24465816 Update Keystone for the Mitaka release
authorLaszlo Peter <laszlo.peter@oracle.com>
Wed, 07 Sep 2016 14:48:41 -0700
changeset 6851 f984e52b96bb
parent 6850 f8d3bc724af7
child 6852 bf55de364b19
24465816 Update Keystone for the Mitaka release
components/openstack/keystone/Makefile
components/openstack/keystone/files/keystone
components/openstack/keystone/files/keystone-upgrade
components/openstack/keystone/files/keystone.conf
components/openstack/keystone/files/keystone.stencil
components/openstack/keystone/files/keystone.xml
components/openstack/keystone/keystone.p5m
components/openstack/keystone/patches/CVE-2015-7546.patch
components/openstack/keystone/patches/launchpad-1459816+.patch
components/openstack/keystone/patches/mysql_cluster_support.patch
components/openstack/keystone/patches/no-federation.patch
components/openstack/keystone/patches/no-pysaml2.patch
components/openstack/keystone/patches/requirements.patch
components/openstack/keystone/patches/sample-data.sh.patch
--- a/components/openstack/keystone/Makefile	Wed Sep 07 14:48:41 2016 -0700
+++ b/components/openstack/keystone/Makefile	Wed Sep 07 14:48:41 2016 -0700
@@ -26,20 +26,19 @@
 include ../../../make-rules/shared-macros.mk
 
 COMPONENT_NAME=		keystone
-COMPONENT_CODENAME=	kilo
-COMPONENT_VERSION=	2015.1.2
-COMPONENT_BE_VERSION=	2015.1
+COMPONENT_CODENAME=	mitaka
+COMPONENT_VERSION=	9.1.0
+COMPONENT_BE_VERSION=	2016.1
 COMPONENT_SRC=		$(COMPONENT_NAME)-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE=	$(COMPONENT_SRC).tar.gz
 COMPONENT_ARCHIVE_HASH=	\
-    sha256:af63a89ca1cebfff593e35c24105c1442ab50f760871d756a48cfc120a7a8ddb
-COMPONENT_ARCHIVE_URL=	http://launchpad.net/$(COMPONENT_NAME)/$(COMPONENT_CODENAME)/$(COMPONENT_VERSION)/+download/$(COMPONENT_ARCHIVE)
+    sha256:3828f8907d07901a3f0516b9ee99fbd42bd9d293e4fa137d850a46487c76bad3
+COMPONENT_ARCHIVE_URL=	https://tarballs.openstack.org/$(COMPONENT_NAME)/$(COMPONENT_ARCHIVE)
 COMPONENT_SIG_URL=	$(COMPONENT_ARCHIVE_URL).asc
 COMPONENT_PROJECT_URL=	http://www.openstack.org/
 COMPONENT_BUGDB=	service/keystone
-IPS_COMPONENT_VERSION=	0.$(COMPONENT_VERSION)
 
-TPNO=			25790
+TPNO=			30359
 
 PKG_VARS +=		COMPONENT_BE_VERSION
 
@@ -78,8 +77,7 @@
 
 test:		$(NO_TESTS)
 
-system-test:    $(NO_TESTS)
-
+system-test:	$(NO_TESTS)
 
 REQUIRED_PACKAGES += cloud/openstack/openstack-common
 REQUIRED_PACKAGES += library/python/iniparse-27
--- a/components/openstack/keystone/files/keystone	Wed Sep 07 14:48:41 2016 -0700
+++ b/components/openstack/keystone/files/keystone	Wed Sep 07 14:48:41 2016 -0700
@@ -15,12 +15,11 @@
 #    under the License.
 
 import os
+from subprocess import CalledProcessError, check_call, Popen
 import sys
 
 import smf_include
 
-from subprocess import CalledProcessError, check_call, Popen
-
 
 def httpd(cmd):
     cmd = ['/usr/apache2/2.4/bin/httpd', '-f',
--- a/components/openstack/keystone/files/keystone-upgrade	Wed Sep 07 14:48:41 2016 -0700
+++ b/components/openstack/keystone/files/keystone-upgrade	Wed Sep 07 14:48:41 2016 -0700
@@ -29,89 +29,11 @@
 
 KEYSTONE_CONF_MAPPINGS = {
     # Deprecated group/name
-    ('DEFAULT', 'admin_bind_host'): ('eventlet_server', 'admin_bind_host'),
-    ('DEFAULT', 'admin_workers'): ('eventlet_server', 'admin_workers'),
-    ('DEFAULT', 'admin_port'): ('eventlet_server', 'admin_port'),
-    ('DEFAULT', 'tcp_keepidle'): ('eventlet_server', 'tcp_keepidle'),
-    ('ssl', 'cert_required'): ('eventlet_server_ssl', 'cert_required'),
-    ('DEFAULT', 'public_port'): ('eventlet_server', 'public_port'),
-    ('DEFAULT', 'public_bind_host'): ('eventlet_server', 'public_bind_host'),
-    ('DEFAULT', 'tcp_keepalive'): ('eventlet_server', 'tcp_keepalive'),
-    ('DEFAULT', 'public_workers'): ('eventlet_server', 'public_workers'),
-    ('ssl', 'keyfile'): ('eventlet_server_ssl', 'keyfile'),
-    ('ssl', 'ca_certs'): ('eventlet_server_ssl', 'ca_certs'),
-    ('ssl', 'enable'): ('eventlet_server_ssl', 'enable'),
-    ('ssl', 'certfile'): ('eventlet_server_ssl', 'certfile'),
-    ('DEFAULT', 'amqp_durable_queues'):
-        ('oslo_messaging_qpid', 'amqp_durable_queues'),
-    ('DEFAULT', 'amqp_auto_delete'):
-        ('oslo_messaging_qpid', 'amqp_auto_delete'),
-    ('DEFAULT', 'rpc_conn_pool_size'):
-        ('oslo_messaging_qpid', 'rpc_conn_pool_size'),
-    ('DEFAULT', 'qpid_hostname'):
-        ('oslo_messaging_qpid', 'qpid_hostname'),
-    ('DEFAULT', 'qpid_port'):
-        ('oslo_messaging_qpid', 'qpid_port'),
-    ('DEFAULT', 'qpid_hosts'):
-        ('oslo_messaging_qpid', 'qpid_hosts'),
-    ('DEFAULT', 'qpid_username'):
-        ('oslo_messaging_qpid', 'qpid_username'),
-    ('DEFAULT', 'qpid_password'):
-        ('oslo_messaging_qpid', 'qpid_password'),
-    ('DEFAULT', 'qpid_sasl_mechanisms'):
-        ('oslo_messaging_qpid', 'qpid_sasl_mechanisms'),
-    ('DEFAULT', 'qpid_heartbeat'):
-        ('oslo_messaging_qpid', 'qpid_heartbeat'),
-    ('DEFAULT', 'qpid_tcp_nodelay'):
-        ('oslo_messaging_qpid', 'qpid_tcp_nodelay'),
-    ('DEFAULT', 'qpid_receiver_capacity'):
-        ('oslo_messaging_qpid', 'qpid_receiver_capacity'),
-    ('DEFAULT', 'qpid_topology_version'):
-        ('oslo_messaging_qpid', 'qpid_topology_version'),
-    ('DEFAULT', 'kombu_ssl_version'):
-        ('oslo_messaging_rabbit', 'kombu_ssl_version'),
-    ('DEFAULT', 'kombu_ssl_keyfile'):
-        ('oslo_messaging_rabbit', 'kombu_ssl_keyfile'),
-    ('DEFAULT', 'kombu_ssl_certfile'):
-        ('oslo_messaging_rabbit', 'kombu_ssl_certfile'),
-    ('DEFAULT', 'kombu_ssl_ca_certs'):
-        ('oslo_messaging_rabbit', 'kombu_ssl_ca_certs'),
-    ('DEFAULT', 'kombu_reconnect_delay'):
-        ('oslo_messaging_rabbit', 'kombu_reconnect_delay'),
-    ('DEFAULT', 'rabbit_host'):
-        ('oslo_messaging_rabbit', 'rabbit_host'),
-    ('DEFAULT', 'rabbit_port'):
-        ('oslo_messaging_rabbit', 'rabbit_port'),
-    ('DEFAULT', 'rabbit_hosts'):
-        ('oslo_messaging_rabbit', 'rabbit_hosts'),
-    ('DEFAULT', 'rabbit_use_ssl'):
-        ('oslo_messaging_rabbit', 'rabbit_use_ssl'),
-    ('DEFAULT', 'rabbit_userid'):
-        ('oslo_messaging_rabbit', 'rabbit_userid'),
-    ('DEFAULT', 'rabbit_password'):
-        ('oslo_messaging_rabbit', 'rabbit_password'),
-    ('DEFAULT', 'rabbit_login_method'):
-        ('oslo_messaging_rabbit', 'rabbit_login_method'),
-    ('DEFAULT', 'rabbit_virtual_host'):
-        ('oslo_messaging_rabbit', 'rabbit_virtual_host'),
-    ('DEFAULT', 'rabbit_retry_interval'):
-        ('oslo_messaging_rabbit', 'rabbit_retry_interval'),
-    ('DEFAULT', 'rabbit_retry_backoff'):
-        ('oslo_messaging_rabbit', 'rabbit_retry_backoff'),
-    ('DEFAULT', 'rabbit_max_retries'):
-        ('oslo_messaging_rabbit', 'rabbit_max_retries'),
-    ('DEFAULT', 'rabbit_ha_queues'):
-        ('oslo_messaging_rabbit', 'rabbit_ha_queues'),
-    ('DEFAULT', 'fake_rabbit'):
-        ('oslo_messaging_rabbit', 'fake_rabbit'),
-    ('DEFAULT', 'max_request_body_size'):
-        ('oslo_middleware', 'max_request_body_size'),
-    ('assignment', 'list_limit'): ('resource', 'list_limit'),
-    ('assignment', 'caching'): ('resource', 'caching'),
-    ('assignment', 'cache_time'): ('resource', 'cache_time'),
-    ('token', 'revocation_cache_time'): ('revoke', 'cache_time'),
-    ('DEFAULT', 'log-format'): (None, None),
-    ('DEFAULT', 'use-syslog'): (None, None),
+    ('DEFAULT', 'rpc_thread_pool_size'):
+        ('DEFAULT', 'executor_thread_pool_size'),
+    ('DEFAULT', 'compute_port'): (None, None),
+    ('DEFAULT', 'log_format'): (None, None),
+    ('DEFAULT', 'use_syslog'): (None, None),
 }
 
 KEYSTONE_CONF_EXCEPTIONS = [
@@ -152,19 +74,6 @@
         modify_conf('/etc/keystone/keystone-paste.ini')
         modify_conf('/etc/keystone/logging.conf')
 
-    config = iniparse.RawConfigParser()
-    config.read('/etc/keystone/keystone.conf')
-    # In certain cases the database section does not exist and the
-    # default database chosen is sqlite.
-    if config.has_section('database'):
-        db_connection = config.get('database', 'connection')
-
-        if db_connection.startswith('mysql'):
-            engine = sqlalchemy.create_engine(db_connection)
-            if engine.url.username != '%SERVICE_USER%':
-                alter_mysql_tables(engine)
-                print "altered character set to utf8 in keystone tables"
-
     # update the current version
     check_call(['/usr/sbin/svccfg', '-s', os.environ['SMF_FMRI'], 'setprop',
                'config/upgrade-id', '=', pkg_ver])
--- a/components/openstack/keystone/files/keystone.conf	Wed Sep 07 14:48:41 2016 -0700
+++ b/components/openstack/keystone/files/keystone.conf	Wed Sep 07 14:48:41 2016 -0700
@@ -5,18 +5,12 @@
 #
 
 # A "shared secret" that can be used to bootstrap Keystone. This "token" does
-# not represent a user, and carries no explicit authorization. To disable in
-# production (highly recommended), remove AdminTokenAuthMiddleware from your
-# paste application pipelines (for example, in keystone-paste.ini). (string
-# value)
-#admin_token = ADMIN
-
-# (Deprecated) The port which the OpenStack Compute service listens on. This
-# option was only used for string replacement in the templated catalog backend.
-# Templated catalogs should replace the "$(compute_port)s" substitution with
-# the static port of the compute service. As of Juno, this option is deprecated
-# and will be removed in the L release. (integer value)
-#compute_port = 8774
+# not represent a user, and carries no explicit authorization. If set to
+# `None`, the value is ignored and the `admin_token` log in mechanism is
+# effectively disabled. To completely disable `admin_token` in production
+# (highly recommended), remove AdminTokenAuthMiddleware from your paste
+# application pipelines (for example, in keystone-paste.ini). (string value)
+#admin_token = <None>
 
 # The base public endpoint URL for Keystone that is advertised to clients
 # (NOTE: this does NOT affect how Keystone listens for connections). Defaults
@@ -34,8 +28,9 @@
 # found on a different server. (string value)
 #admin_endpoint = <None>
 
-# Maximum depth of the project hierarchy. WARNING: setting it to a large value
-# may adversely impact performance. (integer value)
+# Maximum depth of the project hierarchy, excluding the project acting as a
+# domain at the top of the hierarchy. WARNING: setting it to a large value may
+# adversely impact  performance. (integer value)
 #max_project_tree_depth = 5
 
 # Limit the sizes of user & project ID/names. (integer value)
@@ -57,7 +52,9 @@
 
 # The value passed as the keyword "rounds" to passlib's encrypt method.
 # (integer value)
-#crypt_strength = 40000
+# Minimum value: 1000
+# Maximum value: 100000
+#crypt_strength = 10000
 
 # The maximum number of entities that will be returned in a collection, with no
 # limit set by default. This global limit may be then overridden for a specific
@@ -69,7 +66,10 @@
 # project entities to be moved between domains by updating their domain_id.
 # Allowing such movement is not recommended if the scope of a domain admin is
 # being restricted by use of an appropriate policy file (see
-# policy.v3cloudsample as an example). (boolean value)
+# policy.v3cloudsample as an example). This ability is deprecated and will be
+# removed in a future release. (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #domain_id_immutable = true
 
 # If set to true, strict password length checking is performed for password
@@ -79,9 +79,14 @@
 #strict_password_check = false
 
 # The HTTP header used to determine the scheme for the original request, even
-# if it was removed by an SSL terminating proxy. Typical value is
-# "HTTP_X_FORWARDED_PROTO". (string value)
-#secure_proxy_ssl_header = <None>
+# if it was removed by an SSL terminating proxy. (string value)
+#secure_proxy_ssl_header = HTTP_X_FORWARDED_PROTO
+
+# If set to true the server will return information in the response that may
+# allow an unauthenticated or authenticated user to get more information than
+# normal, such as why authentication failed. This may be useful for debugging
+# but is insecure. (boolean value)
+#insecure_debug = false
 
 #
 # From keystone.notifications
@@ -93,96 +98,101 @@
 # Define the notification format for Identity Service events. A "basic"
 # notification has information about the resource being operated on. A "cadf"
 # notification has the same information, as well as information about the
-# initiator of the event. Valid options are: basic and cadf (string value)
+# initiator of the event. (string value)
+# Allowed values: basic, cadf
 #notification_format = basic
 
-#
-# From keystone.openstack.common.eventlet_backdoor
-#
-
-# Enable eventlet backdoor.  Acceptable values are 0, <port>, and
-# <start>:<end>, where 0 results in listening on a random tcp port number;
-# <port> results in listening on the specified port number (and not enabling
-# backdoor if that port is in use); and <start>:<end> results in listening on
-# the smallest unused port number within the specified range of port numbers.
-# The chosen port is displayed in the service's log file. (string value)
-#backdoor_port = <None>
+# Define the notification options to opt-out from. The value expected is:
+# identity.<resource_type>.<operation>. This field can be set multiple times in
+# order to add more notifications to opt-out from. For example:
+#  notification_opt_out=identity.user.created
+#  notification_opt_out=identity.authenticate.success (multi valued)
+#notification_opt_out =
 
 #
 # From oslo.log
 #
 
-# Print debugging output (set logging level to DEBUG instead of default WARNING
-# level). (boolean value)
+# If set to true, the logging level will be set to DEBUG instead of the default
+# INFO level. (boolean value)
 #debug = false
 
-# Print more verbose output (set logging level to INFO instead of default
-# WARNING level). (boolean value)
-#verbose = false
+# If set to false, the logging level will be set to WARNING instead of the
+# default INFO level. (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+#verbose = true
 
 # The name of a logging configuration file. This file is appended to any
 # existing logging configuration files. For details about logging configuration
-# files, see the Python logging module documentation. (string value)
+# files, see the Python logging module documentation. Note that when logging
+# configuration files are used then all logging configuration is set in the
+# configuration file and other logging configuration options are ignored (for
+# example, logging_context_format_string). (string value)
 # Deprecated group/name - [DEFAULT]/log_config
 #log_config_append = <None>
 
-# DEPRECATED. A logging.Formatter log message format string which may use any
-# of the available logging.LogRecord attributes. This option is deprecated.
-# Please use logging_context_format_string and logging_default_format_string
-# instead. (string value)
-#log_format = <None>
-
-# Format string for %%(asctime)s in log records. Default: %(default)s . (string
+# Defines the format string for %%(asctime)s in log records. Default:
+# %(default)s . This option is ignored if log_config_append is set. (string
 # value)
 #log_date_format = %Y-%m-%d %H:%M:%S
 
-# (Optional) Name of log file to output to. If no default is set, logging will
-# go to stdout. (string value)
+# (Optional) Name of log file to send logging output to. If no default is set,
+# logging will go to stderr as defined by use_stderr. This option is ignored if
+# log_config_append is set. (string value)
 # Deprecated group/name - [DEFAULT]/logfile
 #log_file = <None>
 
-# (Optional) The base directory used for relative --log-file paths. (string
-# value)
+# (Optional) The base directory used for relative log_file  paths. This option
+# is ignored if log_config_append is set. (string value)
 # Deprecated group/name - [DEFAULT]/logdir
 #log_dir = <None>
 
-# Use syslog for logging. Existing syslog format is DEPRECATED during I, and
-# will change in J to honor RFC5424. (boolean value)
+# Uses logging handler designed to watch file system. When log file is moved or
+# removed this handler will open a new log file with specified path
+# instantaneously. It makes sense only if log_file option is specified and
+# Linux platform is used. This option is ignored if log_config_append is set.
+# (boolean value)
+#watch_log_file = false
+
+# Use syslog for logging. Existing syslog format is DEPRECATED and will be
+# changed later to honor RFC5424. This option is ignored if log_config_append
+# is set. (boolean value)
 #use_syslog = false
 
-# (Optional) Enables or disables syslog rfc5424 format for logging. If enabled,
-# prefixes the MSG part of the syslog message with APP-NAME (RFC5424). The
-# format without the APP-NAME is deprecated in I, and will be removed in J.
-# (boolean value)
-#use_syslog_rfc_format = false
-
-# Syslog facility to receive log lines. (string value)
+# Syslog facility to receive log lines. This option is ignored if
+# log_config_append is set. (string value)
 #syslog_log_facility = LOG_USER
 
