Improve Keystone Apache configuration

This patch does the following:

1. Introduces two new Keystone variables which are useful for
   debugging the Keystone service. The values are defaulted
   to the same values as before the patch.
   - keystone_wsgi_processes: number of wsgi processes to run
   - keystone_wsgi_threads: number of wsgi threads to run

4. Moves the keystone service and admin processes into their
   own wsgi groups for better isolation.

5. Sets each wsgi process to run under the keystone group.

6. Bring the configuration file in line with the upstream
   recommended configuration as at 4 Aug 2015 in order to
   overcome import race conditions.

Change-Id: I861d1ef233dd6121452dc0e9e590d2d9f9b7973e
Closes-Bug: #1481339

playbooks/roles/os_keystone/defaults/main.yml

@@ -124,6 +124,8 @@ keystone_service_adminurl: "{{ keystone_service_adminurl_v3 }}"
 
 ## Apache setup
 keystone_apache_log_level: info
+keystone_wsgi_threads: "{{ ansible_processor_vcpus | default(2) // 2 }}"
+keystone_wsgi_processes: "{{ ansible_processor_vcpus | default(1) }}"
 
 keystone_ssl_enabled: false
 keystone_ssl_cert_path: /etc/ssl/certs

playbooks/roles/os_keystone/templates/keystone-httpd.conf.j2

@@ -1,10 +1,16 @@
 # {{ ansible_managed }}
 
-{% set threads = ansible_processor_vcpus|default(2) // 2 %}
-
-WSGIDaemonProcess keystone user={{ keystone_system_user_name }} group=nogroup processes={{ ansible_processor_cores|default(1) }} threads={{ threads if threads > 0 else 1 }}
-
 <VirtualHost *:{{ keystone_service_port }}>
+    WSGIDaemonProcess     keystone-service user={{ keystone_system_user_name }} group={{ keystone_system_group_name }} processes={{ keystone_wsgi_processes }} threads={{ keystone_wsgi_threads }} display-name=%{GROUP}
+    WSGIProcessGroup      keystone-service
+    WSGIScriptAlias       / /var/www/cgi-bin/keystone/main
+    WSGIApplicationGroup  %{GLOBAL}
+    WSGIPassAuthorization On
+
+    <IfVersion >= 2.4>
+      ErrorLogFormat "%{cu}t %M"
+    </IfVersion>
+
     LogLevel  {{  keystone_apache_log_level }}
     ErrorLog  /var/log/keystone/keystone-apache-error.log
     CustomLog /var/log/keystone/ssl_access.log combined
@@ -50,12 +56,19 @@ WSGIDaemonProcess keystone user={{ keystone_system_user_name }} group=nogroup pr
 
     WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/cgi-bin/keystone/main/$1
     {%- endif %}
-
-    WSGIScriptAlias /  /var/www/cgi-bin/keystone/main
-    WSGIProcessGroup keystone
 </VirtualHost>
 
 <VirtualHost *:{{ keystone_admin_port }}>
+    WSGIDaemonProcess     keystone-admin user={{ keystone_system_user_name }} group={{ keystone_system_group_name }} processes={{ keystone_wsgi_processes }} threads={{ keystone_wsgi_threads }} display-name=%{GROUP}
+    WSGIProcessGroup      keystone-admin
+    WSGIScriptAlias       / /var/www/cgi-bin/keystone/admin
+    WSGIApplicationGroup  %{GLOBAL}
+    WSGIPassAuthorization On
+
+    <IfVersion >= 2.4>
+      ErrorLogFormat "%{cu}t %M"
+    </IfVersion>
+
     LogLevel  {{  keystone_apache_log_level }}
     ErrorLog  /var/log/keystone/keystone-apache-error.log
     CustomLog /var/log/keystone/ssl_access.log combined
@@ -75,7 +88,4 @@ WSGIDaemonProcess keystone user={{ keystone_system_user_name }} group=nogroup pr
     SSLCipherSuite {{ keystone_ssl_cipher_suite }}
     SSLOptions +StdEnvVars +ExportCertData
     {% endif %}
-
-    WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
-    WSGIProcessGroup keystone
 </VirtualHost>