add apache mod_wsgi support

Bug #1348728 reported by Richard Megginson
This bug affects 1 person
Affects         | Status        | Importance | Assigned to       | Milestone
puppet-keystone | Fix Released  | Undecided  | Richard Megginson |
Icehouse        | Fix Committed | Undecided  | Unassigned        |

Bug Description

Going forward, keystone should be run as an apache mod_wsgi application, instead of a standalone eventlet daemon, for the purposes of security, performance, et al. There should be a puppet option to allow setting up keystone as a mod_wsgi application.

For production environments, which may have large token values, and other large http fields, it is not recommended to run keystone with mod_wsgi until https://bugs.launchpad.net/keystone/+bug/1255321 is fixed.

Richard Megginson (rmeggins) wrote :
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/109676

Changed in puppet-keystone:
assignee: nobody → Richard Megginson (rmeggins)
status: New → In Progress
Changed in puppet-keystone:
assignee: Richard Megginson (rmeggins) → Nathan Kinder (nkinder)
Nathan Kinder (nkinder)
Changed in puppet-keystone:
assignee: Nathan Kinder (nkinder) → nobody
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-keystone (master)

Reviewed: https://review.openstack.org/109676
Committed: https://git.openstack.org/cgit/stackforge/puppet-keystone/commit/?id=879f87270a8fbc861d55b8e31388c2c97028711a
Submitter: Jenkins
Branch: master

commit 879f87270a8fbc861d55b8e31388c2c97028711a
Author: Rich Megginson <email address hidden>
Date: Thu Jul 17 16:22:34 2014 -0600

    setup keystone using apache mod_wsgi

    Allow keystone to be set up to use apache mod_wsgi as the server
    instead of a standalone eventlet service. There is a new keystone
    class parameter: service_name. The default is 'keystone', which will
    set up the standalone eventlet service. If 'httpd' is used, the
    keystone class will skip creating the keystone service, which also means
    no 'openstack-keystone' service. The class 'keystone::wsgi::apache' is
    then used to configure apache mod_wsgi to serve keystone.

    Had to remove the File resource default in the keystone class. When
    using wsgi::apache, the apache class and other classes are included.
    Since puppet uses dynamic scoping, this overrides the file resources
    in those classes as well. keystone now explicitly sets all of the
    parameters in files/directory resources.

    Change-Id: Ib05ac81381e169845b44b2ef7cb810a4d5db17de
    Closes-Bug: #1348728
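
The resource-default problem described in the commit message above, as an added illustration (not code from puppet-keystone; the classes `demo_web`, `demo_app_leaky` and `demo_app_explicit`, the paths and the modes are hypothetical and constructed for this example). A `File` default declared in one class also applies to file resources in classes it includes, so another module's files can silently pick up the wrong owner and mode.

```puppet
# Hypothetical classes, constructed for illustration only.
# Assumes a 'keystone' user and group already exist on the node.

# Stand-in for a web server module that relies on Puppet's built-in
# behaviour for the attributes it leaves unset.
class demo_web {
  file { '/tmp/demo_site.conf':
    ensure  => file,
    content => "# vhost placeholder\n",
    # owner, group and mode are intentionally not set here
  }
}

# BEFORE: a class-wide File default. Resource defaults are dynamically
# scoped, so they also reach demo_web when it is declared from this class.
class demo_app_leaky {
  File {
    owner => 'keystone',
    group => 'keystone',
    mode  => '0640',
  }

  file { '/tmp/demo_app':
    ensure => directory,
  }

  include demo_web  # demo_site.conf ends up keystone:keystone, mode 0640
}

# AFTER: no class-wide default. Each file resource states its own
# ownership and mode, so nothing leaks into included classes.
class demo_app_explicit {
  file { '/tmp/demo_app':
    ensure => directory,
    owner  => 'keystone',
    group  => 'keystone',
    mode   => '0750',
  }

  include demo_web  # demo_site.conf keeps what demo_web intended
}

# Declare only one of the two variants on a node, for example:
include demo_app_explicit
```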

Changed in puppet-keystone:
status: In Progress → Fix Committed
Changed in puppet-keystone:
assignee: nobody → Richard Megginson (rmeggins)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-keystone (stable/icehouse)

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/136885

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-keystone (stable/icehouse)

Reviewed: https://review.openstack.org/136885
Committed: https://git.openstack.org/cgit/stackforge/puppet-keystone/commit/?id=bab7304c88a065aa3f4d3a970d82abdb65cb9169
Submitter: Jenkins
Branch: stable/icehouse

commit bab7304c88a065aa3f4d3a970d82abdb65cb9169
Author: Rich Megginson <email address hidden>
Date: Thu Jul 17 16:22:34 2014 -0600

    setup keystone using apache mod_wsgi

    Allow keystone to be set up to use apache mod_wsgi as the server
    instead of a standalone eventlet service. There is a new keystone
    class parameter: service_name. The default is 'keystone', which will
    set up the standalone eventlet service. If 'httpd' is used, the
    keystone class will skip creating the keystone service, which also means
    no 'openstack-keystone' service. The class 'keystone::wsgi::apache' is
    then used to configure apache mod_wsgi to serve keystone.

    Had to remove the File resource default in the keystone class. When
    using wsgi::apache, the apache class and other classes are included.
    Since puppet uses dynamic scoping, this overrides the file resources
    in those classes as well. keystone now explicitly sets all of the
    parameters in files/directory resources.

    Closes-Bug: #1348728
    (cherry picked from commit 879f87270a8fbc861d55b8e31388c2c97028711a)

    Conflicts:
     manifests/init.pp
     manifests/params.pp
     spec/classes/keystone_spec.rb

    Change-Id: Ia228cb3c582c2890f35e1f0ee11e0fef69179523

tags: added: in-stable-icehouse
Mathieu Gagné (mgagne)
Changed in puppet-keystone:
milestone: none → 5.0.0
Mathieu Gagné (mgagne)
Changed in puppet-keystone:
status: Fix Committed → Fix Released