)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":38651,"name":"Taavi Ansper","display_name":"TafkaMax","email":"taaviansperr@gmail.com","username":"taaviansper"},"change_message_id":"9fba9eb48628c146bee4c5a86f8fce3b93f48f77","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"ff4540f0_5fa5b1b0","updated":"2026-04-03 10:10:13.000000000","message":"2025.2-only change of https://review.opendev.org/c/openstack/kolla-ansible/+/983279\n\nDue to python-openstackclient not working properly in master branch after this change: https://review.opendev.org/c/openstack/python-openstackclient/+/975971","commit_id":"07c63a67807d46e757eae90e47af8715ad46bfbe"},{"author":{"_account_id":37203,"name":"Bertrand Lanson","display_name":"Bertrand Lanson","email":"bertrand.lanson@infomaniak.com","username":"lanson","status":"Infomaniak Network SA"},"change_message_id":"8fac22cd42ac4948467bb9ff3ab90754fc32bc20","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":17,"id":"3aa10f76_c0f98c61","updated":"2026-04-24 22:28:49.000000000","message":"nitpicks here and there but otherwise LGTM","commit_id":"200c102a366666e595824f97934a965aaa2f1c98"}],"ansible/roles/keystone/defaults/main.yml":[{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"7a668868b9d2a05de6063e414b364b85d5f10a07","unresolved":true,"context_lines":[{"line_number":262,"context_line":"keystone_host_federation_base_folder: \"{{ node_config_directory }}/{% if keystone_wsgi_provider \u003d\u003d \u0027uwsgi\u0027 %}keystone-httpd{% else %}keystone{% endif %}/federation\""},{"line_number":263,"context_line":"keystone_host_federation_oidc_metadata_folder: \"{{ keystone_host_federation_base_folder }}/oidc/metadata\""},{"line_number":264,"context_line":"keystone_host_federation_oidc_idp_certificate_folder: \"{{ keystone_host_federation_base_folder 
}}/oidc/cert\""},{"line_number":265,"context_line":"keystone_host_federation_oidc_attribute_mappings_folder: \"{{ keystone_host_federation_base_folder }}/oidc/attribute_maps\""},{"line_number":266,"context_line":"keystone_federation_oidc_jwks_uri: \"\""},{"line_number":267,"context_line":"keystone_federation_oidc_additional_options: {}"},{"line_number":268,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":3,"id":"b9c2df60_c6f597f7","line":265,"updated":"2026-04-09 10:16:55.000000000","message":"this is failing in CI:\n\nhttps://c6fd057898d80590a835-66f615728c2509811faa1d1728f27489.ssl.cf2.rackcdn.com/openstack/20736d5e78a348b4b4131687c94e9bfe/primary/logs/ansible/deploy\n\n    },\n    \"item\": {\n        \"file\": \"/etc/kolla/config/keystone/federation/oidc/attribute_maps/attribute_mapping.json\",\n        \"name\": \"sso_oidc_mapping\"\n    },\n    \"msg\": \"non-zero return code\",\n    \"rc\": 1,\n    \"start\": \"2026-04-03 10:30:12.385768\",\n    \"stderr\": \"\",\n    \"stderr_lines\": [],\n    \"stdout\": \"Error occurred trying to read from file /var/lib/kolla/config_files/federation/oidc/attribute_maps/attribute_mapping.json\",\n    \"stdout_lines\": [\n        \"Error occurred trying to read from file /var/lib/kolla/config_files/federation/oidc/attribute_maps/attribute_mapping.json\"\n    ]\n}\n\neasiest fix would be to change attribute mapping only back to keystone config tree.","commit_id":"07c63a67807d46e757eae90e47af8715ad46bfbe"},{"author":{"_account_id":38651,"name":"Taavi Ansper","display_name":"TafkaMax","email":"taaviansperr@gmail.com","username":"taaviansper"},"change_message_id":"e49d13956a9bb66f8c64867f0f234dfea32f268b","unresolved":true,"context_lines":[{"line_number":262,"context_line":"keystone_host_federation_base_folder: \"{{ node_config_directory }}/{% if keystone_wsgi_provider \u003d\u003d \u0027uwsgi\u0027 %}keystone-httpd{% else %}keystone{% endif 
%}/federation\""},{"line_number":263,"context_line":"keystone_host_federation_oidc_metadata_folder: \"{{ keystone_host_federation_base_folder }}/oidc/metadata\""},{"line_number":264,"context_line":"keystone_host_federation_oidc_idp_certificate_folder: \"{{ keystone_host_federation_base_folder }}/oidc/cert\""},{"line_number":265,"context_line":"keystone_host_federation_oidc_attribute_mappings_folder: \"{{ keystone_host_federation_base_folder }}/oidc/attribute_maps\""},{"line_number":266,"context_line":"keystone_federation_oidc_jwks_uri: \"\""},{"line_number":267,"context_line":"keystone_federation_oidc_additional_options: {}"},{"line_number":268,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":3,"id":"8b4c093a_53ce3c8f","line":265,"in_reply_to":"631e74c7_ad8b3e5f","updated":"2026-04-12 19:28:48.000000000","message":"Ugh. Using the openstack.cloud