Commit Graph

41 Commits (master)

Author SHA1 Message Date
Takashi Kajinami 3c86a14ddb Remove redundant installation of python3-pysaml2
The python3-pysaml2 package is required by the python3-keystone package
so we don't have to install it explicitly.

Change-Id: I1ed978e55774637abcddaec91f36c6b5d3c473eb
2 weeks ago
Takashi Kajinami 486d7f1435 Replace legacy facts and use fact hash
... because the latest lint no longer allows usage of legacy facts and
top scope fact.

Change-Id: Ie757167eedce6fa1c99d08f96be1173871f21817
3 months ago
Takashi Kajinami fe95db4cb0 Use puppetlabs-apache to load auth modules.
... so that we don't have to maintain the required logics to enable
the module in our modules.

Related-Bug: #2006924
Change-Id: Ia46deea226a58638e74eee0c0172f0c3c5fa62e7
4 months ago
Rajesh Tailor c6a3840a8e Fix several typos in parameter descriptions.
Change-Id: I1c45f1fcb8663383b09014aa5095c9b0e99fb231
12 months ago
Takashi Kajinami c4cc44b180 Avoid hard-coding OS user/group in each manifest
and replace hard-codes by definition in params.pp .

Change-Id: I42db85d311f17693694a6a5cb5bd25fd1ab54182
1 year ago
Thomas Goirand 62d556fc63 Get rid of the $pyvers variable
Since everyone has switched to Python3, it's time for the removal of the
$pyvers variable.

Change-Id: I9555be66cda91643e443be664c8f81879b749ebd
2 years ago
Takashi Kajinami f342aad946 Fix python package names (ldappool and pysaml2)
This patch fixes package name of python-ldapppool and python-pysaml2,
so that correct package names, python3-*, are used in OSs which use
Python3 as the default Python.

Change-Id: I0dc5dd487996307811edd177d13d6d5ac8f841ee
3 years ago
Tobias Urdin 3fa63db938 Install the correct memcache bindings for py3
Change-Id: I51184bb0153f2754dc6bc0d445020d218f6ecc3a
3 years ago
Tobias Urdin fa11274b2f Convert all class usage to relative names
Change-Id: Ia631adf31be1eeadb7ab0f12b75f1eaed73d5fbf
4 years ago
Lee Yarwood 94f56fbc6b Inherit pyvers from openstacklib::defaults
Depends-On: I84b767921d151a61429b2c89e6372c4b447f0d7d
Change-Id: I16d17c4d943bd3d2fe7e49fd1e14376edd912ec1
4 years ago
Tobias Urdin ace7aeb3b7 Remove port 35357 deployment
The legacy admin and public ports for Keystone has since the
release of the v3 API not been required as keystone moved all
actions to the same API. [1]

This patch removes the deployment of port 35357 and remodels
puppet-keystone and more specifically the keystone::wsgi::apache
class to only deploy keystone on port 5000.

This has already been changed in the installation guides [2]
and is the recommend way to deploy keystone.

We have already prepared all our modules default values to use
port 5000 instead of 35357 a while ago and we also in the Rocky
release informed our users with a release note that this would
be performed [3]


Closes-Bug: 1804426
Change-Id: I726cd9408d20f868b2b5337ef2df4da458904e51
4 years ago
ZhongShengping b141b3adc8 Fix lint
The libraries jobs fails with:
manifests/params.pp:9:ERROR: two-space soft tabs not used

Change-Id: Ib408ce44774e3e795dafd3f2d5c4959a8b1f1d66
Closes-Bug: #1806790
5 years ago
yatin 898ecc11f0 Install python3-keystoneclient in Fedora or RedHat > 7
Fedora repo [1] has python3 packages, start consuming those.


Change-Id: Id15a40384286a825f65658bdb1ad924a917d9031
5 years ago
Thomas Goirand bad6849b76 Debian is using python 3
Switch python-keystoneclient and python-memcache to their py3 counterpart
when running in Debian.

Change-Id: I129749cee6711b7c50097adf250523f507ee0605
5 years ago
Tobias Urdin f9cac1faf7 authtoken cannot manage python-memcache on RedHat
The keystone::resource::authtoken define does not
have access to the keystone::params class so it
used the package resource title as package name
when trying to install.

This resulted in the non-existing python-memcache
package failed to install on RedHat based systems.

