We are ecstatic to announce the release of:

puppet-keystone 14.2.0: Puppet module for OpenStack Keystone

This release is part of the stein release series.

Download the package from:

    https://tarballs.openstack.org/puppet-keystone/

For more details, please see below.

14.2.0
^^^^^^

Prelude
*******

In this release, puppet-keystone no longer deploys keystone with separated ports (admin and public as they were called in v2.0). By default keystone will only listen on port 5000; you need to make sure all your services are configured to use the correct port to talk to keystone.

New Features
************

* In Keystone, we can set the group_members_are_ids option. This parameter enables the members of the group object class to be keystone user IDs rather than LDAP DNs. This is the case when using posixGroup as the group object class in Open Directory.

* Added new parameter keystone::federation::openidc::keystone_url that can be used to set the keystone URL for federation. If it is not provided, keystone::public_endpoint is used.

Upgrade Notes
*************

* The deprecated parameters keystone::debug, keystone::use_syslog, keystone::use_stderr and keystone::log_facility are removed; please set them in the keystone::logging class.

* The deprecated params keystone::enable_pki_setup, signing_certfile, signing_keyfile, signing_ca_certs, signing_ca_key, signing_cert_subject and signing_key_size are now removed.

* The deprecated parameter keystone::memcache_servers is now removed and the automatic behavior to set cache_enabled and cache_backend has been removed. You must now set cache_memcached_servers and explicitly set cache_enabled to true and cache_backend to the backend you want to use for caching.

* Keystone is now deployed with only port 5000. You can change this with keystone::wsgi::apache::api_port; you need to make sure all your services are configured to talk to keystone on this port. If you want to keep backward compatibility with port 35357 you should pass an array to api_port with both port 35357 and 5000.

* The providers have been updated to read DEFAULT/public_port, which defaults to 5000, and use that port to talk to Keystone when managing resources. You need to make sure that keystone::public_port and keystone::wsgi::apache::api_port are set to the same value if you are deploying keystone with Apache WSGI.

* keystone::federation::mellon is now added to Keystone WSGI for port 5000 by default. The admin_port and main_port parameters do nothing and are deprecated.

* keystone::federation::shibboleth is now added to Keystone WSGI for port 5000 by default. The admin_port and main_port parameters do nothing and are deprecated.

* keystone::federation::openidc is now added to Keystone WSGI for port 5000 by default. The admin_port and main_port parameters do nothing and are deprecated.

* The keystone::federation::openidc::keystone_url parameter has been added to give the keystone endpoint. If it is not provided, keystone::public_endpoint will be used. We recommend that you set this since keystone::public_endpoint might be deprecated in a future release.

* The deprecated keystone::python class is now removed.

* The deprecated parameter keystone::wsgi::wsgi_script_ensure is now deleted.

Deprecation Notes
*****************

* The keystone_paste_ini resource, keystone::config::keystone_paste_config, keystone::disable_admin_token_auth, keystone::disable_v2_api and keystone::paste_config are all deprecated and have no effect on how Keystone behaves. These will be removed in the next release; keystone is not reading the paste configuration in Stein.

* keystone::federation::mellon::module_plugin, keystone::federation::shibboleth::module_plugin and keystone::federation::openidc::module_plugin have been removed.

* The keystone::cache_dir parameter is now deprecated and will be removed in a future release. It has no effect since it was only related to PKI, which is removed.

* The parameter keystone::resource::authtoken::check_revocations_for_cached is deprecated and will be removed in a future release. It was related to PKI, which is removed.

* The parameter keystone::resource::authtoken::hash_algorithms is deprecated and will be removed in a future release. It was related to PKI, which is removed.

* As of the removal of port 35357, the following parameters are deprecated in the keystone::wsgi::apache class and have no effect:

  * "servername_admin" please use "servername"

  * "public_port" and "admin_port" please use "api_port"

  * "admin_bind_host" please use "bind_host"

  * "public_path" and "admin_path" please use "path"

  * "ssl_cert_admin" and "ssl_key_admin" please use "ssl_cert" and "ssl_key"

  * "wsgi_admin_script_source" and "wsgi_public_script_source" please use "wsgi_script_source"

  * "custom_wsgi_process_options_main" and "custom_wsgi_process_options_admin" please use "custom_wsgi_process_options"

* keystone::federation::mellon::admin_port and main_port are deprecated, have no effect and will be removed in a future release.

* keystone::federation::shibboleth::admin_port and main_port are deprecated, have no effect and will be removed in a future release.

* keystone::federation::openidc::admin_port and main_port are deprecated, have no effect and will be removed in a future release.

* keystone::federation::openidc_httpd_configuration is deprecated and will be removed in a future release.
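The upgrade notes ask operators to make sure every service talks to keystone on the port that is actually deployed. The following pre-upgrade check is an added example, not part of puppet-keystone: it scans oslo.config-style INI text for URLs that still use port 35357 and proposes the replacement. The function name, the sample configuration and its host names are constructed for illustration, and matching on the port number alone is a heuristic.

```python
import configparser
import re
from urllib.parse import urlsplit

LEGACY_PORT = 35357   # former keystone admin port, no longer deployed by default
CURRENT_PORT = 5000   # default keystone::wsgi::apache::api_port in this release

# Constructed sample: a service config that still points at the old admin port.
SAMPLE_CONF = """
[DEFAULT]
debug = false
[keystone_authtoken]
www_authenticate_uri = http://controller.example.org:5000
auth_url = http://controller.example.org:35357/v3
memcached_servers = 127.0.0.1:11211
[placement]
auth_url = https://[2001:db8::10]:35357/v3
"""

URL_RE = re.compile(r"https?://[^\s,;'\"]+")

def find_stale_endpoints(text, api_ports=(CURRENT_PORT,)):
    """Return (section, option, url, suggested_url) for URLs on the legacy port."""
    if LEGACY_PORT in api_ports:
        return []  # api_port was given both ports, so 35357 is still served
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True,
        # Treat [DEFAULT] as an ordinary section so its options are not
        # copied into (and reported for) every other section.
        default_section="__unused__")
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        for option, value in parser.items(section):
            for url in URL_RE.findall(value or ""):
                parts = urlsplit(url)
                try:
                    port = parts.port
                except ValueError:  # malformed port in the URL, skip it
                    continue
                if port == LEGACY_PORT:
                    host = parts.netloc.rsplit(":", 1)[0]  # keeps IPv6 brackets
                    fixed = parts._replace(netloc=f"{host}:{api_ports[0]}").geturl()
                    findings.append((section, option, url, fixed))
    return findings

if __name__ == "__main__":
    for section, option, url, fixed in find_stale_endpoints(SAMPLE_CONF):
        print(f"[{section}] {option}: {url} -> {fixed}")
```

Pass `api_ports=(35357, 5000)` when keystone is deployed with both ports for backward compatibility; the check then reports nothing.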
Changes in puppet-keystone 14.1.0..14.2.0
-----------------------------------------

4d679a4 Prepare Stein M2
ace7aeb Remove port 35357 deployment
5a93287 Revert "Remove auth_uri"
2dbb1f3 Add rabbitmq dependency
3288bfc Fix editorial problem
95f02a4 Correct openid federation protocol name in httpd template
7397dae Fix lint
2f8d0c3 Remove auth_uri
5f5eb4c Cleanup documentation
f349eb8 Remove module_plugins
d3c3ff0 Fix module structure
b141b3a Fix lint
8e44af1 update support for openidc in puppet-keystone
a25e8ee Remove deprecated PKI
a2a6d22 Remove deprecated logging parameters
287b45d Change openstack-dev to openstack-discuss
fa21938 Add a LDAP param group_members_are_ids
7ecf923 Remove deprecated class keystone::python
1235a79 Remove deprecated keystone::memcache_servers
ebd139c Remove deprecated keystone::wsgi::wsgi_script_ensure
697be3b Deprecate all paste code

Diffstat (except docs and test files)
-------------------------------------

README.md | 2 +-
ext/keystone_test.rb | 55 ---
ext/keystone_test_v3.rb | 64 ---
lib/puppet/provider/keystone.rb | 4 +-
.../provider/keystone_paste_ini/ini_setting.rb | 1 +
lib/puppet/type/keystone_paste_ini.rb | 3 +
manifests/config.pp | 20 +-
manifests/db/mysql.pp | 16 +-
manifests/db/sync.pp | 4 +-
manifests/deps.pp | 1 +
manifests/disable_admin_token_auth.pp | 34 +-
manifests/disable_v2_api.pp | 24 +-
manifests/federation.pp | 31 ++
manifests/federation/identity_provider.pp | 4 +-
manifests/federation/mellon.pp | 77 ++-
manifests/federation/openidc.pp | 89 ++--
.../federation/openidc_httpd_configuration.pp | 16 +-
manifests/federation/shibboleth.pp | 57 +--
manifests/init.pp | 223 ++-------
manifests/ldap.pp | 6 +
manifests/ldap_backend.pp | 6 +
manifests/logging.pp | 220 ++++-----
manifests/params.pp | 8 +-
manifests/policy.pp | 4 +-
manifests/python.pp | 21 -
manifests/resource/authtoken.pp | 48 +-
manifests/wsgi/apache.pp | 306 +++++-------
metadata.json | 10 +-
...add-group_members_are_ids-7decbef235d0afd8.yaml | 7 +
.../deprecate-keystone-paste-01d714353e5544df.yaml | 8 +
...remove-deprecated-logging-d3004849c0e4e66a.yaml | 6 +
...-deprecated-module_plugin-2a8159de7e119dda.yaml | 6 +
.../remove-deprecated-pki-9a1c242be81e5104.yaml | 19 +
.../remove-memcache-servers-26d449260910ac1c.yaml | 7 +
.../notes/remove-port-35357-ba49d2cf102f8c38.yaml | 64 +++
.../remove-python-class-50fd67c3fcabdac1.yaml | 4 +
...remove-wsgi-script-ensure-8507f913c9d6076c.yaml | 4 +
setup.cfg | 2 +-
.../keystone_federation_identity_provider_spec.rb | 4 -
.../keystone_federation_shibboleth_spec.rb | 4 -
spec/acceptance/keystone_wsgi_apache_spec.rb | 4 -
spec/classes/keystone_config_spec.rb | 13 -
.../keystone_disable_admin_token_auth_spec.rb | 20 -
spec/classes/keystone_federation_mellon_spec.rb | 38 +-
spec/classes/keystone_federation_openidc_spec.rb | 50 +-
.../classes/keystone_federation_shibboleth_spec.rb | 65 +--
spec/classes/keystone_federation_spec.rb | 36 ++
spec/classes/keystone_init_spec.rb | 186 +------
spec/classes/keystone_ldap_spec.rb | 2 +
spec/classes/keystone_wsgi_apache_spec.rb | 547 +++++----------------
spec/defines/keystone_ldap_backend_spec.rb | 2 +
spec/defines/keystone_resource_authtoken_spec.rb | 6 -
spec/unit/provider/keystone_spec.rb | 14 +-
spec/unit/type/keystone_paste_ini_spec.rb | 1 +
templates/openidc.conf.erb | 18 +-
56 files changed, 830 insertions(+), 1726 deletions(-)