IRR - Implemented for os_keystone
The change removes and points os_keystone to use the independent os_keystone repo. Change-Id: I1eda2fa91c2ac447cdb09757c678076727222279 Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
This commit is contained in:
parent
669116f923
commit
d1f157c611
@ -68,4 +68,7 @@
|
|||||||
src: https://git.openstack.org/openstack/openstack-ansible-rsyslog_server
|
src: https://git.openstack.org/openstack/openstack-ansible-rsyslog_server
|
||||||
scm: git
|
scm: git
|
||||||
version: master
|
version: master
|
||||||
|
- name: os_keystone
|
||||||
|
src: https://git.openstack.org/openstack/openstack-ansible-os_keystone
|
||||||
|
scm: git
|
||||||
|
version: master
|
||||||
|
@ -88,6 +88,57 @@
|
|||||||
when: is_metal | bool
|
when: is_metal | bool
|
||||||
tags:
|
tags:
|
||||||
- keystone-reserved-port
|
- keystone-reserved-port
|
||||||
|
- name: Keystone ensure Rabbitmq vhost
|
||||||
|
rabbitmq_vhost:
|
||||||
|
name: "{{ keystone_rabbitmq_vhost }}"
|
||||||
|
state: "present"
|
||||||
|
delegate_to: "{{ groups['rabbitmq_all'][0] }}"
|
||||||
|
when: inventory_hostname == groups['keystone_all'][0]
|
||||||
|
tags:
|
||||||
|
- aodh-rabbitmq
|
||||||
|
- aodh-rabbitmq-vhost
|
||||||
|
- name: Keystone ensure rabbitmq user
|
||||||
|
rabbitmq_user:
|
||||||
|
user: "{{ keystone_rabbitmq_userid }}"
|
||||||
|
password: "{{ keystone_rabbitmq_password }}"
|
||||||
|
vhost: "{{ keystone_rabbitmq_vhost }}"
|
||||||
|
configure_priv: ".*"
|
||||||
|
read_priv: ".*"
|
||||||
|
write_priv: ".*"
|
||||||
|
state: "present"
|
||||||
|
delegate_to: "{{ groups['rabbitmq_all'][0] }}"
|
||||||
|
when: inventory_hostname == groups['keystone_all'][0]
|
||||||
|
tags:
|
||||||
|
- aodh-rabbitmq
|
||||||
|
- aodh-rabbitmq-user
|
||||||
|
- name: Keystone create DB for service
|
||||||
|
mysql_db:
|
||||||
|
login_user: "{{ galera_root_user }}"
|
||||||
|
login_password: "{{ galera_root_password }}"
|
||||||
|
login_host: "{{ galera_address }}"
|
||||||
|
name: "{{ keystone_galera_database }}"
|
||||||
|
state: "present"
|
||||||
|
when: inventory_hostname == groups['keystone_all'][0]
|
||||||
|
delegate_to: "{{ groups['galera_all'][0] }}"
|
||||||
|
tags:
|
||||||
|
- mysql-db-setup
|
||||||
|
- name: Keystone grant access to the DB for the service
|
||||||
|
mysql_user:
|
||||||
|
login_user: "{{ galera_root_user }}"
|
||||||
|
login_password: "{{ galera_root_password }}"
|
||||||
|
login_host: "{{ galera_address }}"
|
||||||
|
name: "{{ keystone_galera_database }}"
|
||||||
|
password: "{{ keystone_container_mysql_password }}"
|
||||||
|
host: "{{ item }}"
|
||||||
|
state: "present"
|
||||||
|
priv: "{{ keystone_galera_database }}.*:ALL"
|
||||||
|
with_items:
|
||||||
|
- "localhost"
|
||||||
|
- "%"
|
||||||
|
when: inventory_hostname == groups['keystone_all'][0]
|
||||||
|
delegate_to: "{{ groups['galera_all'][0] }}"
|
||||||
|
tags:
|
||||||
|
- mysql-db-setup
|
||||||
roles:
|
roles:
|
||||||
- role: "os_keystone"
|
- role: "os_keystone"
|
||||||
keystone_venv_tag: "{{ openstack_release }}"
|
keystone_venv_tag: "{{ openstack_release }}"
|
||||||
@ -108,6 +159,13 @@
|
|||||||
- "system-crontab-coordination"
|
- "system-crontab-coordination"
|
||||||
vars:
|
vars:
|
||||||
galera_address: "{{ internal_lb_vip_address }}"
|
galera_address: "{{ internal_lb_vip_address }}"
|
||||||
keystone_admin_port: 35357
|
|
||||||
is_metal: "{{ properties.is_metal|default(false) }}"
|
is_metal: "{{ properties.is_metal|default(false) }}"
|
||||||
|
galera_root_user: "root"
|
||||||
|
keystone_admin_port: 35357
|
||||||
|
keystone_galera_user: keystone
|
||||||
|
keystone_galera_database: keystone
|
||||||
|
keystone_rabbitmq_userid: keystone
|
||||||
|
keystone_rabbitmq_vhost: /keystone
|
||||||
|
keystone_rabbitmq_servers: "{{ rabbitmq_servers }}"
|
||||||
|
keystone_rabbitmq_port: "{{ rabbitmq_port }}"
|
||||||
|
keystone_rabbitmq_use_ssl: "{{ rabbitmq_use_ssl }}"
|
||||||
|
@ -1,85 +0,0 @@
|
|||||||
OpenStack keystone
|
|
||||||
##################
|
|
||||||
:tags: openstack, keystone, cloud, ansible
|
|
||||||
:category: \*nix
|
|
||||||
|
|
||||||
contributor guidelines
|
|
||||||
^^^^^^^^^^^^^^^^^^^^^^
|
|
||||||
|
|
||||||
Filing Bugs
|
|
||||||
-----------
|
|
||||||
|
|
||||||
Bugs should be filed on Launchpad, not GitHub: "https://bugs.launchpad.net/openstack-ansible"
|
|
||||||
|
|
||||||
|
|
||||||
When submitting a bug, or working on a bug, please ensure the following criteria are met:
|
|
||||||
* The description clearly states or describes the original problem or root cause of the problem.
|
|
||||||
* Include historical information on how the problem was identified.
|
|
||||||
* Any relevant logs are included.
|
|
||||||
* The provided information should be totally self-contained. External access to web services/sites should not be needed.
|
|
||||||
* Steps to reproduce the problem if possible.
|
|
||||||
|
|
||||||
|
|
||||||
Submitting Code
|
|
||||||
---------------
|
|
||||||
|
|
||||||
Changes to the project should be submitted for review via the Gerrit tool, following
|
|
||||||
the workflow documented at: "http://docs.openstack.org/infra/manual/developers.html#development-workflow"
|
|
||||||
|
|
||||||
Pull requests submitted through GitHub will be ignored and closed without regard.
|
|
||||||
|
|
||||||
|
|
||||||
Extra
|
|
||||||
-----
|
|
||||||
|
|
||||||
Tags:
|
|
||||||
If it's a bug that needs fixing in a branch in addition to Master, add a '\<release\>-backport-potential' tag (eg ``juno-backport-potential``). There are predefined tags that will autocomplete.
|
|
||||||
|
|
||||||
Status:
|
|
||||||
Please leave this alone, it should be New till someone triages the issue.
|
|
||||||
|
|
||||||
Importance:
|
|
||||||
Should only be touched if it is a Blocker/Gating issue. If it is, please set to High, and only use Critical if you have found a bug that can take down whole infrastructures.
|
|
||||||
|
|
||||||
|
|
||||||
Style guide
|
|
||||||
-----------
|
|
||||||
|
|
||||||
When creating tasks and other roles for use in Ansible please create then using the YAML dictionary format.
|
|
||||||
|
|
||||||
Example YAML dictionary format:
|
|
||||||
.. code-block:: yaml
|
|
||||||
|
|
||||||
- name: The name of the tasks
|
|
||||||
module_name:
|
|
||||||
thing1: "some-stuff"
|
|
||||||
thing2: "some-other-stuff"
|
|
||||||
tags:
|
|
||||||
- some-tag
|
|
||||||
- some-other-tag
|
|
||||||
|
|
||||||
|
|
||||||
Example **NOT** in YAML dictionary format:
|
|
||||||
.. code-block:: yaml
|
|
||||||
|
|
||||||
- name: The name of the tasks
|
|
||||||
module_name: thing1="some-stuff" thing2="some-other-stuff"
|
|
||||||
tags:
|
|
||||||
- some-tag
|
|
||||||
- some-other-tag
|
|
||||||
|
|
||||||
|
|
||||||
Usage of the ">" and "|" operators should be limited to Ansible conditionals and command modules such as the ansible ``shell`` module.
|
|
||||||
|
|
||||||
|
|
||||||
Issues
|
|
||||||
------
|
|
||||||
|
|
||||||
When submitting an issue, or working on an issue please ensure the following criteria are met:
|
|
||||||
* The description clearly states or describes the original problem or root cause of the problem.
|
|
||||||
* Include historical information on how the problem was identified.
|
|
||||||
* Any relevant logs are included.
|
|
||||||
* If the issue is a bug that needs fixing in a branch other than Master, add the ‘backport potential’ tag TO THE ISSUE (not the PR).
|
|
||||||
* The provided information should be totally self-contained. External access to web services/sites should not be needed.
|
|
||||||
* If the issue is needed for a hotfix release, add the 'expedite' label.
|
|
||||||
* Steps to reproduce the problem if possible.
|
|
@ -1,202 +0,0 @@
|
|||||||
Apache License
|
|
||||||
Version 2.0, January 2004
|
|
||||||
http://www.apache.org/licenses/
|
|
||||||
|
|
||||||
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
|
|
||||||
|
|
||||||
1. Definitions.
|
|
||||||
|
|
||||||
"License" shall mean the terms and conditions for use, reproduction,
|
|
||||||
and distribution as defined by Sections 1 through 9 of this document.
|
|
||||||
|
|
||||||
"Licensor" shall mean the copyright owner or entity authorized by
|
|
||||||
the copyright owner that is granting the License.
|
|
||||||
|
|
||||||
"Legal Entity" shall mean the union of the acting entity and all
|
|
||||||
other entities that control, are controlled by, or are under common
|
|
||||||
control with that entity. For the purposes of this definition,
|
|
||||||
"control" means (i) the power, direct or indirect, to cause the
|
|
||||||
direction or management of such entity, whether by contract or
|
|
||||||
otherwise, or (ii) ownership of fifty percent (50%) or more of the
|
|
||||||
outstanding shares, or (iii) beneficial ownership of such entity.
|
|
||||||
|
|
||||||
"You" (or "Your") shall mean an individual or Legal Entity
|
|
||||||
exercising permissions granted by this License.
|
|
||||||
|
|
||||||
"Source" form shall mean the preferred form for making modifications,
|
|
||||||
including but not limited to software source code, documentation
|
|
||||||
source, and configuration files.
|
|
||||||
|
|
||||||
"Object" form shall mean any form resulting from mechanical
|
|
||||||
transformation or translation of a Source form, including but
|
|
||||||
not limited to compiled object code, generated documentation,
|
|
||||||
and conversions to other media types.
|
|
||||||
|
|
||||||
"Work" shall mean the work of authorship, whether in Source or
|
|
||||||
Object form, made available under the License, as indicated by a
|
|
||||||
copyright notice that is included in or attached to the work
|
|
||||||
(an example is provided in the Appendix below).
|
|
||||||
|
|
||||||
"Derivative Works" shall mean any work, whether in Source or Object
|
|
||||||
form, that is based on (or derived from) the Work and for which the
|
|
||||||
editorial revisions, annotations, elaborations, or other modifications
|
|
||||||
represent, as a whole, an original work of authorship. For the purposes
|
|
||||||
of this License, Derivative Works shall not include works that remain
|
|
||||||
separable from, or merely link (or bind by name) to the interfaces of,
|
|
||||||
the Work and Derivative Works thereof.
|
|
||||||
|
|
||||||
"Contribution" shall mean any work of authorship, including
|
|
||||||
the original version of the Work and any modifications or additions
|
|
||||||
to that Work or Derivative Works thereof, that is intentionally
|
|
||||||
submitted to Licensor for inclusion in the Work by the copyright owner
|
|
||||||
or by an individual or Legal Entity authorized to submit on behalf of
|
|
||||||
the copyright owner. For the purposes of this definition, "submitted"
|
|
||||||
means any form of electronic, verbal, or written communication sent
|
|
||||||
to the Licensor or its representatives, including but not limited to
|
|
||||||
communication on electronic mailing lists, source code control systems,
|
|
||||||
and issue tracking systems that are managed by, or on behalf of, the
|
|
||||||
Licensor for the purpose of discussing and improving the Work, but
|
|
||||||
excluding communication that is conspicuously marked or otherwise
|
|
||||||
designated in writing by the copyright owner as "Not a Contribution."
|
|
||||||
|
|
||||||
"Contributor" shall mean Licensor and any individual or Legal Entity
|
|
||||||
on behalf of whom a Contribution has been received by Licensor and
|
|
||||||
subsequently incorporated within the Work.
|
|
||||||
|
|
||||||
2. Grant of Copyright License. Subject to the terms and conditions of
|
|
||||||
this License, each Contributor hereby grants to You a perpetual,
|
|
||||||
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
|
||||||
copyright license to reproduce, prepare Derivative Works of,
|
|
||||||
publicly display, publicly perform, sublicense, and distribute the
|
|
||||||
Work and such Derivative Works in Source or Object form.
|
|
||||||
|
|
||||||
3. Grant of Patent License. Subject to the terms and conditions of
|
|
||||||
this License, each Contributor hereby grants to You a perpetual,
|
|
||||||
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
|
||||||
(except as stated in this section) patent license to make, have made,
|
|
||||||
use, offer to sell, sell, import, and otherwise transfer the Work,
|
|
||||||
where such license applies only to those patent claims licensable
|
|
||||||
by such Contributor that are necessarily infringed by their
|
|
||||||
Contribution(s) alone or by combination of their Contribution(s)
|
|
||||||
with the Work to which such Contribution(s) was submitted. If You
|
|
||||||
institute patent litigation against any entity (including a
|
|
||||||
cross-claim or counterclaim in a lawsuit) alleging that the Work
|
|
||||||
or a Contribution incorporated within the Work constitutes direct
|
|
||||||
or contributory patent infringement, then any patent licenses
|
|
||||||
granted to You under this License for that Work shall terminate
|
|
||||||
as of the date such litigation is filed.
|
|
||||||
|
|
||||||
4. Redistribution. You may reproduce and distribute copies of the
|
|
||||||
Work or Derivative Works thereof in any medium, with or without
|
|
||||||
modifications, and in Source or Object form, provided that You
|
|
||||||
meet the following conditions:
|
|
||||||
|
|
||||||
(a) You must give any other recipients of the Work or
|
|
||||||
Derivative Works a copy of this License; and
|
|
||||||
|
|
||||||
(b) You must cause any modified files to carry prominent notices
|
|
||||||
stating that You changed the files; and
|
|
||||||
|
|
||||||
(c) You must retain, in the Source form of any Derivative Works
|
|
||||||
that You distribute, all copyright, patent, trademark, and
|
|
||||||
attribution notices from the Source form of the Work,
|
|
||||||
excluding those notices that do not pertain to any part of
|
|
||||||
the Derivative Works; and
|
|
||||||
|
|
||||||
(d) If the Work includes a "NOTICE" text file as part of its
|
|
||||||
distribution, then any Derivative Works that You distribute must
|
|
||||||
include a readable copy of the attribution notices contained
|
|
||||||
within such NOTICE file, excluding those notices that do not
|
|
||||||
pertain to any part of the Derivative Works, in at least one
|
|
||||||
of the following places: within a NOTICE text file distributed
|
|
||||||
as part of the Derivative Works; within the Source form or
|
|
||||||
documentation, if provided along with the Derivative Works; or,
|
|
||||||
within a display generated by the Derivative Works, if and
|
|
||||||
wherever such third-party notices normally appear. The contents
|
|
||||||
of the NOTICE file are for informational purposes only and
|
|
||||||
do not modify the License. You may add Your own attribution
|
|
||||||
notices within Derivative Works that You distribute, alongside
|
|
||||||
or as an addendum to the NOTICE text from the Work, provided
|
|
||||||
that such additional attribution notices cannot be construed
|
|
||||||
as modifying the License.
|
|
||||||
|
|
||||||
You may add Your own copyright statement to Your modifications and
|
|
||||||
may provide additional or different license terms and conditions
|
|
||||||
for use, reproduction, or distribution of Your modifications, or
|
|
||||||
for any such Derivative Works as a whole, provided Your use,
|
|
||||||
reproduction, and distribution of the Work otherwise complies with
|
|
||||||
the conditions stated in this License.
|
|
||||||
|
|
||||||
5. Submission of Contributions. Unless You explicitly state otherwise,
|
|
||||||
any Contribution intentionally submitted for inclusion in the Work
|
|
||||||
by You to the Licensor shall be under the terms and conditions of
|
|
||||||
this License, without any additional terms or conditions.
|
|
||||||
Notwithstanding the above, nothing herein shall supersede or modify
|
|
||||||
the terms of any separate license agreement you may have executed
|
|
||||||
with Licensor regarding such Contributions.
|
|
||||||
|
|
||||||
6. Trademarks. This License does not grant permission to use the trade
|
|
||||||
names, trademarks, service marks, or product names of the Licensor,
|
|
||||||
except as required for reasonable and customary use in describing the
|
|
||||||
origin of the Work and reproducing the content of the NOTICE file.
|
|
||||||
|
|
||||||
7. Disclaimer of Warranty. Unless required by applicable law or
|
|
||||||
agreed to in writing, Licensor provides the Work (and each
|
|
||||||
Contributor provides its Contributions) on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
|
||||||
implied, including, without limitation, any warranties or conditions
|
|
||||||
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
|
|
||||||
PARTICULAR PURPOSE. You are solely responsible for determining the
|
|
||||||
appropriateness of using or redistributing the Work and assume any
|
|
||||||
risks associated with Your exercise of permissions under this License.
|
|
||||||
|
|
||||||
8. Limitation of Liability. In no event and under no legal theory,
|
|
||||||
whether in tort (including negligence), contract, or otherwise,
|
|
||||||
unless required by applicable law (such as deliberate and grossly
|
|
||||||
negligent acts) or agreed to in writing, shall any Contributor be
|
|
||||||
liable to You for damages, including any direct, indirect, special,
|
|
||||||
incidental, or consequential damages of any character arising as a
|
|
||||||
result of this License or out of the use or inability to use the
|
|
||||||
Work (including but not limited to damages for loss of goodwill,
|
|
||||||
work stoppage, computer failure or malfunction, or any and all
|
|
||||||
other commercial damages or losses), even if such Contributor
|
|
||||||
has been advised of the possibility of such damages.
|
|
||||||
|
|
||||||
9. Accepting Warranty or Additional Liability. While redistributing
|
|
||||||
the Work or Derivative Works thereof, You may choose to offer,
|
|
||||||
and charge a fee for, acceptance of support, warranty, indemnity,
|
|
||||||
or other liability obligations and/or rights consistent with this
|
|
||||||
License. However, in accepting such obligations, You may act only
|
|
||||||
on Your own behalf and on Your sole responsibility, not on behalf
|
|
||||||
of any other Contributor, and only if You agree to indemnify,
|
|
||||||
defend, and hold each Contributor harmless for any liability
|
|
||||||
incurred by, or claims asserted against, such Contributor by reason
|
|
||||||
of your accepting any such warranty or additional liability.
|
|
||||||
|
|
||||||
END OF TERMS AND CONDITIONS
|
|
||||||
|
|
||||||
APPENDIX: How to apply the Apache License to your work.
|
|
||||||
|
|
||||||
To apply the Apache License to your work, attach the following
|
|
||||||
boilerplate notice, with the fields enclosed by brackets "{}"
|
|
||||||
replaced with your own identifying information. (Don't include
|
|
||||||
the brackets!) The text should be enclosed in the appropriate
|
|
||||||
comment syntax for the file format. We also recommend that a
|
|
||||||
file or class name and description of purpose be included on the
|
|
||||||
same "printed page" as the copyright notice for easier
|
|
||||||
identification within third-party archives.
