Commit Graph

112 Commits

Author SHA1 Message Date
Rodrigo Barbieri 0967f6ec4e Add cache_time for identity
This patch adds a config option to allow
configuring the cache_time for identity elements.

It is also including a complementary fix for
change I49e46e010c543f831959581b2122f59068f2c07b
that missed adjusting the correct template, and
used the wrong comparison "is not None".

Closes-bug: #2054418
Related-bug: #1771114
Change-Id: I57d376eb6c1f0f38cdd028aacf397aaf7f3a1cda
2024-03-19 16:40:19 -03:00
Edward Hope-Morley 0cb787bb9d Make role-cache-expiration configurable
We use a default expiration_time (dogpile-expiration-time)
of 600s which means that role assignments will take up to
this amount of time before all caches are updated to
reflect changes. This may not be suitable for some clouds
that make frequent changes to role assignments and lowering
the global value is not recommended so this overrides the
[role] cache_time to a more appropriate value and also
makes it configurable. We leave default value as None so
that the global value is still inherited but this at least
allows it to be customised.

Change-Id: I49e46e010c543f831959581b2122f59068f2c07b
Closes-Bug: #1771114
2023-06-09 16:29:59 +01:00
Arif Ali b5c4eb2eae Add auth_ttl into keystone.conf
There is a requirement for some end users where we need to specify
auth_ttl to a higher level. This should help with these users

Change-Id: Ifd515d7c103a6b24c4f5da500442406f04fb372f
2023-01-19 08:09:53 +00:00
Bas de Bruijne 6e5189646f Use juju-exec in cron jobs for juju3 support
Change-Id: Id2a92a134c2e663b3dca10dbc36dd7c7afc9c86b
2022-12-08 15:56:43 -04:00
Felipe Reyes cdce143628 Include openidc-*.conf in Apache.
This change adds a new configuration line in Apache's frontend
configuration to include (if present) the files generated by the
keystone-openidc charm to configure OpenID Connect.

Change-Id: I8c96b1f1ffad84d57276fd60461c1aee60b32d3b
2022-07-26 18:07:42 -04:00
Hemanth Nakkina f5d9b9ed40 New option default_authorization_ttl
Add new option default_authorization_ttl used for
federation to set validity of group memberships
coming from a mapping.

Closes-Bug: #1970388
Change-Id: I4a8dbc501e14d1201ceed27077554924c56e3abd
2022-05-16 12:05:15 +05:30
Dmitrii Shcherbakov f30d5e38f6 Revert an admin_and_matching_domain_id rule change
This reverts commit cef78d47fb.
Related-Bug: #1950379

Change-Id: I871eac8af34e49e771ffa8a7d8076d0bbcbb40ae
2021-11-11 15:37:54 +03:00
Nobuto Murata 44bf92f6bf Ease KeepAliveTimeout in line with keystoneauth1.session.Session
Apache2's default value for KeepAliveTimeout is 5 seconds, which is okay
for general web-page serving use cases. However, sessions and connection
pools created by keystoneauth1.session.Session can be terminated
unnecessarily during multiple API calls in a session due to the short
KeepAliveTimeout.

Let's ease KeepAliveTimeout to 75 seconds, which is fairly standard for
API services behind a reverse proxy since it's the default value of
nginx.

Closes-Bug: #1947010
Change-Id: Iff24f0f4b35fcc239abc14f37a76dcad8380d785
2021-10-17 02:42:33 +00:00
Zuul c2ca8d2184 Merge "policy: correct domain_id match for admin_and_matching_domain_id" 2021-10-06 00:17:00 +00:00
David Ames 7e6647951d Set WSGI env with lang=C.UTF-8
The default apache2 environment, and therefore the default WSGI
environment, sets LANG=C. For languages beyond the scope of ASCII
this can create problems.

Explicitly set the lang and locale to C.UTF-8 which will support all
UTF-8 language sets.

Change-Id: I110cc089fa7d51dfd513c630cb28cd49b330bf6f
Closes-Bug: #1933109
2021-06-22 10:06:17 -07:00
James Page cef78d47fb policy: correct domain_id match for admin_and_matching_domain_id
Ensure that the 'admin_and_matching_domain_id' rule correctly
matches the target.domain_id field, ensuring that domain
admins can actually query users and projects within a domain.

