66 Commits

Author SHA1 Message Date
Takashi Kajinami
d72accf703 Expose policy_default_rule
The option has been managed by the underlying puppet-oslo module but
has not been configurable. This introduces the parameter to customize
the option.

Change-Id: Iac1ebf8af8900e9e351ef359f1c5c2e4c1704d00
2023-01-23 14:43:31 +09:00
Takashi Kajinami
b9c8d0a2aa Switch to Ubuntu Jammy (22.04)
... because Focal no longer supports the recent releases such as Zed.

Change-Id: I38e3eb00de72afe761e6b278881437753e83ecd5
2023-01-15 22:34:46 +09:00
Takashi Kajinami
d34f26c319 Add Apache WSGI logging parameters for pipe/syslog
Add parameters for advanced logging configurations in Apache to
support piped logging and support for syslog (via mod_syslog
available in Apache >= 2.5.0)

Co-Authored-By: Andy Botting <andy@andybotting.com>
Change-Id: If07cac9bc41d173baeadbefb4dad3612c32ee369
2022-08-26 17:46:20 +09:00
Takashi Kajinami
5d3e8252d6 Expose headers option of apache::vhost
The headers option in apache::vhost is required in some cases, for
example when adding the X-XSS-Protection header. This change allows
customizing the option for the api vhost.

This change also adds support for request_headers so that both request
headers and response headers can be customized.

Change-Id: Ie5f2669a8686a3546b652251881615e0e18bf433
2022-07-01 11:37:02 +09:00
Takashi Kajinami
ff956c7a5b Remove deprecated parameters for websocket service user
... because these parameters were deprecated during Yoga cycle[1] and
have had no effect since then.

[1] 7eeb46e04d

Change-Id: I6b2ee2e3e9fb633f5f3c6fa9b2e4106e5430484e
2022-06-19 22:04:51 +09:00
Takashi Kajinami
d3e8ce069a Remove support for CentOS 8 Stream
... because RDO will provide packages for only CentOS Stream 9 for Zed
release. This change removes RHEL 8 as well.

Depends-on: https://review.opendev.org/843503
Change-Id: I41a09ca923b887e428a75a788cbe4e047ccf26e0
2022-06-01 14:08:08 +09:00
Takashi Kajinami
f25c60a03b Fix missing updates of deprecated parameters
This is a follow-up of 7eeb46e04d and fixes
the following two points.
 - tenant_name is deprecated but a proper warning message is missing
 - password is deprecated and now is optional, but it is still
   validated

Closes-Bug: #1973315
Change-Id: I169d42dee4896843e55d4989dc440ad7e7c7ec94
2022-05-13 11:58:47 +00:00
Takashi Kajinami
411e1ea3fe apache+mod_wsgi: Disable SSL by default
During the previous cycle, a warning message was added to inform users
of this change.

Now the default value is updated so that SSL is disabled by default.

Change-Id: I17cd1a7adcc09168d3f53f44787858ef1d89a0a7
2022-05-06 22:21:32 +09:00
Takashi Kajinami
263f4ae329 Add CentOS/RHEL 9 to supported operating systems
... because these operating systems are now verified by unit tests and
integration tests.

Change-Id: I26f192685973a8e721ef52e7a7c3bb45478a275f
2022-02-23 01:39:57 +09:00
Takashi Kajinami
4026124a72 Add socket keepalive options for the pymemcache backend
This patch specifies a set of options required to set up the socket
keepalive feature of pymemcache (dogpile.cache) cache backend.

Original oslo.cache change:
https://review.opendev.org/c/openstack/oslo.cache/+/803716

Co-Authored-By: Grzegorz Grasza <xek@redhat.com>
Depends-On: https://review.opendev.org/807851
Change-Id: I683f1328ab68839b4877e91513cae206656a6ad2
2022-01-27 20:40:17 +09:00
Zuul
067273d60b Merge "Disable the zaqar-messaging service user" 2022-01-05 03:03:40 +00:00
Takashi Kajinami
fe7da441a6 Accept system scope credentials for Keystone API request
This change is the first step to support secure RBAC and allows usage
of system scope credentials for Keystone API request.

