Typically this can be +achieved by simply fetching a Metadata file, for example: + +.. code-block:: bash + + $ wget --no-check-certificate -O https://service.example.org/Shibboleth.sso/Metadata + +Upload your Service Provider's Metadata file to your Identity Provider. +This step depends on your Identity Provider choice and is not covered here. + +Configure your Service Provider by editing ``/etc/shibboleth/shibboleth2.xml`` +file. You are advised to examine `Shibboleth Service Provider Configuration documentation `_ + +An example of your ``/etc/shibboleth/shibboleth2.xml`` may look like +(The example shown below is for reference only, not to be used in a production +environment): + +.. code-block:: xml + + + + + + + + + + + + + + + + SAML2 SAML1 + + + + + SAML2 Local + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SAML2 SAML1 + + + SAML2 Local + + + + + + + + + + + + SAML2 SAML1 + + + SAML2 Local + + + + + + + + + + + + + + + + +Keystone enforces `external authentication`_ when the ``REMOTE_USER`` +environment variable is present so make sure Shibboleth doesn't set the +``REMOTE_USER`` environment variable. To do so, scan through the +``/etc/shibboleth/shibboleth2.xml`` configuration file and remove the +``REMOTE_USER`` directives. + +Examine your attributes map file ``/etc/shibboleth/attributes-map.xml`` and adjust +your requirements if needed. For more information see +`attributes documentation `_ + +Once you are done, restart your Shibboleth daemon: + +.. _`external authentication`: ../external-auth.html + +.. code-block:: bash + + $ service shibd restart + $ service apache2 restart -- cgit 1.2.3-korg