openstack/charm-keystone
Code Issues Proposed changes
165e875e59
charm-keystone/hooks/keystone_context.py

346 lines
12 KiB
Python
Raw Normal View History

Re-license charm as Apache-2.0 All contributors to this charm have agreed to the switch from GPL v3 to Apache 2.0; switch to Apache-2.0 license as agreed so we can move forward with official project status. Change-Id: Iaee75f59fe51f01da18aa2703a46c3885ade73c0
2016-07-01 17:22:19 +01:00
# Copyright 2016 Canonical Ltd
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
[hopem,r=] Fixes ssl cert sycnhronisation across peers Closes-Bug: 1317782
2015-01-05 17:49:38 +00:00
import os
add support for Federated IDentity (FID) and WebSSO * add support for relating with subordinate charms providing Service Provider functionality via apache2 authentication modules; * enable additional authentication methods on the keystone side to accept parsed assertion data provided via apache2 authentication module variables exported to WSGI environment; * move https frontend and WSGI API apache config files to keystone instead of relying on charm-helpers as modifications are needed there to add IncludeOptional directives. openstack_https_frontend.conf is added on purpose as ServerName cannot be correctly determined after ProxyPass which results in TLS errors during SAML exchange process; * add an additional relation to openstack-dashboard to provide URL information necessary to trust 'origin' parameter in WebSSO URLs used by horizon during the authentication process. Also add a context to render the federation section that is used to render this information in keystone.conf; Subordinates can choose to use different apache2 authentication modules. If those modules support vhost-level variables then multiple subordinates for the same module can be used. For example, mod_auth_mellon can be used multiple times in different vhosts to protect federated token endpoints related to different identity provider and protocol combinations). Trusted dashboard relation could be used to provide dashboard origin URL from a different site via cross-model relations. NOTE: this functionality will be triggered only on Ocata+ (inclusive) Change-Id: I1ef623b0b0e2a9f68cec4be550965c5e15e5f561
2018-04-26 00:36:02 +03:00
import json
[hopem,r=] Fixes ssl cert sycnhronisation across peers Closes-Bug: 1317782
2015-01-05 17:49:38 +00:00
Rewrite charm to get it more in line with other OpenStack charms. Added support for contexts and templating. Makes use of charm-helpers instead of relaying on its own tools (probably could use some additional work). HA is currently non-functional. ETA for fixing: less than 2 days.
2014-02-25 12:34:13 +01:00
from charmhelpers.contrib.openstack import context
from charmhelpers.contrib.hahelpers.cluster import (
determine_apache_port,
Removed sync-master logi
2015-01-12 12:45:22 +00:00
determine_api_port,
Snap install OpenStack in Charms Install OpenStack using snaps. By setting openstack-origin to snap:track/channel or snap:track the charm will use snaps to install rather than debs. If channel is left off it defaults to stable. For example: snap:ocata/edge will install the edge version of Ocata and snap:pike will install the stable version of Pike. Charm helpers sync for snap related helpers. Change-Id: I6e3540e4ffe081540404f91061e5c9b7039b3eac
2017-07-24 11:18:46 -07:00
https,
Rewrite charm to get it more in line with other OpenStack charms. Added support for contexts and templating. Makes use of charm-helpers instead of relaying on its own tools (probably could use some additional work). HA is currently non-functional. ETA for fixing: less than 2 days.
2014-02-25 12:34:13 +01:00
)
[hopem,r=] Fixes ssl cert sycnhronisation across peers Closes-Bug: 1317782
2015-01-05 17:49:38 +00:00
from charmhelpers.core.hookenv import (
Keystone Fernet Token implementation This patchset adds more Fernet token implementation: 1. Adds a cron job to rotate / sync keys to other units. 2. Adds additional tests around gating on config. 3. Adds rotation / syncing with more robust key handling. Change-Id: Ied021ad83c241f241dbb5f9acdede9045e43a8a3
2018-08-05 17:21:49 +01:00
charm_dir,
[hopem,r=] Fix SSL injection for ca/cert/key provided by config.
