The Kilo release of OpenStack deprecated the eventlet wsgi server in favor of
using Apache with mod_wsgi. This change disables the keystone service and
adds a vhost to the existing Apache server to run keystone using mod_wsgi.
Change-Id: I8125d8081c14550e86cd77b25185f27f500e368b
Closes-Bug: 1515628
When checking for existing roles/users/tenants the charm was case
sensitive such that admin != Admin. However, when keystone tries to
create a role/user/tenant that exists but with different case, MySQL will
error out. OpenNFV requires that the admin user be named 'admin' with
lower case but the default is 'Admin' leading to failed deploys of
OpenStack.
This change makes the check for existence case insensitive. It does
*not* change the creation of roles/users/tenants. Therefore,
roles/users/tenants will be created unchanged but checks for existence
will still match even when case does not.
Change-Id: I49c4f5e8d0e79f64fbc8bf412341a93f4a970778
Closes-Bug: #1512984
This contains a fix against the original change id:
Ie0c5e0249bde0839345ad66f7400522754aa91ca which broke
keystone. Otherwise, the fix is the same:
The existing pause/resume functionality is enhanced with
changed charm-helpers support to check that the services
really are stopped and that paused units really stay
paused. The restart_on_change decorator is gated
such that if the unit is 'paused' then the service
is not accidentally started.
Change-Id: I6a828676be11338266845e822be087d734944da0
The existing pause/resume functionality is enhanced with
changed charm-helpers support to check that the services
really are stopped and that paused units really stay
paused. The restart_on_change decorator is gated
such that if the unit is 'paused' then the service
is not accidentally started.
Change-Id: Ie0c5e0249bde0839345ad66f7400522754aa91ca
This change adds a cron job definition to flush the keystone tokens
once every hour. Without this, the keystone database grows unbounded,
which can be problematic in production environments.
This change introduces a new keystone-token-flush templated cron job,
which will run the keystone-manage token_flush command as the keystone
user once per hour. This change honors the use-syslog setting by
sending output of the command either to the keystone-token-flush.log
file or to the syslog using the logger exec.
Only the juju service leader will have the cron job active in order to
prevent multiple units from running the token_flush concurrently.
Change-Id: I21be3b23a8fe66b67fba0654ce498d62b3afc2ac
Closes-Bug: #1467832
Aodh is part of the OpenStack Telemetry and provides alarming and
notification services based on events across an OpenStack Cloud.
Ensure that keystone understands 'aodh' and 'alarming' as valid
endpoint types.
Change-Id: Id1d9fed86ec7af2327f2d18738703290b4f833a1
This change enables the Keystone v3 API. It can be toggled on and off via the
preferred-api-version option.
When services join the identity-service relation they will be presented with a
new parameter api_version which is the maximum api version the keystone charm
supports and matches what was set via preferred-api-version.
If preferred-api-version is set to 3 then the charm will render a new
policy.json which adds support for domains etc when keystone is checking
authorisation. The new policy.json requires an admin domain to be created and
specifies that a user is classed as an admin of the whole cloud if they have
the admin role against that admin domain.
The admin domain, called admin_domain, is created by the charm. The name of
this domain is currently not user configurable. The role that enables a user to
be classed as an admin is specified by the old charm option admin-role. The
charm grants admin-role to the admin-user against the admin_domain.
Switching a deployed cloud from preferred-api-version 2 to
preferred-api-version 3 is supported. Switching from preferred-api-version 3 to
preferred-api-version 2 should work from the charm point of view but may cause
problems if there are duplicate users between domains or may have unintended
consequences like escalating the privilege of some users so is not recommended.
Change-Id: I8eec2a90e0acbf56ee72cb5036a0a21f4a77a2c3
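A pre-downgrade check for the duplicate-user risk noted in the commit message above, as an added example that is not part of that commit or the charm's code. The record layout, the function name audit_before_downgrade, the 'Admin' role value and the sample users are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data shaped like a user listing and a role-assignment
# listing; none of it comes from the charm or from a real cloud.
USERS = [
    {"id": "u1", "name": "admin", "domain": "admin_domain"},
    {"id": "u2", "name": "Admin", "domain": "tenant_a"},
    {"id": "u3", "name": "alice", "domain": "tenant_a"},
    {"id": "u4", "name": "alice", "domain": "tenant_b"},
    {"id": "u5", "name": "bob", "domain": "tenant_b"},
]
ASSIGNMENTS = [  # (user id, role, domain the role is granted against)
    ("u1", "Admin", "admin_domain"),
    ("u3", "Member", "tenant_a"),
    ("u4", "Member", "tenant_b"),
]


def audit_before_downgrade(users, assignments, admin_role="Admin",
                           admin_domain="admin_domain"):
    """Return findings for user names that exist in more than one domain.

    Names are compared case-insensitively, matching the case-insensitive
    existence check. A finding is marked 'admin_collision' when one of the
    colliding accounts holds admin_role against admin_domain, i.e. is a
    cloud admin under the v3 policy.json. admin_role is an assumed value.
    """
    cloud_admins = {
        uid for uid, role, domain in assignments
        if role.lower() == admin_role.lower() and domain == admin_domain
    }
    by_name = defaultdict(list)
    for user in users:
        by_name[user["name"].lower()].append(user)

    findings = []
    for name, group in sorted(by_name.items()):
        domains = sorted({u["domain"] for u in group})
        if len(domains) < 2:
            continue  # name is unique across domains
        findings.append({
            "name": name,
            "domains": domains,
            "admin_collision": any(u["id"] in cloud_admins for u in group),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_before_downgrade(USERS, ASSIGNMENTS):
        print(finding)
```

Any finding with admin_collision set means a non-admin account shares its name with a cloud admin and should be renamed or removed before preferred-api-version is switched from 3 to 2.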
Implemented new is_paused() and assess_status() functions, and changed
the pause and resume actions to use them. Changed existing and added new
tests to verify functionality.
CloudKitty (Rating-as-a-Service for OpenStack) requires the creation of a
service in keystone to properly work. This patch registers cloudkitty as a valid
service to enable the relation between those two charms.
MidoNet needs its low-level API to have access to the admin token.
Thus, it needs to be considered a valid service. This patch adds it
to the list of valid services so that the identity-service relation
can be completed successfully and with the admin_token.