1f051ca9b7
Instead of using the long backend/driver names, use the short names and let stevedore load the plugins for us. This prevents this kind of message in the logs: Failed to load 'keystone.catalog.backends.sql.Catalog' using stevedore: No 'keystone.catalog' driver found. Also clean up unit and functional tests that were setting the wrong credential & assignment drivers. Change-Id: Id3b8ed63ef9a821eba5374af7ed0fd1c8d755e09
# Example manifest: a single keystone service whose identity store is split
# across two domains, each backed by its own LDAP directory through
# keystone::ldap_backend, while the catalog stays in MySQL.
#
# Every credential in this file (admin_token, the admin password, the LDAP
# bind passwords) is a placeholder. A real deployment should inject them from
# a secrets store / Hiera lookup instead of committing them to a manifest.
class { '::keystone':
  verbose             => true,
  debug               => true,
  database_connection => 'mysql://keystone:keystone@127.0.0.1/keystone',
  admin_token         => 'admin_token',
  enabled             => true,
  # helper for using domains; the per-domain keystone::ldap_backend
  # declarations below rely on it
  using_domain_config => true,
}

# Ensure this matches what is in LDAP or keystone will try to recreate
# the admin user.
class { '::keystone::roles::admin':
  email                  => 'test@example.com',
  password               => 'ChangeMe',
  admin_user_domain      => 'domain_1',
  admin_project_domain   => 'domain_1',
  service_project_domain => 'domain_1',
}

# Waiting to have keystone::roles::admin being a define instead of a
# class to make the admin for domain_2.
keystone_domain { 'domain_2': ensure => present }

# Identity backend for domain_1.
keystone::ldap_backend { 'domain_1':
  # Directory connection: plain ldap:// URL, upgraded with STARTTLS below.
  url                          => 'ldap://ldap.example.com:389',
  # Bind DN and its password (placeholder credential).
  user                         => 'uid=bind,cn=users,cn=accounts,dc=example,dc=com',
  password                     => 'SecretPass',
  suffix                       => 'dc=example,dc=com',
  query_scope                  => 'sub',
  # Users: read-only from keystone's side, they are managed in LDAP itself.
  user_tree_dn                 => 'cn=users,cn=accounts,dc=example,dc=com',
  user_id_attribute            => 'uid',
  user_name_attribute          => 'uid',
  user_mail_attribute          => 'mail',
  user_allow_create            => 'False',
  user_allow_update            => 'False',
  user_allow_delete            => 'False',
  # Enabled state is emulated through membership of a dedicated group.
  user_enabled_emulation       => 'True',
  user_enabled_emulation_dn    => 'cn=openstack-enabled,cn=groups,cn=accounts,dc=example,dc=com',
  # Groups: keystone may create, update and delete these.
  group_tree_dn                => 'ou=groups,ou=openstack,dc=example,dc=com',
  group_objectclass            => 'organizationalRole',
  group_id_attribute           => 'cn',
  group_name_attribute         => 'cn',
  group_member_attribute       => 'RoleOccupant',
  group_desc_attribute         => 'description',
  group_allow_create           => 'True',
  group_allow_update           => 'True',
  group_allow_delete           => 'True',
  # Projects: writable, with enabled-state emulation like users.
  project_tree_dn              => 'ou=projects,ou=openstack,dc=example,dc=com',
  project_objectclass          => 'organizationalUnit',
  project_id_attribute         => 'ou',
  project_member_attribute     => 'member',
  project_name_attribute       => 'ou',
  project_desc_attribute       => 'description',
  project_allow_create         => 'True',
  project_allow_update         => 'True',
  project_allow_delete         => 'True',
  project_enabled_emulation    => 'True',
  project_enabled_emulation_dn => 'cn=enabled,ou=openstack,dc=example,dc=com',
  # Roles: writable.
  role_tree_dn                 => 'ou=roles,ou=openstack,dc=example,dc=com',
  role_objectclass             => 'organizationalRole',
  role_id_attribute            => 'cn',
  role_name_attribute          => 'cn',
  role_member_attribute        => 'roleOccupant',
  role_allow_create            => 'True',
  role_allow_update            => 'True',
  role_allow_delete            => 'True',
  identity_driver              => 'ldap',
  # Transport security: STARTTLS on the ldap:// URL, and 'demand' means the
  # server certificate must validate against tls_cacertfile or the
  # connection is refused.
  use_tls                      => 'True',
  tls_cacertfile               => '/etc/ssl/certs/ca-certificates.crt',
  tls_req_cert                 => 'demand',
  # Connection pooling for both query and authentication binds.
  use_pool                     => 'True',
  use_auth_pool                => 'True',
  pool_size                    => 5,
  auth_pool_size               => 5,
  pool_retry_max               => 3,
  pool_connection_timeout      => 120,
}