2015-03-18 14:48:33 +01:00
config,
[hopem,r=] Fixes ssl cert sycnhronisation across peers Closes-Bug: 1317782
2015-01-05 17:49:38 +00:00
log,
Refresh keystone.conf and policy.json for Mitaka and Newton keystone.conf: - Change log_config to log_config_append DEPRECATED - Remove verbose DEPRECATED - Remove eventlet_server section DEPRECATED - Remove ec2 section, no longer available in Keystone It has been moved to the keystonemiddleware package - Update driver names. Using full module path is DEPRECATED - Add resource section and specify admin_project_domain_name and admin_project_name mitaka/policy.json: - Refresh from upstream stable/mitaka - Apply stricter rule:service_role - Allow identity:list_projects to rule:service_role newton/policy.json: - Refresh from upstream stable/newton - Apply stricter rule:service_role - Allow identity:list_projects to rule:service_role hooks/keystone_context.py: - Add admin_domain_name to Keystone context tests/basic_deployment.py: - Add config check for changes for Mitaka and newer releases Partial-Bug: 1636098 Change-Id: Ib267418f34066eaf6e4885627010d2a18e312192
2016-11-08 08:49:36 +01:00
leader_get,
Fix issue with crontab enablement The token flush and token rotate crontabs are re-written when the leader unit changes inline with Juju leadership management. Align contexts used to generate crontabs with Juju leadership status, rather than corosync/pacemaker. Correct use of OpenStackCompareReleases to ensure that releases between ocata and queens don't automatically enable fernet token behaviour. Change-Id: I6db8d006ceac7b61e69f547682c5a49d876cfec6 Closes-Bug: 1816807
2019-02-21 14:58:58 +00:00
is_leader,
Keystone Fernet Token implementation This patchset adds more Fernet token implementation: 1. Adds a cron job to rotate / sync keys to other units. 2. Adds additional tests around gating on config. 3. Adds rotation / syncing with more robust key handling. Change-Id: Ied021ad83c241f241dbb5f9acdede9045e43a8a3
2018-08-05 17:21:49 +01:00
local_unit,
add support for Federated IDentity (FID) and WebSSO * add support for relating with subordinate charms providing Service Provider functionality via apache2 authentication modules; * enable additional authentication methods on the keystone side to accept parsed assertion data provided via apache2 authentication module variables exported to WSGI environment; * move https frontend and WSGI API apache config files to keystone instead of relying on charm-helpers as modifications are needed there to add IncludeOptional directives. openstack_https_frontend.conf is added on purpose as ServerName cannot be correctly determined after ProxyPass which results in TLS errors during SAML exchange process; * add an additional relation to openstack-dashboard to provide URL information necessary to trust 'origin' parameter in WebSSO URLs used by horizon during the authentication process. Also add a context to render the federation section that is used to render this information in keystone.conf; Subordinates can choose to use different apache2 authentication modules. If those modules support vhost-level variables then multiple subordinates for the same module can be used. For example, mod_auth_mellon can be used multiple times in different vhosts to protect federated token endpoints related to different identity provider and protocol combinations). Trusted dashboard relation could be used to provide dashboard origin URL from a different site via cross-model relations. NOTE: this functionality will be triggered only on Ocata+ (inclusive) Change-Id: I1ef623b0b0e2a9f68cec4be550965c5e15e5f561
2018-04-26 00:36:02 +03:00
related_units,
relation_ids,
relation_get,
[hopem,r=] Fixes ssl cert sycnhronisation across peers Closes-Bug: 1317782
2015-01-05 17:49:38 +00:00
)
Support https under multiple networks
2014-09-22 15:23:26 +01:00
Keystone Fernet Token implementation This patchset adds more Fernet token implementation: 1. Adds a cron job to rotate / sync keys to other units. 2. Adds additional tests around gating on config. 3. Adds rotation / syncing with more robust key handling. Change-Id: Ied021ad83c241f241dbb5f9acdede9045e43a8a3
2018-08-05 17:21:49 +01:00
from charmhelpers.contrib.openstack.utils import (
CompareOpenStackReleases,
os_release,
)
Snap install OpenStack in Charms Install OpenStack using snaps. By setting openstack-origin to snap:track/channel or snap:track the charm will use snaps to install rather than debs. If channel is left off it defaults to stable. For example: snap:ocata/edge will install the edge version of Ocata and snap:pike will install the stable version of Pike. Charm helpers sync for snap related helpers. Change-Id: I6e3540e4ffe081540404f91061e5c9b7039b3eac
2017-07-24 11:18:46 -07:00
Add support for Middleware This patch creates a new middleware context to retrieve data from subordinate charm and update the kesytone configuration file. It also allows integration with keystone-middleware interface: https://github.com/openstack-charmers/interface-keystone-middleware This patch uses the subordinate configuration approach to retrieve data from the subordinate charm. Every changes required for paste.ini file will be handled by the subordinate charm. The latter should deal with keystone upgrades. Closes-Bug: #1808597 Change-Id: I4897011fbc791abc97e34e75826579820e80a4f1
2018-12-17 13:46:13 +00:00
class MiddlewareContext(context.OSContextGenerator):
interfaces = ['keystone-middleware']
def __call__(self):
middlewares = []
for rid in relation_ids('keystone-middleware'):
if related_units(rid):
for unit in related_units(rid):
middleware_name = relation_get('middleware_name',
rid=rid,
unit=unit)
if middleware_name:
middlewares.append(middleware_name)
return {
'middlewares': ",".join(middlewares)
}
