From 37548ddb40598d9aaece12edf7e0ce4514431e27 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Sun, 11 Oct 2020 00:51:06 +0900
Subject: [PATCH] Enforce internal api for token verification

This change enforces the usage of internal api for token verification, so that internal requests to keystone uses internal endpoint instead of admin endpoint which is deployed on provisioning network by default.

Change-Id: I8b5ac36ff1da46844d18fa73f835175e52719a63
Closes-Bug: #1899266
---
 deployment/aodh/aodh-base.yaml | 1 +
 deployment/barbican/barbican-api-container-puppet.yaml | 1 +
 deployment/cinder/cinder-api-container-puppet.yaml | 1 +
 deployment/deprecated/mistral/mistral-base.yaml | 1 +
 deployment/deprecated/novajoin/novajoin-container-puppet.yaml | 1 +
 deployment/deprecated/sahara/sahara-base.yaml | 1 +
 .../experimental/designate/designate-api-container-puppet.yaml | 1 +
 deployment/glance/glance-api-container-puppet.yaml | 1 +
 deployment/gnocchi/gnocchi-api-container-puppet.yaml | 1 +
 deployment/heat/heat-base-puppet.yaml | 1 +
 deployment/ironic/ironic-api-container-puppet.yaml | 1 +
 deployment/ironic/ironic-inspector-container-puppet.yaml | 1 +
 deployment/manila/manila-api-container-puppet.yaml | 1 +
 deployment/manila/manila-share-container-puppet.yaml | 1 +
 deployment/neutron/neutron-api-container-puppet.yaml | 1 +
 deployment/nova/nova-api-container-puppet.yaml | 1 +
 deployment/nova/nova-compute-container-puppet.yaml | 1 +
 deployment/nova/nova-metadata-container-puppet.yaml | 1 +
 deployment/octavia/octavia-api-container-puppet.yaml | 3 ++-
 deployment/placement/placement-api-container-puppet.yaml | 1 +
 deployment/swift/swift-proxy-container-puppet.yaml | 1 +
 deployment/zaqar/zaqar-container-puppet.yaml | 1 +
 22 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/deployment/aodh/aodh-base.yaml b/deployment/aodh/aodh-base.yaml
index 918e572e74..2e7a87345c 100644
--- a/deployment/aodh/aodh-base.yaml
+++ b/deployment/aodh/aodh-base.yaml
@@ -107,6 +107,7 @@ outputs:
 aodh::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
 aodh::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
 aodh::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+ aodh::keystone::authtoken::interface: 'internal'
 aodh::auth::auth_password: {get_param: AodhPassword}
 aodh::auth::auth_region: {get_param: KeystoneRegion}
 aodh::auth::auth_project_name: 'service'
diff --git a/deployment/barbican/barbican-api-container-puppet.yaml b/deployment/barbican/barbican-api-container-puppet.yaml
index 8d4e2c7522..e4626b9bb7 100644
--- a/deployment/barbican/barbican-api-container-puppet.yaml
+++ b/deployment/barbican/barbican-api-container-puppet.yaml
@@ -242,6 +242,7 @@ outputs:
 barbican::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
 barbican::keystone::authtoken::project_name: 'service'
 barbican::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+ barbican::keystone::authtoken::interface: 'internal'
 barbican::keystone::notification::enable_keystone_notification: True
 barbican::keystone::notification::keystone_notification_topic: 'barbican_notifications'
 barbican::policy::policies: {get_param: BarbicanPolicies}
diff --git a/deployment/cinder/cinder-api-container-puppet.yaml b/deployment/cinder/cinder-api-container-puppet.yaml
index 053621dbee..1dde966d65 100644
--- a/deployment/cinder/cinder-api-container-puppet.yaml
+++ b/deployment/cinder/cinder-api-container-puppet.yaml
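Review bot: Every one of the 22 hunks pins `<service>::keystone::authtoken::interface: 'internal'` as a literal, which presumes that each pinned puppet-<service> module already exposes an `interface` parameter on its authtoken class and that the deployed keystonemiddleware honours the `interface` option; an unknown class parameter aborts the Puppet run for that service, so the module minimum versions should be verified in the same change (this applies equally to the barbican hunk on this line and to the remaining hunks through zaqar). The direction is right from an exposure standpoint: the commit message states that token-validation traffic otherwise falls back to the admin endpoint on the provisioning network, and this confines it to the internal API network. Nothing in the templates records why the value is hard-coded rather than parameterised, so a comment at the first occurrence such as `# Validate tokens via the internal endpoint, not the admin one (bug 1899266)` would help the next maintainer.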
@@ -182,6 +182,7 @@ outputs:
 cinder::keystone::authtoken::user_domain_name: 'Default'
 cinder::keystone::authtoken::project_domain_name: 'Default'
 cinder::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+ cinder::keystone::authtoken::interface: 'internal'
 cinder::policy::policies: {get_param: CinderApiPolicies}
 cinder::notification_driver: {get_param: NotificationDriver}
 cinder::api::default_volume_type: {get_param: CinderDefaultVolumeType}
diff --git a/deployment/deprecated/mistral/mistral-base.yaml b/deployment/deprecated/mistral/mistral-base.yaml
index 2b353a9847..afedf2f636 100644
--- a/deployment/deprecated/mistral/mistral-base.yaml
+++ b/deployment/deprecated/mistral/mistral-base.yaml
@@ -107,6 +107,7 @@ outputs:
 mistral::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneV3Internal, uri]}
 mistral::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
 mistral::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+ mistral::keystone::authtoken::interface: 'internal'
 mistral::keystone_ec2_uri:
 list_join:
 - ''
diff --git a/deployment/deprecated/novajoin/novajoin-container-puppet.yaml b/deployment/deprecated/novajoin/novajoin-container-puppet.yaml
index 3b867f6ac2..087d167fd5 100644
--- a/deployment/deprecated/novajoin/novajoin-container-puppet.yaml
+++ b/deployment/deprecated/novajoin/novajoin-container-puppet.yaml
@@ -134,6 +134,7 @@ outputs:
 nova::metadata::novajoin::authtoken::password: {get_param: NovajoinPassword}
 nova::metadata::novajoin::authtoken::project_name: 'service'
 nova::metadata::novajoin::authtoken::region_name: {get_param: KeystoneRegion}
+ nova::metadata::novajoin::authtoken::interface: 'internal'
 nova::metadata::novajoin::policy::policies: {get_param: NovajoinPolicies}
 service_config_settings:
 nova_metadata: &nova_vendordata
diff --git a/deployment/deprecated/sahara/sahara-base.yaml b/deployment/deprecated/sahara/sahara-base.yaml
index 3ffb4053d6..ae6dd88713 100644
--- a/deployment/deprecated/sahara/sahara-base.yaml
+++ b/deployment/deprecated/sahara/sahara-base.yaml
@@ -117,3 +117,4 @@ outputs:
 sahara::keystone::authtoken::user_domain_name: 'Default'
 sahara::keystone::authtoken::project_domain_name: 'Default'
 sahara::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+ sahara::keystone::authtoken::interface: 'internal'
diff --git a/deployment/experimental/designate/designate-api-container-puppet.yaml b/deployment/experimental/designate/designate-api-container-puppet.yaml
index ec2e17b98d..184e97acf3 100644
--- a/deployment/experimental/designate/designate-api-container-puppet.yaml
+++ b/deployment/experimental/designate/designate-api-container-puppet.yaml
@@ -104,6 +104,7 @@ outputs:
 designate::keystone::authtoken::project_name: 'service'
 designate::keystone::authtoken::password: {get_param: DesignatePassword}
 designate::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+ designate::keystone::authtoken::interface: 'internal'
 tripleo::profile::base::designate::api::listen_ip:
 str_replace:
 template:
diff --git a/deployment/glance/glance-api-container-puppet.yaml b/deployment/glance/glance-api-container-puppet.yaml
index a97364426e..137fb1bf35 100644
--- a/deployment/glance/glance-api-container-puppet.yaml
+++ b/deployment/glance/glance-api-container-puppet.yaml
@@ -431,6 +431,7 @@ outputs:
 glance::api::authtoken::region_name: {get_param: KeystoneRegion}
 glance::api::authtoken::user_domain_name: 'Default'
 glance::api::authtoken::project_domain_name: 'Default'
+ glance::api::authtoken::interface: 'internal'
 glance::api::pipeline:
 if:
 - glance_cache_enabled
diff --git a/deployment/gnocchi/gnocchi-api-container-puppet.yaml b/deployment/gnocchi/gnocchi-api-container-puppet.yaml
index 8fc5b8fe88..22fc1f11e9 100644
--- a/deployment/gnocchi/gnocchi-api-container-puppet.yaml
+++ b/deployment/gnocchi/gnocchi-api-container-puppet.yaml
@@ -205,6 +205,7 @@ outputs:
 gnocchi::keystone::authtoken::user_domain_name: 'Default'
 gnocchi::keystone::authtoken::project_domain_name: 'Default'
 gnocchi::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+ gnocchi::keystone::authtoken::interface: 'internal'
 gnocchi::wsgi::apache::ssl: {get_param: EnableInternalTLS}
 gnocchi::wsgi::apache::servername:
 str_replace:
diff --git a/deployment/heat/heat-base-puppet.yaml b/deployment/heat/heat-base-puppet.yaml
index c36c61cc95..d9e8e79b91 100644
--- a/deployment/heat/heat-base-puppet.yaml
+++ b/deployment/heat/heat-base-puppet.yaml
@@ -167,6 +167,7 @@ outputs:
 heat::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
 heat::keystone::authtoken::password: {get_param: HeatPassword}
 heat::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+ heat::keystone::authtoken::interface: 'internal'
 heat::heat_keystone_clients_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix] }
 heat::keystone::domain::domain_name: 'heat_stack'
 heat::keystone::domain::domain_admin: 'heat_stack_domain_admin'
diff --git a/deployment/ironic/ironic-api-container-puppet.yaml b/deployment/ironic/ironic-api-container-puppet.yaml
index 803c32a71a..2bf2cbc575 100644
--- a/deployment/ironic/ironic-api-container-puppet.yaml
+++ b/deployment/ironic/ironic-api-container-puppet.yaml
@@ -143,6 +143,7 @@ outputs:
 ironic::api::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
 ironic::api::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
 ironic::api::authtoken::region_name: {get_param: KeystoneRegion }
+ ironic::api::authtoken::interface: 'internal'
 # NOTE: bind IP is found in hiera replacing the network name with the
 # local node IP for the given network; replacement examples
 # (eg. for internal_api):
diff --git a/deployment/ironic/ironic-inspector-container-puppet.yaml b/deployment/ironic/ironic-inspector-container-puppet.yaml
index a9e073280d..720cf967a4 100644
--- a/deployment/ironic/ironic-inspector-container-puppet.yaml
+++ b/deployment/ironic/ironic-inspector-container-puppet.yaml
@@ -274,6 +274,7 @@ outputs:
 ironic::inspector::authtoken::user_domain_name: 'Default'
 ironic::inspector::authtoken::project_domain_name: 'Default'
 ironic::inspector::authtoken::region_name: {get_param: KeystoneRegion}
+ ironic::inspector::authtoken::interface: 'internal'
 ironic::inspector::cors::allowed_origin: '*'
 ironic::inspector::cors::max_age: 3600
 ironic::inspector::cors::allow_methods: 'GET,POST,PUT,DELETE,OPTIONS,PATCH'
diff --git a/deployment/manila/manila-api-container-puppet.yaml b/deployment/manila/manila-api-container-puppet.yaml
index 39e7ec71ce..17774bc80f 100644
--- a/deployment/manila/manila-api-container-puppet.yaml
+++ b/deployment/manila/manila-api-container-puppet.yaml
@@ -138,6 +138,7 @@ outputs:
 manila::keystone::authtoken::user_domain_name: 'Default'
 manila::keystone::authtoken::project_domain_name: 'Default'
 manila::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+ manila::keystone::authtoken::interface: 'internal'
 # NOTE: bind IP is found in hiera replacing the network name with the
 # local node IP for the given network; replacement examples
 # (eg. for internal_api):
diff --git a/deployment/manila/manila-share-container-puppet.yaml b/deployment/manila/manila-share-container-puppet.yaml
index 965c0f6791..baccc78a46 100644
--- a/deployment/manila/manila-share-container-puppet.yaml
+++ b/deployment/manila/manila-share-container-puppet.yaml
@@ -99,6 +99,7 @@ outputs:
 manila::keystone::authtoken::user_domain_name: 'Default'
 manila::keystone::authtoken::project_domain_name: 'Default'
 manila::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+ manila::keystone::authtoken::interface: 'internal'
 # compute
 manila::compute::nova::username: 'manila'
 manila::compute::nova::password: {get_param: ManilaPassword}
diff --git a/deployment/neutron/neutron-api-container-puppet.yaml b/deployment/neutron/neutron-api-container-puppet.yaml
index 0868e7e54c..c6bf67f889 100644
--- a/deployment/neutron/neutron-api-container-puppet.yaml
+++ b/deployment/neutron/neutron-api-container-puppet.yaml
@@ -298,6 +298,7 @@ outputs:
 neutron::keystone::authtoken::user_domain_name: 'Default'
 neutron::keystone::authtoken::project_domain_name: 'Default'
 neutron::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+ neutron::keystone::authtoken::interface: 'internal'
 neutron::quota::quota_port: {get_param: NeutronPortQuota}
 neutron::quota::quota_security_group: {get_param: NeutronSecurityGroupQuota}
 neutron::server::placement::region_name: {get_param: KeystoneRegion}
diff --git a/deployment/nova/nova-api-container-puppet.yaml b/deployment/nova/nova-api-container-puppet.yaml
index b9ceafe8c7..7e2c3d9d9e 100644
--- a/deployment/nova/nova-api-container-puppet.yaml
+++ b/deployment/nova/nova-api-container-puppet.yaml
@@ -193,6 +193,7 @@ outputs:
 nova::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
 nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
 nova::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+ nova::keystone::authtoken::interface: 'internal'
 nova::api::enabled: true
 nova::api::default_floating_pool: {get_param: NovaDefaultFloatingPool}
 nova::api::enable_proxy_headers_parsing: true
diff --git a/deployment/nova/nova-compute-container-puppet.yaml b/deployment/nova/nova-compute-container-puppet.yaml
index ae2eee3f3d..e753ba6160 100644
--- a/deployment/nova/nova-compute-container-puppet.yaml
+++ b/deployment/nova/nova-compute-container-puppet.yaml
@@ -731,6 +731,7 @@ outputs:
 nova::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
 nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
 nova::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+ nova::keystone::authtoken::interface: 'internal'
 nova::cinder::username: 'cinder'
 nova::cinder::auth_type: 'v3password'
 nova::cinder::project_name: 'service'
diff --git a/deployment/nova/nova-metadata-container-puppet.yaml b/deployment/nova/nova-metadata-container-puppet.yaml
index a686b2a2ca..5e2afe4f8a 100644
--- a/deployment/nova/nova-metadata-container-puppet.yaml
+++ b/deployment/nova/nova-metadata-container-puppet.yaml
@@ -136,6 +136,7 @@ outputs:
 nova::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
 nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
 nova::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+ nova::keystone::authtoken::interface: 'internal'
 nova::wsgi::apache_metadata::api_port: '8775'
 nova::wsgi::apache_metadata::ssl: {get_param: EnableInternalTLS}
 nova::metadata::local_metadata_per_cell: {get_param: NovaLocalMetadataPerCell}
diff --git a/deployment/octavia/octavia-api-container-puppet.yaml b/deployment/octavia/octavia-api-container-puppet.yaml
index b4ca85fe3f..028fb39deb 100644
--- a/deployment/octavia/octavia-api-container-puppet.yaml
+++ b/deployment/octavia/octavia-api-container-puppet.yaml
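Review bot: In the nova-metadata hunk `nova::keystone::authtoken::auth_url` still resolves to `KeystoneAdmin`, so the added `interface: 'internal'` only moves the catalog lookup used for token validation; the service user's own authentication against `auth_url` (and the catalog fetch that comes with it) still goes to the admin endpoint on the provisioning network, which is the very exposure the commit message sets out to remove. The nova-api and nova-compute hunks use `KeystoneInternal` for the same key, so the metadata template should follow: `nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}`. Since all three templates write the same hiera key, the effective value on a node that runs more than one of these services presumably depends on merge order rather than on any of them individually; that is worth confirming rather than relying on.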
@@ -165,13 +165,14 @@ outputs:
 - {get_attr: [OctaviaWorker, role_data, config_settings]}
 - {get_attr: [OctaviaProviderConfig, role_data, config_settings]}
 - octavia::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
- octavia::policy::policies: {get_param: OctaviaApiPolicies}
 octavia::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
 octavia::keystone::authtoken::project_name: {get_param: OctaviaProjectName}
 octavia::keystone::authtoken::password: {get_param: OctaviaPassword}
 octavia::keystone::authtoken::user_domain_name: 'Default'
 octavia::keystone::authtoken::project_domain_name: 'Default'
 octavia::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+ octavia::keystone::authtoken::interface: 'internal'
+ octavia::policy::policies: {get_param: OctaviaApiPolicies}
 octavia::worker::manage_nova_flavor: {get_param: OctaviaManageNovaFlavor}
 octavia::worker::nova_flavor_config: {get_param: OctaviaFlavorProperties}
 octavia::api::service_name: 'httpd'
diff --git a/deployment/placement/placement-api-container-puppet.yaml b/deployment/placement/placement-api-container-puppet.yaml
index 27de541d17..ac0dec621a 100644
--- a/deployment/placement/placement-api-container-puppet.yaml
+++ b/deployment/placement/placement-api-container-puppet.yaml
@@ -141,6 +141,7 @@ outputs:
 placement::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
 placement::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
 placement::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+ placement::keystone::authtoken::interface: 'internal'
 placement::wsgi::apache::api_port: '8778'
 placement::wsgi::apache::ssl: {get_param: EnableInternalTLS}
 # NOTE: bind IP is found in hiera replacing the network name with the local node IP
diff --git a/deployment/swift/swift-proxy-container-puppet.yaml b/deployment/swift/swift-proxy-container-puppet.yaml
index d62f5c83e6..44d9a43427 100644
--- a/deployment/swift/swift-proxy-container-puppet.yaml
+++ b/deployment/swift/swift-proxy-container-puppet.yaml
@@ -160,6 +160,7 @@ outputs:
 swift::proxy::authtoken::password: {get_param: SwiftPassword}
 swift::proxy::authtoken::project_name: 'service'
 swift::proxy::authtoken::region_name: {get_param: KeystoneRegion}
+ swift::proxy::authtoken::interface: 'internal'
 swift::proxy::s3token::www_authenticate_uri: {get_param: [EndpointMap, KeystoneV3Internal, uri]}
 swift::proxy::node_timeout: {get_param: SwiftProxyNodeTimeout}
 -
diff --git a/deployment/zaqar/zaqar-container-puppet.yaml b/deployment/zaqar/zaqar-container-puppet.yaml
index e38c2e4d3e..fe64f1d656 100644
--- a/deployment/zaqar/zaqar-container-puppet.yaml
+++ b/deployment/zaqar/zaqar-container-puppet.yaml
@@ -159,6 +159,7 @@ outputs:
 zaqar::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
 zaqar::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
 zaqar::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+ zaqar::keystone::authtoken::interface: 'internal'
 zaqar::keystone::trust::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
 zaqar::logging::debug:
 if: