openstack/openstack-ansible-os_keystone
Code Issues Proposed changes

Federated openid support using auth_mod_openidc

Browse Source 
This patch adds support for using mod_auth_openidc instead of shibboleth for
supporting users who have a preference to use oidc for federation. A new
variable called apache_mod is added to keystone_sp allowing the auth library
to be selected. If left undefined shibboleth auth module will continue to be
installed by default maintaining backward compatibility.

This patch does not support simultaneous use of shibboleth and mod_auth_openidc
primarily because shib2 depends on libcurl3 but mod_auth_openidc depends on
libcurl4 which cannot coexist on Ubuntu. This can be resolved when there is a
shib3 package available in a future release of Ubuntu.

Change-Id: I80031f7d3f0fcc2029cd6861dcb6687e8a9f0a2e
This commit is contained in:
Georgina 2020-01-30 13:06:30 +00:00 committed by Georgina Shippey
parent 92d5f3ccfb
commit 47fe909d54
10 changed files with 127 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
defaults/main.yml
View File

@ -329,6 +329,7 @@ keystone_idp: {}
keystone_sp: {} keystone_sp: {}
#keystone_sp: #keystone_sp:
# cert_duration_years: 5 # cert_duration_years: 5
# apache_mod: shibboleth #or mod_auth_openidc
# trusted_dashboard_list: # trusted_dashboard_list:
# - "https://{{ external_lb_vip_address }}/auth/websso/" # - "https://{{ external_lb_vip_address }}/auth/websso/"
# - "https://{{ horizon_server_name }}/auth/websso/" # - "https://{{ horizon_server_name }}/auth/websso/"
@ -425,6 +426,34 @@ keystone_sp: {}
# attributes: # attributes:
# - name: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn' # - name: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
# id: upn # id: upn
#
# - name: "keycloak-oidc-idp"
# oidc_provider_metadata_url: https://identity-provider/.well-known/openid-configuration
# oidc_client_id: keystone
# oidc_client_secret: secret
# oidc_crypto_passphrase: random string
# oidc_redirect_uri: https://keystone:5000/v3/OS-FEDERATION/identity_providers/keycloak-idp/protocols/openid/auth
# entity_ids:
# - 'https://identity-provider/openid-endpoint/'
# federated_identities:
# - domain: default
# project: fedproject
# group: fedgroup
# role: _member_
# protocols:
# - name: openid
# mapping:
# name: keycloak-oidc-idp-openid-mapping
# rules:
# - remote:
# - type: OIDC-email
# local:
# - group:
# name: fedgroup
# domain:
# name: Default
# user:
# name: '{0}'
keystone_service_in_ldap: false keystone_service_in_ldap: false

16
releasenotes/notes/mod-auth-openidc-102bd253b677f3fc.yaml Normal file
View File

@ -0,0 +1,16 @@
---
features:
- Added support for using mod_auth_openidc instead of shibboleth as a
service provider for supporting users who have a preference to use OIDC
for federation. Mod_auth_openidc is the apache module that is recommended
in the keystone documentation for implementing openidc.
Added a variable to called apache_mod to keystone_sp, if left undefined
shibboleth will continue to be installed by default provided keystone_sp is
not empty. Mod_auth_openidc will not be installed unless it is spelled
correctly, any misspellings will result in a shibboleth install.
Note that installing shibboleth on Debian based metal distro deployments
may break services that depend on libcurl4, as shib2 requires libcurl3,
and they are unable to coexist. This can be resolved when there is a
shib3 package available in a future release of Ubuntu/Debian.
There is currently no support for simultaneous use of shibboleth2 and
mod_auth_openidc.

