Ussuri Series Release Notes

18.0.0.0b1-221

New Features

  • The service updates for keystone will now be executed through delegation to the keystone_service_setup_host which, by default, is localhost (the deploy host). Deployers can opt to rather change this to the utility container by implementing the following override in user_variables.yml.

    keystone_service_setup_host: "{{ groups['utility_all'][0] }}"
    
  • Added support for using mod_auth_openidc instead of shibboleth as a service provider for supporting users who have a preference to use OIDC for federation. Mod_auth_openidc is the apache module that is recommended in the keystone documentation for implementing openidc. Added a variable to called apache_mod to keystone_sp, if left undefined shibboleth will continue to be installed by default provided keystone_sp is not empty. Mod_auth_openidc will not be installed unless it is spelled correctly, any misspellings will result in a shibboleth install. Note that installing shibboleth on Debian based metal distro deployments may break services that depend on libcurl4, as shib2 requires libcurl3, and they are unable to coexist. This can be resolved when there is a shib3 package available in a future release of Ubuntu/Debian. There is currently no support for simultaneous use of shibboleth2 and mod_auth_openidc.

  • The role now supports using the distribution packages for the OpenStack services instead of the pip ones. This feature is disabled by default and can be enabled by simply setting the keystone_install_method variable to distro.

  • Support separate oslo.messaging services for RPC and Notifications to enable operation of separate and different messaging backend servers in keystone.

Upgrade Notes

  • Application credentials are now enabled by default as a keystone authentication method. If deployments do not wish to enable application credentials then the existing keystone_auth_methods variable can be overidden with the required set of authentication methods.

  • The tasks creating a keystone service user have been removed, along with related variables keystone_service_user_name and keystone_service_password. This user can be deleted in existing deployments.

Deprecation Notes

  • The log path, /var/log/keystone is no longer used to capture service logs. All logging for the Keystone service will now be sent directly to the systemd journal.

  • The variable keystone_requires_pip_packages is no longer required and has therefore been removed.

  • The rabbitmq server parameters have been replaced by corresponding oslo.messaging RPC and Notify parameters in order to abstract the messaging service from the actual backend server deployment. - keystone_oslomsg_rpc_servers replaces keystone_rabbitmq_servers - keystone_oslomsg_rpc_port replaces keystone_rabbitmq_port - keystone_oslomsg_rpc_use_ssl replaces keystone_rabbitmq_use_ssl - keystone_oslomsg_rpc_userid replaces keystone_rabbitmq_userid - keystone_oslomsg_rpc_vhost replaces keystone_rabbitmq_vhost - keystone_oslomsg_notify_servers replaces keystone_rabbitmq_telemetry_servers - keystone_oslomsg_notify_port replaces keystone_rabbitmq_telemetry_port - keystone_oslomsg_notify_use_ssl replaces keystone_rabbitmq_telemetry_use_ssl - keystone_oslomsg_notify_userid replaces keystone_rabbitmq_telemetry_userid - keystone_oslomsg_notify_vhost replaces keystone_rabbitmq_telemetry_vhost

Security Issues

  • The default TLS verion has been set to TLS1.2. This only allows version 1.2 of the protocol to be used when terminating or creating TLS connections. You can change the value with the keystone_ssl_protocol variable.

Bug Fixes

  • The conditional that determines whether the sso_callback_template.html file is deployed for federated deployments has been fixed.

Other Notes

  • When running keystone with apache(httpd) all apache logs will be stored in the standard apache log directory which is controlled by the distro specific variable keystone_apache_default_log_folder.