-# Log output to standard error. (boolean value)
+# Log output to standard error. This option is ignored if log_config_append is
+# set. (boolean value)
 #use_stderr = true
 
 # Format string to use for log messages with context. (string value)
 #logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s
 
-# Format string to use for log messages without context. (string value)
+# Format string to use for log messages when context is undefined. (string
+# value)
 #logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
 
-# Data to append to log format when level is DEBUG. (string value)
+# Additional data to append to log message when logging level for the message
+# is DEBUG. (string value)
 #logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d
 
 # Prefix each line of exception output with this format. (string value)
-#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s
-
-# List of logger=LEVEL pairs. (list value)
-#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN
+#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s
+
+# Defines the format string for %(user_identity)s that is used in
+# logging_context_format_string. (string value)
+#logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s
+
+# List of package logging levels in logger=LEVEL pairs. This option is ignored
+# if log_config_append is set. (list value)
+#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN,keystoneauth=WARN,oslo.cache=INFO,dogpile.core.dogpile=INFO
 
 # Enables or disables publication of error events. (boolean value)
 #publish_errors = false
 
-# Enables or disables fatal status of deprecations. (boolean value)
-#fatal_deprecations = false
-
 # The format for an instance that is passed with the log message. (string
 # value)
 #instance_format = "[instance: %(uuid)s] "
@@ -191,19 +201,27 @@
 # value)
 #instance_uuid_format = "[instance: %(uuid)s] "
 
+# Enables or disables fatal status of deprecations. (boolean value)
+#fatal_deprecations = false
+
 #
 # From oslo.messaging
 #
 
+# Size of RPC connection pool. (integer value)
+# Deprecated group/name - [DEFAULT]/rpc_conn_pool_size
+#rpc_conn_pool_size = 30
+
 # ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP.
 # The "host" option should point or resolve to this address. (string value)
 #rpc_zmq_bind_address = *
 
 # MatchMaker driver. (string value)
-#rpc_zmq_matchmaker = local
-
-# ZeroMQ receiver listening port. (integer value)
-#rpc_zmq_port = 9501
+# Allowed values: redis, dummy
+#rpc_zmq_matchmaker = redis
+
+# Type of concurrency used. Either "native" or "eventlet" (string value)
+#rpc_zmq_concurrency = eventlet
 
 # Number of ZeroMQ contexts, defaults to 1. (integer value)
 #rpc_zmq_contexts = 1
@@ -219,25 +237,41 @@
 # "host" option, if running Nova. (string value)
 #rpc_zmq_host = localhost
 
-# Seconds to wait before a cast expires (TTL). Only supported by impl_zmq.
+# Seconds to wait before a cast expires (TTL). The default value of -1
+# specifies an infinite linger period. The value of 0 specifies no linger
+# period. Pending messages shall be discarded immediately when the socket is
+# closed. Only supported by impl_zmq. (integer value)
+#rpc_cast_timeout = -1
+
+# The default number of seconds that poll should wait. Poll raises timeout
+# exception when timeout expired. (integer value)
+#rpc_poll_timeout = 1
+
+# Expiration timeout in seconds of a name service record about existing target
+# ( < 0 means no timeout). (integer value)
+#zmq_target_expire = 120
+
+# Use PUB/SUB pattern for fanout methods. PUB/SUB always uses proxy. (boolean
+# value)
+#use_pub_sub = true
+
+# Minimal port number for random ports range. (port value)
+# Minimum value: 0
+# Maximum value: 65535
+#rpc_zmq_min_port = 49152
+
+# Maximal port number for random ports range. (integer value)
+# Minimum value: 1
+# Maximum value: 65536
+#rpc_zmq_max_port = 65536
+
+# Number of retries to find free port number before fail with ZMQBindError.
 # (integer value)
-#rpc_cast_timeout = 30
-
-# Heartbeat frequency. (integer value)
-#matchmaker_heartbeat_freq = 300
-
-# Heartbeat time-to-live. (integer value)
-#matchmaker_heartbeat_ttl = 600
-
-# Size of RPC thread pool. (integer value)
-#rpc_thread_pool_size = 64
-
-# Driver or drivers to handle sending notifications. (multi valued)
-#notification_driver =
-
-# AMQP topic used for OpenStack notifications. (list value)
-# Deprecated group/name - [rpc_notifier2]/topics
-#notification_topics = notifications
+#rpc_zmq_bind_port_retries = 100
+
+# Size of executor thread pool. (integer value)
+# Deprecated group/name - [DEFAULT]/rpc_thread_pool_size
+#executor_thread_pool_size = 64
 
 # Seconds to wait for a response from a call. (integer value)
 #rpc_response_timeout = 60
@@ -247,7 +281,7 @@
 # configuration. (string value)
 #transport_url = <None>
 
-# The messaging driver to use, defaults to rabbit. Other drivers include qpid
+# The messaging driver to use, defaults to rabbit. Other drivers include amqp
 # and zmq. (string value)
 #rpc_backend = rabbit
 
@@ -255,6 +289,32 @@
 # exchange name specified in the transport_url option. (string value)
 #control_exchange = keystone
 
+#
+# From oslo.service.service
+#
+
+# Enable eventlet backdoor.  Acceptable values are 0, <port>, and
+# <start>:<end>, where 0 results in listening on a random tcp port number;
+# <port> results in listening on the specified port number (and not enabling
+# backdoor if that port is in use); and <start>:<end> results in listening on
+# the smallest unused port number within the specified range of port numbers.
+# The chosen port is displayed in the service's log file. (string value)
+#backdoor_port = <None>
+
+# Enable eventlet backdoor, using the provided path as a unix socket that can
+# receive connections. This option is mutually exclusive with 'backdoor_port'
+# in that only one should be provided. If both are provided then the existence
+# of this option overrides the usage of that option. (string value)
+#backdoor_socket = <None>
+
+# Enables or disables logging values of all registered options when starting a
+# service (at DEBUG level). (boolean value)
+#log_options = true
+
+# Specify a timeout after which a gracefully shutdown server will exit. Zero
+# value means endless wait. (integer value)
+#graceful_shutdown_timeout = 60
+
 
 [assignment]
 
@@ -262,9 +322,17 @@
 # From keystone
 #
 
-# Assignment backend driver. (string value)
+# Entrypoint for the assignment backend driver in the keystone.assignment
+# namespace. Only an SQL driver is supplied. If an assignment driver is not
+# specified, the identity driver will choose the assignment driver (driver
+# selection based on `[identity]/driver` option is deprecated and will be
+# removed in the "O" release). (string value)
 #driver = <None>
 
+# A list of role names which are prohibited from being an implied role. (list
+# value)
+#prohibited_implied_role = admin
+
 
 [auth]
 
@@ -272,32 +340,37 @@
 # From keystone
 #
 
-# Default auth methods. (list value)
+# Allowed authentication methods. (list value)
 #methods = external,password,token,oauth1
 
-# The password auth plugin module. (string value)
-#password = keystone.auth.plugins.password.Password
-
-# The token auth plugin module. (string value)
-#token = keystone.auth.plugins.token.Token
-
-# The external (REMOTE_USER) auth plugin module. (string value)
-#external = keystone.auth.plugins.external.DefaultDomain
-
-# The oAuth1.0 auth plugin module. (string value)
-#oauth1 = keystone.auth.plugins.oauth1.OAuth
+# Entrypoint for the password auth plugin module in the keystone.auth.password
+# namespace. (string value)
+#password = <None>
+
+# Entrypoint for the token auth plugin module in the keystone.auth.token
+# namespace. (string value)
+#token = <None>
+
+# Entrypoint for the external (REMOTE_USER) auth plugin module in the
+# keystone.auth.external namespace. Supplied drivers are DefaultDomain and
+# Domain. The default driver is DefaultDomain. (string value)
+#external = <None>
+
+# Entrypoint for the oAuth1.0 auth plugin module in the keystone.auth.oauth1
+# namespace. (string value)
+#oauth1 = <None>
 
 
 [cache]
 
 #
-# From keystone
+# From oslo.cache
 #
 
 # Prefix for building the configuration dictionary for the cache region. This
 # should not need to be changed unless there is another dogpile.cache region
 # with the same configuration name. (string value)
-#config_prefix = cache.keystone
+#config_prefix = cache.oslo
 
 # Default TTL, in seconds, for any cached item in the dogpile.cache region.
 # This applies to any cached method that doesn't have an explicit cache
@@ -305,10 +378,10 @@
 #expiration_time = 600
 
 # Dogpile.cache backend module. It is recommended that Memcache with pooling
-# (keystone.cache.memcache_pool) or Redis (dogpile.cache.redis) be used in
+# (oslo_cache.memcache_pool) or Redis (dogpile.cache.redis) be used in
 # production deployments.  Small workloads (single process) like devstack can
 # use the dogpile.cache.memory backend. (string value)
-#backend = keystone.common.cache.noop
+#backend = dogpile.cache.null
 
 # Arguments supplied to the backend module. Specify this option once per
 # argument to be passed to the dogpile.cache backend. Example format:
@@ -320,8 +393,7 @@
 # (list value)
 #proxies =
 
-# Global toggle for all caching using the should_cache_fn mechanism. (boolean
-# value)
+# Global toggle for caching. (boolean value)
 #enabled = false
 
 # Extra debugging from the cache backend (cache keys, get/set/delete/etc
@@ -331,24 +403,24 @@
 #debug_cache_backend = false
 
 # Memcache servers in the format of "host:port". (dogpile.cache.memcache and
-# keystone.cache.memcache_pool backends only). (list value)
+# oslo_cache.memcache_pool backends only). (list value)
 #memcache_servers = localhost:11211
 
 # Number of seconds memcached server is considered dead before it is tried
-# again. (dogpile.cache.memcache and keystone.cache.memcache_pool backends
-# only). (integer value)
+# again. (dogpile.cache.memcache and oslo_cache.memcache_pool backends only).
+# (integer value)
 #memcache_dead_retry = 300
 
 # Timeout in seconds for every call to a server. (dogpile.cache.memcache and
-# keystone.cache.memcache_pool backends only). (integer value)
+# oslo_cache.memcache_pool backends only). (integer value)
 #memcache_socket_timeout = 3
 
 # Max total number of open connections to every memcached server.
-# (keystone.cache.memcache_pool backend only). (integer value)
+# (oslo_cache.memcache_pool backend only). (integer value)
 #memcache_pool_maxsize = 10
 
 # Number of seconds a connection to memcached is held unused in the pool before
-# it is closed. (keystone.cache.memcache_pool backend only). (integer value)
+# it is closed. (oslo_cache.memcache_pool backend only). (integer value)
 #memcache_pool_unused_timeout = 60
 
 # Number of seconds that an operation will wait to get a memcache client
@@ -366,8 +438,10 @@
 # value)
 #template_file = default_catalog.templates
 
-# Catalog backend driver. (string value)
-#driver = keystone.catalog.backends.sql.Catalog
+# Entrypoint for the catalog backend driver in the keystone.catalog namespace.
+# Supplied drivers are kvs, sql, templated, and endpoint_filter.sql (string
+# value)
+#driver = sql
 
 # Toggle for catalog caching. This has no effect unless global caching is
 # enabled. (boolean value)
@@ -382,14 +456,71 @@
 #list_limit = <None>
 
 
+[cors]
+
+#
+# From oslo.middleware
+#
+
+# Indicate whether this resource may be shared with the domain received in the
+# requests "origin" header. (list value)
+#allowed_origin = <None>
+
+# Indicate that the actual request can include user credentials (boolean value)
+#allow_credentials = true
+
+# Indicate which headers are safe to expose to the API. Defaults to HTTP Simple
+# Headers. (list value)
+#expose_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
+
+# Maximum cache age of CORS preflight requests. (integer value)
+#max_age = 3600
+
+# Indicate which methods can be used during the actual request. (list value)
+#allow_methods = GET,PUT,POST,DELETE,PATCH
+
+# Indicate which header field names may be used during the actual request.
+# (list value)
+#allow_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token,X-Project-Id,X-Project-Name,X-Project-Domain-Id,X-Project-Domain-Name,X-Domain-Id,X-Domain-Name
+
+
+[cors.subdomain]
+
+#
+# From oslo.middleware
+#
+
+# Indicate whether this resource may be shared with the domain received in the
+# requests "origin" header. (list value)
+#allowed_origin = <None>
+
+# Indicate that the actual request can include user credentials (boolean value)
+#allow_credentials = true
+
+# Indicate which headers are safe to expose to the API. Defaults to HTTP Simple
+# Headers. (list value)
+#expose_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
+
+# Maximum cache age of CORS preflight requests. (integer value)
+#max_age = 3600
+
+# Indicate which methods can be used during the actual request. (list value)
+#allow_methods = GET,PUT,POST,DELETE,PATCH
+
+# Indicate which header field names may be used during the actual request.
+# (list value)
+#allow_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token,X-Project-Id,X-Project-Name,X-Project-Domain-Id,X-Project-Domain-Name,X-Domain-Id,X-Domain-Name
+
+
 [credential]
 
 #
 # From keystone
 #
 
-# Credential backend driver. (string value)
-#driver = keystone.credential.backends.sql.Credential
+# Entrypoint for the credential backend driver in the keystone.credential
+# namespace. (string value)
+#driver = sql
 
 
 [database]
@@ -427,12 +558,6 @@
 # (string value)
 #mysql_sql_mode = TRADITIONAL
 
-# This configures the MySQL storage engine. This allows for OpenStack to
-# support different storage engines such as InnoDB, NDB, etc. By Default,
-# this value will be set to InnoDB. For MySQL Cluster, set to NDBCLUSTER.
-# Example: mysql_storage_engine=(string value)
-#mysql_storage_engine = InnoDB
-
 # Timeout before idle SQL connections are reaped. (integer value)
 # Deprecated group/name - [DEFAULT]/sql_idle_timeout
 # Deprecated group/name - [DATABASE]/sql_idle_timeout
@@ -463,7 +588,7 @@
 # If set, use this value for max_overflow with SQLAlchemy. (integer value)
 # Deprecated group/name - [DEFAULT]/sql_max_overflow
 # Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow
-#max_overflow = <None>
+#max_overflow = 50
 
 # Verbosity of SQL debugging information: 0=None, 100=Everything. (integer
 # value)
@@ -504,8 +629,9 @@
 # From keystone
 #
 
-# Domain config backend driver. (string value)
-#driver = keystone.resource.config_backends.sql.DomainConfig
+# Entrypoint for the domain config backend driver in the
+# keystone.resource.domain_config namespace. (string value)
+#driver = sql
 
 # Toggle for domain config caching. This has no effect unless global caching is
 # enabled. (boolean value)
@@ -522,8 +648,9 @@
 # From keystone
 #
 
-# Endpoint Filter backend driver (string value)
-#driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter
+# Entrypoint for the endpoint filter backend driver in the
+# keystone.endpoint_filter namespace. (string value)
+#driver = sql
 
 # Toggle to return all active endpoints if no filter exists. (boolean value)
 #return_all_endpoints_if_no_filter = true
@@ -535,8 +662,17 @@
 # From keystone
 #
 
-# Endpoint policy backend driver (string value)
-#driver = keystone.contrib.endpoint_policy.backends.sql.EndpointPolicy
+# Enable endpoint_policy functionality. (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: The option to enable the OS-ENDPOINT-POLICY extension has been
+# deprecated in the M release and will be removed in the O release. The OS-
+# ENDPOINT-POLICY extension will be enabled by default.
+#enabled = true
+
+# Entrypoint for the endpoint policy backend driver in the
+# keystone.endpoint_policy namespace. (string value)
+#driver = sql
 
 
 [eventlet_server]
@@ -548,31 +684,47 @@
 # The number of worker processes to serve the public eventlet application.
 # Defaults to number of CPUs (minimum of 2). (integer value)
 # Deprecated group/name - [DEFAULT]/public_workers
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 public_workers = 2
 
 # The number of worker processes to serve the admin eventlet application.
 # Defaults to number of CPUs (minimum of 2). (integer value)
 # Deprecated group/name - [DEFAULT]/admin_workers
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 admin_workers = 2
 
 # The IP address of the network interface for the public service to listen on.
 # (string value)
 # Deprecated group/name - [DEFAULT]/bind_host
 # Deprecated group/name - [DEFAULT]/public_bind_host
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #public_bind_host = 0.0.0.0
 
-# The port number which the public service listens on. (integer value)
+# The port number which the public service listens on. (port value)
+# Minimum value: 0
+# Maximum value: 65535
 # Deprecated group/name - [DEFAULT]/public_port
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #public_port = 5000
 
 # The IP address of the network interface for the admin service to listen on.
 # (string value)
 # Deprecated group/name - [DEFAULT]/bind_host
 # Deprecated group/name - [DEFAULT]/admin_bind_host
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #admin_bind_host = 0.0.0.0
 
-# The port number which the admin service listens on. (integer value)
+# The port number which the admin service listens on. (port value)
+# Minimum value: 0
+# Maximum value: 65535
 # Deprecated group/name - [DEFAULT]/admin_port
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #admin_port = 35357
 
 # If set to false, disables keepalives on the server; all connections will be
@@ -581,18 +733,23 @@
 
 # Timeout for socket operations on a client connection. If an incoming
 # connection is idle for this number of seconds it will be closed. A value of
-# '0' means wait forever. (integer value)
+# "0" means wait forever. (integer value)
 #client_socket_timeout = 900
 
 # Set this to true if you want to enable TCP_KEEPALIVE on server sockets, i.e.
 # sockets used by the Keystone wsgi server for client connections. (boolean
 # value)
 # Deprecated group/name - [DEFAULT]/tcp_keepalive
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #tcp_keepalive = false
 
 # Sets the value of TCP_KEEPIDLE in seconds for each server socket. Only
-# applies if tcp_keepalive is true. (integer value)
+# applies if tcp_keepalive is true. Ignored if system does not support it.
+# (integer value)
 # Deprecated group/name - [DEFAULT]/tcp_keepidle
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #tcp_keepidle = 600
 
 
@@ -604,24 +761,34 @@
 
 # Toggle for SSL support on the Keystone eventlet servers. (boolean value)
 # Deprecated group/name - [ssl]/enable
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #enable = false
 
 # Path of the certfile for SSL. For non-production environments, you may be
 # interested in using `keystone-manage ssl_setup` to generate self-signed
 # certificates. (string value)
 # Deprecated group/name - [ssl]/certfile
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #certfile = /etc/keystone/ssl/certs/keystone.pem
 
 # Path of the keyfile for SSL. (string value)
 # Deprecated group/name - [ssl]/keyfile
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #keyfile = /etc/keystone/ssl/private/keystonekey.pem
 
