Stein Series Release Notes

New Features

  • The service setup in keystone for barbican will now be executed through delegation to the barbican_service_setup_host which, by default, is localhost (the deploy host). Deployers can instead delegate this to the utility container by setting the following override in user_variables.yml:

    barbican_service_setup_host: "{{ groups['utility_all'][0] }}"

  • The role now supports using the distribution packages for the OpenStack services instead of the pip packages. This feature is disabled by default and can be enabled by setting the barbican_install_method variable to distro.

  • Support separate oslo.messaging services for RPC and Notifications to enable operation of separate and different messaging backend servers in barbican.

Deprecation Notes

  • The variable barbican_requires_pip_packages is no longer required and has therefore been removed.

  • The log path /var/log/barbican is no longer used to capture service logs. All logging for the barbican service will now be sent directly to the systemd journal.

  • The rabbitmq server parameters have been replaced by corresponding oslo.messaging RPC and Notify parameters in order to abstract the messaging service from the actual backend server deployment.

    - barbican_oslomsg_rpc_servers replaces rabbitmq_servers
    - barbican_oslomsg_rpc_port replaces rabbitmq_port
    - barbican_oslomsg_rpc_userid replaces barbican_rabbitmq_userid
    - barbican_oslomsg_rpc_vhost replaces barbican_rabbitmq_vhost
    - added barbican_oslomsg_rpc_use_ssl
    - added barbican_oslomsg_notify_servers
    - added barbican_oslomsg_notify_port
    - added barbican_oslomsg_notify_use_ssl
    - added barbican_oslomsg_notify_userid
    - added barbican_oslomsg_notify_vhost
    - added barbican_oslomsg_notify_password

Security Issues

  • The default TLS version has been set to TLS1.2. This only allows version 1.2 of the protocol to be used when terminating or creating TLS connections. You can change the value with the barbican_ssl_protocol variable.