modules, something is not quite right in the kolla-ansible toolbox liking. \n\n    \"msg\": \"Task failed: Finalization of task args for \u0027openstack.cloud.federation_mapping\u0027 failed: Error while resolving value for \u0027rules\u0027: The filter plugin \u0027ansible.builtin.from_json\u0027 failed: Expecting property name enclosed in double quotes: line 1 column 3 (char 2)\"\n    \n\nOne way would be to give 2025.2 custom logic to copy federation files for BOTH keystone and keystone-httpd containers and then use the old python-openstackclient logic, but run the commands from inside the keystone container that has the client installed and the config files mounted.","commit_id":"07c63a67807d46e757eae90e47af8715ad46bfbe"},{"author":{"_account_id":38651,"name":"Taavi Ansper","display_name":"TafkaMax","email":"taaviansperr@gmail.com","username":"taaviansper"},"change_message_id":"3d511b6ff669320db8e617ff0eb12856302c5f0c","unresolved":false,"context_lines":[{"line_number":262,"context_line":"keystone_host_federation_base_folder: \"{{ node_config_directory }}/{% if keystone_wsgi_provider \u003d\u003d 
\u0027uwsgi\u0027 %}keystone-httpd{% else %}keystone{% endif %}/federation\""},{"line_number":263,"context_line":"keystone_host_federation_oidc_metadata_folder: \"{{ keystone_host_federation_base_folder }}/oidc/metadata\""},{"line_number":264,"context_line":"keystone_host_federation_oidc_idp_certificate_folder: \"{{ keystone_host_federation_base_folder }}/oidc/cert\""},{"line_number":265,"context_line":"keystone_host_federation_oidc_attribute_mappings_folder: \"{{ keystone_host_federation_base_folder }}/oidc/attribute_maps\""},{"line_number":266,"context_line":"keystone_federation_oidc_jwks_uri: \"\""},{"line_number":267,"context_line":"keystone_federation_oidc_additional_options: {}"},{"line_number":268,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":3,"id":"04cb8da5_31d3387b","line":265,"in_reply_to":"8b4c093a_53ce3c8f","updated":"2026-04-24 20:29:41.000000000","message":"OK. So in conclusion. I was not able to use openstack.cloud module in 2025.2 due to the above-mentioned issue. I am not sure who or what is the culprit. I feel it might be the kolla-toolbox before it was reworked recently.\n\nAnyway, because the keystone-httpd container does not have python-openstackclient installed all of the \"central command commands\" for configuring IDP need to be done from the keystone container. But for the config to work the files need to be present in the keystone-httpd container. Looking at the current logic I therefore decided to just copy over the config files from /etc/kolla/keystone/federation (or whatever might be the config folder, as it is a variable) and copy them to the keystone-httpd folder. 
It is very similar how the fix works in the launchpad report.\n\nBecause the role deletes previous files beforehand I added the same logic to the copied files, so they are also deleted before adding new files.","commit_id":"07c63a67807d46e757eae90e47af8715ad46bfbe"},{"author":{"_account_id":38651,"name":"Taavi Ansper","display_name":"TafkaMax","email":"taaviansperr@gmail.com","username":"taaviansper"},"change_message_id":"ee14f2d8ba0263d03f168b9160ad372825952fbb","unresolved":true,"context_lines":[{"line_number":262,"context_line":"keystone_host_federation_base_folder: \"{{ node_config_directory }}/{% if keystone_wsgi_provider \u003d\u003d \u0027uwsgi\u0027 %}keystone-httpd{% else %}keystone{% endif %}/federation\""},{"line_number":263,"context_line":"keystone_host_federation_oidc_metadata_folder: \"{{ keystone_host_federation_base_folder }}/oidc/metadata\""},{"line_number":264,"context_line":"keystone_host_federation_oidc_idp_certificate_folder: \"{{ keystone_host_federation_base_folder }}/oidc/cert\""},{"line_number":265,"context_line":"keystone_host_federation_oidc_attribute_mappings_folder: \"{{ keystone_host_federation_base_folder }}/oidc/attribute_maps\""},{"line_number":266,"context_line":"keystone_federation_oidc_jwks_uri: \"\""},{"line_number":267,"context_line":"keystone_federation_oidc_additional_options: {}"},{"line_number":268,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":3,"id":"631e74c7_ad8b3e5f","line":265,"in_reply_to":"b9c2df60_c6f597f7","updated":"2026-04-11 12:20:46.000000000","message":"Hmm, this should be actually the main fix. With 2025.2 and later if not using apache WSGI you need to put the federation files under keystone-httpd directory. I had the wrong paths as I was testing the apache WSGI in the CI. I changed all of the paths back to keystone-httpd.\n\nEDIT: OK I think I found the issue. 
