The python3-pysaml2 package is required by the python3-keystone package
so we don't have to install it explicitly.
Change-Id: I1ed978e55774637abcddaec91f36c6b5d3c473eb
... so that we don't have to maintain the required logic to enable
the module in our modules.
Related-Bug: #2006924
Change-Id: Ia46deea226a58638e74eee0c0172f0c3c5fa62e7
This patch fixes the package names of python-ldappool and python-pysaml2,
so that correct package names, python3-*, are used in OSs which use
Python3 as the default Python.
Change-Id: I0dc5dd487996307811edd177d13d6d5ac8f841ee
The legacy admin and public ports for Keystone have since the
release of the v3 API not been required as keystone moved all
actions to the same API. [1]
This patch removes the deployment of port 35357 and remodels
puppet-keystone and more specifically the keystone::wsgi::apache
class to only deploy keystone on port 5000.
This has already been changed in the installation guides [2]
and is the recommended way to deploy keystone.
We have already prepared all our modules default values to use
port 5000 instead of 35357 a while ago and we also in the Rocky
release informed our users with a release note that this would
be performed [3]
[1] https://github.com/openstack/keystone/blob/master/keystone/server/wsgi.py
[2] https://docs.openstack.org/keystone/rocky/install/keystone-install-obs.html
[3] https://review.openstack.org/#/c/586791/
Closes-Bug: 1804426
Depends-On: https://review.openstack.org/#/c/627793/
Change-Id: I726cd9408d20f868b2b5337ef2df4da458904e51
The libraries jobs fail with:
manifests/params.pp:9:ERROR: two-space soft tabs not used
Change-Id: Ib408ce44774e3e795dafd3f2d5c4959a8b1f1d66
Closes-Bug: #1806790
The keystone::resource::authtoken define does not
have access to the keystone::params class so it
used the package resource title as package name
when trying to install.
This resulted in the non-existing python-memcache
package failing to install on RedHat based systems.
This includes the params class inside the define
so it gets access to the python_memcache_package_name
variable.
Change-Id: I3470292d87620db717251092fbacf16b2cace571
Closes-Bug: 1711437
The move of policy.json into code means the file may not exist. We've
added support to ensure that the file exists in the openstacklib but we
need to make sure the permissions are right for each service. This adds
the group information to the policies so it works right.
Depends-On: I26e8b1384f4f69712da9d06a4c565dfd1f17c9ed
Change-Id: I4dfcf05aa8418df3ee1a13925f0831dc30921186
Co-Authored-By: Alex Schultz <aschultz@redhat.com>
This was incorrectly set to python-keystone which is the python
library for the server.
The client package name is python-keystoneclient
Change-Id: Idd7272dc1e11d69649e5db0fbefc98a581fff877
This change updates the wsgi configuration for keystone to use the
keystone-wsgi-public and keystone-wsgi-admin scripts provided. The
previous httpd.py implementation has been deprecated as part of the
Mitaka cycle. We are deprecating the previous single script variable
that was used for both endpoints in favor of two new variables for each
of the scripts.
Change-Id: I03a7a057cae0bf86331191faf47ec394487150a7
Closes-Bug: #1558290
Overriding service_provider was a hack and should not exist in any
module.
Puppet is by itself able to find which Service provider to use.
If you want to override it for any reason, please use a Puppet resource
collector, using keystone-service resource tag.
This patch deprecates the service_provider parameter and drops its usage,
so puppet-keystone can easily work on more systems, (ie: Ubuntu Xenial
with Systemd).
Change-Id: I661319aa83676880a83f3ecfc00e9a803524c7cf
The fernet_setup exec is requiring that the
keystone-user and keystone-group are passed
in the exec call. This change exposes two
new parameters that default to "keystone"
that are used in that exec call.
Change-Id: I1e122dc34d496bc26926b6bcd0921e672e099d2e
Closes-Bug: 1553327
Use same default for paste_config on Red Hat & Ubuntu systems
RDO packaging is now using keystone-paste.ini file in /etc/keystone,
like Ubuntu. So there is no need anymore to make a distinction.
Change-Id: I3987c254bdafe9fb23266da2fff2e21d1cd0cec3
Rely on packaging dependencies to avoid issues caused by different
package names between Fedora and RHEL (python-PyMySQL vs python2-PyMySQL).
https://review.openstack.org/#/c/245229/4/spec/classes/neutron_db_spec.rb
includes all the discussion that led to this.
Change-Id: Iff047fab81f620f8df5a40296d23203461949546
Add ability to use python-pymysql library
as backend for MySQL connections.
Switch acceptance tests on pyMySQL usage.
Docs: https://wiki.openstack.org/wiki/PyMySQL_evaluation
Change-Id: I52447482f15a1c075566c7596ce7c5465446fb5a
This patch introduces the same design as mysql for postgresql
by requiring dedicated lib::python class instead of declaring
a new resource package within keystone module.
Change-Id: If775591f6798d06e6dfc2a042a0d21e331c912ff
The UCA packages now provide the wsgi python file. This change
removes the puppet provided one and uses the package provided one
instead.
Change-Id: I4699bf3441d80308b25072ee74ba683612e9d563
Closes-Bug: 1472477
On Debian (and Ubuntu) the paste file is in the /etc/keystone directory,
and the default setting is correct. This change will set the
paste_deploy config file to absent if we're not on RedHat and no value
has been explicitly specified.
Closes-Bug: #1410453
Change-Id: I652bc67ff42881fa1cf66c191333b6feaeb27cca
Allow keystone to be set up to use apache mod_wsgi as the server
instead of a standalone eventlet service. There is a new keystone
class parameter: service_name. The default is 'keystone', which will
set up the standalone eventlet service. If 'httpd' is used, the
keystone class will skip creating the keystone service, which also means
no 'openstack-keystone' service. The class 'keystone::wsgi::apache' is
then used to configure apache mod_wsgi to serve keystone.
Had to remove the File resource default in the keystone class. When
using wsgi::apache, the apache class and other classes are included.
Since puppet uses dynamic scoping, this overrides the file resources
in those classes as well. keystone now explicitly sets all of the
parameters in files/directory resources.
Change-Id: Ib05ac81381e169845b44b2ef7cb810a4d5db17de
Closes-Bug: #1348728
Token driver backends.memcache requires python-memcache, which is not
installed by default. As a result keystone crashes with an exception.
This patch installs python-memcache when it's needed.
Change-Id: I752a97ad9b3135a7336265760f0cd3304e0277b4
Serving keystone from a wsgi container is recommended for production
setups. SSL is enabled by default.
See the following URLs for explanations:
http://adam.younglogic.com/2012/03/keystone-should-move-to-apache-httpd/
https://etherpad.openstack.org/havana-keystone-performance
Documentation in manifests/wsgi/apache.pp
Apache can be configured as a drop in replacement for keystone (using
ports 5000 & 35357) or with paths using the standard SSL port. See
examples in examples/apache_*.pp
- Also change some 'real_' prefix into '_real' suffix to respect the
coding guide.
- Added the '--insecure' option to keystone client in the provider to
allow using self-signed certificates.
- Fixed parsing the ssl/enable value in the provider.
There is no integer verification done in the manifests
and to get around a bug in rspec, which has been fixed
in https://github.com/rodjek/rspec-puppet/pull/107,
certain parameters that should be integer are treated as
strings
files/httpd/keystone.py updated with latest from keystone git repo
Change-Id: Ide8c090d105c1ea75a14939f5e8ddb7d24ca3f1c