This change is the first step to support secure RBAC and allows usage
of system scope credentials for Keystone API requests.
This change covers the following two items.
- assignment of system scope roles to system user
- credential parameters for authtoken middleware
Depends-on: https://review.opendev.org/804325
Change-Id: I1429b2cc6f3c01c07ec26b1a7242e451072be368
The authtoken parameters are not managed directly but managed by
the keystone::resource::authtoken class. Thus we should avoid testing
parameters directly, otherwise any change in the resource type can
cause test failures.
Change-Id: I293c28cc9e7decc2149b44b8f9154f088ebf09db
This change adds the 'params' hash in authtoken class, to implement
the same functionality as the one recently introduced into
puppet-nova[1].
[1] 5c38281e1b698f157f03bf1815733277c541c30b
Change-Id: I62c36a4521ca9b3c5062d88fe9a7ee55c748fbd3
This patch adds support for [keystone_authtoken] interface parameter,
so that operators can define which endpoint should be used by authtoken
middleware.
Change-Id: I5325bdfbcec13b53b83ac669fb2b91885c370e60
Service_token_roles_required is missing in the server config file, which
allows backwards compatibility to ensure that the service tokens are
compared against a list of possible roles for validity.
Change-Id: Ia22d5b59adea42c4f3d0792bf83b92fa0e11b0c5
Closes-Bug: 1778198
check_revocations_for_cached and hash_algorithms are deprecated for
removal because the PKI token format is no longer supported.
Update warning message and add a release note.
Change-Id: I6ed03f77f4a13bab4593b7669b331fc35a68854c
Closes-Bug: #1804562
Closes-Bug: #1804720
Now that the v2.0 API has been removed, we don't have a reason to
include deployment instructions for two separate applications on
different ports.
Change-Id: Ia81c354ea593954e79a0779f222208c027fcdede
Option auth_uri from group keystone_authtoken is deprecated[1].
Use option www_authenticate_uri from group keystone_authtoken.
[1] https://review.openstack.org/#/c/508522/
Change-Id: I680e8060f6a8bf3befd4aa5d39f2b01ddeb5e859
Depends-On: I4c82a63baabd6b9304b302c97cd751a0103d8316
Closes-Bug: #1759098
The revocation_cache_time is deprecated for removal because the PKI
token format is no longer supported.
Update warning message and add a release note.
Change-Id: I2c340522a696c3e436404e1b1403d6cf072d56d3
Closes-Bug: #1717144
The python-memcache package is required if using memcached. By
default the package is not installed and the define has it set to
false. This change allows managing the python-memcache package
install from the authtoken class.
Change-Id: I3a6f847e4d5ff64e09b664dc58b17db4094c814c
The signing_dir is deprecated for removal because the PKI token format
is no longer supported.
Update warning message and release note.
Change-Id: I42b35c3cadde3bb22463c82e83168addfd4da99f
Closes-Bug: #1652700
Switch keystone_authtoken parameters for the new class
heat::keystone::authtoken to configure the keystone_authtoken section
in heat.conf.
Some deprecations:
- heat::auth_uri is deprecated in favor of
  heat::keystone::authtoken::auth_uri.
- heat::identity_uri is deprecated in favor of
  heat::keystone::authtoken::auth_url.
- heat::auth_plugin is deprecated in favor of
  heat::keystone::authtoken::auth_type.
- heat::keystone_user is deprecated in favor of
  heat::keystone::authtoken::username.
- heat::keystone_tenant is deprecated in favor of
  heat::keystone::authtoken::project_name.
- heat::keystone_password is deprecated in favor of
  heat::keystone::authtoken::password.
- heat::keystone_user_domain_name is deprecated in favor of
  heat::keystone::authtoken::user_domain_name.
- heat::keystone_user_domain_id is deprecated, use the name option.
- heat::keystone_project_domain_name is deprecated in favor of
  heat::keystone::authtoken::project_domain_name.
- heat::keystone_project_domain_id is deprecated, use the name option.
- heat::memcached_servers is deprecated in favor of
  heat::keystone::authtoken::memcached_servers.
Change-Id: I466558e98176f20743271191df64dc327f0efcc6
Closes-bug: #1604463