Kilo changes for Keystone

Registered by Ian Cordasco

Overview
########

This blueprint collects all the changes that are necessary to make the
Keystone playbook ready for Kilo.

Problem Description
-------------------

The configuration files need to be updated for Kilo.

Proposed Change
---------------

After an analysis of the changes between Juno and Kilo, I (sigmavirus24) have
come up with the following list of changes, all in the keystone.conf.j2
template:

New Options
+++++++++++

- ``[DEFAULT]/max_project_tree_depth``

- ``[DEFAULT]/secure_proxy_ssl_header``

- ``[trust]/max_redelegation_count``

- ``[trust]/driver``

New Groups
++++++++++

- ``[oslo_messaging_amqp]``

- ``[oslo_messaging_qpid]``

- ``[oslo_messaging_rabbit]``

- ``[oslo_middleware]``

- ``[resource]``

- ``[role]``

Moved Options
+++++++++++++

- ``[DEFAULT]/policy_file => [oslo_policy]/policy_file``

- ``[DEFAULT]/policy_dirs => [oslo_policy]/policy_dirs``

Deprecated Options
++++++++++++++++++

- ``[signing]/format`` for ``[token]/provider``

Changed Options
+++++++++++++++

- ``[token]/provider`` expects one of [pki|pkiz|uuid]

Recommended Values
++++++++++++++++++

- ``[token]/hash_algorithm`` should be ``sha256``
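
A check for the option changes listed above, as an added example that is not part of this blueprint or of keystone: it audits a rendered keystone.conf against the moved, deprecated, changed and recommended options on this page. The function name and both sample configs are constructed for illustration.

```python
import configparser

# Rules transcribed from the lists above; nothing here comes from keystone itself.
MOVED = {("DEFAULT", "policy_file"): ("oslo_policy", "policy_file"),
         ("DEFAULT", "policy_dirs"): ("oslo_policy", "policy_dirs")}
TOKEN_PROVIDERS = {"pki", "pkiz", "uuid"}

def audit_keystone_conf(text):
    """Return (kind, option, detail) findings for a rendered keystone.conf."""
    # Treat [DEFAULT] as an ordinary section so its options do not leak into others.
    cp = configparser.RawConfigParser(default_section="__unused__", strict=False)
    cp.read_string(text)
    get = lambda sec, opt: cp.get(sec, opt, fallback=None)
    findings = []
    for (osec, oopt), (nsec, nopt) in MOVED.items():
        if get(osec, oopt) is not None:
            findings.append(("moved", f"[{osec}]/{oopt}", f"now [{nsec}]/{nopt}"))
    if get("signing", "format") is not None:
        findings.append(("deprecated", "[signing]/format", "use [token]/provider"))
    provider = get("token", "provider")
    if provider is not None and provider not in TOKEN_PROVIDERS:
        findings.append(("invalid", "[token]/provider", provider))
    # The spec states MD5 is the default, so an absent option counts as md5.
    algo = (get("token", "hash_algorithm") or "md5").lower()
    if algo != "sha256":
        findings.append(("weak", "[token]/hash_algorithm", algo))
    return findings

# Constructed sample inputs, not taken from any real deployment.
JUNO_STYLE = """
[DEFAULT]
policy_file = policy.json
[signing]
format = UUID
[token]
provider = keystone.token.providers.uuid.Provider
"""
KILO_STYLE = """
[oslo_policy]
policy_file = policy.json
[token]
provider = uuid
hash_algorithm = sha256
"""

if __name__ == "__main__":
    for name, conf in (("juno", JUNO_STYLE), ("kilo", KILO_STYLE)):
        print(name, audit_keystone_conf(conf))
```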

Playbook Impact
---------------

Minor impact localized to the keystone.conf template file.

Alternatives
------------

None.

Security Impact
---------------

None. Switching the token hash algorithm from the MD5 default to SHA256 will
improve security.

Performance Impact
------------------

None.

End User Impact
---------------

No user impacting changes.

Deployer Impact
---------------

No change.

Developer Impact
----------------

No change.

Dependencies
------------

If the MD5 token hashing is changed to use SHA256, then Horizon and other
services have to be changed in the same way.

Documentation Impact
--------------------

No changes to docs.

References
----------

os-ansible-deployment juno version of the keystone.conf.j2
https://github.com/stackforge/os-ansible-deployment/blob/15fb287eaa4a756d5e4e21be71a64a6af2170c9b/playbooks/roles/os_keystone/templates/keystone.conf.j2

Current keystone example keystone.conf
https://github.com/openstack/keystone/blob/0555d68c6bc9371e5c952146621a6422804bfe08/etc/keystone.conf.sample

Blueprint information

- Status: Complete
- Approver: None
- Priority: Undefined
- Drafter: Ian Cordasco
- Direction: Needs approval
- Assignee: None
- Definition: Obsolete
- Series goal: None
- Implementation: Unknown
- Milestone target: None
- Completed by: Kevin Carter

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/keystone-kilofication,n,z

Addressed by: https://review.openstack.org/167475
    Keystone config changes for Kilo