Remove support for PKI tokens and legacy charm managed certificates These features are disabled by default, a majority of our users provide certificates through configuration. At present the cluster relation carries information required for these features even when they are not enabled. This makes processing of cluster relation changes unnecessarily heavy and vulnerable to bugs. Notice of deprecation and removal in next release was given as part of the 18.05 release notes. Change-Id: I8b07c7e0d5c2c623c115c83dc8aff230b554a986 Closes-Bug: #1755897 Related-Bug: #1744990
2018-04-12 12:10:58 +02:00
class ApacheSSLContext(context.ApacheSSLContext):
Snap install OpenStack in Charms Install OpenStack using snaps. By setting openstack-origin to snap:track/channel or snap:track the charm will use snaps to install rather than debs. If channel is left off it defaults to stable. For example: snap:ocata/edge will install the edge version of Ocata and snap:pike will install the stable version of Pike. Charm helpers sync for snap related helpers. Change-Id: I6e3540e4ffe081540404f91061e5c9b7039b3eac
2017-07-24 11:18:46 -07:00
interfaces = ['https']
external_ports = []
service_namespace = 'keystone'
ssl_dir = os.path.join('/etc/apache2/ssl/', service_namespace)
def __call__(self):
# late import to work around circular dependency
from keystone_utils import (
determine_ports,
)
self.external_ports = determine_ports()
Remove support for PKI tokens and legacy charm managed certificates These features are disabled by default, a majority of our users provide certificates through configuration. At present the cluster relation carries information required for these features even when they are not enabled. This makes processing of cluster relation changes unnecessarily heavy and vulnerable to bugs. Notice of deprecation and removal in next release was given as part of the 18.05 release notes. Change-Id: I8b07c7e0d5c2c623c115c83dc8aff230b554a986 Closes-Bug: #1755897 Related-Bug: #1744990
2018-04-12 12:10:58 +02:00
return super(ApacheSSLContext, self).__call__()
Snap install OpenStack in Charms Install OpenStack using snaps. By setting openstack-origin to snap:track/channel or snap:track the charm will use snaps to install rather than debs. If channel is left off it defaults to stable. For example: snap:ocata/edge will install the edge version of Ocata and snap:pike will install the stable version of Pike. Charm helpers sync for snap related helpers. Change-Id: I6e3540e4ffe081540404f91061e5c9b7039b3eac
2017-07-24 11:18:46 -07:00
Remove support for PKI tokens and legacy charm managed certificates These features are disabled by default, a majority of our users provide certificates through configuration. At present the cluster relation carries information required for these features even when they are not enabled. This makes processing of cluster relation changes unnecessarily heavy and vulnerable to bugs. Notice of deprecation and removal in next release was given as part of the 18.05 release notes. Change-Id: I8b07c7e0d5c2c623c115c83dc8aff230b554a986 Closes-Bug: #1755897 Related-Bug: #1744990
2018-04-12 12:10:58 +02:00
class NginxSSLContext(context.ApacheSSLContext):
Snap install OpenStack in Charms Install OpenStack using snaps. By setting openstack-origin to snap:track/channel or snap:track the charm will use snaps to install rather than debs. If channel is left off it defaults to stable. For example: snap:ocata/edge will install the edge version of Ocata and snap:pike will install the stable version of Pike. Charm helpers sync for snap related helpers. Change-Id: I6e3540e4ffe081540404f91061e5c9b7039b3eac
2017-07-24 11:18:46 -07:00
interfaces = ['https']
external_ports = []
service_namespace = 'keystone'
ssl_dir = ('/var/snap/{}/common/lib/juju_ssl/{}/'
''.format(service_namespace, service_namespace))
def __call__(self):
# late import to work around circular dependency
from keystone_utils import (
determine_ports,
)
self.external_ports = determine_ports()
ret = super(NginxSSLContext, self).__call__()
if not ret:
log("SSL not used", level='DEBUG')
return {}
# Transform for use by Nginx
"""
{'endpoints': [(u'10.5.0.30', u'10.5.0.30', 4990, 4980),
(u'10.5.0.30', u'10.5.0.30', 35347, 35337)],
'ext_ports': [4990, 35347],
'namespace': 'keystone'}
"""
nginx_ret = {}
nginx_ret['ssl'] = https()
nginx_ret['namespace'] = self.service_namespace
endpoints = {}
for ep in ret['endpoints']:
int_address, address, ext, internal = ep
if ext <= 5000:
endpoints['public'] = {
'socket': 'public',
'address': address,
'ext': ext}
elif ext >= 35337:
endpoints['admin'] = {
'socket': 'admin',
'address': address,
'ext': ext}
else:
log("Unrecognized internal port", level='ERROR')
nginx_ret['endpoints'] = endpoints
return nginx_ret
def enable_modules(self):
return
Rewrite charm to get it more in line with other OpenStack charms. Added support for contexts and templating. Makes use of charm-helpers instead of relaying on its own tools (probably could use some additional work). HA is currently non-functional. ETA for fixing: less than 2 days.
2014-02-25 12:34:13 +01:00
class HAProxyContext(context.HAProxyContext):
interfaces = []
def __call__(self):
'''
Extends the main charmhelpers HAProxyContext with a port mapping
specific to this charm.
Also used to extend nova.conf context with correct api_listening_ports
'''
from keystone_utils import api_port
ctxt = super(HAProxyContext, self).__call__()
# determine which port api processes should bind to, depending
# on existence of haproxy + apache frontends
listen_ports = {}
listen_ports['admin_port'] = api_port('keystone-admin')
listen_ports['public_port'] = api_port('keystone-public')
# Apache ports
Enable haproxy for when there is a single unit in a deployment
2014-11-25 10:19:07 +00:00
a_admin_port = determine_apache_port(api_port('keystone-admin'),
singlenode_mode=True)
a_public_port = determine_apache_port(api_port('keystone-public'),
singlenode_mode=True)
Rewrite charm to get it more in line with other OpenStack charms. Added support for contexts and templating. Makes use of charm-helpers instead of relaying on its own tools (probably could use some additional work). HA is currently non-functional. ETA for fixing: less than 2 days.
