Commit Graph

335 Commits

Author SHA1 Message Date
Ghanshyam Mann 69d71cfdf9 Option to disable the scope & new defaults enforcement
In this release cycle, a few services are enabling the
enforce scope and new defaults by default. Example Nova:
- https://review.opendev.org/c/openstack/nova/+/866218

Until the new defaults enabled by default are released we
should keep testing the old defaults in existing jobs and we can
add new jobs testing new defaults. To do that we can provide the
way in devstack to keep scope/new defaults disabled by default, which
can be enabled by setting the enforce_scope variable to true.

Once any service releases the new defaults enabled by default then
we can switch the behavior, enable the scope/new defaults by default,
and a single job can disable them to keep testing the old defaults
until the service removes those.

Change-Id: I5c2ec3e1667172a75e06458f16cf3d57947b2c53
2023-01-11 09:45:12 -06:00
Grzegorz Grasza 8615563df4 Global option for enforcing scope (ENFORCE_SCOPE)
This updates each devstack service library, to use it as the
default value for service-specific RBAC configuration.

Change-Id: I41061d042206c411ee3dd94ce91098e612af7ae7
2022-04-26 14:17:20 +02:00
Grzegorz Grasza 5f5002a378 Revert "Revert "Add enforce_scope setting support for keystone""
This reverts commit 26bd94b45e.

Reason for revert: Devstack keystone creation/setup are moved to
scope tokens, so we can reintroduce the scope check enable.

Change-Id: I6e1c261196dbcaf632748fb6f04e0867648b76c7
2022-01-26 15:41:18 +01:00
Zuul a77943f8aa Merge "Remove unnecessary member role assignments from alt_demo" 2021-12-04 18:18:03 +00:00
Zuul 7020daf7fc Merge "Cleanup keystone library" 2021-11-30 17:59:03 +00:00
Takashi Kajinami 65a5db8e33 keystone: Do not set the removed admin_endpoint parameter
The admin_endpoint parameter has been removed from keystone[1], and
setting the parameter is no longer effective.

[1] 192cde56e57a06750641b319da8a72cdcaa554d0

Change-Id: I6ae6a3122668551acc018972624e914fcbb79a22
2021-11-23 12:03:20 +01:00
Lance Bragstad 1d8888dc24 Remove unnecessary member role assignments from alt_demo
This user already has the admin role assignment on a project, which
implies the member role, making explicit calls to add the member role
redundant.

Change-Id: I398c5e2f098aeeb896de83872085cbce529a778a
2021-11-22 21:28:20 +00:00
Lance Bragstad 9c81321bfc Add additional project personas for secure RBAC
This commit formalizes some additional users to act as different project
users and updates clouds.yaml file so they're easy to use.

It creates:

  - a reader on the demo project
  - a reader on the alt_demo project
  - a member on the alt_demo project

With the adoption of secure RBAC personas, these are useful for using
OpenStack APIs as that work continues.

Change-Id: I3237a771275311377313b7d7d80ac059ac69d031
2021-11-13 20:41:43 +01:00
Dr. Jens Harbott 95555ba398 Cleanup keystone library
IDENTITY_API_VERSION is hardcoded to 3 in most locations already, drop
the remaining occurrences, but keep the variable definition since some
plugins still depend on it. Drop ENABLE_IDENTITY_V2 which no longer
has any effect.

Amend variable list for bootstrap_keystone().

Signed-off-by: Dr. Jens Harbott <harbott@osism.tech>
Change-Id: I06f476d2105bc6ec2b511fc5effcfcc3973eaf97
2021-11-10 06:24:15 +01:00
Lance Bragstad 021ae0bcc8 Update lib/keystone to add more system users
Keystone has supported system-scope since Queens and we already make
sure we create a cloud profile for system-admin in
/etc/openstack/clouds.yaml.

This commit ensures keystone creates a couple of new users to model
system-member and system-reader personas. Doing this by default in
devstack makes it easier for people to use.

We've already taken a similar approach in tempest by setting up the
various system personas for tempest clients to use.

Change-Id: Iceb7c5f517db20072e121dc7538abaa888423c67
2021-11-05 10:44:58 +01:00
Jens Harbott b538b3267c Switch off creating a keystone admin endpoint by default
With the depending patch, the endpoint will still be created for
heat tests, so we can turn it off for everyone else.

