openstack/charm-keystone
Code Issues Proposed changes
Files
0a02c30fe5f4650235519897b71588ae22fa0971
charm-keystone/templates/ocata/keystone.conf
Frode Nordahl 0a02c30fe5 Replace use of admin_token with Keystone bootstrap 
Stop the use of the admin_token and use the bootstrap process
to initialize Keystone instead.  Fortunately the implementation
of the bootstrap process is both idempotent when it needs to be
and it can be safely called on an existing deployment.

Subsequently we can migrate by just removing the admin_token
from the configuration and create new credentials for use by
the charm with a call to ``keystone-manage bootstrap``.

Remove configuration templates for versions prior to Mitaka, by
doing this we need to move any configuration initially defined
prior to Miataka forward to the ``templates/mitaka`` folder.

A side effect of this migration is that newly bootstrapped
deployments will get their ``default`` domain created with a
literal ID of ``default``.  Prior to this change third party
software making assumptions about that being the case may have
had issues.

Closes-Bug: #1859844
Closes-Bug: #1837113
Related-Bug: #1774733
Closes-Bug: #1648719
Closes-Bug: #1578678
Func-Test-Pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/191
Change-Id: I23940720c24527ee34149f035c3bdf9ff54812c9
2020-03-13 09:52:10 +01:00

136 lines
3.0 KiB
Plaintext
Raw Blame History

# ocata
###############################################################################
# [ WARNING ]
# Configuration file maintained by Juju. Local changes may be overwritten.
###############################################################################
[DEFAULT]
use_syslog = {{ use_syslog }}
log_config_append = {{ log_config }}
debug = {{ debug }}
public_endpoint = {{ public_endpoint }}
admin_endpoint = {{ admin_endpoint }}
[database]
{% if database_host -%}
connection = {{ database_type }}://{{ database_user }}:{{ database_password }}@{{ database_host }}/{{ database }}{% if database_ssl_ca %}?ssl_ca={{ database_ssl_ca }}{% if database_ssl_cert %}&ssl_cert={{ database_ssl_cert }}&ssl_key={{ database_ssl_key }}{% endif %}{% endif %}
{% else -%}
connection = sqlite:////var/lib/keystone/keystone.db
{% endif -%}
connection_recycle_time = 200
[identity]
driver = {{ identity_backend }}
{% if default_domain_id -%}
default_domain_id = {{ default_domain_id }}
{% endif -%}
{% if api_version == 3 -%}
domain_specific_drivers_enabled = True
domain_config_dir = {{ domain_config_dir }}
{% endif -%}
[credential]
driver = sql
[trust]
driver = sql
[os_inherit]
[catalog]
driver = sql
[endpoint_filter]
[token]
{% if token_provider == 'fernet' -%}
provider = fernet
{% else -%}
driver = sql
provider = uuid
{% endif -%}
expiration = {{ token_expiration }}
{% if token_provider == 'fernet' -%}
[fernet_tokens]
max_active_keys = {{ fernet_max_active_keys }}
{% endif -%}
{% include "parts/section-signing" %}
{% include "section-oslo-cache" %}
[policy]
driver = sql
[assignment]
driver = {{ assignment_backend }}
[oauth1]
{% if middlewares -%}
{% include "parts/section-middleware" %}
{% else %}
[auth]
methods = external,password,token,oauth1,mapped,openid,totp
password = keystone.auth.plugins.password.Password
{% endif %}
[paste_deploy]
config_file = {{ paste_config_file }}
[extra_headers]
Distribution = Ubuntu
[ldap]
{% if identity_backend == 'ldap' -%}
url = {{ ldap_server }}
user = {{ ldap_user }}
password = {{ ldap_password }}
suffix = {{ ldap_suffix }}
{% if ldap_config_flags -%}
{% for key, value in ldap_config_flags.items() -%}
{{ key }} = {{ value }}
{% endfor -%}
{% endif -%}
{% if ldap_readonly -%}
user_allow_create = False
user_allow_update = False
user_allow_delete = False
tenant_allow_create = False
tenant_allow_update = False
tenant_allow_delete = False
role_allow_create = False
role_allow_update = False
role_allow_delete = False
group_allow_create = False
group_allow_update = False
group_allow_delete = False
{% endif -%}
{% endif -%}
{% if api_version == 3 %}
[resource]
admin_project_domain_name = {{ admin_domain_name }}
admin_project_name = admin
{% endif -%}
{% if password_security_compliance %}
[security_compliance]
{% for k, v in password_security_compliance.items() -%}
{{ k }} = {{ v }}
{% endfor -%}
{% endif -%}
{% include "parts/section-federation" %}
{% include "section-oslo-middleware" %}
# This goes in the section above, selectively
# Bug #1819134
max_request_body_size = 114688
View Git Blame Copy Permalink