With the old logic we need to run the commands from the keystone-httpd container instead of the keystone container.\n\nEDIT2: After changing the container to \"OCI runtime exec failed: exec failed: unable to start container process: exec: \\\"openstack\\\": executable file not found in $PATH\", I REALLY think we should move the federation config to openstack.cloud modules instead it would make it a lot easier.","commit_id":"07c63a67807d46e757eae90e47af8715ad46bfbe"}],"releasenotes/notes/bug-2134455-idp-fixes-stable-2025-2-only-b4931b7577e54dac.yaml":[{"author":{"_account_id":37203,"name":"Bertrand Lanson","display_name":"Bertrand Lanson","email":"bertrand.lanson@infomaniak.com","username":"lanson","status":"Infomaniak Network SA"},"change_message_id":"8fac22cd42ac4948467bb9ff3ab90754fc32bc20","unresolved":true,"context_lines":[{"line_number":6,"context_line":"    migration to the uwsgi container the federation logic remained in"},{"line_number":7,"context_line":"    the keystone-httpd container, but the federation files were never"},{"line_number":8,"context_line":"    mounted there."},{"line_number":9,"context_line":"    `LP#2134455 https://launchpad.net/bugs/2134455`"},{"line_number":10,"context_line":"other:"},{"line_number":11,"context_line":"  - |"},{"line_number":12,"context_line":"    Add more CI coverage for Federation codepath."}],"source_content_type":"text/x-yaml","patch_set":17,"id":"1e499eac_0e406168","line":9,"updated":"2026-04-24 22:28:49.000000000","message":"Should be I think\n\n```suggestion\n    `LP#2134455 \u003chttps://launchpad.net/bugs/2134455\u003e`__\n```","commit_id":"200c102a366666e595824f97934a965aaa2f1c98"},{"author":{"_account_id":38651,"name":"Taavi Ansper","display_name":"TafkaMax","email":"taaviansperr@gmail.com","username":"taaviansper"},"change_message_id":"e801331c2e5b5e477e3d5e603b200da953fbc00a","unresolved":false,"context_lines":[{"line_number":6,"context_line":"    migration to the uwsgi container the federation logic 
remained in"},{"line_number":7,"context_line":"    the keystone-httpd container, but the federation files were never"},{"line_number":8,"context_line":"    mounted there."},{"line_number":9,"context_line":"    `LP#2134455 https://launchpad.net/bugs/2134455`"},{"line_number":10,"context_line":"other:"},{"line_number":11,"context_line":"  - |"},{"line_number":12,"context_line":"    Add more CI coverage for Federation codepath."}],"source_content_type":"text/x-yaml","patch_set":17,"id":"06a6434b_8f0b6236","line":9,"in_reply_to":"1e499eac_0e406168","updated":"2026-04-25 10:12:19.000000000","message":"Done","commit_id":"200c102a366666e595824f97934a965aaa2f1c98"}],"tests/templates/keystone-federation/attribute_mapping.json":[{"author":{"_account_id":37203,"name":"Bertrand Lanson","display_name":"Bertrand Lanson","email":"bertrand.lanson@infomaniak.com","username":"lanson","status":"Infomaniak Network SA"},"change_message_id":"8fac22cd42ac4948467bb9ff3ab90754fc32bc20","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":17,"id":"fefed9f8_55931383","line":44,"updated":"2026-04-24 22:28:49.000000000","message":"nit extra newline (:","commit_id":"200c102a366666e595824f97934a965aaa2f1c98"},{"author":{"_account_id":38651,"name":"Taavi Ansper","display_name":"TafkaMax","email":"taaviansperr@gmail.com","username":"taaviansper"},"change_message_id":"e801331c2e5b5e477e3d5e603b200da953fbc00a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":17,"id":"564b617a_84c57438","line":44,"in_reply_to":"fefed9f8_55931383","updated":"2026-04-25 10:12:19.000000000","message":"Done","commit_id":"200c102a366666e595824f97934a965aaa2f1c98"}],"tests/templates/keystone-federation/idp.example.org%2Frealms%2Fexample.provider.j2":[{"author":{"_account_id":37203,"name":"Bertrand Lanson","display_name":"Bertrand Lanson","email":"bertrand.lanson@infomaniak.com","username":"lanson","status":"Infomaniak Network 
SA"},"change_message_id":"c3d2253605dfa5ad35501ba06dfbf2b82e6fdc26","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":17,"id":"c0bd8825_cdea0e8c","line":325,"updated":"2026-04-24 22:30:44.000000000","message":"nit extra newline (:","commit_id":"200c102a366666e595824f97934a965aaa2f1c98"},{"author":{"_account_id":38651,"name":"Taavi Ansper","display_name":"TafkaMax","email":"taaviansperr@gmail.com","username":"taaviansper"},"change_message_id":"e801331c2e5b5e477e3d5e603b200da953fbc00a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":17,"id":"71ea658e_575ad537","line":325,"in_reply_to":"c0bd8825_cdea0e8c","updated":"2026-04-25 10:12:19.000000000","message":"Done","commit_id":"200c102a366666e595824f97934a965aaa2f1c98"}]}
