The revocation_cache_time is deprecated for removel because of PKI
token format is no longer supported.
Update warning message and add a release note.
Change-Id: I2c340522a696c3e436404e1b1403d6cf072d56d3
Closes-Bug: #1717144
The python-memcache package is required if using memcached. By
default the package is not installed and the define has it set to
false. This change allows managing the python-memcache package
install from the authtoken class.
Change-Id: I3a6f847e4d5ff64e09b664dc58b17db4094c814c
The signing_dir is deprecated for removel because of PKI token format
is no longer supported.
Update warning message and release note.
Change-Id: I42b35c3cadde3bb22463c82e83168addfd4da99f
Closes-Bug: #1652700
With the heat::deps implementation, we should ensure that the users are
created in before the heat::service::end anchor rather than the service
itself. This can lead to issues when we move the service to httpd and it
is colocated with keystone. Additionally the authtoken class needs to
include the ::heat::deps class.
Change-Id: I0c2b5e0e3671d37fb0450cd25dd6287bebda4dcb
Since we are in ocata lets remove all old parameters in api
to configure the keystone_authtoken section
Change-Id: I7f18b79b9107baad78129b098246bd9c931420dc
This change allows a user of the heat::keystone::domain class to manage
the user creation seperately from the user configuration for the heat
services.
Previously one could disable the management of the users but could not
prevent the configuration file from being updated if all they wanted to
do was create the users.
Change-Id: Iab8204d3dfd727149d41ad86616a8f95a6f720dc
Having a default value for a password is not acceptable for security
purpose. We should unset the default value so we make sure catalog fail
if no value is set. It enforces our users to set a value and stop
opening a security problem.
Change-Id: I41b974f6ece39743bfc2ad922b2f0dad20aec469
Switch keystone_authtoken parameters for the new class
heat::keystone::authtoken to configure the keystone_authtoken section
in heat.conf.
Some deprecations:
- heat::auth_uri is deprecated in favor of
heat::keystone::authtoken::auth_uri.
- heat::identity_uri is deprecated in favor of
heat::keystone::authtoken::auth_url.
- heat::auth_plugin is deprecated in favor of
heat::keystone::authtoken::auth_type.
- heat::keystone_user is deprecated in favor of
heat::keystone::authtoken::username.
- heat::keystone_tenant is deprecated in favor of
heat::keystone::authtoken::project_name.
- heat::keystone_password is deprecated in favor of
heat::keystone::authtoken::password.
- heat::keystone_user_domain_name is deprecated in favor of
heat::keystone::authtoken::user_domain_name.
- heat::keystone_user_domain_id is deprecated, use the name option.
- heat::keystone_project_domain_name is deprecated in favor of
heat::keystone::authtoken::project_domain_name.
- heat::keystone_project_domain_id is deprecated, use the name option.
- heat::memcached_servers is deprecated in favor of
heat::keystone::authtoken::memcached_servers.
Change-Id: I466558e98176f20743271191df64dc327f0efcc6
Closes-bug: #1604463
This change updates the heat::keystone::auth class to include a default
service_name of 'heat' so that if a user changes the auth_name, the
service is still created as being related to 'heat'. This improves the
user experiance when they want to customize the usernames for services.
Closes-Bug: #1590040
Change-Id: Iee47e78dbeb269e5fe6c52030de378c13e51c1f3
The header had different values ("heat" rather than "heat-cfn") for
these than the code. This change fixes it by adapting the
documentation (header) to the reality of the code.
Change-Id: I92b25527b65e954afae36292b0d9140a8b6e4b09
Closes-bug: #1571407
Previously the anchors and dependencies that allow external hooks were
all in the main ::heat class. However, if you wanted to include just
::heat::db::mysql, then it would fail, since it assumed the main heat
class was included. This moves all of those resources and relationships
into a new class, ::heat::deps. All of the classes will now include
this class so that the anchors and deps are always evaluated even if
only a portion of the classes are used, and even if ::heat isn't pulled
in.
Change-Id: I4297df160a7afae2b66c1ac76e37de313fa4fb09
Closes-Bug: #1507934
The domain name wasn't used for the keystone_user_role resource.
This change requires "replace indirection calls" [1]
Both needs to be merged as same time in order to pass CI tests.
[1] https://review.openstack.org/226624
Change-Id: I2a717b06a73af966d6625b4f6ec3254baf7c50a0
Depends-On: I36fabf547fa50fc14d49f491f11cb4a0571f7d31
Before you could configure the role in the config file but not the
keystone role that was created. Now you can do both.
Change-Id: Iea6df1679d3ceef1f0876e65dac06628147c700b
When configuring Heat domains, we might want to use the default domain.
