f623801860
TL;DR: To support upgrades, we need to make sure _member_ role is still assigned to the admin user if that role assignment existed before the undercloud was upgraded. Background: Until fairly recently, keystone created a _member_ role and this was applied to all users, including the admin role used for overcloud deployments. This creates a problem on upgrade however, because puppet isn't aware of any existing role assignments, hence it deletes them, and heat contains a reference to a keystone trust, which expects to delegate this role (by default all roles are delegated, so on an older deployment the trust will delegate _member_ and admin). The _member_ role is not needed anymore by new deployments, and is no longer created, so we need to detect the existence of this legacy role, and apply it only for environments where it exists - we can safely ignore connection errors trying to connect to keystone and read the roles during an intial deployment, because no new deployments should ever contain the _member_ role, it's only an upgrade issue. This patch is a Puppet collector, that will collect the admin role assignement resource, and makes sure we assign both admin and _member_ based on a flag set by undercloud.py that is passed via hiera. Closes-Bug: #1571708 Co-Authored-By: Steven Hardy <shardy@redhat.com> Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com> Change-Id: I06ccdeb01e0aa69754855a0dcae3087725399583
12 lines
238 B
Plaintext
12 lines
238 B
Plaintext
six>=1.9.0
|
|
python-keystoneclient>=2.0.0,!=2.1.0 # Apache-2.0
|
|
python-novaclient
|
|
python-mistralclient>=2.0.0 # Apache-2.0
|
|
oslo.config
|
|
psutil>=1.1.1,<2.0.0
|
|
netaddr>=0.7.12,!=0.7.16
|
|
pystache
|
|
os-cloud-config
|
|
os-refresh-config
|
|
os-apply-config
|