
    1 # Licensed under the Apache License, Version 2.0 (the "License"); you may
    2 # not use this file except in compliance with the License. You may obtain
    3 # a copy of the License at
    4 #
    5 #      http://www.apache.org/licenses/LICENSE-2.0
    6 #
    7 # Unless required by applicable law or agreed to in writing, software
    8 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
    9 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
   10 # License for the specific language governing permissions and limitations
   11 # under the License.
   12 
   13 from oslo_config import cfg
   14 from oslo_log import versionutils
   15 
   16 from keystone.conf import utils
   17 
   18 
# Deprecation text shared by options that were superseded once federated
# ephemeral users started living in their identity provider's own domain
# (currently only ``federated_domain_name`` below).
_DEPRECATED_MSG = utils.fmt(
    "\n"
    "This option has been superseded by ephemeral users existing in the domain\n"
    "of their identity provider.\n"
)
   23 
# Help text for the backend-driver option, kept separate so the option
# declaration itself stays on one line.
_DRIVER_HELP = utils.fmt("""
Entry point for the federation backend driver in the `keystone.federation`
namespace. Keystone only provides a `sql` driver, so there is no reason to set
this option unless you are providing a custom entry point.
""")

# ``[federation] driver``: entry point name in the ``keystone.federation``
# namespace; only the in-tree ``sql`` driver ships with keystone.
driver = cfg.StrOpt('driver', default='sql', help=_DRIVER_HELP)
   32 
_ASSERTION_PREFIX_HELP = utils.fmt("""
Prefix to use when filtering environment variable names for federated
assertions. Matched variables are passed into the federated mapping engine.
""")

# ``[federation] assertion_prefix``: only environment variables carrying this
# prefix are handed to the mapping engine as assertion attributes; the empty
# default applies no prefix filter.
assertion_prefix = cfg.StrOpt(
    'assertion_prefix', default='', help=_ASSERTION_PREFIX_HELP)
   40 
_REMOTE_ID_ATTRIBUTE_HELP = utils.fmt("""
Default value for all protocols to be used to obtain the entity ID of the
Identity Provider from the environment. For `mod_shib`, this would be
`Shib-Identity-Provider`. For `mod_auth_openidc`, this could be
`HTTP_OIDC_ISS`. For `mod_auth_mellon`, this could be `MELLON_IDP`. This can be
overridden on a per-protocol basis by providing a `remote_id_attribute` to the
federation protocol using the API.
""")

# ``[federation] remote_id_attribute``: name of the environment variable that
# carries the identity provider's entity ID (populated by the web server auth
# module, e.g. mod_shib / mod_auth_openidc / mod_auth_mellon). No default; a
# per-protocol ``remote_id_attribute`` set via the API takes precedence.
remote_id_attribute = cfg.StrOpt(
    'remote_id_attribute', help=_REMOTE_ID_ATTRIBUTE_HELP)
   51 
_FEDERATED_DOMAIN_NAME_HELP = utils.fmt("""
An arbitrary domain name that is reserved to allow federated ephemeral users to
have a domain concept. Note that an admin will not be able to create a domain
with this name or update an existing domain to this name. You are not advised
to change this value unless you really have to.
""")

# ``[federation] federated_domain_name``: reserved domain name for federated
# ephemeral users. Deprecated for removal since Train (see _DEPRECATED_MSG);
# admins cannot create or rename a domain to this name while it is in effect.
federated_domain_name = cfg.StrOpt(
    'federated_domain_name',
    default='Federated',
    deprecated_for_removal=True,
    deprecated_reason=_DEPRECATED_MSG,
    deprecated_since=versionutils.deprecated.TRAIN,
    help=_FEDERATED_DOMAIN_NAME_HELP,
)
   64 
_TRUSTED_DASHBOARD_HELP = utils.fmt("""
A list of trusted dashboard hosts. Before accepting a Single Sign-On request to
return a token, the origin host must be a member of this list. This
configuration option may be repeated for multiple values. You must set this in
order to use web-based SSO flows. For example:
trusted_dashboard=https://acme.example.com/auth/websso
trusted_dashboard=https://beta.example.com/auth/websso
""")

# ``[federation] trusted_dashboard``: allowlist of origin hosts to which a
# WebSSO token may be returned. Membership in this list is the check that
# gates token return, so the empty default leaves web-based SSO unusable
# until an operator explicitly adds the dashboard URLs (option is repeatable).
trusted_dashboard = cfg.MultiStrOpt(
    'trusted_dashboard', default=[], help=_TRUSTED_DASHBOARD_HELP)
   76 
_SSO_CALLBACK_TEMPLATE_HELP = utils.fmt("""
Absolute path to an HTML file used as a Single Sign-On callback handler. This
page is expected to redirect the user from keystone back to a trusted dashboard
host, by form encoding a token in a POST request. Keystone's default value
should be sufficient for most deployments.
""")

# ``[federation] sso_callback_template``: absolute path of the HTML page that
# form-POSTs the issued token back to a trusted dashboard host; the file is
# read from disk at this path, so it should be operator-owned and not writable
# by the service user.
sso_callback_template = cfg.StrOpt(
    'sso_callback_template',
    default='/etc/keystone/sso_callback_template.html',
    help=_SSO_CALLBACK_TEMPLATE_HELP,
)
   86 
   87 
_CACHING_HELP = utils.fmt("""
Toggle for federation caching. This has no effect unless global caching is
enabled. There is typically no reason to disable this.
""")

# ``[federation] caching``: per-subsystem cache toggle, effective only when
# the global cache is enabled.
caching = cfg.BoolOpt('caching', default=True, help=_CACHING_HELP)
   95 
   96 
_DEFAULT_AUTHORIZATION_TTL_HELP = utils.fmt("""
Default time in minutes for the validity of group memberships carried over
from a mapping. Default is 0, which means disabled.
""")

# ``[federation] default_authorization_ttl``: minutes that mapping-derived
# group memberships stay valid; 0 (the default) disables the TTL.
default_authorization_ttl = cfg.IntOpt(
    'default_authorization_ttl',
    default=0,
    help=_DEFAULT_AUTHORIZATION_TTL_HELP,
)
  104 
  105 
# Config group name is derived from the module's own name (``federation``), so
# the file name is the single source of truth for the ``[federation]`` section.
GROUP_NAME = __name__.rpartition('.')[2]

# Every option this module contributes, in the order they are registered and
# listed for sample-config generation.
ALL_OPTS = [
    driver,
    assertion_prefix,
    remote_id_attribute,
    federated_domain_name,
    trusted_dashboard,
    sso_callback_template,
    caching,
    default_authorization_ttl,
]
  117 
  118 
def register_opts(conf):
    """Register all ``[federation]`` options on *conf*.

    :param conf: an ``oslo_config`` ``ConfigOpts`` instance (anything exposing
        ``register_opts(opts, group=...)``).
    :returns: None
    """
    group = GROUP_NAME
    conf.register_opts(ALL_OPTS, group=group)
  121 
  122 
def list_opts():
    """Return the options this module owns, keyed by config group name.

    Used by oslo.config's sample-generator entry point.

    :returns: ``dict`` mapping ``GROUP_NAME`` to ``ALL_OPTS``
    """
    groups = {}
    groups[GROUP_NAME] = ALL_OPTS
    return groups