Ocata Series Release Notes
- The flag 'create_domain_entry' was added to the 'keystone::ldap_backend' resource. It defaults to false. If set to true, it will create the domain in keystone and will attempt to refresh the keystone server. Note that in order for the keystone server to be refreshed, the 'manage_service' and 'enabled' flags need to be set in the base ::keystone module.
- The token flush cron job has been modified to run every hour instead of once a day, because the daily run was causing issues with larger deployments: the operation would take too long and sometimes even fail because the transaction was so large. Note that this only affects people using the UUID token provider.
- Add oslo.messaging notification transport_url via puppet-oslo resource.
- The email parameter is now optional for roles::admin; its default value is admin@localhost.
- Federation with mellon now supports Web Single Sign-On (SSO): when configuring federation using mellon, setup of Web Single Sign-On can be enabled.
- group_allow_* options for ldap are deprecated in Keystone. Setting these will now have no effect and these will be removed as parameters in a future release.
- The signing_dir option is now deprecated for removal; the parameter has no effect.
- keystone-manage can be used to set up Keystone Fernet keys. This is disabled by default as long as the proper version of keystone is not in UCA. Upstream Keystone is moving to Fernet token support as the default provider. With recent issues with PKI, Fernet is the only viable token format for multisite.
Note: if the fernet_keys parameter is set to a valid hash, keystone-manage won't be used to generate credential keys; instead Puppet will manage a file resource for each key in the hash. This ensures that the keys are synchronized in a multinode environment.
- The Python memcache package is now installed when memcache servers are specified. This solves the issue where a dependency on the package was missed for components using memcache.
- Fernet token is now the default token provider for keystone.
- keystone::enable_fernet_setup is now true by default to ensure fernet tokens work out of the box.
- user_allow_* options for ldap are deprecated in Keystone. Setting these will now have no effect and these will be removed as parameters in a future release.
- keystone::rabbit_host, keystone::rabbit_hosts, keystone::rabbit_password, keystone::rabbit_port, keystone::rabbit_userid and keystone::rabbit_virtual_host are deprecated. keystone::default_transport_url should be used instead.
- Make the fernet key directory, fernet keys, credential folder, and credentials have mode 0600. This ensures that only the keystone user can read the keys.
- Fixed documentation for the log_dir parameter.
- Parameters that control the number of spawned child processes for distributing processing have had their default value changed from ::processorcount to ::os_workers.
- The verbose option was deprecated in Newton and is marked for removal in Ocata.
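The following manifest is an added example, not code from the puppet-keystone project, and pulls together the notes above on create_domain_entry, the manage_service/enabled flags, the Fernet defaults, the fernet_keys hash and the rabbit_* deprecation. All hostnames, key contents and passwords are constructed placeholders; parameter names not mentioned in the notes (token_provider, url, user, password) and the exact layout of the fernet_keys hash are assumptions.

```puppet
# Added example (not from the puppet-keystone release notes): a node-level
# manifest applying the Ocata notes above. Key material and credentials are
# constructed placeholders; the fernet_keys hash layout
# (absolute key path => { content => ... }) is assumed.
class { '::keystone':
  # Required so that keystone::ldap_backend can refresh the service after
  # creating a domain (create_domain_entry => true below).
  manage_service        => true,
  enabled               => true,
  # Fernet is the default provider in Ocata and enable_fernet_setup is also
  # true by default; both are spelled out here only for clarity.
  token_provider        => 'fernet',
  enable_fernet_setup   => true,
  # With fernet_keys set, Puppet manages each key file itself instead of
  # running keystone-manage, so every node in a multinode deployment ends up
  # with the same key set (files mode 0600, readable by the keystone user only).
  fernet_keys           => {
    '/etc/keystone/fernet-keys/0' => { content => 'PLACEHOLDER_STAGED_KEY_0' },
    '/etc/keystone/fernet-keys/1' => { content => 'PLACEHOLDER_PRIMARY_KEY_1' },
  },
  # The rabbit_* parameters are deprecated; use the transport URL instead.
  default_transport_url => 'rabbit://keystone:PLACEHOLDER_PASSWORD@rabbit.example.org:5672/',
}

# LDAP-backed identity domain; with create_domain_entry the domain is created
# in keystone and the service refreshed (which needs the two flags above).
keystone::ldap_backend { 'example_ldap_domain':
  url                 => 'ldap://ldap.example.org',
  user                => 'cn=keystone,dc=example,dc=org',
  password            => 'PLACEHOLDER_BIND_PASSWORD',
  create_domain_entry => true,
}
```

When distributing a fernet_keys hash this way, rotate by adding a new primary key and demoting the old one on every node in the same Puppet run, otherwise tokens issued by one node fail validation on the others.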