Commit Graph

69 Commits

Author SHA1 Message Date
Takashi Kajinami d9840e99d0 Refactor resource dependencies
This refactors resource dependencies to improve the following points.

 - Avoid unnecessary dependencies across services. For example aodh
   service does not require cinder db.

 - Restart only the api service when config files like paste.ini, which
   are used only by the api service, are changed.

Change-Id: Iadb8552abf55228729bf5d31795b1e4bbb8b9929
2024-03-01 02:31:36 +09:00
Takashi Kajinami cda67444f9 authtoken: Make password required
The password parameter is not really optional. This makes it
a required parameter to give a more sensible validation error.

Change-Id: I1e7ef82de4f41f79ceeb089dc29de3119c6b01f0
2023-07-12 22:00:38 +09:00
Takashi Kajinami 3021cd9daf replace validate_legacy with proper data types
the validate_legacy function is marked for deprecation in
v9.0.0 from puppetlabs-stdlib.

Depends-on: https://review.opendev.org/c/openstack/puppet-openstacklib/+/885996
Change-Id: I144468b4f5536a48702e457f2a5db879f3ca217a
2023-06-23 09:26:59 +09:00
Takashi Kajinami da45ce8a21 Replace legacy facts and use fact hash
... because the latest lint no longer allows usage of legacy facts and
top scope fact.

Change-Id: Ib395d70d0d528adfef6600f67f9cd6bb238f8206
2023-03-02 11:31:36 +09:00
Takashi Kajinami 6ce889d3f2 Simplify definition to ensure keystone resource creation
Use the whole resource type instead of its individual resources, to
rely on interface instead of implementation of the dependent module.

Change-Id: Ie28adb28dba6f8fd04520b1e5deea30fa66d775b
2022-02-07 00:08:43 +09:00
Takashi Kajinami 525d58d621 Use consistent spelling, OpenStack, instead of Openstack
Change-Id: I5f0320959ecae3ba3724114d91e7f89406f6404f
2022-01-24 16:28:42 +09:00
Takashi Kajinami d3a63122cb Accept system scope credentials for Keystone API request
This change is the first step to support secure RBAC and allows usage
of system scope credentials for Keystone API request.

This change covers the following two items.
 - assignment of system scope roles to system user
 - credential parameters for authtoken middleware

Depends-on: https://review.opendev.org/804325
Change-Id: I1429b2cc6f3c01c07ec26b1a7242e451072be368
2021-11-26 00:59:17 +09:00
Takashi Kajinami b3685e6e13 Use consistent spelling, OpenStack, instead of Openstack
Change-Id: I6ad5fecb4accd51d3de3e9ee2594bf96483c5f63
2021-11-18 14:30:47 +00:00
Takashi Kajinami 79ee6b5c8f Use a 'params' hash for authtoken parameters
This change adds the 'params' hash in authtoken class, to implement
the same functionality as the one recently introduced into
puppet-nova[1].

[1] 5c38281e1b698f157f03bf1815733277c541c30b

Change-Id: I62c36a4521ca9b3c5062d88fe9a7ee55c748fbd3
2021-08-26 22:15:34 +09:00
Zuul 002b814933 Merge "Cleanup redundant default" 2020-10-19 16:58:58 +00:00
Takashi Kajinami 27d6be10ed Cleanup redundant default
This change removes the redundant default value for heat::keystone::auth,
so that a clearer error message is given when the password is not set.

Change-Id: If585a3b6175d9aa2506786d2d158a8261403bd51
2020-10-18 21:43:45 +09:00
Christopher Brown 261f4b1cf6 Add support for the keystone_authtoken/service_type parameter
Change-Id: I2c3a5d3c005963fe490310f6b81619cc85b28cc9
2020-10-18 18:23:41 +10:00
Takashi Kajinami e633bc0ae5 Add support for the interface parameter in authtoken middleware
This patch adds support for [keystone_authtoken] interface parameter,
so that operators can define which endpoint should be used by authtoken
middleware.