However, the default domain might already exist or managed by
puppet-keystone.
This patch allows to disable its management in puppet-heat, but keep
True for backward compatibility so the domain will be managed by
default.
Change-Id: I2e9f2ebb5b12cc33565d74bf955250dcc82bcbb9
In Kilo, we decided to use ::heat::keystone::auth to manage the
Keystone_role resource to help with Trusts configuration.
Though the configuration was and still remains part of ::heat::engine
class because we assume ::heat::keystone::auth can be run outside the
heat-engine node.
So this patch aims to drop the deprecated parameter, update the
documentation and unit tests.
Change-Id: I045a3a82095e23778c4e878b13f2fc7f561d680e
This patch replaces the usage of Exec to create the Heat domain, by
using the Keystone_domain resource recently implemented in
puppet-keystone.
Change-Id: I5abdac6334e535e8be4e4d19223b4e83b7a39db1
This commit adds the service description as a class parameter in order to allow
users to update from a previous version if the service description is changed
(incorrectly spelled or wrong description)
Change-Id: Ifa39ae38c1004924f14089cfc45394839d442081
Closes-Bug: #1468407
This change deprecates the following parameters:
- version (replaced by public/internal/admin_url)
- port (replaced by public/internal/admin_url)
- public_protocol (replaced by public_url)
- public_address (replaced by public_url)
- internal_protocol (replaced by internal_url)
- internal_address (replaced by internal_url)
- admin_protocol (replaced by admin_url)
- admin_address (replaced by admin_url)
Add deprecation warnings if any of those values are provided
while maintaining full backward compatibility.
Closes-bug: #1274979
Change-Id: I52ed1e7bd9315bfc3b4d4b331ff8c4006654ea3c
Currently ::heat::keystone::domain works only if keystonerc_admin
is sourced because of missing OS_TENANT_NAME env given to script
heat-keystone-setup-domain. This patch fixes this issue.
Change-Id: Idf5d35df2c39fe724350a00437b76be3333194c2
For debugging reasons output of the script should be logged (and I'm
very sorry that I didn't realize it in the original patch).
Change-Id: I7799021b51039bffd7082c4e587fe49b8424f5d0
This changes the puppet-lint requirement to 1.1.x, so that we can use
puppet-lint plugins. Most of these plugins are for 4.x compat, but some
just catch common errors.
Change-Id: If5f03538be85cee4a1d3b4c9a87eae1230432114
Even if the endpoint is disabled the service will always be created.
Make this settable like the endpoint.
Change-Id: I7a4f7c660c1ce857f936156a0e3d2bb419571759
In deployments that have keystone only nodes, the keystone nodes will
need to configure the keystone roles, but they will not have a heat.conf
file. This means that the functionality between writing the config file
and configuring the role is split. The old role configuration is left in
engine as a deprecated parameter.
Fixes-bug: #1409977
Change-Id: I84a53c4992bcdfc4440560b78c602d517a18ec39
When the engine code does things with Keystone roles/etc it breaks when
run on nodes that are not running Keystone. Some environments have
Keystone in a separate node thereby causing issues. This moves it into
the Keystone auth class to match the functaionality of other puppet
modules and avoid this issue. The older parameters are deprecated but
will still work.
Based on the original patch by Vladislav Belogrudov.
Change-Id: I3d6545cf1e5338b1098ee52daedcc17dc9ad990b
Closes-Bug: #1393293
Refactorise the code of Keystone resources management with backward
compatibility since we don't modify the unit tests.
Change-Id: I397768ba0c9d8020c6e722aa34315dd32b1d967a
Implements: blueprint common-openstack-identity-resource
- This puppet-lint plugin checks if all parameters are documented
- Fix some unaligned arrows
- https://github.com/domcleal/puppet-lint-param-docs
Change-Id: I5e73747b726191bc4fc55e6e227892507e185871
Signed-off-by: Gael Chamoulaud <gchamoul@redhat.com>
In some cases it is useful to be able to just configure
the service in Keystone and not the service user. This
is the case when e.g. a read only LDAP backend is used.
Added a parameter configure_user (defaults to true).
Closes-Bug: 1360232
Change-Id: Ia17fa32744bd951eac3307a858917ac1ba3be37c
Instead of forcing the name of the service in the service catalog to
match auth_name, this allows the ability to explicitly set the service
name, spearately from auth_name.
If service_name is not specified, it's value defaults to the value
of auth_name (which maintains the current behavior.)
Closes-bug: #1359755
Change-Id: I1d26aa7970471a40d7d636387826523925a71844