42 Commits

Author SHA1 Message Date
ZhongShengping
3c5f67488d Deprecate revocation_cache_time option
The revocation_cache_time is deprecated for removal because the PKI
token format is no longer supported.
Update warning message and add a release note.

Change-Id: I2c340522a696c3e436404e1b1403d6cf072d56d3
Closes-Bug: #1717144
2017-09-14 11:31:44 +08:00
ZhongShengping
6fde1a69d3 Remove deprecated keystone authtoken signing_dir option
Change-Id: Ie89e4385628cd5bfd0b43d7c00124c25dee17936
2017-07-07 09:59:10 +08:00
Matthew J. Black
12a328d74f Allow python-memcache install from authtoken class
The python-memcache package is required if using memcached. By
default the package is not installed and the define has it set to
false. This change allows managing the python-memcache package
install from the authtoken class.

Change-Id: I3a6f847e4d5ff64e09b664dc58b17db4094c814c
2017-01-11 17:37:45 -05:00
ZhongShengping
0540b5c98f Deprecate signing_dir option
The signing_dir is deprecated for removal because the PKI token format
is no longer supported.
Update warning message and release note.

Change-Id: I42b35c3cadde3bb22463c82e83168addfd4da99f
Closes-Bug: #1652700
2016-12-28 14:00:55 +08:00
Alex Schultz
b5b48d9863 Fix heat user dependencies
With the heat::deps implementation, we should ensure that the users are
created before the heat::service::end anchor rather than the service
itself. This can lead to issues when we move the service to httpd and it
is colocated with keystone. Additionally the authtoken class needs to
include the ::heat::deps class.

Change-Id: I0c2b5e0e3671d37fb0450cd25dd6287bebda4dcb
2016-11-23 16:10:37 +00:00
Jenkins
95db61d071 Merge "Remove old authtoken options" 2016-11-21 22:13:36 +00:00
Jenkins
41ccdeb852 Merge "Force domain_password parameter to be defined" 2016-11-19 01:05:56 +00:00
Iury Gregory Melo Ferreira
da7bc46203 Remove old authtoken options
Since we are in Ocata, let's remove all old parameters in api
to configure the keystone_authtoken section

Change-Id: I7f18b79b9107baad78129b098246bd9c931420dc
2016-11-16 00:02:12 -03:00
Alex Schultz
08488e3686 Ability to manage domain config separately
This change allows a user of the heat::keystone::domain class to manage
the user creation separately from the user configuration for the heat
services.

Previously one could disable the management of the users but could not
prevent the configuration file from being updated if all they wanted to
do was create the users.

Change-Id: Iab8204d3dfd727149d41ad86616a8f95a6f720dc
2016-11-03 08:52:12 -06:00
Emilien Macchi
a1f3dfe6a9 Force domain_password parameter to be defined
Having a default value for a password is not acceptable for security
purposes.  We should unset the default value so we make sure the catalog
fails if no value is set.  It forces our users to set a value and stops
opening a security problem.

Change-Id: I41b974f6ece39743bfc2ad922b2f0dad20aec469
2016-11-02 10:46:33 -04:00
Iury Gregory Melo Ferreira
85b55571b8 Move Heat to authtoken
Switch keystone_authtoken parameters for the new class
heat::keystone::authtoken to configure the keystone_authtoken section
in heat.conf.

Some deprecations:
- heat::auth_uri is deprecated in favor of
  heat::keystone::authtoken::auth_uri.
- heat::identity_uri is deprecated in favor of
  heat::keystone::authtoken::auth_url.
- heat::auth_plugin is deprecated in favor of
  heat::keystone::authtoken::auth_type.
- heat::keystone_user is deprecated in favor of
  heat::keystone::authtoken::username.
- heat::keystone_tenant is deprecated in favor of
  heat::keystone::authtoken::project_name.
- heat::keystone_password is deprecated in favor of
  heat::keystone::authtoken::password.
- heat::keystone_user_domain_name is deprecated in favor of
  heat::keystone::authtoken::user_domain_name.
- heat::keystone_user_domain_id is deprecated, use the name option.
- heat::keystone_project_domain_name is deprecated in favor of
  heat::keystone::authtoken::project_domain_name.
- heat::keystone_project_domain_id is deprecated, use the name option.
- heat::memcached_servers is deprecated in favor of
  heat::keystone::authtoken::memcached_servers.

Change-Id: I466558e98176f20743271191df64dc327f0efcc6
Closes-bug: #1604463
2016-08-25 18:08:22 -03:00
Venkata Mahesh Jonnalagadda
6f16641c4e Provide default service_name for keystone endpoint
This change updates the heat::keystone::auth class to include a default
service_name of 'heat' so that if a user changes the auth_name, the
service is still created as being related to 'heat'. This improves the
user experience when they want to customize the usernames for services.

Closes-Bug: #1590040

Change-Id: Iee47e78dbeb269e5fe6c52030de378c13e51c1f3
2016-06-10 06:45:40 -04:00
iberezovskiy
3b49812852 Drop all current deprecated parameters for heat
Change-Id: I71ef16d9467230c9430458971266c67ae2def238
2016-04-22 14:45:22 +03:00
Simon Leinen
d696384909 Fix email and auth_name defaults in header
The header had different values ("heat" rather than "heat-cfn") for
these than the code.  This change fixes it by adapting the
documentation (header) to the reality of the code.

Change-Id: I92b25527b65e954afae36292b0d9140a8b6e4b09
Closes-bug: #1571407
2016-04-17 23:07:51 +02:00
Martin Mágr
e7c472d053 Improve heat::keystone::domain
- change resource names so that autorequire works
- enable to skip Keystone resource management

Change-Id: I9078be31f26e454e0686debcefa070721767a581
2015-11-09 12:01:36 +01:00
Clayton O'Neill
dca9fe942b Move deps & external hooks into a standalone class
Previously the anchors and dependencies that allow external hooks were
all in the main ::heat class.  However, if you wanted to include just
::heat::db::mysql, then it would fail, since it assumed the main heat
class was included.  This moves all of those resources and relationships
into a new class, ::heat::deps.  All of the classes will now include
this class so that the anchors and deps are always evaluated even if
only a portion of the classes are used, and even if ::heat isn't pulled
in.

Change-Id: I4297df160a7afae2b66c1ac76e37de313fa4fb09
Closes-Bug: #1507934
2015-10-20 09:57:36 -04:00
Gilles Dubreuil
f592e646c4 Missing domain in keystone::domain
The domain name wasn't used for the keystone_user_role resource.

This change requires "replace indirection calls" [1]
Both need to be merged at the same time in order to pass CI tests.

[1] https://review.openstack.org/226624

Change-Id: I2a717b06a73af966d6625b4f6ec3254baf7c50a0
Depends-On: I36fabf547fa50fc14d49f491f11cb4a0571f7d31
2015-10-14 09:00:32 +11:00
Matt Fischer
bc4e8c0d65 Make the role for heat_stack_user configurable
Before you could configure the role in the config file but not the
keystone role that was created. Now you can do both.

Change-Id: Iea6df1679d3ceef1f0876e65dac06628147c700b
2015-09-29 19:44:53 -06:00
Emilien Macchi
320e93d301 Allow to not manage Keystone domain
When configuring Heat domains, we might want to use the default domain.
However, the default domain might already exist or be managed by
puppet-keystone.
This patch allows disabling its management in puppet-heat, but keeps
True for backward compatibility so the domain will be managed by
default.

Change-Id: I2e9f2ebb5b12cc33565d74bf955250dcc82bcbb9
2015-09-25 12:26:03 -04:00
Emilien Macchi
1b209d35be Cleanup configure_delegated_roles deprecated parameter
In Kilo, we decided to use ::heat::keystone::auth to manage the
Keystone_role resource to help with Trusts configuration.
Though the configuration was and still remains part of ::heat::engine
class because we assume ::heat::keystone::auth can be run outside the
heat-engine node.

