Pike Series Release Notes


New Features

  • In Keystone, we can set group_members_are_ids option. This parameter enables the members of the group object class to be keystone user IDs rather than LDAP DNs. This is the case when using posixGroup as the group object class in Open Directory.

  • Adds user_description_attribute mapping support to the LDAP backend.

  • Add openstack-db tag to Exec that run db-sync.

Bug Fixes

  • Fixed a bug where the keystone_user resource would test the password with a disabled project causing it to think the password was changed when it actually wasn’t.


New Features

  • Added parameters for advanced configuration of httpd access and error logs destinations, like syslog (see mod_syslog). Note that this feature requires Apache2 >= 2.5.0. Lesser versions do not provide the required mod_syslog module.

Bug Fixes

  • issue with python-ldappool and python-ldap uninstalling each other each run.


New Features

  • Add two parameters to apache wsgi to allow overwrite and/or add additional wsgi process options.

Upgrade Notes

  • Deprecated keystone authtoken signing_dir option is removed in Pike.


Bug Fixes

  • The token flush cron job has been modified to run every hour instead of once a day. This is because this was causing issues with larger deployments, as the operation would take too long and sometimes even fail because of the transaction being so large. Note that this only affects people using the UUID token provider.


New Features

  • The flag ‘create_domain_entry’ was added to the ‘keystone::ldap_backend’ resource. It defaults to false. But, if set to true, it will create the domain in keystone and will attempt to refresh the keystone server. Note that in order for the keystone server to be refreshed, the ‘manage_service’ and ‘enabled’ flags need to be set in the base ::keystone module.

  • Add new parameter “rpc_response_timeout”, seconds to wait for a response from a call

  • Add support for oslo_messaging_amqp 1.0 backend via puppet-oslo resource

  • Calls to the ‘::keystone::resource::service_identity’ will automatically create roles as needed. So if a role is specified, the resource will make sure it exists.

  • Implement a basic crontab that does fernet keys rotations with keystone::cron::fernet_rotate class. This crontab won’t take care of the key distribution but just run keystone-manage fernet_rotate command in a scheduled way.

  • The parameter ‘fernet_replace_keys’ was added; this tells the manifest to not replace the fernet keys if they have been added already. This is useful in cases where rotation happens outside of puppet, and running puppet again would replace the keys and result in an invalid setup.

Deprecation Notes

  • keystone::endpoint::version is not default to undef which means Keystone endpoints will be versionless by default, so it enables services to reach Keystone v3 with is the current stable version. Therefore, we don’t need the version parameter, so we deprecate it in this cycle and will remove it later. If the user used to set ‘unset’ to $version, it will keep v2.0 endpoint but a migration to undef is recommended.