--- # Copyright 2014, Rackspace US, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # Defines that the role will be deployed on a host machine is_metal: true ## Verbosity Options debug: False verbose: True keystone_fatal_deprecations: False ## System info keystone_system_user_name: keystone keystone_system_group_name: keystone keystone_system_service_name: apache2 keystone_system_shell: /bin/bash keystone_system_comment: keystone system user keystone_system_user_home: "/var/lib/{{ keystone_system_user_name }}" keystone_rpc_backend: rabbit ## Drivers keystone_auth_methods: "password,token" keystone_identity_driver: "keystone.identity.backends.sql.Identity" # For a sql backed token storage use: "keystone.token.backends.sql.Token" keystone_token_driver: "keystone.token.persistence.backends.memcache.Token" keystone_token_provider: "keystone.token.providers.fernet.Provider" keystone_token_expiration: 43200 keystone_token_cache_time: 3600 # Set the revocation driver used within keystone. keystone_revocation_driver: keystone.contrib.revoke.backends.sql.Revoke keystone_revocation_cache_time: 3600 keystone_revocation_expiration_buffer: 1800 ## Fernet config vars keystone_fernet_tokens_key_repository: "/etc/keystone/fernet-keys" keystone_fernet_tokens_max_active_keys: 7 # Any of the following rotation times are valid: # reboot, yearly, annually, monthly, weekly, daily, hourly keystone_fernet_rotation: daily keystone_fernet_auto_rotation_script: /opt/keystone-fernet-rotate.sh keystone_cache_expiration_time: 5400 keystone_assignment_driver: keystone.assignment.backends.sql.Assignment keystone_resource_cache_time: 3600 keystone_resource_driver: keystone.resource.backends.sql.Resource keystone_bind_address: 0.0.0.0 ## Memcached servers used within keystone. # String or Comma separated list of servers. keystone_memcached_servers: 127.0.0.1 keystone_memcached_max_compare_and_set_retry: 16 ## DB info keystone_galera_user: keystone keystone_galera_database: keystone # Database tuning keystone_database_idle_timeout: 200 keystone_database_min_pool_size: 5 keystone_database_max_pool_size: 10 keystone_database_pool_timeout: 200 ## Role info keystone_role_name: admin ## Admin info keystone_admin_port: 35357 keystone_admin_user_name: admin keystone_admin_tenant_name: admin keystone_admin_description: Admin Tenant ## Secure Proxy SSL Information #keystone_secure_proxy_ssl_header: X-Forwarded-For ## Service Type and Data keystone_service_region: RegionOne keystone_service_name: keystone keystone_service_port: 5000 keystone_service_proto: http keystone_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(keystone_service_proto) }}" keystone_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(keystone_service_proto) }}" keystone_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(keystone_service_proto) }}" keystone_service_type: identity keystone_service_description: "Keystone Identity Service" keystone_service_user_name: keystone keystone_service_tenant_name: service keystone_service_publicuri: "{{ keystone_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ keystone_service_port }}" keystone_service_internaluri: "{{ keystone_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}" keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_admin_port }}" keystone_service_publicurl_v2: "{{ keystone_service_publicuri }}/v2.0" keystone_service_internalurl_v2: "{{ keystone_service_internaluri }}/v2.0" keystone_service_adminurl_v2: "{{ keystone_service_adminuri }}/v2.0" keystone_service_publicurl_v3: "{{ keystone_service_publicuri }}/v3" keystone_service_internalurl_v3: "{{ keystone_service_internaluri }}/v3" keystone_service_adminurl_v3: "{{ keystone_service_adminuri }}/v3" keystone_service_publicurl: "{{ keystone_service_publicurl_v3 }}" keystone_service_internalurl: "{{ keystone_service_internalurl_v3 }}" keystone_service_adminurl: "{{ keystone_service_adminurl_v3 }}" ## Set this value to override the "public_endpoint" keystone.conf variable #keystone_public_endpoint: ## Apache setup keystone_apache_log_level: info keystone_ssl_enabled: false keystone_ssl_cert: /etc/ssl/certs/apache.cert keystone_ssl_key: /etc/ssl/private/apache.key keystone_ssl_cert_path: /etc/ssl/certs keystone_ssl_protocol: "{{ ssl_protocol }}" keystone_ssl_cipher_suite: "{{ ssl_cipher_suite }}" ## Caching # If set this will enable dog pile cache for keystone. # keystone_cache_backend_argument: url:127.0.0.1:11211 ## LDAP section # Define keystone ldap information here. # See the http://docs.openstack.org/admin-guide-cloud/content/configuring-keystone-for-ldap-backend.html # for more information on available options. The sections here are defined as key: value pairs. Each # top level key bellow ``keystone_ldap`` is a section. # (EXAMPLE LAYOUT) # keystone_ldap: # ldap: # url: "ldap://127.0.0.1" # user: "root" # password: "secrete" # ... keystone_ldap_identity_driver: keystone.identity.backends.ldap.Identity keystone_ldap_domain_config_dir: /etc/keystone/domains ## Policy vars # Provide a list of access controls to update the default policy.json with. These changes will be merged # with the access controls in the default policy.json. E.g. #keystone_policy_overrides: # identity:create_region: "rule:admin_required" # identity:update_region: "rule:admin_required" # Common apt packages keystone_apt_packages: - apache2 - apache2-utils - debhelper - dh-apparmor - docutils-common - git - libapache2-mod-wsgi - libjs-sphinxdoc - libjs-underscore - libldap2-dev - libsasl2-dev - libxslt1.1 - rsync # Common pip packages keystone_pip_packages: - keystone - keystonemiddleware - ldappool - lxml - MySQL-python - oslo.middleware - pbr - pycrypto - pysaml2 - python-keystoneclient - python-memcached - python-openstackclient - repoze.lru