Updated keystone to use fernet as the default
This change simply enables fernet to be the default token backend and disables the keystone memcached configuration for token storage. Change-Id: I1037a7fce567e476f07a5d3c220379d656248160 Related-Bug: #1463569
parent
2086f6edb1
commit
4798dab6a2
@ -36,7 +36,7 @@ keystone_auth_methods: "password,token"
|
||||
keystone_identity_driver: "keystone.identity.backends.sql.Identity"
|
||||
# For a sql backed token storage use: "keystone.token.backends.sql.Token"
|
||||
keystone_token_driver: "keystone.token.persistence.backends.memcache.Token"
|
||||
keystone_token_provider: "keystone.token.providers.uuid.Provider"
|
||||
keystone_token_provider: "keystone.token.providers.fernet.Provider"
|
||||
keystone_token_expiration: 43200
|
||||
keystone_token_cache_time: 3600
|
||||
|
||||
@ -47,7 +47,7 @@ keystone_revocation_expiration_buffer: 1800
|
||||
|
||||
## Fernet config vars
|
||||
keystone_fernet_tokens_key_repository: "/etc/keystone/fernet-keys"
|
||||
keystone_fernet_tokens_max_active_keys: 3
|
||||
keystone_fernet_tokens_max_active_keys: 7
|
||||
|
||||
keystone_cache_expiration_time: 5400
|
||||
|
||||
|
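Review bot: `keystone_token_driver` still names the memcache persistence driver while the new default provider is fernet, and nothing in this file tells the reader that the driver variable is now inert; keystone.conf.j2 emits `driver` only when `'fernet' not in keystone_token_provider`, so editing this value has no effect under the new default. I'd add above it `# Only written to keystone.conf when keystone_token_provider is not fernet; fernet tokens are not persisted.` and keep the existing sql hint beneath. The raise of `keystone_fernet_tokens_max_active_keys` to 7 also deserves a comment tying it to `keystone_token_expiration` (43200 s here): the active key set must span at least one token lifetime across rotations, otherwise a token issued under a key that has since been rotated out stops validating. The rotation schedule that determines whether 7 is enough is not visible in this change.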
@ -34,4 +34,7 @@ dependencies:
|
||||
- galera_client
|
||||
- openstack_openrc
|
||||
- pip_lock_down
|
||||
- memcached_server
|
||||
- role: memcached_server
|
||||
when: >
|
||||
'memcache' in keystone_token_driver and
|
||||
'fernet' not in keystone_token_provider
|
||||
|
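Review bot: The condition under `- role: memcached_server` (`'memcache' in keystone_token_driver and 'fernet' not in keystone_token_provider`) is repeated verbatim as the `[memcache]` guard in keystone.conf.j2, so the two can drift and leave memcached deployed but unreferenced, or referenced but not deployed. Computing it once in the role defaults, e.g. `keystone_memcached_token_storage: "{{ 'memcache' in keystone_token_driver and 'fernet' not in keystone_token_provider }}"`, and using `when: keystone_memcached_token_storage | bool` here and `{% if keystone_memcached_token_storage | bool %}` in the template keeps them in step. The substring tests are loose — any driver path containing `memcache` qualifies — which is fine for the two class paths used in this change but is worth a one-line comment so the next driver string does not silently match.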
@ -18,6 +18,8 @@
|
||||
module: file
|
||||
path="/tmp/{{ keystone_fernet_tokens_key_repository|basename }}"
|
||||
state=absent
|
||||
when: >
|
||||
inventory_hostname == groups['keystone_all'][0]
|
||||
tags:
|
||||
- keystone-cleanup
|
||||
- keystone-setup
|
||||
|
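Review bot: The removal of `/tmp/{{ keystone_fernet_tokens_key_repository|basename }}` is now limited to `groups['keystone_all'][0]`, but the task header and whatever populates that directory start outside the hunk, so it is not visible whether other keystone hosts ever receive it; if they do, the directory is now left behind on them. If it is a staging copy of the fernet keys, a predictable path under the shared, world-writable /tmp is a poor home for key material, since an entry pre-created there by another local user is picked up by the play instead of a fresh one. A directory the play creates itself with mode 0700 and the keystone user as owner (path chosen by the role, not /tmp) avoids that, and the host restriction should be recorded above the `when` with `# only the first keystone host holds the staged key copy`.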
@ -21,7 +21,9 @@
|
||||
- keystone-fernet
|
||||
|
||||
- name: Create fernet keys for Keystone
|
||||
command: keystone-manage fernet_setup --keystone-user "{{ keystone_system_user_name }}" --keystone-group "{{ keystone_system_group_name }}"
|
||||
command: >
|
||||
keystone-manage fernet_setup --keystone-user "{{ keystone_system_user_name }}"
|
||||
--keystone-group "{{ keystone_system_group_name }}"
|
||||
sudo: yes
|
||||
sudo_user: "{{ keystone_system_user_name }}"
|
||||
when: not _fernet_keys.stat.exists
|
||||
@ -30,7 +32,9 @@
|
||||
- keystone-fernet
|
||||
|
||||
- name: Rotate fernet keys for Keystone
|
||||
command: keystone-manage fernet_rotate --keystone-user "{{ keystone_system_user_name }}" --keystone-group "{{ keystone_system_group_name }}"
|
||||
command: >
|
||||
keystone-manage fernet_rotate --keystone-user "{{ keystone_system_user_name }}"
|
||||
--keystone-group "{{ keystone_system_group_name }}"
|
||||
sudo: yes
|
||||
sudo_user: "{{ keystone_system_user_name }}"
|
||||
when: _fernet_keys.stat.exists
|
||||
|
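Review bot: `keystone-manage fernet_rotate` runs on every play in which the repository already exists (`when: _fernet_keys.stat.exists`), so each run of the role rotates the primary key; with `keystone_fernet_tokens_max_active_keys: 7` and a 43200 s token expiration, running the role several times inside the expiry window can retire the key a live token was issued under, after which that token fails validation. Unless the task is restricted elsewhere (its surrounding play starts outside the hunk), I'd gate it on an explicit role variable defaulting to false, `when: _fernet_keys.stat.exists and keystone_fernet_rotate | bool`, so rotation is a deliberate action rather than a side effect of any reconfiguration. The folded `command: >` blocks are fine as written; a short `# rotates the primary key — keep the run cadence below max_active_keys per token lifetime` above the rotate task would record the coupling.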
@ -18,11 +18,11 @@ log_file = keystone.log
|
||||
log_dir = /var/log/keystone
|
||||
rpc_backend = {{ keystone_rpc_backend }}
|
||||
|
||||
|
||||
{% if 'memcache' in keystone_token_driver and 'fernet' not in keystone_token_provider %}
|
||||
[memcache]
|
||||
servers = {{ keystone_memcached_servers }}
|
||||
max_compare_and_set_retry = {{ keystone_memcached_max_compare_and_set_retry }}
|
||||
|
||||
{% endif %}
|
||||
|
||||
{% if keystone_cache_backend_argument is defined %}
|
||||
[cache]
|
||||
@ -83,7 +83,9 @@ expiration = {{ keystone_token_expiration }}
|
||||
caching = true
|
||||
cache_time = {{ keystone_token_cache_time }}
|
||||
provider = {{ keystone_token_provider }}
|
||||
{% if 'fernet' not in keystone_token_provider %}
|
||||
driver = {{ keystone_token_driver }}
|
||||
{% endif %}
|
||||
|
||||
[eventlet_server]
|
||||
admin_bind_host = {{ keystone_bind_address }}
|
||||
|
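Review bot: With `driver` now omitted from `[token]` when the provider is fernet, keystone's fernet configuration depends on a `[fernet_tokens]` section carrying `key_repository = {{ keystone_fernet_tokens_key_repository }}` and `max_active_keys = {{ keystone_fernet_tokens_max_active_keys }}`; neither hunk shows one, so if it is not elsewhere in the template keystone falls back to its compiled-in defaults and the two variables defined for it are dead. Worth confirming before merge. A comment on the new guard, `{# fernet tokens are not persisted; driver only applies to non-fernet providers such as uuid #}`, would explain to a reader why the line disappears for the default configuration.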