2014-02-25 12:34:13 +01:00
port_mapping = {
'admin-port': [
api_port('keystone-admin'), a_admin_port],
'public-port': [
api_port('keystone-public'), a_public_port],
}
# for haproxy.conf
ctxt['service_ports'] = port_mapping
# for keystone.conf
ctxt['listen_ports'] = listen_ports
return ctxt
class KeystoneContext(context.OSContextGenerator):
interfaces = []
def __call__(self):
Add explicit endpoint configuration
2014-09-21 18:57:48 +01:00
from keystone_utils import (
[hopem,r=] Implement PKI token signing. Closes-Bug: 1309667
2015-02-18 17:20:23 +00:00
api_port, set_admin_token, endpoint_url, resolve_address,
Remove support for PKI tokens and legacy charm managed certificates These features are disabled by default, a majority of our users provide certificates through configuration. At present the cluster relation carries information required for these features even when they are not enabled. This makes processing of cluster relation changes unnecessarily heavy and vulnerable to bugs. Notice of deprecation and removal in next release was given as part of the 18.05 release notes. Change-Id: I8b07c7e0d5c2c623c115c83dc8aff230b554a986 Closes-Bug: #1755897 Related-Bug: #1744990
2018-04-12 12:10:58 +02:00
PUBLIC, ADMIN, ADMIN_DOMAIN,
Add OpenStack Queens support Keystone@Queens removes support for the v2 API; switch default to v3 API from Queens onwards and ensure that charm users can only provide 3 as via the preferred-api-version for >= Queens. Change-Id: I58fcbaa7fc385bef77544be349c7d461e3e5559b
2017-12-18 10:08:54 +00:00
snap_install_requested, get_api_version,
Add explicit endpoint configuration
2014-09-21 18:57:48 +01:00
)
Rewrite charm to get it more in line with other OpenStack charms. Added support for contexts and templating. Makes use of charm-helpers instead of relaying on its own tools (probably could use some additional work). HA is currently non-functional. ETA for fixing: less than 2 days.
2014-02-25 12:34:13 +01:00
ctxt = {}
Ensure configured admin-token is used if provided
2014-03-28 11:34:38 +00:00
ctxt['token'] = set_admin_token(config('admin-token'))
Add OpenStack Queens support Keystone@Queens removes support for the v2 API; switch default to v3 API from Queens onwards and ensure that charm users can only provide 3 as via the preferred-api-version for >= Queens. Change-Id: I58fcbaa7fc385bef77544be349c7d461e3e5559b
2017-12-18 10:08:54 +00:00
ctxt['api_version'] = get_api_version()
Enable Keystone v3 API This changes enables the Keystone v3 api. It can be toggled on and off via the preferred-api-version option. When services join the identity-service relation they will be presented with a new parameter api_version which is the maximum api version the keystone charm supports and matches what was set via preferred-api-version. If preferred-api-version is set to 3 then the charm will render a new policy.json which adds support for domains etc when keystone is checking authorisation. The new policy.json requires an admin domain to be created and specifies that a user is classed as an admin of the whole cloud if they have the admin role against that admin domain. The admin domain, called admin_domain, is created by the charm. The name of this domain is currently not user configurable. The role that enables a user to be classed as an admin is specified by the old charm option admin-role. The charm grants admin-role to the admin-user against the admin_domain. Switching a deployed cloud from preferred-api-version 2 to preferred-api-version 3 is supported. Switching from preferred-api-version 3 to preferred-api-version 2 should work from the charm point of view but may cause problems if there are duplicate users between domains or may have unintended consequences like escalating the privilege of some users so is not recommended. Change-Id: I8eec2a90e0acbf56ee72cb5036a0a21f4a77a2c3
2016-03-07 09:10:53 +00:00
ctxt['admin_role'] = config('admin-role')
if ctxt['api_version'] > 2:
Replace local storage of domain UUIDs with leader storage Currently the Keystone leader charm creates new domains and stores the UUIDs locally on disk. This approach predates charm relation-/ leader- storage, is error prone, and causes problems in HA setups. Move to leader storage and remove old interfaces. There is no need to migrate the on-disk stored data as it is read from the deployment and stored as a part of the upgrade process. Do not set default values for service_tenant_id, admin_domain_id and default_domain_id. This will cause context to be incomplete on peer units until the values are actually available. Change functional tests to run on Keystone cluster to verify contents of configuration and operation of services in clustered environment. Closes-Bug: 1637453 Change-Id: Id0eaf7bfceead627cc691e9b52dd889d60c05fa9
