openstack/tripleo-heat-templates
Code Issues Proposed changes

Enable support for openidc federation in keystone

Browse Source 
This exposes parameters to configure OpenIDC federation in Keystone.

Change-Id: I3e06ca5fde65f3e2c3c084f96209d1b38d5f8b86
Depends-on: Id2ef3558a359883bf3182f50d6a082b1789a900a
This commit is contained in:
Lars Kellogg-Stedman 2018-06-12 14:35:00 -04:00 committed by Nathan Kinder
parent c2c48aae03
commit a0a7c4fa83
3 changed files with 184 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
environments/enable-federation-openidc.yaml Normal file
View File

@ -0,0 +1,63 @@
# *******************************************************************
# This file was created automatically by the sample environment
# generator. Developers should use `tox -e genconfig` to update it.
# Users are recommended to make changes to a copy of the file instead
# of the original, if any customizations are needed.
# *******************************************************************
# title: Enable keystone federation with OpenID Connect
# description: |
# This is an example template on how to configure keystone federation for
# the OpenID Connect protocol. You must modify the parameters to use
# values appropriate for your identity provider.
parameter_defaults:
# A list of methods used for authentication.
# Type: comma_delimited_list
KeystoneAuthMethods: password,token,openid
# The client ID to use when handshaking with your OpenID Connect provider
# Type: string
KeystoneOpenIdcClientId: myclientid
# The client secret to use when handshaking with your OpenID Connect provider
# Type: string
KeystoneOpenIdcClientSecret: myclientsecret
# Passphrase to use when encrypting data for OpenID Connect handshake.
# Type: string
KeystoneOpenIdcCryptoPassphrase: openstack
# The name associated with the IdP in Keystone.
# Type: string
KeystoneOpenIdcIdpName: myidp
# The url that points to your OpenID Connect provider metadata
# Type: string
KeystoneOpenIdcProviderMetadataUrl: https://myidp.example.test/metadata
# Attribute to be used to obtain the entity ID of the Identity Provider from the environment.
# Type: string
KeystoneOpenIdcRemoteIdAttribute: HTTP_OIDC_ISS
# Response type to be expected from the OpenID Connect provider.
# Type: string
KeystoneOpenIdcResponseType: id_token
# A list of dashboard URLs trusted for single sign-on.
# Type: comma_delimited_list
KeystoneTrustedDashboards: https://dashboard.example.test
# ******************************************************
# Static parameters - these are values that must be
# included in the environment but should not be changed.
# ******************************************************
# Enable support for federated authentication.
# Type: boolean
KeystoneFederationEnable: True
# Enable support for OpenIDC federation.
# Type: boolean
KeystoneOpenIdcEnable: True
# *********************
# End static parameters
# *********************

