Implement multi-domain LDAP configuration for Keystone

This patch changes the keystone_ldap configuration to allow multiple LDAP identity back-end configurations to be implemented. Example implementation in user_variables.yml: keystone_ldap: Users: url: "ldap://10.10.10.10" user: "root" password: "secrete" ... Admins: url: "ldap://20.20.20.20" user: "root" password: "secrete" ... This will place two configuration files into /etc/keystone/domains/, both of which will be configured to use the LDAP driver. - keystone.Users.conf - keystone.Admins.conf Each first level key entry is a domain name. Each entry below that are key-value pairs for the 'ldap' section in the configuration file. Note that the reason why only LDAP is catered for is due to the fact that LDAP is the only supported driver in OpenStack for Domain-specific configuration files. Also the reason that only the identity back-end is catered for is that the LDAP driver for the role, resource and assignment back-ends have been deprecated and are scheduled for removal in Mitaka. UpgradeImpact: - keystone_ldap's first key tier is now the domain name. An existing keystone_ldap configuration entry can be converted by renaming the 'ldap' key to the domain name 'Default'. **Note** that the domain name entry is case-sensitive. - keystone_ldap_identity_driver has been removed, as the driver for ldap is now simply 'ldap' and there are no other back-end options for Keystone at this time. Change-Id: Ifa4c42f7dbcc40a256a3156f74f0150384f9ab87
2015-12-15 16:55:53 +00:00 · 2015-12-15 16:55:53 +00:00 · 54808a7802
parent 86013b33c4
commit 54808a7802
10 changed files with 118 additions and 50 deletions
--- a/doc/source/install-guide/configure-keystone.rst
+++ b/doc/source/install-guide/configure-keystone.rst
@ -17,38 +17,47 @@ options.

 .. _Securing services with SSL certificates: configure-sslcertificates.html

-Special considerations when using LDAP or AD backends
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Implementing LDAP (or AD) Back-Ends
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

-Configuring LDAP or Active Directory (AD) backends for keystone can make
-deployment easier, but there are special considerations for these types of
-deployments.
+In many environments there may already be a LDAP (or Active Directory) service
+available which already has Users, Groups and User-Group assignment data.
+Keystone can be configured to make use of the LDAP service using
+Domain-specific Back-End configuration.

-Creating users
-""""""""""""""
+While it is possible to set the Keystone Identity Back-End to use LDAP for
+the Default domain, this is not recommended. It is a better practice to use
+the Default domain for service accounts and to configure additional Domains
+for LDAP services which provide general User/Group data.

-During an OpenStack-Ansible deployment, the individual roles that deploy
-various OpenStack services will attempt to create users in keystone. For
-deployments where keystone uses LDAP as an authentication backend, these users
-must be created **prior** to the running the OpenStack-Ansible playbooks. The
-tasks for adding keystone users within individual role playbooks will be
-skipped.
+Example implementation in user_variables.yml:

-Stacked authentication
-""""""""""""""""""""""
+keystone_ldap:
+  Users:
+    url: "ldap://10.10.10.10"
+    user: "root"
+    password: "secrete"
+    ...
+  Admins:
+    url: "ldap://20.20.20.20"
+    user: "root"
+    password: "secrete"
+    ...

-Some deployers may prefer to use "stacked" authentication where some users
-exist in a SQL backend while other users exist in an LDAP or Active Directory
-(AD) backend. This can be useful for deploys who want to reduce the number of
-service accounts that must exist in LDAP or AD.
+This will place two configuration files into /etc/keystone/domains/, both of
+which will be configured to use the LDAP driver.

-For more details on stacked authentication, see `Matt Fischer's blog post`_ or
-review IBM's documentation titled `Configure OpenStack Keystone support for
-domain-specific corporate directories`_.
+ - keystone.Users.conf
+ - keystone.Admins.conf

-.. _Matt Fischer's blog post: http://www.mattfischer.com/blog/?p=576
-.. _Configure OpenStack Keystone support for domain-specific corporate directories: http://www.ibm.com/developerworks/cloud/library/cl-configure-keystone-ldap-and-active-directory/index.html
+Each first level key entry is a domain name. Each entry below that are
+key-value pairs for the 'ldap' section in the configuration file.