2016-11-28 09:33:55 +01:00
ctxt['service_tenant_id'] = \
leader_get(attribute='service_tenant_id')
Refresh keystone.conf and policy.json for Mitaka and Newton keystone.conf: - Change log_config to log_config_append DEPRECATED - Remove verbose DEPRECATED - Remove eventlet_server section DEPRECATED - Remove ec2 section, no longer available in Keystone It has been moved to the keystonemiddleware package - Update driver names. Using full module path is DEPRECATED - Add resource section and specify admin_project_domain_name and admin_project_name mitaka/policy.json: - Refresh from upstream stable/mitaka - Apply stricter rule:service_role - Allow identity:list_projects to rule:service_role newton/policy.json: - Refresh from upstream stable/newton - Apply stricter rule:service_role - Allow identity:list_projects to rule:service_role hooks/keystone_context.py: - Add admin_domain_name to Keystone context tests/basic_deployment.py: - Add config check for changes for Mitaka and newer releases Partial-Bug: 1636098 Change-Id: Ib267418f34066eaf6e4885627010d2a18e312192
2016-11-08 08:49:36 +01:00
ctxt['admin_domain_name'] = ADMIN_DOMAIN
Replace local storage of domain UUIDs with leader storage Currently the Keystone leader charm creates new domains and stores the UUIDs locally on disk. This approach predates charm relation-/ leader- storage, is error prone, and causes problems in HA setups. Move to leader storage and remove old interfaces. There is no need to migrate the on-disk stored data as it is read from the deployment and stored as a part of the upgrade process. Do not set default values for service_tenant_id, admin_domain_id and default_domain_id. This will cause context to be incomplete on peer units until the values are actually available. Change functional tests to run on Keystone cluster to verify contents of configuration and operation of services in clustered environment. Closes-Bug: 1637453 Change-Id: Id0eaf7bfceead627cc691e9b52dd889d60c05fa9
2016-11-28 09:33:55 +01:00
ctxt['admin_domain_id'] = \
leader_get(attribute='admin_domain_id')
ctxt['default_domain_id'] = \
leader_get(attribute='default_domain_id')
Enable haproxy for when there is a single unit in a deployment
2014-11-25 10:19:07 +00:00
ctxt['admin_port'] = determine_api_port(api_port('keystone-admin'),
singlenode_mode=True)
ctxt['public_port'] = determine_api_port(api_port('keystone-public'),
singlenode_mode=True)
more
2015-02-16 11:38:34 +00:00
change string debug and verbose to boolean LP#1398783
2015-10-21 23:54:06 +00:00
ctxt['debug'] = config('debug')
ctxt['verbose'] = config('verbose')
Add token-expiration to allow the time a token should remain valid (in seconds) to be set. Remove token-expiry which seems unused
2015-04-01 07:55:04 +01:00
ctxt['token_expiration'] = config('token-expiration')
more
2015-02-16 11:38:34 +00:00
Support ldap identity backend
2014-08-11 17:23:45 +08:00
ctxt['identity_backend'] = config('identity-backend')
ctxt['assignment_backend'] = config('assignment-backend')
Add initial support for Fernet tokens Starting OpenStack Rocky the currently used `uuid` token format is no longer supported and we need to change to use `fernet` tokens. This change provides basic functionalty to initialize fernet token repository and distribute keys to non-leader units. A configuration option is also added allowing change of token format in a controlled manner prior to upgrading to OpenStack Rocky. Further work is required to implement key rotation, actions etc. and these topics will be addressed in separate commits. The commit also fixes a instance of missing release check for writing of `policy.json`, and a few places where writing of `policy.json` previously was omitted. Change-Id: I1d0ff22a5f091b02f5700412745572c246103e9e
2018-07-24 12:38:37 +02:00
ctxt['token_provider'] = config('token-provider')
Keystone Fernet Token implementation This patchset adds more Fernet token implementation: 1. Adds a cron job to rotate / sync keys to other units. 2. Adds additional tests around gating on config. 3. Adds rotation / syncing with more robust key handling. Change-Id: Ied021ad83c241f241dbb5f9acdede9045e43a8a3
2018-08-05 17:21:49 +01:00
ctxt['fernet_max_active_keys'] = config('fernet-max-active-keys')
Support ldap identity backend
2014-08-11 17:23:45 +08:00
if config('identity-backend') == 'ldap':
ctxt['ldap_server'] = config('ldap-server')
ctxt['ldap_user'] = config('ldap-user')
ctxt['ldap_password'] = config('ldap-password')
ctxt['ldap_suffix'] = config('ldap-suffix')
Support using ldap identity backend
2014-08-12 13:39:51 +08:00
ctxt['ldap_readonly'] = config('ldap-readonly')
Support ldap identity backend
2014-08-11 17:23:45 +08:00
ldap_flags = config('ldap-config-flags')
if ldap_flags:
flags = context.config_flags_parser(ldap_flags)