This includes the params class inside the define
so it gets access to the python_memcache_package_name

Change-Id: I3470292d87620db717251092fbacf16b2cace571
Closes-Bug: 1711437
5 years ago
Emilien Macchi 23b8e80456 Add group to policy management
The move of policy.json into code means the file may not exist. We've
added support to ensure that the file exists in the openstacklib but we
need to make sure the permissions are right for each service. This adds
the group information to the policies so it works right.

Depends-On: I26e8b1384f4f69712da9d06a4c565dfd1f17c9ed
Change-Id: I4dfcf05aa8418df3ee1a13925f0831dc30921186
Co-Authored-By: Alex Schultz <>
5 years ago
Sofer Athlan-Guyot c39780fc9e Include openstacklib defaults manifest.
This provides a mechanism for setting default across all modules.

Change-Id: Ifa5b0d68f19e138b5fefb389ee3f937aeaad00cb
Related-Bug: 1599113
7 years ago
Graeme Gillies 9fd52ae7b4 Added federation support for OpenID Connect with mod_auth_openidc
Change-Id: I710de4f38b899ab04cec8b3c5188e8a383bec18c
7 years ago
Sam Morrison 4b4402aaca Fix up client_package_name param
This was incorrectly set to python-keystone which is the python
library for the server.

The client package name is python-keystoneclient

Change-Id: Idd7272dc1e11d69649e5db0fbefc98a581fff877
7 years ago
Alex Schultz e812075fd9 Update keystone wsgi scripts
This change updates the wsgi configuration for keystone to use the
keystone-wsgi-public and keystone-wsgi-admin scripts provided. The
previous implementation has been deprecated as part of the
Mitaka cycle. We are deprecating the previous single script variable
that was used for both endpoints infavor of two new variables for each
of the scripts.

Change-Id: I03a7a057cae0bf86331191faf47ec394487150a7
Closes-Bug: #1558290
7 years ago
Emilien Macchi a5dbb53c19 Deprecate service_provider
Overriding service_provider was an hack and should not exist in any
Puppet is by itself able to find which Service provider to use.
If you want to override it for any reason, please use a Puppet resource
collector, using keystone-service resource tag.

This patch deprecates the service_provider parameter and drop its usage,
so puppet-keystone can easily work on more systems, (ie: Ubuntu Xenial
with Systemd).

Change-Id: I661319aa83676880a83f3ecfc00e9a803524c7cf
7 years ago
dmburmistrov 030820aa2d Set oslo options in keystone module through puppet-oslo
Key moments:
  * use oslo::{db,log,cache,policy},
  * update top-file docs
  * add new parameters provided by oslo
  * update tests accordingly
  * add oslo dependency to "metadata.json"
  * add release notes

Change-Id: I6840b7b9a0cd4832794b1b2a017fc241759aab66
7 years ago
Matthew Black cd4f7d8619 Fix issue with fernet_setup exec
The fernet_setup exec is requiring that the
keystone-user and keystone-group is passed
in the exec call. This change exposes two
new parameters that default to "keystone"
that are used in that exec call.

Change-Id: I1e122dc34d496bc26926b6bcd0921e672e099d2e
Closes-Bug: 1553327
7 years ago
Emilien Macchi 363d63ac3d Update default paste_config on Red Hat systems
Use same default for paste_config on Red Hat & Ubuntu systems
RDO packaging is now using keystone-paste.ini file in /etc/keystone,
like Ubuntu. So there is no need anymore to make a distinction.

Change-Id: I3987c254bdafe9fb23266da2fff2e21d1cd0cec3
7 years ago
Iury Gregory Melo Ferreira 759c626987 Federation support for mellon
This patch aim to configure Keystone to use Mellon
according to [1]


Change-Id: I092ea274bd3aa6aa2fd59d01bd2af48744f37240
8 years ago
iberezovskiy dd72e6d549 Follow-up on PyMySQL support for Red Hat platforms
Rely on packaging dependencies to avoid issues caused by different
package names between Fedora and RHEL (python-PyMySQL vs python2-PyMySQL).
includes all the discussion that led to this.

Change-Id: Iff047fab81f620f8df5a40296d23203461949546
8 years ago
iberezovskiy 55b64a899d Support of PyMySQL driver for MySQL backend
Add ability to use python-pymysql library
as backend for MySQL connections.
Switch acceptance tests on pyMySQL usage.