87
puppet/services/keystone.yaml
View File

@ -313,6 +313,57 @@ parameters:
description: Create the _member_ role, useful for undercloud deployment.
type: boolean
default: False
KeystoneFederationEnable:
type: boolean
default: false
description: Enable support for federated authentication.
KeystoneTrustedDashboards:
type: comma_delimited_list
default: []
description: A list of dashboard URLs trusted for single sign-on.
KeystoneAuthMethods:
type: comma_delimited_list
default: []
description: >-
A list of methods used for authentication.
KeystoneOpenIdcEnable:
type: boolean
default: false
description: Enable support for OpenIDC federation.
KeystoneOpenIdcIdpName:
type: string
default: ''
description: The name associated with the IdP in Keystone.
KeystoneOpenIdcProviderMetadataUrl:
type: string
default: ''
description: The url that points to your OpenID Connect provider metadata
KeystoneOpenIdcClientId:
type: string
default: ''
description: >-
The client ID to use when handshaking with your OpenID Connect provider
KeystoneOpenIdcClientSecret:
type: string
default: ''
description: >-
The client secret to use when handshaking with your OpenID
Connect provider
KeystoneOpenIdcCryptoPassphrase:
type: string
default: 'openstack'
description: >-
Passphrase to use when encrypting data for OpenID Connect handshake.
KeystoneOpenIdcResponseType:
type: string
default: 'id_token'
description: Response type to be expected from the OpenID Connect provider.
KeystoneOpenIdcRemoteIdAttribute:
type: string
default: 'HTTP_OIDC_ISS'
description: >-
Attribute to be used to obtain the entity ID of the Identity Provider
from the environment.
parameter_groups:
- label: deprecated
@ -342,6 +393,8 @@ resources:
conditions:
keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
keystone_ldap_domain_enabled: {equals: [{get_param: KeystoneLDAPDomainEnable}, True]}
keystone_federation_enabled: {equals: [{get_param: KeystoneFederationEnable}, True]}
keystone_openidc_enabled: {equals: [{get_param: KeystoneOpenIdcEnable}, True]}
service_debug_unset: {equals : [{get_param: KeystoneDebug}, '']}
# Security compliance
@ -497,6 +550,40 @@ outputs:
keystone::cron::token_flush::maxdelay: {get_param: KeystoneCronTokenFlushMaxDelay}
keystone::cron::token_flush::destination: {get_param: KeystoneCronTokenFlushDestination}
keystone::cron::token_flush::user: {get_param: KeystoneCronTokenFlushUser}
-
if:
- keystone_federation_enabled
-
keystone_federation_enabled: True
keystone::federation::trusted_dashboards:
get_param: KeystoneTrustedDashboards
- {}
-
if:
- keystone_openidc_enabled
-
keystone_openidc_enabled: True
keystone::federation::openidc::methods:
get_param: KeystoneAuthMethods
keystone::federation::openidc::keystone_public_url:
get_param: [EndpointMap, KeystonePublic, uri_no_suffix]
keystone::federation::openidc::keystone_admin_url:
get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]
keystone::federation::openidc::idp_name:
get_param: KeystoneOpenIdcIdpName
keystone::federation::openidc::openidc_provider_metadata_url:
get_param: KeystoneOpenIdcProviderMetadataUrl
keystone::federation::openidc::openidc_client_id:
get_param: KeystoneOpenIdcClientId
keystone::federation::openidc::openidc_client_secret:
get_param: KeystoneOpenIdcClientSecret
keystone::federation::openidc::openidc_crypto_passphrase:
get_param: KeystoneOpenIdcCryptoPassphrase
keystone::federation::openidc::openidc_response_type:
get_param: KeystoneOpenIdcResponseType
keystone::federation::openidc::remote_id_attribute:
get_param: KeystoneOpenIdcRemoteIdAttribute
- {}
-
if:
- keystone_ldap_domain_enabled

34
sample-env-generator/openidc.yaml Normal file
View File

@ -0,0 +1,34 @@
environments:
-
name: enable-federation-openidc
title: Enable keystone federation with OpenID Connect
files:
puppet/services/keystone.yaml:
parameters:
- KeystoneFederationEnable
- KeystoneAuthMethods
- KeystoneTrustedDashboards
- KeystoneOpenIdcEnable
- KeystoneOpenIdcIdpName
- KeystoneOpenIdcProviderMetadataUrl
- KeystoneOpenIdcClientId
- KeystoneOpenIdcClientSecret
- KeystoneOpenIdcCryptoPassphrase
- KeystoneOpenIdcResponseType
- KeystoneOpenIdcRemoteIdAttribute
sample_values:
KeystoneFederationEnable: True
KeystoneOpenIdcEnable: True
KeystoneAuthMethods: 'password,token,openid'
KeystoneTrustedDashboards: 'https://dashboard.example.test'
KeystoneOpenIdcIdpName: 'myidp'
KeystoneOpenIdcProviderMetadataUrl: 'https://myidp.example.test/metadata'
KeystoneOpenIdcClientId: 'myclientid'
KeystoneOpenIdcClientSecret: 'myclientsecret'
static:
- KeystoneFederationEnable
- KeystoneOpenIdcEnable
description: |
This is an example template on how to configure keystone federation for
the OpenID Connect protocol. You must modify the parameters to use
values appropriate for your identity provider.