From f65e91899010ac7535e6dad00c766452e2642986 Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Wed, 5 Jan 2022 09:48:29 +0900 Subject: [PATCH] Enable notification from Keystone when Barbican is enabled Barbican, especially the barbican-keystone-listener service, consumes notifications from Keystone so that secrets associated with deleted users are purged. This change ensures notification is enabled in Keystone when Barbican is enabled to use that feature properly. Conflicts: deployment/keystone/keystone-container-puppet.yaml Closes-Bug: #1956400 Change-Id: I9322cd2a2f274daba1d02d5bf98e5abbca795df0 (cherry picked from 3a04690cda3332b539445d07ff2f24f7425796af) --- deployment/keystone/keystone-container-puppet.yaml | 13 ++++++++++++- environments/services-baremetal/barbican.yaml | 3 +++ environments/services/barbican.yaml | 3 +++ ...ystone-notification-driver-0c71165430eb57ef.yaml | 7 +++++++ 4 files changed, 25 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/keystone-notification-driver-0c71165430eb57ef.yaml diff --git a/deployment/keystone/keystone-container-puppet.yaml b/deployment/keystone/keystone-container-puppet.yaml index 34bc2f0914..5c7cb717f1 100644 --- a/deployment/keystone/keystone-container-puppet.yaml +++ b/deployment/keystone/keystone-container-puppet.yaml @@ -181,6 +181,12 @@ parameters: type: comma_delimited_list default: 'noop' description: Driver or drivers to handle sending notifications. + KeystoneNotificationDriver: + type: comma_delimited_list + default: [] + description: | + Driver or drivers to handle sending notifications. This parameter is + specific to Keystone. KeystoneEnableDBPurge: default: true description: | 
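Review bot: The description of the new `KeystoneNotificationDriver` parameter does not say what the empty default `[]` means. Judging by the `if` added under `outputs` later in this file, an empty list makes Keystone fall back to the global `NotificationDriver`, and an operator reading only the parameter text cannot tell that. I would append one sentence to the description: `When left empty, the value of NotificationDriver is used for Keystone.` The `parameters` section begins and continues outside this hunk.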
@@ -423,6 +429,7 @@ conditions: password_regex_description_set: {not: {equals: [{get_param: KeystonePasswordRegexDescription}, '']}} unique_last_password_count_set: {not: {equals: [{get_param: KeystoneUniqueLastPasswordCount}, '']}} cors_allowed_origin_set: {not: {equals : [{get_param: KeystoneCorsAllowedOrigin}, '']}} + keystone_notification_driver_set: {not: {equals: [{get_param: KeystoneNotificationDriver}, []]}} outputs: role_data: @@ -480,7 +487,11 @@ outputs: - {get_param: KeystoneDebug} - true - {get_param: Debug } - keystone::notification_driver: {get_param: NotificationDriver} + keystone::notification_driver: + if: + - keystone_notification_driver_set + - {get_param: KeystoneNotificationDriver} + - {get_param: NotificationDriver} keystone::notification_format: {get_param: KeystoneNotificationFormat} tripleo::profile::base::keystone::extra_notification_topics: {get_param: KeystoneNotificationTopics} keystone_enable_db_purge: {get_param: KeystoneEnableDBPurge} diff --git a/environments/services-baremetal/barbican.yaml b/environments/services-baremetal/barbican.yaml index 1b067790c8..e5186ead0f 100644 --- a/environments/services-baremetal/barbican.yaml +++ b/environments/services-baremetal/barbican.yaml @@ -2,3 +2,6 @@ # Barbican with the default secret store backend. resource_registry: OS::TripleO::Services::BarbicanApi: ../../deployment/barbican/barbican-api-container-puppet.yaml + +parameter_defaults: + KeystoneNotificationDriver: messagingv2 diff --git a/environments/services/barbican.yaml b/environments/services/barbican.yaml index 1b067790c8..e5186ead0f 100644 --- a/environments/services/barbican.yaml +++ b/environments/services/barbican.yaml @@ -2,3 +2,6 @@ # Barbican with the default secret store backend. resource_registry: OS::TripleO::Services::BarbicanApi: ../../deployment/barbican/barbican-api-container-puppet.yaml + +parameter_defaults: + KeystoneNotificationDriver: messagingv2 
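Review bot: In the `keystone::notification_driver` hunk, a non-empty `KeystoneNotificationDriver` replaces the global `NotificationDriver` list for Keystone instead of extending it, and nothing in the template says so. A deployment that already set `NotificationDriver` to several drivers (for example one feeding audit collection) would lose all but `messagingv2` for Keystone events as soon as a Barbican environment file is included. If replacement is the intended design, a comment above the `if` would make that explicit: `# KeystoneNotificationDriver replaces (does not extend) NotificationDriver for Keystone`. The `role_data` config mapping starts and ends outside the hunk.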
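Review bot: The `parameter_defaults` entry added to `environments/services-baremetal/barbican.yaml` has no comment saying why a Barbican environment changes a Keystone setting, and the same applies to the identical hunk in `environments/services/barbican.yaml`. Because `parameter_defaults` is shared across all environment files, a later file that sets `KeystoneNotificationDriver` back to `noop` would silently stop the purge of secrets described in the commit message. A comment above the entry would warn operators: `# Required by barbican-keystone-listener to purge secrets; do not override with noop`. Whether the listener also needs a matching entry in `KeystoneNotificationTopics` cannot be determined from these hunks and is worth confirming.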
diff --git a/releasenotes/notes/keystone-notification-driver-0c71165430eb57ef.yaml b/releasenotes/notes/keystone-notification-driver-0c71165430eb57ef.yaml
new file mode 100644
index 0000000000..ecac7ddaf6
--- /dev/null
+++ b/releasenotes/notes/keystone-notification-driver-0c71165430eb57ef.yaml
@@ -0,0 +1,7 @@
+---
+features:
+ - |
+ The new ``KeystoneNotificationDriver`` parameter has been added.
+ This parameter overrides the global ``NotificationDriver`` parameter and
+ allows customizing notification driver only in Keystone, which is required
+ to use notification listner function in Barbican.