openstack/openstack-ansible
Code Issues Proposed changes
Files
87655627ff69b459d3c577c23ede8bd6a2b4589d
openstack-ansible/playbooks/roles/os_keystone/templates/keystone-httpd.conf.j2
Jesse Pretorius 4b35b3e929 Keystone SSL cert/key distribution and configuration 
This patch adds the option to provide an SSL certificate for the
Keystone service (either self-signed or user provided) and to
configure the endpoints and Keystone service appropriately.

* A new boolean variable called 'keystone_ssl' enables/disables
  the configuration of SSL for the Keystone service.

* The server key/certificate (and optionally a CA cert) are
  distributed to all keystone containers and used for the setup
  of SSL endpoints if the appropriate protocol is set.

* The internal/public and the admin endpoints can be set to be
  served via http or https seperately via the
  'keystone_service_*_proto' variables.

* The logic to determine the appropriate load balancing
  configuration based on the Keystone endpoint protocol has
  been implemented in the haproxy vars.

* Two new variables have been implemented for a user-provided
  server key and certificate:
  - keystone_user_ssl_cert: <path to cert on deployment host>
  - keystone_user_ssl_key: <path to cert on deployment host>
  If either of these is not defined, but a Keystone endpoint
  has been configured for SSL, then the missing cert/key
  will be self generated on the first Keystone container and
  distributed to the other containers.

* A new variable has been implemented for a user-provided CA
  certificate:
  - keystone_user_ssl_ca_cert: <path to cert on deployment host>

* A new variable called 'keystone_ssl_self_signed_subject' has
  been implemented to allow the user to override the certificate
  properties, such as the CN and subjectAltName.

Upgrade notes:

* The SSL-based client authentication configuration in Apache
  has been removed as it appears to be unused.

* The minimum Ansible version for the os_keystone and
  haproxy_server roles have been increased to v1.9.0 as it's
  the minimum version that supports ternary filters.

* The boolean 'keystone_ssl_enabled' has been renamed to
  'keystone_ssl'. This maintains a pattern set in the haproxy
  role for enablement of ssl offloading in the load balancer.

* The Apache configuration appropriately implements the
  'SSLCACertificateFile' instead of the 'SSLCACertificatePath'
  directive in order to ensure that the appropriate signing
  certificate is provided to the browser.

* The 'keystone_self_signed_regen' variable has been renamed
  to 'keystone_ssl_self_signed_regen'.

* The default names for the deployed keys/certificates have been
  changed:
  - /etc/ssl/certs/apache.cert  > /etc/ssl/certs/keystone.pem
  - /etc/ssl/private/apache.key > /etc/ssl/private/keystone.key

DocImpact
Partial-Bug: #1466827
Implements: blueprint keystone-federation
Change-Id: I4c5ea7b6bfc3d7d7230a7440fa501241826c9dee
Co-Authored-By: Miguel Grinberg <miguelgrinberg50@gmail.com>
2015-08-19 07:51:09 +00:00

90 lines
3.2 KiB
Django/Jinja
Raw Blame History

# {{ ansible_managed }}
<VirtualHost *:{{ keystone_service_port }}>
WSGIDaemonProcess keystone-service user={{ keystone_system_user_name }} group={{ keystone_system_group_name }} processes={{ keystone_wsgi_processes }} threads={{ keystone_wsgi_threads }} display-name=%{GROUP}
WSGIProcessGroup keystone-service
WSGIScriptAlias / /var/www/cgi-bin/keystone/main
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
LogLevel {{ keystone_apache_log_level }}
ErrorLog /var/log/keystone/keystone-apache-error.log
CustomLog /var/log/keystone/ssl_access.log combined
Options +FollowSymLinks
{% if keystone_ssl | bool and keystone_service_internaluri_proto == "https" -%}
SSLEngine on
SSLCertificateFile {{ keystone_ssl_cert }}
SSLCertificateKeyFile {{ keystone_ssl_key }}
{% if keystone_user_ssl_ca_cert is defined -%}
SSLCACertificateFile {{ keystone_ssl_ca_cert }}
{% endif -%}
SSLCompression Off
SSLProtocol {{ keystone_ssl_protocol }}
SSLHonorCipherOrder On
SSLCipherSuite {{ keystone_ssl_cipher_suite }}
SSLOptions +StdEnvVars +ExportCertData
{% endif %}
{% if keystone_sp is defined -%}
ShibURLScheme {{ keystone_service_publicuri_proto }}
<Location /Shibboleth.sso>
SetHandler shib
</Location>
<Location /v3/auth/OS-FEDERATION/websso/saml2>
AuthType shibboleth
ShibRequestSetting requireSession 1
ShibRequestSetting exportAssertion 1
ShibRequireSession On
ShibExportAssertion On
Require valid-user
</Location>
<LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
ShibRequestSetting requireSession 1
AuthType shibboleth
ShibExportAssertion Off
Require valid-user
</LocationMatch>
WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/cgi-bin/keystone/main/$1
{%- endif %}
</VirtualHost>
<VirtualHost *:{{ keystone_admin_port }}>
WSGIDaemonProcess keystone-admin user={{ keystone_system_user_name }} group={{ keystone_system_group_name }} processes={{ keystone_wsgi_processes }} threads={{ keystone_wsgi_threads }} display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
LogLevel {{ keystone_apache_log_level }}
ErrorLog /var/log/keystone/keystone-apache-error.log
CustomLog /var/log/keystone/ssl_access.log combined
Options +FollowSymLinks
{% if keystone_ssl | bool and keystone_service_adminuri_proto == "https" -%}
SSLEngine on
SSLCertificateFile {{ keystone_ssl_cert }}
SSLCertificateKeyFile {{ keystone_ssl_key }}
{% if keystone_user_ssl_ca_cert is defined -%}
SSLCACertificateFile {{ keystone_ssl_ca_cert }}
{% endif -%}
SSLCompression Off
SSLProtocol {{ keystone_ssl_protocol }}
SSLHonorCipherOrder On
SSLCipherSuite {{ keystone_ssl_cipher_suite }}
SSLOptions +StdEnvVars +ExportCertData
{% endif %}
</VirtualHost>
View Git Blame Copy Permalink