Depends-On: https://review.opendev.org/c/openstack/openstacksdk/+/777343
Change-Id: I0dc7d6cedd07e942b9f23b26a785b386aff41fbc
2021-10-17 17:44:13 +00:00
Jens Harbott eb37657d8e Make creation of keystone admin endpoint optional
The keystone admin endpoint technically isn't different any longer from
the other keystone endpoints in v3 of the API. However, some
applications like heat are still relying on it to exist.

So we make the creation of the admin endpoint during bootstrap optional
here, with the intention to change the default to False once all jobs
that still need this are modified to explicitly require it.

Change-Id: I7ab12141c558186e397c174c248a613d1810011b
2021-10-17 19:36:46 +02:00
Jens Harbott c2491bac9d Stop creating a keystone admin site
Keystone no longer has any special functionality hidden behind the admin
site. KEYSTONE_AUTH_URI which used to point to the admin site has long
ago been changed to be a copy of KEYSTONE_SERVICE_URI, which points to
the public site.

Drop all KEYSTONE_AUTH_* variables except KEYSTONE_AUTH_URI which may
still be in use in some plugins.

This also allows us to finally drop the fixup_keystone() function.

Change-Id: I549f3cadc27d137e014241cdd47e90267859c848
2021-10-17 17:11:03 +02:00
Ghanshyam 26bd94b45e Revert "Add enforce_scope setting support for keystone"
This reverts commit 9dc2b88eb4.

Reason for revert: The devstack creation/setup pieces are not yet moved to scoped tokens, so we need to wait for that first and then enable the scope check globally.

Change-Id: If0368aca39c1325bf90abd23831118b89e746222
2021-08-10 09:54:01 -05:00
Ghanshyam Mann 9dc2b88eb4 Add enforce_scope setting support for keystone
Keystone-tempest-plugin has implemented the secure RBAC
tests and enables enforce_scope via the keystone devstack
plugin. Doing those settings in devstack will help to manage
them easily and in a central place, and also avoids restarting the API
service.

Change-Id: I30da189474476d3397152a0a15c2e30a62d712ad
2021-03-05 09:32:19 -06:00
Dan Smith 30d9bf9a6d Async task support
We have a *ton* of stuff in devstack that is very linear, specifically
the ten-ish minutes we spend loading osc to run a single API command
against something. We also generate configs, sync databases, and other
things that use one core of our worker and make our runtime longer
than it really needs to be.

The idea in this patch is to make it super simple to run some things
in the background and then wait for them to finish before proceeding
to something that will require them to be done. This avoids the
interleaving you would expect by redirecting the async tasks to a log
file, and then cat'ing that log file synchronously during the wait
operation. The per-task log file remains so it's easier to examine
it in isolation.

Multiple people have reported between 22-30% improvement in the
time it takes to stack with this. More can be done, but what is here
already makes a significant difference.

Change-Id: I270a910b531641b023c13f75dfedca057a1f1031
2021-02-09 15:57:04 -08:00
Abhishek Kekane f8dbfd394a Revert "Drop keystone dedicated ports"
This reverts commit f6286cb586.

This patch is blocking glance as it needs mod_wsgi to perform new import workflow.

Change-Id: I4475247dfe986114d37678b3d3d552c0c7d02ddc
2020-07-06 14:01:08 -05:00
Jens Harbott f6286cb586 Drop keystone dedicated ports
Those historic references to ports 5000 and 35357 haven't been used
for some time, so let us drop them.

Clean up some python2/3 wording along the way.

No longer mention Identity API v2, which is also a thing of the past.

Change-Id: Iafff097eee082f24ea2ae27ad038ad115aa36c61
2020-06-26 15:26:22 +02:00
Jens Harbott 32c00890ed Prepare for dropping keystone admin endpoint
Keystone no longer has any special functionality hidden behind the admin
endpoint. Stop referencing it in consumers, so it can later be dropped
completely.

Change-Id: I04a5d77908005268cc7c59e7e9ddeea70f6732e2
2020-06-26 15:26:22 +02:00
Ian Wienand 076c9f1b4b Don't install uwsgi for keystone
This is already unconditionally installed via install_apache_uwsgi in
stack.sh; we don't need to install it again in keystone.  Since we
need workarounds on some platforms (see
I3bc5260e77cebe852cc8d70d9eddf84ef71d74bb) we only want to do this in
one place.

