Commit Graph

16 Commits

Author SHA1 Message Date
Dmitriy Rabotyagov 9ca29f5754 Stop referring to _member_ role
Keystone has stopped providing or referring to `_member_` role for a while,
thus role should not be referenced anymore.

Moreover, with 2023.1 service policies have dropped `_member_`
which resulted in the role being insufficient for basic operations.

Change-Id: I5732f9197902fccb96eb8537050849a1692d3725
Related-Bug: #2029486
2023-08-15 13:18:45 +02:00
Georgina 55a1a35ebe Refactor out library/keystone_sp and updates to use collections
Simplify maintained codebase by getting rid of library/keystone_sp; can
use looping instead now.
Updates to openstack collections in terms of naming, as well as using
newer implemented functionalities.

Change-Id: I2f02ca712f309285310693b191f0d1cd1be8e24d
2021-07-05 14:18:49 +00:00
Georgina Shippey 4c9642765e Identity Providers support improvements
Identity providers can be created with specified domain
IDPs are linked to a keystone domain. Currently when we provision a new IDP
it gets created within a new autogenerated domain. Provisioners can now
give a domain_id in an IDP entry within the trusted_idp_list and the IDP
will be created within that domain.

Add IDP display_name to defaults
Allows operator a name different to the one used in the backend
to display to the user in the horizon Identity Provider dropdown.

Change-Id: Iaf9f1b9198f14c903f9801e0ce7da86b74d9c5bd
2020-07-06 13:08:53 +00:00
Jonathan Rosser 8141fb5ef9 Use ansible openstack collection
3 uses of the OSA 'keystone' module remain and should be replaced
in a future patch when the collection contains a suitable module.

Depends-On: https://review.opendev.org/718431
Depends-On: https://review.opendev.org/718362
Change-Id: Ice2434cc0b76024611cf832e8755e05b30ebfe28
2020-05-20 12:39:39 +00:00
Danny Meloy ff650e4ef8 Correct os_user_role parameter from group_name to group
Changed the parameter to the os_user_role module from incorrect 'group_name'
to 'group' in line with the ansible docs:
https://docs.ansible.com/ansible/latest/modules/os_user_role_module.html

Change-Id: If2fced0fb579791f249c729d8aaeb5fb50e35620
2020-03-20 17:10:50 +00:00
Georgina Shippey 1976e23434 Fix federation scenario assurances os_user usage
Change-Id: I3a9347bf324d8029b5366d5bda952444ae120863
2020-01-20 17:24:57 +00:00
Georgina Shippey e68231cc61 Fix assurances for federation scenario
Tested the move to the os_* modules, couple of issues needed to be fixed.

Depends-on: https://review.opendev.org/#/c/702714/
Change-Id: I5ce4d0ba4c1522fd3899fc97e4d0b6f064b47bb4
2020-01-16 16:33:46 +00:00
Georgina Shippey 8a31f80e35 Delegate identity provider setup to service setup host
This patch delegates tasks setting up a keystone identity provider to the
keystone_service_setup_host because the ansible modules used require the
python-keystoneclient module. These tasks will fail when the keystone
(container) host is not the deploy host as python-keystoneclient will
be missing.

These tasks have recently been refactored in a previous patch [1] to use
the os_* ansible modules instead of the OSA specific keystone module.
This patch fixes a reported bug with the old code which is also present
after that refactoring.

[1] https://review.opendev.org/#/c/656397/

Change-Id: I16a61501a0578e87464e8bd1031af4270eac2d98
Closes-Bug: #1856165
2020-01-16 10:35:19 +00:00
Zuul 2eb0af8f8b Merge "Replace Module" 2020-01-13 20:52:59 +00:00
Soren Hansen 6d46f937e1 Ensure proper JSON serialization
The current opportunistic way breaks if you're trying to pass bools.

Change-Id: I4a79d9dcbc4234bd606a430cfe1c88c8650108e8
2019-09-27 11:26:45 +02:00
Kanishk Godha 1e27083da8 Replace Module
Modified the file to use the "os_user" module
instead of the "keystone" module.

Change-Id: I9f6d57bec158375e4593a48bc2045f929ac70d80
2019-09-20 10:47:22 +00:00
Markos Chandras a3e3368ad1 Do not log passwords
This prevents data from being leaked into the callback plugin.

Change-Id: If3f5c6d25a198dc82fd702ffb82a5ae438e775ba
2018-04-17 12:24:23 +01:00
Travis Truman d208029342 Ansible 2.x - Address deprecation warning of bare variables
Ansible 2.2 will not allow "bare" variable references
in with_* loops. See https://docs.ansible.com/ansible/porting_guide_2.0.html#deprecated
for details.

Change-Id: I0e14d913a069fa25b90cfd8daf922ae093056203
2016-07-11 08:57:41 -04:00
Travis Truman 8797fc707a Cleanup/standardize usage of tags
The numerous tags within the role have been condensed
to two tags: keystone-install and keystone-config

These tags have been chosen as they are namespaced
and cover the two major functions of the role.

Documentation has been updated to inform how each tag
influences the function of the role.

Change-Id: Iea4bff944ce0a35a4b1bc044171472ea44eda323
2016-05-24 15:51:03 -04:00
Jimmy McCrory a08d7b1ce8 Use keystone-manage bootstrap command
https://review.openstack.org/#/c/255599/ implemented a keystone-manage
bootstrap command as an alternative to using an admin token when
bootstrapping the keystone service. Admin tokens have been deprecated
as of Mitaka and will be removed in Ocata.

The use of this command replaces tasks to create the admin user, its
password, role, and project and the keystone service endpoints.

The keystone_auth_admin_token variable has been removed and its use in
any tasks against the keystone library has been replaced with login
credentials for the admin user.

The functional test has been updated to use the current head of
stable/mitaka and master for keystone and requirements respectively. The
policy and api-paste files have also been updated from the head of
keystone stable/mitaka.

This change will require updates to make use of the same SHAs in the
integrated openstack-ansible repo and in a majority of the OpenStack
service roles' tests.

Change-Id: I720fab85efe11a7512a124e44a73cf67b5f686b5
2016-03-16 21:37:55 -07:00
Miguel Grinberg 17ac571e7a Keystone Federation Service Provider Configuration
This patch adds the ability to configure Keystone as a Service
Provider (SP) for a Federated Identity Provider (IdP).

* New variables to configure Keystone as a service provider are now
  supported under a root `keystone_sp` variable. Example configurations
  can be seen in Keystone's defaults file. This configuration includes
  the list of identity providers and trusted dashboards. (At this time
  only one identity provider is supported).

* Identity provider configuration includes the remote-to-local user
  mapping and the list of remote attributes the SP can obtain from the
  IdP.

* Shibboleth is installed and configured in the Keystone containers when
  SP configuration is present.

* Horizon is configured for SSO login

DocImpact
UpgradeImpact
Implements: blueprint keystone-federation
Change-Id: I78b3d740434ea4b3ca0bd9f144e4a07026be23c6
Co-Authored-By: Jesse Pretorius <jesse.pretorius@rackspace.co.uk>
2015-08-07 08:44:51 +00:00