36 Commits

Author SHA1 Message Date
Takashi Kajinami
729f5d286c Replace legacy facts and use fact hash
... because the latest lint no longer allows usage of legacy facts and
top scope fact.

Change-Id: I6e76d095bb0f78ef4962f1150da94e4d4153a374
2023-03-01 16:51:25 +09:00
Rajesh Tailor
3b1ecbed5c Fix some typos in parameter descriptions
Change-Id: I634698c222da7e5f570ac3bd2cdee924457791bd
2022-06-17 16:38:08 +05:30
Takashi Kajinami
12a5b23668 Simplify definition to ensure keystone resource creation
Use the whole resource type instead of its individual resources, to
rely on interface instead of implementation of the dependent module.

Change-Id: I21e05882b2685d8d312f4d6cc516ebcaf2ba6677
2022-02-07 00:01:42 +09:00
Zuul
bdded914ce Merge "Accept system scope credentials for Keystone API request"
2022-01-08 00:11:53 +00:00
Takashi Kajinami
d6bbb2c583 Install and enable keystone-listener
To use the keystone notification feature, we need an independent
keystone-listener service. This change implements the missing capability
to manage the service and its package.

Closes-Bug: #1956397
Change-Id: Iedda0e9fe7b091b510ea9033db86921e4d2b4184
2022-01-05 15:16:19 +09:00
Takashi Kajinami
e3a92d7798 Accept system scope credentials for Keystone API request
This change is the first step to support secure RBAC and allows usage
of system scope credentials for Keystone API request.

This change covers the following two items.
 - assignment of system scope roles to system user
 - credential parameters for authtoken middleware

Depends-on: https://review.opendev.org/804325
Change-Id: Ifbdde0718d1b6a6782c4f098fd152c3f636aa2c4
2021-11-25 21:11:50 +09:00
Takashi Kajinami
cfc1fc6ea2 Skip dependency on keystone endpoint if endpoint is not configured
Change-Id: Ic68cbca8768fa1efcffa17f66bd3040558b880fe
2021-09-29 04:24:38 +00:00
Takashi Kajinami
6f833db0a2 Use a 'params' hash for authtoken parameters
This change adds the 'params' hash in authtoken class, to implement
the same functionality as the one recently introduced into
puppet-nova[1].

[1] 5c38281e1b698f157f03bf1815733277c541c30b

Change-Id: I1ee5f6f36dce3429261b77a4c91b4732ced4a591
2020-10-12 14:04:26 +09:00
Takashi Kajinami
bded1a8c1e Add support for the keystone_authtoken/service_type parameter
Change-Id: Ica2918b3235f22348598507ec84b264e627322db
2020-10-12 14:02:49 +09:00
Takashi Kajinami
000d145608 Add support for the interface parameter in authtoken middleware
This patch adds support for [keystone_authtoken] interface parameter,
so that operators can define which endpoint should be used by authtoken
middleware.

Change-Id: I5068505afbaf57e66d28f7cf472ab09bb8355f04
2020-07-09 08:19:30 +09:00
Tobias Urdin
57af2573d6 Convert all class usage to relative names
Change-Id: I3c86c44a0e190ea92180e792a291d4ee5ff63da0
2019-12-08 15:15:52 +01:00
Zuul
39fa246cd0 Merge "Configure keystone_authtoken/service_token_roles"
2019-08-20 16:58:42 +00:00
Takashi Kajinami
59a8a7fe76 Configure keystone_authtoken/service_token_roles
This patch introduces a new hieradata to configure service_token_roles
in keystone authtoken middleware configuration, so that we can use
a customized role for a user who uses the service token feature.

Change-Id: Ife07d55390390e9dd62fe4df0393010b9aa40030
2019-08-19 17:00:57 +09:00
ZhongShengping
11552e857a Remove deprecated pki related options
The deprecated pki related options check_revocations_for_cached and
hash_algorithms have been removed.

Change-Id: Ibf3bd406b7d6c62290d6e5ba61914e76f96c5a09
2019-08-15 11:51:37 +08:00
ZhongShengping
26abc42c2b Service_token_roles_required missing in the server config file
Service_token_roles_required missing in the server config file which
allows backwards compatibility to ensure that the service tokens are
compared against a list of possible roles for validity.

