Ubuntu
python-keystoneclient package

Merge lp:~zulcss/ubuntu/precise/python-keystoneclient/new into lp:~ubuntu-cloud-archive/ubuntu/precise/python-keystoneclient/trunk

Precise (12.04)
new
Merge into trunk

Proposed by Chuck Short on 2012-11-30

Status:

Merged

Merged at revision:

Proposed branch:

lp:~zulcss/ubuntu/precise/python-keystoneclient/new

Merge into:

lp:~ubuntu-cloud-archive/ubuntu/precise/python-keystoneclient/trunk

Diff against target:

11180 lines (+8589/-754)

109 files modified

.gitignore (+2/-0)
AUTHORS (+11/-0)
PKG-INFO (+93/-64)
README.rst (+90/-62)
babel.cfg (+1/-0)
debian/changelog (+23/-0)
debian/control (+3/-3)
doc/source/_theme/layout.html (+83/-0)
doc/source/_theme/theme.conf (+4/-0)
doc/source/conf.py (+22/-11)
doc/source/index.rst (+11/-10)
doc/source/ref/client.rst (+0/-8)
doc/source/ref/endpoints.rst (+0/-11)
doc/source/ref/exceptions.rst (+0/-8)
doc/source/ref/generic-client.rst (+0/-12)
doc/source/ref/index.rst (+0/-16)
doc/source/ref/roles.rst (+0/-9)
doc/source/ref/services.rst (+0/-11)
doc/source/ref/tenants.rst (+0/-11)
doc/source/ref/users.rst (+0/-9)
doc/source/releases.rst (+28/-101)
doc/source/shell.rst (+34/-13)
doc/source/static/basic.css (+416/-0)
doc/source/static/default.css (+230/-0)
doc/source/static/jquery.tweet.js (+154/-0)
doc/source/static/nature.css (+245/-0)
doc/source/static/tweaks.css (+94/-0)
doc/source/using-api.rst (+19/-15)
examples/pki/certs/cacert.pem (+18/-0)
examples/pki/certs/middleware.pem (+33/-0)
examples/pki/certs/signing_cert.pem (+17/-0)
examples/pki/certs/ssl_cert.pem (+17/-0)
examples/pki/cms/auth_token_revoked.json (+1/-0)
examples/pki/cms/auth_token_revoked.pem (+42/-0)
examples/pki/cms/auth_token_scoped.json (+1/-0)
examples/pki/cms/auth_token_scoped.pem (+41/-0)
examples/pki/cms/auth_token_unscoped.json (+1/-0)
examples/pki/cms/auth_token_unscoped.pem (+17/-0)
examples/pki/cms/revocation_list.json (+1/-0)
examples/pki/cms/revocation_list.pem (+12/-0)
examples/pki/gen_pki.sh (+222/-0)
examples/pki/private/cakey.pem (+16/-0)
examples/pki/private/signing_key.pem (+16/-0)
examples/pki/private/ssl_key.pem (+16/-0)
keystoneclient/access.py (+144/-0)
keystoneclient/base.py (+126/-4)
keystoneclient/client.py (+72/-41)
keystoneclient/common/cms.py (+169/-0)
keystoneclient/contrib/bootstrap/shell.py (+28/-0)
keystoneclient/exceptions.py (+19/-1)
keystoneclient/generic/shell.py (+9/-7)
keystoneclient/locale/keystoneclient.pot (+20/-0)
keystoneclient/middleware/auth_token.py (+864/-0)
keystoneclient/middleware/test.py (+67/-0)
keystoneclient/openstack/common/cfg.py (+1653/-0)
keystoneclient/openstack/common/iniparser.py (+130/-0)
keystoneclient/openstack/common/jsonutils.py (+148/-0)
keystoneclient/openstack/common/setup.py (+63/-39)
keystoneclient/openstack/common/timeutils.py (+137/-0)
keystoneclient/service_catalog.py (+17/-3)
keystoneclient/shell.py (+97/-75)
keystoneclient/utils.py (+25/-4)
keystoneclient/v2_0/client.py (+135/-37)
keystoneclient/v2_0/shell.py (+28/-7)
keystoneclient/v2_0/tenants.py (+15/-3)
keystoneclient/v2_0/tokens.py (+9/-1)
keystoneclient/v3/__init__.py (+1/-0)
keystoneclient/v3/client.py (+85/-0)
keystoneclient/v3/credentials.py (+57/-0)
keystoneclient/v3/domains.py (+55/-0)
keystoneclient/v3/endpoints.py (+86/-0)
keystoneclient/v3/policies.py (+77/-0)
keystoneclient/v3/projects.py (+82/-0)
keystoneclient/v3/roles.py (+110/-0)
keystoneclient/v3/services.py (+60/-0)
keystoneclient/v3/users.py (+70/-0)
keystoneclient/versioninfo (+1/-1)
openstack-common.conf (+1/-1)
python_keystoneclient.egg-info/PKG-INFO (+93/-64)
python_keystoneclient.egg-info/SOURCES.txt (+66/-9)
python_keystoneclient.egg-info/requires.txt (+1/-1)
run_tests.sh (+6/-1)
setup.cfg (+14/-0)
setup.py (+2/-1)
tests/client_fixtures.py (+72/-0)
tests/test_access.py (+56/-0)
tests/test_auth_token_middleware.py (+670/-0)
tests/test_client.py (+37/-0)
tests/test_http.py (+31/-19)
tests/test_https.py (+10/-16)
tests/v2_0/test_auth.py (+0/-6)
tests/v2_0/test_ec2.py (+1/-1)
tests/v2_0/test_endpoints.py (+1/-1)
tests/v2_0/test_roles.py (+15/-17)
tests/v2_0/test_tenants.py (+55/-17)
tests/v2_0/test_tokens.py (+1/-1)
tests/v2_0/test_users.py (+1/-1)
tests/v3/test_credentials.py (+22/-0)
tests/v3/test_domains.py (+20/-0)
tests/v3/test_endpoints.py (+78/-0)
tests/v3/test_policies.py (+21/-0)
tests/v3/test_projects.py (+69/-0)
tests/v3/test_roles.py (+252/-0)
tests/v3/test_services.py (+21/-0)
tests/v3/test_users.py (+23/-0)
tests/v3/utils.py (+227/-0)
tools/install_venv.py (+25/-0)
tools/pip-requires (+1/-1)
tools/test-requires (+4/-0)

To merge this branch:

bzr merge lp:~zulcss/ubuntu/precise/python-keystoneclient/new

Related bugs:

Bug #960350: Cleanup Keystone package descriptions	Low	Fix Released
Bug #1071032: python-keystoneclient package missing dependency on python-pkg-resources	Medium	Fix Released

Link a bug report

Reviewer	Review Type	Date Requested	Status
James Page		2012-11-30	Approve on 2012-11-30
Review via email: mp+137202@code.launchpad.net

James Page (james-page) wrote on 2012-11-30:

LGTM; please upload with -v to ensure change history maintained.

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

The diff has been truncated for viewing.

Subscribers

People subscribed via source and target branches

to all changes:

Chuck Short

Ubuntu Cloud Archive Team

Ubuntu
python-keystoneclient package

Merge lp:~zulcss/ubuntu/precise/python-keystoneclient/new into lp:~ubuntu-cloud-archive/ubuntu/precise/python-keystoneclient/trunk

