diff --git a/playbooks/roles/os_keystone/defaults/main.yml b/playbooks/roles/os_keystone/defaults/main.yml
index c2ae5574a6..a147d5a830 100644
--- a/playbooks/roles/os_keystone/defaults/main.yml
+++ b/playbooks/roles/os_keystone/defaults/main.yml
@@ -35,15 +35,15 @@ keystone_rpc_backend: rabbit
 ## Drivers
 keystone_auth_methods: "password,token"
-keystone_identity_driver: "keystone.identity.backends.sql.Identity"
-# For a sql backed token storage use: "keystone.token.backends.sql.Token"
-keystone_token_driver: "keystone.token.persistence.backends.memcache.Token"
-keystone_token_provider: "keystone.token.providers.fernet.Provider"
+keystone_identity_driver: sql
+# For a sql backed token storage use: "sql"
+keystone_token_driver: memcache
+keystone_token_provider: fernet
 keystone_token_expiration: 43200
 keystone_token_cache_time: 3600
 # Set the revocation driver used within keystone.
-keystone_revocation_driver: keystone.contrib.revoke.backends.sql.Revoke
+keystone_revocation_driver: sql
 keystone_revocation_cache_time: 3600
 keystone_revocation_expiration_buffer: 1800
@@ -57,10 +57,10 @@ keystone_fernet_auto_rotation_script: /opt/keystone-fernet-rotate.sh
 keystone_cache_expiration_time: 5400
-keystone_assignment_driver: keystone.assignment.backends.sql.Assignment
+keystone_assignment_driver: sql
 keystone_resource_cache_time: 3600
-keystone_resource_driver: keystone.resource.backends.sql.Resource
+keystone_resource_driver: sql
 keystone_bind_address: 0.0.0.0
@@ -168,7 +168,7 @@ keystone_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ inter
 # password: "secrete"
 # ...
-keystone_ldap_identity_driver: keystone.identity.backends.ldap.Identity
+keystone_ldap_identity_driver: ldap
 keystone_ldap_domain_config_dir: /etc/keystone/domains
 # If you want to regenerate the keystone users SSH keys, on each run, set this var to True
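Review bot: The shortened driver values (`sql`, `memcache`, `fernet`, `ldap`) are resolved through keystone's registered entry-point aliases instead of being imported as dotted class paths, so the role now implicitly requires a keystone release that registers those names; nothing in the defaults file records that, and a deployer who still overrides one of these variables with the old dotted path in user variables may or may not be accepted depending on the keystone version pinned. I would add a comment above `keystone_identity_driver: sql` such as `# Driver names are keystone entry-point aliases (sql, ldap, memcache, fernet) and require a keystone release that registers them.` and state in the commit message whether the old dotted form is still accepted as an override. The same point applies to the assignment/resource hunk and the ldap hunk further down this file.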
diff --git a/playbooks/roles/os_keystone/templates/keystone-paste.ini.j2 b/playbooks/roles/os_keystone/templates/keystone-paste.ini.j2
index 3e195aa521..70db3823dd 100644
--- a/playbooks/roles/os_keystone/templates/keystone-paste.ini.j2
+++ b/playbooks/roles/os_keystone/templates/keystone-paste.ini.j2
@@ -1,70 +1,67 @@
 # Keystone PasteDeploy configuration file.
 [filter:debug]
-paste.filter_factory = keystone.common.wsgi:Debug.factory
+use = egg:keystone#debug
 [filter:request_id]
-paste.filter_factory = oslo_middleware:RequestId.factory
+use = egg:keystone#request_id
 [filter:build_auth_context]
-paste.filter_factory = keystone.middleware:AuthContextMiddleware.factory
+use = egg:keystone#build_auth_context
 [filter:token_auth]
-paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory
+use = egg:keystone#token_auth
 [filter:admin_token_auth]
-paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory
+use = egg:keystone#admin_token_auth
 [filter:json_body]
-paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory
+use = egg:keystone#json_body
 [filter:user_crud_extension]
-paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory
+use = egg:keystone#user_crud_extension
 [filter:crud_extension]
-paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory
+use = egg:keystone#crud_extension
 [filter:ec2_extension]
-paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory
+use = egg:keystone#ec2_extension
 [filter:ec2_extension_v3]
-paste.filter_factory = keystone.contrib.ec2:Ec2ExtensionV3.factory
+use = egg:keystone#ec2_extension_v3
 [filter:federation_extension]
-paste.filter_factory = keystone.contrib.federation.routers:FederationExtension.factory
+use = egg:keystone#federation_extension
 [filter:oauth1_extension]
-paste.filter_factory = keystone.contrib.oauth1.routers:OAuth1Extension.factory
+use = egg:keystone#oauth1_extension
 [filter:s3_extension]
-paste.filter_factory = keystone.contrib.s3:S3Extension.factory
+use = egg:keystone#s3_extension
 [filter:endpoint_filter_extension]
-paste.filter_factory = keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory
-
-[filter:endpoint_policy_extension]
-paste.filter_factory = keystone.contrib.endpoint_policy.routers:EndpointPolicyExtension.factory
+use = egg:keystone#endpoint_filter_extension
 [filter:simple_cert_extension]
-paste.filter_factory = keystone.contrib.simple_cert:SimpleCertExtension.factory
+use = egg:keystone#simple_cert_extension
 [filter:revoke_extension]
-paste.filter_factory = keystone.contrib.revoke.routers:RevokeExtension.factory
+use = egg:keystone#revoke_extension
 [filter:url_normalize]
-paste.filter_factory = keystone.middleware:NormalizingFilter.factory
+use = egg:keystone#url_normalize
 [filter:sizelimit]
-paste.filter_factory = oslo_middleware.sizelimit:RequestBodySizeLimiter.factory
+use = egg:keystone#sizelimit
 [app:public_service]
-paste.app_factory = keystone.service:public_app_factory
+use = egg:keystone#public_service
 [app:service_v3]
-paste.app_factory = keystone.service:v3_app_factory
+use = egg:keystone#service_v3
 [app:admin_service]
-paste.app_factory = keystone.service:admin_app_factory
+use = egg:keystone#admin_service
 [pipeline:public_api]
 # The last item in this pipeline must be public_service or an equivalent
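Review bot: `[filter:debug]` is carried over as `use = egg:keystone#debug`, yet no pipeline visible in this template references it, and as I understand keystone's debug middleware it prints request and response details, headers included, to the process's stdout; the template gives a reader no hint that the section is not meant for production use. I would add a comment above the section such as `# Development-only filter: prints request/response data to stdout. Do not add it to a production pipeline.` The rest of the hunk is a mechanical move to egg entry points, and the removal of `[filter:endpoint_policy_extension]` here matches the `api_v3` pipeline change in the next hunk.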
@@ -79,13 +76,13 @@ pipeline = sizelimit url_normalize request_id build_auth_context token_auth admi
 [pipeline:api_v3]
 # The last item in this pipeline must be service_v3 or an equivalent
 # application. It cannot be a filter.
-pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension oauth1_extension endpoint_filter_extension endpoint_policy_extension service_v3
+pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension oauth1_extension endpoint_filter_extension service_v3
 [app:public_version_service]
-paste.app_factory = keystone.service:public_version_app_factory
+use = egg:keystone#public_version_service
 [app:admin_version_service]
-paste.app_factory = keystone.service:admin_version_app_factory
+use = egg:keystone#admin_version_service
 [pipeline:public_version_api]
 pipeline = sizelimit url_normalize public_version_service
diff --git a/playbooks/roles/os_keystone/templates/policy.json.j2 b/playbooks/roles/os_keystone/templates/policy.json.j2
index e7db5ea33c..ebb94b02d0 100644
--- a/playbooks/roles/os_keystone/templates/policy.json.j2
+++ b/playbooks/roles/os_keystone/templates/policy.json.j2
@@ -6,6 +6,7 @@
 "admin_or_owner": "rule:admin_required or rule:owner",
 "token_subject": "user_id:%(target.token.user_id)s",
 "admin_or_token_subject": "rule:admin_required or rule:token_subject",
+ "service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject",
 "default": "rule:admin_required",
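Review bot: The rewritten `[pipeline:api_v3]` line still lists `admin_token_auth` next to `token_auth`, so the static admin token configured for bootstrap stays an accepted credential on the v3 API after this change; the commit only drops `endpoint_policy_extension` from the line. If the role needs the admin token only for initial bootstrap, consider making that filter's presence in the pipeline conditional on a role variable, or at least annotate the line with `# admin_token_auth honours the static admin_token; drop it from the pipeline once bootstrap is complete.` The hunk's funcname context suggests the `public_api` pipeline, which lies outside this hunk, has the same shape and would need the same treatment.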
@@ -88,14 +89,13 @@
 "identity:update_policy": "rule:admin_required",
 "identity:delete_policy": "rule:admin_required",
- "identity:check_token": "rule:admin_required",
- "identity:validate_token": "rule:service_or_admin",
+ "identity:check_token": "rule:admin_or_token_subject",
+ "identity:validate_token": "rule:service_admin_or_token_subject",
 "identity:validate_token_head": "rule:service_or_admin",
 "identity:revocation_list": "rule:service_or_admin",
 "identity:revoke_token": "rule:admin_or_token_subject",
 "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
- "identity:get_trust": "rule:admin_or_owner",
 "identity:list_trusts": "",
 "identity:list_roles_for_trust": "",
 "identity:get_role_for_trust": "",
@@ -128,6 +128,7 @@
 "identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
 "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
 "identity:get_endpoint_group_in_project": "rule:admin_required",
+ "identity:list_endpoint_groups_for_project": "rule:admin_required",
 "identity:add_endpoint_group_to_project": "rule:admin_required",
 "identity:remove_endpoint_group_from_project": "rule:admin_required",
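Review bot: Removing `"identity:get_trust": "rule:admin_or_owner"` without a replacement means that target now falls through to the catch-all `"default": "rule:admin_required"` shown in the earlier hunk of this file, which is stricter than the removed rule and is a behaviour change the commit message does not mention; unless the keystone release this role targets performs its own trustor/trustee check in the trust controller, non-admin users lose the ability to read their own trusts. Please confirm that is intended, and since JSON cannot carry a comment, record the reasoning in the role documentation or the commit message. The loosening of `identity:check_token` from `rule:admin_required` to `rule:admin_or_token_subject` lets a user inspect their own token and is consistent with the `identity:revoke_token` rule a few lines below, so that part looks coherent.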