This change covers the following two items.
 - assignment of system scope roles to system user
 - credential parameters for authtoken middleware

Depends-on: https://review.opendev.org/804325
Change-Id: I2a54b0d0c03a98b3fe7a3a4a28051247eea7e70a
2022-01-03 15:28:31 +09:00
Takashi Kajinami
7eeb46e04d Disable the zaqar-messaging service user
The zaqar::keystone::auth_websocket class has been added to create
an independent keystone endpoint for websocket service but the service
user created by the class has never been used.
This change disables the logic to create the user and the associated
resources like roles and projects, so that only required resources are
created.

Change-Id: Iaa0042acb9fda198f10e6067523301bfd08bf249
2022-01-03 15:15:54 +09:00
Takashi Kajinami
e9a86ec687 Add support for [storage] topic_pipeline
Change-Id: Ia4e80a1e0365aeb9d8f010296c6391aa747d29ba
2021-11-16 10:09:33 +09:00
Takashi Kajinami
484d14fb2c Add support for Redis management store driver
Change-Id: I29b7a7e16ea1f8a2b5a80bb44cdd8e902a3b3350
2021-11-09 13:24:41 +00:00
Takashi Kajinami
f88fa279bb Prepare to update default of <service>::wsgi::apache::ssl
Currently the <service>::wsgi::apache::ssl parameters have inconsistent
default values. Some parameters default to true while the others default
to false.

Based on the following points, false is considered to be the more
reasonable default.
 - Usage of SSL is optional and is not always required
 - There are other methods (like load-balancer) to implement SSL
   termination
 - Enabling SSL doesn't work with the default values currently
   defined, and requires additional parameters like ssl_cert.
 - false is the default value defined in the base implementation in
   puppet-openstacklib.

This change is the preparation to change the default value, and
introduces a warning message to make users aware of the future change.

Change-Id: I96bae290b599f65b3b03fc5efb8bce3c0459f13a
2021-11-03 21:06:26 +09:00
ZhongShengping
17078f0478 Add watch_log_file option
Add support for using the logging handler designed to watch the file system.

Change-Id: I3e9479610eb3ff02cd08afefd4b6e411f8fd2812
Closes-Bug: #1943212
2021-09-14 16:02:09 +08:00
Takashi Kajinami
9c04deee7f Allow purging policy files
This change introduces the new purge_config parameter to the policy
class so that any policy rules not managed by puppet manifests can be
cleared.

Co-Authored-By: Martin Schuppert <mschuppert@redhat.com>
Depends-On: https://review.opendev.org/802305
Change-Id: I7e453f3abf08e13d2366ea68af1ce859a88e8448
2021-09-04 22:22:37 +09:00
Takashi Kajinami
dfe0e42f86 Add support for oslo.cache options
Neutron uses oslo.cache options for caching. This change adds support
for the options implemented in the library.

Change-Id: I8d9930c80c65867ebd220153c20d06cdab0a47b5
2021-08-23 14:37:52 +09:00
Zuul
06ff76d602 Merge "Add support for [cors] options" 2021-07-04 21:56:02 +00:00
Takashi Kajinami
4aa042d69b Add support for [cors] options
Change-Id: Ia30208b782787bd528f1c1be4883b53476a8456f
2021-07-01 18:28:47 +09:00
Takashi Kajinami
e1b0c4eaa1 Drop Fedora support
Fedora support is never tested, and has been unmaintained for a while.
Because we don't expect any actual user using OpenStack on Fedora, this
change drops support for Fedora directly.

Change-Id: I9ec4a576b576b6eea50a81846f1590ece73350d9
2021-06-15 11:34:09 +00:00
Takashi Kajinami
8b7287cfab Add support for oslo_policy/enforce_new_defaults
Depends-on: https://review.opendev.org/781428
Change-Id: Iface46d749bc237e1df2eaa3ed47c0b2211eacbf
2021-03-24 18:28:47 +09:00
Takashi Kajinami
58ccef2a9c Add support for the oslo_policy/enforce_scope parameter
Depends-on: https://review.opendev.org/#/c/759008/
Change-Id: Ibdebe7a447dedbcf16ab9a27a0cc7ac38df4f4c4
2021-03-16 18:46:26 +09:00
Takashi Kajinami
1feab68bfa Use yaml instead of json for policy file
Because usage of json for policy file will be deprecated and replaced
by yaml[1].

