Heat has an additional configuration for plugin_dirs
parameter. This parameter provides a list of directories
to search for plug-ins. This change allows configuration
of plugin_dirs parameter in heat.conf file. This change
will allow a user to set this value, if required. Else
$::os_service_default will be used and the parameter will
not be added to the config file, as it is done today.
Change-Id: I636d52f867ee447eaf0e1e80bf9fdc30c91f4ec1
It is usually the same as auth_url which is defined there
$::heat::keystone::authtoken::auth_url. We can now point this to
another part of the catalog (ie, public vs internal for instance).
Co-Authored-By: Sergii Golovatiuk <sgolovat@redhat.com>
Change-Id: I4429d86d831f49f1bc0fef04379a81ada20b6ab6
The move of policy.json into code means the file may not exist. We've
added support to ensure that the file exists in the openstacklib but we
need to make sure the permissions are right for each service. This adds
the group information to the policies so it works right.
Depends-On: I26e8b1384f4f69712da9d06a4c565dfd1f17c9ed
Change-Id: I748ed0cba392d783e75b2cf16833a687d6152a22
Co-Authored-By: Alex Schultz <aschultz@redhat.com>
Being able to set the log files for the apache vhost was done in a
recent commit [1]. However, that commit missed exposing the
configuration in the service-specific manifests. This adds that.
[1] Ic2ffef73f6a12d6225f87d285003c3deb7541126
Change-Id: Iae6a86cb93305cb3307e058cfd31e0fca3b1be8e
Due to Python's GIL [1], we can't use multiple threads for running
OpenStack services without a performance penalty, since the execution
ends up serialized, which defeats the purpose.
Instead, we should use several processes, since this approach doesn't
have this limitation.
[1] https://wiki.python.org/moin/GlobalInterpreterLock
Change-Id: I116df85f259528d547a958850b9c3793d01e2a45
This allows the setting of the error and access file logs, as well as
the access log format. This was done in a similar fashion as one can
configure these ones in the keystone wsgi manifest.
Change-Id: Ic2ffef73f6a12d6225f87d285003c3deb7541126
An empty string is an acceptable value of this entry, and it forces
logging to stdout/stderr, which is useful when running on containers.
Change-Id: I8c3a635688ef98e6038c2bee33cd253da8d3baf0
The revocation_cache_time is deprecated for removal because the PKI
token format is no longer supported.
Update warning message and add a release note.
Change-Id: I2c340522a696c3e436404e1b1403d6cf072d56d3
Closes-Bug: #1717144
Add parameter to apache_wsgi to allow overwrite and/or
add additional wsgi process options.
This possibility was added to openstacklib
with Change-Id: I41914ce3361988d5db1695f09d21209772fdf548
Change-Id: I3df74ddc4a258083ccfe4e47180f022742655ba6
Param keystone_ec2_uri was providing default value. It was raising an
engine service error on infras where ec2 endpoint was not created.
Change-Id: I48c47a2c59ec89212a45125b373844e340731fd9
Param heartbeat_timeout_threshold by default is set to 60 in oslo module.
We shouldn't set hardcoded value, but take default one.
Change-Id: Id572fd98846f640d88cbb46c4a74f9fd43813d8b
Oslo.messaging uses the transport_url to represent the rpc and
notification messaging driver to use and its full configuration. The
rpc_backend configuration option is deprecated for removal and
should not gate oslo.messaging driver configuration options.
This patch:
* deprecate rpc_backend
* remove conditional check
* update spec tests
* add release note
Change-Id: I1537c9e0db956d4271c8334a0aa543cd20c57e67
This adds support for setting reauthentication_auth_method
flag in heat.conf.
Change-Id: I247b02a50bb46ce16ca120961dd9c3df3e6026fd
Partial-Bug: #1683983
Now TripleO sets this value, we can use os_service_default for
the default value and we won't have duplicated resource.
Change-Id: I00a47d6dae5be6ea18d93ac8b47c0c0cc58fe43f
Add support for clients/endpoint_type parameter.
