- Jun 06, 2018
Frode Nordahl authored
Remove v2 section from template as Queens is v3 only.
Change-Id: Ic2b1215421ad870096fab7e1aee1f7604c1892a2
Closes-Bug: #1774716

- May 11, 2018
Dmitrii Shcherbakov authored
* add support for relating with subordinate charms providing Service Provider functionality via apache2 authentication modules;
* enable additional authentication methods on the keystone side to accept parsed assertion data provided via apache2 authentication module variables exported to WSGI environment;
* move https frontend and WSGI API apache config files to keystone instead of relying on charm-helpers as modifications are needed there to add IncludeOptional directives. openstack_https_frontend.conf is added on purpose as ServerName cannot be correctly determined after ProxyPass which results in TLS errors during SAML exchange process;
* add an additional relation to openstack-dashboard to provide URL information necessary to trust 'origin' parameter in WebSSO URLs used by horizon during the authentication process. Also add a context to render the federation section that is used to render this information in keystone.conf;
Subordinates can choose to use different apache2 authentication modules. If those modules support vhost-level variables then multiple subordinates for the same module can be used. For example, mod_auth_mellon can be used multiple times in different vhosts to protect federated token endpoints related to different identity provider and protocol combinations. Trusted dashboard relation could be used to provide dashboard origin URL from a different site via cross-model relations.
NOTE: this functionality will be triggered only on Ocata+ (inclusive)
Change-Id: I1ef623b0b0e2a9f68cec4be550965c5e15e5f561

- Jan 12, 2018
James Page authored
Drop support for deployment from Git repositories, as deprecated in the 17.02 charm release. This feature is unmaintained and has no known users.
Change-Id: Ic054e29ef55d8890a3130af16b48f105efcf8f6a

- Oct 17, 2017
Liam Young authored
Install and configure memcached on the keystone units and configure keystone to use the cache. This should speed up token access for existing tokens.
Change-Id: I26af0a97660e5bbe293a32e6b9e3d209338f905a
Closes-Bug: #1722541

- Oct 11, 2017
James Page authored
Ensure that a valid entry point is used for the uuid token backend, resolving compatibility with later OpenStack releases.
Change-Id: I566e6a2e9c0aa1fc1afe02dbc9f899cfb0c7a9f6
Closes-Bug: 1722909

- Sep 28, 2017
David Ames authored
Install OpenStack using snaps. By setting openstack-origin to snap:track/channel or snap:track the charm will use snaps to install rather than debs. If channel is left off it defaults to stable. For example: snap:ocata/edge will install the edge version of Ocata and snap:pike will install the stable version of Pike. Charm helpers sync for snap related helpers.
Change-Id: I6e3540e4ffe081540404f91061e5c9b7039b3eac

- Aug 10, 2017
James Page authored
Only enable the [signing] section of the keystone configuration if PKI token format is in use; other token formats don't have support for token revocation retrieval. Note that PKI format tokens are no longer supported >= Pike.
Change-Id: I8179ecc5d37d866588147f639ebc77a870408dfe
Closes-Bug: 1709189

- Jun 21, 2017
James Page authored
Use the 'uuid' entry point for token configuration; this has been supported for some time and future proofs the charm against changes in the internals of keystone.
Change-Id: I9f16a4b38487069379069c698d713f5b498eb718

- Feb 21, 2017
Frode Nordahl authored
Refresh v2 and v3 portion of policy.json from upstream keystone repository @ commit d4a890a6c8bd6927e229f4b665a982a51c130073
Add functional tests to verify effect of policy
Update functional tests to use keystone_configure_api_version from charm-helpers
Update functional tests to correctly validate cinder services when openstack release >= ocata
Enable functional test for ocata, set appropriate cinder configuration.
Change-Id: Idf07ff3a7c9d7e7eb30792719541319ab3426a41
Closes-Bug: 1651989
Closes-Bug: 1649446

- Jan 30, 2017
James Page authored
Enable support for domain specific drivers, managed via configuration files (instead of directly using the API and database). Using multiple domains means that calls to users.list must be scoped to a specific domain; ensure that v3 calls to this method are appropriately scoped.
Change-Id: I7ed84b7210597ab1633eba343a0c68741a5a8578
Partial-Bug: 1645803

- Jan 18, 2017
Corey Bryant authored
The WSGI template and context code has been moved to charm-helpers. This change updates the charm to use the common code from charm-helpers.
Change-Id: I6a3efdb0811c8d50c657f6f8b923b076e3de6716

- Jan 12, 2017
Frode Nordahl authored
More work is needed on policy changes before we can have fine grained RBAC for service accounts. Add service project to cloud_admin rule to maintain service access to admin-only calls.
Change-Id: I3d6776ec821e97353d63d2709b36efd9091f0123
Closes-Bug: 1655028

- Nov 24, 2016
Frode Nordahl authored
keystone.conf:
- Change log_config to log_config_append DEPRECATED
- Remove verbose DEPRECATED
- Remove eventlet_server section DEPRECATED
- Remove ec2 section, no longer available in Keystone. It has been moved to the keystonemiddleware package
- Update driver names. Using full module path is DEPRECATED
- Add resource section and specify admin_project_domain_name and admin_project_name
mitaka/policy.json:
- Refresh from upstream stable/mitaka
- Apply stricter rule:service_role
- Allow identity:list_projects to rule:service_role
newton/policy.json:
- Refresh from upstream stable/newton
- Apply stricter rule:service_role
- Allow identity:list_projects to rule:service_role
hooks/keystone_context.py:
- Add admin_domain_name to Keystone context
tests/basic_deployment.py:
- Add config check for changes for Mitaka and newer releases
Partial-Bug: 1636098
Change-Id: Ib267418f34066eaf6e4885627010d2a18e312192

