Train Series Release Notes


New Features

  • Adding the following configurable items for OpenID:

    • keystone::federation::openidc::openidc_pass_userinfo_as to set OIDCPassUserInfoAs

    • keystone::federation::openidc::openidc_pass_claim_as to set OIDCPassClaimsAs

  • The keystone::federation::openidc class now supports the new openidc_response_mode parameter, to customize the mod_auth_openidc response mode.

Security Issues

  • The contents of fernet keys and credential keys are now hidden from output when these files are updated.


New Features

  • Add TLS options to oslo.cache

  • Allow specifying the drivername for the postgres db

  • Adds the interface parameter to keystone::resource::authtoken to allow services to configure the interface to use for the Identity API endpoint. Valid values are “public”, “internal” or “admin”.

  • The keystone::endpoint::service_description parameter has been added with the default value of ‘OpenStack Identity Service’ (moved from hardcoded value to a parameter). This is used when setting the description on the identity service managed by the keystone::endpoint class.

Bug Fixes

  • Workers are raised to 2 x os_workers, so that we have as many workers as we had before we merged the 2 keystone services (public and admin).

  • Fixed a bug where the keystone::resource::authtoken resource would not install the proper python memcache bindings when using python3.

  • The default/public_endpoint parameter is no longer set by default because of a known issue with different hosts/protocols being used for each endpoint (especially for the admin endpoint and the public endpoint).

  • In case public_endpoint can’t be used and keystone providers are required, the deprecated keystone::public_bind_host and keystone::public_port can still be used so that all provider implementations can detect the endpoint url from these parameters. These parameters are added to keystone.conf if a non-default value is set.


Deprecation Notes

  • keystone::public_bind_host and keystone::public_port are now fully deprecated, and don’t affect the corresponding parameters under the eventlet section. These parameters are currently used to generate public_host only if keystone::public_endpoint is not set. However, users should use public_endpoint instead because this generation will be removed in a future release.


New Features

  • Allow users to run the RabbitMQ heartbeat over a native python thread in the oslo.messaging RabbitMQ driver, by using the rabbit_heartbeat_in_pthread option in configuration.

Deprecation Notes

  • keystone::admin_bind_host and keystone::admin_port are deprecated and ignored, as the corresponding options in keystone were already deprecated.

  • Now keystone::admin_endpoint does not affect keystone configuration, as the corresponding parameter in keystone was already removed.

  • keystone::public_bind_host and keystone::public_port are deprecated. They still work as valid hieradata to generate endpoint information used in keystone resource creation, but will be ignored in the future. Use keystone::public_endpoint instead, which will be a necessary option in the future to define the public endpoint.

  • keystone::admin_workers and keystone::public_workers are deprecated, and now are ignored.


New Features

  • Add support to configure [oslo_middleware]/max_request_body_size with $max_request_body_size in the keystone:: class.

  • memcache_socket_timeout is changed to a float value.

  • New resource, keystone::resource::service_user, is available to configure Keystone authentication parameters to use the service token feature.


New Features

  • Add support to configure [keystone_authtoken]/service_token_roles with $service_token_roles in the keystone::resource::authtoken resource.

Upgrade Notes

  • The deprecated parameters main_port and admin_port in keystone::federation::openidc are now removed.

  • The keystone::federation::openidc::keystone_url parameter is now mandatory and does not fall back on the keystone::public_endpoint value.

  • The deprecated parameters in keystone::wsgi::apache are removed; see below for what parameters you should use instead.

    • Removed servername_admin; please use servername

    • Removed public_port and admin_port; please use api_port

    • Removed admin_bind_host; please use bind_host

    • Removed public_path and admin_path; please use path

    • Removed ssl_cert_admin and ssl_key_admin; please use ssl_cert and ssl_key

    • Removed wsgi_admin_script_source and wsgi_public_script_source; please use wsgi_script_source

    • Removed custom_wsgi_process_options_main and custom_wsgi_process_options_admin; please use custom_wsgi_process_options

  • The deprecated resources keystone_paste_ini, keystone::config::keystone_paste_config, keystone::disable_admin_token_auth, keystone::disable_v2_api and keystone::paste_config are removed.

Deprecation Notes

  • database_idle_timeout is deprecated and will be removed in a future release. Please use database_connection_recycle_time instead.