Keystone configuration missing trust configuration settings

Bug #1603254 reported by Adrian Otto on 2016-07-15
This bug affects 1 person
Affects: openstack-ansible
Importance: Low
Assigned to: Kevin Carter

Bug Description

OSAD sets up keystone[1] with the following configuration stanza in /etc/keystone/keystone.conf in the keystone container:

[resource]
cache_time = 3600
caching = true
driver = sql

In devstack, additional configuration directives are included to allow for delegation of trusts from the admin project/domain:

admin_project_name = admin
admin_project_domain_name = default

This is what the stanza looks like in devstack:

[resource]
admin_project_name = admin
admin_project_domain_name = default
driver = sql

Please add the missing configuration directives to allow for advanced trust delegation, like Magnum uses.

[1] https://github.com/openstack/keystone/blob/07981bddaf2630922ce3811c999d30b74dadc294/keystone/token/providers/common.py#L269-L285

Adrian Otto (aotto) on 2016-07-15
description: updated
Kevin Carter (kevin-carter) wrote :

@Adrian I've looked over this issue and the resulting PR; the change looks fine, however it will need to be in master before it's ported to stable/mitaka.

That said, what you're looking to accomplish can already be done without any code changes. Within your "user_variables.yml" file set a config override to add in the items you need. Documentation [ http://docs.openstack.org/developer/openstack-ansible/developer-docs/extending.html?highlight=config_template ].

**overrides you would need**

keystone_keystone_conf_overrides:
  resource:
    admin_project_name: "{{ keystone_admin_tenant_name }}"
    admin_project_domain_name: "default"

With that set in your variable file re-run the "os-keystone-install.yml" play to drop the new bits in place. To make the playbook run faster you can use tags, something like so: ``openstack-ansible os-keystone-install.yml --tags keystone-config``

Changed in openstack-ansible:
status: New → In Progress
importance: Undecided → Low
assignee: nobody → Kevin Carter (kevin-carter)
milestone: none → newton-3
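
One way to confirm that the override reached the rendered file, as an added example (not code from this bug report or from openstack-ansible): it parses keystone.conf text and reports which of the two [resource] directives are still missing. The function name is hypothetical, the two sample stanzas are the ones quoted in the bug description, and it assumes Python's configparser reads the file closely enough for this check.

```python
import configparser
import sys

# Options the bug report asks for in keystone.conf's [resource] section.
REQUIRED = ("admin_project_name", "admin_project_domain_name")

# The two stanzas quoted in the bug description, embedded as sample input.
OSAD_STANZA = """[resource]
cache_time = 3600
caching = true
driver = sql
"""
DEVSTACK_STANZA = """[resource]
admin_project_name = admin
admin_project_domain_name = default
driver = sql
"""


def missing_resource_options(conf_text):
    """Return the REQUIRED [resource] options that are absent or empty."""
    parser = configparser.ConfigParser(
        default_section="__unused__",  # treat [DEFAULT] as a normal section
        interpolation=None,            # values may contain a literal '%'
        strict=False,                  # tolerate repeated sections/options
    )
    parser.read_string(conf_text)
    if not parser.has_section("resource"):
        return list(REQUIRED)
    return [opt for opt in REQUIRED
            if not parser.get("resource", opt, fallback="").strip()]


if __name__ == "__main__":
    # Hypothetical usage: pass the path to keystone.conf inside the container.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/keystone/keystone.conf"
    with open(path) as handle:
        missing = missing_resource_options(handle.read())
    if missing:
        print("missing in [resource]: " + ", ".join(missing))
        sys.exit(1)
    print("[resource] trust delegation settings present")
```

The script exits non-zero when a directive is missing, so it can gate a deployment check after the keystone-config run.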

Change abandoned by Christopher Hultin (<email address hidden>) on branch: stable/mitaka
Review: https://review.openstack.org/342484

Changed in openstack-ansible:
assignee: Kevin Carter (kevin-carter) → Christopher Hultin (chris-hultin)
Changed in openstack-ansible:
milestone: newton-3 → newton-rc1
Changed in openstack-ansible:
assignee: Christopher Hultin (chris-hultin) → Jesse Pretorius (jesse-pretorius)
Changed in openstack-ansible:
milestone: newton-rc1 → 14.0.0
Changed in openstack-ansible:
assignee: Jesse Pretorius (jesse-pretorius) → Christopher Hultin (chris-hultin)

I think all we need is documentation here. Still worth doing for next release IMO.

tags: added: newton-rc-potential
Changed in openstack-ansible:
assignee: Christopher Hultin (chris-hultin) → Kevin Carter (kevin-carter)