Update heat keystone_authtoken config

This patch implements a slight re-ordering of some configuration in order to match the pattern used in other roles (for easier comparison). It also updates the keystone_authtoken configuration to a more up to date set of configuration entries. Upgrade Notes: In order to standardise the location of data in the 'signing_dir' (which is only used when PKI tokens are implemeted), the default location of this data has been changed from '/var/cache/heat' to '{{ heat_system_home_folder }}/cache/heat'. By default this translates to '/var/lib/heat/cache/heat'. DocImpact UpgradeImpact Implements: blueprint liberty-release Change-Id: I7d3768a5629bb202883e82fe0c9c52fb0ca38b97 Co-Authored-By: Miguel Grinberg <miguelgrinberg50@gmail.com>
2015-10-16 16:24:50 +01:00 · 2015-10-16 16:24:50 +01:00 · c12e7397b2
commit c12e7397b2
parent 9fc2b0727a
2 changed files with 39 additions and 13 deletions
--- a/playbooks/roles/os_heat/defaults/main.yml
+++ b/playbooks/roles/os_heat/defaults/main.yml
@ -54,8 +54,8 @@ heat_rpc_backend: heat.openstack.common.rpc.impl_kombu
 ## Heat User / Group
 heat_system_user_name: heat
 heat_system_group_name: heat
-heat_system_comment: heat system user
 heat_system_shell: /bin/false
+heat_system_comment: heat system user
 heat_system_home_folder: "/var/lib/{{ heat_system_user_name }}"

 ## Default domain
@ -79,18 +79,24 @@ heat_profiler_enabled: false
 heat_profiler_trace_sqlalchemy: false

 ## Auth
+heat_service_region: RegionOne
 heat_service_project_name: "service"
 heat_service_user_name: "heat"
-heat_service_project_domain_name: "Default"
-heat_service_user_domain_name: "Default"
-
-## Keystone authentication middleware
+heat_service_role_name: admin
+heat_service_project_domain_id: default
+heat_service_user_domain_id: default
 heat_keystone_auth_plugin: password

+## Trustee Auth
+heat_service_trustee_project_name: "service"
+heat_service_trustee_user_name: "heat"
+heat_service_trustee_password: "{{ heat_service_password }}"
+heat_service_trustee_project_domain_id: "default"
+heat_service_trustee_user_domain_id: "default"
+heat_keystone_trustee_auth_plugin: password
+
 ## Heat api service type and data
 heat_service_name: heat
-heat_service_role_name: admin
-heat_service_region: RegionOne
 heat_service_description: "Heat Orchestration Service"
 heat_service_port: 8004
 heat_service_proto: http
--- a/playbooks/roles/os_heat/templates/heat.conf.j2
+++ b/playbooks/roles/os_heat/templates/heat.conf.j2
@ -38,6 +38,11 @@ endpoint_type = {{ heat_clients_endpoint }}
 [clients_heat]
 endpoint_type = {{ heat_clients_heat_endpoint }}

+[clients_keystone]
+insecure = {{ keystone_service_internaluri_insecure | bool }}
+endpoint_type = {{ heat_clients_endpoint }}
+auth_uri = {{ keystone_service_internaluri }}
+
 [database]
 connection = mysql+pymysql://{{ heat_galera_user }}:{{ heat_container_mysql_password }}@{{ heat_galera_address }}/{{ heat_galera_database }}?charset=utf8

@ -69,12 +74,15 @@ trace_sqlalchemy = {{ heat_profiler_trace_sqlalchemy }}

 [keystone_authtoken]
 insecure = {{ keystone_service_internaluri_insecure | bool }}
-signing_dir = /var/cache/heat
-identity_uri = {{ keystone_service_adminuri }}
-auth_uri = {{ keystone_service_internalurl }}
-admin_tenant_name = {{ heat_service_project_name }}
-admin_user = {{ heat_service_user_name }}
-admin_password = {{ heat_service_password }}
+auth_plugin = {{ heat_keystone_auth_plugin }}
+signing_dir = {{ heat_system_home_folder }}/cache/heat
+auth_url = {{ keystone_service_adminuri }}
+auth_uri = {{ keystone_service_internaluri }}
+project_domain_id = {{ heat_service_project_domain_id }}
+user_domain_id = {{ heat_service_user_domain_id }}
+project_name = {{ heat_service_project_name }}
+username = {{ heat_service_user_name }}
+password = {{ heat_service_password }}

 memcached_servers = {{ memcached_servers }}

@ -87,3 +95,15 @@ memcache_secret_key = {{ memcached_encryption_key }}

 # if your keystone deployment uses PKI, and you value security over performance:
 check_revocations_for_cached = False
+
+[trustee]
+insecure = {{ keystone_service_internaluri_insecure | bool }}
+auth_plugin = {{ heat_keystone_trustee_auth_plugin }}
+signing_dir = {{ heat_system_home_folder }}/cache/heat
+auth_url = {{ keystone_service_adminuri }}
+auth_uri = {{ keystone_service_internaluri }}
+project_domain_id = {{ heat_service_trustee_project_domain_id }}
+user_domain_id = {{ heat_service_trustee_user_domain_id }}
+project_name = {{ heat_service_trustee_project_name }}
+username = {{ heat_service_trustee_user_name }}
+password = {{ heat_service_trustee_password }}