[1] https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html

Depends-on: https://review.opendev.org/769647
Change-Id: I44aefbc366b549ad7ad73391a5d41cd151a66f62
2021-01-07 23:07:38 +00:00
ZhongShengping
6c5b691a85 Allow db sync timeouts to be configurable
As OpenStack projects continue to have longer database migration
chains, the Puppet default timeout of 300 seconds for an execution
is becoming too short a duration on some hardware, leading to timeouts.
As projects continue to add more migration scripts without pruning
the base, timeouts will continue to become more frequent unless
this time can be expanded.

Change-Id: I4a3941c5a21560c6246d22e89d4566dcdc95bfd6
Closes-Bug: #1904962
2020-11-23 09:27:52 +08:00
Takashi Kajinami
010790e3c1 Add support for the keystone_authtoken/service_type parameter
Change-Id: If76bf361fe554761729fc16bacf9c3ca1d959bfa
2020-11-03 17:40:59 +09:00
Takashi Kajinami
a6eae2f39e Add support for the interface parameter in authtoken middleware
This patch adds support for [keystone_authtoken] interface parameter,
so that operators can define which endpoint should be used by authtoken
middleware.

Change-Id: I74d848da4f2e923f224786fd55b35cb063bb59a1
2020-07-09 15:34:36 +09:00
Takashi Kajinami
58bb3d444f Add support for service_token_roles in authtoken
Add support for service_token_roles in authtoken middleware, so that
we can customize roles assigned to users, which use service user token
feature.

Change-Id: I4376f16e11e9749e55ad36a124777ea0d8686e45
2020-02-16 21:22:35 +09:00
ZhongShengping
84e31f0c3d Remove deprecated pki related options
The deprecated pki related options check_revocations_for_cached and
hash_algorithms have been removed.

Change-Id: I1b9c60080b1fefe82bec1ebff4158c0586869d79
2019-08-15 11:51:37 +08:00
ZhongShengping
6a13cb3e84 Add openstackclient installation to the client class
The repo is inside the openstackclient plugin commands[1].

[1]https://docs.openstack.org/python-openstackclient/latest/cli/plugin-commands.html

Change-Id: I6e99e240e75fd4cfa9ec94b0587e46668e1b259e
2019-05-17 16:31:22 +08:00
ZhongShengping
aed1d7264f Add log_file parameter
Change-Id: I958a8b28e9874be81036e6f84c89a276bf512e6d
Closes-Bug: #1819417
2019-03-12 10:37:40 +08:00
Zuul
0cf3f10ac9 Merge "Add release note about Ubuntu py3 upgrade" 2019-02-25 17:23:49 +00:00
Tobias Urdin
bd806884c8 Add release note about Ubuntu py3 upgrade
Change-Id: Ia7fdf94022e955af88abbe1329f8bf08278e45c7
2019-02-24 00:14:03 +01:00
ZhongShengping
7640153684 Service_token_roles_required missing in the server config file
Service_token_roles_required missing in the server config file which
allows backwards compatibility to ensure that the service tokens are
compared against a list of possible roles for validity.

Change-Id: I751b3a94c3aac7a0faf638afea0168769589b71d
Closes-Bug: 1778198
2019-02-15 10:03:11 +08:00
Tobias Urdin
b6ed758a78 Use puppet 4 compatible mysql functions
These were introduced in 6.0.0 and are required to
support later versions of puppetlabs-mysql.