Commit Message

Description of the Change

Preview Diff

Subscribers

 === modified file '.gitignore'
 --- .gitignore	2012-08-16 12:34:22 +0000
 +++ .gitignore	2012-11-30 14:11:19 +0000
@@ -6,8 +6,10 @@
  .idea
  *.swp
  *~
++.tox
  AUTHORS
  build
  dist
  python_keystoneclient.egg-info
  keystoneclient/versioninfo
++doc/source/api
 === modified file 'AUTHORS'
 --- AUTHORS	2012-09-07 13:13:18 +0000
 +++ AUTHORS	2012-11-30 14:11:19 +0000
@@ -1,5 +1,7 @@
  Adam Gandelman <adamg@canonical.com>
++Adam Young <ayoung@redhat.com>
  Alan Pevec <apevec@redhat.com>
++Alex Meade <alex.meade@rackspace.com>
  Anthony Young <sleepsonthefloor@gmail.com>
  Bhuvan Arumugam <bhuvan@apache.org>
  Brian Waldon <bcwaldon@gmail.com>
@@ -8,20 +10,29 @@
  Dean Troyer <dtroyer@gmail.com>
  Dolph Mathews <dolph.mathews@gmail.com>
  Dominik Heidler <dheidler@suse.de>
++Doug Hellmann <doug.hellmann@dreamhost.com>
  Everett Toews <everett.toews@gmail.com>
  Gabriel Hurley <gabriel@strikeawe.com>
  Ghe Rivero <ghe@debian.org>
  Hengqing Hu <hudayou@hotmail.com>
++Henry Nash <henryn@linux.vnet.ibm.com>
++Ionuț Arțăriși <iartarisi@suse.cz>
  jakedahn <jake@ansolabs.com>
++Jay Pipes <jaypipes@gmail.com>
  Jesse Andrews <anotherjesse@gmail.com>
++Joe Gordon <jogo@cloudscaling.com>
  Joe Heck <heckj@mac.com>
++Joseph W. Breu <breu@breu.org>
  Josh Kearney <josh@jk0.org>
  Ken Thomas <krt@yahoo-inc.com>
++Kevin L. Mitchell <kevin.mitchell@rackspace.com>
++Laurence Miao <laurence.miao@gmail.com>
  Liem Nguyen <liem.m.nguyen@gmail.com>
  Lorin Hochstein <lorin@nimbisservices.com>
  lrqrun <lrqrun@gmail.com>
  Monty Taylor <mordred@inaugust.com>
  Peng Yong <ppyy@pubyun.com>
++Sam Morrison <sorrison@gmail.com>
  Sascha Peilicke <saschpe@suse.de>
  termie <github@anarkystic.com>
  Thierry Carrez <thierry@openstack.org>
 === modified file 'PKG-INFO'
 --- PKG-INFO	2012-09-07 13:13:18 +0000
 +++ PKG-INFO	2012-11-30 14:11:19 +0000
@@ -1,28 +1,27 @@
  Metadata-Version: 1.1
  Name: python-keystoneclient
--Version: 0.1.3
--Summary: Client library for OpenStack Keystone API
++Version: 0.2.0
++Summary: Client library for OpenStack Identity API (Keystone)
  Home-page: https://github.com/openstack/python-keystoneclient
  Author: Nebula Inc, based on work by Rackspace and Jacob Kaplan-Moss
  Author-email: gabriel.hurley@nebula.com
  License: Apache
--Description: Python bindings to the OpenStack Keystone API
--        =============================================
--
--        This is a client for the OpenStack Keystone API. There's a Python API (the
--        ``keystoneclient`` module), and a command-line script (``keystone``). The
--        Keystone 2.0 API is still a moving target, so this module will remain in
--        "Beta" status until the API is finalized and fully implemented.
--
--        Development takes place via the usual OpenStack processes as outlined in
--        the `OpenStack wiki`_.  The master repository is on GitHub__.
++Description: Python bindings to the OpenStack Identity API (Keystone)
++        ========================================================
++
++        This is a client for the OpenStack Identity API, implemented by Keystone.
++        There's a Python API (the ``keystoneclient`` module), and a command-line script
++        (``keystone``).
++
++        Development takes place via the usual OpenStack processes as outlined in the
++        `OpenStack wiki`_.  The master repository is on GitHub__.
          __ http://wiki.openstack.org/HowToContribute
          __ http://github.com/openstack/python-keystoneclient
--        This code a fork of `Rackspace's python-novaclient`__ which is in turn a fork of
--        `Jacobian's python-cloudservers`__. The python-keystoneclient is licensed under
--        the Apache License like the rest of OpenStack.
++        This code a fork of `Rackspace's python-novaclient`__ which is in turn a fork
++        of `Jacobian's python-cloudservers`__. The python-keystoneclient is licensed
++        under the Apache License like the rest of OpenStack.
          __ http://github.com/rackspace/python-novaclient
          __ http://github.com/jacobian/python-cloudservers
@@ -35,7 +34,7 @@
          By way of a quick-start::
--            # use v2.0 auth with http://example.com:5000/v2.0")
++            # use v2.0 auth with http://example.com:5000/v2.0
              >>> from keystoneclient.v2_0 import client
              >>> keystone = client.Client(username=USERNAME, password=PASSWORD, tenant_name=TENANT, auth_url=AUTH_URL)
              >>> keystone.tenants.list()
@@ -46,40 +45,45 @@
          Command-line API
          ----------------
--        Installing this package gets you a shell command, ``keystone``, that you
--        can use to interact with Keystone's Identity API.
++        Installing this package gets you a shell command, ``keystone``, that you can
++        use to interact with OpenStack's Identity API.
--        You'll need to provide your OpenStack tenant, username and password. You can
--        do this with the ``--os-tenant-name``, ``--os-username`` and ``--os-password``
++        You'll need to provide your OpenStack tenant, username and password. You can do
++        this with the ``--os-tenant-name``, ``--os-username`` and ``--os-password``
          params, but it's easier to just set them as environment variables::
              export OS_TENANT_NAME=project
              export OS_USERNAME=user
              export OS_PASSWORD=pass
--        You will also need to define the authentication url with ``--os-auth-url`` and the
--        version of the API with ``--os-identity-api-version``.  Or set them as an environment
--        variables as well::
++        You will also need to define the authentication url with ``--os-auth-url`` and
++        the version of the API with ``--os-identity-api-version``.  Or set them as an
++        environment variables as well::
              export OS_AUTH_URL=http://example.com:5000/v2.0
              export OS_IDENTITY_API_VERSION=2.0
--        Alternatively, to authenticate to Keystone without a username/password,
--        such as when there are no users in the database yet, use the service
--        token and endpoint arguemnts.  The service token is set in keystone.conf as
--        ``admin_token``; set it with ``service_token``.  Note: keep the service token
--        secret as it allows total access to Keystone's database.  The admin endpoint is set
--        with ``--endpoint`` or ``SERVICE_ENDPOINT``::
--
--            export SERVICE_TOKEN=thequickbrownfox-jumpsover-thelazydog
--            export SERVICE_ENDPOINT=http://example.com:35357/v2.0
--
--        Since Keystone can return multiple regions in the Service Catalog, you
--        can specify the one you want with ``--region_name`` (or
--        ``export OS_REGION_NAME``). It defaults to the first in the list returned.
--
--        You'll find complete documentation on the shell by running
--        ``keystone help``::
++        Alternatively, to bypass username/password authentication, you can provide a
++        pre-established token. In Keystone, this approach is necessary to bootstrap the
++        service with an administrative user, tenant & role (to do so, provide the
++        client with the value of your ``admin_token`` defined in ``keystone.conf`` in
++        addition to the URL of your admin API deployment, typically on port 35357)::
++
++            export OS_SERVICE_TOKEN=thequickbrownfox-jumpsover-thelazydog
++            export OS_SERVICE_ENDPOINT=http://example.com:35357/v2.0
++
++        Since the Identity service can return multiple regions in the service catalog,
++        you can specify the one you want with ``--os-region-name`` (or ``export
++        OS_REGION_NAME``)::
++
++            export OS_REGION_NAME=north
++
++        .. WARNING::
++
++            If a region is not specified and multiple regions are returned by the
++            Identity service, the client may not access the same region consistently.
++
++        You'll find complete documentation on the shell by running ``keystone help``::
              usage: keystone [--os-username <auth-user-name>]
                              [--os-password <auth-password>]
@@ -87,14 +91,17 @@
                              [--os-tenant-id <tenant-id>] [--os-auth-url <auth-url>]
                              [--os-region-name <region-name>]
                              [--os-identity-api-version <identity-api-version>]
--                            [--token <service-token>] [--endpoint <service-endpoint>]
++                            [--os-token <service-token>]
++                            [--os-endpoint <service-endpoint>]
++                            [--os-cacert <ca-certificate>] [--os-cert <certificate>]
++                            [--os-key <key>] [--insecure]
                              <subcommand> ...
              Command-line interface to the OpenStack Identity API.
              Positional arguments:
--              <subcommand>
--                catalog             List service catalog, possibly filtered by service.
++            <subcommand>
++                catalog
                  ec2-credentials-create
                                      Create EC2-compatibile credentials for user per tenant
                  ec2-credentials-delete
@@ -105,13 +112,12 @@
                                      List EC2-compatibile credentials for a user
                  endpoint-create     Create a new endpoint associated with a service
                  endpoint-delete     Delete a service endpoint
--                endpoint-get        Find endpoint filtered by a specific attribute or
--                                    service type
++                endpoint-get
                  endpoint-list       List configured service endpoints
                  role-create         Create new role
                  role-delete         Delete role
                  role-get            Display role details
--                role-list           List all available roles
++                role-list           List all roles
                  service-create      Add service to Service Catalog
                  service-delete      Delete service from Service Catalog
                  service-get         Display service from Service Catalog
@@ -121,46 +127,69 @@
                  tenant-get          Display tenant details
                  tenant-list         List all tenants
                  tenant-update       Update tenant name, description, enabled status
--                token-get           Display the current user token
++                token-get
                  user-create         Create new user
                  user-delete         Delete user
++                user-get            Display user details.
                  user-list           List users
                  user-password-update
                                      Update user password
                  user-role-add       Add role to user
++                user-role-list      List roles granted to a user
                  user-role-remove    Remove role from user
--                user-role-list      List roles for user
                  user-update         Update user's name, email, and enabled status
                  discover            Discover Keystone servers and show authentication
                                      protocols and
++                bootstrap           Grants a new role to a new user on a new tenant, after
++                                    creating each.
++                bash-completion     Prints all of the commands and options to stdout.
                  help                Display help about this program or one of its
                                      subcommands.
              Optional arguments:
--              --os-username <auth-user-name>
--                                    Defaults to env[OS_USERNAME]
--              --os-password <auth-password>
--                                    Defaults to env[OS_PASSWORD]
--              --os-tenant-name <auth-tenant-name>
--                                    Defaults to env[OS_TENANT_NAME]
--              --os-tenant-id <tenant-id>
--                                    Defaults to env[OS_TENANT_ID]
--              --os-auth-url <auth-url>
--                                    Defaults to env[OS_AUTH_URL]
--              --os-region-name <region-name>
++            --os-username <auth-user-name>
++                                    Name used for authentication with the OpenStack
++                                    Identity service. Defaults to env[OS_USERNAME]
++            --os-password <auth-password>
++                                    Password used for authentication with the OpenStack
++                                    Identity service. Defaults to env[OS_PASSWORD]
++            --os-tenant-name <auth-tenant-name>
++                                    Tenant to request authorization on. Defaults to
++                                    env[OS_TENANT_NAME]
++            --os-tenant-id <tenant-id>
++                                    Tenant to request authorization on. Defaults to
++                                    env[OS_TENANT_ID]
++            --os-auth-url <auth-url>
++                                    Specify the Identity endpoint to use for
++                                    authentication. Defaults to env[OS_AUTH_URL]
++            --os-region-name <region-name>
                                      Defaults to env[OS_REGION_NAME]
--              --os-identity-api-version <identity-api-version>
++            --os-identity-api-version <identity-api-version>
                                      Defaults to env[OS_IDENTITY_API_VERSION] or 2.0
--              --token <service-token>
--                                    Defaults to env[SERVICE_TOKEN]
--              --endpoint <service-endpoint>
--                                    Defaults to env[SERVICE_ENDPOINT]
++            --os-token <service-token>
++                                    Specify an existing token to use instead of retrieving
++                                    one via authentication (e.g. with username &
++                                    password). Defaults to env[OS_SERVICE_TOKEN]
++            --os-endpoint <service-endpoint>
++                                    Specify an endpoint to use instead of retrieving one
++                                    from the service catalog (via authentication).
++                                    Defaults to env[OS_SERVICE_ENDPOINT]
++            --os-cacert <ca-certificate>
++                                    Defaults to env[OS_CACERT]
++            --os-cert <certificate>
++                                    Defaults to env[OS_CERT]
++            --os-key <key>        Defaults to env[OS_KEY]
++            --insecure            Explicitly allow keystoneclient to perform "insecure"
++                                    SSL (https) requests. The server's certificate will
++                                    not be verified against any certificate authorities.
++                                    This option should be used with caution.
--        See "keystone help COMMAND" for help on a specific command.
++            See "keystone help COMMAND" for help on a specific command.
  Platform: UNKNOWN
  Classifier: Development Status :: 4 - Beta
  Classifier: Environment :: Console
++Classifier: Environment :: OpenStack
  Classifier: Intended Audience :: Developers
  Classifier: Intended Audience :: Information Technology
  Classifier: License :: OSI Approved :: Apache Software License
 === modified file 'README.rst'
 --- README.rst	2012-08-16 12:34:22 +0000
 +++ README.rst	2012-11-30 14:11:19 +0000
@@ -1,20 +1,19 @@
--Python bindings to the OpenStack Keystone API
--=============================================
--
--This is a client for the OpenStack Keystone API. There's a Python API (the
--``keystoneclient`` module), and a command-line script (``keystone``). The
--Keystone 2.0 API is still a moving target, so this module will remain in
--"Beta" status until the API is finalized and fully implemented.
--
--Development takes place via the usual OpenStack processes as outlined in
--the `OpenStack wiki`_.  The master repository is on GitHub__.
++Python bindings to the OpenStack Identity API (Keystone)
++========================================================
++
++This is a client for the OpenStack Identity API, implemented by Keystone.
++There's a Python API (the ``keystoneclient`` module), and a command-line script
++(``keystone``).
++
++Development takes place via the usual OpenStack processes as outlined in the
++`OpenStack wiki`_.  The master repository is on GitHub__.
  __ http://wiki.openstack.org/HowToContribute
  __ http://github.com/openstack/python-keystoneclient
--This code a fork of `Rackspace's python-novaclient`__ which is in turn a fork of
--`Jacobian's python-cloudservers`__. The python-keystoneclient is licensed under
--the Apache License like the rest of OpenStack.
++This code a fork of `Rackspace's python-novaclient`__ which is in turn a fork
++of `Jacobian's python-cloudservers`__. The python-keystoneclient is licensed
++under the Apache License like the rest of OpenStack.
  __ http://github.com/rackspace/python-novaclient
  __ http://github.com/jacobian/python-cloudservers
@@ -27,7 +26,7 @@
  By way of a quick-start::
--    # use v2.0 auth with http://example.com:5000/v2.0")
++    # use v2.0 auth with http://example.com:5000/v2.0
      >>> from keystoneclient.v2_0 import client
      >>> keystone = client.Client(username=USERNAME, password=PASSWORD, tenant_name=TENANT, auth_url=AUTH_URL)
      >>> keystone.tenants.list()
@@ -38,40 +37,45 @@
  Command-line API
  ----------------
--Installing this package gets you a shell command, ``keystone``, that you
--can use to interact with Keystone's Identity API.
++Installing this package gets you a shell command, ``keystone``, that you can
++use to interact with OpenStack's Identity API.
--You'll need to provide your OpenStack tenant, username and password. You can
--do this with the ``--os-tenant-name``, ``--os-username`` and ``--os-password``
++You'll need to provide your OpenStack tenant, username and password. You can do
++this with the ``--os-tenant-name``, ``--os-username`` and ``--os-password``
  params, but it's easier to just set them as environment variables::
      export OS_TENANT_NAME=project
      export OS_USERNAME=user
      export OS_PASSWORD=pass
--You will also need to define the authentication url with ``--os-auth-url`` and the
--version of the API with ``--os-identity-api-version``.  Or set them as an environment
--variables as well::
++You will also need to define the authentication url with ``--os-auth-url`` and
++the version of the API with ``--os-identity-api-version``.  Or set them as an
++environment variables as well::
      export OS_AUTH_URL=http://example.com:5000/v2.0
      export OS_IDENTITY_API_VERSION=2.0
--Alternatively, to authenticate to Keystone without a username/password,
--such as when there are no users in the database yet, use the service
--token and endpoint arguemnts.  The service token is set in keystone.conf as
--``admin_token``; set it with ``service_token``.  Note: keep the service token
--secret as it allows total access to Keystone's database.  The admin endpoint is set
--with ``--endpoint`` or ``SERVICE_ENDPOINT``::
--
--    export SERVICE_TOKEN=thequickbrownfox-jumpsover-thelazydog
--    export SERVICE_ENDPOINT=http://example.com:35357/v2.0
--
--Since Keystone can return multiple regions in the Service Catalog, you
--can specify the one you want with ``--region_name`` (or
--``export OS_REGION_NAME``). It defaults to the first in the list returned.
--
--You'll find complete documentation on the shell by running
--``keystone help``::
++Alternatively, to bypass username/password authentication, you can provide a
++pre-established token. In Keystone, this approach is necessary to bootstrap the
++service with an administrative user, tenant & role (to do so, provide the
++client with the value of your ``admin_token`` defined in ``keystone.conf`` in
++addition to the URL of your admin API deployment, typically on port 35357)::
++
++    export OS_SERVICE_TOKEN=thequickbrownfox-jumpsover-thelazydog
++    export OS_SERVICE_ENDPOINT=http://example.com:35357/v2.0
++
++Since the Identity service can return multiple regions in the service catalog,
++you can specify the one you want with ``--os-region-name`` (or ``export
++OS_REGION_NAME``)::
++
++    export OS_REGION_NAME=north
++
++.. WARNING::
++
++    If a region is not specified and multiple regions are returned by the
++    Identity service, the client may not access the same region consistently.
++
++You'll find complete documentation on the shell by running ``keystone help``::
      usage: keystone [--os-username <auth-user-name>]
                      [--os-password <auth-password>]
@@ -79,14 +83,17 @@
                      [--os-tenant-id <tenant-id>] [--os-auth-url <auth-url>]
                      [--os-region-name <region-name>]
                      [--os-identity-api-version <identity-api-version>]
--                    [--token <service-token>] [--endpoint <service-endpoint>]
++                    [--os-token <service-token>]
++                    [--os-endpoint <service-endpoint>]
++                    [--os-cacert <ca-certificate>] [--os-cert <certificate>]
++                    [--os-key <key>] [--insecure]
                      <subcommand> ...
      Command-line interface to the OpenStack Identity API.
      Positional arguments:
--      <subcommand>
--        catalog             List service catalog, possibly filtered by service.
++    <subcommand>
++        catalog
          ec2-credentials-create
                              Create EC2-compatibile credentials for user per tenant
          ec2-credentials-delete
@@ -97,13 +104,12 @@
                              List EC2-compatibile credentials for a user
          endpoint-create     Create a new endpoint associated with a service
          endpoint-delete     Delete a service endpoint
--        endpoint-get        Find endpoint filtered by a specific attribute or
--                            service type
++        endpoint-get
          endpoint-list       List configured service endpoints
          role-create         Create new role
          role-delete         Delete role
          role-get            Display role details
--        role-list           List all available roles
++        role-list           List all roles
          service-create      Add service to Service Catalog
          service-delete      Delete service from Service Catalog
          service-get         Display service from Service Catalog
@@ -113,39 +119,61 @@
          tenant-get          Display tenant details
          tenant-list         List all tenants
          tenant-update       Update tenant name, description, enabled status
--        token-get           Display the current user token
++        token-get
          user-create         Create new user
          user-delete         Delete user
++        user-get            Display user details.
          user-list           List users
          user-password-update
                              Update user password
          user-role-add       Add role to user
++        user-role-list      List roles granted to a user
          user-role-remove    Remove role from user
--        user-role-list      List roles for user
          user-update         Update user's name, email, and enabled status
          discover            Discover Keystone servers and show authentication
                              protocols and
++        bootstrap           Grants a new role to a new user on a new tenant, after
++                            creating each.
++        bash-completion     Prints all of the commands and options to stdout.
          help                Display help about this program or one of its
                              subcommands.
      Optional arguments:
--      --os-username <auth-user-name>
--                            Defaults to env[OS_USERNAME]
--      --os-password <auth-password>
--                            Defaults to env[OS_PASSWORD]
--      --os-tenant-name <auth-tenant-name>
--                            Defaults to env[OS_TENANT_NAME]
--      --os-tenant-id <tenant-id>
--                            Defaults to env[OS_TENANT_ID]
--      --os-auth-url <auth-url>
--                            Defaults to env[OS_AUTH_URL]
--      --os-region-name <region-name>
++    --os-username <auth-user-name>
++                            Name used for authentication with the OpenStack
++                            Identity service. Defaults to env[OS_USERNAME]
++    --os-password <auth-password>
++                            Password used for authentication with the OpenStack
++                            Identity service. Defaults to env[OS_PASSWORD]
++    --os-tenant-name <auth-tenant-name>
++                            Tenant to request authorization on. Defaults to
++                            env[OS_TENANT_NAME]
++    --os-tenant-id <tenant-id>
++                            Tenant to request authorization on. Defaults to
++                            env[OS_TENANT_ID]
++    --os-auth-url <auth-url>
++                            Specify the Identity endpoint to use for
++                            authentication. Defaults to env[OS_AUTH_URL]
++    --os-region-name <region-name>
                              Defaults to env[OS_REGION_NAME]
--      --os-identity-api-version <identity-api-version>
++    --os-identity-api-version <identity-api-version>
                              Defaults to env[OS_IDENTITY_API_VERSION] or 2.0
--      --token <service-token>
--                            Defaults to env[SERVICE_TOKEN]
--      --endpoint <service-endpoint>
--                            Defaults to env[SERVICE_ENDPOINT]
++    --os-token <service-token>
