Stein Series Release Notes
Allow specifying the drivername for the postgres db.
Add support for configuring [oslo_middleware]/max_request_body_size via $max_request_body_size in the keystone class.
In this release Ubuntu has moved all projects that supported it to python3 which means that there will be a lot of changes. The Puppet OpenStack project does not test the upgrade path from python2 to python3 packages so there might be manual steps required when moving to the python3 packages.
This module now requires a puppetlabs-mysql version >= 6.0.0
Ubuntu packages now use python3; the upgrade path is not tested by Puppet OpenStack, so manual steps may be required when upgrading.
The keystone::token_driver parameter, which has had no effect for the past couple of releases, is now deprecated. When set to memcache, this parameter used to install the appropriate python-memcache package. Now that this is removed, you need to ensure keystone::manage_backend_package is set properly if you have caching enabled, since that parameter manages the package now. The default value of manage_backend_package is true, so unless you explicitly set it to false no change is required on your part.
The keystone::token_driver parameter is now deprecated, has no effect and will be removed in a future release.
Fixed a bug where the keystone_user resource would test the password against a disabled project, causing it to think the password had changed when it actually had not.
The default interface for the keystone providers is to use the “public” interface. This was changed from the “admin” one, since v3 doesn’t require it, and the keystone team even discourages using it.
As of this release, puppet-keystone no longer deploys keystone with separate ports (admin and public, as they were called in v2.0). By default keystone only listens on port 5000; make sure all your services are configured to use the correct port to talk to keystone.
In Keystone, we can set the group_members_are_ids option. This parameter makes the members of the group object class keystone user IDs rather than LDAP DNs. This is the case when using posixGroup as the group object class in Open Directory.
Added new parameter keystone::federation::openidc::keystone_url that can be used to set the keystone URL for federation; if not provided, keystone::public_endpoint is used.
The deprecated parameters keystone::debug, keystone::use_syslog, keystone::use_stderr and keystone::log_facility have been removed; please set them in the keystone::logging class instead.
The deprecated parameters keystone::enable_pki_setup, signing_certfile, signing_keyfile, signing_ca_certs, signing_ca_key, signing_cert_subject and signing_key_size have now been removed.
The deprecated parameter keystone::memcache_servers has now been removed, along with the automatic behavior that set cache_enabled and cache_backend from it. You must now set cache_memcached_servers, explicitly set cache_enabled to true, and set cache_backend to the backend you want to use for caching.
Keystone is now deployed with only port 5000. You can change this with keystone::wsgi::apache::api_port, but you need to make sure all your services are configured to talk to keystone on that port. If you want to keep backward compatibility with port 35357, pass an array to api_port containing both 35357 and 5000.
keystone::wsgi::apache::admin_bind_host is now deprecated and has no effect. If you were deploying separated networks by specifying both admin_bind_host and bind_host, you must now merge the value set in admin_bind_host into the bind_host parameter. The default value of bind_host has not changed and is still undef, which makes the Keystone vhost listen on 0.0.0.0.
The providers have been updated to read DEFAULT/public_port, which defaults to 5000, and use that port to talk to Keystone when managing resources. If you deploy Keystone with Apache WSGI, make sure keystone::public_port is set to one of the ports Keystone listens on as configured with keystone::wsgi::apache::api_port.
If you set keystone::admin_bind_host and/or keystone::public_bind_host, make sure they point to networks that both have access to the port specified in the new parameter keystone::wsgi::apache::api_port (the port Apache listens on) and to the port configured with keystone::public_port (the port used by the providers).
keystone::federation::mellon is now added to the Keystone WSGI vhost for port 5000 by default; its admin_port and main_port parameters do nothing and are deprecated.
keystone::federation::shibboleth is now added to the Keystone WSGI vhost for port 5000 by default; its admin_port and main_port parameters do nothing and are deprecated.
keystone::federation::openidc is now added to the Keystone WSGI vhost for port 5000 by default; its admin_port and main_port parameters do nothing and are deprecated.
The keystone::federation::openidc::keystone_url parameter has been added to give the keystone endpoint; if it is not provided, keystone::public_endpoint will be used. We recommend that you set it, since keystone::public_endpoint might be deprecated in a future release.
The deprecated keystone::python class is now removed.
The deprecated parameter keystone::wsgi::wsgi_script_ensure has now been removed.
The keystone_paste_ini resource, keystone::config::keystone_paste_config, keystone::disable_admin_token_auth, keystone::disable_v2_api and keystone::paste_config are all deprecated and have no effect on how Keystone behaves. They will be removed in the next release; Keystone does not read the paste configuration in Stein.
keystone::federation::mellon::module_plugin, keystone::federation::shibboleth::module_plugin, keystone::federation::openidc::module_plugin have been removed.
The keystone::cache_dir parameter is now deprecated and will be removed in a future release. It has no effect since it was only related to PKI which is removed.
The parameter keystone::resource::authtoken::check_revocations_for_cached is deprecated and will be removed in a future release. It was related to PKI which is removed.
The parameter keystone::resource::authtoken::hash_algorithms is deprecated and will be removed in a future release. It was related to PKI which is removed.
As of the removal of port 35357, the following parameters are deprecated in the keystone::wsgi::apache class and have no effect:
keystone::federation::mellon::admin_port and main_port are deprecated, have no effect and will be removed in a future release.
keystone::federation::shibboleth::admin_port and main_port are deprecated, have no effect and will be removed in a future release.
keystone::federation::openidc::admin_port and main_port are deprecated, have no effect and will be removed in a future release.
keystone::federation::openidc_httpd_configuration is deprecated and will be removed in a future release.
Add new parameter amqp_durable_queues to indicate whether to use durable queues in AMQP.
Added new parameter keystone::manage_backend_package, which is passed to the oslo::cache class and determines whether the backend cache python library should be installed. Defaults to true, the same as the oslo::cache default.
Added new parameters password_hash_algorithm and password_hash_rounds to keystone class that can be used to configure the password hash algorithm.
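As an added example (not a manifest from the puppet-keystone project), a Stein-style manifest that applies the port, bind-host, caching, logging and password-hash changes described in the notes above; the memcached addresses, hash settings and host values are constructed for illustration.

```puppet
# Added example, not from puppet-keystone. Constructed values: memcached
# servers, hash algorithm/rounds, bind_host.

# Logging options moved out of the keystone class into keystone::logging.
class { 'keystone::logging':
  debug        => false,
  use_syslog   => true,
  use_stderr   => false,
  log_facility => 'LOG_LOCAL0',
}

class { 'keystone':
  # Providers read DEFAULT/public_port; it must be one of the ports Apache
  # listens on (see api_port below).
  public_port             => 5000,
  # memcache_servers no longer implies caching: all three are explicit now.
  cache_enabled           => true,
  cache_backend           => 'dogpile.cache.memcached',
  cache_memcached_servers => ['192.0.2.10:11211', '192.0.2.11:11211'],
  # Installs the python cache backend library that token_driver used to pull in.
  manage_backend_package  => true,
  # Password hashing for SQL identity; constructed values.
  password_hash_algorithm => 'bcrypt',
  password_hash_rounds    => 12,
  # [oslo_middleware]/max_request_body_size (bytes).
  max_request_body_size   => 114688,
}

class { 'keystone::wsgi::apache':
  # Keystone listens on 5000 only. 35357 is kept in the array solely for
  # services not yet moved to public_port; drop it once they are migrated.
  api_port  => [5000, 35357],
  # admin_bind_host is deprecated: the former admin network must be merged
  # into bind_host, which alone decides the vhost's listen address.
  bind_host => '0.0.0.0',
}
```

Leaving 35357 in api_port keeps a second listener open that the providers never use, so treat it as a transition setting to remove once every service has been switched to the port in public_port.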