Change-Id: I40d84cbdf68cf6bb5cba143b6c0c126cdb8a84d4
2020-06-01 15:50:31 +00:00
Ian Wienand 312517d510 Use uwsgi binary from path
All these uwsgi invocations assume that the uwsgi binary is in the
same directory as their project binaries are installed into (probably
/usr/bin).  That may not be correct -- for example if using a packaged
uwsgi on Fedora the binary will live in /usr/sbin/uwsgi (not /usr/bin
where the project files from pip are).

Switch invocations to just find it in the path.

Change-Id: I298e3374e9c84e209ffcabbaaacda17f8df19f4f
2020-06-01 15:48:16 +00:00
Mohammed Naser 7db34f6cae Use MEMCACHE_SERVERS in configure_keystone_authtoken_middleware
The function was using a hard-coded value of localhost:11211 when
we have an option MEMCACHE_SERVERS that can be defined and used
inside DevStack.

Change-Id: I4947928fe406a9844d5bdaa3c826d273952fa097
2020-03-18 15:35:27 -04:00
Slawek Kaplonski d33cdd01f8 Add options to configure cache in nova
This patch adds new options:
* CACHE_BACKEND - with default "dogpile.cache.memcached"
* MEMCACHE_SERVERS - with default "localhost:1121"

to add the possibility to configure various backends as cache in
Nova and Keystone.
It also adds options:
* KEYSTONE_ENABLE_CACHE - True by default
* NOVA_ENABLE_CACHE - True by default

to make it possible to enable and disable the cache in those projects'
config files.

Default values configured there are the same as before were
hardcoded for Keystone config.

Nova has also enabled this cache by default.

Change-Id: I9082be077b59acd3a39910fa64e29147cb5c2dd7
Closes-Bug: #1836642
2019-08-01 18:16:30 +02:00
Dirk Mueller 8ab64b3236 Drop signing_dir option from configure_auth_token_middleware
This is no longer being used due to Keystone PKI tokens no longer
being implemented.

In order to not break backward compatibility we create a new function
that is to be used instead and deprecate the old one. Modify the old
function to ignore the 3rd argument and display a deprecation warning.
Adjust callers to no longer create and set that directory, calling the
new function instead.

Change-Id: Id0dec1ba72467cce5cacfcfdb2bc0af2bd3a3610
2019-06-28 16:28:03 +00:00
Lance Bragstad ed6e1d0996 Set transport_url in proper keystone config section
The RPC transport_url for keystone was being set in the DEFAULT
section, even though keystone doesn't do anything with it. Instead,
keystone leans on the [oslo_messaging_notification] section from
oslo.messaging to register the transport_url option.

This change sets the transport_url in the proper section instead of
using the DEFAULT section.

Change-Id: I11590d0175da7ea310d5529f2d7c0bf8d7fb25b3
2018-08-01 18:05:54 +00:00
ghanshyam 2742875982 Cleanup keystone's removed config options
token.provider.drvier.uuid and token.driver
has been removed from keystone[1].

Devstack has references/settings of those config
options which are confusing for users and can
lead to an import error like [2].

This commit cleans up the devstack bits of the removed
config options.

bp removed-as-of-rocky

[1] https://blueprints.launchpad.net/keystone/+spec/removed-as-of-rocky

[2] http://paste.openstack.org/show/725391/

Change-Id: I29b3b356622c485c4c1046679234a38e7b645071
2018-07-11 01:00:15 +00:00
Morgan Fainberg 16d46483dd Keystone no longer uses paste-ini
With the move to flask, Keystone does not utilize paste-ini. This
patchset removes the paste-ini support from devstack for Keystone.

Change-Id: I8dd629937c9178660992fd648175dbef80ffa3c2
2018-07-03 07:16:24 -07:00
Lance Bragstad a7d0c6fa2c Use `member` instead of `Member`
Keystone now provides a set of default roles in addition to `admin`
by default [0]. This is done during the `keystone-manage bootstrap`
process.

This change aligns the `Member` role override from devstack with the
`member` role provided from keystone.

