236 Commits

Author SHA1 Message Date
Jenkins
5b83e986de Merge "Switch fernet to be the default token provider" 2016-04-29 17:27:15 +00:00
Jenkins
039fc1a542 Merge "Allow putting service users in a separate domain" 2016-04-20 21:49:02 +00:00
Brant Knudson
181588b9ba Switch fernet to be the default token provider
Use the fernet token provider as the default for keystone.

 The Keystone token provider of choice is changing from UUID to Fernet.
 However, due to the need for multi-site keystone deploys to have keys
 kept in sync, we cannot change the default in upstream Keystone
 without breaking existing deployments.  Fernet requires a deliberate
 setup step like what is done in devstack.  Making the change in
 devstack documents the expected setup.

Change-Id: I8c0db244634b0861b0eb3c48fe6ede153f7f04f2
2016-04-19 19:04:37 +00:00
Jamie Lennox
cbcbd8f33c Allow putting service users in a separate domain
Make it possible to construct the service users in their own separate
domain. Changing this away from Default will not work for everyone yet,
though it does work for basic service interaction; however, enabling it
will allow us to start testing and hopefully gating that services aren't
relying on v2 only concepts.

Change-Id: I7e73df5dd1caabf355783da2bc0f3007ade92fba
2016-04-18 09:59:52 +10:00
Ian Wienand
982b9911fb Deprecate SERVICE_TENANT
This is a follow-on to I6f392d3c16726f6dd734184dcf3014fb4f388207 to
note the variable is kept for backwards compatibility.

Change-Id: I1008b2d4e2baf82e1aa531d9eaf96a084beb69aa
2016-04-14 13:41:34 +10:00
Jenkins
2e23e64151 Merge "change tenant to project in keystone bootstrapping" 2016-04-13 23:35:52 +00:00
Jenkins
846254620e Merge "Revert "Revert "Use unversioned keystone endpoints""" 2016-04-08 15:47:24 +00:00
Armando Migliaccio
8dda061a1f Revert "Revert "Use unversioned keystone endpoints""
This reverts commit da1ca6e07c0d54d0ec5b94ebd78da81c6a46e780.

Depends-on: Id2c7e09611c1f8b06e6d272589b4ea3435b8de86
Change-Id: I1b2a65179b5863d8bcbc5dd02b615f4e6e564213
2016-04-07 17:00:37 +00:00
Jenkins
2bf6095925 Merge "Revert "Use unversioned keystone endpoints"" 2016-04-07 00:10:16 +00:00
Armando Migliaccio
da1ca6e07c Revert "Use unversioned keystone endpoints"
This reverts commit 4921d4dbb937b8a9ca26379a33252f0bebcfb53f.

Change-Id: Ic8888fca5d25ca6caa3f29f712db319f1d3869ba
2016-04-06 21:57:28 +00:00
Jenkins
4bb3e20655 Merge "Use unversioned keystone endpoints" 2016-04-06 18:31:02 +00:00
Sean Dague
0b1465b6f6 change tenant to project in keystone bootstrapping
Change-Id: I6f392d3c16726f6dd734184dcf3014fb4f388207
2016-04-05 11:40:25 -04:00
Brant Knudson
556eeb0d35 Drop keystone eventlet support
Keystone has dropped support for running under eventlet (using
keystone-all).

Change-Id: Ib38c0b1a54633a6b6dfa3a0a605cd2b02ca48989
2016-03-24 14:01:57 -05:00
Attila Fazekas
9ea497539b Configure the admin as admin
Make our usual admin user to be a real admin,
and open the way for improving the per project
policy.json files.

Change-Id: I133a5953d209bc1edbd03ecfae750f77e3eaa64d
Related-Change: https://review.openstack.org/#/c/242232
2016-03-23 19:03:14 +01:00
Jenkins
0a2a7ae847 Merge "Updated deprecated keystone_authtoken option" 2016-03-18 20:24:03 +00:00
Ihar Hrachyshka
198887e890 logging: don't set logging format strings for keystone
Don't override those format strings since the overridden
values are identical to those used by oslo.log by default [1].

logging_exception_prefix is still set since it changes the logging
format to use TRACE label for exceptions instead of default ERROR.

