This refactors resource dependencies to improve the following points.
- Avoid unnecessary dependencies across services. For example aodh
service does not require cinder db.
- Restart only api service when config files like paste.ini, which
are used only be api service is changed.
Change-Id: If2cbbc392bd54d906c7a4f51f1c7cfca69463aaf
The password parameter is not really optional. This makes it
a required parameter to give more sensible validation error.
Change-Id: I879e4c6cb072892a2e143702c876b22dc9ae526e
Use the whole resource type instead of its individual resources, to
rely on interface instead of implementation of the dependent module.
Change-Id: If969163b4b1df813341569ca7c626a35253cefd5
This change is the first step to support secure RBAC and allows usage
of system scope credentials for Keystone API request.
This change covers the following two items.
- assignment of system scope roles to system user
- credential parameters for authtoken middleware
Depends-on: https://review.opendev.org/804325
Change-Id: Id0ba4c95005d148477a313f0aa5edddc3c681e15
This change adds the 'params' hash in authtoken class, to implement
the same functionality as the one recently introduced into
puppet-nova[1].
[1] 5c38281e1b698f157f03bf1815733277c541c30b
Change-Id: I8708bd573340107b3e974a3c6ef3a80b528628f5
Designate has already removed its v1 API, so we should deprecate
and remove all parameters for it.
This change also fixes the outdated default value for keystone endpoint
url, which still includes '/v1'.
Change-Id: I645af15a9825ad000fc951d6c8334e715e645c8a
This patch adds support for [keystone_authtoken] interface parameter,
so that operators can define which endpoint should be used by authtoken
middleware.
Change-Id: I494c1e25c98a57b78c779bcd0bf30c92fe70ff0a
This patch introduces a new hieradata to configure service_token_roles
in keystone authtoken middleware configuration, so that we can use
a customized role for user who uses service token feature.
Change-Id: Iad16376047628bd16470dd4fd17fd260b927aa6c
The deprecated pki related options check_revocations_for_cached and
hash_algorithms option has been removed.
Change-Id: I99d92bbc92f5801fae4332b3daf546be2e7c196d
Service_token_roles_required missing in the server config file which
allows backwards compatibility to ensure that the service tokens are
compared against a list of possible roles for validity.
Change-Id: I83d3b7ef866e2fb576edb866e60121a0789ef14d
Closes-Bug: 1778198
Make sure documentation is the same and follow
the standard which we are trying to enforce on
all modules.
Change-Id: I47f55d8e608509ee9f42a00edb7acfe59ca87983
check_revocations_for_cached and hash_algorithms are deprecated for
removel because of PKI token format is no longer supported.
Update warning message and add a release note.
Change-Id: I6d7b74c6a21943953f8de5dd0ed0ec59835cd05d
Closes-Bug: #1804562
Closes-Bug: #1804720
Now that the v2.0 API has been removed, we don't have a reason to
include deployment instructions for two separate applications on
different ports.
Change-Id: I3546eb7cd596ae7a0894d42961d183ef842f7cb4
Option auth_uri from group keystone_authtoken is deprecated[1].
Use option www_authenticate_uri from group keystone_authtoken.
[1]https://review.openstack.org/#/c/508522/
Change-Id: Ie9c4c339374af50f5d1a8b3dbf6bf632c5bf06ef
Depends-On: I4c82a63baabd6b9304b302c97cd751a0103d8316
Closes-Bug: #1759098
Keystone v2 api's are removed in [1], so it's required
to set user_domain_name and project_domain_name otherwise
all requests fallbacks to keystone v2.0 and fails.
[1] https://review.openstack.org/#/c/499783/
Change-Id: If52cd4cea4d3fceb7e272366d20276a209b4dc5b
Closes-Bug: #1723838
The revocation_cache_time is deprecated for removel because of PKI
token format is no longer supported.
Update warning message and add a release note.
Change-Id: I899960c95b068858568155539aa0fa48bed99200
Closes-Bug: #1717144
The python-memcache package is required if using memcached. By
default the package is not installed and the define has it set to
false. This change allows managing the python-memcache package
install from the authtoken class.
Change-Id: I644d57b938497c374cb6f08a894fe21fab10eb41
The signing_dir is deprecated for removel because of PKI token format
is no longer supported.
Update warning message and release note.
Change-Id: I902f75a284a571360aa859f76d8602cd8a177720
Closes-Bug: #1652700
This adds defined anchor points for external modules to hook into the
software install, config and service dependency chain. This allows
external modules to manage software installation (virtualenv,
containers, etc) and service management (pacemaker) without needing rely
on resources that may change or be renamed.
Change-Id: If9fa188b7dca47e6724a737d66e34c0c85668c36
Since we are in ocata lets remove all old parameters in api
to configure the keystone_authtoken section
Change-Id: Idd1bc92b6a68e93911042784d9edb366f85547a6
This change updates our previous implementation of the keystone
authtoken setting to use the new designate::keystone::authtoken class to
do the configuration for the api.
Change-Id: Ib2a1d20d4e29353fc139835ce1c010a801506b9c
Closes-Bug: #1604463
Add configure_user & configure_user_role parameters in auth manifest
and so that users can disable if required. By default, these are
set to true.
And add related tests for disable user & user_role params.
Change-Id: Ic45e636d2b8e6b8c2684389d1d4836900d7e8911
Closes-Bug: #1587859
This change updates the designate::keystone::auth class to include a default
service_name of 'designate' so that if a user changes the auth_name, the
service is still created as being related to 'designate'. This improves the
user experiance when they want to customize the usernames for services.
Closes-bug: #1590040
Change-Id: I58658de33ba90d2f8d6fbc1aaa0099f1ad024aa6
This commit adds the service description as a class parameter in order to allow
users to update from a previous version if the service description is changed
(incorrectly spelled or wrong description)
Closes-Bug: #1468407
Change-Id: Id7bb7c9a26c8e4938ede0f3963303a50668b6e99
This change deprecates the following parameters:
- version (replaced by public/internal/admin_url)
- port (replaced by public/internal/admin_url)
- public_protocol (replaced by public_url)
- public_address (replaced by public_url)
- internal_protocol (replaced by internal_url)
- internal_address (replaced by internal_url)
- admin_protocol (replaced by admin_url)
- admin_address (replaced by admin_url)
Add deprecation warnings if any of those values are provided
while maintaining full backward compatibility.
Change-Id: Iae590b71d5447d19e5e2e64daed49237156e0991
Closes-bug: #1274979
Instead of forcing the name of the service in the service catalog to
match auth_name, this allows the ability to explicitly set the service
name, spearately from auth_name.
If service_name is not specified, it's value defaults to the value
of auth_name (which maintains the current behavior.)
Change-Id: Ibd44ddf46478a19f92c98e721a3fa04804d0d40d
Closes-bug: #1359755
This ensures that all parameters are documented and includes fixes to
existing undocumented parameters or incorrectly formatted docs.
Change-Id: I14c093214e45ad3b14123e16ee8ccf309ba45978
Re-factorise the code of Keystone resources management with backward
compatibility since we don't modify the unit tests.
Change-Id: I83e858765c35c81a381ec6ad407b9ce55305ddcb
Implements: blueprint common-openstack-identity-resource
* Fix designate package name require, openstack-designate is the final
package name, designate-common name is override by params class.
* Remove designate-common dependency on central/sink/api services.
* Fix designate::api/keystone_user default user.
Change-Id: I441565d39ba5d425c6b93db071237a85f1eb4b1f