This change is the first step to support secure RBAC and allows usage
of system scope credentials for Keystone API requests.
This change covers the following three items.
- assignment of system scope roles to system user
- credential parameters for authtoken middleware
- credential parameters for oslo.limit library
Note that the credential parameters for authtoken middleware are
used in some providers, and these providers still require a project
scope credential. This will be fixed by the subsequent change.
Depends-on: https://review.opendev.org/804325
Depends-on: https://review.opendev.org/823629
Change-Id: Ic7682993b341a7d45b0957f102f5c3dbd52f9043
This change adds the 'params' hash in the authtoken class, to implement
the same functionality as the one recently introduced into
puppet-nova[1].
[1] 5c38281e1b698f157f03bf1815733277c541c30b
Change-Id: Ic4f451cfbd0145466ae65330729e980f5567795e
Currently we validate database_connection in 2 layers, each puppet
module and puppet-oslo; however, this makes it difficult to maintain
the validation pattern because we always need to fix both.
This patch removes the validation from each puppet module so that
we need to maintain only one place, puppet-oslo, to update the
validation logic.
Change-Id: If13825dff529c91508ae19e48c7918cbd2b50245
This patch adds support for [keystone_authtoken] interface parameter,
so that operators can define which endpoint should be used by authtoken
middleware.
Change-Id: I380868884abe92b35e93c3bf22d877838d0eac55
The deprecated PKI related options check_revocations_for_cached and
hash_algorithms have been removed.
Change-Id: Ib692f55fa267e9fbe17d94c5116f244be02b2107
This changes all the puppet 3 validate_* functions
to use the validate_legacy function.
The validate_legacy function has been available for
about three years but requires Puppet >= 4.4.0, and since
Puppet 4.10.12 is the latest we should assume people
are running a fairly new Puppet 4 version.
This is the first step to then remove all validate function
calls and use proper types for parameters as described in spec [1].
[1] https://review.openstack.org/#/c/568929/
Change-Id: Ib21fef57404d63579743270be4080d248a4ca8cc
Service_token_roles_required is missing in the server config file; it
allows backwards compatibility to ensure that the service tokens are
compared against a list of possible roles for validity.
Change-Id: I49828052bdf33391edcd962fc6c4208c715e377a
Closes-Bug: 1778198
Make sure documentation is the same and follows
the standard which we are trying to enforce on
all modules.
Change-Id: I1b54aefa27a929946aaf91c6f863466df8b13107
check_revocations_for_cached and hash_algorithms are deprecated for
removal because the PKI token format is no longer supported.
Update warning message and add a release note.
Change-Id: Ic25814ff5d8a3134de59876c38da2c245c50d7ca
Closes-Bug: #1804562
Closes-Bug: #1804720
Now that the v2.0 API has been removed, we don't have a reason to
include deployment instructions for two separate applications on
different ports.
Change-Id: Ieb132483803085c0e97a3572fc035af3817467af
Option auth_uri from group keystone_authtoken is deprecated[1].
Use option www_authenticate_uri from group keystone_authtoken.
[1] https://review.openstack.org/#/c/508522/
Change-Id: I081c6f8c791ef7d4dc1d5bf8dfc2676c73e66734
Depends-On: I4c82a63baabd6b9304b302c97cd751a0103d8316
Closes-Bug: #1759098
Add pool_timeout option to configure this value for pool_timeout with
SQLAlchemy.
Change-Id: I724f0b24b6f7ffb846f8bdf44156dcebeeaa7cae
Closes-Bug: #1757581
An empty string is an acceptable value of this entry, and it forces
logging to stdout/stderr, which is useful when running on containers.
In other modules (such as puppet-keystone) log_file defaults to
$::os_service_default. This is not the case in this module, so we
need to allow an empty value in log_file here as well.
Change-Id: I3fa4a38d21f0f7e447157ab7814a547c10a4b7d3
Keystone v2.0 API was removed so we have no choice but to configure
user_domain_name and project_domain_name; otherwise it falls back to
Keystone v2.0 and fails. This patch sets the default value so we make
sure Keystone v3 will be used out of the box for our users.
Change-Id: If0a614520c4737e489147e18b1e9028e1f671f88
An empty string is an acceptable value of this entry, and it forces
logging to stdout/stderr, which is useful when running on containers.
Change-Id: Idd27daadfd1294d7f83777f851a1f39a7f860308
The revocation_cache_time is deprecated for removal because the PKI
token format is no longer supported.
Update warning message and add a release note.
Change-Id: Ia607af51a784113541ac576b9293700dbafba31d
Closes-Bug: #1717144
The db_max_retries parameter regulates the number of reconnection
attempts performed after an error raised rather than at startup.
Change-Id: Ib3cfc7b27945389f523d7112d88462995e7416af
Related-Bug: #1579718
The python-memcache package is required if using memcached. By
default the package is not installed and the define has it set to
false. This change allows managing the python-memcache package
install from the authtoken class.
Change-Id: I7de3338061bad949f26ed0d84782124c7b61eb70
The signing_dir is deprecated for removal because the PKI token format
is no longer supported.
Update warning message and release note.
Change-Id: Ifaad2dffab360df2790dac8d9ad8c9a87f719f6b
Closes-Bug: #1652700
Since we are in Ocata, let's remove all old parameters in api
to configure the keystone_authtoken section.
Change-Id: I4dc0bd544f91fd52ad437b4c3ebbd16a43895726
log_file should be set to $::os_service_default and not to the boolean
false because the boolean false gets interpreted as a file name.
Change-Id: I2b7f3ad6f04b24e357948bd23782b89764e632e5
Use glance::<service>::authtoken to configure keystone_authtoken
section in glance configs, with all parameters required
to configure keystonemiddleware.
Also changed auth_type to auth_strategy, because auth_type is
related to keystone authentication.
Change-Id: I722a1e41b2cee0b3040c37f07adfd13c33edaa5c
Closes-bug: #1604463
This adds defined anchor points for external modules to hook into the
software install, config and service dependency chain. This allows
external modules to manage software installation (virtualenv,
containers, etc) and service management (pacemaker) without needing to
rely on resources that may change or be renamed.
Change-Id: If683fbd098e701a3c4da91941cf818b18b41b209
Option "verbose" from group "DEFAULT" is deprecated for removal.
The parameter has no effect.
- Deprecated verbose for logging and init
- Remove verbose in README
- Remove verbose from tests.
If this option is not set explicitly, there is no such warning
Change-Id: I7e58412fe26962337845b3cb9d67679bac0709d8