Change-Id: I654cf1564607f6c4ac47db0987d2a86e335a3f89
Closes-Bug: 1778198
2019-02-15 10:02:59 +08:00
ZhongShengping
713dc65543 keystone/auth: make service description configurable
This commit adds the service description as a class parameter in order to allow
users to update from a previous version if the service description is changed
(incorrectly spelled or wrong description)

Change-Id: I689b27bcc358e6c4797b97fb3a7ef8e9aee152fe
Closes-Bug: #1468407
2018-12-17 14:18:17 +08:00
ZhongShengping
acab57fd4a Cleanup documentation
Make sure documentation is the same and follow
the standard which we are trying to enforce on
all modules.

Change-Id: Icff5eab9ee9c59be99fb3029612bdb8602778093
2018-12-13 17:11:10 +08:00
Tobias Urdin
a0a7a97ed4 Remove auth_uri
Change-Id: I2237da6b2d786e2faea0ec92161042c4d50b7551
2018-11-28 23:53:34 +01:00
ZhongShengping
bd2f247255 Deprecate pki related options
check_revocations_for_cached and hash_algorithms are deprecated for
removal because the PKI token format is no longer supported.
Update warning message and add a release note.

Change-Id: I5a0a697afbabe6312e2a2b46f70f51964649a9da
Closes-Bug: #1804562
Closes-Bug: #1804720
2018-11-23 10:19:16 +08:00
qiaomin
a6f0c70c3f Replace port 35357 with 5000
Now that the v2.0 API has been removed, we don't have a reason to
include deployment instructions for two separate applications on
different ports.

Change-Id: Id4cccbb31bcaef6343e90b504438e31bbc0f69db
2018-05-13 00:46:53 +08:00
zhubingbing
0ea5301b4d neat: missing : in $::os_service_default
Change-Id: Ie392eefc30bb4c5cc3fdfe6e00d468304c6d5cde
2018-05-11 14:22:11 +08:00
ZhongShengping
e2564755c2 Deprecate auth_uri option
Option auth_uri from group keystone_authtoken is deprecated[1].
Use option www_authenticate_uri from group keystone_authtoken.

[1] https://review.openstack.org/#/c/508522/

Change-Id: I34a4a90e23683f5938b3047c31899ffae1dadd73
Depends-On: I4c82a63baabd6b9304b302c97cd751a0103d8316
Closes-Bug: #1759098
2018-04-03 16:54:58 +08:00
ZhongShengping
b72c58da06 Remove deprecated keystone authtoken revocation_cache_time option
Change-Id: Ib609a8e31b88986ed1f9d0e9731549059f0f7a12
2018-03-27 10:33:20 +08:00
Juan Antonio Osorio Robles
9aa994c9a4 Configure *_domain_name to Default by default
Keystone v2.0 API was removed so we have no choice but configuring
user_domain_name and project_domain_name otherwise it falls back to
Keystone v2.0 and it fails. This patch sets the default value so we make
sure Keystone v3 will be used out of the box for our users.

Change-Id: I27631d4c6a81e7fa50b2f5154d87d0def8e3a875
Co-Authored-By: Harry Rybacki <hrybacki@redhat.com>
2017-10-06 16:04:14 +03:00
ZhongShengping
275436a982 Deprecate revocation_cache_time option
The revocation_cache_time is deprecated for removal because the PKI
token format is no longer supported.
Update warning message and add a release note.

Change-Id: Ie4e84d00ba741c394eaca459e4e1d7beca5375f4
Closes-Bug: #1717144
2017-09-14 10:56:27 +08:00
ZhongShengping
55acfdf048 Remove deprecated keystone authtoken signing_dir option
Change-Id: I3ff98337ff10750c0fda5379e336ea5e7ac6e44a
2017-07-07 09:58:06 +08:00
Matthew J. Black
eeb2aa8a15 Allow python-memcache install from authtoken class
The python-memcache package is required if using memcached. By
default the package is not installed and the define has it set to
false. This change allows managing the python-memcache package
install from the authtoken class.

