Current Series Release Notes

18.0.0.0b1-323

New Features

  • New variables have been added to control which cache backend is used:

    • openstack_cache_backend: the oslo.cache driver used for caching. Default: oslo_cache.memcache_pool

    • openstack_cache_backend_map: maps the selected backend to the oslo driver that should be installed and configured for it.

  • The service updates for keystone are now executed through delegation to keystone_service_setup_host which, by default, is localhost (the deploy host). Deployers can instead point this at the utility container with the following override in user_variables.yml.

    keystone_service_setup_host: "{{ groups['utility_all'][0] }}"
    
  • The keystone role now supports the option keystone_use_uwsgi, which allows deployers to run keystone via uWSGI without the Apache web server. When keystone_use_uwsgi is enabled, the role sets up the uWSGI process on port 5000.

  • Added support for using mod_auth_openidc instead of Shibboleth as the service provider module, for deployers who prefer OIDC for federation. mod_auth_openidc is the Apache module recommended in the keystone documentation for implementing OpenID Connect. A new key, apache_mod, has been added to keystone_sp; if it is left undefined, Shibboleth continues to be installed by default whenever keystone_sp is not empty. mod_auth_openidc is only installed when the value is spelled exactly; any misspelling results in a Shibboleth install. Note that installing Shibboleth on Debian-based metal deployments may break services that depend on libcurl4, because shib2 requires libcurl3 and the two cannot coexist. This can be resolved once a shib3 package is available in a future Ubuntu/Debian release. There is currently no support for using Shibboleth 2 and mod_auth_openidc simultaneously.

  • The role now supports using the distribution packages for the OpenStack services instead of the pip ones. This feature is disabled by default and can be enabled by setting the keystone_install_method variable to distro.

  • Support separate oslo.messaging services for RPC and notifications, so that keystone can use separate and different messaging backend servers for each.

Upgrade Notes

  • Application credentials are now enabled by default as a keystone authentication method. Deployments that do not wish to enable application credentials can override the existing keystone_auth_methods variable with the required set of authentication methods.

  • The following keystone role variables were previously deprecated and are now removed. Replacement variables were introduced in the Xena release.

    • keystone_database_pool_timeout

    • keystone_database_max_pool_size

    • keystone_database_idle_timeout

  • The keystone installation now uses ansible-role-pki to create and install a server certificate for Apache when keystone_ssl is true. The same role is also used to create a CA certificate and key for SAML federation when keystone_idp is populated by the deployer. For an existing keystone SAML setup the certificate and key will be re-created, which may be undesirable, unless the existing ones are first copied to the relevant directories under /etc/openstack_deploy/pki/roots on the deploy host. The variables keystone_ssl_self_signed_regen and keystone_ssl_self_signed_subject are removed and replaced with equivalent functionality via the new keystone_pki_* variables.

  • Variable keystone_ssl was deprecated in favor of keystone_backend_ssl.

  • Keystone now uses the common uwsgi role for uWSGI deployment. Along with that, the variable keystone_services has been extended with the arguments required for uWSGI. If you override this variable locally, make sure to update its structure accordingly.

  • The Keystone OIDC parameter oidc_redirect_uri is replaced with oidc_redirect_path. This parameter no longer needs to be set explicitly unless you run additional services on the same port as Keystone that could collide with the default. Your OIDC provider may need to be updated to reflect this change: the redirect URI now defaults to the Keystone public URL plus the path /oidc_redirect.

  • The tasks creating a keystone service user have been removed, along with related variables keystone_service_user_name and keystone_service_password. This user can be deleted in existing deployments.

Deprecation Notes

  • For consistency, the following variables were deprecated in favor of new ones in the standardized format used in other repositories:

    • keystone_database_pool_timeout -> keystone_db_pool_timeout

    • keystone_database_max_pool_size -> keystone_db_max_pool_size

    • keystone_database_idle_timeout -> keystone_db_connection_recycle_time

    The deprecated names remain supported until the Yoga release.

  • keystone_database_min_pool_size was deprecated, as it is deprecated in oslo.db.

  • The log path, /var/log/keystone is no longer used to capture service logs. All logging for the Keystone service will now be sent directly to the systemd journal.

  • The variable keystone_requires_pip_packages is no longer required and has therefore been removed.

  • Multiple web server support for keystone has been removed, leaving only Apache, since nginx lacks features required for the federation setup. With this change the following variables are deprecated and have no effect:

    • keystone_web_server

    • keystone_centos_nginx_mirror

    • keystone_centos_nginx_key

    • keystone_nginx_access_log_format_combined

    • keystone_nginx_access_log_format_extras

    • keystone_nginx_ports

    • keystone_nginx_extra_conf

    The nginx web server will be removed and replaced with Apache during upgrade.

  • The rabbitmq server parameters have been replaced by corresponding oslo.messaging RPC and Notify parameters in order to abstract the messaging service from the actual backend server deployment.

    • keystone_oslomsg_rpc_servers replaces keystone_rabbitmq_servers

    • keystone_oslomsg_rpc_port replaces keystone_rabbitmq_port

    • keystone_oslomsg_rpc_use_ssl replaces keystone_rabbitmq_use_ssl

    • keystone_oslomsg_rpc_userid replaces keystone_rabbitmq_userid

    • keystone_oslomsg_rpc_vhost replaces keystone_rabbitmq_vhost

    • keystone_oslomsg_notify_servers replaces keystone_rabbitmq_telemetry_servers

    • keystone_oslomsg_notify_port replaces keystone_rabbitmq_telemetry_port

    • keystone_oslomsg_notify_use_ssl replaces keystone_rabbitmq_telemetry_use_ssl

    • keystone_oslomsg_notify_userid replaces keystone_rabbitmq_telemetry_userid

    • keystone_oslomsg_notify_vhost replaces keystone_rabbitmq_telemetry_vhost

  • The variable keystone_ssl_cipher_suite is deprecated in favour of keystone_ssl_cipher_suite_tls12, which will continue to manage the configuration of ciphers for TLS v1.2 and earlier.

Security Issues

  • The default TLS version has been set to TLS 1.2. This only allows version 1.2 of the protocol to be used when terminating or creating TLS connections. You can change the value with the keystone_ssl_protocol variable; note that re-enabling TLS 1.0 or 1.1 exposes the API to protocols that are formally deprecated (RFC 8996) and should only be done for clients that genuinely cannot negotiate TLS 1.2.

Bug Fixes

  • Fixes use of Apache mod_auth_openidc on Ubuntu Jammy where a new OIDCXForwardedHeaders configuration option is required.

  • Fixed OpenStack command line OIDC integration with Apache mod_auth_openidc >= v2.4.9, including on Ubuntu Jammy.

  • For deployers using Keystone as an OIDC-based Service Provider there has been a spelling fix for the OIDCScope setting. Please use keystone_sp.trusted_idp_list.0.oidc_scope instead of keystone_sp.trusted_idp_list.0.idc_scope.

  • The conditional that determines whether the sso_callback_template.html file is deployed for federated deployments has been fixed.
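
The variable renames, removals and default changes collected in the Upgrade, Deprecation, Security Issues and Bug Fixes notes above are easy to miss in a large user_variables.yml. The following linter is an added example, not part of the os_keystone role or of OpenStack-Ansible: it scans user_variables.yml text for the names listed in these notes and reports the line, the variable and what to do about it. It deliberately uses a simple line scanner for column-0 `key: value` entries and indented keys instead of PyYAML, the embedded sample file is constructed for the example, and the keystone_ssl_protocol check assumes that variable is passed through as an Apache SSLProtocol value (an assumption about how the role consumes it).

```python
"""Lint user_variables.yml for keystone variable changes (added example, stdlib only)."""
import re

# Deprecated or replaced top-level variables and their replacements.
RENAMED = {
    "keystone_database_pool_timeout": "keystone_db_pool_timeout",
    "keystone_database_max_pool_size": "keystone_db_max_pool_size",
    "keystone_database_idle_timeout": "keystone_db_connection_recycle_time",
    "keystone_ssl": "keystone_backend_ssl",
    "keystone_ssl_cipher_suite": "keystone_ssl_cipher_suite_tls12",
    "keystone_rabbitmq_servers": "keystone_oslomsg_rpc_servers",
    "keystone_rabbitmq_port": "keystone_oslomsg_rpc_port",
    "keystone_rabbitmq_use_ssl": "keystone_oslomsg_rpc_use_ssl",
    "keystone_rabbitmq_userid": "keystone_oslomsg_rpc_userid",
    "keystone_rabbitmq_vhost": "keystone_oslomsg_rpc_vhost",
    "keystone_rabbitmq_telemetry_servers": "keystone_oslomsg_notify_servers",
    "keystone_rabbitmq_telemetry_port": "keystone_oslomsg_notify_port",
    "keystone_rabbitmq_telemetry_use_ssl": "keystone_oslomsg_notify_use_ssl",
    "keystone_rabbitmq_telemetry_userid": "keystone_oslomsg_notify_userid",
    "keystone_rabbitmq_telemetry_vhost": "keystone_oslomsg_notify_vhost",
}
# Variables that were removed outright or now have no effect.
REMOVED = {
    "keystone_database_min_pool_size", "keystone_requires_pip_packages",
    "keystone_ssl_self_signed_regen", "keystone_ssl_self_signed_subject",
    "keystone_service_user_name", "keystone_service_password",
    "keystone_web_server", "keystone_centos_nginx_mirror", "keystone_centos_nginx_key",
    "keystone_nginx_access_log_format_combined", "keystone_nginx_access_log_format_extras",
    "keystone_nginx_ports", "keystone_nginx_extra_conf",
}
# Keys renamed inside keystone_sp.trusted_idp_list entries.
NESTED_RENAMED = {"oidc_redirect_uri": "oidc_redirect_path", "idc_scope": "oidc_scope"}
WEAK_PROTOCOLS = ("sslv2", "sslv3", "tlsv1", "tlsv1.1")

TOP_LEVEL = re.compile(r"^([A-Za-z_]\w*)\s*:\s*(.*)$")   # column-0 key: value
NESTED = re.compile(r"^\s+-?\s*([A-Za-z_]\w*)\s*:")       # indented (list item) key


def weak_tls_protocols(value):
    """Pre-1.2 protocols an Apache SSLProtocol-style value leaves enabled.
    Assumption: keystone_ssl_protocol is passed through to SSLProtocol, so
    both the 'ALL -SSLv3 -TLSv1' and the '+TLSv1.2' forms are understood."""
    enabled, disabled, all_on = set(), set(), False
    for tok in value.strip("\"'").split():
        name = tok.lstrip("+-").lower()
        if tok.startswith("-"):
            disabled.add(name)
        elif name == "all":
            all_on = True
        else:
            enabled.add(name)
    return [p for p in WEAK_PROTOCOLS if p in enabled or (all_on and p not in disabled)]


def lint(text):
    """Scan user_variables.yml text; return (line, variable, message) in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        top = TOP_LEVEL.match(line)
        if top:
            key, value = top.group(1), top.group(2).strip()
            if key in RENAMED:
                findings.append((lineno, key, f"deprecated: use {RENAMED[key]}"))
            elif key in REMOVED:
                findings.append((lineno, key, "removed: has no effect"))
            elif key == "keystone_auth_methods" and "application_credential" not in value:
                findings.append((lineno, key,
                                 "override omits application_credential, now enabled by default"))
            elif key == "keystone_ssl_protocol":
                weak = weak_tls_protocols(value)
                if weak:
                    findings.append((lineno, key,
                                     "enables pre-TLS 1.2 protocols: " + ", ".join(weak)))
            continue
        nested = NESTED.match(line)
        if nested and nested.group(1) in NESTED_RENAMED:
            key = nested.group(1)
            findings.append((lineno, key, f"renamed: use {NESTED_RENAMED[key]}"))
    return findings


# Constructed sample input for the example (not a real deployment file).
SAMPLE = """\
# user_variables.yml fragment written for this example
keystone_database_idle_timeout: 600
keystone_rabbitmq_telemetry_vhost: /keystone
keystone_web_server: nginx
keystone_auth_methods: "password,token"
keystone_ssl_protocol: "ALL -SSLv2 -SSLv3"
keystone_sp:
  apache_mod: mod_auth_openidc
  trusted_idp_list:
    - name: example-idp
      oidc_redirect_uri: "https://keystone.example.test:5000/oidc_redirect"
      idc_scope: "openid email profile"
"""

if __name__ == "__main__":
    for lineno, key, msg in lint(SAMPLE):
        print(f"line {lineno}: {key}: {msg}")
```

Run against a real file with `lint(open("/etc/openstack_deploy/user_variables.yml").read())`. The scanner only recognises keys at column 0 and simple indented keys, so variables defined through Jinja includes or anchors are not seen; treat a clean result as a first pass, not as proof that no deprecated name remains.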

Other Notes

  • When running keystone with Apache (httpd), all Apache logs are stored in the standard Apache log directory, which is controlled by the distro-specific variable keystone_apache_default_log_folder.

  • The keystone role now has the ability to run a minimal uWSGI process for keystone when keystone_use_uwsgi is set to true. This gives operators the ability to run a minimal install without Apache. While the minimal deployment is functional, it is not featureful: things like mod_shib and oath are not supported in the minimal setup.