Keystone v3 API no longer requires that all three endpoint types be
created, and some deployments may use only public endpoints (or public
and internal endpoints).
This loosens the validation to allow such a deployment architecture.
Change-Id: I3873352dd3ea8556fbaa4ce3c558a912cc5f52e7

This fixes how the id property is generated in case some endpoint types
do not exist, which is allowed in Keystone v3 API.
Closes-Bug: #1713814
Change-Id: I2bbc831a78595e2f7cf3fc5d7d601281665fcc05

Keystone supports implied roles, and some of the default roles imply
different roles (e.g. admin implies manager).
This introduces a resource type to manage implied roles, and also
ensures the implied roles are created in bootstrap.
Depends-on: https://review.opendev.org/900138
Change-Id: I36ef3ddfcb2f60bdca8674ea8055b6f57a149512

The openstack command can resolve project id or user id from name and
domain name/id given. We can use that feature instead of maintaining
our own logic.
Change-Id: I3d4fbb082cf228ef4a75c0761fb21fdebf664cf4

Creating endpoint without service type was deprecated multiple cycles
ago. This removes the logic to support that old usage.
Change-Id: Ifaebb3658254bb91130807153624480df78443aa

The hash returned by the request method of Puppet::Provider::Openstack
uses symbols instead of strings as keys, see [1].
This prepends the missing ':' in front of the 'auth.auth_url' key to
make it a symbol and to have it return the actual value instead of
always coming back empty.
[1] a1dfd6861f/lib/puppet/provider/openstack.rb (L123)
Closes-Bug: #2010894
Change-Id: I97546a1030559d1f91030a668106e220ce7a7650

This is no longer used since we replaced the configuration file by
clouds.yaml. The resource was already deprecated by [1] in the past
cycle so can be removed.
[1] c140a44aeb
Change-Id: I631c0a14cc0ee5b56e7864980da9a651d6bf7d9b

... because that version is quite old and we don't expect it is still
used.
This also updates the output string used in unit tests according to
the one in newer versions.
Change-Id: I18a8ced73197efe96964d760c3a97703f8d8b6b9

This change replaces the project-scoped/domain-scoped token used to verify
the password by an un-scoped token. The current logic doesn't work if the user
has only a system-scoped role. In addition, scope is not required to
generate a token, thus an un-scoped token is enough to validate a password.
Change-Id: I670f596ccb5e8b5543f4d7bb236ddaec1a2c961e

When SRBAC is enforced, Keystone allows only the system admin to create
resources such as users, roles, role assignments, etc. With this change
each provider now uses a system scope credential to create resources
such as users, endpoints, etc.
This change also replaces /etc/keystone/puppet.conf by the yaml file
for openstackclient (/etc/openstack/puppet/admin-clouds.yaml).
This allows us to switch between a system scope credential and a project
scope credential, and helps us implement a new provider which requires
project scope in the future.
Depends-on: https://review.opendev.org/828025
Change-Id: I27eb6b11df593581c94ef0affaf5abb8e333833b

This change is the initial work to support enforcing the secure RBAC (SRBAC)
feature. The following two changes are made by this change.
- The keystone_user_role resource type now supports creating system
roles in addition to project roles and domain roles. The following
example shows how to assign the "admin" role to the "nova" user for
the system scope "all".
```
keystone_user_role { 'nova@::::all':
  ensure => 'present',
  roles  => ['admin'],
}
```
- Some defined resource types were updated so that the other puppet
modules can define keystone credentials for system scope access
instead of project scope access.
Note that this change does not update the usage of project scope
credentials in each provider, and that should be fixed later to
enforce SRBAC completely.
Change-Id: Id43eeb31424f04d6969a993704e5a5c175eb1cb0

This change ensures that all requests to Keystone API use the specific
endpoint, instead of the public endpoint which the openstack client
uses by default.
Change-Id: I33520272b04c908f25eb145ae5db21e6bc165c99

This was not supported in older Puppet 3 as
suggested by the comment but has been available
for a long time now.
Change-Id: I1353953484582c8b3fa3af96fb4fa44d67c61bdf

Most of the functions in the keystone provider
do not check the value before using it to
populate the cache, causing errors like:
```
(Puppet::Type::Keystone_user_role::ProviderOpenstack) Could not find
user with name [admin] and domain [Default]
(/Stage[main]/Keystone::Bootstrap/Keystone_user_role[admin@admin]) Could
not evaluate: undefined method `[]' for nil:NilClass
```
Change-Id: Ia35972cbcd4ab94c826d7a14f3c023b7a2e6c106

