Train Series Release Notes
Adding the following configurable items for OpenID:
The keystone::federation::openidc class now supports the new openidc_response_mode parameter, to customize the mod_auth_openidc response mode.
The content of fernet keys and credential keys is now hidden from output when these files are updated.
Add TLS options to oslo.cache
Allow specifying the drivername for the postgres db
Adds the interface parameter to keystone::resource::authtoken to allow services to configure the interface to use for the Identity API endpoint. Valid values are “public”, “internal” or “admin”.
The keystone::endpoint::service_description parameter has been added with the default value of ‘OpenStack Identity Service’ (moved from hardcoded value to a parameter). This is used when setting the description on the identity service managed by the keystone::endpoint class.
Workers are raised to 2 x os_workers, so that we have as many workers as we had before we merged the 2 keystone services (public and admin).
Fixed a bug where the keystone::resource::authtoken resource would not install the proper python memcache bindings when using python3.
The default/public_endpoint parameter is no longer set by default because of a known issue with different hosts/protocols used for each endpoint (especially for the admin endpoint and public endpoint).
In case public_endpoint can’t be used and keystone providers are required, the deprecated keystone::public_port can still be used so that all provider implementations can detect the endpoint url from these parameters. These parameters are added to keystone.conf if a non-default value is set.
keystone::public_bind_host and keystone::public_port are now fully deprecated, and don’t affect the corresponding parameters under the eventlet section. These parameters are currently used to generate public_host only if keystone::public_endpoint is not set. However, users should use public_endpoint instead because this generation will be removed in a future release.
Allow users to run the RabbitMQ heartbeat over a native python thread in the oslo.messaging RabbitMQ driver, by using the rabbit_heartbeat_in_pthread option in configuration.
keystone::admin_bind_host and keystone::admin_port are deprecated and ignored, as the corresponding options in keystone were already deprecated.
Now keystone::admin_endpoint does not affect keystone configuration, as the corresponding parameter in keystone was already removed.
keystone::public_bind_host and keystone::public_port are deprecated. They still work as valid hieradata to generate endpoint information used in keystone resource creation, but will be ignored in the future. Use keystone::public_endpoint instead, which will be a necessary option in the future to define the public endpoint.
keystone::admin_workers and keystone::public_workers are deprecated, and now are ignored.
Add support to configure [oslo_middleware]/max_request_body_size with $max_request_body_size in the keystone:: class.
memcache_socket_timeout is changed to float value.
New resource, keystone::resource::service_user, is available to configure Keystone authentication parameters to use service token feature.
Add support to configure [keystone_authtoken]/service_token_roles with $service_token_roles in the keystone::resource::authtoken resource.
The deprecated parameters main_port and admin_port in keystone::federation::openidc are now removed.
The keystone::federation::openidc::keystone_url parameter is now mandatory and does not fallback on the keystone::public_endpoint value.
The deprecated parameters in keystone::wsgi::apache are removed, see below for what parameters you should use instead.
The deprecated resources keystone_paste_ini, keystone::config::keystone_paste_config, keystone::disable_admin_token_auth, keystone::disable_v2_api and keystone::paste_config are removed.
database_idle_timeout is deprecated and will be removed in a future release. Please use database_connection_recycle_time instead.