84 Commits

Author SHA1 Message Date
generalfuzz
783bbfddcd Fix Keystone Centos 8 mod_ssl
Keystone was not loading the correct mod_ssl library in centos 8
deployment.

Change-Id: I604d675ba7ad28922f360fdc729746f99c1507b4
Partially-Implements: blueprint add-ssl-internal-network
2020-05-14 09:08:42 +00:00
James Kirsch
b475643c11 Add support for encrypting backend Keystone HAProxy traffic
This patch introduces an optional backend encryption for Keystone
service. When used in conjunction with enabling TLS for service API
endpoints, network communcation will be encrypted end to end, from
client through HAProxy to the Keystone service.

Change-Id: I6351147ddaff8b2ae629179a9bc3bae2ebac9519
Partially-Implements: blueprint add-ssl-internal-network
2020-04-09 09:22:55 +00:00
Zuul
36c2201a3b Merge "Fix keystone fernet bootstrap" 2020-02-05 10:31:52 +00:00
Michal Nasiadka
0799782ce8 Fix keystone fernet bootstrap
There are cases when a multinode deployment ends up in unusable
keystone public wsgi on some nodes.

The root cause is that keystone public wsgi doesn't find fernet
keys on startup - and then persists on sending 500 errors to any
requests - due to a race condition between
fernet_setup/fernet-push.sh and keystone startup.

Depends-On: https://review.opendev.org/703742/
Change-Id: I63709c2e3f6a893db82a05640da78f492bf8440f
Closes-Bug: #1846789
2020-02-03 13:41:11 +01:00
Mark Goddard
c56d273c93 Python 3: Use distro_python_version for WSGI python_path
Currently the WSGI configuration for binary images uses python2.7
site-packages in some places. This change uses distro_python_version to
select the correct python path.

Change-Id: Id5f3f0ede106498b9264942fa0399d7c7862c122
Partially-Implements: blueprint python-3
2020-01-30 14:08:13 +00:00
Zuul
61266a63e3 Merge "Fix fernet-node-sync error catching" 2020-01-14 10:31:09 +00:00
Michal Nasiadka
72afbcec4e Fix fernet-node-sync error catching
Backport: train stein rocky
Depends-On: https://review.opendev.org/701779
Related-Bug: #1859047
Change-Id: I09844e0807a93d9edd8d014276b0174d77a993a0
2020-01-13 12:42:56 +00:00
Michal Nasiadka
4072a3ebff Use distro_python_version in fernet-node-sync
Since Debian and Ubuntu are already on Python3 only and don't have unversioned
Python binaries (no /usr/bin/python) - we need to call the fetch-fernet-tokens
script using distro_python_version

Backport: train
Related-Bug: #1859047
Change-Id: I42378af9b25f14079fc57b4068ab25d5d4877362
2020-01-10 14:31:00 +00:00
Michal Nasiadka
3f55b87069 Improve Apache logging
Currently we don't put global Apache error logs into /var/log/kolla,
this change adds statements that redirect those logs there.

Adapted the logfile names to catch into openstack wsgi logging fluentd
input config and existing logrotate cron entries.

Change-Id: I21216e688a1993239e3e81411a4e8b6f13e138c2
2019-12-06 13:11:49 +00:00
Mark Goddard
d09ee49afc Fix keystone fernet rotation for source images
In source images, keystone-manage is installed to a virtualenv in
/var/lib/kolla/venv. This is not in the PATH for cron jobs, which always
use PATH=/usr/bin:/bin. This results in the following error:

/usr/bin/fernet-rotate.sh: line 3: keystone-manage: command not found

However this error is not typically visible, since cron logs to syslog
and we do not configure fluentd to collect these logs.

This change configures the PATH in the fernet-rotate.sh script for
source images.