... and refactor the logic to ensure credentials are picked up from
the correct section.
Closes-Bug: #1941953
Change-Id: Ibbc8aa6f31a3e28978d6d779add8ee9dd0dbd6e4

... because openstackclient 4.0.0 was released about 2 years ago and
mixing usage of master puppet-keystone and such old openstackclient is
not supported.
Change-Id: I6a72d632981aadedc5f2aeb0740d6cf8d93c5fef

This replaces the provider implementation of the keystone_config type so
that MultiStrOpt, which is used by several options like
- oslo_messaging_notifications/driver
- oslo_policy/policy_dirs
is handled correctly.
Change-Id: I84bb99e1ad746611d31f2e950614be73de4e8f0e

This patch adds the configuration of the number of workers,
threads, and the size of the listen queue in Debian, which uses
uwsgi to run Keystone. Therefore, this patch adds a new
keystone_uwsgi_config provider as well as a new keystone::wsgi::uwsgi
class.
This is, hopefully, the first of a long series of patches for
the whole puppet-openstack to add uwsgi support.
Change-Id: I7df39cd3ab18967946afb2954cfa9afd8aa46d72

Running "openstack service set <id> --description="
will throw an error [1].
The error occurs because the request to Keystone must include any
of enabled, name or type to satisfy the minProperties of the patch
request.
This patch always sets the --name parameter when calling the openstack
command so that we satisfy this requirement.
[1] http://paste.openstack.org/show/795869/
Change-Id: Ie4e2fe62ee7734f657f765c352ba542360c0e1d7

This class combines the keystone-manage bootstrap command
from init, the keystone::endpoint functionality that manages
the keystone endpoints and the keystone::roles::admin class
that manages users and projects.
This is one of the steps to make sure we only have a single
point of entry for bootstrapping (keystone-manage bootstrap)
and then only managing resources after that.
This is especially required since we are getting rid of the
admin token and cannot manage resources before keystone-manage
bootstrap has created the user, project, service and endpoints
for us.
These resources should always be in the default domain and
deployments should manage domain specific configuration themselves
using the provider resources.
This class uses the default values from the keystone-manage
bootstrap command.
In the past puppet-keystone has always created an openstack project
that is assumed to be an admin project even though the bootstrap command
creates the admin project. Since this uses the default values from
the bootstrap command we should move away from having an openstack
project; if we need that in testing it should be created there and
not in the default deployment.
Depends-On: https://review.opendev.org/#/c/698528/
Change-Id: I683fcdd743bddf6d4e989dd7e7c553db745934db

Remove public_bind_host and public_port configured under the eventlet
section as they were already deprecated.
Set public_endpoint from public_bind_host and public_port so that
this information can be referred to by provider code to get the endpoint
even if public_endpoint isn't explicitly given.
Change-Id: Ic38e41b31155a7d3a4f1f5fc606421dd525c1025

python-openstackclient has removed the --os-url option in [1]. This
commit is part of the upcoming 4.0.0 release.
The openstack provider relies on that for Keystone initial configuration,
so we need to fix this or puppet-keystone will be broken.
[2] is a more solid long-term solution, but this can work as a stop-gap.
[1] - https://review.opendev.org/677795
[2] - https://review.opendev.org/630714
Depends-On: https://review.opendev.org/682108
Depends-On: https://review.opendev.org/682415
Change-Id: Id0bc07f352d0b545e60aabd4523536dfc7fc59a8

openstack role list is deprecated since Newton and
is removed in openstackclient-4.0.0 with [1]. Use
role assignment list --names instead.
[1] https://review.opendev.org/#/c/612798/
Change-Id: I7bb2d3573c4f7ba092e019a363116bab11cc7063

This patch migrates configuration options related to the eventlet server
from the DEFAULT section to eventlet_server, as the ones in the DEFAULT
section were deprecated [1].
[1] I6dd718c4d54056d0e29978f393ec45f7291f802d
Change-Id: I1a726c706f509f2a2be68098cda8431cddc0fe92

Removes all the deprecated resources for paste
support in keystone which we notified about in Stein.
Keystone doesn't use paste so it doesn't work in Stein
either so we remove it for Train.
Depends-On: https://review.opendev.org/#/c/658546/
Change-Id: Id7dfdf2f5cb9453044d39812b7cbd216b7f3eb50

