ff2ed22c90
This change adds a number of new tasks that are dependent on the value of the Keystone token provider (keystone_token_provider) user variable. If the keystone_token_provider user_variable is set to keystone.token.providers.fernet.Provider then the playbooks will appropriately create the fernet keys and distribute them to the rest of the keystone containers. This also implements key rotation for generated fernet keys similar to how the os_nova roles implement key rotation. Finally, we also need to build cryptography from master for now. Currently, 0.8.x and 0.9.x use versions of cffi<1.0 which causes a bug when used with mod_wsgi and Apache. This is fixed in cryptography master and will be released in 1.0. Closes-bug: 1463569 Change-Id: I8605e0490a8889d57c6b1b7e03e078fb0da978ab
184 lines
6.2 KiB
YAML
184 lines
6.2 KiB
YAML
---
|
|
# Copyright 2014, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
# Defines that the role will be deployed on a host machine
|
|
is_metal: true
|
|
|
|
## Verbosity Options
|
|
debug: False
|
|
verbose: True
|
|
keystone_fatal_deprecations: False
|
|
|
|
## System info
|
|
keystone_system_user_name: keystone
|
|
keystone_system_group_name: keystone
|
|
keystone_system_service_name: apache2
|
|
keystone_system_shell: /bin/false
|
|
keystone_system_comment: keystone system user
|
|
keystone_system_user_home: "/var/lib/{{ keystone_system_user_name }}"
|
|
|
|
keystone_rpc_backend: rabbit
|
|
|
|
## Drivers
|
|
keystone_auth_methods: "password,token"
|
|
keystone_identity_driver: "keystone.identity.backends.sql.Identity"
|
|
# For a sql backed token storage use: "keystone.token.backends.sql.Token"
|
|
keystone_token_driver: "keystone.token.persistence.backends.memcache.Token"
|
|
keystone_token_provider: "keystone.token.providers.uuid.Provider"
|
|
keystone_token_expiration: 43200
|
|
keystone_token_cache_time: 3600
|
|
|
|
# Set the revocation driver used within keystone.
|
|
keystone_revocation_driver: keystone.contrib.revoke.backends.sql.Revoke
|
|
keystone_revocation_cache_time: 3600
|
|
keystone_revocation_expiration_buffer: 1800
|
|
|
|
## Fernet config vars
|
|
keystone_fernet_tokens_key_repository: "/etc/keystone/fernet-keys"
|
|
keystone_fernet_tokens_max_active_keys: 3
|
|
|
|
keystone_cache_expiration_time: 5400
|
|
|
|
keystone_assignment_driver: keystone.assignment.backends.sql.Assignment
|
|
|
|
keystone_resource_cache_time: 3600
|
|
keystone_resource_driver: keystone.resource.backends.sql.Resource
|
|
|
|
keystone_bind_address: 0.0.0.0
|
|
|
|
## Memcached servers used within keystone.
|
|
# String or Comma separated list of servers.
|
|
keystone_memcached_servers: 127.0.0.1
|
|
keystone_memcached_max_compare_and_set_retry: 16
|
|
|
|
## DB info
|
|
keystone_galera_user: keystone
|
|
keystone_galera_database: keystone
|
|
# Database tuning
|
|
keystone_database_idle_timeout: 200
|
|
keystone_database_min_pool_size: 5
|
|
keystone_database_max_pool_size: 10
|
|
keystone_database_pool_timeout: 200
|
|
|
|
## Role info
|
|
keystone_role_name: admin
|
|
|
|
## Admin info
|
|
keystone_admin_port: 35357
|
|
keystone_admin_user_name: admin
|
|
keystone_admin_tenant_name: admin
|
|
keystone_admin_description: Admin Tenant
|
|
|
|
## Secure Proxy SSL Information
|
|
#keystone_secure_proxy_ssl_header: X-Forwarded-For
|
|
|
|
## Service Type and Data
|
|
keystone_service_region: RegionOne
|
|
keystone_service_name: keystone
|
|
keystone_service_port: 5000
|
|
keystone_service_proto: http
|
|
keystone_service_publicuri_proto: "{{ keystone_service_proto }}"