--------------
+More details regarding valid configuration for the LDAP Identity Back-End can
+be found in the `Keystone Developer Documentation`_ and the
+`OpenStack Admin Guide`_.
+
+.. _Keystone Developer Documentation: http://docs.openstack.org/developer/keystone/configuration.html#configuring-the-ldap-identity-provider
+.. _OpenStack Admin Guide: http://docs.openstack.org/admin-guide-cloud/keystone_integrate_identity_backend_ldap.html

 .. include:: navigation.txt
--- a/playbooks/inventory/group_vars/hosts.yml
+++ b/playbooks/inventory/group_vars/hosts.yml
@ -87,7 +87,7 @@ dhcp_domain: openstacklocal
 #openstack_service_internaluri_proto: http

 ## LDAP enabled toggle
-service_ldap_backend_enabled: "{{ keystone_ldap is defined }}"
+service_ldap_backend_enabled: "{{ keystone_ldap is defined and keystone_ldap.Default is defined }}"


 ## Aodh
--- a/playbooks/roles/os_keystone/defaults/main.yml
+++ b/playbooks/roles/os_keystone/defaults/main.yml
@ -165,22 +165,26 @@ keystone_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ inter
 # If set this will enable dog pile cache for keystone.
 # keystone_cache_backend_argument: url:127.0.0.1:11211

-## LDAP section
-# Define keystone ldap information here.
+## LDAP Section
+# Define Keystone LDAP domain configuration here.
+# This may be used to add configuration for a LDAP identity back-end.
 # See the http://docs.openstack.org/admin-guide-cloud/keystone_integrate_with_ldap.html
-# for more information on available options. The sections here are defined as key: value pairs. Each
-# top level key bellow ``keystone_ldap`` is a section.
+#
+# Each top-level entry is a domain name. Each entry below that are key: value pairs for
+# the ldap section in the domain-specific configuraiton file.
+#
 # (EXAMPLE LAYOUT)
 # keystone_ldap:
-#   ldap:
+#   Users:
 #     url: "ldap://127.0.0.1"
 #     user: "root"
 #     password: "secrete"
 #     ...

-keystone_ldap_identity_driver: ldap
+keystone_ldap: {}
 keystone_ldap_domain_config_dir: /etc/keystone/domains

+
 # If you want to regenerate the keystone users SSH keys, on each run, set this var to True
 # Otherwise keys will be generated on the first run and not regenerated each run.
 keystone_recreate_keys: False
--- a/playbooks/roles/os_keystone/tasks/keystone_ldap_setup.yml
+++ b/playbooks/roles/os_keystone/tasks/keystone_ldap_setup.yml
@ -0,0 +1,41 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+- name: Create Keystone LDAP domains
+  keystone:
+    command: ensure_domain
+    domain_name: "{{ item.key }}"
+    token: "{{ keystone_auth_admin_token }}"
+    endpoint: "{{ keystone_service_adminurl }}"
+    insecure: "{{ keystone_service_adminuri_insecure }}"
+  with_dict: keystone_ldap
+  run_once: true
+  tags:
+    - keystone-ldap-domain-create
+
+- name: Create Keystone LDAP domain configs
+  template:
+    src: keystone.domain.conf.j2
+    dest: "{{ keystone_ldap_domain_config_dir }}/keystone.{{ item.key }}.conf"
+    owner: "{{ keystone_system_user_name }}"
+    group: "{{ keystone_system_group_name }}"
+    mode: "0644"
+  with_dict: keystone_ldap
+  notify:
+    - Restart Apache
+  tags:
+    - keystone-ldap-domain-config
+
--- a/playbooks/roles/os_keystone/tasks/keystone_post_install.yml
+++ b/playbooks/roles/os_keystone/tasks/keystone_post_install.yml
@ -27,10 +27,6 @@
      dest: "/etc/keystone/keystone.conf"
      config_overrides: "{{ keystone_keystone_conf_overrides }}"
      config_type: "ini"
-    - src: "keystone.Default.conf.j2"
-      dest: "{{ keystone_ldap_domain_config_dir }}/keystone.Default.conf"
-      config_overrides: "{{ keystone_keystone_default_conf_overrides }}"
-      config_type: "ini"
    - src: "keystone-paste.ini.j2"
      dest: "/etc/keystone/keystone-paste.ini"
      config_overrides: "{{ keystone_keystone_paste_ini_overrides }}"
--- a/playbooks/roles/os_keystone/tasks/main.yml
+++ b/playbooks/roles/os_keystone/tasks/main.yml
@ -47,6 +47,11 @@
  when: >
    inventory_hostname == groups['keystone_all'][0]