So this patch aims to drop the deprecated parameter, update the
documentation and unit tests.

Change-Id: I045a3a82095e23778c4e878b13f2fc7f561d680e
2015-09-24 07:54:27 -04:00
Jenkins
16b4eca4c9 Merge "Create Heat Domain with Keystone_domain resource" 2015-08-21 03:03:43 +00:00
Jenkins
13fcf95bea Merge "Remove deprecated parameter stack_user_domain" 2015-08-06 10:32:02 +00:00
Martin Mágr
b5f0f0de74 Create Heat Domain with Keystone_domain resource
This patch replaces the usage of Exec to create the Heat domain, by
using the Keystone_domain resource recently implemented in
puppet-keystone.

Change-Id: I5abdac6334e535e8be4e4d19223b4e83b7a39db1
2015-07-31 13:34:06 -06:00
Denis Egorenko
b7d19f43bd Remove deprecated parameter stack_user_domain
According to [1], stack_user_domain parameter is deprecated,
and the stack_user_domain_name parameter will now be used instead.

[1] http://docs.openstack.org/kilo/config-reference/content/orchestration-configuring-api.html

Change-Id: I558eaf311af8751897c402b3d3c2d82b4fadb07d
2015-07-30 14:31:55 +00:00
Sebastien Badia
0ea44a1eb1 keystone/auth: make service description configurable
This commit adds the service description as a class parameter in order to allow
users to update from a previous version if the service description is changed
(incorrectly spelled or wrong description)

Change-Id: Ifa39ae38c1004924f14089cfc45394839d442081
Closes-Bug: #1468407
2015-06-25 08:43:16 +00:00
Mathieu Gagné
8062dd7ae5 Introduce public_url, internal_url and admin_url
This change deprecates the following parameters:
- version (replaced by public/internal/admin_url)
- port (replaced by public/internal/admin_url)
- public_protocol (replaced by public_url)
- public_address (replaced by public_url)
- internal_protocol (replaced by internal_url)
- internal_address (replaced by internal_url)
- admin_protocol (replaced by admin_url)
- admin_address (replaced by admin_url)

Add deprecation warnings if any of those values are provided
while maintaining full backward compatibility.

Closes-bug: #1274979
Change-Id: I52ed1e7bd9315bfc3b4d4b331ff8c4006654ea3c
2015-06-11 16:49:35 -04:00
Martin Mágr
c280fa5501 Fix Keystone domain class
Currently ::heat::keystone::domain works only if keystonerc_admin
is sourced because of missing OS_TENANT_NAME env given to script
heat-keystone-setup-domain. This patch fixes this issue.

Change-Id: Idf5d35df2c39fe724350a00437b76be3333194c2
2015-04-14 11:42:06 +02:00
Martin Mágr
8c09567b62 Log output of heat-keystone-setup-domain
For debugging reasons output of the script should be logged (and I'm
very sorry that I didn't realize it in the original patch).

Change-Id: I7799021b51039bffd7082c4e587fe49b8424f5d0
2015-03-19 10:27:56 +01:00
Jenkins
76187ef191 Merge "Add Puppet 4.x lint checks" 2015-03-11 17:14:23 +00:00
Sebastien Badia
44e1bbf039 Add Puppet 4.x lint checks
This changes the puppet-lint requirement to 1.1.x, so that we can use
puppet-lint plugins. Most of these plugins are for 4.x compat, but some
just catch common errors.

Change-Id: If5f03538be85cee4a1d3b4c9a87eae1230432114
2015-03-02 13:54:32 +01:00
Matt Fischer
0993b23eeb Make configuring the service optional.
Even if the endpoint is disabled the service will always be created.
Make this settable like the endpoint.