++                            Specify an existing token to use instead of retrieving
++                            one via authentication (e.g. with username &
++                            password). Defaults to env[OS_SERVICE_TOKEN]
++    --os-endpoint <service-endpoint>
++                            Specify an endpoint to use instead of retrieving one
++                            from the service catalog (via authentication).
++                            Defaults to env[OS_SERVICE_ENDPOINT]
++    --os-cacert <ca-certificate>
++                            Defaults to env[OS_CACERT]
++    --os-cert <certificate>
++                            Defaults to env[OS_CERT]
++    --os-key <key>        Defaults to env[OS_KEY]
++    --insecure            Explicitly allow keystoneclient to perform "insecure"
++                            SSL (https) requests. The server's certificate will
++                            not be verified against any certificate authorities.
++                            This option should be used with caution.
--See "keystone help COMMAND" for help on a specific command.
++    See "keystone help COMMAND" for help on a specific command.
 === added file 'babel.cfg'
 --- babel.cfg	1970-01-01 00:00:00 +0000
 +++ babel.cfg	2012-11-30 14:11:19 +0000
@@ -0,0 +1,1 @@
++[python: **.py]
 === modified file 'debian/changelog'
 --- debian/changelog	2012-10-10 18:40:31 +0000
 +++ debian/changelog	2012-11-30 14:11:19 +0000
@@ -1,3 +1,26 @@
++python-keystoneclient (1:0.2.0-0ubuntu1~cloud0) precise-grizzly; urgency=low
++
++  * New upstream release for the Ubuntu Cloud Archive.
++
++ -- Chuck Short <zulcss@ubuntu.com>  Fri, 30 Nov 2012 08:07:06 -0600
++
++python-keystoneclient (1:0.2.0-0ubuntu1) raring; urgency=low
++
++  * New upstream release.
++  * debian/control: Add python-pkg-resources. (LP: #1071032)
++
++ -- Chuck Short <zulcss@ubuntu.com>  Thu, 29 Nov 2012 12:46:21 -0600
++
++python-keystoneclient (1:0.1.3.37-0ubuntu1) raring-proposed; urgency=low
++
++  [ Adam Gandelman ]
++  * New upstream release.
++
++  [ Adrien Cunin ]
++  * Typo and cosmetic fixes to package description (LP: #960350)
++
++ -- Adam Gandelman <adamg@canonical.com>  Wed, 31 Oct 2012 09:17:26 +0100
++
  python-keystoneclient (1:0.1.3-0ubuntu1~cloud0) precise-folsom; urgency=low
    * New upstream snapshot for the Ubuntu Cloud Archive.
 === modified file 'debian/control'
 --- debian/control	2012-03-02 10:31:44 +0000
 +++ debian/control	2012-11-30 14:11:19 +0000
@@ -8,7 +8,7 @@
  Package: python-keystoneclient
  Architecture: all
--Depends: ${python:Depends}, ${misc:Depends}, python-httplib2
--Description: Client libary for Openstack Keystone API
-- This is a client for the OpenStack Keystone API. There's a Python API
++Depends: ${python:Depends}, ${misc:Depends}, python-pkg-resources
++Description: Client library for OpenStack Identity API
++ This is a client for the OpenStack Identity API. There's a Python API
   (the ``keystoneclient`` module), and a command-line script (``keystone``).
 === added directory 'doc/source/_templates'
 === added file 'doc/source/_templates/.placeholder'
 === added directory 'doc/source/_theme'
 === added file 'doc/source/_theme/layout.html'
 --- doc/source/_theme/layout.html	1970-01-01 00:00:00 +0000
 +++ doc/source/_theme/layout.html	2012-11-30 14:11:19 +0000
@@ -0,0 +1,83 @@
++{% extends "basic/layout.html" %}
++{% set css_files = css_files + ['_static/tweaks.css'] %}
++{% set script_files = script_files + ['_static/jquery.tweet.js'] %}
++
++{%- macro sidebar() %}
++      {%- if not embedded %}{% if not theme_nosidebar|tobool %}
++      <div class="sphinxsidebar">
++        <div class="sphinxsidebarwrapper">
++          {%- block sidebarlogo %}
++          {%- if logo %}
++            <p class="logo"><a href="{{ pathto(master_doc) }}">
++              <img class="logo" src="{{ pathto('_static/' + logo, 1) }}" alt="Logo"/>
++            </a></p>
++          {%- endif %}
++          {%- endblock %}
++          {%- block sidebartoc %}
++          {%- if display_toc %}
++            <h3><a href="{{ pathto(master_doc) }}">{{ _('Table Of Contents') }}</a></h3>
++            {{ toc }}
++          {%- endif %}
++          {%- endblock %}
++          {%- block sidebarrel %}
++          {%- if prev %}
++            <h4>{{ _('Previous topic') }}</h4>
++            <p class="topless"><a href="{{ prev.link|e }}"
++                                  title="{{ _('previous chapter') }}">{{ prev.title }}</a></p>
++          {%- endif %}
++          {%- if next %}
++            <h4>{{ _('Next topic') }}</h4>
++            <p class="topless"><a href="{{ next.link|e }}"
++                                  title="{{ _('next chapter') }}">{{ next.title }}</a></p>
++          {%- endif %}
++          {%- endblock %}
++          {%- block sidebarsourcelink %}
++          {%- if show_source and has_source and sourcename %}
++            <h3>{{ _('This Page') }}</h3>
++            <ul class="this-page-menu">
++              <li><a href="{{ pathto('_sources/' + sourcename, true)|e }}"
++                     rel="nofollow">{{ _('Show Source') }}</a></li>
++            </ul>
++          {%- endif %}
++          {%- endblock %}
++          {%- if customsidebar %}
++          {% include customsidebar %}
++          {%- endif %}
++          {%- block sidebarsearch %}
++          {%- if pagename != "search" %}
++          <div id="searchbox" style="display: none">
++            <h3>{{ _('Quick search') }}</h3>
++              <form class="search" action="{{ pathto('search') }}" method="get">
++                <input type="text" name="q" size="18" />
++                <input type="submit" value="{{ _('Go') }}" />
++                <input type="hidden" name="check_keywords" value="yes" />
++                <input type="hidden" name="area" value="default" />
++              </form>
++              <p class="searchtip" style="font-size: 90%">
++              {{ _('Enter search terms or a module, class or function name.') }}
++              </p>
++          </div>
++          <script type="text/javascript">$('#searchbox').show(0);</script>
++          {%- endif %}
++          {%- endblock %}
++        </div>
++      </div>
++      {%- endif %}{% endif %}
++{%- endmacro %}
++
++{% block relbar1 %}{% endblock relbar1 %}
++
++{% block header %}
++  <div id="header">
++    <h1 id="logo"><a href="http://www.openstack.org/">OpenStack</a></h1>
++    <ul id="navigation">
++      <li><a href="http://www.openstack.org/" title="Go to the Home page" class="link">Home</a></li>
++      <li><a href="http://www.openstack.org/projects/" title="Go to the OpenStack Projects page">Projects</a></li>
++      <li><a href="http://www.openstack.org/user-stories/" title="Go to the User Stories page" class="link">User Stories</a></li>
++      <li><a href="http://www.openstack.org/community/" title="Go to the Community page" class="link">Community</a></li>
++      <li><a href="http://www.openstack.org/blog/" title="Go to the OpenStack Blog">Blog</a></li>
++      <li><a href="http://wiki.openstack.org/" title="Go to the OpenStack Wiki">Wiki</a></li>
++      <li><a href="http://docs.openstack.org/" title="Go to OpenStack Documentation" class="current">Documentation</a></li>
++    </ul>
++  </div>
++{% endblock %}
 \ No newline at end of file
 === added file 'doc/source/_theme/theme.conf'
 --- doc/source/_theme/theme.conf	1970-01-01 00:00:00 +0000
 +++ doc/source/_theme/theme.conf	2012-11-30 14:11:19 +0000
@@ -0,0 +1,4 @@
++[theme]
++inherit = basic
++stylesheet = nature.css
++pygments_style = tango
 === modified file 'doc/source/conf.py'
 --- doc/source/conf.py	2012-09-07 13:13:18 +0000
 +++ doc/source/conf.py	2012-11-30 14:11:19 +0000
@@ -16,7 +16,7 @@
  import sys
  sys.path.insert(0, os.path.abspath(os.path.join(os.path.dirname(__file__),
--                "..", "..")))
++                '..', '..')))
  # If extensions (or modules to document with autodoc) are in another directory,
  # add these directories to sys.path here. If the directory is relative to the
@@ -28,7 +28,12 @@
  # Add any Sphinx extension module names here, as strings. They can be
  # extensions
  # coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
--extensions = ['sphinx.ext.autodoc', 'sphinx.ext.intersphinx']
++extensions = ['sphinx.ext.autodoc',
++              'sphinx.ext.todo',
++              'sphinx.ext.coverage',
++              'sphinx.ext.intersphinx']
++
++todo_include_todos = True
  # Add any paths that contain templates here, relative to this directory.
  templates_path = ['_templates']
@@ -50,10 +55,10 @@
  # |version| and |release|, also used in various other places throughout the
  # built documents.
+ #
--# The short X.Y version.
--version = '2.7'
++# The short XXXX.Y version.
++version = '2012.3'
  # The full version, including alpha/beta/rc tags.
--release = '2.7.0'
++release = '2012.3-dev'
  # The language for content autogenerated by Sphinx. Refer to documentation
  # for a list of supported languages.
@@ -98,7 +103,8 @@
  # The theme to use for HTML and HTML Help pages.  Major themes that come with
  # Sphinx are currently 'default' and 'sphinxdoc'.
--html_theme = 'nature'
++html_theme_path = ["."]
++html_theme = '_theme'
  # Theme options are theme-specific and customize the look and feel of a theme
  # further.  For a list of options available for each theme, see the
@@ -127,11 +133,12 @@
  # Add any paths that contain custom static files (such as style sheets) here,
  # relative to this directory. They are copied after the builtin static files,
  # so a file named "default.css" will overwrite the builtin "default.css".
--html_static_path = ['_static']
++html_static_path = ['static']
  # If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
  # using the given strftime format.
--#html_last_updated_fmt = '%b %d, %Y'
++git_cmd = "git log --pretty=format:'%ad, commit %h' --date=local -n1"
++html_last_updated_fmt = os.popen(git_cmd).read()
  # If true, SmartyPants will be used to convert quotes and dashes to
  # typographically correct entities.
@@ -181,8 +188,9 @@
  # .
  latex_documents = [
      ('index', 'python-keystoneclient.tex',
--    u'python-keystoneclient Documentation',
--    u'Nebula Inc, based on work by Rackspace and Jacob Kaplan-Moss', 'manual'),
++     u'python-keystoneclient Documentation',
++     u'Nebula Inc, based on work by Rackspace and Jacob Kaplan-Moss',
++     'manual'),
+ ]
  # The name of an image file (relative to this directory) to place at the top of
@@ -204,4 +212,7 @@
  # Example configuration for intersphinx: refer to the Python standard library.
--intersphinx_mapping = {'http://docs.python.org/': None}
++intersphinx_mapping = {'python': ('http://docs.python.org/', None),
++                       'nova': ('http://nova.openstack.org', None),
++                       'swift': ('http://swift.openstack.org', None),
++                       'glance': ('http://glance.openstack.org', None)}
 === modified file 'doc/source/index.rst'
 --- doc/source/index.rst	2012-06-22 12:58:18 +0000
 +++ doc/source/index.rst	2012-11-30 14:11:19 +0000
@@ -1,7 +1,7 @@
--Python bindings to the OpenStack Keystone API
--==================================================
++Python bindings to the OpenStack Identity API (Keystone)
++========================================================
--This is a client for OpenStack Keystone API. There's :doc:`a Python API
++This is a client for OpenStack Identity API. There's :doc:`a Python API
  <using-api>` (the :mod:`keystoneclient` module), and a :doc:`command-line script
  <shell>` (installed as :program:`keystone`).
@@ -10,20 +10,21 @@
  .. toctree::
     :maxdepth: 1
++   releases
++   shell
     using-api
--   shell
--   ref/index
--   releases
++
++   api/autoindex
  Contributing
  ============
--Code is hosted `on GitHub`_. Submit bugs to the Keystone project on
--`Launchpad`_. Submit code to the openstack/python-keystoneclient project using
--`Gerrit`_.
++Code is hosted `on GitHub`_. Submit bugs to the Keystone project on
++`Launchpad`_. Submit code to the ``openstack/python-keystoneclient`` project
++using `Gerrit`_.
  .. _on GitHub: https://github.com/openstack/python-keystoneclient
--.. _Launchpad: https://launchpad.net/keystone
++.. _Launchpad: https://launchpad.net/python-keystoneclient
  .. _Gerrit: http://wiki.openstack.org/GerritWorkflow
  Run tests with ``python setup.py test``.
 === removed directory 'doc/source/ref'
 === removed file 'doc/source/ref/client.rst'
 --- doc/source/ref/client.rst	2012-06-22 12:58:18 +0000
 +++ doc/source/ref/client.rst	1970-01-01 00:00:00 +0000
@@ -1,8 +0,0 @@
--Client
--======
--
--.. currentmodule:: keystoneclient.v2_0.client
--
--.. autoclass:: Client
--
--    .. automethod:: authenticate
 === removed file 'doc/source/ref/endpoints.rst'
 --- doc/source/ref/endpoints.rst	2012-06-22 12:58:18 +0000
 +++ doc/source/ref/endpoints.rst	1970-01-01 00:00:00 +0000
@@ -1,11 +0,0 @@
--==============================
--Endpoint Manager and Endpoints
--==============================
--
--
--
--.. currentmodule:: keystoneclient.v2_0.endpoints
--
--.. automodule:: keystoneclient.v2_0.endpoints
--    :members:
--
 === removed file 'doc/source/ref/exceptions.rst'
 --- doc/source/ref/exceptions.rst	2012-06-22 12:58:18 +0000
 +++ doc/source/ref/exceptions.rst	1970-01-01 00:00:00 +0000
@@ -1,8 +0,0 @@
--Exceptions
--==========
--
--.. currentmodule:: keystoneclient.exceptions
--
--.. automodule:: keystoneclient.exceptions
--    :members:
--
 === removed file 'doc/source/ref/generic-client.rst'
 --- doc/source/ref/generic-client.rst	2012-06-22 12:58:18 +0000
 +++ doc/source/ref/generic-client.rst	1970-01-01 00:00:00 +0000
@@ -1,12 +0,0 @@
--Generic client
--==============
--
--Use the generic client to obtain access to a specific endpoint version.
--
--
--.. currentmodule:: keystoneclient.generic.client
--
--.. autoclass:: Client
--
--    .. automethod:: discover
--
 === removed file 'doc/source/ref/index.rst'
 --- doc/source/ref/index.rst	2012-06-22 12:58:18 +0000
 +++ doc/source/ref/index.rst	1970-01-01 00:00:00 +0000
@@ -1,16 +0,0 @@
--API Reference
--=============
--
--The following API reference documents are available:
--
--.. toctree::
--   :maxdepth: 1
--
--   client
--   generic-client
--   tenants
--   users
--   roles
--   services
--   endpoints
--   exceptions
 === removed file 'doc/source/ref/roles.rst'
 --- doc/source/ref/roles.rst	2012-06-22 12:58:18 +0000
 +++ doc/source/ref/roles.rst	1970-01-01 00:00:00 +0000
@@ -1,9 +0,0 @@
--======================
--Role Manager and Roles
--======================
--
--.. currentmodule:: keystoneclient.v2_0.roles
--
--.. automodule:: keystoneclient.v2_0.roles
--    :members:
--
 === removed file 'doc/source/ref/services.rst'
 --- doc/source/ref/services.rst	2012-06-22 12:58:18 +0000
 +++ doc/source/ref/services.rst	1970-01-01 00:00:00 +0000
@@ -1,11 +0,0 @@
--============================
--Service Manager and Services
--============================
--
--
--
--.. currentmodule:: keystoneclient.v2_0.services
--
--.. automodule:: keystoneclient.v2_0.services
--    :members:
--
 === removed file 'doc/source/ref/tenants.rst'
 --- doc/source/ref/tenants.rst	2012-06-22 12:58:18 +0000
 +++ doc/source/ref/tenants.rst	1970-01-01 00:00:00 +0000
@@ -1,11 +0,0 @@
--==========================
--Tenant Manager and Tenants
--==========================
--
--
--
--.. currentmodule:: keystoneclient.v2_0.tenants
--
--.. automodule:: keystoneclient.v2_0.tenants
--    :members:
--
 === removed file 'doc/source/ref/users.rst'
 --- doc/source/ref/users.rst	2012-06-22 12:58:18 +0000
 +++ doc/source/ref/users.rst	1970-01-01 00:00:00 +0000
@@ -1,9 +0,0 @@
--======================
--User Manager and Users
--======================
--
--.. currentmodule:: keystoneclient.v2_0.users
--
--.. automodule:: keystoneclient.v2_0.users
--    :members:
--
 === modified file 'doc/source/releases.rst'
 --- doc/source/releases.rst	2012-06-22 12:58:18 +0000
 +++ doc/source/releases.rst	2012-11-30 14:11:19 +0000
@@ -2,105 +2,32 @@
  Release notes
  =============
--2.7.0 (October 21, 2011)
--========================
--* Forked from http://github.com/rackspace/python-novaclient
--* Rebranded to python-keystoneclient
--* Refactored to support Keystone API (auth, tokens, services, roles, tenants,
++0.1.3 (August 31, 2012)
++=======================
++* changed logging to report request and response independently in --debug mode
++* changed options to use hyphens instead of underscores
++* added support for PKI signed tokens with Keystone
++
++
++0.1.2 (July 9, 2012)
++====================
++* added support for two-way SSL and --insecure option to allow for self-signed
++  certificates
++* added support for password prompting if not provided
++* added support for bash completion for keystone
++* updated CLI options to use dashes instead of underscores
++
++0.1.1 (June 25, 2012)
++=====================
++* corrected versioning
++
++0.1.0 (March 29, 2012)
++======================
++* released with OpenStack Essex and Diablo compatibility
++* forked from http://github.com/rackspace/python-novaclient
++* refactored to support Identity API (auth, tokens, services, roles, tenants,
    users, etc.)
--
--2.5.8 (July 11, 2011)
--=====================
--* returns all public/private ips, not just first one
--* better 'nova list' search options
--
--2.5.7 - 2.5.6 = minor tweaks
--
--2.5.5 (June 21, 2011)
--=====================
--* zone-boot min/max instance count added thanks to comstud
--* create for user added thanks to cerberus
--* fixed tests
--
--2.5.3 (June 15, 2011)
--=====================
--* ProjectID can be None for backwards compatability.
--* README/docs updated for projectId thanks to usrleon
--
--2.5.1 (June 10, 2011)
--=====================
--* ProjectID now part of authentication
--
--2.5.0 (June 3, 2011)
--====================
--
--* better logging thanks to GridDynamics
--
--2.4.4 (June 1, 2011)
--====================
--
--* added support for GET /servers with reservation_id (and /servers/detail)
--
--2.4.3 (May 27, 2011)
--====================
--
--* added support for POST /zones/select (client only, not cmdline)
--
--2.4 (March 7, 2011)
--===================
--
--* added Jacob Kaplan-Moss copyright notices to older/untouched files.
--
--
--2.3 (March 2, 2011)
--===================
--
--* package renamed to python-novaclient. Module to novaclient
--
--
--2.2 (March 1, 2011)
--===================
--
--* removed some license/copywrite notices from source that wasn't
--  significantly changed.
--
--
--2.1 (Feb 28, 2011)
--==================
--
--* shell renamed to nova from novatools
--
--* license changed from BSD to Apache
--
--2.0 (Feb 7, 2011)
--=================
--
--* Forked from https://github.com/jacobian/python-cloudservers
--
--* Rebranded to python-novatools
--
--* Auth URL support
--
--* New OpenStack specific commands added (pause, suspend, etc)
--
--1.2 (August 15, 2010)
--=====================
--
--* Support for Python 2.4 - 2.7.
--
--* Improved output of :program:`cloudservers ipgroup-list`.
--
--* Made ``cloudservers boot --ipgroup <name>`` work (as well as ``--ipgroup
--  <id>``).
--
--1.1 (May 6, 2010)
--=================
--
--* Added a ``--files`` option to :program:`cloudservers boot` supporting
--  the upload of (up to five) files at boot time.
--
--* Added a ``--key`` option to :program:`cloudservers boot` to key the server
--  with an SSH public key at boot time. This is just a shortcut for ``--files``,
--  but it's a useful shortcut.
--
--* Changed the default server image to Ubuntu 10.04 LTS.
++* removed legacy arguments of --username, --password, etc in migration to
++  support a cross-openstack unified CLI convention defined at
++  http://wiki.openstack.org/UnifiedCLI
++* required service ID for listing endpoints
 === modified file 'doc/source/shell.rst'
 --- doc/source/shell.rst	2012-09-07 13:13:18 +0000
 +++ doc/source/shell.rst	2012-11-30 14:11:19 +0000
@@ -1,22 +1,43 @@
  The :program:`keystone` shell utility
--=========================================
++=====================================
  .. program:: keystone
  .. highlight:: bash
--The :program:`keystone` shell utility interacts with OpenStack Keystone API
--from the command line. It supports the entirety of the OpenStack Keystone API.
--
--First, you'll need an OpenStack Keystone account. You get this by using the
--`keystone-manage` command in OpenStack Keystone.
--
--You'll need to provide :program:`keystone` with your OpenStack username and
--password. You can do this with the :option:`--os-username`, :option:`--os-password`.
--You can optionally specify a :option:`--os-tenant-id` or :option:`--os-tenant-name`,
--to scope your token to a specific tenant.  If you don't specify a tenant, you
--will be scoped to your default tenant if you have one.  Instead of using
--options, it is easier to just set them as environment variables:
++The :program:`keystone` shell utility interacts with OpenStack Identity API
++from the command line. It supports the entirety of the OpenStack Identity API.
++
++To communicate with the API, you will need to be authenticated - and the
++:program:`keystone` provides multiple options for this.
++
++While bootstrapping keystone the authentication is accomplished with a
++shared secret token and the location of the Identity API endpoint. The
++shared secret token is configured in keystone.conf as "admin_token".
++
++You can specify those values on the command line with :option:`--os-token`
++and :option:`--os-endpoint`, or set them in environment variables:
++
++.. envvar:: OS_SERVICE_TOKEN
++
++    Your keystone administrative token
++
++.. envvar:: OS_SERVICE_ENDPOINT
++
++    Your Identity API endpoint
++
++The command line options will override any environment variables set.
++
++If you already have accounts, you can use your OpenStack username and
++password. You can do this with the :option:`--os-username`,
++:option:`--os-password`.
++
++Keystone allows a user to be associated with one or more tenants. To specify
++the tenant for which you want to authorize against, you may optionally
++specify a :option:`--os-tenant-id` or :option:`--os-tenant-name`.
++
++Instead of using options, it is easier to just set them as environment
++variables:
  .. envvar:: OS_USERNAME
 === added directory 'doc/source/static'
 === added file 'doc/source/static/basic.css'
 --- doc/source/static/basic.css	1970-01-01 00:00:00 +0000
 +++ doc/source/static/basic.css	2012-11-30 14:11:19 +0000
@@ -0,0 +1,416 @@
++/**
++ * Sphinx stylesheet -- basic theme
++ * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
++ */
++
++/* -- main layout ----------------------------------------------------------- */
++
++div.clearer {
++    clear: both;
++}
++
++/* -- relbar ---------------------------------------------------------------- */
++
++div.related {
++    width: 100%;
++    font-size: 90%;
++}
++
++div.related h3 {
++    display: none;
++}
++
++div.related ul {
++    margin: 0;
++    padding: 0 0 0 10px;
++    list-style: none;
++}
++
++div.related li {
++    display: inline;
++}
++
++div.related li.right {
++    float: right;
++    margin-right: 5px;
++}
++
++/* -- sidebar --------------------------------------------------------------- */
++
++div.sphinxsidebarwrapper {
++    padding: 10px 5px 0 10px;
++}
++
++div.sphinxsidebar {
++    float: left;
++    width: 230px;
++    margin-left: -100%;
++    font-size: 90%;
++}
++
++div.sphinxsidebar ul {
++    list-style: none;
++}
++
++div.sphinxsidebar ul ul,
++div.sphinxsidebar ul.want-points {
++    margin-left: 20px;
++    list-style: square;
++}
++
++div.sphinxsidebar ul ul {
++    margin-top: 0;
++    margin-bottom: 0;
++}
++
++div.sphinxsidebar form {
++    margin-top: 10px;
++}
++
++div.sphinxsidebar input {
++    border: 1px solid #98dbcc;
++    font-family: sans-serif;
++    font-size: 1em;
++}
++
++img {
++    border: 0;
++}
++
++/* -- search page ----------------------------------------------------------- */
++
++ul.search {
++    margin: 10px 0 0 20px;
++    padding: 0;
++}
++
++ul.search li {
++    padding: 5px 0 5px 20px;
++    background-image: url(file.png);
++    background-repeat: no-repeat;
++    background-position: 0 7px;
++}
++
++ul.search li a {
++    font-weight: bold;
++}
++
++ul.search li div.context {
++    color: #888;
++    margin: 2px 0 0 30px;
++    text-align: left;
++}
++
++ul.keywordmatches li.goodmatch a {
++    font-weight: bold;
++}
++
++/* -- index page ------------------------------------------------------------ */
++
++table.contentstable {
++    width: 90%;
++}
++
++table.contentstable p.biglink {
++    line-height: 150%;
++}
++
++a.biglink {
++    font-size: 1.3em;
++}
++
++span.linkdescr {
++    font-style: italic;
++    padding-top: 5px;
++    font-size: 90%;
++}
++
++/* -- general index --------------------------------------------------------- */
++
++table.indextable td {
++    text-align: left;
++    vertical-align: top;
++}
++
++table.indextable dl, table.indextable dd {
++    margin-top: 0;
++    margin-bottom: 0;
++}
++
++table.indextable tr.pcap {
++    height: 10px;
++}
++
++table.indextable tr.cap {
++    margin-top: 10px;
++    background-color: #f2f2f2;
++}
++
++img.toggler {
++    margin-right: 3px;
++    margin-top: 3px;
++    cursor: pointer;
++}
++
++/* -- general body styles --------------------------------------------------- */
++
++a.headerlink {
++    visibility: hidden;
++}
++
++h1:hover > a.headerlink,
++h2:hover > a.headerlink,
++h3:hover > a.headerlink,
++h4:hover > a.headerlink,
++h5:hover > a.headerlink,
++h6:hover > a.headerlink,
++dt:hover > a.headerlink {
++    visibility: visible;
++}
++
++div.body p.caption {
++    text-align: inherit;
++}
++
++div.body td {
++    text-align: left;
++}
++
++.field-list ul {
++    padding-left: 1em;
++}
++
++.first {
++}
++
++p.rubric {
++    margin-top: 30px;
++    font-weight: bold;
++}
++
++/* -- sidebars -------------------------------------------------------------- */
++
++div.sidebar {
++    margin: 0 0 0.5em 1em;
++    border: 1px solid #ddb;