Change-Id: Ib49ea586d36ae32d01b9610a48b13798db4a4cd5
Closes-Bug: #1850711
2019-11-05 12:06:26 +00:00
Michal Nasiadka
0240763d7d Add proper wsgi loglevel when openstack_logging_debug
Change-Id: I51144d92f34ed51c499a4119c059e6475d02eb46
2019-10-24 09:33:05 +00:00
Radosław Piliszek
bc053c09c1 Implement IPv6 support in the control plane
Introduce kolla_address filter.
Introduce put_address_in_context filter.

Add AF config to vars.

Address contexts:
- raw (default): <ADDR>
- memcache: inet6:[<ADDR>]
- url: [<ADDR>]

Other changes:

globals.yml - mention just IP in comment

prechecks/port_checks (api_intf) - kolla_address handles validation

3x interface conditional (swift configs: replication/storage)

2x interface variable definition with hostname
(haproxy listens; api intf)

1x interface variable definition with hostname with bifrost exclusion
(baremetal pre-install /etc/hosts; api intf)

neutron's ml2 'overlay_ip_version' set to 6 for IPv6 on tunnel network

basic multinode source CI job for IPv6

prechecks for rabbitmq and qdrouterd use proper NSS database now

MariaDB Galera Cluster WSREP SST mariabackup workaround
(socat and IPv6)

Ceph naming workaround in CI
TODO: probably needs documenting

RabbitMQ IPv6-only proto_dist

Ceph ms switch to IPv6 mode

Remove neutron-server ml2_type_vxlan/vxlan_group setting
as it is not used (let's avoid any confusion)
and could break setups without proper multicast routing
if it started working (also IPv4-only)

haproxy upgrade checks for slaves based on ipv6 addresses

TODO:

ovs-dpdk grabs ipv4 network address (w/ prefix len / submask)
not supported, invalid by default because neutron_external has no address
No idea whether ovs-dpdk works at all atm.

ml2 for xenapi
Xen is not supported too well.
This would require working with XenAPI facts.

rp_filter setting
This would require meddling with ip6tables (there is no sysctl param).
By default nothing is dropped.
Unlikely we really need it.

ironic dnsmasq is configured IPv4-only
dnsmasq needs DHCPv6 options and testing in vivo.

KNOWN ISSUES (beyond us):

One cannot use IPv6 address to reference the image for docker like we
currently do, see: https://github.com/moby/moby/issues/39033
(docker_registry; docker API 400 - invalid reference format)
workaround: use hostname/FQDN

RabbitMQ may fail to bind to IPv6 if hostname resolves also to IPv4.
This is due to old RabbitMQ versions available in images.
IPv4 is preferred by default and may fail in the IPv6-only scenario.
This should be no problem in real life as IPv6-only is indeed IPv6-only.
Also, when new RabbitMQ (3.7.16/3.8+) makes it into images, this will
no longer be relevant as we supply all the necessary config.
See: https://github.com/rabbitmq/rabbitmq-server/pull/1982

For reliable runs, at least Ansible 2.8 is required (2.8.5 confirmed
to work well). Older Ansible versions are known to miss IPv6 addresses
in interface facts. This may affect redeploys, reconfigures and
upgrades which run after VIP address is assigned.
See: https://github.com/ansible/ansible/issues/63227

Bifrost Train does not support IPv6 deployments.
See: https://storyboard.openstack.org/#!/story/2006689

Change-Id: Ia34e6916ea4f99e9522cd2ddde03a0a4776f7e2c
Implements: blueprint ipv6-control-plane
Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
2019-10-16 10:24:35 +02:00
Zuul
6189a0c25c Merge "Update python_path for "source" install type" 2019-09-18 11:43:17 +00:00
chenxing
16d0d4c361 Update python_path for "source" install type
Both ubuntu source and binary install type support python3 now,
python_path should be updated.