[0] https://review.openstack.org/#/c/572243/

Change-Id: I3da3530aa73a8a1500116bcefdcba7b947d5e05e
Closes-Bug: 1777359
2018-06-18 15:54:36 +00:00
Lance Bragstad fe628b9fb2 Remove the sample configuration file for keystone
This commit just makes sure that the configuration file for keystone
exists on the system. We use iniset to actually populate the values
we want before we run keystone anyway.

This results in a cleaner configuration file that isn't bloated with
comments and help text.

Change-Id: I7a1f879e9e242a11e2c4663ec116e33da28db7f5
2018-04-20 02:13:14 +00:00
Ian Wienand 1f82f43016 Revert "Remove cache dirs from the services"
This reverts commit ef5ebed6c9.

The problem here is a backwards-incompatible change to
configure_auth_token_middleware.  Plugins are still passing a
"signing_dir" which is interpreted now as the "section" argument
... this leads to an interesting red-herring issue; because "v" is a
gnu sed command for checking the version, a signing_dir of "/var/..."
(as done in most plugins) gives the weird error:

 sed: -e expression #1, char 32: expected newer version of sed

I think we'll either need a new function, or dummy arguments to get
this back in.

Change-Id: I2098d4eb2747282622cf486fa7dbf216f932f58b
2017-10-04 09:54:43 +11:00
Jamie Lennox ef5ebed6c9 Remove cache dirs from the services
PKI tokens have been actively deprecated from keystone and there are
deprecations being emitted from keystonemiddleware. Because of this we
no longer need an auth cache directory in the services where the PKI
certificates used to be stored.

Remove the creation and use of all these AUTH_CACHE directories.

Change-Id: I5680376e70e74882e9fdb87ee1b95d5f40570ad7
2017-09-26 10:10:11 +10:00
Jenkins 2ede133ed7 Merge "Fix memcached_servers setting" 2017-09-25 13:37:24 +00:00
Jens Harbott b2330c8919 Fix memcached_servers setting
By default memcached is bound to 127.0.0.1 and we have no code in place
to change that. So instead of using the $SERVICE_HOST variable, we
hardcode it to localhost, just as we do for the cache settings, see [1].

This also avoids a bug that occurs when $SERVICE_HOST contains an IPv6
address, as in that case it would have to be prefixed by "inet6:" [2].

[1] I95d798d122e2a95e27eb1d2c4e786c3cd844440b
[2] https://bugs.launchpad.net/swift/+bug/1610064

Change-Id: I46bed8a048f4b0d669dfc65b28ddeb36963553e0
Partial-Bug: 1656329
2017-09-19 17:45:29 +00:00
Jenkins 86bdfffbe0 Merge "clean up screen and tail_log references" 2017-09-19 13:23:02 +00:00
Jenkins a6280e551b Merge "Remove keystone configs for ldap read/write" 2017-09-10 18:31:06 +00:00
Jenkins b9e368b9f6 Merge "Add procname for uwsgi based services" 2017-09-06 01:26:55 +00:00
Sean Dague 0eebeb415a clean up screen and tail_log references
Change-Id: I6bcfa09931ed1f70e071ccb16688c15c7ef2898f
2017-09-01 15:08:17 -04:00
Davanum Srinivas aa33c878d8 Fix Cleanups for keystone/placement/nova
* Check the KEYSTONE_DEPLOY flag and clean up appropriately
* When we stop a process, we should not wipe the uwsgi config; we should
  remove files only on cleanup
* We should not call cleanup *BEFORE* configure, we are just wiping
  out the uwsgi ini files
* cleanup_placement should be called from clean.sh

Change-Id: I066f5f87ff22d7da2e3814f8c2de75f2af625d2b
2017-08-17 10:40:38 -04:00
Davanum Srinivas aceb27e858 Add procname for uwsgi based services
Code in grenade and elsewhere relies on the process/service name
when one runs "ps auxw" and greps for example "grep -e glance-api"
to check if the service is running. With uwsgi, let us make sure
we use a process name prefix so it is easier to spot the services
and be compatible with code elsewhere that relies on this.

Change-Id: I4d1cd223ed9904fcb19b26fc9362b676e0b4f9b3
2017-08-17 10:33:14 -04:00
Lance Bragstad 63962fbbe4 Remove keystone configs for ldap read/write
Configuration options that toggle support for LDAP read/write
were deprecated and removed as of the Ocata release:

  I13eada3d5c3a166223c3e3ce70b7054eaed1003a

This means we no longer need to clutter the domain-specific
configuration with these values since they are no longer used.

