The redirect URI specified in the Apache config for OIDC
was unintentionally serving a dual purpose as a redirect
URI and a handler for command line auth.
As of mod_auth_openidc v2.4.9 this no longer works.
This change splits the paths for command line auth and
the redirect URI into two to work around this.
Change-Id: I27c612cf8537b401c1195ae0892bf5569e2f3858
The Apache mod_auth_openidc requires explicit configuration in
order to read the X-Forwarded-Proto from the reverse proxy as
of version v2.4.11, which comes in with Ubuntu Jammy.
Eventually this will need to become the default and the
variable added in this patch can be removed.
Change-Id: Ic9d37a8463d137508d20de20b10af806a223f852
To standardize the variable name across roles, this change renames
`keystone_ssl` to `keystone_backend_ssl`.
All other roles use `<service>_backend_ssl` format.
It also better describes what it does. With `keystone_ssl` it's unclear
whether it is about the frontend or the backend.
Backward compatibility will not be implemented because securing haproxy
traffic to its backends with TLS is currently not supported by OSA so
it is hard to leverage `keystone_ssl` variable anyway.
Change-Id: Ibf8607a4cf62ab518a09d64b1054ff7fbc580000
Add file to the reno documentation build to show release notes for
stable/zed.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/zed.
Sem-Ver: feature
Change-Id: I83fbde781bbedd6e84f2ff1b1136b4558bf1da00
At the moment we don't provide any option other than using the memcached
backend. With that we also hardcode the list of packages that should be
installed inside the virtualenv for the selected backend.
Adding the bmemcached requirement to oslo_cache.memcache_pool [1] gives us the
opportunity to refactor this bit of deployment and allows more
flexibility in backend selection and in installing the requirements for it.
[1] https://review.opendev.org/c/openstack/oslo.cache/+/854628
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/858981/4
Change-Id: I2810208301fb31eeeabf31e4b38add7f8aa3e00b
This change gives the keystone role the ability to deploy keystone using
only uWSGI, which eliminates Apache and all of its dependencies from the
environment. While this capability is not as feature rich as the apache
based deployment, which is still the default, it does offer a significant
reduction in process overhead, targeting minimal deployment use-cases.
For deployments which do not need or want advanced keystone features
this is a huge benefit.
Signed-off-by: Kevin Carter <kevin@cloudnull.com>
Change-Id: I5a8484082f6331d2c5a452af2760c8e79d44fab8
This is now common functionality in an ansible role, rather than
being implemented directly in openstack-ansible service roles.
This patch creates the apache server certificate and key using the
pki role when keystone_ssl is true.
A CA certificate and key are generated and installed when keystone
is configured to be an IDP, triggered by keystone_idp.certfile being
defined.
Depends-On: https://review.opendev.org/c/openstack/ansible-role-pki/+/830794
Change-Id: Ie70aecc93b8acb7c1bbad02e98254b7c50c4c86f
Instead of having our own implementation of uwsgi, use the common role.
This allows us to reduce the amount of maintained code and eases
providing fixes and features to the uwsgi deployment code.
Change-Id: I2dc9c749c37e41959da2403fab7512ab17b859e4
This adds a new variable to manage TLS v1.3 cipher suites.
The old variable for TLS v1.2 and below ciphers is renamed for
consistency, but is still supported as a default where overridden
by deployments.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/823943
Change-Id: If857ec3e2e3728f6bea9740ff43dcb2df45429d2
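The two variables above exist because OpenSSL keeps two separate cipher lists: a cipher string for TLS 1.2 and below, and a distinct list of TLS 1.3 suites. The following is an added example, not code from the openstack-ansible-os_keystone role, that uses the Python standard library `ssl` module to expand a TLS 1.2 cipher string offline (the same OpenSSL cipher-string syntax Apache's `SSLCipherSuite` takes), separates out whatever TLS 1.3 suites the local OpenSSL enables, and flags suites a deployer should not be offering. The cipher strings and the `WEAK_MARKERS` list are constructed for illustration.

```python
"""Expand an OpenSSL cipher string offline and flag weak suites.

Added example; not part of the openstack-ansible-os_keystone role. The
sample cipher strings below are constructed, not the role's defaults.
"""
import ssl

# Name fragments that identify suites a deployment should not offer
# (constructed list; extend it to match local policy).
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH", "PSK", "SRP")


def expand_cipher_string(cipher_string):
    """Return (tls12_suites, tls13_suites) enabled by an OpenSSL cipher string.

    ssl.SSLError is raised when the string selects no cipher at all, which is
    exactly the failure worth catching before the value reaches a web server
    restart. TLS 1.3 suites are not governed by the string at all; OpenSSL
    reports its separate TLS 1.3 list alongside the expanded result.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    enabled = ctx.get_ciphers()
    tls12 = [c["name"] for c in enabled if c["protocol"] != "TLSv1.3"]
    tls13 = [c["name"] for c in enabled if c["protocol"] == "TLSv1.3"]
    return tls12, tls13


def weak_suites(names):
    """Return the subset of suite names that match a weak-cipher marker."""
    return [name for name in names if any(marker in name for marker in WEAK_MARKERS)]


def check_cipher_string(cipher_string):
    """Expand a string and return a short report dict for a deploy-time check."""
    tls12, tls13 = expand_cipher_string(cipher_string)
    return {
        "tls12_count": len(tls12),
        "tls13_count": len(tls13),
        "weak": weak_suites(tls12),
    }


if __name__ == "__main__":
    # Constructed sample: forward-secret AEAD suites only, anonymous and
    # pre-shared-key exchanges excluded.
    SAMPLE = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!PSK"
    print(check_cipher_string(SAMPLE))
```

Run the check on the value you intend to put in the TLS 1.2 variable before deploying it; a string that matches nothing raises `ssl.SSLError` here instead of failing the Apache restart on the target host. Note that the TLS 1.3 list returned is whatever the local OpenSSL enables by default, since the cipher string does not control it; that list is what the new TLS 1.3 variable is for.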
- Implemented new variable ``connection_recycle_time`` responsible for SQLAlchemy's connection recycling
- Set new default values for db pooling variables which are inherited from the global ones.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819424
Change-Id: Ia507320ca552ec60d893e398ad7f68d4283539be
There is no reason to support multiple web servers as a proxy for
keystone. Nginx is missing modules to support federation. With its
removal we simplify the code and reduce the maintenance effort needed.
Change-Id: Ib3f90a72dfc8f78cf304b0f130883befdeb09220
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/818674
A follow on from I8a1d7e8d31b43b70de062d5bbf2f648c71014af0.
Remove ability to use incorrect spelling in future releases.
Change-Id: If27c04ba5ce509a30fe2af2a56771cc1a12dbe9d
The sync from https://review.opendev.org/733244 updated to
openstackdocstheme 2.2.1 and reno 3.1.0 versions.
Set openstackdocs_pdf_link to link to PDF file. Note that
the link to the published document only works on docs.openstack.org
where the PDF file is placed in the top-level html directory. The
site-preview places the PDF in a pdf directory.
openstackdocstheme renames some variables, so follow the renames
before the next release removes them. A couple of variables are also
not needed anymore, remove them.
See also
http://lists.openstack.org/pipermail/openstack-discuss/2020-May/014971.html
Change-Id: Iecbe3fa0e8cafb7a69d398d2bb039693c7d24957
Add file to the reno documentation build to show release notes for
stable/ussuri.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/ussuri.
Change-Id: I35d0841dd643d46e91ad44654897a4a7a2d76ea2
Sem-Ver: feature
New version of openstackdocstheme (Victoria+) respects pygments_style.
Since this repo is now using Victoria (master) requirements but has
not branched for Ussuri yet, it uses the new version.
Change pygments_style to 'native' since old theme version always used
'native' and the theme now respects the setting and using 'sphinx' can
lead to some strange rendering.
Change-Id: I9a8e5558cc159fe476a32c905cde19c7fb7d7099
This repo is now testing only with Python 3, so let's make
a few cleanups:
- Remove python 2.7 stanza from setup.py
- Remove obsolete sections from setup.cfg
- Cleanup */source/conf.py to remove now obsolete content.
Change-Id: I601d900d4c34565e08d121f4100ebd3b1140b991
This patch adds support for using mod_auth_openidc instead of shibboleth for
supporting users who have a preference to use oidc for federation. A new
variable called apache_mod is added to keystone_sp allowing the auth library
to be selected. If left undefined shibboleth auth module will continue to be
installed by default maintaining backward compatibility.
This patch does not support simultaneous use of shibboleth and mod_auth_openidc
primarily because shib2 depends on libcurl3 but mod_auth_openidc depends on
libcurl4 which cannot coexist on Ubuntu. This can be resolved when there is a
shib3 package available in a future release of Ubuntu.
Change-Id: I80031f7d3f0fcc2029cd6861dcb6687e8a9f0a2e
Add file to the reno documentation build to show release notes for
stable/train.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/train.
Change-Id: Ifd8157a8f959a5e8475be6b411c83b165ad4e9ea
Sem-Ver: feature
Add file to the reno documentation build to show release notes for
stable/stein.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/stein.
Change-Id: I6e54970c514acdd618e873c688f6499d71cb238c
Sem-Ver: feature
That typo was wrongly fixed in the OSA reno, instead of being fixed
in the role.
This should fix things.
Change-Id: I3876209f37a4a1f2569900a296d5c1264061c914
The keystone service user is never used by the keystone service. Remove
the tasks creating it and related variables.
Change-Id: Iede26cba97ab43cdd0abc3887883e61d40007b34
Without this patch, the release notes published at
https://docs.openstack.org/releasenotes/openstack-ansible/rocky.html contain
the same line multiple times which is not very clear.
[...]
Support separate oslo.messaging services for RPC and Notifications
to enable operation of separate and different messaging backend servers.
Support separate oslo.messaging services for RPC and Notifications
to enable operation of separate and different messaging backend servers.
[...]
Change-Id: I0ed1a43670d97f2e2215d04c641f7bd4cfbe4f44
The systemd journal would normally be populated with the standard out of
a service however with the use of uwsgi this is not actually happening
resulting in us only capturing the logs from the uwsgi process instead
of the service itself. This change implements journal logging in the
service config, which is part of OSLO logging.
OSLO logging docs found here: <https://docs.openstack.org/oslo.log/3.28.1/journal.html>
Change-Id: I943bd5f1ac767f83d853cee09a5857f6f9f0efff
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
In order to reduce the packages required to pip install on to the hosts,
we allow the service setup to be delegated to a specific host, defaulting
to the deploy host. We also switch as many tasks as possible to using the
built-in Ansible modules which make use of the shade library.
The 'virtualenv' package is now installed appropriately by the openstack_hosts
role, so there's no need to install it any more. The 'httplib2' package is a
legacy Ansible requirement for the get_url/get_uri module which is no longer
needed. The keystone client library is not required any more now that we're
using the upstream modules. As there are no required packages left, the task
to install them is also removed.
With the dependent patches, the openstack_openrc role is now executed once
on the designated host, so it is no longer required as a meta-dependency for
the role.
Depends-On: https://review.openstack.org/579233
Depends-On: https://review.openstack.org/579959
Depends-On: https://review.openstack.org/580156
Change-Id: I8f193d5f6f1f6020b23a4c4eebf3ad537d61e0b7
The sso_callback_template file needs to be deployed for a
Keystone SP, not IDP. This patch fixes the conditional.
Closes-Bug: #1772772
Change-Id: I420e291807434382b4d3cd4c8809c7540a419f5a
This introduces oslo.messaging variables that define the RPC and
Notify transports for the OpenStack services. These parameters
replace the rabbitmq values and are used to generate the messaging
transport_url for the service. The association of the messaging
backend server to the oslo.messaging services will then be
transparent to the keystone service.
This patch:
* Add oslo.messaging variables for RPC and Notify to defaults
* Update transport_url generation
* Update examples
* Add oslo.messaging to inventory
* Add release note
Depends-On: If4326a6848d2d32af284fdbb94798eb0b03734d5
Depends-On: I2b09145b60116c029fc85477399c24f94974b61d
Change-Id: I8d5b09dd0cb905e0dee40e260efbfeff1da180ce
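The change above replaces the rabbitmq values with oslo.messaging transport variables and generates a transport_url per messaging service. The following is an added example, not code from the openstack-ansible-os_keystone role or from oslo.messaging, showing how an RPC and a Notify transport_url are composed from separate server lists in the form oslo.messaging accepts (`driver://user:pass@host1:port,user:pass@host2:port/vhost?query`), how credentials are percent-encoded so they cannot be misread as URL structure, and how the password is masked before such a URL is logged. The hosts, credentials, vhost and the `?ssl=1` query (the form openstack-ansible templates append when TLS is enabled) are constructed for illustration.

```python
"""Compose and redact oslo.messaging transport URLs for separate RPC and
Notify backends.

Added example; not part of the openstack-ansible-os_keystone role. All
hosts, credentials and vhost names below are constructed samples.
"""
from urllib.parse import quote


def build_transport_url(driver, servers, userid, password, vhost, use_ssl=False):
    """Build a transport_url from an ordered list of (host, port) pairs.

    The user, password and vhost are percent-encoded so characters such as
    '@', ':' or '/' in a secret cannot break the host list apart.
    """
    if not servers:
        raise ValueError("at least one messaging server is required")
    user = quote(userid, safe="")
    secret = quote(password, safe="")
    hosts = ",".join(f"{user}:{secret}@{host}:{int(port)}" for host, port in servers)
    url = f"{driver}://{hosts}/{quote(vhost, safe='')}"
    # Assumption: TLS is requested through the ssl=1 query parameter, which is
    # the form the openstack-ansible templates render.
    return url + "?ssl=1" if use_ssl else url


def redact_transport_url(url):
    """Mask the password of every host entry so the URL is safe to log."""
    scheme, rest = url.split("://", 1)
    netloc, slash, tail = rest.partition("/")
    masked = []
    for entry in netloc.split(","):
        credentials, at, hostport = entry.rpartition("@")
        if at:
            user = credentials.partition(":")[0]
            masked.append(f"{user}:***@{hostport}")
        else:
            masked.append(hostport)
    return f"{scheme}://{','.join(masked)}{slash}{tail}"


def render_messaging_config(rpc_url, notify_url):
    """Render the two sections oslo.messaging reads its transports from.

    RPC comes from [DEFAULT] transport_url; notifications from the
    transport_url under [oslo_messaging_notifications], which is what lets
    the two services point at different backends.
    """
    return (
        "[DEFAULT]\n"
        f"transport_url = {rpc_url}\n"
        "\n"
        "[oslo_messaging_notifications]\n"
        f"transport_url = {notify_url}\n"
    )


# Constructed samples: a clustered RPC backend over TLS and a single
# notification broker without it.
RPC_URL = build_transport_url(
    "rabbit", [("rabbit1", 5671), ("rabbit2", 5671)],
    "keystone", "p@ss:w/rd", "/keystone", use_ssl=True,
)
NOTIFY_URL = build_transport_url(
    "rabbit", [("notify1", 5672)], "keystone", "other", "/keystone",
)

if __name__ == "__main__":
    print(render_messaging_config(redact_transport_url(RPC_URL),
                                  redact_transport_url(NOTIFY_URL)))
```

Keep `redact_transport_url` on the path to any log line or debug output: the unredacted URL carries the broker password for every node in the cluster.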
Distributions provide packages for the OpenStack services so we add
support for using these instead of the pip ones.
Depends-On: I5a78e2120e596d36629b4ba978b2b5df76b149b0
Depends-On: Ib64dcbc960df7d369d202ce8cf7bdc29b3ee0e0a
Depends-On: Id9dd2dea146709414ab9ce8d439f1587e6776fd4
Depends-On: I2ba89e25c0010c9a5b515a3d0c9c731b30876e74
Depends-On: I0442b0aa94c3d0882d1118ad0c824d123bd21c88
Change-Id: I26848678dd07a409ef3e159cffb4ba6f0a228ab4
Implements: blueprint openstack-distribution-packages
When deploying the base templates for api-paste, policy files
and other files which are included in the service git source,
we now use the venv files instead of requiring access to a
git source and a complex set of lookups and variable
implementations.
This is simpler and more cross-series, and works from Queens
due to the related bug's patches.
Change-Id: I6a4e2514e66b15b2ae227e62b6dc9ae1a50a4fbd
Related-Bug: #1718356
We found a bug recently where either oslo.cache or python-memcached
aren't using the `backend_argument` properly with more than one
memcached server defined. Until we get the memcached client libraries
figured out, `memcache_servers` works just the same for a single
memcached instance and it works defined with a ring of memcached
instances.
The current variable used for the directive memcache_servers was
pointing to localhost servers, that were historically used for
UUID token cache. Only the ``keystone_cache_backend_argument``
has the right list of servers, but the variable's content is
already formatted to match the cache_backend_argument directive,
and therefore needs editing to be used in ``memcache_servers``.
This is far too fragile, and simplification was needed. This
patch moves to a new variable (with a graceful deprecation
cycle), ``keystone_cache_servers``, a simple list containing the
servers.
The variable ``keystone_memcached_max_compare_and_set_retry``
wasn't used and was therefore removed too.
Related-Bug: 1743036
Closes-Bug: 1681695
Co-Authored-By: Lance Bragstad <lbragstad@gmail.com>
Change-Id: I85ebce8b41dd440e1866a08aa1329b3df798c04f
Release notes are version independent, so remove version/release
values. We've found that projects now require the service package
to be installed in order to build release notes, and this is entirely
due to the current convention of pulling in the version information.
Release notes should not need installation in order to build, so this
unnecessary version setting needs to be removed.
This is needed for new release notes publishing, see
I56909152975f731a9d2c21b2825b972195e48ee8 and the discussion starting
at
http://lists.openstack.org/pipermail/openstack-dev/2017-November/124480.html
.
Change-Id: Ifd60c0793970e1df3f3f99bc33fc972758da40b1
Adds the following headers as static:
X-Content-Type-Options "nosniff"
X-XSS-Protection "1; mode=block"
append Content-Security-Policy "default-src 'self' https: wss:;"
nosniff prevents non-executable MIME types from becoming executable.
The X-XSS-Protection header will prevent the loading of a page if the
browser detects an xss attack. The Content-Security-Policy declares
what dynamic resources are allowed to load.
Adds the following header as user-settable via the
keystone_x_frame_options variable.
X-Frame-Options "DENY"
By default the X-Frame-Options header denies embedding in an iframe.
Change-Id: Iadd3e93bdb7e9d41ae1d027196367448dbce19f1
Partial-Bug: 1717321
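The following is an added example, not code from the openstack-ansible-os_keystone role, that audits a set of response headers for the protections described above: it parses a Content-Security-Policy value into directives, resolves the `script-src` fallback to `default-src`, and reports policies that permit inline script or any host on a scheme. The two header dictionaries are constructed for illustration; the first carries the values the change above sets, the second a tighter policy a deployer could supply through overrides. Note that `X-XSS-Protection` is checked for nothing here: current browsers ignore it, so the CSP is what actually constrains script loading.

```python
"""Audit HTTP security headers on a Keystone response.

Added example; not part of the openstack-ansible-os_keystone role. The
header dictionaries at the bottom are constructed samples.
"""
from __future__ import annotations


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}.

    Directives are ';'-separated and tokens whitespace-separated; directive
    names are case-insensitive, so they are normalised to lower case.
    """
    policy: dict[str, list[str]] = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return findings for a set of response headers; an empty list passes."""
    lowered = {name.lower(): value.strip() for name, value in headers.items()}
    findings: list[str] = []

    if lowered.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    if lowered.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permits framing")

    csp_value = lowered.get("content-security-policy")
    if csp_value is None:
        findings.append("Content-Security-Policy missing")
        return findings

    policy = parse_csp(csp_value)
    # script-src falls back to default-src when it is not set explicitly.
    script_sources = set(policy.get("script-src", policy.get("default-src", [])))
    if not script_sources:
        findings.append("CSP sets neither script-src nor default-src")
    if {"'unsafe-inline'", "'unsafe-eval'"} & script_sources:
        findings.append("CSP permits inline or eval'd script")
    # A bare scheme such as https: matches every host on that scheme, so it
    # places no restriction on where script may be loaded from.
    if {"*", "https:", "http:"} & script_sources:
        findings.append("CSP script sources are scheme-wide (any host allowed)")
    if "frame-ancestors" not in policy:
        findings.append("CSP lacks frame-ancestors; framing relies on X-Frame-Options alone")
    return findings


# Constructed sample: the headers as the change above sets them.
ROLE_DEFAULT_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self' https: wss:;",
    "X-Frame-Options": "DENY",
}

# Constructed sample: a tighter policy a deployer could set via overrides.
HARDENED_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self'; "
        "connect-src 'self' wss:; frame-ancestors 'none'"
    ),
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    for label, hdrs in (("role default", ROLE_DEFAULT_HEADERS),
                        ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or "OK")
```

Run against the role's default values, the audit reports that `default-src 'self' https: wss:` lets script load from any HTTPS origin, since no explicit `script-src` narrows it; that is the kind of finding the arbitrary-header override mechanism exists to let a deployer correct.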
This patch implements an initial set of jobs intended to match
the current job execution method. It does not intend to improve
how the jobs are executed - only to replicate what is currently
in openstack-infra/openstack-zuul-jobs and provide the platform
to iterate on.
Change-Id: Ic04b7e658e7755c8e66e47a84442a5f3c791fa78
This patch allows deployers to add arbitrary headers to Keystone
responses. This can be handy for CORS or for passing certain
headers through nginx to the requester.
Closes-Bug: 1695827
Change-Id: I8f838ecce118cb36081b98f483ddef465ddbae3f
This patch implements the use of uWSGI exclusively,
always with a web server acting as a reverse proxy.
It removes the option of using uWSGI with Apache
and mod_wsgi.
In the case of Keystone being used in a Federated
Service Provider configuration, it will use Apache
as the web server but for all other environments
it will use Nginx instead.
Change-Id: If6e95fc0d3f7d34780db1aed2b8cedca87499934
As part of the docs migration work[0] for Pike we need to switch to use the
openstackdocstheme.
[0]https://review.openstack.org/#/c/472275/
Change-Id: I140c31bf00c5b807248adb08c62db3de5d5b7a19
Option "rpc_backend" from group "DEFAULT" is deprecated for removal
(Replaced by [DEFAULT]/transport_url). Its value may be silently
ignored in the future.
Change-Id: Ib9adcd5e9fe058a4780505000ab9fbffe7df638f
Implements: blueprint deprecate-rpc-backend
The systemd unit 'TimeoutSec' value which controls the time
between sending a SIGTERM signal and a SIGKILL signal when
stopping or restarting the service has been reduced from 300
seconds to 120 seconds. This provides 2 minutes for long-lived
sessions to drain while preventing new ones from starting
before a restart or a stop.
The 'RestartSec' value which controls the time between the
service stop and start when restarting has been reduced from
150 seconds to 2 seconds to make the restart happen faster.
These values can be adjusted by using the *_init_config_overrides
variables which use the config_template task to change template
defaults.
Change-Id: I66594554d7444ef5fb0ff30f0382815aeffa4bfb