[1]: https://git.openstack.org/cgit/openstack/oslo.log/tree/oslo_log/_options.py?id=c47a91dbbb586c27d8521b1016bf7901c47b1c90#n110

Closes-Bug: #1433687
Change-Id: Ibd11cd6b0defb6dc709dbd3e718a49fd71cce6b6
2016-03-17 13:09:56 +01:00
Jamie Lennox
4921d4dbb9 Use unversioned keystone endpoints
Insert the unversioned keystone URLs into the service catalog. Services
should be able to determine the correct URL for their work from this.

Depends-On: I931f0c558aafc8dfaa5519744c6e4e7fcffc3205
Change-Id: I6171f782a1dd397720a9b2a3393b30ae5aca0cc2
2016-03-17 12:39:49 +11:00
Jenkins
428f86e84f Merge "uwsgi keystone under master process" 2016-03-15 01:01:16 +00:00
Jenkins
c47340efb7 Merge "Cleanup duplication in keystone uwsgi options" 2016-03-15 01:01:08 +00:00
Jenkins
4b56bc3507 Merge "Use extended keystone-manage bootstrap parameters" 2016-03-14 21:03:08 +00:00
Brant Knudson
4abcfaa86e uwsgi keystone under master process
Normally a standalone uwsgi server would run in "master" mode -- it
handles signals to reload the processes. I tried this originally
with keystone but found that the server didn't shut down when
unstacking. The reason it didn't shut down is because (by default)
uwsgi does a reload on SIGTERM & SIGHUP rather than shutting down by
default, see [1].

Setting "die-on-term = true" & "exit-on-reload = true" changes the
uwsgi server to shut down when unstacking.

[1] http://uwsgi-docs.readthedocs.org/en/latest/Management.html#reloading-the-server

Change-Id: I145fef185d4a31078295941779e175b7452a5760
2016-03-14 14:38:55 -05:00
Brant Knudson
0d38e2d5d8 Cleanup duplication in keystone uwsgi options
There was a lot of duplication in the uwsgi options between the
admin and public config files. The options common to both are
moved into their own section.

Change-Id: I5519c7d4d8b8446a7a5fdb8033852655d8a2c67b
2016-03-14 14:38:55 -05:00
Steve Martinelli
84f6c0fa68 remove the keystone bash completion install step
keystone has removed its CLI and will release a new version
when Newton begins. As part of the removal process we also
need to remove the bash completion script, which is currently
failing devstack gates.

Change-Id: I132b862bde5b4173bf34beae12a7a882f5a96314
2016-03-11 22:39:12 -05:00
Ronald Bradford
8ff298a871 Updated deprecated keystone_authtoken option
* memcache_servers is a deprecated name for memcached_servers.
  See: keystonemiddleware/auth_token/__init__.py#n287

NOTE: memcache_servers in the cache section is a valid option for
    oslo.cache.  See oslo_cache/_opts.py#n65

Depends-on: Id65f1bff8e38c777fa406d88ac6a2355d6033d94
Change-Id: I3e1230b139e710a0433e71ce118ca246d7c6a0e6
2016-03-08 18:59:44 +00:00
Jamie Lennox
32bf2c4f6f Use extended keystone-manage bootstrap parameters
Use the additional keystone-manage parameters to setup the identity
endpoint in the service catalog rather than manually fetching a token
for this.

Change-Id: I6f5be1df205dee8f3251b4eb413e00ae64f00f07
2016-03-07 20:49:13 -06:00
Jenkins
b01a3c3baf Merge "Followup comment fix from alt_demo user creation" 2016-02-25 00:55:54 +00:00
Jenkins
6bb429359d Merge "Fix uwsgi keystone" 2016-02-24 19:35:53 +00:00
Mehdi Abaakouk
13fe6f59d1 Fix telemetry integration gate jobs
Since https://review.openstack.org/#/c/281779/2 has been
merged the telemetry integration job is broken.

Unfortunately, it can't be fixed on our side, because we have to
rename SERVICE_TENANT_NAME in many devstack plugins, we can't merge things
until all plugins have been fixed.

So this change restores SERVICE_TENANT_NAME, to be able to switch to SERVICE_PROJECT_NAME.