|
|
||||||
|
|
||||||
Copyright {yyyy} {name of copyright owner}
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
|
|
@ -1,22 +0,0 @@
|
|||||||
OpenStack keystone
|
|
||||||
##################
|
|
||||||
:tags: openstack, keystone, cloud, ansible
|
|
||||||
:category: \*nix
|
|
||||||
|
|
||||||
Role to install keystone. This will install keystone using apache.
|
|
||||||
|
|
||||||
This role will install the following:
|
|
||||||
* keystone
|
|
||||||
* apache2
|
|
||||||
|
|
||||||
.. code-block:: yaml
|
|
||||||
|
|
||||||
- name: Installation and setup of Keystone
|
|
||||||
hosts: keystone_all
|
|
||||||
user: root
|
|
||||||
roles:
|
|
||||||
- { role: "os_keystone", tags: [ "os-keystone" ] }
|
|
||||||
vars:
|
|
||||||
external_lb_vip_address: 172.16.24.1
|
|
||||||
internal_lb_vip_address: 192.168.0.1
|
|
||||||
keystone_galera_address: "{{ internal_lb_vip_address }}"
|
|
@ -1,389 +0,0 @@
|
|||||||
---
|
|
||||||
# Copyright 2014, Rackspace US, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
## Verbosity Options
|
|
||||||
debug: False
|
|
||||||
verbose: True
|
|
||||||
|
|
||||||
## APT Cache options
|
|
||||||
cache_timeout: 600
|
|
||||||
|
|
||||||
# Name of the virtual env to deploy into
|
|
||||||
keystone_venv_tag: untagged
|
|
||||||
keystone_venv_bin: "/openstack/venvs/keystone-{{ keystone_venv_tag }}/bin"
|
|
||||||
|
|
||||||
# Set this to enable or disable installing in a venv
|
|
||||||
keystone_venv_enabled: true
|
|
||||||
|
|
||||||
# The bin path defaults to the venv path however if installation in a
|
|
||||||
# venv is disabled the bin path will be dynamically set based on the
|
|
||||||
# system path used when the installing.
|
|
||||||
keystone_bin: "{{ keystone_venv_bin }}"
|
|
||||||
|
|
||||||
keystone_venv_download_url: http://127.0.0.1/venvs/untagged/ubuntu/keystone.tgz
|
|
||||||
|
|
||||||
keystone_fatal_deprecations: False
|
|
||||||
|
|
||||||
## System info
|
|
||||||
keystone_system_user_name: keystone
|
|
||||||
keystone_system_group_name: keystone
|
|
||||||
keystone_system_additional_groups:
|
|
||||||
- ssl_cert
|
|
||||||
keystone_system_service_name: apache2
|
|
||||||
keystone_system_shell: /bin/bash
|
|
||||||
keystone_system_comment: keystone system user
|
|
||||||
keystone_system_user_home: "/var/lib/{{ keystone_system_user_name }}"
|
|
||||||
|
|
||||||
keystone_rpc_backend: rabbit
|
|
||||||
|
|
||||||
## Drivers
|
|
||||||
keystone_auth_methods: "password,token"
|
|
||||||
keystone_identity_driver: sql
|
|
||||||
# For a sql backed token storage use: "sql"
|
|
||||||
keystone_token_driver: memcache
|
|
||||||
keystone_token_provider: fernet
|
|
||||||
keystone_token_expiration: 43200
|
|
||||||
keystone_token_cache_time: 3600
|
|
||||||
|
|
||||||
# Set the revocation driver used within keystone.
|
|
||||||
keystone_revocation_driver: sql
|
|
||||||
keystone_revocation_cache_time: 3600
|
|
||||||
keystone_revocation_expiration_buffer: 1800
|
|
||||||
|
|
||||||
## Fernet config vars
|
|
||||||
keystone_fernet_tokens_key_repository: "/etc/keystone/fernet-keys"
|
|
||||||
keystone_fernet_tokens_max_active_keys: 7
|
|
||||||
# Any of the following rotation times are valid:
|
|
||||||
# reboot, yearly, annually, monthly, weekly, daily, hourly
|
|
||||||
keystone_fernet_rotation: daily
|
|
||||||
keystone_fernet_auto_rotation_script: /opt/keystone-fernet-rotate.sh
|
|
||||||
|
|
||||||
keystone_assignment_driver: sql
|
|
||||||
|
|
||||||
keystone_resource_cache_time: 3600
|
|
||||||
keystone_resource_driver: sql
|
|
||||||
|
|
||||||
keystone_bind_address: 0.0.0.0
|
|
||||||
|
|
||||||
## Memcached servers used within keystone.
|
|
||||||
# String or Comma separated list of servers.
|
|
||||||
keystone_memcached_servers: 127.0.0.1
|
|
||||||
keystone_memcached_max_compare_and_set_retry: 16
|
|
||||||
|
|
||||||
## DB info
|
|
||||||
keystone_galera_user: keystone
|
|
||||||
keystone_galera_database: keystone
|
|
||||||
# Database tuning
|
|
||||||
keystone_database_idle_timeout: 200
|
|
||||||
keystone_database_min_pool_size: 5
|
|
||||||
keystone_database_max_pool_size: 120
|
|
||||||
keystone_database_pool_timeout: 30
|
|
||||||
|
|
||||||
## RabbitMQ info
|
|
||||||
keystone_rabbitmq_userid: keystone
|
|
||||||
keystone_rabbitmq_vhost: /keystone
|
|
||||||
|
|
||||||
## Role info
|
|
||||||
keystone_role_name: admin
|
|
||||||
keystone_default_role_name: _member_
|
|
||||||
|
|
||||||
## Admin info
|
|
||||||
keystone_admin_port: 35357
|
|
||||||
keystone_admin_user_name: admin
|
|
||||||
keystone_admin_tenant_name: admin
|
|
||||||
keystone_admin_description: Admin Tenant
|
|
||||||
|
|
||||||
## Secure Proxy SSL Information
|
|
||||||
#keystone_secure_proxy_ssl_header: X-Forwarded-For
|
|
||||||
|
|
||||||
## Service Type and Data
|
|
||||||
keystone_service_region: RegionOne
|
|
||||||
keystone_service_name: keystone
|
|
||||||
keystone_service_port: 5000
|
|
||||||
keystone_service_proto: http
|
|
||||||
keystone_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(keystone_service_proto) }}"
|
|
||||||
keystone_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(keystone_service_proto) }}"
|
|
||||||
keystone_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(keystone_service_proto) }}"
|
|
||||||
keystone_service_type: identity
|
|
||||||
keystone_service_description: "Keystone Identity Service"
|
|
||||||
keystone_service_user_name: keystone
|
|
||||||
keystone_service_tenant_name: service
|
|
||||||
|
|
||||||
keystone_service_publicuri: "{{ keystone_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ keystone_service_port }}"
|
|
||||||
keystone_service_internaluri: "{{ keystone_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}"
|
|
||||||
keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_admin_port }}"
|
|
||||||
|
|
||||||
keystone_service_publicurl_v2: "{{ keystone_service_publicuri }}/v2.0"
|
|
||||||
keystone_service_internalurl_v2: "{{ keystone_service_internaluri }}/v2.0"
|
|
||||||
keystone_service_adminurl_v2: "{{ keystone_service_adminuri }}/v2.0"
|
|
||||||
|
|
||||||
keystone_service_publicurl_v3: "{{ keystone_service_publicuri }}/v3"
|
|
||||||
keystone_service_internalurl_v3: "{{ keystone_service_internaluri }}/v3"
|
|
||||||
keystone_service_adminurl_v3: "{{ keystone_service_adminuri }}/v3"
|
|
||||||
|
|
||||||
keystone_service_publicurl: "{{ keystone_service_publicurl_v3 }}"
|
|
||||||
keystone_service_internalurl: "{{ keystone_service_internalurl_v3 }}"
|
|
||||||
keystone_service_adminurl: "{{ keystone_service_adminurl_v3 }}"
|
|
||||||
|
|
||||||
## Set this value to override the "public_endpoint" keystone.conf variable
|
|
||||||
#keystone_public_endpoint: "{{ keystone_service_publicuri }}"
|
|
||||||
|
|
||||||
## Apache setup
|
|
||||||
keystone_apache_log_level: info
|
|
||||||
keystone_apache_servertokens: "Prod"
|
|
||||||
keystone_apache_serversignature: "Off"
|
|
||||||
keystone_wsgi_threads: 1
|
|
||||||
keystone_wsgi_processes: "{{ ansible_processor_vcpus | default (1) * 2 }}"
|
|
||||||
|
|
||||||
# set keystone_ssl to true to enable SSL configuration on the keystone containers
|
|
||||||
keystone_ssl: false
|
|
||||||
keystone_ssl_cert: /etc/ssl/certs/keystone.pem
|
|
||||||
keystone_ssl_key: /etc/ssl/private/keystone.key
|
|
||||||
keystone_ssl_ca_cert: /etc/ssl/certs/keystone-ca.pem
|
|
||||||
keystone_ssl_protocol: "{{ ssl_protocol }}"
|
|
||||||
keystone_ssl_cipher_suite: "{{ ssl_cipher_suite }}"
|
|
||||||
|
|
||||||
# if using a self-signed certificate, set this to true to regenerate it
|
|
||||||
keystone_ssl_self_signed_regen: false
|
|
||||||
keystone_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ internal_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
|
|
||||||
|
|
||||||
# Set these in user_variables to deploy custom certificates
|
|
||||||
#keystone_user_ssl_cert: <path to cert on ansible deployment host>
|
|
||||||
#keystone_user_ssl_key: <path to cert on ansible deployment host>
|
|
||||||
#keystone_user_ssl_ca_cert: <path to cert on ansible deployment host>
|
|
||||||
|
|
||||||
## Caching
|
|
||||||
# If set this will enable dog pile cache for keystone.
|
|
||||||
# keystone_cache_backend_argument: url:127.0.0.1:11211
|
|
||||||
|
|
||||||
## LDAP Section
|
|
||||||
# Define Keystone LDAP domain configuration here.
|
|
||||||
# This may be used to add configuration for a LDAP identity back-end.
|
|
||||||
# See the http://docs.openstack.org/admin-guide-cloud/keystone_integrate_with_ldap.html
|
|
||||||
#
|
|
||||||
# Each top-level entry is a domain name. Each entry below that are key: value pairs for
|
|
||||||
# the ldap section in the domain-specific configuraiton file.
|
|
||||||
#
|
|
||||||
# (EXAMPLE LAYOUT)
|
|
||||||
# keystone_ldap:
|
|
||||||
# Users:
|
|
||||||
# url: "ldap://127.0.0.1"
|
|
||||||
# user: "root"
|
|
||||||
# password: "secrete"
|
|
||||||
# ...
|
|
||||||
|
|
||||||
keystone_ldap: {}
|
|
||||||
keystone_ldap_domain_config_dir: /etc/keystone/domains
|
|
||||||
|
|
||||||
|
|
||||||
# If you want to regenerate the keystone users SSH keys, on each run, set this var to True
|
|
||||||
# Otherwise keys will be generated on the first run and not regenerated each run.
|
|
||||||
keystone_recreate_keys: False
|
|
||||||
|
|
||||||
## Policy vars
|
|
||||||
# Provide a list of access controls to update the default policy.json with. These changes will be merged
|
|
||||||
# with the access controls in the default policy.json. E.g.
|
|
||||||
#keystone_policy_overrides:
|
|
||||||
# identity:create_region: "rule:admin_required"
|
|
||||||
# identity:update_region: "rule:admin_required"
|
|
||||||
|
|
||||||
## Federation
|
|
||||||
|
|
||||||
# Enable the following section on the Keystone IdP
|
|
||||||
#keystone_idp:
|
|
||||||
# certfile: "/etc/keystone/ssl/idp_signing_cert.pem"
|
|
||||||
# keyfile: "/etc/keystone/ssl/idp_signing_key.pem"
|
|
||||||
# self_signed_cert_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}"
|
|
||||||
# regen_cert: false
|
|
||||||
# idp_entity_id: "{{ keystone_service_publicurl_v3 }}/OS-FEDERATION/saml2/idp"
|
|
||||||
# idp_sso_endpoint: "{{ keystone_service_publicurl_v3 }}/OS-FEDERATION/saml2/sso"
|
|
||||||
# idp_metadata_path: /etc/keystone/saml2_idp_metadata.xml
|
|
||||||
# service_providers:
|
|
||||||
# - id: "sp_1"
|
|
||||||
# auth_url: https://example.com:5000/v3/OS-FEDERATION/identity_providers/idp/protocols/saml2/auth
|
|
||||||
# sp_url: https://example.com:5000/Shibboleth.sso/SAML2/ECP
|
|
||||||
# # the following settings are optional
|
|
||||||
# organization_name: example_company
|
|
||||||
# organization_display_name: Example Corp.
|
|
||||||
# organization_url: example.com
|
|
||||||
# contact_company: example_company
|
|
||||||
# contact_name: John
|
|
||||||
# contact_surname: Smith
|
|
||||||
# contact_email: jsmith@example.com
|
|
||||||
# contact_telephone: 555-55-5555
|
|
||||||
# contact_type: technical
|
|
||||||
|
|
||||||
# Enable the following section in order to install and configure
|
|
||||||
# Keystone as a Resource Service Provider (SP) and to configure
|
|
||||||
# trusts with specific Identity Providers (IdP).
|
|
||||||
#keystone_sp:
|
|
||||||
# cert_duration_years: 5
|
|
||||||
# trusted_dashboard_list:
|
|
||||||
# - "https://{{ external_lb_vip_address }}/auth/websso/"
|
|
||||||
# - "https://{{ horizon_server_name }}/auth/websso/"
|
|
||||||
# trusted_idp_list:
|
|
||||||
# note that only one of these is supported at any one time for now
|
|
||||||
# - name: "keystone-idp"
|
|
||||||
# entity_ids:
|
|
||||||
# - 'https://keystone-idp:5000/v3/OS-FEDERATION/saml2/idp'
|
|
||||||
# metadata_uri: 'https://keystone-idp:5000/v3/OS-FEDERATION/saml2/metadata'
|
|
||||||
# metadata_file: 'metadata-keystone-idp.xml'
|
|
||||||
# metadata_reload: 1800
|
|
||||||
# federated_identities:
|
|
||||||
# - domain: Default
|
|
||||||
# project: fedproject
|
|
||||||
# group: fedgroup
|
|
||||||
# role: _member_
|
|
||||||
# protocols:
|
|
||||||
# - name: saml2
|
|
||||||
# mapping:
|
|
||||||
# name: keystone-idp-mapping
|
|
||||||
# rules:
|
|
||||||
# - remote:
|
|
||||||
# - type: openstack_user
|
|
||||||
# local:
|
|
||||||
# - group:
|
|
||||||
# name: fedgroup
|
|
||||||
# domain:
|
|
||||||
# name: Default
|
|
||||||
# user:
|
|
||||||
# name: '{0}'
|
|
||||||
# attributes:
|
|
||||||
# - name: openstack_user
|
|
||||||
# id: openstack_user
|
|
||||||
# - name: openstack_roles
|
|
||||||
# id: openstack_roles
|
|
||||||
# - name: openstack_project
|
|
||||||
# id: openstack_project
|
|
||||||
# - name: openstack_user_domain
|
|
||||||
# id: openstack_user_domain
|
|
||||||
# - name: openstack_project_domain
|
|
||||||
# id: openstack_project_domain
|
|
||||||
#
|
|
||||||
# - name: 'testshib-idp'
|
|
||||||
# entity_ids:
|
|
||||||
# - 'https://idp.testshib.org/idp/shibboleth'
|
|
||||||
# metadata_uri: 'http://www.testshib.org/metadata/testshib-providers.xml'
|
|
||||||
# metadata_file: 'metadata-testshib-idp.xml'
|
|
||||||
# metadata_reload: 1800
|
|
||||||
# federated_identities:
|
|
||||||
# - domain: Default
|
|
||||||
# project: fedproject
|
|
||||||
# group: fedgroup
|
|
||||||
# role: _member_
|
|
||||||
# protocols:
|
|
||||||
# - name: saml2
|
|
||||||
# mapping:
|
|
||||||
# name: testshib-idp-mapping
|
|
||||||
# rules:
|
|
||||||
# - remote:
|
|
||||||
# - type: eppn
|
|
||||||
# local:
|
|
||||||
# - group:
|
|
||||||
# name: fedgroup
|
|
||||||
# domain:
|
|
||||||
# name: Default
|
|
||||||
# - user:
|
|
||||||
# name: '{0}'
|
|
||||||
#
|
|
||||||
# - name: 'adfs-idp'
|
|
||||||
# entity_ids:
|
|
||||||
# - 'http://adfs.contoso.com/adfs/services/trust'
|
|
||||||
# metadata_uri: 'https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml'
|
|
||||||
# metadata_file: 'metadata-adfs-idp.xml'
|
|
||||||
# metadata_reload: 1800
|
|
||||||
# federated_identities:
|
|
||||||
# - domain: Default
|
|
||||||
# project: fedproject
|
|
||||||
# group: fedgroup
|
|
||||||
# role: _member_
|
|
||||||
# protocols:
|
|
||||||
# - name: saml2
|
|
||||||
# mapping:
|
|
||||||
# name: adfs-idp-mapping
|
|
||||||
# rules:
|
|
||||||
# - remote:
|
|
||||||
# - type: upn
|
|
||||||
# local:
|
|
||||||
# - group:
|
|
||||||
# name: fedgroup
|
|
||||||
# domain:
|
|
||||||
# name: Default
|
|
||||||
# - user:
|
|
||||||
# name: '{0}'
|
|
||||||
# attributes:
|
|
||||||
# - name: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
|
|
||||||
# id: upn
|
|
||||||
|
|
||||||
keystone_service_in_ldap: false
|
|
||||||
|
|
||||||
# Keystone Federation SP Packages
|
|
||||||
keystone_sp_apt_packages:
|
|
||||||
- libapache2-mod-shib2
|
|
||||||
|
|
||||||
# Keystone notification settings
|
|
||||||
keystone_ceilometer_enabled: false
|
|
||||||
|
|
||||||
# Common apt packages
|
|
||||||
keystone_apt_packages:
|
|
||||||
- apache2
|
|
||||||
- apache2-utils
|
|
||||||
- debhelper
|
|
||||||
- dh-apparmor
|
|
||||||
- docutils-common
|
|
||||||
- git
|
|
||||||
- libapache2-mod-wsgi
|
|
||||||
- libjs-sphinxdoc
|
|
||||||
- libjs-underscore
|
|
||||||
- libldap2-dev
|
|
||||||
- libsasl2-dev
|
|
||||||
- libxslt1.1
|
|
||||||
- rsync
|
|
||||||
|
|
||||||
keystone_idp_apt_packages:
|
|
||||||
- ssl-cert
|
|
||||||
- xmlsec1
|
|
||||||
|
|
||||||
# Keystone packages that must be installed before anything else
|
|
||||||
keystone_requires_pip_packages:
|
|
||||||
- virtualenv
|
|
||||||
- virtualenv-tools
|
|
||||||
- python-keystoneclient # Keystoneclient needed to OSA keystone lib
|
|
||||||
- httplib2
|
|
||||||
|
|
||||||
# Common pip packages
|
|
||||||
keystone_pip_packages:
|
|
||||||
- argparse
|
|
||||||
- keystone
|
|
||||||
- keystonemiddleware
|
|
||||||
- ldappool
|
|
||||||
- lxml
|
|
||||||
- PyMySQL
|
|
||||||
- oslo.log
|
|
||||||
- oslo.middleware
|
|
||||||
- pbr
|
|
||||||
- pycrypto
|
|
||||||
- pysaml2
|
|
||||||
- python-keystoneclient
|
|
||||||
- python-ldap
|
|
||||||
- python-memcached
|
|
||||||
- python-openstackclient
|
|
||||||
- repoze.lru
|
|
||||||
|
|
||||||
## Tunable overrides
|
|
||||||
keystone_keystone_conf_overrides: {}
|
|
||||||
keystone_keystone_default_conf_overrides: {}
|
|
||||||
keystone_keystone_paste_ini_overrides: {}
|
|
||||||
keystone_policy_overrides: {}
|
|
@ -1,22 +0,0 @@
|
|||||||
<!DOCTYPE html>
|
|
||||||
<html xmlns="http://www.w3.org/1999/xhtml">
|
|
||||||
<head>
|
|
||||||
<title>Keystone WebSSO redirect</title>
|
|
||||||
</head>
|
|
||||||
<body>
|
|
||||||
<form id="sso" name="sso" action="$host" method="post">
|
|
||||||
Please wait...