Change-Id: I5325bdfbcec13b53b83ac669fb2b91885c370e60
2020-07-08 11:20:39 +09:00
Tobias Urdin 5f6411c3dd Convert all class usage to relative names
Change-Id: I9982b8476ca9dab8a338b66db75d6da6519f9266
2019-12-08 23:07:36 +01:00
Takashi Kajinami 9b4f933b4e Add support to configure service_token_roles in authtoken middleware
Change-Id: Idca4a0285d818b59920a26080bc594268a826b81
2019-09-21 10:21:36 +09:00
ZhongShengping 4656591f71 Remove deprecated pki related options
The deprecated pki related options check_revocations_for_cached and
hash_algorithms have been removed.

Change-Id: I316beed11236a11d4789974da3656196e2795694
2019-08-15 11:51:37 +08:00
Zuul e968b0b8cc Merge "Use validate_legacy" 2019-02-25 19:06:18 +00:00
Tobias Urdin e46b67d242 Use validate_legacy
This changes all the puppet 3 validate_* functions
to use the validate_legacy function.

The validate_legacy function has been available for
about three years but requires Puppet >= 4.4.0, and since
Puppet 4.10.12 is the latest, we should assume people
are running a fairly new Puppet 4 version.

This is the first step to then remove all validate function
calls and use proper types for parameters as described in spec [1].

[1] https://review.openstack.org/#/c/568929/

Change-Id: I422be4bfb6fd6f73f0b24ae9464c5c85689594e1
2019-02-23 14:52:57 +01:00
ZhongShengping 532ab0ec88 Service_token_roles_required missing in the server config file
Service_token_roles_required missing in the server config file which
allows backwards compatibility to ensure that the service tokens are
compared against a list of possible roles for validity.

Change-Id: Ia22d5b59adea42c4f3d0792bf83b92fa0e11b0c5
Closes-Bug: 1778198
2019-02-15 10:03:04 +08:00
ZhongShengping eb98733764 keystone/auth: make service description configurable
This commit adds the service description as a class parameter in order to allow
users to update from a previous version if the service description is changed
(incorrectly spelled or wrong description)

Change-Id: Ibe18499a1ad815ce42f9b64821261fe721d40aff
Closes-Bug: #1468407
2018-12-17 14:22:01 +08:00
ZhongShengping f765eb0b0b Cleanup documentation
Make sure documentation is the same and follow
the standard which we are trying to enforce on
all modules.

Change-Id: I3ec7774580b861371290d0ce3aa257d2aa7a15ab
2018-12-13 17:11:11 +08:00
Tobias Urdin 0c4a5b581a Remove auth_uri
Change-Id: Ia85a124e9893e3e09c6f41d59090a42050e5c8d0
2018-11-29 00:16:54 +01:00
ZhongShengping d8e1123122 Deprecate pki related options
check_revocations_for_cached and hash_algorithms are deprecated for
removal because the PKI token format is no longer supported.
Update warning message and add a release note.

Change-Id: I6ed03f77f4a13bab4593b7669b331fc35a68854c
Closes-Bug: #1804562
Closes-Bug: #1804720
2018-11-23 10:22:42 +08:00
ZhijunWei 016e2634c9 Replace port 35357 with 5000
Now that the v2.0 API has been removed, we don't have a reason to
include deployment instructions for two separate applications on
different ports.

Change-Id: Ia81c354ea593954e79a0779f222208c027fcdede
2018-05-13 15:05:52 +08:00
zhubingbing b8bb27afc9 neat: missing : in $::os_service_default
Change-Id: I0b11fbe6228ca9e11de1d5f0038f48841e5e6c26
2018-05-11 14:02:39 +08:00
ZhongShengping cea5d3c5b6 Deprecate auth_uri option
Option auth_uri from group keystone_authtoken is deprecated[1].
Use option www_authenticate_uri from group keystone_authtoken.

[1] https://review.openstack.org/#/c/508522/

Change-Id: I680e8060f6a8bf3befd4aa5d39f2b01ddeb5e859
Depends-On: I4c82a63baabd6b9304b302c97cd751a0103d8316
Closes-Bug: #1759098
2018-04-03 16:55:01 +08:00
ZhongShengping e3da95861d Remove deprecated keystone authtoken revocation_cache_time option
Change-Id: I30e921ef378ea76dc9fd6bce14fd85f4663fac99
2018-03-27 10:33:21 +08:00
ZhongShengping 3c5f67488d Deprecate revocation_cache_time option
The revocation_cache_time is deprecated for removal because the PKI
token format is no longer supported.
Update warning message and add a release note.