ctxt['ldap_config_flags'] = flags
Drop v2.0 from base endpoints
2014-09-22 09:32:02 +01:00
# Base endpoint URL's which are used in keystone responses
# to unauthenticated requests to redirect clients to the
# correct auth URL.
ctxt['public_endpoint'] = endpoint_url(
resolve_address(PUBLIC),
Enable Keystone v3 API This changes enables the Keystone v3 api. It can be toggled on and off via the preferred-api-version option. When services join the identity-service relation they will be presented with a new parameter api_version which is the maximum api version the keystone charm supports and matches what was set via preferred-api-version. If preferred-api-version is set to 3 then the charm will render a new policy.json which adds support for domains etc when keystone is checking authorisation. The new policy.json requires an admin domain to be created and specifies that a user is classed as an admin of the whole cloud if they have the admin role against that admin domain. The admin domain, called admin_domain, is created by the charm. The name of this domain is currently not user configurable. The role that enables a user to be classed as an admin is specified by the old charm option admin-role. The charm grants admin-role to the admin-user against the admin_domain. Switching a deployed cloud from preferred-api-version 2 to preferred-api-version 3 is supported. Switching from preferred-api-version 3 to preferred-api-version 2 should work from the charm point of view but may cause problems if there are duplicate users between domains or may have unintended consequences like escalating the privilege of some users so is not recommended. Change-Id: I8eec2a90e0acbf56ee72cb5036a0a21f4a77a2c3
2016-03-07 09:10:53 +00:00
api_port('keystone-public')).replace('v2.0', '')
Drop v2.0 from base endpoints
2014-09-22 09:32:02 +01:00
ctxt['admin_endpoint'] = endpoint_url(
resolve_address(ADMIN),
Enable Keystone v3 API This changes enables the Keystone v3 api. It can be toggled on and off via the preferred-api-version option. When services join the identity-service relation they will be presented with a new parameter api_version which is the maximum api version the keystone charm supports and matches what was set via preferred-api-version. If preferred-api-version is set to 3 then the charm will render a new policy.json which adds support for domains etc when keystone is checking authorisation. The new policy.json requires an admin domain to be created and specifies that a user is classed as an admin of the whole cloud if they have the admin role against that admin domain. The admin domain, called admin_domain, is created by the charm. The name of this domain is currently not user configurable. The role that enables a user to be classed as an admin is specified by the old charm option admin-role. The charm grants admin-role to the admin-user against the admin_domain. Switching a deployed cloud from preferred-api-version 2 to preferred-api-version 3 is supported. Switching from preferred-api-version 3 to preferred-api-version 2 should work from the charm point of view but may cause problems if there are duplicate users between domains or may have unintended consequences like escalating the privilege of some users so is not recommended. Change-Id: I8eec2a90e0acbf56ee72cb5036a0a21f4a77a2c3
2016-03-07 09:10:53 +00:00
api_port('keystone-admin')).replace('v2.0', '')
[hopem,r=] Ensure ssl certs always synced. Partially-Closes-Bug: 1520339
2015-12-07 15:04:38 +01:00
Snap install OpenStack in Charms Install OpenStack using snaps. By setting openstack-origin to snap:track/channel or snap:track the charm will use snaps to install rather than debs. If channel is left off it defaults to stable. For example: snap:ocata/edge will install the edge version of Ocata and snap:pike will install the stable version of Pike. Charm helpers sync for snap related helpers. Change-Id: I6e3540e4ffe081540404f91061e5c9b7039b3eac
2017-07-24 11:18:46 -07:00
if snap_install_requested():
ctxt['domain_config_dir'] = (
'/var/snap/keystone/common/etc/keystone/domains')
ctxt['log_config'] = (
'/var/snap/keystone/common/etc/keystone/logging.conf')
ctxt['paste_config_file'] = (
'/var/snap/keystone/common/etc/keystone/keystone-paste.ini')
else:
ctxt['domain_config_dir'] = '/etc/keystone/domains'
ctxt['log_config'] = ('/etc/keystone/logging.conf')
ctxt['paste_config_file'] = '/etc/keystone/keystone-paste.ini'
Rewrite charm to get it more in line with other OpenStack charms. Added support for contexts and templating. Makes use of charm-helpers instead of relaying on its own tools (probably could use some additional work). HA is currently non-functional. ETA for fixing: less than 2 days.
2014-02-25 12:34:13 +01:00
return ctxt
[hopem,r=gnuoy] Set root logger level to DEBUG in /etc/logging.conf if debug is True otherwise keystone logger remains as WARNING. Closes-Bug: 1407317
2015-01-19 10:45:41 +00:00
class KeystoneLoggingContext(context.OSContextGenerator):
def __call__(self):
Snap install OpenStack in Charms Install OpenStack using snaps. By setting openstack-origin to snap:track/channel or snap:track the charm will use snaps to install rather than debs. If channel is left off it defaults to stable. For example: snap:ocata/edge will install the edge version of Ocata and snap:pike will install the stable version of Pike. Charm helpers sync for snap related helpers. Change-Id: I6e3540e4ffe081540404f91061e5c9b7039b3eac
2017-07-24 11:18:46 -07:00
from keystone_utils import (
snap_install_requested,
)
[hopem,r=gnuoy] Set root logger level to DEBUG in /etc/logging.conf if debug is True otherwise keystone logger remains as WARNING. Closes-Bug: 1407317
2015-01-19 10:45:41 +00:00
ctxt = {}
debug = config('debug')
change string debug and verbose to boolean LP#1398783
2015-10-21 23:54:06 +00:00
if debug:
[hopem,r=gnuoy] Set root logger level to DEBUG in /etc/logging.conf if debug is True otherwise keystone logger remains as WARNING. Closes-Bug: 1407317
2015-01-19 10:45:41 +00:00
ctxt['root_level'] = 'DEBUG'
Ensure log-level config option is applied consistently. Keystone charm currently supports 'log-level' but it is not handled at all. This setting should be applied independently (presumably it was the original intention for this config option) from debug and verbose mode. It also takes care of improper value set by the user which in case user enters a non log-level option the default 'ERROR' is used instead. Change-Id: I53cc0cafed7e56be9d568726f7590a36d3be1a87 Closes-Bug: #1554865 Signed-off-by: Leonardo Borda <leonardo.borda@canonical.com>
2016-03-09 09:13:15 -05:00
log_level = config('log-level')
log_level_accepted_params = ['WARNING', 'INFO', 'DEBUG', 'ERROR']
if log_level in log_level_accepted_params:
ctxt['log_level'] = config('log-level')
else:
log("log-level must be one of the following states "
"(WARNING, INFO, DEBUG, ERROR) keeping the current state.")