|
|
||||||
<br/>
|
|
||||||
<input type="hidden" name="token" id="token" value="$token"/>
|
|
||||||
<noscript>
|
|
||||||
<input type="submit" name="submit_no_javascript" id="submit_no_javascript"
|
|
||||||
value="If your JavaScript is disabled, please click to continue"/>
|
|
||||||
</noscript>
|
|
||||||
</form>
|
|
||||||
<script type="text/javascript">
|
|
||||||
window.onload = function() {
|
|
||||||
document.forms['sso'].submit();
|
|
||||||
}
|
|
||||||
</script>
|
|
||||||
</body>
|
|
||||||
</html>
|
|
@ -1,34 +0,0 @@
|
|||||||
---
|
|
||||||
# Copyright 2014, Rackspace US, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
- name: Restart Apache
|
|
||||||
service:
|
|
||||||
name: "apache2"
|
|
||||||
state: "restarted"
|
|
||||||
pattern: "apache2"
|
|
||||||
register: apache_restart
|
|
||||||
until: apache_restart|success
|
|
||||||
retries: 5
|
|
||||||
delay: 2
|
|
||||||
|
|
||||||
- name: Restart Shibd
|
|
||||||
service:
|
|
||||||
name: "shibd"
|
|
||||||
state: "restarted"
|
|
||||||
pattern: "shibd"
|
|
||||||
register: shibd_restart
|
|
||||||
until: shibd_restart|success
|
|
||||||
retries: 5
|
|
||||||
delay: 2
|
|
@ -1,120 +0,0 @@
|
|||||||
#!/usr/bin/python
|
|
||||||
# (c) 2015, Kevin Carter <kevin.carter@rackspace.com>
|
|
||||||
#
|
|
||||||
# Copyright 2015, Rackspace US, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
|
|
||||||
# import module snippets
|
|
||||||
from ansible.module_utils.basic import *
|
|
||||||
|
|
||||||
|
|
||||||
DOCUMENTATION = """
|
|
||||||
---
|
|
||||||
module: keystone_sp
|
|
||||||
version_added: "1.9.2"
|
|
||||||
short_description:
|
|
||||||
- Creates a fact for keystone_federated_identities and keystone_protocols
|
|
||||||
description:
|
|
||||||
- Sets facts called `keystone_federated_identities` and
|
|
||||||
`keystone_federated_protocols`, which are lists of hashes built from
|
|
||||||
keystone_sp using the information in the `federated_identities` and
|
|
||||||
`protocols` keys.
|
|
||||||
options:
|
|
||||||
sp_data:
|
|
||||||
description:
|
|
||||||
- Hash to build the service provider lists from
|
|
||||||
required: true
|
|
||||||
author: Kevin Carter
|
|
||||||
"""
|
|
||||||
|
|
||||||
EXAMPLES = """
|
|
||||||
# Set the keystone_federated_identities and keystone_federated_protocols facts
|
|
||||||
- keystone_sp:
|
|
||||||
sp_data: "{{ keystone_sp }}"
|
|
||||||
when: keystone_sp is defined
|
|
||||||
"""
|
|
||||||
|
|
||||||
# Keystone service provider data structure example.
|
|
||||||
"""
|
|
||||||
keystone_sp:
|
|
||||||
trusted_idp_list:
|
|
||||||
- name: "keystone-idp"
|
|
||||||
federated_identities:
|
|
||||||
- domain: Default
|
|
||||||
project: fedproject
|
|
||||||
group: fedgroup
|
|
||||||
role: _member_
|
|
||||||
protocols:
|
|
||||||
- name: saml2
|
|
||||||
mapping:
|
|
||||||
...
|
|
||||||
- name: 'testshib-idp'
|
|
||||||
federated_identities:
|
|
||||||
- domain: Default
|
|
||||||
project: fedproject2
|
|
||||||
group: fedgroup2
|
|
||||||
role: _member_
|
|
||||||
protocols:
|
|
||||||
- name: saml2
|
|
||||||
mapping:
|
|
||||||
...
|
|
||||||
"""
|
|
||||||
|
|
||||||
|
|
||||||
class KeystoneSp(object):
|
|
||||||
def __init__(self, module):
|
|
||||||
"""Generate an integer from a name."""
|
|
||||||
self.module = module
|
|
||||||
self.identities_return_list = list()
|
|
||||||
self.protocols_return_list = list()
|
|
||||||
self.sp_data = self.module.params['sp_data']
|
|
||||||
|
|
||||||
def populate_sp_data(self):
|
|
||||||
trusted_idp_list = self.sp_data['trusted_idp_list']
|
|
||||||
for trusted_idp in trusted_idp_list:
|
|
||||||
federated_identities = trusted_idp.get('federated_identities')
|
|
||||||
if federated_identities:
|
|
||||||
self.identities_return_list.extend(federated_identities)
|
|
||||||
protocols = trusted_idp.get('protocols')
|
|
||||||
if protocols:
|
|
||||||
for protocol in protocols:
|
|
||||||
self.protocols_return_list.append(
|
|
||||||
{'idp': trusted_idp, 'protocol': protocol})
|
|
||||||
|
|
||||||
|
|
||||||
def main():
|
|
||||||
module = AnsibleModule(
|
|
||||||
argument_spec=dict(
|
|
||||||
sp_data=dict(
|
|
||||||
required=True
|
|
||||||
)
|
|
||||||
),
|
|
||||||
supports_check_mode=False
|
|
||||||
)
|
|
||||||
try:
|
|
||||||
ksp = KeystoneSp(module=module)
|
|
||||||
ksp.populate_sp_data()
|
|
||||||
module.exit_json(
|
|
||||||
changed=True,
|
|
||||||
ansible_facts={
|
|
||||||
'keystone_federated_identities': ksp.identities_return_list,
|
|
||||||
'keystone_federated_protocols': ksp.protocols_return_list}
|
|
||||||
)
|
|
||||||
except Exception as exp:
|
|
||||||
resp = {'stderr': exp}
|
|
||||||
module.fail_json(msg='Failed Process', **resp)
|
|
||||||
|
|
||||||
if __name__ == '__main__':
|
|
||||||
main()
|
|
@ -1,40 +0,0 @@
|
|||||||
---
|
|
||||||
# Copyright 2014, Rackspace US, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
galaxy_info:
|
|
||||||
author: rcbops
|
|
||||||
description: Installation and setup of keystone
|
|
||||||
company: Rackspace
|
|
||||||
license: Apache2
|
|
||||||
min_ansible_version: 1.6.6
|
|
||||||
platforms:
|
|
||||||
- name: Ubuntu
|
|
||||||
versions:
|
|
||||||
- trusty
|
|
||||||
categories:
|
|
||||||
- cloud
|
|
||||||
- python
|
|
||||||
- keystone
|
|
||||||
- development
|
|
||||||
- openstack
|
|
||||||
dependencies:
|
|
||||||
- apt_package_pinning
|
|
||||||
- galera_client
|
|
||||||
- openstack_openrc
|
|
||||||
- pip_lock_down
|
|
||||||
- role: memcached_server
|
|
||||||
when: >
|
|
||||||
'memcache' in keystone_token_driver and
|
|
||||||
'fernet' not in keystone_token_provider
|
|
@ -1,98 +0,0 @@
|
|||||||
---
|
|
||||||
# Copyright 2014, Rackspace US, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
- name: Drop apache2 ports file
|
|
||||||
template:
|
|
||||||
src: "{{ item.src }}"
|
|
||||||
dest: "{{ item.dest }}"
|
|
||||||
owner: "root"
|
|
||||||
group: "root"
|
|
||||||
with_items:
|
|
||||||
- { src: "keystone-ports.conf.j2", dest: "/etc/apache2/ports.conf" }
|
|
||||||
- { src: "keystone-httpd.conf.j2", dest: "/etc/apache2/sites-available/keystone-httpd.conf" }
|
|
||||||
notify:
|
|
||||||
- Restart Apache
|
|
||||||
tags:
|
|
||||||
- keystone-httpd
|
|
||||||
|
|
||||||
- name: Disable default apache site
|
|
||||||
file:
|
|
||||||
path: "/etc/apache2/sites-enabled/000-default.conf"
|
|
||||||
state: "absent"
|
|
||||||
notify:
|
|
||||||
- Restart Apache
|
|
||||||
tags:
|
|
||||||
- keystone-httpd
|
|
||||||
|
|
||||||
- name: Enabled keystone vhost
|
|
||||||
file:
|
|
||||||
src: "{{ item.src }}"
|
|
||||||
dest: "{{ item.dest }}"
|
|
||||||
state: "{{ item.state }}"
|
|
||||||
with_items:
|
|
||||||
- { src: "/etc/apache2/sites-available/keystone-httpd.conf", dest: "/etc/apache2/sites-enabled/keystone-httpd.conf", state: "link" }
|
|
||||||
notify:
|
|
||||||
- Restart Apache
|
|
||||||
tags:
|
|
||||||
- keystone-httpd
|
|
||||||
|
|
||||||
- name: Ensure Apache ServerName
|
|
||||||
lineinfile:
|
|
||||||
dest: "/etc/apache2/apache2.conf"
|
|
||||||
line: "ServerName {{ inventory_hostname }}"
|
|
||||||
notify:
|
|
||||||
- Restart Apache
|
|
||||||
tags:
|
|
||||||
- keystone-httpd
|
|
||||||
|
|
||||||
- name: Ensure Apache ServerTokens
|
|
||||||
lineinfile:
|
|
||||||
dest: "/etc/apache2/conf-available/security.conf"
|
|
||||||
regexp: '^ServerTokens'
|
|
||||||
line: "ServerTokens {{ keystone_apache_servertokens }}"
|
|
||||||
notify:
|
|
||||||
- Restart Apache
|
|
||||||
tags:
|
|
||||||
- keystone-httpd
|
|
||||||
|
|
||||||
- name: Ensure Apache ServerSignature
|
|
||||||
lineinfile:
|
|
||||||
dest: "/etc/apache2/conf-available/security.conf"
|
|
||||||
regexp: '^ServerSignature'
|
|
||||||
line: "ServerSignature {{ keystone_apache_serversignature }}"
|
|
||||||
notify:
|
|
||||||
- Restart Apache
|
|
||||||
tags:
|
|
||||||
- keystone-httpd
|
|
||||||
|
|
||||||
- name: Enable/disable mod_ssl for apache2
|
|
||||||
apache2_module:
|
|
||||||
name: ssl
|
|
||||||
state: "{{ (keystone_ssl | bool) | ternary('present', 'absent') }}"
|
|
||||||
notify:
|
|
||||||
- Restart Apache
|
|
||||||
tags:
|
|
||||||
- keystone-httpd
|
|
||||||
- keystone-ssl
|
|
||||||
|
|
||||||
- name: Enable/disable mod_shib2 for apache2
|
|
||||||
apache2_module:
|
|
||||||
name: shib2
|
|
||||||
state: "{{ ( keystone_sp is defined ) | ternary('present', 'absent') }}"
|
|
||||||
ignore_errors: yes
|
|
||||||
notify:
|
|
||||||
- Restart Apache
|
|
||||||
tags:
|
|
||||||
- keystone-httpd
|
|
@ -1,50 +0,0 @@
|
|||||||
---
|
|
||||||
# Copyright 2014, Rackspace US, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
- name: Create DB for service
|
|
||||||
mysql_db:
|
|
||||||
login_user: "{{ galera_root_user }}"
|
|
||||||
login_password: "{{ galera_root_password }}"
|
|
||||||
login_host: "{{ keystone_galera_address }}"
|
|
||||||
name: "{{ keystone_galera_database }}"
|
|
||||||
state: "present"
|
|
||||||
tags:
|
|
||||||
- keystone-db-setup
|
|
||||||
|
|
||||||
- name: Grant access to the DB for the service
|
|
||||||
mysql_user:
|
|
||||||
login_user: "{{ galera_root_user }}"
|
|
||||||
login_password: "{{ galera_root_password }}"
|
|
||||||
login_host: "{{ keystone_galera_address }}"
|
|
||||||
name: "{{ keystone_galera_user }}"
|
|
||||||
password: "{{ keystone_container_mysql_password }}"
|
|
||||||
host: "{{ item }}"
|
|
||||||
state: "present"
|
|
||||||
priv: "{{ keystone_galera_database }}.*:ALL"
|
|
||||||
with_items:
|
|
||||||
- "localhost"
|
|
||||||
- "%"
|
|
||||||
tags:
|
|
||||||
- keystone-db-setup
|
|
||||||
|
|
||||||
- name: Perform a Keystone DB sync
|
|
||||||
command: "{{ keystone_bin }}/keystone-manage db_sync"
|
|
||||||
become: yes
|
|
||||||
become_user: "{{ keystone_system_user_name }}"
|
|
||||||
tags:
|
|
||||||
- keystone-db-setup
|
|
||||||
- keystone-db-sync
|
|
||||||
- keystone-setup
|
|
||||||
- keystone-command-bin
|
|
@ -1,152 +0,0 @@
|
|||||||
---
|
|
||||||
# Copyright 2014, Rackspace US, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
# note that these tasks will run when the id/name parameter is present.
|
|
||||||
# Providing the id/name without the other required params is a user error.
|
|
||||||
|
|
||||||
# TODO: Revisit this method when Ansible 2 releases
|
|
||||||
# User with_subelements instead, but in v1.x it's broken
|
|
||||||
- name: Set keystone_federated_identities fact
|
|
||||||
keystone_sp:
|
|
||||||
sp_data: "{{ keystone_sp }}"
|
|
||||||
tags:
|
|
||||||
- keystone-federation-sp
|
|
||||||
|
|
||||||
- name: Ensure domain which remote IDP users are mapped onto exists
|
|
||||||
keystone:
|
|
||||||
command: ensure_domain
|
|
||||||
domain_name: "{{ item.domain }}"
|
|
||||||
token: "{{ keystone_auth_admin_token }}"
|
|
||||||
endpoint: "{{ keystone_service_adminurl }}"
|
|
||||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
|
||||||
when: item.domain is defined
|
|
||||||
with_items: keystone_federated_identities
|
|
||||||
tags:
|
|
||||||
- keystone-federation-sp
|
|
||||||
|
|
||||||
- name: Ensure project which remote IDP users are mapped onto exists
|
|
||||||
keystone:
|
|
||||||
command: ensure_project
|
|
||||||
project_name: "{{ item.project }}"
|
|
||||||
domain_name: "{{ item.domain | default('Default') }}"
|
|
||||||
token: "{{ keystone_auth_admin_token }}"
|
|
||||||
endpoint: "{{ keystone_service_adminurl }}"
|
|
||||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
|
||||||
when: item.project is defined
|
|
||||||
with_items: keystone_federated_identities
|
|
||||||
tags:
|
|
||||||
- keystone-federation-sp
|
|
||||||
|
|
||||||
- name: Ensure user which remote IDP users are mapped onto exists
|
|
||||||
keystone:
|
|
||||||
command: ensure_user
|
|
||||||
user_name: "{{ item.user }}"
|
|
||||||
password: "{{ item.password }}"
|
|
||||||
project_name: "{{ item.project }}"
|
|
||||||
domain_name: "{{ item.domain | default('Default') }}"
|
|
||||||
token: "{{ keystone_auth_admin_token }}"
|
|
||||||
endpoint: "{{ keystone_service_adminurl }}"
|
|
||||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
|
||||||
when: >
|
|
||||||
item.user is defined and
|
|
||||||
item.password is defined and
|
|
||||||
item.project is defined
|
|
||||||
with_items: keystone_federated_identities
|
|
||||||
tags:
|
|
||||||
- keystone-federation-sp
|
|
||||||
|
|
||||||
- name: Ensure Group for external IDP users exists
|
|
||||||
keystone:
|
|
||||||
command: ensure_group
|
|
||||||
group_name: "{{ item.group }}"
|
|
||||||
domain_name: "{{ item.domain | default('Default') }}"
|
|
||||||
token: "{{ keystone_auth_admin_token }}"
|
|
||||||
endpoint: "{{ keystone_service_adminurl }}"
|
|
||||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
|
||||||
when: item.group is defined
|
|
||||||
with_items: keystone_federated_identities
|
|
||||||
tags:
|
|
||||||
- keystone-federation-sp
|
|
||||||
|
|
||||||
- name: Ensure Role for external IDP users exists
|
|
||||||
keystone:
|
|
||||||
command: "ensure_role"
|
|
||||||
role_name: "{{ item.role | default('_member_') }}"
|
|
||||||
token: "{{ keystone_auth_admin_token }}"
|
|
||||||
endpoint: "{{ keystone_service_adminurl }}"
|
|
||||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
|
||||||
when: >
|
|
||||||
item.group is defined and
|
|
||||||
item.project is defined
|
|
||||||
with_items: keystone_federated_identities
|
|
||||||
tags:
|
|
||||||
- keystone-federation-sp
|
|
||||||
|
|
||||||
- name: Ensure Group/Project/Role mapping exists
|
|
||||||
keystone:
|
|
||||||
command: ensure_group_role
|
|
||||||
group_name: "{{ item.group }}"
|
|
||||||
project_name: "{{ item.project }}"
|
|
||||||
role_name: "{{ item.role | default('_member_') }}"
|
|
||||||
token: "{{ keystone_auth_admin_token }}"
|
|
||||||
endpoint: "{{ keystone_service_adminurl }}"
|
|
||||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
|
||||||
when: >
|
|
||||||
item.group is defined and
|
|
||||||
item.project is defined
|
|
||||||
with_items: keystone_federated_identities
|
|
||||||
tags:
|
|
||||||
- keystone-federation-sp
|
|
||||||
|
|
||||||
- name: Ensure mapping for external IDP attributes exists
|
|
||||||
keystone:
|
|
||||||
command: ensure_mapping
|
|
||||||
mapping_name: "{{ item.protocol.mapping.name }}"
|
|
||||||
mapping_rules: "{{ item.protocol.mapping.rules }}"
|
|
||||||
token: "{{ keystone_auth_admin_token }}"
|
|
||||||
endpoint: "{{ keystone_service_adminurl }}"
|
|
||||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
|
||||||
when: item.protocol.mapping.name is defined
|
|
||||||
with_items: keystone_federated_protocols
|
|
||||||
tags:
|
|
||||||
- keystone-federation-sp
|
|
||||||
|
|
||||||
- name: Ensure external IDP
|
|
||||||
keystone:
|
|
||||||
command: ensure_identity_provider
|
|
||||||
idp_name: "{{ item.name }}"
|
|
||||||
idp_remote_ids: "{{ item.entity_ids }}"
|
|
||||||
idp_enabled: true
|
|
||||||
token: "{{ keystone_auth_admin_token }}"
|
|
||||||
endpoint: "{{ keystone_service_adminurl }}"
|
|
||||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
|
||||||
when: item.name is defined
|
|
||||||
with_items: keystone_sp.trusted_idp_list
|
|
||||||
tags:
|
|
||||||
- keystone-federation-sp
|
|
||||||
|
|
||||||
- name: Ensure federation protocol exists
|
|
||||||
keystone:
|
|
||||||
command: ensure_protocol
|
|
||||||
protocol_name: "{{ item.protocol.name }}"
|
|
||||||
idp_name: "{{ item.idp.name }}"
|
|
||||||
mapping_name: "{{ item.protocol.mapping.name }}"
|
|
||||||
token: "{{ keystone_auth_admin_token }}"
|
|
||||||
endpoint: "{{ keystone_service_adminurl }}"
|
|
||||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
|
||||||
when: item.protocol.name is defined
|
|
||||||
with_items: keystone_federated_protocols
|
|
||||||
tags:
|
|
||||||
- keystone-federation-sp
