author Morgan Fainberg <morgan.fainberg@gmail.com> 2014-10-17 13:05:21 -0700
committer Morgan Fainberg <morgan.fainberg@gmail.com> 2014-10-17 13:05:25 -0700
commit 6f806bdc9b58206ecccf29f79df1257e737e9f5b
tree 65b8eec064040c93e10f00753c383d553ecc2203
parent a5520bc8d39338f4c28af91e2775058adbe1b670
parent fdbad9f530ea4478d96437b021c9b5cc6d338901
Merge remote-tracking branch 'origin/master' into feature/hierarchical-multitenancy
Change-Id: I7e27d042575609e4107764c1ff2e1048e5a14a02
-rw-r--r-- doc/source/cli_examples.rst 494
-rw-r--r-- doc/source/configuration.rst 165
-rw-r--r-- doc/source/configuringservices.rst 86
-rw-r--r-- doc/source/extensions/shibboleth.rst 4
-rw-r--r-- etc/keystone.conf.sample 29
-rw-r--r-- etc/policy.v3cloudsample.json 40
-rw-r--r-- keystone/auth/controllers.py 4
-rw-r--r-- keystone/auth/plugins/mapped.py 8
-rw-r--r-- keystone/catalog/backends/templated.py 9
-rw-r--r-- keystone/common/cache/_memcache_pool.py 47
-rw-r--r-- keystone/common/cache/backends/mongo.py 2
-rw-r--r-- keystone/common/cache/core.py 2
-rw-r--r-- keystone/common/config.py 27
-rw-r--r-- keystone/common/kvs/core.py 2
-rw-r--r-- keystone/common/manager.py 2
-rw-r--r-- keystone/common/sql/core.py 2
-rw-r--r-- keystone/common/sql/migrate_repo/versions/042_endpoint_enabled.py 3
-rw-r--r-- keystone/common/sql/migrate_repo/versions/044_service_enabled.py 3
-rw-r--r-- keystone/common/sql/migration_helpers.py 4
-rw-r--r-- keystone/common/utils.py 2
-rw-r--r-- keystone/common/wsgi.py 4
-rw-r--r-- keystone/config.py 1
-rw-r--r-- keystone/contrib/ec2/controllers.py 2
-rw-r--r-- keystone/contrib/federation/backends/sql.py 3
-rw-r--r-- keystone/contrib/federation/idp.py 2
-rw-r--r-- keystone/contrib/oauth1/backends/sql.py 2
-rw-r--r-- keystone/contrib/oauth1/controllers.py 2
-rw-r--r-- keystone/controllers.py 2
-rw-r--r-- keystone/credential/controllers.py 3
-rw-r--r-- keystone/identity/core.py 2
-rw-r--r-- keystone/middleware/core.py 2
-rw-r--r-- keystone/tests/core.py 2
-rw-r--r-- keystone/tests/fakeldap.py 23
-rw-r--r-- keystone/tests/ksfixtures/hacking.py 6
-rw-r--r-- keystone/tests/rest.py 2
-rw-r--r-- keystone/tests/test_backend_kvs.py 23
-rw-r--r-- keystone/tests/test_exception.py 2
-rw-r--r-- keystone/tests/test_keystoneclient.py 2
-rw-r--r-- keystone/tests/test_middleware.py 2
-rw-r--r-- keystone/tests/test_sql_migrate_extensions.py 36
-rw-r--r-- keystone/tests/test_v3.py 10
-rw-r--r-- keystone/tests/test_v3_federation.py 2
-rw-r--r-- keystone/tests/test_v3_filters.py 3
-rw-r--r-- keystone/tests/test_v3_oauth1.py 2
-rw-r--r-- keystone/tests/test_v3_protection.py 3
-rw-r--r-- keystone/tests/test_versions.py 2
-rw-r--r-- keystone/tests/test_wsgi.py 2
-rw-r--r-- keystone/token/backends/__init__.py 4
-rw-r--r-- keystone/token/controllers.py 2
-rw-r--r-- keystone/token/providers/common.py 2
-rw-r--r-- keystone/token/providers/pki.py 2
-rw-r--r-- keystone/token/providers/pkiz.py 2
-rw-r--r-- keystone/trust/backends/kvs.py 121
-rw-r--r-- openstack-common.conf 2
-rw-r--r-- requirements.txt 1
-rw-r--r-- test-requirements-py3.txt 2
-rw-r--r-- test-requirements.txt 2
57 files changed, 796 insertions, 426 deletions
diff --git a/doc/source/cli_examples.rst b/doc/source/cli_examples.rst
index b76f575c8..25c5c1566 100644
--- a/doc/source/cli_examples.rst
+++ b/doc/source/cli_examples.rst
@@ -18,15 +18,495 @@
Command Line Interface Examples
===============================
+The Keystone command line interface packaged in `python-keystoneclient`_ only
+supports the Identity v2.0 API. The OpenStack common command line interface
+packaged in `python-openstackclient`_ supports both v2.0 and v3 APIs.
+
+.. NOTE::
+
+ As of the Juno release, it is recommended to use ``python-openstackclient``,
+ as it suports both v2.0 and v3 APIs. For the purpose of backwards compatibility,
+ the CLI packaged in ``python-keystoneclient`` is not being removed.
+
+.. _`python-openstackclient`: http://docs.openstack.org/developer/python-openstackclient/
+.. _`python-keystoneclient`: http://docs.openstack.org/developer/python-keystoneclient/
+
+Using python-openstackclient (v3)
+=================================
+
+Note that if using ``python-openstackclient`` for v3 commands, the following
+environment variables must be updated:
+
+.. code-block:: bash
+
+ $ export OS_IDENTITY_API_VERSION=3 (Defaults to 2.0)
+ $ export OS_AUTH_URL=http://localhost:5000/v3
+
+Since Identity API v3 authentication is a bit more complex, there are additional
+options that may be set, either as command options or environment variables.
+The most common case will be a user supplying both user name and password, along
+with the project name; previously in v2.0 this would be sufficient, but since
+Identity API v3 has a ``Domain`` component, we need to tell the client in which
+domain the user and project exists.
+
+If using a project name as authorization scope, set either of these:
+
+ * ``--os-project-domain-name OS_PROJECT_DOMAIN_NAME`` Domain name of the project
+ which is the requested project-level authorization scope
+ * ``--os-project-domain-id OS_PROJECT_DOMAIN_ID`` Domain ID of the project which
+ is the requested project-level authorization scope
+
+Note, if using a project ID as authorization scope, then it is not required to
+set ``OS_PROJECT_DOMAIN_NAME`` or ``OS_PROJECT_DOMAIN_ID``, the project ID is
+sufficient.
+
+If using user name and password, set either of these:
+
+ * ``--os-user-domain-name OS_USER_DOMAIN_NAME`` Domain name of the user
+ * ``--os-user-domain-id OS_USER_DOMAIN_ID`` Domain ID of the user
+
+If using a domain as authorization scope, set either of these:
+
+ * ``--os-domain-name OS_DOMAIN_NAME``: Domain name of the requested domain-level
+ authorization scope
+ * ``--os-domain-id OS_DOMAIN_ID``: Domain ID of the requested domain-level
+ authorization scope
+
+In the examples below, the following are set:
+
+.. code-block:: bash
+
+ $ export OS_IDENTITY_API_VERSION=3
+ $ export OS_AUTH_URL=http://localhost:5000/v3
+ $ export OS_PROJECT_DOMAIN_ID=default
+ $ export OS_USER_DOMAIN_ID=default
+ $ export OS_USERNAME=admin
+ $ export OS_PASSWORD=openstack
+ $ export OS_PROJECT_NAME=admin
+
+--------
+Projects
+--------
+
+``project create``
+------------------
+
+positional arguments::
+
+ <project-name> New project name
+
+optional arguments::
+
+ --description <project-description> New project description
+ --domain <project-domain> Domain owning the project (name or ID)
+
+ --enable Enable project (default)
+ --disable Disable project
+
+example:
+
+.. code-block:: bash
+
+ $ openstack project create heat-project --domain heat
+
+Other commands
+--------------
+
+.. code-block:: bash
+
+ $ openstack project delete
+ $ openstack project list
+ $ openstack project set
+ $ openstack project show
+
+-----
+Users
+-----
+
+``user create``
+---------------
+
+positional arguments::
+
+ <user-name> New user name
+
+optional arguments::
+
+ --password <user-password> New user password
+ --password-prompt Prompt interactively for password
+ --email <user-email> New user email address
+ --project <project> Set default project (name or ID)
+ --domain <domain> New default domain name or ID
+ --enable Enable user (default)
+ --disable Disable user
+
+
+example:
+
+.. code-block:: bash
+
+ $ openstack user create heat-user \
+ --password secrete \
+ --domain heat \
+ --project demo \
+ --email admin@example.com
+
+Other commands
+--------------
+
+.. code-block:: bash
+
+ $ openstack user delete
+ $ openstack user list
+ $ openstack user set
+ $ openstack user show
+
+------
+Groups
+------
+
+``group create``
+----------------
+
+positional arguments::
+
+ <group-name> New group name
+
+optional arguments::
+
+ --description <group-description> New group description
+ --domain <group-domain> References the domain ID or name which owns the group
+
+example:
+
+.. code-block:: bash
+
+ $ openstack group create heat-group --domain heat
+
+Other commands
+--------------
+
+.. code-block:: bash
+
+ $ openstack group delete
+ $ openstack group list
+ $ openstack group set
+ $ openstack group show
+
-------
-Tenants
+Domains
-------
-Tenants are the high level grouping within Keystone that represent groups of
-users. A tenant is the grouping that owns virtual machines within Nova, or
-containers within Swift. A tenant can have zero or more users, Users can be
-associated with more than one tenant, and each tenant - user pairing can have
-a role associated with it.
+``domain create``
+-----------------
+
+positional arguments::
+
+ <domain-name> New domain name
+
+optional arguments::
+
+ --description <domain-description> New domain description
+ --enable Enable domain
+ --disable Disable domain
+
+
+example:
+
+.. code-block:: bash
+
+ $ openstack domain create heat --description "Heat domain for heat users"
+
+Other commands
+--------------
+
+.. code-block:: bash
+
+ $ openstack domain delete
+ $ openstack domain list
+ $ openstack domain set
+ $ openstack domain show
+
+Using python-openstackclient (v2.0)
+===================================
+
+--------
+Projects
+--------
+
+``project create``
+------------------
+
+positional arguments::
+
+ <project-name> New project name
+
+optional arguments::
+
+ --description <project-description> New project description
+ --enable Enable project (default)
+ --disable Disable project
+
+example:
+
+.. code-block:: bash
+
+ $ openstack project create demo
+
+
+``project delete``
+------------------
+
+positional arguments::
+
+ <project> Project to delete (name or ID)
+
+example:
+
+.. code-block:: bash
+
+ $ openstack project delete demo
+
+-----
+Users
+-----
+
+``user create``
+---------------
+
+positional arguments::
+
+ <user-name> New user name
+
+optional arguments::
+
+ --password <user-password> New user password
+ --password-prompt Prompt interactively for password
+ --email <user-email> New user email address
+ --project <project> Set default project (name or ID)
+ --enable Enable user (default)
+ --disable Disable user
+
+
+example:
+
+.. code-block:: bash
+
+ $ openstack user create heat-user \
+ --password secrete \
+ --project demo \
+ --email admin@example.com
+
+``user delete``
+---------------
+
+positional arguments::
+
+ <user> User to delete (name or ID)
+
+example:
+
+.. code-block:: bash
+
+ $ openstack user delete heat-user
+
+``user list``
+-------------
+
+optional arguments::
+
+ --project <project> Filter users by project (name or ID)
+ --long List additional fields in output
+
+example:
+
+.. code-block:: bash
+
+ $ openstack user list
+
+``user set``
+------------
+
+positional arguments::
+
+ <user> User to change (name or ID)
+
+optional arguments::
+
+ --name <new-user-name> New user name
+ --password <user-password> New user password
+ --password-prompt Prompt interactively for password
+ --email <user-email> New user email address
+ --project <project> New default project (name or ID)
+ --enable Enable user (default)
+ --disable Disable user
+
+
+example:
+
+.. code-block:: bash
+
+ $ openstack user set heat-user --email newemail@example.com
+
+-----
+Roles
+-----
+
+``role create``
+---------------
+
+positional arguments::
+
+ <role-name> New role name
+
+example:
+
+.. code-block:: bash
+
+ $ openstack role create demo
+
+``role delete``
+---------------
+
+positional arguments::
+
+ <role> Name or ID of role to delete
+
+example:
+
+.. code-block:: bash
+
+ $ openstack role delete demo
+
+``role list``
+-------------
+
+example:
+
+.. code-block:: bash
+
+ $ openstack role list
+
+``role show``
+-------------
+
+positional arguments::
+
+ <role> Name or ID of role to display
+
+example:
+
+.. code-block:: bash
+
+ $ openstack role show demo
+
+
+``role add``
+------------
+
+positional arguments::
+
+ <role> Role name or ID to add to user
+
+optional arguments::
+
+ --project <project> Include project (name or ID)
+ --user <user> Name or ID of user to include
+
+
+example:
+
+.. code-block:: bash
+
+ $ openstack user role add demo --user heat-user --project heat
+
+``role remove``
+---------------
+
+positional arguments::
+
+ <role> Role name or ID to remove from user
+
+optional arguments::
+
+ --project <project> Project to include (name or ID)
+ --user <user> Name or ID of user
+
+
+example:
+
+.. code-block:: bash
+
+ $ openstack user role remove demo --user heat-user --project heat
+
+--------
+Services
+--------
+
+``service create``
+------------------
+
+positional arguments::
+
+ <service-name> New service name
+
+optional arguments::
+
+ --type <service-type> New service type (compute, image, identity, volume, etc)
+ --description <service-description> New service description
+
+example:
+
+.. code-block:: bash
+
+ $ openstack service create nova --type compute --description "Nova Compute Service"
+
+``service list``
+----------------
+
+optional arguments::
+
+ --long List additional fields in output
+
+example:
+
+.. code-block:: bash
+
+ $ openstack service list
+
+``service show``
+----------------
+
+positional arguments::
+
+ <service> Service to display (type, name or ID)
+
+example:
+
+.. code-block:: bash
+
+ $ openstack service show nova
+
+``service delete``
+------------------
+
+positional arguments::
+
+ <service> Service to delete (name or ID)
+
+example:
+
+.. code-block:: bash
+
+ $ openstack service delete nova
+
+
+Using python-keystoneclient (v2.0)
+==================================
+
+-------
+Tenants
+-------
``tenant-create``
-----------------
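Review bot: The first bash block under "Using python-openstackclient (v3)" contains `$ export OS_IDENTITY_API_VERSION=3 (Defaults to 2.0)`, and the trailing parenthetical is a shell syntax error if the line is pasted; move it into the prose or turn it into a `#` comment. In the NOTE above it, "suports" should be "supports". The ``role add`` and ``role remove`` sections are titled as `role` subcommands, but their examples run `openstack user role add` and `openstack user role remove`, so heading and example should agree. Both `user create` examples pass `--password secrete` on the command line although `--password-prompt` is listed in the same option table; using the prompt in the example keeps the password out of shell history.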
@@ -112,7 +592,7 @@ example:
$ keystone user-list
``user-update``
----------------
+---------------------
arguments
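Review bot: The underline added under ``user-update`` is longer than the one it replaces, while the title line itself is unchanged context. Other headings visible in this file, such as ``tenant-create`` just above, use an underline the same length as the title, so keep the original length here unless there is a reason for the change that the commit does not state.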
diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst
index b41337a5e..bd2c914d5 100644
--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@@ -315,28 +315,27 @@ configuration option.
The drivers Keystone provides are:
+* ``keystone.token.persistence.backends.memcache_pool.Token`` - The pooled memcached
+ token persistence engine. This backend supports the concept of pooled memcache
+ client object (allowing for the re-use of the client objects). This backend has
+ a number of extra tunable options in the ``[memcache]`` section of the config.
+
* ``keystone.token.persistence.backends.sql.Token`` - The SQL-based (default)
- token persistence engine. This backend stores all token data in the same SQL
- store that is used for Identity/Assignment/etc.
+ token persistence engine.
* ``keystone.token.persistence.backends.memcache.Token`` - The memcached based
token persistence backend. This backend relies on ``dogpile.cache`` and stores
- the token data in a set of memcached servers. The servers urls are specified
+ the token data in a set of memcached servers. The servers URLs are specified
in the ``[memcache]\servers`` configuration option in the Keystone config.
-* ``keystone.token.persistence.backends.memcache_pool.Token`` - The pooled memcached
- token persistence engine. This backend supports the concept of pooled memcache
- client object (allowing for the re-use of the client objects). This backend has
- a number of extra tunable options in the ``[memcache]`` section of the config.
-
.. WARNING::
It is recommended you use the ``keystone.token.persistence.backend.memcache_pool.Token``
backend instead of ``keystone.token.persistence.backend.memcache.Token`` as the token
persistence driver if you are deploying Keystone under eventlet instead of
- Apache + mod_wsgi. This recommendation are due to known issues with the use of
- ``thread.local`` under eventlet that can allow the leaking of memcache client objects
- and consumption of extra sockets.
+ Apache + mod_wsgi. This recommendation is due to known issues with the
+ use of ``thread.local`` under eventlet that can allow the leaking of
+ memcache client objects and consumption of extra sockets.
Token Provider
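Review bot: In the WARNING block the driver paths read `keystone.token.persistence.backend.memcache_pool.Token` and `keystone.token.persistence.backend.memcache.Token` (singular `backend`), while the driver list in this same hunk uses `keystone.token.persistence.backends.` for all three entries. The paragraph is being rewrapped anyway, so make the paths agree so that a value copied from the warning matches the list. The SQL entry also loses its sentence about storing token data in the same SQL store as Identity/Assignment, which leaves it the only driver without a description; consider keeping one line of description.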
@@ -650,9 +649,9 @@ To build your service catalog using this driver, see the built-in help:
.. code-block:: bash
- $ keystone
- $ keystone help service-create
- $ keystone help endpoint-create
+ $ openstack --help
+ $ openstack help service create
+ $ openstack help endpoint create
You can also refer to `an example in Keystone (tools/sample_data.sh)
<https://github.com/openstack/keystone/blob/master/tools/sample_data.sh>`_.
@@ -666,8 +665,7 @@ service catalog will not change very much over time.
.. NOTE::
- Attempting to manage your service catalog using keystoneclient commands
- (e.g. ``keystone endpoint-create``) against this driver will result in
+ Attempting to change your service catalog against this driver will result in
``HTTP 501 Not Implemented`` errors. This is the expected behavior. If you
want to use these commands, you must instead use the SQL-based Service
Catalog driver.
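Review bot: With the `keystone endpoint-create` example removed from the first sentence of the NOTE, the later sentence "If you want to use these commands" no longer has any commands to refer to. Reword that sentence so it stands on its own, or keep an example command in the first sentence, such as the `endpoint create` command referenced in the hunk above.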
@@ -1014,12 +1012,12 @@ Ensure that your ``keystone.conf`` is configured to use a SQL driver:
[identity]
driver = keystone.identity.backends.sql.Identity
-You may also want to configure your ``[sql]`` settings to better reflect your
+You may also want to configure your ``[database]`` settings to better reflect your
environment:
.. code-block:: ini
- [sql]
+ [database]
connection = sqlite:///keystone.db
idle_timeout = 200
@@ -1038,23 +1036,19 @@ You should now be ready to initialize your new database without error, using:
$ keystone-manage db_sync
To test this, you should now be able to start ``keystone-all`` and use the
-Keystone Client to list your tenants (which should successfully return an
+OpenStack Client to list your projects (which should successfully return an
empty list from your new database):
.. code-block:: bash
- $ keystone --os-token ADMIN --os-endpoint http://127.0.0.1:35357/v2.0/ tenant-list
- +----+------+---------+
- | id | name | enabled |
- +----+------+---------+
- +----+------+---------+
+ $ openstack --os-token ADMIN --os-url http://127.0.0.1:35357/v2.0/ project list
.. NOTE::
- We're providing the default OS_SERVICE_TOKEN and OS_SERVICE_ENDPOINT values
- from ``keystone.conf`` to connect to the Keystone service. If you changed
- those values, or deployed Keystone to a different endpoint, you will need
- to change the provided command accordingly.
+ We're providing the default OS_TOKEN and OS_URL values from ``keystone.conf``
+ to connect to the Keystone service. If you changed those values, or deployed
+ Keystone to a different endpoint, you will need to change the provided
+ command accordingly.
Initializing Keystone
=====================
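Review bot: The rewritten NOTE says the `OS_TOKEN` and `OS_URL` values come "from ``keystone.conf``", but those are client-side variable names; the server-side option this document refers to elsewhere is ``[DEFAULT] admin_token``, so name that option here. The expected-output table was also dropped from the example while the sentence above still promises "an empty list"; either show what the new client prints for an empty result or say in the text what to expect.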
@@ -1079,12 +1073,29 @@ prevents unauthorized users from spuriously signing tokens.
be running the Keystone service to ensure proper ownership for the private key
file and the associated certificates.
-Adding Users, Tenants, and Roles with python-keystoneclient
-===========================================================
+Adding Users, Projects, and Roles via Command Line Interfaces
+=============================================================
-Users, tenants, and roles must be administered using admin credentials.
-There are two ways to configure ``python-keystoneclient`` to use admin
-credentials, using the either an existing token or password credentials.
+Keystone APIs are protected by the rules in the policy file. The default policy
+rules require admin credentials to administer ``users``, ``projects``, and
+``roles``. See section `Keystone API protection with Role Based Access Control (RBAC)`_
+for more details on policy files.
+
+The Keystone command line interface packaged in `python-keystoneclient`_ only
+supports the Identity v2.0 API. The OpenStack common command line interface
+packaged in `python-openstackclient`_ supports both v2.0 and v3 APIs.
+
+With both command line interfaces there are two ways to configure the client to
+use admin credentials, using either an existing token or password credentials.
+
+.. NOTE::
+
+ As of the Juno release, it is recommended to use ``python-openstackclient``,
+ as it supports both v2.0 and v3 APIs. For the purpose of backwards compatibility,
+ the CLI packaged in ``python-keystoneclient`` is not being removed.
+
+.. _`python-openstackclient`: http://docs.openstack.org/developer/python-openstackclient/
+.. _`python-keystoneclient`: http://docs.openstack.org/developer/python-keystoneclient/
Authenticating with a Token
---------------------------
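Review bot: The paragraph on the two command line interfaces, the Juno NOTE and both link targets added here duplicate the text this patch adds at the top of doc/source/cli_examples.rst, and the two copies already differ ("supports" here, "suports" there). Keep a single copy and link to it, or share it through an include, so the copies do not drift further.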
@@ -1094,11 +1105,11 @@ Authenticating with a Token
If your Keystone deployment is brand new, you will need to use this
authentication method, along with your ``[DEFAULT] admin_token``.
-To use Keystone with a token, set the following flags:
+To authenticate with Keystone using a token and ``python-openstackclient``, set
+the following flags.
-* ``--os-endpoint OS_SERVICE_ENDPOINT``: allows you to specify the Keystone endpoint
- to communicate with. The default endpoint is ``http://localhost:35357/v2.0``
-* ``--os-token OS_SERVICE_TOKEN``: your service token
+* ``--os-url OS_URL``: Keystone endpoint the user communicates with
+* ``--os-token OS_TOKEN``: User's service token
To administer a Keystone endpoint, your token should be either belong to a user
with the ``admin`` role, or, if you haven't created one yet, should be equal to
@@ -1109,20 +1120,27 @@ to be passed as arguments each time:
.. code-block:: bash
- $ export OS_SERVICE_ENDPOINT=http://localhost:35357/v2.0
- $ export OS_SERVICE_TOKEN=ADMIN
+ $ export OS_URL=http://localhost:35357/v2.0
+ $ export OS_TOKEN=ADMIN
+
+Instead of ``python-openstackclient``, if using ``python-keystoneclient``,
+set the following:
+
+* ``--os-endpoint OS_SERVICE_ENDPOINT``: equivalent to ``--os-url OS_URL``
+* ``--os-service-token OS_SERVICE_TOKEN``: equivalent to ``--os-token OS_TOKEN``
+
Authenticating with a Password
------------------------------
-To administer a Keystone endpoint, the following user referenced below should
+To authenticate with Keystone using a password and ``python-openstackclient``, set
+the following flags, note that the following user referenced below should
be granted the ``admin`` role.
-* ``--os_username OS_USERNAME``: Name of your user
-* ``--os_password OS_PASSWORD``: Password for your user
-* ``--os_tenant_name OS_TENANT_NAME``: Name of your tenant
-* ``--os_auth_url OS_AUTH_URL``: URL of your Keystone auth server, e.g.
- ``http://localhost:35357/v2.0``
+* ``--os-username OS_USERNAME``: Name of your user
+* ``--os-password OS_PASSWORD``: Password for your user
+* ``--os-project-name OS_PROJECT_NAME``: Name of your project
+* ``--os-auth-url OS_AUTH_URL``: URL of the Keystone authentication server
You can also set these variables in your environment so that they do not need
to be passed as arguments each time:
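Review bot: The python-keystoneclient equivalent is given as `--os-service-token OS_SERVICE_TOKEN`, but the line removed in the previous hunk documented the same client's flag as `--os-token OS_SERVICE_TOKEN`; confirm which spelling the client accepts and use it consistently. In the password section, "set the following flags, note that the following user referenced below" is a run-on with "following" and "below" doubled, and `--os-auth-url` loses its example URL in the flag list.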
@@ -1131,42 +1149,55 @@ to be passed as arguments each time:
$ export OS_USERNAME=my_username
$ export OS_PASSWORD=my_password
- $ export OS_TENANT_NAME=my_tenant
+ $ export OS_PROJECT_NAME=my_project
+ $ export OS_AUTH_URL=http://localhost:35357/v2.0
+
+If using ``python-keystoneclient``, set the following instead:
+
+* ``--os-tenant-name OS_TENANT_NAME``: equivalent to ``--os-project-name OS_PROJECT_NAME``
+
Example usage
-------------
-``keystone`` is set up to expect commands in the general form of
-``keystone`` ``command`` ``argument``, followed by flag-like keyword arguments to
-provide additional (often optional) information. For example, the command
-``user-list`` and ``tenant-create`` can be invoked as follows:
+``python-openstackclient`` is set up to expect commands in the general form of:
+
+.. code-block:: bash
+
+ $ openstack [<global-options>] <object-1> <action> [<object-2>] [<command-arguments>]
+
+For example, the commands ``user list`` and ``project create`` can be invoked
+as follows:
.. code-block:: bash
- # Using token auth env variables
- $ export OS_SERVICE_ENDPOINT=http://127.0.0.1:35357/v2.0/
- $ export OS_SERVICE_TOKEN=secrete_token
- $ keystone user-list
- $ keystone tenant-create --name=demo
+ # Using token authentication, with environment variables
+ $ export OS_URL=http://127.0.0.1:35357/v2.0/
+ $ export OS_TOKEN=secrete_token
+ $ openstack user list
+ $ openstack project create demo
- # Using token auth flags
- $ keystone --os-token=secrete --os-endpoint=http://127.0.0.1:35357/v2.0/ user-list
- $ keystone --os-token=secrete --os-endpoint=http://127.0.0.1:35357/v2.0/ tenant-create --name=demo
+ # Using token authentication, with flags
+ $ openstack --os-token=secrete --os-url=http://127.0.0.1:35357/v2.0/ user list
+ $ openstack --os-token=secrete --os-url=http://127.0.0.1:35357/v2.0/ project create demo
- # Using user + password + tenant_name env variables
+ # Using password authentication, with environment variables
$ export OS_USERNAME=admin
$ export OS_PASSWORD=secrete
- $ export OS_TENANT_NAME=admin
- $ keystone user-list
- $ keystone tenant-create --name=demo
+ $ export OS_PROJECT_NAME=admin
+ $ export OS_AUTH_URL=http://localhost:35357/v2.0
+ $ openstack user list
+ $ openstack project create demo
- # Using user + password + tenant_name flags
- $ keystone --os_username=admin --os_password=secrete --os_tenant_name=admin user-list
- $ keystone --os_username=admin --os_password=secrete --os_tenant_name=admin tenant-create --name=demo
+ # Using password authentication, with flags
+ $ openstack --os-username=admin --os-password=secrete --os-project-name=admin --os-auth-url=http://localhost:35357/v2.0 user list
+ $ openstack --os-username=admin --os-password=secrete --os-project-name=admin --os-auth-url=http://localhost:35357/v2.0 project create demo
-For additional examples refer to `CLI Examples`_.
+For additional examples using ``python-keystoneclient`` refer to `python-keystoneclient examples`_,
+likewise, for additional examples using ``python-openstackclient``, refer to `python-openstackclient examples`_.
-.. _`CLI Examples`: cli_examples.html
+.. _`python-keystoneclient examples`: cli_examples.html#using-python-keystoneclient-v2-0
+.. _`python-openstackclient examples`: cli_examples.html#using-python-openstackclient-v3
Removing Expired Tokens
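Review bot: In the "Example usage" block the environment-variable form exports `OS_TOKEN=secrete_token` while the flag form passes `--os-token=secrete`, so the two forms presented as equivalent use different token values; pick one value for both. The new link targets hard-code `cli_examples.html#using-python-keystoneclient-v2-0` and `cli_examples.html#using-python-openstackclient-v3`, which will break without warning if either heading is renamed; an explicit label referenced with `:ref:` would be checked when the docs are built. The closing sentence joins two sentences with ", likewise,"; split it in two.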
diff --git a/doc/source/configuringservices.rst b/doc/source/configuringservices.rst
index 7509af148..d14d05823 100644
--- a/doc/source/configuringservices.rst
+++ b/doc/source/configuringservices.rst
@@ -32,7 +32,7 @@ In general:
* The Keystone middleware will look for and validate that token, taking the
appropriate action.
* It will also retrieve additional information from the token such as user
- name, id, tenant name, id, roles, etc...
+ name, user id, project name, project id, roles, etc...
The middleware will pass those data down to the service as headers. More
details on the architecture of that setup is described in
@@ -57,10 +57,10 @@ represent a user, and carries no explicit authorization.
To disable in production (highly recommended), remove AdminTokenAuthMiddleware
from your paste application pipelines (for example, in keystone-paste.ini)
-Setting up tenants, users, and roles
-------------------------------------
+Setting up projects, users, and roles
+-------------------------------------
-You need to minimally define a tenant, user, and role to link the tenant and
+You need to minimally define a project, user, and role to link the project and
user as the most basic set of details to get other services authenticating
and authorizing with Keystone.
@@ -69,7 +69,7 @@ be able to use to authenticate users against Keystone. The ``auth_token``
middleware supports using either the shared secret described above as
`admin_token` or users for each service.
-See :doc:`configuration` for a walk through on how to create tenants, users,
+See :doc:`configuration` for a walk through on how to create projects, users,
and roles.
Setting up services
@@ -79,53 +79,44 @@ Creating Service Users
----------------------
To configure the OpenStack services with service users, we need to create
-a tenant for all the services, and then users for each of the services. We
-then assign those service users an Admin role on the service tenant. This
-allows them to validate tokens - and authenticate and authorize other user
+a project for all the services, and then users for each of the services. We
+then assign those service users an ``admin`` role on the service project. This
+allows them to validate tokens - and to authenticate and authorize other user
requests.
-Create a tenant for the services, typically named 'service' (however, the
+Create a project for the services, typically named ``service`` (however, the
name can be whatever you choose):
.. code-block:: bash
- $ keystone tenant-create --name=service
+ $ openstack project create service
-This returns a UUID of the tenant - keep that, you'll need it when creating
-the users and specifying the roles.
-
-Create service users for nova, glance, swift, and neutron (or whatever
-subset is relevant to your deployment):
+Create service users for ``nova``, ``glance``, ``swift``, and ``neutron``
+(or whatever subset is relevant to your deployment):
.. code-block:: bash
- $ keystone user-create --name=nova \
- --pass=Sekr3tPass \
- --tenant_id=[the uuid of the tenant] \
- --email=nova@nothing.com
+ $ openstack user create nova --password Sekr3tPass --project service
-Repeat this for each service you want to enable. Email is a required field
-in Keystone right now, but not used in relation to the service accounts. Each
-of these commands will also return a UUID of the user. Keep those to assign
-the Admin role.
+Repeat this for each service you want to enable.
-For adding the Admin role to the service accounts, you'll need to know the UUID
-of the role you want to add. If you don't have them handy, you can look it
+Create an administrative role for the service accounts, typically named
+``admin`` (however the name can be whatever you choose). For adding the
+administrative role to the service accounts, you'll need to know the
+name of the role you want to add. If you don't have it handy, you can look it
up quickly with:
.. code-block:: bash
- $ keystone role-list
+ $ openstack role list
-Once you have it, assign the service users to the Admin role. This is all
-assuming that you've already created the basic roles and settings as described
-in :doc:`configuration`:
+Once you have it, grant the administrative role to the service users. This is
+all assuming that you've already created the basic roles and settings as
+described in :doc:`configuration`:
.. code-block:: bash
- $ keystone user-role-add --tenant_id=[uuid of the service tenant] \
- --user=[uuid of the service account] \
- --role=[uuid of the Admin role]
+ $ openstack role add admin --project service --user nova
Defining Services
-----------------
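Review bot: The grant example here is `openstack role add admin --project service --user nova`, while the ``role add`` example added to doc/source/cli_examples.rst in this same patch is `openstack user role add demo --user heat-user --project heat`; the two documents should use the same command form or state which API version each applies to. The new text also says "Create an administrative role for the service accounts" but only shows `openstack role list`, with no role creation command. The `user create` example passes `--password Sekr3tPass` on the command line for a service account; `--password-prompt`, documented elsewhere in this patch, avoids leaving the password in shell history.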
@@ -147,21 +138,16 @@ Keystone is online, you need to add the services to the catalog:
.. code-block:: bash
- $ keystone service-create --name=nova \
- --type=compute \
- --description="Nova Compute Service"
- $ keystone service-create --name=ec2 \
- --type=ec2 \
- --description="EC2 Compatibility Layer"
- $ keystone service-create --name=glance \
- --type=image \
- --description="Glance Image Service"
- $ keystone service-create --name=keystone \
- --type=identity \
- --description="Keystone Identity Service"
- $ keystone service-create --name=swift \
- --type=object-store \
- --description="Swift Service"
+ $ openstack service create nova --type compute \
+ --description "Nova Compute Service"
+ $ openstack service create ec2 --type ec2 \
+ --description "EC2 Compatibility Layer"
+ $ openstack service create glance --type image \
+ --description "Glance Image Service"
+ $ openstack service create keystone --type identity \
+ --description "Keystone Identity Service"
+ $ openstack service create swift --type object-store \
+ --description "Swift Service"
Setting Up Middleware
@@ -209,9 +195,9 @@ Here is an example paste config filter that makes use of the 'admin_user' and
admin_user = admin
admin_password = keystone123
-It should be noted that when using this option an admin tenant/role
-relationship is required. The admin user is granted access to the 'Admin'
-role to the 'admin' tenant.
+It should be noted that when using this option an admin project/role
+relationship is required. The admin user is granted access to the 'admin'
+role to the 'admin' project.
The auth_token middleware can also be configured in nova.conf
[keystone_authtoken] section to keep paste config clean of site-specific
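Review bot: the added sentence "The admin user is granted access to the 'admin' role to the 'admin' project" carries over the awkward wording of the line it replaces and reads as if a role were granted to a project. Suggest "The admin user is granted the 'admin' role on the 'admin' project", which also matches how the `openstack role add ... --project ... --user ...` example earlier in this file expresses the same relationship.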
diff --git a/doc/source/extensions/shibboleth.rst b/doc/source/extensions/shibboleth.rst
index 1f3a80139..97999d258 100644
--- a/doc/source/extensions/shibboleth.rst
+++ b/doc/source/extensions/shibboleth.rst
@@ -45,7 +45,9 @@ file. You are advised to examine `Shibboleth Service Provider Configuration docu
An example of your ``/etc/shibboleth/shibboleth2.xml`` may look like
(The example shown below is for reference only, not to be used in a production
-environment)::
+environment):
+
+.. code-block:: xml
<!--
File configuration courtesy of http://testshib.org
diff --git a/etc/keystone.conf.sample b/etc/keystone.conf.sample
index 9712f5d3f..fd3cebd1d 100644
--- a/etc/keystone.conf.sample
+++ b/etc/keystone.conf.sample
@@ -81,17 +81,16 @@
# token values. (integer value)
#max_token_size=8192
-# During a SQL upgrade member_role_id will be used to create a
-# new role that will replace records in the assignment table
-# with explicit role grants. After migration, the
-# member_role_id will be used in the API add_user_to_project.
-# (string value)
+# Similar to the member_role_name option, this represents the
+# default role ID used to associate users with their default
+# projects in the v2 API. This will be used as the explicit
+# role where one is not specified by the v2 API. (string
+# value)
#member_role_id=9fe2ff9ee4384b1894a90878d3e92bab
-# During a SQL upgrade member_role_name will be used to create
-# a new role that will replace records in the assignment table
-# with explicit role grants. After migration, member_role_name
-# will be ignored. (string value)
+# This is the role name used in combination with the
+# member_role_id option; see that option for more detail.
+# (string value)
#member_role_name=_member_
# The value passed as the keyword "rounds" to passlib's
@@ -536,27 +535,27 @@
# Memcache servers in the format of "host:port".
# (dogpile.cache.memcache and keystone.cache.memcache_pool
-# backends only) (list value)
+# backends only). (list value)
#memcache_servers=localhost:11211
# Number of seconds memcached server is considered dead before
# it is tried again. (dogpile.cache.memcache and
-# keystone.cache.memcache_pool backends only) (integer value)
+# keystone.cache.memcache_pool backends only). (integer value)
#memcache_dead_retry=300
# Timeout in seconds for every call to a server.
# (dogpile.cache.memcache and keystone.cache.memcache_pool
-# backends only) (integer value)
+# backends only). (integer value)
#memcache_socket_timeout=3
# Max total number of open connections to every memcached
-# server. (keystone.cache.memcache_pool backend only) (integer
-# value)
+# server. (keystone.cache.memcache_pool backend only).
+# (integer value)
#memcache_pool_maxsize=10
# Number of seconds a connection to memcached is held unused
# in the pool before it is closed.
-# (keystone.cache.memcache_pool backend only) (integer value)
+# (keystone.cache.memcache_pool backend only). (integer value)
#memcache_pool_unused_timeout=60
# Number of seconds that an operation will wait to get a
diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json
index f7463589e..ced0c96ff 100644
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@@ -12,9 +12,9 @@
"identity:get_region": "",
"identity:list_regions": "",
- "identity:create_region": "rule:admin_or_cloud_admin",
- "identity:update_region": "rule:admin_or_cloud_admin",
- "identity:delete_region": "rule:admin_or_cloud_admin",
+ "identity:create_region": "rule:cloud_admin",
+ "identity:update_region": "rule:cloud_admin",
+ "identity:delete_region": "rule:cloud_admin",
"identity:get_service": "rule:admin_or_cloud_admin",
"identity:list_services": "rule:admin_or_cloud_admin",
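Review bot: in the region block, create/update/delete now require `rule:cloud_admin`, but `identity:get_service` and `identity:list_services` on the following lines still use `rule:admin_or_cloud_admin`, so the sample mixes both rules for catalog-level resources. If the split is intended, say so in the commit message or a release note: callers who matched only the admin half of `admin_or_cloud_admin` lose region write access once an operator picks up this sample.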
@@ -143,23 +143,23 @@
"identity:add_endpoint_group_to_project": "rule:admin_required",
"identity:remove_endpoint_group_from_project": "rule:admin_required",
- "identity:create_identity_provider": "rule:admin_required",
- "identity:list_identity_providers": "rule:admin_required",
- "identity:get_identity_providers": "rule:admin_required",
- "identity:update_identity_provider": "rule:admin_required",
- "identity:delete_identity_provider": "rule:admin_required",
-
- "identity:create_protocol": "rule:admin_required",
- "identity:update_protocol": "rule:admin_required",
- "identity:get_protocol": "rule:admin_required",
- "identity:list_protocols": "rule:admin_required",
- "identity:delete_protocol": "rule:admin_required",
-
- "identity:create_mapping": "rule:admin_required",
- "identity:get_mapping": "rule:admin_required",
- "identity:list_mappings": "rule:admin_required",
- "identity:delete_mapping": "rule:admin_required",
- "identity:update_mapping": "rule:admin_required",
+ "identity:create_identity_provider": "rule:cloud_admin",
+ "identity:list_identity_providers": "rule:cloud_admin",
+ "identity:get_identity_providers": "rule:cloud_admin",
+ "identity:update_identity_provider": "rule:cloud_admin",
+ "identity:delete_identity_provider": "rule:cloud_admin",
+
+ "identity:create_protocol": "rule:cloud_admin",
+ "identity:update_protocol": "rule:cloud_admin",
+ "identity:get_protocol": "rule:cloud_admin",
+ "identity:list_protocols": "rule:cloud_admin",
+ "identity:delete_protocol": "rule:cloud_admin",
+
+ "identity:create_mapping": "rule:cloud_admin",
+ "identity:get_mapping": "rule:cloud_admin",
+ "identity:list_mappings": "rule:cloud_admin",
+ "identity:delete_mapping": "rule:cloud_admin",
+ "identity:update_mapping": "rule:cloud_admin",
"identity:get_auth_catalog": "",
"identity:get_auth_projects": "",
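Review bot: `identity:get_identity_providers` (plural) in the identity provider block does not follow the singular naming of its siblings (`create_identity_provider`, `update_identity_provider`, `delete_identity_provider`) or of `get_protocol` and `get_mapping`. Please confirm the key matches the action name the federation controller enforces. A policy key that matches no enforced action is never consulted, so the move to `rule:cloud_admin` would not cover that call and it would fall through to whatever the default rule allows.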
diff --git a/keystone/auth/controllers.py b/keystone/auth/controllers.py
index 21e4c9bbd..3943c1f6a 100644
--- a/keystone/auth/controllers.py
+++ b/keystone/auth/controllers.py
@@ -15,6 +15,8 @@
import sys
from keystoneclient.common import cms
+from oslo.serialization import jsonutils
+from oslo.utils import importutils
from oslo.utils import timeutils
import six
@@ -27,8 +29,6 @@ from keystone import config
from keystone.contrib import federation
from keystone import exception
from keystone.i18n import _, _LI
-from keystone.openstack.common import importutils
-from keystone.openstack.common import jsonutils
from keystone.openstack.common import log
diff --git a/keystone/auth/plugins/mapped.py b/keystone/auth/plugins/mapped.py
index 80aa664df..91cd2d068 100644
--- a/keystone/auth/plugins/mapped.py
+++ b/keystone/auth/plugins/mapped.py
@@ -12,6 +12,7 @@
import functools
+from oslo.serialization import jsonutils
from pycadf import cadftaxonomy as taxonomy
from six.moves.urllib import parse
@@ -21,7 +22,6 @@ from keystone.contrib import federation
from keystone.contrib.federation import utils
from keystone.models import token_model
from keystone import notifications
-from keystone.openstack.common import jsonutils
@dependency.requires('federation_api', 'identity_api', 'token_provider_api')
@@ -58,7 +58,7 @@ class Mapped(auth.AuthMethodHandler):
token_audit_id = token_ref.audit_id
identity_provider = token_ref.federation_idp_id
protocol = token_ref.federation_protocol_id
- user_id = token_ref['user']['id']
+ user_id = token_ref.user_id
group_ids = token_ref.federation_group_ids
send_notification = functools.partial(
notifications.send_saml_audit_notification, 'authenticate',
@@ -92,8 +92,8 @@ class Mapped(auth.AuthMethodHandler):
identity_provider = auth_payload['identity_provider']
protocol = auth_payload['protocol']
group_ids = None
- # NOTE(topol): Since the user is coming in from an IdP with a SAML doc
- # instead of from a token we set token_id to None
+ # NOTE(topol): The user is coming in from an IdP with a SAML assertion
+ # instead of from a token, so we set token_id to None
token_id = None
try:
diff --git a/keystone/catalog/backends/templated.py b/keystone/catalog/backends/templated.py
index 1794414b6..68c1c0f86 100644
--- a/keystone/catalog/backends/templated.py
+++ b/keystone/catalog/backends/templated.py
@@ -22,7 +22,6 @@ from keystone import config
from keystone import exception
from keystone.i18n import _LC
from keystone.openstack.common import log
-from keystone.openstack.common import versionutils
LOG = log.getLogger(__name__)
@@ -123,11 +122,3 @@ class Catalog(kvs.Catalog):
catalog[region][service] = service_data
return catalog
-
-
-@versionutils.deprecated(
- versionutils.deprecated.ICEHOUSE,
- in_favor_of='keystone.catalog.backends.templated.Catalog',
- remove_in=+2)
-class TemplatedCatalog(Catalog):
- pass
diff --git a/keystone/common/cache/_memcache_pool.py b/keystone/common/cache/_memcache_pool.py
index 70b86b684..5b6422a33 100644
--- a/keystone/common/cache/_memcache_pool.py
+++ b/keystone/common/cache/_memcache_pool.py
@@ -35,11 +35,6 @@ from keystone.openstack.common import log
LOG = log.getLogger(__name__)
-# NOTE(morganfainberg): This is used as the maximum number of seconds a get
-# of a new connection will wait for before raising an exception indicating
-# a serious / most likely non-recoverable delay has occurred.
-CONNECTION_GET_TIMEOUT = 120
-
# This 'class' is taken from http://stackoverflow.com/a/22520633/238308
# Don't inherit client from threading.local so that we can reuse clients in
# different threads
@@ -78,9 +73,25 @@ class ConnectionPool(queue.Queue):
self._acquired = 0
def _create_connection(self):
+ """Returns a connection instance.
+
+ This is called when the pool needs another instance created.
+
+ :returns: a new connection instance
+
+ """
raise NotImplementedError
def _destroy_connection(self, conn):
+ """Destroy and cleanup a connection instance.
+
+ This is called when the pool wishes to get rid of an existing
+ connection. This is the opportunity for a subclass to free up
+ resources and cleaup after itself.
+
+ :param conn: the connection object to destroy
+
+ """
raise NotImplementedError
def _debug_logger(self, msg, *args, **kwargs):
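Review bot: typo in the new `_destroy_connection` docstring, "free up resources and cleaup after itself" should read "clean up after itself". Also, the `_create_connection` docstring opens with "Returns a connection instance" while the one below it uses the imperative "Destroy and cleanup"; pick one mood for both.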
@@ -110,6 +121,9 @@ class ConnectionPool(queue.Queue):
def _qsize(self):
return self.maxsize - self._acquired
+ # NOTE(dstanek): stdlib and eventlet Queue implementations
+ # have different names for the qsize method. This ensures
+ # that we override both of them.
if not hasattr(queue.Queue, '_qsize'):
qsize = _qsize
@@ -121,18 +135,24 @@ class ConnectionPool(queue.Queue):
self._acquired += 1
return conn
+ def _drop_expired_connections(self, conn):
+ """Drop all expired connections from the right end of the queue.
+
+ :param conn: connection object
+ """
+ now = time.time()
+ while self.queue and self.queue[0].ttl < now:
+ conn = self.queue.popleft().connection
+ self._debug_logger('Reaping connection %s', id(conn))
+ self._destroy_connection(conn)
+
def _put(self, conn):
self.queue.append(_PoolItem(
ttl=time.time() + self._unused_timeout,
connection=conn,
))
self._acquired -= 1
- # Drop all expired connections from the right end of the queue
- now = time.time()
- while self.queue and self.queue[0].ttl < now:
- conn = self.queue.popleft().connection
- self._debug_logger('Reaping connection %s', id(conn))
- self._destroy_connection(conn)
+ self._drop_expired_connections(conn)
class MemcacheClientPool(ConnectionPool):
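Review bot: the `conn` parameter of the new `_drop_expired_connections(self, conn)` is never read; the loop immediately rebinds it with `conn = self.queue.popleft().connection`, so the value passed from `_put` is ignored and the `:param conn:` docstring entry is misleading. Drop the parameter and call `self._drop_expired_connections()`. The docstring also says connections are dropped "from the right end of the queue" while the code inspects `self.queue[0]` and calls `popleft()`, which is the left end; the wording was copied from the removed comment and should be corrected while it is being moved.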
@@ -173,9 +193,8 @@ class MemcacheClientPool(ConnectionPool):
# If this client found that one of the hosts is dead, mark it as
# such in our internal list
now = time.time()
- for i, deaduntil, host in zip(itertools.count(),
- self._hosts_deaduntil,
- conn.servers):
+ for i, host in zip(itertools.count(), conn.servers):
+ deaduntil = self._hosts_deaduntil[i]
# Do nothing if we already know this host is dead
if deaduntil <= now:
if host.deaduntil > now:
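Review bot: `zip(itertools.count(), conn.servers)` in the rewritten loop is `enumerate(conn.servers)`, which would read more clearly. Note the behaviour change as well: the old three-way `zip` stopped silently at the shorter of `self._hosts_deaduntil` and `conn.servers`, whereas `self._hosts_deaduntil[i]` now raises IndexError if the client ever reports more servers than the pool tracks. If the two lists are guaranteed to be the same length, a short comment saying so would help.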
diff --git a/keystone/common/cache/backends/mongo.py b/keystone/common/cache/backends/mongo.py
index 0a30ea0bc..c9d25d1aa 100644
--- a/keystone/common/cache/backends/mongo.py
+++ b/keystone/common/cache/backends/mongo.py
@@ -17,12 +17,12 @@ import datetime
from dogpile.cache import api
from dogpile.cache import util as dp_util
+from oslo.utils import importutils
from oslo.utils import timeutils
import six
from keystone import exception
from keystone.i18n import _
-from keystone.openstack.common import importutils
from keystone.openstack.common import log
diff --git a/keystone/common/cache/core.py b/keystone/common/cache/core.py
index 3ba528747..46edb531d 100644
--- a/keystone/common/cache/core.py
+++ b/keystone/common/cache/core.py
@@ -17,11 +17,11 @@
import dogpile.cache
from dogpile.cache import proxy
from dogpile.cache import util
+from oslo.utils import importutils
from keystone import config
from keystone import exception
from keystone.i18n import _
-from keystone.openstack.common import importutils
from keystone.openstack.common import log
diff --git a/keystone/common/config.py b/keystone/common/config.py
index b9c723f80..b43ee3866 100644
--- a/keystone/common/config.py
+++ b/keystone/common/config.py
@@ -97,16 +97,15 @@ FILE_OPTIONS = {
'exception for token values.'),
cfg.StrOpt('member_role_id',
default='9fe2ff9ee4384b1894a90878d3e92bab',
- help='During a SQL upgrade member_role_id will be used '
- 'to create a new role that will replace records in '
- 'the assignment table with explicit role grants. '
- 'After migration, the member_role_id will be used in '
- 'the API add_user_to_project.'),
+ help='Similar to the member_role_name option, this '
+ 'represents the default role ID used to associate '
+ 'users with their default projects in the v2 API. '
+ 'This will be used as the explicit role where one is '
+ 'not specified by the v2 API.'),
cfg.StrOpt('member_role_name', default='_member_',
- help='During a SQL upgrade member_role_name will be used '
- 'to create a new role that will replace records in '
- 'the assignment table with explicit role grants. '
- 'After migration, member_role_name will be ignored.'),
+ help='This is the role name used in combination with the '
+ 'member_role_id option; see that option for more '
+ 'detail.'),
cfg.IntOpt('crypt_strength', default=40000,
help='The value passed as the keyword "rounds" to '
'passlib\'s encrypt method.'),
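Review bot: the two new help strings point at each other. `member_role_id` opens with "Similar to the member_role_name option" and `member_role_name` says "see that option for more detail", so neither states what the name is actually used for. Let `member_role_id` carry the full description without the "Similar to" lead, and have `member_role_name` state its own purpose in one sentence. The same text is mirrored in etc/keystone.conf.sample and should be regenerated after the fix.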
@@ -336,27 +335,27 @@ FILE_OPTIONS = {
cfg.ListOpt('memcache_servers', default=['localhost:11211'],
help='Memcache servers in the format of "host:port".'
' (dogpile.cache.memcache and keystone.cache.memcache_pool'
- ' backends only)'),
+ ' backends only).'),
cfg.IntOpt('memcache_dead_retry',
default=5 * 60,
help='Number of seconds memcached server is considered dead'
' before it is tried again. (dogpile.cache.memcache and'
- ' keystone.cache.memcache_pool backends only)'),
+ ' keystone.cache.memcache_pool backends only).'),
cfg.IntOpt('memcache_socket_timeout',
default=3,
help='Timeout in seconds for every call to a server.'
' (dogpile.cache.memcache and keystone.cache.memcache_pool'
- ' backends only)'),
+ ' backends only).'),
cfg.IntOpt('memcache_pool_maxsize',
default=10,
help='Max total number of open connections to every'
' memcached server. (keystone.cache.memcache_pool backend'
- ' only)'),
+ ' only).'),
cfg.IntOpt('memcache_pool_unused_timeout',
default=60,
help='Number of seconds a connection to memcached is held'
' unused in the pool before it is closed.'
- ' (keystone.cache.memcache_pool backend only)'),
+ ' (keystone.cache.memcache_pool backend only).'),
cfg.IntOpt('memcache_pool_connection_get_timeout',
default=10,
help='Number of seconds that an operation will wait to get '
diff --git a/keystone/common/kvs/core.py b/keystone/common/kvs/core.py
index ea476cb8c..624dbfd88 100644
--- a/keystone/common/kvs/core.py
+++ b/keystone/common/kvs/core.py
@@ -22,6 +22,7 @@ from dogpile.cache import proxy
from dogpile.cache import region
from dogpile.cache import util as dogpile_util
from dogpile.core import nameregistry
+from oslo.utils import importutils
import six
from keystone.common import config
@@ -29,7 +30,6 @@ from keystone import exception
from keystone.i18n import _
from keystone.i18n import _LI
from keystone.i18n import _LW
-from keystone.openstack.common import importutils
from keystone.openstack.common import log
diff --git a/keystone/common/manager.py b/keystone/common/manager.py
index c85a25f1d..02ec853d7 100644
--- a/keystone/common/manager.py
+++ b/keystone/common/manager.py
@@ -14,7 +14,7 @@
import functools
-from keystone.openstack.common import importutils
+from oslo.utils import importutils
def response_truncated(f):
diff --git a/keystone/common/sql/core.py b/keystone/common/sql/core.py
index 872b701a8..6956c537b 100644
--- a/keystone/common/sql/core.py
+++ b/keystone/common/sql/core.py
@@ -26,6 +26,7 @@ from oslo.db import exception as db_exception
from oslo.db import options as db_options
from oslo.db.sqlalchemy import models
from oslo.db.sqlalchemy import session as db_session
+from oslo.serialization import jsonutils
import six
import sqlalchemy as sql
from sqlalchemy.ext import declarative
@@ -35,7 +36,6 @@ from sqlalchemy import types as sql_types
from keystone.common import utils
from keystone import exception
from keystone.i18n import _
-from keystone.openstack.common import jsonutils
from keystone.openstack.common import log
diff --git a/keystone/common/sql/migrate_repo/versions/042_endpoint_enabled.py b/keystone/common/sql/migrate_repo/versions/042_endpoint_enabled.py
index 158bca65a..ca080d7cc 100644
--- a/keystone/common/sql/migrate_repo/versions/042_endpoint_enabled.py
+++ b/keystone/common/sql/migrate_repo/versions/042_endpoint_enabled.py
@@ -28,12 +28,11 @@ column.
"""
+from oslo.serialization import jsonutils
from oslo.utils import strutils
import sqlalchemy as sql
from sqlalchemy.orm import Session
-from keystone.openstack.common import jsonutils
-
def _migrate_enabled_from_extra(migrate_engine, endpoint_table):
"""Remove `enabled` from `extra`, put it in the `enabled` column."""
diff --git a/keystone/common/sql/migrate_repo/versions/044_service_enabled.py b/keystone/common/sql/migrate_repo/versions/044_service_enabled.py
index fcb04c73e..1c63f562e 100644
--- a/keystone/common/sql/migrate_repo/versions/044_service_enabled.py
+++ b/keystone/common/sql/migrate_repo/versions/044_service_enabled.py
@@ -28,12 +28,11 @@ column.
"""
+from oslo.serialization import jsonutils
from oslo.utils import strutils
import sqlalchemy as sql
from sqlalchemy.orm import sessionmaker
-from keystone.openstack.common import jsonutils
-
def _migrate_enabled_from_extra(migrate_engine, service_table):
"""Remove `enabled` from `extra`, put it in the `enabled` column."""
diff --git a/keystone/common/sql/migration_helpers.py b/keystone/common/sql/migration_helpers.py
index ff9e7d2ce..10698d2a2 100644
--- a/keystone/common/sql/migration_helpers.py
+++ b/keystone/common/sql/migration_helpers.py
@@ -20,6 +20,8 @@ import sys
import migrate
from migrate import exceptions
from oslo.db.sqlalchemy import migration
+from oslo.serialization import jsonutils
+from oslo.utils import importutils
import six
import sqlalchemy
@@ -29,8 +31,6 @@ from keystone import config
from keystone import contrib
from keystone import exception
from keystone.i18n import _
-from keystone.openstack.common import importutils
-from keystone.openstack.common import jsonutils
CONF = config.CONF
diff --git a/keystone/common/utils.py b/keystone/common/utils.py
index 08f9d8b21..11144e248 100644
--- a/keystone/common/utils.py
+++ b/keystone/common/utils.py
@@ -23,6 +23,7 @@ import hashlib
import os
import pwd
+from oslo.serialization import jsonutils
from oslo.utils import strutils
import passlib.hash
import six
@@ -32,7 +33,6 @@ from keystone.common import config
from keystone.common import environment
from keystone import exception
from keystone.i18n import _
-from keystone.openstack.common import jsonutils
from keystone.openstack.common import log
diff --git a/keystone/common/wsgi.py b/keystone/common/wsgi.py
index 7d1d06d1a..9b678864a 100644
--- a/keystone/common/wsgi.py
+++ b/keystone/common/wsgi.py
@@ -21,6 +21,8 @@
import copy
from oslo import i18n
+from oslo.serialization import jsonutils
+from oslo.utils import importutils
import routes.middleware
import six
import webob.dec
@@ -34,8 +36,6 @@ from keystone.i18n import _
from keystone.i18n import _LI
from keystone.i18n import _LW
from keystone.models import token_model
-from keystone.openstack.common import importutils
-from keystone.openstack.common import jsonutils
from keystone.openstack.common import log
diff --git a/keystone/config.py b/keystone/config.py
index 8236afd45..c5c332a42 100644
--- a/keystone/config.py
+++ b/keystone/config.py
@@ -40,6 +40,7 @@ def set_default_for_default_log_levels():
extra_log_level_defaults = [
'dogpile=INFO',
'routes=INFO',
+ 'keystone.common._memcache_pool=INFO',
]
def find_default_log_levels_opt():
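Review bot: the new entry `'keystone.common._memcache_pool=INFO'` in `extra_log_level_defaults` does not match the module's location. The file changed elsewhere in this merge is keystone/common/cache/_memcache_pool.py, and it creates its logger with `log.getLogger(__name__)`, so the logger name is `keystone.common.cache._memcache_pool` and this default would not apply to it. Suggest `'keystone.common.cache._memcache_pool=INFO'`.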
diff --git a/keystone/contrib/ec2/controllers.py b/keystone/contrib/ec2/controllers.py
index eb3fd76d6..c8625a863 100644
--- a/keystone/contrib/ec2/controllers.py
+++ b/keystone/contrib/ec2/controllers.py
@@ -37,6 +37,7 @@ import sys
import uuid
from keystoneclient.contrib.ec2 import utils as ec2_utils
+from oslo.serialization import jsonutils
import six
from keystone.common import controller
@@ -46,7 +47,6 @@ from keystone.common import wsgi
from keystone import exception
from keystone.i18n import _
from keystone.models import token_model
-from keystone.openstack.common import jsonutils
@dependency.requires('assignment_api', 'catalog_api', 'credential_api',
diff --git a/keystone/contrib/federation/backends/sql.py b/keystone/contrib/federation/backends/sql.py
index 9a8d9655e..63afe0105 100644
--- a/keystone/contrib/federation/backends/sql.py
+++ b/keystone/contrib/federation/backends/sql.py
@@ -12,10 +12,11 @@
# License for the specific language governing permissions and limitations
# under the License.
+from oslo.serialization import jsonutils
+
from keystone.common import sql
from keystone.contrib.federation import core
from keystone import exception
-from keystone.openstack.common import jsonutils
class FederationProtocolModel(sql.ModelBase, sql.DictBase):
diff --git a/keystone/contrib/federation/idp.py b/keystone/contrib/federation/idp.py
index c9c20c910..896129f01 100644
--- a/keystone/contrib/federation/idp.py
+++ b/keystone/contrib/federation/idp.py
@@ -15,6 +15,7 @@ import os
import subprocess
import uuid
+from oslo.utils import timeutils
import saml2
from saml2 import md
from saml2 import saml
@@ -27,7 +28,6 @@ from keystone import exception
from keystone.i18n import _, _LE
from keystone.openstack.common import fileutils
from keystone.openstack.common import log
-from keystone.openstack.common import timeutils
LOG = log.getLogger(__name__)
diff --git a/keystone/contrib/oauth1/backends/sql.py b/keystone/contrib/oauth1/backends/sql.py
index 9ad6cd4d6..0da772864 100644
--- a/keystone/contrib/oauth1/backends/sql.py
+++ b/keystone/contrib/oauth1/backends/sql.py
@@ -16,6 +16,7 @@ import datetime
import random
import uuid
+from oslo.serialization import jsonutils
from oslo.utils import timeutils
import six
@@ -23,7 +24,6 @@ from keystone.common import sql
from keystone.contrib.oauth1 import core
from keystone import exception
from keystone.i18n import _
-from keystone.openstack.common import jsonutils
class Consumer(sql.ModelBase, sql.DictBase):
diff --git a/keystone/contrib/oauth1/controllers.py b/keystone/contrib/oauth1/controllers.py
index 837e5fd25..9316466f1 100644
--- a/keystone/contrib/oauth1/controllers.py
+++ b/keystone/contrib/oauth1/controllers.py
@@ -14,6 +14,7 @@
"""Extensions supporting OAuth1."""
+from oslo.serialization import jsonutils
from oslo.utils import timeutils
from keystone.common import controller
@@ -26,7 +27,6 @@ from keystone import exception
from keystone.i18n import _
from keystone.models import token_model
from keystone import notifications
-from keystone.openstack.common import jsonutils
CONF = config.CONF
diff --git a/keystone/controllers.py b/keystone/controllers.py
index 52514af18..7bf469127 100644
--- a/keystone/controllers.py
+++ b/keystone/controllers.py
@@ -12,13 +12,13 @@
# License for the specific language governing permissions and limitations
# under the License.
+from oslo.serialization import jsonutils
import webob
from keystone.common import extension
from keystone.common import json_home
from keystone.common import wsgi
from keystone import exception
-from keystone.openstack.common import jsonutils
from keystone.openstack.common import log
diff --git a/keystone/credential/controllers.py b/keystone/credential/controllers.py
index 03626a955..5c171e5a3 100644
--- a/keystone/credential/controllers.py
+++ b/keystone/credential/controllers.py
@@ -14,13 +14,14 @@
import hashlib
+from oslo.serialization import jsonutils
+
from keystone.common import controller
from keystone.common import dependency
from keystone.common import validation
from keystone.credential import schema
from keystone import exception
from keystone.i18n import _
-from keystone.openstack.common import jsonutils
@dependency.requires('credential_api')
diff --git a/keystone/identity/core.py b/keystone/identity/core.py
index b363c47c2..ef0b36f6f 100644
--- a/keystone/identity/core.py
+++ b/keystone/identity/core.py
@@ -20,6 +20,7 @@ import os
import uuid
from oslo.config import cfg
+from oslo.utils import importutils
import six
from keystone import clean
@@ -31,7 +32,6 @@ from keystone import exception
from keystone.i18n import _
from keystone.identity.mapping_backends import mapping
from keystone import notifications
-from keystone.openstack.common import importutils
from keystone.openstack.common import log
diff --git a/keystone/middleware/core.py b/keystone/middleware/core.py
index 3d831b13c..83cd593dd 100644
--- a/keystone/middleware/core.py
+++ b/keystone/middleware/core.py
@@ -12,6 +12,7 @@
# License for the specific language governing permissions and limitations
# under the License.
+from oslo.serialization import jsonutils
import six
import webob.dec
@@ -23,7 +24,6 @@ from keystone.common import wsgi
from keystone import exception
from keystone.i18n import _
from keystone.models import token_model
-from keystone.openstack.common import jsonutils
from keystone.openstack.common import log
from keystone.openstack.common import versionutils
diff --git a/keystone/tests/core.py b/keystone/tests/core.py
index a22afdff3..9e69f970c 100644
--- a/keystone/tests/core.py
+++ b/keystone/tests/core.py
@@ -378,7 +378,7 @@ class TestCase(BaseTestCase):
driver='keystone.token.persistence.backends.kvs.Token')
self.config_fixture.config(
group='trust',
- driver='keystone.trust.backends.kvs.Trust')
+ driver='keystone.trust.backends.sql.Trust')
self.config_fixture.config(
group='saml', certfile=signing_certfile, keyfile=signing_keyfile)
self.config_fixture.config(
diff --git a/keystone/tests/fakeldap.py b/keystone/tests/fakeldap.py
index b1100dbb1..7ae8d9027 100644
--- a/keystone/tests/fakeldap.py
+++ b/keystone/tests/fakeldap.py
@@ -327,18 +327,7 @@ class FakeLdap(core.LDAPHandler):
def delete_s(self, dn):
"""Remove the ldap object at specified dn."""
- if server_fail:
- raise ldap.SERVER_DOWN
-
- key = self.key(dn)
- LOG.debug('delete item: dn=%s', core.utf8_decode(dn))
- try:
- del self.db[key]
- except KeyError:
- LOG.debug('delete item failed: dn=%s not found.',
- core.utf8_decode(dn))
- raise ldap.NO_SUCH_OBJECT
- self.db.sync()
+ return self.delete_ext_s(dn, serverctrls=[])
def _getChildren(self, dn):
return [k for k, v in six.iteritems(self.db)
@@ -428,7 +417,7 @@ class FakeLdap(core.LDAPHandler):
Args:
base -- dn to search under
- scope -- only SCOPE_BASE and SCOPE_SUBTREE are supported
+ scope -- search scope (base, subtree, onelevel)
filterstr -- filter objects by
attrlist -- attrs to return. Returns all attrs if not specified
@@ -483,9 +472,8 @@ class FakeLdap(core.LDAPHandler):
results = list(get_entries())
else:
- LOG.debug('search fail: unknown scope %s', scope)
- raise NotImplementedError('Search scope %s not implemented.'
- % scope)
+ # openldap client/server raises PROTOCOL_ERROR for unexpected scope
+ raise ldap.PROTOCOL_ERROR
objects = []
for dn, attrs in results:
@@ -569,9 +557,6 @@ class FakeLdapNoSubtreeDelete(FakeLdap):
an entry that has children.
"""
- def delete_s(self, dn):
- self.delete_ext_s(dn, [], None)
-
def delete_ext_s(self, dn, serverctrls, clientctrls=None):
"""Remove the ldap object at specified dn."""
if server_fail:
diff --git a/keystone/tests/ksfixtures/hacking.py b/keystone/tests/ksfixtures/hacking.py
index d70feca7a..62c481358 100644
--- a/keystone/tests/ksfixtures/hacking.py
+++ b/keystone/tests/ksfixtures/hacking.py
@@ -96,7 +96,7 @@ class HackingCode(fixtures.Fixture):
import logging
import logging as stlib_logging
from keystone.i18n import _
- from keystone.i18n import _ as oslog_i18n
+ from keystone.i18n import _ as oslo_i18n
from keystone.openstack.common import log
from keystone.openstack.common import log as oslo_logging
@@ -105,7 +105,7 @@ class HackingCode(fixtures.Fixture):
L0.debug(_('text'))
class C:
def __init__(self):
- L0.debug(oslog_i18n('text', {}))
+ L0.debug(oslo_i18n('text', {}))
# stdlib logging w/ alias and specifying a logger
class C:
@@ -118,7 +118,7 @@ class HackingCode(fixtures.Fixture):
# oslo logging and specifying a logger
L2 = log.getLogger(__name__)
- L2.debug(oslog_i18n('text'))
+ L2.debug(oslo_i18n('text'))
# oslo logging w/ alias
class C:
diff --git a/keystone/tests/rest.py b/keystone/tests/rest.py
index f90220cd1..c483fc606 100644
--- a/keystone/tests/rest.py
+++ b/keystone/tests/rest.py
@@ -15,12 +15,12 @@
import io
from lxml import etree
+from oslo.serialization import jsonutils
import six
import webtest
from keystone.auth import controllers as auth_controllers
from keystone.common import serializer
-from keystone.openstack.common import jsonutils
from keystone import tests
from keystone.tests import default_fixtures
from keystone.tests.ksfixtures import database
diff --git a/keystone/tests/test_backend_kvs.py b/keystone/tests/test_backend_kvs.py
index 1b70451ac..52b5003d9 100644
--- a/keystone/tests/test_backend_kvs.py
+++ b/keystone/tests/test_backend_kvs.py
@@ -20,8 +20,6 @@ import six
from keystone import config
from keystone import exception
from keystone import tests
-from keystone.tests import default_fixtures
-from keystone.tests.ksfixtures import database
from keystone.tests import test_backend
@@ -104,24 +102,6 @@ class KvsToken(tests.TestCase, test_backend.TokenTests):
self.assertEqual(expected_user_token_list, user_token_list)
-class KvsTrust(tests.TestCase, test_backend.TrustTests):
- def setUp(self):
- super(KvsTrust, self).setUp()
- # Need to load the SQL database support for the fixtures
- self.useFixture(database.Database())
- self.load_backends()
- self.load_fixtures(default_fixtures)
-
- def config_overrides(self):
- super(KvsTrust, self).config_overrides()
- self.config_fixture.config(
- group='trust',
- driver='keystone.trust.backends.kvs.Trust')
- self.config_fixture.config(
- group='catalog',
- driver='keystone.catalog.backends.kvs.Catalog')
-
-
class KvsCatalog(tests.TestCase, test_backend.CatalogTests):
def setUp(self):
super(KvsCatalog, self).setUp()
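Review bot: removing the `KvsTrust` test class here, together with the switch of the default trust driver to `keystone.trust.backends.sql.Trust` in keystone/tests/core.py, leaves `keystone.trust.backends.kvs.Trust` with no backend tests if that module still exists after this merge. Either remove the KVS trust backend in the same change or keep the `TrustTests` coverage until it is gone, and mention the reason in the commit message.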
@@ -131,9 +111,6 @@ class KvsCatalog(tests.TestCase, test_backend.CatalogTests):
def config_overrides(self):
super(KvsCatalog, self).config_overrides()
self.config_fixture.config(
- group='trust',
- driver='keystone.trust.backends.kvs.Trust')
- self.config_fixture.config(
group='catalog',
driver='keystone.catalog.backends.kvs.Catalog')
diff --git a/keystone/tests/test_exception.py b/keystone/tests/test_exception.py
index 4bdcd7576..9b88b6685 100644
--- a/keystone/tests/test_exception.py
+++ b/keystone/tests/test_exception.py
@@ -14,11 +14,11 @@
import uuid
+from oslo.serialization import jsonutils
import six
from keystone.common import wsgi
from keystone import exception
-from keystone.openstack.common import jsonutils
from keystone import tests
diff --git a/keystone/tests/test_keystoneclient.py b/keystone/tests/test_keystoneclient.py
index 72991a146..237906f84 100644
--- a/keystone/tests/test_keystoneclient.py
+++ b/keystone/tests/test_keystoneclient.py
@@ -17,11 +17,11 @@ import os
import uuid
import mock
+from oslo.serialization import jsonutils
from oslo.utils import timeutils
import webob
from keystone import config
-from keystone.openstack.common import jsonutils
from keystone import tests
from keystone.tests import default_fixtures
from keystone.tests.ksfixtures import appserver
diff --git a/keystone/tests/test_middleware.py b/keystone/tests/test_middleware.py
index cf0298984..e0bf101f3 100644
--- a/keystone/tests/test_middleware.py
+++ b/keystone/tests/test_middleware.py
@@ -12,11 +12,11 @@
# License for the specific language governing permissions and limitations
# under the License.
+from oslo.serialization import jsonutils
import webob
from keystone import config
from keystone import middleware
-from keystone.openstack.common import jsonutils
from keystone import tests
diff --git a/keystone/tests/test_sql_migrate_extensions.py b/keystone/tests/test_sql_migrate_extensions.py
index aff58dacf..599d1917c 100644
--- a/keystone/tests/test_sql_migrate_extensions.py
+++ b/keystone/tests/test_sql_migrate_extensions.py
@@ -151,17 +151,43 @@ class EndpointFilterExtension(test_sql_upgrade.SqlMigrateBase):
def repo_package(self):
return endpoint_filter
+ def upgrade(self, version):
+ super(EndpointFilterExtension, self).upgrade(
+ version, repository=self.repo_path)
+
+ def downgrade(self, version):
+ super(EndpointFilterExtension, self).downgrade(
+ version, repository=self.repo_path)
+
+ def _assert_v1_tables(self):
+ self.assertTableColumns('project_endpoint',
+ ['endpoint_id', 'project_id'])
+ self.assertTableDoesNotExist('endpoint_group')
+ self.assertTableDoesNotExist('project_endpoint_group')
+
+ def _assert_v2_tables(self):
+ self.assertTableColumns('project_endpoint',
+ ['endpoint_id', 'project_id'])
+ self.assertTableColumns('endpoint_group',
+ ['id', 'name', 'description', 'filters'])
+ self.assertTableColumns('project_endpoint_group',
+ ['endpoint_group_id', 'project_id'])
+
def test_upgrade(self):
self.assertTableDoesNotExist('project_endpoint')
- self.upgrade(1, repository=self.repo_path)
+ self.upgrade(1)
+ self._assert_v1_tables()
self.assertTableColumns('project_endpoint',
['endpoint_id', 'project_id'])
+ self.upgrade(2)
+ self._assert_v2_tables()
def test_downgrade(self):
- self.upgrade(1, repository=self.repo_path)
- self.assertTableColumns('project_endpoint',
- ['endpoint_id', 'project_id'])
- self.downgrade(0, repository=self.repo_path)
+ self.upgrade(2)
+ self._assert_v2_tables()
+ self.downgrade(1)
+ self._assert_v1_tables()
+ self.downgrade(0)
self.assertTableDoesNotExist('project_endpoint')
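Review bot: in test_upgrade the call to self._assert_v1_tables() is immediately followed by the old self.assertTableColumns('project_endpoint', ['endpoint_id', 'project_id']) lines, which the helper already asserts; drop the leftover assertion so the test reads upgrade(1), _assert_v1_tables(), upgrade(2), _assert_v2_tables(). In test_downgrade the final step only checks that project_endpoint is gone after downgrade(0); the absence of endpoint_group and project_endpoint_group is covered one step earlier by _assert_v1_tables(), which is fine, but a short comment saying so would help the next reader.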
diff --git a/keystone/tests/test_v3.py b/keystone/tests/test_v3.py
index f18bd10f1..76acf0c49 100644
--- a/keystone/tests/test_v3.py
+++ b/keystone/tests/test_v3.py
@@ -16,6 +16,7 @@ import datetime
import uuid
from lxml import etree
+from oslo.serialization import jsonutils
from oslo.utils import timeutils
import six
from testtools import matchers
@@ -27,7 +28,6 @@ from keystone.common import serializer
from keystone import config
from keystone import exception
from keystone import middleware
-from keystone.openstack.common import jsonutils
from keystone.policy.backends import rules
from keystone import tests
from keystone.tests.ksfixtures import database
@@ -1023,17 +1023,13 @@ class RestfulTestCase(tests.SQLDriverOverrides, rest.RestfulTestCase,
self.assertEqual(ref['name'], entity['name'])
return entity
- def assertValidRoleAssignmentListResponse(self, resp, ref=None,
- expected_length=None,
+ def assertValidRoleAssignmentListResponse(self, resp, expected_length=None,
resource_url=None):
entities = resp.result.get('role_assignments')
if expected_length is not None:
self.assertEqual(len(entities), expected_length)
- elif ref is not None:
- # we're at least expecting the ref
- self.assertNotEmpty(entities)
# collections should have relational links
self.assertValidListLinks(resp.result.get('links'),
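Review bot: dropping the ref parameter from assertValidRoleAssignmentListResponse changes the positional order, so any caller still passing ref (by keyword or as the second positional argument) now either raises TypeError or has its ref compared against len(entities) as expected_length. Audit the call sites in the same change. Also note that with the elif ref is not None branch gone, a call that passes no expected_length accepts an empty role_assignments list, so callers that relied on the assertNotEmpty check should now pass an explicit expected_length.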
@@ -1042,8 +1038,6 @@ class RestfulTestCase(tests.SQLDriverOverrides, rest.RestfulTestCase,
for entity in entities:
self.assertIsNotNone(entity)
self.assertValidRoleAssignment(entity)
- if ref:
- self.assertValidRoleAssignment(entity, ref)
return entities
def assertValidRoleAssignment(self, entity, ref=None, url=None):
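Review bot: after removing the if ref: self.assertValidRoleAssignment(entity, ref) check, this helper only validates the shape of each entity and no longer confirms that any particular assignment is present in the list. That is reasonable, since comparing every entity against one ref was only correct for single-item lists, but tests that depended on it need an explicit membership assertion on the returned entities.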
diff --git a/keystone/tests/test_v3_federation.py b/keystone/tests/test_v3_federation.py
index ae3f48dea..edcce0082 100644
--- a/keystone/tests/test_v3_federation.py
+++ b/keystone/tests/test_v3_federation.py
@@ -17,6 +17,7 @@ import uuid
from lxml import etree
import mock
+from oslo.serialization import jsonutils
from oslotest import mockpatch
import saml2
from saml2 import saml
@@ -32,7 +33,6 @@ from keystone.contrib.federation import idp as keystone_idp
from keystone.contrib.federation import utils as mapping_utils
from keystone import exception
from keystone import notifications
-from keystone.openstack.common import jsonutils
from keystone.openstack.common import log
from keystone.tests import federation_fixtures
from keystone.tests import mapping_fixtures
diff --git a/keystone/tests/test_v3_filters.py b/keystone/tests/test_v3_filters.py
index c5421e6e9..c7c45b572 100644
--- a/keystone/tests/test_v3_filters.py
+++ b/keystone/tests/test_v3_filters.py
@@ -15,8 +15,9 @@
import uuid
+from oslo.serialization import jsonutils
+
from keystone import config
-from keystone.openstack.common import jsonutils
from keystone.policy.backends import rules
from keystone.tests import filtering
from keystone.tests.ksfixtures import temporaryfile
diff --git a/keystone/tests/test_v3_oauth1.py b/keystone/tests/test_v3_oauth1.py
index 64a43de25..597ce7720 100644
--- a/keystone/tests/test_v3_oauth1.py
+++ b/keystone/tests/test_v3_oauth1.py
@@ -15,6 +15,7 @@
import copy
import uuid
+from oslo.serialization import jsonutils
from six.moves import urllib
from keystone import config
@@ -22,7 +23,6 @@ from keystone.contrib import oauth1
from keystone.contrib.oauth1 import controllers
from keystone.contrib.oauth1 import core
from keystone import exception
-from keystone.openstack.common import jsonutils
from keystone.tests.ksfixtures import temporaryfile
from keystone.tests import test_v3
diff --git a/keystone/tests/test_v3_protection.py b/keystone/tests/test_v3_protection.py
index f06ecffed..b425b2b1c 100644
--- a/keystone/tests/test_v3_protection.py
+++ b/keystone/tests/test_v3_protection.py
@@ -15,9 +15,10 @@
import uuid
+from oslo.serialization import jsonutils
+
from keystone import config
from keystone import exception
-from keystone.openstack.common import jsonutils
from keystone.policy.backends import rules
from keystone import tests
from keystone.tests.ksfixtures import temporaryfile
diff --git a/keystone/tests/test_versions.py b/keystone/tests/test_versions.py
index 6954da33b..582d50c4e 100644
--- a/keystone/tests/test_versions.py
+++ b/keystone/tests/test_versions.py
@@ -18,12 +18,12 @@ import functools
import random
import mock
+from oslo.serialization import jsonutils
from testtools import matchers as tt_matchers
from keystone.common import json_home
from keystone import config
from keystone import controllers
-from keystone.openstack.common import jsonutils
from keystone import tests
from keystone.tests import matchers
diff --git a/keystone/tests/test_wsgi.py b/keystone/tests/test_wsgi.py
index 11dfb133b..761e91e72 100644
--- a/keystone/tests/test_wsgi.py
+++ b/keystone/tests/test_wsgi.py
@@ -18,6 +18,7 @@ import uuid
import mock
from oslo import i18n
+from oslo.serialization import jsonutils
import six
from testtools import matchers
import webob
@@ -25,7 +26,6 @@ import webob
from keystone.common import environment
from keystone.common import wsgi
from keystone import exception
-from keystone.openstack.common import jsonutils
from keystone import tests
diff --git a/keystone/token/backends/__init__.py b/keystone/token/backends/__init__.py
index 606588765..927ecc97d 100644
--- a/keystone/token/backends/__init__.py
+++ b/keystone/token/backends/__init__.py
@@ -10,6 +10,6 @@
# License for the specific language governing permissions and limitations
# under the License.
-# NOTE(morganfainberg): This module is for transition from the old token
-# backend package location to the new one. This module is slated for removal
+# NOTE(morganfainberg): This package is for transition from the old token
+# backend package location to the new one. This package is slated for removal
# in the Kilo development cycle.
diff --git a/keystone/token/controllers.py b/keystone/token/controllers.py
index 12d8ab6b8..16ced0ed9 100644
--- a/keystone/token/controllers.py
+++ b/keystone/token/controllers.py
@@ -16,6 +16,7 @@ import datetime
import sys
from keystoneclient.common import cms
+from oslo.serialization import jsonutils
from oslo.utils import timeutils
import six
@@ -26,7 +27,6 @@ from keystone import config
from keystone import exception
from keystone.i18n import _
from keystone.models import token_model
-from keystone.openstack.common import jsonutils
from keystone.openstack.common import log
from keystone.token import provider
diff --git a/keystone/token/providers/common.py b/keystone/token/providers/common.py
index b313fc712..ddd7d69e6 100644
--- a/keystone/token/providers/common.py
+++ b/keystone/token/providers/common.py
@@ -12,6 +12,7 @@
# License for the specific language governing permissions and limitations
# under the License.
+from oslo.serialization import jsonutils
from oslo.utils import timeutils
import six
from six.moves.urllib import parse
@@ -21,7 +22,6 @@ from keystone import config
from keystone.contrib import federation
from keystone import exception
from keystone.i18n import _
-from keystone.openstack.common import jsonutils
from keystone.openstack.common import log
from keystone import token
from keystone.token import provider
diff --git a/keystone/token/providers/pki.py b/keystone/token/providers/pki.py
index 2156e43ad..8069886bb 100644
--- a/keystone/token/providers/pki.py
+++ b/keystone/token/providers/pki.py
@@ -15,12 +15,12 @@
"""Keystone PKI Token Provider"""
from keystoneclient.common import cms
+from oslo.serialization import jsonutils
from keystone.common import environment
from keystone import config
from keystone import exception
from keystone.i18n import _
-from keystone.openstack.common import jsonutils
from keystone.openstack.common import log
from keystone.token.providers import common
diff --git a/keystone/token/providers/pkiz.py b/keystone/token/providers/pkiz.py
index a343b7edd..0460e192a 100644
--- a/keystone/token/providers/pkiz.py
+++ b/keystone/token/providers/pkiz.py
@@ -13,12 +13,12 @@
"""Keystone Compressed PKI Token Provider"""
from keystoneclient.common import cms
+from oslo.serialization import jsonutils
from keystone.common import environment
from keystone import config
from keystone import exception
from keystone.i18n import _
-from keystone.openstack.common import jsonutils
from keystone.openstack.common import log
from keystone.token.providers import common
diff --git a/keystone/trust/backends/kvs.py b/keystone/trust/backends/kvs.py
deleted file mode 100644
index e5b049fed..000000000
--- a/keystone/trust/backends/kvs.py
+++ /dev/null
@@ -1,121 +0,0 @@
-# Copyright 2012 OpenStack Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-"""
-An in memory implementation of the trusts API.
-only to be used for testing purposes
-"""
-import copy
-
-from oslo.utils import timeutils
-
-from keystone.common import kvs
-from keystone import exception
-from keystone.openstack.common import versionutils
-from keystone import trust as keystone_trust
-
-
-def _filter_trust(ref, deleted=False):
- if ref['deleted_at'] and not deleted:
- return None
- if (ref.get('expires_at') and timeutils.utcnow() > ref['expires_at'] and
- not deleted):
- return None
- remaining_uses = ref.get('remaining_uses')
- # Do not return trusts that can't be used anymore
- if remaining_uses is not None and not deleted:
- if remaining_uses <= 0:
- return None
- ref = copy.deepcopy(ref)
- return ref
-
-
-class Trust(kvs.Base, keystone_trust.Driver):
-
- @versionutils.deprecated(versionutils.deprecated.JUNO,
- in_favor_of='keystone.trust.backends.sql',
- remove_in=+1,
- what='keystone.trust.backends.kvs')
- def __init__(self):
- super(Trust, self).__init__()
-
- def create_trust(self, trust_id, trust, roles):
- trust_ref = copy.deepcopy(trust)
- trust_ref['id'] = trust_id
- trust_ref['deleted_at'] = None
- trust_ref['roles'] = roles
- if (trust_ref.get('expires_at') and
- trust_ref['expires_at'].tzinfo is not None):
- trust_ref['expires_at'] = (timeutils.normalize_time
- (trust_ref['expires_at']))
-
- self.db.set('trust-%s' % trust_id, trust_ref)
- trustee_user_id = trust_ref['trustee_user_id']
- trustee_list = self.db.get('trustee-%s' % trustee_user_id, [])
- trustee_list.append(trust_id)
- self.db.set('trustee-%s' % trustee_user_id, trustee_list)
- trustor_user_id = trust_ref['trustor_user_id']
- trustor_list = self.db.get('trustor-%s' % trustor_user_id, [])
- trustor_list.append(trust_id)
- self.db.set('trustor-%s' % trustor_user_id, trustor_list)
- return trust_ref
-
- def consume_use(self, trust_id):
- try:
- orig_ref = self.db.get('trust-%s' % trust_id)
- except exception.NotFound:
- raise exception.TrustNotFound(trust_id=trust_id)
- remaining_uses = orig_ref.get('remaining_uses')
- if remaining_uses is None:
- # unlimited uses, do nothing
- return
- elif remaining_uses > 0:
- ref = copy.deepcopy(orig_ref)
- ref['remaining_uses'] -= 1
- self.db.set('trust-%s' % trust_id, ref)
- else:
- raise exception.TrustUseLimitReached(trust_id=trust_id)
-
- def get_trust(self, trust_id, deleted=False):
- try:
- ref = self.db.get('trust-%s' % trust_id)
- return _filter_trust(ref, deleted=deleted)
- except exception.NotFound:
- return None
-
- def delete_trust(self, trust_id):
- try:
- ref = self.db.get('trust-%s' % trust_id)
- except exception.NotFound:
- raise exception.TrustNotFound(trust_id=trust_id)
- ref['deleted_at'] = timeutils.utcnow()
- self.db.set('trust-%s' % trust_id, ref)
-
- def list_trusts(self):
- trusts = []
- for key, value in self.db.items():
- if key.startswith("trust-") and not value['deleted_at']:
- trusts.append(value)
- return trusts
-
- def list_trusts_for_trustee(self, trustee_user_id):
- trusts = []
- for trust in self.db.get('trustee-%s' % trustee_user_id, []):
- trusts.append(self.get_trust(trust))
- return trusts
-
- def list_trusts_for_trustor(self, trustor_user_id):
- trusts = []
- for trust in self.db.get('trustor-%s' % trustor_user_id, []):
- trusts.append(self.get_trust(trust))
- return trusts
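Review bot: deleting this file removes the driver path keystone.trust.backends.kvs.Trust outright, so a deployment that still sets it in the [trust] group will fail to load the backend instead of getting the versionutils.deprecated warning from __init__. The decorator (deprecated in JUNO, remove_in=+1, in_favor_of='keystone.trust.backends.sql') shows the removal is on schedule, but the change should come with a documentation or release-note entry telling operators to switch to the SQL driver, and the sample configuration and docs should be checked for remaining references to the kvs path.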
diff --git a/openstack-common.conf b/openstack-common.conf
index 15be48a62..a16499a70 100644
--- a/openstack-common.conf
+++ b/openstack-common.conf
@@ -2,8 +2,6 @@
module=config
module=gettextutils
-module=importutils
-module=jsonutils
module=log
module=policy
module=processutils
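Review bot: module=importutils is removed here alongside module=jsonutils, but the hunks in this part of the diff only show jsonutils imports being switched to oslo.serialization. Before the incubator copies are deleted on the next sync, grep the tree for remaining keystone.openstack.common.importutils and keystone.openstack.common.jsonutils imports so nothing fails at import time; log stays listed, which matches the keystone.openstack.common.log imports left untouched in the token providers.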
diff --git a/requirements.txt b/requirements.txt
index db8ef51c4..994acb39a 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -22,6 +22,7 @@ oslo.config>=1.4.0 # Apache-2.0
oslo.messaging>=1.4.0
oslo.db>=1.0.0 # Apache-2.0
oslo.i18n>=1.0.0 # Apache-2.0
+oslo.serialization>=1.0.0 # Apache-2.0
oslo.utils>=1.0.0 # Apache-2.0
Babel>=1.3
oauthlib>=0.6
diff --git a/test-requirements-py3.txt b/test-requirements-py3.txt
index 2aacbb3db..30fc13c07 100644
--- a/test-requirements-py3.txt
+++ b/test-requirements-py3.txt
@@ -51,7 +51,7 @@ testscenarios>=0.4
# keystoneclient <0.2.1
httplib2>=0.7.5
# replaces httplib2 in keystoneclient >=0.2.1
-requests>=1.2.1,!=2.4.0
+requests>=2.2.0,!=2.4.0
keyring>=2.1,!=3.3
# For documentation
diff --git a/test-requirements.txt b/test-requirements.txt
index 957961ae0..9bc654297 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -52,7 +52,7 @@ testscenarios>=0.4
# keystoneclient <0.2.1
httplib2>=0.7.5
# replaces httplib2 in keystoneclient >=0.2.1
-requests>=1.2.1,!=2.4.0
+requests>=2.2.0,!=2.4.0
keyring>=2.1,!=3.3
# For documentation