This refactors resource dependencies to improve the following points.
- Avoid unnecessary dependencies across services. For example aodh
service does not require cinder db.
- Restart only api service when config files like paste.ini, which
are used only be api service is changed.
Change-Id: If2cbbc392bd54d906c7a4f51f1c7cfca69463aaf
The password parameter is not really optional. This makes it
a required parameter to give more sensible validation error.
Change-Id: I879e4c6cb072892a2e143702c876b22dc9ae526e
This change is the first step to support secure RBAC and allows usage
of system scope credentials for Keystone API request.
This change covers the following two items.
- assignment of system scope roles to system user
- credential parameters for authtoken middleware
Depends-on: https://review.opendev.org/804325
Change-Id: Id0ba4c95005d148477a313f0aa5edddc3c681e15
This change adds the 'params' hash in authtoken class, to implement
the same functionality as the one recently introduced into
puppet-nova[1].
[1] 5c38281e1b698f157f03bf1815733277c541c30b
Change-Id: I8708bd573340107b3e974a3c6ef3a80b528628f5
This patch adds support for [keystone_authtoken] interface parameter,
so that operators can define which endpoint should be used by authtoken
middleware.
Change-Id: I494c1e25c98a57b78c779bcd0bf30c92fe70ff0a
This patch introduces a new hieradata to configure service_token_roles
in keystone authtoken middleware configuration, so that we can use
a customized role for user who uses service token feature.
Change-Id: Iad16376047628bd16470dd4fd17fd260b927aa6c
The deprecated pki related options check_revocations_for_cached and
hash_algorithms option has been removed.
Change-Id: I99d92bbc92f5801fae4332b3daf546be2e7c196d
Service_token_roles_required missing in the server config file which
allows backwards compatibility to ensure that the service tokens are
compared against a list of possible roles for validity.
Change-Id: I83d3b7ef866e2fb576edb866e60121a0789ef14d
Closes-Bug: 1778198
check_revocations_for_cached and hash_algorithms are deprecated for
removel because of PKI token format is no longer supported.
Update warning message and add a release note.
Change-Id: I6d7b74c6a21943953f8de5dd0ed0ec59835cd05d
Closes-Bug: #1804562
Closes-Bug: #1804720
Now that the v2.0 API has been removed, we don't have a reason to
include deployment instructions for two separate applications on
different ports.
Change-Id: I3546eb7cd596ae7a0894d42961d183ef842f7cb4
Option auth_uri from group keystone_authtoken is deprecated[1].
Use option www_authenticate_uri from group keystone_authtoken.
[1]https://review.openstack.org/#/c/508522/
Change-Id: Ie9c4c339374af50f5d1a8b3dbf6bf632c5bf06ef
Depends-On: I4c82a63baabd6b9304b302c97cd751a0103d8316
Closes-Bug: #1759098
Keystone v2 api's are removed in [1], so it's required
to set user_domain_name and project_domain_name otherwise
all requests fallbacks to keystone v2.0 and fails.
[1] https://review.openstack.org/#/c/499783/
Change-Id: If52cd4cea4d3fceb7e272366d20276a209b4dc5b
Closes-Bug: #1723838
The revocation_cache_time is deprecated for removel because of PKI
token format is no longer supported.
Update warning message and add a release note.
Change-Id: I899960c95b068858568155539aa0fa48bed99200
Closes-Bug: #1717144
The python-memcache package is required if using memcached. By
default the package is not installed and the define has it set to
false. This change allows managing the python-memcache package
install from the authtoken class.
Change-Id: I644d57b938497c374cb6f08a894fe21fab10eb41
The signing_dir is deprecated for removel because of PKI token format
is no longer supported.
Update warning message and release note.
Change-Id: I902f75a284a571360aa859f76d8602cd8a177720
Closes-Bug: #1652700
This adds defined anchor points for external modules to hook into the
software install, config and service dependency chain. This allows
external modules to manage software installation (virtualenv,
containers, etc) and service management (pacemaker) without needing rely
on resources that may change or be renamed.
Change-Id: If9fa188b7dca47e6724a737d66e34c0c85668c36
Since we are in ocata lets remove all old parameters in api
to configure the keystone_authtoken section
Change-Id: Idd1bc92b6a68e93911042784d9edb366f85547a6
This change updates our previous implementation of the keystone
authtoken setting to use the new designate::keystone::authtoken class to
do the configuration for the api.
Change-Id: Ib2a1d20d4e29353fc139835ce1c010a801506b9c
Closes-Bug: #1604463
Takashi Kajinami