def keystone_fid_service_provider_broken():
    """Restart keystone unless the deployed release predates Ocata.

    Judging by its name, this handles the keystone-fid-service-provider
    relation being broken. On releases older than Ocata the relation is
    not supported, so the event is logged and no restart is performed.
    """
    keystone_release = CompareOpenStackReleases(os_release('keystone'))
    if keystone_release < 'ocata':
        log('Ignoring keystone-fid-service-provider relation as it is'
            ' not supported on releases older than Ocata')
    else:
        restart_keystone()
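def keystone_fid_service_provider_changed():
    """React to changed data on the keystone-fid-service-provider relation.

    Only logs and returns when the API version is below 3 or the keystone
    release is older than Ocata. Otherwise it republishes this unit's data
    on the relation, rewrites KEYSTONE_CONF and, when the remote side has
    published a ``restart-nonce`` that differs from the one recorded in
    unit-local storage for this relation id, restarts keystone and records
    the new nonce.

    Raises:
        ValueError: if ``restart-nonce`` is set but is not valid JSON
            (raised by ``json.loads``).
    """
    if get_api_version() < 3:
        log('Identity federation is only supported with keystone v3')
        return
    if CompareOpenStackReleases(os_release('keystone')) < 'ocata':
        log('Ignoring keystone-fid-service-provider relation as it is'
            ' not supported on releases older than Ocata')
        return
    # for the join case a keystone public-facing hostname and service
    # port need to be set
    update_keystone_fid_service_provider(relation_id=relation_id())

    # handle relation data updates (if any), e.g. remote_id_attribute
    # and a restart will be handled via a nonce, not restart_on_change
    CONFIGS.write(KEYSTONE_CONF)

    # The relation is container-scoped so this keystone unit's unitdata
    # will only contain a nonce of a single fid subordinate for a given
    # fid backend (relation id)
    restart_nonce = relation_get('restart-nonce')
    if not restart_nonce:
        return

    # The nonce is supplied by the remote side of the relation; malformed
    # JSON makes json.loads raise and the handler fail instead of
    # triggering a restart on undecodable data.
    nonce = json.loads(restart_nonce)
    # multiplex by relation id for multiple federated identity
    # provider charms
    fid_nonce_key = 'fid-restart-nonce-{}'.format(relation_id())
    db = unitdata.kv()
    # Compare the decoded nonce with the stored one. The value written
    # below is the decoded form, so comparing the raw JSON text against it
    # (as the code previously did) can never match a value this function
    # stored -- assuming the store returns what was set -- and keystone
    # would be restarted on every invocation that carries a nonce.
    if nonce != db.get(fid_nonce_key):
        restart_keystone()
        db.set(fid_nonce_key, nonce)
        db.flush()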
def domain_backend_changed(relation_id=None, unit=None):
    """Create the backend's domain and restart keystone on a new nonce.

    Reads ``domain-name`` and ``restart-nonce`` from the relation
    identified by ``relation_id`` / ``unit``. Nothing is done when the API
    version is below 3 or when no domain name has been published.

    Args:
        relation_id: passed to ``relation_get`` as ``rid``.
        unit: passed to ``relation_get`` as ``unit``.
    """
    if get_api_version() < 3:
        log('Domain specific backend identity configuration only supported '
            'with Keystone v3 API, skipping domain creation and '
            'restart.')
        return

    domain_name = relation_get(attribute='domain-name',
                               unit=unit,
                               rid=relation_id)
    if not domain_name:
        return

    # NOTE(jamespage): Only create domain data from lead
    #                  unit when clustered and database
    #                  is configured and created.
    if is_leader() and is_db_ready() and is_db_initialised():
        create_or_show_domain(domain_name)

    # NOTE(jamespage): Deployment may have multiple domains,
    #                  with different identity backends so
    #                  ensure that a domain specific nonce
    #                  is checked for restarts of keystone
    published_nonce = relation_get(attribute='restart-nonce',
                                   unit=unit,
                                   rid=relation_id)
    nonce_key = 'domain-restart-nonce-{}'.format(domain_name)
    kv_store = unitdata.kv()
    # The nonce is stored and compared in the same raw form it was read in.
    if published_nonce == kv_store.get(nonce_key):
        return
    restart_keystone()
    kv_store.set(nonce_key, published_nonce)
    kv_store.flush()