|
|
@ -1,101 +0,0 @@
|
|||||||
---
|
|
||||||
# Copyright 2015, Rackspace US, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
- name: Drop Shibboleth Config
|
|
||||||
template:
|
|
||||||
src: "{{ item.src }}"
|
|
||||||
dest: "{{ item.dest }}"
|
|
||||||
owner: "{{ keystone_system_user_name }}"
|
|
||||||
group: "{{ keystone_system_group_name }}"
|
|
||||||
mode: "{{ item.mode|default('0644') }}"
|
|
||||||
with_items:
|
|
||||||
- { src: "shibboleth-attribute-map.xml.j2", dest: "/etc/shibboleth/attribute-map.xml" }
|
|
||||||
- { src: "shibboleth2.xml.j2", dest: "/etc/shibboleth/shibboleth2.xml" }
|
|
||||||
notify:
|
|
||||||
- Restart Shibd
|
|
||||||
tags:
|
|
||||||
- keystone-config
|
|
||||||
- keystone-federation-sp
|
|
||||||
|
|
||||||
- name: Generate the Shibboleth SP key-pair
|
|
||||||
shell: "shib-keygen -h {{ external_lb_vip_address }} -y {{ keystone_sp.cert_duration_years }}"
|
|
||||||
args:
|
|
||||||
creates: "/etc/shibboleth/sp-cert.pem"
|
|
||||||
when: inventory_hostname == groups['keystone_all'][0]
|
|
||||||
notify:
|
|
||||||
- Restart Apache
|
|
||||||
- Restart Shibd
|
|
||||||
tags:
|
|
||||||
- keystone-config
|
|
||||||
- keystone-federation-sp
|
|
||||||
|
|
||||||
- name: Store Shibboleth SP key-pair
|
|
||||||
memcached:
|
|
||||||
name: "{{ item.name }}"
|
|
||||||
file_path: "{{ item.src }}"
|
|
||||||
state: "present"
|
|
||||||
server: "{{ memcached_servers }}"
|
|
||||||
encrypt_string: "{{ memcached_encryption_key }}"
|
|
||||||
with_items:
|
|
||||||
- { src: "/etc/shibboleth/sp-cert.pem", name: "keystone_sp_cert" }
|
|
||||||
- { src: "/etc/shibboleth/sp-key.pem", name: "keystone_sp_key" }
|
|
||||||
register: memcache_keys
|
|
||||||
until: memcache_keys|success
|
|
||||||
retries: 5
|
|
||||||
delay: 2
|
|
||||||
when: inventory_hostname == groups['keystone_all'][0]
|
|
||||||
tags:
|
|
||||||
- keystone-config
|
|
||||||
- keystone-federation-sp
|
|
||||||
|
|
||||||
- name: Distribute the Shibboleth SP key-pair
|
|
||||||
memcached:
|
|
||||||
name: "{{ item.name }}"
|
|
||||||
file_path: "{{ item.src }}"
|
|
||||||
state: "retrieve"
|
|
||||||
file_mode: "{{ item.file_mode }}"
|
|
||||||
dir_mode: "{{ item.dir_mode }}"
|
|
||||||
server: "{{ memcached_servers }}"
|
|
||||||
encrypt_string: "{{ memcached_encryption_key }}"
|
|
||||||
with_items:
|
|
||||||
- { src: "/etc/shibboleth/sp-cert.pem", name: "keystone_sp_cert", file_mode: "0640", dir_mode: "0750" }
|
|
||||||
- { src: "/etc/shibboleth/sp-key.pem", name: "keystone_sp_key", file_mode: "0600", dir_mode: "0750" }
|
|
||||||
register: memcache_keys
|
|
||||||
until: memcache_keys|success
|
|
||||||
retries: 5
|
|
||||||
delay: 2
|
|
||||||
when: inventory_hostname != groups['keystone_all'][0]
|
|
||||||
notify:
|
|
||||||
- Restart Apache
|
|
||||||
- Restart Shibd
|
|
||||||
tags:
|
|
||||||
- keystone-config
|
|
||||||
- keystone-federation-sp
|
|
||||||
|
|
||||||
- name: Set appropriate file ownership on the Shibboleth SP key-pair
|
|
||||||
file:
|
|
||||||
path: "{{ item }}"
|
|
||||||
owner: "_shibd"
|
|
||||||
group: "_shibd"
|
|
||||||
with_items:
|
|
||||||
- "/etc/shibboleth/sp-cert.pem"
|
|
||||||
- "/etc/shibboleth/sp-key.pem"
|
|
||||||
when: inventory_hostname != groups['keystone_all'][0]
|
|
||||||
notify:
|
|
||||||
- Restart Apache
|
|
||||||
- Restart Shibd
|
|
||||||
tags:
|
|
||||||
- keystone-config
|
|
||||||
- keystone-federation-sp
|
|
@ -1,24 +0,0 @@
|
|||||||
---
|
|
||||||
# Copyright 2015, Rackspace US, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
- include: keystone_fernet_keys_create.yml
|
|
||||||
when: >
|
|
||||||
inventory_hostname == groups['keystone_all'][0]
|
|
||||||
|
|
||||||
- include: keystone_fernet_keys_distribute.yml
|
|
||||||
when: >
|
|
||||||
inventory_hostname == groups['keystone_all'][0]
|
|
||||||
|
|
||||||
- include: keystone_fernet_keys_autorotate.yml
|
|
@ -1,53 +0,0 @@
|
|||||||
---
|
|
||||||
# Copyright 2015, Rackspace US, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
# This script is being created with mode 0755 intentionally. This is so that the
|
|
||||||
# script can be executed by root to rotate the keys as needed. The script being
|
|
||||||
# executed will always change it's user context to the keystone user before
|
|
||||||
# execution and while the script may be world read/executable its contains only
|
|
||||||
# the necessary bits that are required to run the rotate and sync commands.
|
|
||||||
- name: Drop fernet key auto rotate script
|
|
||||||
template:
|
|
||||||
src: "keystone-fernet-rotate.sh.j2"
|
|
||||||
dest: "{{ keystone_fernet_auto_rotation_script }}"
|
|
||||||
owner: "{{ keystone_system_user_name }}"
|
|
||||||
group: "{{ keystone_system_group_name }}"
|
|
||||||
mode: "1755"
|
|
||||||
tags:
|
|
||||||
- keystone-fernet-auto-rotate
|
|
||||||
|
|
||||||
# This creates the auto rotation job on the first keystone host.
|
|
||||||
- name: Create auto rotation job
|
|
||||||
cron:
|
|
||||||
name: "Fernet auto rotate job"
|
|
||||||
special_time: "{{ keystone_fernet_rotation }}"
|
|
||||||
user: "keystone"
|
|
||||||
job: "{{ keystone_fernet_auto_rotation_script }}"
|
|
||||||
cron_file: keystone-fernet-rotate
|
|
||||||
when: >
|
|
||||||
inventory_hostname == groups['keystone_all'][0]
|
|
||||||
tags:
|
|
||||||
- keystone-fernet-auto-rotate
|
|
||||||
|
|
||||||
# This makes sure that no auto rotation jobs are on any other hosts.
|
|
||||||
- name: Remove extra auto rotation job
|
|
||||||
cron:
|
|
||||||
name: "Fernet auto rotate job"
|
|
||||||
cron_file: keystone-fernet-rotate
|
|
||||||
state: "absent"
|
|
||||||
when: >
|
|
||||||
inventory_hostname != groups['keystone_all'][0]
|
|
||||||
tags:
|
|
||||||
- keystone-fernet-auto-rotate
|
|
@ -1,46 +0,0 @@
|
|||||||
---
|
|
||||||
# Copyright 2015, Rackspace US, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
- name: Check if fernet keys already exist
|
|
||||||
stat:
|
|
||||||
path: "{{ keystone_fernet_tokens_key_repository }}/0"
|
|
||||||
register: _fernet_keys
|
|
||||||
tags:
|
|
||||||
- keystone-fernet
|
|
||||||
|
|
||||||
- name: Create fernet keys for Keystone
|
|
||||||
command: >
|
|
||||||
{{ keystone_bin }}/keystone-manage fernet_setup
|
|
||||||
--keystone-user "{{ keystone_system_user_name }}"
|
|
||||||
--keystone-group "{{ keystone_system_group_name }}"
|
|
||||||
become: yes
|
|
||||||
become_user: "{{ keystone_system_user_name }}"
|
|
||||||
when: not _fernet_keys.stat.exists
|
|
||||||
tags:
|
|
||||||
- keystone-setup
|
|
||||||
- keystone-fernet
|
|
||||||
- keystone-command-bin
|
|
||||||
|
|
||||||
- name: Rotate fernet keys for Keystone
|
|
||||||
command: >
|
|
||||||
{{ keystone_bin }}/keystone-manage fernet_rotate
|
|
||||||
--keystone-user "{{ keystone_system_user_name }}"
|
|
||||||
--keystone-group "{{ keystone_system_group_name }}"
|
|
||||||
become: yes
|
|
||||||
become_user: "{{ keystone_system_user_name }}"
|
|
||||||
when: _fernet_keys.stat.exists
|
|
||||||
tags:
|
|
||||||
- keystone-fernet
|
|
||||||
- keystone-command-bin
|
|
@ -1,27 +0,0 @@
|
|||||||
---
|
|
||||||
# Copyright 2015, Rackspace US, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
- name: Distribute the fernet key repository
|
|
||||||
shell: |
|
|
||||||
rsync -e 'ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' \
|
|
||||||
-avz \
|
|
||||||
--delete \
|
|
||||||
{{ keystone_fernet_tokens_key_repository }}/ \
|
|
||||||
{{ keystone_system_user_name }}@{{ hostvars[item]['ansible_ssh_host'] }}:{{ keystone_fernet_tokens_key_repository }}/
|
|
||||||
become: yes
|
|
||||||
become_user: "{{ keystone_system_user_name }}"
|
|
||||||
with_items: groups['keystone_all'][1:]
|
|
||||||
tags:
|
|
||||||
- keystone-fernet-distribute
|
|
@ -1,26 +0,0 @@
|
|||||||
---
|
|
||||||
# Copyright 2014, Rackspace US, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
- name: Generate IdP metadata
|
|
||||||
shell: |
|
|
||||||
{{ keystone_bin }}/keystone-manage saml_idp_metadata > {{ keystone_idp.idp_metadata_path }}
|
|
||||||
become: yes
|
|
||||||
become_user: "{{ keystone_system_user_name }}"
|
|
||||||
when: keystone_idp is defined
|
|
||||||
notify:
|
|
||||||
- Restart Apache
|
|
||||||
tags:
|
|
||||||
- keystone-config
|
|
||||||
- keystone-idp
|
|
@ -1,48 +0,0 @@
|
|||||||
---
|
|
||||||
# Copyright 2014, Rackspace US, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
- name: Remove IdP self-signed certificate for regen
|
|
||||||
file:
|
|
||||||
dest: "{{ keystone_idp.cerfile }}"
|
|
||||||
state: "absent"
|
|
||||||
when: >
|
|
||||||
keystone_idp.regen_cert == true or
|
|
||||||
keystone_idp.regen_cert == "True"
|
|
||||||
|
|
||||||
- name: Create IdP self-signed ssl cert
|
|
||||||
command: >
|
|
||||||
openssl req -new -nodes -sha256 -x509 -subj
|
|
||||||
"{{ keystone_idp.self_signed_cert_subject }}"
|
|
||||||
-days 3650
|
|
||||||
-keyout {{ keystone_idp.keyfile }}
|
|
||||||
-out {{ keystone_idp.certfile }}
|
|
||||||
-extensions v3_ca
|
|
||||||
creates={{ keystone_idp.certfile }}
|
|
||||||
when: >
|
|
||||||
inventory_hostname == groups['keystone_all'][0]
|
|
||||||
notify: Restart Apache
|
|
||||||
tags:
|
|
||||||
- keystone-config
|
|
||||||
- keystone-idp
|
|
||||||
|
|
||||||
- name: Set appropriate file ownership on the IdP self-signed cert
|
|
||||||
file:
|
|
||||||
path: "{{ item }}"
|
|
||||||
owner: "{{ keystone_system_user_name }}"
|
|
||||||
group: "{{ keystone_system_group_name }}"
|
|
||||||
mode: "0640"
|
|
||||||
with_items:
|
|
||||||
- "{{ keystone_idp.keyfile }}"
|
|
||||||
- "{{ keystone_idp.certfile }}"
|
|
@ -1,44 +0,0 @@
|
|||||||
---
|
|
||||||
# Copyright 2014, Rackspace US, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
- name: Distribute IdP self-signed certificate
|
|
||||||
memcached:
|
|
||||||
name: "{{ item.name }}"
|
|
||||||
file_path: "{{ item.src }}"
|
|
||||||
state: "retrieve"
|
|
||||||
file_mode: "{{ item.file_mode }}"
|
|
||||||
dir_mode: "{{ item.dir_mode }}"
|
|
||||||
server: "{{ memcached_servers }}"
|
|
||||||
encrypt_string: "{{ memcached_encryption_key }}"
|
|
||||||
with_items:
|
|
||||||
- { src: "{{ keystone_idp.certfile }}", name: "keystone_idp_cert", file_mode: "0640", dir_mode: "0750" }
|
|
||||||
- { src: "{{ keystone_idp.keyfile }}", name: "keystone_idp_key", file_mode: "0640", dir_mode: "0750" }
|
|
||||||
register: memcache_keys
|
|
||||||
until: memcache_keys|success
|
|
||||||
retries: 5
|
|
||||||
delay: 2
|
|
||||||
notify: Restart Apache
|
|
||||||
tags:
|
|
||||||
- keystone-idp
|
|
||||||
|
|
||||||
- name: Set appropriate file ownership on the IdP self-signed cert
|
|
||||||
file:
|
|
||||||
path: "{{ item }}"
|
|
||||||
owner: "{{ keystone_system_user_name }}"
|
|
||||||
group: "{{ keystone_system_group_name }}"
|
|
||||||
mode: "0640"
|
|
||||||
with_items:
|
|
||||||
- "{{ keystone_idp.keyfile }}"
|
|
||||||
- "{{ keystone_idp.certfile }}"
|
|
@ -1,31 +0,0 @@
|
|||||||
---
|
|
||||||
# Copyright 2014, Rackspace US, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
- name: Store IdP self-signed certificate
|
|
||||||
memcached:
|
|
||||||
name: "{{ item.name }}"
|
|
||||||
file_path: "{{ item.src }}"
|
|
||||||
state: "present"
|
|
||||||
server: "{{ memcached_servers }}"
|
|
||||||
encrypt_string: "{{ memcached_encryption_key }}"
|
|
||||||
with_items:
|
|
||||||
- { src: "{{ keystone_idp.certfile }}", name: "keystone_idp_cert" }
|
|
||||||
- { src: "{{ keystone_idp.keyfile }}", name: "keystone_idp_key" }
|
|
||||||
register: memcache_keys
|
|
||||||
until: memcache_keys|success
|
|
||||||
retries: 5
|
|
||||||
delay: 2
|
|
||||||
tags:
|
|
||||||
- keystone-idp
|
|
@ -1,30 +0,0 @@
|
|||||||
---
|
|
||||||
# Copyright 2014, Rackspace US, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
- include: keystone_idp_self_signed_create.yml
|
|
||||||
when: >
|
|
||||||
inventory_hostname == groups['keystone_all'][0]
|
|
||||||
|
|
||||||
- include: keystone_idp_self_signed_store.yml
|
|
||||||
when: >
|
|
||||||
inventory_hostname == groups['keystone_all'][0]
|
|
||||||
|
|
||||||
- include: keystone_idp_self_signed_distribute.yml
|
|
||||||
when: >
|
|
||||||
inventory_hostname != groups['keystone_all'][0]
|
|
||||||
|
|
||||||
- include: keystone_idp_metadata.yml
|
|
||||||
|
|
||||||
- include: keystone_idp_sp_setup.yml
|
|
@ -1,30 +0,0 @@
|
|||||||
---
|
|
||||||
# Copyright 2014, Rackspace US, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
- name: Register service providers
|
|
||||||
keystone:
|
|
||||||
command: "ensure_service_provider"
|
|
||||||
token: "{{ keystone_auth_admin_token }}"
|
|
||||||
endpoint: "{{ keystone_service_adminurl }}"
|
|
||||||
sp_name: "{{ item.id }}"
|
|
||||||
sp_url: "{{ item.sp_url }}"
|
|
||||||
sp_auth_url: "{{ item.auth_url }}"
|
|
||||||
with_items: keystone_idp.service_providers
|
|
||||||
register: add_service_providers
|
|
||||||
until: add_service_providers|success
|
|
||||||
retries: 5
|
|
||||||
delay: 10
|
|
||||||
tags:
|
|
||||||
- keystone-idp
|
|
@ -1,218 +0,0 @@
|
|||||||
---
|
|
||||||
# Copyright 2014, Rackspace US, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
#TODO(evrardjp): Replace the next 2 tasks by a standard apt with cache
|
|
||||||
#when https://github.com/ansible/ansible-modules-core/pull/1517 is merged
|
|
||||||
#in 1.9.x or we move to 2.0 (if tested working)
|
|
||||||
- name: Check apt last update file
|
|
||||||
stat:
|
|
||||||
path: /var/cache/apt
|
|
||||||
register: apt_cache_stat
|
|
||||||
tags:
|
|
||||||
- keystone-apt-packages
|
|
||||||
|
|
||||||
- name: Update apt if needed
|
|
||||||
apt:
|
|
||||||
update_cache: yes
|
|
||||||
when: "ansible_date_time.epoch|float - apt_cache_stat.stat.mtime > {{cache_timeout}}"
|
|
||||||
tags:
|
|
||||||
- keystone-apt-packages
|
|
||||||
|
|
||||||
- name: Install apt packages
|
|
||||||
apt:
|
|
||||||
pkg: "{{ item }}"
|
|
||||||
state: latest
|
|
||||||
register: install_packages
|
|
||||||
until: install_packages|success
|
|
||||||
retries: 5
|
|
||||||
delay: 2
|
|
||||||
with_items: keystone_apt_packages
|
|
||||||
tags:
|
|
||||||
- keystone-install
|
|
||||||
- keystone-apt-packages
|
|
||||||
|
|
||||||
- name: Install IdP apt packages
|
|
||||||
apt:
|
|
||||||
pkg: "{{ item }}"
|
|
||||||
state: latest
|
|
||||||
register: install_packages
|
|
||||||
until: install_packages|success
|
|
||||||
retries: 5
|
|
||||||
delay: 2
|
|
||||||
with_items: keystone_idp_apt_packages
|
|
||||||
when: keystone_idp is defined
|
|
||||||
tags:
|
|
||||||
- keystone-install
|
|
||||||
- keystone-apt-packages
|
|
||||||
|
|
||||||
- name: Install SP apt packages
|
|
||||||
apt:
|
|
||||||
pkg: "{{ item }}"
|
|
||||||
state: latest
|
|
||||||
register: install_packages
|
|
||||||
until: install_packages|success
|
|
||||||
retries: 5
|
|
||||||
delay: 2
|
|
||||||
with_items: keystone_sp_apt_packages
|
|
||||||
when: keystone_sp is defined
|
|
||||||
tags:
|
|
||||||
- keystone-install
|
|
||||||
- keystone-apt-packages
|
|
||||||
|
|
||||||
- name: Install requires pip packages
|
|
||||||
pip:
|
|
||||||
name: "{{ item }}"
|
|
||||||
state: present
|
|
||||||
extra_args: "{{ pip_install_options|default('') }}"
|
|
||||||
register: install_packages
|
|
||||||
until: install_packages|success
|
|
||||||
retries: 5
|
|
||||||
delay: 2
|
|
||||||
with_items: keystone_requires_pip_packages
|
|
||||||
tags:
|
|
||||||
- keystone-install
|
|
||||||
- keystone-pip-packages
|
|
||||||
|
|
||||||
- name: Get local venv checksum
|
|
||||||
stat:
|
|
||||||
path: "/var/cache/{{ keystone_venv_download_url | basename }}"
|
|
||||||
get_md5: False
|
|
||||||
when: keystone_venv_enabled | bool
|
|
||||||
register: local_venv_stat
|
|
||||||
tags:
|
|
||||||
- keystone-install
|
|
||||||