Depends-On: https://review.opendev.org/675581
Partially Implements: blueprint python3-support

Change-Id: I4bf721b44220bde2d25d4d985f5ca411699a5a72
2019-09-09 16:06:23 +08:00
Rafael Weingärtner
22a6223b1b Standardize the configuration of "oslo_messaging" section
After all of the discussions we had on
"https://review.opendev.org/#/c/670626/2", I studied all projects that
have an "oslo_messaging" section. Afterwards, I applied the same method
that is already used in "oslo_messaging" section in Nova, Cinder, and
others. This guarantees that we have a consistent method to
enable/disable notifications across projects based on components (e.g.
Ceilometer) being enabled or disabled. Here follows the list of
components, and the respective changes I did.

* Aodh:
The section is declared, but it is not used. Therefore, it will
be removed in an upcomming PR.

* Congress:
The section is declared, but it is not used. Therefore, it will
be removed in an upcomming PR.

* Cinder:
It was already properly configured.

* Octavia:
The section is declared, but it is not used. Therefore, it will
be removed in an upcomming PR.

* Heat:
It was already using a similar scheme; I just modified it a little bit
to be the same as we have in all other components

* Ceilometer:
Ceilometer publishes some messages in the rabbitMQ. However, the
default driver is "messagingv2", and not ''(empty) as defined in Oslo;
these configurations are defined in ceilometer/publisher/messaging.py.
Therefore, we do not need to do anything for the
"oslo_messaging_notifications" section in Ceilometer

* Tacker:
It was already using a similar scheme; I just modified it a little bit
to be the same as we have in all other components

* Neutron:
It was already properly configured.

* Nova
It was already properly configured. However, we found another issue
with its configuration. Kolla-ansible does not configure nova
notifications as it should. If 'searchlight' is not installed (enabled)
the 'notification_format' should be 'unversioned'. The default is
'both'; so nova will send a notification to the queue
versioned_notifications; but that queue has no consumer when
'searchlight' is disabled. In our case, the queue got 511k messages.
The huge amount of "stuck" messages made the Rabbitmq cluster
unstable.

https://bugzilla.redhat.com/show_bug.cgi?id=1478274
https://bugs.launchpad.net/ceilometer/+bug/1665449

* Nova_hyperv:
I added the same configurations as in Nova project.

* Vitrage
It was already using a similar scheme; I just modified it a little bit
to be the same as we have in all other components

* Searchlight
I created a mechanism similar to what we have in AODH, Cinder, Nova,
and others.

* Ironic
I created a mechanism similar to what we have in AODH, Cinder, Nova,
and others.

* Glance
It was already properly configured.

* Trove
It was already using a similar scheme; I just modified it a little bit
to be the same as we have in all other components

* Blazar
It was already using a similar scheme; I just modified it a little bit
to be the same as we have in all other components

* Sahara
It was already using a similar scheme; I just modified it a little bit
to be the same as we have in all other components

* Watcher
I created a mechanism similar to what we have in AODH, Cinder, Nova,
and others.

* Barbican
I created a mechanism similar to what we have in Cinder, Nova,
and others. I also added a configuration to 'keystone_notifications'
section. Barbican needs its own queue to capture events from Keystone.
Otherwise, it has an impact on Ceilometer and other systems that are
connected to the "notifications" default queue.

* Keystone
Keystone is the system that triggered this work with the discussions
that followed on https://review.opendev.org/#/c/670626/2. After a long
discussion, we agreed to apply the same approach that we have in Nova,
Cinder and other systems in Keystone. That is what we did. Moreover, we
introduce a new topic "barbican_notifications" when barbican is
enabled. We also removed the "variable" enable_cadf_notifications, as
it is obsolete, and the default in Keystone is CADF.

* Mistral:
It was hardcoded "noop" as the driver. However, that does not seem a
good practice. Instead, I applied the same standard of using the driver
and pushing to "notifications" queue if Ceilometer is enabled.

* Cyborg:
I created a mechanism similar to what we have in AODH, Cinder, Nova,
and others.