 # Path of the CA cert file for SSL. (string value)
 # Deprecated group/name - [ssl]/ca_certs
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #ca_certs = /etc/keystone/ssl/certs/ca.pem
 
 # Require client certificate. (boolean value)
 # Deprecated group/name - [ssl]/cert_required
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #cert_required = false
 
 
@@ -631,8 +798,9 @@
 # From keystone
 #
 
-# Federation backend driver. (string value)
-#driver = keystone.contrib.federation.backends.sql.Federation
+# Entrypoint for the federation backend driver in the keystone.federation
+# namespace. (string value)
+#driver = sql
 
 # Value to be used when filtering assertion parameters from the environment.
 # (string value)
@@ -646,16 +814,14 @@
 # A domain name that is reserved to allow federated ephemeral users to have a
 # domain concept. Note that an admin will not be able to create a domain with
 # this name or update an existing domain to this name. You are not advised to
-# change this value unless you really have to. Changing this option to empty
-# string or None will not have any impact and default name will be used.
-# (string value)
+# change this value unless you really have to. (string value)
 #federated_domain_name = Federated
 
 # A list of trusted dashboard hosts. Before accepting a Single Sign-On request
 # to return a token, the origin host must be a member of the trusted_dashboard
 # list. This configuration option may be repeated for multiple values. For
-# example: trusted_dashboard=http://acme.com trusted_dashboard=http://beta.com
-# (multi valued)
+# example: trusted_dashboard=http://acme.com/auth/websso
+# trusted_dashboard=http://beta.com/auth/websso (multi valued)
 #trusted_dashboard =
 
 # Location of Single Sign-On callback handler, will return a token to a trusted
@@ -713,8 +879,9 @@
 # if domain_specific_drivers_enabled is set to true. (string value)
 #domain_config_dir = /etc/keystone/domains
 
-# Identity backend driver. (string value)
-#driver = keystone.identity.backends.sql.Identity
+# Entrypoint for the identity backend driver in the keystone.identity
+# namespace. Supplied drivers are ldap and sql. (string value)
+#driver = sql
 
 # Toggle for identity caching. This has no effect unless global caching is
 # enabled. (boolean value)
@@ -726,6 +893,7 @@
 
 # Maximum supported length for user passwords; decrease to improve performance.
 # (integer value)
+# Maximum value: 4096
 #max_password_length = 4096
 
 # Maximum number of entities that will be returned in an identity collection.
@@ -739,13 +907,14 @@
 # From keystone
 #
 
-# Keystone Identity Mapping backend driver. (string value)
-#driver = keystone.identity.mapping_backends.sql.Mapping
-
-# Public ID generator for user and group entities. The Keystone identity mapper
-# only supports generators that produce no more than 64 characters. (string
-# value)
-#generator = keystone.identity.id_generators.sha256.Generator
+# Entrypoint for the identity mapping backend driver in the
+# keystone.identity.id_mapping namespace. (string value)
+#driver = sql
+
+# Entrypoint for the public ID generator for user and group entities in the
+# keystone.identity.id_generator namespace. The Keystone identity mapper only
+# supports generators that produce no more than 64 characters. (string value)
+#generator = sha256
 
 # The format of user and group IDs changed in Juno for backends that do not
 # generate UUIDs (e.g. LDAP), with keystone providing a hash mapping to the
@@ -757,7 +926,7 @@
 # mapping for even the default LDAP driver. It is only safe to do this if you
 # do not already have assignments for users and groups from the default LDAP
 # domain, and it is acceptable for Keystone to provide the different IDs to
-# clients than it did previously.  Typically this means that the only time you
+# clients than it did previously. Typically this means that the only time you
 # can set this value to False is when configuring a fresh installation.
 # (boolean value)
 #backward_compatible_ids = true
@@ -793,7 +962,9 @@
 # From keystone
 #
 
-# URL for connecting to the LDAP server. (string value)
+# URL(s) for connecting to the LDAP server. Multiple LDAP URLs may be specified
+# as a comma separated string. The first URL to successfully bind is used for
+# the connection. (string value)
 #url = ldap://localhost
 
 # User BindDN to query the LDAP server. (string value)
@@ -817,18 +988,18 @@
 # your LDAP server supports subtree deletion. (boolean value)
 #allow_subtree_delete = false
 
-# The LDAP scope for queries, this can be either "one" (onelevel/singleLevel)
-# or "sub" (subtree/wholeSubtree). (string value)
+# The LDAP scope for queries, "one" represents oneLevel/singleLevel and "sub"
+# represents subtree/wholeSubtree options. (string value)
+# Allowed values: one, sub
 #query_scope = one
 
 # Maximum results per page; a value of zero ("0") disables paging. (integer
 # value)
 #page_size = 0
 
-# The LDAP dereferencing option for queries. This can be either "never",
-# "searching", "always", "finding" or "default". The "default" option falls
-# back to using default dereferencing configured by your ldap.conf. (string
-# value)
+# The LDAP dereferencing option for queries. The "default" option falls back to
+# using default dereferencing configured by your ldap.conf. (string value)
+# Allowed values: never, searching, always, finding, default
 #alias_dereferencing = default
 
 # Sets the LDAP debugging level for LDAP calls. A value of 0 means that
@@ -840,7 +1011,7 @@
 # value)
 #chase_referrals = <None>
 
-# Search base for users. (string value)
+# Search base for users. Defaults to the suffix value. (string value)
 #user_tree_dn = <None>
 
 # LDAP search filter for users. (string value)
@@ -856,6 +1027,9 @@
 # LDAP attribute mapped to user name. (string value)
 #user_name_attribute = sn
 
+# LDAP attribute mapped to user description. (string value)
+#user_description_attribute = description
+
 # LDAP attribute mapped to user email. (string value)
 #user_mail_attribute = mail
 
@@ -887,18 +1061,30 @@
 #user_enabled_default = True
 
 # List of attributes stripped off the user on update. (list value)
-#user_attribute_ignore = default_project_id,tenants
+#user_attribute_ignore = default_project_id
 
 # LDAP attribute mapped to default_project_id for users. (string value)
 #user_default_project_id_attribute = <None>
 
 # Allow user creation in LDAP backend. (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Write support for Identity LDAP backends has been deprecated in the M
+# release and will be removed in the O release.
 #user_allow_create = true
 
 # Allow user updates in LDAP backend. (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Write support for Identity LDAP backends has been deprecated in the M
+# release and will be removed in the O release.
 #user_allow_update = true
 
 # Allow user deletion in LDAP backend. (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Write support for Identity LDAP backends has been deprecated in the M
+# release and will be removed in the O release.
 #user_allow_delete = true
 
 # If true, Keystone uses an alternative method to determine if a user is
@@ -910,117 +1096,17 @@
 # (string value)
 #user_enabled_emulation_dn = <None>
 
+# Use the "group_member_attribute" and "group_objectclass" settings to
+# determine membership in the emulated enabled group. (boolean value)
+#user_enabled_emulation_use_group_config = false
+
 # List of additional LDAP attributes used for mapping additional attribute
 # mappings for users. Attribute mapping format is <ldap_attr>:<user_attr>,
 # where ldap_attr is the attribute in the LDAP entry and user_attr is the
 # Identity API attribute. (list value)
 #user_additional_attribute_mapping =
 
-# Search base for projects (string value)
-# Deprecated group/name - [ldap]/tenant_tree_dn
-#project_tree_dn = <None>
-
-# LDAP search filter for projects. (string value)
-# Deprecated group/name - [ldap]/tenant_filter
-#project_filter = <None>
-
-# LDAP objectclass for projects. (string value)
-# Deprecated group/name - [ldap]/tenant_objectclass
-#project_objectclass = groupOfNames
-
-# LDAP attribute mapped to project id. (string value)
-# Deprecated group/name - [ldap]/tenant_id_attribute
-#project_id_attribute = cn
-
-# LDAP attribute mapped to project membership for user. (string value)
-# Deprecated group/name - [ldap]/tenant_member_attribute
-#project_member_attribute = member
-
-# LDAP attribute mapped to project name. (string value)
-# Deprecated group/name - [ldap]/tenant_name_attribute
-#project_name_attribute = ou
-
-# LDAP attribute mapped to project description. (string value)
-# Deprecated group/name - [ldap]/tenant_desc_attribute
-#project_desc_attribute = description
-
-# LDAP attribute mapped to project enabled. (string value)
-# Deprecated group/name - [ldap]/tenant_enabled_attribute
-#project_enabled_attribute = enabled
-
-# LDAP attribute mapped to project domain_id. (string value)
-# Deprecated group/name - [ldap]/tenant_domain_id_attribute
-#project_domain_id_attribute = businessCategory
-
-# List of attributes stripped off the project on update. (list value)
-# Deprecated group/name - [ldap]/tenant_attribute_ignore
-#project_attribute_ignore =
-
-# Allow project creation in LDAP backend. (boolean value)
-# Deprecated group/name - [ldap]/tenant_allow_create
-#project_allow_create = true
-
-# Allow project update in LDAP backend. (boolean value)
-# Deprecated group/name - [ldap]/tenant_allow_update
-#project_allow_update = true
-
-# Allow project deletion in LDAP backend. (boolean value)
-# Deprecated group/name - [ldap]/tenant_allow_delete
-#project_allow_delete = true
-
-# If true, Keystone uses an alternative method to determine if a project is
-# enabled or not by checking if they are a member of the
-# "project_enabled_emulation_dn" group. (boolean value)
-# Deprecated group/name - [ldap]/tenant_enabled_emulation
-#project_enabled_emulation = false
-
-# DN of the group entry to hold enabled projects when using enabled emulation.
-# (string value)
-# Deprecated group/name - [ldap]/tenant_enabled_emulation_dn
-#project_enabled_emulation_dn = <None>
-
-# Additional attribute mappings for projects. Attribute mapping format is
-# <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry
-# and user_attr is the Identity API attribute. (list value)
-# Deprecated group/name - [ldap]/tenant_additional_attribute_mapping
-#project_additional_attribute_mapping =
-
-# Search base for roles. (string value)
-#role_tree_dn = <None>
-
-# LDAP search filter for roles. (string value)
-#role_filter = <None>
-
-# LDAP objectclass for roles. (string value)
-#role_objectclass = organizationalRole
-
-# LDAP attribute mapped to role id. (string value)
-#role_id_attribute = cn
-
-# LDAP attribute mapped to role name. (string value)
-#role_name_attribute = ou
-
-# LDAP attribute mapped to role membership. (string value)
-#role_member_attribute = roleOccupant
-
-# List of attributes stripped off the role on update. (list value)
-#role_attribute_ignore =
-
-# Allow role creation in LDAP backend. (boolean value)
-#role_allow_create = true
-
-# Allow role update in LDAP backend. (boolean value)
-#role_allow_update = true
-
-# Allow role deletion in LDAP backend. (boolean value)
-#role_allow_delete = true
-
-# Additional attribute mappings for roles. Attribute mapping format is
-# <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry
-# and user_attr is the Identity API attribute. (list value)
-#role_additional_attribute_mapping =
-
-# Search base for groups. (string value)
+# Search base for groups. Defaults to the suffix value. (string value)
 #group_tree_dn = <None>
 
 # LDAP search filter for groups. (string value)
@@ -1045,12 +1131,24 @@
 #group_attribute_ignore =
 
 # Allow group creation in LDAP backend. (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Write support for Identity LDAP backends has been deprecated in the M
+# release and will be removed in the O release.
 #group_allow_create = true
 
 # Allow group update in LDAP backend. (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Write support for Identity LDAP backends has been deprecated in the M
+# release and will be removed in the O release.
 #group_allow_update = true
 
 # Allow group deletion in LDAP backend. (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Write support for Identity LDAP backends has been deprecated in the M
+# release and will be removed in the O release.
 #group_allow_delete = true
 
 # Additional attribute mappings for groups. Attribute mapping format is
@@ -1068,11 +1166,13 @@
 # Enable TLS for communicating with LDAP servers. (boolean value)
 #use_tls = false
 
-# Valid options for tls_req_cert are demand, never, and allow. (string value)
+# Specifies what checks to perform on client certificates in an incoming TLS
+# session. (string value)
+# Allowed values: demand, never, allow
 #tls_req_cert = demand
 
 # Enable LDAP connection pooling. (boolean value)
-#use_pool = false
+#use_pool = true
 
 # Connection pool size. (integer value)
 #pool_size = 10
@@ -1094,7 +1194,7 @@
 # Enable LDAP connection pooling for end user authentication. If use_pool is
 # disabled, then this setting is meaningless and is not used at all. (boolean
 # value)
-#use_auth_pool = false
+#use_auth_pool = true
 
 # End user auth connection pool size. (integer value)
 #auth_pool_size = 100
@@ -1102,6 +1202,11 @@
 # End user auth connection lifetime in seconds. (integer value)
 #auth_pool_connection_lifetime = 60
 
+# If the members of the group objectclass are user IDs rather than DNs, set
+# this to true. This is the case when using posixGroup as the group objectclass
+# and OpenDirectory. (boolean value)
+#group_members_are_ids = false
+
 
 [matchmaker_redis]
 
@@ -1112,22 +1217,29 @@
 # Host to locate redis. (string value)
 #host = 127.0.0.1
 
-# Use this port to connect to redis host. (integer value)
+# Use this port to connect to redis host. (port value)
+# Minimum value: 0
+# Maximum value: 65535
 #port = 6379
 
 # Password for Redis server (optional). (string value)
-#password = <None>
-
-
-[matchmaker_ring]
-
-#
-# From oslo.messaging
-#
-
-# Matchmaker ring file (JSON). (string value)
-# Deprecated group/name - [DEFAULT]/matchmaker_ringfile
-#ringfile = /etc/oslo/matchmaker_ring.json
+#password =
+
+# List of Redis Sentinel hosts (fault tolerance mode) e.g.
+# [host:port, host1:port ... ] (list value)
+#sentinel_hosts =
+
+# Redis replica set name. (string value)
+#sentinel_group_name = oslo-messaging-zeromq
+
+# Time in ms to wait between connection attempts. (integer value)
+#wait_timeout = 500
+
+# Time in ms to wait before the transaction is killed. (integer value)
+#check_timeout = 20000
+
+# Timeout in ms on blocking socket operations (integer value)
+#socket_timeout = 1000
 
 
 [memcache]
@@ -1171,8 +1283,9 @@
 # From keystone
 #
 
-# Credential backend driver. (string value)
-#driver = keystone.contrib.oauth1.backends.sql.OAuth1
+# Entrypoint for the OAuth backend driver in the keystone.oauth1 namespace.
+# (string value)
+#driver = sql
 
 # Duration (in seconds) for the OAuth Request Token. (integer value)
 #request_token_duration = 28800
@@ -1188,8 +1301,15 @@
 #
 
 # role-assignment inheritance to projects from owning domain or from projects
-# higher in the hierarchy can be optionally enabled. (boolean value)
-#enabled = false
+# higher in the hierarchy can be optionally disabled. In the future, this
+# option will be removed and the hierarchy will be always enabled. (boolean
+# value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: The option to enable the OS-INHERIT extension has been deprecated in
+# the M release and will be removed in the O release. The OS-INHERIT extension
+# will be enabled by default.
+#enabled = true
 
 
 [oslo_messaging_amqp]
@@ -1222,7 +1342,7 @@
 # Deprecated group/name - [amqp1]/trace
 #trace = false
 
-# CA certificate PEM file for verifing server certificate (string value)
+# CA certificate PEM file to verify server certificate (string value)
 # Deprecated group/name - [amqp1]/ssl_ca_file
 #ssl_ca_file =
 
@@ -1242,71 +1362,47 @@
 # Deprecated group/name - [amqp1]/allow_insecure_clients
 #allow_insecure_clients = false
 
-
-[oslo_messaging_qpid]
+# Space separated list of acceptable SASL mechanisms (string value)
+# Deprecated group/name - [amqp1]/sasl_mechanisms
+#sasl_mechanisms =
+
+# Path to directory that contains the SASL configuration (string value)
+# Deprecated group/name - [amqp1]/sasl_config_dir
+#sasl_config_dir =
+
+# Name of configuration file (without .conf suffix) (string value)
+# Deprecated group/name - [amqp1]/sasl_config_name
+#sasl_config_name =
+
+# User name for message broker authentication (string value)
+# Deprecated group/name - [amqp1]/username
+#username =
+
+# Password for message broker authentication (string value)
+# Deprecated group/name - [amqp1]/password
+#password =
+
+
+[oslo_messaging_notifications]
 
 #
 # From oslo.messaging
 #
 
-# Use durable queues in AMQP. (boolean value)
-# Deprecated group/name - [DEFAULT]/rabbit_durable_queues
-#amqp_durable_queues = false
-
-# Auto-delete queues in AMQP. (boolean value)
-# Deprecated group/name - [DEFAULT]/amqp_auto_delete
-#amqp_auto_delete = false
-
-# Size of RPC connection pool. (integer value)
-# Deprecated group/name - [DEFAULT]/rpc_conn_pool_size
-#rpc_conn_pool_size = 30
-
-# Qpid broker hostname. (string value)
-# Deprecated group/name - [DEFAULT]/qpid_hostname
-#qpid_hostname = localhost
-
-# Qpid broker port. (integer value)
-# Deprecated group/name - [DEFAULT]/qpid_port
-#qpid_port = 5672
-
-# Qpid HA cluster host:port pairs. (list value)
-# Deprecated group/name - [DEFAULT]/qpid_hosts
-#qpid_hosts = $qpid_hostname:$qpid_port
-
-# Username for Qpid connection. (string value)
-# Deprecated group/name - [DEFAULT]/qpid_username
-#qpid_username =
-
-# Password for Qpid connection. (string value)
-# Deprecated group/name - [DEFAULT]/qpid_password
-#qpid_password =
-
-# Space separated list of SASL mechanisms to use for auth. (string value)
-# Deprecated group/name - [DEFAULT]/qpid_sasl_mechanisms
-#qpid_sasl_mechanisms =
-
-# Seconds between connection keepalive heartbeats. (integer value)
-# Deprecated group/name - [DEFAULT]/qpid_heartbeat
-#qpid_heartbeat = 60
-
-# Transport to use, either 'tcp' or 'ssl'. (string value)
-# Deprecated group/name - [DEFAULT]/qpid_protocol
-#qpid_protocol = tcp
-
-# Whether to disable the Nagle algorithm. (boolean value)
-# Deprecated group/name - [DEFAULT]/qpid_tcp_nodelay
-#qpid_tcp_nodelay = true
-
-# The number of prefetched messages held by receiver. (integer value)
-# Deprecated group/name - [DEFAULT]/qpid_receiver_capacity
-#qpid_receiver_capacity = 1
-
-# The qpid topology version to use.  Version 1 is what was originally used by
-# impl_qpid.  Version 2 includes some backwards-incompatible changes that allow
-# broker federation to work.  Users should update to version 2 when they are
-# able to take everything down, as it requires a clean break. (integer value)
-# Deprecated group/name - [DEFAULT]/qpid_topology_version
-#qpid_topology_version = 1
+# The Drivers(s) to handle sending notifications. Possible values are
+# messaging, messagingv2, routing, log, test, noop (multi valued)
+# Deprecated group/name - [DEFAULT]/notification_driver
+#driver =
+
+# A URL representing the messaging driver to use for notifications. If not set,
+# we fall back to the same configuration used for RPC. (string value)
+# Deprecated group/name - [DEFAULT]/notification_transport_url
+#transport_url = <None>
+
+# AMQP topic used for OpenStack notifications. (list value)
+# Deprecated group/name - [rpc_notifier2]/topics
+# Deprecated group/name - [DEFAULT]/notification_topics
+#topics = notifications
 
