Update Keystone config and policy for Kilo

Keystone's config file has been updated with new options that need to be
exposed as configurable options (e.g., Proxy Forwarded SSL Header).

Keystone's default policy file has also changed in Kilo so we are
pulling in an updated copy to match the new version.

Partially implements blueprint: master-kilofication

Change-Id: Ib98e54940acfa9627e6d10c10964d87528b4a9b7
Ian Cordasco 2015-03-24 21:09:41 -05:00 committed by Jesse Pretorius
parent 4c4fbe25c3
commit f810a7ff14
3 changed files with 29 additions and 9 deletions


@ -77,6 +77,9 @@ keystone_admin_user_name: admin
keystone_admin_tenant_name: admin keystone_admin_tenant_name: admin
keystone_admin_description: Admin Tenant keystone_admin_description: Admin Tenant
## Secure Proxy SSL Information
#keystone_secure_proxy_ssl_header: X-Forwarded-For
## Service Type and Data ## Service Type and Data
keystone_service_region: RegionOne keystone_service_region: RegionOne
keystone_service_name: keystone keystone_service_name: keystone
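Review bot: The commented example on the new `#keystone_secure_proxy_ssl_header: X-Forwarded-For` line names the wrong header for this option: Keystone's `secure_proxy_ssl_header` is the header from which the original request scheme is read, and X-Forwarded-For carries the client address rather than the scheme, so an operator who uncomments it as written would never get the HTTPS detection the option exists for. The upstream sample config gives the value in WSGI-environ form, typically `HTTP_X_FORWARDED_PROTO`, and the keystone.conf.j2 template in this commit passes the variable through unchanged, so the example should read `#keystone_secure_proxy_ssl_header: HTTP_X_FORWARDED_PROTO`. A short comment above it such as `## Keystone trusts this header to decide whether the original request was HTTPS; only set it when the SSL-terminating proxy overwrites the header on every request.` would make the trust assumption visible where the variable is set.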


@ -4,6 +4,8 @@
"service_or_admin": "rule:admin_required or rule:service_role", "service_or_admin": "rule:admin_required or rule:service_role",
"owner" : "user_id:%(user_id)s", "owner" : "user_id:%(user_id)s",
"admin_or_owner": "rule:admin_required or rule:owner", "admin_or_owner": "rule:admin_required or rule:owner",
"token_subject": "user_id:%(target.token.user_id)s",
"admin_or_token_subject": "rule:admin_required or rule:token_subject",
"default": "rule:admin_required", "default": "rule:admin_required",
@ -62,7 +64,7 @@
"identity:update_credential": "rule:admin_required", "identity:update_credential": "rule:admin_required",
"identity:delete_credential": "rule:admin_required", "identity:delete_credential": "rule:admin_required",
"identity:ec2_get_credential": "rule:admin_or_owner", "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
"identity:ec2_list_credentials": "rule:admin_or_owner", "identity:ec2_list_credentials": "rule:admin_or_owner",
"identity:ec2_create_credential": "rule:admin_or_owner", "identity:ec2_create_credential": "rule:admin_or_owner",
"identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)", "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
@ -90,13 +92,12 @@
"identity:validate_token": "rule:service_or_admin", "identity:validate_token": "rule:service_or_admin",
"identity:validate_token_head": "rule:service_or_admin", "identity:validate_token_head": "rule:service_or_admin",
"identity:revocation_list": "rule:service_or_admin", "identity:revocation_list": "rule:service_or_admin",
"identity:revoke_token": "rule:admin_or_owner", "identity:revoke_token": "rule:admin_or_token_subject",
"identity:create_trust": "user_id:%(trust.trustor_user_id)s", "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
"identity:get_trust": "rule:admin_or_owner", "identity:get_trust": "rule:admin_or_owner",
"identity:list_trusts": "", "identity:list_trusts": "",
"identity:list_roles_for_trust": "", "identity:list_roles_for_trust": "",
"identity:check_role_for_trust": "",
"identity:get_role_for_trust": "", "identity:get_role_for_trust": "",
"identity:delete_trust": "", "identity:delete_trust": "",
@ -126,7 +127,7 @@
"identity:delete_endpoint_group": "rule:admin_required", "identity:delete_endpoint_group": "rule:admin_required",
"identity:list_projects_associated_with_endpoint_group": "rule:admin_required", "identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
"identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required", "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
"identity:list_endpoint_groups_for_project": "rule:admin_required", "identity:get_endpoint_group_in_project": "rule:admin_required",
"identity:add_endpoint_group_to_project": "rule:admin_required", "identity:add_endpoint_group_to_project": "rule:admin_required",
"identity:remove_endpoint_group_from_project": "rule:admin_required", "identity:remove_endpoint_group_from_project": "rule:admin_required",
@ -148,6 +149,12 @@
"identity:delete_mapping": "rule:admin_required", "identity:delete_mapping": "rule:admin_required",
"identity:update_mapping": "rule:admin_required", "identity:update_mapping": "rule:admin_required",
"identity:create_service_provider": "rule:admin_required",
"identity:list_service_providers": "rule:admin_required",
"identity:get_service_provider": "rule:admin_required",
"identity:update_service_provider": "rule:admin_required",
"identity:delete_service_provider": "rule:admin_required",
"identity:get_auth_catalog": "", "identity:get_auth_catalog": "",
"identity:get_auth_projects": "", "identity:get_auth_projects": "",
"identity:get_auth_domains": "", "identity:get_auth_domains": "",
@ -167,5 +174,10 @@
"identity:check_policy_association_for_region_and_service": "rule:admin_required", "identity:check_policy_association_for_region_and_service": "rule:admin_required",
"identity:delete_policy_association_for_region_and_service": "rule:admin_required", "identity:delete_policy_association_for_region_and_service": "rule:admin_required",
"identity:get_policy_for_endpoint": "rule:admin_required", "identity:get_policy_for_endpoint": "rule:admin_required",
"identity:list_endpoints_for_policy": "rule:admin_required" "identity:list_endpoints_for_policy": "rule:admin_required",
"identity:create_domain_config": "rule:admin_required",
"identity:get_domain_config": "rule:admin_required",
"identity:update_domain_config": "rule:admin_required",
"identity:delete_domain_config": "rule:admin_required"
} }
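Review bot: The expression `rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)` is now written out twice, on the changed `identity:ec2_get_credential` line and the pre-existing `identity:ec2_delete_credential` line, while the header already factors shared expressions into named rules (`admin_or_owner`, and the new `admin_or_token_subject`); a named rule such as `"admin_or_cred_owner": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)"` would keep the two in step. Since the commit message says this is a copy of upstream's Kilo policy.json, that divergence trades easier future syncs for readability, so leaving it verbatim may be the deliberate choice. Separately, the removal of `identity:check_role_for_trust` and the rename to `identity:get_endpoint_group_in_project` mean any target a deployed Keystone still enforces under the old name falls back to `"default": "rule:admin_required"`, which is fail-closed but would turn a previously unrestricted trust role check into an admin-only one on a pre-Kilo Keystone; worth confirming the role pins Keystone to Kilo before this lands.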


@ -10,11 +10,12 @@ public_endpoint = {{ keystone_public_endpoint }}
admin_endpoint = {{ keystone_service_adminuri }} admin_endpoint = {{ keystone_service_adminuri }}
fatal_deprecations = {{ keystone_fatal_deprecations }} fatal_deprecations = {{ keystone_fatal_deprecations }}
{% if keystone_ssl_enabled == true and keystone_secure_proxy_ssl_header is defined %}
secure_proxy_ssl_header = {{ keystone_secure_proxy_ssl_header }}
{% endif %}
log_file = keystone.log log_file = keystone.log
log_dir = /var/log/keystone log_dir = /var/log/keystone
rabbit_hosts = {{ rabbitmq_servers }}
rabbit_userid = {{ rabbitmq_userid }}
rabbit_password = {{ rabbitmq_password }}
rpc_backend = {{ keystone_rpc_backend }} rpc_backend = {{ keystone_rpc_backend }}
@ -85,8 +86,12 @@ cache_time = {{ keystone_token_cache_time }}
provider = {{ keystone_token_provider }} provider = {{ keystone_token_provider }}
driver = {{ keystone_token_driver }} driver = {{ keystone_token_driver }}
[eventlet_server] [eventlet_server]
admin_bind_host = {{ keystone_bind_address }} admin_bind_host = {{ keystone_bind_address }}
admin_port = {{ keystone_admin_port }} admin_port = {{ keystone_admin_port }}
public_port = {{ keystone_service_port }} public_port = {{ keystone_service_port }}
[oslo_messaging_rabbit]
rabbit_hosts = {{ rabbitmq_servers }}
rabbit_userid = {{ rabbitmq_userid }}
rabbit_password = {{ rabbitmq_password }}
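Review bot: In the first hunk, `{% if keystone_ssl_enabled == true and keystone_secure_proxy_ssl_header is defined %}` compares against a literal boolean, so a value supplied from inventory or extra-vars as the string `"true"` or `"yes"` would silently leave `secure_proxy_ssl_header` out of the rendered file; the Ansible idiom is `{% if keystone_ssl_enabled | bool and keystone_secure_proxy_ssl_header is defined %}`. It is also not obvious from the condition whether `keystone_ssl_enabled` describes TLS at Keystone itself or at a terminating proxy in front of it, and the header option is only meaningful in the latter case, because Keystone will trust whatever the named header says about the original scheme; a Jinja comment above the block, such as `{# secure_proxy_ssl_header makes Keystone trust the named header for the request scheme; only set it when an SSL-terminating proxy in front of Keystone overwrites that header on every request #}`, would record that assumption next to the code. The enclosing [DEFAULT] section begins before the hunk.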