++    padding: 7px 7px 0 7px;
++    background-color: #ffe;
++    width: 40%;
++    float: right;
++}
++
++p.sidebar-title {
++    font-weight: bold;
++}
++
++/* -- topics ---------------------------------------------------------------- */
++
++div.topic {
++    border: 1px solid #ccc;
++    padding: 7px 7px 0 7px;
++    margin: 10px 0 10px 0;
++}
++
++p.topic-title {
++    font-size: 1.1em;
++    font-weight: bold;
++    margin-top: 10px;
++}
++
++/* -- admonitions ----------------------------------------------------------- */
++
++div.admonition {
++    margin-top: 10px;
++    margin-bottom: 10px;
++    padding: 7px;
++}
++
++div.admonition dt {
++    font-weight: bold;
++}
++
++div.admonition dl {
++    margin-bottom: 0;
++}
++
++p.admonition-title {
++    margin: 0px 10px 5px 0px;
++    font-weight: bold;
++}
++
++div.body p.centered {
++    text-align: center;
++    margin-top: 25px;
++}
++
++/* -- tables ---------------------------------------------------------------- */
++
++table.docutils {
++    border: 0;
++    border-collapse: collapse;
++}
++
++table.docutils td, table.docutils th {
++    padding: 1px 8px 1px 0;
++    border-top: 0;
++    border-left: 0;
++    border-right: 0;
++    border-bottom: 1px solid #aaa;
++}
++
++table.field-list td, table.field-list th {
++    border: 0 !important;
++}
++
++table.footnote td, table.footnote th {
++    border: 0 !important;
++}
++
++th {
++    text-align: left;
++    padding-right: 5px;
++}
++
++/* -- other body styles ----------------------------------------------------- */
++
++dl {
++    margin-bottom: 15px;
++}
++
++dd p {
++    margin-top: 0px;
++}
++
++dd ul, dd table {
++    margin-bottom: 10px;
++}
++
++dd {
++    margin-top: 3px;
++    margin-bottom: 10px;
++    margin-left: 30px;
++}
++
++dt:target, .highlight {
++    background-color: #fbe54e;
++}
++
++dl.glossary dt {
++    font-weight: bold;
++    font-size: 1.1em;
++}
++
++.field-list ul {
++    margin: 0;
++    padding-left: 1em;
++}
++
++.field-list p {
++    margin: 0;
++}
++
++.refcount {
++    color: #060;
++}
++
++.optional {
++    font-size: 1.3em;
++}
++
++.versionmodified {
++    font-style: italic;
++}
++
++.system-message {
++    background-color: #fda;
++    padding: 5px;
++    border: 3px solid red;
++}
++
++.footnote:target  {
++    background-color: #ffa
++}
++
++.line-block {
++    display: block;
++    margin-top: 1em;
++    margin-bottom: 1em;
++}
++
++.line-block .line-block {
++    margin-top: 0;
++    margin-bottom: 0;
++    margin-left: 1.5em;
++}
++
++/* -- code displays --------------------------------------------------------- */
++
++pre {
++    overflow: auto;
++}
++
++td.linenos pre {
++    padding: 5px 0px;
++    border: 0;
++    background-color: transparent;
++    color: #aaa;
++}
++
++table.highlighttable {
++    margin-left: 0.5em;
++}
++
++table.highlighttable td {
++    padding: 0 0.5em 0 0.5em;
++}
++
++tt.descname {
++    background-color: transparent;
++    font-weight: bold;
++    font-size: 1.2em;
++}
++
++tt.descclassname {
++    background-color: transparent;
++}
++
++tt.xref, a tt {
++    background-color: transparent;
++    font-weight: bold;
++}
++
++h1 tt, h2 tt, h3 tt, h4 tt, h5 tt, h6 tt {
++    background-color: transparent;
++}
++
++/* -- math display ---------------------------------------------------------- */
++
++img.math {
++    vertical-align: middle;
++}
++
++div.body div.math p {
++    text-align: center;
++}
++
++span.eqno {
++    float: right;
++}
++
++/* -- printout stylesheet --------------------------------------------------- */
++
++@media print {
++    div.document,
++    div.documentwrapper,
++    div.bodywrapper {
++        margin: 0 !important;
++        width: 100%;
++    }
++
++    div.sphinxsidebar,
++    div.related,
++    div.footer,
++    #top-link {
++        display: none;
++    }
++}
 === added file 'doc/source/static/default.css'
 --- doc/source/static/default.css	1970-01-01 00:00:00 +0000
 +++ doc/source/static/default.css	2012-11-30 14:11:19 +0000
@@ -0,0 +1,230 @@
++/**
++ * Sphinx stylesheet -- default theme
++ * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
++ */
++
++@import url("basic.css");
++
++/* -- page layout ----------------------------------------------------------- */
++
++body {
++    font-family: sans-serif;
++    font-size: 100%;
++    background-color: #11303d;
++    color: #000;
++    margin: 0;
++    padding: 0;
++}
++
++div.document {
++    background-color: #1c4e63;
++}
++
++div.documentwrapper {
++    float: left;
++    width: 100%;
++}
++
++div.bodywrapper {
++    margin: 0 0 0 230px;
++}
++
++div.body {
++    background-color: #ffffff;
++    color: #000000;
++    padding: 0 20px 30px 20px;
++}
++
++div.footer {
++    color: #ffffff;
++    width: 100%;
++    padding: 9px 0 9px 0;
++    text-align: center;
++    font-size: 75%;
++}
++
++div.footer a {
++    color: #ffffff;
++    text-decoration: underline;
++}
++
++div.related {
++    background-color: #133f52;
++    line-height: 30px;
++    color: #ffffff;
++}
++
++div.related a {
++    color: #ffffff;
++}
++
++div.sphinxsidebar {
++}
++
++div.sphinxsidebar h3 {
++    font-family: 'Trebuchet MS', sans-serif;
++    color: #ffffff;
++    font-size: 1.4em;
++    font-weight: normal;
++    margin: 0;
++    padding: 0;
++}
++
++div.sphinxsidebar h3 a {
++    color: #ffffff;
++}
++
++div.sphinxsidebar h4 {
++    font-family: 'Trebuchet MS', sans-serif;
++    color: #ffffff;
++    font-size: 1.3em;
++    font-weight: normal;
++    margin: 5px 0 0 0;
++    padding: 0;
++}
++
++div.sphinxsidebar p {
++    color: #ffffff;
++}
++
++div.sphinxsidebar p.topless {
++    margin: 5px 10px 10px 10px;
++}
++
++div.sphinxsidebar ul {
++    margin: 10px;
++    padding: 0;
++    color: #ffffff;
++}
++
++div.sphinxsidebar a {
++    color: #98dbcc;
++}
++
++div.sphinxsidebar input {
++    border: 1px solid #98dbcc;
++    font-family: sans-serif;
++    font-size: 1em;
++}
++
++/* -- body styles ----------------------------------------------------------- */
++
++a {
++    color: #355f7c;
++    text-decoration: none;
++}
++
++a:hover {
++    text-decoration: underline;
++}
++
++div.body p, div.body dd, div.body li {
++    text-align: left;
++    line-height: 130%;
++}
++
++div.body h1,
++div.body h2,
++div.body h3,
++div.body h4,
++div.body h5,
++div.body h6 {
++    font-family: 'Trebuchet MS', sans-serif;
++    background-color: #f2f2f2;
++    font-weight: normal;
++    color: #20435c;
++    border-bottom: 1px solid #ccc;
++    margin: 20px -20px 10px -20px;
++    padding: 3px 0 3px 10px;
++}
++
++div.body h1 { margin-top: 0; font-size: 200%; }
++div.body h2 { font-size: 160%; }
++div.body h3 { font-size: 140%; }
++div.body h4 { font-size: 120%; }
++div.body h5 { font-size: 110%; }
++div.body h6 { font-size: 100%; }
++
++a.headerlink {
++    color: #c60f0f;
++    font-size: 0.8em;
++    padding: 0 4px 0 4px;
++    text-decoration: none;
++}
++
++a.headerlink:hover {
++    background-color: #c60f0f;
++    color: white;
++}
++
++div.body p, div.body dd, div.body li {
++    text-align: left;
++    line-height: 130%;
++}
++
++div.admonition p.admonition-title + p {
++    display: inline;
++}
++
++div.admonition p {
++    margin-bottom: 5px;
++}
++
++div.admonition pre {
++    margin-bottom: 5px;
++}
++
++div.admonition ul, div.admonition ol {
++    margin-bottom: 5px;
++}
++
++div.note {
++    background-color: #eee;
++    border: 1px solid #ccc;
++}
++
++div.seealso {
++    background-color: #ffc;
++    border: 1px solid #ff6;
++}
++
++div.topic {
++    background-color: #eee;
++}
++
++div.warning {
++    background-color: #ffe4e4;
++    border: 1px solid #f66;
++}
++
++p.admonition-title {
++    display: inline;
++}
++
++p.admonition-title:after {
++    content: ":";
++}
++
++pre {
++    padding: 5px;
++    background-color: #eeffcc;
++    color: #333333;
++    line-height: 120%;
++    border: 1px solid #ac9;
++    border-left: none;
++    border-right: none;
++}
++
++tt {
++    background-color: #ecf0f3;
++    padding: 0 1px 0 1px;
++    font-size: 0.95em;
++}
++
++.warning tt {
++    background: #efc2c2;
++}
++
++.note tt {
++    background: #d6d6d6;
++}
 === added file 'doc/source/static/header-line.gif'
 Binary files doc/source/static/header-line.gif	1970-01-01 00:00:00 +0000 and doc/source/static/header-line.gif	2012-11-30 14:11:19 +0000 differ
 === added file 'doc/source/static/header_bg.jpg'
 Binary files doc/source/static/header_bg.jpg	1970-01-01 00:00:00 +0000 and doc/source/static/header_bg.jpg	2012-11-30 14:11:19 +0000 differ
 === added file 'doc/source/static/jquery.tweet.js'
 --- doc/source/static/jquery.tweet.js	1970-01-01 00:00:00 +0000
 +++ doc/source/static/jquery.tweet.js	2012-11-30 14:11:19 +0000
@@ -0,0 +1,154 @@
++(function($) {
++
++  $.fn.tweet = function(o){
++    var s = {
++      username: ["seaofclouds"],              // [string]   required, unless you want to display our tweets. :) it can be an array, just do ["username1","username2","etc"]
++      list: null,                              //[string]   optional name of list belonging to username
++      avatar_size: null,                      // [integer]  height and width of avatar if displayed (48px max)
++      count: 3,                               // [integer]  how many tweets to display?
++      intro_text: null,                       // [string]   do you want text BEFORE your your tweets?
++      outro_text: null,                       // [string]   do you want text AFTER your tweets?
++      join_text:  null,                       // [string]   optional text in between date and tweet, try setting to "auto"
++      auto_join_text_default: "i said,",      // [string]   auto text for non verb: "i said" bullocks
++      auto_join_text_ed: "i",                 // [string]   auto text for past tense: "i" surfed
++      auto_join_text_ing: "i am",             // [string]   auto tense for present tense: "i was" surfing
++      auto_join_text_reply: "i replied to",   // [string]   auto tense for replies: "i replied to" @someone "with"
++      auto_join_text_url: "i was looking at", // [string]   auto tense for urls: "i was looking at" http:...
++      loading_text: null,                     // [string]   optional loading text, displayed while tweets load
++      query: null                             // [string]   optional search query
++    };
++
++    if(o) $.extend(s, o);
++
++    $.fn.extend({
++      linkUrl: function() {
++        var returning = [];
++        var regexp = /((ftp|http|https):\/\/(\w+:{0,1}\w*@)?(\S+)(:[0-9]+)?(\/|\/([\w#!:.?+=&%@!\-\/]))?)/gi;
++        this.each(function() {
++          returning.push(this.replace(regexp,"<a href=\"$1\">$1</a>"));
++        });
++        return $(returning);
++      },
++      linkUser: function() {
++        var returning = [];
++        var regexp = /[\@]+([A-Za-z0-9-_]+)/gi;
++        this.each(function() {
++          returning.push(this.replace(regexp,"<a href=\"http://twitter.com/$1\">@$1</a>"));
++        });
++        return $(returning);
++      },
++      linkHash: function() {
++        var returning = [];
++        var regexp = / [\#]+([A-Za-z0-9-_]+)/gi;
++        this.each(function() {
++          returning.push(this.replace(regexp, ' <a href="http://search.twitter.com/search?q=&tag=$1&lang=all&from='+s.username.join("%2BOR%2B")+'">#$1</a>'));
++        });
++        return $(returning);
++      },
++      capAwesome: function() {
++        var returning = [];
++        this.each(function() {
++          returning.push(this.replace(/\b(awesome)\b/gi, '<span class="awesome">$1</span>'));
++        });
++        return $(returning);
++      },
++      capEpic: function() {
++        var returning = [];
++        this.each(function() {
++          returning.push(this.replace(/\b(epic)\b/gi, '<span class="epic">$1</span>'));
++        });
++        return $(returning);
++      },
++      makeHeart: function() {
++        var returning = [];
++        this.each(function() {
++          returning.push(this.replace(/(&lt;)+[3]/gi, "<tt class='heart'>&#x2665;</tt>"));
++        });
++        return $(returning);
++      }
++    });
++
++    function relative_time(time_value) {
++      var parsed_date = Date.parse(time_value);
++      var relative_to = (arguments.length > 1) ? arguments[1] : new Date();
++      var delta = parseInt((relative_to.getTime() - parsed_date) / 1000);
++      var pluralize = function (singular, n) {
++        return '' + n + ' ' + singular + (n == 1 ? '' : 's');
++      };
++      if(delta < 60) {
++      return 'less than a minute ago';
++      } else if(delta < (45*60)) {
++      return 'about ' + pluralize("minute", parseInt(delta / 60)) + ' ago';
++      } else if(delta < (24*60*60)) {
++      return 'about ' + pluralize("hour", parseInt(delta / 3600)) + ' ago';
++      } else {
++      return 'about ' + pluralize("day", parseInt(delta / 86400)) + ' ago';
++      }
++    }
++
++    function build_url() {
++      var proto = ('https:' == document.location.protocol ? 'https:' : 'http:');
++      if (s.list) {
++        return proto+"//api.twitter.com/1/"+s.username[0]+"/lists/"+s.list+"/statuses.json?per_page="+s.count+"&callback=?";
++      } else if (s.query == null && s.username.length == 1) {
++        return proto+'//twitter.com/status/user_timeline/'+s.username[0]+'.json?count='+s.count+'&callback=?';
++      } else {
++        var query = (s.query || 'from:'+s.username.join('%20OR%20from:'));
++        return proto+'//search.twitter.com/search.json?&q='+query+'&rpp='+s.count+'&callback=?';
++      }
++    }
++
++    return this.each(function(){
++      var list = $('<ul class="tweet_list">').appendTo(this);
++      var intro = '<p class="tweet_intro">'+s.intro_text+'</p>';
++      var outro = '<p class="tweet_outro">'+s.outro_text+'</p>';
++      var loading = $('<p class="loading">'+s.loading_text+'</p>');
++
++      if(typeof(s.username) == "string"){
++        s.username = [s.username];
++      }
++
++      if (s.loading_text) $(this).append(loading);
++      $.getJSON(build_url(), function(data){
++        if (s.loading_text) loading.remove();
++        if (s.intro_text) list.before(intro);
++        $.each((data.results || data), function(i,item){
++          // auto join text based on verb tense and content
++          if (s.join_text == "auto") {
++            if (item.text.match(/^(@([A-Za-z0-9-_]+)) .*/i)) {
++              var join_text = s.auto_join_text_reply;
++            } else if (item.text.match(/(^\w+:\/\/[A-Za-z0-9-_]+\.[A-Za-z0-9-_:%&\?\/.=]+) .*/i)) {
++              var join_text = s.auto_join_text_url;
++            } else if (item.text.match(/^((\w+ed)|just) .*/im)) {
++              var join_text = s.auto_join_text_ed;
++            } else if (item.text.match(/^(\w*ing) .*/i)) {
++              var join_text = s.auto_join_text_ing;
++            } else {
++              var join_text = s.auto_join_text_default;
++            }
++          } else {
++            var join_text = s.join_text;
++          };
++
++          var from_user = item.from_user || item.user.screen_name;
++          var profile_image_url = item.profile_image_url || item.user.profile_image_url;
++          var join_template = '<span class="tweet_join"> '+join_text+' </span>';
++          var join = ((s.join_text) ? join_template : ' ');
++          var avatar_template = '<a class="tweet_avatar" href="http://twitter.com/'+from_user+'"><img src="'+profile_image_url+'" height="'+s.avatar_size+'" width="'+s.avatar_size+'" alt="'+from_user+'\'s avatar" title="'+from_user+'\'s avatar" border="0"/></a>';
++          var avatar = (s.avatar_size ? avatar_template : '');
++          var date = '<a href="http://twitter.com/'+from_user+'/statuses/'+item.id+'" title="view tweet on twitter">'+relative_time(item.created_at)+'</a>';
++          var text = '<span class="tweet_text">' +$([item.text]).linkUrl().linkUser().linkHash().makeHeart().capAwesome().capEpic()[0]+ '</span>';
++
++          // until we create a template option, arrange the items below to alter a tweet's display.
++          list.append('<li>' + avatar + date + join + text + '</li>');
++
++          list.children('li:first').addClass('tweet_first');
++          list.children('li:odd').addClass('tweet_even');
++          list.children('li:even').addClass('tweet_odd');
++        });
++        if (s.outro_text) list.after(outro);
++      });
++
++    });
++  };
++})(jQuery);
 \ No newline at end of file
 === added file 'doc/source/static/nature.css'
 --- doc/source/static/nature.css	1970-01-01 00:00:00 +0000
 +++ doc/source/static/nature.css	2012-11-30 14:11:19 +0000
@@ -0,0 +1,245 @@
++/*
++ * nature.css_t
++ * ~~~~~~~~~~~~
++ *
++ * Sphinx stylesheet -- nature theme.
++ *
++ * :copyright: Copyright 2007-2011 by the Sphinx team, see AUTHORS.
++ * :license: BSD, see LICENSE for details.
++ *
++ */
++
++@import url("basic.css");
++
++/* -- page layout ----------------------------------------------------------- */
++
++body {
++    font-family: Arial, sans-serif;
++    font-size: 100%;
++    background-color: #111;
++    color: #555;
++    margin: 0;
++    padding: 0;
++}
++
++div.documentwrapper {
++    float: left;
++    width: 100%;
++}
++
++div.bodywrapper {
++    margin: 0 0 0 {{ theme_sidebarwidth|toint }}px;
++}
++
++hr {
++    border: 1px solid #B1B4B6;
++}
++
++div.document {
++    background-color: #eee;
++}
++
++div.body {
++    background-color: #ffffff;
++    color: #3E4349;
++    padding: 0 30px 30px 30px;
++    font-size: 0.9em;
++}
++
++div.footer {
++    color: #555;
++    width: 100%;
++    padding: 13px 0;
++    text-align: center;
++    font-size: 75%;
++}
++
++div.footer a {
++    color: #444;
++    text-decoration: underline;
++}
++
++div.related {
++    background-color: #6BA81E;
++    line-height: 32px;
++    color: #fff;
++    text-shadow: 0px 1px 0 #444;
++    font-size: 0.9em;
++}
++
++div.related a {
++    color: #E2F3CC;
++}
++
++div.sphinxsidebar {
++    font-size: 0.75em;
++    line-height: 1.5em;
++}
++
++div.sphinxsidebarwrapper{
++    padding: 20px 0;
++}
++
++div.sphinxsidebar h3,
++div.sphinxsidebar h4 {
++    font-family: Arial, sans-serif;
++    color: #222;
++    font-size: 1.2em;
++    font-weight: normal;
++    margin: 0;
++    padding: 5px 10px;
++    background-color: #ddd;
++    text-shadow: 1px 1px 0 white
++}
++
++div.sphinxsidebar h4{
++    font-size: 1.1em;
++}
++
++div.sphinxsidebar h3 a {
++    color: #444;
++}
++
++
++div.sphinxsidebar p {
++    color: #888;
++    padding: 5px 20px;
++}
++
++div.sphinxsidebar p.topless {
++}
++
++div.sphinxsidebar ul {
++    margin: 10px 20px;
++    padding: 0;
++    color: #000;
++}
++
++div.sphinxsidebar a {
++    color: #444;
++}
++
++div.sphinxsidebar input {
++    border: 1px solid #ccc;
++    font-family: sans-serif;
++    font-size: 1em;
++}
++
++div.sphinxsidebar input[type=text]{
++    margin-left: 20px;
++}
++
++/* -- body styles ----------------------------------------------------------- */
++
++a {
++    color: #005B81;
++    text-decoration: none;
++}
++
++a:hover {
++    color: #E32E00;
++    text-decoration: underline;
++}
++
++div.body h1,
++div.body h2,
++div.body h3,
++div.body h4,
++div.body h5,
++div.body h6 {
++    font-family: Arial, sans-serif;
++    background-color: #BED4EB;
++    font-weight: normal;
++    color: #212224;
++    margin: 30px 0px 10px 0px;
++    padding: 5px 0 5px 10px;
++    text-shadow: 0px 1px 0 white
++}
++
++div.body h1 { border-top: 20px solid white; margin-top: 0; font-size: 200%; }
++div.body h2 { font-size: 150%; background-color: #C8D5E3; }
++div.body h3 { font-size: 120%; background-color: #D8DEE3; }
++div.body h4 { font-size: 110%; background-color: #D8DEE3; }
++div.body h5 { font-size: 100%; background-color: #D8DEE3; }
++div.body h6 { font-size: 100%; background-color: #D8DEE3; }
++
++a.headerlink {
++    color: #c60f0f;
++    font-size: 0.8em;
++    padding: 0 4px 0 4px;
++    text-decoration: none;
++}
++
++a.headerlink:hover {
++    background-color: #c60f0f;
++    color: white;
++}
++
++div.body p, div.body dd, div.body li {
++    line-height: 1.5em;
++}
++
++div.admonition p.admonition-title + p {
++    display: inline;
++}
++
++div.highlight{
++    background-color: white;
++}
++
++div.note {
++    background-color: #eee;
++    border: 1px solid #ccc;
++}
++
++div.seealso {
++    background-color: #ffc;
++    border: 1px solid #ff6;
++}
++
++div.topic {
++    background-color: #eee;
++}
++
++div.warning {
++    background-color: #ffe4e4;
++    border: 1px solid #f66;
++}
++
++p.admonition-title {
++    display: inline;
++}
++
++p.admonition-title:after {
++    content: ":";
++}
++
++pre {
++    padding: 10px;
++    background-color: White;
++    color: #222;
++    line-height: 1.2em;
++    border: 1px solid #C6C9CB;
++    font-size: 1.1em;
++    margin: 1.5em 0 1.5em 0;
++    -webkit-box-shadow: 1px 1px 1px #d8d8d8;
++    -moz-box-shadow: 1px 1px 1px #d8d8d8;
++}
++
++tt {
++    background-color: #ecf0f3;
++    color: #222;
++    /* padding: 1px 2px; */
++    font-size: 1.1em;
++    font-family: monospace;
++}
++
++.viewcode-back {
++    font-family: Arial, sans-serif;
++}
++
++div.viewcode-block:target {
++    background-color: #f4debf;
++    border-top: 1px solid #ac9;
++    border-bottom: 1px solid #ac9;
++}
 === added file 'doc/source/static/openstack_logo.png'
 Binary files doc/source/static/openstack_logo.png	1970-01-01 00:00:00 +0000 and doc/source/static/openstack_logo.png	2012-11-30 14:11:19 +0000 differ
 === added file 'doc/source/static/tweaks.css'
 --- doc/source/static/tweaks.css	1970-01-01 00:00:00 +0000
 +++ doc/source/static/tweaks.css	2012-11-30 14:11:19 +0000
@@ -0,0 +1,94 @@
++body {
++  background: #fff url(../_static/header_bg.jpg) top left no-repeat;
++}
++
++#header {
++  width: 950px;
++  margin: 0 auto;
++  height: 102px;
++}
++
++#header h1#logo {
++  background: url(../_static/openstack_logo.png) top left no-repeat;
++  display: block;
++  float: left;
++  text-indent: -9999px;
++  width: 175px;
++  height: 55px;
++}
++
++#navigation {
++  background: url(../_static/header-line.gif) repeat-x 0 bottom;
++  display: block;
++  float: left;
++  margin: 27px 0 0 25px;
++  padding: 0;
++}
++
++#navigation li{
++  float: left;
++  display: block;
++  margin-right: 25px;
++}
++
++#navigation li a {
++  display: block;
++  font-weight: normal;
++  text-decoration: none;
++  background-position: 50% 0;
++  padding: 20px 0 5px;
++  color: #353535;
++  font-size: 14px;
++}
++
++#navigation li a.current, #navigation li a.section {
++  border-bottom: 3px solid #cf2f19;
++  color: #cf2f19;
++}
++
++div.related {
++  background-color: #cde2f8;
++  border: 1px solid #b0d3f8;
++}
++
++div.related a {
++  color: #4078ba;
++  text-shadow: none;
++}
++
++div.sphinxsidebarwrapper {
++  padding-top: 0;
++}
++
++pre {
++  color: #555;
++}
++
++div.documentwrapper h1, div.documentwrapper h2, div.documentwrapper h3, div.documentwrapper h4, div.documentwrapper h5, div.documentwrapper h6 {
++  font-family: 'PT Sans', sans-serif !important;
++  color: #264D69;
++  border-bottom: 1px dotted #C5E2EA;
++  padding: 0;
++  background: none;
++  padding-bottom: 5px;
++}
++
++div.documentwrapper h3 {
++  color: #CF2F19;
++}
++
++a.headerlink {
++  color: #fff !important;
++  margin-left: 5px;
++  background: #CF2F19 !important;
++}
++
++div.body {
++  margin-top: -25px;
++  margin-left: 230px;
++}
++
++div.document {
++  width: 960px;
++  margin: 0 auto;
++}
 \ No newline at end of file
 === modified file 'doc/source/using-api.rst'
 --- doc/source/using-api.rst	2012-06-22 12:58:18 +0000
 +++ doc/source/using-api.rst	2012-11-30 14:11:19 +0000
@@ -4,7 +4,8 @@
  Introduction
  ============
--The main concepts in the Keystone API are:
++
++The main concepts in the Identity API are:
   * tenants
   * users
@@ -12,12 +13,13 @@
   * services
   * endpoints
--The Keystone API lets you query and make changes through managers. For example,
--to maipulate tenants, you interact with a
--``keystoneclient.v2_0.tenants.TenantManger`` object.
++The Identity API lets you query and make changes through managers. For example,
++to manipulate tenants, you interact with a
++``keystoneclient.v2_0.tenants.TenantManager`` object.
--You obtain access to managers through via atributes of the ``keystoneclient.v2_0.client.Client`` object. For example, the ``tenants`` attribute of the ``Client``
--class is a tenant manager::
++You obtain access to managers through via attributes of the
++``keystoneclient.v2_0.client.Client`` object. For example, the ``tenants``
++attribute of the ``Client`` class is a tenant manager::
      >>> from keystoneclient.v2_0 import client
      >>> keystone = client.Client(...)
@@ -36,8 +38,8 @@
  If you are an administrator, you can authenticate by connecting to the admin
  endpoint and using the admin token (sometimes referred to as the service
--token). The token is specified as the ``admin_token`` configuration option in your
--keystone.conf config file, which is typically in /etc/keystone::
++token). The token is specified as the ``admin_token`` configuration option in
++your keystone.conf config file, which is typically in /etc/keystone::
      >>> from keystoneclient.v2_0 import client
      >>> token = '012345SECRET99TOKEN012345'
@@ -54,7 +56,7 @@
      >>> tenant_name='openstackDemo'
      >>> auth_url='http://192.168.206.130:5000/v2.0'
      >>> keystone = client.Client(username=username, password=password,
--    ...                         tenant_name, auth_url=auth_url)
++    ...                          tenant_name=tenant_name, auth_url=auth_url)
  Creating tenants
  ================
@@ -77,8 +79,9 @@
      >>> keystone = client.Client(...)
      >>> tenants = keystone.tenants.list()
      >>> my_tenant = [x for x in tenants if x.name=='openstackDemo'][0]
--    >>> my_user = keystone.users.create(name="adminUser", password="secretword",
--    ...                                                   tenant_id=my_tenant.id)
++    >>> my_user = keystone.users.create(name="adminUser",
++    ...                                 password="secretword",