 
 [oslo_messaging_rabbit]
@@ -1316,6 +1412,7 @@
 #
 
 # Use durable queues in AMQP. (boolean value)
+# Deprecated group/name - [DEFAULT]/amqp_durable_queues
 # Deprecated group/name - [DEFAULT]/rabbit_durable_queues
 #amqp_durable_queues = false
 
@@ -1323,10 +1420,6 @@
 # Deprecated group/name - [DEFAULT]/amqp_auto_delete
 #amqp_auto_delete = false
 
-# Size of RPC connection pool. (integer value)
-# Deprecated group/name - [DEFAULT]/rpc_conn_pool_size
-#rpc_conn_pool_size = 30
-
 # SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and
 # SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some
 # distributions. (string value)
@@ -1350,11 +1443,28 @@
 # Deprecated group/name - [DEFAULT]/kombu_reconnect_delay
 #kombu_reconnect_delay = 1.0
 
+# EXPERIMENTAL: Possible values are: gzip, bz2. If not set compression will not
+# be used. This option may notbe available in future versions. (string value)
+#kombu_compression = <None>
+
+# How long to wait a missing client beforce abandoning to send it its replies.
+# This value should not be longer than rpc_response_timeout. (integer value)
+# Deprecated group/name - [DEFAULT]/kombu_reconnect_timeout
+#kombu_missing_consumer_retry_timeout = 60
+
+# Determines how the next RabbitMQ node is chosen in case the one we are
+# currently connected to becomes unavailable. Takes effect only if more than
+# one RabbitMQ node is provided in config. (string value)
+# Allowed values: round-robin, shuffle
+#kombu_failover_strategy = round-robin
+
 # The RabbitMQ broker address where a single node is used. (string value)
 # Deprecated group/name - [DEFAULT]/rabbit_host
 #rabbit_host = localhost
 
-# The RabbitMQ broker port where a single node is used. (integer value)
+# The RabbitMQ broker port where a single node is used. (port value)
+# Minimum value: 0
+# Maximum value: 65535
 # Deprecated group/name - [DEFAULT]/rabbit_port
 #rabbit_port = 5672
 
@@ -1390,21 +1500,38 @@
 # Deprecated group/name - [DEFAULT]/rabbit_retry_backoff
 #rabbit_retry_backoff = 2
 
+# Maximum interval of RabbitMQ connection retries. Default is 30 seconds.
+# (integer value)
+#rabbit_interval_max = 30
+
 # Maximum number of RabbitMQ connection retries. Default is 0 (infinite retry
 # count). (integer value)
 # Deprecated group/name - [DEFAULT]/rabbit_max_retries
 #rabbit_max_retries = 0
 
-# Use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you
-# must wipe the RabbitMQ database. (boolean value)
+# Try to use HA queues in RabbitMQ (x-ha-policy: all). If you change this
+# option, you must wipe the RabbitMQ database. In RabbitMQ 3.0, queue mirroring
+# is no longer controlled by the x-ha-policy argument when declaring a queue.
+# If you just want to make sure that all queues (except  those with auto-
+# generated names) are mirrored across all nodes, run: "rabbitmqctl set_policy
+# HA '^(?!amq\.).*' '{"ha-mode": "all"}' " (boolean value)
 # Deprecated group/name - [DEFAULT]/rabbit_ha_queues
 #rabbit_ha_queues = false
 
+# Positive integer representing duration in seconds for queue TTL (x-expires).
+# Queues which are unused for the duration of the TTL are automatically
+# deleted. The parameter affects only reply and fanout queues. (integer value)
+# Minimum value: 1
+#rabbit_transient_queues_ttl = 1800
+
+# Specifies the number of messages to prefetch. Setting to zero allows
+# unlimited messages. (integer value)
+#rabbit_qos_prefetch_count = 0
+
 # Number of seconds after which the Rabbit broker is considered down if
-# heartbeat's keep-alive fails (0 disables the heartbeat, >0 enables it.
-# Enabling heartbeats requires kombu>=3.0.7 and amqp>=1.4.0). EXPERIMENTAL
-# (integer value)
-#heartbeat_timeout_threshold = 0
+# heartbeat's keep-alive fails (0 disable the heartbeat). EXPERIMENTAL (integer
+# value)
+#heartbeat_timeout_threshold = 60
 
 # How often times during the heartbeat_timeout_threshold we check the
 # heartbeat. (integer value)
@@ -1414,6 +1541,104 @@
 # Deprecated group/name - [DEFAULT]/fake_rabbit
 #fake_rabbit = false
 
+# Maximum number of channels to allow (integer value)
+#channel_max = <None>
+
+# The maximum byte size for an AMQP frame (integer value)
+#frame_max = <None>
+
+# How often to send heartbeats for consumer's connections (integer value)
+#heartbeat_interval = 1
+
+# Enable SSL (boolean value)
+#ssl = <None>
+
+# Arguments passed to ssl.wrap_socket (dict value)
+#ssl_options = <None>
+
+# Set socket timeout in seconds for connection's socket (floating point value)
+#socket_timeout = 0.25
+
+# Set TCP_USER_TIMEOUT in seconds for connection's socket (floating point
+# value)
+#tcp_user_timeout = 0.25
+
+# Set delay for reconnection to some host which has connection error (floating
+# point value)
+#host_connection_reconnect_delay = 0.25
+
+# Maximum number of connections to keep queued. (integer value)
+#pool_max_size = 10
+
+# Maximum number of connections to create above `pool_max_size`. (integer
+# value)
+#pool_max_overflow = 0
+
+# Default number of seconds to wait for a connections to available (integer
+# value)
+#pool_timeout = 30
+
+# Lifetime of a connection (since creation) in seconds or None for no
+# recycling. Expired connections are closed on acquire. (integer value)
+#pool_recycle = 600
+
+# Threshold at which inactive (since release) connections are considered stale
+# in seconds or None for no staleness. Stale connections are closed on acquire.
+# (integer value)
+#pool_stale = 60
+
+# Persist notification messages. (boolean value)
+#notification_persistence = false
+
+# Exchange name for for sending notifications (string value)
+#default_notification_exchange = ${control_exchange}_notification
+
+# Max number of not acknowledged message which RabbitMQ can send to
+# notification listener. (integer value)
+#notification_listener_prefetch_count = 100
+
+# Reconnecting retry count in case of connectivity problem during sending
+# notification, -1 means infinite retry. (integer value)
+#default_notification_retry_attempts = -1
+
+# Reconnecting retry delay in case of connectivity problem during sending
+# notification message (floating point value)
+#notification_retry_delay = 0.25
+
+# Time to live for rpc queues without consumers in seconds. (integer value)
+#rpc_queue_expiration = 60
+
+# Exchange name for sending RPC messages (string value)
+#default_rpc_exchange = ${control_exchange}_rpc
+
+# Exchange name for receiving RPC replies (string value)
+#rpc_reply_exchange = ${control_exchange}_rpc_reply
+
+# Max number of not acknowledged message which RabbitMQ can send to rpc
+# listener. (integer value)
+#rpc_listener_prefetch_count = 100
+
+# Max number of not acknowledged message which RabbitMQ can send to rpc reply
+# listener. (integer value)
+#rpc_reply_listener_prefetch_count = 100
+
+# Reconnecting retry count in case of connectivity problem during sending
+# reply. -1 means infinite retry during rpc_timeout (integer value)
+#rpc_reply_retry_attempts = -1
+
+# Reconnecting retry delay in case of connectivity problem during sending
+# reply. (floating point value)
+#rpc_reply_retry_delay = 0.25
+
+# Reconnecting retry count in case of connectivity problem during sending RPC
+# message, -1 means infinite retry. If actual retry attempts in not 0 the rpc
+# request could be processed more then one time (integer value)
+#default_rpc_retry_attempts = -1
+
+# Reconnecting retry delay in case of connectivity problem during sending RPC
+# message (floating point value)
+#rpc_retry_delay = 0.25
+
 
 [oslo_middleware]
 
@@ -1426,6 +1651,13 @@
 # Deprecated group/name - [DEFAULT]/max_request_body_size
 #max_request_body_size = 114688
 
+# The HTTP Header that will be used to determine what the original request
+# protocol scheme was, even if it was hidden by an SSL termination proxy.
+# (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+#secure_proxy_ssl_header = X-Forwarded-Proto
+
 
 [oslo_policy]
 
@@ -1467,8 +1699,9 @@
 # From keystone
 #
 
-# Policy backend driver. (string value)
-#driver = keystone.policy.backends.sql.Policy
+# Entrypoint for the policy backend driver in the keystone.policy namespace.
+# Supplied drivers are rules and sql. (string value)
+#driver = sql
 
 # Maximum number of entities that will be returned in a policy collection.
 # (integer value)
@@ -1481,8 +1714,10 @@
 # From keystone
 #
 
-# Resource backend driver. If a resource driver is not specified, the
-# assignment driver will choose the resource driver. (string value)
+# Entrypoint for the resource backend driver in the keystone.resource
+# namespace. Only an SQL driver is supplied. If a resource driver is not
+# specified, the assignment driver will choose the resource driver. (string
+# value)
 #driver = <None>
 
 # Toggle for resource caching. This has no effect unless global caching is
@@ -1500,6 +1735,31 @@
 # Deprecated group/name - [assignment]/list_limit
 #list_limit = <None>
 
+# Name of the domain that owns the `admin_project_name`. Defaults to None.
+# (string value)
+#admin_project_domain_name = <None>
+
+# Special project for performing administrative operations on remote services.
+# Tokens scoped to this project will contain the key/value
+# `is_admin_project=true`. Defaults to None. (string value)
+#admin_project_name = <None>
+
+# Whether the names of projects are restricted from containing url reserved
+# characters. If set to new, attempts to create or update a project with a url
+# unsafe name will return an error. In addition, if set to strict, attempts to
+# scope a token using an unsafe project name will return an error. (string
+# value)
+# Allowed values: off, new, strict
+#project_name_url_safe = off
+
+# Whether the names of domains are restricted from containing url reserved
+# characters. If set to new, attempts to create or update a domain with a url
+# unsafe name will return an error. In addition, if set to strict, attempts to
+# scope a token using a domain name which is unsafe will return an error.
+# (string value)
+# Allowed values: off, new, strict
+#domain_name_url_safe = off
+
 
 [revoke]
 
@@ -1507,9 +1767,10 @@
 # From keystone
 #
 
-# An implementation of the backend for persisting revocation events. (string
-# value)
-#driver = keystone.contrib.revoke.backends.sql.Revoke
+# Entrypoint for an implementation of the backend for persisting revocation
+# events in the keystone.revoke namespace. Supplied drivers are kvs and sql.
+# (string value)
+#driver = sql
 
 # This value (calculated in seconds) is added to token expiration before a
 # revocation event may be removed from the backend. (integer value)
@@ -1532,7 +1793,8 @@
 # From keystone
 #
 
-# Role backend driver. (string value)
+# Entrypoint for the role backend driver in the keystone.role namespace.
+# Supplied drivers are ldap and sql. (string value)
 #driver = <None>
 
 # Toggle for role caching. This has no effect unless global caching is enabled.
@@ -1610,8 +1872,9 @@
 # Telephone number of contact person. (string value)
 #idp_contact_telephone = <None>
 
-# Contact type. Allowed values are: technical, support, administrative billing,
-# and other (string value)
+# The contact type describing the main point of contact for the identity
+# provider. (string value)
+# Allowed values: technical, support, administrative, billing, other
 #idp_contact_type = other
 
 # Path to the Identity Provider Metadata file. This file should be generated
@@ -1623,6 +1886,17 @@
 #relay_state_prefix = ss:mem:
 
 
+[shadow_users]
+
+#
+# From keystone
+#
+
+# Entrypoint for the shadow users backend driver in the
+# keystone.identity.shadow_users namespace. (string value)
+#driver = sql
+
+
 [signing]
 
 #
@@ -1632,27 +1906,56 @@
 # Path of the certfile for token signing. For non-production environments, you
 # may be interested in using `keystone-manage pki_setup` to generate self-
 # signed certificates. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: PKI token support has been deprecated in the M release and will be
+# removed in the O release. Fernet or UUID tokens are recommended.
 #certfile = /etc/keystone/ssl/certs/signing_cert.pem
 
 # Path of the keyfile for token signing. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: PKI token support has been deprecated in the M release and will be
+# removed in the O release. Fernet or UUID tokens are recommended.
 #keyfile = /etc/keystone/ssl/private/signing_key.pem
 
 # Path of the CA for token signing. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: PKI token support has been deprecated in the M release and will be
+# removed in the O release. Fernet or UUID tokens are recommended.
 #ca_certs = /etc/keystone/ssl/certs/ca.pem
 
 # Path of the CA key for token signing. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: PKI token support has been deprecated in the M release and will be
+# removed in the O release. Fernet or UUID tokens are recommended.
 #ca_key = /etc/keystone/ssl/private/cakey.pem
 
 # Key size (in bits) for token signing cert (auto generated certificate).
 # (integer value)
+# Minimum value: 1024
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: PKI token support has been deprecated in the M release and will be
+# removed in the O release. Fernet or UUID tokens are recommended.
 #key_size = 2048
 
 # Days the token signing cert is valid for (auto generated certificate).
 # (integer value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: PKI token support has been deprecated in the M release and will be
+# removed in the O release. Fernet or UUID tokens are recommended.
 #valid_days = 3650
 
 # Certificate subject (auto generated certificate) for token signing. (string
 # value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: PKI token support has been deprecated in the M release and will be
+# removed in the O release. Fernet or UUID tokens are recommended.
 #cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
 
 
@@ -1666,6 +1969,7 @@
 #ca_key = /etc/keystone/ssl/private/cakey.pem
 
 # SSL key length (in bits) (auto generated certificate). (integer value)
+# Minimum value: 1024
 #key_size = 1024
 
 # Days the certificate is valid for once signed (auto generated certificate).
@@ -1695,13 +1999,15 @@
 # Amount of time a token should remain valid (in seconds). (integer value)
 #expiration = 3600
 
-# Controls the token construction, validation, and revocation operations. Core
-# providers are "keystone.token.providers.[fernet|pkiz|pki|uuid].Provider".
-# (string value)
-#provider = keystone.token.providers.uuid.Provider
-
-# Token persistence backend driver. (string value)
-#driver = keystone.token.persistence.backends.sql.Token
+# Controls the token construction, validation, and revocation operations.
+# Entrypoint in the keystone.token.provider namespace. Core providers are
+# [fernet|pkiz|pki|uuid]. (string value)
+#provider = uuid
+
+# Entrypoint for the token persistence backend driver in the
+# keystone.token.persistence namespace. Supplied drivers are kvs, memcache,
+# memcache_pool, and sql. (string value)
+#driver = sql
 
 # Toggle for token system caching. This has no effect unless global caching is
 # enabled. (boolean value)
@@ -1727,8 +2033,42 @@
 # that hashlib supports. WARNING: Before changing this value, the auth_token
 # middleware must be configured with the hash_algorithms, otherwise token
 # revocation will not be processed correctly. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: PKI token support has been deprecated in the M release and will be
+# removed in the O release. Fernet or UUID tokens are recommended.
 #hash_algorithm = md5
 
+# Add roles to token that are not explicitly added, but that are linked
+# implicitly to other roles. (boolean value)
+#infer_roles = true
+
+
+[tokenless_auth]
+
+#
+# From keystone
+#
+
+# The list of trusted issuers to further filter the certificates that are
+# allowed to participate in the X.509 tokenless authorization. If the option is
+# absent then no certificates will be allowed. The naming format for the
+# attributes of a Distinguished Name(DN) must be separated by a comma and
+# contain no spaces. This configuration option may be repeated for multiple
+# values. For example: trusted_issuer=CN=john,OU=keystone,O=openstack
+# trusted_issuer=CN=mary,OU=eng,O=abc (multi valued)
+#trusted_issuer =
+
+# The protocol name for the X.509 tokenless authorization along with the option
+# issuer_attribute below can look up its corresponding mapping. (string value)
+#protocol = x509
+
+# The issuer attribute that is served as an IdP ID for the X.509 tokenless
+# authorization along with the protocol to look up its corresponding mapping.
+# It is the environment variable in the WSGI environment that references to the
+# issuer of the client certificate. (string value)
+#issuer_attribute = SSL_CLIENT_I_DN
+
 
 [trust]
 
@@ -1746,5 +2086,6 @@
 # Maximum depth of trust redelegation. (integer value)
 #max_redelegation_count = 3
 
-# Trust backend driver. (string value)
-#driver = keystone.trust.backends.sql.Trust
+# Entrypoint for the trust backend driver in the keystone.trust namespace.
+# (string value)
+#driver = sql
--- a/components/openstack/keystone/files/keystone.stencil	Wed Sep 07 14:48:41 2016 -0700
+++ b/components/openstack/keystone/files/keystone.stencil	Wed Sep 07 14:48:41 2016 -0700
@@ -75,7 +75,7 @@
 
 PidFile /var/lib/keystone/keystone.httpd.pid
 
-ServerName 127.0.0.1
+ServerName $%{config/servername}
 Listen $%{config/public_port}
 Listen $%{config/admin_port}
 
--- a/components/openstack/keystone/files/keystone.xml	Wed Sep 07 14:48:41 2016 -0700
+++ b/components/openstack/keystone/files/keystone.xml	Wed Sep 07 14:48:41 2016 -0700
@@ -104,6 +104,7 @@
         <propval name='error_log' type='astring'
           value='/var/log/keystone/keystone_error.log'/>
         <propval name='public_port' type='count' value='5000'/>
+        <propval name='servername' type='astring' value='127.0.0.1'/>
         <propval name='use_tls' type='boolean' value='false'/>
       </property_group>
     </instance>
@@ -157,6 +158,15 @@
           </description>
         </prop_pattern>
 