22
tasks/keystone_apache.yml
View File

@ -32,6 +32,17 @@
owner: "{{ keystone_apache_default_log_owner }}" owner: "{{ keystone_apache_default_log_owner }}"
group: "{{ keystone_apache_default_log_grp }}" group: "{{ keystone_apache_default_log_grp }}"
- name: Place apache2 config files
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "root"
group: "root"
with_items: "{{ keystone_apache_configs }}"
notify:
- Manage LB
- Restart web server
## NOTE(cloudnull): ## NOTE(cloudnull):
## Module enable/disable process is only functional on Debian and SUSE based systems. ## Module enable/disable process is only functional on Debian and SUSE based systems.
- name: Enable/disable apache2 modules - name: Enable/disable apache2 modules
@ -58,17 +69,6 @@
- Manage LB - Manage LB
- Restart web server - Restart web server
- name: Drop apache2 config files
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "root"
group: "root"
with_items: "{{ keystone_apache_configs }}"
notify:
- Manage LB
- Restart web server
- name: Disable default apache site - name: Disable default apache site
file: file:
path: "{{ item }}" path: "{{ item }}"

0
tasks/keystone_federation_sp_setup.yml → tasks/keystone_federation_sp_shib_setup.yml
View File

20
tasks/main.yml
View File

@ -48,6 +48,21 @@
tags: tags:
- always - always
- name: Fact for apache module shibboleth to be installed
set_fact:
keystone_sp_apache_mod_shib:
"{{ (keystone_sp != {} and
(keystone_sp.apache_mod is undefined or
(keystone_sp.apache_mod is defined and keystone_sp.apache_mod != 'mod_auth_openidc'))
) | ternary('true', 'false') }}"
- name: Fact for apache module mod_auth_openidc to be installed
set_fact:
keystone_sp_apache_mod_auth_openidc:
"{{ (keystone_sp != {} and
keystone_sp.apache_mod is defined and keystone_sp.apache_mod == 'mod_auth_openidc')
| ternary('true', 'false') }}"
- import_tasks: db_setup.yml - import_tasks: db_setup.yml
when: when:
- "keystone_services['keystone-wsgi-public']['group'] in group_names" - "keystone_services['keystone-wsgi-public']['group'] in group_names"
@ -123,8 +138,9 @@
tags: tags:
- keystone-config - keystone-config
- import_tasks: keystone_federation_sp_setup.yml - import_tasks: keystone_federation_sp_shib_setup.yml
when: keystone_sp != {} when:
- keystone_sp_apache_mod_shib
tags: tags:
- keystone-config - keystone-config