Change-Id: I7aeccac5720adbaf7791ae9f782d223e9a2aaaf9
2017-01-11 17:25:31 -05:00
ZhongShengping
34644420e1 Deprecate signing_dir option
The signing_dir is deprecated for removal because the PKI token format
is no longer supported.
Update warning message and release note.

Change-Id: Ibabd9a446078d38ec7c12a5a4a21a97d992881ff
Closes-Bug: #1652700
2016-12-27 17:05:57 +08:00
ZhongShengping
e12dfaefd7 Add hooks for external install & svc management
This adds defined anchor points for external modules to hook into the
software install, config and service dependency chain. This allows
external modules to manage software installation (virtualenv,
containers, etc) and service management (pacemaker) without needing to rely
on resources that may change or be renamed.

Change-Id: If0175f5719ec72871febcec04785d63f56fd3d2b
2016-11-25 17:44:49 +08:00
Iury Gregory Melo Ferreira
bc47dbcea8 Remove old authtoken options
Since we are in Ocata, let's remove all old parameters in api
to configure the keystone_authtoken section

Change-Id: I4d44e7a6e1623acfd73345e0877a9fcd8f128ca8
2016-11-08 19:50:50 -03:00
Iury Gregory Melo Ferreira
0df44cb07c Move barbican to authtoken
Create a new class to handle all configuration for
keystone_authtoken section in configuration file using
keystone::resource::authtoken

This patch is not backward compatible:
- we have changed auth_type in api.pp to auth_strategy,
because auth_type is related to keystone authentication.
- removed all parameters related to keystone_authtoken
from api.pp and moved to authtoken.pp

Change-Id: I2dee8a3d1c399234941f96d8f21f49526777f501
Depends-On: I94914ed5a8b5c1447606547b31ed46bb72b4de01
Related-Bug: #1604463
2016-08-14 01:55:50 -03:00
Juan Antonio Osorio Robles
dadb8de7a8 Change default service_name to 'barbican'
While we were already able to pick an independent auth_name and
service_name; the service_name was defaulting to auth_name. Now it
has a value of its own to be consistent with other modules.

Related-Bug: #1590040
Change-Id: Ied45e546667b7c04e9b511a3ae23c529ad78e7df
2016-06-08 10:18:42 +03:00
Ade Lee
bf14bf1feb Added keystone config to barbican api manifest
The acceptance test now has a barbican API server that runs in
a gunicorn instance that uses keystone as an authentication source.

We specify the snakeoil plugin because it's a more useful and realistic
plugin to use in acceptance tests.

Fixed barbican manifest to not require including barbican::api,
and fixed typo in dogtag spec.

Added option to not autocreate the database.  This allows use of
mysql and dbsync when creating the database.

Fixed a couple of package tags.

Change-Id: I7c25f8692a4388874b05ab561602553f37e4961b
Depends-On: Ia79f3d1bed0c2a66ed17ae2ee91ca70c73f6c434
Depends-On: Ic36fd606fe06202b0ca5b8eeaf5c5bdc2a5708fd
2016-05-12 18:34:05 -04:00
Ade Lee
74c76bdadb Add keystone notification options to barbican-api manifest
Change-Id: Ifc3f016611268f3dc7d9e39428b423852536982d
2016-04-01 10:14:18 -04:00
Emilien Macchi
395e69546f Make Keystone_endpoint match service by name/type
Since a change in puppet-keystone [1], we now match an endpoint with a
service name/type.

[1] http://git.openstack.org/cgit/openstack/puppet-keystone/commit/?id=0a4e06abb0f5b3f324464ff5219d2885816311ce

Change-Id: I237f92ce3a656fbcc14117405a351ba219f2bba1
Closes-Bug: #1528308
2015-12-22 18:05:08 +01:00
Emilien Macchi
18e92427eb puppet-barbican: Initial commit
This is the initial commit for puppet-barbican.
It has been automatically generated using cookiecutter[1] and msync[2]

[1] https://github.com/openstack/puppet-openstack-cookiecutter
[2] https://github.com/openstack/puppet-modulesync-configs

Change-Id: I52b10cb17701bba20ad64d3f4cc15950c1038c54
2015-10-02 08:50:49 -04:00