Update Keystone config and policy for Kilo

Keystone's config file updated with new options that need to be exposed as configurable options (e.g., Proxy Forwarded SSL Header). Keystone's default policy file has also changed in Kilo so we are pulling in an updated copy to match the new version. Partially implements blueprint: master-kilofication Change-Id: Ib98e54940acfa9627e6d10c10964d87528b4a9b7
2015-03-24 21:09:41 -05:00 · 2015-03-24 21:09:41 -05:00 · f810a7ff14
commit f810a7ff14
parent 4c4fbe25c3
3 changed files with 29 additions and 9 deletions
--- a/playbooks/roles/os_keystone/defaults/main.yml
+++ b/playbooks/roles/os_keystone/defaults/main.yml
@ -77,6 +77,9 @@ keystone_admin_user_name: admin
 keystone_admin_tenant_name: admin
 keystone_admin_description: Admin Tenant

+## Secure Proxy SSL Information
+#keystone_secure_proxy_ssl_header: X-Forwarded-For
+
 ## Service Type and Data
 keystone_service_region: RegionOne
 keystone_service_name: keystone
--- a/playbooks/roles/os_keystone/files/policy.json
+++ b/playbooks/roles/os_keystone/files/policy.json
@ -4,6 +4,8 @@
    "service_or_admin": "rule:admin_required or rule:service_role",
    "owner" : "user_id:%(user_id)s",
    "admin_or_owner": "rule:admin_required or rule:owner",
+    "token_subject": "user_id:%(target.token.user_id)s",
+    "admin_or_token_subject": "rule:admin_required or rule:token_subject",

    "default": "rule:admin_required",

@ -62,7 +64,7 @@
    "identity:update_credential": "rule:admin_required",
    "identity:delete_credential": "rule:admin_required",

-    "identity:ec2_get_credential": "rule:admin_or_owner",
+    "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
    "identity:ec2_list_credentials": "rule:admin_or_owner",
    "identity:ec2_create_credential": "rule:admin_or_owner",
    "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
@ -90,13 +92,12 @@
    "identity:validate_token": "rule:service_or_admin",
    "identity:validate_token_head": "rule:service_or_admin",
    "identity:revocation_list": "rule:service_or_admin",
-    "identity:revoke_token": "rule:admin_or_owner",
+    "identity:revoke_token": "rule:admin_or_token_subject",

    "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
    "identity:get_trust": "rule:admin_or_owner",
    "identity:list_trusts": "",
    "identity:list_roles_for_trust": "",
-    "identity:check_role_for_trust": "",
    "identity:get_role_for_trust": "",
    "identity:delete_trust": "",

@ -126,7 +127,7 @@
    "identity:delete_endpoint_group": "rule:admin_required",
    "identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
    "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
-    "identity:list_endpoint_groups_for_project": "rule:admin_required",
+    "identity:get_endpoint_group_in_project": "rule:admin_required",
    "identity:add_endpoint_group_to_project": "rule:admin_required",
    "identity:remove_endpoint_group_from_project": "rule:admin_required",

@ -148,6 +149,12 @@
    "identity:delete_mapping": "rule:admin_required",
    "identity:update_mapping": "rule:admin_required",

+    "identity:create_service_provider": "rule:admin_required",
+    "identity:list_service_providers": "rule:admin_required",
+    "identity:get_service_provider": "rule:admin_required",
+    "identity:update_service_provider": "rule:admin_required",
+    "identity:delete_service_provider": "rule:admin_required",
+
    "identity:get_auth_catalog": "",
    "identity:get_auth_projects": "",
    "identity:get_auth_domains": "",
@ -167,5 +174,10 @@
    "identity:check_policy_association_for_region_and_service": "rule:admin_required",
    "identity:delete_policy_association_for_region_and_service": "rule:admin_required",
    "identity:get_policy_for_endpoint": "rule:admin_required",
-    "identity:list_endpoints_for_policy": "rule:admin_required"
+    "identity:list_endpoints_for_policy": "rule:admin_required",
+
+    "identity:create_domain_config": "rule:admin_required",
+    "identity:get_domain_config": "rule:admin_required",
+    "identity:update_domain_config": "rule:admin_required",
+    "identity:delete_domain_config": "rule:admin_required"
 }
--- a/playbooks/roles/os_keystone/templates/keystone.conf.j2
+++ b/playbooks/roles/os_keystone/templates/keystone.conf.j2
@ -10,11 +10,12 @@ public_endpoint = {{ keystone_public_endpoint }}
 admin_endpoint = {{ keystone_service_adminuri }}
 fatal_deprecations = {{ keystone_fatal_deprecations }}

+{% if keystone_ssl_enabled == true and  keystone_secure_proxy_ssl_header is defined %}
+secure_proxy_ssl_header = {{ keystone_secure_proxy_ssl_header }}
+{% endif %}
+
 log_file = keystone.log
 log_dir = /var/log/keystone
-rabbit_hosts = {{ rabbitmq_servers }}
-rabbit_userid = {{ rabbitmq_userid }}
-rabbit_password = {{ rabbitmq_password }}
 rpc_backend = {{ keystone_rpc_backend }}


@ -85,8 +86,12 @@ cache_time = {{ keystone_token_cache_time }}
 provider = {{ keystone_token_provider }}
 driver = {{ keystone_token_driver }}

-
 [eventlet_server]
 admin_bind_host = {{ keystone_bind_address }}
 admin_port = {{ keystone_admin_port }}
 public_port = {{ keystone_service_port }}
+
+[oslo_messaging_rabbit]
+rabbit_hosts = {{ rabbitmq_servers }}
+rabbit_userid = {{ rabbitmq_userid }}
+rabbit_password = {{ rabbitmq_password }}