Alexander Makarov x-eye
x-eye
/ print-keystone-api.py
Created
August 26, 2016 08:25
Traverse paste app tree to extract URL schema
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| import logging | |
| from oslo_config import cfg | |
| import oslo_i18n | |
| oslo_i18n.enable_lazy() | |
| from keystone.common import environment |
x-eye
/ pre-cache-tokens-benchmark.sh
Last active
August 17, 2016 17:37
Performance benchmark for https://review.openstack.org/#/c/309146/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Prerequisites: | |
| # It runs on devstack using Mitaka release of OpenStack | |
| # Some OS_ environment valiables are required, so run "# source openrc" before benchmarking | |
| STACK_USER='stack' | |
| CHECKOUT='git fetch git://git.openstack.org/openstack/keystone refs/changes/46/309146/14 && git checkout FETCH_HEAD' | |
| AUTH_DATA='{"auth":{"identity":{"methods":["password"],"password":{"user":{"name":"'$OS_USERNAME'","domain":{"id":"default"},"password":"'$OS_PASSWORD'"}}},"scope":{"project":{"name":"'$OS_PROJECT_NAME'","domain":{"id":"default"}}}}}' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Here and below "resource" means a project and whatever else that can be protected by policy enforcement. | |
| Enforce means checking if the requested action is permitted on the resource. | |
| Policy means a rule describing access requirement based on role permissions to act on a resource. | |
| Role means an identity's assignable attribute serving for access control purposes. | |
| Identity is an image of an actor that assosiates himself to identity through authentication. | |
| There are 2 parts doing it: oslo.policy.enforce and keystone token stuff. | |
| Enforce checks if the scope provided along with identity in the token contains a role and resource matching role and resource | |
| in the policy in order to allow access to perform certain operation. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Add new driver versions for assignment and trust backends as in https://review.openstack.org/#/c/305315/ | |
| Think about tokens that can't be stolen | |
| Federation: agreed to add API calls to check for user existence, "dry-run", pre-create shadow user | |
| Delegation chain should be repaired during a token validation. | |
| Add reparent operation (if admin is fired) | |
| Closure table for tree. | |
| Joining delegations is prohibited (should reparent). |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import abc | |
| import six | |
| import importlib | |
| @six.add_metaclass(abc.ABCMeta) | |
| class Interface(object): | |
| @abc.abstractmethod | |
| def meth(self, int_parameter, string_parameter='default'): |