diff --git a/config.yaml b/config.yaml
index e3a4f0a1..60fdb196 100644
--- a/config.yaml
+++ b/config.yaml
@@ -89,6 +89,38 @@ options:
 description: |
 By default, all services will log into their corresponding log files.
 Setting this to True will force all services to log to the syslog.
+ identity-backend:
+ type: string
+ default: "sql"
+ description: "Keystone identity backend, valid options are:sql,ldap,kvs,pam"
+ assignment-backend:
+ type: string
+ default: "sql"
+ description: "Keystone assignment backend, valid options are sql,ldap,kvs"
+ ldap-server:
+ type: string
+ default: None
+ description: "Ldap server address for keystone identity backend"
+ ldap-user:
+ type: string
+ default: None
+ description: "Username of the ldap identity server"
+ ldap-password:
+ type: string
+ default: None
+ description: "Password of the ldap identity server"
+ ldap-suffix:
+ type: string
+ default: None
+ description: "Ldap server suffix to be used by keystone"
+ ldap-config-flags:
+ type: string
+ default: None
+ description: "comma sperated options for ldap configuration"
+ ldap-readonly:
+ type: boolean
+ default: True
+ description: "Ldap identity server backend readonly to keystone"
 # HA configuration settings
 vip:
 type: string
diff --git a/hooks/keystone_context.py b/hooks/keystone_context.py
index 1dc4308e..d4caa0a1 100644
--- a/hooks/keystone_context.py
+++ b/hooks/keystone_context.py
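Review bot: `default: None` on the string-typed `ldap-server`, `ldap-user`, `ldap-password`, `ldap-suffix` and `ldap-config-flags` options is, in YAML, the plain string "None" rather than a null, so `config()` presumably hands the literal text 'None' to the hook; in keystone_context.py that makes `if ldap_flags:` true and sends 'None' into config_flags_parser, and renders `url = None` into keystone.conf. Dropping the `default:` line (or using an empty string) and having the hook treat an unset value as absent avoids this. The `ldap-password` description should also say that the value is written in cleartext into keystone.conf and that the bind account should carry only the rights it needs, which with `ldap-readonly` defaulting to True is read access. Minor: "are:sql" wants a space and "sperated" is a typo in the `ldap-config-flags` description.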
@@ -101,6 +101,19 @@ class KeystoneContext(context.OSContextGenerator):
 ctxt['public_port'] = determine_api_port(api_port('keystone-public'))
 ctxt['debug'] = config('debug') in ['yes', 'true', 'True']
 ctxt['verbose'] = config('verbose') in ['yes', 'true', 'True']
+ ctxt['identity_backend'] = config('identity-backend')
+ ctxt['assignment_backend'] = config('assignment-backend')
+ if config('identity-backend') == 'ldap':
+ ctxt['ldap_server'] = config('ldap-server')
+ ctxt['ldap_user'] = config('ldap-user')
+ ctxt['ldap_password'] = config('ldap-password')
+ ctxt['ldap_suffix'] = config('ldap-suffix')
+ ctxt['ldap_readonly'] = config('ldap-readonly')
+ ldap_flags = config('ldap-config-flags')
+ if ldap_flags:
+ flags = context.config_flags_parser(ldap_flags)
+ ctxt['ldap_config_flags'] = flags
+
 if config('enable-pki') not in ['false', 'False', 'no', 'No']:
 ctxt['signing'] = True
 return ctxt
diff --git a/templates/icehouse/keystone.conf b/templates/icehouse/keystone.conf
index db54eb96..4ae320ef 100644
--- a/templates/icehouse/keystone.conf
+++ b/templates/icehouse/keystone.conf
@@ -21,7 +21,7 @@ connection = sqlite:////var/lib/keystone/keystone.db
 idle_timeout = 200
 [identity]
-driver = keystone.identity.backends.sql.Identity
+driver = keystone.identity.backends.{{ identity_backend }}.Identity
 [credential]
 driver = keystone.credential.backends.sql.Credential
@@ -49,6 +49,7 @@ driver = keystone.policy.backends.sql.Policy
 driver = keystone.contrib.ec2.backends.sql.Ec2
 [assignment]
+driver = keystone.assignment.backends.{{ assignment_backend }}.Assignment
 [oauth1]
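Review bot: The LDAP settings are collected only when `identity-backend` is `ldap`, yet config.yaml lets `assignment-backend` be `ldap` on its own, so an operator choosing LDAP assignment with the default SQL identity backend gets a context with no `ldap_server`, `ldap_user` or `ldap_suffix` and the template's [ldap] section (which applies the same gate) comes out empty. Gating on either value, `if 'ldap' in (config('identity-backend'), config('assignment-backend')):`, covers both cases, with the matching change in the template. Neither backend value is checked against the lists the option descriptions advertise, so a typo such as `ldpa` is interpolated verbatim into the `driver =` lines in keystone.conf and only surfaces when the service fails to start; I would reject unknown values here, e.g. `if ctxt['identity_backend'] not in ('sql', 'ldap', 'kvs', 'pam'): raise ValueError('unknown identity-backend')`. The enclosing method begins above the hunk.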
@@ -65,3 +66,35 @@ config_file = keystone-paste.ini
 [extra_headers]
 Distribution = Ubuntu
+
+[ldap]
+{% if identity_backend == 'ldap' -%}
+url = {{ ldap_server }}
+user = {{ ldap_user }}
+password = {{ ldap_password }}
+suffix = {{ ldap_suffix }}
+
+{% if ldap_config_flags -%}
+{% for key, value in ldap_config_flags.iteritems() -%}
+{{ key }} = {{ value }}
+{% endfor -%}
+{% endif -%}
+
+{% if ldap_readonly -%}
+user_allow_create = False
+user_allow_update = False
+user_allow_delete = False
+
+tenant_allow_create = False
+tenant_allow_update = False
+tenant_allow_delete = False
+
+role_allow_create = False
+role_allow_update = False
+role_allow_delete = False
+
+group_allow_create = False
+group_allow_update = False
+group_allow_delete = False
+{% endif -%}
+{% endif -%}
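Review bot: The [ldap] block sets no `use_tls`, `tls_cacertfile` or `tls_req_cert`, so unless the operator passes an ldaps:// URL in `ldap-server` the bind credentials on the `user =` / `password =` lines and every user password Keystone verifies against the directory travel in cleartext; those Keystone options should be exposed as charm options or at least called out in the `ldap-server` description. `ldap_config_flags.iteritems()` is Python 2 only and would raise AttributeError in a Python 3 Jinja environment, while `items()` behaves the same on both. The `{% if ldap_readonly -%}` block is rendered after the config-flags loop, so a `user_allow_create` passed through `ldap-config-flags` is presumably overridden by the later value when `ldap-readonly` is True; a comment such as `{# ldap-readonly wins over any *_allow_* entries in ldap-config-flags #}` would make that ordering deliberate rather than accidental.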