Using a proc in type title patterns causes an error when generating
puppet types for environment isolation. For example, running `puppet
generate types` on a puppet master produces the following error:
```
Error:
/etc/puppetlabs/code/environments/production/modules/keystone/lib/puppet/type/keystone_user_role.rb:
title patterns that use procs are not supported.
```
This commit changes the `project_domain` parameter to always default to
`DEFAULT_DOMAIN` even when using a `<user>::<user_domain>@::<domain>` or
`<user>@::<domain>` title pattern. The only place I could find that
utilized `project_domain` being unset was determining `keystone_domain`
autorequires. The logic was updated to reflect that `project_domain` is
either set or should use the default unless `domain` is set.
Change-Id: Icd29c5aa89ae442ca69cad0411188162462bf6ff

When testing the password for a keystone_user
resource we need to ensure the project id that
is used for testing auth is not disabled, causing
it to fail and puppet to think the password should
be changed.
Change-Id: Ic4b17a2c750c3162cc609a9469d7422c2084b977
Closes-Bug: 1814906

With the removal of the 35357 port in a recent commit [1], we ended up
with an inconsistent use of public/internal bits of the URL. This breaks
in TripleO, since we still configure the admin endpoint. So, the default
port that was used (5000), doesn't work in TripleO.
To address this, we then completely remove the usage of the admin
endpoint for the provider, relying instead on the "public" endpoint
that's configured in keystone.
Typically, it will be behind a load balancer, so it'll actually point to
the internal endpoint of keystone. Which is what we really want to use.
[1] I951e863e7e7c8f409a13398b397b82ef70d7c123
Change-Id: I64cf93ab0c4ade3ae71aa3cd4aea444aff699a17
Related-Bug: #1804426

The legacy admin and public ports for Keystone have not been
required since the release of the v3 API, as keystone moved all
actions to the same API. [1]
This patch removes the deployment of port 35357 and remodels
puppet-keystone and more specifically the keystone::wsgi::apache
class to only deploy keystone on port 5000.
This has already been changed in the installation guides [2]
and is the recommended way to deploy keystone.
We have already prepared all our modules' default values to use
port 5000 instead of 35357 a while ago, and in the Rocky
release we also informed our users with a release note that this would
be performed [3].
[1] https://github.com/openstack/keystone/blob/master/keystone/server/wsgi.py
[2] https://docs.openstack.org/keystone/rocky/install/keystone-install-obs.html
[3] https://review.openstack.org/#/c/586791/
Closes-Bug: 1804426
Depends-On: https://review.openstack.org/#/c/627793/
Change-Id: I726cd9408d20f868b2b5337ef2df4da458904e51

Keystone no longer uses its paste ini file or
uses the paste deploy parts so we deprecate all
that now. [1]
Unfortunately this should probably have been done
in Rocky but got missed, in Stein keystone will
effectively remove the paste ini file. [1]
[1] https://docs.openstack.org/releasenotes/keystone/rocky.html
Change-Id: Ifefea626f754d247b376745fbb2791e725ebafbc
Closes-Bug: 1794045

Now that the v2.0 API has been removed, we don't have a reason to
include deployment instructions for two separate applications on
different ports.
Change-Id: Ifb06f5f66db45312c87b07aa77195c77d9a2668c

Keystone roles are not case sensitive, so while handling
roles we need to ignore case.
Change-Id: I0a1a0779b9609185a9208dc3204d23a5fcce255a
Closes-Bug: #1777451

Older python-openstackclient crashes with this error if no project or
domain are passed to the openstack token issue command:
```
Set a scope, such as a project or domain, with --os-project-name or OS_PROJECT_NAME
```
The @property_hash[:domain] value is not properly populated at this time,
causing the "openstack token issue" command to be invoked without a proper scope.
The @property_hash[:domain_id] value is however available. Using the domain_id
instead makes both older and recent python-openstackclient happy.
Closes-bug: #1654379
Change-Id: Ie23bdb7e9dd77e6ec4358c68d77671ef3c0678a6

Put back the exists? method in keystone_user in line with the usual
openstacklib mechanism. This is done by adding the possibility for
the request call to pass regexp messages that shouldn't be retried.
Now we can safely call fetch_user without worrying about having the call
retried by openstacklib.
Fetch_project has the same behavior, so I added it to the mix. It may
be a performance killer somewhere.
Change-Id: I368cf6a06d21d018337af3e6d09cdabee839a563
Closes-Bug: 1597357