+- include: keystone_ldap_setup.yml
+  tags:
+    - keystone-config
+    - keystone-ldap
+
 - include: keystone_federation_sp_idp_setup.yml
  when: >
    keystone_sp is defined and
--- a/playbooks/roles/os_keystone/templates/keystone.Default.conf.j2
+++ b/playbooks/roles/os_keystone/templates/keystone.Default.conf.j2
@ -1,12 +0,0 @@
-# LDAP configuration options
-{% if keystone_ldap is defined %}
-[identity]
-driver = {{ keystone_ldap_identity_driver }}
-
-{% for section in keystone_ldap|dictsort %}
-[{{ section.0 }}]
-{% for key, value in section.1.items() %}
-{{ key }} = {{ value }}
-{% endfor %}
-{% endfor %}
-{% endif %}
--- a/playbooks/roles/os_keystone/templates/keystone.conf.j2
+++ b/playbooks/roles/os_keystone/templates/keystone.conf.j2
@ -64,8 +64,10 @@ max_active_keys = {{ keystone_fernet_tokens_max_active_keys }}


 [identity]
-driver = {{ keystone_identity_driver }}
-{% if keystone_ldap is defined and keystone_ldap.ldap %}
+{% if keystone_ldap.Default is not defined %}
+driver = sql
+{% endif %}
+{% if keystone_ldap | length > 0 %}
 domain_config_dir = {{ keystone_ldap_domain_config_dir }}
 domain_specific_drivers_enabled = True
 {% endif %}
--- a/playbooks/roles/os_keystone/templates/keystone.domain.conf.j2
+++ b/playbooks/roles/os_keystone/templates/keystone.domain.conf.j2
@ -0,0 +1,9 @@
+# {{ ansible_managed }}
+
+[identity]
+driver = ldap
+
+[ldap]
+{% for key, value in item.value | dictsort %}
+{{ key }} = {{ value }}
+{% endfor %}
--- a/releasenotes/notes/multiple-ldap-domains-f188f65678216587.yaml
+++ b/releasenotes/notes/multiple-ldap-domains-f188f65678216587.yaml
@ -0,0 +1,14 @@
+---
+features:
+ - Keystone can now be configured for multiple LDAP or Active Directory
+   identity back-ends. Configuration of this feature is documented in the
+   `Keystone Configuration <http://docs.openstack.org/developer/openstack-ansible/install-guide/configure-keystone.html>`_
+   section of the `Install Guide <http://docs.openstack.org/developer/openstack-ansible/install-guide/>`_.
+upgrade:
+ - The first tier of the ``keystone_ldap`` dictionary variable now relates to
+   the Keystone Domain name. An existing ``keystone_ldap`` configuration entry
+   can be converted by renaming the ``ldap`` key to the domain name 'Default'.
+   **Note** that the domain name entry is case-sensitive.
+ - The ``keystone_ldap_identity_driver`` variable has been removed. The driver
+   for an LDAP back-end in Keystone now simply uses the value 'ldap'. There
+   are no other back-end options for Keystone at this time.