Change-Id: I23b5b994862f066c3d48ce524c396faecabf60f8
2017-08-11 19:42:51 +00:00
zhangbailin 32608da2c4 Modify some spelling mistakes
There are some comment errors; this modifies 'Captial' to 'Capital' in
the keystone file, 'possition' to 'position' in the openrc file,
'comming' to 'coming' in the stack file, and
'prefered' to 'preferred' in the stackrc file.

Change-Id: I0fdd539cbfff842a4ba7fca9100b881443300f9a
2017-08-10 03:03:47 -07:00
Leticia Wanderley cc36397134 Fixes devstack ldap plugin
When the ldap service is enabled in local.conf, the devstack ldap
plugin starts the slapd service using its default config on Ubuntu
and installs the ldap-utils package.
It enables domain-specific drivers in Keystone and creates an LDAP
domain 'Users' with a demo user.

Change-Id: I8d7aa260b01f675e4ed201ef93bfd66474f4b228
2017-07-10 17:06:16 -03:00
Jenkins b24bfac43d Merge "Track db sync command time usage" 2017-06-15 19:36:25 +00:00
Clark Boylan 633dbc3d8e Track db sync command time usage
We are trying to keep better track of what pieces of devstack consume
the most time. Add the db sync commands to the time tracking as they run
the database migrations which can take more time than expected.

Change-Id: Ib92f2b8304ccf703712d45fd7207444de3599e2d
2017-06-14 12:09:21 -07:00
Jenkins 7b3968b382 Merge "Increase KEYSTONE_LOCKOUT_DURATION to 10" 2017-06-14 16:10:35 +00:00
Boris Pavlovic 2b6e9ac471 Improve OpenStack performance by reducing bcrypt hashing rounds number
Reduce bcrypt hashing rounds from 12 to 4 (minimal possible).

This is going to improve a lot of the performance of OpenStack.

Bcrypt is a hashing algorithm that is designed to use a lot of resources and
in that way stops brute-force attacks. It's an exponential algorithm that depends
on the number of rounds. By default 12 rounds are used, which is quite a high value,
good enough for real secure production environments.

In the case of DevStack it's going to slow down all authentication by many times.
Rally shows about 5 times slowness (adding 2-5 seconds to every authenticate).
DevStack is meant for development & CI so performance is way more important than
security.

Change-Id: Id8c763d63cb91f37a774f9400f35c309f37d6f12
2017-06-13 18:33:28 +00:00
Lance Bragstad dcd4b64c99 Increase KEYSTONE_LOCKOUT_DURATION to 10
Transient failures were being reported because the current lockout
period for users was too short. While this does increase the
run time of IdentityV3UsersTest.test_user_account_lockout, it
allows for more flexibility if there is network latency or some
other factor that causes the lockout to expire before the
next authentication.

Change-Id: I61bc39bbc35ac414b4a72929a90845956c99eb1a
Closes-Bug: 1693917
2017-06-12 14:41:42 +00:00
Clark Boylan 902158bb8f Don't treat service as enabled if in disabled list
The old implementation for is_$service_enabled simply checked if any of
the subservices were enabled and if so the service was considered to be
enabled. This makes disabling services complicated as it means you have
to list every single subservice, and those can and do change over time.

Instead also check if the generic service name is in the disabled
services list and if so don't treat the service as enabled.

Change-Id: I7fe4dfca2cd9c15069d50a04161a29c5638291cb
2017-06-07 17:23:38 +00:00
Sean Dague 27f66e9830 Fix logging when under systemd
Both keystone and neutron didn't yet have systemd awareness for
setting up logging (i.e. drop the extra date / time stamps)

Change-Id: Ib442c603c9afb679676976c37c2c6122201ae846
2017-05-02 09:24:45 -04:00
Sean Dague 803acffcf9 Make ./clean.sh work in more situations
When transitioning between different wsgi modes, or service modes, we
should really safely stop and cleanup things that are started in any
service mode, which makes it easier to ensure that we don't leave
things around from past runs.

Change-Id: I33acbee39e1a2da2bfd79a5dd54b84a12a778be1
2017-05-02 06:20:22 -04:00