Integrated keystone with opentack-common's PKI toggling
@@ -250,7 +250,6 @@ Attributes
|
|||||||
* `keystone["admin_token"]` - Admin token for bootstraping keystone server
|
* `keystone["admin_token"]` - Admin token for bootstraping keystone server
|
||||||
* `keystone["roles"]` - Array of roles to create in the keystone server
|
* `keystone["roles"]` - Array of roles to create in the keystone server
|
||||||
* `keystone["users"]` - Array of users to create in the keystone server
|
* `keystone["users"]` - Array of users to create in the keystone server
|
||||||
* `keystone["pki"]["enabled"]` - Defaults to false. Set to true to enable PKI in `auth_token` middleware.
|
|
||||||
|
|
||||||
License and Author
|
License and Author
|
||||||
==================
|
==================
|
||||||
|
|||||||
@@ -57,18 +57,12 @@ default["keystone"]["users"] = {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
default["keystone"]["nova"]["pki"]["enabled"] = false
|
|
||||||
if node["keystone"]["nova"]["pki"]["enabled"]
|
|
||||||
node.set["keystone"]["signing"]["token_format"] = "PKI"
|
|
||||||
else
|
|
||||||
node.set["keystone"]["signing"]["token_format"] = "UUID"
|
|
||||||
end
|
|
||||||
default["keystone"]["signing"]["certfile"] = "/etc/keystone/ssl/certs/signing_cert.pem"
|
default["keystone"]["signing"]["certfile"] = "/etc/keystone/ssl/certs/signing_cert.pem"
|
||||||
default["keystone"]["signing"]["keyfile"] = "/etc/keystone/ssl/private/signing_key.pem"
|
default["keystone"]["signing"]["keyfile"] = "/etc/keystone/ssl/private/signing_key.pem"
|
||||||
default["keystone"]["signing"]["ca_certs"] = "/etc/keystone/ssl/certs/ca.pem"
|
default["keystone"]["signing"]["ca_certs"] = "/etc/keystone/ssl/certs/ca.pem"
|
||||||
default["keystone"]["signing"]["key_size"] = "1024"
|
default["keystone"]["signing"]["key_size"] = "1024"
|
||||||
default["keystone"]["signing"]["valid_days"] = "3650"
|
default["keystone"]["signing"]["valid_days"] = "3650"
|
||||||
default["keystone"]["signing"]["ca_password"] = "None"
|
default["keystone"]["signing"]["ca_password"] = nil
|
||||||
|
|
||||||
# platform defaults
|
# platform defaults
|
||||||
case platform
|
case platform
|
||||||
|
|||||||
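Review bot: The signing material used for PKI tokens keeps `default["keystone"]["signing"]["key_size"] = "1024"` next to `valid_days = "3650"` on the new side; a 1024-bit RSA token-signing key that stays valid for ten years is below what is generally recommended for a signing CA, so consider `default["keystone"]["signing"]["key_size"] = "2048"` while the attribute is being touched. With `ca_password` now `nil`, the keystone.conf template renders an empty `ca_password =` where the old default produced the literal string `None`; confirm that an empty value is what `keystone-manage pki_setup` expects. The toggle now lives in `node["openstack"]["signing"]["pki"]`, which this cookbook no longer declares, so a run without openstack-common in scope evaluates it as nil and silently falls back to UUID tokens; the README hunk above drops the old attribute without documenting the new one, which is worth a line there.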
@@ -80,7 +80,7 @@ execute "keystone-manage pki_setup" do
|
|||||||
|
|
||||||
action :nothing
|
action :nothing
|
||||||
|
|
||||||
only_if { node["keystone"]["nova"]["pki"]["enabled"] }
|
only_if { node["openstack"]["signing"]["pki"] }
|
||||||
end
|
end
|
||||||
|
|
||||||
identity_admin_endpoint = endpoint "identity-admin"
|
identity_admin_endpoint = endpoint "identity-admin"
|
||||||
|
|||||||
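Review bot: The `only_if { node["openstack"]["signing"]["pki"] }` guard on the pki_setup execute does not prevent the resource from regenerating the signing key when it is notified again while `signing_cert.pem` already exists, which would invalidate every outstanding PKI token and require redistributing the new certificate to every auth_token consumer. Consider pairing it with `not_if { ::File.exist?(node["keystone"]["signing"]["certfile"]) }`, unless the targeted keystone release is known to refuse to overwrite existing signing material. The execute block's command and its notifier are outside this hunk, so whether it is re-notified on every keystone.conf change cannot be confirmed from here.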
@@ -58,15 +58,17 @@ driver = keystone.policy.backends.rules.Policy
|
|||||||
driver = keystone.contrib.ec2.backends.sql.Ec2
|
driver = keystone.contrib.ec2.backends.sql.Ec2
|
||||||
|
|
||||||
[signing]
|
[signing]
|
||||||
token_format = <%= node["keystone"]["signing"]["token_format"] %>
|
<% if node["openstack"]["signing"]["pki"] -%>
|
||||||
<% if node["keystone"]["nova"]["pki"]["enabled"] -%>
|
token_format = PKI
|
||||||
certfile = <%= node["keystone"]["signing"]["certfile"] %>
|
certfile = <%= node["keystone"]["signing"]["certfile"] %>
|
||||||
keyfile = <%= node["keystone"]["signing"]["keyfile"] %>
|
keyfile = <%= node["keystone"]["signing"]["keyfile"] %>
|
||||||
ca_certs = <%= node["keystone"]["signing"]["ca_certs"] %>
|
ca_certs = <%= node["keystone"]["signing"]["ca_certs"] %>
|
||||||
key_size = <%= node["keystone"]["signing"]["key_size"] %>
|
key_size = <%= node["keystone"]["signing"]["key_size"] %>
|
||||||
valid_days = <%= node["keystone"]["signing"]["valid_days"] %>
|
valid_days = <%= node["keystone"]["signing"]["valid_days"] %>
|
||||||
ca_password = <%= node["keystone"]["signing"]["ca_password"] %>
|
ca_password = <%= node["keystone"]["signing"]["ca_password"] %>
|
||||||
<% end %>
|
<% else -%>
|
||||||
|
token_format = UUID
|
||||||
|
<% end -%>
|
||||||
|
|
||||||
[filter:debug]
|
[filter:debug]
|
||||||
paste.filter_factory = keystone.common.wsgi:Debug.factory
|
paste.filter_factory = keystone.common.wsgi:Debug.factory
|
||||||
|
|||||||
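Review bot: In the new PKI branch `ca_password = <%= node["keystone"]["signing"]["ca_password"] %>` renders as a bare `ca_password =` whenever the attribute is nil (now the default) and writes the CA passphrase into keystone.conf in plaintext whenever one is set. At minimum emit the line only when a password is configured: `<% if node["keystone"]["signing"]["ca_password"] -%>` / `ca_password = <%= node["keystone"]["signing"]["ca_password"] %>` / `<% end -%>`. The template resource that writes this file is outside the hunk, so its owner and mode cannot be checked here; with a passphrase present the file should be readable by the keystone service user only.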