ctxt['log_level'] = None
Snap install OpenStack in Charms Install OpenStack using snaps. By setting openstack-origin to snap:track/channel or snap:track the charm will use snaps to install rather than debs. If channel is left off it defaults to stable. For example: snap:ocata/edge will install the edge version of Ocata and snap:pike will install the stable version of Pike. Charm helpers sync for snap related helpers. Change-Id: I6e3540e4ffe081540404f91061e5c9b7039b3eac
2017-07-24 11:18:46 -07:00
if snap_install_requested():
ctxt['log_file'] = (
'/var/snap/keystone/common/log/keystone.log')
else:
ctxt['log_file'] = '/var/log/keystone/keystone.log'
[hopem,r=gnuoy] Set root logger level to DEBUG in /etc/logging.conf if debug is True otherwise keystone logger remains as WARNING. Closes-Bug: 1407317
2015-01-19 10:45:41 +00:00
return ctxt
Install cron job to flush keystone tokens. This change adds a cron job definition to flush the keystone tokens once every hour. Without this, the keystone database grows unbounded, which can be problematic in production environments. This change introduces a new keystone-token-flush templated cron job, which will run the keystone-manage token_flush command as the keystone user once per hour. This change honors the use-syslog setting by sending output of the command either to the keystone-token-flush.log file or to the syslog using the logger exec. Only the juju service leader will have the cron job active in order to prevent multiple units from running the token_flush at the concurrently. Change-Id: I21be3b23a8fe66b67fba0654ce498d62b3afc2ac Closes-Bug: #1467832
2016-03-06 12:19:47 -07:00
class TokenFlushContext(context.OSContextGenerator):
def __call__(self):
ctxt = {
Fix issue with crontab enablement The token flush and token rotate crontabs are re-written when the leader unit changes inline with Juju leadership management. Align contexts used to generate crontabs with Juju leadership status, rather than corosync/pacemaker. Correct use of OpenStackCompareReleases to ensure that releases between ocata and queens don't automatically enable fernet token behaviour. Change-Id: I6db8d006ceac7b61e69f547682c5a49d876cfec6 Closes-Bug: 1816807
2019-02-21 14:58:58 +00:00
'token_flush': (not fernet_enabled() and is_leader())
Keystone Fernet Token implementation This patchset adds more Fernet token implementation: 1. Adds a cron job to rotate / sync keys to other units. 2. Adds additional tests around gating on config. 3. Adds rotation / syncing with more robust key handling. Change-Id: Ied021ad83c241f241dbb5f9acdede9045e43a8a3
2018-08-05 17:21:49 +01:00
}
return ctxt
class FernetCronContext(context.OSContextGenerator):
def __call__(self):
token_expiration = int(config('token-expiration'))
ctxt = {
Fix issue with crontab enablement The token flush and token rotate crontabs are re-written when the leader unit changes inline with Juju leadership management. Align contexts used to generate crontabs with Juju leadership status, rather than corosync/pacemaker. Correct use of OpenStackCompareReleases to ensure that releases between ocata and queens don't automatically enable fernet token behaviour. Change-Id: I6db8d006ceac7b61e69f547682c5a49d876cfec6 Closes-Bug: 1816807
2019-02-21 14:58:58 +00:00
'enabled': (fernet_enabled() and is_leader()),
Keystone Fernet Token implementation This patchset adds more Fernet token implementation: 1. Adds a cron job to rotate / sync keys to other units. 2. Adds additional tests around gating on config. 3. Adds rotation / syncing with more robust key handling. Change-Id: Ied021ad83c241f241dbb5f9acdede9045e43a8a3
2018-08-05 17:21:49 +01:00
'unit_name': local_unit(),
'charm_dir': charm_dir(),
'minute': ('*/5' if token_expiration > 300 else '*')
Install cron job to flush keystone tokens. This change adds a cron job definition to flush the keystone tokens once every hour. Without this, the keystone database grows unbounded, which can be problematic in production environments. This change introduces a new keystone-token-flush templated cron job, which will run the keystone-manage token_flush command as the keystone user once per hour. This change honors the use-syslog setting by sending output of the command either to the keystone-token-flush.log file or to the syslog using the logger exec. Only the juju service leader will have the cron job active in order to prevent multiple units from running the token_flush at the concurrently. Change-Id: I21be3b23a8fe66b67fba0654ce498d62b3afc2ac Closes-Bug: #1467832
2016-03-06 12:19:47 -07:00
}
return ctxt
add support for Federated IDentity (FID) and WebSSO * add support for relating with subordinate charms providing Service Provider functionality via apache2 authentication modules; * enable additional authentication methods on the keystone side to accept parsed assertion data provided via apache2 authentication module variables exported to WSGI environment; * move https frontend and WSGI API apache config files to keystone instead of relying on charm-helpers as modifications are needed there to add IncludeOptional directives. openstack_https_frontend.conf is added on purpose as ServerName cannot be correctly determined after ProxyPass which results in TLS errors during SAML exchange process; * add an additional relation to openstack-dashboard to provide URL information necessary to trust 'origin' parameter in WebSSO URLs used by horizon during the authentication process. Also add a context to render the federation section that is used to render this information in keystone.conf; Subordinates can choose to use different apache2 authentication modules. If those modules support vhost-level variables then multiple subordinates for the same module can be used. For example, mod_auth_mellon can be used multiple times in different vhosts to protect federated token endpoints related to different identity provider and protocol combinations). Trusted dashboard relation could be used to provide dashboard origin URL from a different site via cross-model relations. NOTE: this functionality will be triggered only on Ocata+ (inclusive) Change-Id: I1ef623b0b0e2a9f68cec4be550965c5e15e5f561
2018-04-26 00:36:02 +03:00
Keystone Fernet Token implementation This patchset adds more Fernet token implementation: 1. Adds a cron job to rotate / sync keys to other units. 2. Adds additional tests around gating on config. 3. Adds rotation / syncing with more robust key handling. Change-Id: Ied021ad83c241f241dbb5f9acdede9045e43a8a3
2018-08-05 17:21:49 +01:00
def fernet_enabled():
"""Helper function for determinining whether Fernet tokens are enabled.
