Updated keystone to use fernet as the default
This change simply enables fernet to be the default token backend and disables the keystone memcached configuration for token storage.

Change-Id: I1037a7fce567e476f07a5d3c220379d656248160
Related-Bug: #1463569
parent
2086f6edb1
commit
4798dab6a2
@ -36,7 +36,7 @@ keystone_auth_methods: "password,token"
|
|||||||
keystone_identity_driver: "keystone.identity.backends.sql.Identity"
|
keystone_identity_driver: "keystone.identity.backends.sql.Identity"
|
||||||
# For a sql backed token storage use: "keystone.token.backends.sql.Token"
|
# For a sql backed token storage use: "keystone.token.backends.sql.Token"
|
||||||
keystone_token_driver: "keystone.token.persistence.backends.memcache.Token"
|
keystone_token_driver: "keystone.token.persistence.backends.memcache.Token"
|
||||||
keystone_token_provider: "keystone.token.providers.uuid.Provider"
|
keystone_token_provider: "keystone.token.providers.fernet.Provider"
|
||||||
keystone_token_expiration: 43200
|
keystone_token_expiration: 43200
|
||||||
keystone_token_cache_time: 3600
|
keystone_token_cache_time: 3600
|
||||||
|
|
||||||
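Review bot: After this hunk keystone_token_provider defaults to the fernet provider, but keystone_token_driver keeps its memcache persistence default even though the keystone.conf template hunks further down stop rendering `driver` and the `[memcache]` section when the provider is fernet, and nothing in the defaults file says so. The comment above it ("For a sql backed token storage use ...") now points at a setting that is ignored under the default provider. I would add a comment next to the driver line such as `# Only used when keystone_token_provider is not fernet; ignored by the default (fernet) provider, which does not persist tokens.` so an operator does not tune a memcache token store that is never configured.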
@ -47,7 +47,7 @@ keystone_revocation_expiration_buffer: 1800
|
|||||||
|
|
||||||
## Fernet config vars
|
## Fernet config vars
|
||||||
keystone_fernet_tokens_key_repository: "/etc/keystone/fernet-keys"
|
keystone_fernet_tokens_key_repository: "/etc/keystone/fernet-keys"
|
||||||
keystone_fernet_tokens_max_active_keys: 3
|
keystone_fernet_tokens_max_active_keys: 7
|
||||||
|
|
||||||
keystone_cache_expiration_time: 5400
|
keystone_cache_expiration_time: 5400
|
||||||
|
|
||||||
|
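Review bot: The bump of keystone_fernet_tokens_max_active_keys from 3 to 7 is not mentioned in the commit message, which describes the change as "simply" switching the default provider. This value bounds how many rotated keys keystone keeps accepting, so it has to be chosen against the rotation cadence (the fernet_rotate task in a later hunk runs whenever the play reaches a host that already has keys) and keystone_token_expiration (43200 above): too few keys and still-valid tokens are rejected after a rotation, too many and a compromised old key stays usable for longer than the token lifetime requires. Please state the intended rotation interval and the reasoning for 7 in the commit message, and ideally in a comment on the variable, e.g. `# Must cover keystone_token_expiration across the rotation interval; see keystone-manage fernet_rotate`.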
@ -34,4 +34,7 @@ dependencies:
|
|||||||
- galera_client
|
- galera_client
|
||||||
- openstack_openrc
|
- openstack_openrc
|
||||||
- pip_lock_down
|
- pip_lock_down
|
||||||
- memcached_server
|
- role: memcached_server
|
||||||
|
when: >
|
||||||
|
'memcache' in keystone_token_driver and
|
||||||
|
'fernet' not in keystone_token_provider
|
||||||
|
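Review bot: The condition `'memcache' in keystone_token_driver and 'fernet' not in keystone_token_provider` added here is repeated verbatim as a Jinja `{% if %}` around the `[memcache]` section in the keystone.conf template hunk, and a shortened form (`'fernet' not in keystone_token_provider`) guards `driver` in the `[token]` section. Three copies of the same policy will drift; I would compute it once as a default (e.g. a boolean like `keystone_memcached_token_store` derived from the two variables) and reference that in the dependency `when:` and both template conditionals. Both tests are substring matches, so any provider string containing "fernet" is treated as fernet; matching the exact class path would be stricter, though the looser match may be intentional to allow subclassed providers, so worth a comment either way.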
@ -18,6 +18,8 @@
|
|||||||
module: file
|
module: file
|
||||||
path="/tmp/{{ keystone_fernet_tokens_key_repository|basename }}"
|
path="/tmp/{{ keystone_fernet_tokens_key_repository|basename }}"
|
||||||
state=absent
|
state=absent
|
||||||
|
when: >
|
||||||
|
inventory_hostname == groups['keystone_all'][0]
|
||||||
tags:
|
tags:
|
||||||
- keystone-cleanup
|
- keystone-cleanup
|
||||||
- keystone-setup
|
- keystone-setup
|
||||||
|
@ -21,7 +21,9 @@
|
|||||||
- keystone-fernet
|
- keystone-fernet
|
||||||
|
|
||||||
- name: Create fernet keys for Keystone
|
- name: Create fernet keys for Keystone
|
||||||
command: keystone-manage fernet_setup --keystone-user "{{ keystone_system_user_name }}" --keystone-group "{{ keystone_system_group_name }}"
|
command: >
|
||||||
|
keystone-manage fernet_setup --keystone-user "{{ keystone_system_user_name }}"
|
||||||
|
--keystone-group "{{ keystone_system_group_name }}"
|
||||||
sudo: yes
|
sudo: yes
|
||||||
sudo_user: "{{ keystone_system_user_name }}"
|
sudo_user: "{{ keystone_system_user_name }}"
|
||||||
when: not _fernet_keys.stat.exists
|
when: not _fernet_keys.stat.exists
|
||||||
@ -30,7 +32,9 @@
|
|||||||
- keystone-fernet
|
- keystone-fernet
|
||||||
|
|
||||||
- name: Rotate fernet keys for Keystone
|
- name: Rotate fernet keys for Keystone
|
||||||
command: keystone-manage fernet_rotate --keystone-user "{{ keystone_system_user_name }}" --keystone-group "{{ keystone_system_group_name }}"
|
command: >
|
||||||
|
keystone-manage fernet_rotate --keystone-user "{{ keystone_system_user_name }}"
|
||||||
|
--keystone-group "{{ keystone_system_group_name }}"
|
||||||
sudo: yes
|
sudo: yes
|
||||||
sudo_user: "{{ keystone_system_user_name }}"
|
sudo_user: "{{ keystone_system_user_name }}"
|
||||||
when: _fernet_keys.stat.exists
|
when: _fernet_keys.stat.exists
|
||||||
|
@ -18,11 +18,11 @@ log_file = keystone.log
|
|||||||
log_dir = /var/log/keystone
|
log_dir = /var/log/keystone
|
||||||
rpc_backend = {{ keystone_rpc_backend }}
|
rpc_backend = {{ keystone_rpc_backend }}
|
||||||
|
|
||||||
|
{% if 'memcache' in keystone_token_driver and 'fernet' not in keystone_token_provider %}
|
||||||
[memcache]
|
[memcache]
|
||||||
servers = {{ keystone_memcached_servers }}
|
servers = {{ keystone_memcached_servers }}
|
||||||
max_compare_and_set_retry = {{ keystone_memcached_max_compare_and_set_retry }}
|
max_compare_and_set_retry = {{ keystone_memcached_max_compare_and_set_retry }}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
{% if keystone_cache_backend_argument is defined %}
|
{% if keystone_cache_backend_argument is defined %}
|
||||||
[cache]
|
[cache]
|
||||||
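Review bot: Wrapping `[memcache]` in the new conditional removes the memcached server list from keystone.conf whenever fernet is the provider, and the meta hunk stops deploying memcached_server at the same time, yet the `[cache]` section below is still rendered whenever keystone_cache_backend_argument is defined. If that argument points the dogpile cache at memcached (I cannot tell from this page), the default fernet deployment would render a cache backend with no reachable server; please confirm and, if so, either tie the memcached dependency to the cache configuration as well or note the constraint in the defaults. A short template comment before the `{% if %}` stating that this block only feeds the memcache token persistence driver, not `[cache]`, would make the intended scope clear to the next reader.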
@ -83,7 +83,9 @@ expiration = {{ keystone_token_expiration }}
|
|||||||
caching = true
|
caching = true
|
||||||
cache_time = {{ keystone_token_cache_time }}
|
cache_time = {{ keystone_token_cache_time }}
|
||||||
provider = {{ keystone_token_provider }}
|
provider = {{ keystone_token_provider }}
|
||||||
|
{% if 'fernet' not in keystone_token_provider %}
|
||||||
driver = {{ keystone_token_driver }}
|
driver = {{ keystone_token_driver }}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
[eventlet_server]
|
[eventlet_server]
|
||||||
admin_bind_host = {{ keystone_bind_address }}
|
admin_bind_host = {{ keystone_bind_address }}
|
||||||
|