- keystone-pip-packages
|
|
||||||
|
|
||||||
- name: Get remote venv checksum
|
|
||||||
uri:
|
|
||||||
url: "{{ keystone_venv_download_url | replace('tgz', 'checksum') }}"
|
|
||||||
return_content: True
|
|
||||||
when: keystone_venv_enabled | bool
|
|
||||||
register: remote_venv_checksum
|
|
||||||
tags:
|
|
||||||
- keystone-install
|
|
||||||
- keystone-pip-packages
|
|
||||||
|
|
||||||
# TODO: When project moves to ansible 2 we can pass this a sha256sum which will:
|
|
||||||
# a) allow us to remove force: yes
|
|
||||||
# b) allow the module to calculate the checksum of dest file which would
|
|
||||||
# result in file being downloaded only if provided and dest sha256sum
|
|
||||||
# checksums differ
|
|
||||||
- name: Attempt venv download
|
|
||||||
get_url:
|
|
||||||
url: "{{ keystone_venv_download_url }}"
|
|
||||||
dest: "/var/cache/{{ keystone_venv_download_url | basename }}"
|
|
||||||
force: yes
|
|
||||||
ignore_errors: true
|
|
||||||
register: get_venv
|
|
||||||
when:
|
|
||||||
- keystone_venv_enabled | bool
|
|
||||||
- (local_venv_stat.stat.exists == False or
|
|
||||||
{{ local_venv_stat.stat.checksum is defined and local_venv_stat.stat.checksum != remote_venv_checksum.content | trim }})
|
|
||||||
tags:
|
|
||||||
- keystone-install
|
|
||||||
- keystone-pip-packages
|
|
||||||
|
|
||||||
- name: Set keystone get_venv fact
|
|
||||||
set_fact:
|
|
||||||
keystone_get_venv: "{{ get_venv }}"
|
|
||||||
when: keystone_venv_enabled | bool
|
|
||||||
tags:
|
|
||||||
- keystone-install
|
|
||||||
- keystone-pip-packages
|
|
||||||
|
|
||||||
- name: Remove existing venv
|
|
||||||
file:
|
|
||||||
path: "{{ keystone_venv_bin | dirname }}"
|
|
||||||
state: absent
|
|
||||||
when:
|
|
||||||
- keystone_venv_enabled | bool
|
|
||||||
- keystone_get_venv | changed
|
|
||||||
tags:
|
|
||||||
- keystone-install
|
|
||||||
- keystone-pip-packages
|
|
||||||
|
|
||||||
- name: Create keystone venv dir
|
|
||||||
file:
|
|
||||||
path: "{{ keystone_venv_bin | dirname }}"
|
|
||||||
state: directory
|
|
||||||
when:
|
|
||||||
- keystone_venv_enabled | bool
|
|
||||||
- keystone_get_venv | changed
|
|
||||||
tags:
|
|
||||||
- keystone-install
|
|
||||||
- keystone-pip-packages
|
|
||||||
|
|
||||||
- name: Unarchive pre-built venv
|
|
||||||
unarchive:
|
|
||||||
src: "/var/cache/{{ keystone_venv_download_url | basename }}"
|
|
||||||
dest: "{{ keystone_venv_bin | dirname }}"
|
|
||||||
copy: "no"
|
|
||||||
when:
|
|
||||||
- keystone_venv_enabled | bool
|
|
||||||
- keystone_get_venv | changed
|
|
||||||
notify:
|
|
||||||
- Restart Apache
|
|
||||||
tags:
|
|
||||||
- keystone-install
|
|
||||||
- keystone-pip-packages
|
|
||||||
|
|
||||||
- name: Update virtualenv path
|
|
||||||
command: >
|
|
||||||
virtualenv-tools --update-path=auto {{ keystone_venv_bin | dirname }}
|
|
||||||
when:
|
|
||||||
- keystone_venv_enabled | bool
|
|
||||||
- keystone_get_venv | success
|
|
||||||
tags:
|
|
||||||
- keystone-install
|
|
||||||
- keystone-pip-packages
|
|
||||||
|
|
||||||
- name: Install pip packages (venv)
|
|
||||||
pip:
|
|
||||||
name: "{{ item }}"
|
|
||||||
state: present
|
|
||||||
virtualenv: "{{ keystone_venv_bin | dirname }}"
|
|
||||||
virtualenv_site_packages: "no"
|
|
||||||
extra_args: "{{ pip_install_options|default('') }}"
|
|
||||||
register: install_packages
|
|
||||||
until: install_packages|success
|
|
||||||
retries: 5
|
|
||||||
delay: 2
|
|
||||||
with_items: keystone_pip_packages
|
|
||||||
when:
|
|
||||||
- keystone_venv_enabled | bool
|
|
||||||
- keystone_get_venv | failed
|
|
||||||
notify:
|
|
||||||
- Restart Apache
|
|
||||||
tags:
|
|
||||||
- keystone-install
|
|
||||||
- keystone-pip-packages
|
|
||||||
|
|
||||||
- name: Install pip packages (no venv)
|
|
||||||
pip:
|
|
||||||
name: "{{ item }}"
|
|
||||||
state: present
|
|
||||||
extra_args: "{{ pip_install_options|default('') }}"
|
|
||||||
register: install_packages
|
|
||||||
until: install_packages|success
|
|
||||||
retries: 5
|
|
||||||
delay: 2
|
|
||||||
with_items: keystone_pip_packages
|
|
||||||
when: not keystone_venv_enabled | bool
|
|
||||||
notify:
|
|
||||||
- Restart Apache
|
|
||||||
tags:
|
|
||||||
- keystone-install
|
|
||||||
- keystone-pip-packages
|
|
@ -1,23 +0,0 @@
|
|||||||
---
|
|
||||||
# Copyright 2015, Rackspace US, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
- name: Create authorized keys file from host vars
|
|
||||||
authorized_key:
|
|
||||||
user: "{{ keystone_system_user_name }}"
|
|
||||||
key: "{{ hostvars[item]['keystone_pubkey'] | b64decode }}"
|
|
||||||
with_items: groups['keystone_all']
|
|
||||||
tags:
|
|
||||||
- keystone-key
|
|
||||||
- keystone-key-distribute
|
|
@ -1,30 +0,0 @@
|
|||||||
---
|
|
||||||
# Copyright 2014, Rackspace US, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
- name: Get public key contents and store as var
|
|
||||||
slurp:
|
|
||||||
src: "{{ keystone_system_user_home }}/.ssh/id_rsa.pub"
|
|
||||||
register: keystone_pub
|
|
||||||
changed_when: false
|
|
||||||
tags:
|
|
||||||
- keystone-key
|
|
||||||
- keystone-key-create
|
|
||||||
|
|
||||||
- name: Register a fact for the keystone pub key
|
|
||||||
set_fact:
|
|
||||||
keystone_pubkey: "{{ keystone_pub.content }}"
|
|
||||||
tags:
|
|
||||||
- keystone-key
|
|
||||||
- keystone-key-create
|
|
@ -1,24 +0,0 @@
|
|||||||
---
|
|
||||||
# Copyright 2015, Rackspace US, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
- include: keystone_key_populate.yml
|
|
||||||
tags:
|
|
||||||
- keystone-key
|
|
||||||
- keystone-key-create
|
|
||||||
|
|
||||||
- include: keystone_key_distribute.yml
|
|
||||||
tags:
|
|
||||||
- keystone-key
|
|
||||||
- keystone-key-distribute
|
|
@ -1,41 +0,0 @@
|
|||||||
---
|
|
||||||
# Copyright 2015, Rackspace US, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
|
|
||||||
- name: Create Keystone LDAP domains
|
|
||||||
keystone:
|
|
||||||
command: ensure_domain
|
|
||||||
domain_name: "{{ item.key }}"
|
|
||||||
token: "{{ keystone_auth_admin_token }}"
|
|
||||||
endpoint: "{{ keystone_service_adminurl }}"
|
|
||||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
|
||||||
with_dict: keystone_ldap
|
|
||||||
run_once: true
|
|
||||||
tags:
|
|
||||||
- keystone-ldap-domain-create
|
|
||||||
|
|
||||||
- name: Create Keystone LDAP domain configs
|
|
||||||
template:
|
|
||||||
src: keystone.domain.conf.j2
|
|
||||||
dest: "{{ keystone_ldap_domain_config_dir }}/keystone.{{ item.key }}.conf"
|
|
||||||
owner: "{{ keystone_system_user_name }}"
|
|
||||||
group: "{{ keystone_system_group_name }}"
|
|
||||||
mode: "0644"
|
|
||||||
with_dict: keystone_ldap
|
|
||||||
notify:
|
|
||||||
- Restart Apache
|
|
||||||
tags:
|
|
||||||
- keystone-ldap-domain-config
|
|
||||||
|
|
@ -1,37 +0,0 @@
|
|||||||
---
|
|
||||||
# Copyright 2014, Rackspace US, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
- name: Ensure Rabbitmq vhost
|
|
||||||
rabbitmq_vhost:
|
|
||||||
name: "{{ keystone_rabbitmq_vhost }}"
|
|
||||||
state: "present"
|
|
||||||
delegate_to: "{{ groups['rabbitmq_all'][0] }}"
|
|
||||||
tags:
|
|
||||||
- keystone-rabbitmq
|
|
||||||
- keystone-rabbitmq-vhost
|
|
||||||
|
|
||||||
- name: Ensure rabbitmq user
|
|
||||||
rabbitmq_user:
|
|
||||||
user: "{{ keystone_rabbitmq_userid }}"
|
|
||||||
password: "{{ keystone_rabbitmq_password }}"
|
|
||||||
vhost: "{{ keystone_rabbitmq_vhost }}"
|
|
||||||
configure_priv: ".*"
|
|
||||||
read_priv: ".*"
|
|
||||||
write_priv: ".*"
|
|
||||||
state: "present"
|
|
||||||
delegate_to: "{{ groups['rabbitmq_all'][0] }}"
|
|
||||||
tags:
|
|
||||||
- keystone-rabbitmq
|
|
||||||
- keystone-rabbitmq-user
|
|
@ -1,86 +0,0 @@
|
|||||||
---
|
|
||||||
# Copyright 2014, Rackspace US, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
- name: Copy keystone config
|
|
||||||
config_template:
|
|
||||||
src: "{{ item.src }}"
|
|
||||||
dest: "{{ item.dest }}"
|
|
||||||
owner: "{{ keystone_system_user_name }}"
|
|
||||||
group: "{{ keystone_system_group_name }}"
|
|
||||||
mode: "0644"
|
|
||||||
config_overrides: "{{ item.config_overrides }}"
|
|
||||||
config_type: "{{ item.config_type }}"
|
|
||||||
with_items:
|
|
||||||
- src: "keystone.conf.j2"
|
|
||||||
dest: "/etc/keystone/keystone.conf"
|
|
||||||
config_overrides: "{{ keystone_keystone_conf_overrides }}"
|
|
||||||
config_type: "ini"
|
|
||||||
- src: "keystone-paste.ini.j2"
|
|
||||||
dest: "/etc/keystone/keystone-paste.ini"
|
|
||||||
config_overrides: "{{ keystone_keystone_paste_ini_overrides }}"
|
|
||||||
config_type: "ini"
|
|
||||||
- src: "policy.json.j2"
|
|
||||||
dest: "/etc/keystone/policy.json"
|
|
||||||
config_overrides: "{{ keystone_policy_overrides }}"
|
|
||||||
config_type: "json"
|
|
||||||
notify:
|
|
||||||
- Restart Apache
|
|
||||||
tags:
|
|
||||||
- keystone-config
|
|
||||||
|
|
||||||
- name: Drop Keystone Configs
|
|
||||||
copy:
|
|
||||||
src: "{{ item.src }}"
|
|
||||||
dest: "{{ item.dest }}"
|
|
||||||
owner: "{{ keystone_system_user_name }}"
|
|
||||||
group: "{{ keystone_system_group_name }}"
|
|
||||||
mode: "{{ item.mode|default('0644') }}"
|
|
||||||
with_items:
|
|
||||||
- { src: "sso_callback_template.html", dest: "/etc/keystone/sso_callback_template.html" }
|
|
||||||
notify:
|
|
||||||
- Restart Apache
|
|
||||||
tags:
|
|
||||||
- keystone-config
|
|
||||||
|
|
||||||
- name: Drop Keystone WSGI Configs
|
|
||||||
template:
|
|
||||||
src: "{{ item.src }}"
|
|
||||||
dest: "{{ item.dest }}"
|
|
||||||
owner: "{{ keystone_system_user_name }}"
|
|
||||||
group: "{{ keystone_system_group_name }}"
|
|
||||||
mode: "{{ item.mode|default('0644') }}"
|
|
||||||
with_items:
|
|
||||||
- { src: "keystone-wsgi.py.j2", dest: "/var/www/cgi-bin/keystone/admin", mode: "0755" }
|
|
||||||
- { src: "keystone-wsgi.py.j2", dest: "/var/www/cgi-bin/keystone/main", mode: "0755" }
|
|
||||||
notify:
|
|
||||||
- Restart Apache
|
|
||||||
tags:
|
|
||||||
- keystone-config
|
|
||||||
|
|
||||||
- name: Get keystone command path
|
|
||||||
command: which keystone
|
|
||||||
register: keystone_command_path
|
|
||||||
when:
|
|
||||||
- not keystone_venv_enabled | bool
|
|
||||||
tags:
|
|
||||||
- keystone-command-bin
|
|
||||||
|
|
||||||
- name: Set keystone command path
|
|
||||||
set_fact:
|
|
||||||
keystone_bin: "{{ keystone_command_path.stdout | dirname }}"
|
|
||||||
when:
|
|
||||||
- not keystone_venv_enabled | bool
|
|
||||||
tags:
|
|
||||||
- keystone-command-bin
|
|
@ -1,124 +0,0 @@
|
|||||||
---
|
|
||||||
# Copyright 2014, Rackspace US, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
- name: create the system group
|
|
||||||
group:
|
|
||||||
name: "{{ keystone_system_group_name }}"
|
|
||||||
state: "present"
|
|
||||||
system: "yes"
|
|
||||||
tags:
|
|
||||||
- keystone-group
|
|
||||||
|
|
||||||
- name: create additional groups
|
|
||||||
group:
|
|
||||||
name: "{{ item }}"
|
|
||||||
state: "present"
|
|
||||||
system: "yes"
|
|
||||||
with_items: keystone_system_additional_groups
|
|
||||||
tags:
|
|
||||||
- keystone-group
|
|
||||||
|
|
||||||
- name: Remove old key file(s) if found
|
|
||||||
file:
|
|
||||||
path: "{{ item }}"
|
|
||||||
state: "absent"
|
|
||||||
with_items:
|
|
||||||
- "{{ keystone_system_user_home }}/.ssh/authorized_keys"
|
|
||||||
- "{{ keystone_system_user_home }}/.ssh/id_rsa"
|
|
||||||
- "{{ keystone_system_user_home }}/.ssh/id_rsa.pub"
|
|
||||||
when: keystone_recreate_keys | bool
|
|
||||||
tags:
|
|
||||||
- keystone-key
|
|
||||||
- keystone-key-create
|
|
||||||
|
|
||||||
- name: Create the keystone system user
|
|
||||||
user:
|
|
||||||
name: "{{ keystone_system_user_name }}"
|
|
||||||
group: "{{ keystone_system_group_name }}"
|
|
||||||
groups: "{{ keystone_system_additional_groups | join(',') }}"
|
|
||||||
comment: "{{ keystone_system_comment }}"
|
|
||||||
shell: "{{ keystone_system_shell }}"
|
|
||||||
system: "yes"
|
|
||||||
createhome: "yes"
|
|
||||||
home: "{{ keystone_system_user_home }}"
|
|
||||||
generate_ssh_key: "yes"
|
|
||||||
tags:
|
|
||||||
- keystone-user
|
|
||||||
- keystone-key
|
|
||||||
- keystone-key-create
|
|
||||||
|
|
||||||
- name: Create keystone dir
|
|
||||||
file:
|
|
||||||
path: "{{ item.path }}"
|
|
||||||
state: directory
|
|
||||||
owner: "{{ item.owner|default(keystone_system_user_name) }}"
|
|
||||||
group: "{{ item.group|default(keystone_system_group_name) }}"
|
|
||||||
mode: "{{ item.mode|default(0755) }}"
|
|
||||||
with_items:
|
|
||||||
- { path: "/openstack", mode: "0755", owner: "root", group: "root" }
|
|
||||||
- { path: "/etc/keystone" }
|
|
||||||
- { path: "{{ keystone_ldap_domain_config_dir }}" }
|
|
||||||
- { path: "/etc/keystone/ssl" }
|
|
||||||
- { path: "{{ keystone_fernet_tokens_key_repository }}", mode: "2750"}
|
|
||||||
- { path: "/etc/sudoers.d", mode: "0750", owner: "root", group: "root" }
|
|
||||||
- { path: "{{ keystone_system_user_home }}" }
|
|
||||||
- { path: "/var/www/cgi-bin", owner: root, group: root }
|
|
||||||
- { path: "/var/www/cgi-bin/keystone" }
|
|
||||||
tags:
|
|
||||||
- keystone-dirs
|
|
||||||
|
|
||||||
- name: Create keystone venv dir
|
|
||||||
file:
|
|
||||||
path: "{{ item.path }}"
|
|
||||||
state: directory
|
|
||||||
with_items:
|
|
||||||
- { path: "/openstack/venvs" }
|
|
||||||
- { path: "{{ keystone_venv_bin }}" }
|
|
||||||
when: keystone_venv_enabled | bool
|
|
||||||
tags:
|
|
||||||
- keystone-dirs
|
|
||||||
|
|
||||||
- name: Test for log directory or link
|
|
||||||
shell: |
|
|
||||||
if [ -h "/var/log/keystone" ]; then
|
|
||||||
chown -h {{ keystone_system_user_name }}:{{ keystone_system_group_name }} "/var/log/keystone"
|
|
||||||
chown -R {{ keystone_system_user_name }}:{{ keystone_system_group_name }} "$(readlink /var/log/keystone)"
|
|
||||||
else
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
register: log_dir
|
|
||||||
failed_when: false
|
|
||||||
changed_when: log_dir.rc != 0
|
|
||||||
tags:
|
|
||||||
- keystone-dirs
|
|
||||||
- keystone-logs
|
|
||||||
|
|
||||||
- name: Create keystone log dir
|
|
||||||
file:
|
|
||||||
path: "{{ item.path }}"
|
|
||||||
state: directory
|
|
||||||
owner: "{{ item.owner|default(keystone_system_user_name) }}"
|
|
||||||
group: "{{ item.group|default(keystone_system_group_name) }}"
|
|
||||||
mode: "{{ item.mode|default('0755') }}"
|
|
||||||
with_items:
|
|
||||||
- { path: "/var/log/keystone" }
|
|
||||||
when: log_dir.rc != 0
|
|
||||||
tags:
|
|
||||||
- keystone-dirs
|
|
||||||
- keystone-logs
|
|
||||||
|
|
||||||
- include: keystone_messaging_setup.yml
|
|
||||||
when: >
|
|
||||||
inventory_hostname == groups['keystone_all'][0]
|
|
@ -1,231 +0,0 @@
|
|||||||
---
|
|
||||||
# Copyright 2014, Rackspace US, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
- name: Restart service
|
|
||||||
service:
|
|
||||||
name: "{{ keystone_system_service_name }}"
|
|
||||||
state: restarted
|
|
||||||
pattern: "{{ keystone_system_service_name }}"
|
|
||||||
tags:
|
|
||||||
- keystone-db-sync
|
|
||||||
- keystone-setup
|
|
||||||
|
|
||||||
- name: Wait for keystone admin to come up
|
|
||||||
wait_for:
|
|
||||||
host: "{{ ansible_ssh_host }}"
|
|
||||||
port: "{{ keystone_admin_port }}"
|
|
||||||
timeout: 25
|
|
||||||
delay: 10
|
|
||||||
tags:
|
|
||||||
- keystone-db-sync
|
|
||||||
- keystone-setup
|
|
||||||
|
|
||||||
- name: Wait for keystone service to come up
|
|
||||||
wait_for:
|
|
||||||
host: "{{ ansible_ssh_host }}"
|
|
||||||
port: "{{ keystone_service_port }}"
|
|
||||||
timeout: 25
|
|
||||||
delay: 10
|
|
||||||
tags:
|
|
||||||
- keystone-db-sync
|
|
||||||
- keystone-setup
|
|
||||||
|
|
||||||
# Create a service tenant
|
|
||||||
- name: Ensure service tenant
|
|
||||||
keystone:
|
|
||||||