+        <prop_pattern required='true' type='astring' name='servername'>
+          <description>
+            <loctext xml:lang='C'>
+              The Apache ServerName Directive.  Hostname and port that the
+              server uses to identify itself.
+            </loctext>
+          </description>
+        </prop_pattern>
+
         <prop_pattern required='false' type='astring' name='ssl_cert_file'>
           <description>
             <loctext xml:lang='C'>
--- a/components/openstack/keystone/keystone.p5m	Wed Sep 07 14:48:41 2016 -0700
+++ b/components/openstack/keystone/keystone.p5m	Wed Sep 07 14:48:41 2016 -0700
@@ -28,7 +28,7 @@
 set name=pkg.summary value="OpenStack Keystone (Identity Service)"
 set name=pkg.description \
     value="OpenStack Keystone is a service that provides Identity, Token, Catalog, and Policy services for use specifically by projects in the OpenStack family."
-set name=pkg.human-version value="Kilo $(COMPONENT_VERSION)"
+set name=pkg.human-version value="Mitaka $(COMPONENT_VERSION)"
 set name=com.oracle.info.description \
     value="Keystone, the OpenStack identity service"
 set name=com.oracle.info.tpno value=$(TPNO)
@@ -42,7 +42,8 @@
 set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
 set name=openstack.upgrade-id reboot-needed=true value=$(COMPONENT_BE_VERSION)
 set name=org.opensolaris.arc-caseid value=PSARC/2013/350 value=PSARC/2014/048 \
-    value=PSARC/2014/209 value=PSARC/2015/110 value=PSARC/2015/535
+    value=PSARC/2014/209 value=PSARC/2015/110 value=PSARC/2015/535 \
+    value=PSARC/2016/455
 set name=org.opensolaris.consolidation value=$(CONSOLIDATION)
 #
 dir  path=etc/keystone owner=keystone group=keystone mode=0700
@@ -87,14 +88,16 @@
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone-$(COMPONENT_VERSION)-py$(PYVER).egg-info/requires.txt
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone-$(COMPONENT_VERSION)-py$(PYVER).egg-info/top_level.txt
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/__init__.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/assignment/V8_backends/__init__.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/assignment/V8_backends/sql.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/assignment/V8_role_backends/__init__.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/assignment/V8_role_backends/sql.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/assignment/__init__.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/assignment/backends/__init__.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/assignment/backends/ldap.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/assignment/backends/sql.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/assignment/controllers.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/assignment/core.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/assignment/role_backends/__init__.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/assignment/role_backends/ldap.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/assignment/role_backends/sql.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/assignment/routers.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/assignment/schema.py
@@ -109,29 +112,30 @@
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/auth/plugins/password.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/auth/plugins/saml2.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/auth/plugins/token.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/auth/plugins/totp.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/auth/routers.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/backends.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/catalog/__init__.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/catalog/backends/__init__.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/catalog/backends/kvs.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/catalog/backends/sql.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/catalog/backends/templated.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/catalog/controllers.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/catalog/core.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/catalog/routers.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/catalog/schema.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/clean.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/cli.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/cmd/__init__.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/cmd/all.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/cmd/cli.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/cmd/manage.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/__init__.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/authorization.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/base64utils.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/cache/__init__.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/cache/_memcache_pool.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/cache/_context_cache.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/cache/backends/__init__.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/cache/backends/memcache_pool.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/cache/backends/mongo.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/cache/backends/noop.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/cache/core.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/clean.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/config.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/controller.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/dependency.py
@@ -145,13 +149,11 @@
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/kvs/backends/inmemdb.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/kvs/backends/memcached.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/kvs/core.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/kvs/legacy.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/ldap/__init__.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/ldap/core.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/manager.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/models.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/openssl.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/pemutils.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/router.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/__init__.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/core.py
@@ -159,38 +161,45 @@
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/__init__.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/manage.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/migrate.cfg
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/044_icehouse.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/045_placeholder.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/046_placeholder.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/047_placeholder.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/048_placeholder.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/049_placeholder.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/050_fk_consistent_indexes.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/051_add_id_mapping.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/052_add_auth_url_to_region.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/053_endpoint_to_region_association.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/054_add_actor_id_index.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/055_add_indexes_to_token_table.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/056_placeholder.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/057_placeholder.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/058_placeholder.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/059_placeholder.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/060_placeholder.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/061_add_parent_project.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/062_drop_assignment_role_fk.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/063_drop_region_auth_url.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/064_drop_user_and_group_fk.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/065_add_domain_config.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/066_fixup_service_name_value.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/067_drop_redundant_mysql_index.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/067_kilo.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/068_placeholder.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/069_placeholder.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/070_placeholder.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/071_placeholder.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/072_placeholder.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/073_insert_assignment_inherited_pk.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/074_add_is_domain_project.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/075_confirm_config_registration.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/076_placeholder.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/077_placeholder.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/078_placeholder.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/079_placeholder.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/080_placeholder.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/081_add_endpoint_policy_table.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/082_add_federation_tables.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/083_add_oauth1_tables.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/084_add_revoke_tables.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/085_add_endpoint_filtering_table.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/086_add_duplicate_constraint_trusts.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/087_implied_roles.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/088_domain_specific_roles.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/089_add_root_of_all_domains.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/090_add_local_user_and_password_tables.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/091_migrate_data_to_local_user_and_password_tables.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/092_make_implied_roles_fks_cascaded.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/093_migrate_domains_to_projects.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/094_add_federated_user_table.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/095_add_integer_pkey_to_revocation_event_table.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/096_drop_role_name_constraint.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/097_drop_user_name_domainid_constraint.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/__init__.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migration_helpers.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/tokenless_auth.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/utils.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/validation/__init__.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/validation/parameter_types.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/validation/validators.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/wsgi.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/config.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/__init__.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/admin_crud/__init__.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/admin_crud/core.py
@@ -202,40 +211,23 @@
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_filter/backends/__init__.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_filter/backends/catalog_sql.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_filter/backends/sql.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_filter/controllers.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_filter/core.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_filter/migrate_repo/__init__.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_filter/migrate_repo/migrate.cfg
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_filter/migrate_repo/versions/001_add_endpoint_filtering_table.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_filter/migrate_repo/versions/002_add_endpoint_groups.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_filter/migrate_repo/versions/__init__.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_filter/routers.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_filter/schema.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_policy/__init__.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_policy/backends/__init__.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_policy/backends/sql.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_policy/controllers.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_policy/core.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_policy/migrate_repo/__init__.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_policy/migrate_repo/migrate.cfg
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_policy/migrate_repo/versions/001_add_endpoint_policy_table.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_policy/migrate_repo/versions/__init__.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_policy/routers.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/example/__init__.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/example/configuration.rst
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/example/controllers.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/example/core.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/example/migrate_repo/__init__.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/example/migrate_repo/migrate.cfg
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/example/migrate_repo/versions/001_example_table.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/example/migrate_repo/versions/__init__.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/example/routers.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/federation/__init__.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/federation/backends/__init__.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/federation/backends/sql.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/federation/controllers.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/federation/core.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/federation/idp.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/federation/migrate_repo/__init__.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/federation/migrate_repo/migrate.cfg
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/federation/migrate_repo/versions/001_add_identity_provider_table.py
@@ -248,13 +240,9 @@
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/federation/migrate_repo/versions/008_add_relay_state_to_sp.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/federation/migrate_repo/versions/__init__.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/federation/routers.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/federation/schema.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/federation/utils.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/oauth1/__init__.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/oauth1/backends/__init__.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/oauth1/backends/sql.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/oauth1/controllers.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/oauth1/core.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/oauth1/migrate_repo/__init__.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/oauth1/migrate_repo/migrate.cfg
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/oauth1/migrate_repo/versions/001_add_oauth_tables.py
@@ -264,29 +252,21 @@
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/oauth1/migrate_repo/versions/005_consumer_id_index.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/oauth1/migrate_repo/versions/__init__.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/oauth1/routers.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/oauth1/validator.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/revoke/__init__.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/revoke/backends/__init__.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/revoke/backends/kvs.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/revoke/backends/sql.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/revoke/controllers.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/revoke/core.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/revoke/migrate_repo/__init__.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/revoke/migrate_repo/migrate.cfg
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/revoke/migrate_repo/versions/001_revoke_table.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/revoke/migrate_repo/versions/002_add_audit_id_and_chain_to_revoke_table.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/revoke/migrate_repo/versions/__init__.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/revoke/model.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/revoke/routers.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/s3/__init__.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/s3/core.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/simple_cert/__init__.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/simple_cert/controllers.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/simple_cert/core.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/simple_cert/routers.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/user_crud/__init__.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/user_crud/core.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/controllers.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/credential/__init__.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/credential/backends/__init__.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/credential/backends/sql.py
@@ -294,9 +274,25 @@
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/credential/core.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/credential/routers.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/credential/schema.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/endpoint_policy/__init__.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/endpoint_policy/backends/__init__.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/endpoint_policy/backends/sql.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/endpoint_policy/controllers.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/endpoint_policy/core.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/endpoint_policy/routers.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/exception.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/hacking/__init__.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/hacking/checks.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/federation/V8_backends/__init__.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/federation/V8_backends/sql.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/federation/__init__.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/federation/backends/__init__.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/federation/backends/sql.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/federation/constants.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/federation/controllers.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/federation/core.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/federation/idp.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/federation/routers.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/federation/schema.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/federation/utils.py
 link path=usr/lib/python$(PYVER)/vendor-packages/keystone/httpd/admin \
     target=keystone.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/httpd/keystone.py
@@ -316,23 +312,24 @@
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/identity/mapping_backends/mapping.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/identity/mapping_backends/sql.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/identity/routers.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/identity/schema.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/identity/shadow_backends/__init__.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/identity/shadow_backends/sql.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/middleware/__init__.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/middleware/auth.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/middleware/core.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/middleware/ec2_token.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/models/__init__.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/models/revoke_model.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/models/token_model.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/notifications.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/openstack/__init__.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/openstack/common/README
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/openstack/common/__init__.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/openstack/common/_i18n.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/openstack/common/eventlet_backdoor.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/openstack/common/fileutils.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/openstack/common/loopingcall.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/openstack/common/service.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/openstack/common/systemd.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/openstack/common/threadgroup.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/openstack/common/versionutils.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/oauth1/__init__.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/oauth1/backends/__init__.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/oauth1/backends/sql.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/oauth1/controllers.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/oauth1/core.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/oauth1/routers.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/oauth1/schema.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/oauth1/validator.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/policy/__init__.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/policy/backends/__init__.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/policy/backends/rules.py
@@ -341,9 +338,10 @@
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/policy/core.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/policy/routers.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/policy/schema.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/resource/V8_backends/__init__.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/resource/V8_backends/sql.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/resource/__init__.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/resource/backends/__init__.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/resource/backends/ldap.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/resource/backends/sql.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/resource/config_backends/__init__.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/resource/config_backends/sql.py
@@ -351,13 +349,21 @@
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/resource/core.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/resource/routers.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/resource/schema.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/routers.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/revoke/__init__.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/revoke/backends/__init__.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/revoke/backends/sql.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/revoke/controllers.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/revoke/core.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/revoke/model.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/revoke/routers.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/server/__init__.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/server/backends.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/server/common.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/server/eventlet.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/server/wsgi.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/service.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/token/__init__.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/token/_simple_cert.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/token/controllers.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/token/persistence/__init__.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/token/persistence/backends/__init__.py
@@ -377,6 +383,7 @@
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/token/providers/pkiz.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/token/providers/uuid.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/token/routers.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/token/utils.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/trust/__init__.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/trust/backends/__init__.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/trust/backends/sql.py
@@ -384,6 +391,13 @@
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/trust/core.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/trust/routers.py
 file path=usr/lib/python$(PYVER)/vendor-packages/keystone/trust/schema.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/v2_crud/__init__.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/v2_crud/admin_crud.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/v2_crud/user_crud.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/version/__init__.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/version/controllers.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/version/routers.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/version/service.py
 dir  path=var/lib/keystone owner=keystone group=keystone mode=0700
 dir  path=var/log/keystone owner=keystone group=keystone mode=0700
 #
@@ -393,8 +407,9 @@
 #
 license keystone.license license="Apache v2.0"
 
-# To upgrade to Kilo version, Juno version of the package must be on the system
-depend type=origin fmri=cloud/openstack/[email protected] root-image=true
+# To upgrade to the Mitaka version, the Kilo version of the package must be on
+# the system
+depend type=origin fmri=cloud/openstack/[email protected] root-image=true
 
 # force a dependency on package delivering httpd(8)
 depend type=require fmri=__TBD pkg.debug.depend.file=usr/apache2/2.4/bin/httpd
@@ -435,10 +450,6 @@
 # out.
 depend type=require fmri=library/python/keystoneclient-$(PYV)
 
-# force a dependency on keystonemiddleware; pkgdepend work is needed to flush
-# this out.
-depend type=require fmri=library/python/keystonemiddleware-$(PYV)
-
 # force a dependency on ldappool; pkgdepend work is needed to flush this out.
 depend type=require fmri=library/python/ldappool-$(PYV)
 
@@ -452,6 +463,9 @@
 # out.
 depend type=require fmri=library/python/openstackclient-$(PYV)
 
+# force a dependency on oslo.cache; pkgdepend work is needed to flush this out.
+depend type=require fmri=library/python/oslo.cache-$(PYV)
+
 # force a dependency on oslo.concurrency; pkgdepend work is needed to flush this
 # out.
 depend type=require fmri=library/python/oslo.concurrency-$(PYV)
@@ -459,6 +473,10 @@
 # force a dependency on oslo.config; pkgdepend work is needed to flush this out.
 depend type=require fmri=library/python/oslo.config-$(PYV)
 
+# force a dependency on oslo.context; pkgdepend work is needed to flush this
+# out.
+depend type=require fmri=library/python/oslo.context-$(PYV)
+
 # force a dependency on oslo.db; pkgdepend work is needed to flush this out.
 depend type=require fmri=library/python/oslo.db-$(PYV)
 
@@ -483,6 +501,10 @@
 # this out.
 depend type=require fmri=library/python/oslo.serialization-$(PYV)
 
+# force a dependency on oslo.service; pkgdepend work is needed to flush this
+# out.
+depend type=require fmri=library/python/oslo.service-$(PYV)
+
 # force a dependency on oslo.utils; pkgdepend work is needed to flush this out.
 depend type=require fmri=library/python/oslo.utils-$(PYV)
 
@@ -502,18 +524,14 @@
 # force a dependency on python-ldap; pkgdepend work is needed to flush this out.
 depend type=require fmri=library/python/python-ldap-$(PYV)
 
-# force a dependency on python-memcached; pkgdepend work is needed to flush this
-# out.
-depend type=require fmri=library/python/python-memcached-$(PYV)
-
 # force a dependency on routes; pkgdepend work is needed to flush this out.
 depend type=require fmri=library/python/routes-$(PYV)
 
-# force a dependency on setuptools; pkgdepend work is needed to flush this out.
-depend type=require fmri=library/python/setuptools-$(PYV)
-
 # force a dependency on six; pkgdepend work is needed to flush this out.
 depend type=require fmri=library/python/six-$(PYV)
 