Change-Id: I7a4f7c660c1ce857f936156a0e3d2bb419571759
2015-03-01 18:49:43 -07:00
Matt Fischer
02df1c7974 Mark heat's keystone password as secret
Change-Id: I7d4e0fe452566435eb67d3d9ed6b3849021ba690
2015-02-24 13:22:50 -07:00
Matt Fischer
a4af24cb2f Rework delegated roles
In deployments that have keystone only nodes, the keystone nodes will
need to configure the keystone roles, but they will not have a heat.conf
file. This means that the functionality between writing the config file
and configuring the role is split. The old role configuration is left in
engine as a deprecated parameter.

Fixes-bug: #1409977

Change-Id: I84a53c4992bcdfc4440560b78c602d517a18ec39
2015-02-03 17:46:49 +00:00
Jenkins
dc4861e396 Merge "Move keystone role creation to keystone area" 2015-01-13 00:02:10 +00:00
Matt Fischer
74e8743659 Move keystone role creation to keystone area
When the engine code does things with Keystone roles/etc it breaks when
run on nodes that are not running Keystone. Some environments have
Keystone in a separate node thereby causing issues. This moves it into
the Keystone auth class to match the functionality of other puppet
modules and avoid this issue. The older parameters are deprecated but
will still work.

Based on the original patch by Vladislav Belogrudov.

Change-Id: I3d6545cf1e5338b1098ee52daedcc17dc9ad990b
Closes-Bug: #1393293
2015-01-12 14:25:56 -07:00
Jenkins
50ae53a95b Merge "Implement Keystone domain creation" 2014-12-23 03:26:21 +00:00
Emilien Macchi
077ef2d42c Refactorise Keystone resources management
Refactorise the code of Keystone resources management with backward
compatibility since we don't modify the unit tests.

Change-Id: I397768ba0c9d8020c6e722aa34315dd32b1d967a
Implements: blueprint common-openstack-identity-resource
2014-11-21 10:24:14 -05:00
Gael Chamoulaud
45a35dc2ec Add puppet-lint-param-docs plugins to puppet-lint
- This puppet-lint plugin checks if all parameters are documented
- Fix some unaligned arrows
- https://github.com/domcleal/puppet-lint-param-docs

Change-Id: I5e73747b726191bc4fc55e6e227892507e185871
Signed-off-by: Gael Chamoulaud <gchamoul@redhat.com>
2014-11-13 12:42:40 +01:00
Martin Magr
41608dc6c8 Implement Keystone domain creation
Keystone domain has to be created for Heat. This patch implements this
via helper script [1] since we don't have support for Keystone v3 API
in puppet-keystone yet. This implementation should be refactored as soon
as we will have v3 API available in puppet-keystone. For more info
please check [2].

[1] https://github.com/openstack/heat/blob/master/bin/heat-keystone-setup-domain
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1076172

Change-Id: I036a84eee6b9d0afa9a9ed96849494324ba4c4db
2014-09-18 12:27:20 +02:00
Mike Dorman
c1102fd5e3 Make user creation optional when creating service.
In some cases it is useful to be able to just configure
the service in Keystone and not the service user. This
is the case when e.g. a read only LDAP backend is used.
Added a parameter configure_user (defaults to true).
Closes-Bug: 1360232

Change-Id: Ia17fa32744bd951eac3307a858917ac1ba3be37c
2014-09-11 18:04:35 -05:00
Mike Dorman
ddea2e245a Adds ability to override service names for service catalog
Instead of forcing the name of the service in the service catalog to
match auth_name, this allows the ability to explicitly set the service
name, separately from auth_name.

If service_name is not specified, its value defaults to the value
of auth_name (which maintains the current behavior.)

Closes-bug: #1359755
Change-Id: I1d26aa7970471a40d7d636387826523925a71844
2014-08-21 09:55:04 -04:00
Ian Wienand
08b11b13f2 Add heat::keystone::auth class
Add heat::keystone::auth and heat::keystone::auth_cfn classes to
configure heat & heat-cfn service/endpoints

Change-Id: I0a2ce7001ccf6dccd680dfc002351bb034943e2e
2013-09-12 11:57:03 +10:00