* Murano
It was already using a similar scheme; I just modified it a little bit
to be the same as we have in all other components

* Senlin
It was already using a similar scheme; I just modified it a little bit
to be the same as we have in all other components

* Manila
It was already using a similar scheme; I just modified it a little bit
to be the same as we have in all other components

* Zun
The section is declared, but it is not used. Therefore, it will
be removed in an upcomming PR.

* Designate
It was already using a similar scheme; I just modified it a little bit
to be the same as we have in all other components

* Magnum
It was already using a similar scheme; I just modified it a little bit
to be the same as we have in all other components

Closes-Bug: #1838985

Change-Id: I88bdb004814f37c81c9a9c4e5e491fac69f6f202
Signed-off-by: Rafael Weingärtner <rafael@apache.org>
2019-08-15 13:18:16 -03:00
Mark Goddard
09e29d0db9 Don't rotate keystone fernet keys during deploy
When running deploy or reconfigure for Keystone,
ansible/roles/keystone/tasks/deploy.yml calls init_fernet.yml,
which runs /usr/bin/fernet-rotate.sh, which calls keystone-manage
fernet_rotate.

This means that a token can become invalid if the operator runs
deploy or reconfigure too often.

This change splits out fernet-push.sh from the fernet-rotate.sh
script, then calls fernet-push.sh after the fernet bootstrap
performed in deploy.

Change-Id: I824857ddfb1dd026f93994a4ac8db8f80e64072e
Closes-Bug: #1833729
2019-06-27 08:41:27 +00:00
Mark Goddard
6c1442c385 Fix keystone fernet key rotation scheduling
Right now every controller rotates fernet keys. This is nice because
should any controller die, we know the remaining ones will rotate the
keys. However, we are currently over-rotating the keys.

When we over rotate keys, we get logs like this:

 This is not a recognized Fernet token <token> TokenNotFound

Most clients can recover and get a new token, but some clients (like
Nova passing tokens to other services) can't do that because it doesn't
have the password to regenerate a new token.

With three controllers, in crontab in keystone-fernet we see the once a day
correctly staggered across the three controllers:

ssh ctrl1 sudo cat /etc/kolla/keystone-fernet/crontab
0 0 * * * /usr/bin/fernet-rotate.sh
ssh ctrl2 sudo cat /etc/kolla/keystone-fernet/crontab
0 8 * * * /usr/bin/fernet-rotate.sh
ssh ctrl3 sudo cat /etc/kolla/keystone-fernet/crontab
0 16 * * * /usr/bin/fernet-rotate.sh

Currently with three controllers we have this keystone config:

[token]
expiration = 86400 (although, keystone default is one hour)
allow_expired_window = 172800 (this is the keystone default)

[fernet_tokens]
max_active_keys = 4

Currently, kolla-ansible configures key rotation according to the following:

   rotation_interval = token_expiration / num_hosts

This means we rotate keys more quickly the more hosts we have, which doesn't
make much sense.

Keystone docs state:

   max_active_keys =
     ((token_expiration + allow_expired_window) / rotation_interval) + 2

For details see:
https://docs.openstack.org/keystone/stein/admin/fernet-token-faq.html

Rotation is based on pushing out a staging key, so should any server
start using that key, other servers will consider that valid. Then each
server in turn starts using the staging key, each in term demoting the
existing primary key to a secondary key. Eventually you prune the
secondary keys when there is no token in the wild that would need to be
decrypted using that key. So this all makes sense.

This change adds new variables for fernet_token_allow_expired_window and
fernet_key_rotation_interval, so that we can correctly calculate the
correct number of active keys. We now set the default rotation interval
so as to minimise the number of active keys to 3 - one primary, one
secondary, one buffer.

This change also fixes the fernet cron job generator, which was broken
in the following cases:

* requesting an interval of more than 1 day resulted in no jobs
* requesting an interval of more than 60 minutes, unless an exact
  multiple of 60 minutes, resulted in no jobs

It should now be possible to request any interval up to a week divided
by the number of hosts.