# Identity backend for domain_2: same layout as domain_1 against a second
# directory (dc=example_2,dc=com).
keystone::ldap_backend { 'domain_2':
  url                          => 'ldap://ldap.example_2.com:389',
  # Bind DN and its password (placeholder credential).
  user                         => 'uid=bind,cn=users,cn=accounts,dc=example_2,dc=com',
  password                     => 'SecretPass',
  suffix                       => 'dc=example_2,dc=com',
  query_scope                  => 'sub',
  # Users: read-only from keystone's side.
  user_tree_dn                 => 'cn=users,cn=accounts,dc=example_2,dc=com',
  user_id_attribute            => 'uid',
  user_name_attribute          => 'uid',
  user_mail_attribute          => 'mail',
  user_allow_create            => 'False',
  user_allow_update            => 'False',
  user_allow_delete            => 'False',
  user_enabled_emulation       => 'True',
  user_enabled_emulation_dn    => 'cn=openstack-enabled,cn=groups,cn=accounts,dc=example_2,dc=com',
  # Groups: writable.
  group_tree_dn                => 'ou=groups,ou=openstack,dc=example_2,dc=com',
  group_objectclass            => 'organizationalRole',
  group_id_attribute           => 'cn',
  group_name_attribute         => 'cn',
  group_member_attribute       => 'RoleOccupant',
  group_desc_attribute         => 'description',
  group_allow_create           => 'True',
  group_allow_update           => 'True',
  group_allow_delete           => 'True',
  # Projects: writable, with enabled-state emulation.
  project_tree_dn              => 'ou=projects,ou=openstack,dc=example_2,dc=com',
  project_objectclass          => 'organizationalUnit',
  project_id_attribute         => 'ou',
  project_member_attribute     => 'member',
  project_name_attribute       => 'ou',
  project_desc_attribute       => 'description',
  project_allow_create         => 'True',
  project_allow_update         => 'True',
  project_allow_delete         => 'True',
  project_enabled_emulation    => 'True',
  project_enabled_emulation_dn => 'cn=enabled,ou=openstack,dc=example_2,dc=com',
  # Roles: writable.
  role_tree_dn                 => 'ou=roles,ou=openstack,dc=example_2,dc=com',
  role_objectclass             => 'organizationalRole',
  role_id_attribute            => 'cn',
  role_name_attribute          => 'cn',
  role_member_attribute        => 'roleOccupant',
  role_allow_create            => 'True',
  role_allow_update            => 'True',
  role_allow_delete            => 'True',
  identity_driver              => 'ldap',
  # Transport security: STARTTLS with mandatory server certificate
  # validation against tls_cacertfile.
  use_tls                      => 'True',
  tls_cacertfile               => '/etc/ssl/certs/ca-certificates.crt',
  tls_req_cert                 => 'demand',
  # Connection pooling for both query and authentication binds.
  use_pool                     => 'True',
  use_auth_pool                => 'True',
  pool_size                    => 5,
  auth_pool_size               => 5,
  pool_retry_max               => 3,
  pool_connection_timeout      => 120,
}