mirror of
https://opendev.org/openstack/keystone.git
synced 2026-01-16 23:14:51 +00:00
OpenStack Identity (Keystone)
c63efe1df1
We support custom identity plugins. They (and also LDAP backend) may be considered as a read-only (not supporting user data modification through Keystone API). When a user of such backend is disabled in the remote system Keystone will never learn about that and as such tokens for those users will remain active. They cannot be renewed, but still they stay valid. In order to address this situation we need to do additional steps in the token validation and identify the current state of the user in the backend. Due to the use of the token caching it is not possible to reuse normal token validation functionality (it will never gets invalidated as such). In order to keep performance impact as low as possible modify the token validation as following: - regular checks - revocation check - if token is still active and revoke check passed fetch current user data. When user is disabled - log a warning (explaining the situation) and raise `UserDisabled` exception. Since Keystone also does not receive a message when user is reactivated (i.e. it was accidentally disabled) we cannot use the same approach as for regular user disabling and generate a token revocation event. This would cause the user to be locked out until the revocation event expires. Closes-bug: #2122615 Change-Id: If5b83feabc670ced54ef12fe7826267af7e3419d Signed-off-by: Artem Goncharov <artem.goncharov@gmail.com> |
||
|---|---|---|
| api-ref | ||
| config-generator | ||
| devstack | ||
| doc | ||
| etc | ||
| examples/pki | ||
| httpd | ||
| keystone | ||
| playbooks | ||
| rally-jobs | ||
| releasenotes | ||
| tools | ||
| .coveragerc | ||
| .git-blame-ignore-revs | ||
| .gitignore | ||
| .gitreview | ||
| .mailmap | ||
| .pre-commit-config.yaml | ||
| .stestr.conf | ||
| .zuul.yaml | ||
| bindep.txt | ||
| CONTRIBUTING.rst | ||
| HACKING.rst | ||
| LICENSE | ||
| pyproject.toml | ||
| README.rst | ||
| reno.yaml | ||
| requirements.txt | ||
| ruff.toml | ||
| setup.cfg | ||
| setup.py | ||
| test-requirements.txt | ||
| tox.ini | ||
==================
OpenStack Keystone
==================
.. image:: https://governance.openstack.org/tc/badges/keystone.svg
.. Change things from this point on
OpenStack Keystone provides authentication, authorization and service discovery
mechanisms via HTTP primarily for use by projects in the OpenStack family. It
is most commonly deployed as an HTTP interface to existing identity systems,
such as LDAP.
Developer documentation, the source of which is in ``doc/source/``, is
published at:
https://docs.openstack.org/keystone/latest
The API reference and documentation are available at:
https://docs.openstack.org/api-ref/identity
The canonical client library is available at:
https://opendev.org/openstack/python-keystoneclient
Documentation for cloud administrators is available at:
https://docs.openstack.org/keystone/latest/
The source of documentation for cloud administrators is available at:
https://opendev.org/openstack/openstack-manuals
Information about our team meeting is available at:
https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting
Release notes is available at:
https://docs.openstack.org/releasenotes/keystone
Bugs and feature requests are tracked on Launchpad at:
https://bugs.launchpad.net/keystone
Future design work is tracked at:
https://specs.openstack.org/openstack/keystone-specs
Contributors are encouraged to join IRC (``#openstack-keystone`` on OFTC):
https://wiki.openstack.org/wiki/IRC
Source for the project:
https://opendev.org/openstack/keystone
For information on contributing to Keystone, see ``CONTRIBUTING.rst``.