From 4798dab6a232e8bd2ce9635c57b4bfd0f2351a57 Mon Sep 17 00:00:00 2001
From: kevin
Date: Fri, 19 Jun 2015 16:24:06 -0500
Subject: [PATCH] Updated keystone to use fernet as the default
This change simply enables fernet to be the default token backend and disables the keystone memcached configuration for token storage.
Change-Id: I1037a7fce567e476f07a5d3c220379d656248160
Related-Bug: #1463569
---
 playbooks/roles/os_keystone/defaults/main.yml | 4 ++--
 playbooks/roles/os_keystone/meta/main.yml | 5 ++++-
 .../roles/os_keystone/tasks/keystone_fernet_cleanup.yml | 2 ++
 .../os_keystone/tasks/keystone_fernet_keys_create.yml | 8 ++++++--
 playbooks/roles/os_keystone/templates/keystone.conf.j2 | 6 ++++--
 5 files changed, 18 insertions(+), 7 deletions(-)
diff --git a/playbooks/roles/os_keystone/defaults/main.yml b/playbooks/roles/os_keystone/defaults/main.yml
index a9709f9c6b..be7ab2d945 100644
--- a/playbooks/roles/os_keystone/defaults/main.yml
+++ b/playbooks/roles/os_keystone/defaults/main.yml
@@ -36,7 +36,7 @@ keystone_auth_methods: "password,token"
 keystone_identity_driver: "keystone.identity.backends.sql.Identity"
 # For a sql backed token storage use: "keystone.token.backends.sql.Token"
 keystone_token_driver: "keystone.token.persistence.backends.memcache.Token"
-keystone_token_provider: "keystone.token.providers.uuid.Provider"
+keystone_token_provider: "keystone.token.providers.fernet.Provider"
 keystone_token_expiration: 43200
 keystone_token_cache_time: 3600
@@ -47,7 +47,7 @@ keystone_revocation_expiration_buffer: 1800
 ## Fernet config vars
 keystone_fernet_tokens_key_repository: "/etc/keystone/fernet-keys"
-keystone_fernet_tokens_max_active_keys: 3
+keystone_fernet_tokens_max_active_keys: 7
 keystone_cache_expiration_time: 5400
diff --git a/playbooks/roles/os_keystone/meta/main.yml b/playbooks/roles/os_keystone/meta/main.yml
index b81945f0a7..7c2c07bf92 100644
--- a/playbooks/roles/os_keystone/meta/main.yml
+++ b/playbooks/roles/os_keystone/meta/main.yml
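Review bot: The comment `# For a sql backed token storage use: "keystone.token.backends.sql.Token"` directly above `keystone_token_driver` now sits next to a fernet default provider, and nothing in defaults says that the driver value is only consulted when the provider is not fernet (the keystone.conf.j2 hunks in this same patch stop rendering `driver` and the `[memcache]` section, and meta/main.yml stops pulling in memcached, in that case). Add a line above the new default such as `# With the fernet provider, keystone_token_driver is not rendered and memcached_server is not deployed for token storage.` so a reader does not assume the memcache driver is still active.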
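Review bot: `keystone_fernet_tokens_max_active_keys: 7` is raised without recording how it relates to `keystone_token_expiration: 43200` in the hunk above; keystone's documented sizing is max_active_keys = (token expiration / rotation interval) + 2, so 7 keys with a 12 h token lifetime only tolerates a rotation roughly every 2.4 h before tokens that have not yet expired lose the key that signed them. The rotate task in keystone_fernet_keys_create.yml later in this patch appears to run whenever keys already exist, which would make the playbook run cadence the effective rotation interval; the rest of that task's conditions are outside its hunk, so that is inferred and should be confirmed. Record the constraint next to the value, e.g. `# (keystone_token_expiration / rotation interval) + 2; with a 12h token lifetime, 7 keys tolerate rotation at most every ~2.4h`.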
@@ -34,4 +34,7 @@ dependencies:
 - galera_client
 - openstack_openrc
 - pip_lock_down
- - memcached_server
+ - role: memcached_server
+ when: >
+ 'memcache' in keystone_token_driver and
+ 'fernet' not in keystone_token_provider
diff --git a/playbooks/roles/os_keystone/tasks/keystone_fernet_cleanup.yml b/playbooks/roles/os_keystone/tasks/keystone_fernet_cleanup.yml
index 79c80b8b1b..d60e9c8b7a 100644
--- a/playbooks/roles/os_keystone/tasks/keystone_fernet_cleanup.yml
+++ b/playbooks/roles/os_keystone/tasks/keystone_fernet_cleanup.yml
@@ -18,6 +18,8 @@
 module: file path="/tmp/{{ keystone_fernet_tokens_key_repository|basename }}" state=absent
+ when: >
+ inventory_hostname == groups['keystone_all'][0]
 tags:
 - keystone-cleanup
 - keystone-setup
diff --git a/playbooks/roles/os_keystone/tasks/keystone_fernet_keys_create.yml b/playbooks/roles/os_keystone/tasks/keystone_fernet_keys_create.yml
index e8ea58b5fe..39a5b7095e 100644
--- a/playbooks/roles/os_keystone/tasks/keystone_fernet_keys_create.yml
+++ b/playbooks/roles/os_keystone/tasks/keystone_fernet_keys_create.yml
@@ -21,7 +21,9 @@
 - keystone-fernet
 - name: Create fernet keys for Keystone
- command: keystone-manage fernet_setup --keystone-user "{{ keystone_system_user_name }}" --keystone-group "{{ keystone_system_group_name }}"
+ command: >
+ keystone-manage fernet_setup --keystone-user "{{ keystone_system_user_name }}"
+ --keystone-group "{{ keystone_system_group_name }}"
 sudo: yes
 sudo_user: "{{ keystone_system_user_name }}"
 when: not _fernet_keys.stat.exists
@@ -30,7 +32,9 @@
 - keystone-fernet
 - name: Rotate fernet keys for Keystone
- command: keystone-manage fernet_rotate --keystone-user "{{ keystone_system_user_name }}" --keystone-group "{{ keystone_system_group_name }}"
+ command: >
+ keystone-manage fernet_rotate --keystone-user "{{ keystone_system_user_name }}"
+ --keystone-group "{{ keystone_system_group_name }}"
 sudo: yes
 sudo_user: "{{ keystone_system_user_name }}"
 when: _fernet_keys.stat.exists
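Review bot: The condition `'memcache' in keystone_token_driver and 'fernet' not in keystone_token_provider` on the new `role: memcached_server` dependency is written out again in the keystone.conf.j2 hunk that wraps `[memcache]`, and the template's `driver` hunk repeats only its second half; three hand-copied substring tests on class-path strings will drift the first time one is edited. Compute the decision once in defaults as a boolean (a constructed name such as `keystone_memcached_token_store` would do) and reference it from this `when:` and from both template conditions. Also, skipping the role dependency only removes memcached for token persistence; if the `[cache]` backend argument rendered immediately after that section in the template points at memcached, the server still has to come from somewhere, which is worth confirming before merging.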
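Review bot: The new `when: inventory_hostname == groups['keystone_all'][0]` guards a `file ... state=absent` removal of the fernet key copy under /tmp, but `state=absent` is already a no-op on hosts where the path does not exist, so the guard only skips the task while leaving any stray copy of key material on the other keystone hosts in place. Unless the first host is the only one that ever receives the /tmp copy (the staging task is not in this patch, so that is inferred), drop the guard or record the reason on the task, e.g. `# only the first keystone host holds the temporary /tmp copy of the key repository`. The task's `name:` line starts outside the hunk.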
diff --git a/playbooks/roles/os_keystone/templates/keystone.conf.j2 b/playbooks/roles/os_keystone/templates/keystone.conf.j2
index a0d9ea6a1f..fbd3eb00af 100644
--- a/playbooks/roles/os_keystone/templates/keystone.conf.j2
+++ b/playbooks/roles/os_keystone/templates/keystone.conf.j2
@@ -18,11 +18,11 @@ log_file = keystone.log
 log_dir = /var/log/keystone
 rpc_backend = {{ keystone_rpc_backend }}
-
+{% if 'memcache' in keystone_token_driver and 'fernet' not in keystone_token_provider %}
 [memcache]
 servers = {{ keystone_memcached_servers }}
 max_compare_and_set_retry = {{ keystone_memcached_max_compare_and_set_retry }}
-
+{% endif %}
 {% if keystone_cache_backend_argument is defined %}
 [cache]
@@ -83,7 +83,9 @@ expiration = {{ keystone_token_expiration }}
 caching = true
 cache_time = {{ keystone_token_cache_time }}
 provider = {{ keystone_token_provider }}
+{% if 'fernet' not in keystone_token_provider %}
 driver = {{ keystone_token_driver }}
+{% endif %}
 [eventlet_server]
 admin_bind_host = {{ keystone_bind_address }}
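Review bot: Wrapping `driver = {{ keystone_token_driver }}` in `{% if 'fernet' not in keystone_token_provider %}` does not leave keystone without a token driver; it falls back to keystone's built-in default for `[token] driver`, which is not the memcache backend this role otherwise configures, and nothing in the template says that fallback is intended. Add a template comment above the new `{% if %}`, e.g. `{# fernet tokens are not persisted, so [token] driver is left to keystone's built-in default #}`, so the omission is not later "fixed" by rendering the memcache driver unconditionally. The `[memcache]` hunk above reuses the condition from meta/main.yml and is covered by the note on that hunk.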