This reverts commit 9dc2b88eb42a5f98f43bc8ad3dfa3962a4d44d74.
Reason for revert: Devstack creation/setup things are not yet moved to scoped tokens, so we need to wait for that first and then enable the scope check globally.
Change-Id: If0368aca39c1325bf90abd23831118b89e746222
Keystone-tempest-plugin has implemented the secure RBAC
tests and enables enforce_scope via the keystone devstack
plugin. Doing those settings in devstack will help to manage
them easily and in a central place, and also avoids restarting the API
service.
Change-Id: I30da189474476d3397152a0a15c2e30a62d712ad
We have a *ton* of stuff in devstack that is very linear, specifically
the ten-ish minutes we spend loading osc to run a single API command
against something. We also generate configs, sync databases, and other
things that use one core of our worker and make our runtime longer
than it really needs to be.
The idea in this patch is to make it super simple to run some things
in the background and then wait for them to finish before proceeding
to something that will require them to be done. This avoids the
interleaving you would expect by redirecting the async tasks to a log
file, and then cat'ing that log file synchronously during the wait
operation. The per-task log file remains so it's easier to examine
it in isolation.
Multiple people have reported between 22-30% improvement in the
time it takes to stack with this. More can be done, but what is here
already makes a significant difference.
Change-Id: I270a910b531641b023c13f75dfedca057a1f1031
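The pattern the commit above describes (run a slow step in the background, send its output to a per-task log file, then replay that log synchronously at the wait point so output is not interleaved) can be written in a few lines of bash. The block below is an added illustration and not devstack's own implementation; the function names async_run and async_wait, the ASYNC_LOG_DIR variable and the NAME.pid bookkeeping are assumptions chosen for this example.

```bash
#!/bin/bash
# Added example, not devstack code. Names (async_run, async_wait,
# ASYNC_LOG_DIR, the NAME.pid/NAME.log files) are assumptions.

# Per-task logs and pid files live here; defaults to a fresh temp dir.
ASYNC_LOG_DIR="${ASYNC_LOG_DIR:-$(mktemp -d)}"

# async_run NAME CMD [ARGS...]
# Start CMD in the background with stdout and stderr redirected to
# $ASYNC_LOG_DIR/NAME.log, and remember its PID in $ASYNC_LOG_DIR/NAME.pid.
# Because the task writes only to its own log, it cannot interleave with
# whatever the foreground is printing meanwhile.
async_run() {
    local name=$1; shift
    "$@" > "$ASYNC_LOG_DIR/$name.log" 2>&1 &
    echo $! > "$ASYNC_LOG_DIR/$name.pid"
}

# async_wait NAME
# Block until the task started by async_run NAME finishes, then print a
# header and replay its log as one contiguous block. Returns the task's
# own exit status so callers can still fail on a broken setup step; the
# log file is left in place so it can be inspected in isolation later.
async_wait() {
    local name=$1
    local pid rc=0
    pid=$(cat "$ASYNC_LOG_DIR/$name.pid") || return 1
    # wait(1) only works for children of this shell, which async_run
    # guarantees; if the pid is unknown, wait returns 127.
    wait "$pid" || rc=$?
    echo "=== $name (exit $rc) ==="
    cat "$ASYNC_LOG_DIR/$name.log"
    return "$rc"
}

# async_log_path NAME: location of a task's log, for later inspection.
async_log_path() {
    echo "$ASYNC_LOG_DIR/$1.log"
}
```

Typical use is `async_run db-sync some-manage db_sync` early in the run, followed by `async_wait db-sync` immediately before the first step that needs the migrated schema; an `async_wait` is required for every `async_run`, otherwise a failed background step would go unnoticed.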
This reverts commit f6286cb586eb1f861866bfdf85c4f873c79fd592.
This patch is blocking glance as it needs mod_wsgi to perform new import workflow.
Change-Id: I4475247dfe986114d37678b3d3d552c0c7d02ddc
Those historic references to ports 5000 and 35357 haven't been used
for some time, so let us drop them.
Clean up some python2/3 wording along the way.
No longer mention Identity API v2, which is also a thing of the past.
Change-Id: Iafff097eee082f24ea2ae27ad038ad115aa36c61
Keystone no longer has any special functionality hidden behind the admin
endpoint. Stop referencing it in consumers, so it can later be dropped
completely.
Change-Id: I04a5d77908005268cc7c59e7e9ddeea70f6732e2
This is already unconditionally installed via install_apache_uwsgi in
stack.sh; we don't need to install it again in keystone. Since we
need workarounds on some platforms (see
I3bc5260e77cebe852cc8d70d9eddf84ef71d74bb) we only want to do this in
one place.
Change-Id: I40d84cbdf68cf6bb5cba143b6c0c126cdb8a84d4
All these uwsgi invocations assume that the uwsgi binary is in the
same directory as their project binaries are installed into (probably
/usr/bin). That may not be correct -- for example if using a packaged
uwsgi on Fedora the binary will live in /usr/sbin/uwsgi (not /usr/bin
where the project files from pip are).
Switch invocations to just find it in the path.
Change-Id: I298e3374e9c84e209ffcabbaaacda17f8df19f4f
The function was using a hard coded value of localhost:11211 when
we have an option MEMCACHE_SERVERS that can be defined and used
inside DevStack.
Change-Id: I4947928fe406a9844d5bdaa3c826d273952fa097
This patch adds new options:
* CACHE_BACKEND - with default "dogpile.cache.memcached"
* MEMCACHE_SERVERS - with default "localhost:1121"
to add the possibility to configure various backends as cache in
Nova and Keystone.
It also adds options:
* KEYSTONE_ENABLE_CACHE - True by default
* NOVA_ENABLE_CACHE - True by default
To make it possible to enable and disable cache in those projects'
config files.
Default values configured there are the same as were hardcoded
for the Keystone config before.
Nova has also enabled this cache by default.
Change-Id: I9082be077b59acd3a39910fa64e29147cb5c2dd7
Closes-Bug: #1836642
This is no longer being used due to Keystone PKI tokens no longer
being implemented.
In order to not break backward compatibility we create a new function
that is to be used instead and deprecate the old one. Modify the old
function to ignore the 3rd argument and display a deprecation warning.
Adjust callers to no longer create and set that directory, calling the
new function instead.
Change-Id: Id0dec1ba72467cce5cacfcfdb2bc0af2bd3a3610
The RPC transport_url for keystone was being set in the DEFAULT
section, even though keystone doesn't do anything with it. Instead,
keystone leans on the [oslo_messaging_notification] section from
oslo.messaging to register the transport_url option.
This change sets the transport_url in the proper section instead of
using the DEFAULT section.
Change-Id: I11590d0175da7ea310d5529f2d7c0bf8d7fb25b3
token.provider.drvier.uuid and token.driver
has been removed from keystone[1].
Devstack has references/settings of those config
options which are confusing for users and can
lead to an import error like [2].
This commit cleans up the devstack bits of removed
config options.
bp removed-as-of-rocky
[1] https://blueprints.launchpad.net/keystone/+spec/removed-as-of-rocky
[2] http://paste.openstack.org/show/725391/
Change-Id: I29b3b356622c485c4c1046679234a38e7b645071
With the move to flask, Keystone does not utilize paste-ini. This
patchset removes the paste-ini support from devstack for Keystone.
Change-Id: I8dd629937c9178660992fd648175dbef80ffa3c2
Keystone now provides a set of default roles in addition to `admin`
by default [0]. This is done during the `keystone-manage bootstrap`
process.
This change aligns the `Member` role override from devstack with the
`member` role provided from keystone.
[0] https://review.openstack.org/#/c/572243/
Change-Id: I3da3530aa73a8a1500116bcefdcba7b947d5e05e
Closes-Bug: 1777359
This commit just makes sure that the configuration file for keystone
exists on the system. We use iniset to actually populate the values
we want before we run keystone anyway.
This results in a cleaner configuration file that isn't bloated with
comments and help text.
Change-Id: I7a1f879e9e242a11e2c4663ec116e33da28db7f5
This reverts commit ef5ebed6c9ca3d9d47fd2a732a1542555a0f65ba.
The problem here is a backwards-incompatible change to
configure_auth_token_middleware. Plugins are still passing a
"signing_dir" which is interpreted now as the "section" argument
... this leads to an interesting red-herring issue; because "v" is a
gnu sed command for checking the version, a signing_dir of "/var/..."
(as done in most plugins) gives the weird error:
sed: -e expression #1, char 32: expected newer version of sed
I think we'll either need a new function, or dummy arguments to get
this back in.
Change-Id: I2098d4eb2747282622cf486fa7dbf216f932f58b
PKI tokens have been actively deprecated from keystone and there are
deprecations being emitted from keystonemiddleware. Because of this we
no longer need an auth cache directory in the services where the PKI
certificates used to be stored.
Remove the creation and use of all these AUTH_CACHE directories.
Change-Id: I5680376e70e74882e9fdb87ee1b95d5f40570ad7
By default memcached is bound to 127.0.0.1 and we have no code in place
to change that. So instead of using the $SERVICE_HOST variable, we
hardcode it to localhost, just as we do for the cache settings, see [1].
This also avoids a bug that occurs when $SERVICE_HOST contains an IPv6
address, as in that case it would have to be prefixed by "inet6:" [2].
[1] I95d798d122e2a95e27eb1d2c4e786c3cd844440b
[2] https://bugs.launchpad.net/swift/+bug/1610064
Change-Id: I46bed8a048f4b0d669dfc65b28ddeb36963553e0
Partial-Bug: 1656329
* Check KEYSTONE_DEPLOY flag and cleanup appropriately
* When we stop a process, we should not wipe the uwsgi config; we should
remove files only on cleanup
* We should not call cleanup *BEFORE* configure, we are just wiping
out the uwsgi ini files
* cleanup_placement should be called from clean.sh
Change-Id: I066f5f87ff22d7da2e3814f8c2de75f2af625d2b
Code in grenade and elsewhere relies on the process/service name
when one runs "ps auxw" and greps, for example "grep -e glance-api",
to check if the service is running. With uwsgi, let us make sure
we use a process name prefix so it is easier to spot the services
and be compatible with code elsewhere that relies on this.
Change-Id: I4d1cd223ed9904fcb19b26fc9362b676e0b4f9b3
Configuration options that toggle support for LDAP read/write
were deprecated and removed as of the Ocata release:
I13eada3d5c3a166223c3e3ce70b7054eaed1003a
This means we no longer need to clutter the domain-specific
configuration with these values since they are no longer used.
Change-Id: I23b5b994862f066c3d48ce524c396faecabf60f8
There are some comment errors; this modifies 'Captial' to 'Capital' in the
keystone file, 'possition' to 'position' in the openrc file,
'comming' to 'coming' in the stack file, and
'prefered' to 'preferred' in the stackrc file.
Change-Id: I0fdd539cbfff842a4ba7fca9100b881443300f9a
When the ldap service is enabled in local.conf, the devstack ldap
plugin starts the slapd service using its default config on Ubuntu
and installs the ldap-utils package.
It enables domain specific drivers on Keystone and creates LDAP
domain 'Users' with a demo user.
Change-Id: I8d7aa260b01f675e4ed201ef93bfd66474f4b228
We are trying to keep better track of what pieces of devstack consume
the most time. Add the db sync commands to the time tracking as they run
the database migrations which can take more time than expected.
Change-Id: Ib92f2b8304ccf703712d45fd7207444de3599e2d
Reduce bcrypt hashing rounds from 12 to 4 (minimal possible).
This is going to improve the performance of OpenStack a lot.
Bcrypt is a hashing algorithm that is designed to use a lot of resources and
in that way stops brute-force attacks. It's an exponential algorithm that depends
on the amount of rounds. By default they use 12 rounds which is quite a high value,
good enough for real secure production environments.
In case of DevStack it's going to slow down all authentication by many times.
Rally shows about 5 times slowness (adding 2-5 seconds to every authenticate).
DevStack is meant for development & CI so performance is way more important than
security.
Change-Id: Id8c763d63cb91f37a774f9400f35c309f37d6f12
Transient failures were being reported because the current lockout
period for users was too short. While this does increase the
run time of IdentityV3UsersTest.test_user_account_lockout, it
allows for more flexibility if there is network latency or some
other factor that causes the lockout to expire before the
next authentication.
Change-Id: I61bc39bbc35ac414b4a72929a90845956c99eb1a
Closes-Bug: 1693917
The old implementation for is_$service_enabled simply checked if any of
the subservices were enabled and if so the service was considered to be
enabled. This makes disabling services complicated as it means you have
to list every single subservice which can and do change over time.
Instead also check if the generic service name is in the disabled
services list and if so don't treat the service as enabled.
Change-Id: I7fe4dfca2cd9c15069d50a04161a29c5638291cb
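The check described in the commit above, written out as bash so the matching rules are explicit: a service counts as enabled if its generic name or any of its subservices appears in the enabled list, unless the generic name itself is in the disabled list. This is an added illustration, not devstack's own is_service_enabled; the variable names ENABLED_SERVICES and DISABLED_SERVICES, the comma-separated format, and the glance/nova subservice names used in the example are assumptions.

```bash
#!/bin/bash
# Added example, not devstack code. ENABLED_SERVICES, DISABLED_SERVICES,
# their comma-separated format and the subservice names are assumptions.

ENABLED_SERVICES="${ENABLED_SERVICES:-key,g-api,g-reg,n-api,n-cpu}"
DISABLED_SERVICES="${DISABLED_SERVICES:-}"

# in_list NEEDLE CSV
# True if NEEDLE is exactly one comma-separated item of CSV. Wrapping both
# sides in commas makes the match whole-item, so "n-api" does not match
# "n-api-meta" and "g-api" does not match "neutron-g-api".
in_list() {
    case ",$2," in
        *",$1,"*) return 0 ;;
    esac
    return 1
}

# is_service_enabled NAME [SUBSERVICE...]
# The generic NAME in DISABLED_SERVICES wins over any enabled subservice,
# so disabling a service no longer requires listing every subservice.
# Otherwise NAME or any SUBSERVICE in ENABLED_SERVICES enables it.
is_service_enabled() {
    local name=$1; shift
    local s
    if in_list "$name" "$DISABLED_SERVICES"; then
        return 1
    fi
    for s in "$name" "$@"; do
        if in_list "$s" "$ENABLED_SERVICES"; then
            return 0
        fi
    done
    return 1
}

# Per-project wrappers in the is_$service_enabled style; subservice names
# are assumptions for the example.
is_glance_enabled() { is_service_enabled glance g-api g-reg; }
is_nova_enabled()   { is_service_enabled nova n-api n-cpu n-sch; }
```

With the defaults above, `is_glance_enabled` succeeds because g-api is enabled; setting `DISABLED_SERVICES=glance` before calling it makes it fail even though g-api and g-reg remain in ENABLED_SERVICES.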
Both keystone and neutron didn't yet have systemd awareness for
setting up logging (i.e. drop the extra date / time stamps)
Change-Id: Ib442c603c9afb679676976c37c2c6122201ae846
When transitioning between different wsgi modes, or service modes, we
should really safely stop and cleanup things that are started in any
service mode, which makes it easier to ensure that we don't leave
things around from past runs.
Change-Id: I33acbee39e1a2da2bfd79a5dd54b84a12a778be1
We should be able to operate without the identity admin endpoint,
given that in v3 it's all the same. This floats that out there to see
if we can or not.
Change-Id: Ic233f6b43dd1e3cfdadff0f18aba4ea78825a996
auth_uri is not a keystonemiddleware option, and its use in config
files is confusing at best. Remove it for clarity.
Change-Id: Ie3a9ab30d81809363444d5f3b41588b3889dc185
This makes keystone use the proxy uwsgi module when running in uwsgi
mode. It also introduces a new stackrc variable which is WSGI_MODE
that we can use to control the conditionals in services that currently
work with mod_wsgi.
Also update retry timeouts on proxy pass so that workers don't disable
their connections during polling for initial activity.
Change-Id: I46294fb24e3c23fa19fcfd7d6c9ee8a932354702
tls-proxy is the way we're now doing a standard install using https
between services. There is a lot more work to make services directly
handle https, and having python daemons do that directly is a bit of
an anti pattern. Nothing currently tests this in project-config from
my recent grepping, so in the interest of long term maintenance,
delete it all.
Change-Id: I910df4ceab6f24f3d9c484e0433c93b06f17d6e1
Instead of this code all existing in keystone inline, factor out into
a dedicated set of functions, and make keystone use this. This drops
uwsgi supporting https directly, but that's not going to be a
supported model going forward once we get to proxy only anyway.
Change-Id: I1d89be1f1b36f26eaf543b99bde6fdc5701474fe
uwsgi is a different service type under systemd and shouldn't be run as
a standard oneshot type. The uwsgi docs outline a good pattern for
writing systemd unit files:
http://uwsgi-docs.readthedocs.io/en/latest/Systemd.html
This commit takes those suggestions and creates a separate path for
writing uwsgi unit files.
Change-Id: I9b541b86781afdded311dba058cedd783e1a0dfa
As of Id6e3c0ac54b21d85e68625a5b52fe2559fb70f24 keystone's policy
file is empty and it is no longer required at runtime. This commit
updates devstack to not deploy a policy file for keystone because
devstack doesn't specify any policy overrides. Instead, we can remove
the sample policy file and rely on the defaults that have been
registered in code. This is the same approach nova took with policy
in I85a251376dfe38caa4b100861bf764014a98bc37.
Change-Id: Ib1d9a51a78e2a84a3d7294dc8782605a681fa9e8
During the PTG there was a discussion that the screen developer
workflow wasn't nearly as useful as it once was. There were now too
many services to see them all on one screen, and one of the most
common service restart scenarios was not restarting one service, but a
bunch to get code to take effect.
This implements a 3rd way of running services instead of direct
forking via bash, or running under screen, which is running as systemd
units.
Logging is adjusted because it's redundant to log datetime in oslo.log
when journald has that.
Swift needed to have services launched by absolute path to work.
This is disabled by default, but with instructions on using it. The
long term intent is to make this the way to run devstack, which would
be the same between both the gate and local use.
Some changes were also needed to run_process to pass the run User
in. A hack around the keystone uwsgi launcher was done at the same
time to remove a run_process feature that only keystone uwsgi uses.
Change-Id: I836bf27c4cfdc449628aa7641fb96a5489d5d4e7
This makes setup_colorized_logging be a thing which takes a single
parameter and doesn't let projects do things differently. It also
changes the order of values from user / project to project / user to
represent the hierarchy more clearly.
Change-Id: I8c0ba7da54be588e3e068734feb4f78ed7c5a14a