|
|
keystone_service_adminuri_proto: "{{ keystone_service_proto }}"
|
|
keystone_service_internaluri_proto: "{{ keystone_service_proto }}"
|
|
keystone_service_type: identity
|
|
keystone_service_description: "Keystone Identity Service"
|
|
keystone_service_user_name: keystone
|
|
keystone_service_tenant_name: service
|
|
|
|
keystone_service_publicuri: "{{ keystone_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ keystone_service_port }}"
|
|
keystone_service_publicurl: "{{ keystone_service_publicuri }}/v2.0"
|
|
keystone_service_internaluri: "{{ keystone_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}"
|
|
keystone_service_internalurl: "{{ keystone_service_internaluri }}/v2.0"
|
|
keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_admin_port }}"
|
|
keystone_service_adminurl: "{{ keystone_service_adminuri }}/v2.0"
|
|
|
|
keystone_service_publicuri_v3: "{{ keystone_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ keystone_service_port }}"
|
|
keystone_service_publicurl_v3: "{{ keystone_service_publicuri_v3 }}/v3"
|
|
keystone_service_internaluri_v3: "{{ keystone_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}"
|
|
keystone_service_internalurl_v3: "{{ keystone_service_internaluri_v3 }}/v3"
|
|
keystone_service_adminuri_v3: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_admin_port }}"
|
|
keystone_service_adminurl_v3: "{{ keystone_service_adminuri_v3 }}/v3"
|
|
|
|
## Set this value to override the "public_endpoint" keystone.conf variable
|
|
#keystone_public_endpoint:
|
|
|
|
## Apache setup
|
|
keystone_apache_log_level: info
|
|
|
|
keystone_ssl_enabled: false
|
|
keystone_ssl_cert: /etc/ssl/certs/apache.cert
|
|
keystone_ssl_key: /etc/ssl/private/apache.key
|
|
keystone_ssl_cert_path: /etc/ssl/certs
|
|
keystone_ssl_protocol: "{{ ssl_protocol }}"
|
|
keystone_ssl_cipher_suite: "{{ ssl_cipher_suite }}"
|
|
|
|
## Caching
|
|
# If set this will enable dog pile cache for keystone.
|
|
# keystone_cache_backend_argument: url:127.0.0.1:11211
|
|
|
|
## LDAP section
|
|
# Define keystone ldap information here.
|
|
# See the http://docs.openstack.org/admin-guide-cloud/content/configuring-keystone-for-ldap-backend.html
|
|
# for more information on available options. The sections here are defined as key: value pairs. Each
|
|
# top level key bellow ``keystone_ldap`` is a section.
|
|
# (EXAMPLE LAYOUT)
|
|
# keystone_ldap:
|
|
# ldap:
|
|
# url: "ldap://127.0.0.1"
|
|
# user: "root"
|
|
# password: "secrete"
|
|
# ...
|
|
|
|
keystone_ldap_identity_driver: keystone.identity.backends.ldap.Identity
|
|
keystone_ldap_domain_config_dir: /etc/keystone/domains
|
|
|
|
## Policy vars
|
|
# Provide a list of access controls to update the default policy.json with. These changes will be merged
|
|
# with the access controls in the default policy.json. E.g.
|
|
#keystone_policy_overrides:
|
|
# identity:create_region: "rule:admin_required"
|
|
# identity:update_region: "rule:admin_required"
|
|
|
|
# Common apt packages
|
|
keystone_apt_packages:
|
|
- apache2
|
|
- apache2-utils
|
|
- debhelper
|
|
- dh-apparmor
|
|
- docutils-common
|
|
- git
|
|
- libapache2-mod-wsgi
|
|
- libjs-sphinxdoc
|
|
- libjs-underscore
|
|
- libldap2-dev
|
|
- libsasl2-dev
|
|
- libxslt1.1
|
|
- rsync
|
|
|
|
# Common pip packages
|
|
keystone_pip_packages:
|
|
- keystone
|
|
- keystonemiddleware
|
|
- ldappool
|
|
- lxml
|
|
- MySQL-python
|
|
- oslo.middleware
|
|
- pbr
|
|
- pycrypto
|
|
- pysaml2
|
|
- python-keystoneclient
|
|
- python-memcached
|
|
- repoze.lru
|