This change is the first step to support secure RBAC and allows usage
of system scope credentials for Keystone API requests.
This change covers the following three items.
- assignment of system scope roles to system user
- credential parameters for authtoken middleware
- credential parameters for service token feature
Note that the credential parameters for authtoken middleware are
used in some providers, and these providers still require a project
scope credential. This will be fixed by the subsequent change.
Depends-on: https://review.opendev.org/804325
Change-Id: Ibd7afcb121b669cf533b077b926637b092e3df19
The authtoken parameters are not managed directly but managed by
the keystone::resource::authtoken class. Thus we should avoid testing
parameters directly; otherwise any change in the resource type can
cause test failures.
Change-Id: Id460720347a7383b24b4b1c3a7c772d89d7d606d
Currently adding a new authtoken parameter requires changes
in nearly 30 different puppet projects. For options without defaults,
defining these individually in each puppet-* project doesn't
appear to add any value since validation is already happening
in the keystone::resource::authtoken class.
This change adds a params parameter which is a hash of options to
pass through to the authtoken resource. The individual params are
still used as defaults, but any keys set in the params hash override
them. I propose deprecating these individual parameters in a future
commit.
Depends-On: https://review.opendev.org/#/c/743858/
Change-Id: I695834ac03a52d8569e50db600676a89e165491d
This patch adds support for the [keystone_authtoken] interface parameter,
so that operators can define which endpoint should be used by the authtoken
middleware.
Change-Id: Ic3f9ad9d4366ec2d4279e7463fe22eb2b63eacaf
This patch introduces a new hieradata nova::keystone::auth::roles,
to configure a customized role assigned to the nova user.
This is required to configure the service token feature, as it requires
a special role to be assigned to the user who uses the feature.
Change-Id: I00021bac80d09258bf1c1c040adb835b4294df19
This patch introduces nova::keystone::service_user class
to configure parameters to enable service token feature
in Nova.
Depends-on: https://review.opendev.org/#/c/666467/
Change-Id: I0400fdbaf098121c0f5e380379b7cfb660963ddd
service_token_roles_required is missing in the server config file; it
allows backwards compatibility to ensure that the service tokens are
compared against a list of possible roles for validity.
Change-Id: I826a09ede0d15502da69cd0b48c5e54854e07f6c
Closes-Bug: 1778198
check_revocations_for_cached and hash_algorithms are deprecated for
removal because the PKI token format is no longer supported.
Update warning message and add a release note.
Change-Id: I97ba129ad72cad9554a51603d7416a0feeecb47c
Closes-Bug: #1804562
Closes-Bug: #1804720
Now that the v2.0 API has been removed, we don't have a reason to
include deployment instructions for two separate applications on
different ports.
Change-Id: Ib78b6826d1a98baeebf7455a3778555973e789bc
Option auth_uri from group keystone_authtoken is deprecated [1].
Use option www_authenticate_uri from group keystone_authtoken.
[1] https://review.openstack.org/#/c/508522/
Change-Id: I0dd36ef1f1f5dcdc57413736ecb8f2555712c36d
Depends-On: I4c82a63baabd6b9304b302c97cd751a0103d8316
Closes-Bug: #1759098
The Keystone v2.0 API was removed, so we have no choice but to configure
user_domain_name and project_domain_name; otherwise it falls back to
Keystone v2.0 and fails. This patch sets the default value so we make
sure Keystone v3 will be used out of the box for our users.
Change-Id: I372928fca38664ac0638212386d1d7c7cb7666c8
The revocation_cache_time is deprecated for removal because the PKI
token format is no longer supported.
Update warning message and add a release note.
Change-Id: I3c031b1fb99f493c7c116c75014503915670a81c
Closes-Bug: #1717144
The python-memcache package is required if using memcached. By
default the package is not installed and the define has it set to
false. This change allows managing the python-memcache package
install from the authtoken class.
Change-Id: I59ddd0cf40f00932355ae626a22ba27dfc6dab22
The signing_dir is deprecated for removal because the PKI token format
is no longer supported.
Update warning message and release note.
Change-Id: Iac54c65a5a717dbcdf5015fb606eef6a2fda4306
Closes-Bug: #1652700
In nova::keystone::authtoken, use keystone::resource::authtoken to configure
the keystone_authtoken section in nova.conf, with all parameters
required to configure keystonemiddleware.
This patch will allow deploying Nova to use Keystone v3 authentication.
Update acceptance and examples.
Some deprecations:
- nova::api::admin_tenant_name is deprecated in favor of
nova::keystone::authtoken::project_name.
- nova::api::admin_user is deprecated in favor of
nova::keystone::authtoken::username.
- nova::api::admin_password is deprecated in favor of
nova::keystone::authtoken::password.
- nova::api::identity_uri is deprecated in favor of
nova::keystone::authtoken::auth_url.
- nova::api::auth_version is deprecated in favor of
nova::keystone::authtoken::auth_version.
- nova::api::auth_uri is deprecated in favor of
nova::keystone::authtoken::auth_uri.
- nova::memcached_servers is deprecated in favor of
nova::keystone::authtoken::memcached_servers.
The patch is backward compatible and keeps default values as before.
Depends-On: I299d4c372da702232eaa7cb34b690e372f56e701
Change-Id: I32649549879f912a0f49881c244b119497cf8473
Related-Bug: #1604463