command: "ensure_tenant"
|
|
||||||
token: "{{ keystone_auth_admin_token }}"
|
|
||||||
endpoint: "{{ keystone_service_adminurl }}"
|
|
||||||
tenant_name: "{{ keystone_service_tenant_name }}"
|
|
||||||
description: "{{ keystone_service_description }}"
|
|
||||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
|
||||||
register: add_service
|
|
||||||
until: add_service|success
|
|
||||||
retries: 5
|
|
||||||
delay: 10
|
|
||||||
tags:
|
|
||||||
- keystone-api-setup
|
|
||||||
- keystone-setup
|
|
||||||
|
|
||||||
# Create an admin tenant
|
|
||||||
- name: Ensure admin tenant
|
|
||||||
keystone:
|
|
||||||
command: "ensure_tenant"
|
|
||||||
token: "{{ keystone_auth_admin_token }}"
|
|
||||||
endpoint: "{{ keystone_service_adminurl }}"
|
|
||||||
tenant_name: "{{ keystone_admin_tenant_name }}"
|
|
||||||
description: "{{ keystone_admin_description }}"
|
|
||||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
|
||||||
register: add_service
|
|
||||||
until: add_service|success
|
|
||||||
retries: 5
|
|
||||||
delay: 10
|
|
||||||
tags:
|
|
||||||
- keystone-api-setup
|
|
||||||
- keystone-setup
|
|
||||||
|
|
||||||
# Create an admin user
|
|
||||||
- name: Ensure Admin user
|
|
||||||
keystone:
|
|
||||||
command: "ensure_user"
|
|
||||||
token: "{{ keystone_auth_admin_token }}"
|
|
||||||
endpoint: "{{ keystone_service_adminurl }}"
|
|
||||||
user_name: "{{ keystone_admin_user_name }}"
|
|
||||||
tenant_name: "{{ keystone_admin_tenant_name }}"
|
|
||||||
password: "{{ keystone_auth_admin_password }}"
|
|
||||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
|
||||||
register: add_service
|
|
||||||
when: not keystone_service_in_ldap | bool
|
|
||||||
until: add_service|success
|
|
||||||
retries: 5
|
|
||||||
delay: 10
|
|
||||||
tags:
|
|
||||||
- keystone-api-setup
|
|
||||||
- keystone-setup
|
|
||||||
|
|
||||||
# Create an admin role
|
|
||||||
- name: Ensure Admin role
|
|
||||||
keystone:
|
|
||||||
command: "ensure_role"
|
|
||||||
token: "{{ keystone_auth_admin_token }}"
|
|
||||||
endpoint: "{{ keystone_service_adminurl }}"
|
|
||||||
role_name: "{{ keystone_role_name }}"
|
|
||||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
|
||||||
register: add_service
|
|
||||||
until: add_service|success
|
|
||||||
retries: 5
|
|
||||||
delay: 10
|
|
||||||
tags:
|
|
||||||
- keystone-api-setup
|
|
||||||
- keystone-setup
|
|
||||||
|
|
||||||
# Add a role to the user
|
|
||||||
- name: Ensure Admin user to Admin role
|
|
||||||
keystone:
|
|
||||||
command: "ensure_user_role"
|
|
||||||
token: "{{ keystone_auth_admin_token }}"
|
|
||||||
endpoint: "{{ keystone_service_adminurl }}"
|
|
||||||
user_name: "{{ keystone_admin_user_name }}"
|
|
||||||
tenant_name: "{{ keystone_admin_tenant_name }}"
|
|
||||||
role_name: "{{ keystone_role_name }}"
|
|
||||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
|
||||||
register: add_service
|
|
||||||
when: not keystone_service_in_ldap | bool
|
|
||||||
until: add_service|success
|
|
||||||
retries: 5
|
|
||||||
delay: 10
|
|
||||||
tags:
|
|
||||||
- keystone-api-setup
|
|
||||||
- keystone-setup
|
|
||||||
|
|
||||||
# Add the default user role
|
|
||||||
- name: Ensure default keystone user role
|
|
||||||
keystone:
|
|
||||||
command: "ensure_role"
|
|
||||||
token: "{{ keystone_auth_admin_token }}"
|
|
||||||
endpoint: "{{ keystone_service_adminurl }}"
|
|
||||||
role_name: "{{ keystone_default_role_name }}"
|
|
||||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
|
||||||
register: add_member_role
|
|
||||||
when: not keystone_service_in_ldap | bool
|
|
||||||
until: add_member_role|success
|
|
||||||
retries: 5
|
|
||||||
delay: 10
|
|
||||||
tags:
|
|
||||||
- keystone-api-setup
|
|
||||||
- keystone-setup
|
|
||||||
|
|
||||||
# Create a service
|
|
||||||
- name: Ensure Keystone Service
|
|
||||||
keystone:
|
|
||||||
command: "ensure_service"
|
|
||||||
token: "{{ keystone_auth_admin_token }}"
|
|
||||||
endpoint: "{{ keystone_service_adminurl }}"
|
|
||||||
service_name: "{{ keystone_service_name }}"
|
|
||||||
service_type: "{{ keystone_service_type }}"
|
|
||||||
description: "{{ keystone_service_description }}"
|
|
||||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
|
||||||
register: add_service
|
|
||||||
until: add_service|success
|
|
||||||
retries: 5
|
|
||||||
delay: 10
|
|
||||||
tags:
|
|
||||||
- keystone-api-setup
|
|
||||||
- keystone-service-add
|
|
||||||
- keystone-setup
|
|
||||||
|
|
||||||
# Create a service user
|
|
||||||
- name: Ensure Keystone user
|
|
||||||
keystone:
|
|
||||||
command: "ensure_user"
|
|
||||||
token: "{{ keystone_auth_admin_token }}"
|
|
||||||
endpoint: "{{ keystone_service_adminurl }}"
|
|
||||||
user_name: "{{ keystone_service_user_name }}"
|
|
||||||
tenant_name: "{{ keystone_service_tenant_name }}"
|
|
||||||
password: "{{ keystone_service_password }}"
|
|
||||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
|
||||||
register: add_service
|
|
||||||
until: add_service|success
|
|
||||||
retries: 5
|
|
||||||
delay: 10
|
|
||||||
tags:
|
|
||||||
- keystone-api-setup
|
|
||||||
- keystone-service-add
|
|
||||||
- keystone-setup
|
|
||||||
|
|
||||||
# Add a role to the user
|
|
||||||
- name: Ensure Keystone user to Admin role
|
|
||||||
keystone:
|
|
||||||
command: "ensure_user_role"
|
|
||||||
token: "{{ keystone_auth_admin_token }}"
|
|
||||||
endpoint: "{{ keystone_service_adminurl }}"
|
|
||||||
user_name: "{{ keystone_service_user_name }}"
|
|
||||||
tenant_name: "{{ keystone_service_tenant_name }}"
|
|
||||||
role_name: "{{ keystone_role_name }}"
|
|
||||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
|
||||||
register: add_service
|
|
||||||
until: add_service|success
|
|
||||||
retries: 5
|
|
||||||
delay: 10
|
|
||||||
tags:
|
|
||||||
- keystone-api-setup
|
|
||||||
- keystone-service-add
|
|
||||||
- keystone-setup
|
|
||||||
|
|
||||||
# Create an endpoint
|
|
||||||
- name: Ensure Keystone Endpoint
|
|
||||||
keystone:
|
|
||||||
command: "ensure_endpoint"
|
|
||||||
token: "{{ keystone_auth_admin_token }}"
|
|
||||||
endpoint: "{{ keystone_service_adminurl }}"
|
|
||||||
region_name: "{{ keystone_service_region }}"
|
|
||||||
service_name: "{{ keystone_service_name }}"
|
|
||||||
service_type: "{{ keystone_service_type }}"
|
|
||||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
|
||||||
endpoint_list:
|
|
||||||
- url: "{{ keystone_service_publicurl }}"
|
|
||||||
interface: "public"
|
|
||||||
- url: "{{ keystone_service_adminurl }}"
|
|
||||||
interface: "admin"
|
|
||||||
- url: "{{ keystone_service_internalurl }}"
|
|
||||||
interface: "internal"
|
|
||||||
register: add_service
|
|
||||||
until: add_service|success
|
|
||||||
retries: 5
|
|
||||||
delay: 10
|
|
||||||
tags:
|
|
||||||
- keystone-api-setup
|
|
||||||
- keystone-service-add
|
|
||||||
- keystone-setup
|
|
@ -1,25 +0,0 @@
|
|||||||
---
|
|
||||||
# Copyright 2015, Rackspace US, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
- include: keystone_ssl_self_signed.yml
|
|
||||||
when: >
|
|
||||||
keystone_ssl | bool and
|
|
||||||
(keystone_user_ssl_cert is not defined or keystone_user_ssl_key is not defined)
|
|
||||||
tags:
|
|
||||||
- keystone-ssl
|
|
||||||
|
|
||||||
- include: keystone_ssl_user_provided.yml
|
|
||||||
tags:
|
|
||||||
- keystone-ssl
|
|
@ -1,36 +0,0 @@
|
|||||||
---
|
|
||||||
# Copyright 2015, Rackspace US, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
- name: Remove self signed cert for regen
|
|
||||||
file:
|
|
||||||
dest: "{{ keystone_ssl_cert }}"
|
|
||||||
state: "absent"
|
|
||||||
when: keystone_ssl_self_signed_regen | bool
|
|
||||||
tags:
|
|
||||||
- keystone-ssl
|
|
||||||
|
|
||||||
- name: Create self-signed Apache ssl cert
|
|
||||||
command: >
|
|
||||||
openssl req -new -nodes -sha256 -x509 -subj
|
|
||||||
"{{ keystone_ssl_self_signed_subject }}"
|
|
||||||
-days 3650
|
|
||||||
-keyout {{ keystone_ssl_key }}
|
|
||||||
-out {{ keystone_ssl_cert }}
|
|
||||||
-extensions v3_ca
|
|
||||||
creates={{ keystone_ssl_cert }}
|
|
||||||
notify: Restart Apache
|
|
||||||
tags:
|
|
||||||
- keystone-configs
|
|
||||||
- keystone-ssl
|
|
@ -1,35 +0,0 @@
|
|||||||
---
|
|
||||||
# Copyright 2014, Rackspace US, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
- name: Distribute self signed cert and key
|
|
||||||
memcached:
|
|
||||||
name: "{{ item.name }}"
|
|
||||||
file_path: "{{ item.src }}"
|
|
||||||
state: "retrieve"
|
|
||||||
file_mode: "{{ item.file_mode }}"
|
|
||||||
dir_mode: "{{ item.dir_mode }}"
|
|
||||||
server: "{{ memcached_servers }}"
|
|
||||||
encrypt_string: "{{ memcached_encryption_key }}"
|
|
||||||
with_items:
|
|
||||||
- { src: "{{ keystone_ssl_cert }}", name: "keystone_ssl_cert", file_mode: "0644", dir_mode: "0755" }
|
|
||||||
- { src: "{{ keystone_ssl_key }}", name: "keystone_ssl_key", file_mode: "0640", dir_mode: "0750" }
|
|
||||||
register: memcache_keys
|
|
||||||
until: memcache_keys|success
|
|
||||||
retries: 5
|
|
||||||
delay: 2
|
|
||||||
notify: Restart Apache
|
|
||||||
tags:
|
|
||||||
- keystone-config
|
|
||||||
- keystone-ssl
|
|
@ -1,31 +0,0 @@
|
|||||||
---
|
|
||||||
# Copyright 2015, Rackspace US, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
- name: Store self signed cert and key
|
|
||||||
memcached:
|
|
||||||
name: "{{ item.name }}"
|
|
||||||
file_path: "{{ item.src }}"
|
|
||||||
state: "present"
|
|
||||||
server: "{{ memcached_servers }}"
|
|
||||||
encrypt_string: "{{ memcached_encryption_key }}"
|
|
||||||
with_items:
|
|
||||||
- { src: "{{ keystone_ssl_cert }}", name: "keystone_ssl_cert" }
|
|
||||||
- { src: "{{ keystone_ssl_key }}", name: "keystone_ssl_key" }
|
|
||||||
register: memcache_keys
|
|
||||||
until: memcache_keys|success
|
|
||||||
retries: 5
|
|
||||||
delay: 2
|
|
||||||
tags:
|
|
||||||
- keystone-ssl
|
|
@ -1,26 +0,0 @@
|
|||||||
---
|
|
||||||
# Copyright 2015, Rackspace US, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
- include: keystone_ssl_key_create.yml
|
|
||||||
when: >
|
|
||||||
inventory_hostname == groups['keystone_all'][0]
|
|
||||||
|
|
||||||
- include: keystone_ssl_key_store.yml
|
|
||||||
when: >
|
|
||||||
inventory_hostname == groups['keystone_all'][0]
|
|
||||||
|
|
||||||
- include: keystone_ssl_key_distribute.yml
|
|
||||||
when: >
|
|
||||||
inventory_hostname != groups['keystone_all'][0]
|
|
@ -1,53 +0,0 @@
|
|||||||
---
|
|
||||||
# Copyright 2015, Rackspace US, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
- name: Drop user provided ssl cert
|
|
||||||
copy:
|
|
||||||
src: "{{ keystone_user_ssl_cert }}"
|
|
||||||
dest: "{{ keystone_ssl_cert }}"
|
|
||||||
owner: "root"
|
|
||||||
group: "root"
|
|
||||||
mode: "0644"
|
|
||||||
when: keystone_user_ssl_cert is defined
|
|
||||||
notify: Restart Apache
|
|
||||||
tags:
|
|
||||||
- keystone-configs
|
|
||||||
- keystone-ssl
|
|
||||||
|
|
||||||
- name: Drop user provided ssl key
|
|
||||||
copy:
|
|
||||||
src: "{{ keystone_user_ssl_key }}"
|
|
||||||
dest: "{{ keystone_ssl_key }}"
|
|
||||||
owner: "root"
|
|
||||||
group: "root"
|
|
||||||
mode: "0640"
|
|
||||||
when: keystone_user_ssl_key is defined
|
|
||||||
notify: Restart Apache
|
|
||||||
tags:
|
|
||||||
- keystone-configs
|
|
||||||
- keystone-ssl
|
|
||||||
|
|
||||||
- name: Drop user provided ssl CA cert
|
|
||||||
copy:
|
|
||||||
src: "{{ keystone_user_ssl_ca_cert }}"
|
|
||||||
dest: "{{ keystone_ssl_ca_cert }}"
|
|
||||||
owner: "root"
|
|
||||||
group: "root"
|
|
||||||
mode: "0644"
|
|
||||||
when: keystone_user_ssl_ca_cert is defined
|
|
||||||
notify: Restart Apache
|
|
||||||
tags:
|
|
||||||
- keystone-configs
|
|
||||||
- keystone-ssl
|
|
@ -1,23 +0,0 @@
|
|||||||
---
|
|
||||||
# Copyright 2014, Rackspace US, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
- name: Add keystone token_flush cron job
|
|
||||||
cron:
|
|
||||||
name: "Clear out stale keystone tokens"
|
|
||||||
minute: 0
|
|
||||||
job: "{{ keystone_bin }}/keystone-manage token_flush"
|
|
||||||
user: "{{ keystone_system_user_name }}"
|
|
||||||
tags:
|
|
||||||
- keystone-config
|
|
@ -1,65 +0,0 @@
|
|||||||
---
|
|
||||||
# Copyright 2014, Rackspace US, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
- include: keystone_pre_install.yml
|
|
||||||
- include: keystone_install.yml
|
|
||||||
- include: keystone_post_install.yml
|
|
||||||
|
|
||||||
- include: keystone_key_setup.yml
|
|
||||||
tags:
|
|
||||||
- keystone-key
|
|
||||||
- keystone-key-distribute
|
|
||||||
|
|
||||||
- include: keystone_fernet.yml
|
|
||||||
tags:
|
|
||||||
- keystone-fernet
|
|
||||||
when: >
|
|
||||||
'fernet' in keystone_token_provider
|
|
||||||
|
|
||||||
- include: keystone_federation_sp_setup.yml
|
|
||||||
when: >
|
|
||||||
keystone_sp is defined
|
|
||||||
|
|
||||||
- include: keystone_db_setup.yml
|
|
||||||
when: >
|
|
||||||
inventory_hostname == groups['keystone_all'][0]
|
|
||||||
|
|
||||||
- include: keystone_token_cleanup.yml
|
|
||||||
when: >
|
|
||||||
'sql' in keystone_token_driver
|
|
||||||
|
|
||||||
- include: keystone_ssl.yml
|
|
||||||
- include: keystone_apache.yml
|
|
||||||
|
|
||||||
- include: keystone_service_setup.yml
|
|
||||||
when: >
|
|
||||||
inventory_hostname == groups['keystone_all'][0]
|
|
||||||
|
|
||||||
- include: keystone_ldap_setup.yml
|
|
||||||
tags:
|
|
||||||
- keystone-config
|
|
||||||
- keystone-ldap
|
|
||||||
|
|
||||||
- include: keystone_federation_sp_idp_setup.yml
|
|
||||||
when: >
|
|
||||||
keystone_sp is defined and
|
|
||||||
inventory_hostname == groups['keystone_all'][0]
|
|
||||||
|
|
||||||
- name: Flush handlers
|
|
||||||
meta: flush_handlers
|
|
||||||
|
|
||||||
- include: keystone_idp_setup.yml
|
|
||||||
when: >
|
|
||||||
keystone_idp is defined
|
|
@ -1,56 +0,0 @@
|
|||||||
#!/usr/bin/env bash
|
|
||||||
# Copyright 2015, Rackspace US, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
# {{ ansible_managed }}
|
|
||||||
|
|
||||||
# This script is being created with mode 0755 intentionally. This is so that the
|
|
||||||
# script can be executed by root to rotate the keys as needed. The script being
|
|
||||||
# executed will always change it's user context to the keystone user before
|
|
||||||
# execution and while the script may be world read/executable its contains only
|
|
||||||
# the necessary bits that are required to run the rotate and sync commands.
|
|
||||||
|
|
||||||
function autorotate {
|
|
||||||
# Rotate the keys
|
|
||||||
{{ keystone_bin }}/keystone-manage fernet_rotate \
|
|
||||||
--keystone-user "{{ keystone_system_user_name }}" \
|
|
||||||
--keystone-group "{{ keystone_system_group_name }}"
|
|
||||||
{% for host in groups['keystone_all'] %}
|
|
||||||
|
|
||||||
{% if inventory_hostname != host %}
|
|
||||||
|
|
||||||
# Fernet sync job to "{{ host }}"
|
|
||||||
rsync -e 'ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' \
|
|
||||||
-avz \
|
|
||||||
--delete \
|
|
||||||
{{ keystone_fernet_tokens_key_repository }}/ \
|
|
||||||
{{ keystone_system_user_name }}@{{ hostvars[host]['ansible_ssh_host'] }}:{{ keystone_fernet_tokens_key_repository }}/
|
|
||||||
|
|
||||||
{%- endif %}
|
|
||||||
|
|
||||||
{%- endfor %}
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
if [ "$(id -u)" == "0" ];then
|
|
||||||
# Change the script context to always execute as the "{{ keystone_system_user_name }}" user.
|
|
||||||
su - "{{ keystone_system_user_name }}" -s "/bin/bash" -c bash << EOC
|
|
||||||
{{ keystone_fernet_auto_rotation_script }}
|
|
||||||
EOC
|
|
||||||
elif [ "$(whoami)" == "{{ keystone_system_user_name }}" ];then
|
|
||||||
logger $(autorotate)
|
|
||||||
else
|
|
||||||
echo "Failed - you do not have permission to rotate, or you've executed the job as the wrong user."