Related-bug: #1548634
Change-Id: I14ebf23aa63f0f153b934ad213a6209d22e73e9d
2016-02-23 13:04:12 +01:00
Brant Knudson
d8589fa01a Fix uwsgi keystone
The uwsgi keystone jobs are failing with an error like

 + devstack/functions-common:_run_process:L1391:   setsid uwsgi /etc/keystone/keystone-uwsgi-admin.ini
 + devstack/functions-common:_run_process:L1395:   exit 0
 execvp: No such file or directory

I think this is because uwsgi isn't installed on the images. The fix
is to pip install it.

Also, use the full path to the uwsgi executable (even though execvp
is used) because eventlet (calling keystone-all) does.

Also, the uwsgi process wasn't shutting down on ./unstack.sh. This
is worked around by not running master process.

Change-Id: Id02e16c5149ba3dfa13051e87cfccd8e505b7362
2016-02-22 13:59:34 -06:00
Sean Dague
7580a0c3e3 Replace TENANT => PROJECT phase 1
This replaces the use of TENANT variables with PROJECT ones during the
initial setup. The openrc will still export an OS_TENANT_NAME because
many tools (cinderclient, glanceclient among them) will not function
without it. We warn when we do that.

Change-Id: I824b1121842eb5821034071874bf1bb2d7c3631e
2016-02-22 11:55:17 +11:00
Brant Knudson
edc11c2f83 Keystone support deploy in uwsgi
Keystone is going to remove support for eventlet. Rather than only
have one way to run keystone (in Apache Httpd with mod_wsgi), we
should continue to gate on multiple wsgi containers to ensure that
keystone remains container-agnostic. The suggested alternative
container is uwsgi.

To run keystone in uwsgi rather than httpd or eventlet, set the
following env var in local.conf:

 KEYSTONE_DEPLOY=uwsgi

There's a lot of options to uwsgi. Here's some protips:
http://uwsgi-docs.readthedocs.org/en/latest/ThingsToKnow.html

Change-Id: If3b49879ce5181c16f0f0ab0db12fa55fe810a41
2016-02-15 08:45:22 -06:00
Brant Knudson
a03053660a Keystone deploy switch
Currently there's a boolean KEYSTONE_USE_MOD_WSGI to switch between
running keystone in mod_wsgi and eventlet. We've got a need to
support more/different deployment options (e.g., uwsgi), so a
boolean is inadequate.

A new input variable KEYSTONE_DEPLOY is introduced that can be
set to mod_wsgi or eventlet (and other values in future) to
control how keystone is deployed. KEYSTONE_USE_MOD_WSGI is
deprecated.

Change-Id: I9b2815e6f007309f088346df9ac48e6a24ae3656
2016-02-15 08:45:22 -06:00
Sean Dague
985e958dda remove keystone templated catalog
This is just another code path for little benefit in devstack which is
going to rot out. We should be opinionated here and only support the
dynamic catalog.

Change-Id: I4e5c7e86aefe72fc21c77d423033e9b169318fec
2016-02-10 15:39:31 -05:00
Sean Dague
d6f922364e push out some deprecations to figure out what's using these bits
There are some parts of devstack we should really delete, but we have
no idea who is using them. Push out some deprecations so we can look
at this through logstash.

Change-Id: Id5c8748606cce16f64e978ad7ac9309bebac0eb7
2016-02-09 06:34:36 -05:00
Morgan Fainberg
da1cc5780d Remove microseconds from apache log(s)
Remove the microseconds from the apache logs and move back to using
milliseconds. There are no longer any 2.2 workarounds in the keystone
setup process.

Change-Id: I8787eee41fbde1f9794aeffe1e862af0d5117bc3
2016-02-08 11:36:37 -08:00
Dean Troyer
50f75a9f64 Followup comment fix from alt_demo user creation
Tweak a code comment based on a review comment from Steve Martinelli in
https://review.openstack.org/#/c/275121/ where the alt_demo user is now
always created.

Change-Id: I9e9a769f601e52c030e9f6953f1746788c24a185
2016-02-04 03:25:46 +00:00
Sean Dague
c67d22e2ed make the alt_demo user during normal install
For testing reasons it's typically very useful to have a second non
admin user to cross check that it can't do a thing to the first
user. It was useful enough we always created it with tempest (though
we didn't always use it).

