Merge "Cleanup README.md, config.yaml and templates/"
This commit is contained in:
commit
e472adaf2f
166
README.md
@ -9,54 +9,54 @@ Usage
|
||||
|
||||
The following interfaces are provided:
|
||||
|
||||
- nrpe-external-master: Used to generate Nagios checks.
|
||||
- nrpe-external-master: Used to generate Nagios checks.
|
||||
|
||||
- identity-service: Openstack API endpoints request an entry in the
|
||||
Keystone service catalog + endpoint template catalog. When a relation
|
||||
is established, Keystone receives: service name, region, public_url,
|
||||
admin_url and internal_url. It first checks that the requested service
|
||||
is listed as a supported service. This list should stay updated to
|
||||
support current Openstack core services. If the service is supported,
|
||||
an entry in the service catalog is created, an endpoint template is
|
||||
created and a admin token is generated. The other end of the relation
|
||||
receives the token as well as info on which ports Keystone is listening
|
||||
on.
|
||||
- identity-service: Openstack API endpoints request an entry in the
|
||||
Keystone service catalog + endpoint template catalog. When a relation
|
||||
is established, Keystone receives: `service_name`, `region`, `public_url`,
|
||||
`admin_url` and `internal_url`. It first checks that the requested service
|
||||
is listed as a supported service. This list should stay updated to
|
||||
support current Openstack core services. If the service is supported,
|
||||
an entry in the service catalog is created, an endpoint template is
|
||||
created and a admin token is generated. The other end of the relation
|
||||
receives the token as well as info on which ports Keystone is listening
|
||||
on.
|
||||
|
||||
- keystone-service: This is currently only used by Horizon/dashboard
|
||||
as its interaction with Keystone is different from other Openstack API
|
||||
services. That is, Horizon requests a Keystone role and token exists.
|
||||
During a relation, Horizon requests its configured default role and
|
||||
Keystone responds with a token and the auth + admin ports on which
|
||||
Keystone is listening.
|
||||
- keystone-service: This is currently only used by Horizon/dashboard
|
||||
as its interaction with Keystone is different from other Openstack API
|
||||
services. That is, Horizon requests a Keystone role and token exists.
|
||||
During a relation, Horizon requests its configured default role and
|
||||
Keystone responds with a token and the auth + admin ports on which
|
||||
Keystone is listening.
|
||||
|
||||
- identity-admin: Charms use this relation to obtain the credentials
|
||||
for the admin user. This is intended for charms that automatically
|
||||
provision users, tenants, etc. or that otherwise automate using the
|
||||
Openstack cluster deployment.
|
||||
- identity-admin: Charms use this relation to obtain the credentials
|
||||
for the admin user. This is intended for charms that automatically
|
||||
provision users, tenants, etc. or that otherwise automate using the
|
||||
Openstack cluster deployment.
|
||||
|
||||
- identity-notifications: Used to broadcast messages to any services
|
||||
listening on the interface.
|
||||
- identity-notifications: Used to broadcast messages to any services
|
||||
listening on the interface.
|
||||
|
||||
- identity-credentials: Charms use this relation to obtain keystone
|
||||
credentials without creating a service catalog entry. Set 'username'
|
||||
only on the relation and keystone will set defaults and return
|
||||
authentication details. Possible relation settings:
|
||||
username: Username to be created.
|
||||
project: Project (tenant) name to be created. Defaults to services
|
||||
project.
|
||||
requested_roles: Comma delimited list of roles to be created
|
||||
requested_grants: Comma delimited list of roles to be granted.
|
||||
Defaults to Admin role.
|
||||
domain: Keystone v3 domain the user will be created in. Defaults
|
||||
to the Default domain.
|
||||
- identity-credentials: Charms use this relation to obtain keystone
|
||||
credentials without creating a service catalog entry. Set 'username'
|
||||
only on the relation and keystone will set defaults and return
|
||||
authentication details. Possible relation settings:
|
||||
- `username` Username to be created.
|
||||
- `project` Project (tenant) name to be created. Defaults to services
|
||||
project.
|
||||
- `requested_roles` Comma delimited list of roles to be created
|
||||
- `requested_grants` Comma delimited list of roles to be granted.
|
||||
Defaults to Admin role.
|
||||
- `domain` Keystone v3 domain the user will be created in. Defaults
|
||||
to the Default domain.
|
||||
|
||||
Database
|
||||
--------
|
||||
|
||||
Keystone requires a database. By default, a local sqlite database is used.
|
||||
The charm supports relations to a shared-db via mysql-shared interface. When
|
||||
a new data store is configured, the charm ensures the minimum administrator
|
||||
credentials exist (as configured via charm configuration)
|
||||
Keystone requires a database. The charm supports relation to a shared database
|
||||
server through the `mysql-shared` interface. When a new data store is
|
||||
configured, the charm ensures the minimum administrator credentials exist (as
|
||||
configured in charm configuration)
|
||||
|
||||
HA/Clustering
|
||||
-------------
|
||||
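Review bot: The rewritten `identity-service` entry carries over the typo "a admin token", and the `keystone-service` entry still reads "Horizon requests a Keystone role and token exists"; since this commit is a README cleanup, fix both here ("an admin token", "requests that a Keystone role and token exist"). The new Database paragraph also drops the statement that a local sqlite database is used by default without saying what the charm does when no `mysql-shared` relation exists, and its last sentence ends without a period. Separately, `requested_grants` is documented as defaulting to the Admin role; a sentence telling callers to set it explicitly when they need less would make that default harder to miss.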
@ -70,9 +70,9 @@ the VIP is a valid IP on the subnet for one of the node's interfaces and each
|
||||
node has an interface in said subnet. The VIP becomes a highly-available API
|
||||
endpoint.
|
||||
|
||||
At a minimum, the config option 'vip' must be set in order to use virtual IP
|
||||
At a minimum, the config option `vip` must be set in order to use virtual IP
|
||||
HA. If multiple networks are being used, a VIP should be provided for each
|
||||
network, separated by spaces. Optionally, vip_iface or vip_cidr may be
|
||||
network, separated by spaces. Optionally, `vip_iface` or `vip_cidr` may be
|
||||
specified.
|
||||
|
||||
To use DNS high availability there are several prerequisites. However, DNS HA
|
||||
@ -82,71 +82,48 @@ environments. MAAS 2.0 requires Juju 2.0 or greater. The clustered nodes must
|
||||
have static or "reserved" IP addresses registered in MAAS. The DNS hostname(s)
|
||||
must be pre-registered in MAAS before use with DNS HA.
|
||||
|
||||
At a minimum, the config option 'dns-ha' must be set to true and at least one
|
||||
of 'os-public-hostname', 'os-internal-hostname' or 'os-internal-hostname' must
|
||||
be set in order to use DNS HA. One or more of the above hostnames may be set.
|
||||
At a minimum, the configuration option `dns-ha` must be set to true and at
|
||||
least one of `os-public-hostname`, `os-internal-hostname` or
|
||||
`os-internal-hostname` must be set in order to use DNS HA. One or more of the
|
||||
above hostnames may be set.
|
||||
|
||||
The charm will throw an exception in the following circumstances:
|
||||
If neither 'vip' nor 'dns-ha' is set and the charm is related to hacluster
|
||||
If both 'vip' and 'dns-ha' are set as they are mutually exclusive
|
||||
If 'dns-ha' is set and none of the os-{admin,internal,public}-hostname(s) are set
|
||||
|
||||
SSL/HTTPS
|
||||
- If neither `vip` nor `dns-ha` is set and the charm is related to hacluster
|
||||
|
||||
- If both `vip` and `dns-ha` are set as they are mutually exclusive
|
||||
|
||||
- If `dns-ha` is set and none of the `os-{admin,internal,public}-hostname`
|
||||
configuration options are set
|
||||
|
||||
TLS/HTTPS
|
||||
---------
|
||||
|
||||
Support for SSL and https endpoint is provided via various charm configuration
|
||||
Support for TLS and https endpoints can be enabled through configuration
|
||||
options.
|
||||
|
||||
To enable SSL and https endpoint with a charm-generated CA, set the following
|
||||
configuration options:
|
||||
To enable TLS and https endpoints with a certificate signed by your own
|
||||
Certificate Authority, set the following configuration options:
|
||||
|
||||
- use-https - if enabled this option tells Keystone to configure the identity
|
||||
endpoint as https, and the keystone charm will generate its own CA and sync
|
||||
across peers. The cert will be distributed to all service endpoints which
|
||||
will be configured to use https.
|
||||
- `ssl_ca`
|
||||
|
||||
- https-service-endpoints - if enabled this option tells Keystone to configure
|
||||
ALL endpoints as https. Under this model the keystone charm will generate its
|
||||
own CA and sync across peers. The cert will be distributed to all service
|
||||
endpoints which will be configured to use https as well as configuring
|
||||
themselves to be used as https.
|
||||
- `ssl_cert`
|
||||
|
||||
To enable SSL and https endpoint with your own CA, SSL cert, and key set the
|
||||
following configuration options: ssl_ca, ssl_cert, and ssl_key. The user can
|
||||
provide SSL cert and key using ssl_cert and ssl_key only when the cert is
|
||||
signed by a trusted CA. These options should not be used with use-https and
|
||||
https-service-endpoints.
|
||||
- `ssl_key`
|
||||
|
||||
When the charm configures itself as a CA (generally only recommended for test
|
||||
purposes) it will elect an "ssl-cert-master" whose duty is to generate the CA
|
||||
and certs and ensure they are distributed across all peers. This leader is
|
||||
distinct from the charm leader as elected by Juju so that if the Juju leader
|
||||
switches we still have the ability to know which unit held the last-known-good
|
||||
copy of CA/cert data. If the Juju leader switches the charm should eventually
|
||||
work it out and migrate the ssl-cert-master to the new leader unit.
|
||||
Example bundle usage:
|
||||
|
||||
One side-effect of this is that if the unit currently elected as
|
||||
ssl-cert-master goes down, the remaining peer units or indeed any new units
|
||||
will not be able to sync the ssl data of the master or re-elect a new master.
|
||||
This does currently require manual intervention to resolve. If no action is
|
||||
taken, it will be assumed that this unit may come back at some point and
|
||||
therefore must be known to be in-sync with the rest before continuing.
|
||||
keystone:
|
||||
charm: cs:keystone
|
||||
num_units: 1
|
||||
options:
|
||||
ssl_ca: include-base64://path-to-base64-encoded-ca-data
|
||||
ssl_cert: include-base64://path-to-base64-encoded-certificate-data
|
||||
ssl_key: include-base64://path-to-base64-encoded-key-data
|
||||
|
||||
It is possible to check which unit is the ssl-cert-master with:
|
||||
|
||||
~$ juju run --unit keystone/0 "relation-ids cluster"
|
||||
cluster:6
|
||||
~$ juju run --unit keystone/0 "relation-get -r cluster:6 ssl-cert-master keystone/0"
|
||||
keystone/0
|
||||
|
||||
If the master unit goes down and you want to manually migrate it to another
|
||||
unit (that you are 100% sure holds an authoritative copy of the ssl certs)
|
||||
you can do:
|
||||
|
||||
~$ juju run --unit keystone/0 "relation-set -r cluster:6 ssl-cert-master=keystone/1"
|
||||
|
||||
Where keystone/1 is known to hold a good copy of the CA/cert info and is
|
||||
preferrably also the cluster leader.
|
||||
NOTE: If your certificate is signed by a Certificate Authority present in the
|
||||
CA Certificate Store in operating systems used in your deployment you do not
|
||||
need to provide the `ssl_ca` configuration option.
|
||||
|
||||
Network Space support
|
||||
---------------------
|
||||
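Review bot: The reworded DNS HA paragraph still lists `os-internal-hostname` twice ("`os-public-hostname`, `os-internal-hostname` or `os-internal-hostname`"). The exception list later in this hunk names `os-{admin,internal,public}-hostname`, so the second occurrence looks like it should be `os-admin-hostname`; please confirm and correct it while the sentence is being rewritten. In the TLS section, the new example bundle passes the private key through `ssl_key: include-base64://...`; a short sentence on keeping that key file readable only by the deploying user would be a useful addition next to the example.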
@ -174,5 +151,4 @@ Alternatively these can also be provided as part of a juju native bundle configu
|
||||
|
||||
NOTE: Spaces must be configured in the underlying provider prior to attempting to use them.
|
||||
|
||||
NOTE: Existing deployments using os\-\*-network configuration options will continue to function; these options are preferred over any network space binding provided if set.
|
||||
|
||||
NOTE: Existing deployments using `os\-\*-network` configuration options will continue to function; these options are preferred over any network space binding provided if set.
|
||||
|
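Review bot: In the last NOTE the option name is now wrapped in backticks but keeps its Markdown escapes (`os\-\*-network`). Inside a code span the backslashes are rendered literally, so readers will see the backslashes as part of the option name. Drop the escapes inside the backticks so it reads os-*-network.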
33
config.yaml
@ -55,10 +55,6 @@ options:
|
||||
description: |
|
||||
Apply system hardening. Supports a space-delimited list of modules
|
||||
to run. Supported modules currently include os, ssh, apache and mysql.
|
||||
config-file:
|
||||
type: string
|
||||
default: "/etc/keystone/keystone.conf"
|
||||
description: "Location of keystone configuration file"
|
||||
service-port:
|
||||
type: int
|
||||
default: 5000
|
||||
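Review bot: `config-file` is removed here without the deprecation step that `enable-pki`, `use-https` and `https-service-endpoints` went through (their descriptions carried a [DEPRECATED] marker before removal, this one did not). No visible hunk in this commit touches code that reads the option, so please confirm nothing in the hooks still looks up `config-file`, and mention the removal in the commit message so operators who had set a non-default path know the charm will now always use the built-in location.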
@ -148,14 +144,6 @@ options:
|
||||
twice the number of CPU cores a service unit has. When deployed in
|
||||
a LXD container, this default value will be capped to 4 workers
|
||||
unless this configuration option is set.
|
||||
enable-pki:
|
||||
type: string
|
||||
default: "false"
|
||||
description: |
|
||||
Enable PKI token signing.
|
||||
.
|
||||
[DEPRECATED] This option should no longer be used.
|
||||
This option will be removed in a future release.
|
||||
preferred-api-version:
|
||||
type: int
|
||||
default:
|
||||
@ -384,27 +372,6 @@ options:
|
||||
order for this charm to function correctly, the privacy extension must be
|
||||
disabled and a non-temporary address must be configured/available on
|
||||
your network interface.
|
||||
https-service-endpoints:
|
||||
type: string
|
||||
default: "False"
|
||||
description: |
|
||||
Manage SSL certificates for all service endpoints. This option
|
||||
should be False when specifying ssl\_\* options.
|
||||
.
|
||||
[DEPRECATED] This option should no longer be used.
|
||||
Provide SSL certificate data through the ssl\_\* options.
|
||||
This option will be removed in a future release.
|
||||
use-https:
|
||||
type: string
|
||||
default: "no"
|
||||
description: |
|
||||
Use SSL for Keystone itself using a charm-generated CA. Set to
|
||||
'yes' to enable it. This option should be 'no' when specifying ssl\_\*
|
||||
options.
|
||||
.
|
||||
[DEPRECATED] This option should no longer be used.
|
||||
Provide SSL certificate data through the ssl\_\* options.
|
||||
This option will be removed in a future release.
|
||||
ssl_cert:
|
||||
type: string
|
||||
default:
|
||||
|
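Review bot: Removing `use-https` and `https-service-endpoints` leaves the `ssl_*` options as the only way to get https endpoints, but nothing in this change says what happens to a unit that was deployed with `use-https` set to 'yes' and no `ssl_cert`/`ssl_key`. The removed descriptions only said "Provide SSL certificate data through the ssl\_\* options"; please add an upgrade note (README or release notes) stating that such deployments must supply `ssl_ca`, `ssl_cert` and `ssl_key` before upgrading, and confirm the charm does not silently fall back to plain http for them.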
@ -1,93 +0,0 @@
|
||||
# essex
|
||||
###############################################################################
|
||||
# [ WARNING ]
|
||||
# Configuration file maintained by Juju. Local changes may be overwritten.
|
||||
###############################################################################
|
||||
[DEFAULT]
|
||||
admin_token = {{ token }}
|
||||
admin_port = {{ admin_port }}
|
||||
public_port = {{ public_port }}
|
||||
use_syslog = {{ use_syslog }}
|
||||
log_config = /etc/keystone/logging.conf
|
||||
debug = {{ debug }}
|
||||
verbose = {{ verbose }}
|
||||
|
||||
[sql]
|
||||
{% if database_host -%}
|
||||
connection = {{ database_type }}://{{ database_user }}:{{ database_password }}@{{ database_host }}/{{ database }}{% if database_ssl_ca %}?ssl_ca={{ database_ssl_ca }}{% if database_ssl_cert %}&ssl_cert={{ database_ssl_cert }}&ssl_key={{ database_ssl_key }}{% endif %}{% endif %}
|
||||
{% else -%}
|
||||
connection = sqlite:////var/lib/keystone/keystone.db
|
||||
{% endif -%}
|
||||
idle_timeout = 200
|
||||
|
||||
[identity]
|
||||
driver = keystone.identity.backends.sql.Identity
|
||||
|
||||
[catalog]
|
||||
driver = keystone.catalog.backends.sql.Catalog
|
||||
|
||||
[token]
|
||||
driver = keystone.token.backends.sql.Token
|
||||
expiration = 86400
|
||||
|
||||
[policy]
|
||||
driver = keystone.policy.backends.rules.Policy
|
||||
|
||||
[ec2]
|
||||
driver = keystone.contrib.ec2.backends.sql.Ec2
|
||||
|
||||
[filter:debug]
|
||||
paste.filter_factory = keystone.common.wsgi:Debug.factory
|
||||
|
||||
[filter:token_auth]
|
||||
paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory
|
||||
|
||||
[filter:admin_token_auth]
|
||||
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory
|
||||
|
||||
[filter:xml_body]
|
||||
paste.filter_factory = keystone.middleware:XmlBodyMiddleware.factory
|
||||
|
||||
[filter:json_body]
|
||||
paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory
|
||||
|
||||
[filter:crud_extension]
|
||||
paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory
|
||||
|
||||
[filter:ec2_extension]
|
||||
paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory
|
||||
|
||||
[app:public_service]
|
||||
paste.app_factory = keystone.service:public_app_factory
|
||||
|
||||
[app:admin_service]
|
||||
paste.app_factory = keystone.service:admin_app_factory
|
||||
|
||||
[pipeline:public_api]
|
||||
pipeline = token_auth admin_token_auth xml_body json_body debug ec2_extension public_service
|
||||
|
||||
[pipeline:admin_api]
|
||||
pipeline = token_auth admin_token_auth xml_body json_body debug ec2_extension crud_extension admin_service
|
||||
|
||||
[app:public_version_service]
|
||||
paste.app_factory = keystone.service:public_version_app_factory
|
||||
|
||||
[app:admin_version_service]
|
||||
paste.app_factory = keystone.service:admin_version_app_factory
|
||||
|
||||
[pipeline:public_version_api]
|
||||
pipeline = xml_body public_version_service
|
||||
|
||||
[pipeline:admin_version_api]
|
||||
pipeline = xml_body admin_version_service
|
||||
|
||||
[composite:main]
|
||||
use = egg:Paste#urlmap
|
||||
/v2.0 = public_api
|
||||
/ = public_version_api
|
||||
|
||||
[composite:admin]
|
||||
use = egg:Paste#urlmap
|
||||
/v2.0 = admin_api
|
||||
/ = admin_version_api
|
||||
|
@ -1,39 +0,0 @@
|
||||
[loggers]
|
||||
keys=root
|
||||
|
||||
[formatters]
|
||||
keys=normal,normal_with_name,debug
|
||||
|
||||
[handlers]
|
||||
keys=production,file,devel
|
||||
|
||||
[logger_root]
|
||||
level=WARNING
|
||||
handlers=file
|
||||
|
||||
[handler_production]
|
||||
class=handlers.SysLogHandler
|
||||
level=ERROR
|
||||
formatter=normal_with_name
|
||||
args=(('localhost', handlers.SYSLOG_UDP_PORT), handlers.SysLogHandler.LOG_USER)
|
||||
|
||||
[handler_file]
|
||||
class=FileHandler
|
||||
level=DEBUG
|
||||
formatter=normal_with_name
|
||||
args=('/var/log/keystone/keystone.log', 'a')
|
||||
|
||||
[handler_devel]
|
||||
class=StreamHandler
|
||||
level=NOTSET
|
||||
formatter=debug
|
||||
args=(sys.stdout,)
|
||||
|
||||
[formatter_normal]
|
||||
format=%(asctime)s %(levelname)s %(message)s
|
||||
|
||||
[formatter_normal_with_name]
|
||||
format=(%(name)s): %(asctime)s %(levelname)s %(message)s
|
||||
|
||||
[formatter_debug]
|
||||
format=(%(name)s): %(asctime)s %(levelname)s %(module)s %(funcName)s %(message)s
|
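Review bot: This logging template is deleted together with the per-release keystone.conf templates, each of which sets `log_config = /etc/keystone/logging.conf`. Please confirm that the templates that remain for supported releases do not still reference `/etc/keystone/logging.conf`, or that another template continues to render it; otherwise keystone would be pointed at a logging configuration the charm no longer writes.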
@ -1,112 +0,0 @@
|
||||
# folsom
|
||||
###############################################################################
|
||||
# [ WARNING ]
|
||||
# Configuration file maintained by Juju. Local changes may be overwritten.
|
||||
###############################################################################
|
||||
[DEFAULT]
|
||||
admin_token = {{ token }}
|
||||
admin_port = {{ admin_port }}
|
||||
public_port = {{ public_port }}
|
||||
use_syslog = {{ use_syslog }}
|
||||
log_config = /etc/keystone/logging.conf
|
||||
debug = {{ debug }}
|
||||
verbose = {{ verbose }}
|
||||
|
||||
[sql]
|
||||
{% if database_host -%}
|
||||
connection = {{ database_type }}://{{ database_user }}:{{ database_password }}@{{ database_host }}/{{ database }}{% if database_ssl_ca %}?ssl_ca={{ database_ssl_ca }}{% if database_ssl_cert %}&ssl_cert={{ database_ssl_cert }}&ssl_key={{ database_ssl_key }}{% endif %}{% endif %}
|
||||
{% else -%}
|
||||
connection = sqlite:////var/lib/keystone/keystone.db
|
||||
{% endif -%}
|
||||
idle_timeout = 200
|
||||
|
||||
[identity]
|
||||
driver = keystone.identity.backends.sql.Identity
|
||||
|
||||
[catalog]
|
||||
driver = keystone.catalog.backends.sql.Catalog
|
||||
|
||||
[token]
|
||||
driver = keystone.token.backends.sql.Token
|
||||
expiration = 86400
|
||||
|
||||
[policy]
|
||||
driver = keystone.policy.backends.rules.Policy
|
||||
|
||||
[ec2]
|
||||
driver = keystone.contrib.ec2.backends.sql.Ec2
|
||||
|
||||
[signing]
|
||||
token_format = UUID
|
||||
key_size = 2048
|
||||
valid_days = 3650
|
||||
|
||||
[filter:debug]
|
||||
paste.filter_factory = keystone.common.wsgi:Debug.factory
|
||||
|
||||
[filter:token_auth]
|
||||
paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory
|
||||
|
||||
[filter:admin_token_auth]
|
||||
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory
|
||||
|
||||
[filter:xml_body]
|
||||
paste.filter_factory = keystone.middleware:XmlBodyMiddleware.factory
|
||||
|
||||
[filter:json_body]
|
||||
paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory
|
||||
|
||||
[filter:user_crud_extension]
|
||||
paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory
|
||||
|
||||
[filter:crud_extension]
|
||||
paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory
|
||||
|
||||
[filter:ec2_extension]
|
||||
paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory
|
||||
|
||||
[filter:s3_extension]
|
||||
paste.filter_factory = keystone.contrib.s3:S3Extension.factory
|
||||
|
||||
[filter:url_normalize]
|
||||
paste.filter_factory = keystone.middleware:NormalizingFilter.factory
|
||||
|
||||
[filter:stats_monitoring]
|
||||
paste.filter_factory = keystone.contrib.stats:StatsMiddleware.factory
|
||||
|
||||
[filter:stats_reporting]
|
||||
paste.filter_factory = keystone.contrib.stats:StatsExtension.factory
|
||||
|
||||
[app:public_service]
|
||||
paste.app_factory = keystone.service:public_app_factory
|
||||
|
||||
[app:admin_service]
|
||||
paste.app_factory = keystone.service:admin_app_factory
|
||||
|
||||
[pipeline:public_api]
|
||||
pipeline = stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug ec2_extension user_crud_extension public_service
|
||||
|
||||
[pipeline:admin_api]
|
||||
pipeline = stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension crud_extension admin_service
|
||||
|
||||
[app:public_version_service]
|
||||
paste.app_factory = keystone.service:public_version_app_factory
|
||||
|
||||
[app:admin_version_service]
|
||||
paste.app_factory = keystone.service:admin_version_app_factory
|
||||
|
||||
[pipeline:public_version_api]
|
||||
pipeline = stats_monitoring url_normalize xml_body public_version_service
|
||||
|
||||
[pipeline:admin_version_api]
|
||||
pipeline = stats_monitoring url_normalize xml_body admin_version_service
|
||||
|
||||
[composite:main]
|
||||
use = egg:Paste#urlmap
|
||||
/v2.0 = public_api
|
||||
/ = public_version_api
|
||||
|
||||
[composite:admin]
|
||||
use = egg:Paste#urlmap
|
||||
/v2.0 = admin_api
|
||||
/ = admin_version_api
|
@ -1,131 +0,0 @@
|
||||
# grizzly
|
||||
###############################################################################
|
||||
# [ WARNING ]
|
||||
# Configuration file maintained by Juju. Local changes may be overwritten.
|
||||
###############################################################################
|
||||
[DEFAULT]
|
||||
admin_token = {{ token }}
|
||||
admin_port = {{ admin_port }}
|
||||
public_port = {{ public_port }}
|
||||
use_syslog = {{ use_syslog }}
|
||||
log_config = /etc/keystone/logging.conf
|
||||
debug = {{ debug }}
|
||||
verbose = {{ verbose }}
|
||||
|
||||
[sql]
|
||||
{% if database_host -%}
|
||||
connection = {{ database_type }}://{{ database_user }}:{{ database_password }}@{{ database_host }}/{{ database }}{% if database_ssl_ca %}?ssl_ca={{ database_ssl_ca }}{% if database_ssl_cert %}&ssl_cert={{ database_ssl_cert }}&ssl_key={{ database_ssl_key }}{% endif %}{% endif %}
|
||||
{% else -%}
|
||||
connection = sqlite:////var/lib/keystone/keystone.db
|
||||
{% endif -%}
|
||||
idle_timeout = 200
|
||||
|
||||
[identity]
|
||||
driver = keystone.identity.backends.sql.Identity
|
||||
|
||||
[trust]
|
||||
driver = keystone.trust.backends.sql.Trust
|
||||
|
||||
[catalog]
|
||||
driver = keystone.catalog.backends.sql.Catalog
|
||||
|
||||
[token]
|
||||
driver = keystone.token.backends.sql.Token
|
||||
|
||||
[policy]
|
||||
driver = keystone.policy.backends.sql.Policy
|
||||
|
||||
[ec2]
|
||||
driver = keystone.contrib.ec2.backends.sql.Ec2
|
||||
|
||||
[signing]
|
||||
token_format = UUID
|
||||
|
||||
[auth]
|
||||
methods = password,token
|
||||
password = keystone.auth.plugins.password.Password
|
||||
token = keystone.auth.plugins.token.Token
|
||||
|
||||
[filter:debug]
|
||||
paste.filter_factory = keystone.common.wsgi:Debug.factory
|
||||
|
||||
[filter:token_auth]
|
||||
paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory
|
||||
|
||||
[filter:admin_token_auth]
|
||||
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory
|
||||
|
||||
[filter:xml_body]
|
||||
paste.filter_factory = keystone.middleware:XmlBodyMiddleware.factory
|
||||
|
||||
[filter:json_body]
|
||||
paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory
|
||||
|
||||
[filter:user_crud_extension]
|
||||
paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory
|
||||
|
||||
[filter:crud_extension]
|
||||
paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory
|
||||
|
||||
[filter:ec2_extension]
|
||||
paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory
|
||||
|
||||
[filter:s3_extension]
|
||||
paste.filter_factory = keystone.contrib.s3:S3Extension.factory
|
||||
|
||||
[filter:url_normalize]
|
||||
paste.filter_factory = keystone.middleware:NormalizingFilter.factory
|
||||
|
||||
[filter:sizelimit]
|
||||
paste.filter_factory = keystone.middleware:RequestBodySizeLimiter.factory
|
||||
|
||||
[filter:stats_monitoring]
|
||||
paste.filter_factory = keystone.contrib.stats:StatsMiddleware.factory
|
||||
|
||||
[filter:stats_reporting]
|
||||
paste.filter_factory = keystone.contrib.stats:StatsExtension.factory
|
||||
|
||||
[filter:access_log]
|
||||
paste.filter_factory = keystone.contrib.access:AccessLogMiddleware.factory
|
||||
|
||||
[app:public_service]
|
||||
paste.app_factory = keystone.service:public_app_factory
|
||||
|
||||
[app:service_v3]
|
||||
paste.app_factory = keystone.service:v3_app_factory
|
||||
|
||||
[app:admin_service]
|
||||
paste.app_factory = keystone.service:admin_app_factory
|
||||
|
||||
[pipeline:public_api]
|
||||
pipeline = access_log sizelimit stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug ec2_extension user_crud_extension public_service
|
||||
|
||||
[pipeline:admin_api]
|
||||
pipeline = access_log sizelimit stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension crud_extension admin_service
|
||||
|
||||
[pipeline:api_v3]
|
||||
pipeline = access_log sizelimit stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension service_v3
|
||||
|
||||
[app:public_version_service]
|
||||
paste.app_factory = keystone.service:public_version_app_factory
|
||||
|
||||
[app:admin_version_service]
|
||||
paste.app_factory = keystone.service:admin_version_app_factory
|
||||
|
||||
[pipeline:public_version_api]
|
||||
pipeline = access_log sizelimit stats_monitoring url_normalize xml_body public_version_service
|
||||
|
||||
[pipeline:admin_version_api]
|
||||
pipeline = access_log sizelimit stats_monitoring url_normalize xml_body admin_version_service
|
||||
|
||||
[composite:main]
|
||||
use = egg:Paste#urlmap
|
||||
/v2.0 = public_api
|
||||
/v3 = api_v3
|
||||
/ = public_version_api
|
||||
|
||||
[composite:admin]
|
||||
use = egg:Paste#urlmap
|
||||
/v2.0 = admin_api
|
||||
/v3 = api_v3
|
||||
/ = admin_version_api
|
@ -1,64 +0,0 @@
|
||||
# havana
|
||||
###############################################################################
|
||||
# [ WARNING ]
|
||||
# Configuration file maintained by Juju. Local changes may be overwritten.
|
||||
###############################################################################
|
||||
[DEFAULT]
|
||||
admin_token = {{ token }}
|
||||
admin_port = {{ admin_port }}
|
||||
public_port = {{ public_port }}
|
||||
use_syslog = {{ use_syslog }}
|
||||
log_config = /etc/keystone/logging.conf
|
||||
debug = {{ debug }}
|
||||
verbose = {{ verbose }}
|
||||
|
||||
[sql]
|
||||
{% if database_host -%}
|
||||
connection = {{ database_type }}://{{ database_user }}:{{ database_password }}@{{ database_host }}/{{ database }}{% if database_ssl_ca %}?ssl_ca={{ database_ssl_ca }}{% if database_ssl_cert %}&ssl_cert={{ database_ssl_cert }}&ssl_key={{ database_ssl_key }}{% endif %}{% endif %}
|
||||
{% else -%}
|
||||
connection = sqlite:////var/lib/keystone/keystone.db
|
||||
{% endif -%}
|
||||
idle_timeout = 200
|
||||
|
||||
[identity]
|
||||
driver = keystone.identity.backends.sql.Identity
|
||||
|
||||
[credential]
|
||||
driver = keystone.credential.backends.sql.Credential
|
||||
|
||||
[trust]
|
||||
driver = keystone.trust.backends.sql.Trust
|
||||
|
||||
[os_inherit]
|
||||
|
||||
[catalog]
|
||||
driver = keystone.catalog.backends.sql.Catalog
|
||||
|
||||
[endpoint_filter]
|
||||
|
||||
[token]
|
||||
driver = keystone.token.backends.sql.Token
|
||||
provider = keystone.token.providers.uuid.Provider
|
||||
|
||||
[cache]
|
||||
|
||||
[policy]
|
||||
driver = keystone.policy.backends.sql.Policy
|
||||
|
||||
[ec2]
|
||||
driver = keystone.contrib.ec2.backends.sql.Ec2
|
||||
|
||||
[assignment]
|
||||
|
||||
[oauth1]
|
||||
|
||||
[signing]
|
||||
|
||||
[auth]
|
||||
methods = external,password,token,oauth1
|
||||
password = keystone.auth.plugins.password.Password
|
||||
token = keystone.auth.plugins.token.Token
|
||||
oauth1 = keystone.auth.plugins.oauth1.OAuth
|
||||
|
||||
[paste_deploy]
|
||||
config_file = keystone-paste.ini
|
@ -316,7 +316,6 @@ class TestKeystoneUtils(CharmTestCase):
|
||||
self.test_config.set('admin-port', 80)
|
||||
self.test_config.set('service-port', 81)
|
||||
self.https.return_value = False
|
||||
self.test_config.set('https-service-endpoints', 'False')
|
||||
self.get_local_endpoint.return_value = 'http://localhost:80/v2.0/'
|
||||
self.relation_ids.return_value = ['cluster/0']
|
||||
|
||||
|