tripleo

[RFE] Allow puppet to configure Keystone API session persistence in Queens

Bug #1779744 reported by Andrew Austin
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tripleo
Fix Released
Medium
Andrew Austin
tripleo stein-1

Bug Description

Currently in Queens, puppet-tripleo does not allow for configuring the Keystone API to use cookie-based session persistence. This prevents an operator from deploying an overcloud with SAML integration purely through TripleO as this piece must be configured manually after deployment and reconfigured after any update to the overcloud stack.

https://review.openstack.org/#/c/577309 in master branch resolves this issue and allows for semi-automated deployment of SAML integration when used with a customized Keystone container image and an environment file.

The tripleo-saml blueprint that is outstanding calls for both this patch and heat template work for user friendliness, but the puppet change by itself could be backported to stable/queens to allow for some path forward for an operator wanting to use SAML federation without post-deployment configuration.

Andrew Austin (marbindrakon)
Changed in tripleo:
assignee: nobody → Andrew Austin (marbindrakon)
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on puppet-tripleo (stable/queens)

Change abandoned by Emilien Macchi (<email address hidden>) on branch: stable/queens
Review: https://review.openstack.org/579660
Reason: The gate is suffering of timeouts, we need to clear it. Please do not restore or recheck this patch, I'll take care of it when gate is stable again.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/queens)

Reviewed: https://review.openstack.org/579660
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=47ec9ce49b0a9e26701f63c9841ab2f982f7af32
Submitter: Zuul
Branch: stable/queens

commit 47ec9ce49b0a9e26701f63c9841ab2f982f7af32
Author: Andrew Austin <email address hidden>
Date: Thu Jun 21 22:08:51 2018 +0000

    Add mechanism for cookie-based sessions in endpoints.

    In order to allow SAML integration, we need to persist sessions for
    the Keystone public API. Rather than use a one-off resource, this
    patch introduces a generic mechanism for adding cookie-based sessions
    to any endpoint that uses the endpoint resource and uses that mechanism
    to provide a session persistence option for the Keystone public API.

    Closes-Bug: #1779744
    Change-Id: I7e1c9a4ddc8b849b487b863635b8c45fc935a751
    (cherry picked from commit 37bc58d9b1b1d8586d5134fd4f1d230bfd152eda)

tags: added: in-stable-queens
Emilien Macchi (emilienm)
Changed in tripleo:
milestone: none → rocky-3
importance: Undecided → Medium
Emilien Macchi (emilienm)
Changed in tripleo:
milestone: rocky-3 → rocky-rc1
Emilien Macchi (emilienm)
Changed in tripleo:
milestone: rocky-rc1 → stein-1
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 8.3.5

This issue was fixed in the openstack/puppet-tripleo 8.3.5 release.

Andrew Austin (marbindrakon)
Changed in tripleo:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.