This makes devstack always create an alt_demo user, which is available
in occ as devstack-alt. This will help us unwind some of the keystone
v3 breaks with functional tests using keystone cli to build this
second user.

Change-Id: Iaaf02469180563e2d8c413fee0ee66ada2296cfa
2016-02-02 05:51:14 -05:00
Morgan Fainberg
a8ffe8a473 Enable keystone caching
Enable keystone caching since there is now a memcache server available
for the middlewares to cache validation. Offload queries to the
keystone backend to memcache as well.

Change-Id: I6d1d28f5b974e79d44d1e86ea53c666e3f5771df
2016-01-27 13:21:00 -06:00
Morgan Fainberg
5997ce3ab6 Always cache tokens in a shared memcache
Instead of using in-process caching for tokens per service per
worker (disabled by default now), use a shared memcache to cache
token validation(s). This should both offload/speedup validations
and avoid the issues surrounding inconsistent validation responses
when using in-process caching [since each worker caches separately].

Change-Id: Ifc17c27744dac5ad55e84752ca6f68169c2f5a86
2016-01-22 00:04:57 +00:00
Jenkins
3106c2d7d4 Merge "Add support for role and resource keystone backends" 2016-01-16 13:38:55 +00:00
Steve Martinelli
923be5f791 bootstrap keystone using new bootstrap command
Be gone ADMIN_TOKEN, long live keystone-manage bootstrap.

This patch reworks the initial setup for keystone by using
the new bootstrap command. After a minimal service catalog
has been created, using this process, we simply authenticate
as usual.

implements bp: bootstrap
Depends-On: I113c6934b6b83ceff23a94101967a6df1126873f
Change-Id: Ia1475d461eab60b68c6a0356714b21c7f92e0194
2016-01-09 20:26:48 -05:00
Jenkins
8df31a107d Merge "Assign admin role for admin user on default domain" 2016-01-09 07:49:35 +00:00
Jenkins
828936c6ac Merge "Use keystone[ldap] for ldap packages" 2016-01-08 10:11:53 +00:00
Jenkins
9f8cf83e69 Merge "Option "auth_plugin" is deprecated." 2016-01-06 18:23:21 +00:00
Steve Martinelli
3526276a08 Add support for role and resource keystone backends
Keystone has further broken apart the assignment backend into: role,
resource, and assignment. We should define the backends in the
config file and allow users to override the default by passing in
their own value.

Change-Id: Ieb22c428609d3db852814c7eceb77efa6bbde633
2016-01-05 23:56:40 -05:00
Brant Knudson
6a4d3eb55f Use keystone[ldap] for ldap packages
Keystone now provides an "ldap" in extras to install its ldap
dependencies so devstack doesn't have to track the python
dependencies itself.

Installation of the extras is done in an extra install line. This is
slightly redundant, however this pattern works much better from an
install standpoint as it supports an arbitrarily large number of
extras.

Partial-Bug: 1479962
Change-Id: If0f0ff48f3d6b3c414f2d6fcd747ecf45a397658
2016-01-05 07:41:35 -05:00
Jenkins
e8788c0129 Merge "Specify HTTPS URLs to fix tls-proxy mode" 2016-01-02 13:23:13 +00:00
Hua Wang
f7dc06cb89 Option "auth_plugin" is deprecated.
Option "auth_plugin" from group "keystone_authtoken" is deprecated.
Use option "auth_type" from group "keystone_authtoken".

Change-Id: I01371bd924114d6470e960a91a3045fe7dc22339
Closes-Bug: #1528746
2015-12-23 12:23:25 +08:00
Dave Chen
97b9e970b2 Remove the support for keystone extensions
All keystone extensions have been moved into cores and are
enabled by default; there is no need to configure the extension
in devstack, but configuring it in devstack will block the
install process.

Change-Id: I7d21b122c641f601295ee7ece3583404b3874dbd
Closes-Bug: #1526033
2015-12-15 03:42:17 +08:00
gordon chung
e42306d9db only set admin_* options for eventlet
keystone+apache don't need these values set.

Change-Id: Iebdb31b5f0888613e0454f09a426933d6fcd71b3
see: http://lists.openstack.org/pipermail/openstack-dev/2015-December/081984.html
2015-12-10 14:54:01 -05:00