++    ...                                 tenant_id=my_tenant.id)
  Creating roles and adding users
  ===============================
@@ -103,7 +106,8 @@
      >>> keystone = client.Client(...)
      >>> service = keystone.services.create(name="nova", service_type="compute",
      ...                                    description="Nova Compute Service")
--    >>> keystone.endpoints.create(region="RegionOne", service_id=service.id,
--    ...            publicurl="http://192.168.206.130:8774/v2/%(tenant_id)s",
--    ...            adminurl="http://192.168.206.130:8774/v2/%(tenant_id)s",
--    ...            internalurl="http://192.168.206.130:8774/v2/%(tenant_id)s")
++    >>> keystone.endpoints.create(
++    ...     region="RegionOne", service_id=service.id,
++    ...     publicurl="http://192.168.206.130:8774/v2/%(tenant_id)s",
++    ...     adminurl="http://192.168.206.130:8774/v2/%(tenant_id)s",
++    ...     internalurl="http://192.168.206.130:8774/v2/%(tenant_id)s")
 === added directory 'examples'
 === added directory 'examples/pki'
 === added directory 'examples/pki/certs'
 === added file 'examples/pki/certs/cacert.pem'
 --- examples/pki/certs/cacert.pem	1970-01-01 00:00:00 +0000
 +++ examples/pki/certs/cacert.pem	2012-11-30 14:11:19 +0000
@@ -0,0 +1,18 @@
++-----BEGIN CERTIFICATE-----
++MIIC0TCCAjqgAwIBAgIJAP2TNFqmE1KUMA0GCSqGSIb3DQEBBQUAMIGeMQowCAYD
++VQQFEwE1MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVN1bm55
++dmFsZTESMBAGA1UEChMJT3BlblN0YWNrMREwDwYDVQQLEwhLZXlzdG9uZTElMCMG
++CSqGSIb3DQEJARYWa2V5c3RvbmVAb3BlbnN0YWNrLm9yZzEUMBIGA1UEAxMLU2Vs
++ZiBTaWduZWQwIBcNMTIxMTExMTA1NDA2WhgPMjA3MTA1MDYxMDU0MDZaMIGeMQow
++CAYDVQQFEwE1MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVN1
++bm55dmFsZTESMBAGA1UEChMJT3BlblN0YWNrMREwDwYDVQQLEwhLZXlzdG9uZTEl
++MCMGCSqGSIb3DQEJARYWa2V5c3RvbmVAb3BlbnN0YWNrLm9yZzEUMBIGA1UEAxML
++U2VsZiBTaWduZWQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMXgnd5wlHAp
++GxZ58LrpEkHU995lT9PxtMgkp0tpFhg7R5HQw9K7TfQk5NHB28hNzf8UE/c0z2pJ
++XggPnAzvdx27NQeJGX5CWsi6fITZ8vH/+SxgfxxC+CE/6BkDpzw21MgBtq11vWL7
++XVaxNeU12Ax889U66i3CrObuCYt2mbpzAgMBAAGjEzARMA8GA1UdEwEB/wQFMAMB
++Af8wDQYJKoZIhvcNAQEFBQADgYEAkFIbnr2/0/XWp+f80Gl6GAC7tdmZFlT9udVF
++q794rXyMlYY64pq34SzfQAn+4DztT4B9yzrTx03tLNr6Uf+5TS+ubcwG41UBBMs/
++Icf9zBMRqr+IXhijS49gQ7dPjqNTCqX+6ILbRWjdXP15ZWymI3ayQL/CMwFt/E+0
++kT6MLes=
++-----END CERTIFICATE-----
 === added file 'examples/pki/certs/middleware.pem'
 --- examples/pki/certs/middleware.pem	1970-01-01 00:00:00 +0000
 +++ examples/pki/certs/middleware.pem	2012-11-30 14:11:19 +0000
@@ -0,0 +1,33 @@
++-----BEGIN CERTIFICATE-----
++MIICoTCCAgoCARAwDQYJKoZIhvcNAQEFBQAwgZ4xCjAIBgNVBAUTATUxCzAJBgNV
++BAYTAlVTMQswCQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQK
++EwlPcGVuU3RhY2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZr
++ZXlzdG9uZUBvcGVuc3RhY2sub3JnMRQwEgYDVQQDEwtTZWxmIFNpZ25lZDAgFw0x
++MjExMTExMDU0MDZaGA8yMDcxMDUwNjEwNTQwNlowgZAxCzAJBgNVBAYTAlVTMQsw
++CQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQKEwlPcGVuU3Rh
++Y2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZrZXlzdG9uZUBv
++cGVuc3RhY2sub3JnMRIwEAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEB
++BQADgY0AMIGJAoGBALVu4bjaOH33yAx0WdpEqj4UDVsLxVjWxEpIbOlDlc6IfJd+
++cUriQtxf6ahjxtzLPERS81SnwZmrICWZngbOn733pULMTZktTJH+o7C74NdKwUSN
++xjlCeWUy+FqIQoje4ygoJRPpMdkp1wHNO0ZERwRN9e8M5TIlx/LRtk+q8bT5AgMB
++AAEwDQYJKoZIhvcNAQEFBQADgYEAcp9ancue9Oq+MkaPucCrIqFhiUsdUThulJlB
++etPpUDGgStBSHgze/oxG2+flIjRoI6gG9Chfw//vWHOwDT7N32AHSgaI4b8/k/+s
++hAV2khYkV4PW2oS1TfeU/vxQzXbgApqhLBNqfFmJVW48aGAr/aqsJi3MYWN3269+
++6vChaVw=
++-----END CERTIFICATE-----
++-----BEGIN PRIVATE KEY-----
++MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALVu4bjaOH33yAx0
++WdpEqj4UDVsLxVjWxEpIbOlDlc6IfJd+cUriQtxf6ahjxtzLPERS81SnwZmrICWZ
++ngbOn733pULMTZktTJH+o7C74NdKwUSNxjlCeWUy+FqIQoje4ygoJRPpMdkp1wHN
++O0ZERwRN9e8M5TIlx/LRtk+q8bT5AgMBAAECgYAmwq6EYFJrTvE0//JmN/8qzfvg
++dI5PoWpD+F8UInUxr2T2tHOdrOLd07vGVrKYXu7cJeCIOGKa4r02azAggioL/nE9
++FgPpqEC+QROvLuhFsk1gLZ2pGQ06sveKZVMH22h59BKZkYlhjh5qd4vlmhPqkmPp
++gdXj7ZjDCJhhQdFVkQJBANp18k2mVksn8q29LMieVTSIZNN3ucDA1QHbim+3fp/O
++GxCzU7Mv1Xfnu1zoRFu5/sF3YG0Zy3TGPDrEljBC3rUCQQDUnBjVFXL35OkBZqXW
++taJPzGbsPoqAO+Ls2juS97zNzeGxUNhvcKuEvHO63PXqDxp1535DpvJEBN1rT2FF
++iaO1AkEAt/QTWWFUTqrPxY6DNFdm5fpn9E1fg7icZJkKBDJeFJCH59MpCryfovzl
++n0ERtq9ynlQ4RQYwdR8rvkylLvRP9QJAOiXHFOAc5XeR0nREfwiGL9TzgUFJl/DJ
++C4ZULMnctVzNkTVPPItQHal87WppR26CCiUZ/161e6zo8eRv8hjG0QJABWqfYQuK
++dWH8nxlXS+NFUDbsCdL+XpOVE7iEH7hvSw/A/kz40mLx8sDp/Fz1ysrogR/L+NGC
++Vrlwm4q/WYJO0Q==
++-----END PRIVATE KEY-----
 === added file 'examples/pki/certs/signing_cert.pem'
 --- examples/pki/certs/signing_cert.pem	1970-01-01 00:00:00 +0000
 +++ examples/pki/certs/signing_cert.pem	2012-11-30 14:11:19 +0000
@@ -0,0 +1,17 @@
++-----BEGIN CERTIFICATE-----
++MIICoDCCAgkCAREwDQYJKoZIhvcNAQEFBQAwgZ4xCjAIBgNVBAUTATUxCzAJBgNV
++BAYTAlVTMQswCQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQK
++EwlPcGVuU3RhY2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZr
++ZXlzdG9uZUBvcGVuc3RhY2sub3JnMRQwEgYDVQQDEwtTZWxmIFNpZ25lZDAgFw0x
++MjExMTExMDU0MDZaGA8yMDcxMDUwNjEwNTQwNlowgY8xCzAJBgNVBAYTAlVTMQsw
++CQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQKEwlPcGVuU3Rh
++Y2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZrZXlzdG9uZUBv
++cGVuc3RhY2sub3JnMREwDwYDVQQDEwhLZXlzdG9uZTCBnzANBgkqhkiG9w0BAQEF
++AAOBjQAwgYkCgYEAuoQC6IBqMxC5845c/ZkLsdcQbTHqIpYJHEkwEoxyeEjwiGFf
++iZmiZ91pSFNc9MfjdJnN+be/ndVS19w1nrrJvV/udVsf6JZWkTPX5HyxnllwznCH
++pP7gfvMZzGsqzWlSdiD6mcRbCYRX9hCCauG3jhCtISINCVYMYQGH6QSib9sCAwEA
++ATANBgkqhkiG9w0BAQUFAAOBgQBCssELi+1RSjEmzeqSnpgUqmtpvB9oxbcwl+xH
++rIrYvqMU6pV2aSxgLDqpGjjusLHUau9Bmu3Myc/fm9/mlPUQHNj0AWl8vvfSlq1b
++vsWMUa1h4UFlPWoF2DIUFd+noBxe5CbcLUV6K0oyJAcPO433OyuGl5oQkhxmoy1J
++w59KRg==
++-----END CERTIFICATE-----
 === added file 'examples/pki/certs/ssl_cert.pem'
 --- examples/pki/certs/ssl_cert.pem	1970-01-01 00:00:00 +0000
 +++ examples/pki/certs/ssl_cert.pem	2012-11-30 14:11:19 +0000
@@ -0,0 +1,17 @@
++-----BEGIN CERTIFICATE-----
++MIICoTCCAgoCARAwDQYJKoZIhvcNAQEFBQAwgZ4xCjAIBgNVBAUTATUxCzAJBgNV
++BAYTAlVTMQswCQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQK
++EwlPcGVuU3RhY2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZr
++ZXlzdG9uZUBvcGVuc3RhY2sub3JnMRQwEgYDVQQDEwtTZWxmIFNpZ25lZDAgFw0x
++MjExMTExMDU0MDZaGA8yMDcxMDUwNjEwNTQwNlowgZAxCzAJBgNVBAYTAlVTMQsw
++CQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQKEwlPcGVuU3Rh
++Y2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZrZXlzdG9uZUBv
++cGVuc3RhY2sub3JnMRIwEAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEB
++BQADgY0AMIGJAoGBALVu4bjaOH33yAx0WdpEqj4UDVsLxVjWxEpIbOlDlc6IfJd+
++cUriQtxf6ahjxtzLPERS81SnwZmrICWZngbOn733pULMTZktTJH+o7C74NdKwUSN
++xjlCeWUy+FqIQoje4ygoJRPpMdkp1wHNO0ZERwRN9e8M5TIlx/LRtk+q8bT5AgMB
++AAEwDQYJKoZIhvcNAQEFBQADgYEAcp9ancue9Oq+MkaPucCrIqFhiUsdUThulJlB
++etPpUDGgStBSHgze/oxG2+flIjRoI6gG9Chfw//vWHOwDT7N32AHSgaI4b8/k/+s
++hAV2khYkV4PW2oS1TfeU/vxQzXbgApqhLBNqfFmJVW48aGAr/aqsJi3MYWN3269+
++6vChaVw=
++-----END CERTIFICATE-----
 === added directory 'examples/pki/cms'
 === added file 'examples/pki/cms/auth_token_revoked.json'
 --- examples/pki/cms/auth_token_revoked.json	1970-01-01 00:00:00 +0000
 +++ examples/pki/cms/auth_token_revoked.json	2012-11-30 14:11:19 +0000
@@ -0,0 +1,1 @@
++{"access": {"serviceCatalog": [{"endpoints": [{"adminURL": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a", "region": "regionOne", "internalURL": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a", "publicURL": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a"}], "endpoints_links": [], "type": "volume", "name": "volume"}, {"endpoints": [{"adminURL": "http://127.0.0.1:9292/v1", "region": "regionOne", "internalURL": "http://127.0.0.1:9292/v1", "publicURL": "http://127.0.0.1:9292/v1"}], "endpoints_links": [], "type": "image", "name": "glance"}, {"endpoints": [{"adminURL": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a", "region": "regionOne", "internalURL": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a", "publicURL": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a"}], "endpoints_links": [], "type": "compute", "name": "nova"}, {"endpoints": [{"adminURL": "http://127.0.0.1:35357/v2.0", "region": "RegionOne", "internalURL": "http://127.0.0.1:35357/v2.0", "publicURL": "http://127.0.0.1:5000/v2.0"}], "endpoints_links": [], "type": "identity", "name": "keystone"}],"token": {"expires": "2012-06-02T14:47:34Z", "id": "placeholder", "tenant": {"enabled": true, "description": null, "name": "tenant_name1", "id": "tenant_id1"}}, "user": {"username": "revoked_username1", "roles_links": ["role1","role2"], "id": "revoked_user_id1", "roles": [{"name": "role1"}, {"name": "role2"}], "name": "revoked_username1"}}}
 === added file 'examples/pki/cms/auth_token_revoked.pem'
 --- examples/pki/cms/auth_token_revoked.pem	1970-01-01 00:00:00 +0000
 +++ examples/pki/cms/auth_token_revoked.pem	2012-11-30 14:11:19 +0000
@@ -0,0 +1,42 @@
++-----BEGIN CMS-----
++MIIHVgYJKoZIhvcNAQcCoIIHRzCCB0MCAQExCTAHBgUrDgMCGjCCBeQGCSqGSIb3
++DQEHAaCCBdUEggXReyJhY2Nlc3MiOiB7InNlcnZpY2VDYXRhbG9nIjogW3siZW5k
++cG9pbnRzIjogW3siYWRtaW5VUkwiOiAiaHR0cDovLzEyNy4wLjAuMTo4Nzc2L3Yx
++LzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2MTdhIiwgInJlZ2lvbiI6ICJy
++ZWdpb25PbmUiLCAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzEyNy4wLjAuMTo4Nzc2
++L3YxLzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2MTdhIiwgInB1YmxpY1VS
++TCI6ICJodHRwOi8vMTI3LjAuMC4xOjg3NzYvdjEvNjRiNmYzZmJjYzUzNDM1ZThh
++NjBmY2Y4OWJiNjYxN2EifV0sICJlbmRwb2ludHNfbGlua3MiOiBbXSwgInR5cGUi
++OiAidm9sdW1lIiwgIm5hbWUiOiAidm9sdW1lIn0sIHsiZW5kcG9pbnRzIjogW3si
++YWRtaW5VUkwiOiAiaHR0cDovLzEyNy4wLjAuMTo5MjkyL3YxIiwgInJlZ2lvbiI6
++ICJyZWdpb25PbmUiLCAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzEyNy4wLjAuMTo5
++MjkyL3YxIiwgInB1YmxpY1VSTCI6ICJodHRwOi8vMTI3LjAuMC4xOjkyOTIvdjEi
++fV0sICJlbmRwb2ludHNfbGlua3MiOiBbXSwgInR5cGUiOiAiaW1hZ2UiLCAibmFt
++ZSI6ICJnbGFuY2UifSwgeyJlbmRwb2ludHMiOiBbeyJhZG1pblVSTCI6ICJodHRw
++Oi8vMTI3LjAuMC4xOjg3NzQvdjEuMS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZjZjg5
++YmI2NjE3YSIsICJyZWdpb24iOiAicmVnaW9uT25lIiwgImludGVybmFsVVJMIjog
++Imh0dHA6Ly8xMjcuMC4wLjE6ODc3NC92MS4xLzY0YjZmM2ZiY2M1MzQzNWU4YTYw
++ZmNmODliYjY2MTdhIiwgInB1YmxpY1VSTCI6ICJodHRwOi8vMTI3LjAuMC4xOjg3
++NzQvdjEuMS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZjZjg5YmI2NjE3YSJ9XSwgImVu
++ZHBvaW50c19saW5rcyI6IFtdLCAidHlwZSI6ICJjb21wdXRlIiwgIm5hbWUiOiAi
++bm92YSJ9LCB7ImVuZHBvaW50cyI6IFt7ImFkbWluVVJMIjogImh0dHA6Ly8xMjcu
++MC4wLjE6MzUzNTcvdjIuMCIsICJyZWdpb24iOiAiUmVnaW9uT25lIiwgImludGVy
++bmFsVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6MzUzNTcvdjIuMCIsICJwdWJsaWNV
++UkwiOiAiaHR0cDovLzEyNy4wLjAuMTo1MDAwL3YyLjAifV0sICJlbmRwb2ludHNf
++bGlua3MiOiBbXSwgInR5cGUiOiAiaWRlbnRpdHkiLCAibmFtZSI6ICJrZXlzdG9u
++ZSJ9XSwidG9rZW4iOiB7ImV4cGlyZXMiOiAiMjAxMi0wNi0wMlQxNDo0NzozNFoi
++LCAiaWQiOiAicGxhY2Vob2xkZXIiLCAidGVuYW50IjogeyJlbmFibGVkIjogdHJ1
++ZSwgImRlc2NyaXB0aW9uIjogbnVsbCwgIm5hbWUiOiAidGVuYW50X25hbWUxIiwg
++ImlkIjogInRlbmFudF9pZDEifX0sICJ1c2VyIjogeyJ1c2VybmFtZSI6ICJyZXZv
++a2VkX3VzZXJuYW1lMSIsICJyb2xlc19saW5rcyI6IFsicm9sZTEiLCJyb2xlMiJd
++LCAiaWQiOiAicmV2b2tlZF91c2VyX2lkMSIsICJyb2xlcyI6IFt7Im5hbWUiOiAi
++cm9sZTEifSwgeyJuYW1lIjogInJvbGUyIn1dLCAibmFtZSI6ICJyZXZva2VkX3Vz
++ZXJuYW1lMSJ9fX0NCjGCAUkwggFFAgEBMIGkMIGeMQowCAYDVQQFEwE1MQswCQYD
++VQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVN1bm55dmFsZTESMBAGA1UE
++ChMJT3BlblN0YWNrMREwDwYDVQQLEwhLZXlzdG9uZTElMCMGCSqGSIb3DQEJARYW
++a2V5c3RvbmVAb3BlbnN0YWNrLm9yZzEUMBIGA1UEAxMLU2VsZiBTaWduZWQCAREw
++BwYFKw4DAhowDQYJKoZIhvcNAQEBBQAEgYBhV5KrVjcdACPUNafkPY+lgCSlh6uc
++N55SATBcQmg1/argEUFg/cx2GcF7ftQV384iGepLEgsq+6om2wPw6DWA0RknpVLJ
++vMsHbWdGoXIZ5jRuAQTPtkXcJQOR677baDHvGJ+5zwBBDT2CmN2Tcv348+Xpjp7D
++hF/cmAXnYYo00g==
++-----END CMS-----
 === added file 'examples/pki/cms/auth_token_scoped.json'
 --- examples/pki/cms/auth_token_scoped.json	1970-01-01 00:00:00 +0000
 +++ examples/pki/cms/auth_token_scoped.json	2012-11-30 14:11:19 +0000
@@ -0,0 +1,1 @@
++{"access": {"serviceCatalog": [{"endpoints": [{"adminURL": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a", "region": "regionOne", "internalURL": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a", "publicURL": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a"}], "endpoints_links": [], "type": "volume", "name": "volume"}, {"endpoints": [{"adminURL": "http://127.0.0.1:9292/v1", "region": "regionOne", "internalURL": "http://127.0.0.1:9292/v1", "publicURL": "http://127.0.0.1:9292/v1"}], "endpoints_links": [], "type": "image", "name": "glance"}, {"endpoints": [{"adminURL": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a", "region": "regionOne", "internalURL": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a", "publicURL": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a"}], "endpoints_links": [], "type": "compute", "name": "nova"}, {"endpoints": [{"adminURL": "http://127.0.0.1:35357/v2.0", "region": "RegionOne", "internalURL": "http://127.0.0.1:35357/v2.0", "publicURL": "http://127.0.0.1:5000/v2.0"}], "endpoints_links": [], "type": "identity", "name": "keystone"}],"token": {"expires": "2012-06-02T14:47:34Z", "id": "placeholder", "tenant": {"enabled": true, "description": null, "name": "tenant_name1", "id": "tenant_id1"}}, "user": {"username": "user_name1", "roles_links": ["role1","role2"], "id": "user_id1", "roles": [{"name": "role1"}, {"name": "role2"}], "name": "user_name1"}}}
 === added file 'examples/pki/cms/auth_token_scoped.pem'
 --- examples/pki/cms/auth_token_scoped.pem	1970-01-01 00:00:00 +0000
 +++ examples/pki/cms/auth_token_scoped.pem	2012-11-30 14:11:19 +0000
@@ -0,0 +1,41 @@
++-----BEGIN CMS-----
++MIIHQAYJKoZIhvcNAQcCoIIHMTCCBy0CAQExCTAHBgUrDgMCGjCCBc4GCSqGSIb3
++DQEHAaCCBb8EggW7eyJhY2Nlc3MiOiB7InNlcnZpY2VDYXRhbG9nIjogW3siZW5k
++cG9pbnRzIjogW3siYWRtaW5VUkwiOiAiaHR0cDovLzEyNy4wLjAuMTo4Nzc2L3Yx
++LzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2MTdhIiwgInJlZ2lvbiI6ICJy
++ZWdpb25PbmUiLCAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzEyNy4wLjAuMTo4Nzc2
++L3YxLzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2MTdhIiwgInB1YmxpY1VS
++TCI6ICJodHRwOi8vMTI3LjAuMC4xOjg3NzYvdjEvNjRiNmYzZmJjYzUzNDM1ZThh
++NjBmY2Y4OWJiNjYxN2EifV0sICJlbmRwb2ludHNfbGlua3MiOiBbXSwgInR5cGUi
++OiAidm9sdW1lIiwgIm5hbWUiOiAidm9sdW1lIn0sIHsiZW5kcG9pbnRzIjogW3si
++YWRtaW5VUkwiOiAiaHR0cDovLzEyNy4wLjAuMTo5MjkyL3YxIiwgInJlZ2lvbiI6
++ICJyZWdpb25PbmUiLCAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzEyNy4wLjAuMTo5
++MjkyL3YxIiwgInB1YmxpY1VSTCI6ICJodHRwOi8vMTI3LjAuMC4xOjkyOTIvdjEi
++fV0sICJlbmRwb2ludHNfbGlua3MiOiBbXSwgInR5cGUiOiAiaW1hZ2UiLCAibmFt
++ZSI6ICJnbGFuY2UifSwgeyJlbmRwb2ludHMiOiBbeyJhZG1pblVSTCI6ICJodHRw
++Oi8vMTI3LjAuMC4xOjg3NzQvdjEuMS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZjZjg5
++YmI2NjE3YSIsICJyZWdpb24iOiAicmVnaW9uT25lIiwgImludGVybmFsVVJMIjog
++Imh0dHA6Ly8xMjcuMC4wLjE6ODc3NC92MS4xLzY0YjZmM2ZiY2M1MzQzNWU4YTYw
++ZmNmODliYjY2MTdhIiwgInB1YmxpY1VSTCI6ICJodHRwOi8vMTI3LjAuMC4xOjg3
++NzQvdjEuMS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZjZjg5YmI2NjE3YSJ9XSwgImVu
++ZHBvaW50c19saW5rcyI6IFtdLCAidHlwZSI6ICJjb21wdXRlIiwgIm5hbWUiOiAi
++bm92YSJ9LCB7ImVuZHBvaW50cyI6IFt7ImFkbWluVVJMIjogImh0dHA6Ly8xMjcu
++MC4wLjE6MzUzNTcvdjIuMCIsICJyZWdpb24iOiAiUmVnaW9uT25lIiwgImludGVy
++bmFsVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6MzUzNTcvdjIuMCIsICJwdWJsaWNV
++UkwiOiAiaHR0cDovLzEyNy4wLjAuMTo1MDAwL3YyLjAifV0sICJlbmRwb2ludHNf
++bGlua3MiOiBbXSwgInR5cGUiOiAiaWRlbnRpdHkiLCAibmFtZSI6ICJrZXlzdG9u
++ZSJ9XSwidG9rZW4iOiB7ImV4cGlyZXMiOiAiMjAxMi0wNi0wMlQxNDo0NzozNFoi
++LCAiaWQiOiAicGxhY2Vob2xkZXIiLCAidGVuYW50IjogeyJlbmFibGVkIjogdHJ1
++ZSwgImRlc2NyaXB0aW9uIjogbnVsbCwgIm5hbWUiOiAidGVuYW50X25hbWUxIiwg
++ImlkIjogInRlbmFudF9pZDEifX0sICJ1c2VyIjogeyJ1c2VybmFtZSI6ICJ1c2Vy
++X25hbWUxIiwgInJvbGVzX2xpbmtzIjogWyJyb2xlMSIsInJvbGUyIl0sICJpZCI6
++ICJ1c2VyX2lkMSIsICJyb2xlcyI6IFt7Im5hbWUiOiAicm9sZTEifSwgeyJuYW1l
++IjogInJvbGUyIn1dLCAibmFtZSI6ICJ1c2VyX25hbWUxIn19fQ0KMYIBSTCCAUUC
++AQEwgaQwgZ4xCjAIBgNVBAUTATUxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTES
++MBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQKEwlPcGVuU3RhY2sxETAPBgNVBAsT
++CEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZrZXlzdG9uZUBvcGVuc3RhY2sub3Jn
++MRQwEgYDVQQDEwtTZWxmIFNpZ25lZAIBETAHBgUrDgMCGjANBgkqhkiG9w0BAQEF
++AASBgFizBVs3dCvlHx04nUHgXHpaA9RL+e3uaaNszK9UwCBpBlv8c6+74sz6i3+G
++eYDIpL9bc6QgNJ6cKhmW5yLmS8/+mmAMAcm06bdWc7p/mqC3Ild+xmQ+OHDYyyJg
++DvtRUgtidFUCvxne/nwKK0WHJlpY+iwWqel5F+Xqmb8vheb1
++-----END CMS-----
 === added file 'examples/pki/cms/auth_token_unscoped.json'
 --- examples/pki/cms/auth_token_unscoped.json	1970-01-01 00:00:00 +0000
 +++ examples/pki/cms/auth_token_unscoped.json	2012-11-30 14:11:19 +0000
@@ -0,0 +1,1 @@
++{"access": {"token": {"expires": "2012-08-17T15:35:34Z", "id": "01e032c996ef4406b144335915a41e79"}, "serviceCatalog": {}, "user": {"username": "user_name1", "roles_links": [], "id": "c9c89e3be3ee453fbf00c7966f6d3fbd", "roles": [{'name': 'role1'},{'name': 'role2'},], "name": "user_name1"}}}
 \ No newline at end of file
 === added file 'examples/pki/cms/auth_token_unscoped.pem'
 --- examples/pki/cms/auth_token_unscoped.pem	1970-01-01 00:00:00 +0000
 +++ examples/pki/cms/auth_token_unscoped.pem	2012-11-30 14:11:19 +0000
@@ -0,0 +1,17 @@
++-----BEGIN CMS-----
++MIICpwYJKoZIhvcNAQcCoIICmDCCApQCAQExCTAHBgUrDgMCGjCCATUGCSqGSIb3
++DQEHAaCCASYEggEieyJhY2Nlc3MiOiB7InRva2VuIjogeyJleHBpcmVzIjogIjIw
++MTItMDgtMTdUMTU6MzU6MzRaIiwgImlkIjogIjAxZTAzMmM5OTZlZjQ0MDZiMTQ0
++MzM1OTE1YTQxZTc5In0sICJzZXJ2aWNlQ2F0YWxvZyI6IHt9LCAidXNlciI6IHsi
++dXNlcm5hbWUiOiAidXNlcl9uYW1lMSIsICJyb2xlc19saW5rcyI6IFtdLCAiaWQi
++OiAiYzljODllM2JlM2VlNDUzZmJmMDBjNzk2NmY2ZDNmYmQiLCAicm9sZXMiOiBb
++eyduYW1lJzogJ3JvbGUxJ30seyduYW1lJzogJ3JvbGUyJ30sXSwgIm5hbWUiOiAi
++dXNlcl9uYW1lMSJ9fX0xggFJMIIBRQIBATCBpDCBnjEKMAgGA1UEBRMBNTELMAkG
++A1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlTdW5ueXZhbGUxEjAQBgNV
++BAoTCU9wZW5TdGFjazERMA8GA1UECxMIS2V5c3RvbmUxJTAjBgkqhkiG9w0BCQEW
++FmtleXN0b25lQG9wZW5zdGFjay5vcmcxFDASBgNVBAMTC1NlbGYgU2lnbmVkAgER
++MAcGBSsOAwIaMA0GCSqGSIb3DQEBAQUABIGAITCwkW7cAbcWbCBD5GfGMGHB9hP/
++UagaCZ8HFhlzjdQoJjvC+Mtu+3lWlwqPGR8ztY9kBc1401S2qJxD4FGo+M3CkNpF
++s0mtaT2PUJfFkDCzHqeBQNFHyZeqLjkPYnokPcw4s3i60DBGTFfAiUT3xumn8a4h
++C+zEAee35C/A+Iw=
++-----END CMS-----
 === added file 'examples/pki/cms/revocation_list.json'
 --- examples/pki/cms/revocation_list.json	1970-01-01 00:00:00 +0000
 +++ examples/pki/cms/revocation_list.json	2012-11-30 14:11:19 +0000
@@ -0,0 +1,1 @@
++{"revoked":[{"id":"7acfcfdaf6a14aebe97c61c5947bc4d3","expires":"2012-08-14T17:58:48Z"}]}
 === added file 'examples/pki/cms/revocation_list.pem'
 --- examples/pki/cms/revocation_list.pem	1970-01-01 00:00:00 +0000
 +++ examples/pki/cms/revocation_list.pem	2012-11-30 14:11:19 +0000
@@ -0,0 +1,12 @@
++-----BEGIN CMS-----
++MIIB2QYJKoZIhvcNAQcCoIIByjCCAcYCAQExCTAHBgUrDgMCGjBpBgkqhkiG9w0B
++BwGgXARaeyJyZXZva2VkIjpbeyJpZCI6IjdhY2ZjZmRhZjZhMTRhZWJlOTdjNjFj
++NTk0N2JjNGQzIiwiZXhwaXJlcyI6IjIwMTItMDgtMTRUMTc6NTg6NDhaIn1dfQ0K
++MYIBSTCCAUUCAQEwgaQwgZ4xCjAIBgNVBAUTATUxCzAJBgNVBAYTAlVTMQswCQYD
++VQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQKEwlPcGVuU3RhY2sx
++ETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZrZXlzdG9uZUBvcGVu
++c3RhY2sub3JnMRQwEgYDVQQDEwtTZWxmIFNpZ25lZAIBETAHBgUrDgMCGjANBgkq
++hkiG9w0BAQEFAASBgDNDhvViAo8EqTVVvZ00pWUWjajTwoV1w1os1XDJ1XacBUo+
++rsh7gljIIVuvHL2F9C660I5jxhb7QVsTge3CwSiDmexxBAPOs4lNR5hFH7FdT47b
++OK2qd0XnRjo5F7odUxIkozuQ/UISaNTPeWxGEMNVhpTXo2Dwn8wN1wrs/Z2E
++-----END CMS-----
 === added file 'examples/pki/gen_pki.sh'
 --- examples/pki/gen_pki.sh	1970-01-01 00:00:00 +0000
 +++ examples/pki/gen_pki.sh	2012-11-30 14:11:19 +0000
@@ -0,0 +1,222 @@
++#!/bin/bash
++
++# Copyright 2012 OpenStack LLC
++#
++# Licensed under the Apache License, Version 2.0 (the "License"); you may
++# not use this file except in compliance with the License. You may obtain
++# a copy of the License at
++#
++#      http://www.apache.org/licenses/LICENSE-2.0
++#
++# Unless required by applicable law or agreed to in writing, software
++# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
++# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
++# License for the specific language governing permissions and limitations
++# under the License.
++
++# This script generates the crypto necessary for the SSL tests.
++
++DIR=`dirname "$0"`
++CURRENT_DIR=`cd "$DIR" && pwd`
++CERTS_DIR=$CURRENT_DIR/certs
++PRIVATE_DIR=$CURRENT_DIR/private
++CMS_DIR=$CURRENT_DIR/cms
++
++
++function rm_old {
++  rm -rf $CERTS_DIR/*.pem
++  rm -rf $PRIVATE_DIR/*.pem
++}
++
++function cleanup {
++  rm -rf *.conf > /dev/null 2>&1
++  rm -rf index* > /dev/null 2>&1
++  rm -rf *.crt > /dev/null 2>&1
++  rm -rf newcerts > /dev/null 2>&1
++  rm -rf *.pem > /dev/null 2>&1
++  rm -rf serial* > /dev/null 2>&1
++}
++
++function generate_ca_conf {
++  echo '
++[ req ]
++default_bits            = 1024
++default_keyfile         = cakey.pem
++default_md              = sha1
++
++prompt                  = no
++distinguished_name      = ca_distinguished_name
++
++x509_extensions         = ca_extensions
++
++[ ca_distinguished_name ]
++serialNumber            = 5
++countryName             = US
++stateOrProvinceName     = CA
++localityName            = Sunnyvale
++organizationName        = OpenStack
++organizationalUnitName  = Keystone
++emailAddress            = keystone@openstack.org
++commonName              = Self Signed
++
++[ ca_extensions ]
++basicConstraints        = critical,CA:true
++' > ca.conf
++}
++
++function generate_ssl_req_conf {
++  echo '
++[ req ]
++default_bits            = 1024
++default_keyfile         = keystonekey.pem
++default_md              = sha1
++
++prompt                  = no
++distinguished_name      = distinguished_name
++
++[ distinguished_name ]
++countryName             = US
++stateOrProvinceName     = CA
++localityName            = Sunnyvale
++organizationName        = OpenStack
++organizationalUnitName  = Keystone
++commonName              = localhost
++emailAddress            = keystone@openstack.org
++' > ssl_req.conf
++}
++
++function generate_cms_signing_req_conf {
++  echo '
++[ req ]
++default_bits            = 1024
++default_keyfile         = keystonekey.pem
++default_md              = sha1
++
++prompt                  = no
++distinguished_name      = distinguished_name
++
++[ distinguished_name ]
++countryName             = US
++stateOrProvinceName     = CA
++localityName            = Sunnyvale
++organizationName        = OpenStack
++organizationalUnitName  = Keystone
++commonName              = Keystone
++emailAddress            = keystone@openstack.org
++' > cms_signing_req.conf
++}
++
++function generate_signing_conf {
++  echo '
++[ ca ]
++default_ca      = signing_ca
++
++[ signing_ca ]
++dir             = .
++database        = $dir/index.txt
++new_certs_dir   = $dir/newcerts
++
++certificate     = $dir/certs/cacert.pem
++serial          = $dir/serial
++private_key     = $dir/private/cakey.pem
++
++default_days            = 21360
++default_crl_days        = 30
++default_md              = sha1
++
++policy                  = policy_any
++
++[ policy_any ]
++countryName             = supplied
++stateOrProvinceName     = supplied
++localityName            = optional
++organizationName        = supplied
++organizationalUnitName  = supplied
++emailAddress            = supplied
++commonName              = supplied
++' > signing.conf
++}
++
++function setup {
++  touch index.txt
++  echo '10' > serial
++  generate_ca_conf
++  mkdir newcerts
++}
++
++function check_error {
++  if [ $1 != 0 ] ; then
++    echo "Failed! rc=${1}"
++    echo 'Bailing ...'
++    cleanup
++    exit $1
++  else
++    echo 'Done'
++  fi
++}
++
++function generate_ca {
++  echo 'Generating New CA Certificate ...'
++  openssl req -x509 -newkey rsa:1024 -days 21360 -out $CERTS_DIR/cacert.pem -keyout $PRIVATE_DIR/cakey.pem -outform PEM -config ca.conf -nodes
++  check_error $?
++}
++
++function ssl_cert_req {
++  echo 'Generating SSL Certificate Request ...'
++  generate_ssl_req_conf
++  openssl req -newkey rsa:1024 -keyout $PRIVATE_DIR/ssl_key.pem -keyform PEM -out ssl_req.pem -outform PEM -config ssl_req.conf -nodes
++  check_error $?
++  #openssl req -in req.pem -text -noout
++}
++
++function cms_signing_cert_req {
++  echo 'Generating CMS Signing Certificate Request ...'
++  generate_cms_signing_req_conf
++  openssl req -newkey rsa:1024 -keyout $PRIVATE_DIR/signing_key.pem -keyform PEM -out cms_signing_req.pem -outform PEM -config cms_signing_req.conf -nodes
++  check_error $?
++  #openssl req -in req.pem -text -noout
++}
++
++function issue_certs {
++  generate_signing_conf
++  echo 'Issuing SSL Certificate ...'
++  openssl ca -in ssl_req.pem -config signing.conf -batch
++  check_error $?
++  openssl x509 -in $CURRENT_DIR/newcerts/10.pem -out $CERTS_DIR/ssl_cert.pem
++  check_error $?
++  echo 'Issuing CMS Signing Certificate ...'
++  openssl ca -in cms_signing_req.pem -config signing.conf -batch
++  check_error $?
++  openssl x509 -in $CURRENT_DIR/newcerts/11.pem -out $CERTS_DIR/signing_cert.pem
++  check_error $?
++}
++
++function create_middleware_cert {
++  cp $CERTS_DIR/ssl_cert.pem $CERTS_DIR/middleware.pem
++  cat $PRIVATE_DIR/ssl_key.pem >> $CERTS_DIR/middleware.pem
++}
++
++function check_openssl {
++  echo 'Checking openssl availability ...'
++  which openssl
++  check_error $?
++}
++
++function gen_sample_cms {
++  for json_file in "${CMS_DIR}/auth_token_revoked.json" "${CMS_DIR}/auth_token_unscoped.json" "${CMS_DIR}/auth_token_scoped.json" "${CMS_DIR}/revocation_list.json"
++  do
++    openssl cms -sign -in $json_file -nosmimecap -signer $CERTS_DIR/signing_cert.pem -inkey $PRIVATE_DIR/signing_key.pem -outform PEM -nodetach -nocerts -noattr -out ${json_file/.json/.pem}
++  done
++}
++
++check_openssl
++rm_old
++cleanup
++setup
++generate_ca
++ssl_cert_req
++cms_signing_cert_req
++issue_certs
++create_middleware_cert
++gen_sample_cms
++cleanup
 === added directory 'examples/pki/private'
 === added file 'examples/pki/private/cakey.pem'
