Merge "Upversioning Keystone and Barbican"

Zuul 2019-04-22 18:05:38 +00:00 committed by Gerrit Code Review
commit 33b17aba4d
28 changed files with 343 additions and 716 deletions


@ -67,6 +67,6 @@ openstack-barbican-common
openstack-barbican-keystone-listener
openstack-barbican-worker
puppet-barbican
python-barbican
python2-barbican
python2-barbicanclient
python-ldap3
python2-ldap3


@ -16,7 +16,6 @@ openstack/python-keystoneclient
openstack/python-neutronclient
openstack/python-novaclient
openstack/python-openstackdocstheme
openstack/python-oslo-service
openstack/python-oslo-messaging
openstack/python-pankoclient
openstack/rabbitmq-server


@ -1,5 +1,2 @@
TAR_NAME="keystone"
SRC_DIR="$CGCS_BASE/git/keystone"
TIS_PATCH_VER=1
COPY_LIST="$FILES_BASE/*"
TIS_BASE_SRCREV=6a67918f9d5f39564af8eacc57b80cba98242683
TIS_PATCH_VER=GITREVCOUNT+2


@ -1,2 +0,0 @@
[DEFAULT]
log_dir= /var/log/keystone


@ -1,11 +0,0 @@
/var/log/keystone/*.log {
weekly
dateext
rotate 10
size 1M
missingok
compress
notifempty
su keystone keystone
minsize 100k
}


@ -1,3 +0,0 @@
# By default, keystone starts a service on port 5000
# http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt
net.ipv4.ip_local_reserved_ports = 5000


@ -1 +0,0 @@
d /run/keystone 0700 keystone keystone -


@ -0,0 +1,34 @@
From 7feac57d571e49e042adb96738a3688c56adade0 Mon Sep 17 00:00:00 2001
From: Tyler Smith <tyler.smith@windriver.com>
Date: Mon, 8 Apr 2019 15:33:16 -0400
Subject: [PATCH 1/1] Add keyring patch
---
SPECS/openstack-keystone.spec | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/SPECS/openstack-keystone.spec b/SPECS/openstack-keystone.spec
index a20bda1..945de6d 100644
--- a/SPECS/openstack-keystone.spec
+++ b/SPECS/openstack-keystone.spec
@@ -28,7 +28,7 @@ Name: openstack-keystone
# https://review.openstack.org/#/q/I6a35fa0dda798fad93b804d00a46af80f08d475c,n,z
Epoch: 1
Version: 15.0.0
-Release: 0.2%{?milestone}%{?dist}
+Release: 0.2.el7%{?_tis_dist}.%{tis_patch_ver}
Summary: OpenStack Identity Service
License: ASL 2.0
URL: http://keystone.openstack.org/
@@ -42,6 +42,9 @@ Source3: openstack-keystone.sysctl
Source5: openstack-keystone-sample-data
Source20: keystone-dist.conf
+# STX: Include patches here
+Patch1: 0001-Rebasing-Keyring-integration.patch
+
BuildArch: noarch
BuildRequires: openstack-macros
BuildRequires: python%{pyver}-devel
--
1.8.3.1


@ -0,0 +1,2 @@
Add-keyring-patch.patch
Update-spec-with-tis-additions.patch


@ -0,0 +1,134 @@
From 7afb60e6591d9d1e6d6374a85cf516182b660815 Mon Sep 17 00:00:00 2001
From: Tyler Smith <tyler.smith@windriver.com>
Date: Mon, 8 Apr 2019 15:40:07 -0400
Subject: [PATCH 1/1] Update-spec-with-tis-additions
---
SPECS/openstack-keystone.spec | 44 +++++++++++++++++++++++++++++++++++++++----
1 file changed, 40 insertions(+), 4 deletions(-)
diff --git a/SPECS/openstack-keystone.spec b/SPECS/openstack-keystone.spec
index 945de6d..74b6ba2 100644
--- a/SPECS/openstack-keystone.spec
+++ b/SPECS/openstack-keystone.spec
@@ -12,7 +12,8 @@
%global pyver_build %py%{pyver}_build
# End of macros for py2/py3 compatibility
-%global with_doc 1
+#STX: Turn off doc building
+%global with_doc 0
%global service keystone
# guard for package OSP does not support
%global rhosp 0
@@ -42,6 +43,13 @@ Source3: openstack-keystone.sysctl
Source5: openstack-keystone-sample-data
Source20: keystone-dist.conf
+#STX
+Source99: openstack-keystone.service
+Source100: keystone-all
+Source101: keystone-fernet-keys-rotate-active
+Source102: password-rules.conf
+Source103: public.py
+
# STX: Include patches here
Patch1: 0001-Rebasing-Keyring-integration.patch
@@ -234,9 +242,9 @@ sed -i 's#/local/bin#/bin#' httpd/wsgi-keystone.conf
sed -i 's#apache2#httpd#' httpd/wsgi-keystone.conf
%build
-PYTHONPATH=. oslo-config-generator-%{pyver} --config-file=config-generator/keystone.conf
-PYTHONPATH=. oslo-config-generator-%{pyver} --config-file=config-generator/keystone.conf --format yaml --output-file=%{service}-schema.yaml
-PYTHONPATH=. oslo-config-generator-%{pyver} --config-file=config-generator/keystone.conf --format json --output-file=%{service}-schema.json
+PYTHONPATH=. oslo-config-generator --config-file=config-generator/keystone.conf
+PYTHONPATH=. oslo-config-generator --config-file=config-generator/keystone.conf --format yaml --output-file=%{service}-schema.yaml
+PYTHONPATH=. oslo-config-generator --config-file=config-generator/keystone.conf --format json --output-file=%{service}-schema.json
# distribution defaults are located in keystone-dist.conf
%{pyver_build}
@@ -251,6 +259,8 @@ PYTHONPATH=. oslo-config-generator-%{pyver} --config-file=config-generator/keyst
# Instead, ship an empty file that operators can override.
echo "{}" > policy.json
+# STX: default dir for fernet tokens
+install -d -m 750 %{buildroot}%{_sysconfdir}/keystone/credential-keys/
install -d -m 755 %{buildroot}%{_sysconfdir}/keystone
install -p -D -m 640 etc/keystone.conf.sample %{buildroot}%{_sysconfdir}/keystone/keystone.conf
install -p -D -m 640 policy.json %{buildroot}%{_sysconfdir}/keystone/policy.json
@@ -261,7 +271,8 @@ install -p -D -m 644 etc/policy.v3cloudsample.json %{buildroot}%{_datadir}/keyst
install -p -D -m 640 etc/logging.conf.sample %{buildroot}%{_sysconfdir}/keystone/logging.conf
install -p -D -m 640 etc/default_catalog.templates %{buildroot}%{_sysconfdir}/keystone/default_catalog.templates
install -p -D -m 640 etc/sso_callback_template.html %{buildroot}%{_sysconfdir}/keystone/sso_callback_template.html
-install -p -D -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/logrotate.d/openstack-keystone
+# STX: don't install a separate keystone logrotate file as this is managed by syslog-ng
+#install -p -D -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/logrotate.d/openstack-keystone
install -d -m 755 %{buildroot}%{_prefix}/lib/sysctl.d
install -p -D -m 644 %{SOURCE3} %{buildroot}%{_prefix}/lib/sysctl.d/openstack-keystone.conf
# Install sample data script.
@@ -270,6 +281,21 @@ install -p -D -m 755 %{SOURCE5} %{buildroot}%{_bindir}/openstack-keystone-sample
# Install sample HTTPD integration files
install -p -D -m 644 httpd/wsgi-keystone.conf %{buildroot}%{_datadir}/keystone/
+# STX install keystone cron script
+install -p -D -m 755 %{SOURCE101} %{buildroot}%{_bindir}/keystone-fernet-keys-rotate-active
+
+# STX: install password rules(readable only)
+install -p -D -m 440 %{SOURCE102} %{buildroot}%{_sysconfdir}/keystone/password-rules.conf
+
+# STX: install keystone public gunicorn app
+install -p -D -m 755 %{SOURCE103} %{buildroot}/%{_datarootdir}/keystone/public.py
+
+# STX: install openstack-keystone service script
+install -p -D -m 644 %{SOURCE99} %{buildroot}%{_unitdir}/openstack-keystone.service
+
+# STX: Install keystone-all bash script
+install -p -D -m 755 %{SOURCE100} %{buildroot}%{_bindir}/keystone-all
+
install -d -m 755 %{buildroot}%{_sharedstatedir}/keystone
install -d -m 755 %{buildroot}%{_localstatedir}/log/keystone
@@ -325,6 +351,10 @@ chmod 660 %{_localstatedir}/log/keystone/keystone.log
%{_bindir}/keystone-manage
%{_bindir}/keystone-status
%{_bindir}/openstack-keystone-sample-data
+# STX: add keystone-all
+%{_bindir}/keystone-all
+# STX: add Keystone fernet keys cron job
+%{_bindir}/keystone-fernet-keys-rotate-active
%dir %{_datadir}/keystone
%attr(0644, root, keystone) %{_datadir}/keystone/keystone-dist.conf
%attr(0644, root, keystone) %{_datadir}/keystone/policy.v3cloudsample.json
@@ -332,20 +362,26 @@ chmod 660 %{_localstatedir}/log/keystone/keystone.log
%attr(0644, root, keystone) %{_datadir}/keystone/%{service}-schema.json
%attr(0755, root, root) %{_datadir}/keystone/sample_data.sh
%attr(0644, root, keystone) %{_datadir}/keystone/wsgi-keystone.conf
+# STX: add openstack-keystone sysinit script
+%{_unitdir}/openstack-keystone.service
%dir %attr(0750, root, keystone) %{_sysconfdir}/keystone
%config(noreplace) %attr(0640, root, keystone) %{_sysconfdir}/keystone/keystone.conf
%config(noreplace) %attr(0640, root, keystone) %{_sysconfdir}/keystone/logging.conf
%config(noreplace) %attr(0640, root, keystone) %{_sysconfdir}/keystone/policy.json
%config(noreplace) %attr(0640, root, keystone) %{_sysconfdir}/keystone/default_catalog.templates
%config(noreplace) %attr(0640, keystone, keystone) %{_sysconfdir}/keystone/sso_callback_template.html
-%config(noreplace) %{_sysconfdir}/logrotate.d/openstack-keystone
+# STX: log rotate not needed
+#%config(noreplace) %{_sysconfdir}/logrotate.d/openstack-keystone
%dir %attr(-, keystone, keystone) %{_sharedstatedir}/keystone
%dir %attr(0750, keystone, keystone) %{_localstatedir}/log/keystone
%ghost %attr(0660, root, keystone) %{_localstatedir}/log/keystone/keystone.log
%{_prefix}/lib/sysctl.d/openstack-keystone.conf
-
+# STX: add password rules configuration
+%attr(0440, root, keystone) %{_sysconfdir}/keystone/password-rules.conf
%files -n python%{pyver}-keystone -f %{service}.lang
+# STX: public.py addition
+%{_datarootdir}/keystone/public*.py*
%defattr(-,root,root,-)
%license LICENSE
%{pyver_sitelib}/keystone
--
1.8.3.1
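Review bot: The `install -d -m 750 %{buildroot}%{_sysconfdir}/keystone/credential-keys/` line added in the %install hunk creates the key directory only in the buildroot, and none of the %files hunks in this patch lists it, so unless an entry exists outside the visible hunks the directory is not packaged with a pinned owner and mode. An explicit entry next to the other `%{_sysconfdir}/keystone` lines, for example `%dir %attr(0750, keystone, keystone) %{_sysconfdir}/keystone/credential-keys` (owner as the deployment requires), would make the permissions on key material deterministic. The comment above the install line says "fernet tokens" while the path is the credential-keys directory; `# STX: default dir for credential encryption keys` would match what is created. The %install and %files sections extend beyond the hunks shown.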


@ -1,320 +0,0 @@
%global with_doc %{!?_without_doc:1}%{?_without_doc:0}
%global service keystone
%{!?upstream_version: %global upstream_version %{version}%{?milestone}}
Name: openstack-keystone
Epoch: 0
Version: 12.0.0
Release: 1%{?_tis_dist}.%{tis_patch_ver}
Summary: OpenStack Identity Service
License: Apache-2.0
URL: https://launchpad.net/keystone/
Source0: %{service}-%{version}.tar.gz
Source1: openstack-keystone.logrotate
Source2: openstack-keystone.sysctl
Source3: openstack-keystone.tmpfiles
Source4: openstack-keystone.defaultconf
#WRS
Source99: openstack-keystone.service
Source100: keystone-all
Source101: keystone-fernet-keys-rotate-active
Source102: password-rules.conf
Source103: public.py
BuildArch: noarch
BuildRequires: openstack-macros
BuildRequires: openstack-tempest
BuildRequires: python-webtest
BuildRequires: python-bcrypt
BuildRequires: python2-devel
BuildRequires: python-fixtures
BuildRequires: python-freezegun
BuildRequires: python-lxml
BuildRequires: python-mock
# WRS: Required for debian based builds only
# use openstackdocstheme on RHEL instead
#BuildRequires: python-os-api-ref
BuildRequires: python2-openstackdocstheme
BuildRequires: python-os-testr
# Required to build keystone.conf
BuildRequires: python-oslo-cache >= 1.5.0
BuildRequires: python-oslo-config >= 2:3.9.0
BuildRequires: python-oslotest
BuildRequires: python-osprofiler >= 1.1.0
BuildRequires: python-pbr >= 1.8
BuildRequires: python-subunit
BuildRequires: python-reno
BuildRequires: python-requests
BuildRequires: python2-scrypt
BuildRequires: python-testrepository
BuildRequires: python-testresources
# Required to compile translation files
BuildRequires: python-babel
#WRS: Need these for build_sphinx
BuildRequires: tsconfig
BuildRequires: python2-pycodestyle
Requires: python-keystone = %{epoch}:%{version}-%{release}
Requires: python-keystoneclient >= 1:2.3.1
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
BuildRequires: systemd
BuildRequires: systemd-devel
BuildRequires: xmlsec1-openssl
Requires(pre): shadow-utils
%description
Keystone is a Python implementation of the OpenStack
(http://www.openstack.org) identity service API.
.
This package contains the keystone python libraries.
%package -n python-keystone
Summary: Keystone Python libraries
Group: Application/System
Requires: python-babel
Requires: python-paste
Requires: python-paste-deploy
Requires: python-PyMySQL
Requires: python-routes
Requires: python-sqlalchemy
Requires: python-webob
Requires: python-bcrypt
Requires: python-cryptography
Requires: python-dogpile-cache
Requires: python-jsonschema
Requires: python-keystoneclient
Requires: python-keystonemiddleware
Requires: python-ldappool
Requires: python-msgpack
Requires: python-oauthlib
Requires: python-oslo-cache
Requires: python-oslo-concurrency
Requires: python-oslo-config
Requires: python-oslo-context
Requires: python-oslo-db
Requires: python-oslo-i18n
Requires: python-oslo-log
Requires: python-oslo-messaging
Requires: python-oslo-middleware
Requires: python-oslo-policy
Requires: python-oslo-serialization
Requires: python-oslo-utils
Requires: python-osprofiler
Requires: python-passlib
Requires: python-pbr
Requires: python-pycadf
Requires: python-pysaml2
Requires: python-memcached
Requires: python-six
Requires: python-migrate
Requires: python-stevedore
Requires: python-ldap
%description -n python-keystone
Keystone is a Python implementation of the OpenStack
(http://www.openstack.org) identity service API.
This package contains the Keystone Python library.
%package doc
Summary: Documentation for OpenStack Identity Service
Group: Documentation
BuildRequires: python-paste-deploy
BuildRequires: python-routes
BuildRequires: python-sphinx
BuildRequires: python-cryptography
BuildRequires: python-dogpile-cache
BuildRequires: python-jsonschema
BuildRequires: python-keystonemiddleware
BuildRequires: python-ldappool
BuildRequires: python-msgpack
BuildRequires: python-oauthlib
BuildRequires: python-oslo-concurrency
BuildRequires: python-oslo-db
BuildRequires: python-oslo-i18n
BuildRequires: python-oslo-log
BuildRequires: python-oslo-messaging
BuildRequires: python-oslo-middleware
BuildRequires: python-oslo-policy
BuildRequires: python-oslo-sphinx
BuildRequires: python-passlib
BuildRequires: python-pysaml2
BuildRequires: python-memcached
BuildRequires: python2-pip
BuildRequires: python2-wheel
%description doc
OpenStack Keystone documentaion.
.
This package contains the documentation
%prep
%setup -q -n keystone-%{upstream_version}
find . \( -name .gitignore -o -name .placeholder \) -delete
find keystone -name \*.py -exec sed -i '/\/usr\/bin\/env python/d' {} \;
# Let RPM handle the dependencies
rm -f test-requirements.txt requirements.txt
# adjust paths to WSGI scripts
sed -i 's#/local/bin#/bin#' httpd/wsgi-keystone.conf
sed -i 's#apache2#httpd#' httpd/wsgi-keystone.conf
sed -i 's/^warning-is-error.*/warning-is-error = 0/g' setup.cfg
%build
#PYTHONPATH=.
# WRS: export PBR version
export PBR_VERSION=%{version}
%{__python2} setup.py build
%{__python2} setup.py build_sphinx --builder=html,man
# remove the Sphinx-build leftovers
rm -rf doc/build/html/.{doctrees,buildinfo}
# config file generation
oslo-config-generator --config-file config-generator/keystone.conf \
--output-file etc/keystone.conf.sample
# policy file generation
oslopolicy-sample-generator --config-file config-generator/keystone-policy-generator.conf --output-file etc/keystone.policy.yaml
%py2_build_wheel
%install
# WRS: export PBR version
export PBR_VERSION=%{version}
%{__python2} setup.py install --skip-build --root %{buildroot}
mkdir -p $RPM_BUILD_ROOT/wheels
install -m 644 dist/*.whl $RPM_BUILD_ROOT/wheels/
mkdir -p %{buildroot}%{_mandir}/man1
install -d -m 755 %{buildroot}%{_sysconfdir}/keystone
install -d -m 755 %{buildroot}%{_sysconfdir}/sysctl.d
install -d -m 755 %{buildroot}%{_localstatedir}/{lib,log}/keystone
install -d -m 750 %{buildroot}%{_localstatedir}/cache/keystone
install -d -m 755 %{buildroot}%{_sysconfdir}/keystone/keystone.conf.d/
# default dir for fernet tokens
install -d -m 750 %{buildroot}%{_sysconfdir}/keystone/credential-keys/
install -D -m 644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/keystone.conf
install -p -D -m 640 etc/keystone.conf.sample %{buildroot}%{_sysconfdir}/keystone/keystone.conf
install -D -m 640 %{SOURCE4} %{buildroot}/%{_sysconfdir}/keystone/keystone.conf.d/010-keystone.conf
#install -D -m 440 %{SOURCE5} %{buildroot}/%{_sysconfdir}/keystone/README.config
install -p -D -m 640 etc/logging.conf.sample %{buildroot}%{_sysconfdir}/keystone/logging.conf
install -p -D -m 640 etc/keystone-paste.ini %{buildroot}%{_sysconfdir}/keystone/keystone-paste.ini
install -p -D -m 640 etc/keystone.policy.yaml %{buildroot}%{_sysconfdir}/keystone/keystone.policy.yaml
install -p -D -m 640 etc/default_catalog.templates %{buildroot}%{_sysconfdir}/keystone/default_catalog.templates
install -p -D -m 640 etc/sso_callback_template.html %{buildroot}%{_sysconfdir}/keystone/sso_callback_template.html
# WRS: don't install a seperate keystone logrotate file as this is managed by syslog-ng
#install -p -D -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/logrotate.d/openstack-keystone
install -p -D -m 644 etc/policy.v3cloudsample.json %{buildroot}%{_datadir}/keystone/policy.v3cloudsample.json
install -p -D -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/sysctl.d/openstack-keystone.conf
install -p -D -m 644 doc/build/man/*.1 %{buildroot}%{_mandir}/man1/
# Install sample data script.
install -p -D -m 755 tools/sample_data.sh %{buildroot}%{_datadir}/keystone/sample_data.sh
# Install apache configuration files
install -p -D -m 644 httpd/wsgi-keystone.conf %{buildroot}%{_datadir}/keystone/
# WRS install keystone cron script
install -p -D -m 755 %{SOURCE101} %{buildroot}%{_bindir}/keystone-fernet-keys-rotate-active
# WRS: install password rules(readable only)
install -p -D -m 440 %{SOURCE102} %{buildroot}%{_sysconfdir}/keystone/password-rules.conf
# WRS: install keystone public gunicorn app
install -p -D -m 755 %{SOURCE103} %{buildroot}/%{_datarootdir}/keystone/public.py
# WRS: install openstack-keystone service script
install -p -D -m 644 %{SOURCE99} %{buildroot}%{_unitdir}/openstack-keystone.service
# WRS: Install keystone-all bash script
install -p -D -m 755 %{SOURCE100} %{buildroot}%{_bindir}/keystone-all
%pre
# 163:163 for keystone (openstack-keystone) - rhbz#752842
getent group keystone >/dev/null || groupadd -r --gid 163 keystone
getent passwd keystone >/dev/null || \
useradd --uid 163 -r -g keystone -d %{_sharedstatedir}/keystone -s /sbin/nologin \
-c "OpenStack Keystone Daemons" keystone
exit 0
# WRS: disable testr
#%check
# don't want to depend on hacking for package building
#rm keystone/tests/unit/test_hacking_checks.py
#%{__python2} setup.py testr
%post
%tmpfiles_create %{_tmpfilesdir}/keystone.conf
%systemd_post openstack-keystone.service
%sysctl_apply openstack-keystone.conf
%preun
%systemd_preun openstack-keystone.service
%postun
%systemd_postun_with_restart openstack-keystone.service
%files
%license LICENSE
%doc README.rst
%{_mandir}/man1/keystone*.1.gz
%{_bindir}/keystone-wsgi-admin
%{_bindir}/keystone-wsgi-public
%{_bindir}/keystone-manage
# WRS: add keystone-all as part of newton rebase
%{_bindir}/keystone-all
# WRS: add Keystone fernet keys cron job
%{_bindir}/keystone-fernet-keys-rotate-active
%_tmpfilesdir/keystone.conf
%dir %{_datadir}/keystone
%attr(0644, root, keystone) %{_datadir}/keystone/policy.v3cloudsample.json
%attr(0755, root, root) %{_datadir}/keystone/sample_data.sh
%attr(0644, root, keystone) %{_datadir}/keystone/wsgi-keystone.conf
# WRS: add openstack-keystone sysVinit script
%{_unitdir}/openstack-keystone.service
%dir %attr(0750, root, keystone) %{_sysconfdir}/keystone
%dir %attr(0750, root, keystone) %{_sysconfdir}/keystone/keystone.conf.d/
%config(noreplace) %attr(0640, root, keystone) %{_sysconfdir}/keystone/keystone.conf
%config(noreplace) %attr(0640, root, keystone) %{_sysconfdir}/keystone/keystone.conf.d/010-keystone.conf
%config(noreplace) %attr(0640, root, keystone) %{_sysconfdir}/keystone/keystone-paste.ini
%config(noreplace) %attr(0640, root, keystone) %{_sysconfdir}/keystone/logging.conf
%config(noreplace) %attr(0640, root, keystone) %{_sysconfdir}/keystone/default_catalog.templates
%config(noreplace) %attr(0640, keystone, keystone) %{_sysconfdir}/keystone/keystone.policy.yaml
%config(noreplace) %attr(0640, keystone, keystone) %{_sysconfdir}/keystone/sso_callback_template.html
# WRS: add password rules configuration
%attr(0440, root, keystone) %{_sysconfdir}/keystone/password-rules.conf
# WRS: log rotate not needed
#%config(noreplace) %{_sysconfdir}/logrotate.d/openstack-keystone
%dir %attr(0755, %{keystone}, %{keystone}) %{_localstatedir}/lib/keystone
%dir %attr(0750, %{keystone}, %{keystone}) %{_localstatedir}/log/keystone
%dir %attr(0750, %{keystone}, %{keystone}) %{_localstatedir}/cache/keystone
%{_sysconfdir}/sysctl.d/openstack-keystone.conf
%files -n python-keystone
%{_datarootdir}/keystone/public*.py*
%defattr(-,root,root,-)
%doc README.rst
%license LICENSE
%{python2_sitelib}/keystone
%{python2_sitelib}/keystone-*.egg-info
%files doc
%license LICENSE
%doc doc/build/html
%package wheels
Summary: %{name} wheels
%description wheels
Contains python wheels for %{name}
%files wheels
/wheels/*
%changelog


@ -0,0 +1,143 @@
From dfe0978f6590818487bb9fc5e9b8156e77a25590 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Mon, 8 Apr 2019 15:25:28 -0400
Subject: [PATCH 1/1] Rebasing Keyring integration
---
keystone/exception.py | 6 ++++++
keystone/identity/core.py | 50 +++++++++++++++++++++++++++++++++++++++++++++++
requirements.txt | 1 +
3 files changed, 57 insertions(+)
diff --git a/keystone/exception.py b/keystone/exception.py
index b85878b..56601ce 100644
--- a/keystone/exception.py
+++ b/keystone/exception.py
@@ -224,6 +224,12 @@ class ApplicationCredentialLimitExceeded(ForbiddenNotSecurity):
"maximum of %(limit)d already exceeded for user.")
+class WRSForbiddenAction(Error):
+ message_format = _("That action is not permitted")
+ code = 403
+ title = 'Forbidden'
+
+
class SecurityError(Error):
"""Security error exception.
diff --git a/keystone/identity/core.py b/keystone/identity/core.py
index ed43e76..da7e7ba 100644
--- a/keystone/identity/core.py
+++ b/keystone/identity/core.py
@@ -17,6 +17,7 @@
import copy
import functools
import itertools
+import keyring
import operator
import os
import threading
@@ -54,6 +55,7 @@ MEMOIZE_ID_MAPPING = cache.get_memoization_decorator(group='identity',
DOMAIN_CONF_FHEAD = 'keystone.'
DOMAIN_CONF_FTAIL = '.conf'
+KEYRING_CGCS_SERVICE = "CGCS"
# The number of times we will attempt to register a domain to use the SQL
# driver, if we find that another process is in the middle of registering or
@@ -1069,6 +1071,26 @@ class Manager(manager.Manager):
if new_ref['domain_id'] != orig_ref['domain_id']:
raise exception.ValidationError(_('Cannot change Domain ID'))
+ def _update_keyring_password(self, user, new_password):
+ """Update user password in Keyring backend.
+ This method Looks up user entries in Keyring backend
+ and accordingly update the corresponding user password.
+ :param user : keyring user struct
+ :param new_password : new password to set
+ """
+ if (new_password is not None) and ('name' in user):
+ try:
+ # only update if an entry exists
+ if (keyring.get_password(KEYRING_CGCS_SERVICE, user['name'])):
+ keyring.set_password(KEYRING_CGCS_SERVICE,
+ user['name'], new_password)
+ except (keyring.errors.PasswordSetError, RuntimeError):
+ msg = ('Failed to Update Keyring Password for the user %s')
+ LOG.warning(msg, user['name'])
+ # only raise an exception if this is the admin user
+ if (user['name'] == 'admin'):
+ raise exception.WRSForbiddenAction(msg % user['name'])
+
@domains_configured
@exception_translated('user')
def update_user(self, user_id, user_ref, initiator=None):
@@ -1113,6 +1135,13 @@ class Manager(manager.Manager):
)
notifications.invalidate_token_cache_notification(reason)
+ # Certain local Keystone users are stored in Keystone as opposed
+ # to the default SQL Identity backend, such as the admin user.
+ # When its password is updated, we need to update Keyring as well
+ # as certain services retrieve this user context from Keyring and
+ # will get auth failures
+ if ('password' in user) and ('name' in ref):
+ self._update_keyring_password(ref, user['password'])
return self._set_domain_id_and_mapping(
ref, domain_id, driver, mapping.EntityType.USER)
@@ -1128,6 +1157,7 @@ class Manager(manager.Manager):
hints.add_filter('user_id', user_id)
fed_users = PROVIDERS.shadow_users_api.list_federated_users_info(hints)
+ username = user_old.get('name', "")
driver.delete_user(entity_id)
PROVIDERS.assignment_api.delete_user_assignments(user_id)
self.get_user.invalidate(self, user_id)
@@ -1141,6 +1171,18 @@ class Manager(manager.Manager):
PROVIDERS.credential_api.delete_credentials_for_user(user_id)
PROVIDERS.id_mapping_api.delete_id_mapping(user_id)
+
+ # Delete the keyring entry associated with this user (if present)
+ try:
+ keyring.delete_password(KEYRING_CGCS_SERVICE, username)
+ except keyring.errors.PasswordDeleteError:
+ LOG.warning(('delete_user: PasswordDeleteError for %s'),
+ username)
+ pass
+ except exception.UserNotFound:
+ LOG.warning(('delete_user: UserNotFound for %s'),
+ username)
+ pass
notifications.Audit.deleted(self._USER, user_id, initiator)
# Invalidate user role assignments cache region, as it may be caching
@@ -1390,6 +1432,14 @@ class Manager(manager.Manager):
notifications.Audit.updated(self._USER, user_id, initiator)
self._persist_revocation_event_for_user(user_id)
+ user = self.get_user(user_id)
+ # Update Keyring password for the 'user' if it
+ # has an entry in Keyring
+ if (original_password) and ('name' in user):
+ # Change the 'user' password in keyring, provided the user
+ # has an entry in Keyring backend
+ self._update_keyring_password(user, new_password)
+
@MEMOIZE
def _shadow_nonlocal_user(self, user):
try:
diff --git a/requirements.txt b/requirements.txt
index e3de1c6..e6d3536 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -42,3 +42,4 @@ pycadf!=2.0.0,>=1.1.0 # Apache-2.0
msgpack>=0.5.0 # Apache-2.0
osprofiler>=1.4.0 # Apache-2.0
pytz>=2013.6 # MIT
+keyring>=5.3
--
1.8.3.1
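Review bot: In the delete_user hunks of keystone/identity/core.py, `keyring.delete_password` runs after `driver.delete_user` but before `notifications.Audit.deleted`, and only `PasswordDeleteError` and `UserNotFound` are caught, so any other failure from the keyring backend would abort the call with the user already removed and no deletion audit event emitted. `_update_keyring_password` in the same patch already anticipates `RuntimeError`, so the handler here could match it with `except (keyring.errors.PasswordDeleteError, RuntimeError):`, or the keyring cleanup could move below the audit notification. `username` defaults to `""` when the old record has no name, so an `if username:` guard would avoid a keyring lookup for an empty account name. The two `pass` statements after `LOG.warning` are redundant. The enclosing method starts and ends outside the hunks.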


@ -0,0 +1 @@
mirror:Source/openstack-keystone-15.0.0-0.2.0rc2.el7.src.rpm


@ -1,7 +0,0 @@
BUILDER=loci
LABEL=stx-keystone
PROJECT=keystone
PROJECT_REPO=https://github.com/openstack/keystone.git
PIP_PACKAGES="python-openstackclient ldap ldappool python-ldap pylint"
PROFILES="fluent apache"


@ -1 +0,0 @@
TIS_PATCH_VER=1


@ -1,35 +0,0 @@
commit fd40ac6be0cb4e0dcc8295e9f9673fa5970e0035
Author: Shoaib Nasir <shoaib.nasir@windriver.com>
Date: Wed Feb 14 17:00:55 2018 -0500
0001-update-package-versioning-for-TIS-format
diff --git a/SPECS/python-keystonemiddleware.spec b/SPECS/python-keystonemiddleware.spec
index 8ccc7b4..63e83d2 100644
--- a/SPECS/python-keystonemiddleware.spec
+++ b/SPECS/python-keystonemiddleware.spec
@@ -9,7 +9,7 @@
Name: python-%{sname}
Version: 4.17.0
-Release: 1%{?dist}
+Release: 1.el7%{?_tis_dist}.%{tis_patch_ver}
Summary: Middleware for OpenStack Identity
License: ASL 2.0
@@ -133,6 +133,7 @@ rm -rf %{sname}.egg-info
sed -i 's/^warning-is-error.*/warning-is-error = 0/g' setup.cfg
%build
+export PBR_VERSION=%{version}
%py2_build
%if 0%{?with_python3}
%py3_build
@@ -147,6 +148,7 @@ rm -rf doc/build/html/.{doctrees,buildinfo}
%install
+export PBR_VERSION=%{version}
%if 0%{?with_python3}
%py3_install
# Delete tests


@ -1,21 +0,0 @@
commit 5ba75388d3394c3016570a4e68fb79aebd18bf31
Author: Shoaib Nasir <shoaib.nasir@windriver.com>
Date: Wed Feb 14 19:01:00 2018 -0500
WRS: 0002-Upstream-gnnochi-panko-fix
diff --git a/SPECS/python-keystonemiddleware.spec b/SPECS/python-keystonemiddleware.spec
index 63e83d2..cb3c9c9 100644
--- a/SPECS/python-keystonemiddleware.spec
+++ b/SPECS/python-keystonemiddleware.spec
@@ -15,6 +15,10 @@ Summary: Middleware for OpenStack Identity
License: ASL 2.0
URL: http://launchpad.net/keystonemiddleware
Source0: https://tarballs.openstack.org/%{sname}/%{sname}-%{version}.tar.gz
+
+# WRS
+Patch0001: 0001-Upstream-gnnochi-panko-fix.patch
+
BuildArch: noarch


@ -1,2 +0,0 @@
0001-update-package-versioning-for-TIS-format.patch
0002-Upstream-gnnochi-panko-fix.patch


@ -1,70 +0,0 @@
commit c475ceb3658309e5c24bae2423e2ec1b125531d8
Author: rpm-build <rpm-build>
Date: Wed Feb 14 18:41:21 2018 -0500
0002-Upstream-gnocchi-panko-bug
Expect paste.deploy and gnocchi/panko options
The authtoken middleware has been printing warning log messages to
the API logs for all services, reporting unexpected conf keys. This
was traced back to paste.deploy adding 'here' and '__file__' and
both gnocchi and panko adding 'configkey' keys in wsgi apps though
these do not actually exist in the conf file. This change allows
for those keys without printing a warning that unnecessarily
confuses operators.
But it's kind of a hack, especially the configkey bit. We shouldn't
have to know about gnocchi/panko specifics like this. And it doesn't
address the comment in the bug about what is seen for ironic. So I
think there will still be more to do here.
Change-Id: I678482309c7dd35ce147bebf13ebefc84251fe91
Partial-Bug: 1722444
Signed-of-by: Shoaib Nasir <shoaib.nasir@windriver.com>
#enter the commit message for your changes. Lines starting
diff --git a/keystonemiddleware/_common/config.py b/keystonemiddleware/_common/config.py
index 3e38eba..de701b0 100644
--- a/keystonemiddleware/_common/config.py
+++ b/keystonemiddleware/_common/config.py
@@ -49,17 +49,18 @@ def _conf_values_type_convert(group_name, all_options, conf):
for k, v in conf.items():
dest = k
try:
- if v is not None:
+ # 'here' and '__file__' come from paste.deploy
+ # 'configkey' is added by panko and gnocchi
+ if v is not None and k not in ['here', '__file__', 'configkey']:
type_, dest = opt_types[k]
v = type_(v)
except KeyError: # nosec
- # This option is not known to auth_token. v is not converted.
_LOG.warning(
- 'The option "%s" in conf is not known to auth_token', k)
+ 'The option "%s" is not known to keystonemiddleware', k)
except ValueError as e:
raise exceptions.ConfigurationError(
- _('Unable to convert the value of %(key)s option into correct '
- 'type: %(ex)s') % {'key': k, 'ex': e})
+ _('Unable to convert the value of option "%(key)s" into '
+ 'correct type: %(ex)s') % {'key': k, 'ex': e})
opts[dest] = v
return opts
diff --git a/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py b/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py
index 6c66aee..b3aa8ff 100644
--- a/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py
+++ b/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py
@@ -495,7 +495,7 @@ class GeneralAuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
conf = {
'wrong_key': '123'
}
- log = 'The option "wrong_key" in conf is not known to auth_token'
+ log = 'The option "wrong_key" is not known to keystonemiddleware'
auth_token.AuthProtocol(self.fake_app, conf)
self.assertThat(self.logger.output, matchers.Contains(log))


@ -1 +0,0 @@
mirror:Source/python-keystonemiddleware-4.17.0-1.el7.src.rpm


@ -0,0 +1,25 @@
From 1ca217ce27dbb37c131476d0abf32b9deefa80a4 Mon Sep 17 00:00:00 2001
From: Tyler Smith <tyler.smith@windriver.com>
Date: Wed, 17 Apr 2019 15:56:33 -0400
Subject: [PATCH 1/1] turning off doc building
---
SPECS/python-oslo-messaging.spec | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/SPECS/python-oslo-messaging.spec b/SPECS/python-oslo-messaging.spec
index c1f7400..c2aff2c 100644
--- a/SPECS/python-oslo-messaging.spec
+++ b/SPECS/python-oslo-messaging.spec
@@ -2,7 +2,7 @@
%if 0%{?fedora} >= 24
%global with_python3 1
%endif
-%global with_doc 1
+%global with_doc 0
#guard for including python-pyngus (OSP 12 does not ship python-pyngus)
%global rhosp 0
--
1.8.3.1


@ -2,3 +2,4 @@ update-package-versioning-for-tis-format.patch
spec-rabbit-increase-heartbeat-rate-to-decrease-polling-interval.patch
fix-pifpaf-build-error.patch
0004-disable-check-on-build.patch
0005-turning-off-doc-building.patch


@ -1 +0,0 @@
TIS_PATCH_VER=2


@ -1,2 +0,0 @@
update-package-versioning-for-tis-format.patch
spec-loopingcall-permit-aborting-while-sleeping.patch


@ -1,27 +0,0 @@
From e6daf4d7dbe603e82a267d6d99a454453b902f68 Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 14:42:44 -0400
Subject: [PATCH] WRS: spec-loopingcall-permit-aborting-while-sleeping.patch
---
SPECS/python-oslo-service.spec | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/SPECS/python-oslo-service.spec b/SPECS/python-oslo-service.spec
index 658bb42..5ff8f34 100644
--- a/SPECS/python-oslo-service.spec
+++ b/SPECS/python-oslo-service.spec
@@ -14,6 +14,10 @@ Summary: Oslo service library
License: ASL 2.0
URL: http://launchpad.net/oslo
Source0: https://tarballs.openstack.org/%{pypi_name}/%{pypi_name}-%{upstream_version}.tar.gz
+
+# WRS
+Patch0001: loopingcall-permit-aborting-while-sleeping.patch
+
BuildArch: noarch
%package -n python2-%{pname}
--
2.7.4


@ -1,27 +0,0 @@
From 7081d0aaaf782a19251d9e43b543c99c93ab218d Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 14:42:44 -0400
Subject: [PATCH 1/2] WRS: update-package-versioning-for-tis-format.patch
Conflicts:
SPECS/python-oslo-service.spec
---
SPECS/python-oslo-service.spec | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/SPECS/python-oslo-service.spec b/SPECS/python-oslo-service.spec
index d95f88e..658bb42 100644
--- a/SPECS/python-oslo-service.spec
+++ b/SPECS/python-oslo-service.spec
@@ -8,7 +8,7 @@
Name: python-%{pname}
Version: 1.25.1
-Release: 1%{?dist}
+Release: 1.el7%{?_tis_dist}.%{tis_patch_ver}
Summary: Oslo service library
License: ASL 2.0
--
2.7.4


@ -1,177 +0,0 @@
From a4de48a129ff6526ae19533af76730c4707d8a53 Mon Sep 17 00:00:00 2001
From: Allain Legacy <allain.legacy@windriver.com>
Date: Wed, 31 May 2017 16:18:19 -0400
Subject: [PATCH] Permit aborting loopingcall while sleeping
Some of the openstack services implement worker tasks that are based on
the oslo-service LoopingCallBase objects. They do this as a way to have
a task that runs periodically as a greenthread within a child worker
process. For example, the neutron-server runs AgentStatusCheckWorker()
objects as base service workers in its child worker processes.
When the parent server process handles a SIGTERM signal it attempts to
stop all services launched on each of the child worker processes (i.e.,
ProcessLauncher.stop()). That results in a stop() being called on each
of the underlying base services and then a wait() to ensure that they
complete before shutdown.
If any service that is implemented on a LoopingCallBase related object
is suspended on a greenthread.sleep() the previous call to stop() will
have no effect and so the wait() will block until the sleep() finishes.
For tasks that either have a frequent FixedLoopingBase interface or a
short initial_delay this may not be a problem, but for those with a long
delay this could mean that the wait() blocks for minutes before the
process is allowed to shutdown.
To solve this the LoopingCallBase calls to greenthread.sleep() are being
replaced with a threading.Event() object's wait() method. This allows a
caller of stop() to interrupt the sleep and expedite the shutdown.
Closes-Bug: #1660210
Change-Id: I5835f9595826df5349e4cc8b1da8529bb960ee04
Signed-off-by: Allain Legacy <allain.legacy@windriver.com>
---
oslo_service/loopingcall.py | 19 +++++++++++++------
oslo_service/tests/test_loopingcall.py | 14 +++++++-------
2 files changed, 20 insertions(+), 13 deletions(-)
diff --git a/oslo_service/loopingcall.py b/oslo_service/loopingcall.py
index 1747fda..ee2813d 100644
--- a/oslo_service/loopingcall.py
+++ b/oslo_service/loopingcall.py
@@ -18,6 +18,7 @@
import random
import sys
import time
+import threading
from eventlet import event
from eventlet import greenthread
@@ -85,19 +86,25 @@ class LoopingCallBase(object):
self.args = args
self.kw = kw
self.f = f
- self._running = False
self._thread = None
self.done = None
+ self.abort = threading.Event()
+
+ @property
+ def _running(self):
+ return not self.abort.is_set()
def stop(self):
- self._running = False
+ self.abort.set()
def wait(self):
return self.done.wait()
def _on_done(self, gt, *args, **kwargs):
self._thread = None
- self._running = False
+
+ def _sleep(self, timeout):
+ return self.abort.wait(timeout)
def _start(self, idle_for, initial_delay=None, stop_on_exception=True):
"""Start the looping
@@ -114,8 +121,8 @@ class LoopingCallBase(object):
"""
if self._thread is not None:
raise RuntimeError(self._RUN_ONLY_ONE_MESSAGE)
- self._running = True
self.done = event.Event()
+ self.abort.clear()
self._thread = greenthread.spawn(
self._run_loop, idle_for,
initial_delay=initial_delay, stop_on_exception=stop_on_exception)
@@ -129,7 +136,7 @@ class LoopingCallBase(object):
func = self.f if stop_on_exception else _safe_wrapper(self.f, kind,
func_name)
if initial_delay:
- greenthread.sleep(initial_delay)
+ self._sleep(initial_delay)
try:
watch = timeutils.StopWatch()
while self._running:
@@ -143,7 +150,7 @@ class LoopingCallBase(object):
'for %(idle).02f seconds',
{'func_name': func_name, 'idle': idle,
'kind': kind})
- greenthread.sleep(idle)
+ self._sleep(idle)
except LoopingCallDone as e:
self.done.send(e.retvalue)
except Exception:
diff --git a/oslo_service/tests/test_loopingcall.py b/oslo_service/tests/test_loopingcall.py
index 7ac8025..218e9d1 100644
--- a/oslo_service/tests/test_loopingcall.py
+++ b/oslo_service/tests/test_loopingcall.py
@@ -285,7 +285,7 @@ class DynamicLoopingCallTestCase(test_base.BaseTestCase):
else:
self.num_runs = self.num_runs - 1
- @mock.patch('eventlet.greenthread.sleep')
+ @mock.patch('oslo_service.loopingcall.LoopingCallBase._sleep')
def test_timeout_task_without_return(self, sleep_mock):
self.num_runs = 1
timer = loopingcall.DynamicLoopingCall(
@@ -294,7 +294,7 @@ class DynamicLoopingCallTestCase(test_base.BaseTestCase):
timer.start(periodic_interval_max=5).wait()
sleep_mock.assert_has_calls([mock.call(5)])
- @mock.patch('eventlet.greenthread.sleep')
+ @mock.patch('oslo_service.loopingcall.LoopingCallBase._sleep')
def test_interval_adjustment(self, sleep_mock):
self.num_runs = 2
@@ -303,7 +303,7 @@ class DynamicLoopingCallTestCase(test_base.BaseTestCase):
sleep_mock.assert_has_calls([mock.call(5), mock.call(1)])
- @mock.patch('eventlet.greenthread.sleep')
+ @mock.patch('oslo_service.loopingcall.LoopingCallBase._sleep')
def test_initial_delay(self, sleep_mock):
self.num_runs = 1
@@ -315,7 +315,7 @@ class DynamicLoopingCallTestCase(test_base.BaseTestCase):
class TestBackOffLoopingCall(test_base.BaseTestCase):
@mock.patch('random.SystemRandom.gauss')
- @mock.patch('eventlet.greenthread.sleep')
+ @mock.patch('oslo_service.loopingcall.LoopingCallBase._sleep')
def test_exponential_backoff(self, sleep_mock, random_mock):
def false():
return False
@@ -366,7 +366,7 @@ class TestBackOffLoopingCall(test_base.BaseTestCase):
self.assertEqual(expected_times, sleep_mock.call_args_list)
@mock.patch('random.SystemRandom.gauss')
- @mock.patch('eventlet.greenthread.sleep')
+ @mock.patch('oslo_service.loopingcall.LoopingCallBase._sleep')
def test_no_backoff(self, sleep_mock, random_mock):
random_mock.return_value = 1
func = mock.Mock()
@@ -381,7 +381,7 @@ class TestBackOffLoopingCall(test_base.BaseTestCase):
self.assertTrue(retvalue, 'return value')
@mock.patch('random.SystemRandom.gauss')
- @mock.patch('eventlet.greenthread.sleep')
+ @mock.patch('oslo_service.loopingcall.LoopingCallBase._sleep')
def test_no_sleep(self, sleep_mock, random_mock):
# Any call that executes properly the first time shouldn't sleep
random_mock.return_value = 1
@@ -394,7 +394,7 @@ class TestBackOffLoopingCall(test_base.BaseTestCase):
self.assertTrue(retvalue, 'return value')
@mock.patch('random.SystemRandom.gauss')
- @mock.patch('eventlet.greenthread.sleep')
+ @mock.patch('oslo_service.loopingcall.LoopingCallBase._sleep')
def test_max_interval(self, sleep_mock, random_mock):
def false():
return False
--
2.7.4


@ -1 +0,0 @@
mirror:Source/python-oslo-service-1.25.1-1.el7.src.rpm