Change-Id: I10c82dc5f83653beb60ddb86d558c5602153341a
Closes-Bug: #1809469
2019-05-17 14:05:48 +01:00
Mark Goddard
d62ccca3e0 Fix ubuntu binary deploys
1. The Keystone WSGI scripts don't have a python3- prefix, although they
   are using python 3.

2. The Placement WSGI script doesn't have a python3- prefix, although it
   is using python 3.

Depends-On: https://review.openstack.org/651327
Change-Id: I805df8f85634edea8322495ca73897d44967cfe6
Closes-Bug: #1823989
2019-04-10 08:55:25 +01:00
Mark Goddard
a103ed7c07 Use service-specific _install_type variables in wsgi scripts
Change-Id: I0c31ad353e1fb764bc8e826cda5c3d092623f44b
2019-03-15 15:22:54 +00:00
chenxing
6722e18465 ubuntu: update configuration Stein UCA
Update wsgi configuration after services migrating to python3.

Change-Id: I25d8db36dabd5f148b2ec96a30381c6a86fa710e
Depends-On: https://review.openstack.org/#/c/625298/
Partially Implements: blueprint python3-support
2019-03-13 21:25:51 +08:00
Jim Rollenhagen
bece976b91 Allow keystone services to use independent hostnames
This allows keystone service endpoints to use custom hostnames, and adds the
following variables:

* keystone_internal_fqdn
* keystone_external_fqdn

These default to the old values of kolla_internal_fqdn or
kolla_external_fqdn.

This also adds the following variables:

* keystone_admin_listen_port
* keystone_public_listen_port

These default to keystone_admin_port and keystone_public_port,
respectively, for backward compatibility.

These options allow the user to differentiate between the port the
service listens on, and the port the service is reachable on. This is
useful for external load balancers which live on the same host as the
service itself.

Change-Id: I50c46c674134f9958ee4357f0f4eed5483af2214
Implements: blueprint service-hostnames
2019-02-08 10:26:00 -05:00
Kien Nguyen
043943117d Use <project>_install_type instead of kolla_install_type
Use <project>_install_type instead of kolla_install_type
to set python_path. For example, general kolla_install_type
is 'binary', but user wants to deploy Horizon from 'source'.
Horizon templates still use python_path=/usr/share/openstack-dashboard,
it is wrong.

Change-Id: Ide6a24e17b1f8ab6506aa5e53f70693706830418
2019-01-04 14:33:46 +07:00
Zuul
1549c85efd Merge "Fernet cron path" 2018-10-29 13:12:36 +00:00
Zuul
0fd03fc88d Merge "Fix keystone domains directory permissions" 2018-10-23 20:16:30 +00:00
Christian Berendt
1192f93f6b Fix keystone domains directory permissions
Closes-bug: #1799348

Change-Id: I4c43076795d28ea36f9e1d165e56abb110c5b544
2018-10-23 07:24:49 +02:00
Kevin Tibi
35a21b0711 Fernet cron path
Fix the path of fernet cron for centos images

Change-Id: Iedf3a8630bc3c25fd05f580980d499023bf974fa
2018-10-22 10:49:34 +02:00
Zhangfei Gao
ce809aea23 osprofiler support redis
Currently osprofiler only choose elasticsearch,
which is only supported on x86.
On other platform like aarch64 osprofiler can
not be used since no elasticsearch package.

Enable osprofiler by enable_osprofiler: "yes",
which choose elasticsearch by default.
Choose redis by enable_redis: "yes" & osprofiler_backend: "redis"
On platform without elasticsearch support like aarch64
set enable_elasticsearch: "no"

Change-Id: I68fe7a33e11d28684962fc5d0b3d326e90784d78
2018-06-01 09:34:04 +08:00
wu.chunyang
998b9fbbec Remove "keystone_token_provider==uuid" from keystone.conf
it missing from [0]

[0]: https://review.openstack.org/#/c/566210/

Change-Id: I990dea52d3aa45d3d7c352c2664541799d912cdc
2018-05-04 18:01:53 +08:00
Zuul
44f350d9bb Merge "Use internal interface to connect with keystone_ssh" 2018-04-11 06:02:34 +00:00
Jeffrey Zhang
9d5bafabb2 Use the pbr generated wsgi binary file located in binary folder
Since pbr 1.4.0, wsgi_scripts entrypoing is supported and it will
generated a wsgi compatible binary file. No need to copied it to
/var/www/cgi-bin/keystone folder.

