Ussuri Series Release Notes
Adding the following configurable items for OpenID:
Add TLS options to oslo.cache
Allow to specify drivername for postgres db
keystone::cron::trust_flush class was added to configure a cron job to purge expired or soft-deleted trusts.
keystone::federation::openidc class now supports the new openidc_response_mode parameter, to customize the mod_auth_openidc response mode.
Since the Ussuri release, the identity service record is created by bootstrap instead of an API call. Since current bootstrap doesn’t support service the value has been changed to “” from the previous value, “OpenStack Identity Service”, which was implemented in puppet-keystone.
Fixed a bug where the keystone::resource::authtoken resource would not install the proper python memcache bindings when using python3.
The default/public_endpoint parameter is no longer set by default because of a known issue with different hosts/protocols used for each endpoint (especially for the admin endpoint and public endpoint).
keystone::cache class was introduced to manage configurations for caching in keystone.
The deprecated idle_timeout option has been removed.
The following puppet variables are deprecated and staged for removal. Keystone removed LDAP support for projects and roles in Mitaka. Even if these options are set in keystone’s configuration file, they’re silently ignored. We will remove these options in a future release:
The database_min_pool_size option is now deprecated for removal; the parameter has no effect.
The following parameters for managing cache are now deprecated because of the introduction of keystone::cache to manage cache configuration. The parameters in
Workers are raised to 2 x os_workers, so that we have as many workers as we had before we merged the 2 keystone services (public and admin).
Added keystone::bootstrap class.
Now that the keystone::endpoint and keystone::roles::admin classes are deprecated and have no effect, deployments must define the new keystone::bootstrap class with the proper data that was earlier passed to those classes. Please go through the parameters in keystone::bootstrap carefully and define the class.
If you are using a multi-domain setup where you previously relied on keystone::endpoint and/or keystone::roles::admin to create your domains and domain-scoped admin accounts, keystone::bootstrap does not do this, and you need to ensure this is managed in your deployment using the keystone provider resources.
The keystone::endpoint and keystone::roles::admin classes are now deprecated and have no effect. Please read the upgrade notes carefully!
Adds the interface parameter to keystone::resource::authtoken to allow services to configure the interface to use for the Identity API endpoint. Valid values are “public”, “internal” or “admin”.
The service validation in keystone::service is deprecated, so the following parameters in keystone::service have no effect anymore: validate, admin_token, admin_endpoint, retries, delay, insecure, cacert.
The service validation in ::keystone is deprecated, so the following parameters have no effect: validate_service, validate_insecure, validate_auth_url and validate_cacert.
The user_allow_create, user_allow_update, user_allow_delete, group_allow_create, group_allow_update and group_allow_delete parameters in keystone::ldap_backend are deprecated, have no effect and will be removed in a later release.