--- a/components/openstack/keystone/Makefile Wed Sep 07 14:48:41 2016 -0700
+++ b/components/openstack/keystone/Makefile Wed Sep 07 14:48:41 2016 -0700
@@ -26,20 +26,19 @@
include ../../../make-rules/shared-macros.mk
COMPONENT_NAME= keystone
-COMPONENT_CODENAME= kilo
-COMPONENT_VERSION= 2015.1.2
-COMPONENT_BE_VERSION= 2015.1
+COMPONENT_CODENAME= mitaka
+COMPONENT_VERSION= 9.1.0
+COMPONENT_BE_VERSION= 2016.1
COMPONENT_SRC= $(COMPONENT_NAME)-$(COMPONENT_VERSION)
COMPONENT_ARCHIVE= $(COMPONENT_SRC).tar.gz
COMPONENT_ARCHIVE_HASH= \
- sha256:af63a89ca1cebfff593e35c24105c1442ab50f760871d756a48cfc120a7a8ddb
-COMPONENT_ARCHIVE_URL= http://launchpad.net/$(COMPONENT_NAME)/$(COMPONENT_CODENAME)/$(COMPONENT_VERSION)/+download/$(COMPONENT_ARCHIVE)
+ sha256:3828f8907d07901a3f0516b9ee99fbd42bd9d293e4fa137d850a46487c76bad3
+COMPONENT_ARCHIVE_URL= https://tarballs.openstack.org/$(COMPONENT_NAME)/$(COMPONENT_ARCHIVE)
COMPONENT_SIG_URL= $(COMPONENT_ARCHIVE_URL).asc
COMPONENT_PROJECT_URL= http://www.openstack.org/
COMPONENT_BUGDB= service/keystone
-IPS_COMPONENT_VERSION= 0.$(COMPONENT_VERSION)
-TPNO= 25790
+TPNO= 30359
PKG_VARS += COMPONENT_BE_VERSION
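Review bot: `COMPONENT_SIG_URL` is still derived as `$(COMPONENT_ARCHIVE_URL).asc`, so after the move to tarballs.openstack.org it points at a location this change does not show to exist. How the shared make rules handle a missing signature is not visible here, but if no detached signature is published at that path, the pinned `COMPONENT_ARCHIVE_HASH` becomes the only integrity control on the tarball. Worth confirming that the `.asc` resolves, or adding a comment above the variable such as `# No upstream signature at this URL; the sha256 above is the trust anchor.` `COMPONENT_PROJECT_URL` also still uses `http://` and could become `https://www.openstack.org/` to match the new archive URL.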
@@ -78,8 +77,7 @@
test: $(NO_TESTS)
-system-test: $(NO_TESTS)
-
+system-test: $(NO_TESTS)
REQUIRED_PACKAGES += cloud/openstack/openstack-common
REQUIRED_PACKAGES += library/python/iniparse-27
--- a/components/openstack/keystone/files/keystone Wed Sep 07 14:48:41 2016 -0700
+++ b/components/openstack/keystone/files/keystone Wed Sep 07 14:48:41 2016 -0700
@@ -15,12 +15,11 @@
# under the License.
import os
+from subprocess import CalledProcessError, check_call, Popen
import sys
import smf_include
-from subprocess import CalledProcessError, check_call, Popen
-
def httpd(cmd):
cmd = ['/usr/apache2/2.4/bin/httpd', '-f',
--- a/components/openstack/keystone/files/keystone-upgrade Wed Sep 07 14:48:41 2016 -0700
+++ b/components/openstack/keystone/files/keystone-upgrade Wed Sep 07 14:48:41 2016 -0700
@@ -29,89 +29,11 @@
KEYSTONE_CONF_MAPPINGS = {
# Deprecated group/name
- ('DEFAULT', 'admin_bind_host'): ('eventlet_server', 'admin_bind_host'),
- ('DEFAULT', 'admin_workers'): ('eventlet_server', 'admin_workers'),
- ('DEFAULT', 'admin_port'): ('eventlet_server', 'admin_port'),
- ('DEFAULT', 'tcp_keepidle'): ('eventlet_server', 'tcp_keepidle'),
- ('ssl', 'cert_required'): ('eventlet_server_ssl', 'cert_required'),
- ('DEFAULT', 'public_port'): ('eventlet_server', 'public_port'),
- ('DEFAULT', 'public_bind_host'): ('eventlet_server', 'public_bind_host'),
- ('DEFAULT', 'tcp_keepalive'): ('eventlet_server', 'tcp_keepalive'),
- ('DEFAULT', 'public_workers'): ('eventlet_server', 'public_workers'),
- ('ssl', 'keyfile'): ('eventlet_server_ssl', 'keyfile'),
- ('ssl', 'ca_certs'): ('eventlet_server_ssl', 'ca_certs'),
- ('ssl', 'enable'): ('eventlet_server_ssl', 'enable'),
- ('ssl', 'certfile'): ('eventlet_server_ssl', 'certfile'),
- ('DEFAULT', 'amqp_durable_queues'):
- ('oslo_messaging_qpid', 'amqp_durable_queues'),
- ('DEFAULT', 'amqp_auto_delete'):
- ('oslo_messaging_qpid', 'amqp_auto_delete'),
- ('DEFAULT', 'rpc_conn_pool_size'):
- ('oslo_messaging_qpid', 'rpc_conn_pool_size'),
- ('DEFAULT', 'qpid_hostname'):
- ('oslo_messaging_qpid', 'qpid_hostname'),
- ('DEFAULT', 'qpid_port'):
- ('oslo_messaging_qpid', 'qpid_port'),
- ('DEFAULT', 'qpid_hosts'):
- ('oslo_messaging_qpid', 'qpid_hosts'),
- ('DEFAULT', 'qpid_username'):
- ('oslo_messaging_qpid', 'qpid_username'),
- ('DEFAULT', 'qpid_password'):
- ('oslo_messaging_qpid', 'qpid_password'),
- ('DEFAULT', 'qpid_sasl_mechanisms'):
- ('oslo_messaging_qpid', 'qpid_sasl_mechanisms'),
- ('DEFAULT', 'qpid_heartbeat'):
- ('oslo_messaging_qpid', 'qpid_heartbeat'),
- ('DEFAULT', 'qpid_tcp_nodelay'):
- ('oslo_messaging_qpid', 'qpid_tcp_nodelay'),
- ('DEFAULT', 'qpid_receiver_capacity'):
- ('oslo_messaging_qpid', 'qpid_receiver_capacity'),
- ('DEFAULT', 'qpid_topology_version'):
- ('oslo_messaging_qpid', 'qpid_topology_version'),
- ('DEFAULT', 'kombu_ssl_version'):
- ('oslo_messaging_rabbit', 'kombu_ssl_version'),
- ('DEFAULT', 'kombu_ssl_keyfile'):
- ('oslo_messaging_rabbit', 'kombu_ssl_keyfile'),
- ('DEFAULT', 'kombu_ssl_certfile'):
- ('oslo_messaging_rabbit', 'kombu_ssl_certfile'),
- ('DEFAULT', 'kombu_ssl_ca_certs'):
- ('oslo_messaging_rabbit', 'kombu_ssl_ca_certs'),
- ('DEFAULT', 'kombu_reconnect_delay'):
- ('oslo_messaging_rabbit', 'kombu_reconnect_delay'),
- ('DEFAULT', 'rabbit_host'):
- ('oslo_messaging_rabbit', 'rabbit_host'),
- ('DEFAULT', 'rabbit_port'):
- ('oslo_messaging_rabbit', 'rabbit_port'),
- ('DEFAULT', 'rabbit_hosts'):
- ('oslo_messaging_rabbit', 'rabbit_hosts'),
- ('DEFAULT', 'rabbit_use_ssl'):
- ('oslo_messaging_rabbit', 'rabbit_use_ssl'),
- ('DEFAULT', 'rabbit_userid'):
- ('oslo_messaging_rabbit', 'rabbit_userid'),
- ('DEFAULT', 'rabbit_password'):
- ('oslo_messaging_rabbit', 'rabbit_password'),
- ('DEFAULT', 'rabbit_login_method'):
- ('oslo_messaging_rabbit', 'rabbit_login_method'),
- ('DEFAULT', 'rabbit_virtual_host'):
- ('oslo_messaging_rabbit', 'rabbit_virtual_host'),
- ('DEFAULT', 'rabbit_retry_interval'):
- ('oslo_messaging_rabbit', 'rabbit_retry_interval'),
- ('DEFAULT', 'rabbit_retry_backoff'):
- ('oslo_messaging_rabbit', 'rabbit_retry_backoff'),
- ('DEFAULT', 'rabbit_max_retries'):
- ('oslo_messaging_rabbit', 'rabbit_max_retries'),
- ('DEFAULT', 'rabbit_ha_queues'):
- ('oslo_messaging_rabbit', 'rabbit_ha_queues'),
- ('DEFAULT', 'fake_rabbit'):
- ('oslo_messaging_rabbit', 'fake_rabbit'),
- ('DEFAULT', 'max_request_body_size'):
- ('oslo_middleware', 'max_request_body_size'),
- ('assignment', 'list_limit'): ('resource', 'list_limit'),
- ('assignment', 'caching'): ('resource', 'caching'),
- ('assignment', 'cache_time'): ('resource', 'cache_time'),
- ('token', 'revocation_cache_time'): ('revoke', 'cache_time'),
- ('DEFAULT', 'log-format'): (None, None),
- ('DEFAULT', 'use-syslog'): (None, None),
+ ('DEFAULT', 'rpc_thread_pool_size'):
+ ('DEFAULT', 'executor_thread_pool_size'),
+ ('DEFAULT', 'compute_port'): (None, None),
+ ('DEFAULT', 'log_format'): (None, None),
+ ('DEFAULT', 'use_syslog'): (None, None),
}
KEYSTONE_CONF_EXCEPTIONS = [
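Review bot: The replacement `KEYSTONE_CONF_MAPPINGS` drops every Kilo-era entry, including the `[ssl]` to `[eventlet_server_ssl]` moves and `DEFAULT/rabbit_password` to `oslo_messaging_rabbit`, so a keystone.conf that was never migrated (for example an upgrade that skips Kilo) would presumably keep those settings under their old names. Whether Mitaka still honours each old name is not visible in this hunk. I would add a comment above the dict stating the supported starting release, e.g. `# Covers options deprecated since Kilo; older configs must be upgraded to Kilo first.` The `log_format` and `use_syslog` keys now use underscores where the removed lines had hyphens, which looks like an intended fix and deserves a mention in the commit description.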
@@ -152,19 +74,6 @@
modify_conf('/etc/keystone/keystone-paste.ini')
modify_conf('/etc/keystone/logging.conf')
- config = iniparse.RawConfigParser()
- config.read('/etc/keystone/keystone.conf')
- # In certain cases the database section does not exist and the
- # default database chosen is sqlite.
- if config.has_section('database'):
- db_connection = config.get('database', 'connection')
-
- if db_connection.startswith('mysql'):
- engine = sqlalchemy.create_engine(db_connection)
- if engine.url.username != '%SERVICE_USER%':
- alter_mysql_tables(engine)
- print "altered character set to utf8 in keystone tables"
-
# update the current version
check_call(['/usr/sbin/svccfg', '-s', os.environ['SMF_FMRI'], 'setprop',
'config/upgrade-id', '=', pkg_ver])
--- a/components/openstack/keystone/files/keystone.conf Wed Sep 07 14:48:41 2016 -0700
+++ b/components/openstack/keystone/files/keystone.conf Wed Sep 07 14:48:41 2016 -0700
@@ -5,18 +5,12 @@
#
# A "shared secret" that can be used to bootstrap Keystone. This "token" does
-# not represent a user, and carries no explicit authorization. To disable in
-# production (highly recommended), remove AdminTokenAuthMiddleware from your
-# paste application pipelines (for example, in keystone-paste.ini). (string
-# value)
-#admin_token = ADMIN
-
-# (Deprecated) The port which the OpenStack Compute service listens on. This
-# option was only used for string replacement in the templated catalog backend.
-# Templated catalogs should replace the "$(compute_port)s" substitution with
-# the static port of the compute service. As of Juno, this option is deprecated
-# and will be removed in the L release. (integer value)
-#compute_port = 8774
+# not represent a user, and carries no explicit authorization. If set to
+# `None`, the value is ignored and the `admin_token` log in mechanism is
+# effectively disabled. To completely disable `admin_token` in production
+# (highly recommended), remove AdminTokenAuthMiddleware from your paste
+# application pipelines (for example, in keystone-paste.ini). (string value)
+#admin_token = <None>
# The base public endpoint URL for Keystone that is advertised to clients
# (NOTE: this does NOT affect how Keystone listens for connections). Defaults
@@ -34,8 +28,9 @@
# found on a different server. (string value)
#admin_endpoint = <None>
-# Maximum depth of the project hierarchy. WARNING: setting it to a large value
-# may adversely impact performance. (integer value)
+# Maximum depth of the project hierarchy, excluding the project acting as a
+# domain at the top of the hierarchy. WARNING: setting it to a large value may
+# adversely impact performance. (integer value)
#max_project_tree_depth = 5
# Limit the sizes of user & project ID/names. (integer value)
@@ -57,7 +52,9 @@
# The value passed as the keyword "rounds" to passlib's encrypt method.
# (integer value)
-#crypt_strength = 40000
+# Minimum value: 1000
+# Maximum value: 100000
+#crypt_strength = 10000
# The maximum number of entities that will be returned in a collection, with no
# limit set by default. This global limit may be then overridden for a specific
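Review bot: The documented default for `crypt_strength` drops from 40000 to 10000 rounds here, and because the line stays commented out the package inherits the lower password-hashing work factor after the upgrade. If the previous cost is meant to be kept, ship an explicit `crypt_strength = 40000`, which is inside the stated 1000–100000 range. Otherwise add a comment recording that the reduction is an accepted upstream default. Hashes already stored are presumably unaffected until a password is next changed, but that depends on passlib behaviour not shown in this diff.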
@@ -69,7 +66,10 @@
# project entities to be moved between domains by updating their domain_id.
# Allowing such movement is not recommended if the scope of a domain admin is
# being restricted by use of an appropriate policy file (see
-# policy.v3cloudsample as an example). (boolean value)
+# policy.v3cloudsample as an example). This ability is deprecated and will be
+# removed in a future release. (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#domain_id_immutable = true
# If set to true, strict password length checking is performed for password
@@ -79,9 +79,14 @@
#strict_password_check = false
# The HTTP header used to determine the scheme for the original request, even
-# if it was removed by an SSL terminating proxy. Typical value is
-# "HTTP_X_FORWARDED_PROTO". (string value)
-#secure_proxy_ssl_header = <None>
+# if it was removed by an SSL terminating proxy. (string value)
+#secure_proxy_ssl_header = HTTP_X_FORWARDED_PROTO
+
+# If set to true the server will return information in the response that may
+# allow an unauthenticated or authenticated user to get more information than
+# normal, such as why authentication failed. This may be useful for debugging
+# but is insecure. (boolean value)
+#insecure_debug = false
#
# From keystone.notifications
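Review bot: `secure_proxy_ssl_header` now defaults to `HTTP_X_FORWARDED_PROTO` instead of `<None>`, so with the line left commented out Keystone trusts that request header when working out the original scheme. That is only sound when the TLS-terminating front end always overwrites or strips the header. If the packaged Apache configuration (not visible in this hunk) can pass a client-supplied value through, the scheme becomes client-controlled. Suggest a packaging comment such as `# Safe only when the TLS-terminating proxy sets this header itself; unset it if Keystone is reached directly.`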
@@ -93,96 +98,101 @@
# Define the notification format for Identity Service events. A "basic"
# notification has information about the resource being operated on. A "cadf"
# notification has the same information, as well as information about the
-# initiator of the event. Valid options are: basic and cadf (string value)
+# initiator of the event. (string value)
+# Allowed values: basic, cadf
#notification_format = basic
-#
-# From keystone.openstack.common.eventlet_backdoor
-#
-
-# Enable eventlet backdoor. Acceptable values are 0, <port>, and
-# <start>:<end>, where 0 results in listening on a random tcp port number;
-# <port> results in listening on the specified port number (and not enabling
-# backdoor if that port is in use); and <start>:<end> results in listening on
-# the smallest unused port number within the specified range of port numbers.
-# The chosen port is displayed in the service's log file. (string value)
-#backdoor_port = <None>
+# Define the notification options to opt-out from. The value expected is:
+# identity.<resource_type>.<operation>. This field can be set multiple times in
+# order to add more notifications to opt-out from. For example:
+# notification_opt_out=identity.user.created
+# notification_opt_out=identity.authenticate.success (multi valued)
+#notification_opt_out =
#
# From oslo.log
#
-# Print debugging output (set logging level to DEBUG instead of default WARNING
-# level). (boolean value)
+# If set to true, the logging level will be set to DEBUG instead of the default
+# INFO level. (boolean value)
#debug = false
-# Print more verbose output (set logging level to INFO instead of default
-# WARNING level). (boolean value)
-#verbose = false
+# If set to false, the logging level will be set to WARNING instead of the
+# default INFO level. (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+#verbose = true
# The name of a logging configuration file. This file is appended to any
# existing logging configuration files. For details about logging configuration
-# files, see the Python logging module documentation. (string value)
+# files, see the Python logging module documentation. Note that when logging
+# configuration files are used then all logging configuration is set in the
+# configuration file and other logging configuration options are ignored (for
+# example, logging_context_format_string). (string value)
# Deprecated group/name - [DEFAULT]/log_config
#log_config_append = <None>
-# DEPRECATED. A logging.Formatter log message format string which may use any
-# of the available logging.LogRecord attributes. This option is deprecated.
-# Please use logging_context_format_string and logging_default_format_string
-# instead. (string value)
-#log_format = <None>
-
-# Format string for %%(asctime)s in log records. Default: %(default)s . (string
+# Defines the format string for %%(asctime)s in log records. Default:
+# %(default)s . This option is ignored if log_config_append is set. (string
# value)
#log_date_format = %Y-%m-%d %H:%M:%S
-# (Optional) Name of log file to output to. If no default is set, logging will
-# go to stdout. (string value)
+# (Optional) Name of log file to send logging output to. If no default is set,
+# logging will go to stderr as defined by use_stderr. This option is ignored if
+# log_config_append is set. (string value)
# Deprecated group/name - [DEFAULT]/logfile
#log_file = <None>
-# (Optional) The base directory used for relative --log-file paths. (string
-# value)
+# (Optional) The base directory used for relative log_file paths. This option
+# is ignored if log_config_append is set. (string value)
# Deprecated group/name - [DEFAULT]/logdir
#log_dir = <None>
-# Use syslog for logging. Existing syslog format is DEPRECATED during I, and
-# will change in J to honor RFC5424. (boolean value)
+# Uses logging handler designed to watch file system. When log file is moved or
+# removed this handler will open a new log file with specified path
+# instantaneously. It makes sense only if log_file option is specified and
+# Linux platform is used. This option is ignored if log_config_append is set.
+# (boolean value)
+#watch_log_file = false
+
+# Use syslog for logging. Existing syslog format is DEPRECATED and will be
+# changed later to honor RFC5424. This option is ignored if log_config_append
+# is set. (boolean value)
#use_syslog = false
-# (Optional) Enables or disables syslog rfc5424 format for logging. If enabled,
-# prefixes the MSG part of the syslog message with APP-NAME (RFC5424). The
-# format without the APP-NAME is deprecated in I, and will be removed in J.
-# (boolean value)
-#use_syslog_rfc_format = false
-
-# Syslog facility to receive log lines. (string value)
+# Syslog facility to receive log lines. This option is ignored if
+# log_config_append is set. (string value)
#syslog_log_facility = LOG_USER
-# Log output to standard error. (boolean value)
+# Log output to standard error. This option is ignored if log_config_append is
+# set. (boolean value)
#use_stderr = true
# Format string to use for log messages with context. (string value)
#logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s
-# Format string to use for log messages without context. (string value)
+# Format string to use for log messages when context is undefined. (string
+# value)
#logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
-# Data to append to log format when level is DEBUG. (string value)
+# Additional data to append to log message when logging level for the message
+# is DEBUG. (string value)
#logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d
# Prefix each line of exception output with this format. (string value)
-#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s
-
-# List of logger=LEVEL pairs. (list value)
-#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN
+#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s
+
+# Defines the format string for %(user_identity)s that is used in
+# logging_context_format_string. (string value)
+#logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s
+
+# List of package logging levels in logger=LEVEL pairs. This option is ignored
+# if log_config_append is set. (list value)
+#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN,keystoneauth=WARN,oslo.cache=INFO,dogpile.core.dogpile=INFO
# Enables or disables publication of error events. (boolean value)
#publish_errors = false
-# Enables or disables fatal status of deprecations. (boolean value)
-#fatal_deprecations = false
-
# The format for an instance that is passed with the log message. (string
# value)
#instance_format = "[instance: %(uuid)s] "
@@ -191,19 +201,27 @@
# value)
#instance_uuid_format = "[instance: %(uuid)s] "
+# Enables or disables fatal status of deprecations. (boolean value)
+#fatal_deprecations = false
+
#
# From oslo.messaging
#
+# Size of RPC connection pool. (integer value)
+# Deprecated group/name - [DEFAULT]/rpc_conn_pool_size
+#rpc_conn_pool_size = 30
+
# ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP.
# The "host" option should point or resolve to this address. (string value)
#rpc_zmq_bind_address = *
# MatchMaker driver. (string value)
-#rpc_zmq_matchmaker = local
-
-# ZeroMQ receiver listening port. (integer value)
-#rpc_zmq_port = 9501
+# Allowed values: redis, dummy
+#rpc_zmq_matchmaker = redis
+
+# Type of concurrency used. Either "native" or "eventlet" (string value)
+#rpc_zmq_concurrency = eventlet
# Number of ZeroMQ contexts, defaults to 1. (integer value)
#rpc_zmq_contexts = 1
@@ -219,25 +237,41 @@
# "host" option, if running Nova. (string value)
#rpc_zmq_host = localhost
-# Seconds to wait before a cast expires (TTL). Only supported by impl_zmq.
+# Seconds to wait before a cast expires (TTL). The default value of -1
+# specifies an infinite linger period. The value of 0 specifies no linger
+# period. Pending messages shall be discarded immediately when the socket is
+# closed. Only supported by impl_zmq. (integer value)
+#rpc_cast_timeout = -1
+
+# The default number of seconds that poll should wait. Poll raises timeout
+# exception when timeout expired. (integer value)
+#rpc_poll_timeout = 1
+
+# Expiration timeout in seconds of a name service record about existing target
+# ( < 0 means no timeout). (integer value)
+#zmq_target_expire = 120
+
+# Use PUB/SUB pattern for fanout methods. PUB/SUB always uses proxy. (boolean
+# value)
+#use_pub_sub = true
+
+# Minimal port number for random ports range. (port value)
+# Minimum value: 0
+# Maximum value: 65535
+#rpc_zmq_min_port = 49152
+
+# Maximal port number for random ports range. (integer value)
+# Minimum value: 1
+# Maximum value: 65536
+#rpc_zmq_max_port = 65536
+
+# Number of retries to find free port number before fail with ZMQBindError.
# (integer value)
-#rpc_cast_timeout = 30
-
-# Heartbeat frequency. (integer value)
-#matchmaker_heartbeat_freq = 300
-
-# Heartbeat time-to-live. (integer value)
-#matchmaker_heartbeat_ttl = 600
-
-# Size of RPC thread pool. (integer value)
-#rpc_thread_pool_size = 64
-
-# Driver or drivers to handle sending notifications. (multi valued)
-#notification_driver =
-
-# AMQP topic used for OpenStack notifications. (list value)
-# Deprecated group/name - [rpc_notifier2]/topics
-#notification_topics = notifications
+#rpc_zmq_bind_port_retries = 100
+
+# Size of executor thread pool. (integer value)
+# Deprecated group/name - [DEFAULT]/rpc_thread_pool_size
+#executor_thread_pool_size = 64
# Seconds to wait for a response from a call. (integer value)
#rpc_response_timeout = 60
@@ -247,7 +281,7 @@
# configuration. (string value)
#transport_url = <None>
-# The messaging driver to use, defaults to rabbit. Other drivers include qpid
+# The messaging driver to use, defaults to rabbit. Other drivers include amqp
# and zmq. (string value)
#rpc_backend = rabbit
@@ -255,6 +289,32 @@
# exchange name specified in the transport_url option. (string value)
#control_exchange = keystone
+#
+# From oslo.service.service
+#
+
+# Enable eventlet backdoor. Acceptable values are 0, <port>, and
+# <start>:<end>, where 0 results in listening on a random tcp port number;
+# <port> results in listening on the specified port number (and not enabling
+# backdoor if that port is in use); and <start>:<end> results in listening on
+# the smallest unused port number within the specified range of port numbers.
+# The chosen port is displayed in the service's log file. (string value)
+#backdoor_port = <None>
+
+# Enable eventlet backdoor, using the provided path as a unix socket that can
+# receive connections. This option is mutually exclusive with 'backdoor_port'
+# in that only one should be provided. If both are provided then the existence
+# of this option overrides the usage of that option. (string value)
+#backdoor_socket = <None>
+
+# Enables or disables logging values of all registered options when starting a
+# service (at DEBUG level). (boolean value)
+#log_options = true
+
+# Specify a timeout after which a gracefully shutdown server will exit. Zero
+# value means endless wait. (integer value)
+#graceful_shutdown_timeout = 60
+
[assignment]
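Review bot: The new `backdoor_socket` entry, like `backdoor_port` above it, is described only as enabling the eventlet backdoor and does not say it should stay unset in production. The backdoor is a debugging interface, so anyone able to reach the socket or port can presumably inspect the running service. Both lines ship commented out with `<None>`, which is the right default; a comment such as `# Leave unset in production; for debugging, keep the socket in a directory accessible only to the keystone user.` would make that explicit. `log_options = true` also logs all registered option values at DEBUG on start-up, so it is worth confirming that secret options are masked before debug logging is enabled.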
@@ -262,9 +322,17 @@
# From keystone
#
-# Assignment backend driver. (string value)
+# Entrypoint for the assignment backend driver in the keystone.assignment
+# namespace. Only an SQL driver is supplied. If an assignment driver is not
+# specified, the identity driver will choose the assignment driver (driver
+# selection based on `[identity]/driver` option is deprecated and will be
+# removed in the "O" release). (string value)
#driver = <None>
+# A list of role names which are prohibited from being an implied role. (list
+# value)
+#prohibited_implied_role = admin
+
[auth]
@@ -272,32 +340,37 @@
# From keystone
#
-# Default auth methods. (list value)
+# Allowed authentication methods. (list value)
#methods = external,password,token,oauth1
-# The password auth plugin module. (string value)
-#password = keystone.auth.plugins.password.Password
-
-# The token auth plugin module. (string value)
-#token = keystone.auth.plugins.token.Token
-
-# The external (REMOTE_USER) auth plugin module. (string value)
-#external = keystone.auth.plugins.external.DefaultDomain
-
-# The oAuth1.0 auth plugin module. (string value)
-#oauth1 = keystone.auth.plugins.oauth1.OAuth
+# Entrypoint for the password auth plugin module in the keystone.auth.password
+# namespace. (string value)
+#password = <None>
+
+# Entrypoint for the token auth plugin module in the keystone.auth.token
+# namespace. (string value)
+#token = <None>
+
+# Entrypoint for the external (REMOTE_USER) auth plugin module in the
+# keystone.auth.external namespace. Supplied drivers are DefaultDomain and
+# Domain. The default driver is DefaultDomain. (string value)
+#external = <None>
+
+# Entrypoint for the oAuth1.0 auth plugin module in the keystone.auth.oauth1
+# namespace. (string value)
+#oauth1 = <None>
[cache]
#
-# From keystone
+# From oslo.cache
#
# Prefix for building the configuration dictionary for the cache region. This
# should not need to be changed unless there is another dogpile.cache region
# with the same configuration name. (string value)
-#config_prefix = cache.keystone
+#config_prefix = cache.oslo
# Default TTL, in seconds, for any cached item in the dogpile.cache region.
# This applies to any cached method that doesn't have an explicit cache
@@ -305,10 +378,10 @@
#expiration_time = 600
# Dogpile.cache backend module. It is recommended that Memcache with pooling
-# (keystone.cache.memcache_pool) or Redis (dogpile.cache.redis) be used in
+# (oslo_cache.memcache_pool) or Redis (dogpile.cache.redis) be used in
# production deployments. Small workloads (single process) like devstack can
# use the dogpile.cache.memory backend. (string value)
-#backend = keystone.common.cache.noop
+#backend = dogpile.cache.null
# Arguments supplied to the backend module. Specify this option once per
# argument to be passed to the dogpile.cache backend. Example format:
@@ -320,8 +393,7 @@
# (list value)
#proxies =
-# Global toggle for all caching using the should_cache_fn mechanism. (boolean
-# value)
+# Global toggle for caching. (boolean value)
#enabled = false
# Extra debugging from the cache backend (cache keys, get/set/delete/etc
@@ -331,24 +403,24 @@
#debug_cache_backend = false
# Memcache servers in the format of "host:port". (dogpile.cache.memcache and
-# keystone.cache.memcache_pool backends only). (list value)
+# oslo_cache.memcache_pool backends only). (list value)
#memcache_servers = localhost:11211
# Number of seconds memcached server is considered dead before it is tried
-# again. (dogpile.cache.memcache and keystone.cache.memcache_pool backends
-# only). (integer value)
+# again. (dogpile.cache.memcache and oslo_cache.memcache_pool backends only).
+# (integer value)
#memcache_dead_retry = 300
# Timeout in seconds for every call to a server. (dogpile.cache.memcache and
-# keystone.cache.memcache_pool backends only). (integer value)
+# oslo_cache.memcache_pool backends only). (integer value)
#memcache_socket_timeout = 3
# Max total number of open connections to every memcached server.
-# (keystone.cache.memcache_pool backend only). (integer value)
+# (oslo_cache.memcache_pool backend only). (integer value)
#memcache_pool_maxsize = 10
# Number of seconds a connection to memcached is held unused in the pool before
-# it is closed. (keystone.cache.memcache_pool backend only). (integer value)
+# it is closed. (oslo_cache.memcache_pool backend only). (integer value)
#memcache_pool_unused_timeout = 60
# Number of seconds that an operation will wait to get a memcache client
@@ -366,8 +438,10 @@
# value)
#template_file = default_catalog.templates
-# Catalog backend driver. (string value)
-#driver = keystone.catalog.backends.sql.Catalog
+# Entrypoint for the catalog backend driver in the keystone.catalog namespace.
+# Supplied drivers are kvs, sql, templated, and endpoint_filter.sql (string
+# value)
+#driver = sql
# Toggle for catalog caching. This has no effect unless global caching is
# enabled. (boolean value)
@@ -382,14 +456,71 @@
#list_limit = <None>
+[cors]
+
+#
+# From oslo.middleware
+#
+
+# Indicate whether this resource may be shared with the domain received in the
+# requests "origin" header. (list value)
+#allowed_origin = <None>
+
+# Indicate that the actual request can include user credentials (boolean value)
+#allow_credentials = true
+
+# Indicate which headers are safe to expose to the API. Defaults to HTTP Simple
+# Headers. (list value)
+#expose_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
+
+# Maximum cache age of CORS preflight requests. (integer value)
+#max_age = 3600
+
+# Indicate which methods can be used during the actual request. (list value)
+#allow_methods = GET,PUT,POST,DELETE,PATCH
+
+# Indicate which header field names may be used during the actual request.
+# (list value)
+#allow_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token,X-Project-Id,X-Project-Name,X-Project-Domain-Id,X-Project-Domain-Name,X-Domain-Id,X-Domain-Name
+
+
+[cors.subdomain]
+
+#
+# From oslo.middleware
+#
+
+# Indicate whether this resource may be shared with the domain received in the
+# requests "origin" header. (list value)
+#allowed_origin = <None>
+
+# Indicate that the actual request can include user credentials (boolean value)
+#allow_credentials = true
+
+# Indicate which headers are safe to expose to the API. Defaults to HTTP Simple
+# Headers. (list value)
+#expose_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
+
+# Maximum cache age of CORS preflight requests. (integer value)
+#max_age = 3600
+
+# Indicate which methods can be used during the actual request. (list value)
+#allow_methods = GET,PUT,POST,DELETE,PATCH
+
+# Indicate which header field names may be used during the actual request.
+# (list value)
+#allow_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token,X-Project-Id,X-Project-Name,X-Project-Domain-Id,X-Project-Domain-Name,X-Domain-Id,X-Domain-Name
+
+
[credential]
#
# From keystone
#
-# Credential backend driver. (string value)
-#driver = keystone.credential.backends.sql.Credential
+# Entrypoint for the credential backend driver in the keystone.credential
+# namespace. (string value)
+#driver = sql
[database]
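Review bot: Both new CORS sections document `allow_credentials = true` as the default while `allowed_origin` is `<None>`, so as soon as an operator sets an origin list, credentialed cross-origin requests are permitted for it. A comment next to `allowed_origin` should say that only exact, trusted origins belong there, e.g. `# List exact trusted origins only; set allow_credentials = false unless browser credentials are required.` The same applies to the `[cors.subdomain]` copy further down in this hunk.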
@@ -427,12 +558,6 @@
# (string value)
#mysql_sql_mode = TRADITIONAL
-# This configures the MySQL storage engine. This allows for OpenStack to
-# support different storage engines such as InnoDB, NDB, etc. By Default,
-# this value will be set to InnoDB. For MySQL Cluster, set to NDBCLUSTER.
-# Example: mysql_storage_engine=(string value)
-#mysql_storage_engine = InnoDB
-
# Timeout before idle SQL connections are reaped. (integer value)
# Deprecated group/name - [DEFAULT]/sql_idle_timeout
# Deprecated group/name - [DATABASE]/sql_idle_timeout
@@ -463,7 +588,7 @@
# If set, use this value for max_overflow with SQLAlchemy. (integer value)
# Deprecated group/name - [DEFAULT]/sql_max_overflow
# Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow
-#max_overflow = <None>
+#max_overflow = 50
# Verbosity of SQL debugging information: 0=None, 100=Everything. (integer
# value)
@@ -504,8 +629,9 @@
# From keystone
#
-# Domain config backend driver. (string value)
-#driver = keystone.resource.config_backends.sql.DomainConfig
+# Entrypoint for the domain config backend driver in the
+# keystone.resource.domain_config namespace. (string value)
+#driver = sql
# Toggle for domain config caching. This has no effect unless global caching is
# enabled. (boolean value)
@@ -522,8 +648,9 @@
# From keystone
#
-# Endpoint Filter backend driver (string value)
-#driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter
+# Entrypoint for the endpoint filter backend driver in the
+# keystone.endpoint_filter namespace. (string value)
+#driver = sql
# Toggle to return all active endpoints if no filter exists. (boolean value)
#return_all_endpoints_if_no_filter = true
@@ -535,8 +662,17 @@
# From keystone
#
-# Endpoint policy backend driver (string value)
-#driver = keystone.contrib.endpoint_policy.backends.sql.EndpointPolicy
+# Enable endpoint_policy functionality. (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: The option to enable the OS-ENDPOINT-POLICY extension has been
+# deprecated in the M release and will be removed in the O release. The OS-
+# ENDPOINT-POLICY extension will be enabled by default.
+#enabled = true
+
+# Entrypoint for the endpoint policy backend driver in the
+# keystone.endpoint_policy namespace. (string value)
+#driver = sql
[eventlet_server]
@@ -548,31 +684,47 @@
# The number of worker processes to serve the public eventlet application.
# Defaults to number of CPUs (minimum of 2). (integer value)
# Deprecated group/name - [DEFAULT]/public_workers
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
public_workers = 2
# The number of worker processes to serve the admin eventlet application.
# Defaults to number of CPUs (minimum of 2). (integer value)
# Deprecated group/name - [DEFAULT]/admin_workers
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
admin_workers = 2
# The IP address of the network interface for the public service to listen on.
# (string value)
# Deprecated group/name - [DEFAULT]/bind_host
# Deprecated group/name - [DEFAULT]/public_bind_host
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#public_bind_host = 0.0.0.0
-# The port number which the public service listens on. (integer value)
+# The port number which the public service listens on. (port value)
+# Minimum value: 0
+# Maximum value: 65535
# Deprecated group/name - [DEFAULT]/public_port
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#public_port = 5000
# The IP address of the network interface for the admin service to listen on.
# (string value)
# Deprecated group/name - [DEFAULT]/bind_host
# Deprecated group/name - [DEFAULT]/admin_bind_host
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#admin_bind_host = 0.0.0.0
-# The port number which the admin service listens on. (integer value)
+# The port number which the admin service listens on. (port value)
+# Minimum value: 0
+# Maximum value: 65535
# Deprecated group/name - [DEFAULT]/admin_port
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#admin_port = 35357
# If set to false, disables keepalives on the server; all connections will be
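Review bot: `public_workers = 2` and `admin_workers = 2` are the only uncommented settings in this hunk, and the new side now marks both as deprecated for removal with a value that "may be silently ignored". The service method script shown earlier in this change starts Apache httpd, which suggests the eventlet listeners are not what serves keystone here, although that is not confirmed by this hunk. If so, the two values are dead configuration and would be clearer commented out. Otherwise a line such as `# Kept for the eventlet server only; has no effect when keystone runs under httpd.` would explain why they stay set.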
@@ -581,18 +733,23 @@
# Timeout for socket operations on a client connection. If an incoming
# connection is idle for this number of seconds it will be closed. A value of
-# '0' means wait forever. (integer value)
+# "0" means wait forever. (integer value)
#client_socket_timeout = 900
# Set this to true if you want to enable TCP_KEEPALIVE on server sockets, i.e.
# sockets used by the Keystone wsgi server for client connections. (boolean
# value)
# Deprecated group/name - [DEFAULT]/tcp_keepalive
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#tcp_keepalive = false
# Sets the value of TCP_KEEPIDLE in seconds for each server socket. Only
-# applies if tcp_keepalive is true. (integer value)
+# applies if tcp_keepalive is true. Ignored if system does not support it.
+# (integer value)
# Deprecated group/name - [DEFAULT]/tcp_keepidle
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#tcp_keepidle = 600
@@ -604,24 +761,34 @@
# Toggle for SSL support on the Keystone eventlet servers. (boolean value)
# Deprecated group/name - [ssl]/enable
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#enable = false
# Path of the certfile for SSL. For non-production environments, you may be
# interested in using `keystone-manage ssl_setup` to generate self-signed
# certificates. (string value)
# Deprecated group/name - [ssl]/certfile
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#certfile = /etc/keystone/ssl/certs/keystone.pem
# Path of the keyfile for SSL. (string value)
# Deprecated group/name - [ssl]/keyfile
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#keyfile = /etc/keystone/ssl/private/keystonekey.pem
# Path of the CA cert file for SSL. (string value)
# Deprecated group/name - [ssl]/ca_certs
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#ca_certs = /etc/keystone/ssl/certs/ca.pem
# Require client certificate. (boolean value)
# Deprecated group/name - [ssl]/cert_required
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#cert_required = false
@@ -631,8 +798,9 @@
# From keystone
#
-# Federation backend driver. (string value)
-#driver = keystone.contrib.federation.backends.sql.Federation
+# Entrypoint for the federation backend driver in the keystone.federation
+# namespace. (string value)
+#driver = sql
# Value to be used when filtering assertion parameters from the environment.
# (string value)
@@ -646,16 +814,14 @@
# A domain name that is reserved to allow federated ephemeral users to have a
# domain concept. Note that an admin will not be able to create a domain with
# this name or update an existing domain to this name. You are not advised to
-# change this value unless you really have to. Changing this option to empty
-# string or None will not have any impact and default name will be used.
-# (string value)
+# change this value unless you really have to. (string value)
#federated_domain_name = Federated
# A list of trusted dashboard hosts. Before accepting a Single Sign-On request
# to return a token, the origin host must be a member of the trusted_dashboard
# list. This configuration option may be repeated for multiple values. For
-# example: trusted_dashboard=http://acme.com trusted_dashboard=http://beta.com
-# (multi valued)
+# example: trusted_dashboard=http://acme.com/auth/websso
+# trusted_dashboard=http://beta.com/auth/websso (multi valued)
#trusted_dashboard =
# Location of Single Sign-On callback handler, will return a token to a trusted
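Review bot: The rewritten `trusted_dashboard` example still uses cleartext `http://` URLs, and this list decides which dashboard a Single Sign-On token is returned to. An operator who copies the example would have that token delivered over an unencrypted connection. The example reads better as `# example: trusted_dashboard=https://acme.com/auth/websso`, with the second entry changed the same way. The example now carries the `/auth/websso` path, so it looks as if the full URL rather than just the host has to match; a short comment saying so would avoid entries that never match.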
@@ -713,8 +879,9 @@
# if domain_specific_drivers_enabled is set to true. (string value)
#domain_config_dir = /etc/keystone/domains
-# Identity backend driver. (string value)
-#driver = keystone.identity.backends.sql.Identity
+# Entrypoint for the identity backend driver in the keystone.identity
+# namespace. Supplied drivers are ldap and sql. (string value)
+#driver = sql
# Toggle for identity caching. This has no effect unless global caching is
# enabled. (boolean value)
@@ -726,6 +893,7 @@
# Maximum supported length for user passwords; decrease to improve performance.
# (integer value)
+# Maximum value: 4096
#max_password_length = 4096
# Maximum number of entities that will be returned in an identity collection.
@@ -739,13 +907,14 @@
# From keystone
#
-# Keystone Identity Mapping backend driver. (string value)
-#driver = keystone.identity.mapping_backends.sql.Mapping
-
-# Public ID generator for user and group entities. The Keystone identity mapper
-# only supports generators that produce no more than 64 characters. (string
-# value)
-#generator = keystone.identity.id_generators.sha256.Generator
+# Entrypoint for the identity mapping backend driver in the
+# keystone.identity.id_mapping namespace. (string value)
+#driver = sql
+
+# Entrypoint for the public ID generator for user and group entities in the
+# keystone.identity.id_generator namespace. The Keystone identity mapper only
+# supports generators that produce no more than 64 characters. (string value)
+#generator = sha256
# The format of user and group IDs changed in Juno for backends that do not
# generate UUIDs (e.g. LDAP), with keystone providing a hash mapping to the
@@ -757,7 +926,7 @@
# mapping for even the default LDAP driver. It is only safe to do this if you
# do not already have assignments for users and groups from the default LDAP
# domain, and it is acceptable for Keystone to provide the different IDs to
-# clients than it did previously. Typically this means that the only time you
+# clients than it did previously. Typically this means that the only time you
# can set this value to False is when configuring a fresh installation.
# (boolean value)
#backward_compatible_ids = true
@@ -793,7 +962,9 @@
# From keystone
#
-# URL for connecting to the LDAP server. (string value)
+# URL(s) for connecting to the LDAP server. Multiple LDAP URLs may be specified
+# as a comma separated string. The first URL to successfully bind is used for
+# the connection. (string value)
#url = ldap://localhost
# User BindDN to query the LDAP server. (string value)
@@ -817,18 +988,18 @@
# your LDAP server supports subtree deletion. (boolean value)
#allow_subtree_delete = false
-# The LDAP scope for queries, this can be either "one" (onelevel/singleLevel)
-# or "sub" (subtree/wholeSubtree). (string value)
+# The LDAP scope for queries, "one" represents oneLevel/singleLevel and "sub"
+# represents subtree/wholeSubtree options. (string value)
+# Allowed values: one, sub
#query_scope = one
# Maximum results per page; a value of zero ("0") disables paging. (integer
# value)
#page_size = 0
-# The LDAP dereferencing option for queries. This can be either "never",
-# "searching", "always", "finding" or "default". The "default" option falls
-# back to using default dereferencing configured by your ldap.conf. (string
-# value)
+# The LDAP dereferencing option for queries. The "default" option falls back to
+# using default dereferencing configured by your ldap.conf. (string value)
+# Allowed values: never, searching, always, finding, default
#alias_dereferencing = default
# Sets the LDAP debugging level for LDAP calls. A value of 0 means that
@@ -840,7 +1011,7 @@
# value)
#chase_referrals = <None>
-# Search base for users. (string value)
+# Search base for users. Defaults to the suffix value. (string value)
#user_tree_dn = <None>
# LDAP search filter for users. (string value)
@@ -856,6 +1027,9 @@
# LDAP attribute mapped to user name. (string value)
#user_name_attribute = sn
+# LDAP attribute mapped to user description. (string value)
+#user_description_attribute = description
+
# LDAP attribute mapped to user email. (string value)
#user_mail_attribute = mail
@@ -887,18 +1061,30 @@
#user_enabled_default = True
# List of attributes stripped off the user on update. (list value)
-#user_attribute_ignore = default_project_id,tenants
+#user_attribute_ignore = default_project_id
# LDAP attribute mapped to default_project_id for users. (string value)
#user_default_project_id_attribute = <None>
# Allow user creation in LDAP backend. (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Write support for Identity LDAP backends has been deprecated in the M
+# release and will be removed in the O release.
#user_allow_create = true
# Allow user updates in LDAP backend. (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Write support for Identity LDAP backends has been deprecated in the M
+# release and will be removed in the O release.
#user_allow_update = true
# Allow user deletion in LDAP backend. (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Write support for Identity LDAP backends has been deprecated in the M
+# release and will be removed in the O release.
#user_allow_delete = true
# If true, Keystone uses an alternative method to determine if a user is
@@ -910,117 +1096,17 @@
# (string value)
#user_enabled_emulation_dn = <None>
+# Use the "group_member_attribute" and "group_objectclass" settings to
+# determine membership in the emulated enabled group. (boolean value)
+#user_enabled_emulation_use_group_config = false
+
# List of additional LDAP attributes used for mapping additional attribute
# mappings for users. Attribute mapping format is <ldap_attr>:<user_attr>,
# where ldap_attr is the attribute in the LDAP entry and user_attr is the
# Identity API attribute. (list value)
#user_additional_attribute_mapping =
-# Search base for projects (string value)
-# Deprecated group/name - [ldap]/tenant_tree_dn
-#project_tree_dn = <None>
-
-# LDAP search filter for projects. (string value)
-# Deprecated group/name - [ldap]/tenant_filter
-#project_filter = <None>
-
-# LDAP objectclass for projects. (string value)
-# Deprecated group/name - [ldap]/tenant_objectclass
-#project_objectclass = groupOfNames
-
-# LDAP attribute mapped to project id. (string value)
-# Deprecated group/name - [ldap]/tenant_id_attribute
-#project_id_attribute = cn
-
-# LDAP attribute mapped to project membership for user. (string value)
-# Deprecated group/name - [ldap]/tenant_member_attribute
-#project_member_attribute = member
-
-# LDAP attribute mapped to project name. (string value)
-# Deprecated group/name - [ldap]/tenant_name_attribute
-#project_name_attribute = ou
-
-# LDAP attribute mapped to project description. (string value)
-# Deprecated group/name - [ldap]/tenant_desc_attribute
-#project_desc_attribute = description
-
-# LDAP attribute mapped to project enabled. (string value)
-# Deprecated group/name - [ldap]/tenant_enabled_attribute
-#project_enabled_attribute = enabled
-
-# LDAP attribute mapped to project domain_id. (string value)
-# Deprecated group/name - [ldap]/tenant_domain_id_attribute
-#project_domain_id_attribute = businessCategory
-
-# List of attributes stripped off the project on update. (list value)
-# Deprecated group/name - [ldap]/tenant_attribute_ignore
-#project_attribute_ignore =
-
-# Allow project creation in LDAP backend. (boolean value)
-# Deprecated group/name - [ldap]/tenant_allow_create
-#project_allow_create = true
-
-# Allow project update in LDAP backend. (boolean value)
-# Deprecated group/name - [ldap]/tenant_allow_update
-#project_allow_update = true
-
-# Allow project deletion in LDAP backend. (boolean value)
-# Deprecated group/name - [ldap]/tenant_allow_delete
-#project_allow_delete = true
-
-# If true, Keystone uses an alternative method to determine if a project is
-# enabled or not by checking if they are a member of the
-# "project_enabled_emulation_dn" group. (boolean value)
-# Deprecated group/name - [ldap]/tenant_enabled_emulation
-#project_enabled_emulation = false
-
-# DN of the group entry to hold enabled projects when using enabled emulation.
-# (string value)
-# Deprecated group/name - [ldap]/tenant_enabled_emulation_dn
-#project_enabled_emulation_dn = <None>
-
-# Additional attribute mappings for projects. Attribute mapping format is
-# <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry
-# and user_attr is the Identity API attribute. (list value)
-# Deprecated group/name - [ldap]/tenant_additional_attribute_mapping
-#project_additional_attribute_mapping =
-
-# Search base for roles. (string value)
-#role_tree_dn = <None>
-
-# LDAP search filter for roles. (string value)
-#role_filter = <None>
-
-# LDAP objectclass for roles. (string value)
-#role_objectclass = organizationalRole
-
-# LDAP attribute mapped to role id. (string value)
-#role_id_attribute = cn
-
-# LDAP attribute mapped to role name. (string value)
-#role_name_attribute = ou
-
-# LDAP attribute mapped to role membership. (string value)
-#role_member_attribute = roleOccupant
-
-# List of attributes stripped off the role on update. (list value)
-#role_attribute_ignore =
-
-# Allow role creation in LDAP backend. (boolean value)
-#role_allow_create = true
-
-# Allow role update in LDAP backend. (boolean value)
-#role_allow_update = true
-
-# Allow role deletion in LDAP backend. (boolean value)
-#role_allow_delete = true
-
-# Additional attribute mappings for roles. Attribute mapping format is
-# <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry
-# and user_attr is the Identity API attribute. (list value)
-#role_additional_attribute_mapping =
-
-# Search base for groups. (string value)
+# Search base for groups. Defaults to the suffix value. (string value)
#group_tree_dn = <None>
# LDAP search filter for groups. (string value)
@@ -1045,12 +1131,24 @@
#group_attribute_ignore =
# Allow group creation in LDAP backend. (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Write support for Identity LDAP backends has been deprecated in the M
+# release and will be removed in the O release.
#group_allow_create = true
# Allow group update in LDAP backend. (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Write support for Identity LDAP backends has been deprecated in the M
+# release and will be removed in the O release.
#group_allow_update = true
# Allow group deletion in LDAP backend. (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Write support for Identity LDAP backends has been deprecated in the M
+# release and will be removed in the O release.
#group_allow_delete = true
# Additional attribute mappings for groups. Attribute mapping format is
@@ -1068,11 +1166,13 @@
# Enable TLS for communicating with LDAP servers. (boolean value)
#use_tls = false
-# Valid options for tls_req_cert are demand, never, and allow. (string value)
+# Specifies what checks to perform on client certificates in an incoming TLS
+# session. (string value)
+# Allowed values: demand, never, allow
#tls_req_cert = demand
# Enable LDAP connection pooling. (boolean value)
-#use_pool = false
+#use_pool = true
# Connection pool size. (integer value)
#pool_size = 10
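Review bot: The new description of `tls_req_cert` speaks of "client certificates in an incoming TLS session", but for these LDAP settings keystone is the client, so the option governs how the directory server's certificate is checked on the outgoing connection. Read literally, the new text suggests that `never` or `allow` only relaxes a client-certificate check, when they actually let the connection proceed with an unverified server certificate. Suggested wording: `# Specifies what checks to perform on the LDAP server certificate when TLS is used; "never" and "allow" do not reject an invalid certificate.` The unchanged context line `#use_tls = false` also means TLS to the directory stays opt-in, which is worth stating next to the `ldap://localhost` URL example.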
@@ -1094,7 +1194,7 @@
# Enable LDAP connection pooling for end user authentication. If use_pool is
# disabled, then this setting is meaningless and is not used at all. (boolean
# value)
-#use_auth_pool = false
+#use_auth_pool = true
# End user auth connection pool size. (integer value)
#auth_pool_size = 100
@@ -1102,6 +1202,11 @@
# End user auth connection lifetime in seconds. (integer value)
#auth_pool_connection_lifetime = 60
+# If the members of the group objectclass are user IDs rather than DNs, set
+# this to true. This is the case when using posixGroup as the group objectclass
+# and OpenDirectory. (boolean value)
+#group_members_are_ids = false
+
[matchmaker_redis]
@@ -1112,22 +1217,29 @@
# Host to locate redis. (string value)
#host = 127.0.0.1
-# Use this port to connect to redis host. (integer value)
+# Use this port to connect to redis host. (port value)
+# Minimum value: 0
+# Maximum value: 65535
#port = 6379
# Password for Redis server (optional). (string value)
-#password = <None>
-
-
-[matchmaker_ring]
-
-#
-# From oslo.messaging
-#
-
-# Matchmaker ring file (JSON). (string value)
-# Deprecated group/name - [DEFAULT]/matchmaker_ringfile
-#ringfile = /etc/oslo/matchmaker_ring.json
+#password =
+
+# List of Redis Sentinel hosts (fault tolerance mode) e.g.
+# [host:port, host1:port ... ] (list value)
+#sentinel_hosts =
+
+# Redis replica set name. (string value)
+#sentinel_group_name = oslo-messaging-zeromq
+
+# Time in ms to wait between connection attempts. (integer value)
+#wait_timeout = 500
+
+# Time in ms to wait before the transaction is killed. (integer value)
+#check_timeout = 20000
+
+# Timeout in ms on blocking socket operations (integer value)
+#socket_timeout = 1000
[memcache]
@@ -1171,8 +1283,9 @@
# From keystone
#
-# Credential backend driver. (string value)
-#driver = keystone.contrib.oauth1.backends.sql.OAuth1
+# Entrypoint for the OAuth backend driver in the keystone.oauth1 namespace.
+# (string value)
+#driver = sql
# Duration (in seconds) for the OAuth Request Token. (integer value)
#request_token_duration = 28800
@@ -1188,8 +1301,15 @@
#
# role-assignment inheritance to projects from owning domain or from projects
-# higher in the hierarchy can be optionally enabled. (boolean value)
-#enabled = false
+# higher in the hierarchy can be optionally disabled. In the future, this
+# option will be removed and the hierarchy will be always enabled. (boolean
+# value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: The option to enable the OS-INHERIT extension has been deprecated in
+# the M release and will be removed in the O release. The OS-INHERIT extension
+# will be enabled by default.
+#enabled = true
[oslo_messaging_amqp]
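Review bot: The commented default for the OS-INHERIT `enabled` option flips from `false` to `true` here, so a deployment that never set the option gets role-assignment inheritance switched on by the upgrade with no configuration change. That is a change in authorization behaviour, and the new comment only describes the deprecation. Suggest adding `# NOTE: the default was false in the previous release; set enabled = false to keep inheritance off until the option is removed.` Whether the keystone-upgrade script in this change carries an explicit old value forward is not visible from this hunk.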
@@ -1222,7 +1342,7 @@
# Deprecated group/name - [amqp1]/trace
#trace = false
-# CA certificate PEM file for verifing server certificate (string value)
+# CA certificate PEM file to verify server certificate (string value)
# Deprecated group/name - [amqp1]/ssl_ca_file
#ssl_ca_file =
@@ -1242,71 +1362,47 @@
# Deprecated group/name - [amqp1]/allow_insecure_clients
#allow_insecure_clients = false
-
-[oslo_messaging_qpid]
+# Space separated list of acceptable SASL mechanisms (string value)
+# Deprecated group/name - [amqp1]/sasl_mechanisms
+#sasl_mechanisms =
+
+# Path to directory that contains the SASL configuration (string value)
+# Deprecated group/name - [amqp1]/sasl_config_dir
+#sasl_config_dir =
+
+# Name of configuration file (without .conf suffix) (string value)
+# Deprecated group/name - [amqp1]/sasl_config_name
+#sasl_config_name =
+
+# User name for message broker authentication (string value)
+# Deprecated group/name - [amqp1]/username
+#username =
+
+# Password for message broker authentication (string value)
+# Deprecated group/name - [amqp1]/password
+#password =
+
+
+[oslo_messaging_notifications]
#
# From oslo.messaging
#
-# Use durable queues in AMQP. (boolean value)
-# Deprecated group/name - [DEFAULT]/rabbit_durable_queues
-#amqp_durable_queues = false
-
-# Auto-delete queues in AMQP. (boolean value)
-# Deprecated group/name - [DEFAULT]/amqp_auto_delete
-#amqp_auto_delete = false
-
-# Size of RPC connection pool. (integer value)
-# Deprecated group/name - [DEFAULT]/rpc_conn_pool_size
-#rpc_conn_pool_size = 30
-
-# Qpid broker hostname. (string value)
-# Deprecated group/name - [DEFAULT]/qpid_hostname
-#qpid_hostname = localhost
-
-# Qpid broker port. (integer value)
-# Deprecated group/name - [DEFAULT]/qpid_port
-#qpid_port = 5672
-
-# Qpid HA cluster host:port pairs. (list value)
-# Deprecated group/name - [DEFAULT]/qpid_hosts
-#qpid_hosts = $qpid_hostname:$qpid_port
-
-# Username for Qpid connection. (string value)
-# Deprecated group/name - [DEFAULT]/qpid_username
-#qpid_username =
-
-# Password for Qpid connection. (string value)
-# Deprecated group/name - [DEFAULT]/qpid_password
-#qpid_password =
-
-# Space separated list of SASL mechanisms to use for auth. (string value)
-# Deprecated group/name - [DEFAULT]/qpid_sasl_mechanisms
-#qpid_sasl_mechanisms =
-
-# Seconds between connection keepalive heartbeats. (integer value)
-# Deprecated group/name - [DEFAULT]/qpid_heartbeat
-#qpid_heartbeat = 60
-
-# Transport to use, either 'tcp' or 'ssl'. (string value)
-# Deprecated group/name - [DEFAULT]/qpid_protocol
-#qpid_protocol = tcp
-
-# Whether to disable the Nagle algorithm. (boolean value)
-# Deprecated group/name - [DEFAULT]/qpid_tcp_nodelay
-#qpid_tcp_nodelay = true
-
-# The number of prefetched messages held by receiver. (integer value)
-# Deprecated group/name - [DEFAULT]/qpid_receiver_capacity
-#qpid_receiver_capacity = 1
-
-# The qpid topology version to use. Version 1 is what was originally used by
-# impl_qpid. Version 2 includes some backwards-incompatible changes that allow
-# broker federation to work. Users should update to version 2 when they are
-# able to take everything down, as it requires a clean break. (integer value)
-# Deprecated group/name - [DEFAULT]/qpid_topology_version
-#qpid_topology_version = 1
+# The Drivers(s) to handle sending notifications. Possible values are
+# messaging, messagingv2, routing, log, test, noop (multi valued)
+# Deprecated group/name - [DEFAULT]/notification_driver
+#driver =
+
+# A URL representing the messaging driver to use for notifications. If not set,
+# we fall back to the same configuration used for RPC. (string value)
+# Deprecated group/name - [DEFAULT]/notification_transport_url
+#transport_url = <None>
+
+# AMQP topic used for OpenStack notifications. (list value)
+# Deprecated group/name - [rpc_notifier2]/topics
+# Deprecated group/name - [DEFAULT]/notification_topics
+#topics = notifications
[oslo_messaging_rabbit]
@@ -1316,6 +1412,7 @@
#
# Use durable queues in AMQP. (boolean value)
+# Deprecated group/name - [DEFAULT]/amqp_durable_queues
# Deprecated group/name - [DEFAULT]/rabbit_durable_queues
#amqp_durable_queues = false
@@ -1323,10 +1420,6 @@
# Deprecated group/name - [DEFAULT]/amqp_auto_delete
#amqp_auto_delete = false
-# Size of RPC connection pool. (integer value)
-# Deprecated group/name - [DEFAULT]/rpc_conn_pool_size
-#rpc_conn_pool_size = 30
-
# SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and
# SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some
# distributions. (string value)
@@ -1350,11 +1443,28 @@
# Deprecated group/name - [DEFAULT]/kombu_reconnect_delay
#kombu_reconnect_delay = 1.0
+# EXPERIMENTAL: Possible values are: gzip, bz2. If not set compression will not
+# be used. This option may notbe available in future versions. (string value)
+#kombu_compression = <None>
+
+# How long to wait a missing client beforce abandoning to send it its replies.
+# This value should not be longer than rpc_response_timeout. (integer value)
+# Deprecated group/name - [DEFAULT]/kombu_reconnect_timeout
+#kombu_missing_consumer_retry_timeout = 60
+
+# Determines how the next RabbitMQ node is chosen in case the one we are
+# currently connected to becomes unavailable. Takes effect only if more than
+# one RabbitMQ node is provided in config. (string value)
+# Allowed values: round-robin, shuffle
+#kombu_failover_strategy = round-robin
+
# The RabbitMQ broker address where a single node is used. (string value)
# Deprecated group/name - [DEFAULT]/rabbit_host
#rabbit_host = localhost
-# The RabbitMQ broker port where a single node is used. (integer value)
+# The RabbitMQ broker port where a single node is used. (port value)
+# Minimum value: 0
+# Maximum value: 65535
# Deprecated group/name - [DEFAULT]/rabbit_port
#rabbit_port = 5672
@@ -1390,21 +1500,38 @@
# Deprecated group/name - [DEFAULT]/rabbit_retry_backoff
#rabbit_retry_backoff = 2
+# Maximum interval of RabbitMQ connection retries. Default is 30 seconds.
+# (integer value)
+#rabbit_interval_max = 30
+
# Maximum number of RabbitMQ connection retries. Default is 0 (infinite retry
# count). (integer value)
# Deprecated group/name - [DEFAULT]/rabbit_max_retries
#rabbit_max_retries = 0
-# Use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you
-# must wipe the RabbitMQ database. (boolean value)
+# Try to use HA queues in RabbitMQ (x-ha-policy: all). If you change this
+# option, you must wipe the RabbitMQ database. In RabbitMQ 3.0, queue mirroring
+# is no longer controlled by the x-ha-policy argument when declaring a queue.
+# If you just want to make sure that all queues (except those with auto-
+# generated names) are mirrored across all nodes, run: "rabbitmqctl set_policy
+# HA '^(?!amq\.).*' '{"ha-mode": "all"}' " (boolean value)
# Deprecated group/name - [DEFAULT]/rabbit_ha_queues
#rabbit_ha_queues = false
+# Positive integer representing duration in seconds for queue TTL (x-expires).
+# Queues which are unused for the duration of the TTL are automatically
+# deleted. The parameter affects only reply and fanout queues. (integer value)
+# Minimum value: 1
+#rabbit_transient_queues_ttl = 1800
+
+# Specifies the number of messages to prefetch. Setting to zero allows
+# unlimited messages. (integer value)
+#rabbit_qos_prefetch_count = 0
+
# Number of seconds after which the Rabbit broker is considered down if
-# heartbeat's keep-alive fails (0 disables the heartbeat, >0 enables it.
-# Enabling heartbeats requires kombu>=3.0.7 and amqp>=1.4.0). EXPERIMENTAL
-# (integer value)
-#heartbeat_timeout_threshold = 0
+# heartbeat's keep-alive fails (0 disable the heartbeat). EXPERIMENTAL (integer
+# value)
+#heartbeat_timeout_threshold = 60
# How often times during the heartbeat_timeout_threshold we check the
# heartbeat. (integer value)
@@ -1414,6 +1541,104 @@
# Deprecated group/name - [DEFAULT]/fake_rabbit
#fake_rabbit = false
+# Maximum number of channels to allow (integer value)
+#channel_max = <None>
+
+# The maximum byte size for an AMQP frame (integer value)
+#frame_max = <None>
+
+# How often to send heartbeats for consumer's connections (integer value)
+#heartbeat_interval = 1
+
+# Enable SSL (boolean value)
+#ssl = <None>
+
+# Arguments passed to ssl.wrap_socket (dict value)
+#ssl_options = <None>
+
+# Set socket timeout in seconds for connection's socket (floating point value)
+#socket_timeout = 0.25
+
+# Set TCP_USER_TIMEOUT in seconds for connection's socket (floating point
+# value)
+#tcp_user_timeout = 0.25
+
+# Set delay for reconnection to some host which has connection error (floating
+# point value)
+#host_connection_reconnect_delay = 0.25
+
+# Maximum number of connections to keep queued. (integer value)
+#pool_max_size = 10
+
+# Maximum number of connections to create above `pool_max_size`. (integer
+# value)
+#pool_max_overflow = 0
+
+# Default number of seconds to wait for a connections to available (integer
+# value)
+#pool_timeout = 30
+
+# Lifetime of a connection (since creation) in seconds or None for no
+# recycling. Expired connections are closed on acquire. (integer value)
+#pool_recycle = 600
+
+# Threshold at which inactive (since release) connections are considered stale
+# in seconds or None for no staleness. Stale connections are closed on acquire.
+# (integer value)
+#pool_stale = 60
+
+# Persist notification messages. (boolean value)
+#notification_persistence = false
+
+# Exchange name for for sending notifications (string value)
+#default_notification_exchange = ${control_exchange}_notification
+
+# Max number of not acknowledged message which RabbitMQ can send to
+# notification listener. (integer value)
+#notification_listener_prefetch_count = 100
+
+# Reconnecting retry count in case of connectivity problem during sending
+# notification, -1 means infinite retry. (integer value)
+#default_notification_retry_attempts = -1
+
+# Reconnecting retry delay in case of connectivity problem during sending
+# notification message (floating point value)
+#notification_retry_delay = 0.25
+
+# Time to live for rpc queues without consumers in seconds. (integer value)
+#rpc_queue_expiration = 60
+
+# Exchange name for sending RPC messages (string value)
+#default_rpc_exchange = ${control_exchange}_rpc
+
+# Exchange name for receiving RPC replies (string value)
+#rpc_reply_exchange = ${control_exchange}_rpc_reply
+
+# Max number of not acknowledged message which RabbitMQ can send to rpc
+# listener. (integer value)
+#rpc_listener_prefetch_count = 100
+
+# Max number of not acknowledged message which RabbitMQ can send to rpc reply
+# listener. (integer value)
+#rpc_reply_listener_prefetch_count = 100
+
+# Reconnecting retry count in case of connectivity problem during sending
+# reply. -1 means infinite retry during rpc_timeout (integer value)
+#rpc_reply_retry_attempts = -1
+
+# Reconnecting retry delay in case of connectivity problem during sending
+# reply. (floating point value)
+#rpc_reply_retry_delay = 0.25
+
+# Reconnecting retry count in case of connectivity problem during sending RPC
+# message, -1 means infinite retry. If actual retry attempts in not 0 the rpc
+# request could be processed more then one time (integer value)
+#default_rpc_retry_attempts = -1
+
+# Reconnecting retry delay in case of connectivity problem during sending RPC
+# message (floating point value)
+#rpc_retry_delay = 0.25
+
[oslo_middleware]
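Review bot: The added `ssl` and `ssl_options` entries are documented only as "Enable SSL" and "Arguments passed to ssl.wrap_socket", which hides the fact that Python's `ssl.wrap_socket` performs no peer certificate verification unless `cert_reqs` and `ca_certs` are supplied. Assuming the driver passes the dict through unchanged, `ssl = true` with an empty `ssl_options` would encrypt the broker connection without authenticating the broker. A comment such as `# ssl_options should include ca_certs and cert_reqs; without them the broker certificate is not verified.` would make that explicit. The hunk also adds a second `socket_timeout` and several pool options alongside the existing kombu settings, so a one-line comment naming the driver that reads the new options would help operators.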
@@ -1426,6 +1651,13 @@
# Deprecated group/name - [DEFAULT]/max_request_body_size
#max_request_body_size = 114688
+# The HTTP Header that will be used to determine what the original request
+# protocol scheme was, even if it was hidden by an SSL termination proxy.
+# (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+#secure_proxy_ssl_header = X-Forwarded-Proto
+
[oslo_policy]
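Review bot: The new `secure_proxy_ssl_header` block does not say that the header is only trustworthy when a front-end proxy sets or strips it on every request. If the option is enabled while keystone is also reachable without that proxy, a client-supplied `X-Forwarded-Proto` value would be taken at face value when deciding the original scheme. Suggest adding `# Only enable behind a TLS-terminating proxy that overwrites this header; leave unset otherwise.` above the option. The option is already marked deprecated for removal, so keeping it commented out, as this hunk does, is the right default.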
@@ -1467,8 +1699,9 @@
# From keystone
#
-# Policy backend driver. (string value)
-#driver = keystone.policy.backends.sql.Policy
+# Entrypoint for the policy backend driver in the keystone.policy namespace.
+# Supplied drivers are rules and sql. (string value)
+#driver = sql
# Maximum number of entities that will be returned in a policy collection.
# (integer value)
@@ -1481,8 +1714,10 @@
# From keystone
#
-# Resource backend driver. If a resource driver is not specified, the
-# assignment driver will choose the resource driver. (string value)
+# Entrypoint for the resource backend driver in the keystone.resource
+# namespace. Only an SQL driver is supplied. If a resource driver is not
+# specified, the assignment driver will choose the resource driver. (string
+# value)
#driver = <None>
# Toggle for resource caching. This has no effect unless global caching is
@@ -1500,6 +1735,31 @@
# Deprecated group/name - [assignment]/list_limit
#list_limit = <None>
+# Name of the domain that owns the `admin_project_name`. Defaults to None.
+# (string value)
+#admin_project_domain_name = <None>
+
+# Special project for performing administrative operations on remote services.
+# Tokens scoped to this project will contain the key/value
+# `is_admin_project=true`. Defaults to None. (string value)
+#admin_project_name = <None>
+
+# Whether the names of projects are restricted from containing url reserved
+# characters. If set to new, attempts to create or update a project with a url
+# unsafe name will return an error. In addition, if set to strict, attempts to
+# scope a token using an unsafe project name will return an error. (string
+# value)
+# Allowed values: off, new, strict
+#project_name_url_safe = off
+
+# Whether the names of domains are restricted from containing url reserved
+# characters. If set to new, attempts to create or update a domain with a url
+# unsafe name will return an error. In addition, if set to strict, attempts to
+# scope a token using a domain name which is unsafe will return an error.
+# (string value)
+# Allowed values: off, new, strict
+#domain_name_url_safe = off
+
[revoke]
@@ -1507,9 +1767,10 @@
# From keystone
#
-# An implementation of the backend for persisting revocation events. (string
-# value)
-#driver = keystone.contrib.revoke.backends.sql.Revoke
+# Entrypoint for an implementation of the backend for persisting revocation
+# events in the keystone.revoke namespace. Supplied drivers are kvs and sql.
+# (string value)
+#driver = sql
# This value (calculated in seconds) is added to token expiration before a
# revocation event may be removed from the backend. (integer value)
@@ -1532,7 +1793,8 @@
# From keystone
#
-# Role backend driver. (string value)
+# Entrypoint for the role backend driver in the keystone.role namespace.
+# Supplied drivers are ldap and sql. (string value)
#driver = <None>
# Toggle for role caching. This has no effect unless global caching is enabled.
@@ -1610,8 +1872,9 @@
# Telephone number of contact person. (string value)
#idp_contact_telephone = <None>
-# Contact type. Allowed values are: technical, support, administrative billing,
-# and other (string value)
+# The contact type describing the main point of contact for the identity
+# provider. (string value)
+# Allowed values: technical, support, administrative, billing, other
#idp_contact_type = other
# Path to the Identity Provider Metadata file. This file should be generated
@@ -1623,6 +1886,17 @@
#relay_state_prefix = ss:mem:
+[shadow_users]
+
+#
+# From keystone
+#
+
+# Entrypoint for the shadow users backend driver in the
+# keystone.identity.shadow_users namespace. (string value)
+#driver = sql
+
+
[signing]
#
@@ -1632,27 +1906,56 @@
# Path of the certfile for token signing. For non-production environments, you
# may be interested in using `keystone-manage pki_setup` to generate self-
# signed certificates. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: PKI token support has been deprecated in the M release and will be
+# removed in the O release. Fernet or UUID tokens are recommended.
#certfile = /etc/keystone/ssl/certs/signing_cert.pem
# Path of the keyfile for token signing. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: PKI token support has been deprecated in the M release and will be
+# removed in the O release. Fernet or UUID tokens are recommended.
#keyfile = /etc/keystone/ssl/private/signing_key.pem
# Path of the CA for token signing. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: PKI token support has been deprecated in the M release and will be
+# removed in the O release. Fernet or UUID tokens are recommended.
#ca_certs = /etc/keystone/ssl/certs/ca.pem
# Path of the CA key for token signing. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: PKI token support has been deprecated in the M release and will be
+# removed in the O release. Fernet or UUID tokens are recommended.
#ca_key = /etc/keystone/ssl/private/cakey.pem
# Key size (in bits) for token signing cert (auto generated certificate).
# (integer value)
+# Minimum value: 1024
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: PKI token support has been deprecated in the M release and will be
+# removed in the O release. Fernet or UUID tokens are recommended.
#key_size = 2048
# Days the token signing cert is valid for (auto generated certificate).
# (integer value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: PKI token support has been deprecated in the M release and will be
+# removed in the O release. Fernet or UUID tokens are recommended.
#valid_days = 3650
# Certificate subject (auto generated certificate) for token signing. (string
# value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: PKI token support has been deprecated in the M release and will be
+# removed in the O release. Fernet or UUID tokens are recommended.
#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
@@ -1666,6 +1969,7 @@
#ca_key = /etc/keystone/ssl/private/cakey.pem
# SSL key length (in bits) (auto generated certificate). (integer value)
+# Minimum value: 1024
#key_size = 1024
# Days the certificate is valid for once signed (auto generated certificate).
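Review bot: The default left at `#key_size = 1024` sits exactly on the floor documented by the newly added `# Minimum value: 1024` line, while the token-signing section of this same file defaults to `#key_size = 2048`. A 1024-bit key is below what is generally accepted for new certificates, so the packaged file could ship an explicit `key_size = 2048` here to keep auto-generated SSL certificates from being weaker than the signing ones. The section header is outside the hunk; from the context lines this looks like the SSL certificate-generation section, which should be confirmed before changing it.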
@@ -1695,13 +1999,15 @@
# Amount of time a token should remain valid (in seconds). (integer value)
#expiration = 3600
-# Controls the token construction, validation, and revocation operations. Core
-# providers are "keystone.token.providers.[fernet|pkiz|pki|uuid].Provider".
-# (string value)
-#provider = keystone.token.providers.uuid.Provider
-
-# Token persistence backend driver. (string value)
-#driver = keystone.token.persistence.backends.sql.Token
+# Controls the token construction, validation, and revocation operations.
+# Entrypoint in the keystone.token.provider namespace. Core providers are
+# [fernet|pkiz|pki|uuid]. (string value)
+#provider = uuid
+
+# Entrypoint for the token persistence backend driver in the
+# keystone.token.persistence namespace. Supplied drivers are kvs, memcache,
+# memcache_pool, and sql. (string value)
+#driver = sql
# Toggle for token system caching. This has no effect unless global caching is
# enabled. (boolean value)
@@ -1727,8 +2033,42 @@
# that hashlib supports. WARNING: Before changing this value, the auth_token
# middleware must be configured with the hash_algorithms, otherwise token
# revocation will not be processed correctly. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: PKI token support has been deprecated in the M release and will be
+# removed in the O release. Fernet or UUID tokens are recommended.
#hash_algorithm = md5
+# Add roles to token that are not explicitly added, but that are linked
+# implicitly to other roles. (boolean value)
+#infer_roles = true
+
+
+[tokenless_auth]
+
+#
+# From keystone
+#
+
+# The list of trusted issuers to further filter the certificates that are
+# allowed to participate in the X.509 tokenless authorization. If the option is
+# absent then no certificates will be allowed. The naming format for the
+# attributes of a Distinguished Name(DN) must be separated by a comma and
+# contain no spaces. This configuration option may be repeated for multiple
+# values. For example: trusted_issuer=CN=john,OU=keystone,O=openstack
+# trusted_issuer=CN=mary,OU=eng,O=abc (multi valued)
+#trusted_issuer =
+
+# The protocol name for the X.509 tokenless authorization along with the option
+# issuer_attribute below can look up its corresponding mapping. (string value)
+#protocol = x509
+
+# The issuer attribute that is served as an IdP ID for the X.509 tokenless
+# authorization along with the protocol to look up its corresponding mapping.
+# It is the environment variable in the WSGI environment that references to the
+# issuer of the client certificate. (string value)
+#issuer_attribute = SSL_CLIENT_I_DN
+
[trust]
@@ -1746,5 +2086,6 @@
# Maximum depth of trust redelegation. (integer value)
#max_redelegation_count = 3
-# Trust backend driver. (string value)
-#driver = keystone.trust.backends.sql.Trust
+# Entrypoint for the trust backend driver in the keystone.trust namespace.
+# (string value)
+#driver = sql
--- a/components/openstack/keystone/files/keystone.stencil Wed Sep 07 14:48:41 2016 -0700
+++ b/components/openstack/keystone/files/keystone.stencil Wed Sep 07 14:48:41 2016 -0700
@@ -75,7 +75,7 @@
PidFile /var/lib/keystone/keystone.httpd.pid
-ServerName 127.0.0.1
+ServerName $%{config/servername}
Listen $%{config/public_port}
Listen $%{config/admin_port}
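Review bot: `ServerName $%{config/servername}` copies the SMF property into the Apache configuration as-is, and nothing visible here or in the keystone.xml template restricts its content. An empty or multi-word value would presumably only surface as an httpd start failure rather than when the property is set. A comment above the line would document the expectation, e.g. `# config/servername must be a single host[:port] token; with config/use_tls=true it should match the certificate's subject name.` The manifest keeps the default at 127.0.0.1, so behaviour is unchanged until the property is modified.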
--- a/components/openstack/keystone/files/keystone.xml Wed Sep 07 14:48:41 2016 -0700
+++ b/components/openstack/keystone/files/keystone.xml Wed Sep 07 14:48:41 2016 -0700
@@ -104,6 +104,7 @@
<propval name='error_log' type='astring'
value='/var/log/keystone/keystone_error.log'/>
<propval name='public_port' type='count' value='5000'/>
+ <propval name='servername' type='astring' value='127.0.0.1'/>
<propval name='use_tls' type='boolean' value='false'/>
</property_group>
</instance>
@@ -157,6 +158,15 @@
</description>
</prop_pattern>
+ <prop_pattern required='true' type='astring' name='servername'>
+ <description>
+ <loctext xml:lang='C'>
+ The Apache ServerName Directive. Hostname and port that the
+ server uses to identify itself.
+ </loctext>
+ </description>
+ </prop_pattern>
+
<prop_pattern required='false' type='astring' name='ssl_cert_file'>
<description>
<loctext xml:lang='C'>
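Review bot: The new `servername` description says "Hostname and port", but the default added to the instance property group is a bare `127.0.0.1`, and the stencil already emits separate `Listen` lines from `public_port` and `admin_port`. It is therefore unclear whether a port belongs in this value. I would reword the text to something like `The Apache ServerName directive: the hostname (optionally followed by :port) that the server uses to identify itself.` The pattern is `required='true'` with no constraints, so this description is the only guidance an administrator gets; the enclosing template block starts and ends outside the hunk.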
--- a/components/openstack/keystone/keystone.p5m Wed Sep 07 14:48:41 2016 -0700
+++ b/components/openstack/keystone/keystone.p5m Wed Sep 07 14:48:41 2016 -0700
@@ -28,7 +28,7 @@
set name=pkg.summary value="OpenStack Keystone (Identity Service)"
set name=pkg.description \
value="OpenStack Keystone is a service that provides Identity, Token, Catalog, and Policy services for use specifically by projects in the OpenStack family."
-set name=pkg.human-version value="Kilo $(COMPONENT_VERSION)"
+set name=pkg.human-version value="Mitaka $(COMPONENT_VERSION)"
set name=com.oracle.info.description \
value="Keystone, the OpenStack identity service"
set name=com.oracle.info.tpno value=$(TPNO)
@@ -42,7 +42,8 @@
set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
set name=openstack.upgrade-id reboot-needed=true value=$(COMPONENT_BE_VERSION)
set name=org.opensolaris.arc-caseid value=PSARC/2013/350 value=PSARC/2014/048 \
- value=PSARC/2014/209 value=PSARC/2015/110 value=PSARC/2015/535
+ value=PSARC/2014/209 value=PSARC/2015/110 value=PSARC/2015/535 \
+ value=PSARC/2016/455
set name=org.opensolaris.consolidation value=$(CONSOLIDATION)
#
dir path=etc/keystone owner=keystone group=keystone mode=0700
@@ -87,14 +88,16 @@
file path=usr/lib/python$(PYVER)/vendor-packages/keystone-$(COMPONENT_VERSION)-py$(PYVER).egg-info/requires.txt
file path=usr/lib/python$(PYVER)/vendor-packages/keystone-$(COMPONENT_VERSION)-py$(PYVER).egg-info/top_level.txt
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/__init__.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/assignment/V8_backends/__init__.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/assignment/V8_backends/sql.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/assignment/V8_role_backends/__init__.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/assignment/V8_role_backends/sql.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/assignment/__init__.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/assignment/backends/__init__.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/assignment/backends/ldap.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/assignment/backends/sql.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/assignment/controllers.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/assignment/core.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/assignment/role_backends/__init__.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/assignment/role_backends/ldap.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/assignment/role_backends/sql.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/assignment/routers.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/assignment/schema.py
@@ -109,29 +112,30 @@
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/auth/plugins/password.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/auth/plugins/saml2.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/auth/plugins/token.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/auth/plugins/totp.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/auth/routers.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/backends.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/catalog/__init__.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/catalog/backends/__init__.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/catalog/backends/kvs.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/catalog/backends/sql.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/catalog/backends/templated.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/catalog/controllers.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/catalog/core.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/catalog/routers.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/catalog/schema.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/clean.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/cli.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/cmd/__init__.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/cmd/all.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/cmd/cli.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/cmd/manage.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/__init__.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/authorization.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/base64utils.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/cache/__init__.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/cache/_memcache_pool.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/cache/_context_cache.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/cache/backends/__init__.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/cache/backends/memcache_pool.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/cache/backends/mongo.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/cache/backends/noop.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/cache/core.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/clean.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/config.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/controller.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/dependency.py
@@ -145,13 +149,11 @@
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/kvs/backends/inmemdb.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/kvs/backends/memcached.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/kvs/core.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/kvs/legacy.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/ldap/__init__.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/ldap/core.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/manager.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/models.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/openssl.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/pemutils.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/router.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/__init__.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/core.py
@@ -159,38 +161,45 @@
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/__init__.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/manage.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/migrate.cfg
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/044_icehouse.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/045_placeholder.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/046_placeholder.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/047_placeholder.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/048_placeholder.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/049_placeholder.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/050_fk_consistent_indexes.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/051_add_id_mapping.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/052_add_auth_url_to_region.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/053_endpoint_to_region_association.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/054_add_actor_id_index.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/055_add_indexes_to_token_table.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/056_placeholder.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/057_placeholder.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/058_placeholder.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/059_placeholder.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/060_placeholder.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/061_add_parent_project.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/062_drop_assignment_role_fk.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/063_drop_region_auth_url.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/064_drop_user_and_group_fk.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/065_add_domain_config.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/066_fixup_service_name_value.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/067_drop_redundant_mysql_index.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/067_kilo.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/068_placeholder.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/069_placeholder.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/070_placeholder.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/071_placeholder.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/072_placeholder.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/073_insert_assignment_inherited_pk.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/074_add_is_domain_project.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/075_confirm_config_registration.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/076_placeholder.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/077_placeholder.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/078_placeholder.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/079_placeholder.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/080_placeholder.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/081_add_endpoint_policy_table.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/082_add_federation_tables.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/083_add_oauth1_tables.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/084_add_revoke_tables.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/085_add_endpoint_filtering_table.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/086_add_duplicate_constraint_trusts.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/087_implied_roles.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/088_domain_specific_roles.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/089_add_root_of_all_domains.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/090_add_local_user_and_password_tables.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/091_migrate_data_to_local_user_and_password_tables.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/092_make_implied_roles_fks_cascaded.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/093_migrate_domains_to_projects.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/094_add_federated_user_table.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/095_add_integer_pkey_to_revocation_event_table.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/096_drop_role_name_constraint.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/097_drop_user_name_domainid_constraint.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migrate_repo/versions/__init__.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/sql/migration_helpers.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/tokenless_auth.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/utils.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/validation/__init__.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/validation/parameter_types.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/validation/validators.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/common/wsgi.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/config.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/__init__.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/admin_crud/__init__.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/admin_crud/core.py
@@ -202,40 +211,23 @@
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_filter/backends/__init__.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_filter/backends/catalog_sql.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_filter/backends/sql.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_filter/controllers.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_filter/core.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_filter/migrate_repo/__init__.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_filter/migrate_repo/migrate.cfg
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_filter/migrate_repo/versions/001_add_endpoint_filtering_table.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_filter/migrate_repo/versions/002_add_endpoint_groups.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_filter/migrate_repo/versions/__init__.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_filter/routers.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_filter/schema.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_policy/__init__.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_policy/backends/__init__.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_policy/backends/sql.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_policy/controllers.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_policy/core.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_policy/migrate_repo/__init__.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_policy/migrate_repo/migrate.cfg
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_policy/migrate_repo/versions/001_add_endpoint_policy_table.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_policy/migrate_repo/versions/__init__.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/endpoint_policy/routers.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/example/__init__.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/example/configuration.rst
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/example/controllers.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/example/core.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/example/migrate_repo/__init__.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/example/migrate_repo/migrate.cfg
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/example/migrate_repo/versions/001_example_table.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/example/migrate_repo/versions/__init__.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/example/routers.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/federation/__init__.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/federation/backends/__init__.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/federation/backends/sql.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/federation/controllers.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/federation/core.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/federation/idp.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/federation/migrate_repo/__init__.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/federation/migrate_repo/migrate.cfg
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/federation/migrate_repo/versions/001_add_identity_provider_table.py
@@ -248,13 +240,9 @@
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/federation/migrate_repo/versions/008_add_relay_state_to_sp.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/federation/migrate_repo/versions/__init__.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/federation/routers.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/federation/schema.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/federation/utils.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/oauth1/__init__.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/oauth1/backends/__init__.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/oauth1/backends/sql.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/oauth1/controllers.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/oauth1/core.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/oauth1/migrate_repo/__init__.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/oauth1/migrate_repo/migrate.cfg
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/oauth1/migrate_repo/versions/001_add_oauth_tables.py
@@ -264,29 +252,21 @@
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/oauth1/migrate_repo/versions/005_consumer_id_index.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/oauth1/migrate_repo/versions/__init__.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/oauth1/routers.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/oauth1/validator.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/revoke/__init__.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/revoke/backends/__init__.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/revoke/backends/kvs.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/revoke/backends/sql.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/revoke/controllers.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/revoke/core.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/revoke/migrate_repo/__init__.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/revoke/migrate_repo/migrate.cfg
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/revoke/migrate_repo/versions/001_revoke_table.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/revoke/migrate_repo/versions/002_add_audit_id_and_chain_to_revoke_table.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/revoke/migrate_repo/versions/__init__.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/revoke/model.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/revoke/routers.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/s3/__init__.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/s3/core.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/simple_cert/__init__.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/simple_cert/controllers.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/simple_cert/core.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/simple_cert/routers.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/user_crud/__init__.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/contrib/user_crud/core.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/controllers.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/credential/__init__.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/credential/backends/__init__.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/credential/backends/sql.py
@@ -294,9 +274,25 @@
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/credential/core.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/credential/routers.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/credential/schema.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/endpoint_policy/__init__.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/endpoint_policy/backends/__init__.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/endpoint_policy/backends/sql.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/endpoint_policy/controllers.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/endpoint_policy/core.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/endpoint_policy/routers.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/exception.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/hacking/__init__.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/hacking/checks.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/federation/V8_backends/__init__.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/federation/V8_backends/sql.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/federation/__init__.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/federation/backends/__init__.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/federation/backends/sql.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/federation/constants.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/federation/controllers.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/federation/core.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/federation/idp.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/federation/routers.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/federation/schema.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/federation/utils.py
link path=usr/lib/python$(PYVER)/vendor-packages/keystone/httpd/admin \
target=keystone.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/httpd/keystone.py
@@ -316,23 +312,24 @@
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/identity/mapping_backends/mapping.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/identity/mapping_backends/sql.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/identity/routers.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/identity/schema.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/identity/shadow_backends/__init__.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/identity/shadow_backends/sql.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/middleware/__init__.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/middleware/auth.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/middleware/core.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/middleware/ec2_token.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/models/__init__.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/models/revoke_model.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/models/token_model.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/notifications.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/openstack/__init__.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/openstack/common/README
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/openstack/common/__init__.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/openstack/common/_i18n.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/openstack/common/eventlet_backdoor.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/openstack/common/fileutils.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/openstack/common/loopingcall.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/openstack/common/service.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/openstack/common/systemd.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/openstack/common/threadgroup.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/openstack/common/versionutils.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/oauth1/__init__.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/oauth1/backends/__init__.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/oauth1/backends/sql.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/oauth1/controllers.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/oauth1/core.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/oauth1/routers.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/oauth1/schema.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/oauth1/validator.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/policy/__init__.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/policy/backends/__init__.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/policy/backends/rules.py
@@ -341,9 +338,10 @@
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/policy/core.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/policy/routers.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/policy/schema.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/resource/V8_backends/__init__.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/resource/V8_backends/sql.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/resource/__init__.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/resource/backends/__init__.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/resource/backends/ldap.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/resource/backends/sql.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/resource/config_backends/__init__.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/resource/config_backends/sql.py
@@ -351,13 +349,21 @@
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/resource/core.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/resource/routers.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/resource/schema.py
-file path=usr/lib/python$(PYVER)/vendor-packages/keystone/routers.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/revoke/__init__.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/revoke/backends/__init__.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/revoke/backends/sql.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/revoke/controllers.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/revoke/core.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/revoke/model.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/revoke/routers.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/server/__init__.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/server/backends.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/server/common.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/server/eventlet.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/server/wsgi.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/service.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/token/__init__.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/token/_simple_cert.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/token/controllers.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/token/persistence/__init__.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/token/persistence/backends/__init__.py
@@ -377,6 +383,7 @@
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/token/providers/pkiz.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/token/providers/uuid.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/token/routers.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/token/utils.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/trust/__init__.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/trust/backends/__init__.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/trust/backends/sql.py
@@ -384,6 +391,13 @@
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/trust/core.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/trust/routers.py
file path=usr/lib/python$(PYVER)/vendor-packages/keystone/trust/schema.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/v2_crud/__init__.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/v2_crud/admin_crud.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/v2_crud/user_crud.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/version/__init__.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/version/controllers.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/version/routers.py
+file path=usr/lib/python$(PYVER)/vendor-packages/keystone/version/service.py
dir path=var/lib/keystone owner=keystone group=keystone mode=0700
dir path=var/log/keystone owner=keystone group=keystone mode=0700
#
@@ -393,8 +407,9 @@
#
license keystone.license license="Apache v2.0"
-# To upgrade to Kilo version, Juno version of the package must be on the system
-depend type=origin fmri=cloud/openstack/[email protected] root-image=true
+# To upgrade to the Mitaka version, the Kilo version of the package must be on
+# the system
+depend type=origin fmri=cloud/openstack/[email protected] root-image=true
# force a dependency on package delivering httpd(8)
depend type=require fmri=__TBD pkg.debug.depend.file=usr/apache2/2.4/bin/httpd
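Review bot: The rewritten comment above the `depend type=origin` line says the Kilo package must be on the system, but not what the action enforces or why `root-image=true` is set. An origin dependency only constrains an already-installed package to be at the named version or newer before the update proceeds, and `root-image=true` evaluates that against the image rooted at `/`. I would extend the comment to something like `# origin + root-image=true: if keystone is already installed in the / image it must be at this Kilo version or later, so older releases cannot jump straight to Mitaka.` The version in the fmri is not legible on this page, so check that it names the last Kilo build actually published.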
@@ -435,10 +450,6 @@
# out.
depend type=require fmri=library/python/keystoneclient-$(PYV)
-# force a dependency on keystonemiddleware; pkgdepend work is needed to flush
-# this out.
-depend type=require fmri=library/python/keystonemiddleware-$(PYV)
-
# force a dependency on ldappool; pkgdepend work is needed to flush this out.
depend type=require fmri=library/python/ldappool-$(PYV)
@@ -452,6 +463,9 @@
# out.
depend type=require fmri=library/python/openstackclient-$(PYV)
+# force a dependency on oslo.cache; pkgdepend work is needed to flush this out.
+depend type=require fmri=library/python/oslo.cache-$(PYV)
+
# force a dependency on oslo.concurrency; pkgdepend work is needed to flush this
# out.
depend type=require fmri=library/python/oslo.concurrency-$(PYV)
@@ -459,6 +473,10 @@
# force a dependency on oslo.config; pkgdepend work is needed to flush this out.
depend type=require fmri=library/python/oslo.config-$(PYV)
+# force a dependency on oslo.context; pkgdepend work is needed to flush this
+# out.
+depend type=require fmri=library/python/oslo.context-$(PYV)
+
# force a dependency on oslo.db; pkgdepend work is needed to flush this out.
depend type=require fmri=library/python/oslo.db-$(PYV)
@@ -483,6 +501,10 @@
# this out.
depend type=require fmri=library/python/oslo.serialization-$(PYV)
+# force a dependency on oslo.service; pkgdepend work is needed to flush this
+# out.
+depend type=require fmri=library/python/oslo.service-$(PYV)
+
# force a dependency on oslo.utils; pkgdepend work is needed to flush this out.
depend type=require fmri=library/python/oslo.utils-$(PYV)
@@ -502,18 +524,14 @@
# force a dependency on python-ldap; pkgdepend work is needed to flush this out.
depend type=require fmri=library/python/python-ldap-$(PYV)
-# force a dependency on python-memcached; pkgdepend work is needed to flush this
-# out.
-depend type=require fmri=library/python/python-memcached-$(PYV)
-
# force a dependency on routes; pkgdepend work is needed to flush this out.
depend type=require fmri=library/python/routes-$(PYV)
-# force a dependency on setuptools; pkgdepend work is needed to flush this out.
-depend type=require fmri=library/python/setuptools-$(PYV)
-
# force a dependency on six; pkgdepend work is needed to flush this out.
depend type=require fmri=library/python/six-$(PYV)
+# force a dependency on stevedore; pkgdepend work is needed to flush this out.
+depend type=require fmri=library/python/stevedore-$(PYV)
+
# force a dependency on webob; pkgdepend work is needed to flush this out.
depend type=require fmri=library/python/webob-$(PYV)
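Review bot: The forced dependencies on python-memcached and setuptools are dropped here, and keystonemiddleware is dropped in the `@@ -435,10 +450,6 @@` hunk, with nothing recording why they are no longer needed. Each of these entries is hand-maintained because, as their own comments say, pkgdepend cannot discover them, so a removal that is wrong shows up only as an import failure when the identity service starts. Please confirm against the requirements of the new keystone release that no delivered module still imports these packages, and say so in the commit description. If one is still needed, restore its line, for example `depend type=require fmri=library/python/setuptools-$(PYV)`.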
--- a/components/openstack/keystone/patches/CVE-2015-7546.patch Wed Sep 07 14:48:41 2016 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,195 +0,0 @@
-From 9c9c1331e0c004897d5f4c5847f7143b56373f10 Mon Sep 17 00:00:00 2001
-From: Brant Knudson <[email protected]>
-Date: Tue, 1 Dec 2015 11:09:14 -0600
-Subject: [PATCH] Add audit IDs to revocation events
-
-The revoked tokens' audit ID is now included in the data returned in
-the revocation list.
-
-Closes-Bug: 1490804
-Change-Id: Ifcf88f1158bebddc4f927121fbf4136fb53b659f
-(cherry picked from commit d5378f173da14a34ca010271477337879002d6d0)
-Conflicts:
- keystone/tests/unit/test_backend.py
----
- keystone/tests/unit/test_backend.py | 39 ++++++++++++++++++++----------
- keystone/tests/unit/test_backend_sql.py | 3 ++-
- keystone/token/persistence/backends/kvs.py | 9 +++++++
- keystone/token/persistence/backends/sql.py | 12 ++++++++-
- 4 files changed, 48 insertions(+), 15 deletions(-)
-
-diff --git a/keystone/tests/unit/test_backend.py b/keystone/tests/unit/test_backend.py
-index 6cf0649..9c82502 100644
---- a/keystone/tests/unit/test_backend.py
-+++ b/keystone/tests/unit/test_backend.py
-@@ -3778,7 +3778,9 @@ class TokenTests(object):
- token_id = self._create_token_id()
- data = {'id': token_id, 'a': 'b',
- 'trust_id': None,
-- 'user': {'id': 'testuserid'}}
-+ 'user': {'id': 'testuserid'},
-+ 'token_data': {'access': {'token': {
-+ 'audit_ids': [uuid.uuid4().hex]}}}}
- data_ref = self.token_provider_api._persistence.create_token(token_id,
- data)
- expires = data_ref.pop('expires')
-@@ -3813,7 +3815,8 @@ class TokenTests(object):
- # FIXME(morganfainberg): These tokens look nothing like "Real" tokens.
- # This should be fixed when token issuance is cleaned up.
- data = {'id': token_id, 'a': 'b',
-- 'user': {'id': user_id}}
-+ 'user': {'id': user_id},
-+ 'access': {'token': {'audit_ids': [uuid.uuid4().hex]}}}
- if tenant_id is not None:
- data['tenant'] = {'id': tenant_id, 'name': tenant_id}
- if tenant_id is NULL_OBJECT:
-@@ -3822,7 +3825,7 @@ class TokenTests(object):
- data['expires'] = expires
- if trust_id is not None:
- data['trust_id'] = trust_id
-- data.setdefault('access', {}).setdefault('trust', {})
-+ data['access'].setdefault('trust', {})
- # Testuserid2 is used here since a trustee will be different in
- # the cases of impersonation and therefore should not match the
- # token's user_id.
-@@ -3988,17 +3991,21 @@ class TokenTests(object):
-
- self.assertEqual(data_ref, new_data_ref)
-
-- def check_list_revoked_tokens(self, token_ids):
-- revoked_ids = [x['id']
-- for x in self.token_provider_api.list_revoked_tokens()]
-+ def check_list_revoked_tokens(self, token_infos):
-+ revocation_list = self.token_provider_api.list_revoked_tokens()
-+ revoked_ids = [x['id'] for x in revocation_list]
-+ revoked_audit_ids = [x['audit_id'] for x in revocation_list]
- self._assert_revoked_token_list_matches_token_persistence(revoked_ids)
-- for token_id in token_ids:
-+ for token_id, audit_id in token_infos:
- self.assertIn(token_id, revoked_ids)
-+ self.assertIn(audit_id, revoked_audit_ids)
-
- def delete_token(self):
- token_id = uuid.uuid4().hex
-+ audit_id = uuid.uuid4().hex
- data = {'id_hash': token_id, 'id': token_id, 'a': 'b',
-- 'user': {'id': 'testuserid'}}
-+ 'user': {'id': 'testuserid'},
-+ 'token_data': {'token': {'audit_ids': [audit_id]}}}
- data_ref = self.token_provider_api._persistence.create_token(token_id,
- data)
- self.token_provider_api._persistence.delete_token(token_id)
-@@ -4010,7 +4017,7 @@ class TokenTests(object):
- exception.TokenNotFound,
- self.token_provider_api._persistence.delete_token,
- data_ref['id'])
-- return token_id
-+ return (token_id, audit_id)
-
- def test_list_revoked_tokens_returns_empty_list(self):
- revoked_ids = [x['id']
-@@ -4061,12 +4068,16 @@ class TokenTests(object):
- token_data = {'id_hash': token_id, 'id': token_id, 'a': 'b',
- 'expires': expire_time,
- 'trust_id': None,
-- 'user': {'id': 'testuserid'}}
-+ 'user': {'id': 'testuserid'},
-+ 'token_data': {'token': {
-+ 'audit_ids': [uuid.uuid4().hex]}}}
- token2_id = uuid.uuid4().hex
- token2_data = {'id_hash': token2_id, 'id': token2_id, 'a': 'b',
- 'expires': expire_time,
- 'trust_id': None,
-- 'user': {'id': 'testuserid'}}
-+ 'user': {'id': 'testuserid'},
-+ 'token_data': {'token': {
-+ 'audit_ids': [uuid.uuid4().hex]}}}
- # Create 2 Tokens.
- self.token_provider_api._persistence.create_token(token_id,
- token_data)
-@@ -4101,7 +4112,8 @@ class TokenTests(object):
- def _test_predictable_revoked_pki_token_id(self, hash_fn):
- token_id = self._create_token_id()
- token_id_hash = hash_fn(token_id).hexdigest()
-- token = {'user': {'id': uuid.uuid4().hex}}
-+ token = {'user': {'id': uuid.uuid4().hex},
-+ 'token_data': {'token': {'audit_ids': [uuid.uuid4().hex]}}}
-
- self.token_provider_api._persistence.create_token(token_id, token)
- self.token_provider_api._persistence.delete_token(token_id)
-@@ -4123,7 +4135,8 @@ class TokenTests(object):
-
- def test_predictable_revoked_uuid_token_id(self):
- token_id = uuid.uuid4().hex
-- token = {'user': {'id': uuid.uuid4().hex}}
-+ token = {'user': {'id': uuid.uuid4().hex},
-+ 'token_data': {'token': {'audit_ids': [uuid.uuid4().hex]}}}
-
- self.token_provider_api._persistence.create_token(token_id, token)
- self.token_provider_api._persistence.delete_token(token_id)
-diff --git a/keystone/tests/unit/test_backend_sql.py b/keystone/tests/unit/test_backend_sql.py
-index a7c63bf..7adc936 100644
---- a/keystone/tests/unit/test_backend_sql.py
-+++ b/keystone/tests/unit/test_backend_sql.py
-@@ -441,7 +441,8 @@ class SqlToken(SqlTests, test_backend.TokenTests):
- # necessary.
-
- expected_query_args = (token_sql.TokenModel.id,
-- token_sql.TokenModel.expires)
-+ token_sql.TokenModel.expires,
-+ token_sql.TokenModel.extra,)
-
- with mock.patch.object(token_sql, 'sql') as mock_sql:
- tok = token_sql.Token()
-diff --git a/keystone/token/persistence/backends/kvs.py b/keystone/token/persistence/backends/kvs.py
-index b4807bf..9a7ccea 100644
---- a/keystone/token/persistence/backends/kvs.py
-+++ b/keystone/token/persistence/backends/kvs.py
-@@ -211,6 +211,15 @@ class Token(token.persistence.Driver):
- subsecond=True)
- revoked_token_data['id'] = data['id']
-
-+ token_data = data['token_data']
-+ if 'access' in token_data:
-+ # It's a v2 token.
-+ audit_ids = token_data['access']['token']['audit_ids']
-+ else:
-+ # It's a v3 token.
-+ audit_ids = token_data['token']['audit_ids']
-+ revoked_token_data['audit_id'] = audit_ids[0]
-+
- token_list = self._get_key_or_default(self.revocation_key, default=[])
- if not isinstance(token_list, list):
- # NOTE(morganfainberg): In the case that the revocation list is not
-diff --git a/keystone/token/persistence/backends/sql.py b/keystone/token/persistence/backends/sql.py
-index 08c3a21..7c5c11d 100644
---- a/keystone/token/persistence/backends/sql.py
-+++ b/keystone/token/persistence/backends/sql.py
-@@ -228,13 +228,23 @@ class Token(token.persistence.Driver):
- session = sql.get_session()
- tokens = []
- now = timeutils.utcnow()
-- query = session.query(TokenModel.id, TokenModel.expires)
-+ query = session.query(TokenModel.id, TokenModel.expires,
-+ TokenModel.extra)
- query = query.filter(TokenModel.expires > now)
- token_references = query.filter_by(valid=False)
- for token_ref in token_references:
-+ token_data = token_ref[2]['token_data']
-+ if 'access' in token_data:
-+ # It's a v2 token.
-+ audit_ids = token_data['access']['token']['audit_ids']
-+ else:
-+ # It's a v3 token.
-+ audit_ids = token_data['token']['audit_ids']
-+
- record = {
- 'id': token_ref[0],
- 'expires': token_ref[1],
-+ 'audit_id': audit_ids[0],
- }
- tokens.append(record)
- return tokens
---
-1.9.1
-
--- a/components/openstack/keystone/patches/launchpad-1459816+.patch Wed Sep 07 14:48:41 2016 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,420 +0,0 @@
-The following in-house jumbo patch constitutes the upstream changes in
-Kilo for the following changesets
-
- fa43b6f6d196ea7780de4530c1d59bd43bc0b6de
- 82449dd550b4724fc90e1f2c16ae5f3237eebd25
- e614b299408b65a6558888b1f4930a9b641f1920
- 6cd2e5eccdad0005c4a69d85aa6918cfc33062c5
- 19f3ad9eca9e9d73e6a147b06d66d4dcb66d2934
-
-which address a number of issues with tools/sample_data.sh including
-switching from the deprecated keystoneclient to the new openstackclient
-commands.
-
-commit fa43b6f6d196ea7780de4530c1d59bd43bc0b6de
-Author: phil-hopkins-a <[email protected]>
-Date: Thu May 28 15:34:57 2015 -0500
-
- updates sample_data script to use the new openstack commands
-
- Cleans up the sample_data script to replace the keystoneclient commands
- with the new openstackclient commands
-
- Change-Id: Id68ff2b466e582a0c2f4418d173f7d63c14f5f37
- Closes-Bug: #1459816
-
-commit 82449dd550b4724fc90e1f2c16ae5f3237eebd25
-Author: Eric Brown <[email protected]>
-Date: Sun Jul 12 22:47:27 2015 -0700
-
- Replace reference of ksc with osc
-
- The leading comment in sample_data.sh still references the old
- python-keystoneclient when its python-openstackclient that is
- used to populate sample data.
-
- This patch also makes a minor fix of the Swift service description.
-
- TrivialFix
-
- Change-Id: Ie4f5729dcc0b3a6164470d11ba91ddaaec0bb022
-
-commit e614b299408b65a6558888b1f4930a9b641f1920
-Author: Ghe Rivero <[email protected]>
-Date: Sat Aug 1 05:00:05 2015 +0200
-
- Update exported variables for openstack client
-
- When using openstack client to populate an initial keystone
- deployment, instead of the former keystone client, the env.
- variables needed are OS_TOKEN and OS_URL instead of the
- previous OS_SERVICE_TOKEN and OS_SERVICE_ENDPOINT
-
- Change-Id: I79dcd56896945267cf1c8ff4378ffff63048e155
-
-commit 6cd2e5eccdad0005c4a69d85aa6918cfc33062c5
-Author: Ghe Rivero <[email protected]>
-Date: Sat Aug 1 05:16:28 2015 +0200
-
- Missing ADMIN_USER in sample_data.sh
-
- When moving from keystone to openstack client, the initialization of
- the ADMIN_USER variable was removed, making the script to fail.
-
- Change-Id: Iee2d5b1cbed6c93e335a4b4dbad3034a2f8e29ed
-
-commit 19f3ad9eca9e9d73e6a147b06d66d4dcb66d2934
-Author: Ghe Rivero <[email protected]>
-Date: Sun Aug 2 17:57:37 2015 +0200
-
- Create neutron service in sample_data.sh
-
- With the addition of Neutron to the sample_data.sh script, all services
- required by the compute starter kit tag [1] are created (plus swift and ec2
- compatible credentials)
-
- [1] http://governance.openstack.org/reference/tags/compute_starter_kit.html
-
- Change-Id: Iebc4f6b005e0466fe60691d964c7dea0e0eee947
-
---- keystone-2015.1.2/doc/source/developing.rst.~1~ 2015-10-13 10:18:02.000000000 -0700
-+++ keystone-2015.1.2/doc/source/developing.rst 2016-02-05 23:16:41.873683648 -0800
-@@ -75,6 +75,7 @@ place:
- $ bin/keystone-manage db_sync
-
- .. _`python-keystoneclient`: https://github.com/openstack/python-keystoneclient
-+.. _`openstackclient`: https://git.openstack.org/cgit/openstack/python-openstackclient
-
- If the above commands result in a ``KeyError``, or they fail on a
- ``.pyc`` file with the message, ``You can only have one Python script per
-@@ -158,18 +159,24 @@ data for use with keystone:
-
- .. code-block:: bash
-
-- $ OS_SERVICE_TOKEN=ADMIN tools/with_venv.sh tools/sample_data.sh
-+ $ OS_TOKEN=ADMIN tools/with_venv.sh tools/sample_data.sh
-
- Notice it requires a service token read from an environment variable for
- authentication. The default value "ADMIN" is from the ``admin_token``
- option in the ``[DEFAULT]`` section in ``etc/keystone.conf``.
-
- Once run, you can see the sample data that has been created by using the
--`python-keystoneclient`_ command-line interface:
-+`openstackclient`_ command-line interface:
-
- .. code-block:: bash
-
-- $ tools/with_venv.sh keystone --os-token ADMIN --os-endpoint http://127.0.0.1:35357/v2.0/ user-list
-+ $ tools/with_venv.sh openstack --os-token ADMIN --os-url http://127.0.0.1:35357/v2.0/ user list
-+
-+The `openstackclient`_ can be installed using the following:
-+
-+.. code-block:: bash
-+
-+ $ tools/with_venv.sh pip install python-openstackclient
-
- Filtering responsibilities between controllers and drivers
- ----------------------------------------------------------
---- keystone-2015.1.2/tools/sample_data.sh.~1~ 2015-10-13 10:18:02.000000000 -0700
-+++ keystone-2015.1.2/tools/sample_data.sh 2016-02-05 23:16:41.875371581 -0800
-@@ -14,14 +14,14 @@
- # License for the specific language governing permissions and limitations
- # under the License.
-
--# Sample initial data for Keystone using python-keystoneclient
-+# Sample initial data for Keystone using python-openstackclient
- #
- # This script is based on the original DevStack keystone_data.sh script.
- #
- # It demonstrates how to bootstrap Keystone with an administrative user
--# using the OS_SERVICE_TOKEN and OS_SERVICE_ENDPOINT environment variables
--# and the administrative API. It will get the admin_token (OS_SERVICE_TOKEN)
--# and admin_port from keystone.conf if available.
-+# using the OS_TOKEN and OS_URL environment variables and the administrative
-+# API. It will get the admin_token (OS_TOKEN) and admin_port from
-+# keystone.conf if available.
- #
- # Disable creation of endpoints by setting DISABLE_ENDPOINTS environment variable.
- # Use this with the Catalog Templated backend.
-@@ -36,17 +36,25 @@
- # service nova admin
- # service ec2 admin
- # service swift admin
-+# service neutron admin
-
- # By default, passwords used are those in the OpenStack Install and Deploy Manual.
- # One can override these (publicly known, and hence, insecure) passwords by setting the appropriate
- # environment variables. A common default password for all the services can be used by
- # setting the "SERVICE_PASSWORD" environment variable.
-
-+# Test to verify that the openstackclient is installed, if not exit
-+type openstack >/dev/null 2>&1 || {
-+ echo >&2 "openstackclient is not installed. Please install it to use this script. Aborting."
-+ exit 1
-+ }
-+
- ADMIN_PASSWORD=${ADMIN_PASSWORD:-secrete}
- NOVA_PASSWORD=${NOVA_PASSWORD:-${SERVICE_PASSWORD:-nova}}
- GLANCE_PASSWORD=${GLANCE_PASSWORD:-${SERVICE_PASSWORD:-glance}}
- EC2_PASSWORD=${EC2_PASSWORD:-${SERVICE_PASSWORD:-ec2}}
- SWIFT_PASSWORD=${SWIFT_PASSWORD:-${SERVICE_PASSWORD:-swiftpass}}
-+NEUTRON_PASSWORD=${NEUTRON_PASSWORD:-${SERVICE_PASSWORD:-neutron}}
-
- CONTROLLER_PUBLIC_ADDRESS=${CONTROLLER_PUBLIC_ADDRESS:-localhost}
- CONTROLLER_ADMIN_ADDRESS=${CONTROLLER_ADMIN_ADDRESS:-localhost}
-@@ -79,14 +87,14 @@ if [[ -r "$KEYSTONE_CONF" ]]; then
- fi
- fi
-
--export OS_SERVICE_TOKEN=${OS_SERVICE_TOKEN:-$CONFIG_SERVICE_TOKEN}
--if [[ -z "$OS_SERVICE_TOKEN" ]]; then
-+export OS_TOKEN=${OS_TOKEN:-$CONFIG_SERVICE_TOKEN}
-+if [[ -z "$OS_TOKEN" ]]; then
- echo "No service token found."
-- echo "Set OS_SERVICE_TOKEN manually from keystone.conf admin_token."
-+ echo "Set OS_TOKEN manually from keystone.conf admin_token."
- exit 1
- fi
-
--export OS_SERVICE_ENDPOINT=${OS_SERVICE_ENDPOINT:-http://$CONTROLLER_PUBLIC_ADDRESS:${CONFIG_ADMIN_PORT:-35357}/v2.0}
-+export OS_URL=${OS_URL:-http://$CONTROLLER_PUBLIC_ADDRESS:${CONFIG_ADMIN_PORT:-35357}/v2.0}
-
- function get_id () {
- echo `"$@" | grep ' id ' | awk '{print $4}'`
-@@ -95,141 +103,160 @@ function get_id () {
- #
- # Default tenant
- #
--DEMO_TENANT=$(get_id keystone tenant-create --name=demo \
-- --description "Default Tenant")
-+openstack project create demo \
-+ --description "Default Tenant"
-
--ADMIN_USER=$(get_id keystone user-create --name=admin \
-- --pass="${ADMIN_PASSWORD}")
-+openstack user create admin --project demo \
-+ --password "${ADMIN_PASSWORD}"
-
--ADMIN_ROLE=$(get_id keystone role-create --name=admin)
-+openstack role create admin
-
--keystone user-role-add --user-id $ADMIN_USER \
-- --role-id $ADMIN_ROLE \
-- --tenant-id $DEMO_TENANT
-+openstack role add --user admin \
-+ --project demo\
-+ admin
-
- #
- # Service tenant
- #
--SERVICE_TENANT=$(get_id keystone tenant-create --name=service \
-- --description "Service Tenant")
-+openstack project create service \
-+ --description "Service Tenant"
-+
-+openstack user create glance --project service\
-+ --password "${GLANCE_PASSWORD}"
-+
-+openstack role add --user glance \
-+ --project service \
-+ admin
-+
-+openstack user create nova --project service\
-+ --password "${NOVA_PASSWORD}"
-+
-+openstack role add --user nova \
-+ --project service \
-+ admin
-+
-+openstack user create ec2 --project service \
-+ --password "${EC2_PASSWORD}"
-+
-+openstack role add --user ec2 \
-+ --project service \
-+ admin
-
--GLANCE_USER=$(get_id keystone user-create --name=glance \
-- --pass="${GLANCE_PASSWORD}")
-+openstack user create swift --project service \
-+ --password "${SWIFT_PASSWORD}" \
-
--keystone user-role-add --user-id $GLANCE_USER \
-- --role-id $ADMIN_ROLE \
-- --tenant-id $SERVICE_TENANT
--
--NOVA_USER=$(get_id keystone user-create --name=nova \
-- --pass="${NOVA_PASSWORD}" \
-- --tenant-id $SERVICE_TENANT)
--
--keystone user-role-add --user-id $NOVA_USER \
-- --role-id $ADMIN_ROLE \
-- --tenant-id $SERVICE_TENANT
--
--EC2_USER=$(get_id keystone user-create --name=ec2 \
-- --pass="${EC2_PASSWORD}" \
-- --tenant-id $SERVICE_TENANT)
--
--keystone user-role-add --user-id $EC2_USER \
-- --role-id $ADMIN_ROLE \
-- --tenant-id $SERVICE_TENANT
--
--SWIFT_USER=$(get_id keystone user-create --name=swift \
-- --pass="${SWIFT_PASSWORD}" \
-- --tenant-id $SERVICE_TENANT)
--
--keystone user-role-add --user-id $SWIFT_USER \
-- --role-id $ADMIN_ROLE \
-- --tenant-id $SERVICE_TENANT
-+openstack role add --user swift \
-+ --project service \
-+ admin
-+
-+openstack user create neutron --project service \
-+ --password "${NEUTRON_PASSWORD}" \
-+
-+openstack role add --user neutron \
-+ --project service \
-+ admin
-
- #
- # Keystone service
- #
--KEYSTONE_SERVICE=$(get_id \
--keystone service-create --name=keystone \
-- --type=identity \
-- --description="Keystone Identity Service")
-+openstack service create --name keystone \
-+ --description "Keystone Identity Service" \
-+ identity
- if [[ -z "$DISABLE_ENDPOINTS" ]]; then
-- keystone endpoint-create --region RegionOne --service-id $KEYSTONE_SERVICE \
-+ openstack endpoint create --region RegionOne \
- --publicurl "http://$CONTROLLER_PUBLIC_ADDRESS:\$(public_port)s/v2.0" \
- --adminurl "http://$CONTROLLER_ADMIN_ADDRESS:\$(admin_port)s/v2.0" \
-- --internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:\$(public_port)s/v2.0"
-+ --internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:\$(public_port)s/v2.0" \
-+ keystone
- fi
-
- #
- # Nova service
- #
--NOVA_SERVICE=$(get_id \
--keystone service-create --name=nova \
-- --type=compute \
-- --description="Nova Compute Service")
-+openstack service create --name=nova \
-+ --description="Nova Compute Service" \
-+ compute
- if [[ -z "$DISABLE_ENDPOINTS" ]]; then
-- keystone endpoint-create --region RegionOne --service-id $NOVA_SERVICE \
-+ openstack endpoint create --region RegionOne \
- --publicurl "http://$CONTROLLER_PUBLIC_ADDRESS:8774/v2/\$(tenant_id)s" \
- --adminurl "http://$CONTROLLER_ADMIN_ADDRESS:8774/v2/\$(tenant_id)s" \
-- --internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:8774/v2/\$(tenant_id)s"
-+ --internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:8774/v2/\$(tenant_id)s" \
-+ nova
- fi
-
- #
- # Volume service
- #
--VOLUME_SERVICE=$(get_id \
--keystone service-create --name=volume \
-- --type=volume \
-- --description="Nova Volume Service")
-+openstack service create --name=volume \
-+ --description="Cinder Volume Service" \
-+ volume
- if [[ -z "$DISABLE_ENDPOINTS" ]]; then
-- keystone endpoint-create --region RegionOne --service-id $VOLUME_SERVICE \
-+ openstack endpoint create --region RegionOne \
- --publicurl "http://$CONTROLLER_PUBLIC_ADDRESS:8776/v1/\$(tenant_id)s" \
- --adminurl "http://$CONTROLLER_ADMIN_ADDRESS:8776/v1/\$(tenant_id)s" \
-- --internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:8776/v1/\$(tenant_id)s"
-+ --internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:8776/v1/\$(tenant_id)s" \
-+ volume
- fi
-
- #
- # Image service
- #
--GLANCE_SERVICE=$(get_id \
--keystone service-create --name=glance \
-- --type=image \
-- --description="Glance Image Service")
-+openstack service create --name=glance \
-+ --description="Glance Image Service" \
-+ image
- if [[ -z "$DISABLE_ENDPOINTS" ]]; then
-- keystone endpoint-create --region RegionOne --service-id $GLANCE_SERVICE \
-+ openstack endpoint create --region RegionOne \
- --publicurl "http://$CONTROLLER_PUBLIC_ADDRESS:9292" \
- --adminurl "http://$CONTROLLER_ADMIN_ADDRESS:9292" \
-- --internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:9292"
-+ --internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:9292" \
-+ glance
- fi
-
- #
- # EC2 service
- #
--EC2_SERVICE=$(get_id \
--keystone service-create --name=ec2 \
-- --type=ec2 \
-- --description="EC2 Compatibility Layer")
-+openstack service create --name=ec2 \
-+ --description="EC2 Compatibility Layer" \
-+ ec2
- if [[ -z "$DISABLE_ENDPOINTS" ]]; then
-- keystone endpoint-create --region RegionOne --service-id $EC2_SERVICE \
-+ openstack endpoint create --region RegionOne \
- --publicurl "http://$CONTROLLER_PUBLIC_ADDRESS:8773/services/Cloud" \
- --adminurl "http://$CONTROLLER_ADMIN_ADDRESS:8773/services/Admin" \
-- --internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:8773/services/Cloud"
-+ --internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:8773/services/Cloud" \
-+ ec2
- fi
-
- #
- # Swift service
- #
--SWIFT_SERVICE=$(get_id \
--keystone service-create --name=swift \
-- --type="object-store" \
-- --description="Swift Service")
-+openstack service create --name=swift \
-+ --description="Swift Object Storage Service" \
-+ object-store
- if [[ -z "$DISABLE_ENDPOINTS" ]]; then
-- keystone endpoint-create --region RegionOne --service-id $SWIFT_SERVICE \
-+ openstack endpoint create --region RegionOne \
- --publicurl "http://$CONTROLLER_PUBLIC_ADDRESS:8080/v1/AUTH_\$(tenant_id)s" \
- --adminurl "http://$CONTROLLER_ADMIN_ADDRESS:8080/v1" \
-- --internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:8080/v1/AUTH_\$(tenant_id)s"
-+ --internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:8080/v1/AUTH_\$(tenant_id)s" \
-+ swift
-+fi
-+
-+#
-+# Neutron service
-+#
-+openstack service create --name=neutron \
-+ --description="Neutron Network Service" \
-+ network
-+if [[ -z "$DISABLE_ENDPOINTS" ]]; then
-+ openstack endpoint create --region RegionOne \
-+ --publicurl "http://$CONTROLLER_PUBLIC_ADDRESS:9696" \
-+ --adminurl "http://$CONTROLLER_ADMIN_ADDRESS:9696" \
-+ --internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:9696" \
-+ neutron
- fi
-
- # create ec2 creds and parse the secret and access key returned
--RESULT=$(keystone ec2-credentials-create --tenant-id=$SERVICE_TENANT --user-id=$ADMIN_USER)
-+ADMIN_USER=$(get_id openstack user show admin)
-+RESULT=$(openstack ec2 credentials create --project service --user $ADMIN_USER)
- ADMIN_ACCESS=`echo "$RESULT" | grep access | awk '{print $4}'`
- ADMIN_SECRET=`echo "$RESULT" | grep secret | awk '{print $4}'`
-
--- a/components/openstack/keystone/patches/mysql_cluster_support.patch Wed Sep 07 14:48:41 2016 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,348 +0,0 @@
-This patchset is for bug:
-
-22725754 - Keystone needs to support MySQL Cluster
-
-This fixes the following aspects of Keystone:
-1. Implementation of an oslo.db configuration parameter to specify the MySQL
- storage engine (mysql_storage_engine).
-2. Replacement of hardcoded SQL statements that set the engine to "InnoDB"
- to the above configuration value.
-3. Logic to handle SQL differences between MySQL InnoDB and MySQL Cluster (NDB).
- This includes column lengths, constraints, foreign keys, and indexes.
-
-This has not been committed upstream, but has been filed in launchpad:
-
-https://bugs.launchpad.net/keystone/+bug/1564110
-
-
---- keystone-2015.1.2/keystone/contrib/endpoint_policy/migrate_repo/versions/001_add_endpoint_policy_table.py.orig 2016-02-17 11:31:28.370731100 -0700
-+++ keystone-2015.1.2/keystone/contrib/endpoint_policy/migrate_repo/versions/001_add_endpoint_policy_table.py 2016-02-19 13:15:20.604166480 -0700
-@@ -13,7 +13,9 @@
- # under the License.
-
- import sqlalchemy as sql
-+from oslo_config import cfg
-
-+CONF = cfg.CONF
-
- def upgrade(migrate_engine):
- # Upgrade operations go here. Don't create your own engine; bind
-@@ -34,7 +36,7 @@ def upgrade(migrate_engine):
- sql.Column('region_id', sql.String(64),
- nullable=True),
- sql.UniqueConstraint('endpoint_id', 'service_id', 'region_id'),
-- mysql_engine='InnoDB',
-+ mysql_engine=CONF.database.mysql_storage_engine,
- mysql_charset='utf8')
-
- endpoint_policy_table.create(migrate_engine, checkfirst=True)
---- keystone-2015.1.2/keystone/contrib/federation/migrate_repo/versions/001_add_identity_provider_table.py.orig 2016-02-17 11:31:28.364528948 -0700
-+++ keystone-2015.1.2/keystone/contrib/federation/migrate_repo/versions/001_add_identity_provider_table.py 2016-02-19 13:14:23.091304897 -0700
-@@ -11,7 +11,9 @@
- # under the License.
-
- import sqlalchemy as sql
-+from oslo_config import cfg
-
-+CONF = cfg.CONF
-
- def upgrade(migrate_engine):
- meta = sql.MetaData()
-@@ -23,7 +25,7 @@ def upgrade(migrate_engine):
- sql.Column('id', sql.String(64), primary_key=True),
- sql.Column('enabled', sql.Boolean, nullable=False),
- sql.Column('description', sql.Text(), nullable=True),
-- mysql_engine='InnoDB',
-+ mysql_engine=CONF.database.mysql_storage_engine,
- mysql_charset='utf8')
-
- idp_table.create(migrate_engine, checkfirst=True)
-@@ -36,7 +38,7 @@ def upgrade(migrate_engine):
- sql.ForeignKey('identity_provider.id', ondelete='CASCADE'),
- primary_key=True),
- sql.Column('mapping_id', sql.String(64), nullable=True),
-- mysql_engine='InnoDB',
-+ mysql_engine=CONF.database.mysql_storage_engine,
- mysql_charset='utf8')
-
- federation_protocol_table.create(migrate_engine, checkfirst=True)
---- keystone-2015.1.2/keystone/contrib/federation/migrate_repo/versions/007_add_remote_id_table.py.orig 2016-02-17 11:31:28.369152519 -0700
-+++ keystone-2015.1.2/keystone/contrib/federation/migrate_repo/versions/007_add_remote_id_table.py 2016-02-19 13:14:36.794647452 -0700
-@@ -11,7 +11,9 @@
- # under the License.
-
- import sqlalchemy as orm
-+from oslo_config import cfg
-
-+CONF = cfg.CONF
-
- def upgrade(migrate_engine):
- meta = orm.MetaData()
-@@ -27,7 +29,7 @@ def upgrade(migrate_engine):
- orm.Column('remote_id',
- orm.String(255),
- primary_key=True),
-- mysql_engine='InnoDB',
-+ mysql_engine=CONF.database.mysql_storage_engine,
- mysql_charset='utf8')
-
- remote_id_table.create(migrate_engine, checkfirst=True)
---- keystone-2015.1.2/keystone/contrib/federation/migrate_repo/versions/005_add_service_provider_table.py.orig 2016-02-17 11:31:28.366074588 -0700
-+++ keystone-2015.1.2/keystone/contrib/federation/migrate_repo/versions/005_add_service_provider_table.py 2016-02-19 13:16:25.569156414 -0700
-@@ -11,7 +11,9 @@
- # under the License.
-
- import sqlalchemy as sql
-+from oslo_config import cfg
-
-+CONF = cfg.CONF
-
- def upgrade(migrate_engine):
- meta = sql.MetaData()
-@@ -25,7 +27,7 @@ def upgrade(migrate_engine):
- sql.Column('enabled', sql.Boolean, nullable=False),
- sql.Column('description', sql.Text(), nullable=True),
- sql.Column('sp_url', sql.String(256), nullable=True),
-- mysql_engine='InnoDB',
-+ mysql_engine=CONF.database.mysql_storage_engine,
- mysql_charset='utf8')
-
- sp_table.create(migrate_engine, checkfirst=True)
---- keystone-2015.1.2/keystone/contrib/federation/migrate_repo/versions/002_add_mapping_tables.py.orig 2016-02-17 11:31:28.367627604 -0700
-+++ keystone-2015.1.2/keystone/contrib/federation/migrate_repo/versions/002_add_mapping_tables.py 2016-02-19 13:14:46.042762324 -0700
-@@ -11,7 +11,9 @@
- # under the License.
-
- import sqlalchemy as sql
-+from oslo_config import cfg
-
-+CONF = cfg.CONF
-
- def upgrade(migrate_engine):
- meta = sql.MetaData()
-@@ -22,6 +24,6 @@ def upgrade(migrate_engine):
- meta,
- sql.Column('id', sql.String(64), primary_key=True),
- sql.Column('rules', sql.Text(), nullable=False),
-- mysql_engine='InnoDB',
-+ mysql_engine=CONF.database.mysql_storage_engine ,
- mysql_charset='utf8')
- mapping_table.create(migrate_engine, checkfirst=True)
---- keystone-2015.1.2/keystone/common/sql/migration_helpers.py.orig 2016-02-17 11:31:28.355333466 -0700
-+++ keystone-2015.1.2/keystone/common/sql/migration_helpers.py 2016-02-19 10:15:36.520071425 -0700
-@@ -164,9 +164,9 @@ def _fix_federation_tables(engine):
- # alter table to execute
- engine.execute("SET foreign_key_checks = 0")
- # * Make the tables using InnoDB engine
-- engine.execute("ALTER TABLE identity_provider Engine=InnoDB")
-- engine.execute("ALTER TABLE federation_protocol Engine=InnoDB")
-- engine.execute("ALTER TABLE mapping Engine=InnoDB")
-+ engine.execute("ALTER TABLE identity_provider Engine=%s" % CONF.database.mysql_storage_engine)
-+ engine.execute("ALTER TABLE federation_protocol Engine=%s" % CONF.database.mysql_storage_engine)
-+ engine.execute("ALTER TABLE mapping Engine=%s" % CONF.database.mysql_storage_engine)
- # * Make the tables using utf8 encoding
- engine.execute("ALTER TABLE identity_provider "
- "CONVERT TO CHARACTER SET utf8")
---- keystone-2015.1.2/keystone/common/sql/migrate_repo/versions/051_add_id_mapping.py.orig 2016-02-17 11:31:28.357606093 -0700
-+++ keystone-2015.1.2/keystone/common/sql/migrate_repo/versions/051_add_id_mapping.py 2016-02-19 13:10:31.212704447 -0700
-@@ -13,9 +13,10 @@
- # under the License.
-
- import sqlalchemy as sql
--
- from keystone.identity.mapping_backends import mapping
-+from oslo_config import cfg
-
-+CONF = cfg.CONF
-
- MAPPING_TABLE = 'id_mapping'
-
-@@ -36,6 +37,6 @@ def upgrade(migrate_engine):
- name='entity_type'),
- nullable=False),
- sql.UniqueConstraint('domain_id', 'local_id', 'entity_type'),
-- mysql_engine='InnoDB',
-+ mysql_engine=CONF.database.mysql_storage_engine,
- mysql_charset='utf8')
- mapping_table.create(migrate_engine, checkfirst=True)
---- keystone-2015.1.2/keystone/common/sql/migrate_repo/versions/044_icehouse.py.orig 2016-02-17 11:31:28.359732657 -0700
-+++ keystone-2015.1.2/keystone/common/sql/migrate_repo/versions/044_icehouse.py 2016-02-19 13:12:49.670971345 -0700
-@@ -47,7 +47,7 @@ def upgrade(migrate_engine):
- sql.Column('blob', ks_sql.JsonBlob, nullable=False),
- sql.Column('type', sql.String(length=255), nullable=False),
- sql.Column('extra', ks_sql.JsonBlob.impl),
-- mysql_engine='InnoDB',
-+ mysql_engine=CONF.database.mysql_storage_engine,
- mysql_charset='utf8')
-
- domain = sql.Table(
-@@ -56,7 +56,7 @@ def upgrade(migrate_engine):
- sql.Column('name', sql.String(length=64), nullable=False),
- sql.Column('enabled', sql.Boolean, default=True, nullable=False),
- sql.Column('extra', ks_sql.JsonBlob.impl),
-- mysql_engine='InnoDB',
-+ mysql_engine=CONF.database.mysql_storage_engine,
- mysql_charset='utf8')
-
- endpoint = sql.Table(
-@@ -70,7 +70,7 @@ def upgrade(migrate_engine):
- sql.Column('extra', ks_sql.JsonBlob.impl),
- sql.Column('enabled', sql.Boolean, nullable=False, default=True,
- server_default='1'),
-- mysql_engine='InnoDB',
-+ mysql_engine=CONF.database.mysql_storage_engine,
- mysql_charset='utf8')
-
- group = sql.Table(
-@@ -80,7 +80,7 @@ def upgrade(migrate_engine):
- sql.Column('name', sql.String(length=64), nullable=False),
- sql.Column('description', sql.Text),
- sql.Column('extra', ks_sql.JsonBlob.impl),
-- mysql_engine='InnoDB',
-+ mysql_engine=CONF.database.mysql_storage_engine,
- mysql_charset='utf8')
-
- policy = sql.Table(
-@@ -89,7 +89,7 @@ def upgrade(migrate_engine):
- sql.Column('type', sql.String(length=255), nullable=False),
- sql.Column('blob', ks_sql.JsonBlob, nullable=False),
- sql.Column('extra', ks_sql.JsonBlob.impl),
-- mysql_engine='InnoDB',
-+ mysql_engine=CONF.database.mysql_storage_engine,
- mysql_charset='utf8')
-
- project = sql.Table(
-@@ -100,7 +100,7 @@ def upgrade(migrate_engine):
- sql.Column('description', sql.Text),
- sql.Column('enabled', sql.Boolean),
- sql.Column('domain_id', sql.String(length=64), nullable=False),
-- mysql_engine='InnoDB',
-+ mysql_engine=CONF.database.mysql_storage_engine,
- mysql_charset='utf8')
-
- role = sql.Table(
-@@ -108,7 +108,7 @@ def upgrade(migrate_engine):
- sql.Column('id', sql.String(length=64), primary_key=True),
- sql.Column('name', sql.String(length=255), nullable=False),
- sql.Column('extra', ks_sql.JsonBlob.impl),
-- mysql_engine='InnoDB',
-+ mysql_engine=CONF.database.mysql_storage_engine,
- mysql_charset='utf8')
-
- service = sql.Table(
-@@ -118,7 +118,7 @@ def upgrade(migrate_engine):
- sql.Column('enabled', sql.Boolean, nullable=False, default=True,
- server_default='1'),
- sql.Column('extra', ks_sql.JsonBlob.impl),
-- mysql_engine='InnoDB',
-+ mysql_engine=CONF.database.mysql_storage_engine,
- mysql_charset='utf8')
-
- token = sql.Table(
-@@ -129,7 +129,7 @@ def upgrade(migrate_engine):
- sql.Column('valid', sql.Boolean, default=True, nullable=False),
- sql.Column('trust_id', sql.String(length=64)),
- sql.Column('user_id', sql.String(length=64)),
-- mysql_engine='InnoDB',
-+ mysql_engine=CONF.database.mysql_storage_engine,
- mysql_charset='utf8')
-
- trust = sql.Table(
-@@ -143,7 +143,7 @@ def upgrade(migrate_engine):
- sql.Column('expires_at', sql.DateTime),
- sql.Column('remaining_uses', sql.Integer, nullable=True),
- sql.Column('extra', ks_sql.JsonBlob.impl),
-- mysql_engine='InnoDB',
-+ mysql_engine=CONF.database.mysql_storage_engine,
- mysql_charset='utf8')
-
- trust_role = sql.Table(
-@@ -152,7 +152,7 @@ def upgrade(migrate_engine):
- nullable=False),
- sql.Column('role_id', sql.String(length=64), primary_key=True,
- nullable=False),
-- mysql_engine='InnoDB',
-+ mysql_engine=CONF.database.mysql_storage_engine,
- mysql_charset='utf8')
-
- user = sql.Table(
-@@ -164,14 +164,14 @@ def upgrade(migrate_engine):
- sql.Column('enabled', sql.Boolean),
- sql.Column('domain_id', sql.String(length=64), nullable=False),
- sql.Column('default_project_id', sql.String(length=64)),
-- mysql_engine='InnoDB',
-+ mysql_engine=CONF.database.mysql_storage_engine,
- mysql_charset='utf8')
-
- user_group_membership = sql.Table(
- 'user_group_membership', meta,
- sql.Column('user_id', sql.String(length=64), primary_key=True),
- sql.Column('group_id', sql.String(length=64), primary_key=True),
-- mysql_engine='InnoDB',
-+ mysql_engine=CONF.database.mysql_storage_engine,
- mysql_charset='utf8')
-
- region = sql.Table(
-@@ -181,7 +181,7 @@ def upgrade(migrate_engine):
- sql.Column('description', sql.String(255), nullable=False),
- sql.Column('parent_region_id', sql.String(64), nullable=True),
- sql.Column('extra', sql.Text()),
-- mysql_engine='InnoDB',
-+ mysql_engine=CONF.database.mysql_storage_engine,
- mysql_charset='utf8')
-
- assignment = sql.Table(
-@@ -199,7 +199,7 @@ def upgrade(migrate_engine):
- sql.Column('role_id', sql.String(64), nullable=False),
- sql.Column('inherited', sql.Boolean, default=False, nullable=False),
- sql.PrimaryKeyConstraint('type', 'actor_id', 'target_id', 'role_id'),
-- mysql_engine='InnoDB',
-+ mysql_engine=CONF.database.mysql_storage_engine,
- mysql_charset='utf8')
-
- # create all tables
---- keystone-2015.1.2/keystone/common/sql/migrate_repo/versions/065_add_domain_config.py.orig 2016-02-17 11:31:28.361388817 -0700
-+++ keystone-2015.1.2/keystone/common/sql/migrate_repo/versions/065_add_domain_config.py 2016-02-19 13:10:34.283121353 -0700
-@@ -11,8 +11,10 @@
- # under the License.
-
- import sqlalchemy as sql
--
- from keystone.common import sql as ks_sql
-+from oslo_config import cfg
-+
-+CONF = cfg.CONF
-
- WHITELIST_TABLE = 'whitelisted_config'
- SENSITIVE_TABLE = 'sensitive_config'
-@@ -29,7 +31,7 @@ def upgrade(migrate_engine):
- sql.Column('group', sql.String(255), primary_key=True),
- sql.Column('option', sql.String(255), primary_key=True),
- sql.Column('value', ks_sql.JsonBlob.impl, nullable=False),
-- mysql_engine='InnoDB',
-+ mysql_engine=CONF.database.mysql_storage_engine,
- mysql_charset='utf8')
- whitelist_table.create(migrate_engine, checkfirst=True)
-
-@@ -40,6 +42,6 @@ def upgrade(migrate_engine):
- sql.Column('group', sql.String(255), primary_key=True),
- sql.Column('option', sql.String(255), primary_key=True),
- sql.Column('value', ks_sql.JsonBlob.impl, nullable=False),
-- mysql_engine='InnoDB',
-+ mysql_engine=CONF.database.mysql_storage_engine,
- mysql_charset='utf8')
- sensitive_table.create(migrate_engine, checkfirst=True)
---- keystone-2015.1.2/keystone/tests/unit/test_sql_upgrade.py.orig 2016-02-17 11:31:28.362966631 -0700
-+++ keystone-2015.1.2/keystone/tests/unit/test_sql_upgrade.py 2016-02-19 10:47:11.044395387 -0700
-@@ -663,9 +663,9 @@ class SqlUpgradeTests(SqlMigrateBase):
- noninnodb = connection.execute("SELECT table_name "
- "from information_schema.TABLES "
- "where TABLE_SCHEMA='%(database)s' "
-- "and ENGINE!='InnoDB' "
-+ "and ENGINE!='%(mysql_storage_engine)s' "
- "and TABLE_NAME!='migrate_version'" %
-- dict(database=database))
-+ dict(database=database, mysql_storage_engine=CONF.database.mysql_storage_engine))
- names = [x[0] for x in noninnodb]
- self.assertEqual([], names,
- "Non-InnoDB tables exist")
--- a/components/openstack/keystone/patches/no-federation.patch Wed Sep 07 14:48:41 2016 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,14 +0,0 @@
-In-house patch to remove the Federation extension from the default
-Keystone pipeline as this is not currently supported on Solaris.
-
---- keystone-2015.1.2/etc/keystone-paste.ini.~1~ 2015-10-13 10:18:02.000000000 -0700
-+++ keystone-2015.1.2/etc/keystone-paste.ini 2016-05-28 23:30:44.744506171 -0700
-@@ -79,7 +79,7 @@ pipeline = sizelimit url_normalize reque
- [pipeline:api_v3]
- # The last item in this pipeline must be service_v3 or an equivalent
- # application. It cannot be a filter.
--pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension oauth1_extension endpoint_filter_extension endpoint_policy_extension service_v3
-+pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension oauth1_extension endpoint_filter_extension endpoint_policy_extension service_v3
-
- [app:public_version_service]
- paste.app_factory = keystone.service:public_version_app_factory
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openstack/keystone/patches/no-pysaml2.patch Wed Sep 07 14:48:41 2016 -0700
@@ -0,0 +1,61 @@
+We don't currently have pysaml2 in Solaris because of its
+dependency on pycrypto.
+
+This patch makes the pysaml2 dependency in keystone optional.
+The saml_idp_metadata command of keystone-manage and
+federation_routers are disabled if the modules that depend
+on pysaml2 cannot be loaded.
+
+This patch is not suitable for pushing upstream.
+
+--- keystone-9.0.0/keystone/version/service.py.~1~ 2016-04-06 23:37:38.000000000 -0800
++++ keystone-9.0.0/keystone/version/service.py 2016-05-18 20:25:46.012718550 -0800
+@@ -26,7 +26,6 @@ from keystone.catalog import routers as
+ from keystone.common import wsgi
+ from keystone.credential import routers as credential_routers
+ from keystone.endpoint_policy import routers as endpoint_policy_routers
+-from keystone.federation import routers as federation_routers
+ from keystone.i18n import _LW
+ from keystone.identity import routers as identity_routers
+ from keystone.oauth1 import routers as oauth1_routers
+@@ -139,12 +138,17 @@ def v3_app_factory(global_conf, **local_
+ policy_routers,
+ resource_routers,
+ revoke_routers,
+- federation_routers,
+ oauth1_routers,
+ # TODO(morganfainberg): Remove the simple_cert router
+ # when PKI and PKIZ tokens are removed.
+ simple_cert_ext]
+
++ try:
++ from keystone.federation import routers as federation_routers
++ all_api_routers.append(federation_routers)
++ except:
++ pass
++
+ if CONF.trust.enabled:
+ all_api_routers.append(trust_routers)
+
+--- keystone-9.0.0/keystone/cmd/cli.py.~1~ 2016-04-06 23:37:38.000000000 -0800
++++ keystone-9.0.0/keystone/cmd/cli.py 2016-05-19 00:26:16.105127235 -0800
+@@ -32,7 +32,6 @@ from keystone.common import sql
+ from keystone.common.sql import migration_helpers
+ from keystone.common import utils
+ from keystone import exception
+-from keystone.federation import idp
+ from keystone.federation import utils as mapping_engine
+ from keystone.i18n import _, _LW, _LI
+ from keystone.server import backends
+@@ -848,6 +847,11 @@ class SamlIdentityProviderMetadata(BaseA
+
+ @staticmethod
+ def main():
++ try:
++ from keystone.federation import idp
++ except:
++ raise ValueError(_('saml_idp_metadata not currently supported; '
++ 'pysaml2 is required.'))
+ metadata = idp.MetadataGenerator().generate_metadata()
+ print(metadata.to_string())
+
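Review bot: The bare `except:` around the deferred `from keystone.federation import routers as federation_routers` in `v3_app_factory` swallows every failure, not only a missing pysaml2. A genuine error inside the federation package would therefore drop the federation routes from the v3 API with nothing in the log. Narrow it to `except ImportError as e:` and replace `pass` with a warning such as `LOG.warning(_LW('federation routers disabled: %s'), e)`; `_LW` is already imported, but whether the module defines `LOG` is not visible in the hunk. The same applies to `SamlIdentityProviderMetadata.main()` in cli.py, where `except:` converts any exception into the "pysaml2 is required" `ValueError`; `except ImportError:` keeps that message accurate. Both function bodies continue outside the hunks shown.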
--- a/components/openstack/keystone/patches/requirements.patch Wed Sep 07 14:48:41 2016 -0700
+++ b/components/openstack/keystone/patches/requirements.patch Wed Sep 07 14:48:41 2016 -0700
@@ -1,71 +1,25 @@
In-house patch to remove unnecessary dependencies from Keystone's
requirements files. The specific reasons are as follows:
-iso8601 Not applicable
-
-netaddr Not applicable
-
Paste Not applicable
-posix-ipc Not applicable
-
pysaml2 Not applicable to Solaris
---- keystone-2015.1.2/keystone.egg-info/requires.txt.~1~ 2015-10-13 10:22:09.000000000 -0700
-+++ keystone-2015.1.2/keystone.egg-info/requires.txt 2016-02-02 00:30:30.677285834 -0800
-@@ -2,16 +2,13 @@ pbr!=0.7,<1.0,>=0.6
- WebOb>=1.2.3
- eventlet!=0.17.0,>=0.16.1
- greenlet>=0.3.2
--netaddr>=0.7.12
- PasteDeploy>=1.5.0
--Paste
- Routes!=2.0,>=1.12.3
- cryptography>=0.8 # Apache-2.0
- six>=1.9.0
- SQLAlchemy<=0.9.99,>=0.9.7
- sqlalchemy-migrate!=0.9.8,<0.10.0,>=0.9.5
- passlib
--iso8601>=0.1.9
- python-keystoneclient<1.4.0,>=1.2.0
- keystonemiddleware<1.6.0,>=1.5.0
- oslo.concurrency<1.9.0,>=1.8.2 # Apache-2.0
-@@ -25,9 +22,7 @@ oslo.policy<0.4.0,>=0.3.1 # Apache-2.0
- oslo.serialization<1.5.0,>=1.4.0 # Apache-2.0
- oslo.utils!=1.4.1,<1.5.0,>=1.4.0 # Apache-2.0
- oauthlib>=0.6
--pysaml2
- dogpile.cache>=0.5.3
- jsonschema<3.0.0,>=2.0.0
- pycadf<0.9.0,>=0.8.0
--posix-ipc
- msgpack-python>=0.4.0
---- keystone-2015.1.2/requirements.txt.~1~ 2015-10-13 10:18:02.000000000 -0700
-+++ keystone-2015.1.2/requirements.txt 2016-02-02 00:30:59.005350937 -0800
-@@ -6,16 +6,13 @@ pbr!=0.7,<1.0,>=0.6
- WebOb>=1.2.3
- eventlet!=0.17.0,>=0.16.1
- greenlet>=0.3.2
--netaddr>=0.7.12
- PasteDeploy>=1.5.0
--Paste
- Routes!=2.0,>=1.12.3
- cryptography>=0.8 # Apache-2.0
- six>=1.9.0
- SQLAlchemy<=0.9.99,>=0.9.7
- sqlalchemy-migrate!=0.9.8,<0.10.0,>=0.9.5
- passlib
--iso8601>=0.1.9
- python-keystoneclient<1.4.0,>=1.2.0
- keystonemiddleware<1.6.0,>=1.5.0
- oslo.concurrency<1.9.0,>=1.8.2 # Apache-2.0
-@@ -29,9 +26,7 @@ oslo.policy<0.4.0,>=0.3.1 # Apache-2.0
- oslo.serialization<1.5.0,>=1.4.0 # Apache-2.0
- oslo.utils!=1.4.1,<1.5.0,>=1.4.0 # Apache-2.0
- oauthlib>=0.6
--pysaml2
- dogpile.cache>=0.5.3
- jsonschema<3.0.0,>=2.0.0
- pycadf<0.9.0,>=0.8.0
--posix-ipc
- msgpack-python>=0.4.0
+--- keystone-9.0.2/requirements.txt.~1~ 2016-05-26 11:34:30.000000000 -0800
++++ keystone-9.0.2/requirements.txt 2016-06-27 18:17:38.084276305 -0800
+@@ -7,7 +7,6 @@ WebOb>=1.2.3 # MIT
+ eventlet!=0.18.3,>=0.18.2 # MIT
+ greenlet>=0.3.2 # MIT
+ PasteDeploy>=1.5.0 # MIT
+-Paste # MIT
+ Routes!=2.0,!=2.1,!=2.3.0,>=1.12.3;python_version=='2.7' # MIT
+ Routes!=2.0,!=2.3.0,>=1.12.3;python_version!='2.7' # MIT
+ cryptography!=1.3.0,>=1.0 # BSD/Apache-2.0
+@@ -32,7 +31,6 @@ oslo.serialization>=1.10.0 # Apache-2.0
+ oslo.service>=1.0.0 # Apache-2.0
+ oslo.utils>=3.5.0 # Apache-2.0
+ oauthlib>=0.6 # BSD
+-pysaml2<4.0.3,>=2.4.0 # Apache-2.0
+ dogpile.cache>=0.5.7 # BSD
+ jsonschema!=2.5.0,<3.0.0,>=2.0.0 # MIT
+ pycadf!=2.0.0,>=1.1.0 # Apache-2.0
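Review bot: The rewritten patch edits only `requirements.txt`, whereas the version it replaces also removed the same entries from `keystone.egg-info/requires.txt`, and the description does not say why that is no longer needed. If the new tarball still ships an egg-info `requires.txt` listing `pysaml2` and `Paste`, and the build does not regenerate it, the installed metadata would keep declaring dependencies the package set does not provide; this should be confirmed against the built package. The header could also record the actual reason for dropping pysaml2, for example `pysaml2 Not available on Solaris (depends on pycrypto)`, so that it agrees with the description in no-pysaml2.patch.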
--- a/components/openstack/keystone/patches/sample-data.sh.patch Wed Sep 07 14:48:41 2016 -0700
+++ b/components/openstack/keystone/patches/sample-data.sh.patch Wed Sep 07 14:48:41 2016 -0700
@@ -7,8 +7,8 @@
It also includes a change to use the standard Solaris tr(1) rather than
GNU sed.
---- keystone-2015.1.2/tools/sample_data.sh.~2~ 2016-02-07 01:41:04.218073379 -0800
-+++ keystone-2015.1.2/tools/sample_data.sh 2016-02-07 01:44:19.119595020 -0800
+--- keystone-9.1.0/tools/sample_data.sh.~1~ 2016-07-05 08:27:02.000000000 -0700
++++ keystone-9.1.0/tools/sample_data.sh 2016-08-24 02:06:51.106133355 -0700
@@ -23,8 +23,8 @@
# API. It will get the admin_token (OS_TOKEN) and admin_port from
# keystone.conf if available.
@@ -20,18 +20,24 @@
#
# A EC2-compatible credential is created for the admin user and
# placed in etc/ec2rc.
-@@ -37,11 +37,15 @@
- # service ec2 admin
- # service swift admin
- # service neutron admin
+@@ -33,15 +33,19 @@
+ # -------------------------------------------------------
+ # demo admin admin
+ # service glance service
+-# service nova service
++# service nova admin, service
+ # service ec2 service
+ # service swift service
+-# service neutron service
-
-# By default, passwords used are those in the OpenStack Install and Deploy Manual.
-# One can override these (publicly known, and hence, insecure) passwords by setting the appropriate
-# environment variables. A common default password for all the services can be used by
-# setting the "SERVICE_PASSWORD" environment variable.
-+# service cinder admin
-+# service heat admin
-+# service ironic admin
++# service neutron admin, service
++# service cinder service
++# service heat service
++# service ironic service
+
+# By default, passwords used are those in the OpenStack Install and Deploy
+# Manual. One can override these (publicly known, and hence, insecure)
@@ -124,9 +130,26 @@
fi
fi
-@@ -156,6 +204,29 @@ openstack role add --user neutron \
+@@ -139,6 +187,10 @@ openstack user create nova --project ser
+
+ openstack role add --user nova \
--project service \
- admin
++ admin
++
++openstack role add --user nova \
++ --project service \
+ service
+
+ openstack user create ec2 --project service \
+@@ -160,8 +212,35 @@ openstack user create neutron --project
+
+ openstack role add --user neutron \
+ --project service \
++ admin
++
++openstack role add --user neutron \
++ --project service \
+ service
+openstack user create cinder --project service \
+ --password "${CINDER_PASSWORD}"
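Review bot: The `nova` and `neutron` service users now receive the `admin` role on the `service` project in addition to `service` (inner hunks at -139 and -160, mirrored in the role table of the preceding hunk), but nothing in the patch says which operations require it. This script seeds accounts whose default passwords its own header describes as publicly known, so the extra admin grants widen what those credentials can do if the defaults are left in place. A short rationale belongs in the patch description, e.g. `nova and neutron keep the admin role because <reason>`, or the grants should be dropped if `service` is sufficient. The other service users in the table (glance, ec2, swift, cinder, heat, ironic) are listed with `service` only, which makes the exception worth documenting.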
@@ -154,7 +177,7 @@
#
# Keystone service
#
-@@ -178,24 +249,32 @@ openstack service create --name=nova \
+@@ -184,24 +263,32 @@ openstack service create --name=nova \
compute
if [[ -z "$DISABLE_ENDPOINTS" ]]; then
openstack endpoint create --region RegionOne \
@@ -195,7 +218,7 @@
fi
#
-@@ -206,9 +285,9 @@ openstack service create --name=glance \
+@@ -212,9 +299,9 @@ openstack service create --name=glance \
image
if [[ -z "$DISABLE_ENDPOINTS" ]]; then
openstack endpoint create --region RegionOne \
@@ -208,7 +231,7 @@
glance
fi
-@@ -220,9 +299,9 @@ openstack service create --name=ec2 \
+@@ -226,9 +313,9 @@ openstack service create --name=ec2 \
ec2
if [[ -z "$DISABLE_ENDPOINTS" ]]; then
openstack endpoint create --region RegionOne \
@@ -221,7 +244,7 @@
ec2
fi
-@@ -234,9 +313,11 @@ openstack service create --name=swift \
+@@ -240,9 +327,11 @@ openstack service create --name=swift \
object-store
if [[ -z "$DISABLE_ENDPOINTS" ]]; then
openstack endpoint create --region RegionOne \
@@ -236,7 +259,7 @@
swift
fi
-@@ -248,12 +329,48 @@ openstack service create --name=neutron
+@@ -254,12 +343,48 @@ openstack service create --name=neutron
network
if [[ -z "$DISABLE_ENDPOINTS" ]]; then
openstack endpoint create --region RegionOne \