This code moves all deps to an external class so that Keystone can be
installed with mechanisms besides packages (like venv or docker). This
also cleans up the dependency tree by removing false or confusing
dependencies.
Change-Id: If69cd7cba267f75faad51fdbc80a58b24d2095d8
Co-Author: Clayton O'Neill <clayton.oneill@twcable.com>

The fernet_setup exec is requiring that the
keystone-user and keystone-group is passed
in the exec call. This change exposes two
new parameters that default to "keystone"
that are used in that exec call.
Change-Id: I1e122dc34d496bc26926b6bcd0921e672e099d2e
Closes-Bug: 1553327

Change I0d1ca6b11d9ba5b03c92dff728e0edc3bd06cc19 was occasionally merged
without adding tests for header, this patch fixes that.
Change-Id: I9a4b7bc5564a2208397a7ff1a58bd5f0600eab37

These classes essentially do the same thing, except client.pp didn't
allow us to specify a specific package name and python.pp didn't tag
the package. Additionally, keystone.pp installs openstackclient.
Therefore I'm removing the functionality and deprecating python.pp
and will see what happens in CI.
Change-Id: I7f2243a902372e8f64127221316db7f98f94be61

Per upstream Keystone Mitaka commit 7b7fea7a3fe7677981fbf9bac5121bc15601163
keystone no longer creates the default domain during the db_sync. This
patch updates the keystone class so that it adds a new option to
enable_bootstrap (true by default) to re-add this functionality.
Change-Id: I2b3b83bedc951147723bc932135688fba30ecffb
Closes-bug: #1549867

Instead of using long backend/drivers name, use short name and stevedore
will load plugins for us.
It will prevent this kind of message in logs:
Failed to load 'keystone.catalog.backends.sql.Catalog' using stevedore:
No 'keystone.catalog' driver found,
Also cleanup unit and functional tests that were setting wrong
credential & assignment drivers.
Change-Id: Id3b8ed63ef9a821eba5374af7ed0fd1c8d755e09

This patch is a squash between:
* I35187a857ae6e67b301d62e30525eaab75707161
* I30d759697ed42dc35f8df8e231c9e012d2762894
It entirely drops the usage of User resource dependency.
Note: since beaker jobs were failing with separated patches, we
decided to use one patchset so Beaker job can pass the CI.
Change-Id: Id69eca0ce73ba7c16aca939821234717618f5ec4
Closes-bug: #1458915
Co-Authored-By: Drew Fisher <drew.fisher@oracle.com>

This folder is not useful unless you use PKI tokens, so only
create it if we have pki setup enabled.
Change-Id: Ie0912955493164b68f9fc2cbc4690cb23f6d5c97

Use same default for paste_config on Red Hat & Ubuntu systems
RDO packaging is now using keystone-paste.ini file in /etc/keystone,
like Ubuntu. So there is no need anymore to make a distinction.
Change-Id: I3987c254bdafe9fb23266da2fff2e21d1cd0cec3

Given that not many people use pki tokens and they're going to be
deprecated sometime in the next few releases, we will default this value
to false.
Change-Id: If0ea3e575f04f9d486eb1483c3e8ec07181bf015

The keystone documentation highly recommends disabling the admin_token
authentication after the initial bootstrap because it exposes a major
attack vector. This patch adds a new class,
keystone::disable_admin_token_auth, which uses ini_subsetting to remove
the admin_token_auth keyword from the pipeline lists.
After the first puppet run, users who use this class with the default
values will need to provide some other way for puppet to authenticate
to keystone. The keystone providers can all read from /root/openrc or
from OS_* environment variables. The openstack_extras::auth_file class
can be used to create the openrc file.
This class must be declared after the main keystone class because it
uses the restart_keystone exec from the main class. This patch moves
this exec out of the $default_domain conditional so that it is
available to reference from the keystone::pipeline class. This is safe
to do because it is a refreshonly exec, so even though it is
unconditionally declared, it will only be activated if the default
domain resource activates it, or the keystone::disable_admin_token_auth
class activates it, or both. It will only restart keystone once no
matter how many times it is activated.
Change-Id: If8a7e1639189f46e16fc996fd7919eb784d24971
Depends-On: Idc3b938e37b792636ec7c2702bf8429467b78d66

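The edit the commit above describes is a small, mechanical change to keystone-paste.ini: drop the admin_token_auth filter from every pipeline list while leaving the filter definition and the rest of the file untouched. The following is an added example and not code from puppet-keystone: the Puppet class uses ini_subsetting, and this reimplements the same edit in plain Python so the before/after state can be inspected and audited. The sample paste file is constructed for the example (a trimmed subset of a typical keystone-paste.ini layout), and the function and helper names are the example's own.

```python
"""Remove the admin_token_auth filter from keystone-paste.ini pipelines.

Added example (not puppet-keystone code). Mirrors the effect of the
keystone::disable_admin_token_auth class: every [pipeline:*] section's
"pipeline = ..." value loses the admin_token_auth token, everything else
in the file is preserved byte for byte, and the edit is idempotent.
"""
import re

# Constructed sample: three pipelines, all still carrying admin_token_auth
# after the initial bootstrap. Not copied from a real deployment.
SAMPLE_PASTE_INI = """\
[filter:admin_token_auth]
use = egg:keystone#admin_token_auth

[pipeline:public_api]
pipeline = sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension public_service

[pipeline:admin_api]
pipeline = sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension s3_extension admin_service

[pipeline:api_v3]
pipeline = sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
"""

FILTER_NAME = "admin_token_auth"

_SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
# Only the "pipeline" key inside a [pipeline:*] section is rewritten.
_PIPELINE_KEY_RE = re.compile(r"^(\s*pipeline\s*=\s*)(.*)$")


def pipelines_using(ini_text, filter_name=FILTER_NAME):
    """Audit helper: names of [pipeline:*] sections whose pipeline list
    still references filter_name. An empty list means the filter is
    disabled everywhere."""
    found = []
    section = None
    for line in ini_text.splitlines():
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1).strip()
            continue
        km = _PIPELINE_KEY_RE.match(line)
        if section and section.startswith("pipeline:") and km:
            if filter_name in km.group(2).split():
                found.append(section)
    return found


def remove_filter_from_pipelines(ini_text, filter_name=FILTER_NAME):
    """Return (new_text, changed_sections).

    Walks the file line by line, tracking the current section, and drops
    filter_name from the whitespace-separated pipeline list of every
    [pipeline:*] section. Comments, blank lines, other keys and the
    [filter:...] definition itself are left exactly as they were.
    """
    out = []
    changed = []
    section = None
    for line in ini_text.splitlines():
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1).strip()
            out.append(line)
            continue
        km = _PIPELINE_KEY_RE.match(line)
        if section and section.startswith("pipeline:") and km:
            prefix, value = km.groups()
            parts = value.split()
            if filter_name in parts:
                parts = [p for p in parts if p != filter_name]
                changed.append(section)
                line = prefix + " ".join(parts)
        out.append(line)
    new_text = "\n".join(out)
    if ini_text.endswith("\n"):
        new_text += "\n"
    return new_text, changed


if __name__ == "__main__":
    print("before:", pipelines_using(SAMPLE_PASTE_INI))
    hardened, changed = remove_filter_from_pipelines(SAMPLE_PASTE_INI)
    print("changed:", changed)
    print("after:", pipelines_using(hardened))
    print(hardened)
```

The pipelines_using() helper doubles as a post-deployment check: run it against the live keystone-paste.ini and expect an empty list once the class has been applied and keystone restarted. As the commit notes, once this is done Puppet itself needs another credential source (an openrc file or OS_* variables) for its keystone providers.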
This patch adds a new admin_bind_host setting to the
keystone::wsgi::apache class. This setting is important
for users who may use different (local) bind IPs
for the public and admin APIs.
This was previously possible when running Apache under
eventlet and is important to deployment tools like
TripleO which make use of these settings.
Change-Id: I22a348c298ff44f616b2e898f4872eddea040239

We need to configure rabbit_ha_queues = True only if we have
more than 1 RabbitMQ host. If we have one RabbitMQ host we need to
set rabbit_ha_queues = False.
We also need to use one pattern for configuration of this parameter
for different OpenStack components.
Change-Id: I6f25905b000494264cacbd13ba74daba538c6cf7
Closes-Bug: #1470054

The code matching the existing endpoints did not take the region into
account. This was giving random results and messing up the catalog
badly.
This code fixes this and adds associated rspec checks.
Closes-Bug: #1535939
Change-Id: If1cdf30c37194b3a7b08bf85860cf7fb7266f6e1

In keystone::roles::admin, admin_project_domain and admin_user_domain
are not applied to the admin role. This results in errors when
applying the role as it uses the "Default" domain in
keystone_user_role:
    class { '::keystone::roles::admin':
      email                => 'marcus@aptira.com',
      password             => $admin_password,
      admin                => 'admin',   # username
      admin_tenant         => 'admin',   # project name
      admin_user_domain    => 'admin',   # domain for user
      admin_project_domain => 'admin',   # domain for project
    }

    Error: /Stage[main]/Keystone::Roles::Admin/Keystone_user_role[admin@admin]: Could not evaluate: No project admin with domain Default found

This patch adds the admin_project_domain and the admin_user_domain to the
role.
Change-Id: Ia3f899dfb78b0887f31ee82d6b21d2fb2536ad84
Closes-Bug: #1533913

Implements blueprint keystone-domain-configuration
Adds a provider able to configure multiple domains and two parameters in
keystone class to setup a working multi-domains configuration.
The keystone_config type has been refactored into a mixin to be shared
by keystone_config and keystone_domain_config.
The provider, even though it is inheriting from openstack_config (and
not keystone_config because it hard codes the path), has required more
new code. The problem is that we have several configuration files to
work with (one per domain) which is unusual.
The self.prefetch method is required to check the current catalog. If
it's changing the Keystone_config[identity/domain_config_dir] we take it
directly into account without the need for another run.
Keystone_config[identity/domain_config_dir] configuration and the
associated directory are autorequired.
Change-Id: I5e4b298460ee592640af59ac9dcbefa3daf98098

This change adds the ability to manage the cache memcache servers.
Previously we were enabling the cache if memcache servers were set but
improperly configuring the cache configuration options for keystone.
The memcache servers were being set for memcache/servers but
the cache configuration looks at cache/memcache_servers for its server
list. With this change we are adding a cache_memcache_servers parameter
to allow configuring cache/memcache_servers. We are continuing to
use the memcache_servers as the default if cache_memcache_servers is not
provided.
Additionally we are allowing the manual enabling and disabling of the
cache configuration but will fall back to the previous behaviour
of enabling the cache if memcache servers are specified.
New parameters are:
- cache_memcache_servers
- cache_enabled
Change-Id: I6f86c7f8f55a6f7a7e8caa922c55e618fec8e392
Closes-Bug: #1523393

A recent change [1] made Keystone_endpoint matching service by name/type.
This change added a warning if endpoints were not created with a default
service.
The way this new feature was added is problematic because we had
warnings by default, since all Puppet modules use this define, so it
introduced a poor user experience.
This patch makes sure a service type is configured with the new way in
the keystone::resource::service_identity function, when creating
endpoint.
For backward compatibility, when no service type is specified, we now have a
conditional that sends a warning if no service type is set but still
create the endpoints.
For the service management, it adds the service type with the new way,
so we don't have any warning by default.
So from this patch, we don't have this kind of warning by default:
/Keystone_endpoint[RegionOne/keystone]/type: Support for a endpoint
without the type set is deprecated in Liberty. It will be dropped in
Mitaka
[1] http://git.openstack.org/cgit/openstack/puppet-keystone/commit/?id=0a4e06abb0f5b3f324464ff5219d2885816311ce
Closes-Bug: #1528308
Change-Id: I6e411d8f81c7ae5c768d85a236c0942d265c74dd

Rely on packaging dependencies to avoid issues caused by different
package names between Fedora and RHEL (python-PyMySQL vs python2-PyMySQL).
https://review.openstack.org/#/c/245229/4/spec/classes/neutron_db_spec.rb
includes all the discussion that led to this.
Change-Id: Iff047fab81f620f8df5a40296d23203461949546

This option is the entrypoint for the policy backend driver
in the keystone.policy namespace.
Adding below parameter:
policy/driver
Change-Id: Ie1b957f18517591a7ecd4635f907d6f56750beb7

Switch to $::os_service_default all params in logging and db.
Changes: logging.pp, db.pp and tests.
Related-bug: #1515273
Change-Id: Ib84dceafb032747adc1d8b6e56bd01e89aa802cb

This patch implements the class to configure Keystone
as a Service Provider. It covers only Keystone as SP
for K2K (Protocol is SAML and module is Shibboleth)
On Debian based systems:
1- Configure keystone.conf
2- Install Shibboleth
3- Reconfigure the selected Keystone VirtualHost on Apache.
On RedHat based systems:
1- Configure keystone.conf
2- Reconfigure the selected Keystone VirtualHost on Apache.
Note: Step 2 will only execute if the user has added the extra repository
or installed shibboleth.
(About the extra repository, see:
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLinuxRPMInstall)
Implements: blueprint enabling-federation
Change-Id: I32a1487c7674605124e6d0b182fe38ea4b58de87

Currently most of the tests in keystone_db_mysql_spec.rb aren't checking
anything, they're just setting up the framework. This patch will add test
coverage for mysql.
Change-Id: Ieb497d7ebeb0ddc145a53548500b02fbc10399ca

Add ability to use python-pymysql library
as backend for MySQL connections.
Switch acceptance tests on pyMySQL usage.
Docs: https://wiki.openstack.org/wiki/PyMySQL_evaluation
Change-Id: I52447482f15a1c075566c7596ce7c5465446fb5a

"revoke_id" param was added for fernet tokens
configuration. It revokes token by token identifier.
Setting revoke_by_id to true enables various forms
of enumerating tokens.
Change-Id: I645cd591f1018a9a595d8f738a782f64c0a984a4

The tenant parameter was made deprecated in Kilo and to be removed in Liberty:
see bug/1472437 and corresponding patch.
This patch removes the tenant parameter from the keystone_user provider and the
manifests using it.
From now on, a user is assigned to a project (tenant) through the
keystone_user_role provider.
For instance,
When using the default domain:

    keystone_user_role {'user1@project':
      ensure => present,
      roles  => ['admin'],
    }

When using non default domains:

    keystone_user_role {'user1::domain1@project1::domain2':
      ensure => present,
      roles  => ['admin'],
    }

Change-Id: I79f1bca4c67a4c92234431b2ae867933172a1ebe
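The two commits above (the keystone::roles::admin domain bug and the keystone_user_role title format) both turn on how a resource title like 'user1::domain1@project1::domain2' is split into user, user domain, project and project domain, and on which domain is assumed when one is omitted. The following is an added example in Python and not the puppet-keystone provider's own code: it parses and rebuilds that title format so the scoping can be checked before it reaches Keystone. The default-domain name "Default" is an assumption taken from the error message quoted in the admin-role bug above, and the class and function names are the example's own.

```python
"""Parse and build keystone_user_role resource titles.

Added example, not puppet-keystone code. Title grammar as shown on the
page:  user@project                      (both in the default domain)
       user::udomain@project::pdomain    (explicit domains)
Either side may carry its own domain independently.
"""
from dataclasses import dataclass

# Assumed name of Keystone's default domain (the bug report above shows
# "domain Default" being used when no domain is given).
DEFAULT_DOMAIN = "Default"


@dataclass(frozen=True)
class UserRoleTitle:
    user: str
    user_domain: str
    project: str
    project_domain: str


def _split_scoped(name, what):
    """Split 'name::domain' into (name, domain); no '::' means the
    default domain. Empty pieces are rejected so a typo such as
    'user1::@project' cannot silently fall back to the default."""
    if "::" in name:
        base, domain = name.split("::", 1)
    else:
        base, domain = name, DEFAULT_DOMAIN
    if not base or not domain:
        raise ValueError("%s part %r must be 'name' or 'name::domain'" % (what, name))
    return base, domain


def parse_user_role_title(title):
    """Turn a keystone_user_role title into its four components.

    The split is on the LAST '@' so a user name that is an e-mail address
    ('alice@example.org@project') still parses; project names are not
    expected to contain '@'.
    """
    if "@" not in title:
        raise ValueError("title %r must look like user@project" % title)
    user_part, project_part = title.rsplit("@", 1)
    user, user_domain = _split_scoped(user_part, "user")
    project, project_domain = _split_scoped(project_part, "project")
    return UserRoleTitle(user, user_domain, project, project_domain)


def build_user_role_title(user, project,
                          user_domain=DEFAULT_DOMAIN,
                          project_domain=DEFAULT_DOMAIN):
    """Inverse of parse_user_role_title. Each side is written in the short
    form when it lives in the default domain, matching the page's
    examples; a non-default domain is always spelled out."""
    if not user or not project:
        raise ValueError("user and project must be non-empty")
    left = user if user_domain == DEFAULT_DOMAIN else "%s::%s" % (user, user_domain)
    right = project if project_domain == DEFAULT_DOMAIN else "%s::%s" % (project, project_domain)
    return "%s@%s" % (left, right)


if __name__ == "__main__":
    for t in ("user1@project", "user1::domain1@project1::domain2", "admin@admin"):
        parsed = parse_user_role_title(t)
        print(t, "->", parsed, "->", build_user_role_title(
            parsed.user, parsed.project, parsed.user_domain, parsed.project_domain))
```

Running the third sample title through the parser shows the bug's root cause directly: 'admin@admin' scopes both user and project to the default domain, so a manifest that created them in domain 'admin' must emit 'admin::admin@admin::admin' for the role to resolve.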