Change-Id: I4c000363dd7746f401613d99210e8ca12f34b010
Closes-Bug: 1830076
2021-06-15 16:47:46 +01:00
Zuul eba83e91ca Merge "Refresh cipher suites and protocols" 2021-04-09 02:32:19 +00:00
Corey Bryant 152e5b6cfe Support configurable dogpile cache expiration
The [cache]/expiration_time currently caches items for the default
of 600s and is not configurable via the charm. This change adds a
dogpile-cache-expiration config option that will default to 600s
so as not to cause any behavior changes by default.

Closes-Bug: #1899117
Change-Id: I639b2b77d5db69744897b6798613a797d05fe23b
Co-authored-by: Chris MacNaughton <chris.macnaughton@canonical.com>
2021-04-07 09:05:09 +02:00
Nobuto Murata 4c7c98ab90 Refresh cipher suites and protocols
The last update was 2016, and it's time to drop TLSv1 and TLSv1.1 as the
base configuration recommended by Mozilla.
https://wiki.mozilla.org/Security/Server_Side_TLS

This is equivalent to a charm-helper's change:
27d6ceb385

Closes-Bug: #1886630
Change-Id: Ia8cb1ad7417014fbc20178ccc598117c97a34188
2021-03-29 11:46:21 +09:00
Liam Young 57b9d62aaf Make catalog-cache-expiration configurable
Expose catalog-cache-expiration which can be used to specify how
long catalogue entries will be cached for. In addition, inform
charms that receive notifications of endpoint changes what this
setting is.

Change-Id: I3ce72efc5bd96c987748f66a275f92941daa8fe5
2020-09-29 15:59:38 +00:00
Zuul 7ff71cad6c Merge "Replace use of admin_token with Keystone bootstrap" 2020-03-18 16:43:44 +00:00
Frode Nordahl 0a02c30fe5 Replace use of admin_token with Keystone bootstrap
Stop the use of the admin_token and use the bootstrap process
to initialize Keystone instead.  Fortunately the implementation
of the bootstrap process is both idempotent when it needs to be
and it can be safely called on an existing deployment.

Subsequently we can migrate by just removing the admin_token
from the configuration and create new credentials for use by
the charm with a call to ``keystone-manage bootstrap``.

Remove configuration templates for versions prior to Mitaka; by
doing this we need to move any configuration initially defined
prior to Mitaka forward to the ``templates/mitaka`` folder.

A side effect of this migration is that newly bootstrapped
deployments will get their ``default`` domain created with a
literal ID of ``default``.  Prior to this change third party
software making assumptions about that being the case may have
had issues.

Closes-Bug: #1859844
Closes-Bug: #1837113
Related-Bug: #1774733
Closes-Bug: #1648719
Closes-Bug: #1578678
Func-Test-Pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/191
Change-Id: I23940720c24527ee34149f035c3bdf9ff54812c9
2020-03-13 09:52:10 +01:00
Camille Rodriguez 248239ea54 Modifying wsgi template to add optional config for Kerberos authentication
For the keystone-kerberos charm to configure correctly
with the keystone charm, the apache config needs to be
edited. Also, the alias needs the info of the keystone
context for the location of the script, hence cannot
be put in a separate optional config. It does not affect
non kerberos configuration.

Change-Id: I2842b628f0c3f88bd7efd735f76926b5d34cc108
2020-03-12 15:45:33 -05:00
Zuul 2b6b708fab Merge "Implement Security Compliance option for password" 2020-02-19 14:50:17 +00:00
Alex Kavanagh e83cb05bf8 Implement Security Compliance option for password
This feature adds a "password-security-compliance" option to the
charm to enable setting of keys in the "[security_compliance]" section
of the keystone.conf file.  This section was added in the Newton
release, and so this feature supports this from the Newton release.

It also protects the service accounts from two of the PCI-DSS options
by setting the user options 'ignore_password_expiry' and
'ignore_change_password_upon_first_use' to True to prevent the cloud
from being broken.

Change-Id: If7c54fae73188284bd9b03a53626cdf52158b994
Closes-Bug: #1776688
2020-02-05 18:10:12 +00:00
tpsilva 92e75b5aad Disable Apache port 80
Currently, Apache ports.conf file is not being configured by this
charm. This patch changes the ports.conf default file with another one
that does not open port 80 on SSL environments.