Note: Default to False now, because TripleO already sets this resource
and we don't want duplicated resource.
Once we switch TripleO to use this new option, the default will
become os_service_default.
Change-Id: If707c5623c0e34e9219eeafdafaf0ac42daf5c8d
Closes-Bug: #1675409
This includes a resource that will generically create the vhost for
the specified API.
Co-Authored-By: Thomas Herve <therve@redhat.com>
Depends-On: I9a9246522810de546a7c460ab1133d6bf9081a15
Change-Id: I253f46f5ad943971dd9ea6995591c72a36953bdb
All db settings should be applied and all related packages should be
installed before dbsync starts.
Change-Id: Iec6254f654afbbe1ababb150b47ff5e99b8032b5
The python-memcache package is required if using memcached. By
default the package is not installed and the define has it set to
false. This change allows managing the python-memcache package
install from the authtoken class.
Change-Id: I3a6f847e4d5ff64e09b664dc58b17db4094c814c
The signing_dir is deprecated for removal because the PKI token format
is no longer supported.
Update warning message and release note.
Change-Id: I42b35c3cadde3bb22463c82e83168addfd4da99f
Closes-Bug: #1652700
With the heat::deps implementation, we should ensure that the users are
created before the heat::service::end anchor rather than the service
itself. This can lead to issues when we move the service to httpd and it
is colocated with keystone. Additionally the authtoken class needs to
include the ::heat::deps class.
Change-Id: I0c2b5e0e3671d37fb0450cd25dd6287bebda4dcb
The rabbitmq connection parameters have been deprecated in favor of the
transport_url setting.
Change-Id: I7ae5c5a2584eab063b8e647dc34008ac71bd04e0
Related-Bug: #1625198
Since we are in ocata let's remove all old parameters in api
to configure the keystone_authtoken section
Change-Id: I7f18b79b9107baad78129b098246bd9c931420dc
These settings are all legacy, as for some time heat has instead supported
deriving the URLs internally using the endpoints from the keystone catalog.
Defaulting these to localhost seems like a bad default, as in
most cases heat will calculate a more reasonable default (e.g. something
derived from the actual heat public endpoint in keystone), and it's somewhat
surprising when you don't pass a value and get localhost instead of the heat
defaults.
They can still be used to override the keystone endpoint, which is sometimes
useful, but in most cases these should no longer be set IMO.
Note the relevant heat commits which make these settings optional are
Id402664e38e3da071ad634233b3a1f8e13af152d and
If8a2d3f37d87c26228e709c20f61969b397f2da0 (present in all Heat releases
since Mitaka)
Closes-Bug: #1641873
Change-Id: I90ccdd881a41d803e28064f44b821ab48a6fa8ea
This change allows a user of the heat::keystone::domain class to manage
the user creation separately from the user configuration for the heat
services.
Previously one could disable the management of the users but could not
prevent the configuration file from being updated if all they wanted to
do was create the users.
Change-Id: Iab8204d3dfd727149d41ad86616a8f95a6f720dc
Having a default value for a password is not acceptable for security
purposes. We should unset the default value so we make sure the catalog fails
if no value is set. It enforces our users to set a value and stop
opening a security problem.
Change-Id: I41b974f6ece39743bfc2ad922b2f0dad20aec469
Option "auth_plugin" from group "trustee" is deprecated in Heat.
Use option "auth_type" from group "trustee" instead.
Change-Id: I19024ad7be968c7364dbb8ff94372a168f6f6096
Closes-Bug: #1633282
If db sync fails, it is never retried leading to errors. So, this
patch adds retries for db_sync to avoid sync fails.
Change-Id: I094f592989928cefef0b9cd9c7b9d837f51d03b1
Closes-Bug: #1628580
This may be required in instances where socket.gethostname() (the default)
does not return an FQDN and an FQDN (or other identifier) is desired.
Change-Id: Ibb86cdcf7e6304eabc1fe165feec9555bfadb32f