25 Commits

Author SHA1 Message Date
Takashi Kajinami
f6af383762 authtoken: Make password required
The password parameter is not really optional. This makes it
a required parameter to give more sensible validation error.

Change-Id: I0de636a2ca00757ef24552a0c9a97ee95e485d19
2023-07-12 22:07:37 +09:00
Takashi Kajinami
505c5dbbe4 Replace legacy facts and use fact hash
... because the latest lint no longer allows usage of legacy facts and
top scope fact.

This also fixes the wrong wsgi script name introduced by [1] to fix
broken litmus jobs.

[1] d7a1ea5fb7632e58a69f7dead32c28f1a9419a2e

Change-Id: Idb7d655242ccd6f785ea4dfbb94d8ff3ad961b03
2023-03-02 13:53:25 +09:00
Takashi Kajinami
95f5169393 Accept system scope credentials for Keystone API request
This change is the first step to support secure RBAC and allows usage
of system scope credentials for Keystone API request.

This change covers the following two items.
 - assignment of system scope roles to system user
 - credential parameters for authtoken middleware

Depends-on: https://review.opendev.org/804325
Change-Id: I6907dd4b41dfe009a69fecd3ee5d8332c4c6a424
2022-01-25 10:54:14 +09:00
Takashi Kajinami
8b5cb8c0a3 Add support for [keystone_authtoken] service_type
Change-Id: Id7048f2b1bfed8641c9a6f6b7508a88282c25cf2
2022-01-24 13:12:55 +09:00
ZhongShengping
1afa1afac1 Add service_token_roles for keystone authtoken config
Add the ability to configure service_token_roles.

Change-Id: Ia19efd5737c57ccf0f7922c037cce47adf9a2fd6
Closes-Bug: #1892284
2020-08-20 10:41:27 +08:00
Lewis Denny
7585243d3f Add support for the interface parameter in authtoken middleware
This patch adds support for [keystone_authtoken] interface parameter,
so that operators can define which endpoint should be used by authtoken
middleware.

Change-Id: If61e708f68f96ce6c485a681d39e17c3cf737d2a
2020-07-16 21:28:49 +10:00
Tobias Urdin
a053d4e86e Convert all class usage to relative names
Change-Id: Ic7b8f4e584e3f1ed1d5c6c568cc6caf67493cdda
2019-12-08 23:24:12 +01:00
ZhongShengping
d69c2831b4 Remove deprecated pki related options
The deprecated pki related options check_revocations_for_cached and
hash_algorithms have been removed.

Change-Id: I1c76eea5b6960cce2fe822aac9fa018c250ecd5d
2019-08-15 11:51:38 +08:00
ZhongShengping
4212800852 Service_token_roles_required missing in the server config file
Service_token_roles_required missing in the server config file which
allows backwards compatibility to ensure that the service tokens are
compared against a list of possible roles for validity.

Change-Id: Ie5ad7f2438c922692b4d7df60cd68a6afadb3a72
Closes-Bug: 1778198
2019-02-15 10:03:10 +08:00
Tobias Urdin
ab83c20ddf Remove auth_uri
Depends-On: https://review.openstack.org/#/c/621136/
Change-Id: Id8ad452022c92f2f4fc8503466a2e07e77f7ca73
2018-11-30 11:33:02 +01:00
ZhongShengping
ff52d5f8a5 Deprecate pki related options
check_revocations_for_cached and hash_algorithms are deprecated for
removal because the PKI token format is no longer supported.
Update warning message and add a release note.

Change-Id: Ic360bd95c3cf542ca2833e366102950cecd7ef5b
Closes-Bug: #1804562
Closes-Bug: #1804720
2018-11-23 10:23:57 +08:00
Zuul
7e91b74d24 Merge "Replace port 35357 with 5000"
2018-06-25 09:30:08 +00:00
Zuul
70b9cde131 Merge "Deprecate auth_uri option"
2018-05-15 19:16:32 +00:00
ZhongShengping
4e3341f589 Deprecate auth_uri option
Option auth_uri from group keystone_authtoken is deprecated[1].
Use option www_authenticate_uri from group keystone_authtoken.

