Ensures only the leader of the cluster (or service unit if multi nodes
but no hacluster) manages the data stored in the database. The leader
is also responsible for synchrnoizing on-disk copies of credentials to
all peers.
This eliminates the need for services in an Openstack deployment
to be deployed in order. Previously, keystone <-> mysql relation
needed to be established before anything else. With this change,
existing service entries are recreated in the new database for
existing relations.
This adds the ability to update a users' password via keystoneclient. This is
called for every run of ensure_initial_admin().
A basic config-changed hook is added to call ensure_initial_admin(), allowing:
- Changing the current admin user's password via
'juju set admin-password=foo'
- Defining a new admin user in the system via
'juju set admin-user=newadmin admin-password=foo'.
Note, when creating a new admin user, the previous admin user is not deleted from the system.
The new admin user can manage existing users thru the dashboard or keystoneclient.
Keystone+keystoneclient have recently changed to now throw errors when
a role is assigned to a user+tenant more than once. Account for this
by checking user+tenant's role assignments before attempting to assign.
The changes to keystone+keystoneclient happened in folsom, but this operation
is supported in the Essex release as well, so applying to the precise charm
branch to avoid an early delta between precise + quantal branches (which doesn't
exist yet).