 --- examples/pki/private/cakey.pem	1970-01-01 00:00:00 +0000
 +++ examples/pki/private/cakey.pem	2012-11-30 14:11:19 +0000
@@ -0,0 +1,16 @@
++-----BEGIN PRIVATE KEY-----
++MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAMXgnd5wlHApGxZ5
++8LrpEkHU995lT9PxtMgkp0tpFhg7R5HQw9K7TfQk5NHB28hNzf8UE/c0z2pJXggP
++nAzvdx27NQeJGX5CWsi6fITZ8vH/+SxgfxxC+CE/6BkDpzw21MgBtq11vWL7XVax
++NeU12Ax889U66i3CrObuCYt2mbpzAgMBAAECgYEAligxJE9CFSrcR14Zc3zSQeqe
++fcFbpnXQveAyo2MHRTQWx2wobY19RjuI+DOn2IRSQbK2w+zrSLiMBonx3U8Kj8nx
++A4EQ75GLJEEr81TvBoIZSJAqrowNrkXNq8W++qwjlGXRjKiBAYlKMrFvR4lij4XN
++6cdB7kGdSIUmhvC20sECQQD4ebCGfsgFWnrqOrco6T9eQRTvP3+gJuqYXYLuVSTC
++R4gHxT5QVXSZt/Hv3UWJ0BLDbyLzLGHf30w1AqgwsUP5AkEAy96qXq6j2+IRa5w7
++2G+KZHF5N/MK/Hyy27Jw67GBVeGQj1Dwq2ZGAJBZrfXjTtQQAGdQ7EfOTCAOzHgX
++2Bx0ywJAYqfGbBBIkL+VEA0SDh9WNrE2g6u9m7P371kplEGgH7dRDmzFShYz/pin
++aep8IrTHzmsBAHY9wiqh0mZkqzim2QJADTYdxkr89WfeByI1wp3f0wiDeXu3j4sp
++MBGNPcjf/8fBTXhKUGEtUiYImbxggaA+dTg8x0MT/FzreJajvO6DJwJARMc6rhzv
++aTlm4IgApcDPBeuz6SKex9TfvDUJpqACoFM4lMgyHADi9NrJBslxFHPP5eTiM2Ag
++vI7EuW837e6raQ==
++-----END PRIVATE KEY-----
 === added file 'examples/pki/private/signing_key.pem'
 --- examples/pki/private/signing_key.pem	1970-01-01 00:00:00 +0000
 +++ examples/pki/private/signing_key.pem	2012-11-30 14:11:19 +0000
@@ -0,0 +1,16 @@
++-----BEGIN PRIVATE KEY-----
++MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBALqEAuiAajMQufOO
++XP2ZC7HXEG0x6iKWCRxJMBKMcnhI8IhhX4mZomfdaUhTXPTH43SZzfm3v53VUtfc
++NZ66yb1f7nVbH+iWVpEz1+R8sZ5ZcM5wh6T+4H7zGcxrKs1pUnYg+pnEWwmEV/YQ
++gmrht44QrSEiDQlWDGEBh+kEom/bAgMBAAECgYBywfSUHya4gqsW2toGQps6cauu
++s85uN0glujY0w2tO7Pnpv5errvaI12cG1BvWlAIz5MohwlfIgc919wyavCyRJgQN
++xQo5v5MEMYKKc8ppmXpRr03HLwoPLOHVs6UHRJQT9dhOBfmLzMZIP7P/lJlt2/1X
++Okwxft/PWorczKX1aQJBAORlVqP+Cj4r5kz1A77agnCvINioV1VM5n9PvzPVzYLH
++5r1I53RWFooy1Hx2RUCmtSRQMZMeI9iGMg9c8d3LJ4UCQQDRDuIAd3AoNBcwXKC4
++BPNkbI9BSqnpIdZo87BzpY8rJ/ra3VHMHuq4w+gQsmmEy3pp01AZd1uBqv3s1wHy
++muffAkEAn2ZmiH+lUGy9B5q8qXfBL7naF7utb/gCqnnSvO+LxamUTSjTeKsYgg0l
++pVO503xF0fkyEDYp2FUYHQbGOwAtLQJAHkJ3N/YRx9/yU0+0+63LxQdpnNu/yDzb
++mglbywF1vZtl1fQe+NqowuGoX3JTj6McLuElQOpj1lr3siZU49bEJQJBANRazUzj
++Xfoja7wGuZ3PwHdxxoNDlJ2u0rYjcfK9VZuPGSz/25iCOkaar3OralJ3lfCWbFKA
++vvRp8Hl2Yk4hdKM=
++-----END PRIVATE KEY-----
 === added file 'examples/pki/private/ssl_key.pem'
 --- examples/pki/private/ssl_key.pem	1970-01-01 00:00:00 +0000
 +++ examples/pki/private/ssl_key.pem	2012-11-30 14:11:19 +0000
@@ -0,0 +1,16 @@
++-----BEGIN PRIVATE KEY-----
++MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALVu4bjaOH33yAx0
++WdpEqj4UDVsLxVjWxEpIbOlDlc6IfJd+cUriQtxf6ahjxtzLPERS81SnwZmrICWZ
++ngbOn733pULMTZktTJH+o7C74NdKwUSNxjlCeWUy+FqIQoje4ygoJRPpMdkp1wHN
++O0ZERwRN9e8M5TIlx/LRtk+q8bT5AgMBAAECgYAmwq6EYFJrTvE0//JmN/8qzfvg
++dI5PoWpD+F8UInUxr2T2tHOdrOLd07vGVrKYXu7cJeCIOGKa4r02azAggioL/nE9
++FgPpqEC+QROvLuhFsk1gLZ2pGQ06sveKZVMH22h59BKZkYlhjh5qd4vlmhPqkmPp
++gdXj7ZjDCJhhQdFVkQJBANp18k2mVksn8q29LMieVTSIZNN3ucDA1QHbim+3fp/O
++GxCzU7Mv1Xfnu1zoRFu5/sF3YG0Zy3TGPDrEljBC3rUCQQDUnBjVFXL35OkBZqXW
++taJPzGbsPoqAO+Ls2juS97zNzeGxUNhvcKuEvHO63PXqDxp1535DpvJEBN1rT2FF
++iaO1AkEAt/QTWWFUTqrPxY6DNFdm5fpn9E1fg7icZJkKBDJeFJCH59MpCryfovzl
++n0ERtq9ynlQ4RQYwdR8rvkylLvRP9QJAOiXHFOAc5XeR0nREfwiGL9TzgUFJl/DJ
++C4ZULMnctVzNkTVPPItQHal87WppR26CCiUZ/161e6zo8eRv8hjG0QJABWqfYQuK
++dWH8nxlXS+NFUDbsCdL+XpOVE7iEH7hvSw/A/kz40mLx8sDp/Fz1ysrogR/L+NGC
++Vrlwm4q/WYJO0Q==
++-----END PRIVATE KEY-----
 === added file 'keystoneclient/access.py'
 --- keystoneclient/access.py	1970-01-01 00:00:00 +0000
 +++ keystoneclient/access.py	2012-11-30 14:11:19 +0000
@@ -0,0 +1,144 @@
++# Copyright 2012 Nebula, Inc.
++#
++# All Rights Reserved.
++#
++# Licensed under the Apache License, Version 2.0 (the "License");
++# you may not use this file except in compliance with the License.
++# You may obtain a copy of the License at
++#
++# http://www.apache.org/licenses/LICENSE-2.0
++#
++# Unless required by applicable law or agreed to in writing, software
++# distributed under the License is distributed on an "AS IS" BASIS,
++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++# See the License for the specific language governing permissions and
++# limitations under the License.
++
++
++class AccessInfo(dict):
++    """An object for encapsulating a raw authentication token from keystone
++    and helper methods for extracting useful values from that token."""
++
++    def __init__(self, *args, **kwargs):
++        dict.__init__(self, *args, **kwargs)
++
++    @property
++    def auth_token(self):
++        """ Returns the token_id associated with the auth request, to be used
++        in headers for authenticating OpenStack API requests.
++
++        :returns: str
++        """
++        return self['token'].get('id', None)
++
++    @property
++    def username(self):
++        """ Returns the username associated with the authentication request.
++        Follows the pattern defined in the V2 API of first looking for 'name',
++        returning that if available, and falling back to 'username' if name
++        is unavailable.
++
++        :returns: str
++        """
++        name = self['user'].get('name', None)
++        if name:
++            return name
++        else:
++            return self['user'].get('username', None)
++
++    @property
++    def user_id(self):
++        """ Returns the user id associated with the authentication request.
++
++        :returns: str
++        """
++        return self['user'].get('id', None)
++
++    @property
++    def tenant_name(self):
++        """ Returns the tenant (project) name associated with the
++        authentication request.
++
++        :returns: str
++        """
++        tenant_dict = self['token'].get('tenant', None)
++        if tenant_dict:
++            return tenant_dict.get('name', None)
++        return None
++
++    @property
++    def project_name(self):
++        """ Synonym for tenant_name """
++        return self.tenant_name
++
++    @property
++    def scoped(self):
++        """ Returns true if the authorization token was scoped to a tenant
++        (project), and contains a populated service catalog.
++
++        :returns: bool
++        """
++        if ('serviceCatalog' in self
++            and self['serviceCatalog']
++            and 'tenant' in self['token']):
++            return True
++        return False
++
++    @property
++    def tenant_id(self):
++        """ Returns the tenant (project) id associated with the authentication
++        request, or None if the authentication request wasn't scoped to a
++        tenant (project).
++
++        :returns: str
++        """
++        tenant_dict = self['token'].get('tenant', None)
++        if tenant_dict:
++            return tenant_dict.get('id', None)
++        return None
++
++    @property
++    def project_id(self):
++        """ Synonym for project_id """
++        return self.tenant_id
++
++    @property
++    def auth_url(self):
++        """ Returns a tuple of URLs from publicURL and adminURL for the service
++        'identity' from the service catalog associated with the authorization
++        request. If the authentication request wasn't scoped to a tenant
++        (project), this property will return None.
++
++        :returns: tuple of urls
++        """
++        return_list = []
++        if 'serviceCatalog' in self and self['serviceCatalog']:
++            identity_services = [x for x in self['serviceCatalog']
++                                 if x['type'] == 'identity']
++            for svc in identity_services:
++                for endpoint in svc['endpoints']:
++                    if 'publicURL' in endpoint:
++                        return_list.append(endpoint['publicURL'])
++        if len(return_list) > 0:
++            return tuple(return_list)
++        return None
++
++    @property
++    def management_url(self):
++        """ Returns the first adminURL for 'identity' from the service catalog
++        associated with the authorization request, or None if the
++        authentication request wasn't scoped to a tenant (project).
++
++        :returns: tuple of urls
++        """
++        return_list = []
++        if 'serviceCatalog' in self and self['serviceCatalog']:
++            identity_services = [x for x in self['serviceCatalog']
++                                 if x['type'] == 'identity']
++            for svc in identity_services:
++                for endpoint in svc['endpoints']:
++                    if 'adminURL' in endpoint:
++                        return_list.append(endpoint['adminURL'])
++        if len(return_list) > 0:
++            return tuple(return_list)
++        return None
 === modified file 'keystoneclient/base.py'
 --- keystoneclient/base.py	2012-06-22 12:58:18 +0000
 +++ keystoneclient/base.py	2012-11-30 14:11:19 +0000
@@ -18,6 +18,8 @@
  Base utilities to build API operation managers and objects on top of.
  """
++import urllib
++
  from keystoneclient import exceptions
@@ -76,7 +78,11 @@
      def _get(self, url, response_key):
          resp, body = self.api.get(url)
--        return self.resource_class(self, body[response_key])
++        return self.resource_class(self, body[response_key], loaded=True)
++
++    def _head(self, url):
++        resp, body = self.api.head(url)
++        return resp.status == 204
      def _create(self, url, body, response_key, return_raw=False):
          resp, body = self.api.post(url, body=body)
@@ -87,11 +93,15 @@
      def _delete(self, url):
          resp, body = self.api.delete(url)
--    def _update(self, url, body, response_key=None, method="PUT"):
++    def _update(self, url, body=None, response_key=None, method="PUT"):
          methods = {"PUT": self.api.put,
--                   "POST": self.api.post}
++                   "POST": self.api.post,
++                   "PATCH": self.api.patch}
          try:
--            resp, body = methods[method](url, body=body)
++            if body is not None:
++                resp, body = methods[method](url, body=body)
++            else:
++                resp, body = methods[method](url)
          except KeyError:
              raise exceptions.ClientException("Invalid update method: %s"
                                               % method)
@@ -139,6 +149,115 @@
          return found
++class CrudManager(Manager):
++    """Base manager class for manipulating Keystone entities.
++
++    Children of this class are expected to define a `collection_key` and `key`.
++
++    - `collection_key`: Usually a plural noun by convention (e.g. `entities`);
++      used to refer collections in both URL's (e.g.  `/v3/entities`) and JSON
++      objects containing a list of member resources (e.g. `{'entities': [{},
++      {}, {}]}`).
++    - `key`: Usually a singular noun by convention (e.g. `entity`); used to
++      refer to an individual member of the collection.
++
++    """
++    collection_key = None
++    key = None
++
++    def build_url(self, base_url=None, **kwargs):
++        """Builds a resource URL for the given kwargs.
++
++        Given an example collection where `collection_key = 'entities'` and
++        `key = 'entity'`, the following URL's could be generated.
++
++        By default, the URL will represent a collection of entities, e.g.::
++
++            /entities
++
++        If kwargs contains an `entity_id`, then the URL will represent a
++        specific member, e.g.::
++
++            /entities/{entity_id}
++
++        If a `base_url` is provided, the generated URL will be appended to it.
++
++        """
++        url = base_url if base_url is not None else ''
++
++        url += '/%s' % self.collection_key
++
++        # do we have a specific entity?
++        entity_id = kwargs.get('%s_id' % self.key)
++        if entity_id is not None:
++            url += '/%s' % entity_id
++
++        return url
++
++    def _filter_kwargs(self, kwargs):
++        # drop null values
++        for key, ref in kwargs.copy().iteritems():
++            if ref is None:
++                kwargs.pop(key)
++            else:
++                id_value = getid(ref)
++                if id_value != ref:
++                    kwargs.pop(key)
++                    kwargs['%s_id' % key] = id_value
++        return kwargs
++
++    def create(self, **kwargs):
++        kwargs = self._filter_kwargs(kwargs)
++        return self._create(
++            self.build_url(**kwargs),
++            {self.key: kwargs},
++            self.key)
++
++    def get(self, **kwargs):
++        kwargs = self._filter_kwargs(kwargs)
++        return self._get(
++            self.build_url(**kwargs),
++            self.key)
++
++    def head(self, **kwargs):
++        kwargs = self._filter_kwargs(kwargs)
++        return self._head(self.build_url(**kwargs))
++
++    def list(self, base_url=None, **kwargs):
++        kwargs = self._filter_kwargs(kwargs)
++
++        return self._list(
++            '%(base_url)s%(query)s' % {
++                'base_url': self.build_url(base_url=base_url, **kwargs),
++                'query': '?%s' % urllib.urlencode(kwargs) if kwargs else '',
++            },
++            self.collection_key)
++
++    def put(self, base_url=None, **kwargs):
++        kwargs = self._filter_kwargs(kwargs)
++
++        return self._update(
++            self.build_url(base_url=base_url, **kwargs),
++            method='PUT')
++
++    def update(self, **kwargs):
++        kwargs = self._filter_kwargs(kwargs)
++        params = kwargs.copy()
++        params.pop('%s_id' % self.key)
++
++        return self._update(
++            self.build_url(**kwargs),
++            {self.key: params},
++            self.key,
++            method='PATCH')
++
++    def delete(self, **kwargs):
++        kwargs = self._filter_kwargs(kwargs)
++
++        return self._delete(
++            self.build_url(**kwargs))
++
++
  class Resource(object):
      """
      A resource represents a particular instance of an object (tenant, user,
@@ -185,6 +304,9 @@
          if new:
              self._add_details(new._info)
++    def delete(self):
++        return self.manager.delete(self)
++
      def __eq__(self, other):
          if not isinstance(other, self.__class__):
              return False
 === modified file 'keystoneclient/client.py'
 --- keystoneclient/client.py	2012-09-07 13:13:18 +0000
 +++ keystoneclient/client.py	2012-11-30 14:11:19 +0000
@@ -10,7 +10,6 @@
  import copy
  import logging
--import os
  import urlparse
  import httplib2
@@ -26,6 +25,7 @@
      urlparse.parse_qsl = cgi.parse_qsl
++from keystoneclient import access
  from keystoneclient import exceptions
@@ -39,40 +39,71 @@
      def __init__(self, username=None, tenant_id=None, tenant_name=None,
                   password=None, auth_url=None, region_name=None, timeout=None,
                   endpoint=None, token=None, cacert=None, key=None,
--                 cert=None, insecure=False):
++                 cert=None, insecure=False, original_ip=None, debug=False,
++                 auth_ref=None):
          super(HTTPClient, self).__init__(timeout=timeout, ca_certs=cacert)
          if cert:
              if key:
                  self.add_certificate(key=key, cert=cert, domain='')
              else:
                  self.add_certificate(key=cert, cert=cert, domain='')
--        self.username = username
--        self.tenant_id = tenant_id
--        self.tenant_name = tenant_name
++        self.version = 'v2.0'
++        # set baseline defaults
++        self.username = None
++        self.tenant_id = None
++        self.tenant_name = None
++        self.auth_url = None
++        self.token = None
++        self.auth_token = None
++        self.management_url = None
++        # if loading from a dictionary passed in via auth_ref,
++        # load values from AccessInfo parsing that dictionary
++        self.auth_ref = access.AccessInfo(**auth_ref) if auth_ref else None
++        if self.auth_ref:
++            self.username = self.auth_ref.username
++            self.tenant_id = self.auth_ref.tenant_id
++            self.tenant_name = self.auth_ref.tenant_name
++            self.auth_url = self.auth_ref.auth_url[0]
++            self.management_url = self.auth_ref.management_url[0]
++            self.auth_token = self.auth_ref.auth_token
++        # allow override of the auth_ref defaults from explicit
++        # values provided to the client
++        if username:
++            self.username = username
++        if tenant_id:
++            self.tenant_id = tenant_id
++        if tenant_name:
++            self.tenant_name = tenant_name
++        if auth_url:
++            self.auth_url = auth_url.rstrip('/')
++        if token:
++            self.auth_token = token
++        if endpoint:
++            self.management_url = endpoint.rstrip('/')
          self.password = password
--        self.auth_url = auth_url.rstrip('/') if auth_url else None
--        self.version = 'v2.0'
++        self.original_ip = original_ip
          self.region_name = region_name
--        self.auth_token = token
--
--        self.management_url = endpoint
          # httplib2 overrides
          self.force_exception_to_status_code = True
          self.disable_ssl_certificate_validation = insecure
          # logging setup
--        self.debug_log = os.environ.get('KEYSTONECLIENT_DEBUG', False)
++        self.debug_log = debug
          if self.debug_log:
              ch = logging.StreamHandler()
              _logger.setLevel(logging.DEBUG)
              _logger.addHandler(ch)
      def authenticate(self):
--        """ Authenticate against the keystone API.
++        """ Authenticate against the Identity API.
          Not implemented here because auth protocols should be API
          version-specific.
++
++        Expected to authenticate or validate an existing authentication
++        reference already associated with the client. Invoking this call
++        *always* makes a call to the Keystone.
          """
          raise NotImplementedError
@@ -107,6 +138,9 @@
          if self.debug_log:
              _logger.debug("RESP: %s\nRESP BODY: %s\n", resp, body)
++    def serialize(self, entity):
++        return json.dumps(entity)
++
      def request(self, url, method, **kwargs):
          """ Send an http request with the specified characteristics.
@@ -117,9 +151,12 @@
          request_kwargs = copy.copy(kwargs)
          request_kwargs.setdefault('headers', kwargs.get('headers', {}))
          request_kwargs['headers']['User-Agent'] = self.USER_AGENT
++        if self.original_ip:
++            request_kwargs['headers']['Forwarded'] = "for=%s;by=%s" % (
++                self.original_ip, self.USER_AGENT)
          if 'body' in kwargs:
              request_kwargs['headers']['Content-Type'] = 'application/json'
--            request_kwargs['body'] = json.dumps(kwargs['body'])
++            request_kwargs['body'] = self.serialize(kwargs['body'])
          self.http_log_req((url, method,), request_kwargs)
          resp, body = super(HTTPClient, self).request(url,
@@ -127,6 +164,13 @@
                                                       **request_kwargs)
          self.http_log_resp(resp, body)
++        if resp.status in (400, 401, 403, 404, 408, 409, 413, 500, 501):
++            _logger.debug("Request returned failure status: %s", resp.status)
++            raise exceptions.from_response(resp, body)
++        elif resp.status in (301, 302, 305):
++            # Redirected. Reissue the request to the new location.
++            return self.request(resp['location'], method, **kwargs)
++
          if body:
              try:
                  body = json.loads(body)
@@ -136,51 +180,38 @@
              _logger.debug("No body was returned.")
              body = None
--        if resp.status in (400, 401, 403, 404, 408, 409, 413, 500, 501):
--            _logger.exception("Request returned failure status.")
--            raise exceptions.from_response(resp, body)
--        elif resp.status in (301, 302, 305):
--            # Redirected. Reissue the request to the new location.
--            return self.request(resp['location'], method, **kwargs)
--
          return resp, body
      def _cs_request(self, url, method, **kwargs):
--        if not self.management_url:
--            self.authenticate()
++        """ Makes an authenticated request to keystone endpoint by
++        concatenating self.management_url and url and passing in method and
++        any associated kwargs. """
++        if self.management_url is None:
++            raise exceptions.AuthorizationFailure(
++                'Current authorization does not have a known management url')
          kwargs.setdefault('headers', {})
          if self.auth_token:
              kwargs['headers']['X-Auth-Token'] = self.auth_token
--        # Perform the request once. If we get a 401 back then it
--        # might be because the auth token expired, so try to
--        # re-authenticate and try again. If it still fails, bail.
--        try:
--            resp, body = self.request(self.management_url + url, method,
--                                      **kwargs)
--            return resp, body
--        except exceptions.Unauthorized:
--            try:
--                if getattr(self, '_failures', 0) < 1:
--                    self._failures = getattr(self, '_failures', 0) + 1
--                    self.authenticate()
--                    resp, body = self.request(self.management_url + url,
--                                              method, **kwargs)
--                    return resp, body
--                else:
--                    raise
--            except exceptions.Unauthorized:
--                raise
++        resp, body = self.request(self.management_url + url, method,
++                                  **kwargs)
++        return resp, body
      def get(self, url, **kwargs):
          return self._cs_request(url, 'GET', **kwargs)
++    def head(self, url, **kwargs):
++        return self._cs_request(url, 'HEAD', **kwargs)
++
      def post(self, url, **kwargs):
          return self._cs_request(url, 'POST', **kwargs)
      def put(self, url, **kwargs):
          return self._cs_request(url, 'PUT', **kwargs)
++    def patch(self, url, **kwargs):
++        return self._cs_request(url, 'PATCH', **kwargs)
++
      def delete(self, url, **kwargs):
          return self._cs_request(url, 'DELETE', **kwargs)
 === added directory 'keystoneclient/common'
 === added file 'keystoneclient/common/__init__.py'
 === added file 'keystoneclient/common/cms.py'
 --- keystoneclient/common/cms.py	1970-01-01 00:00:00 +0000
 +++ keystoneclient/common/cms.py	2012-11-30 14:11:19 +0000
@@ -0,0 +1,169 @@
++import hashlib
++
++import logging
++
++
++subprocess = None
++LOG = logging.getLogger(__name__)
++PKI_ANS1_PREFIX = 'MII'
++
++
++def _ensure_subprocess():
++    # NOTE(vish): late loading subprocess so we can
++    #             use the green version if we are in
++    #             eventlet.
++    global subprocess
++    if not subprocess:
++        try:
++            from eventlet import patcher
++            if patcher.already_patched.get('os'):
++                from eventlet.green import subprocess
++            else:
++                import subprocess
++        except ImportError:
++            import subprocess
++
++
++def cms_verify(formatted, signing_cert_file_name, ca_file_name):
++    """
++        verifies the signature of the contents IAW CMS syntax
++    """
++    _ensure_subprocess()
++    process = subprocess.Popen(["openssl", "cms", "-verify",
++                                "-certfile", signing_cert_file_name,
++                                "-CAfile", ca_file_name,
++                                "-inform", "PEM",
++                                "-nosmimecap", "-nodetach",
++                                "-nocerts", "-noattr"],
++                               stdin=subprocess.PIPE,
++                               stdout=subprocess.PIPE,
++                               stderr=subprocess.PIPE)
++    output, err = process.communicate(formatted)
++    retcode = process.poll()
++    if retcode:
++        LOG.error('Verify error: %s' % err)
++        raise subprocess.CalledProcessError(retcode, "openssl", output=err)
++    return output
++
++
++def token_to_cms(signed_text):
++    copy_of_text = signed_text.replace('-', '/')
++
++    formatted = "-----BEGIN CMS-----\n"
++    line_length = 64
++    while len(copy_of_text) > 0:
++        if (len(copy_of_text) > line_length):
++            formatted += copy_of_text[:line_length]
++            copy_of_text = copy_of_text[line_length:]
++        else:
++            formatted += copy_of_text
++            copy_of_text = ""
++        formatted += "\n"
++
++    formatted += "-----END CMS-----\n"
++
++    return formatted
++
++
++def verify_token(token, signing_cert_file_name, ca_file_name):
++    return cms_verify(token_to_cms(token),
++                      signing_cert_file_name,
++                      ca_file_name)
++
++
++def is_ans1_token(token):
++    '''
++    thx to ayoung for sorting this out.
++
++    base64 decoded hex representation of MII is 3082
++    In [3]: binascii.hexlify(base64.b64decode('MII='))
++    Out[3]: '3082'
++
++    re: http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
++
++    pg4:  For tags from 0 to 30 the first octet is the identfier
++    pg10: Hex 30 means sequence, followed by the length of that sequence.
++    pg5:  Second octet is the length octet
++          first bit indicates short or long form, next 7 bits encode the number
++          of subsequent octets that make up the content length octets as an
++          unsigned binary int
++
++          82 = 10000010 (first bit indicates long form)
++          0000010 = 2 octets of content length
++          so read the next 2 octets to get the length of the content.
++
++    In the case of a very large content length there could be a requirement to
++    have more than 2 octets to designate the content length, therefore
++    requiring us to check for MIM, MIQ, etc.
++    In [4]: base64.b64encode(binascii.a2b_hex('3083'))