Change-Id: I35ba6bb31af6d795d02d90d0d127ac5c6c129d0f
Closes-bug: #1845665
2020-01-29 18:22:27 +00:00
Tiago Pasqualini da Silva 057a3ad7b2 Revert "Disable Apache default ports"
This reverts commit 25562b842e.

Change-Id: I48496e7d9649b3d7d68cc2c992332e018da263b9
2019-12-20 02:05:25 +00:00
tpsilva 25562b842e Disable Apache default ports
OpenStack services don't use the default ports (80 and 443), so
change Apache to not open them.

Change-Id: I394e03de59e1d8f8e65197509dcf95fa05727afa
Closes-bug: #1845665
2019-11-27 12:51:51 +00:00
Eduardo Sousa d52e1b4b4b Replacing direct import for OAuth plugin
The direct import of the auth plugin
'keystone.auth.plugins.oauth1.OAuth' is deprecated since
Liberty.

The entrypoint should only be defined in case there is a
need to override the default implementation with a custom
class.

A closer inspection to the code confirms that:
70c9dd8256/keystone/conf/auth.py (L63)

Closes-Bug: #1837109

Change-Id: Icbad28cdefbccb6e6499ad4e19ad0d6bfaeff677
2019-09-24 14:14:23 +01:00
Eduardo Sousa 7d24238e72 Replacing direct import for token plugin
The direct import of the auth plugin
'keystone.auth.plugins.token.Token' is deprecated since
Liberty.

The entrypoint should only be defined in case there is a
need to override the default implementation with a custom
class.

A closer inspection to the code confirms that:
70c9dd8256/keystone/conf/auth.py (L38)

Closes-Bug: #1837110

Change-Id: I80e584de7d5bf46c5621e357333853975cfebade
2019-09-24 13:23:27 +01:00
Eduardo Sousa 631749ee7b Removing deprecated 'driver' option
Removing deprecated 'driver' option from 'token'
group in Queens.

Note: it was getting stuck during pause_resume test. Problem is fixed.

The value was deprecated in Pike:
05c535c0bc/keystone/conf/token.py (L76)

Closes-Bug: #1837108

Change-Id: I97c1bdc8f96b6320a52fdc2b329d2e8905f5be0e
2019-09-23 03:59:10 +01:00
David Ames a103c15e40 Use AuthMethod context
Rather than use hard-coded auth methods, use the protocol name passed
over the keystone-fid-service-provider relation.

Also, when using federation do not allow the "external" method as they
are mutually exclusive.

Change-Id: I08f0632630d7f0e8d2d7ddb057e02f9febf9ad6f
Closes-Bug: #1828015
Closes-Bug: #1828018
2019-05-16 21:49:01 +00:00
Dmitrii Shcherbakov e580d1acf3 Enable application_credential auth plugin
Enables a client to use application credentials for authentication.

Change-Id: If6ff4bcabec2f976b79d87d57f4a763e8828c302
Closes-Bug: #1827058
2019-04-30 16:50:44 +03:00
Chris MacNaughton d8c406e405 Ensure Keystone sets check-max-request-body-size
Change-Id: I580669d82c3f37adceb75d5d6f368b09ea41b9da
Closes-Bug: #1819134
Func-Test-PR: https://github.com/openstack-charmers/zaza/pull/198
2019-03-11 12:36:54 +00:00
Aymen Frikha c272d2c707 Add support for Middleware
This patch creates a new middleware context to retrieve data
from the subordinate charm and update the keystone configuration file.
It also allows integration with keystone-middleware interface:
https://github.com/openstack-charmers/interface-keystone-middleware
This patch uses the subordinate configuration approach
to retrieve data from the subordinate charm.

Every change required for the paste.ini file will be handled by
the subordinate charm. The latter should deal with keystone upgrades.

Closes-Bug: #1808597

Change-Id: I4897011fbc791abc97e34e75826579820e80a4f1
2019-01-07 18:52:05 +00:00
Sahid Orentino Ferdjaoui d0720953c2 remove idle_timeout's opt in favor of connection_recycle_time
In Icehouse, database/idle_timeout was deprecated in favor of
database/connection_recycle_time. This commit reflects the change in
our templates.

