This change is the first step to support secure RBAC and allows usage
of system scope credentials for Keystone API requests.
This change covers the following two items.
- assignment of system scope roles to system user
- credential parameters for authtoken middleware
Depends-on: https://review.opendev.org/804325
Change-Id: Id0ba4c95005d148477a313f0aa5edddc3c681e15
The authtoken parameters are not managed directly but managed by
the keystone::resource::authtoken class. Thus we should avoid testing
parameters directly, otherwise any change in the resource type can
cause test failures.
Change-Id: I4f52c018c1252cff58a144eb542a195ff44664bd
This change adds the 'params' hash in authtoken class, to implement
the same functionality as the one recently introduced into
puppet-nova[1].
[1] 5c38281e1b698f157f03bf1815733277c541c30b
Change-Id: I8708bd573340107b3e974a3c6ef3a80b528628f5
This patch adds support for [keystone_authtoken] interface parameter,
so that operators can define which endpoint should be used by authtoken
middleware.
Change-Id: I494c1e25c98a57b78c779bcd0bf30c92fe70ff0a
This patch introduces a new hieradata to configure service_token_roles
in keystone authtoken middleware configuration, so that we can use
a customized role for a user who uses the service token feature.
Change-Id: Iad16376047628bd16470dd4fd17fd260b927aa6c
Service_token_roles_required is missing in the server config file which
allows backwards compatibility to ensure that the service tokens are
compared against a list of possible roles for validity.
Change-Id: I83d3b7ef866e2fb576edb866e60121a0789ef14d
Closes-Bug: 1778198
check_revocations_for_cached and hash_algorithms are deprecated for
removal because the PKI token format is no longer supported.
Update warning message and add a release note.
Change-Id: I6d7b74c6a21943953f8de5dd0ed0ec59835cd05d
Closes-Bug: #1804562
Closes-Bug: #1804720
Now that the v2.0 API has been removed, we don't have a reason to
include deployment instructions for two separate applications on
different ports.
Change-Id: I3546eb7cd596ae7a0894d42961d183ef842f7cb4
Option auth_uri from group keystone_authtoken is deprecated[1].
Use option www_authenticate_uri from group keystone_authtoken.
[1] https://review.openstack.org/#/c/508522/
Change-Id: Ie9c4c339374af50f5d1a8b3dbf6bf632c5bf06ef
Depends-On: I4c82a63baabd6b9304b302c97cd751a0103d8316
Closes-Bug: #1759098
Keystone v2 APIs are removed in [1], so it's required
to set user_domain_name and project_domain_name, otherwise
all requests fall back to keystone v2.0 and fail.
[1] https://review.openstack.org/#/c/499783/
Change-Id: If52cd4cea4d3fceb7e272366d20276a209b4dc5b
Closes-Bug: #1723838
The revocation_cache_time is deprecated for removal because the PKI
token format is no longer supported.
Update warning message and add a release note.
Change-Id: I899960c95b068858568155539aa0fa48bed99200
Closes-Bug: #1717144
The python-memcache package is required if using memcached. By
default the package is not installed and the define has it set to
false. This change allows managing the python-memcache package
install from the authtoken class.
Change-Id: I644d57b938497c374cb6f08a894fe21fab10eb41
The signing_dir is deprecated for removal because the PKI token format
is no longer supported.
Update warning message and release note.
Change-Id: I902f75a284a571360aa859f76d8602cd8a177720
Closes-Bug: #1652700
This change updates our previous implementation of the keystone
authtoken setting to use the new designate::keystone::authtoken class to
do the configuration for the api.
Change-Id: Ib2a1d20d4e29353fc139835ce1c010a801506b9c
Closes-Bug: #1604463