+# force a dependency on stevedore; pkgdepend work is needed to flush this out.
+depend type=require fmri=library/python/stevedore-$(PYV)
+
 # force a dependency on webob; pkgdepend work is needed to flush this out.
 depend type=require fmri=library/python/webob-$(PYV)
--- a/components/openstack/keystone/patches/CVE-2015-7546.patch	Wed Sep 07 14:48:41 2016 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,195 +0,0 @@
-From 9c9c1331e0c004897d5f4c5847f7143b56373f10 Mon Sep 17 00:00:00 2001
-From: Brant Knudson <[email protected]>
-Date: Tue, 1 Dec 2015 11:09:14 -0600
-Subject: [PATCH] Add audit IDs to revocation events
-
-The revoked tokens' audit ID is now included in the data returned in
-the revocation list.
-
-Closes-Bug: 1490804
-Change-Id: Ifcf88f1158bebddc4f927121fbf4136fb53b659f
-(cherry picked from commit d5378f173da14a34ca010271477337879002d6d0)
-Conflicts:
-	keystone/tests/unit/test_backend.py
----
- keystone/tests/unit/test_backend.py        | 39 ++++++++++++++++++++----------
- keystone/tests/unit/test_backend_sql.py    |  3 ++-
- keystone/token/persistence/backends/kvs.py |  9 +++++++
- keystone/token/persistence/backends/sql.py | 12 ++++++++-
- 4 files changed, 48 insertions(+), 15 deletions(-)
-
-diff --git a/keystone/tests/unit/test_backend.py b/keystone/tests/unit/test_backend.py
-index 6cf0649..9c82502 100644
---- a/keystone/tests/unit/test_backend.py
-+++ b/keystone/tests/unit/test_backend.py
[email protected]@ -3778,7 +3778,9 @@ class TokenTests(object):
-         token_id = self._create_token_id()
-         data = {'id': token_id, 'a': 'b',
-                 'trust_id': None,
--                'user': {'id': 'testuserid'}}
-+                'user': {'id': 'testuserid'},
-+                'token_data': {'access': {'token': {
-+                    'audit_ids': [uuid.uuid4().hex]}}}}
-         data_ref = self.token_provider_api._persistence.create_token(token_id,
-                                                                      data)
-         expires = data_ref.pop('expires')
[email protected]@ -3813,7 +3815,8 @@ class TokenTests(object):
-         # FIXME(morganfainberg): These tokens look nothing like "Real" tokens.
-         # This should be fixed when token issuance is cleaned up.
-         data = {'id': token_id, 'a': 'b',
--                'user': {'id': user_id}}
-+                'user': {'id': user_id},
-+                'access': {'token': {'audit_ids': [uuid.uuid4().hex]}}}
-         if tenant_id is not None:
-             data['tenant'] = {'id': tenant_id, 'name': tenant_id}
-         if tenant_id is NULL_OBJECT:
[email protected]@ -3822,7 +3825,7 @@ class TokenTests(object):
-             data['expires'] = expires
-         if trust_id is not None:
-             data['trust_id'] = trust_id
--            data.setdefault('access', {}).setdefault('trust', {})
-+            data['access'].setdefault('trust', {})
-             # Testuserid2 is used here since a trustee will be different in
-             # the cases of impersonation and therefore should not match the
-             # token's user_id.
[email protected]@ -3988,17 +3991,21 @@ class TokenTests(object):
- 
-         self.assertEqual(data_ref, new_data_ref)
- 
--    def check_list_revoked_tokens(self, token_ids):
--        revoked_ids = [x['id']
--                       for x in self.token_provider_api.list_revoked_tokens()]
-+    def check_list_revoked_tokens(self, token_infos):
-+        revocation_list = self.token_provider_api.list_revoked_tokens()
-+        revoked_ids = [x['id'] for x in revocation_list]
-+        revoked_audit_ids = [x['audit_id'] for x in revocation_list]
-         self._assert_revoked_token_list_matches_token_persistence(revoked_ids)
--        for token_id in token_ids:
-+        for token_id, audit_id in token_infos:
-             self.assertIn(token_id, revoked_ids)
-+            self.assertIn(audit_id, revoked_audit_ids)
- 
-     def delete_token(self):
-         token_id = uuid.uuid4().hex
-+        audit_id = uuid.uuid4().hex
-         data = {'id_hash': token_id, 'id': token_id, 'a': 'b',
--                'user': {'id': 'testuserid'}}
-+                'user': {'id': 'testuserid'},
-+                'token_data': {'token': {'audit_ids': [audit_id]}}}
-         data_ref = self.token_provider_api._persistence.create_token(token_id,
-                                                                      data)
-         self.token_provider_api._persistence.delete_token(token_id)
[email protected]@ -4010,7 +4017,7 @@ class TokenTests(object):
-             exception.TokenNotFound,
-             self.token_provider_api._persistence.delete_token,
-             data_ref['id'])
--        return token_id
-+        return (token_id, audit_id)
- 
-     def test_list_revoked_tokens_returns_empty_list(self):
-         revoked_ids = [x['id']
[email protected]@ -4061,12 +4068,16 @@ class TokenTests(object):
-         token_data = {'id_hash': token_id, 'id': token_id, 'a': 'b',
-                       'expires': expire_time,
-                       'trust_id': None,
--                      'user': {'id': 'testuserid'}}
-+                      'user': {'id': 'testuserid'},
-+                      'token_data': {'token': {
-+                          'audit_ids': [uuid.uuid4().hex]}}}
-         token2_id = uuid.uuid4().hex
-         token2_data = {'id_hash': token2_id, 'id': token2_id, 'a': 'b',
-                        'expires': expire_time,
-                        'trust_id': None,
--                       'user': {'id': 'testuserid'}}
-+                       'user': {'id': 'testuserid'},
-+                       'token_data': {'token': {
-+                           'audit_ids': [uuid.uuid4().hex]}}}
-         # Create 2 Tokens.
-         self.token_provider_api._persistence.create_token(token_id,
-                                                           token_data)
[email protected]@ -4101,7 +4112,8 @@ class TokenTests(object):
-     def _test_predictable_revoked_pki_token_id(self, hash_fn):
-         token_id = self._create_token_id()
-         token_id_hash = hash_fn(token_id).hexdigest()
--        token = {'user': {'id': uuid.uuid4().hex}}
-+        token = {'user': {'id': uuid.uuid4().hex},
-+                 'token_data': {'token': {'audit_ids': [uuid.uuid4().hex]}}}
- 
-         self.token_provider_api._persistence.create_token(token_id, token)
-         self.token_provider_api._persistence.delete_token(token_id)
[email protected]@ -4123,7 +4135,8 @@ class TokenTests(object):
- 
-     def test_predictable_revoked_uuid_token_id(self):
-         token_id = uuid.uuid4().hex
--        token = {'user': {'id': uuid.uuid4().hex}}
-+        token = {'user': {'id': uuid.uuid4().hex},
-+                 'token_data': {'token': {'audit_ids': [uuid.uuid4().hex]}}}
- 
-         self.token_provider_api._persistence.create_token(token_id, token)
-         self.token_provider_api._persistence.delete_token(token_id)
-diff --git a/keystone/tests/unit/test_backend_sql.py b/keystone/tests/unit/test_backend_sql.py
-index a7c63bf..7adc936 100644
---- a/keystone/tests/unit/test_backend_sql.py
-+++ b/keystone/tests/unit/test_backend_sql.py
[email protected]@ -441,7 +441,8 @@ class SqlToken(SqlTests, test_backend.TokenTests):
-         # necessary.
- 
-         expected_query_args = (token_sql.TokenModel.id,
--                               token_sql.TokenModel.expires)
-+                               token_sql.TokenModel.expires,
-+                               token_sql.TokenModel.extra,)
- 
-         with mock.patch.object(token_sql, 'sql') as mock_sql:
-             tok = token_sql.Token()
-diff --git a/keystone/token/persistence/backends/kvs.py b/keystone/token/persistence/backends/kvs.py
-index b4807bf..9a7ccea 100644
---- a/keystone/token/persistence/backends/kvs.py
-+++ b/keystone/token/persistence/backends/kvs.py
[email protected]@ -211,6 +211,15 @@ class Token(token.persistence.Driver):
-                                                           subsecond=True)
-         revoked_token_data['id'] = data['id']
- 
-+        token_data = data['token_data']
-+        if 'access' in token_data:
-+            # It's a v2 token.
-+            audit_ids = token_data['access']['token']['audit_ids']
-+        else:
-+            # It's a v3 token.
-+            audit_ids = token_data['token']['audit_ids']
-+        revoked_token_data['audit_id'] = audit_ids[0]
-+
-         token_list = self._get_key_or_default(self.revocation_key, default=[])
-         if not isinstance(token_list, list):
-             # NOTE(morganfainberg): In the case that the revocation list is not
-diff --git a/keystone/token/persistence/backends/sql.py b/keystone/token/persistence/backends/sql.py
-index 08c3a21..7c5c11d 100644
---- a/keystone/token/persistence/backends/sql.py
-+++ b/keystone/token/persistence/backends/sql.py
[email protected]@ -228,13 +228,23 @@ class Token(token.persistence.Driver):
-         session = sql.get_session()
-         tokens = []
-         now = timeutils.utcnow()
--        query = session.query(TokenModel.id, TokenModel.expires)
-+        query = session.query(TokenModel.id, TokenModel.expires,
-+                              TokenModel.extra)
-         query = query.filter(TokenModel.expires > now)
-         token_references = query.filter_by(valid=False)
-         for token_ref in token_references:
-+            token_data = token_ref[2]['token_data']
-+            if 'access' in token_data:
-+                # It's a v2 token.
-+                audit_ids = token_data['access']['token']['audit_ids']
-+            else:
-+                # It's a v3 token.
-+                audit_ids = token_data['token']['audit_ids']
-+
-             record = {
-                 'id': token_ref[0],
-                 'expires': token_ref[1],
-+                'audit_id': audit_ids[0],
-             }
-             tokens.append(record)
-         return tokens
--- 
-1.9.1
-
--- a/components/openstack/keystone/patches/launchpad-1459816+.patch	Wed Sep 07 14:48:41 2016 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,420 +0,0 @@
-The following in-house jumbo patch constitutes the upstream changes in
-Kilo for the following changesets
-
-	fa43b6f6d196ea7780de4530c1d59bd43bc0b6de
-	82449dd550b4724fc90e1f2c16ae5f3237eebd25
-	e614b299408b65a6558888b1f4930a9b641f1920
-	6cd2e5eccdad0005c4a69d85aa6918cfc33062c5
-	19f3ad9eca9e9d73e6a147b06d66d4dcb66d2934
-
-which address a number of issues with tools/sample_data.sh including
-switching from the deprecated keystoneclient to the new openstackclient
-commands.
-
-commit fa43b6f6d196ea7780de4530c1d59bd43bc0b6de
-Author: phil-hopkins-a <[email protected]>
-Date:   Thu May 28 15:34:57 2015 -0500
-
-    updates sample_data script to use the new openstack commands
-    
-    Cleans up the sample_data script to replace the keystoneclient commands
-    with the new openstackclient commands
-    
-    Change-Id: Id68ff2b466e582a0c2f4418d173f7d63c14f5f37
-    Closes-Bug: #1459816
-
-commit 82449dd550b4724fc90e1f2c16ae5f3237eebd25
-Author: Eric Brown <[email protected]>
-Date:   Sun Jul 12 22:47:27 2015 -0700
-
-    Replace reference of ksc with osc
-    
-    The leading comment in sample_data.sh still references the old
-    python-keystoneclient when its python-openstackclient that is
-    used to populate sample data.
-    
-    This patch also makes a minor fix of the Swift service description.
-    
-    TrivialFix
-    
-    Change-Id: Ie4f5729dcc0b3a6164470d11ba91ddaaec0bb022
-
-commit e614b299408b65a6558888b1f4930a9b641f1920
-Author: Ghe Rivero <[email protected]>
-Date:   Sat Aug 1 05:00:05 2015 +0200
-
-    Update exported variables for openstack client
-    
-    When using openstack client to populate an initial keystone
-    deployment, instead of the former keystone client, the env.
-    variables needed are OS_TOKEN and OS_URL instead of the
-    previous OS_SERVICE_TOKEN and OS_SERVICE_ENDPOINT
-    
-    Change-Id: I79dcd56896945267cf1c8ff4378ffff63048e155
-
-commit 6cd2e5eccdad0005c4a69d85aa6918cfc33062c5
-Author: Ghe Rivero <[email protected]>
-Date:   Sat Aug 1 05:16:28 2015 +0200
-
-    Missing ADMIN_USER in sample_data.sh
-    
-    When moving from keystone to openstack client, the initialization of
-    the ADMIN_USER variable was removed, making the script to fail.
-    
-    Change-Id: Iee2d5b1cbed6c93e335a4b4dbad3034a2f8e29ed
-
-commit 19f3ad9eca9e9d73e6a147b06d66d4dcb66d2934
-Author: Ghe Rivero <[email protected]>
-Date:   Sun Aug 2 17:57:37 2015 +0200
-
-    Create neutron service in sample_data.sh
-    
-    With the addition of Neutron to the sample_data.sh script, all services
-    required by the compute starter kit tag [1] are created (plus swift and ec2
-    compatible credentials)
-    
-    [1] http://governance.openstack.org/reference/tags/compute_starter_kit.html
-    
-    Change-Id: Iebc4f6b005e0466fe60691d964c7dea0e0eee947
-
---- keystone-2015.1.2/doc/source/developing.rst.~1~	2015-10-13 10:18:02.000000000 -0700
-+++ keystone-2015.1.2/doc/source/developing.rst	2016-02-05 23:16:41.873683648 -0800
[email protected]@ -75,6 +75,7 @@ place:
-     $ bin/keystone-manage db_sync
- 
- .. _`python-keystoneclient`: https://github.com/openstack/python-keystoneclient
-+.. _`openstackclient`: https://git.openstack.org/cgit/openstack/python-openstackclient
- 
- If the above commands result in a ``KeyError``, or they fail on a
- ``.pyc`` file with the message, ``You can only have one Python script per
[email protected]@ -158,18 +159,24 @@ data for use with keystone:
- 
- .. code-block:: bash
- 
--    $ OS_SERVICE_TOKEN=ADMIN tools/with_venv.sh tools/sample_data.sh
-+    $ OS_TOKEN=ADMIN tools/with_venv.sh tools/sample_data.sh
- 
- Notice it requires a service token read from an environment variable for
- authentication.  The default value "ADMIN" is from the ``admin_token``
- option in the ``[DEFAULT]`` section in ``etc/keystone.conf``.
- 
- Once run, you can see the sample data that has been created by using the
--`python-keystoneclient`_ command-line interface:
-+`openstackclient`_ command-line interface:
- 
- .. code-block:: bash
- 
--    $ tools/with_venv.sh keystone --os-token ADMIN --os-endpoint http://127.0.0.1:35357/v2.0/ user-list
-+    $ tools/with_venv.sh openstack --os-token ADMIN --os-url http://127.0.0.1:35357/v2.0/ user list
-+
-+The `openstackclient`_ can be installed using the following:
-+
-+.. code-block:: bash
-+
-+    $ tools/with_venv.sh pip install python-openstackclient
- 
- Filtering responsibilities between controllers and drivers
- ----------------------------------------------------------
---- keystone-2015.1.2/tools/sample_data.sh.~1~	2015-10-13 10:18:02.000000000 -0700
-+++ keystone-2015.1.2/tools/sample_data.sh	2016-02-05 23:16:41.875371581 -0800
[email protected]@ -14,14 +14,14 @@
- # License for the specific language governing permissions and limitations
- # under the License.
- 
--# Sample initial data for Keystone using python-keystoneclient
-+# Sample initial data for Keystone using python-openstackclient
- #
- # This script is based on the original DevStack keystone_data.sh script.
- #
- # It demonstrates how to bootstrap Keystone with an administrative user
--# using the OS_SERVICE_TOKEN and OS_SERVICE_ENDPOINT environment variables
--# and the administrative API.  It will get the admin_token (OS_SERVICE_TOKEN)
--# and admin_port from keystone.conf if available.
-+# using the OS_TOKEN and OS_URL environment variables and the administrative
-+# API.  It will get the admin_token (OS_TOKEN) and admin_port from
-+# keystone.conf if available.
- #
- # Disable creation of endpoints by setting DISABLE_ENDPOINTS environment variable.
- # Use this with the Catalog Templated backend.
[email protected]@ -36,17 +36,25 @@
- # service              nova      admin
- # service              ec2       admin
- # service              swift     admin
-+# service              neutron   admin
- 
- # By default, passwords used are those in the OpenStack Install and Deploy Manual.
- # One can override these (publicly known, and hence, insecure) passwords by setting the appropriate
- # environment variables. A common default password for all the services can be used by
- # setting the "SERVICE_PASSWORD" environment variable.
- 
-+# Test to verify that the openstackclient is installed, if not exit
-+type openstack >/dev/null 2>&1 || {
-+    echo >&2 "openstackclient is not installed. Please install it to use this script. Aborting."
-+    exit 1
-+    }
-+
- ADMIN_PASSWORD=${ADMIN_PASSWORD:-secrete}
- NOVA_PASSWORD=${NOVA_PASSWORD:-${SERVICE_PASSWORD:-nova}}
- GLANCE_PASSWORD=${GLANCE_PASSWORD:-${SERVICE_PASSWORD:-glance}}
- EC2_PASSWORD=${EC2_PASSWORD:-${SERVICE_PASSWORD:-ec2}}
- SWIFT_PASSWORD=${SWIFT_PASSWORD:-${SERVICE_PASSWORD:-swiftpass}}
-+NEUTRON_PASSWORD=${NEUTRON_PASSWORD:-${SERVICE_PASSWORD:-neutron}}
- 
- CONTROLLER_PUBLIC_ADDRESS=${CONTROLLER_PUBLIC_ADDRESS:-localhost}
- CONTROLLER_ADMIN_ADDRESS=${CONTROLLER_ADMIN_ADDRESS:-localhost}
[email protected]@ -79,14 +87,14 @@ if [[ -r "$KEYSTONE_CONF" ]]; then
-     fi
- fi
- 
--export OS_SERVICE_TOKEN=${OS_SERVICE_TOKEN:-$CONFIG_SERVICE_TOKEN}
--if [[ -z "$OS_SERVICE_TOKEN" ]]; then
-+export OS_TOKEN=${OS_TOKEN:-$CONFIG_SERVICE_TOKEN}
-+if [[ -z "$OS_TOKEN" ]]; then
-     echo "No service token found."
--    echo "Set OS_SERVICE_TOKEN manually from keystone.conf admin_token."
-+    echo "Set OS_TOKEN manually from keystone.conf admin_token."
-     exit 1
- fi
- 
--export OS_SERVICE_ENDPOINT=${OS_SERVICE_ENDPOINT:-http://$CONTROLLER_PUBLIC_ADDRESS:${CONFIG_ADMIN_PORT:-35357}/v2.0}
-+export OS_URL=${OS_URL:-http://$CONTROLLER_PUBLIC_ADDRESS:${CONFIG_ADMIN_PORT:-35357}/v2.0}
- 
- function get_id () {
-     echo `"[email protected]" | grep ' id ' | awk '{print $4}'`
[email protected]@ -95,141 +103,160 @@ function get_id () {
- #
- # Default tenant
- #
--DEMO_TENANT=$(get_id keystone tenant-create --name=demo \
--                                            --description "Default Tenant")
-+openstack project create demo \
-+                         --description "Default Tenant"
- 
--ADMIN_USER=$(get_id keystone user-create --name=admin \
--                                         --pass="${ADMIN_PASSWORD}")
-+openstack user create admin --project demo \
-+                      --password "${ADMIN_PASSWORD}"
- 
--ADMIN_ROLE=$(get_id keystone role-create --name=admin)
-+openstack role create admin
- 
--keystone user-role-add --user-id $ADMIN_USER \
--                       --role-id $ADMIN_ROLE \
--                       --tenant-id $DEMO_TENANT
-+openstack role add --user admin \
-+                   --project demo\
-+                   admin
- 
- #
- # Service tenant
- #
--SERVICE_TENANT=$(get_id keystone tenant-create --name=service \
--                                               --description "Service Tenant")
-+openstack project create service \
-+                  --description "Service Tenant"
-+
-+openstack user create glance --project service\
-+                      --password "${GLANCE_PASSWORD}"
-+
-+openstack role add --user glance \
-+                   --project service \
-+                   admin
-+
-+openstack user create nova --project service\
-+                      --password "${NOVA_PASSWORD}"
-+
-+openstack role add --user nova \
-+                   --project service \
-+                   admin
-+
-+openstack user create ec2 --project service \
-+                      --password "${EC2_PASSWORD}"
-+
-+openstack role add --user ec2 \
-+                   --project service \
-+                   admin
- 
--GLANCE_USER=$(get_id keystone user-create --name=glance \
--                                          --pass="${GLANCE_PASSWORD}")
-+openstack user create swift --project service \
-+                      --password "${SWIFT_PASSWORD}" \
- 
--keystone user-role-add --user-id $GLANCE_USER \
--                       --role-id $ADMIN_ROLE \
--                       --tenant-id $SERVICE_TENANT
--
--NOVA_USER=$(get_id keystone user-create --name=nova \
--                                        --pass="${NOVA_PASSWORD}" \
--                                        --tenant-id $SERVICE_TENANT)
--
--keystone user-role-add --user-id $NOVA_USER \
--                       --role-id $ADMIN_ROLE \
--                       --tenant-id $SERVICE_TENANT
--
--EC2_USER=$(get_id keystone user-create --name=ec2 \
--                                       --pass="${EC2_PASSWORD}" \
--                                       --tenant-id $SERVICE_TENANT)
--
--keystone user-role-add --user-id $EC2_USER \
--                       --role-id $ADMIN_ROLE \
--                       --tenant-id $SERVICE_TENANT
--
--SWIFT_USER=$(get_id keystone user-create --name=swift \
--                                         --pass="${SWIFT_PASSWORD}" \
--                                         --tenant-id $SERVICE_TENANT)
--
--keystone user-role-add --user-id $SWIFT_USER \
--                       --role-id $ADMIN_ROLE \
--                       --tenant-id $SERVICE_TENANT
-+openstack role add --user swift \
-+                   --project service \
-+                   admin
-+
-+openstack user create neutron --project service \
-+                      --password "${NEUTRON_PASSWORD}" \
-+
-+openstack role add --user neutron \
-+                   --project service \
-+                   admin
- 
- #
- # Keystone service
- #
--KEYSTONE_SERVICE=$(get_id \
--keystone service-create --name=keystone \
--                        --type=identity \
--                        --description="Keystone Identity Service")
-+openstack service create --name keystone \
-+                         --description "Keystone Identity Service" \
-+                         identity
- if [[ -z "$DISABLE_ENDPOINTS" ]]; then
--    keystone endpoint-create --region RegionOne --service-id $KEYSTONE_SERVICE \
-+    openstack endpoint create --region RegionOne \
-         --publicurl "http://$CONTROLLER_PUBLIC_ADDRESS:\$(public_port)s/v2.0" \
-         --adminurl "http://$CONTROLLER_ADMIN_ADDRESS:\$(admin_port)s/v2.0" \
--        --internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:\$(public_port)s/v2.0"
-+        --internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:\$(public_port)s/v2.0" \
-+        keystone
- fi
- 
- #
- # Nova service
- #
--NOVA_SERVICE=$(get_id \
--keystone service-create --name=nova \
--                        --type=compute \
--                        --description="Nova Compute Service")
-+openstack service create --name=nova \
-+                         --description="Nova Compute Service" \
-+                         compute
- if [[ -z "$DISABLE_ENDPOINTS" ]]; then
--    keystone endpoint-create --region RegionOne --service-id $NOVA_SERVICE \
-+    openstack endpoint create --region RegionOne \
-         --publicurl "http://$CONTROLLER_PUBLIC_ADDRESS:8774/v2/\$(tenant_id)s" \
-         --adminurl "http://$CONTROLLER_ADMIN_ADDRESS:8774/v2/\$(tenant_id)s" \
--        --internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:8774/v2/\$(tenant_id)s"
-+        --internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:8774/v2/\$(tenant_id)s" \
-+        nova
- fi
- 
- #
- # Volume service
- #
--VOLUME_SERVICE=$(get_id \
--keystone service-create --name=volume \
--                        --type=volume \
--                        --description="Nova Volume Service")
-+openstack service create --name=volume \
-+                         --description="Cinder Volume Service" \
-+                         volume
- if [[ -z "$DISABLE_ENDPOINTS" ]]; then
--    keystone endpoint-create --region RegionOne --service-id $VOLUME_SERVICE \
-+    openstack endpoint create --region RegionOne \
-         --publicurl "http://$CONTROLLER_PUBLIC_ADDRESS:8776/v1/\$(tenant_id)s" \
-         --adminurl "http://$CONTROLLER_ADMIN_ADDRESS:8776/v1/\$(tenant_id)s" \
--        --internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:8776/v1/\$(tenant_id)s"
-+        --internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:8776/v1/\$(tenant_id)s" \
-+        volume
- fi
- 
- #
- # Image service
- #