Change-Id: I6814a9d61d24c713e7a5182bf9683a393cda06bb
Closes-Bug: 1805592
Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@canonical.com>
2018-11-28 10:12:13 +01:00
Alex Kavanagh 59561fdda0 Convert the charm to Python 3 only
Major changes:

 * decoupling the hooks/manager.py file from the charm.  It is now a
   script that is called from hooks/keystone_utils.py as it has to use
   the same Python version/libraries as the installed keystone payload
   software.  keystone_utils.py and manager.py communicate via a Unix
   Domain Socket using json, encoded to base64.
 * As Python3 requires absolute imports, the charmhelpers symlink has
   been removed from hooks, and the hooks and charmhelpers symlinks have
   been removed from the actions directory.  Instead, the path is
   adjusted so that the modules can be found.

Change-Id: I18996e15d2d08b1dacf0533132eae880cbb9aa32
2018-09-21 09:09:47 +00:00
Zuul e472adaf2f Merge "Cleanup `README.md`, `config.yaml` and `templates/`" 2018-08-17 06:16:41 +00:00
Alex Kavanagh b813360bf6 Keystone Fernet Token implementation
This patchset adds more Fernet token implementation:

1. Adds a cron job to rotate / sync keys to other units.
2. Adds additional tests around gating on config.
3. Adds rotation / syncing with more robust key handling.

Change-Id: Ied021ad83c241f241dbb5f9acdede9045e43a8a3
2018-08-14 08:35:43 +02:00
Frode Nordahl 1985c16033 Cleanup `README.md`, `config.yaml` and `templates/`
Remove configuration options which no longer have effect
(the supporting code has been removed).

Update and fix formatting of `README.md`.

Remove templates for no longer supported OpenStack releases.

Change-Id: Ibbda87738d98f6ad97da212ad1b56be88b33e9a3
2018-08-02 13:50:29 +02:00
Frode Nordahl 267aeb824f Remove entry point configuration
The configuration options for plugin entry points are
superfluous and lead to Internal Server errors on Rocky.

Remove them from configuration and have Keystone use its
defaults.

Change-Id: I460aec084478f2ead8c16a11c0731bc110197368
Closes-Bug: #1784295
2018-07-30 08:39:38 +02:00
Frode Nordahl 1e991dc28b Add initial support for Fernet tokens
Starting with OpenStack Rocky, the currently used `uuid` token format
is no longer supported and we need to change to use `fernet` tokens.

This change provides basic functionality to initialize the fernet token
repository and distribute keys to non-leader units.

A configuration option is also added allowing change of token format
in a controlled manner prior to upgrading to OpenStack Rocky.

Further work is required to implement key rotation, actions etc. and
these topics will be addressed in separate commits.

The commit also fixes an instance of a missing release check for writing
of `policy.json`, and a few places where writing of `policy.json`
previously was omitted.

Change-Id: I1d0ff22a5f091b02f5700412745572c246103e9e
2018-07-25 15:23:47 +02:00
Frode Nordahl ac40485052 Update keystone.conf and policy.json for Rocky
Purge references to upstream removed sections and token
features.

policy.json now at level with:
openstack/keystone@0022adb6ae

Change-Id: I0e1163d1c16c7987409dff23ce6cdcc35df302ab
2018-07-24 12:44:35 +02:00
Frode Nordahl 75811fdcf7 Remove references to `pki` and `pkiz` tokens in templates
The functionality was removed from charm in commit
17b24e7fde

Template references were left behind and this commit addresses
that.

Change-Id: I55362faec21f32cccdcb82f810680b70fe2fb53b
2018-07-24 12:40:49 +02:00
Zuul 17acfa25bd Merge "enable totp auth plugin" 2018-07-12 16:07:39 +00:00
Liam Young f960109cb3 Enable proxy header parsing
Ensure that oslo.middleware parses any proxy information
forwarded from haproxy/apache with regards to protocol;
this ensures that https connections are correctly detected.

Includes charm helper sync to bring in oslo middleware
template.

Change-Id: I2ce75a4a2033d8d3c07bd9f7ce6e4f5f6d9488cf
Closes-Bug: 1758675
2018-06-28 11:57:55 +09:00
Dmitrii Shcherbakov 8aed72e20f enable totp auth plugin
The only config change is in keystone.conf to enable totp auth plugin.

