Ocata Series Release Notes


Bug Fixes

  • Fixed a bug where the keystone_user resource would test the password with a disabled project causing it to think the password was changed when it actually wasn’t.


Bug Fixes

  • issue with python-ldappool and python-ldap uninstalling each other each run.


New Features

  • The flag ‘create_domain_entry’ was added to the ‘keystone::ldap_backend’ resource. It defaults to false. But, if set to true, it will create the domain in keystone and will attempt to refresh the keystone server. Note that in order for the keystone server to be refreshed, the ‘manage_service’ and ‘enabled’ flags need to be set in the base ::keystone module.

Bug Fixes

  • The token flush cron job has been modified to run every hour instead of once a day. This is because this was causing issues with larger deployments, as the operation would take too long and sometimes even fail because of the transaction being so large. Note that this only affects people using the UUID token provider.


New Features

  • Add oslo.messaging notification transport_url via puppet-oslo resource.

  • Email parameter is now optional for roles::admin and the default value will be admin@localhost.


New Features

  • Federation mellon support Web Single Sign-On (SSO) When configuring federation using mellon enable setup of Web Single Sign-On.

Deprecation Notes

  • group_allow_* options for ldap are deprecated in Keystone. Setting these will now have no effect and these will be removed as parameters in a future release.

  • signing_dir option is now deprecated for removal, the parameter has no effect.


New Features

  • keystone-manage can be used to setup Keystone Fernet Keys. Disabled by default as long as the proper version of keystone is not in UCA. Upstream Keystone is moving to Fernet token support as the default provider. With recent issues witj PKI, Fernet is the only viable token format for multisite. Note, if fernet_keys parameter is set to a valid hash, keystone-manage won’t be used to generate credential keys but Puppet will manage file resources for each key in the hash. It allows ensures that a the keys are synchronized in a multinode environment.

Known Issues

  • Python memcache package install when memcache servers are specified. This solves the issue where a dependency on the package was missed for components using memcache.

Upgrade Notes

  • Fernet token is now the default token provider for keystone.

  • keystone::enable_fernet_setup is now true by default to ensure fernet tokens work out of the box.

Deprecation Notes

  • user_allow_* options for ldap are deprecated in Keystone. Setting these will now have no effect and these will be removed as parameters in a future release.

  • keystone::rabbit_host, keystone::rabbit_hosts, keystone::rabbit_password, keystone::rabbit_port, keystone::rabbit_userid and keystone::rabbit_virtual_host are deprecated. keystone::default_transport_url should be used instead.

Security Issues

  • Make the fernet key directory, fernet keys, credential folder, and credentials have mode 0600. This ensures that only the keystone user can read the keys.

Bug Fixes

  • Fixed documentation for log_dir parameter

Other Notes

  • Parameters that control the number of spawned child processes for distributing processing have had their default value changed from ::processorcount to ::os_workers.

  • The verbose option was marked to be removed in Ocata, in Newton the option was deprecated.