[1] https://review.openstack.org/#/c/508522/

Change-Id: If7049561c6a9e94fc5074112db9597cd8cb6996e
Depends-On: I4c82a63baabd6b9304b302c97cd751a0103d8316
Depends-On: I0dd36ef1f1f5dcdc57413736ecb8f2555712c36d
Closes-Bug: #1759098
2018-05-15 12:20:31 +02:00
ZhijunWei
35fc44fb95 Replace port 35357 with 5000
Now that the v2.0 API has been removed, we don't have a reason to
include deployment instructions for two separate applications on
different ports.

Change-Id: I6267a1b6189601e117d28be342864688d3522aa6
2018-05-13 15:10:23 +08:00
zhubingbing
9fe546b7d0 neat: missing : in $::os_service_default
Change-Id: I29279f0abed6ca3f0e3db66237c540ae73c21d98
2018-05-11 14:02:40 +08:00
ZhongShengping
ae7290a272 Remove deprecated keystone authtoken revocation_cache_time option
Change-Id: Id80297afb799a230e0cca042ab1036ed78ca97e4
2018-03-27 10:48:15 +08:00
ZhongShengping
a54b81c779 Configure *_domain_name to Default by default
Keystone v2.0 API was removed so we have no choice but to configure
user_domain_name and project_domain_name, otherwise it falls back to
Keystone v2.0 and it fails. This patch sets the default value so we make
sure Keystone v3 will be used out of the box for our users.

Change-Id: I4d2a5620e7a4dc5c5fddabd3da0299e0f2211102
2017-10-13 14:44:08 +08:00
ZhongShengping
64389fe880 Add deps to all that is needed
Change-Id: I7e54d8050bc73f2f29d35d8784f97e9285051ce1
2017-09-21 09:23:24 +08:00
ZhongShengping
2d905626da Deprecate revocation_cache_time option
The revocation_cache_time is deprecated for removal because the PKI
token format is no longer supported.
Update warning message and add a release note.

Change-Id: Ib4030f83a9201155e5168c164d257a14b9da16e0
Closes-Bug: #1717144
2017-09-14 11:58:05 +08:00
ZhongShengping
4b9db23377 Remove deprecated keystone authtoken signing_dir option
Change-Id: Id8fb41492d216de5c6ede43aa5b530d16ed8d46f
2017-07-07 10:01:10 +08:00
Matthew J. Black
1266a13ba0 Allow python-memcache install from authtoken class
The python-memcache package is required if using memcached. By
default the package is not installed and the define has it set to
false. This change allows managing the python-memcache package
install from the authtoken class.

Change-Id: Iee2b5a00c9eb026a42ebd4bf166d06f6bc5f6e27
2017-01-11 18:08:54 -05:00
ZhongShengping
160d44ab51 Deprecate signing_dir option
The signing_dir is deprecated for removal because the PKI token format
is no longer supported.
Update warning message and release note.

Change-Id: I91803e5f2c674e284657bbd40ea32b349a8f393f
Closes-Bug: #1652700
2016-12-28 14:36:31 +08:00
Iury Gregory Melo Ferreira
287ef4dfe2 Remove old authtoken options
Since we are in ocata let's remove all old parameters in api
to configure the keystone_authtoken section

Change-Id: I2ad9c559768324cb494bcbe719195817b3ca4864
2016-11-08 01:11:16 -03:00
Alexey Deryugin
b51e789701 Configure keystone authtoken options
In trove::api, use keystone::resource::authtoken to configure
keystone_authtoken section in trove.conf, with all parameters required
to configure keystonemiddleware.
This patch will allow deploying Trove to use Keystone v3
authentication.

Some deprecations:
- trove::api::keystone_tenant is deprecated in favor of trove::keystone::authtoken::project_name.
- trove::api::keystone_user is deprecated in favor of trove::keystone::authtoken::username.
- trove::api::keystone_password is deprecated in favor of trove::keystone::authtoken::password.
- trove::api::identity_uri is deprecated in favor of trove::keystone::authtoken::auth_url.
- trove::api::auth_uri is deprecated in favor of trove::keystone::authtoken::auth_uri.

Change-Id: I808ebda1c4ec3a5b2ed294eb8af4eecafa861051
Closes-Bug: #1604463
2016-08-23 22:08:04 -03:00