- Sep 27, 2016
Liam Young authored
The default_domain_id is used to specify a domain when the client hasn't explicitly set one. It defaults to 'default' which is fine for liberty and previous because the id of the default domain is, oddly, 'default' rather than a uuid. On Mitaka and higher it is a uuid, so when keystone assumes the default domain's id is 'default' it fails.
Change-Id: Iaa5e6a07a229815cf2281858cb68a4e120aa2af3
Closes-Bug: 1626889

- Jul 13, 2016
Corey Bryant authored
The keystone charm runs the keystone API under apache2 for liberty and above. This patch enables the keystone API to run under apache2 when deployed from source for liberty and above.
Change-Id: I5eccf38aad9668248f4f94523d61f7bd40ed5c30

- May 06, 2016
Billy Olsen authored
When use_syslog = False, the keystone-token-flush cronjob omits the keystone username in the cron tab file, which causes cron to skip the entry and report errors into the cron job. This change fixes the problem.
Change-Id: I2e96eba9e55d9a7e3b9ade2090f88a74467ba334
Closes-Bug: 1578914

- Apr 06, 2016
Liam Young authored
The Kilo release of openstack deprecated the eventlet wsgi server in favor of using apache with mod_wsgi. This change disables the keystone service and adds a vhost to the existing apache server to run keystone using mod_wsgi.
Change-Id: I8125d8081c14550e86cd77b25185f27f500e368b
Closes-Bug: 1515628

- Mar 10, 2016
Leonardo Borda authored
Update the [handler_production] and [logger_root] parameters in logging.conf in order to ensure the logs are written to the syslogd daemon. Update to use the /dev/log socket from the syslogd daemon so that the logging works for both rsyslog and syslog.
Change-Id: I841f856637b9ca90b446025be6ddaadff7ae06cd
Closes-Bug: #1554871
Signed-off-by: Leonardo Borda <leonardo.borda@canonical.com>

Billy Olsen authored
This change adds a cron job definition to flush the keystone tokens once every hour. Without this, the keystone database grows unbounded, which can be problematic in production environments. This change introduces a new keystone-token-flush templated cron job, which will run the keystone-manage token_flush command as the keystone user once per hour. This change honors the use-syslog setting by sending output of the command either to the keystone-token-flush.log file or to the syslog using the logger exec. Only the juju service leader will have the cron job active in order to prevent multiple units from running the token_flush concurrently.
Change-Id: I21be3b23a8fe66b67fba0654ce498d62b3afc2ac
Closes-Bug: #1467832

- Mar 09, 2016
Leonardo Borda authored
Keystone charm currently supports 'log-level' but it is not handled at all. This setting should be applied independently (presumably it was the original intention for this config option) from debug and verbose mode. It also takes care of an improper value set by the user: if the user enters a non log-level option, the default 'ERROR' is used instead.
Change-Id: I53cc0cafed7e56be9d568726f7590a36d3be1a87
Closes-Bug: #1554865
Signed-off-by: Leonardo Borda <leonardo.borda@canonical.com>

Liam Young authored
This change enables the Keystone v3 api. It can be toggled on and off via the preferred-api-version option. When services join the identity-service relation they will be presented with a new parameter api_version which is the maximum api version the keystone charm supports and matches what was set via preferred-api-version.

If preferred-api-version is set to 3 then the charm will render a new policy.json which adds support for domains etc. when keystone is checking authorisation. The new policy.json requires an admin domain to be created and specifies that a user is classed as an admin of the whole cloud if they have the admin role against that admin domain. The admin domain, called admin_domain, is created by the charm. The name of this domain is currently not user configurable. The role that enables a user to be classed as an admin is specified by the old charm option admin-role. The charm grants admin-role to the admin-user against the admin_domain.

Switching a deployed cloud from preferred-api-version 2 to preferred-api-version 3 is supported. Switching from preferred-api-version 3 to preferred-api-version 2 should work from the charm point of view but may cause problems if there are duplicate users between domains or may have unintended consequences like escalating the privilege of some users, so it is not recommended.
Change-Id: I8eec2a90e0acbf56ee72cb5036a0a21f4a77a2c3

- Dec 07, 2015
Edward Hope-Morley authored
Ensure ssl certs always synced.
Partially-Closes-Bug: 1520339

- Jun 09, 2015
Edward Hope-Morley authored
Replace deprecated bind_host with admin_bind_host and public_bind_host in keystone.conf
Closes-Bug: 1463305

- Apr 13, 2015
Corey Bryant authored

Corey Bryant authored

- Apr 01, 2015
Liam Young authored
Add token-expiration to allow the time a token should remain valid (in seconds) to be set. Remove token-expiry which seems unused.

- Mar 24, 2015
James Page authored

James Page authored

- Mar 18, 2015
Corey Bryant authored

- Feb 19, 2015
Edward Hope-Morley authored
Adds missing logging.conf template for Essex
Closes-Bug: 1423513

- Feb 03, 2015
Ryan Beisner authored
the correct driver. Fixes bug 1417211.

- Jan 19, 2015
Edward Hope-Morley authored
Set root logger level to DEBUG in /etc/logging.conf if debug is True otherwise keystone logger remains as WARNING.
Closes-Bug: 1407317

- Jan 16, 2015
Edward Hope-Morley authored

- Jan 08, 2015
Edward Hope-Morley authored

Edward Hope-Morley authored
Set log level to DEBUG in /etc/logging.conf if debug is True
Closes-Bug: 1407317

- Dec 16, 2014
Corey Bryant authored

- Dec 15, 2014
Corey Bryant authored

- Oct 07, 2014
James Page authored

- Sep 29, 2014
James Page authored

- Sep 24, 2014
Hui Xiang authored