Merge "Fix handling options for mitaka,newton" into release/2019.2.0
diff --git a/README.rst b/README.rst
index 6ce524f..b0b4caa 100644
--- a/README.rst
+++ b/README.rst
@@ -884,16 +884,16 @@
keystone:
server:
security_compliance:
- disable_user_account_days_inactive: 90
- lockout_failure_attempts: 5
+ disable_user_account_days_inactive: 365
+ lockout_failure_attempts: 60
lockout_duration: 600
- password_expires_days: 90
- unique_last_password_count: 10
+ password_expires_days: 730
+ unique_last_password_count: 5
minimum_password_age: 0
- password_regex: '^(?=.*\d)(?=.*[a-zA-Z]).{7,}$$'
- password_regex_description: 'Your password must contains at least 1 letter, 1 digit, and have a minimum length of 7 characters'
- change_password_upon_first_use: true
-
+ password_regex: '^[a-zA-Z0-9~!@#%^&\*_=+]{32,}$$'
+ password_regex_description: |
+ 'Your password could contains capital letters, lowercase letters, digits, symbols "~ ! @ # % ^ & * _ = +" and have a minimum length of 32 characters'
+ change_password_upon_first_use: False
Define extra user options.
-------------------------
diff --git a/_modules/keystonev3/common.py b/_modules/keystonev3/common.py
index 9f2c8b1..abea33d 100644
--- a/_modules/keystonev3/common.py
+++ b/_modules/keystonev3/common.py
@@ -102,12 +102,14 @@
kwargs.pop(k)
url, json = func(*args, **kwargs)
response = None
+ last_exception = None
for i in range(connect_retries):
try:
response = getattr(adapter, method)(
url, connect_retries=connect_retries,
json=json)
except Exception as e:
+ last_exception = e
if not hasattr(e, 'http_status') or (e.http_status >= 500
or e.http_status == 0):
msg = ("Got retriable exception when contacting "
@@ -116,7 +118,13 @@
log.error(msg % (connect_retry_delay, i, connect_retries))
time.sleep(connect_retry_delay)
continue
- break
+ else:
+ break
+ else:
+ last_exception = None
+ break
+ if last_exception:
+ raise KeystoneException(last_exception.message)
if not response or not response.content:
return {}
try:
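Review bot: The added `raise KeystoneException(last_exception.message)` after the retry loop depends on an attribute that is not reliably present: built-in Python 3 exceptions have no `.message`, and on Python 2 it is deprecated and only populated when the exception was built with a single argument. The raise can therefore fail with AttributeError or carry an empty message. Use `if last_exception is not None:` and `raise KeystoneException(str(last_exception))`. Wrapping also drops `http_status` from the original exception, so a caller that tells a 404 from a 401 by that attribute would lose the distinction (callers are not visible here); consider carrying it over onto the new exception. The enclosing function starts and ends outside both hunks of this file.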
diff --git a/_states/keystonev3.py b/_states/keystonev3.py
index f7b6f60..d390c14 100644
--- a/_states/keystonev3.py
+++ b/_states/keystonev3.py
@@ -251,7 +251,7 @@
'user_create', name=name, cloud_name=cloud_name, **kwargs
)
except Exception as e:
- log.error('Keystone user create failed with {}'.format(e))
+ log.error('Keystone user create failed with: {}'.format(e))
return _create_failed(name, 'user')
return _created(name, 'user', resp)
diff --git a/keystone/client/resources/v3.sls b/keystone/client/resources/v3.sls
index 8f58f0c..8cac028 100644
--- a/keystone/client/resources/v3.sls
+++ b/keystone/client/resources/v3.sls
@@ -214,6 +214,8 @@
{%- if role.role_domain_id is defined %}
- role_domain_id: {{ role.role_domain_id }}
{%- endif %}
+ - require:
+ - keystone_user_{{ user_name }}
{%- elif role.get('status', 'assigned') == 'unassigned' %}
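Review bot: The `require` added to the role-assignment state is unconditional, so every user that has roles needs a state with the ID `keystone_user_{{ user_name }}` in the same render. Whether that ID is always emitted is not visible in this hunk, and a requisite that points at a missing ID fails the state run. If the user state can be skipped by a condition, wrap these two lines in the same condition. The bare-ID form also relies on the Salt version in use accepting requisites without a state module name, which is worth confirming for the targeted releases.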
diff --git a/keystone/server.sls b/keystone/server.sls
index 2c9e6b1..886b5e8 100644
--- a/keystone/server.sls
+++ b/keystone/server.sls
@@ -425,7 +425,7 @@
- runas: 'keystone'
- unless:
. /var/lib/keystone/keystonercv3; openstack endpoint list --service identity --interface internal -f value -c URL |grep {{ server.bind.get('port', 5000) }}
- {%- if grains.get('noservices', False) %}
+ {%- if server.get('role', 'secondary') != 'primary' or grains.get('noservices', False) %}
- onlyif: /bin/false
{%- endif %}
- require:
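Review bot: The new condition defaults `role` to `'secondary'`, so any node whose pillar does not set `server.role` now gets `onlyif: /bin/false` and this state never runs there. That includes single-node deployments that ran it before this change, and nothing reports the skip. If an unset role should keep the old behaviour, use `server.get('role', 'primary')`; otherwise document next to the condition, and in the README, that exactly one node must set `role: primary`. The state itself starts and ends outside the hunk.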
diff --git a/tests/pillar/cluster.sls b/tests/pillar/cluster.sls
index 24b17f4..11e0e7d 100644
--- a/tests/pillar/cluster.sls
+++ b/tests/pillar/cluster.sls
@@ -30,14 +30,15 @@
notification_format: cadf
security_compliance:
disable_user_account_days_inactive: 90
- lockout_failure_attempts: 5
+ lockout_failure_attempts: 60
lockout_duration: 600
- password_expires_days: 90
- unique_last_password_count: 10
+ password_expires_days: 730
+ unique_last_password_count: 5
minimum_password_age: 0
- password_regex: '^(?=.*\d)(?=.*[a-zA-Z]).{7,}$$'
- password_regex_description: 'Your password must contains at least 1 letter, 1 digit, and have a minimum length of 7 characters'
- change_password_upon_first_use: True
+ password_regex: '^[a-zA-Z0-9]{32,}$$'
+ password_regex_description: |
+ Your password could contains capital letters, lowercase letters, digits and have a minimum length of 32 characters
+ change_password_upon_first_use: False
logging:
log_appender: false
log_handlers:
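Review bot: The test pillar's `password_regex: '^[a-zA-Z0-9]{32,}$$'` does not match the README example in this commit, which also allows `~!@#%^&*_=+`, so the tests exercise a different policy from the documented one. The same applies to tests/pillar/single.sls. Align them with `password_regex: '^[a-zA-Z0-9~!@#%^&\*_=+]{32,}$$'`, or state in a comment that the fixture is narrower on purpose. `lockout_failure_attempts: 60` with `lockout_duration: 600` allows twelve times as many failed logins per lockout window as the previous 5. A comment such as `# relaxed thresholds; these apply to every user this policy covers` would mark the values as deliberate, so they are not copied into production pillars unexamined. The `|` block scalar on `password_regex_description` also appends a trailing newline to the message; a plain quoted string avoids that.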
diff --git a/tests/pillar/single.sls b/tests/pillar/single.sls
index 3570ed1..7227af7 100644
--- a/tests/pillar/single.sls
+++ b/tests/pillar/single.sls
@@ -31,14 +31,15 @@
notification_format: cadf
security_compliance:
disable_user_account_days_inactive: 90
- lockout_failure_attempts: 5
+ lockout_failure_attempts: 60
lockout_duration: 600
- password_expires_days: 90
- unique_last_password_count: 10
+ password_expires_days: 730
+ unique_last_password_count: 5
minimum_password_age: 0
- password_regex: '^(?=.*\d)(?=.*[a-zA-Z]).{7,}$$'
- password_regex_description: 'Your password must contains at least 1 letter, 1 digit, and have a minimum length of 7 characters'
- change_password_upon_first_use: True
+ password_regex: '^[a-zA-Z0-9]{32,}$$'
+ password_regex_description: |
+ Your password could contains capital letters, lowercase letters, digits and have a minimum length of 32 characters
+ change_password_upon_first_use: False
logging:
log_appender: false
log_handlers: