puppet-barbican

pipeline definition is updated incorrectly

Bug #1946378 reported by Takashi Kajinami
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
puppet-barbican
Fix Released
High
Takashi Kajinami

Bug Description

Currently barbican::api updates the barbican_api pipeline according to auth_strategy, but this usage if quite outdated since Barbican defaulted to keystone authentication[1].

[1] https://github.com/openstack/barbican/commit/497db2c776a569ea18b86b781103101d3a5723ad

There are some problems we should fix.

- The default barbican-api-keystone pipenile is always used. We should change the pipeline for v1 API when we don't use keystone

- The barbican_api pipeline should not be updated if auth_strategy = 'keystone'

- The pipeline definition doesn't include the http_proxy_to_wsgi middleware.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-barbican (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/puppet-barbican/+/813041

Changed in puppet-barbican:
status: New → In Progress
Takashi Kajinami (kajinamit)
Changed in puppet-barbican:
importance: Undecided → High
assignee: nobody → Takashi Kajinami (kajinamit)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-barbican (master)

Reviewed: https://review.opendev.org/c/openstack/puppet-barbican/+/813041
Committed: https://opendev.org/openstack/puppet-barbican/commit/e9836301999d7baf134139b6e00021cceb3e969f
Submitter: "Zuul (22348)"
Branch: master

commit e9836301999d7baf134139b6e00021cceb3e969f
Author: Takashi Kajinami <email address hidden>
Date: Fri Oct 8 00:06:11 2021 +0900

    Do not update barbican_api pipeline when keystone auth is used

    The barbican_api pipeline is not longer used by default and the current
    default pipeline, barbican-api, includes the required middleware to
    use keystone auth.
    This change removes the logic to tweak the barbican_api pipeline when
    keystone auth is used.

    One remaining knwon issue is that current barbican_api_paste_ini
    doesn't support updating the root composite to replace the pipeline
    used by the one without keystoneauth.
    Currently usage of auth_strategy != 'keystone' just shows warning and
    users should manually edit the pipeline.

    Closes-Bug: #1946378
    Change-Id: I34fecc5265cbc9bc6d5b46b5a96f056b47b64c59

Changed in puppet-barbican:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-barbican 20.0.0

This issue was fixed in the openstack/puppet-barbican 20.0.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-barbican (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/puppet-barbican/+/853843

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-barbican (master)

Reviewed: https://review.opendev.org/c/openstack/puppet-barbican/+/853843
Committed: https://opendev.org/openstack/puppet-barbican/commit/5d4084a9511794c5d39c837f863c9db986d28ba4
Submitter: "Zuul (22348)"
Branch: master

commit 5d4084a9511794c5d39c837f863c9db986d28ba4
Author: Takashi Kajinami <email address hidden>
Date: Sat Aug 20 12:08:06 2022 +0900

    Remove the temporal logic to fix barbican_api pipeline

    The old wrong value should be fixed when the deployment is updated to
    stable/yoga, and the logic is no longer used in stable/zed and later.

    Related-Bug: #1946378
    Change-Id: I699847c127e5890857446585ededc9d860b0dc78

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.