Change-Id: If85558dcdcdf185be6171de20eed3faa8e101661
2018-03-21 00:27:47 +08:00
Jeffrey Zhang
f8cb527f78 Security reinforce for apache server
Disable ServerSignature and Hide apache related infromation.

Change-Id: I9188ddb85988539087c922117bb9f53454b7507c
2018-03-14 18:14:26 +08:00
Dai Dang Van
d77930373e Support policy.yaml file [part 2]
- Keystone
- Glance
- Nova
- Cinder

This will copy only yaml or json policy file if they exist.

Change-Id: I4a9415d82322aed68c9b7650bdf346f58fa49e2a
Implements: blueprint support-custom-policy-yaml
Co-authored-By: Duong Ha-Quang <duonghq@vn.fujitsu.com>
2018-01-29 13:35:59 +00:00
Andrew Smith
fd1d3af0df Add support for hybrid messaging backends
This commit separates the messaging rpc and notify transports in order
to support separate and different oslo.messaging backends

This patch:
* add rpc and notify variables
* update service role conf templates
* add example to globals.yaml
* add release note

Implements: blueprint hybrid-messaging
Change-Id: I34691c2895c8563f1f322f0850ecff98d11b5185
2017-11-22 14:09:40 -05:00
Christian Berendt
6f8e354805 Use internal interface to connect with keystone_ssh
Change-Id: I1283014f785c2e6abf8db99c4fd71c008718a35e
Closes-bug: #1695102
2017-10-10 06:57:42 +00:00
Christian Berendt
6625e84863 Fix "key_repository is world readable: /etc/keystone/fernet-keys/" warning
TrivialFix

Change-Id: Ia54ee5cae2ffcdcca24cb162699e09b0808a1037
Depends-on: Ida2ed62eaba8908fb0bd50bb0be00fb5f9b1adc3
2017-09-11 11:28:16 +00:00
Narasimha SV
4566d1cfc9 enable CORS for Gnocchi and Keystone for grafana datasource
adding cors section to keystone and gnocchi templates when
grafana is enabled

Change-Id: I54f4c06ed64254df0f9481e461c9393a399212a3
Closes-bug: #1651796
2017-07-26 09:52:56 +08:00
Jenkins
0cd868243f Merge "Disable trace for all containers running httpd" 2017-07-19 08:09:06 +00:00
Jeffrey Zhang
f5dd178fc5 Disable trace for all containers running httpd
Trace method is enabled in default for httpd. There is security risk
with trace enabled. So disable it in default. more info please check[0].

[0] https://security.stackexchange.com/a/7711

Change-Id: I4496a6d058d88e1abfb210085f189e7a610e0362
Closes-Bug: #1705160
2017-07-19 10:52:41 +08:00
Jeffrey Zhang
cacf08f0a6 Remove all kolla-kubernetes configurations
kolla-kubernetes is using its own configuration generation[0], so it is
time for kolla-ansible to remove the related code to simplify the
logical.

[0] https://github.com/openstack/kolla-kubernetes/tree/master/ansible

Change-Id: I7bb0b7fe3b8eea906613e936d5e9d19f4f2e80bb
Implements: blueprint clean-k8s-config
2017-07-18 22:00:58 +08:00
Jenkins
c59714ccff Merge "Remove keystone-paste.ini file in kolla" 2017-06-13 14:58:04 +00:00
Jeffrey Zhang
6ce222af3e Remove keystone-paste.ini file in kolla
keystone-paste.ini file is introduced by
I3a3ca2e74c0ae341105d3481f97956c6da473046 for a security risk of
admin_token_auth middleware. Now this middleware is removed by
I57586ccfa0ad1309cc806d95377dc1ecad015914. So it is safe to use upstream
keystone-paste.ini file.

