Commit Graph

28 Commits

Author SHA1 Message Date
Takashi Kajinami ce6d01138e Stop reading keystone_authtoken options
Using credentials in keystone_authtoken options for nova_* resources
was deprecated some cycles ago[1].

[1] 0ed626e146

Change-Id: Iff2124f142791df8eb0be12ce134e32145bc209c
2023-11-16 16:11:04 +09:00
Takashi Kajinami 7f7e1010ef Do not use system scope tokens in providers
This is a partial revert of 0ed626e146.

After discussing several problems caused by scope separation, we
decided to suspend implementing the scope enforcement and focus on
project personas like reader role. As the result of that decision,
the system admin persona will be removed, thus we should use
the project admin persona instead. The previous policy rules to allow
system scope access have been reverted by [1].

This does not revert the original patch to keep the unit tests which
were hugely refactored by that change.

[1] 066e1e69d1394839a9f0bde4ca8c3a0db2d52396

Change-Id: I85847850602ab3526d2fdb1a56bb927183198825
2022-10-06 10:37:04 +09:00
Takashi Kajinami 0ed626e146 Use system scope credentials in providers
This change enforces usage of system scope credentials to manage
flavors, aggregates, and services, following the new policy rules for
SRBAC support in nova.

The logic to look up credentials for the nova service user from
[keystone_authtoken] is left to keep backward compatibility but is
deprecated and will be removed.

Depends-on: https://review.opendev.org/806474
Depends-on: https://review.opendev.org/828025
Depends-on: https://review.opendev.org/828874
Change-Id: I71779f0f1459d64914589a94a440336386266306
2022-02-21 14:54:47 +00:00
Takashi Kajinami 599703b530 Remove unused str2hash
Change-Id: I9732ccbdafa79b11d8cb4955381794b922e16385
2022-02-13 21:34:35 +09:00
Takashi Kajinami 0ce7d9fe9e Ensure auth_endpoint is cleared by reset
Change-Id: I9d81eff950a50a2139c874ecc426040bcc0a93d4
2022-02-12 23:20:34 +09:00
Takashi Kajinami bccf7a3959 Refer keystone_authtoken instead of neutron to detect region
... because we generally use parameters under keystone_authtoken
to find credentials.

This patch also removes useless and incorrect handling of the keystone
version, so that domain parameters are correctly set.

Change-Id: Ibfd489e977e8f8f52defecacc00cb8afcd1596a1
2020-04-15 11:07:04 +09:00
Matthias Bastian 24b9b667ed Make providers use auth_url for authentication
When reading credentials from the configuration's keystone_authtoken
section www_authenticate_uri was used as URL for Keystone.
As www_authenticate_uri is a public endpoint that is not necessarily
reachable for the Puppet agent, this change uses the more appropriate
auth_url as Keystone URL.

Change-Id: I52fdeaaf773e0fc7e111e58ffb02ef9485eed260
2018-08-06 10:45:27 +02:00
ZhongShengping 20d93c4148 Deprecate auth_uri option
Option auth_uri from group keystone_authtoken is deprecated[1].
Use option www_authenticate_uri from group keystone_authtoken.

[1]https://review.openstack.org/#/c/508522/

Change-Id: I0dd36ef1f1f5dcdc57413736ecb8f2555712c36d
Depends-On: I4c82a63baabd6b9304b302c97cd751a0103d8316
Closes-Bug: #1759098
2018-04-05 10:50:06 +08:00
Diana Clarke e128ba6538 Correct permissions on the nova logfiles
When you execute nova-manage commands, oslo logs to the following
location (file name is dynamically created based on command name).

    /var/log/nova/nova-manage.log

Because puppet-nova is executing these commands as root,
nova-manage.log is owned by root, preventing the 'nova-manage
db archive_deleted_rows' entry in nova's crontab from executing.

    Permission denied: '/var/log/nova/nova-manage.log'

This log file is also an outlier, as all other log files in
/var/log/nova/ are owned by nova:nova.

Similar issues are possible for other nova logs, if for example
a nova service is initially started manually as root, so the
ownership of all nova logs is corrected before configuring nova.

Co-Authored-By: Oliver Walsh <owalsh@redhat.com>
Co-Authored-By: Diana Clarke <diana.joan.clarke@gmail.com>
Co-Authored-By: Maciej Kucia <maciej@kucia.net>
Closes-Bug: #1671681
Change-Id: I0ca0110cbf9139c79074cf603dcab9135f96e765
2017-12-19 20:24:52 +00:00
zhangyangyang 6911474b19 Remove some useless method
These methods are deprecated. They are for old nova cli auth.

Change-Id: I3065864458827d4c1c3c81688502d1057124322a
2017-10-08 10:59:16 +08:00
Jenkins d93963ec1e Merge "Drop usage of str2list in provider as it is unused" 2017-09-25 19:22:00 +00:00
Jenkins 32ea7fa578 Merge "Remove un-used cliout2list provider function" 2017-09-21 02:13:07 +00:00
Mohammed Naser 379e601c68 Pass arguments as array for nova-manage provider
The arguments were provided as a string which would result in
mangling if there are any symbols in the arguments.  This
patch changes the behaviour to pass an array which will
prevent any of those issues.

Closes-Bug: #1717545

Change-Id: I9c87072aaa218658b943c1ee30caa448aae8bdd7
2017-09-18 22:21:41 -04:00
Mohammed Naser 1be941438c Drop usage of str2list in provider as it is unused
Change-Id: I70134d3184dc977af0e50197546d80eac9108f57
2017-09-18 19:08:02 -04:00
Mohammed Naser 04a47ab6f1 Remove un-used cliout2list provider function
Since the addition of the OpenStack provider for security groups,
this function is not used.

Change-Id: Ib9d7de38ee510c8ddb5725b2ac4a775028e75dc9
2017-09-18 19:03:22 -04:00
Javier Pena 682174b778 Sanitize nova_manage output in provider
nova-manage can output a warning message in some cases (see [1] for
an example with the latest oslo.db), and that confuses the nova_manage
provider.

Since the command in a provider cannot separate stdout and stderr[2],
we use a workaround with Puppet::Util::Execution.execute, and
use that instead of the provider command in the nova_cells and
nova_cell_v2 providers.

[1] - https://logs.rdoproject.org/23/9323/2/experimental/gate-weirdo-dlrn-master-puppet-scenario001/Z6a290513d2904561a2adc60ddbfd7084/weirdo-project/puppet.txt.gz
[2] - https://github.com/puppetlabs/puppet/blob/master/lib/puppet/util/execution.rb#L14-L16

Change-Id: I79f76592672d968b96338b3e0f6a86c9b7faeb93
2017-09-14 13:14:01 +00:00
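The two commits above ("Pass arguments as array for nova-manage provider" and "Sanitize nova_manage output in provider") describe the same class of provider bug from two sides: a command string handed to the shell gets its metacharacters interpreted, and a combined stdout/stderr stream lets a warning line corrupt parsed output. The block below is an added illustration, not puppet-nova's provider code: it uses Ruby's Open3 in place of Puppet's command wrappers and Puppet::Util::Execution.execute so it runs stand-alone, and the `sh -c` script standing in for nova-manage is a constructed assumption for the demo.

```ruby
require 'open3'

# Added example, not puppet-nova's provider code. Shows, with plain Ruby
# (Open3) instead of Puppet's command wrappers:
#   1. passing arguments as an array so /bin/sh never sees them;
#   2. capturing stdout separately from stderr so a warning on stderr
#      cannot end up in the parsed result.

# Constructed stand-in for nova-manage (an assumption for this demo):
# prints a warning on stderr and the real listing on stdout.
FAKE_NOVA_MANAGE = ['sh', '-c',
  'echo "WARNING: option deprecated" >&2; echo cell0; echo cell1']

# Shell-string form (the behaviour before the "pass arguments as array"
# fix): the whole string is handed to /bin/sh because it contains
# metacharacters, so ';' inside the argument starts a second command.
def run_as_shell_string(cmd)
  out, _err, _status = Open3.capture3(cmd)
  out
end

# Argument-vector form: Open3 spawns the program directly, so each array
# element reaches it as one literal argv entry, metacharacters included.
def run_as_argv(argv)
  out, err, status = Open3.capture3(*argv)
  raise "#{argv.first} exited #{status.exitstatus}: #{err}" unless status.success?
  [out, err]
end

# Combined capture: this is what a provider gets when stdout and stderr
# are merged, the situation the "Sanitize nova_manage output" commit
# works around. The warning line is indistinguishable from real output.
def list_names_combined(argv)
  merged, _status = Open3.capture2e(*argv)
  merged.lines.map(&:strip).reject(&:empty?)
end

# Separated capture: only stdout is parsed; stderr is returned so the
# caller can log it instead of treating it as data.
def list_names_separated(argv)
  out, err = run_as_argv(argv)
  [out.lines.map(&:strip).reject(&:empty?), err.strip]
end

if __FILE__ == $PROGRAM_NAME
  hostile = 'cell1; echo injected'
  puts run_as_shell_string("echo #{hostile}")   # prints cell1, then injected
  puts run_as_argv(['echo', hostile]).first     # prints the literal argument
  p list_names_combined(FAKE_NOVA_MANAGE)       # warning mixed into the list
  p list_names_separated(FAKE_NOVA_MANAGE)      # clean list plus the warning
end
```

The argv form is the one to keep in a provider: it closes the injection path for values that come from manifests or hiera (aggregate names, cell names, metadata) and it is also what makes the stdout/stderr split reliable, since nothing sits between the provider and the process.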
Clayton O'Neill a0f2e78d88 Fix region support for nova providers
When some of the providers (like nova_aggregate) were moved over to
openstacklib, region support was missing.  This fixes the base provider
code to pass region_name into openstacklib if region_name is set.

Change-Id: I6953c10ceab708402ce25a23d1f8d20f3288cbad
Closes-Bug: #1517220
Depends-On: I3345dac8bebd68f93290c1d45aa9a4d80bf3fb34
2016-10-03 20:51:49 +00:00
Clayton O'Neill c1b27658ea Fix load paths for nova base provider
This adds the $LOAD_PATH manipulation needed to find openstacklib from
the nova base provider code.  When compiling a static catalog (puppet
master --compile), the puppet master doesn't populate the plugin
directory before hand.  That means that either openstacklib won't be
found at all, or may be an old mismatched version.  This code is copied
from the keystone module which has similar needs.

Change-Id: I60f9389a571362191180442ffbad9a92bd9c0c78
2016-09-28 14:41:17 +00:00
Iury Gregory Melo Ferreira 94a6343b57 Move nova to authtoken
In nova::keystone::authtoken, use keystone::resource::authtoken to configure
keystone_authtoken section in nova.conf, with all parameters
required to configure keystonemiddleware.
This patch will allow to deploy Nova to use Keystone v3 authentication.
Update acceptance and examples

Some deprecations:
- nova::api::admin_tenant_name is deprecated in favor of
  nova::keystone::authtoken::project_name.
- nova::api::admin_user is deprecated in favor of
  nova::keystone::authtoken::username.
- nova::api::admin_password is deprecated in favor of
  nova::keystone::authtoken::password.
- nova::api::identity_uri is deprecated in favor of
  nova::keystone::authtoken::auth_url.
- nova::api::auth_version is deprecated in favor of
  nova::keystone::authtoken::auth_version
- nova::api::auth_uri is deprecated in favor of
  nova::keystone::authtoken::auth_uri
- nova::memcached_servers is deprecated in favor of
  nova::keystone::authtoken::memcached_servers.

The patch is backward compatible and keeps default values like before.

Depends-On: I299d4c372da702232eaa7cb34b690e372f56e701
Change-Id: I32649549879f912a0f49881c244b119497cf8473
Related-Bug: #1604463
2016-08-15 14:31:06 -04:00
Denis Egorenko 08ee5866a6 Use OpenstackClient for nova providers auth
This patch changes the nova providers to use puppet-openstacklib's
authentication methods, which use python-openstackclient as an interface,
instead of the nova command line client.

The benefits of this is a code reduction. This patch reduces the amount
of code in the nova parent provider and nova providers by reusing code from
Puppet::Provider::Openstack instead of implementing authentication,
retries, and response parsing in the provider.

This patch doesn't affect the following providers:

 * nova_network and nova_floating:
   openstack client has small functionality for managing nova floatings
   and doesn't provide the possibility to manage nova-networks,
   so the old format of auth is kept for these providers.
   Also Nova-Network is deprecated.
 * nova_cell:
   openstack client doesn't provide the possibility to manage cells;
 * nova security groups - will be done in separate patch;

Additional reasoning for this change is in the blueprint.

Also added new tests for providers.

blueprint use-openstackclient-in-module-resources

Change-Id: Ifa09aeb71ba0bcc425eece314803a0d1609bed9f
2016-03-22 18:42:40 +03:00
Alexey Deryugin 215103f788 Add ability to create security groups from puppet
Change-Id: I1835f121726e2b99bd6cc62e67849a0bc248ea4f
2016-03-21 15:17:42 +03:00
Jenkins ac28d69299 Merge "Nova cells support for nova_aggregate provider" 2016-01-26 15:21:18 +00:00
Mike Dorman a81b5b8716 Allow metadata hash for nova_aggregate resources
Allow the metadata parameter to the nova_aggregate provider
to take a hash of key/value pairs, in addition to a comma-
delimited list as a string.

Also better handle existing metadata values which contain
commas.

Change-Id: I148def3be059d87fa9aa8f748cd3a5ec7770473a
Closes-bug: 1534853
2016-01-15 17:34:53 -07:00
Mike Dorman 75660de04e Nova cells support for nova_aggregate provider
Updates the nova_aggregate provider to support nova cells
routing info in the naming of hosts and hosts aggregate.

Change-Id: I29131e378184262a74b9e99a85a8215282787f65
Closes-bug: 1533423
2016-01-15 14:57:41 -07:00
Bruno Bompastor b7c5355982 Use auth_uri to get nova credentials
This change updates the puppet-nova module to use the new keys
for authentication, since auth_host, auth_port and auth_protocol
were deprecated in favor of auth_uri.

Change-Id: Id0183eaf8a93d45b6374777ddcf80c0f3f2dbebb
Closes-Bug: #1521539
2015-12-03 17:12:29 +01:00
Matt Fischer b58a02139d Add region support to nova providers
Nova providers did not previously have region support, so things like
the host aggregate provider do not work as expected in a multi-region
environment. This change mirrors what puppet-neutron's providers do:
they use the nova_region_name setting; this uses neutron/region_name.

Change-Id: I1d5bddbe977352b0458115ab77b8129311b63453
Closes-Bug: #1517220
2015-11-18 08:44:39 -07:00
Matt Fischer 580f6289d9 Don't add non-existent hosts to host aggregates
nova will throw an error if you attempt to add a node to a host
aggregate that does not "exist" in terms of nova. Therefore
depending on the order in which your nodes come up, you can have puppet
attempting to add a node to a host aggregate when the node does not yet
have nova compute installed and "registered". This is especially true if
you manage your host list with a hiera list or other mechanism that is
not directly tied to nova-compute being installed. Instead of blowing up
with an error, we will instead print a warning and let eventual
consistency solve it as your nodes are installed.

Since it is inefficient to call nova host-list once for every member of
a host aggregate we also cache this information and similarly cache the
output of nova aggregate-details which previously was also called
once for every member of every aggregate.

Change-Id: I6249cd070ad804c626d880decb6767e2ff14dcbd
2015-10-21 21:03:38 -06:00
Thomas Bechtold 08578c920e Add Nova Aggregate support
Bring nova aggregate and availability zones support into puppet-nova.

  - Handle nil values and 0 lengths (Aimon Bustardo)
  - Remove extraneous whitespace on aggregate-create (Aimon Bustardo)

Implements: blueprint aggregate-handling

Change-Id: I9125d573a6a3cf4d444300d3570c4ab394c4ecd8
2015-01-12 22:05:08 -07:00