++    Out[4]: 'MIM='
++    In [5]: base64.b64encode(binascii.a2b_hex('3084'))
++    Out[5]: 'MIQ='
++    Checking for MI would become invalid at 16 octets of content length
++    10010000 = 90
++    In [6]: base64.b64encode(binascii.a2b_hex('3090'))
++    Out[6]: 'MJA='
++    Checking for just M is insufficient
++
++    But we will only check for MII:
++    Max length of the content using 2 octets is 7FFF or 32767
++    It's not practical to support a token of this length or greater in http
++    therefore, we will check for MII only and ignore the case of larger tokens
++    '''
++    return token[:3] == PKI_ANS1_PREFIX
++
++
++def cms_sign_text(text, signing_cert_file_name, signing_key_file_name):
++    """ Uses OpenSSL to sign a document
++    Produces a Base64 encoding of a DER formatted CMS Document
++    http://en.wikipedia.org/wiki/Cryptographic_Message_Syntax
++    """
++    _ensure_subprocess()
++    process = subprocess.Popen(["openssl", "cms", "-sign",
++                                "-signer", signing_cert_file_name,
++                                "-inkey", signing_key_file_name,
++                                "-outform", "PEM",
++                                "-nosmimecap", "-nodetach",
++                                "-nocerts", "-noattr"],
++                               stdin=subprocess.PIPE,
++                               stdout=subprocess.PIPE,
++                               stderr=subprocess.PIPE)
++    output, err = process.communicate(text)
++    retcode = process.poll()
++    if retcode or "Error" in err:
++        LOG.error('Signing error: %s' % err)
++        raise subprocess.CalledProcessError(retcode, "openssl")
++    return output
++
++
++def cms_sign_token(text, signing_cert_file_name, signing_key_file_name):
++    output = cms_sign_text(text, signing_cert_file_name, signing_key_file_name)
++    return cms_to_token(output)
++
++
++def cms_to_token(cms_text):
++
++    start_delim = "-----BEGIN CMS-----"
++    end_delim = "-----END CMS-----"
++    signed_text = cms_text
++    signed_text = signed_text.replace('/', '-')
++    signed_text = signed_text.replace(start_delim, '')
++    signed_text = signed_text.replace(end_delim, '')
++    signed_text = signed_text.replace('\n', '')
++
++    return signed_text
++
++
++def cms_hash_token(token_id):
++    """
++    return: for ans1_token, returns the hash of the passed in token
++            otherwise, returns what it was passed in.
++    """
++    if token_id is None:
++        return None
++    if is_ans1_token(token_id):
++        hasher = hashlib.md5()
++        hasher.update(token_id)
++        return hasher.hexdigest()
++    else:
++        return token_id
 === added directory 'keystoneclient/contrib'
 === added file 'keystoneclient/contrib/__init__.py'
 === added directory 'keystoneclient/contrib/bootstrap'
 === added file 'keystoneclient/contrib/bootstrap/__init__.py'
 === added file 'keystoneclient/contrib/bootstrap/shell.py'
 --- keystoneclient/contrib/bootstrap/shell.py	1970-01-01 00:00:00 +0000
 +++ keystoneclient/contrib/bootstrap/shell.py	2012-11-30 14:11:19 +0000
@@ -0,0 +1,28 @@
++from keystoneclient import utils
++from keystoneclient.v2_0 import client
++
++
++@utils.arg('--user-name', metavar='<user-name>', default='admin', dest='user',
++           help='The name of the user to be created (default="admin").')
++@utils.arg('--pass', metavar='<password>', required=True, dest='passwd',
++           help='The password for the new user.')
++@utils.arg('--role-name', metavar='<role-name>', default='admin', dest='role',
++           help='The name of the role to be created and granted to the user '
++           '(default="admin").')
++@utils.arg('--tenant-name', metavar='<tenant-name>', default='admin',
++           dest='tenant',
++           help='The name of the tenant to be created (default="admin").')
++def do_bootstrap(kc, args):
++    """Grants a new role to a new user on a new tenant, after creating each."""
++    tenant = kc.tenants.create(tenant_name=args.tenant)
++    role = kc.roles.create(name=args.role)
++    user = kc.users.create(name=args.user, password=args.passwd, email=None)
++    kc.roles.add_user_role(user=user, role=role, tenant=tenant)
++
++    # verify the result
++    user_client = client.Client(
++        username=args.user,
++        password=args.passwd,
++        tenant_name=args.tenant,
++        auth_url=kc.management_url)
++    user_client.authenticate()
 === modified file 'keystoneclient/exceptions.py'
 --- keystoneclient/exceptions.py	2012-06-22 12:58:18 +0000
 +++ keystoneclient/exceptions.py	2012-11-30 14:11:19 +0000
@@ -9,6 +9,10 @@
      pass
++class ValidationError(Exception):
++    pass
++
++
  class AuthorizationFailure(Exception):
      pass
@@ -24,6 +28,11 @@
      pass
++class EmptyCatalog(Exception):
++    """ The service catalog is empty. """
++    pass
++
++
  class ClientException(Exception):
      """
      The base exception class for all exceptions this library raises.
@@ -95,6 +104,14 @@
      message = "Not Implemented"
++class ServiceUnavailable(ClientException):
++    """
++    HTTP 503 - Service Unavailable: The server is currently unavailable.
++    """
++    http_status = 503
++    message = "Service Unavailable"
++
++
  # In Python 2.4 Exception is old-style and thus doesn't have a __subclasses__()
  # so we can do this:
  #     _code_map = dict((c.http_status, c)
@@ -106,7 +123,8 @@
                                                Forbidden,
                                                NotFound,
                                                OverLimit,
--                                              HTTPNotImplemented])
++                                              HTTPNotImplemented,
++                                              ServiceUnavailable])
  def from_response(response, body):
 === modified file 'keystoneclient/generic/shell.py'
 --- keystoneclient/generic/shell.py	2012-03-26 14:01:05 +0000
 +++ keystoneclient/generic/shell.py	2012-11-30 14:11:19 +0000
@@ -28,13 +28,15 @@
      extensions supported.
      Usage::
--    $ keystone discover
--    Keystone found at http://localhost:35357
--        - supports version v1.0 (DEPRECATED) here http://localhost:35357/v1.0
--        - supports version v1.1 (CURRENT) here http://localhost:35357/v1.1
--        - supports version v2.0 (BETA) here http://localhost:35357/v2.0
--            - and RAX-KSKEY: Rackspace API Key Authentication Admin Extension
--            - and RAX-KSGRP: Rackspace Keystone Group Extensions
++
++        $ keystone discover
++        Keystone found at http://localhost:35357
++
++    - supports version v1.0 (DEPRECATED) here http://localhost:35357/v1.0
++    - supports version v1.1 (CURRENT) here http://localhost:35357/v1.1
++    - supports version v2.0 (CURRENT) here http://localhost:35357/v2.0
++        - and RAX-KSKEY: Rackspace API Key Authentication Admin Extension
++        - and RAX-KSGRP: Rackspace Keystone Group Extensions
      """
      if cs.endpoint:
          versions = cs.discover(cs.endpoint)
 === added directory 'keystoneclient/locale'
 === added file 'keystoneclient/locale/keystoneclient.pot'
 --- keystoneclient/locale/keystoneclient.pot	1970-01-01 00:00:00 +0000
 +++ keystoneclient/locale/keystoneclient.pot	2012-11-30 14:11:19 +0000
@@ -0,0 +1,20 @@
++# Translations template for python-keystoneclient.
++# Copyright (C) 2012 ORGANIZATION
++# This file is distributed under the same license as the
++# python-keystoneclient project.
++# FIRST AUTHOR <EMAIL@ADDRESS>, 2012.
++#
++#, fuzzy
++msgid ""
++msgstr ""
++"Project-Id-Version: python-keystoneclient 0.1.3.12\n"
++"Report-Msgid-Bugs-To: EMAIL@ADDRESS\n"
++"POT-Creation-Date: 2012-09-29 16:02-0700\n"
++"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
++"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
++"Language-Team: LANGUAGE <LL@li.org>\n"
++"MIME-Version: 1.0\n"
++"Content-Type: text/plain; charset=utf-8\n"
++"Content-Transfer-Encoding: 8bit\n"
++"Generated-By: Babel 0.9.6\n"
++
 === added directory 'keystoneclient/middleware'
 === added file 'keystoneclient/middleware/__init__.py'
 === added file 'keystoneclient/middleware/auth_token.py'
 --- keystoneclient/middleware/auth_token.py	1970-01-01 00:00:00 +0000
 +++ keystoneclient/middleware/auth_token.py	2012-11-30 14:11:19 +0000
@@ -0,0 +1,864 @@
++# vim: tabstop=4 shiftwidth=4 softtabstop=4
++
++# Copyright 2010-2012 OpenStack LLC
++#
++# Licensed under the Apache License, Version 2.0 (the "License");
++# you may not use this file except in compliance with the License.
++# You may obtain a copy of the License at
++#
++#    http://www.apache.org/licenses/LICENSE-2.0
++#
++# Unless required by applicable law or agreed to in writing, software
++# distributed under the License is distributed on an "AS IS" BASIS,
++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
++# implied.
++# See the License for the specific language governing permissions and
++# limitations under the License.
++
++"""
++TOKEN-BASED AUTH MIDDLEWARE
++
++This WSGI component:
++
++* Verifies that incoming client requests have valid tokens by validating
++  tokens with the auth service.
++* Rejects unauthenticated requests UNLESS it is in 'delay_auth_decision'
++  mode, which means the final decision is delegated to the downstream WSGI
++  component (usually the OpenStack service)
++* Collects and forwards identity information based on a valid token
++  such as user name, tenant, etc
++
++Refer to: http://keystone.openstack.org/middlewarearchitecture.html
++
++HEADERS
++-------
++
++* Headers starting with HTTP\_ is a standard http header
++* Headers starting with HTTP_X is an extended http header
++
++Coming in from initial call from client or customer
++^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
++
++HTTP_X_AUTH_TOKEN
++    The client token being passed in.
++
++HTTP_X_STORAGE_TOKEN
++    The client token being passed in (legacy Rackspace use) to support
++    swift/cloud files
++
++Used for communication between components
++^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
++
++WWW-Authenticate
++    HTTP header returned to a user indicating which endpoint to use
++    to retrieve a new token
++
++What we add to the request for use by the OpenStack service
++^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
++
++HTTP_X_IDENTITY_STATUS
++    'Confirmed' or 'Invalid'
++    The underlying service will only see a value of 'Invalid' if the Middleware
++    is configured to run in 'delay_auth_decision' mode
++
++HTTP_X_TENANT_ID
++    Identity service managed unique identifier, string
++
++HTTP_X_TENANT_NAME
++    Unique tenant identifier, string
++
++HTTP_X_USER_ID
++    Identity-service managed unique identifier, string
++
++HTTP_X_USER_NAME
++    Unique user identifier, string
++
++HTTP_X_ROLES
++    Comma delimited list of case-sensitive Roles
++
++HTTP_X_SERVICE_CATALOG
++    json encoded keystone service catalog (optional).
++
++HTTP_X_TENANT
++    *Deprecated* in favor of HTTP_X_TENANT_ID and HTTP_X_TENANT_NAME
++    Keystone-assigned unique identifier, deprecated
++
++HTTP_X_USER
++    *Deprecated* in favor of HTTP_X_USER_ID and HTTP_X_USER_NAME
++    Unique user name, string
++
++HTTP_X_ROLE
++    *Deprecated* in favor of HTTP_X_ROLES
++    This is being renamed, and the new header contains the same data.
++
++OTHER ENVIRONMENT VARIABLES
++---------------------------
++
++keystone.token_info
++    Information about the token discovered in the process of
++    validation.  This may include extended information returned by the
++    Keystone token validation call, as well as basic information about
++    the tenant and user.
++
++"""
++
++import datetime
++import httplib
++import json
++import logging
++import os
++import stat
++import time
++import webob
++import webob.exc
++
++from keystoneclient.openstack.common import jsonutils
++from keystoneclient.common import cms
++from keystoneclient import utils
++from keystoneclient.openstack.common import timeutils
++
++CONF = None
++try:
++    from openstack.common import cfg
++    CONF = cfg.CONF
++except ImportError:
++    # cfg is not a library yet, try application copies
++    for app in 'nova', 'glance', 'quantum', 'cinder':
++        try:
++            cfg = __import__('%s.openstack.common.cfg' % app,
++                             fromlist=['%s.openstack.common' % app])
++            # test which application middleware is running in
++            if hasattr(cfg, 'CONF') and 'config_file' in cfg.CONF:
++                CONF = cfg.CONF
++                break
++        except ImportError:
++            pass
++if not CONF:
++    from keystoneclient.openstack.common import cfg
++    CONF = cfg.CONF
++LOG = logging.getLogger(__name__)
++
++# alternative middleware configuration in the main application's
++# configuration file e.g. in nova.conf
++# [keystone_authtoken]
++# auth_host = 127.0.0.1
++# auth_port = 35357
++# auth_protocol = http
++# admin_tenant_name = admin
++# admin_user = admin
++# admin_password = badpassword
++opts = [
++    cfg.StrOpt('auth_admin_prefix', default=''),
++    cfg.StrOpt('auth_host', default='127.0.0.1'),
++    cfg.IntOpt('auth_port', default=35357),
++    cfg.StrOpt('auth_protocol', default='https'),
++    cfg.StrOpt('auth_uri', default=None),
++    cfg.BoolOpt('delay_auth_decision', default=False),
++    cfg.StrOpt('admin_token'),
++    cfg.StrOpt('admin_user'),
++    cfg.StrOpt('admin_password'),
++    cfg.StrOpt('admin_tenant_name', default='admin'),
++    cfg.StrOpt('certfile'),
++    cfg.StrOpt('keyfile'),
++    cfg.StrOpt('signing_dir'),
++    cfg.ListOpt('memcache_servers'),
++    cfg.IntOpt('token_cache_time', default=300),
++]
++CONF.register_opts(opts, group='keystone_authtoken')
++
++
++def will_expire_soon(expiry):
++    """ Determines if expiration is about to occur.
++
++    :param expiry: a datetime of the expected expiration
++    :returns: boolean : true if expiration is within 30 seconds
++    """
++    soon = (timeutils.utcnow() + datetime.timedelta(seconds=30))
++    return expiry < soon
++
++
++class InvalidUserToken(Exception):
++    pass
++
++
++class ServiceError(Exception):
++    pass
++
++
++class ConfigurationError(Exception):
++    pass
++
++
++class AuthProtocol(object):
++    """Auth Middleware that handles authenticating client calls."""
++
++    def __init__(self, app, conf):
++        LOG.info('Starting keystone auth_token middleware')
++        self.conf = conf
++        self.app = app
++
++        # delay_auth_decision means we still allow unauthenticated requests
++        # through and we let the downstream service make the final decision
++        self.delay_auth_decision = (self._conf_get('delay_auth_decision') in
++                                    (True, 'true', 't', '1', 'on', 'yes', 'y'))
++
++        # where to find the auth service (we use this to validate tokens)
++        self.auth_host = self._conf_get('auth_host')
++        self.auth_port = int(self._conf_get('auth_port'))
++        self.auth_protocol = self._conf_get('auth_protocol')
++        if self.auth_protocol == 'http':
++            self.http_client_class = httplib.HTTPConnection
++        else:
++            self.http_client_class = httplib.HTTPSConnection
++
++        self.auth_admin_prefix = self._conf_get('auth_admin_prefix')
++        self.auth_uri = self._conf_get('auth_uri')
++        if self.auth_uri is None:
++            self.auth_uri = '%s://%s:%s' % (self.auth_protocol,
++                                            self.auth_host,
++                                            self.auth_port)
++
++        # SSL
++        self.cert_file = self._conf_get('certfile')
++        self.key_file = self._conf_get('keyfile')
++
++        #signing
++        self.signing_dirname = self._conf_get('signing_dir')
++        if self.signing_dirname is None:
++            self.signing_dirname = '%s/keystone-signing' % os.environ['HOME']
++        LOG.info('Using %s as cache directory for signing certificate' %
++                 self.signing_dirname)
++        if (os.path.exists(self.signing_dirname) and
++                not os.access(self.signing_dirname, os.W_OK)):
++                raise ConfigurationError("unable to access signing dir %s" %
++                                         self.signing_dirname)
++
++        if not os.path.exists(self.signing_dirname):
++            os.makedirs(self.signing_dirname)
++        #will throw IOError  if it cannot change permissions
++        os.chmod(self.signing_dirname, stat.S_IRWXU)
++
++        val = '%s/signing_cert.pem' % self.signing_dirname
++        self.signing_cert_file_name = val
++        val = '%s/cacert.pem' % self.signing_dirname
++        self.ca_file_name = val
++        val = '%s/revoked.pem' % self.signing_dirname
++        self.revoked_file_name = val
++
++        # Credentials used to verify this component with the Auth service since
++        # validating tokens is a privileged call
++        self.admin_token = self._conf_get('admin_token')
++        self.admin_token_expiry = None
++        self.admin_user = self._conf_get('admin_user')
++        self.admin_password = self._conf_get('admin_password')
++        self.admin_tenant_name = self._conf_get('admin_tenant_name')
++
++        # Token caching via memcache
++        self._cache = None
++        self._iso8601 = None
++        memcache_servers = self._conf_get('memcache_servers')
++        # By default the token will be cached for 5 minutes
++        self.token_cache_time = int(self._conf_get('token_cache_time'))
++        self._token_revocation_list = None
++        self._token_revocation_list_fetched_time = None
++        cache_timeout = datetime.timedelta(seconds=0)
++        self.token_revocation_list_cache_timeout = cache_timeout
++        if memcache_servers:
++            try:
++                import memcache
++                import iso8601
++                LOG.info('Using memcache for caching token')
++                self._cache = memcache.Client(memcache_servers.split(','))
++                self._iso8601 = iso8601
++            except ImportError as e:
++                LOG.warn('disabled caching due to missing libraries %s', e)
++
++    def _conf_get(self, name):
++        # try config from paste-deploy first
++        if name in self.conf:
++            return self.conf[name]
++        else:
++            return CONF.keystone_authtoken[name]
++
++    def __call__(self, env, start_response):
++        """Handle incoming request.
++
++        Authenticate send downstream on success. Reject request if
++        we can't authenticate.
++
++        """
++        LOG.debug('Authenticating user token')
++        try:
++            self._remove_auth_headers(env)
++            user_token = self._get_user_token_from_header(env)
++            token_info = self._validate_user_token(user_token)
++            env['keystone.token_info'] = token_info
++            user_headers = self._build_user_headers(token_info)
++            self._add_headers(env, user_headers)
++            return self.app(env, start_response)
++
++        except InvalidUserToken:
++            if self.delay_auth_decision:
++                LOG.info('Invalid user token - deferring reject downstream')
++                self._add_headers(env, {'X-Identity-Status': 'Invalid'})
++                return self.app(env, start_response)
++            else:
++                LOG.info('Invalid user token - rejecting request')
++                return self._reject_request(env, start_response)
++
++        except ServiceError as e:
++            LOG.critical('Unable to obtain admin token: %s' % e)
++            resp = webob.exc.HTTPServiceUnavailable()
++            return resp(env, start_response)
++
++    def _remove_auth_headers(self, env):
++        """Remove headers so a user can't fake authentication.
++
++        :param env: wsgi request environment
++
++        """
++        auth_headers = (
++            'X-Identity-Status',
++            'X-Tenant-Id',
++            'X-Tenant-Name',
++            'X-User-Id',
++            'X-User-Name',
++            'X-Roles',
++            'X-Service-Catalog',
++            # Deprecated
++            'X-User',
++            'X-Tenant',
++            'X-Role',
++        )
++        LOG.debug('Removing headers from request environment: %s' %
++                  ','.join(auth_headers))
++        self._remove_headers(env, auth_headers)
++
++    def _get_user_token_from_header(self, env):
++        """Get token id from request.
++
++        :param env: wsgi request environment
++        :return token id
++        :raises InvalidUserToken if no token is provided in request
++
++        """
++        token = self._get_header(env, 'X-Auth-Token',
++                                 self._get_header(env, 'X-Storage-Token'))
++        if token:
++            return token
++        else:
++            LOG.warn("Unable to find authentication token in headers: %s", env)
++            raise InvalidUserToken('Unable to find token in headers')
++
++    def _reject_request(self, env, start_response):
++        """Redirect client to auth server.
++
++        :param env: wsgi request environment
++        :param start_response: wsgi response callback
++        :returns HTTPUnauthorized http response
++
++        """
++        headers = [('WWW-Authenticate', 'Keystone uri=\'%s\'' % self.auth_uri)]
++        resp = webob.exc.HTTPUnauthorized('Authentication required', headers)
++        return resp(env, start_response)
++
++    def get_admin_token(self):
++        """Return admin token, possibly fetching a new one.
++
++        if self.admin_token_expiry is set from fetching an admin token, check
++        it for expiration, and request a new token is the existing token
++        is about to expire.
++
++        :return admin token id
++        :raise ServiceError when unable to retrieve token from keystone
++
++        """
++        if self.admin_token_expiry:
++            if will_expire_soon(self.admin_token_expiry):
++                self.admin_token = None
++
++        if not self.admin_token:
++            (self.admin_token,
++             self.admin_token_expiry) = self._request_admin_token()
++
++        return self.admin_token
++
++    def _get_http_connection(self):
++        if self.auth_protocol == 'http':
++            return self.http_client_class(self.auth_host, self.auth_port)
++        else:
++            return self.http_client_class(self.auth_host,
++                                          self.auth_port,
++                                          self.key_file,
++                                          self.cert_file)
++
++    def _http_request(self, method, path):
++        """HTTP request helper used to make unspecified content type requests.
++
++        :param method: http method
++        :param path: relative request url
++        :return (http response object)
++        :raise ServerError when unable to communicate with keystone
++
++        """
++        conn = self._get_http_connection()
++
++        try:
++            conn.request(method, path)
++            response = conn.getresponse()
++            body = response.read()
++        except Exception as e:
++            LOG.error('HTTP connection exception: %s' % e)
++            raise ServiceError('Unable to communicate with keystone')
++        finally:
++            conn.close()
++
++        return response, body
++
++    def _json_request(self, method, path, body=None, additional_headers=None):
++        """HTTP request helper used to make json requests.
++
++        :param method: http method
++        :param path: relative request url
++        :param body: dict to encode to json as request body. Optional.
++        :param additional_headers: dict of additional headers to send with
++                                   http request. Optional.
++        :return (http response object, response body parsed as json)
++        :raise ServerError when unable to communicate with keystone
++
++        """
++        conn = self._get_http_connection()
++
++        kwargs = {
++            'headers': {
++                'Content-type': 'application/json',
++                'Accept': 'application/json',
++            },
++        }
++
++        if additional_headers:
++            kwargs['headers'].update(additional_headers)
++
++        if body:
++            kwargs['body'] = jsonutils.dumps(body)
++
++        full_path = self.auth_admin_prefix + path
++        try:
++            conn.request(method, full_path, **kwargs)
++            response = conn.getresponse()
++            body = response.read()
++        except Exception as e:
++            LOG.error('HTTP connection exception: %s' % e)
++            raise ServiceError('Unable to communicate with keystone')
++        finally:
++            conn.close()
++
++        try:
++            data = jsonutils.loads(body)
++        except ValueError:
++            LOG.debug('Keystone did not return json-encoded body')
++            data = {}
++
++        return response, data
++
++    def _request_admin_token(self):
++        """Retrieve new token as admin user from keystone.
++
++        :return token id upon success
++        :raises ServerError when unable to communicate with keystone
++
++        """
++        params = {
++            'auth': {
++                'passwordCredentials': {
++                    'username': self.admin_user,
++                    'password': self.admin_password,
++                },
++                'tenantName': self.admin_tenant_name,
++            }
++        }
++
++        response, data = self._json_request('POST',
++                                            '/v2.0/tokens',
++                                            body=params)
++
++        try:
++            token = data['access']['token']['id']
++            expiry = data['access']['token']['expires']
++            assert token
++            assert expiry
++            datetime_expiry = timeutils.parse_isotime(expiry)
