This patch adds a config option to allow
configuring the cache_time for identity elements.
It is also including a complementary fix for
change I49e46e010c543f831959581b2122f59068f2c07b
that missed adjusting the correct template, and
used the wrong comparison "is not None".
Closes-bug: #2054418
Related-bug: #1771114
Change-Id: I57d376eb6c1f0f38cdd028aacf397aaf7f3a1cda
This is necessary to avoid collisions between
same usernames used service users.
Depends-on: I4fbfa8fba84b11c4e30e4db9a0c358db1e8c94f1
Closes-Bug: #2030755
Change-Id: I500fd131cbd6cd5c2b38fdbe81b8b48e50a3e3f7
We use a default expiration_time (dogpile-expiration-time)
of 600s which means that role assignments will take up to
this amount of time before all caches are updated to
reflect changes. This may not be suitable for some clouds
that make frequent changes to role assignments and lowering
the global value is not recommended so this overrides the
[role] cache_time to a more appropriate value and also
makes it configurable. We leave default value as None so
that the global value is still inherited but this at least
allows it to be customised.
Change-Id: I49e46e010c543f831959581b2122f59068f2c07b
Closes-Bug: #1771114
When the mysql password is changed via the shared-db relation, the
shared-db hook handler needs to restart keystone's apache2 so that the
password is picked up and used by keystone during the rest of the hook.
Change-Id: I37ed94d5937a9abf46fd12cd6f230ddb5a298b0e
This patch adds two actions:
1. An action to list the service usernames that can be rotated.
2. An action to rotate a service username that is on the list of
usernames that can be rotated.
Change-Id: I3a8a6af7ec8b0ea32da04eff34fafd32f43cee0e
func-test-pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/1005
This change add several configuration options to enable HTTP checks
to the HAProxy configuration, instead of the default TCP connection
checks (which continue to be the default)
Closes-Bug: #1880610
Change-Id: I50a9442ae66da71793a5e9904d23c26d1fbbdf42
There is a requirement for some end users where we need to specify
auth_ttl to a higher level. This should help with these users
Change-Id: Ifd515d7c103a6b24c4f5da500442406f04fb372f
This parameter is added to the relation in order to configure service
tokens on related services. The role of the service user is required for
service token validation.
Closes-Bug: #1992840
Change-Id: Id7e84d38a9f774179808137548307c9174a87f87
The linked bug shows the install of the charm with openstack-origin set
to zed. This happens because configure_installation_source() causes the
openstack-release package to be installed *before* the zed cloud archive
sources are configured into /etc/apt and an apt update done. This means
that the openstack-release package says "yoga" despite the zed packages
actually being installed.
Then, on the config-changed hook, it sees that the installed version is
showing as yoga and tries to do an upgrade. This fails, as the charm
hasn't yet bootstrapped, and the charm tries to bootstrap after
upgrading the packages.
There's a few bugs here which are exposed, but the tactical fix is to
force the openstack-release to match the installed packages.
Change-Id: I3f47daf6bda6b62ffe4152ede2709f802f0ab606
Closes-Bug: #1989538
Validates if the provided vip address(es) are in the subnet that the unit is in. If not, shows the message with invalid vips along with 'blocked' status.
Closes-Bug: #1958178
Change-Id: I6bb3e21f3934d6d2483564fba9216504a62d15dc
Add new option default_authorization_ttl used for
federation to set validity of group memberships
coming from a mapping.
Closes-Bug: #1970388
Change-Id: I4a8dbc501e14d1201ceed27077554924c56e3abd
We need to ensure value for 'service' provided on
identity relation before doing valid_services lookup.
Change-Id: I42fb9dbb48b3bcf8fd40700db84ec8210b8433a4
Related-Bug: #1965967
A charm joined to keystone via the identity-service relation can
now specify additional roles that can be granted to admin. This
is done by setting the relation data key `add_role_to_admin` the
value is a comma seperated list of roles that should be granted
to admin.
