978853 – token_format should be configurable

Bug 978853 - token_format should be configurable

Summary: token_format should be configurable

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-packstack
Sub Component:
Version:	3.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	urgent
Target Milestone:	async
Target Release:	3.0
Assignee:	Martin Magr
QA Contact:	Nir Magnezi
Docs Contact:
URL:
Whiteboard:
Depends On:	975050 975153
Blocks:
TreeView+	depends on / blocked

Reported:	2013-06-27 08:30 UTC by Martin Magr
Modified:	2016-04-26 20:34 UTC (History)
CC List:	12 users (show)
Fixed In Version:	openstack-packstack-2013.1.1-0.23.dev642.el6ost
Doc Type:	Enhancement
Doc Text:	PackStack now allows user selection of the token format to be used by the Identity service (Keystone). The new configuration key is CONFIG_KEYSTONE_TOKEN_FORMAT controls which token format is used. Valid values are UUID of PKI. The recommended value for new deployments is PKI.
Clone Of:	975153
Clones:	984683 (view as bug list)
Environment:
Last Closed:	2013-07-15 19:17:02 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
OpenStack gerrit	33410	None	None	None	Never
OpenStack gerrit	34694	None	None	None	Never
Red Hat Product Errata	RHBA-2013:1058	normal	SHIPPED_LIVE	Red Hat OpenStack 3.0 bug fix advisory	2013-07-15 23:16:24 UTC

Description Martin Magr 2013-06-27 08:30:12 UTC

+++ This bug was initially created as a clone of Bug #975153 +++

+++ This bug was initially created as a clone of Bug #975050 +++

Description of problem:
in Grizzly the default token_format changed from UUID to PKI.

While in the RHOS 3.0 release, we primarily worked with UUID, we would like to follow upstream in the future.

For RHOS 4.0, we would like to use PKI by default from packstack.

Perhaps as a 3.0.z release of packstack, it would be ideal to have the option to turn on PKI tokens but not affect existing answer files.  That is, prompt the user for a token type, and the default should be 'UUID', but allow 'PKI'.

Version-Release number of selected component (if applicable):
openstack-packstack-2013.1.1-0.17.dev631.el6ost.noarch

--- Additional comment from Adam Young on 2013-06-17 13:38:01 EDT ---

Specifically, we should not force the token format to be UUID tokens.  This was done by a puppet module chance in 3.0 but has been changed in upstream puppet to align with upstream Keystone.

Comment 1 Martin Magr 2013-06-27 08:36:36 UTC

Backported to Grizzly branch.

Comment 3 Alan Pevec 2013-07-11 18:39:26 UTC

Note that upstream packstack grizzly has "DEFAULT_VALUE"   : 'PKI'
but RHOS rpm includes additional patch which keeps default UUID:
 http://pkgs.devel.redhat.com/cgit/rpms/openstack-packstack/tree/0007-token_format-bz975050.patch?h=rh-grizzly-rhel-6

Comment 4 Nir Magnezi 2013-07-14 09:31:23 UTC

Verified NVR: openstack-packstack-2013.1.1-0.23.dev642.el6ost.noarch
* Verified With RHOS

Verification Steps:
===================
1. Installed packstack and generated an answer-file
2. Verified that an attribute named CONFIG_KEYSTONE_TOKEN_FORMAT was added to the file.
3. Verified that CONFIG_KEYSTONE_TOKEN_FORMAT default value is UUID
4. Installed Openstack with UUID Configured
5. Installed Openstack with PKI Configured

Result:
=======
1. Both installations (steps 4,5) passed OK.
2. Sanity tests passed OK.

Comment 6 errata-xmlrpc 2013-07-15 19:17:02 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1058.html

Note You need to log in before you can comment on or make changes to this bug.