Newton Series Release Notes


Bug Fixes

  • The token flush cron job has been modified to run every hour instead of once a day. This is because this was causing issues with larger deployments, as the operation would take too long and sometimes even fail because of the transaction being so large. Note that this only affects people using the UUID token provider.


New Features

  • keystone-manage can be used to setup Keystone Fernet Keys. Disabled by default as long as the proper version of keystone is not in UCA. Upstream Keystone is moving to Fernet token support as the default provider. With recent issues witj PKI, Fernet is the only viable token format for multisite. Note, if fernet_keys parameter is set to a valid hash, keystone-manage won’t be used to generate credential keys but Puppet will manage file resources for each key in the hash. It allows ensures that a the keys are synchronized in a multinode environment.

Known Issues

  • Python memcache package install when memcache servers are specified. This solves the issue where a dependency on the package was missed for components using memcache.


New Features

  • admin_password is now an argument to the main class. This is needed because keystone-manage bootstrap should be taking the admin_password, not the admin_token. The admin_password will initially default to the value of the admin_token, but the admin_token is on a path to deprecation and is already deprecated in Keystone itself, so do not rely on the default.

  • python-ldap follows/chases referrals with anonymous access but this is disabled by default in Active Directory. There is an argument to set this to default to disabled but for the moment just present an option for the user to choose.


New Features

  • It is now possible to set a specific certificate and key files for the admin endpoint when it’s deployed over apache. It used to be the case that the public and admin endpoints had to match.

  • This adds a specific servername parameter for the admin endpoint’s vhost. This is useful in cases where the admin endpoint will serve a different certificate (on a different hostname) than the public endpoint.

  • keystone-manage can be used to setup Keystone credentials. Disabled by default as long as the proper version of keystone is not in UCA. It has been a requirement in Keystone upstream so puppet-keystone will support the management of credential directory, keystone-manage credential_setup execution (can be enabled with enable_credential_setup boolean) and the configuration of credential/key_repository in keystone.conf. Note, if credential_keys parameter is set to a valid hash, keystone-manage won’t be used to generate credential keys but Puppet will manage file resources for each key in the hash. It allows to generate the same keys in multinode environment.


New Features

  • Ensure parameter was added to service identity resource to allow control of keystone types within resource.

  • allows configuring cors settings.

Upgrade Notes

  • All keystone-manage execs are performed now only by keystone user.

Deprecation Notes

  • Fernet token is recommended in Mitaka release. The default for token_provider will be changed to Fernet in O release.

Bug Fixes

  • Fixed the keystone::wsgi::apache parameters for supplying custom admin and public wsgi scripts.


New Features

  • Implement bug 1589933 so now one associate the admin to admin_role for an entire domain if it uses the target_admin_domain parameter in the auth.pp class.

Upgrade Notes

  • update undef parameters in authtoken.pp to use $::os_service_default

  • Add all missing parameters and remove deprecated ones to configure keystone_authtoken section.

Bug Fixes

  • Fixes bug 1559013 so update of a keystone_endpoint does not recreate all endpoints when one or two network endpoint are missing.

  • Fixes bug 1597357 exits? was not using any retry as it expects an error to determine if the user exist. This fix it and enable classic retry mechanism for other errors.

Other Notes

  • If you use Ubuntu Cloud Archives (Canonical) packages and you set manage_policyrcd to true, you won’t be able to deloy OpenStack Mitaka.



Support for multi-domain has been added. You can configure LDAP identity drivers along with the sql, and have multi-domain working.

New Features

  • Add keystone::disable_admin_token_auth class Allow to disable admin_token (highly recommended by Keystone team) after an initial bootstrap.

  • Federation support for Mellon.

  • Run keystone-manage bootstrap Per upstream Keystone Mitaka commit 7b7fea7a3fe7677981fbf9bac5121bc15601163 keystone no longer creates the default domain during the db_sync. This feature enables by default the usage of keystone-manage bootstrap.

  • moves all dependencies to an external class. This allows keystone to be installed and managed via external mechanisms like venvs or docker.

  • Resource keystone_identity_provider for Keystone, used for Identity Federation. The remote-id parameter is missing from openstack client Kilo release on most distributions so this provider will work starting with Liberty.

  • Add the ability to manage LDAP support packages or not. In some instances you may not want this module installing the LDAP support packages even if you are using LDAP with keystone. The default behavior will be no change from before.

  • Add keystone domain specific configuration. Adds a provider able to configure multiple domains and two parameters in keystone class to setup a working multi-domains configuration.

  • Support for multiple ldap backend. It enables users to inject multiple ldap backend configurations into keystone.

  • Add policy driver option for Keystone. This option allows to configure the policy backend driver in the keystone.policy namespace. New parameter is policy/driver, using Keystone default value.

  • Provides bool to determine if policy-rc.d should be managed for keystone eventlet service.

  • The module no longer manages POSIX users/groups, file and directory, that are already managed by packaging.

  • Support for multi-domain;

  • Remove prefetch in keystone_user/keystone_user_role

  • Switch to puppet-oslo resource usage (instead of manual configuration file editing).

Known Issues

  • Keystone eventlet service is auto-started on debian based systems on package install.

Upgrade Notes

  • Usage of $::os_service_default function in init, db and logging classes. It will make sure that some Keystone parameters are using OpenStack default values.

  • The prefetch and associated instances class function removal could impact users that somehow use the command puppet resource keystone_user or puppet resource keystone_user_role in production. Those commands won’t work anymore. Directly use the associated openstack commands to get the same effect.

Deprecation Notes

  • Deprecate PKI signing related parameters.

  • Remove deprecated tenant LDAP parameters.

  • The single wsgi script for both the keystone admin and public endpoints have been deprecated upstream. As such, our support of a single wsgi script for keystone is also deprecated.

  • keystone::python class is deprecated, please use keystone::client.

  • Remove unused and broken keystone::dev::install class.

  • service_provider parameter is deprecated, does nothing and will be removed in a future release. The parameter has no effect. The Service provider will be found by Puppet itself. If you really need to override this value, please use a Puppet resource collector, using keystone-service resource tag.

  • verbose option is now deprecated for removal, the parameter has no effect.

Bug Fixes

  • Fixes bug 1533913 so admin user role is applied in admin_project_domain and admin_user_domain.

  • Fixes bug 1535939 so endpoint provider take the regions in account.

  • Fixes bug 1522541 so when /root/openrc is present and has a v2 auth_url, the Keystone_user resource will not fail to check credentials.

  • Hash domains by name. Improving performances of providers when managing lot of resources in the same domain (users and projects).

  • Sanitize providers for IPv6 by making sure the IP has brackets when needed.

  • Fixes bug 1563261 so when using LDAP backend, identity_driver, credential_driver and assignment_driver parameters will be configured in the Domain section, with other LDAP parameters.

  • Fixes bug 1554555 so openstack cli provider needs to pass domain in v3 calls

  • Fixes bug 1485508 so when domain_specific_drivers_enabled=True keystone_user provider fails.

Other Notes

  • Drop all Qpid support, it was removed from Oslo in Mitaka.

  • Add support for the newer admin and public wsgi scripts for keystone. Also added is the ability to provide a custom script for each of these. By default, the module will leverage scripts provided by the keystone package.