:returns: True if the fernet keys should be configured.
:rtype: bool
"""
cmp_release = CompareOpenStackReleases(os_release('keystone'))
if cmp_release < 'ocata':
return False
Fix issue with crontab enablement The token flush and token rotate crontabs are re-written when the leader unit changes inline with Juju leadership management. Align contexts used to generate crontabs with Juju leadership status, rather than corosync/pacemaker. Correct use of OpenStackCompareReleases to ensure that releases between ocata and queens don't automatically enable fernet token behaviour. Change-Id: I6db8d006ceac7b61e69f547682c5a49d876cfec6 Closes-Bug: 1816807
2019-02-21 14:58:58 +00:00
elif cmp_release >= 'ocata' and cmp_release < 'rocky':
Keystone Fernet Token implementation This patchset adds more Fernet token implementation: 1. Adds a cron job to rotate / sync keys to other units. 2. Adds additional tests around gating on config. 3. Adds rotation / syncing with more robust key handling. Change-Id: Ied021ad83c241f241dbb5f9acdede9045e43a8a3
2018-08-05 17:21:49 +01:00
return config('token-provider') == 'fernet'
else:
return True
add support for Federated IDentity (FID) and WebSSO * add support for relating with subordinate charms providing Service Provider functionality via apache2 authentication modules; * enable additional authentication methods on the keystone side to accept parsed assertion data provided via apache2 authentication module variables exported to WSGI environment; * move https frontend and WSGI API apache config files to keystone instead of relying on charm-helpers as modifications are needed there to add IncludeOptional directives. openstack_https_frontend.conf is added on purpose as ServerName cannot be correctly determined after ProxyPass which results in TLS errors during SAML exchange process; * add an additional relation to openstack-dashboard to provide URL information necessary to trust 'origin' parameter in WebSSO URLs used by horizon during the authentication process. Also add a context to render the federation section that is used to render this information in keystone.conf; Subordinates can choose to use different apache2 authentication modules. If those modules support vhost-level variables then multiple subordinates for the same module can be used. For example, mod_auth_mellon can be used multiple times in different vhosts to protect federated token endpoints related to different identity provider and protocol combinations). Trusted dashboard relation could be used to provide dashboard origin URL from a different site via cross-model relations. NOTE: this functionality will be triggered only on Ocata+ (inclusive) Change-Id: I1ef623b0b0e2a9f68cec4be550965c5e15e5f561
2018-04-26 00:36:02 +03:00
class KeystoneFIDServiceProviderContext(context.OSContextGenerator):
interfaces = ['keystone-fid-service-provider']
def __call__(self):
fid_sp_keys = ['protocol-name', 'remote-id-attribute']
fid_sps = []
for rid in relation_ids("keystone-fid-service-provider"):
for unit in related_units(rid):
rdata = relation_get(unit=unit, rid=rid)
if set(rdata).issuperset(set(fid_sp_keys)):
fid_sps.append({
k: json.loads(v) for k, v in rdata.items()
if k in fid_sp_keys
})
# populate the context with data from one or more
# service providers
ctxt = ({'fid_sps': fid_sps}
if fid_sps else {})
return ctxt
class WebSSOTrustedDashboardContext(context.OSContextGenerator):
interfaces = ['websso-trusted-dashboard']
def __call__(self):
trusted_dashboard_keys = ['scheme', 'hostname', 'path']
trusted_dashboards = set()
for rid in relation_ids("websso-trusted-dashboard"):
for unit in related_units(rid):
rdata = relation_get(unit=unit, rid=rid)
if set(rdata).issuperset(set(trusted_dashboard_keys)):
scheme = rdata.get('scheme')
hostname = rdata.get('hostname')
path = rdata.get('path')
url = '{}{}{}'.format(scheme, hostname, path)
trusted_dashboards.add(url)
# populate the context with data from one or more
# service providers
ctxt = ({'trusted_dashboards': trusted_dashboards}
if trusted_dashboards else {})
return ctxt
Copy Permalink