Updated keystone to use fernet as the default

This change simply enables fernet to be the default token backend
and disables the keystone memcached configuration for token storage.

Change-Id: I1037a7fce567e476f07a5d3c220379d656248160
Related-Bug: #1463569
kevin 2015-06-19 16:24:06 -05:00 committed by Ian Cordasco
parent 2086f6edb1
commit 4798dab6a2
5 changed files with 18 additions and 7 deletions


@ -36,7 +36,7 @@ keystone_auth_methods: "password,token"
keystone_identity_driver: "keystone.identity.backends.sql.Identity" keystone_identity_driver: "keystone.identity.backends.sql.Identity"
# For a sql backed token storage use: "keystone.token.backends.sql.Token" # For a sql backed token storage use: "keystone.token.backends.sql.Token"
keystone_token_driver: "keystone.token.persistence.backends.memcache.Token" keystone_token_driver: "keystone.token.persistence.backends.memcache.Token"
keystone_token_provider: "keystone.token.providers.uuid.Provider" keystone_token_provider: "keystone.token.providers.fernet.Provider"
keystone_token_expiration: 43200 keystone_token_expiration: 43200
keystone_token_cache_time: 3600 keystone_token_cache_time: 3600
@ -47,7 +47,7 @@ keystone_revocation_expiration_buffer: 1800
## Fernet config vars ## Fernet config vars
keystone_fernet_tokens_key_repository: "/etc/keystone/fernet-keys" keystone_fernet_tokens_key_repository: "/etc/keystone/fernet-keys"
keystone_fernet_tokens_max_active_keys: 3 keystone_fernet_tokens_max_active_keys: 7
keystone_cache_expiration_time: 5400 keystone_cache_expiration_time: 5400
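Review bot: The bump of `keystone_fernet_tokens_max_active_keys` from 3 to 7 on the line above is not explained, and the value is only meaningful together with the rotation cadence and `keystone_token_expiration` (43200 s in this hunk): a token must still be validatable by a key that rotation has not yet dropped from the repository. A comment such as `# Keep enough keys that tokens issued under the oldest active key outlive keystone_token_expiration across the rotation schedule (see keystone-manage fernet_rotate)` would record that dependency; the rotation schedule itself is outside this hunk. Likewise `keystone_token_driver` still defaults to the memcache persistence driver while the provider is now fernet; a note that the driver is only rendered into keystone.conf when the provider is not fernet (the template hunk in this commit) would prevent readers from assuming memcached is still used for tokens.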


@ -34,4 +34,7 @@ dependencies:
- galera_client - galera_client
- openstack_openrc - openstack_openrc
- pip_lock_down - pip_lock_down
- memcached_server - role: memcached_server
when: >
'memcache' in keystone_token_driver and
'fernet' not in keystone_token_provider
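Review bot: The `when:` added to the memcached_server dependency is a substring test on two strings, and the identical expression is repeated verbatim in the keystone.conf template hunk of this commit, so the two copies can drift silently when one of them is edited. Computing it once, e.g. `keystone_memcached_required: "{{ 'memcache' in keystone_token_driver and 'fernet' not in keystone_token_provider }}"` in the defaults, and referencing that variable in both the dependency and the template keeps a single point of truth. The dependencies list begins above this hunk.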


@ -18,6 +18,8 @@
module: file module: file
path="/tmp/{{ keystone_fernet_tokens_key_repository|basename }}" path="/tmp/{{ keystone_fernet_tokens_key_repository|basename }}"
state=absent state=absent
when: >
inventory_hostname == groups['keystone_all'][0]
tags: tags:
- keystone-cleanup - keystone-cleanup
- keystone-setup - keystone-setup
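Review bot: Restricting the removal of `/tmp/{{ keystone_fernet_tokens_key_repository|basename }}` to `groups['keystone_all'][0]` means the staged copy of the fernet key repository is deleted only on the first keystone host. If the same `/tmp` path is populated on the other hosts by tasks outside this hunk (the copy/fetch step is not visible here), those hosts would keep signing-key material in a world-readable directory after the play finishes. Either run the cleanup on every host where the copy is created, or add a comment stating the invariant, e.g. `# The key repository is only staged under /tmp on the first keystone host, so it is removed there only.` The task's `name:` line is above this hunk.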


@ -21,7 +21,9 @@
- keystone-fernet - keystone-fernet
- name: Create fernet keys for Keystone - name: Create fernet keys for Keystone
command: keystone-manage fernet_setup --keystone-user "{{ keystone_system_user_name }}" --keystone-group "{{ keystone_system_group_name }}" command: >
keystone-manage fernet_setup --keystone-user "{{ keystone_system_user_name }}"
--keystone-group "{{ keystone_system_group_name }}"
sudo: yes sudo: yes
sudo_user: "{{ keystone_system_user_name }}" sudo_user: "{{ keystone_system_user_name }}"
when: not _fernet_keys.stat.exists when: not _fernet_keys.stat.exists
@ -30,7 +32,9 @@
- keystone-fernet - keystone-fernet
- name: Rotate fernet keys for Keystone - name: Rotate fernet keys for Keystone
command: keystone-manage fernet_rotate --keystone-user "{{ keystone_system_user_name }}" --keystone-group "{{ keystone_system_group_name }}" command: >
keystone-manage fernet_rotate --keystone-user "{{ keystone_system_user_name }}"
--keystone-group "{{ keystone_system_group_name }}"
sudo: yes sudo: yes
sudo_user: "{{ keystone_system_user_name }}" sudo_user: "{{ keystone_system_user_name }}"
when: _fernet_keys.stat.exists when: _fernet_keys.stat.exists


@ -18,11 +18,11 @@ log_file = keystone.log
log_dir = /var/log/keystone log_dir = /var/log/keystone
rpc_backend = {{ keystone_rpc_backend }} rpc_backend = {{ keystone_rpc_backend }}
{% if 'memcache' in keystone_token_driver and 'fernet' not in keystone_token_provider %}
[memcache] [memcache]
servers = {{ keystone_memcached_servers }} servers = {{ keystone_memcached_servers }}
max_compare_and_set_retry = {{ keystone_memcached_max_compare_and_set_retry }} max_compare_and_set_retry = {{ keystone_memcached_max_compare_and_set_retry }}
{% endif %}
{% if keystone_cache_backend_argument is defined %} {% if keystone_cache_backend_argument is defined %}
[cache] [cache]
@ -83,7 +83,9 @@ expiration = {{ keystone_token_expiration }}
caching = true caching = true
cache_time = {{ keystone_token_cache_time }} cache_time = {{ keystone_token_cache_time }}
provider = {{ keystone_token_provider }} provider = {{ keystone_token_provider }}
{% if 'fernet' not in keystone_token_provider %}
driver = {{ keystone_token_driver }} driver = {{ keystone_token_driver }}
{% endif %}
[eventlet_server] [eventlet_server]
admin_bind_host = {{ keystone_bind_address }} admin_bind_host = {{ keystone_bind_address }}
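Review bot: The `[memcache]` block is now skipped under the same condition that skips the memcached_server role dependency, but the `[cache]` section rendered from `keystone_cache_backend_argument` stays unconditional. If that argument points the cache layer at the same memcached servers (its contents are not in this hunk), a fernet deployment will render a cache backend that this role no longer installs, which is worth confirming. Either tie the dependency condition to the cache backend as well, or add a comment above `[cache]` such as `{# cache backend is independent of token persistence; memcached must be provided separately when fernet is used #}`. The `[token]` hunk below omitting `driver` for fernet is consistent with the commit's intent of disabling token storage.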