++            return (token, timeutils.normalize_time(datetime_expiry))
++        except (AssertionError, KeyError):
++            LOG.warn("Unexpected response from keystone service: %s", data)
++            raise ServiceError('invalid json response')
++        except (ValueError):
++            LOG.warn("Unable to parse expiration time from token: %s", data)
++            raise ServiceError('invalid json response')
++
++    def _validate_user_token(self, user_token, retry=True):
++        """Authenticate user using PKI
++
++        :param user_token: user's token id
++        :param retry: Ignored, as it is not longer relevant
++        :return uncrypted body of the token if the token is valid
++        :raise InvalidUserToken if token is rejected
++        :no longer raises ServiceError since it no longer makes RPC
++
++        """
++        try:
++            token_id = cms.cms_hash_token(user_token)
++            cached = self._cache_get(token_id)
++            if cached:
++                return cached
++            if cms.is_ans1_token(user_token):
++                verified = self.verify_signed_token(user_token)
++                data = json.loads(verified)
++            else:
++                data = self.verify_uuid_token(user_token, retry)
++            self._cache_put(token_id, data)
++            return data
++        except Exception as e:
++            LOG.debug('Token validation failure.', exc_info=True)
++            self._cache_store_invalid(user_token)
++            LOG.warn("Authorization failed for token %s", user_token)
++            raise InvalidUserToken('Token authorization failed')
++
++    def _build_user_headers(self, token_info):
++        """Convert token object into headers.
++
++        Build headers that represent authenticated user:
++         * X_IDENTITY_STATUS: Confirmed or Invalid
++         * X_TENANT_ID: id of tenant if tenant is present
++         * X_TENANT_NAME: name of tenant if tenant is present
++         * X_USER_ID: id of user
++         * X_USER_NAME: name of user
++         * X_ROLES: list of roles
++         * X_SERVICE_CATALOG: service catalog
++
++        Additional (deprecated) headers include:
++         * X_USER: name of user
++         * X_TENANT: For legacy compatibility before we had ID and Name
++         * X_ROLE: list of roles
++
++        :param token_info: token object returned by keystone on authentication
++        :raise InvalidUserToken when unable to parse token object
++
++        """
++        user = token_info['access']['user']
++        token = token_info['access']['token']
++        roles = ','.join([role['name'] for role in user.get('roles', [])])
++
++        def get_tenant_info():
++            """Returns a (tenant_id, tenant_name) tuple from context."""
++            def essex():
++                """Essex puts the tenant ID and name on the token."""
++                return (token['tenant']['id'], token['tenant']['name'])
++
++            def pre_diablo():
++                """Pre-diablo, Keystone only provided tenantId."""
++                return (token['tenantId'], token['tenantId'])
++
++            def default_tenant():
++                """Assume the user's default tenant."""
++                return (user['tenantId'], user['tenantName'])
++
++            for method in [essex, pre_diablo, default_tenant]:
++                try:
++                    return method()
++                except KeyError:
++                    pass
++
++            raise InvalidUserToken('Unable to determine tenancy.')
++
++        tenant_id, tenant_name = get_tenant_info()
++
++        user_id = user['id']
++        user_name = user['name']
++
++        rval = {
++            'X-Identity-Status': 'Confirmed',
++            'X-Tenant-Id': tenant_id,
++            'X-Tenant-Name': tenant_name,
++            'X-User-Id': user_id,
++            'X-User-Name': user_name,
++            'X-Roles': roles,
++            # Deprecated
++            'X-User': user_name,
++            'X-Tenant': tenant_name,
++            'X-Role': roles,
++        }
++
++        try:
++            catalog = token_info['access']['serviceCatalog']
++            rval['X-Service-Catalog'] = jsonutils.dumps(catalog)
++        except KeyError:
++            pass
++
++        return rval
++
++    def _header_to_env_var(self, key):
++        """Convert header to wsgi env variable.
++
++        :param key: http header name (ex. 'X-Auth-Token')
++        :return wsgi env variable name (ex. 'HTTP_X_AUTH_TOKEN')
++
++        """
++        return 'HTTP_%s' % key.replace('-', '_').upper()
++
++    def _add_headers(self, env, headers):
++        """Add http headers to environment."""
++        for (k, v) in headers.iteritems():
++            env_key = self._header_to_env_var(k)
++            env[env_key] = v
++
++    def _remove_headers(self, env, keys):
++        """Remove http headers from environment."""
++        for k in keys:
++            env_key = self._header_to_env_var(k)
++            try:
++                del env[env_key]
++            except KeyError:
++                pass
++
++    def _get_header(self, env, key, default=None):
++        """Get http header from environment."""
++        env_key = self._header_to_env_var(key)
++        return env.get(env_key, default)
++
++    def _cache_get(self, token):
++        """Return token information from cache.
++
++        If token is invalid raise InvalidUserToken
++        return token only if fresh (not expired).
++        """
++        if self._cache and token:
++            key = 'tokens/%s' % token
++            cached = self._cache.get(key)
++            if cached == 'invalid':
++                LOG.debug('Cached Token %s is marked unauthorized', token)
++                raise InvalidUserToken('Token authorization failed')
++            if cached:
++                data, expires = cached
++                if time.time() < float(expires):
++                    LOG.debug('Returning cached token %s', token)
++                    return data
++                else:
++                    LOG.debug('Cached Token %s seems expired', token)
++
++    def _cache_put(self, token, data):
++        """Put token data into the cache.
++
++        Stores the parsed expire date in cache allowing
++        quick check of token freshness on retrieval.
++        """
++        if self._cache and data:
++            key = 'tokens/%s' % token
++            if 'token' in data.get('access', {}):
++                timestamp = data['access']['token']['expires']
++                expires = self._iso8601.parse_date(timestamp).strftime('%s')
++            else:
++                LOG.error('invalid token format')
++                return
++            LOG.debug('Storing %s token in memcache', token)
++            self._cache.set(key,
++                            (data, expires),
++                            time=self.token_cache_time)
++
++    def _cache_store_invalid(self, token):
++        """Store invalid token in cache."""
++        if self._cache:
++            key = 'tokens/%s' % token
++            LOG.debug('Marking token %s as unauthorized in memcache', token)
++            self._cache.set(key,
++                            'invalid',
++                            time=self.token_cache_time)
++
++    def cert_file_missing(self, called_proc_err, file_name):
++        return (called_proc_err.output.find(file_name)
++                and not os.path.exists(file_name))
++
++    def verify_uuid_token(self, user_token, retry=True):
++        """Authenticate user token with keystone.
++
++        :param user_token: user's token id
++        :param retry: flag that forces the middleware to retry
++                      user authentication when an indeterminate
++                      response is received. Optional.
++        :return token object received from keystone on success
++        :raise InvalidUserToken if token is rejected
++        :raise ServiceError if unable to authenticate token
++
++        """
++
++        headers = {'X-Auth-Token': self.get_admin_token()}
++        response, data = self._json_request('GET',
++                                            '/v2.0/tokens/%s' % user_token,
++                                            additional_headers=headers)
++
++        if response.status == 200:
++            self._cache_put(user_token, data)
++            return data
++        if response.status == 404:
++            # FIXME(ja): I'm assuming the 404 status means that user_token is
++            #            invalid - not that the admin_token is invalid
++            self._cache_store_invalid(user_token)
++            LOG.warn("Authorization failed for token %s", user_token)
++            raise InvalidUserToken('Token authorization failed')
++        if response.status == 401:
++            LOG.info('Keystone rejected admin token %s, resetting', headers)
++            self.admin_token = None
++        else:
++            LOG.error('Bad response code while validating token: %s' %
++                      response.status)
++        if retry:
++            LOG.info('Retrying validation')
++            return self._validate_user_token(user_token, False)
++        else:
++            LOG.warn("Invalid user token: %s. Keystone response: %s.",
++                     user_token, data)
++
++            raise InvalidUserToken()
++
++    def is_signed_token_revoked(self, signed_text):
++        """Indicate whether the token appears in the revocation list."""
++        revocation_list = self.token_revocation_list
++        revoked_tokens = revocation_list.get('revoked', [])
++        if not revoked_tokens:
++            return
++        revoked_ids = (x['id'] for x in revoked_tokens)
++        token_id = utils.hash_signed_token(signed_text)
++        for revoked_id in revoked_ids:
++            if token_id == revoked_id:
++                LOG.debug('Token %s is marked as having been revoked',
++                          token_id)
++                return True
++        return False
++
++    def cms_verify(self, data):
++        """Verifies the signature of the provided data's IAW CMS syntax.
++
++        If either of the certificate files are missing, fetch them and
++        retry.
++        """
++        while True:
++            try:
++                output = cms.cms_verify(data, self.signing_cert_file_name,
++                                        self.ca_file_name)
++            except cms.subprocess.CalledProcessError as err:
++                if self.cert_file_missing(err, self.signing_cert_file_name):
++                    self.fetch_signing_cert()
++                    continue
++                if self.cert_file_missing(err, self.ca_file_name):
++                    self.fetch_ca_cert()
++                    continue
++                raise err
++            return output
++
++    def verify_signed_token(self, signed_text):
++        """Check that the token is unrevoked and has a valid signature."""
++        if self.is_signed_token_revoked(signed_text):
++            raise InvalidUserToken('Token has been revoked')
++
++        formatted = cms.token_to_cms(signed_text)
++        return self.cms_verify(formatted)
++
++    @property
++    def token_revocation_list_fetched_time(self):
++        if not self._token_revocation_list_fetched_time:
++            # If the fetched list has been written to disk, use its
++            # modification time.
++            if os.path.exists(self.revoked_file_name):
++                mtime = os.path.getmtime(self.revoked_file_name)
++                fetched_time = datetime.datetime.fromtimestamp(mtime)
++            # Otherwise the list will need to be fetched.
++            else:
++                fetched_time = datetime.datetime.min
++            self._token_revocation_list_fetched_time = fetched_time
++        return self._token_revocation_list_fetched_time
++
++    @token_revocation_list_fetched_time.setter
++    def token_revocation_list_fetched_time(self, value):
++        self._token_revocation_list_fetched_time = value
++
++    @property
++    def token_revocation_list(self):
++        timeout = (self.token_revocation_list_fetched_time +
++                   self.token_revocation_list_cache_timeout)
++        list_is_current = timeutils.utcnow() < timeout
++        if list_is_current:
++            # Load the list from disk if required
++            if not self._token_revocation_list:
++                with open(self.revoked_file_name, 'r') as f:
++                    self._token_revocation_list = jsonutils.loads(f.read())
++        else:
++            self.token_revocation_list = self.fetch_revocation_list()
++        return self._token_revocation_list
++
++    @token_revocation_list.setter
++    def token_revocation_list(self, value):
++        """Save a revocation list to memory and to disk.
++
++        :param value: A json-encoded revocation list
++
++        """
++        self._token_revocation_list = jsonutils.loads(value)
++        self.token_revocation_list_fetched_time = timeutils.utcnow()
++        with open(self.revoked_file_name, 'w') as f:
++            f.write(value)
++
++    def fetch_revocation_list(self, retry=True):
++        headers = {'X-Auth-Token': self.get_admin_token()}
++        response, data = self._json_request('GET', '/v2.0/tokens/revoked',
++                                            additional_headers=headers)
++        if response.status == 401:
++            if retry:
++                LOG.info('Keystone rejected admin token %s, resetting admin '
++                         'token', headers)
++                self.admin_token = None
++                return self.fetch_revocation_list(retry=False)
++        if response.status != 200:
++            raise ServiceError('Unable to fetch token revocation list.')
++        if (not 'signed' in data):
++            raise ServiceError('Revocation list inmproperly formatted.')
++        return self.cms_verify(data['signed'])
++
++    def fetch_signing_cert(self):
++        response, data = self._http_request('GET',
++                                            '/v2.0/certificates/signing')
++        try:
++            #todo check response
++            certfile = open(self.signing_cert_file_name, 'w')
++            certfile.write(data)
++            certfile.close()
++        except (AssertionError, KeyError):
++            LOG.warn("Unexpected response from keystone service: %s", data)
++            raise ServiceError('invalid json response')
++
++    def fetch_ca_cert(self):
++        response, data = self._http_request('GET',
++                                            '/v2.0/certificates/ca')
++        try:
++            #todo check response
++            certfile = open(self.ca_file_name, 'w')
++            certfile.write(data)
++            certfile.close()
++        except (AssertionError, KeyError):
++            LOG.warn("Unexpected response from keystone service: %s", data)
++            raise ServiceError('invalid json response')
++
++
++def filter_factory(global_conf, **local_conf):
++    """Returns a WSGI filter app for use with paste.deploy."""
++    conf = global_conf.copy()
++    conf.update(local_conf)
++
++    def auth_filter(app):
++        return AuthProtocol(app, conf)
++    return auth_filter
++
++
++def app_factory(global_conf, **local_conf):
++    conf = global_conf.copy()
++    conf.update(local_conf)
++    return AuthProtocol(None, conf)
 === added file 'keystoneclient/middleware/test.py'
 --- keystoneclient/middleware/test.py	1970-01-01 00:00:00 +0000
 +++ keystoneclient/middleware/test.py	2012-11-30 14:11:19 +0000
@@ -0,0 +1,67 @@
++# vim: tabstop=4 shiftwidth=4 softtabstop=4
++
++# Copyright 2012 OpenStack LLC
++#
++# Licensed under the Apache License, Version 2.0 (the "License"); you may
++# not use this file except in compliance with the License. You may obtain
++# a copy of the License at
++#
++#      http://www.apache.org/licenses/LICENSE-2.0
++#
++# Unless required by applicable law or agreed to in writing, software
++# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
++# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
++# License for the specific language governing permissions and limitations
++# under the License.
++
++#
++# Test support for middleware authentication
++#
++
++import os
++import sys
++
++
++ROOTDIR = os.path.dirname(os.path.abspath(os.curdir))
++
++
++def rootdir(*p):
++    return os.path.join(ROOTDIR, *p)
++
++
++class NoModule(object):
++    """A mixin class to provide support for unloading/disabling modules."""
++
++    def __init__(self, *args, **kw):
++        super(NoModule, self).__init__(*args, **kw)
++        self._finders = []
++        self._cleared_modules = {}
++
++    def tearDown(self):
++        super(NoModule, self).tearDown()
++        for finder in self._finders:
++            sys.meta_path.remove(finder)
++        sys.modules.update(self._cleared_modules)
++
++    def clear_module(self, module):
++        cleared_modules = {}
++        for fullname in sys.modules.keys():
++            if fullname == module or fullname.startswith(module + '.'):
++                cleared_modules[fullname] = sys.modules.pop(fullname)
++        return cleared_modules
++
++    def disable_module(self, module):
++        """Ensure ImportError for the specified module."""
++
++        # Clear 'module' references in sys.modules
++        self._cleared_modules.update(self.clear_module(module))
++
++        # Disallow further imports of 'module'
++        class NoModule(object):
++            def find_module(self, fullname, path):
++                if fullname == module or fullname.startswith(module + '.'):
++                    raise ImportError
++
++        finder = NoModule()
++        self._finders.append(finder)
++        sys.meta_path.insert(0, finder)
 === added file 'keystoneclient/openstack/common/cfg.py'
 --- keystoneclient/openstack/common/cfg.py	1970-01-01 00:00:00 +0000
 +++ keystoneclient/openstack/common/cfg.py	2012-11-30 14:11:19 +0000
@@ -0,0 +1,1653 @@
++# vim: tabstop=4 shiftwidth=4 softtabstop=4
++
++# Copyright 2012 Red Hat, Inc.
++#
++#    Licensed under the Apache License, Version 2.0 (the "License"); you may
++#    not use this file except in compliance with the License. You may obtain
++#    a copy of the License at
++#
++#         http://www.apache.org/licenses/LICENSE-2.0
++#
++#    Unless required by applicable law or agreed to in writing, software
++#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
++#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
++#    License for the specific language governing permissions and limitations
++#    under the License.
++
++r"""
++Configuration options which may be set on the command line or in config files.
++
++The schema for each option is defined using the Opt sub-classes, e.g.:
++
++::
++
++    common_opts = [
++        cfg.StrOpt('bind_host',
++                   default='0.0.0.0',
++                   help='IP address to listen on'),
++        cfg.IntOpt('bind_port',
++                   default=9292,
++                   help='Port number to listen on')
++    ]
++
++Options can be strings, integers, floats, booleans, lists or 'multi strings'::
++
++    enabled_apis_opt = cfg.ListOpt('enabled_apis',
++                                   default=['ec2', 'osapi_compute'],
++                                   help='List of APIs to enable by default')
++
++    DEFAULT_EXTENSIONS = [
++        'nova.api.openstack.compute.contrib.standard_extensions'
++    ]
++    osapi_compute_extension_opt = cfg.MultiStrOpt('osapi_compute_extension',
++                                                  default=DEFAULT_EXTENSIONS)
++
++Option schemas are registered with the config manager at runtime, but before
++the option is referenced::
++
++    class ExtensionManager(object):
++
++        enabled_apis_opt = cfg.ListOpt(...)
++
++        def __init__(self, conf):
++            self.conf = conf
++            self.conf.register_opt(enabled_apis_opt)
++            ...
++
++        def _load_extensions(self):
++            for ext_factory in self.conf.osapi_compute_extension:
++                ....
++
++A common usage pattern is for each option schema to be defined in the module or
++class which uses the option::
++
++    opts = ...
++
++    def add_common_opts(conf):
++        conf.register_opts(opts)
++
++    def get_bind_host(conf):
++        return conf.bind_host
++
++    def get_bind_port(conf):
++        return conf.bind_port
++
++An option may optionally be made available via the command line. Such options
++must registered with the config manager before the command line is parsed (for
++the purposes of --help and CLI arg validation)::
++
++    cli_opts = [
++        cfg.BoolOpt('verbose',
++                    short='v',
++                    default=False,
++                    help='Print more verbose output'),
++        cfg.BoolOpt('debug',
++                    short='d',
++                    default=False,
++                    help='Print debugging output'),
++    ]
++
++    def add_common_opts(conf):
++        conf.register_cli_opts(cli_opts)
++
++The config manager has two CLI options defined by default, --config-file
++and --config-dir::
++
++    class ConfigOpts(object):
++
++        def __call__(self, ...):
++
++            opts = [
++                MultiStrOpt('config-file',
++                        ...),
++                StrOpt('config-dir',
++                       ...),
++            ]
++
++            self.register_cli_opts(opts)
++
++Option values are parsed from any supplied config files using
++openstack.common.iniparser. If none are specified, a default set is used
++e.g. glance-api.conf and glance-common.conf::
++
++    glance-api.conf:
++      [DEFAULT]
++      bind_port = 9292
++
++    glance-common.conf:
++      [DEFAULT]
++      bind_host = 0.0.0.0
++
++Option values in config files override those on the command line. Config files
++are parsed in order, with values in later files overriding those in earlier
++files.
++
++The parsing of CLI args and config files is initiated by invoking the config
++manager e.g.::
++
++    conf = ConfigOpts()
++    conf.register_opt(BoolOpt('verbose', ...))
++    conf(sys.argv[1:])
++    if conf.verbose:
++        ...
++
++Options can be registered as belonging to a group::
++
++    rabbit_group = cfg.OptGroup(name='rabbit',
++                                title='RabbitMQ options')
++
++    rabbit_host_opt = cfg.StrOpt('host',
++                                 default='localhost',
++                                 help='IP/hostname to listen on'),
++    rabbit_port_opt = cfg.IntOpt('port',
++                                 default=5672,
++                                 help='Port number to listen on')
++
++    def register_rabbit_opts(conf):
++        conf.register_group(rabbit_group)
++        # options can be registered under a group in either of these ways:
++        conf.register_opt(rabbit_host_opt, group=rabbit_group)
++        conf.register_opt(rabbit_port_opt, group='rabbit')
++
++If it no group attributes are required other than the group name, the group
++need not be explicitly registered e.g.
++
++    def register_rabbit_opts(conf):
++        # The group will automatically be created, equivalent calling::
++        #   conf.register_group(OptGroup(name='rabbit'))
++        conf.register_opt(rabbit_port_opt, group='rabbit')
++
++If no group is specified, options belong to the 'DEFAULT' section of config
++files::
++
++    glance-api.conf:
++      [DEFAULT]
++      bind_port = 9292
++      ...
++
++      [rabbit]
++      host = localhost
++      port = 5672
++      use_ssl = False
++      userid = guest
++      password = guest
++      virtual_host = /
++
++Command-line options in a group are automatically prefixed with the
++group name::
++
++    --rabbit-host localhost --rabbit-port 9999
++
++Option values in the default group are referenced as attributes/properties on
++the config manager; groups are also attributes on the config manager, with
++attributes for each of the options associated with the group::
++
++    server.start(app, conf.bind_port, conf.bind_host, conf)
++
++    self.connection = kombu.connection.BrokerConnection(
++        hostname=conf.rabbit.host,
++        port=conf.rabbit.port,
++        ...)
++
++Option values may reference other values using PEP 292 string substitution::
++
++    opts = [
++        cfg.StrOpt('state_path',
++                   default=os.path.join(os.path.dirname(__file__), '../'),
++                   help='Top-level directory for maintaining nova state'),
++        cfg.StrOpt('sqlite_db',
++                   default='nova.sqlite',
++                   help='file name for sqlite'),
++        cfg.StrOpt('sql_connection',
++                   default='sqlite:///$state_path/$sqlite_db',
++                   help='connection string for sql database'),
++    ]
++
++Note that interpolation can be avoided by using '$$'.
++
++For command line utilities that dispatch to other command line utilities, the
++disable_interspersed_args() method is available. If this this method is called,
++then parsing e.g.::
++
++  script --verbose cmd --debug /tmp/mything
++
++will no longer return::
++
++  ['cmd', '/tmp/mything']
++
++as the leftover arguments, but will instead return::
++
++  ['cmd', '--debug', '/tmp/mything']
++
++i.e. argument parsing is stopped at the first non-option argument.
++
++Options may be declared as required so that an error is raised if the user
++does not supply a value for the option.
++
++Options may be declared as secret so that their values are not leaked into
++log files:
++
++     opts = [
++        cfg.StrOpt('s3_store_access_key', secret=True),
++        cfg.StrOpt('s3_store_secret_key', secret=True),
++        ...
++     ]

Ubuntupython-keystoneclient package

Merge lp:~zulcss/ubuntu/precise/python-keystoneclient/new into lp:~ubuntu-cloud-archive/ubuntu/precise/python-keystoneclient/trunk

Commit Message

Description of the Change

Preview Diff

Subscribers

Ubuntu
python-keystoneclient package