Change-Id: I52447482f15a1c075566c7596ce7c5465446fb5a
8 years ago
Sebastien Badia 7802890f0a db: Use postgresql lib class for psycopg package
This patch introduce the same design than mysql for postgresql
by requiring dedicated lib::python class instead of declaring
a new resource package within keystone module.

Change-Id: If775591f6798d06e6dfc2a042a0d21e331c912ff
8 years ago
Yanis Guenane a909129600 Introduce keystone::db class
Current modules[1][2][3] implements a
<component>::db class that is not implemented in keystone.

This commit aims to apply here the same logic.


Change-Id: Ifb868c101dd516eda7b9826e0faf33c3bc296e02
8 years ago
Alex Schultz 6ee894a287 Use Ubuntu provided for keystone.wsgi
The UCA packages now provide the wsgi python file. This change
removes the puppet provided one and uses the package provided one

Change-Id: I4699bf3441d80308b25072ee74ba683612e9d563
Closes-Bug: 1472477
8 years ago
Clayton O'Neill 46369a7966 Fix paste file location on Debian
On Debian (and Ubuntu) the paste file is in the /etc/keystone directory,
and the default setting is correct.  This change will set the
paste_deploy config file to absent if we're not on RedHat and no value
has been explicitly specified.

Closes-Bug: #1410453
Change-Id: I652bc67ff42881fa1cf66c191333b6feaeb27cca
8 years ago
Rich Megginson 879f87270a setup keystone using apache mod_wsgi
Allow keystone to be set up to use apache mod_wsgi as the server
instead of a standalone eventlet service.  There is a new keystone
class parameter: service_name.  The default is 'keystone', which will
set up the standalone eventlet service.  If 'httpd' is used, the
keystone class will skip creating the keystone service, which also means
no 'openstack-keystone' service.  The class 'keystone::wsgi::apache' is
then used to configure apache mod_wsgi to serve keystone.

Had to remove the File resource default in the keystone class.  When
using wsgi::apache, the apache class and other classes are included.
Since puppet uses dynamic scoping, this overrides the file resources
in those classes as well.  keystone now explicitly sets all of the
parameters in files/directory resources.

Change-Id: Ib05ac81381e169845b44b2ef7cb810a4d5db17de
Closes-Bug: #1348728
9 years ago
Semyon Deviatkin 1cdd7a2197 Install dependency python-memcache when token driver memcache.
Token driver backends.memcache requires python-memcache which not
installed by default. As result keystone crash with exception.

Patch install python-memcache when it's need.

Change-Id: I752a97ad9b3135a7336265760f0cd3304e0277b4
9 years ago
François Charlier e35a6dc6ee Enable serving keystone from apache mod_wsgi
Serving keystone from a wsgi container is recommended for production
setups. SSL is enabled by default.

See the following URLs for explanations:

Documentation in manifests/wsgi/apache.pp

Apache can be configured as a drop in replacement for keystone (using
    ports 5000 & 35357) or with paths using the standard SSL port. See
examples in examples/apache_*.pp

- Also change some 'real_' prefix into '_real' suffix to respect the
coding guide.
- Added the '--insecure' option to keystone client in the provider to
allow using self-signed certificates.
- Fixed parsing the ssl/enable value in the provider.

There is no integer verification done in the manifests
and to get around a bug in rspec, which has been fixed
certain parameters that should be integer are treated as

files/httpd/ updated with lastest from keystone git repo

Change-Id: Ide8c090d105c1ea75a14939f5e8ddb7d24ca3f1c
10 years ago
John Chilton 8d9d901d67 Enhanced configurability for python client configuration. 11 years ago
François Charlier a3e9aa9a32 Upstart is not useable on Debian 11 years ago
Dan Bode cdfc53324d Specify per platform service name
The name of the keystone service differs between
Debian and Redhat.

This commit codifies the service name differences.
11 years ago
Dan Bode d160633e4d Specify Debian and Redhat package names
The package names between Redhat and Debian are
slightly different.

This commit ensures that the package name is platform speific.
11 years ago
Dan Bode fa7e3a87fc Add inline docs and comments 11 years ago
Dan Bode 86cf9e4974 Minor style updates 11 years ago
Dan Bode f9894420de Add puppet manifests to support fragments
This commit adds Puppet code to allow for keystone.conf
to be composed of fragments.
11 years ago