A secret can be generated via an arbitrary tool and uploaded to Keystone
via credential api by specifying "totp" credential type, secret and a
user id.

https://developer.openstack.org/api-ref/identity/v3/#create-credential

https://blueprints.launchpad.net/keystone/+spec/totp-auth
https://docs.openstack.org/keystone/pike/advanced-topics/auth-totp.html#configuring-totp

Change-Id: Ie3e4d828aae1f0918ace94adbdfdb81ffdc12878
2018-06-14 19:23:39 +00:00
Frode Nordahl 2443479316 Update policy.json for Queens
Source: 166eced28b15335f816134806bf5bb6b50c222cd

Remove v2 section from template as Queens is v3 only.

Change-Id: Ic2b1215421ad870096fab7e1aee1f7604c1892a2
Closes-Bug: #1774716
2018-06-06 12:58:00 +02:00
Dmitrii Shcherbakov 6f3751cc96 add support for Federated IDentity (FID) and WebSSO
* add support for relating with subordinate charms providing Service
Provider functionality via apache2 authentication modules;
* enable additional authentication methods on the keystone side to
accept parsed assertion data provided via apache2 authentication module
variables exported to WSGI environment;
* move https frontend and WSGI API apache config files to keystone
instead of relying on charm-helpers as modifications are needed there to
add IncludeOptional directives. openstack_https_frontend.conf is added
on purpose as ServerName cannot be correctly determined after ProxyPass
which results in TLS errors during SAML exchange process;
* add an additional relation to openstack-dashboard to provide URL
information necessary to trust 'origin' parameter in WebSSO URLs used by
horizon during the authentication process. Also add a context to render
the federation section that is used to render this information in
keystone.conf;

Subordinates can choose to use different apache2 authentication modules.
If those modules support vhost-level variables then multiple
subordinates for the same module can be used. For example,
mod_auth_mellon can be used multiple times in different vhosts to
protect federated token endpoints related to different identity provider
and protocol combinations.

Trusted dashboard relation could be used to provide dashboard origin URL
from a different site via cross-model relations.

NOTE: this functionality will be triggered only on Ocata+ (inclusive)

Change-Id: I1ef623b0b0e2a9f68cec4be550965c5e15e5f561
2018-05-11 21:09:47 +03:00
James Page e8f1fdd8a1 Remove deploy from source support
Drop support for deployment from Git repositories, as deprecated
in the 17.02 charm release.  This feature is unmaintained and has
no known users.

Change-Id: Ic054e29ef55d8890a3130af16b48f105efcf8f6a
2018-01-12 10:42:25 +00:00
Liam Young 4b00281bb4 Add memcache backend
Install and configure memcached on the keystone units and configure
keystone to use the cache. This should speed up token access for
existing tokens.

Change-Id: I26af0a97660e5bbe293a32e6b9e3d209338f905a
Closes-Bug: #1722541
2017-10-17 11:10:48 +00:00
James Page 9515a78cf0 Use compatible uuid entry point for tokens backend
Ensure that a valid entry point is used for the uuid token
backend, resolving compatibility with later OpenStack releases.

Change-Id: I566e6a2e9c0aa1fc1afe02dbc9f899cfb0c7a9f6
Closes-Bug: 1722909
2017-10-11 16:45:37 -04:00
Jenkins 2359950179 Merge "Snap install OpenStack in Charms" 2017-10-04 18:00:29 +00:00
David Ames 8da85834c2 Snap install OpenStack in Charms
Install OpenStack using snaps. By setting openstack-origin to
snap:track/channel or snap:track the charm will use snaps to
install rather than debs. If channel is left off it defaults to
stable. For example: snap:ocata/edge will install the edge version of
Ocata and snap:pike will install the stable version of Pike.

Charm helpers sync for snap related helpers.

Change-Id: I6e3540e4ffe081540404f91061e5c9b7039b3eac
2017-09-28 17:34:11 +00:00
James Page ee45612e7c pki: conditional enablement of signing section
Only enable the [signing] section of the keystone configuration
if PKI token format is in use; other token formats don't have
support for token revocation retrieval.

Note that PKI format tokens are no longer supported >= Pike.

Change-Id: I8179ecc5d37d866588147f639ebc77a870408dfe
Closes-Bug: 1709189
2017-08-10 15:22:50 +01:00