Change-Id: I4978e2706e983735f37f5441efbc6b1c8d8fd053
2019-02-08 12:31:52 +01:00
Zuul
1aee71c6e3 Merge "Remove deprecated logging" 2018-12-07 13:09:46 +00:00
Tobias Urdin
4d35451f8c Remove deprecated logging
Change-Id: Ieeff7fa6726f9398383d93ab50f8e864a3f9d8c5
2018-11-29 11:10:06 +01:00
Tobias Urdin
00c52b2fba Remove auth_uri
Change-Id: I922316436583432ac705379ff68cb6247b27aba2
2018-11-29 00:33:04 +01:00
ZhongShengping
84c8ba02af Deprecate pki related options
check_revocations_for_cached and hash_algorithms are deprecated for
removal because the PKI token format is no longer supported.
Update warning message and add a release note.

Change-Id: I0ad17b24278372f9f3648450f23957413a1f40d3
Closes-Bug: #1804562
Closes-Bug: #1804720
2018-11-23 10:24:14 +08:00
ZhongShengping
19dc2c1e2f Deprecate auth_uri option
Option auth_uri from group keystone_authtoken is deprecated[1].
Use option www_authenticate_uri from group keystone_authtoken.

[1]https://review.openstack.org/#/c/508522/

Change-Id: Icf6c42182b10cdfb07461923f7fd41fccb0f9013
Depends-On: I4c82a63baabd6b9304b302c97cd751a0103d8316
Closes-Bug: #1759098
2018-04-03 16:55:05 +08:00
ZhongShengping
afbc7455bb Remove deprecated keystone authtoken revocation_cache_time option
Change-Id: I6e864bc01bcdd61172906d42e37661f5e3dfc66f
2018-03-27 10:33:24 +08:00
ZhongShengping
d2891b9670 Add 'openstack-db' tag to db-sync Exec resource
In order to make easy orchestration on all OpenStack db-sync, add this
tag so people can use this tag in composition layer.
A use case is to set some orchestration to make sure MySQL Galera is
ready before running any Exec with this tag.

Change-Id: I468f796bc344f91510e977dd07cfd563174c66dd
Closes-Bug: #1755102
2018-03-12 16:33:11 +08:00
ZhongShengping
55d6e99e93 Add use_journal option for logging configuration
This enables oslo.log to pass logging records to journald.

Change-Id: I37a497fd795eba5b7fb350a044bdb31e46a90ae6
2018-01-15 17:40:19 +08:00
Juan Antonio Osorio Robles
67e70cab9b Expose use_json logging option
It enables JSON-formatted logging from oslo.log.

Change-Id: I0476f2af30761b571c342f8a7aa901ce87754611
2017-11-27 14:28:22 +02:00
ZhongShengping
a3a99c2b9c add parameter to overwrite/add wsgi process options
Add parameter to apache_wsgi to allow overwrite
and/or add additional wsgi process options.

This possibility was added to openstacklib
with Change-Id: I41914ce3361988d5db1695f09d21209772fdf548
lease enter the commit message for your changes. Lines starting

Change-Id: Ibb04420a730bb0fdccc30fe6e81d4b0f5fc6ebc2
2017-10-23 14:16:14 +08:00
ZhongShengping
200fe99e63 Deprecate revocation_cache_time option
The revocation_cache_time is deprecated for removal because the PKI
token format is no longer supported.
Update warning message and add a release note.

Change-Id: Ib7caf25e92ebc2dc11ddc3b952da2f2c9ff616cb
Closes-Bug: #1717144
2017-09-14 12:26:58 +08:00
Thomas Herve
a868904ac0 Add support for redis message store
This adds a new class to set up redis as the messaging backend.

Change-Id: I0ef259f2dfcc661a30b5a55c23eac3eb1240f462
2017-08-30 21:41:32 +02:00
ZhongShengping
673da3b664 Remove deprecated keystone authtoken signing_dir option
Change-Id: I7127fa24716b12f44e77f76dda83952a4b73efc2
2017-07-07 10:01:29 +08:00
Thomas Herve
d1e35d4e6b Fix db-sync
This fixes the command used to sync zaqar database.

Change-Id: I9e57885796a6ba2efe8d7a16528d582163ae896a
2017-03-07 22:14:59 +01:00