Merge "Enable all services to use Keystone 'insecurely'"

This commit is contained in:
Jenkins 2015-07-10 16:53:24 +00:00 committed by Gerrit Code Review
commit f5388b61e4
24 changed files with 126 additions and 15 deletions


@ -153,6 +153,8 @@ keystone_service_adminurl_v3: "{{ keystone_service_adminuri_v3 }}/v3"
keystone_cache_backend_argument: "url:{% for host in groups['memcached'] %}{{ hostvars[host]['container_address'] }}{% if not loop.last %},{% endif %}{% endfor %}:{{ memcached_port }}"
keystone_memcached_servers: "{% for host in groups['keystone_all'] %}{{ hostvars[host]['container_address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}"
keystone_service_region: "{{ service_region }}"
keystone_service_adminuri_insecure: false
keystone_service_internaluri_insecure: false
## Horizon
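Review bot: The two new flags `keystone_service_adminuri_insecure` and `keystone_service_internaluri_insecure` land without a comment, and nothing at this point tells an operator that flipping one to `true` turns off TLS certificate verification for every module call and service config in this change that references it. A one-line comment above them would keep them from being set casually, e.g. `## Set to true only when the admin/internal Keystone URI presents a certificate clients cannot verify (e.g. self-signed); this disables TLS certificate verification for those connections.` The rest of this group_vars block lies outside the hunk.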


@ -53,8 +53,16 @@ options:
description:
- which version of the glance api to use
choices:
- 1 (default)
- 1
- 2
default: 1
insecure:
description:
- Explicitly allow client to perform "insecure" TLS
choices:
- false
- true
default: false
author: Hugh Saunders
"""
@ -114,7 +122,9 @@ class ManageGlance(object):
def _keystone_authenticate(self):
"""Authenticate with Keystone."""
openrc = self._parse_openrc()
self.keystone = ksclient.Client(username=openrc['OS_USERNAME'],
insecure = self.module.params['insecure']
self.keystone = ksclient.Client(insecure=insecure,
username=openrc['OS_USERNAME'],
password=openrc['OS_PASSWORD'],
tenant_name=openrc['OS_TENANT_NAME'],
auth_url=openrc['OS_AUTH_URL'])
@ -209,7 +219,9 @@ def main():
image_container_format=dict(required=False),
image_disk_format=dict(required=False),
image_is_public=dict(required=False, choices=BOOLEANS),
api_version=dict(default='1', required=False, choices=['1', '2'])
api_version=dict(default='1', required=False, choices=['1', '2']),
insecure=dict(default=False, required=False,
choices=BOOLEANS + ['True', 'False'])
),
supports_check_mode=False
)
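Review bot: `insecure` is declared in `argument_spec` without `type='bool'`, and `_keystone_authenticate` hands `self.module.params['insecure']` to `ksclient.Client` unconverted; the `choices` list admits the strings `'True'` and `'False'`, and the playbook tasks in this change pass the value through a quoted template (`"{{ keystone_service_adminuri_insecure }}"`), so as far as I can tell the module can receive the string `'False'`, which is truthy and would disable certificate verification exactly when the operator asked to keep it on. Coerce before use, `insecure = self.module.boolean(self.module.params['insecure'])`, or declare the option as `type='bool'` in the spec. The same pattern appears in the keystone module (`insecure = variables_dict.pop('insecure')`) and in the neutron module's `_keystone_authenticate`, so the fix should go in all three. The option description `Explicitly allow client to perform "insecure" TLS` would also be clearer as `Skip TLS certificate verification when connecting to Keystone`. `_keystone_authenticate` and `main` both continue outside their hunks.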


@ -121,6 +121,13 @@ options:
'ensure_endpoint', 'ensure_role', 'ensure_user',
'ensure_user_role', 'ensure_tenant']
required: true
insecure:
description:
- Explicitly allow client to perform "insecure" TLS
choices:
- false
- true
default: false
requirements: [ python-keystoneclient ]
author: Kevin Carter
"""
@ -357,7 +364,8 @@ class ManageKeystone(object):
'login_user',
'login_password',
'login_tenant_name',
'token'
'token',
'insecure'
]
variables_dict = self._get_vars(variables, required=required_vars)
@ -366,6 +374,7 @@ class ManageKeystone(object):
login_password = variables_dict.pop('login_password')
login_tenant_name = variables_dict.pop('login_tenant_name')
token = variables_dict.pop('token')
insecure = variables_dict.pop('insecure')
if token is None:
if login_tenant_name is None:
@ -386,9 +395,14 @@ class ManageKeystone(object):
)
if token:
self.keystone = client.Client(endpoint=endpoint, token=token)
self.keystone = client.Client(
insecure=insecure,
endpoint=endpoint,
token=token
)
else:
self.keystone = client.Client(
insecure=insecure,
auth_url=endpoint,
username=login_user,
password=login_password,
@ -797,6 +811,11 @@ def main():
required=True,
choices=COMMAND_MAP.keys()
),
insecure=dict(
default=False,
required=False,
choices=BOOLEANS + ['True', 'False']
),
return_code=dict(
type='str',
default='0'


@ -58,9 +58,16 @@ options:
router_external:
description:
- Specify router:external' when creating network
external_gateway_info
external_gateway_info:
description:
- Specify external_gateway_info when creating router
insecure:
description:
- Explicitly allow client to perform "insecure" TLS
choices:
- false
- true
default: false
author: Hugh Saunders
"""
@ -247,7 +254,9 @@ class ManageNeutron(object):
def _keystone_authenticate(self):
"""Authenticate with Keystone."""
openrc = self._parse_openrc()
self.keystone = ksclient.Client(username=openrc['OS_USERNAME'],
insecure = self.module.params['insecure']
self.keystone = ksclient.Client(insecure=insecure,
username=openrc['OS_USERNAME'],
password=openrc['OS_PASSWORD'],
tenant_name=openrc['OS_TENANT_NAME'],
auth_url=openrc['OS_AUTH_URL'])
@ -396,7 +405,9 @@ def main():
router_external=dict(required=False),
router_name=dict(required=False),
external_gateway_info=dict(required=False),
tenant_id=dict(required=False)
tenant_id=dict(required=False),
insecure=dict(default=False, required=False,
choices=BOOLEANS + ['True', 'False'])
),
supports_check_mode=False
)


@ -23,6 +23,9 @@ openrc_os_username: admin
openrc_os_tenant_name: admin
openrc_os_auth_url: "http://127.0.0.1:5000"
## Deliberately allow access to SSL endpoints with bad certificates
openrc_insecure: "{{ (keystone_service_adminuri_insecure | bool or keystone_service_internaluri_insecure | bool) | default(false) }}"
## Create file
openrc_file_dest: "{{ ansible_env.HOME }}/openrc"
openrc_file_owner: "{{ ansible_user_id }}"
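Review bot: The `| default(false)` on `openrc_insecure` is applied to the result of the `or`, which is always defined, so it provides no fallback when one of the two `keystone_service_*_insecure` variables is missing; if a fallback is intended it has to sit on each input, `openrc_insecure: "{{ (keystone_service_adminuri_insecure | default(false) | bool) or (keystone_service_internaluri_insecure | default(false) | bool) }}"`. Because the two flags are ORed, the generated openrc aliases every CLI client with `--insecure`, against whichever endpoint each client uses, as soon as either URI is marked insecure; the comment above the line should say so, e.g. `## True when either Keystone URI is marked insecure; the generated openrc then aliases every CLI client with --insecure.`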


@ -13,3 +13,15 @@ export OS_PASSWORD={{ openrc_os_password }}
export OS_TENANT_NAME={{ openrc_os_tenant_name }}
export OS_AUTH_URL={{ openrc_os_auth_url }}
export OS_NO_CACHE=1
{% if openrc_insecure | bool %}
# Convenience Aliases for Self-Signed Certs
alias cinder='cinder --insecure'
alias glance='glance --insecure'
alias heat='heat --insecure'
alias keystone='keystone --insecure'
alias neutron='neutron --insecure'
alias nova='nova --insecure'
alias openstack='openstack --insecure'
alias swift='swift --insecure'
{% endif %}


@ -22,6 +22,7 @@
service_name: "{{ service_name }}"
service_type: "{{ service_type }}"
description: "{{ service_description }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5
@ -40,6 +41,7 @@
user_name: "{{ service_user_name }}"
tenant_name: "{{ service_tenant_name }}"
password: "{{ service_password }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5
@ -58,6 +60,7 @@
user_name: "{{ service_user_name }}"
tenant_name: "{{ service_tenant_name }}"
role_name: "{{ role_name }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5
@ -79,6 +82,7 @@
publicurl: "{{ service_publicurl }}"
adminurl: "{{ service_internalurl }}"
internalurl: "{{ service_adminurl }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5
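Review bot: The `insecure` line is added to an endpoint task whose surrounding arguments are cross-wired, `adminurl: "{{ service_internalurl }}"` and `internalurl: "{{ service_adminurl }}"`, which registers the admin endpoint under the internal URL and vice versa. That swap is pre-existing rather than part of this change, but the heat service-setup touched by the same commit uses the expected `publicurl`/`internalurl`/`adminurl` pairing, and the same crossed order appears in the glance, neutron, nova and swift service-setup files here, so it is worth correcting while these tasks are being edited unless it is deliberate. Each task's `keystone:` header lies above its hunk.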


@ -116,6 +116,7 @@ profiler_enabled = {{ cinder_profiler_enabled }}
trace_sqlalchemy = {{ cinder_profiler_trace_sqlalchemy }}
[keystone_authtoken]
insecure = {{ keystone_service_internaluri_insecure | bool }}
auth_plugin = {{ cinder_keystone_auth_plugin }}
signing_dir = /var/cache/cinder
auth_url = {{ keystone_service_adminuri }}
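Review bot: The new `insecure` setting in `[keystone_authtoken]` follows `keystone_service_internaluri_insecure`, but the endpoint this section connects to is `auth_url = {{ keystone_service_adminuri }}`, so the verification switch tracks the flag for a different URI than the one being contacted; a deployment with a self-signed admin URI keeps verification on against it, and one with an unverifiable internal URI switches it off for the admin connection where it could have stayed on. If the middleware validates tokens against `auth_url`/`identity_uri`, as the section reads, the line should be `insecure = {{ keystone_service_adminuri_insecure | bool }}`. The same pairing appears in the glance-api, glance-registry, heat (`identity_uri`), neutron, nova and swift proxy-server templates in this change.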


@ -22,6 +22,7 @@
service_name: "{{ glance_service_name }}"
service_type: "{{ glance_service_type }}"
description: "{{ glance_service_description }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5
@ -40,6 +41,7 @@
user_name: "{{ glance_service_user_name }}"
tenant_name: "{{ glance_service_project_name }}"
password: "{{ glance_service_password }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5
@ -58,6 +60,7 @@
user_name: "{{ glance_service_user_name }}"
tenant_name: "{{ glance_service_project_name }}"
role_name: "{{ glance_role_name }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5
@ -79,6 +82,7 @@
publicurl: "{{ glance_service_publicurl }}"
adminurl: "{{ glance_service_internalurl }}"
internalurl: "{{ glance_service_adminurl }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5


@ -55,6 +55,7 @@ task_executor = {{ glance_task_executor }}
connection = mysql://{{ glance_galera_user }}:{{ glance_container_mysql_password }}@{{ glance_galera_address }}/{{ glance_galera_database }}?charset=utf8
[keystone_authtoken]
insecure = {{ keystone_service_internaluri_insecure | bool }}
auth_plugin = {{ glance_keystone_auth_plugin }}
signing_dir = {{ glance_system_user_home }}/cache/api
auth_url = {{ keystone_service_adminuri }}


@ -27,6 +27,7 @@ rabbit_password = {{ rabbitmq_password }}
connection = mysql://{{ glance_galera_user }}:{{ glance_container_mysql_password }}@{{ glance_galera_address }}/{{ glance_galera_database }}?charset=utf8
[keystone_authtoken]
insecure = {{ keystone_service_internaluri_insecure | bool }}
auth_plugin = {{ glance_keystone_auth_plugin }}
signing_dir = {{ glance_system_user_home }}/cache/registry/
auth_url = {{ keystone_service_adminuri }}


@ -22,6 +22,7 @@
service_name: "{{ service_name }}"
service_type: "{{ service_type }}"
description: "{{ service_description }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5
@ -40,6 +41,7 @@
user_name: "{{ service_user_name }}"
tenant_name: "{{ service_tenant_name }}"
password: "{{ service_password }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5
@ -58,6 +60,7 @@
user_name: "{{ service_user_name }}"
tenant_name: "{{ service_tenant_name }}"
role_name: "{{ role_name }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5
@ -79,6 +82,7 @@
publicurl: "{{ service_publicurl }}"
internalurl: "{{ service_internalurl }}"
adminurl: "{{ service_adminurl }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5


@ -68,6 +68,7 @@ trace_sqlalchemy = {{ heat_profiler_trace_sqlalchemy }}
[keystone_authtoken]
insecure = {{ keystone_service_internaluri_insecure | bool }}
signing_dir = /var/cache/heat
identity_uri = {{ keystone_service_adminuri }}
auth_uri = {{ keystone_service_internalurl }}


@ -197,11 +197,7 @@ OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_"
# ("saml2", _("Security Assertion Markup Language")))
# Disable SSL certificate checks (useful for self-signed certificates):
{% if horizon_self_signed == true %}
OPENSTACK_SSL_NO_VERIFY = True
{% else %}
OPENSTACK_SSL_NO_VERIFY = False
{% endif %}
OPENSTACK_SSL_NO_VERIFY = {{ keystone_service_internaluri_insecure | bool }}
{% if horizon_cacert_pem is defined %}
# The CA certificate to use to verify SSL connections
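Review bot: `OPENSTACK_SSL_NO_VERIFY` no longer reads `horizon_self_signed`, so a deployment that sets that variable silently changes behaviour after this commit unless the variable is retired or mapped elsewhere in the change, which I cannot see from this hunk. If both knobs are meant to coexist, OR them, `OPENSTACK_SSL_NO_VERIFY = {{ (keystone_service_internaluri_insecure | bool) or (horizon_self_signed | default(false) | bool) }}`; if `horizon_self_signed` is being removed, say so in the role defaults so operators notice. Note also that this setting governs Horizon's connections to Keystone, so the flag chosen here should match whichever Keystone URI Horizon is configured to use, which this hunk does not show.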


@ -50,6 +50,7 @@
endpoint: "{{ keystone_service_adminurl }}"
tenant_name: "{{ keystone_service_tenant_name }}"
description: "{{ keystone_service_description }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5
@ -66,6 +67,7 @@
endpoint: "{{ keystone_service_adminurl }}"
tenant_name: "{{ keystone_admin_tenant_name }}"
description: "{{ keystone_admin_description }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5
@ -83,6 +85,7 @@
user_name: "{{ keystone_admin_user_name }}"
tenant_name: "{{ keystone_admin_tenant_name }}"
password: "{{ keystone_auth_admin_password }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5
@ -98,6 +101,7 @@
token: "{{ keystone_auth_admin_token }}"
endpoint: "{{ keystone_service_adminurl }}"
role_name: "{{ keystone_role_name }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5
@ -115,6 +119,7 @@
user_name: "{{ keystone_admin_user_name }}"
tenant_name: "{{ keystone_admin_tenant_name }}"
role_name: "{{ keystone_role_name }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5
@ -132,6 +137,7 @@
service_name: "{{ keystone_service_name }}"
service_type: "{{ keystone_service_type }}"
description: "{{ keystone_service_description }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5
@ -150,6 +156,7 @@
user_name: "{{ keystone_service_user_name }}"
tenant_name: "{{ keystone_service_tenant_name }}"
password: "{{ keystone_service_password }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5
@ -168,6 +175,7 @@
user_name: "{{ keystone_service_user_name }}"
tenant_name: "{{ keystone_service_tenant_name }}"
role_name: "{{ keystone_role_name }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5
@ -189,6 +197,7 @@
publicurl: "{{ keystone_service_publicurl }}"
adminurl: "{{ keystone_service_adminurl }}"
internalurl: "{{ keystone_service_internalurl }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5


@ -36,7 +36,7 @@
# These are used in the Neutron HA Cron job script, and processed in the template.
- name: Creating Job Facts
set_fact:
do_job: ". /root/openrc && /opt/neutron-ha-tool.py --l3-agent-migrate"
do_job: ". /root/openrc && /opt/neutron-ha-tool.py {% if keystone_service_internaluri_insecure | bool %}--insecure {% endif %}--l3-agent-migrate"
sleep_time: "{{ hashed_name.int_value }}"
tags:
- neutron-ha-tool


@ -22,6 +22,7 @@
service_name: "{{ service_name }}"
service_type: "{{ service_type }}"
description: "{{ service_description }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5
@ -40,6 +41,7 @@
user_name: "{{ service_user_name }}"
tenant_name: "{{ service_tenant_name }}"
password: "{{ service_password }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5
@ -58,6 +60,7 @@
user_name: "{{ service_user_name }}"
tenant_name: "{{ service_tenant_name }}"
role_name: "{{ role_name }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5
@ -79,6 +82,7 @@
publicurl: "{{ service_publicurl }}"
adminurl: "{{ service_internalurl }}"
internalurl: "{{ service_adminurl }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5


@ -94,6 +94,7 @@ root_helper = sudo /usr/local/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
[keystone_authtoken]
insecure = {{ keystone_service_internaluri_insecure | bool }}
auth_plugin = {{ neutron_keystone_auth_plugin }}
signing_dir = /var/cache/neutron
auth_url = {{ keystone_service_adminuri }}


@ -22,6 +22,7 @@
service_name: "{{ service_name }}"
service_type: "{{ service_type }}"
description: "{{ service_description }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5
@ -40,6 +41,7 @@
user_name: "{{ service_user_name }}"
tenant_name: "{{ service_tenant_name }}"
password: "{{ service_password }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5
@ -58,6 +60,7 @@
user_name: "{{ service_user_name }}"
tenant_name: "{{ service_tenant_name }}"
role_name: "{{ role_name }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5
@ -79,6 +82,7 @@
publicurl: "{{ service_publicurl }}"
adminurl: "{{ service_internalurl }}"
internalurl: "{{ service_adminurl }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5


@ -165,6 +165,7 @@ enabled = false
[keystone_authtoken]
insecure = {{ keystone_service_internaluri_insecure | bool }}
auth_plugin = {{ nova_keystone_auth_plugin }}
signing_dir = {{ nova_system_home_folder }}/cache/api
auth_url = {{ keystone_service_adminuri }}


@ -22,6 +22,7 @@
service_name: "{{ swift_service_name }}"
service_type: "{{ swift_service_type }}"
description: "{{ swift_service_description }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5
@ -40,6 +41,7 @@
user_name: "{{ swift_service_user_name }}"
tenant_name: "{{ swift_service_project_name }}"
password: "{{ swift_service_password }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5
@ -58,6 +60,7 @@
user_name: "{{ swift_service_user_name }}"
tenant_name: "{{ swift_service_project_name }}"
role_name: "{{ swift_service_role_name }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5
@ -73,6 +76,7 @@
token: "{{ keystone_auth_admin_token }}"
endpoint: "{{ keystone_service_adminurl }}"
role_name: "{{ swift_operator_role }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5
@ -90,6 +94,7 @@
user_name: "{{ swift_dispersion_user }}"
tenant_name: "{{ swift_service_project_name }}"
password: "{{ swift_dispersion_password }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5
@ -139,6 +144,7 @@
user_name: "{{ swift_dispersion_user }}"
tenant_name: "{{ swift_service_project_name }}"
role_name: "{{ swift_operator_role }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5
@ -160,6 +166,7 @@
publicurl: "{{ swift_service_publicurl }}"
adminurl: "{{ swift_service_internalurl }}"
internalurl: "{{ swift_service_adminurl }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5


@ -54,6 +54,7 @@ user_test_tester3 = testing3
{% elif swift_authtoken_active %}
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
insecure = {{ keystone_service_internaluri_insecure | bool }}
auth_plugin = {{ swift_keystone_auth_plugin }}
auth_url = {{ keystone_service_adminuri }}
auth_uri = {{ keystone_service_internaluri }}


@ -22,6 +22,7 @@
image_container_format: bare
image_disk_format: qcow2
image_is_public: True
insecure: "{{ keystone_service_internaluri_insecure }}"
tags:
- tempest-setup
- tempest-config
@ -40,6 +41,7 @@
tenant_name: "{{ item }}"
description: "{{ item }} Tenant"
endpoint: "{{ keystone_service_adminurl }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5
@ -59,6 +61,7 @@
password: "{{ item }}"
description: "{{ item }} User"
endpoint: "{{ keystone_service_adminurl }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5
@ -77,6 +80,7 @@
user_name: "{{ item }}"
role_name: heat_stack_owner
endpoint: "{{ keystone_service_adminurl }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5
@ -93,6 +97,7 @@
token: "{{ keystone_auth_admin_token }}"
endpoint: "{{ keystone_service_adminurl }}"
role_name: "reseller_admin"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5
@ -106,6 +111,7 @@
token: "{{ keystone_auth_admin_token }}"
role_name: remote_image
endpoint: "{{ keystone_service_adminurl }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5
@ -119,6 +125,7 @@
token: "{{ keystone_auth_admin_token }}"
tenant_name: demo
endpoint: "{{ keystone_service_adminurl }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5
@ -140,6 +147,7 @@
openrc_path: /root/openrc
net_name: private
tenant_id: "{{ keystone_demo_tenant_id }}"
insecure: "{{ keystone_service_internaluri_insecure }}"
tags:
- tempest-setup
- tempest-config
@ -159,6 +167,7 @@
provider_network_type: flat
provider_physical_network: flat
router_external: true
insecure: "{{ keystone_service_internaluri_insecure }}"
tags:
- tempest-setup
- tempest-config
@ -178,6 +187,7 @@
subnet_name: private-subnet
cidr: "{{ tempest_private_subnet_cidr }}"
tenant_id: "{{ keystone_demo_tenant_id }}"
insecure: "{{ keystone_service_internaluri_insecure }}"
tags:
- tempest-setup
@ -188,6 +198,7 @@
net_name: public
subnet_name: public-subnet
cidr: "{{ tempest_public_subnet_cidr }}"
insecure: "{{ keystone_service_internaluri_insecure }}"
tags:
- tempest-setup
@ -198,6 +209,7 @@
router_name: router
external_gateway_info: public
tenant_id: "{{ keystone_demo_tenant_id }}"
insecure: "{{ keystone_service_internaluri_insecure }}"
tags:
- tempest-setup
@ -207,6 +219,7 @@
openrc_path: /root/openrc
router_name: router
subnet_name: private-subnet
insecure: "{{ keystone_service_internaluri_insecure }}"
tags:
- tempest-setup


@ -112,7 +112,7 @@ alt_password = alt_demo
alt_username = alt_demo
auth_version = v2
catalog_type = identity
disable_ssl_certificate_validation = false
disable_ssl_certificate_validation = {{ keystone_service_internaluri_insecure | bool }}
endpoint_type = internalURL
password = demo
tenant_name = demo