Change-Id: I2c340522a696c3e436404e1b1403d6cf072d56d3
Closes-Bug: #1717144
2017-09-14 11:31:44 +08:00
ZhongShengping 6fde1a69d3 Remove deprecated keystone authtoken signing_dir option
Change-Id: Ie89e4385628cd5bfd0b43d7c00124c25dee17936
2017-07-07 09:59:10 +08:00
Matthew J. Black 12a328d74f Allow python-memcache install from authtoken class
The python-memcache package is required if using memcached. By
default the package is not installed and the define has it set to
false. This change allows managing the python-memcache package
install from the authtoken class.

Change-Id: I3a6f847e4d5ff64e09b664dc58b17db4094c814c
2017-01-11 17:37:45 -05:00
ZhongShengping 0540b5c98f Deprecate signing_dir option
The signing_dir is deprecated for removal because the PKI token format
is no longer supported.
Update warning message and release note.

Change-Id: I42b35c3cadde3bb22463c82e83168addfd4da99f
Closes-Bug: #1652700
2016-12-28 14:00:55 +08:00
Alex Schultz b5b48d9863 Fix heat user dependencies
With the heat::deps implementation, we should ensure that the users are
created before the heat::service::end anchor rather than the service
itself. This can lead to issues when we move the service to httpd and it
is colocated with keystone. Additionally the authtoken class needs to
include the ::heat::deps class.

Change-Id: I0c2b5e0e3671d37fb0450cd25dd6287bebda4dcb
2016-11-23 16:10:37 +00:00
Jenkins 95db61d071 Merge "Remove old authtoken options" 2016-11-21 22:13:36 +00:00
Jenkins 41ccdeb852 Merge "Force domain_password parameter to be defined" 2016-11-19 01:05:56 +00:00
Iury Gregory Melo Ferreira da7bc46203 Remove old authtoken options
Since we are in ocata, let's remove all old parameters in api
to configure the keystone_authtoken section.

Change-Id: I7f18b79b9107baad78129b098246bd9c931420dc
2016-11-16 00:02:12 -03:00
Alex Schultz 08488e3686 Ability to manage domain config separately
This change allows a user of the heat::keystone::domain class to manage
the user creation separately from the user configuration for the heat
services.

Previously one could disable the management of the users but could not
prevent the configuration file from being updated if all they wanted to
do was create the users.

Change-Id: Iab8204d3dfd727149d41ad86616a8f95a6f720dc
2016-11-03 08:52:12 -06:00
Emilien Macchi a1f3dfe6a9 Force domain_password parameter to be defined
Having a default value for a password is not acceptable for security
purposes.  We should unset the default value so we make sure the catalog fails
if no value is set.  It forces our users to set a value and stops
opening a security problem.

Change-Id: I41b974f6ece39743bfc2ad922b2f0dad20aec469
2016-11-02 10:46:33 -04:00
Iury Gregory Melo Ferreira 85b55571b8 Move Heat to authtoken
Switch keystone_authtoken parameters for the new class
heat::keystone::authtoken to configure the keystone_authtoken section
in heat.conf.

Some deprecations:
- heat::auth_uri is deprecated in favor of
  heat::keystone::authtoken::auth_uri.
- heat::identity_uri is deprecated in favor of
  heat::keystone::authtoken::auth_url.
- heat::auth_plugin is deprecated in favor of
  heat::keystone::authtoken::auth_type.
- heat::keystone_user is deprecated in favor of
  heat::keystone::authtoken::username.
- heat::keystone_tenant is deprecated in favor of
  heat::keystone::authtoken::project_name.
- heat::keystone_password is deprecated in favor of
  heat::keystone::authtoken::password.
- heat::keystone_user_domain_name is deprecated in favor of
  heat::keystone::authtoken::user_domain_name.
- heat::keystone_user_domain_id is deprecated, use the name option.
- heat::keystone_project_domain_name is deprecated in favor of
  heat::keystone::authtoken::project_domain_name.
- heat::keystone_project_domain_id is deprecated, use the name option.
- heat::memcached_servers is deprecated in favor of
  heat::keystone::authtoken::memcached_servers.