41
templates/keystone-httpd.conf.j2
View File

@ -18,7 +18,7 @@ Listen {{ keystone_service_port }}
Header set Content-Security-Policy "default-src 'self' https: wss:;" Header set Content-Security-Policy "default-src 'self' https: wss:;"
{% if keystone_sp != {} -%} {% if keystone_sp != {} -%}
Header set Content-Security-Policy "script-src 'sha256-oBahlBFQem+nMs1JwgcBB03Hy8nRh5e8qEGTOcxmAuM=';" Header set Content-Security-Policy "script-src 'sha256-oBahlBFQem+nMs1JwgcBB03Hy8nRh5e8qEGTOcxmAuM=';"
{% endif %} {% endif -%}
Header set X-Frame-Options "{{ keystone_x_frame_options | default ('DENY') }}" Header set X-Frame-Options "{{ keystone_x_frame_options | default ('DENY') }}"
{% if keystone_ssl | bool and keystone_service_internaluri_proto == "https" -%} {% if keystone_ssl | bool and keystone_service_internaluri_proto == "https" -%}
@ -33,9 +33,36 @@ Listen {{ keystone_service_port }}
SSLHonorCipherOrder On SSLHonorCipherOrder On
SSLCipherSuite {{ keystone_ssl_cipher_suite }} SSLCipherSuite {{ keystone_ssl_cipher_suite }}
SSLOptions +StdEnvVars +ExportCertData SSLOptions +StdEnvVars +ExportCertData
{% endif -%}
{% if keystone_sp_apache_mod_auth_openidc -%}
OIDCClaimPrefix "{{ keystone_sp.trusted_idp_list.0.oidc_claim_prefix | default('OIDC-') }}"
OIDCResponseType "{{ keystone_sp.trusted_idp_list.0.oidc_resp_type | default('id_token') }}"
OIDCScope "{{ keystone_sp.trusted_idp_list.0.idc_scope | default('openid email profile') }}"
OIDCProviderMetadataURL {{ keystone_sp.trusted_idp_list.0.oidc_provider_metadata_url }}
OIDCClientID {{ keystone_sp.trusted_idp_list.0.oidc_client_id }}
OIDCClientSecret {{ keystone_sp.trusted_idp_list.0.oidc_client_secret }}
OIDCCryptoPassphrase {{ keystone_sp.trusted_idp_list.0.oidc_crypto_passphrase }}
OIDCRedirectURI {{ keystone_sp.trusted_idp_list.0.oidc_redirect_uri }}
{% if keystone_sp.trusted_idp_list.0.oidc_auth_verify_jwks_uri is defined -%}
OIDCOAuthVerifyJwksUri {{ keystone_sp.trusted_idp_list.0.oidc_auth_verify_jwks_uri }}
{% endif %} {% endif %}
{% if keystone_sp != {} -%} <Location /v3/OS-FEDERATION/identity_providers/{{ keystone_sp.trusted_idp_list.0.name }}/protocols/openid/auth>
Require valid-user
AuthType auth-openidc
</Location>
<Location /v3/auth/OS-FEDERATION/websso/openid>
Require valid-user
AuthType openid-connect
</Location>
<Location /v3/auth/OS-FEDERATION/identity_providers/{{ keystone_sp.trusted_idp_list.0.name }}/protocols/openid/websso>
Require valid-user
AuthType openid-connect
</Location>
{% endif %}
{%- if keystone_sp_apache_mod_shib -%}
ShibURLScheme {{ keystone_service_publicuri_proto }} ShibURLScheme {{ keystone_service_publicuri_proto }}
<Location /Shibboleth.sso> <Location /Shibboleth.sso>
@ -57,19 +84,21 @@ Listen {{ keystone_service_port }}
ShibExportAssertion Off ShibExportAssertion Off
Require valid-user Require valid-user
</LocationMatch> </LocationMatch>
{% endif %} {% endif %}
{% if keystone_sp != {} -%}
<Directory /var/www/cgi-bin/keystone> <Directory /var/www/cgi-bin/keystone>
Options Indexes FollowSymLinks MultiViews Options Indexes FollowSymLinks MultiViews
AllowOverride All AllowOverride All
Order allow,deny Order allow,deny
allow from all allow from all
</Directory> </Directory>
{% if keystone_sp != {} -%}
ProxyPass /Shibboleth.sso !
{% endif %} {% endif %}
{% if keystone_sp_apache_mod_shib -%}
ProxyPass /Shibboleth.sso !
{% endif -%}
ProxyPass / uwsgi://127.0.0.1:{{ keystone_uwsgi_ports['keystone-wsgi-public']['socket'] }}/ ProxyPass / uwsgi://127.0.0.1:{{ keystone_uwsgi_ports['keystone-wsgi-public']['socket'] }}/
</VirtualHost> </VirtualHost>

10
templates/keystone.conf.j2
View File

@ -43,11 +43,7 @@ cache_time = {{ keystone_revocation_cache_time }}
[auth] [auth]
{% if keystone_sp != {} %} methods = {{ keystone_auth_methods }}{% if keystone_sp_apache_mod_shib %},saml2{% endif %}{% if keystone_sp_apache_mod_auth_openidc %},openid{% endif %}
methods = {{ keystone_auth_methods }},saml2
{% else %}
methods = {{ keystone_auth_methods }}
{% endif %}
{% if keystone_database_enabled | bool %} {% if keystone_database_enabled | bool %}
@ -132,7 +128,11 @@ key_repository = {{ keystone_credential_key_repository }}
{% if keystone_sp != {} %} {% if keystone_sp != {} %}
[federation] [federation]
{% if keystone_sp_apache_mod_auth_openidc %}
remote_id_attribute = HTTP_OIDC_ISS
{% elif keystone_sp_apache_mod_shib %}
remote_id_attribute = Shib-Identity-Provider remote_id_attribute = Shib-Identity-Provider
{% endif %}
{% if keystone_sp.trusted_dashboard_list is defined %} {% if keystone_sp.trusted_dashboard_list is defined %}
{% for item in keystone_sp.trusted_dashboard_list %} {% for item in keystone_sp.trusted_dashboard_list %}
trusted_dashboard = {{ item }} trusted_dashboard = {{ item }}