This patch also keep custom paste file feature. Just put the file to
/etc/kolla/config/keystone/keyston-paste.ini path.

Closes-Bug: #1695023
Partially-Implements: blueprint custom-paste
Change-Id: Ieb983b6a9edb6a156928f6b56a4bd2dbed4281e2
2017-06-13 01:38:29 +00:00
Eduardo Gonzalez
ab4b1ff785 Support OSprofile usage
OSprofile allows user/devs trace OpenStack requests.

Implements: blueprint enable-osprofiler
Co-Authored-By: Bertrand Lallau <bertrand.lallau@gmail.com>
Change-Id: I82ea85d726011ef6cbf99380f395452d6d7f8053
2017-06-02 22:41:33 +02:00
James McCarthy
274291463e Change default permissions in jinja templates.
Many of the templates use 600, remove unnecessary permission
on these templates to bring them in line with the others.

Change-Id: I30fe1b3822b9c7bb6ab98729fc519dc1d603db27
2017-05-26 12:29:02 +01:00
Bertrand Lallau
afdd11b9a2 Generalize api_interface_address variable usage
Useful api_interface_address variable has been define here:
https://github.com/openstack/kolla-ansible/blob/master/ansible/group_vars/all.yml#L57
In order to simplify codebase we must use it as much as possible.

Change-Id: I18fec19bf69e05a22a4142a9cd1165eccd022455
2017-05-23 08:35:15 +00:00
shaofeng_cheng
83fae8c8f9 Fix secure_proxy_ssl_header option
Option "secure_proxy_ssl_header" from group "DEFAULT" is deprecated
in Keystone.

see
https://docs.openstack.org/ocata/config-reference/identity/samples/keystone.conf.html

Change-Id: I390969fce5b592c0267399969abc54e5caffbfc8
Closes-Bug: #1675982
2017-03-30 15:49:51 +08:00
Paul Bourke
9828ad1167 Fix keystone idempotency
The wrapper keystone_bootstrap.sh expects to parse output from the
keystone-manage command. Somewhere along the line this command stopped
logging to stderr resulting in it not being able to report it's changed
status correctly.

Closes-Bug: #1668220

Change-Id: I895ebe11b88fd239fa8cb6e1a2fed779743e4139
2017-02-27 10:24:47 +00:00
Jeffrey Zhang
ba023042b2 Disable revoke_by_id in keystone
revoke api is only used when using kvs revoke driver. In most of case it
is useless and unnecessary.

Change-Id: I6afaf32574330e3ee57435f688c41ae74dbdf7ed
Closes-Bug: #1664026
2017-02-13 21:39:44 +08:00
Jeffrey Zhang
2b402ace4d Fix the WARNING in copy keystone domain task
Change-Id: I2bf2e8a6ba17c813bb2b9cdf05d3062f29d9fdf6
Closes-Bug: #1653168
2017-02-05 20:49:20 +08:00
Eduardo Gonzalez
775d8019b6 Add custom policies in service.json
Include custom policy.json files in service-api.json.j2 files

Change-Id: Ic55bfc6f61131aa72c3497ce8b2282056bcc7f92
Partially-Implements: blueprint custom-policies
2016-12-02 16:22:17 +00:00
Jeffrey Zhang
fc54163319 Use uuid as keystone default token provider
Keystone uses fernet as default provider in its code now. This patch
adds provider=token in keystone.conf file explicitly.

TrivialFix

Change-Id: Id7142ff4f00ee99579ad420573eafefea0f4dcb7
2016-11-11 12:42:47 +08:00