Change-Id: I7ecac3d64eece1845dc963886e09cc2be149ae03
The /etc/keystone/fernet-keys/ directory must exist prior to
keystone-manage bootstrap being called.
Closes-Bug: #1951076
Change-Id: Ifa1ca433a658011365376a38e20b2901202bca21
When purely using relation-set from a leader, updates after
the leader has changed can lead to old data being persisted
on a relation in addition to newer data being set by the new
leader. When this happens, there can be issues with services
using old data to talk to other related services.
This change introduces the use of the application data bag
to ensure that all units related to keystone get the same
data from the leader, regardless of leadership changes.
While this change enables the application data bag for these
relations, it still sends the per-unit relation data as well
to maintain backwards compatibility. Charms that consume the
identity-service and identity-notification relations will
need an update to use the application data bag to complete
this change.
Partial-Bug: #1902264
Change-Id: Iadd795fec605e7704e5a6673906452279bbecb34
Adds backend options for 'admin-port' and 'public-port' in
HAProxyContext. HAProxy will now expect 200-300 statuses and the string
"stable".
test_haproxy_context_service_enabled updated to reflect expected ctxt.
Closes-Bug: #1933233
Change-Id: I88cef4539f5d7dc70f6fbaacfb2ff768e958d346
The [cache]/expiration_time currently caches items for the default
of 600s and is not configurable via the charm. This change adds a
dogpile-cache-expiration config option that will default to 600s
so as not to cause any behavior changes by default.
Closes-Bug: #1899117
Change-Id: I639b2b77d5db69744897b6798613a797d05fe23b
Co-authored-by: Chris MacNaughton <chris.macnaughton@canonical.com>
While admin passwords are discouraged, they are used by some users
and using a file to import into the config option may include new
line characters. Strip the white space from the admin password to
prevent confusion for users.
Change-Id: I986b10e960153daed9d0d0cbf81d9c9e918a2150
Closes-Bug: #1895004
For principal - subordinate plugin type relations where the
principal Python payload imports code from packages managed by a
subordinate, upgrades can be problematic.
This change will allow a subordinate charm that have opted into the
feature to inform its principal about all implemented release -
packages combinations ahead of time. With this information in place
the principal can do the upgrade in one operation without risk of
charm relation RPC type processing at a critical moment.
Also sync c-h.
Closes-Bug: #1806111
Change-Id: I95567d5d047eb64842436e671b74a633e6f509f4
There are scenarios where a keystone's consumer might want to talk to
keystone over the internal url, exposing this information over the
relation would allow services like openstack-dashboard to implement
a configuration option equivalent to `use-internal-endpoint` provided
by nova-cloud-controller.
Closes-bug: #1812361
Change-Id: I129a686ed9d20035894a36500cb64d1798d3f9d2
Co-Authored-By: Felipe Reyes <felipe.reyes@canonical.com>
The related bug indicated that the Fernet keys could get out of sync
between the leader and non-leader units. This patchset assumes that
hooks fail, or that units are off-line when the rotation occurs. Thus
it tries hard to ensure that the keys are in sync. It still uses juju
to 'send' the keys from the leader to the subordinate units, so in that
sense, it is not a fix to the related bug, but it does make it more
robust.
Change-Id: Id40a3ccbe565bd742e3fdbd5190deb6b21204a82
Related-Bug: #1849519
This is my first commit to learn gerrit workflow. The fix just simply
removed a blank line between imports.
Change-Id: I2953f501fbacf2909fd33a8b385e501e72b351de
Expose catalog-cache-expiration which can be used to specify how
long catalogue entries will be cached for. In addiontion inform
charms that receive notifications of endpoint changes what this
setting is.
Change-Id: I3ce72efc5bd96c987748f66a275f92941daa8fe5
This will also give us more insights into the leader-set failure
happening in the linked bug.
Also updated project files from latest release-tools templates.
Also blacklisted libjuju 2.8.3 which causes spurious
JujuAPIError's.
