Keystone configuration missing trust configuration settings

Bug #1603254 reported by Adrian Otto
Affects | Status | Importance | Assigned to | Milestone
openstack-ansible | In Progress | Low | Unassigned |

Bug Description

OSAD sets up keystone[1] with the following configuration stanza in /etc/keystone/keystone.conf in the keystone container:

[resource]
cache_time = 3600
caching = true
driver = sql

In devstack, additional configuration directives are included to allow for delegation of trusts from the admin project/domain:

admin_project_name = admin
admin_project_domain_name = default

This is what the stanza looks like in devstack:

[resource]
admin_project_name = admin
admin_project_domain_name = default
driver = sql

Please add the missing configuration directives to allow for advanced trust delegation, like Magnum uses.

[1] https://github.com/openstack/keystone/blob/07981bddaf2630922ce3811c999d30b74dadc294/keystone/token/providers/common.py#L269-L285

Adrian Otto (aotto)
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible-os_keystone (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/342484

Kevin Carter (kevin-carter) wrote :

@Adrian I've looked over this issue and the resulting PR. The change looks fine; however, it will need to be in master before it's ported to stable/mitaka.

That said, what you're looking to accomplish can already be done without any code changes. Within your "user_variables.yml" file set a config override to add in the items you need. Documentation [ http://docs.openstack.org/developer/openstack-ansible/developer-docs/extending.html?highlight=config_template ].

**overrides you would need**

keystone_keystone_conf_overrides:
  resource:
    admin_project_name: "{{ keystone_admin_tenant_name }}"
    admin_project_domain_name: "default"

With that set in your variable file re-run the "os-keystone-install.yml" play to drop the new bits in place. To make the playbook run faster you can use tags, something like so: ``openstack-ansible os-keystone-install.yml --tags keystone-config``
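A check for the rendered file after the play has run, as an added example that is not part of the bug thread or of openstack-ansible: it parses keystone.conf text and reports whether the two [resource] directives from the description are present. The function name `audit_resource_section` and the `expected` values are assumptions; the sample stanzas are the two quoted in the report.

```python
import configparser

# The two [resource] directives this bug report asks for.
REQUIRED = ("admin_project_name", "admin_project_domain_name")


def audit_resource_section(conf_text, expected=None):
    """Return findings (strings) for the [resource] section of keystone.conf text.

    expected: optional dict of directive -> value the deployment intends.
    """
    # default_section is renamed so [DEFAULT] values do not leak into [resource];
    # interpolation is off because the file may contain a bare '%'.
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, default_section="__unused__")
    parser.read_string(conf_text)
    if not parser.has_section("resource"):
        return ["[resource] section not found"]
    section = parser["resource"]
    findings = []
    for key in REQUIRED:
        value = (section.get(key) or "").strip()
        if not value:
            findings.append(f"{key} is not set in [resource]")
        elif expected and key in expected and value != expected[key]:
            findings.append(f"{key} = {value!r}, expected {expected[key]!r}")
    return findings


# Constructed samples: the two stanzas quoted in the bug description.
OSA_STANZA = """[resource]
cache_time = 3600
caching = true
driver = sql
"""
DEVSTACK_STANZA = """[resource]
admin_project_name = admin
admin_project_domain_name = default
driver = sql
"""

if __name__ == "__main__":
    want = {"admin_project_name": "admin", "admin_project_domain_name": "default"}
    for name, text in (("openstack-ansible", OSA_STANZA), ("devstack", DEVSTACK_STANZA)):
        print(name, "->", audit_resource_section(text, expected=want) or "ok")
```

To check a deployed container, pass the contents of /etc/keystone/keystone.conf as `conf_text`.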

Changed in openstack-ansible:
status: New → In Progress
importance: Undecided → Low
assignee: nobody → Kevin Carter (kevin-carter)
milestone: none → newton-3
OpenStack Infra (hudson-openstack) wrote : Change abandoned on openstack-ansible-os_keystone (stable/mitaka)

Change abandoned by Christopher Hultin (<email address hidden>) on branch: stable/mitaka
Review: https://review.openstack.org/342484

Changed in openstack-ansible:
assignee: Kevin Carter (kevin-carter) → Christopher Hultin (chris-hultin)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible-os_keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/342887

Changed in openstack-ansible:
milestone: newton-3 → newton-rc1
Changed in openstack-ansible:
assignee: Christopher Hultin (chris-hultin) → Jesse Pretorius (jesse-pretorius)
Changed in openstack-ansible:
milestone: newton-rc1 → 14.0.0
Changed in openstack-ansible:
assignee: Jesse Pretorius (jesse-pretorius) → Christopher Hultin (chris-hultin)
Jean-Philippe Evrard (jean-philippe-evrard) wrote :

I think all we need is documentation here. Still worth doing for next release IMO.

tags: added: newton-rc-potential
Changed in openstack-ansible:
assignee: Christopher Hultin (chris-hultin) → Kevin Carter (kevin-carter)
Changed in openstack-ansible:
assignee: Kevin Carter (kevin-carter) → nobody