#!/usr/bin/python
import logging
from oslo_config import cfg
import oslo_i18n
oslo_i18n.enable_lazy()
from keystone.common import environment

#!/bin/bash
# Prerequisites:
# It runs on devstack using the Mitaka release of OpenStack
# Some OS_ environment variables are required, so run "# source openrc" before benchmarking
STACK_USER='stack'
CHECKOUT='git fetch git://git.openstack.org/openstack/keystone refs/changes/46/309146/14 && git checkout FETCH_HEAD'
AUTH_DATA='{"auth":{"identity":{"methods":["password"],"password":{"user":{"name":"'$OS_USERNAME'","domain":{"id":"default"},"password":"'$OS_PASSWORD'"}}},"scope":{"project":{"name":"'$OS_PROJECT_NAME'","domain":{"id":"default"}}}}}'

Here and below, "resource" means a project or anything else that can be protected by policy enforcement.
Enforce means checking whether the requested action is permitted on the resource.
Policy means a rule describing the access requirements, based on role permissions, for acting on a resource.
Role means an assignable attribute of an identity that is used for access control.
Identity is a representation of an actor, who associates with the identity through authentication.
Two parts do this: oslo.policy.enforce and the keystone token handling.
Enforce checks whether the scope provided along with the identity in the token contains a role and resource matching the role and resource
in the policy, in order to allow access to perform a certain operation.

Add new driver versions for assignment and trust backends as in https://review.openstack.org/#/c/305315/
Think about tokens that can't be stolen
Federation: agreed to add API calls to check for user existence, "dry-run", pre-create shadow user
Delegation chain should be repaired during a token validation.
Add reparent operation (if admin is fired)
Closure table for tree.
Joining delegations is prohibited (should reparent).

import abc
import six
import importlib
@six.add_metaclass(abc.ABCMeta)
class Interface(object):
    @abc.abstractmethod
    def meth(self, int_parameter, string_parameter='default'):