|
|
||||||
exit 99
|
|
||||||
fi
|
|
@ -1,89 +0,0 @@
|
|||||||
# {{ ansible_managed }}
|
|
||||||
|
|
||||||
<VirtualHost *:{{ keystone_service_port }}>
|
|
||||||
WSGIDaemonProcess keystone-service user={{ keystone_system_user_name }} group={{ keystone_system_group_name }} processes={{ keystone_wsgi_processes }} threads={{ keystone_wsgi_threads }} display-name=%{GROUP}
|
|
||||||
WSGIProcessGroup keystone-service
|
|
||||||
WSGIScriptAlias / /var/www/cgi-bin/keystone/main
|
|
||||||
WSGIApplicationGroup %{GLOBAL}
|
|
||||||
WSGIPassAuthorization On
|
|
||||||
|
|
||||||
<IfVersion >= 2.4>
|
|
||||||
ErrorLogFormat "%{cu}t %M"
|
|
||||||
</IfVersion>
|
|
||||||
|
|
||||||
LogLevel {{ keystone_apache_log_level }}
|
|
||||||
ErrorLog /var/log/keystone/keystone-apache-error.log
|
|
||||||
CustomLog /var/log/keystone/ssl_access.log combined
|
|
||||||
Options +FollowSymLinks
|
|
||||||
|
|
||||||
{% if keystone_ssl | bool and keystone_service_internaluri_proto == "https" -%}
|
|
||||||
SSLEngine on
|
|
||||||
SSLCertificateFile {{ keystone_ssl_cert }}
|
|
||||||
SSLCertificateKeyFile {{ keystone_ssl_key }}
|
|
||||||
{% if keystone_user_ssl_ca_cert is defined -%}
|
|
||||||
SSLCACertificateFile {{ keystone_ssl_ca_cert }}
|
|
||||||
{% endif -%}
|
|
||||||
SSLCompression Off
|
|
||||||
SSLProtocol {{ keystone_ssl_protocol }}
|
|
||||||
SSLHonorCipherOrder On
|
|
||||||
SSLCipherSuite {{ keystone_ssl_cipher_suite }}
|
|
||||||
SSLOptions +StdEnvVars +ExportCertData
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
{% if keystone_sp is defined -%}
|
|
||||||
ShibURLScheme {{ keystone_service_publicuri_proto }}
|
|
||||||
|
|
||||||
<Location /Shibboleth.sso>
|
|
||||||
SetHandler shib
|
|
||||||
</Location>
|
|
||||||
|
|
||||||
<Location /v3/auth/OS-FEDERATION/websso/saml2>
|
|
||||||
AuthType shibboleth
|
|
||||||
ShibRequestSetting requireSession 1
|
|
||||||
ShibRequestSetting exportAssertion 1
|
|
||||||
ShibRequireSession On
|
|
||||||
ShibExportAssertion On
|
|
||||||
Require valid-user
|
|
||||||
</Location>
|
|
||||||
|
|
||||||
<LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
|
|
||||||
ShibRequestSetting requireSession 1
|
|
||||||
AuthType shibboleth
|
|
||||||
ShibExportAssertion Off
|
|
||||||
Require valid-user
|
|
||||||
</LocationMatch>
|
|
||||||
|
|
||||||
WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/cgi-bin/keystone/main/$1
|
|
||||||
{% endif %}
|
|
||||||
</VirtualHost>
|
|
||||||
|
|
||||||
<VirtualHost *:{{ keystone_admin_port }}>
|
|
||||||
WSGIDaemonProcess keystone-admin user={{ keystone_system_user_name }} group={{ keystone_system_group_name }} processes={{ keystone_wsgi_processes }} threads={{ keystone_wsgi_threads }} display-name=%{GROUP}
|
|
||||||
WSGIProcessGroup keystone-admin
|
|
||||||
WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
|
|
||||||
WSGIApplicationGroup %{GLOBAL}
|
|
||||||
WSGIPassAuthorization On
|
|
||||||
|
|
||||||
<IfVersion >= 2.4>
|
|
||||||
ErrorLogFormat "%{cu}t %M"
|
|
||||||
</IfVersion>
|
|
||||||
|
|
||||||
LogLevel {{ keystone_apache_log_level }}
|
|
||||||
ErrorLog /var/log/keystone/keystone-apache-error.log
|
|
||||||
CustomLog /var/log/keystone/ssl_access.log combined
|
|
||||||
Options +FollowSymLinks
|
|
||||||
|
|
||||||
{% if keystone_ssl | bool and keystone_service_adminuri_proto == "https" -%}
|
|
||||||
SSLEngine on
|
|
||||||
SSLCertificateFile {{ keystone_ssl_cert }}
|
|
||||||
SSLCertificateKeyFile {{ keystone_ssl_key }}
|
|
||||||
{% if keystone_user_ssl_ca_cert is defined -%}
|
|
||||||
SSLCACertificateFile {{ keystone_ssl_ca_cert }}
|
|
||||||
{% endif -%}
|
|
||||||
SSLCompression Off
|
|
||||||
SSLProtocol {{ keystone_ssl_protocol }}
|
|
||||||
SSLHonorCipherOrder On
|
|
||||||
SSLCipherSuite {{ keystone_ssl_cipher_suite }}
|
|
||||||
SSLOptions +StdEnvVars +ExportCertData
|
|
||||||
{% endif %}
|
|
||||||
</VirtualHost>
|
|
@ -1,91 +0,0 @@
|
|||||||
# Keystone PasteDeploy configuration file.
|
|
||||||
|
|
||||||
[filter:debug]
|
|
||||||
use = egg:oslo.middleware#debug
|
|
||||||
|
|
||||||
[filter:request_id]
|
|
||||||
use = egg:oslo.middleware#request_id
|
|
||||||
|
|
||||||
[filter:build_auth_context]
|
|
||||||
use = egg:keystone#build_auth_context
|
|
||||||
|
|
||||||
[filter:token_auth]
|
|
||||||
use = egg:keystone#token_auth
|
|
||||||
|
|
||||||
[filter:admin_token_auth]
|
|
||||||
use = egg:keystone#admin_token_auth
|
|
||||||
|
|
||||||
[filter:json_body]
|
|
||||||
use = egg:keystone#json_body
|
|
||||||
|
|
||||||
[filter:user_crud_extension]
|
|
||||||
use = egg:keystone#user_crud_extension
|
|
||||||
|
|
||||||
[filter:crud_extension]
|
|
||||||
use = egg:keystone#crud_extension
|
|
||||||
|
|
||||||
[filter:ec2_extension]
|
|
||||||
use = egg:keystone#ec2_extension
|
|
||||||
|
|
||||||
[filter:ec2_extension_v3]
|
|
||||||
use = egg:keystone#ec2_extension_v3
|
|
||||||
|
|
||||||
[filter:s3_extension]
|
|
||||||
use = egg:keystone#s3_extension
|
|
||||||
|
|
||||||
[filter:simple_cert_extension]
|
|
||||||
use = egg:keystone#simple_cert_extension
|
|
||||||
|
|
||||||
[filter:url_normalize]
|
|
||||||
use = egg:keystone#url_normalize
|
|
||||||
|
|
||||||
[filter:sizelimit]
|
|
||||||
use = egg:oslo.middleware#sizelimit
|
|
||||||
|
|
||||||
[app:public_service]
|
|
||||||
use = egg:keystone#public_service
|
|
||||||
|
|
||||||
[app:service_v3]
|
|
||||||
use = egg:keystone#service_v3
|
|
||||||
|
|
||||||
[app:admin_service]
|
|
||||||
use = egg:keystone#admin_service
|
|
||||||
|
|
||||||
[pipeline:public_api]
|
|
||||||
# The last item in this pipeline must be public_service or an equivalent
|
|
||||||
# application. It cannot be a filter.
|
|
||||||
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension user_crud_extension public_service
|
|
||||||
|
|
||||||
[pipeline:admin_api]
|
|
||||||
# The last item in this pipeline must be admin_service or an equivalent
|
|
||||||
# application. It cannot be a filter.
|
|
||||||
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension crud_extension admin_service
|
|
||||||
|
|
||||||
[pipeline:api_v3]
|
|
||||||
# The last item in this pipeline must be service_v3 or an equivalent
|
|
||||||
# application. It cannot be a filter.
|
|
||||||
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension service_v3
|
|
||||||
|
|
||||||
[app:public_version_service]
|
|
||||||
use = egg:keystone#public_version_service
|
|
||||||
|
|
||||||
[app:admin_version_service]
|
|
||||||
use = egg:keystone#admin_version_service
|
|
||||||
|
|
||||||
[pipeline:public_version_api]
|
|
||||||
pipeline = sizelimit url_normalize public_version_service
|
|
||||||
|
|
||||||
[pipeline:admin_version_api]
|
|
||||||
pipeline = sizelimit url_normalize admin_version_service
|
|
||||||
|
|
||||||
[composite:main]
|
|
||||||
use = egg:Paste#urlmap
|
|
||||||
/v2.0 = public_api
|
|
||||||
/v3 = api_v3
|
|
||||||
/ = public_version_api
|
|
||||||
|
|
||||||
[composite:admin]
|
|
||||||
use = egg:Paste#urlmap
|
|
||||||
/v2.0 = admin_api
|
|
||||||
/v3 = api_v3
|
|
||||||
/ = admin_version_api
|
|
@ -1,4 +0,0 @@
|
|||||||
# {{ ansible_managed }}
|
|
||||||
|
|
||||||
Listen {{ keystone_service_port }}
|
|
||||||
Listen {{ keystone_admin_port }}
|
|
@ -1,48 +0,0 @@
|
|||||||
# Copyright 2013 OpenStack Foundation
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
# not use this file except in compliance with the License. You may obtain
|
|
||||||
# a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
||||||
# License for the specific language governing permissions and limitations
|
|
||||||
# under the License.
|
|
||||||
|
|
||||||
import os
|
|
||||||
|
|
||||||
{% if keystone_venv_enabled | bool %}
|
|
||||||
activate_this = os.path.expanduser("{{ keystone_venv_bin }}/activate_this.py")
|
|
||||||
execfile(activate_this, dict(__file__=activate_this))
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
import os
|
|
||||||
|
|
||||||
from oslo_log import log
|
|
||||||
from oslo_log import versionutils
|
|
||||||
|
|
||||||
from keystone.i18n import _LW
|
|
||||||
from keystone.server import wsgi as wsgi_server
|
|
||||||
|
|
||||||
|
|
||||||
name = os.path.basename(__file__)
|
|
||||||
LOG = log.getLogger(__name__)
|
|
||||||
|
|
||||||
|
|
||||||
def deprecation_warning():
|
|
||||||
versionutils.report_deprecated_feature(
|
|
||||||
LOG,
|
|
||||||
_LW('httpd/keystone.py is deprecated as of Mitaka'
|
|
||||||
' in favor of keystone-wsgi-admin and keystone-wsgi-public'
|
|
||||||
' and may be removed in O.')
|
|
||||||
)
|
|
||||||
|
|
||||||
# NOTE(ldbragst): 'application' is required in this context by WSGI spec.
|
|
||||||
# The following is a reference to Python Paste Deploy documentation
|
|
||||||
# http://pythonpaste.org/deploy/
|
|
||||||
application = wsgi_server.initialize_application(
|
|
||||||
name,
|
|
||||||
post_log_configured_function=deprecation_warning)
|
|
@ -1,165 +0,0 @@
|
|||||||
# {{ ansible_managed }}
|
|
||||||
|
|
||||||
[DEFAULT]
|
|
||||||
verbose = {{ verbose }}
|
|
||||||
debug = {{ debug }}
|
|
||||||
admin_token = {{ keystone_auth_admin_token }}
|
|
||||||
{% if keystone_public_endpoint is defined %}
|
|
||||||
public_endpoint = {{ keystone_public_endpoint }}
|
|
||||||
{% endif %}
|
|
||||||
admin_endpoint = {{ keystone_service_adminuri }}
|
|
||||||
fatal_deprecations = {{ keystone_fatal_deprecations }}
|
|
||||||
member_role_name = {{ keystone_default_role_name }}
|
|
||||||
|
|
||||||
{% if keystone_ssl | bool and keystone_secure_proxy_ssl_header is defined %}
|
|
||||||
secure_proxy_ssl_header = {{ keystone_secure_proxy_ssl_header }}
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
log_file = keystone.log
|
|
||||||
log_dir = /var/log/keystone
|
|
||||||
rpc_backend = {{ keystone_rpc_backend }}
|
|
||||||
|
|
||||||
{% if keystone_ceilometer_enabled %}
|
|
||||||
notification_driver = messagingv2
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
{% if 'memcache' in keystone_token_driver and 'fernet' not in keystone_token_provider %}
|
|
||||||
[memcache]
|
|
||||||
servers = {{ keystone_memcached_servers }}
|
|
||||||
max_compare_and_set_retry = {{ keystone_memcached_max_compare_and_set_retry }}
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
{% if keystone_cache_backend_argument is defined %}
|
|
||||||
[cache]
|
|
||||||
backend = dogpile.cache.memcached
|
|
||||||
backend_argument = {{ keystone_cache_backend_argument }}
|
|
||||||
config_prefix = cache.keystone
|
|
||||||
distributed_lock = True
|
|
||||||
enabled = true
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
|
|
||||||
[revoke]
|
|
||||||
caching = true
|
|
||||||
driver = {{ keystone_revocation_driver }}
|
|
||||||
expiration_buffer = {{ keystone_revocation_expiration_buffer }}
|
|
||||||
cache_time = {{ keystone_revocation_cache_time }}
|
|
||||||
|
|
||||||
|
|
||||||
[auth]
|
|
||||||
{% if keystone_sp is defined %}
|
|
||||||
methods = {{ keystone_auth_methods }},saml2
|
|
||||||
saml2 = keystone.auth.plugins.mapped.Mapped
|
|
||||||
{% else %}
|
|
||||||
methods = {{ keystone_auth_methods }}
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
[database]
|
|
||||||
connection = mysql+pymysql://{{ keystone_galera_user }}:{{ keystone_container_mysql_password }}@{{ keystone_galera_address }}/{{ keystone_galera_database }}?charset=utf8
|
|
||||||
idle_timeout = {{ keystone_database_idle_timeout }}
|
|
||||||
min_pool_size = {{ keystone_database_min_pool_size }}
|
|
||||||
max_pool_size = {{ keystone_database_max_pool_size }}
|
|
||||||
pool_timeout = {{ keystone_database_pool_timeout }}
|
|
||||||
|
|
||||||
|
|
||||||
[fernet_tokens]
|
|
||||||
key_repository = {{ keystone_fernet_tokens_key_repository }}
|
|
||||||
max_active_keys = {{ keystone_fernet_tokens_max_active_keys }}
|
|
||||||
|
|
||||||
|
|
||||||
[identity]
|
|
||||||
{% if keystone_ldap.Default is not defined %}
|
|
||||||
driver = sql
|
|
||||||
{% endif %}
|
|
||||||
{% if keystone_ldap | length > 0 %}
|
|
||||||
domain_config_dir = {{ keystone_ldap_domain_config_dir }}
|
|
||||||
domain_specific_drivers_enabled = True
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
|
|
||||||
[assignment]
|
|
||||||
driver = {{ keystone_assignment_driver }}
|
|
||||||
|
|
||||||
|
|
||||||
[resource]
|
|
||||||
cache_time = {{ keystone_resource_cache_time }}
|
|
||||||
caching = true
|
|
||||||
driver = {{ keystone_resource_driver }}
|
|
||||||
|
|
||||||
|
|
||||||
[token]