--GLANCE_SERVICE=$(get_id \
--keystone service-create --name=glance \
--                        --type=image \
--                        --description="Glance Image Service")
-+openstack service create --name=glance \
-+                         --description="Glance Image Service" \
-+                         image
- if [[ -z "$DISABLE_ENDPOINTS" ]]; then
--    keystone endpoint-create --region RegionOne --service-id $GLANCE_SERVICE \
-+    openstack endpoint create --region RegionOne  \
-         --publicurl "http://$CONTROLLER_PUBLIC_ADDRESS:9292" \
-         --adminurl "http://$CONTROLLER_ADMIN_ADDRESS:9292" \
--        --internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:9292"
-+        --internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:9292" \
-+        glance
- fi
- 
- #
- # EC2 service
- #
--EC2_SERVICE=$(get_id \
--keystone service-create --name=ec2 \
--                        --type=ec2 \
--                        --description="EC2 Compatibility Layer")
-+openstack service create --name=ec2 \
-+                         --description="EC2 Compatibility Layer" \
-+                         ec2
- if [[ -z "$DISABLE_ENDPOINTS" ]]; then
--    keystone endpoint-create --region RegionOne --service-id $EC2_SERVICE \
-+    openstack endpoint create --region RegionOne \
-         --publicurl "http://$CONTROLLER_PUBLIC_ADDRESS:8773/services/Cloud" \
-         --adminurl "http://$CONTROLLER_ADMIN_ADDRESS:8773/services/Admin" \
--        --internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:8773/services/Cloud"
-+        --internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:8773/services/Cloud" \
-+        ec2
- fi
- 
- #
- # Swift service
- #
--SWIFT_SERVICE=$(get_id \
--keystone service-create --name=swift \
--                        --type="object-store" \
--                        --description="Swift Service")
-+openstack service create --name=swift \
-+                         --description="Swift Object Storage Service" \
-+                         object-store
- if [[ -z "$DISABLE_ENDPOINTS" ]]; then
--    keystone endpoint-create --region RegionOne --service-id $SWIFT_SERVICE \
-+    openstack endpoint create --region RegionOne \
-         --publicurl   "http://$CONTROLLER_PUBLIC_ADDRESS:8080/v1/AUTH_\$(tenant_id)s" \
-         --adminurl    "http://$CONTROLLER_ADMIN_ADDRESS:8080/v1" \
--        --internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:8080/v1/AUTH_\$(tenant_id)s"
-+        --internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:8080/v1/AUTH_\$(tenant_id)s" \
-+        swift
-+fi
-+
-+#
-+# Neutron service
-+#
-+openstack service create --name=neutron \
-+                         --description="Neutron Network Service" \
-+                         network
-+if [[ -z "$DISABLE_ENDPOINTS" ]]; then
-+    openstack endpoint create --region RegionOne \
-+        --publicurl   "http://$CONTROLLER_PUBLIC_ADDRESS:9696" \
-+        --adminurl    "http://$CONTROLLER_ADMIN_ADDRESS:9696" \
-+        --internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:9696" \
-+        neutron
- fi
- 
- # create ec2 creds and parse the secret and access key returned
--RESULT=$(keystone ec2-credentials-create --tenant-id=$SERVICE_TENANT --user-id=$ADMIN_USER)
-+ADMIN_USER=$(get_id openstack user show admin)
-+RESULT=$(openstack ec2 credentials create --project service --user $ADMIN_USER)
- ADMIN_ACCESS=`echo "$RESULT" | grep access | awk '{print $4}'`
- ADMIN_SECRET=`echo "$RESULT" | grep secret | awk '{print $4}'`
- 
--- a/components/openstack/keystone/patches/mysql_cluster_support.patch	Wed Sep 07 14:48:41 2016 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,348 +0,0 @@
-This patchset is for bug:
-
-22725754 - Keystone needs to support MySQL Cluster
-
-This fixes the following aspects of Keystone:
-1. Implementation of an oslo.db configuration parameter to specify the MySQL 
-   storage engine (mysql_storage_engine).
-2. Replacement of hardcoded SQL statements that set the engine to "InnoDB" 
-   to the above configuration value.
-3. Logic to handle SQL differences between MySQL InnoDB and MySQL Cluster (NDB). 
-   This includes column lengths, constraints, foreign keys, and indexes.
-
-This has not been committed upstream, but has been filed in launchpad:
-
-https://bugs.launchpad.net/keystone/+bug/1564110
-
-
---- keystone-2015.1.2/keystone/contrib/endpoint_policy/migrate_repo/versions/001_add_endpoint_policy_table.py.orig	2016-02-17 11:31:28.370731100 -0700
-+++ keystone-2015.1.2/keystone/contrib/endpoint_policy/migrate_repo/versions/001_add_endpoint_policy_table.py	2016-02-19 13:15:20.604166480 -0700
[email protected]@ -13,7 +13,9 @@
- # under the License.
- 
- import sqlalchemy as sql
-+from oslo_config import cfg
- 
-+CONF = cfg.CONF
- 
- def upgrade(migrate_engine):
-     # Upgrade operations go here. Don't create your own engine; bind
[email protected]@ -34,7 +36,7 @@ def upgrade(migrate_engine):
-         sql.Column('region_id', sql.String(64),
-                    nullable=True),
-         sql.UniqueConstraint('endpoint_id', 'service_id', 'region_id'),
--        mysql_engine='InnoDB',
-+        mysql_engine=CONF.database.mysql_storage_engine,
-         mysql_charset='utf8')
- 
-     endpoint_policy_table.create(migrate_engine, checkfirst=True)
---- keystone-2015.1.2/keystone/contrib/federation/migrate_repo/versions/001_add_identity_provider_table.py.orig	2016-02-17 11:31:28.364528948 -0700
-+++ keystone-2015.1.2/keystone/contrib/federation/migrate_repo/versions/001_add_identity_provider_table.py	2016-02-19 13:14:23.091304897 -0700
[email protected]@ -11,7 +11,9 @@
- # under the License.
- 
- import sqlalchemy as sql
-+from oslo_config import cfg
- 
-+CONF = cfg.CONF
- 
- def upgrade(migrate_engine):
-     meta = sql.MetaData()
[email protected]@ -23,7 +25,7 @@ def upgrade(migrate_engine):
-         sql.Column('id', sql.String(64), primary_key=True),
-         sql.Column('enabled', sql.Boolean, nullable=False),
-         sql.Column('description', sql.Text(), nullable=True),
--        mysql_engine='InnoDB',
-+        mysql_engine=CONF.database.mysql_storage_engine,
-         mysql_charset='utf8')
- 
-     idp_table.create(migrate_engine, checkfirst=True)
[email protected]@ -36,7 +38,7 @@ def upgrade(migrate_engine):
-                    sql.ForeignKey('identity_provider.id', ondelete='CASCADE'),
-                    primary_key=True),
-         sql.Column('mapping_id', sql.String(64), nullable=True),
--        mysql_engine='InnoDB',
-+        mysql_engine=CONF.database.mysql_storage_engine,
-         mysql_charset='utf8')
- 
-     federation_protocol_table.create(migrate_engine, checkfirst=True)
---- keystone-2015.1.2/keystone/contrib/federation/migrate_repo/versions/007_add_remote_id_table.py.orig	2016-02-17 11:31:28.369152519 -0700
-+++ keystone-2015.1.2/keystone/contrib/federation/migrate_repo/versions/007_add_remote_id_table.py	2016-02-19 13:14:36.794647452 -0700
[email protected]@ -11,7 +11,9 @@
- # under the License.
- 
- import sqlalchemy as orm
-+from oslo_config import cfg
- 
-+CONF = cfg.CONF
- 
- def upgrade(migrate_engine):
-     meta = orm.MetaData()
[email protected]@ -27,7 +29,7 @@ def upgrade(migrate_engine):
-         orm.Column('remote_id',
-                    orm.String(255),
-                    primary_key=True),
--        mysql_engine='InnoDB',
-+        mysql_engine=CONF.database.mysql_storage_engine,
-         mysql_charset='utf8')
- 
-     remote_id_table.create(migrate_engine, checkfirst=True)
---- keystone-2015.1.2/keystone/contrib/federation/migrate_repo/versions/005_add_service_provider_table.py.orig	2016-02-17 11:31:28.366074588 -0700
-+++ keystone-2015.1.2/keystone/contrib/federation/migrate_repo/versions/005_add_service_provider_table.py	2016-02-19 13:16:25.569156414 -0700
[email protected]@ -11,7 +11,9 @@
- # under the License.
- 
- import sqlalchemy as sql
-+from oslo_config import cfg
- 
-+CONF = cfg.CONF
- 
- def upgrade(migrate_engine):
-     meta = sql.MetaData()
[email protected]@ -25,7 +27,7 @@ def upgrade(migrate_engine):
-         sql.Column('enabled', sql.Boolean, nullable=False),
-         sql.Column('description', sql.Text(), nullable=True),
-         sql.Column('sp_url', sql.String(256), nullable=True),
--        mysql_engine='InnoDB',
-+        mysql_engine=CONF.database.mysql_storage_engine,
-         mysql_charset='utf8')
- 
-     sp_table.create(migrate_engine, checkfirst=True)
---- keystone-2015.1.2/keystone/contrib/federation/migrate_repo/versions/002_add_mapping_tables.py.orig	2016-02-17 11:31:28.367627604 -0700
-+++ keystone-2015.1.2/keystone/contrib/federation/migrate_repo/versions/002_add_mapping_tables.py	2016-02-19 13:14:46.042762324 -0700
[email protected]@ -11,7 +11,9 @@
- # under the License.
- 
- import sqlalchemy as sql
-+from oslo_config import cfg
- 
-+CONF = cfg.CONF
- 
- def upgrade(migrate_engine):
-     meta = sql.MetaData()
[email protected]@ -22,6 +24,6 @@ def upgrade(migrate_engine):
-         meta,
-         sql.Column('id', sql.String(64), primary_key=True),
-         sql.Column('rules', sql.Text(), nullable=False),
--        mysql_engine='InnoDB',
-+        mysql_engine=CONF.database.mysql_storage_engine ,
-         mysql_charset='utf8')
-     mapping_table.create(migrate_engine, checkfirst=True)
---- keystone-2015.1.2/keystone/common/sql/migration_helpers.py.orig	2016-02-17 11:31:28.355333466 -0700
-+++ keystone-2015.1.2/keystone/common/sql/migration_helpers.py	2016-02-19 10:15:36.520071425 -0700
[email protected]@ -164,9 +164,9 @@ def _fix_federation_tables(engine):
-         # alter table to execute
-         engine.execute("SET foreign_key_checks = 0")
-         # * Make the tables using InnoDB engine
--        engine.execute("ALTER TABLE identity_provider Engine=InnoDB")
--        engine.execute("ALTER TABLE federation_protocol Engine=InnoDB")
--        engine.execute("ALTER TABLE mapping Engine=InnoDB")
-+        engine.execute("ALTER TABLE identity_provider Engine=%s" % CONF.database.mysql_storage_engine)
-+        engine.execute("ALTER TABLE federation_protocol Engine=%s" % CONF.database.mysql_storage_engine)
-+        engine.execute("ALTER TABLE mapping Engine=%s" % CONF.database.mysql_storage_engine)
-         # * Make the tables using utf8 encoding
-         engine.execute("ALTER TABLE identity_provider "
-                        "CONVERT TO CHARACTER SET utf8")
---- keystone-2015.1.2/keystone/common/sql/migrate_repo/versions/051_add_id_mapping.py.orig	2016-02-17 11:31:28.357606093 -0700
-+++ keystone-2015.1.2/keystone/common/sql/migrate_repo/versions/051_add_id_mapping.py	2016-02-19 13:10:31.212704447 -0700
[email protected]@ -13,9 +13,10 @@
- # under the License.
- 
- import sqlalchemy as sql
--
- from keystone.identity.mapping_backends import mapping
-+from oslo_config import cfg
- 
-+CONF = cfg.CONF
- 
- MAPPING_TABLE = 'id_mapping'
- 
[email protected]@ -36,6 +37,6 @@ def upgrade(migrate_engine):
-             name='entity_type'),
-             nullable=False),
-         sql.UniqueConstraint('domain_id', 'local_id', 'entity_type'),
--        mysql_engine='InnoDB',
-+        mysql_engine=CONF.database.mysql_storage_engine,
-         mysql_charset='utf8')
-     mapping_table.create(migrate_engine, checkfirst=True)
---- keystone-2015.1.2/keystone/common/sql/migrate_repo/versions/044_icehouse.py.orig	2016-02-17 11:31:28.359732657 -0700
-+++ keystone-2015.1.2/keystone/common/sql/migrate_repo/versions/044_icehouse.py	2016-02-19 13:12:49.670971345 -0700
[email protected]@ -47,7 +47,7 @@ def upgrade(migrate_engine):
-         sql.Column('blob', ks_sql.JsonBlob, nullable=False),
-         sql.Column('type', sql.String(length=255), nullable=False),
-         sql.Column('extra', ks_sql.JsonBlob.impl),
--        mysql_engine='InnoDB',
-+        mysql_engine=CONF.database.mysql_storage_engine,
-         mysql_charset='utf8')
- 
-     domain = sql.Table(
[email protected]@ -56,7 +56,7 @@ def upgrade(migrate_engine):
-         sql.Column('name', sql.String(length=64), nullable=False),
-         sql.Column('enabled', sql.Boolean, default=True, nullable=False),
-         sql.Column('extra', ks_sql.JsonBlob.impl),
--        mysql_engine='InnoDB',
-+        mysql_engine=CONF.database.mysql_storage_engine,
-         mysql_charset='utf8')
- 
-     endpoint = sql.Table(
[email protected]@ -70,7 +70,7 @@ def upgrade(migrate_engine):
-         sql.Column('extra', ks_sql.JsonBlob.impl),
-         sql.Column('enabled', sql.Boolean, nullable=False, default=True,
-                    server_default='1'),
--        mysql_engine='InnoDB',
-+        mysql_engine=CONF.database.mysql_storage_engine,
-         mysql_charset='utf8')
- 
-     group = sql.Table(
[email protected]@ -80,7 +80,7 @@ def upgrade(migrate_engine):
-         sql.Column('name', sql.String(length=64), nullable=False),
-         sql.Column('description', sql.Text),
-         sql.Column('extra', ks_sql.JsonBlob.impl),
--        mysql_engine='InnoDB',
-+        mysql_engine=CONF.database.mysql_storage_engine,
-         mysql_charset='utf8')
- 
-     policy = sql.Table(
[email protected]@ -89,7 +89,7 @@ def upgrade(migrate_engine):
-         sql.Column('type', sql.String(length=255), nullable=False),
-         sql.Column('blob', ks_sql.JsonBlob, nullable=False),
-         sql.Column('extra', ks_sql.JsonBlob.impl),
--        mysql_engine='InnoDB',
-+        mysql_engine=CONF.database.mysql_storage_engine,
-         mysql_charset='utf8')
- 
-     project = sql.Table(
[email protected]@ -100,7 +100,7 @@ def upgrade(migrate_engine):
-         sql.Column('description', sql.Text),
-         sql.Column('enabled', sql.Boolean),
-         sql.Column('domain_id', sql.String(length=64), nullable=False),
--        mysql_engine='InnoDB',
-+        mysql_engine=CONF.database.mysql_storage_engine,
-         mysql_charset='utf8')
- 
-     role = sql.Table(
[email protected]@ -108,7 +108,7 @@ def upgrade(migrate_engine):
-         sql.Column('id', sql.String(length=64), primary_key=True),
-         sql.Column('name', sql.String(length=255), nullable=False),
-         sql.Column('extra', ks_sql.JsonBlob.impl),
--        mysql_engine='InnoDB',
-+        mysql_engine=CONF.database.mysql_storage_engine,
-         mysql_charset='utf8')
- 
-     service = sql.Table(
[email protected]@ -118,7 +118,7 @@ def upgrade(migrate_engine):
-         sql.Column('enabled', sql.Boolean, nullable=False, default=True,
-                    server_default='1'),
-         sql.Column('extra', ks_sql.JsonBlob.impl),
--        mysql_engine='InnoDB',
-+        mysql_engine=CONF.database.mysql_storage_engine,
-         mysql_charset='utf8')
- 
-     token = sql.Table(
[email protected]@ -129,7 +129,7 @@ def upgrade(migrate_engine):
-         sql.Column('valid', sql.Boolean, default=True, nullable=False),
-         sql.Column('trust_id', sql.String(length=64)),
-         sql.Column('user_id', sql.String(length=64)),
--        mysql_engine='InnoDB',
-+        mysql_engine=CONF.database.mysql_storage_engine,
-         mysql_charset='utf8')
- 
-     trust = sql.Table(
[email protected]@ -143,7 +143,7 @@ def upgrade(migrate_engine):
-         sql.Column('expires_at', sql.DateTime),
-         sql.Column('remaining_uses', sql.Integer, nullable=True),
-         sql.Column('extra', ks_sql.JsonBlob.impl),
--        mysql_engine='InnoDB',
-+        mysql_engine=CONF.database.mysql_storage_engine,
-         mysql_charset='utf8')
- 
-     trust_role = sql.Table(
[email protected]@ -152,7 +152,7 @@ def upgrade(migrate_engine):
-                    nullable=False),
-         sql.Column('role_id', sql.String(length=64), primary_key=True,
-                    nullable=False),
--        mysql_engine='InnoDB',
-+        mysql_engine=CONF.database.mysql_storage_engine,
-         mysql_charset='utf8')
- 
-     user = sql.Table(
[email protected]@ -164,14 +164,14 @@ def upgrade(migrate_engine):
-         sql.Column('enabled', sql.Boolean),
-         sql.Column('domain_id', sql.String(length=64), nullable=False),
-         sql.Column('default_project_id', sql.String(length=64)),
--        mysql_engine='InnoDB',
-+        mysql_engine=CONF.database.mysql_storage_engine,
-         mysql_charset='utf8')
- 
-     user_group_membership = sql.Table(
-         'user_group_membership', meta,
-         sql.Column('user_id', sql.String(length=64), primary_key=True),
-         sql.Column('group_id', sql.String(length=64), primary_key=True),
--        mysql_engine='InnoDB',
-+        mysql_engine=CONF.database.mysql_storage_engine,
-         mysql_charset='utf8')
- 
-     region = sql.Table(
[email protected]@ -181,7 +181,7 @@ def upgrade(migrate_engine):
-         sql.Column('description', sql.String(255), nullable=False),
-         sql.Column('parent_region_id', sql.String(64), nullable=True),
-         sql.Column('extra', sql.Text()),
--        mysql_engine='InnoDB',
-+        mysql_engine=CONF.database.mysql_storage_engine,
-         mysql_charset='utf8')
- 
-     assignment = sql.Table(
[email protected]@ -199,7 +199,7 @@ def upgrade(migrate_engine):
-         sql.Column('role_id', sql.String(64), nullable=False),
-         sql.Column('inherited', sql.Boolean, default=False, nullable=False),
-         sql.PrimaryKeyConstraint('type', 'actor_id', 'target_id', 'role_id'),
--        mysql_engine='InnoDB',
-+        mysql_engine=CONF.database.mysql_storage_engine,
-         mysql_charset='utf8')
- 
-     # create all tables
---- keystone-2015.1.2/keystone/common/sql/migrate_repo/versions/065_add_domain_config.py.orig	2016-02-17 11:31:28.361388817 -0700
-+++ keystone-2015.1.2/keystone/common/sql/migrate_repo/versions/065_add_domain_config.py	2016-02-19 13:10:34.283121353 -0700
[email protected]@ -11,8 +11,10 @@
- # under the License.
- 
- import sqlalchemy as sql
--
- from keystone.common import sql as ks_sql
-+from oslo_config import cfg
-+
-+CONF = cfg.CONF
- 
- WHITELIST_TABLE = 'whitelisted_config'
- SENSITIVE_TABLE = 'sensitive_config'
[email protected]@ -29,7 +31,7 @@ def upgrade(migrate_engine):
-         sql.Column('group', sql.String(255), primary_key=True),
-         sql.Column('option', sql.String(255), primary_key=True),
-         sql.Column('value', ks_sql.JsonBlob.impl, nullable=False),
--        mysql_engine='InnoDB',
-+        mysql_engine=CONF.database.mysql_storage_engine,
-         mysql_charset='utf8')
-     whitelist_table.create(migrate_engine, checkfirst=True)
- 
[email protected]@ -40,6 +42,6 @@ def upgrade(migrate_engine):
-         sql.Column('group', sql.String(255), primary_key=True),
-         sql.Column('option', sql.String(255), primary_key=True),
-         sql.Column('value', ks_sql.JsonBlob.impl, nullable=False),
--        mysql_engine='InnoDB',
-+        mysql_engine=CONF.database.mysql_storage_engine,
-         mysql_charset='utf8')
-     sensitive_table.create(migrate_engine, checkfirst=True)
---- keystone-2015.1.2/keystone/tests/unit/test_sql_upgrade.py.orig	2016-02-17 11:31:28.362966631 -0700
-+++ keystone-2015.1.2/keystone/tests/unit/test_sql_upgrade.py	2016-02-19 10:47:11.044395387 -0700
[email protected]@ -663,9 +663,9 @@ class SqlUpgradeTests(SqlMigrateBase):
-         noninnodb = connection.execute("SELECT table_name "
-                                        "from information_schema.TABLES "
-                                        "where TABLE_SCHEMA='%(database)s' "
--                                       "and ENGINE!='InnoDB' "
-+                                       "and ENGINE!='%(mysql_storage_engine)s' "
-                                        "and TABLE_NAME!='migrate_version'" %
--                                       dict(database=database))
-+                                       dict(database=database, mysql_storage_engine=CONF.database.mysql_storage_engine))
-         names = [x[0] for x in noninnodb]
-         self.assertEqual([], names,
-                          "Non-InnoDB tables exist")
--- a/components/openstack/keystone/patches/no-federation.patch	Wed Sep 07 14:48:41 2016 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,14 +0,0 @@
-In-house patch to remove the Federation extension from the default
-Keystone pipeline as this is not currently supported on Solaris.
-
---- keystone-2015.1.2/etc/keystone-paste.ini.~1~	2015-10-13 10:18:02.000000000 -0700
-+++ keystone-2015.1.2/etc/keystone-paste.ini	2016-05-28 23:30:44.744506171 -0700
[email protected]@ -79,7 +79,7 @@ pipeline = sizelimit url_normalize reque
- [pipeline:api_v3]
- # The last item in this pipeline must be service_v3 or an equivalent
- # application. It cannot be a filter.
--pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension oauth1_extension endpoint_filter_extension endpoint_policy_extension service_v3
-+pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension oauth1_extension endpoint_filter_extension endpoint_policy_extension service_v3
- 
- [app:public_version_service]
- paste.app_factory = keystone.service:public_version_app_factory
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openstack/keystone/patches/no-pysaml2.patch	Wed Sep 07 14:48:41 2016 -0700
@@ -0,0 +1,61 @@
+We don't currently have pysaml2 in Solaris because of its
+dependency on pycrypto.
+
+This patch makes the pysaml2 dependency in keystone optional.
+The saml_idp_metadata command of keystone-manage and
+federation_routers are disabled if the modules that depend
+on pysaml2 cannot be loaded.
+
+This patch is not suitable for pushing upstream.
+
+--- keystone-9.0.0/keystone/version/service.py.~1~	2016-04-06 23:37:38.000000000 -0800
++++ keystone-9.0.0/keystone/version/service.py	2016-05-18 20:25:46.012718550 -0800
[email protected]@ -26,7 +26,6 @@ from keystone.catalog import routers as
+ from keystone.common import wsgi
+ from keystone.credential import routers as credential_routers
+ from keystone.endpoint_policy import routers as endpoint_policy_routers
+-from keystone.federation import routers as federation_routers
+ from keystone.i18n import _LW
+ from keystone.identity import routers as identity_routers
+ from keystone.oauth1 import routers as oauth1_routers
[email protected]@ -139,12 +138,17 @@ def v3_app_factory(global_conf, **local_
+                        policy_routers,
+                        resource_routers,
+                        revoke_routers,
+-                       federation_routers,
+                        oauth1_routers,
+                        # TODO(morganfainberg): Remove the simple_cert router
+                        # when PKI and PKIZ tokens are removed.
+                        simple_cert_ext]
+ 
++    try:
++        from keystone.federation import routers as federation_routers
++        all_api_routers.append(federation_routers)
++    except:
++        pass
++
+     if CONF.trust.enabled:
+         all_api_routers.append(trust_routers)
+ 
+--- keystone-9.0.0/keystone/cmd/cli.py.~1~	2016-04-06 23:37:38.000000000 -0800
++++ keystone-9.0.0/keystone/cmd/cli.py	2016-05-19 00:26:16.105127235 -0800
[email protected]@ -32,7 +32,6 @@ from keystone.common import sql
+ from keystone.common.sql import migration_helpers
+ from keystone.common import utils
+ from keystone import exception
+-from keystone.federation import idp
+ from keystone.federation import utils as mapping_engine
+ from keystone.i18n import _, _LW, _LI
+ from keystone.server import backends
[email protected]@ -848,6 +847,11 @@ class SamlIdentityProviderMetadata(BaseA
+ 
+     @staticmethod
+     def main():
++        try:
++            from keystone.federation import idp
++        except:
++            raise ValueError(_('saml_idp_metadata not currently supported; '
++                               'pysaml2 is required.')) 
+         metadata = idp.MetadataGenerator().generate_metadata()
+         print(metadata.to_string())
+ 
--- a/components/openstack/keystone/patches/requirements.patch	Wed Sep 07 14:48:41 2016 -0700
+++ b/components/openstack/keystone/patches/requirements.patch	Wed Sep 07 14:48:41 2016 -0700
@@ -1,71 +1,25 @@
 In-house patch to remove unnecessary dependencies from Keystone's
 requirements files. The specific reasons are as follows:
 
