This class combines the keystone-manage bootstrap command
from init, the keystone::endpoint functionality that manages
the keystone endpoints and the keystone::roles::admin class
that manages users and projects.
This is one of the steps to make sure we only have a single
point of entry for bootstrapping (keystone-manage bootstrap)
and then only managing resources after that.
This is especially required since we are getting rid of the
admin token and cannot manage resources before keystone-manage
bootstrap has created the user, project, service and endpoints
for us.
These resources should always be in the default domain and
deployments should manage domain specific configuration themselves
using the provider resources.
This class uses the default values from the keystone-manage
bootstrap command.
In the past puppet-keystone has always created an openstack project
that is assumed as an admin project even though the bootstrap command
creates the admin project. Since this uses the default values from
the bootstrap command we should move away from having an openstack
project. If we need that in testing, it should be created there and
not in the default deployment.
Depends-On: https://review.opendev.org/#/c/698528/
Change-Id: I683fcdd743bddf6d4e989dd7e7c553db745934db

Keystone removed support for writable ldap support in Ocata. We should
remove these configs from the examples and the specification so that it
doesn't give the impression the functionality is still supported. It
also cleans up the configuration a little bit.
Relevant release notes that advertise the removal:
https://docs.openstack.org/releasenotes/keystone/ocata.html#relnotes-11-0-0-origin-stable-ocata-other-notes
Change-Id: I83da28d3988960252708c60ce53fe36f34ee4204

python-ldap follows/chases referrals with anonymous access but
this is disabled by default in Active Directory. There is an
argument to set this to default to disabled but for the moment
just present an option for the user to choose.
For further information see:
https://access.redhat.com/solutions/2309891
Change-Id: I83ff3186ecced663a30a028e153f9259427fa13d
Signed-off-by: Christopher Brown <snecklifter@gmail.com>

Option "verbose" from group "DEFAULT" is deprecated for removal.
The parameter has no effect.
- Deprecated verbose for logging and init
- Remove verbose in examples and README
- Remove verbose from tests.
If this option is not set explicitly, there is no such warning.
Change-Id: I2f554c07f71458894aaa5d8079285ac92d0f04a3

Instead of using long backend/drivers name, use short name and stevedore
will load plugins for us.
It will prevent this kind of message in logs:
Failed to load 'keystone.catalog.backends.sql.Catalog' using stevedore:
No 'keystone.catalog' driver found,
Also clean up unit and functional tests that were setting wrong
credential & assignment drivers.
Change-Id: Id3b8ed63ef9a821eba5374af7ed0fd1c8d755e09

This enables the user to inject multiple ldap backend configurations into
keystone.
Currently the ldap configuration is modeled through a class and injected
inside keystone.conf. In a multiple domains environment, this prevents
the user from creating a ldap configuration by domain.
A deprecation warning is added to the current ldap class. This class is
not using the define as doing so would automatically trigger a restart
of the keystone server. This would be unexpected by the openstack
operator and would certainly be seen as a bug. This implies a lot of code
duplication but is required to make a smooth transition.
Change-Id: I75307d4a04510d8ba1a24663b1724849ea5b48f5