6f3751cc96
* add support for relating with subordinate charms providing Service Provider functionality via apache2 authentication modules; * enable additional authentication methods on the keystone side to accept parsed assertion data provided via apache2 authentication module variables exported to WSGI environment; * move https frontend and WSGI API apache config files to keystone instead of relying on charm-helpers as modifications are needed there to add IncludeOptional directives. openstack_https_frontend.conf is added on purpose as ServerName cannot be correctly determined after ProxyPass which results in TLS errors during SAML exchange process; * add an additional relation to openstack-dashboard to provide URL information necessary to trust 'origin' parameter in WebSSO URLs used by horizon during the authentication process. Also add a context to render the federation section that is used to render this information in keystone.conf; Subordinates can choose to use different apache2 authentication modules. If those modules support vhost-level variables then multiple subordinates for the same module can be used. For example, mod_auth_mellon can be used multiple times in different vhosts to protect federated token endpoints related to different identity provider and protocol combinations. Trusted dashboard relation could be used to provide dashboard origin URL from a different site via cross-model relations. NOTE: this functionality will be triggered only on Ocata+ (inclusive) Change-Id: I1ef623b0b0e2a9f68cec4be550965c5e15e5f561
# Configuration file maintained by Juju. Local changes may be overwritten.
#
# mod_wsgi vhosts for the keystone API. Up to three vhosts are rendered, one
# per port supplied in the template context (port, admin_port, public_port).
# Each vhost gets its own WSGIDaemonProcess group, but all of them run as the
# same {{ service_name }} user/group and write to the same pair of log files.
# This file only listens on plain ports and contains no SSL directives, so
# TLS termination has to happen elsewhere (NOTE(review): presumably the
# separate https frontend config mentioned in the commit message -- confirm).
{% if port -%}
# Listen directives are rendered only when the matching port is set; the
# corresponding <VirtualHost> below is guarded by the same condition.
Listen {{ port }}
{% endif -%}
{% if admin_port -%}
Listen {{ admin_port }}
{% endif -%}
{% if public_port -%}
Listen {{ public_port }}
{% endif -%}
{% if port -%}
<VirtualHost *:{{ port }}>
# Dedicated daemon process group for this listener; display-name=%{GROUP}
# makes the workers identifiable by group name in process listings.
WSGIDaemonProcess {{ service_name }} processes={{ processes }} threads={{ threads }} user={{ service_name }} group={{ service_name }} \
display-name=%{GROUP}
WSGIProcessGroup {{ service_name }}
# The whole URL space of this vhost is routed to the WSGI script.
WSGIScriptAlias / {{ script }}
WSGIApplicationGroup %{GLOBAL}
# Hand the client's Authorization header through to the application instead
# of letting mod_wsgi strip it. No AuthType/Require is applied to / in this
# file, so any checking of that header is the application's job.
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
# Every vhost in this file logs to the same two paths, so entries from the
# port/admin_port/public_port listeners are interleaved in one file.
ErrorLog /var/log/apache2/{{ service_name }}_error.log
CustomLog /var/log/apache2/{{ service_name }}_access.log combined
# Grant Apache read access to the directory holding the WSGI script
# (assumes {{ script }} resolves to a file under /usr/bin -- TODO confirm in
# the context that renders this template). Nothing else in this file maps
# /usr/bin to a URL; only the WSGIScriptAlias above reaches into it. The
# Order/Allow pair is the pre-2.4 spelling of the same grant.
<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
# Pull in per-Service-Provider <Location> blocks dropped by subordinate
# charms (apache2 authentication modules such as mod_auth_mellon). Anything
# matching the glob is processed as if written here, inside this vhost, so
# the subordinate's files are trusted with full directive authority.
# IncludeOptional is silent when nothing matches: a missing or misnamed
# subordinate config is not reported at Apache start, so verify the expected
# files were actually rendered. The same include is repeated in every vhost.
IncludeOptional /etc/apache2/mellon*/sp-location*.conf
</VirtualHost>
{% endif -%}
{% if admin_port -%}
<VirtualHost *:{{ admin_port }}>
# Separate process group and process count (admin_processes) for the admin
# listener; user/group and thread count are shared with the other vhosts.
WSGIDaemonProcess {{ service_name }}-admin processes={{ admin_processes }} threads={{ threads }} user={{ service_name }} group={{ service_name }} \
display-name=%{GROUP}
WSGIProcessGroup {{ service_name }}-admin
WSGIScriptAlias / {{ admin_script }}
WSGIApplicationGroup %{GLOBAL}
# Authorization header is forwarded unchecked to the application (see the
# first vhost for details).
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
# Same log files as the other vhosts.
ErrorLog /var/log/apache2/{{ service_name }}_error.log
CustomLog /var/log/apache2/{{ service_name }}_access.log combined
# Directory grant for the script location; assumes {{ admin_script }} is
# under /usr/bin -- TODO confirm in the rendering context.
<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
# Subordinate-provided SP <Location> blocks; same glob and same caveats as
# in the first vhost (silent when no file matches).
IncludeOptional /etc/apache2/mellon*/sp-location*.conf
</VirtualHost>
{% endif -%}
{% if public_port -%}
<VirtualHost *:{{ public_port }}>
# Separate process group and process count (public_processes) for the public
# listener; user/group and thread count are shared with the other vhosts.
WSGIDaemonProcess {{ service_name }}-public processes={{ public_processes }} threads={{ threads }} user={{ service_name }} group={{ service_name }} \
display-name=%{GROUP}
WSGIProcessGroup {{ service_name }}-public
WSGIScriptAlias / {{ public_script }}
WSGIApplicationGroup %{GLOBAL}
# Authorization header is forwarded unchecked to the application (see the
# first vhost for details).
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
# Same log files as the other vhosts.
ErrorLog /var/log/apache2/{{ service_name }}_error.log
CustomLog /var/log/apache2/{{ service_name }}_access.log combined
# Directory grant for the script location; assumes {{ public_script }} is
# under /usr/bin -- TODO confirm in the rendering context.
<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
# Subordinate-provided SP <Location> blocks; same glob and same caveats as
# in the first vhost (silent when no file matches).
IncludeOptional /etc/apache2/mellon*/sp-location*.conf
</VirtualHost>
{% endif -%}