8
vars/debian.yml
View File

@ -57,7 +57,9 @@ keystone_idp_distro_packages:
- xmlsec1 - xmlsec1
keystone_sp_distro_packages: keystone_sp_distro_packages:
- libapache2-mod-shib2 - "{{ keystone_sp_apache_mod_shib | ternary('libcurl3', 'libcurl4') }}"
- "{{ keystone_sp_apache_mod_auth_openidc | ternary('libapache2-mod-auth-openidc',
'libapache2-mod-shib2') }}"
keystone_developer_mode_distro_packages: keystone_developer_mode_distro_packages:
- build-essential - build-essential
@ -86,7 +88,9 @@ keystone_apache_modules:
- name: "ssl" - name: "ssl"
state: "{{ (keystone_ssl | bool) | ternary('present', 'absent') }}" state: "{{ (keystone_ssl | bool) | ternary('present', 'absent') }}"
- name: "shib2" - name: "shib2"
state: "{{ ( keystone_sp != {} ) | ternary('present', 'absent') }}" state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}"
- name: "auth_openidc"
state: "{{ keystone_sp_apache_mod_auth_openidc | ternary('present', 'absent') }}"
- name: "proxy_uwsgi" - name: "proxy_uwsgi"
state: "present" state: "present"
- name: "headers" - name: "headers"

3
vars/redhat.yml
View File

@ -50,7 +50,8 @@ keystone_idp_distro_packages:
- xmlsec1 - xmlsec1
keystone_sp_distro_packages: keystone_sp_distro_packages:
- shibboleth - "{{ keystone_sp_apache_mod_auth_openidc | ternary('mod_auth_openidc',
'shibboleth') }}"
keystone_developer_mode_distro_packages: keystone_developer_mode_distro_packages:
- gcc - gcc

7
vars/suse.yml
View File

@ -51,7 +51,8 @@ keystone_idp_distro_packages:
- xmlsec1 - xmlsec1
keystone_sp_distro_packages: keystone_sp_distro_packages:
- shibboleth-sp - "{{ keystone_sp_apache_mod_auth_openidc | ternary('apache2-mod_auth_openidc',
'shibboleth-sp') }}"
keystone_developer_mode_distro_packages: keystone_developer_mode_distro_packages:
- "{{ (ansible_distribution_version is version ('42', '>=')) | ternary('patterns-openSUSE-devel_basis', 'patterns-devel-base-devel_basis') }}" - "{{ (ansible_distribution_version is version ('42', '>=')) | ternary('patterns-openSUSE-devel_basis', 'patterns-devel-base-devel_basis') }}"
@ -85,7 +86,9 @@ keystone_apache_modules:
- name: "ssl" - name: "ssl"
state: "{{ (keystone_ssl | bool) | ternary('present', 'absent') }}" state: "{{ (keystone_ssl | bool) | ternary('present', 'absent') }}"
- name: "shib2" - name: "shib2"
state: "{{ ( keystone_sp != {} ) | ternary('present', 'absent') }}" state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}"
- name: "auth_openidc"
state: "{{ keystone_sp_apache_mod_auth_openidc | ternary('present', 'absent') }}"
- name: "proxy" - name: "proxy"
state: "present" state: "present"
- name: "proxy_http" - name: "proxy_http"