-iso8601			Not applicable
-
-netaddr			Not applicable
-
 Paste			Not applicable
 
-posix-ipc		Not applicable
-
 pysaml2			Not applicable to Solaris
 
---- keystone-2015.1.2/keystone.egg-info/requires.txt.~1~	2015-10-13 10:22:09.000000000 -0700
-+++ keystone-2015.1.2/keystone.egg-info/requires.txt	2016-02-02 00:30:30.677285834 -0800
[email protected]@ -2,16 +2,13 @@ pbr!=0.7,<1.0,>=0.6
- WebOb>=1.2.3
- eventlet!=0.17.0,>=0.16.1
- greenlet>=0.3.2
--netaddr>=0.7.12
- PasteDeploy>=1.5.0
--Paste
- Routes!=2.0,>=1.12.3
- cryptography>=0.8 # Apache-2.0
- six>=1.9.0
- SQLAlchemy<=0.9.99,>=0.9.7
- sqlalchemy-migrate!=0.9.8,<0.10.0,>=0.9.5
- passlib
--iso8601>=0.1.9
- python-keystoneclient<1.4.0,>=1.2.0
- keystonemiddleware<1.6.0,>=1.5.0
- oslo.concurrency<1.9.0,>=1.8.2 # Apache-2.0
[email protected]@ -25,9 +22,7 @@ oslo.policy<0.4.0,>=0.3.1 # Apache-2.0
- oslo.serialization<1.5.0,>=1.4.0 # Apache-2.0
- oslo.utils!=1.4.1,<1.5.0,>=1.4.0 # Apache-2.0
- oauthlib>=0.6
--pysaml2
- dogpile.cache>=0.5.3
- jsonschema<3.0.0,>=2.0.0
- pycadf<0.9.0,>=0.8.0
--posix-ipc
- msgpack-python>=0.4.0
---- keystone-2015.1.2/requirements.txt.~1~	2015-10-13 10:18:02.000000000 -0700
-+++ keystone-2015.1.2/requirements.txt	2016-02-02 00:30:59.005350937 -0800
[email protected]@ -6,16 +6,13 @@ pbr!=0.7,<1.0,>=0.6
- WebOb>=1.2.3
- eventlet!=0.17.0,>=0.16.1
- greenlet>=0.3.2
--netaddr>=0.7.12
- PasteDeploy>=1.5.0
--Paste
- Routes!=2.0,>=1.12.3
- cryptography>=0.8 # Apache-2.0
- six>=1.9.0
- SQLAlchemy<=0.9.99,>=0.9.7
- sqlalchemy-migrate!=0.9.8,<0.10.0,>=0.9.5
- passlib
--iso8601>=0.1.9
- python-keystoneclient<1.4.0,>=1.2.0
- keystonemiddleware<1.6.0,>=1.5.0
- oslo.concurrency<1.9.0,>=1.8.2 # Apache-2.0
[email protected]@ -29,9 +26,7 @@ oslo.policy<0.4.0,>=0.3.1 # Apache-2.0
- oslo.serialization<1.5.0,>=1.4.0 # Apache-2.0
- oslo.utils!=1.4.1,<1.5.0,>=1.4.0 # Apache-2.0
- oauthlib>=0.6
--pysaml2
- dogpile.cache>=0.5.3
- jsonschema<3.0.0,>=2.0.0
- pycadf<0.9.0,>=0.8.0
--posix-ipc
- msgpack-python>=0.4.0
+--- keystone-9.0.2/requirements.txt.~1~	2016-05-26 11:34:30.000000000 -0800
++++ keystone-9.0.2/requirements.txt	2016-06-27 18:17:38.084276305 -0800
[email protected]@ -7,7 +7,6 @@ WebOb>=1.2.3 # MIT
+ eventlet!=0.18.3,>=0.18.2 # MIT
+ greenlet>=0.3.2 # MIT
+ PasteDeploy>=1.5.0 # MIT
+-Paste # MIT
+ Routes!=2.0,!=2.1,!=2.3.0,>=1.12.3;python_version=='2.7' # MIT
+ Routes!=2.0,!=2.3.0,>=1.12.3;python_version!='2.7' # MIT
+ cryptography!=1.3.0,>=1.0 # BSD/Apache-2.0
[email protected]@ -32,7 +31,6 @@ oslo.serialization>=1.10.0 # Apache-2.0
+ oslo.service>=1.0.0 # Apache-2.0
+ oslo.utils>=3.5.0 # Apache-2.0
+ oauthlib>=0.6 # BSD
+-pysaml2<4.0.3,>=2.4.0 # Apache-2.0
+ dogpile.cache>=0.5.7 # BSD
+ jsonschema!=2.5.0,<3.0.0,>=2.0.0 # MIT
+ pycadf!=2.0.0,>=1.1.0 # Apache-2.0
--- a/components/openstack/keystone/patches/sample-data.sh.patch	Wed Sep 07 14:48:41 2016 -0700
+++ b/components/openstack/keystone/patches/sample-data.sh.patch	Wed Sep 07 14:48:41 2016 -0700
@@ -7,8 +7,8 @@
 It also includes a change to use the standard Solaris tr(1) rather than
 GNU sed.
 
---- keystone-2015.1.2/tools/sample_data.sh.~2~	2016-02-07 01:41:04.218073379 -0800
-+++ keystone-2015.1.2/tools/sample_data.sh	2016-02-07 01:44:19.119595020 -0800
+--- keystone-9.1.0/tools/sample_data.sh.~1~	2016-07-05 08:27:02.000000000 -0700
++++ keystone-9.1.0/tools/sample_data.sh	2016-08-24 02:06:51.106133355 -0700
 @@ -23,8 +23,8 @@
  # API.  It will get the admin_token (OS_TOKEN) and admin_port from
  # keystone.conf if available.
@@ -20,18 +20,24 @@
  #
  # A EC2-compatible credential is created for the admin user and
  # placed in etc/ec2rc.
[email protected]@ -37,11 +37,15 @@
- # service              ec2       admin
- # service              swift     admin
- # service              neutron   admin
[email protected]@ -33,15 +33,19 @@
+ # -------------------------------------------------------
+ # demo                 admin     admin
+ # service              glance    service
+-# service              nova      service
++# service              nova      admin, service
+ # service              ec2       service
+ # service              swift     service
+-# service              neutron   service
 -
 -# By default, passwords used are those in the OpenStack Install and Deploy Manual.
 -# One can override these (publicly known, and hence, insecure) passwords by setting the appropriate
 -# environment variables. A common default password for all the services can be used by
 -# setting the "SERVICE_PASSWORD" environment variable.
-+# service              cinder    admin
-+# service              heat      admin
-+# service              ironic    admin
++# service              neutron   admin, service
++# service              cinder    service
++# service              heat      service
++# service              ironic    service
 +
 +# By default, passwords used are those in the OpenStack Install and Deploy
 +# Manual. One can override these (publicly known, and hence, insecure)
@@ -124,9 +130,26 @@
      fi
  fi
  
[email protected]@ -156,6 +204,29 @@ openstack role add --user neutron \
[email protected]@ -139,6 +187,10 @@ openstack user create nova --project ser
+ 
+ openstack role add --user nova \
                     --project service \
-                    admin
++                   admin
++
++openstack role add --user nova \
++                   --project service \
+                    service
+ 
+ openstack user create ec2 --project service \
[email protected]@ -160,8 +212,35 @@ openstack user create neutron --project
+ 
+ openstack role add --user neutron \
+                    --project service \
++                   admin
++
++openstack role add --user neutron \
++                   --project service \
+                    service
  
 +openstack user create cinder --project service \
 +                             --password "${CINDER_PASSWORD}"
@@ -154,7 +177,7 @@
  #
  # Keystone service
  #
[email protected]@ -178,24 +249,32 @@ openstack service create --name=nova \
[email protected]@ -184,24 +263,32 @@ openstack service create --name=nova \
                           compute
  if [[ -z "$DISABLE_ENDPOINTS" ]]; then
      openstack endpoint create --region RegionOne \
@@ -195,7 +218,7 @@
  fi
  
  #
[email protected]@ -206,9 +285,9 @@ openstack service create --name=glance \
[email protected]@ -212,9 +299,9 @@ openstack service create --name=glance \
                           image
  if [[ -z "$DISABLE_ENDPOINTS" ]]; then
      openstack endpoint create --region RegionOne  \
@@ -208,7 +231,7 @@
          glance
  fi
  
[email protected]@ -220,9 +299,9 @@ openstack service create --name=ec2 \
[email protected]@ -226,9 +313,9 @@ openstack service create --name=ec2 \
                           ec2
  if [[ -z "$DISABLE_ENDPOINTS" ]]; then
      openstack endpoint create --region RegionOne \
@@ -221,7 +244,7 @@
          ec2
  fi
  
[email protected]@ -234,9 +313,11 @@ openstack service create --name=swift \
[email protected]@ -240,9 +327,11 @@ openstack service create --name=swift \
                           object-store
  if [[ -z "$DISABLE_ENDPOINTS" ]]; then
      openstack endpoint create --region RegionOne \
@@ -236,7 +259,7 @@
          swift
  fi
  
[email protected]@ -248,12 +329,48 @@ openstack service create --name=neutron
[email protected]@ -254,12 +343,48 @@ openstack service create --name=neutron
                           network
  if [[ -z "$DISABLE_ENDPOINTS" ]]; then
      openstack endpoint create --region RegionOne \