disabling the admin_token after bootstrap
The keystone documentation highly recommends disabling the admin_token authentication after the initial bootstrap because it exposes a major attack vector. A patch in puppet-keystone [1] added the support to remove admin_token_auth keyword from the pipeline lists. This patch aims to use this new class when deploying Keystone. [1] https://review.openstack.org/#/c/256248 Change-Id: Ic545005122a0f7b92b8a9d3f1e4978b397bfc9c2
This commit is contained in:
parent
e75159f71c
commit
7346b2076a
|
@ -43,5 +43,10 @@ class openstack_integration::keystone (
|
||||||
class { '::keystone::endpoint':
|
class { '::keystone::endpoint':
|
||||||
default_domain => $default_domain,
|
default_domain => $default_domain,
|
||||||
}
|
}
|
||||||
|
class { '::keystone::disable_admin_token_auth': }
|
||||||
|
class { '::openstack_extras::auth_file':
|
||||||
|
password => 'a_big_secret',
|
||||||
|
project_domain => $default_domain,
|
||||||
|
user_domain => $default_domain,
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue