80ae141beb
The keystone documentation highly recommends disabling the admin_token authentication after the initial bootstrap because it exposes a major attack vector.

This patch adds a new class, keystone::disable_admin_token_auth, which uses ini_subsetting to remove the admin_token_auth keyword from the pipeline lists. After the first puppet run, users who use this class with the default values will need to provide some other way for puppet to authenticate to keystone. The keystone providers can all read from /root/openrc or from OS_* environment variables. The openstack_extras::auth_file class can be used to create the openrc file.

This class must be declared after the main keystone class because it uses the restart_keystone exec from the main class. This patch moves this exec out of the $default_domain conditional so that it is available to reference from the keystone::pipeline class. This is safe to do because it is a refreshonly exec, so even though it is unconditionally declared, it will only be activated if the default domain resource activates it, or the keystone::disable_admin_token_auth class activates it, or both. It will only restart keystone once no matter how many times it is activated.

Change-Id: If8a7e1639189f46e16fc996fd7919eb784d24971
Depends-On: Idc3b938e37b792636ec7c2702bf8429467b78d66
46 lines
1.6 KiB
Puppet
#
# Class to manage and secure the keystone-paste.ini pipeline configuration.
#
# The keystone module uses the admin_token parameter in keystone.conf to
# bootstrap the basic setup of an admin user, project, and domain. However, the
# admin_token provides an easy vector of attack for production keystone
# installations. Including this class will remove the admin_token_auth
# from the paste pipeline to improve security. After this class is run,
# future puppet runs must have an openrc file with valid keystone v3
# admin credentials in /root/openrc available, or else must be run with
# valid keystone v3 credentials set as environment variables.
#
class keystone::disable_admin_token_auth {

  # Resource default for every Ini_subsetting below: the admin user, project
  # and role must already have been bootstrapped (that bootstrap is what still
  # needs the admin token) before the token auth filter is pulled out.
  Ini_subsetting {
    require => Class['keystone::roles::admin'],
  }

  # Only when puppet manages a running keystone service: a changed pipeline
  # notifies the refreshonly restart exec from the main keystone class, which
  # restarts keystone once regardless of how many pipelines were edited.
  if $::keystone::manage_service and $::keystone::enabled {
    Ini_subsetting {
      notify => Exec['restart_keystone'],
    }
  }

  # Remove the admin_token_auth keyword from each pipeline list. The
  # [filter:admin_token_auth] section itself is left in place; it is inert
  # once no pipeline references it.
  ini_subsetting { 'public_api/admin_token_auth':
    ensure     => absent,
    path       => '/etc/keystone/keystone-paste.ini',
    section    => 'pipeline:public_api',
    setting    => 'pipeline',
    subsetting => 'admin_token_auth',
  }

  ini_subsetting { 'admin_api/admin_token_auth':
    ensure     => absent,
    path       => '/etc/keystone/keystone-paste.ini',
    section    => 'pipeline:admin_api',
    setting    => 'pipeline',
    subsetting => 'admin_token_auth',
  }

  ini_subsetting { 'api_v3/admin_token_auth':
    ensure     => absent,
    path       => '/etc/keystone/keystone-paste.ini',
    section    => 'pipeline:api_v3',
    setting    => 'pipeline',
    subsetting => 'admin_token_auth',
  }

}
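The edit that the three ini_subsetting resources above perform, together with the check an operator would want to run after the puppet run, as an added example that is not part of puppet-keystone. It strips admin_token_auth from every [pipeline:*] section (a generalisation of the class, which names the three pipelines explicitly) and audits which pipelines still carry it. The keystone-paste.ini content is a constructed sample, not a file from any real deployment; the function names remove_pipeline_filter and pipelines_using are this example's own. Filters are matched as whole tokens so that the separate token_auth filter is never damaged by the removal of admin_token_auth, and the [filter:admin_token_auth] definition is left in place, as the puppet class leaves it.

```python
import re

# Constructed sample of a keystone-paste.ini (not taken from a real system).
# All three pipelines still carry admin_token_auth, which is the state the
# keystone::disable_admin_token_auth class is written to clean up.
SAMPLE_PASTE_INI = """\
[filter:admin_token_auth]
use = egg:keystone#admin_token_auth

[filter:token_auth]
use = egg:keystone#token_auth

[pipeline:public_api]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension public_service

[pipeline:admin_api]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension admin_service

[pipeline:api_v3]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension service_v3

[composite:main]
use = egg:Paste#urlmap
/v2.0 = public_api
/v3 = api_v3
/ = public_version_api
"""

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
# Left-hand side keeps the original "pipeline = " spelling and spacing so the
# rewritten line differs from the original only in the filter list.
PIPELINE_RE = re.compile(r"^(?P<lhs>\s*pipeline\s*=\s*)(?P<value>.*?)\s*$")


def pipelines_using(text, filter_name="admin_token_auth"):
    """Audit helper: names of [pipeline:*] sections whose 'pipeline' value
    still contains filter_name as a whole token. An empty list means the
    filter has been removed everywhere."""
    hits = []
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        pm = PIPELINE_RE.match(line)
        if section and section.startswith("pipeline:") and pm:
            if filter_name in pm.group("value").split():
                hits.append(section)
    return hits


def remove_pipeline_filter(text, filter_name="admin_token_auth"):
    """Remove filter_name from the 'pipeline' value of every [pipeline:*]
    section and touch no other line (the [filter:...] definition stays).
    Returns (new_text, changed_sections); running it again changes nothing."""
    out = []
    changed = []
    section = None
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        newline = line[len(body):]
        m = SECTION_RE.match(body)
        if m:
            section = m.group("name")
        else:
            pm = PIPELINE_RE.match(body)
            if section and section.startswith("pipeline:") and pm:
                filters = pm.group("value").split()
                if filter_name in filters:
                    kept = [f for f in filters if f != filter_name]
                    body = pm.group("lhs") + " ".join(kept)
                    changed.append(section)
        out.append(body + newline)
    return "".join(out), changed


if __name__ == "__main__":
    print("before:", pipelines_using(SAMPLE_PASTE_INI))
    cleaned, changed = remove_pipeline_filter(SAMPLE_PASTE_INI)
    print("changed:", changed)
    print("after:", pipelines_using(cleaned))
```

On a real host the post-run check is pipelines_using(open('/etc/keystone/keystone-paste.ini').read()), which should return an empty list once the class has applied. Editing the file is not enough on its own: keystone only re-reads the paste pipeline on restart, which is why the class notifies Exec['restart_keystone'] when puppet manages the service.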