Change-Id: I466558e98176f20743271191df64dc327f0efcc6
Closes-bug: #1604463
2016-08-25 18:08:22 -03:00
Venkata Mahesh Jonnalagadda 6f16641c4e Provide default service_name for keystone endpoint
This change updates the heat::keystone::auth class to include a default
service_name of 'heat' so that if a user changes the auth_name, the
service is still created as being related to 'heat'. This improves the
user experience when they want to customize the usernames for services.

Closes-Bug: #1590040

Change-Id: Iee47e78dbeb269e5fe6c52030de378c13e51c1f3
2016-06-10 06:45:40 -04:00
iberezovskiy 3b49812852 Drop all current deprecated parameters for heat
Change-Id: I71ef16d9467230c9430458971266c67ae2def238
2016-04-22 14:45:22 +03:00
Simon Leinen d696384909 Fix email and auth_name defaults in header
The header had different values ("heat" rather than "heat-cfn") for
these than the code.  This change fixes it by adapting the
documentation (header) to the reality of the code.

Change-Id: I92b25527b65e954afae36292b0d9140a8b6e4b09
Closes-bug: #1571407
2016-04-17 23:07:51 +02:00
Martin Mágr e7c472d053 Improve heat::keystone::domain
- change resource names so that autorequire works
- allow skipping Keystone resource management

Change-Id: I9078be31f26e454e0686debcefa070721767a581
2015-11-09 12:01:36 +01:00
Clayton O'Neill dca9fe942b Move deps & external hooks into a standalone class
Previously the anchors and dependencies that allow external hooks were
all in the main ::heat class.  However, if you wanted to include just
::heat::db::mysql, then it would fail, since it assumed the main heat
class was included.  This moves all of those resources and relationships
into a new class, ::heat::deps.  All of the classes will now include
this class so that the anchors and deps are always evaluated even if
only a portion of the classes are used, and even if ::heat isn't pulled
in.

Change-Id: I4297df160a7afae2b66c1ac76e37de313fa4fb09
Closes-Bug: #1507934
2015-10-20 09:57:36 -04:00
Gilles Dubreuil f592e646c4 Missing domain in keystone::domain
The domain name wasn't used for the keystone_user_role resource.

This change requires "replace indirection calls" [1].
Both need to be merged at the same time in order to pass CI tests.

[1] https://review.openstack.org/226624

Change-Id: I2a717b06a73af966d6625b4f6ec3254baf7c50a0
Depends-On: I36fabf547fa50fc14d49f491f11cb4a0571f7d31
2015-10-14 09:00:32 +11:00
Matt Fischer bc4e8c0d65 Make the role for heat_stack_user configurable
Before you could configure the role in the config file but not the
keystone role that was created. Now you can do both.

Change-Id: Iea6df1679d3ceef1f0876e65dac06628147c700b
2015-09-29 19:44:53 -06:00
Emilien Macchi 320e93d301 Allow to not manage Keystone domain
When configuring Heat domains, we might want to use the default domain.
However, the default domain might already exist or be managed by
puppet-keystone.
This patch allows disabling its management in puppet-heat, but keeps it
True for backward compatibility so the domain will be managed by
default.

Change-Id: I2e9f2ebb5b12cc33565d74bf955250dcc82bcbb9
2015-09-25 12:26:03 -04:00
Emilien Macchi 1b209d35be Cleanup configure_delegated_roles deprecated parameter
In Kilo, we decided to use ::heat::keystone::auth to manage the
Keystone_role resource to help with Trusts configuration.
Though the configuration was and still remains part of ::heat::engine
class because we assume ::heat::keystone::auth can be run outside the
heat-engine node.

So this patch aims to drop the deprecated parameter, update the
documentation and unit tests.

Change-Id: I045a3a82095e23778c4e878b13f2fc7f561d680e
2015-09-24 07:54:27 -04:00
Jenkins 16b4eca4c9 Merge "Create Heat Domain with Keystone_domain resource" 2015-08-21 03:03:43 +00:00
Jenkins 13fcf95bea Merge "Remove deprecated parameter stack_user_domain" 2015-08-06 10:32:02 +00:00
Martin Mágr b5f0f0de74 Create Heat Domain with Keystone_domain resource
This patch replaces the usage of Exec to create the Heat domain, by
using the Keystone_domain resource recently implemented in
puppet-keystone.

Change-Id: I5abdac6334e535e8be4e4d19223b4e83b7a39db1
2015-07-31 13:34:06 -06:00