|
|
||||||
enforce_token_bind = permissive
|
|
||||||
expiration = {{ keystone_token_expiration }}
|
|
||||||
caching = true
|
|
||||||
cache_time = {{ keystone_token_cache_time }}
|
|
||||||
provider = {{ keystone_token_provider }}
|
|
||||||
{% if 'fernet' not in keystone_token_provider %}
|
|
||||||
driver = {{ keystone_token_driver }}
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
# We need to /temporarily/ disable catalog caching due to [1], once
|
|
||||||
# upstream keystone bug [2] is fixed we can remove this [catalog]
|
|
||||||
# section entirely.
|
|
||||||
# [1] https://review.openstack.org/#/c/215212/
|
|
||||||
# [2] https://review.openstack.org/#/c/271536/
|
|
||||||
[catalog]
|
|
||||||
caching = false
|
|
||||||
|
|
||||||
{% if keystone_idp is defined %}
|
|
||||||
[saml]
|
|
||||||
certfile = "{{ keystone_idp.certfile }}"
|
|
||||||
keyfile = "{{ keystone_idp.keyfile }}"
|
|
||||||
idp_entity_id = "{{ keystone_idp.idp_entity_id }}"
|
|
||||||
idp_sso_endpoint = "{{ keystone_idp.idp_sso_endpoint }}"
|
|
||||||
idp_metadata_path = "{{ keystone_idp.idp_metadata_path }}"
|
|
||||||
{% if keystone_idp.organization_name is defined %}
|
|
||||||
idp_organization_name = {{ keystone_idp.organization_name }}
|
|
||||||
{% endif %}
|
|
||||||
{% if keystone_idp.organization_display_name is defined %}
|
|
||||||
idp_organization_display_name = {{ keystone_idp.organization_display_name }}
|
|
||||||
{% endif %}
|
|
||||||
{% if keystone_idp.organization_url is defined %}
|
|
||||||
idp_organization_url = {{ keystone_idp.organization_url }}
|
|
||||||
{% endif %}
|
|
||||||
{% if keystone_idp.contact_company is defined %}
|
|
||||||
idp_contact_company = {{ keystone_idp.contact_company }}
|
|
||||||
{% endif %}
|
|
||||||
{% if keystone_idp.contact_name is defined %}
|
|
||||||
idp_contact_name = {{ keystone_idp.contact_name }}
|
|
||||||
{% endif %}
|
|
||||||
{% if keystone_idp.contact_surname is defined %}
|
|
||||||
idp_contact_surname = {{ keystone_idp.contact_surname }}
|
|
||||||
{% endif %}
|
|
||||||
{% if keystone_idp.contact_email is defined %}
|
|
||||||
idp_contact_email = {{ keystone_idp.contact_email }}
|
|
||||||
{% endif %}
|
|
||||||
{% if keystone_idp.contact_telephone is defined %}
|
|
||||||
idp_contact_telephone = {{ keystone_idp.contact_telephone }}
|
|
||||||
{% endif %}
|
|
||||||
{% if keystone_idp.contact_type is defined %}
|
|
||||||
idp_contact_type = {{ keystone_idp.contact_type }}
|
|
||||||
{% endif %}
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
[eventlet_server]
|
|
||||||
admin_bind_host = {{ keystone_bind_address }}
|
|
||||||
admin_port = {{ keystone_admin_port }}
|
|
||||||
public_port = {{ keystone_service_port }}
|
|
||||||
|
|
||||||
[oslo_messaging_rabbit]
|
|
||||||
rabbit_port = {{ rabbitmq_port }}
|
|
||||||
rabbit_userid = {{ keystone_rabbitmq_userid }}
|
|
||||||
rabbit_password = {{ keystone_rabbitmq_password }}
|
|
||||||
rabbit_virtual_host = {{ keystone_rabbitmq_vhost }}
|
|
||||||
rabbit_hosts = {{ rabbitmq_servers }}
|
|
||||||
rabbit_use_ssl = {{ rabbitmq_use_ssl }}
|
|
||||||
|
|
||||||
{% if keystone_sp is defined %}
|
|
||||||
[federation]
|
|
||||||
remote_id_attribute = Shib-Identity-Provider
|
|
||||||
{% if keystone_sp.trusted_dashboard_list is defined %}
|
|
||||||
{% for item in keystone_sp.trusted_dashboard_list %}
|
|
||||||
trusted_dashboard = {{ item }}
|
|
||||||
{% endfor %}
|
|
||||||
{% endif %}
|
|
||||||
{% endif %}
|
|
@ -1,9 +0,0 @@
|
|||||||
# {{ ansible_managed }}
|
|
||||||
|
|
||||||
[identity]
|
|
||||||
driver = ldap
|
|
||||||
|
|
||||||
[ldap]
|
|
||||||
{% for key, value in item.value | dictsort %}
|
|
||||||
{{ key }} = {{ value }}
|
|
||||||
{% endfor %}
|
|
@ -1,186 +0,0 @@
|
|||||||
{
|
|
||||||
"admin_required": "role:admin or is_admin:1",
|
|
||||||
"service_role": "role:service",
|
|
||||||
"service_or_admin": "rule:admin_required or rule:service_role",
|
|
||||||
"owner" : "user_id:%(user_id)s",
|
|
||||||
"admin_or_owner": "rule:admin_required or rule:owner",
|
|
||||||
"token_subject": "user_id:%(target.token.user_id)s",
|
|
||||||
"admin_or_token_subject": "rule:admin_required or rule:token_subject",
|
|
||||||
"service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject",
|
|
||||||
|
|
||||||
"default": "rule:admin_required",
|
|
||||||
|
|
||||||
"identity:get_region": "",
|
|
||||||
"identity:list_regions": "",
|
|
||||||
"identity:create_region": "rule:admin_required",
|
|
||||||
"identity:update_region": "rule:admin_required",
|
|
||||||
"identity:delete_region": "rule:admin_required",
|
|
||||||
|
|
||||||
"identity:get_service": "rule:admin_required",
|
|
||||||
"identity:list_services": "rule:admin_required",
|
|
||||||
"identity:create_service": "rule:admin_required",
|
|
||||||
"identity:update_service": "rule:admin_required",
|
|
||||||
"identity:delete_service": "rule:admin_required",
|
|
||||||
|
|
||||||
"identity:get_endpoint": "rule:admin_required",
|
|
||||||
"identity:list_endpoints": "rule:admin_required",
|
|
||||||
"identity:create_endpoint": "rule:admin_required",
|
|
||||||
"identity:update_endpoint": "rule:admin_required",
|
|
||||||
"identity:delete_endpoint": "rule:admin_required",
|
|
||||||
|
|
||||||
"identity:get_domain": "rule:admin_required",
|
|
||||||
"identity:list_domains": "rule:admin_required",
|
|
||||||
"identity:create_domain": "rule:admin_required",
|
|
||||||
"identity:update_domain": "rule:admin_required",
|
|
||||||
"identity:delete_domain": "rule:admin_required",
|
|
||||||
|
|
||||||
"identity:get_project": "rule:admin_required",
|
|
||||||
"identity:list_projects": "rule:admin_required",
|
|
||||||
"identity:list_user_projects": "rule:admin_or_owner",
|
|
||||||
"identity:create_project": "rule:admin_required",
|
|
||||||
"identity:update_project": "rule:admin_required",
|
|
||||||
"identity:delete_project": "rule:admin_required",
|
|
||||||
|
|
||||||
"identity:get_user": "rule:admin_required",
|
|
||||||
"identity:list_users": "rule:admin_required",
|
|
||||||
"identity:create_user": "rule:admin_required",
|
|
||||||
"identity:update_user": "rule:admin_required",
|
|
||||||
"identity:delete_user": "rule:admin_required",
|
|
||||||
"identity:change_password": "rule:admin_or_owner",
|
|
||||||
|
|
||||||
"identity:get_group": "rule:admin_required",
|
|
||||||
"identity:list_groups": "rule:admin_required",
|
|
||||||
"identity:list_groups_for_user": "rule:admin_or_owner",
|
|
||||||
"identity:create_group": "rule:admin_required",
|
|
||||||
"identity:update_group": "rule:admin_required",
|
|
||||||
"identity:delete_group": "rule:admin_required",
|
|
||||||
"identity:list_users_in_group": "rule:admin_required",
|
|
||||||
"identity:remove_user_from_group": "rule:admin_required",
|
|
||||||
"identity:check_user_in_group": "rule:admin_required",
|
|
||||||
"identity:add_user_to_group": "rule:admin_required",
|
|
||||||
|
|
||||||
"identity:get_credential": "rule:admin_required",
|
|
||||||
"identity:list_credentials": "rule:admin_required",
|
|
||||||
"identity:create_credential": "rule:admin_required",
|
|
||||||
"identity:update_credential": "rule:admin_required",
|
|
||||||
"identity:delete_credential": "rule:admin_required",
|
|
||||||
|
|
||||||
"identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
|
|
||||||
"identity:ec2_list_credentials": "rule:admin_or_owner",
|
|
||||||
"identity:ec2_create_credential": "rule:admin_or_owner",
|
|
||||||
"identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
|
|
||||||
|
|
||||||
"identity:get_role": "rule:admin_required",
|
|
||||||
"identity:list_roles": "rule:admin_required",
|
|
||||||
"identity:create_role": "rule:admin_required",
|
|
||||||
"identity:update_role": "rule:admin_required",
|
|
||||||
"identity:delete_role": "rule:admin_required",
|
|
||||||
|
|
||||||
"identity:check_grant": "rule:admin_required",
|
|
||||||
"identity:list_grants": "rule:admin_required",
|
|
||||||
"identity:create_grant": "rule:admin_required",
|
|
||||||
"identity:revoke_grant": "rule:admin_required",
|
|
||||||
|
|
||||||
"identity:list_role_assignments": "rule:admin_required",
|
|
||||||
"identity:list_role_assignments_for_tree": "rule:admin_required",
|
|
||||||
|
|
||||||
"identity:get_policy": "rule:admin_required",
|
|
||||||
"identity:list_policies": "rule:admin_required",
|
|
||||||
"identity:create_policy": "rule:admin_required",
|
|
||||||
"identity:update_policy": "rule:admin_required",
|
|
||||||
"identity:delete_policy": "rule:admin_required",
|
|
||||||
|
|
||||||
"identity:check_token": "rule:admin_or_token_subject",
|
|
||||||
"identity:validate_token": "rule:service_admin_or_token_subject",
|
|
||||||
"identity:validate_token_head": "rule:service_or_admin",
|
|
||||||
"identity:revocation_list": "rule:service_or_admin",
|
|
||||||
"identity:revoke_token": "rule:admin_or_token_subject",
|
|
||||||
|
|
||||||
"identity:create_trust": "user_id:%(trust.trustor_user_id)s",
|
|
||||||
"identity:list_trusts": "",
|
|
||||||
"identity:list_roles_for_trust": "",
|
|
||||||
"identity:get_role_for_trust": "",
|
|
||||||
"identity:delete_trust": "",
|
|
||||||
|
|
||||||
"identity:create_consumer": "rule:admin_required",
|
|
||||||
"identity:get_consumer": "rule:admin_required",
|
|
||||||
"identity:list_consumers": "rule:admin_required",
|
|
||||||
"identity:delete_consumer": "rule:admin_required",
|
|
||||||
"identity:update_consumer": "rule:admin_required",
|
|
||||||
|
|
||||||
"identity:authorize_request_token": "rule:admin_required",
|
|
||||||
"identity:list_access_token_roles": "rule:admin_required",
|
|
||||||
"identity:get_access_token_role": "rule:admin_required",
|
|
||||||
"identity:list_access_tokens": "rule:admin_required",
|
|
||||||
"identity:get_access_token": "rule:admin_required",
|
|
||||||
"identity:delete_access_token": "rule:admin_required",
|
|
||||||
|
|
||||||
"identity:list_projects_for_endpoint": "rule:admin_required",
|
|
||||||
"identity:add_endpoint_to_project": "rule:admin_required",
|
|
||||||
"identity:check_endpoint_in_project": "rule:admin_required",
|
|
||||||
"identity:list_endpoints_for_project": "rule:admin_required",
|
|
||||||
"identity:remove_endpoint_from_project": "rule:admin_required",
|
|
||||||
|
|
||||||
"identity:create_endpoint_group": "rule:admin_required",
|
|
||||||
"identity:list_endpoint_groups": "rule:admin_required",
|
|
||||||
"identity:get_endpoint_group": "rule:admin_required",
|
|
||||||
"identity:update_endpoint_group": "rule:admin_required",
|
|
||||||
"identity:delete_endpoint_group": "rule:admin_required",
|
|
||||||
"identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
|
|
||||||
"identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
|
|
||||||
"identity:get_endpoint_group_in_project": "rule:admin_required",
|
|
||||||
"identity:list_endpoint_groups_for_project": "rule:admin_required",
|
|
||||||
"identity:add_endpoint_group_to_project": "rule:admin_required",
|
|
||||||
"identity:remove_endpoint_group_from_project": "rule:admin_required",
|
|
||||||
|
|
||||||
"identity:create_identity_provider": "rule:admin_required",
|
|
||||||
"identity:list_identity_providers": "rule:admin_required",
|
|
||||||
"identity:get_identity_providers": "rule:admin_required",
|
|
||||||
"identity:update_identity_provider": "rule:admin_required",
|
|
||||||
"identity:delete_identity_provider": "rule:admin_required",
|
|
||||||
|
|
||||||
"identity:create_protocol": "rule:admin_required",
|
|
||||||
"identity:update_protocol": "rule:admin_required",
|
|
||||||
"identity:get_protocol": "rule:admin_required",
|
|
||||||
"identity:list_protocols": "rule:admin_required",
|
|
||||||
"identity:delete_protocol": "rule:admin_required",
|
|
||||||
|
|
||||||
"identity:create_mapping": "rule:admin_required",
|
|
||||||
"identity:get_mapping": "rule:admin_required",
|
|
||||||
"identity:list_mappings": "rule:admin_required",
|
|
||||||
"identity:delete_mapping": "rule:admin_required",
|
|
||||||
"identity:update_mapping": "rule:admin_required",
|
|
||||||
|
|
||||||
"identity:create_service_provider": "rule:admin_required",
|
|
||||||
"identity:list_service_providers": "rule:admin_required",
|
|
||||||
"identity:get_service_provider": "rule:admin_required",
|
|
||||||
"identity:update_service_provider": "rule:admin_required",
|
|
||||||
"identity:delete_service_provider": "rule:admin_required",
|
|
||||||
|
|
||||||
"identity:get_auth_catalog": "",
|
|
||||||
"identity:get_auth_projects": "",
|
|
||||||
"identity:get_auth_domains": "",
|
|
||||||
|
|
||||||
"identity:list_projects_for_groups": "",
|
|
||||||
"identity:list_domains_for_groups": "",
|
|
||||||
|
|
||||||
"identity:list_revoke_events": "",
|
|
||||||
|
|
||||||
"identity:create_policy_association_for_endpoint": "rule:admin_required",
|
|
||||||
"identity:check_policy_association_for_endpoint": "rule:admin_required",
|
|
||||||
"identity:delete_policy_association_for_endpoint": "rule:admin_required",
|
|
||||||
"identity:create_policy_association_for_service": "rule:admin_required",
|
|
||||||
"identity:check_policy_association_for_service": "rule:admin_required",
|
|
||||||
"identity:delete_policy_association_for_service": "rule:admin_required",
|
|
||||||
"identity:create_policy_association_for_region_and_service": "rule:admin_required",
|
|
||||||
"identity:check_policy_association_for_region_and_service": "rule:admin_required",
|
|
||||||
"identity:delete_policy_association_for_region_and_service": "rule:admin_required",
|
|
||||||
"identity:get_policy_for_endpoint": "rule:admin_required",
|
|
||||||
"identity:list_endpoints_for_policy": "rule:admin_required",
|
|
||||||
|
|
||||||
"identity:create_domain_config": "rule:admin_required",
|
|
||||||
"identity:get_domain_config": "rule:admin_required",
|
|
||||||
"identity:update_domain_config": "rule:admin_required",
|
|
||||||
"identity:delete_domain_config": "rule:admin_required",
|
|
||||||
"identity:get_domain_config_default": "rule:admin_required"
|
|
||||||
}
|
|
@ -1,63 +0,0 @@
|
|||||||
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
|
|
||||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
|
|
||||||
|
|
||||||
<!--
|
|
||||||
The below default attributes are standard for a Shibboleth
|
|
||||||
Identity Provider and will likely work with many other
|
|
||||||
standard SAML2 Identity Providers.
|
|
||||||
-->
|
|
||||||
|
|
||||||
<Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
|
|
||||||
<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
|
|
||||||
</Attribute>
|
|
||||||
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
|
|
||||||
<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
|
|
||||||
</Attribute>
|
|
||||||
|
|
||||||
<Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="affiliation">
|
|
||||||
<AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
|
|
||||||
</Attribute>
|
|
||||||
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
|
|
||||||
<AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
|
|
||||||
</Attribute>
|
|
||||||
|
|
||||||
<Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation">
|
|
||||||
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
|
|
||||||
</Attribute>
|
|
||||||
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
|
|
||||||
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
|
|
||||||
</Attribute>
|
|
||||||
|
|
||||||
<Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>
|
|
||||||
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
|
|
||||||
|
|
||||||
<!-- A persistent id attribute that supports personalized anonymous access. -->
|
|
||||||
|
|
||||||
<Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="targeted-id">
|
|
||||||
<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
|
|
||||||
</Attribute>
|
|
||||||
|
|
||||||
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
|
|
||||||
<AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
|
|
||||||
</Attribute>
|
|
||||||
|
|
||||||
<Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
|
|
||||||
<AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
|
|
||||||
</Attribute>
|
|
||||||
|
|
||||||
<!--
|
|
||||||
The following attributes have been configured through Ansible.
|
|
||||||
-->
|
|
||||||
{% for idp in keystone_sp.trusted_idp_list %}
|
|
||||||
{% if idp.protocols is defined %}
|
|
||||||
{% for protocol in idp.protocols %}
|
|
||||||
{% if protocol.name == "saml2" and protocol.attributes is defined %}
|
|
||||||
{% for attr in protocol.attributes %}
|
|
||||||
<Attribute{% for k in attr %} {{ k }}="{{ attr[k] }}"{% endfor %}/>
|
|
||||||
{% endfor %}
|
|
||||||
{% endif %}
|
|
||||||
{% endfor %}
|
|
||||||
{% endif %}
|
|
||||||
{% endfor %}
|
|
||||||
|
|
||||||
</Attributes>
|
|
@ -1,104 +0,0 @@
|
|||||||
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
|
|
||||||
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
|
|
||||||
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
|
|
||||||
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
|
|
||||||
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
|
|
||||||
clockSkew="180">
|
|
||||||
|
|
||||||
<!-- The entityID is the name by which your IdP will know your SP. -->
|
|
||||||
<ApplicationDefaults entityID="{{ keystone_service_publicuri }}/shibboleth">
|
|
||||||
|
|
||||||
<!-- You should use secure cookies if at all possible. See cookieProps in this Wiki article. -->
|
|
||||||
<!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessions -->
|
|
||||||
<Sessions lifetime="28800"
|
|
||||||
timeout="3600"
|
|
||||||
relayState="ss:mem"
|
|
||||||
checkAddress="false"
|
|
||||||
handlerSSL="{% if keystone_ssl | bool %}true{% else %}false{% endif %}"
|
|
||||||
{% if keystone_service_publicuri_proto == "https" %}cookieProps="; path=/; secure"{% endif %}>
|
|
||||||
|
|
||||||
<!-- Triggers a login request directly to the IdP. -->
|
|
||||||
<!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSO -->
|
|
||||||
<SSO ECP="true" entityID="{{ keystone_sp.trusted_idp_list.0.entity_ids.0 }}">
|
|
||||||
SAML2 SAML1
|
|
||||||
</SSO>
|
|
||||||
|
|
||||||
<!-- SAML and local-only logout. -->
|
|
||||||
<!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceLogout -->
|
|
||||||
<Logout>SAML2 Local</Logout>
|
|
||||||
|
|
||||||
<!--
|
|
||||||
Handlers allow you to interact with the SP and gather more information.
|
|
||||||
Attribute values received by the SP through SAML will be visible at:
|
|
||||||
{{ keystone_service_publicuri }}/Shibboleth.sso/Session
|
|
||||||
-->
|
|
||||||
|
|
||||||
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
|
|
||||||
<Handler type="MetadataGenerator"
|
|
||||||
Location="/Metadata"
|
|
||||||
signing="false"/>
|
|
||||||
|
|
||||||
<!-- Status reporting service. -->
|
|
||||||
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
|
|
||||||
|
|
||||||
<!-- Session diagnostic service. -->
|
|
||||||
<Handler type="Session" Location="/Session" showAttributeValues="true"/>
|
|
||||||
|
|
||||||
<!-- JSON feed of discovery information. -->
|
|
||||||
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
|
|
||||||
</Sessions>
|
|
||||||
|
|
||||||
<!--
|
|
||||||
Allows overriding of error template information/filenames. You can
|
|
||||||
also add attributes with values that can be plugged into the templates.
|
|
||||||
-->
|
|
||||||
<Errors supportContact="root@localhost"
|
|
||||||
helpLocation="/about.html"
|
|
||||||
styleSheet="/shibboleth-sp/main.css"/>
|
|
||||||
|
|
||||||
<!--
|
|
||||||
Loads and trusts a list of metadata files which describes
|
|
||||||
the trusted IdP's and how to communicate with them.
|
|
||||||
-->
|
|
||||||
{% if keystone_sp.trusted_idp_list is defined -%}
|
|
||||||
{% for item in keystone_sp.trusted_idp_list %}
|
|
||||||
<MetadataProvider type="XML"
|
|
||||||
uri="{{ item.metadata_uri }}"
|
|
||||||
backingFilePath="{{ item.metadata_file }}"
|
|
||||||
reloadInterval="{{ item.metadata_reload }}" />
|
|
||||||
{% endfor %}
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
<!-- Map to extract attributes from SAML assertions. -->
|
|
||||||
<AttributeExtractor type="XML"
|
|
||||||
validate="true"
|
|
||||||
reloadChanges="false"
|
|
||||||
path="attribute-map.xml"/>
|
|
||||||
|
|
||||||
<!-- Use a SAML query if no attributes are supplied during SSO. -->
|
|
||||||
<AttributeResolver type="Query" subjectMatch="true"/>
|
|
||||||
|
|
||||||
<!-- Default filtering policy for recognized attributes, lets other data pass. -->
|
|
||||||
<AttributeFilter type="XML"
|
|
||||||
validate="true"
|
|
||||||
path="attribute-policy.xml"/>
|
|
||||||
|
|
||||||
<!-- Your SP generated these credentials. They're used to talk to IdP's. -->
|
|
||||||
<CredentialResolver type="File"
|
|
||||||
key="sp-key.pem"
|
|
||||||
certificate="sp-cert.pem"/>
|
|
||||||
|
|
||||||
</ApplicationDefaults>
|
|
||||||
|
|
||||||
<!-- Policies that determine how to process and authenticate runtime messages. -->
|
|
||||||
<SecurityPolicyProvider type="XML"
|
|
||||||
validate="true"
|
|
||||||
path="security-policy.xml"/>
|
|
||||||
|
|
||||||
<!-- Low-level configuration about protocols and bindings available for use. -->
|
|
||||||
<ProtocolProvider type="XML"
|
|
||||||
validate="true"
|
|
||||||
reloadChanges="false"
|
|
||||||
path="protocols.xml"/>
|
|
||||||
|
|
||||||
</SPConfig>
|
|
Loading…
Reference in New Issue
Block a user