Mitaka Series Release Notes


Bug Fixes

  • Fixes bug 1559013 so that updating a keystone_endpoint does not recreate all endpoints when one or two network endpoints are missing.


New Features

  • An ensure parameter was added to the service identity resource to allow control of keystone types within the resource.

Deprecation Notes

  • The single wsgi script for both the keystone admin and public endpoints has been deprecated upstream. As such, our support of a single wsgi script for keystone is also deprecated.

Other Notes

  • Add support for the newer admin and public wsgi scripts for keystone. Also added is the ability to provide a custom script for each of these. By default, the module will leverage scripts provided by the keystone package.



Support for multi-domain has been added. You can configure LDAP identity drivers along with the sql driver and have multi-domain working.

New Features

  • Provides a boolean to determine whether policy-rc.d should be managed for the keystone eventlet service.

  • Support for multi-domain.

  • Remove prefetch in keystone_user/keystone_user_role.

Known Issues

  • The Keystone eventlet service is auto-started on Debian-based systems on package install.

Upgrade Notes

  • The removal of prefetch and the associated instances class function could impact users that somehow use the commands puppet resource keystone_user or puppet resource keystone_user_role in production. Those commands won’t work anymore. Use the associated openstack commands directly to get the same effect.

Bug Fixes

  • Fixes bug 1554555, where the openstack cli provider needs to pass the domain in v3 calls.

  • Fixes bug 1485508, where the keystone_user provider fails when domain_specific_drivers_enabled=True.



This is the first Mitaka release for the puppet-keystone module.

New Features

  • Add keystone::disable_admin_token_auth class. Allows disabling admin_token (highly recommended by the Keystone team) after an initial bootstrap.

  • Federation support for Mellon.

  • Run keystone-manage bootstrap. Per upstream Keystone Mitaka commit 7b7fea7a3fe7677981fbf9bac5121bc15601163, keystone no longer creates the default domain during the db_sync. This feature enables the use of keystone-manage bootstrap by default.

  • Moves all dependencies to an external class. This allows keystone to be installed and managed via external mechanisms like venvs or docker.

  • Resource keystone_identity_provider for Keystone, used for Identity Federation. The remote-id parameter is missing from the openstack client Kilo release on most distributions, so this provider will work starting with Liberty.

  • Add the ability to manage LDAP support packages or not. In some instances you may not want this module installing the LDAP support packages even if you are using LDAP with keystone. The default behavior will be no change from before.

  • Add keystone domain specific configuration. Adds a provider able to configure multiple domains and two parameters in the keystone class to set up a working multi-domain configuration.

  • Support for multiple LDAP backends. It enables users to inject multiple LDAP backend configurations into keystone.

  • Add policy driver option for Keystone. This option allows configuring the policy backend driver in the keystone.policy namespace. The new parameter is policy/driver, using the Keystone default value.

  • The module no longer manages the POSIX users/groups, files and directories that are already managed by packaging.

Upgrade Notes

  • Usage of the $::os_service_default function in the init, db and logging classes. It makes sure that some Keystone parameters use OpenStack default values.

Deprecation Notes

  • Remove deprecated tenant LDAP parameters.

  • keystone::python class is deprecated, please use keystone::client.

  • Remove unused and broken keystone::dev::install class.

Bug Fixes

  • Fixes bug 1533913 so admin user role is applied in admin_project_domain and admin_user_domain.

  • Fixes bug 1535939 so the endpoint provider takes the regions into account.

  • Fixes bug 1522541 so when /root/openrc is present and has a v2 auth_url, the Keystone_user resource will not fail to check credentials.

  • Hash domains by name, improving the performance of providers when managing a lot of resources in the same domain (users and projects).

  • Sanitize providers for IPv6 by making sure the IP has brackets when needed.


New Features

  • Release notes are no longer maintained by hand; we now use the reno tool to manage them.

Bug Fixes

  • Fixes bug 1523393 so we’re able to correctly configure cache memcache servers options for Keystone.