Change-Id: I51b890098df6d918c1d84adba272559ef45411bb
Partial-Bug: #1890256
This patch eliminates almost all the manager.py calls when
updating/checking the endpoints from the relation(s) with other charms.
Change-Id: Ibb7999239ec9927e76052b7e45c4545127b5919a
Closes-Bug: #1890602
If a client requests a role then inform them what role was
actually created or already existed.
If a client requests the creation of a role and that role already
exists with a different mix of upper and lower case then the new
role is not created. This is because keystone purports to be case
insensative. However the client may not be case insesative (horizon)
and may assume that the role was created. This change replies to
the client with a new key 'created_roles'. This tells the client
what the case sensative name actually is.
Change-Id: Idc0865a688886a2066dfcdbd15e30118ae5c5bb8
Closes-Bug: #1890437
Fallback to v2 API behaviour for processing endpoints for older
OpenStack releases where the v2 API is still the default.
Change-Id: Ieb9afed0a6442fac48f8e1ccc0f5c34626a3be18
Closes-Bug: 1889180
Depending on the order of hook execution its possible for a charm
requesting notification of endpoint changes via the subscribe_ep_change
relation key will only get a partial set of information based on
services which are registered after their service is registered.
If this situation happens and a subscribed to service already exists
in the endpoint catalog add these to the JSON dict of information
passed to the requesting charm.
Change-Id: Ibac7ea6de013674b570c3de205d95c0a9d1cd8ae
Closes-Bug: 1887394
Sharing the admin password with peers over the 'cluster' relation
was needed in case the leader would die and the next leader would
then need that information. This was implemented years ago when
the leader DB didn't exist.
This led to a race condition described in the mentioned bug and
can now be safely removed.
Validated by deploying several keystone and glance units, then
removing the keystone leader, then adding a glance unit and
checking that this new unit gets its service credentials.
Also added useful traces, made linter happy and increased fernet
token expiration to avoid spurious test failures.
Closes-Bug: #1818113
Change-Id: I004903e50f51e190467d71691982de26518d7149
When the certificates relation is ready before the
HA relation is clustered, the VIP symlinks will not
be created pointing at the correct certificates. This
change updates the HA handlers to ensure that the
certificate relation is handled after clustering,
if there are any certificate relations.
Change-Id: Idfbdaf7919569983cdf159e44a6dad26eccfd195
Closes-Bug: #1886077
When Keystone tries to setup identity credentials before the
API is ready, there will be hook errors as the API service
is not available to communicate with. Adding in a gate on
API readiness before handing out credentials makes this safe.
Change-Id: I9f2700a391cfb664572a39e8db5b2d3e370cf170
Closes-Bug: #1886918
None is returned for a relation data value if a key isn't present -
assuming that it's a string is not correct. This change fixes that by
returning an empty string if protocol-name is not present.
Change-Id: I2bab6a69f9f663edee0738ff35b804d81736cb5c
Closes-Bug: #1882084
The checks that keystone was performing before emitting identity
data were applicable to any Openstack api charm so the check
definitions have been moved to charmhelpers so other charms can
use them. The checks as they were are encapsulated in
`check_api_unit_ready` *1
Bug 1818113 was caused by keystone emitting identity data
as soon as the leader was ready but ignoring the state of the
peer units. This is now covered by a new check
`check_api_application_ready` which performs all the local
unit checks and then checks that all peers have reported
as ready too.
In addition `check_api_unit_ready` is now used when
setting the units workload status and `check_api_application_ready`
is used when setting the application workload status.
*1 https://github.com/juju/charm-helpers/blob/master/charmhelpers/contrib/openstack/utils.py#L2289
*2 https://github.com/juju/charm-helpers/blob/master/charmhelpers/contrib/openstack/utils.py#L2330
Change-Id: I99830ab2c2482e8beef174424820907ce96fd5d7
Closes-Bug: #1818113
Keystone does not reliably pick up policy changes (observed on
Queens) unless apache is restarted. This change triggers a restart
when policy is changed.
Change-Id: Ia29312baa9c1b8113649fc2826f0464588c3ce11