Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge "Implement auth receipts spec"
- Loading branch information
Showing
27 changed files
with
2,032 additions
and
10 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,71 @@ | ||
# Copyright 2018 Catalyst Cloud Ltd | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); you may | ||
# not use this file except in compliance with the License. You may obtain | ||
# a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT | ||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the | ||
# License for the specific language governing permissions and limitations | ||
# under the License. | ||
|
||
from oslo_config import cfg | ||
|
||
from keystone.conf import utils | ||
|
||
|
||
key_repository = cfg.StrOpt( | ||
'key_repository', | ||
default='/etc/keystone/fernet-keys/', | ||
help=utils.fmt(""" | ||
Directory containing Fernet receipt keys. This directory must exist before | ||
using `keystone-manage fernet_setup` for the first time, must be writable by | ||
the user running `keystone-manage fernet_setup` or `keystone-manage | ||
fernet_rotate`, and of course must be readable by keystone's server process. | ||
The repository may contain keys in one of three states: a single staged key | ||
(always index 0) used for receipt validation, a single primary key (always the | ||
highest index) used for receipt creation and validation, and any number of | ||
secondary keys (all other index values) used for receipt validation. With | ||
multiple keystone nodes, each node must share the same key repository contents, | ||
with the exception of the staged key (index 0). It is safe to run | ||
`keystone-manage fernet_rotate` once on any one node to promote a staged key | ||
(index 0) to be the new primary (incremented from the previous highest index), | ||
and produce a new staged key (a new key with index 0); the resulting repository | ||
can then be atomically replicated to other nodes without any risk of race | ||
conditions (for example, it is safe to run `keystone-manage fernet_rotate` on | ||
host A, wait any amount of time, create a tarball of the directory on host A, | ||
unpack it on host B to a temporary location, and atomically move (`mv`) the | ||
directory into place on host B). Running `keystone-manage fernet_rotate` | ||
*twice* on a key repository without syncing other nodes will result in receipts | ||
that can not be validated by all nodes. | ||
""")) | ||
|
||
max_active_keys = cfg.IntOpt( | ||
'max_active_keys', | ||
default=3, | ||
min=1, | ||
help=utils.fmt(""" | ||
This controls how many keys are held in rotation by `keystone-manage | ||
fernet_rotate` before they are discarded. The default value of 3 means that | ||
keystone will maintain one staged key (always index 0), one primary key (the | ||
highest numerical index), and one secondary key (every other index). Increasing | ||
this value means that additional secondary keys will be kept in the rotation. | ||
""")) | ||
|
||
|
||
GROUP_NAME = __name__.split('.')[-1] | ||
ALL_OPTS = [ | ||
key_repository, | ||
max_active_keys, | ||
] | ||
|
||
|
||
def register_opts(conf): | ||
conf.register_opts(ALL_OPTS, group=GROUP_NAME) | ||
|
||
|
||
def list_opts(): | ||
return {GROUP_NAME: ALL_OPTS} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,86 @@ | ||
# Copyright 2018 Catalyst Cloud Ltd | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); you may | ||
# not use this file except in compliance with the License. You may obtain | ||
# a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT | ||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the | ||
# License for the specific language governing permissions and limitations | ||
# under the License. | ||
|
||
from oslo_config import cfg | ||
|
||
from keystone.conf import utils | ||
|
||
|
||
expiration = cfg.IntOpt( | ||
'expiration', | ||
default=300, | ||
min=0, | ||
max=86400, | ||
help=utils.fmt(""" | ||
The amount of time that a receipt should remain valid (in seconds). This value | ||
should always be very short, as it represents how long a user has to reattempt | ||
auth with the missing auth methods. | ||
""")) | ||
|
||
provider = cfg.StrOpt( | ||
'provider', | ||
default='fernet', | ||
help=utils.fmt(""" | ||
Entry point for the receipt provider in the `keystone.receipt.provider` | ||
namespace. The receipt provider controls the receipt construction and | ||
validation operations. Keystone includes just the `fernet` receipt provider for | ||
now. `fernet` receipts do not need to be persisted at all, but require that you | ||
run `keystone-manage fernet_setup` (also see the `keystone-manage | ||
fernet_rotate` command). | ||
""")) | ||
|
||
caching = cfg.BoolOpt( | ||
'caching', | ||
default=True, | ||
help=utils.fmt(""" | ||
Toggle for caching receipt creation and validation data. This has no effect | ||
unless global caching is enabled, or if cache_on_issue is disabled as we only | ||
cache receipts on issue. | ||
""")) | ||
|
||
cache_time = cfg.IntOpt( | ||
'cache_time', | ||
default=300, | ||
min=0, | ||
help=utils.fmt(""" | ||
The number of seconds to cache receipt creation and validation data. This has | ||
no effect unless both global and `[receipt] caching` are enabled. | ||
""")) | ||
|
||
cache_on_issue = cfg.BoolOpt( | ||
'cache_on_issue', | ||
default=True, | ||
help=utils.fmt(""" | ||
Enable storing issued receipt data to receipt validation cache so that first | ||
receipt validation doesn't actually cause full validation cycle. This option | ||
has no effect unless global caching and receipt caching are enabled. | ||
""")) | ||
|
||
|
||
GROUP_NAME = __name__.split('.')[-1] | ||
ALL_OPTS = [ | ||
expiration, | ||
provider, | ||
caching, | ||
cache_time, | ||
cache_on_issue, | ||
] | ||
|
||
|
||
def register_opts(conf): | ||
conf.register_opts(ALL_OPTS, group=GROUP_NAME) | ||
|
||
|
||
def list_opts(): | ||
return {GROUP_NAME: ALL_OPTS} |
Oops, something went wrong.