Update Keystone config and policy for Kilo
Keystone's config file has been updated with new options that need to be exposed as configurable variables (e.g., the secure proxy SSL header). Keystone's default policy file has also changed in Kilo, so we are pulling in an updated copy to match the new version. Partially implements blueprint: master-kilofication Change-Id: Ib98e54940acfa9627e6d10c10964d87528b4a9b7
parent
4c4fbe25c3
commit
f810a7ff14
@ -77,6 +77,9 @@ keystone_admin_user_name: admin
|
|||||||
keystone_admin_tenant_name: admin
|
keystone_admin_tenant_name: admin
|
||||||
keystone_admin_description: Admin Tenant
|
keystone_admin_description: Admin Tenant
|
||||||
|
|
||||||
|
## Secure Proxy SSL Information
|
||||||
|
#keystone_secure_proxy_ssl_header: X-Forwarded-For
|
||||||
|
|
||||||
## Service Type and Data
|
## Service Type and Data
|
||||||
keystone_service_region: RegionOne
|
keystone_service_region: RegionOne
|
||||||
keystone_service_name: keystone
|
keystone_service_name: keystone
|
||||||
|
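Review bot: The example value on the commented default `#keystone_secure_proxy_ssl_header: X-Forwarded-For` names the wrong header: X-Forwarded-For carries the client address chain, whereas this option tells Keystone which header to consult for the original request scheme, and as far as I recall Keystone's own option help gives `HTTP_X_FORWARDED_PROTO` (the WSGI environ key form) as the typical value. Whichever header is chosen, Keystone trusts its value to decide whether a request arrived over TLS, so it should only be enabled when every path to Keystone passes through a proxy that overwrites that header; a client that can reach Keystone directly can otherwise assert https. I would change the example to `#keystone_secure_proxy_ssl_header: HTTP_X_FORWARDED_PROTO` and add above it `## Only enable when Keystone is reachable solely through a TLS-terminating proxy that sets/overwrites this header; clients can otherwise spoof the scheme.`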
@ -4,6 +4,8 @@
|
|||||||
"service_or_admin": "rule:admin_required or rule:service_role",
|
"service_or_admin": "rule:admin_required or rule:service_role",
|
||||||
"owner" : "user_id:%(user_id)s",
|
"owner" : "user_id:%(user_id)s",
|
||||||
"admin_or_owner": "rule:admin_required or rule:owner",
|
"admin_or_owner": "rule:admin_required or rule:owner",
|
||||||
|
"token_subject": "user_id:%(target.token.user_id)s",
|
||||||
|
"admin_or_token_subject": "rule:admin_required or rule:token_subject",
|
||||||
|
|
||||||
"default": "rule:admin_required",
|
"default": "rule:admin_required",
|
||||||
|
|
||||||
@ -62,7 +64,7 @@
|
|||||||
"identity:update_credential": "rule:admin_required",
|
"identity:update_credential": "rule:admin_required",
|
||||||
"identity:delete_credential": "rule:admin_required",
|
"identity:delete_credential": "rule:admin_required",
|
||||||
|
|
||||||
"identity:ec2_get_credential": "rule:admin_or_owner",
|
"identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
|
||||||
"identity:ec2_list_credentials": "rule:admin_or_owner",
|
"identity:ec2_list_credentials": "rule:admin_or_owner",
|
||||||
"identity:ec2_create_credential": "rule:admin_or_owner",
|
"identity:ec2_create_credential": "rule:admin_or_owner",
|
||||||
"identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
|
"identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
|
||||||
@ -90,13 +92,12 @@
|
|||||||
"identity:validate_token": "rule:service_or_admin",
|
"identity:validate_token": "rule:service_or_admin",
|
||||||
"identity:validate_token_head": "rule:service_or_admin",
|
"identity:validate_token_head": "rule:service_or_admin",
|
||||||
"identity:revocation_list": "rule:service_or_admin",
|
"identity:revocation_list": "rule:service_or_admin",
|
||||||
"identity:revoke_token": "rule:admin_or_owner",
|
"identity:revoke_token": "rule:admin_or_token_subject",
|
||||||
|
|
||||||
"identity:create_trust": "user_id:%(trust.trustor_user_id)s",
|
"identity:create_trust": "user_id:%(trust.trustor_user_id)s",
|
||||||
"identity:get_trust": "rule:admin_or_owner",
|
"identity:get_trust": "rule:admin_or_owner",
|
||||||
"identity:list_trusts": "",
|
"identity:list_trusts": "",
|
||||||
"identity:list_roles_for_trust": "",
|
"identity:list_roles_for_trust": "",
|
||||||
"identity:check_role_for_trust": "",
|
|
||||||
"identity:get_role_for_trust": "",
|
"identity:get_role_for_trust": "",
|
||||||
"identity:delete_trust": "",
|
"identity:delete_trust": "",
|
||||||
|
|
||||||
@ -126,7 +127,7 @@
|
|||||||
"identity:delete_endpoint_group": "rule:admin_required",
|
"identity:delete_endpoint_group": "rule:admin_required",
|
||||||
"identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
|
"identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
|
||||||
"identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
|
"identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
|
||||||
"identity:list_endpoint_groups_for_project": "rule:admin_required",
|
"identity:get_endpoint_group_in_project": "rule:admin_required",
|
||||||
"identity:add_endpoint_group_to_project": "rule:admin_required",
|
"identity:add_endpoint_group_to_project": "rule:admin_required",
|
||||||
"identity:remove_endpoint_group_from_project": "rule:admin_required",
|
"identity:remove_endpoint_group_from_project": "rule:admin_required",
|
||||||
|
|
||||||
@ -148,6 +149,12 @@
|
|||||||
"identity:delete_mapping": "rule:admin_required",
|
"identity:delete_mapping": "rule:admin_required",
|
||||||
"identity:update_mapping": "rule:admin_required",
|
"identity:update_mapping": "rule:admin_required",
|
||||||
|
|
||||||
|
"identity:create_service_provider": "rule:admin_required",
|
||||||
|
"identity:list_service_providers": "rule:admin_required",
|
||||||
|
"identity:get_service_provider": "rule:admin_required",
|
||||||
|
"identity:update_service_provider": "rule:admin_required",
|
||||||
|
"identity:delete_service_provider": "rule:admin_required",
|
||||||
|
|
||||||
"identity:get_auth_catalog": "",
|
"identity:get_auth_catalog": "",
|
||||||
"identity:get_auth_projects": "",
|
"identity:get_auth_projects": "",
|
||||||
"identity:get_auth_domains": "",
|
"identity:get_auth_domains": "",
|
||||||
@ -167,5 +174,10 @@
|
|||||||
"identity:check_policy_association_for_region_and_service": "rule:admin_required",
|
"identity:check_policy_association_for_region_and_service": "rule:admin_required",
|
||||||
"identity:delete_policy_association_for_region_and_service": "rule:admin_required",
|
"identity:delete_policy_association_for_region_and_service": "rule:admin_required",
|
||||||
"identity:get_policy_for_endpoint": "rule:admin_required",
|
"identity:get_policy_for_endpoint": "rule:admin_required",
|
||||||
"identity:list_endpoints_for_policy": "rule:admin_required"
|
"identity:list_endpoints_for_policy": "rule:admin_required",
|
||||||
|
|
||||||
|
"identity:create_domain_config": "rule:admin_required",
|
||||||
|
"identity:get_domain_config": "rule:admin_required",
|
||||||
|
"identity:update_domain_config": "rule:admin_required",
|
||||||
|
"identity:delete_domain_config": "rule:admin_required"
|
||||||
}
|
}
|
||||||
|
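Review bot: The new `"identity:revoke_token": "rule:admin_or_token_subject"` rule keys on `target.token.user_id`, which as far as I can tell is only populated by the Kilo-era token controller, so this policy file must ship in lockstep with the Kilo code: on an older Keystone the target attribute is absent, the rule fails closed and non-admin users lose self-revocation (a denial rather than an escalation, but worth a line in the role's release notes). The same coupling applies to the tightened `ec2_get_credential` rule, which now also requires `target.credential.user_id`. Because `"default"` stays `rule:admin_required`, any rule name the deployed code emits that is missing here (for example the removed `check_role_for_trust` or the renamed `list_endpoint_groups_for_project`) is denied to non-admins rather than opened, which is the safe direction. Since policy.json has no comment syntax, I would note in the role documentation that this file is a verbatim copy of upstream Kilo policy.json and should be diffed against the upstream tag before each release.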
@ -10,11 +10,12 @@ public_endpoint = {{ keystone_public_endpoint }}
|
|||||||
admin_endpoint = {{ keystone_service_adminuri }}
|
admin_endpoint = {{ keystone_service_adminuri }}
|
||||||
fatal_deprecations = {{ keystone_fatal_deprecations }}
|
fatal_deprecations = {{ keystone_fatal_deprecations }}
|
||||||
|
|
||||||
|
{% if keystone_ssl_enabled == true and keystone_secure_proxy_ssl_header is defined %}
|
||||||
|
secure_proxy_ssl_header = {{ keystone_secure_proxy_ssl_header }}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
log_file = keystone.log
|
log_file = keystone.log
|
||||||
log_dir = /var/log/keystone
|
log_dir = /var/log/keystone
|
||||||
rabbit_hosts = {{ rabbitmq_servers }}
|
|
||||||
rabbit_userid = {{ rabbitmq_userid }}
|
|
||||||
rabbit_password = {{ rabbitmq_password }}
|
|
||||||
rpc_backend = {{ keystone_rpc_backend }}
|
rpc_backend = {{ keystone_rpc_backend }}
|
||||||
|
|
||||||
|
|
||||||
@ -85,8 +86,12 @@ cache_time = {{ keystone_token_cache_time }}
|
|||||||
provider = {{ keystone_token_provider }}
|
provider = {{ keystone_token_provider }}
|
||||||
driver = {{ keystone_token_driver }}
|
driver = {{ keystone_token_driver }}
|
||||||
|
|
||||||
|
|
||||||
[eventlet_server]
|
[eventlet_server]
|
||||||
admin_bind_host = {{ keystone_bind_address }}
|
admin_bind_host = {{ keystone_bind_address }}
|
||||||
admin_port = {{ keystone_admin_port }}
|
admin_port = {{ keystone_admin_port }}
|
||||||
public_port = {{ keystone_service_port }}
|
public_port = {{ keystone_service_port }}
|
||||||
|
|
||||||
|
[oslo_messaging_rabbit]
|
||||||
|
rabbit_hosts = {{ rabbitmq_servers }}
|
||||||
|
rabbit_userid = {{ rabbitmq_userid }}
|
||||||
|
rabbit_password = {{ rabbitmq_password }}
|
||||||
|
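Review bot: The guard `{% if keystone_ssl_enabled == true and keystone_secure_proxy_ssl_header is defined %}` ties `secure_proxy_ssl_header` to `keystone_ssl_enabled`, but the option exists for the deployment where TLS is terminated at a proxy in front of Keystone and Keystone itself speaks plain HTTP; if `keystone_ssl_enabled` means the eventlet server terminates TLS itself (its definition is outside this hunk), the condition excludes exactly that deployment and emits the header only where it is redundant. I would drop the first operand, `{% if keystone_secure_proxy_ssl_header is defined %}`, and document on the variable that it must only be set when a trusted proxy overwrites the named header, since Keystone accepts the header's value without further checks. The value should also be the WSGI environ form that Keystone's option help cites (`HTTP_X_FORWARDED_PROTO`), not a raw header name. The `[oslo_messaging_rabbit]` section is the correct Kilo location for the rabbit options and the old `[DEFAULT]` copies are removed, so no duplicate definitions remain.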