From a10dee72cf4e89588834919c4f19fefbfb8590c0 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Sun, 11 Oct 2020 00:51:06 +0900
Subject: [PATCH] Enforce internal api for token verification

This change enforces the usage of internal api for token verification, so that internal requests to keystone uses internal endpoint instead of admin endpoint which is deployed on provisioning network by default.
Conflicts:
deployment/heat/heat-base-puppet.yaml
deployment/nova/nova-api-container-puppet.yaml
Change-Id: I8b5ac36ff1da46844d18fa73f835175e52719a63
Closes-Bug: #1899266
(cherry picked from commit 37548ddb40598d9aaece12edf7e0ce4514431e27)
---
 deployment/aodh/aodh-base.yaml | 1 +
 deployment/barbican/barbican-api-container-puppet.yaml | 1 +
 deployment/cinder/cinder-api-container-puppet.yaml | 1 +
 deployment/deprecated/sahara/sahara-base.yaml | 1 +
 .../experimental/designate/designate-api-container-puppet.yaml | 1 +
 deployment/glance/glance-api-container-puppet.yaml | 1 +
 deployment/gnocchi/gnocchi-api-container-puppet.yaml | 1 +
 deployment/heat/heat-base-puppet.yaml | 1 +
 deployment/ironic/ironic-api-container-puppet.yaml | 1 +
 deployment/ironic/ironic-inspector-container-puppet.yaml | 1 +
 deployment/manila/manila-api-container-puppet.yaml | 1 +
 deployment/manila/manila-share-container-puppet.yaml | 1 +
 deployment/mistral/mistral-base.yaml | 1 +
 deployment/neutron/neutron-api-container-puppet.yaml | 1 +
 deployment/nova/nova-api-container-puppet.yaml | 1 +
 deployment/nova/nova-compute-container-puppet.yaml | 1 +
 deployment/nova/nova-metadata-container-puppet.yaml | 1 +
 deployment/nova/novajoin-container-puppet.yaml | 1 +
 deployment/octavia/octavia-api-container-puppet.yaml | 3 ++-
 deployment/placement/placement-api-container-puppet.yaml | 1 +
 deployment/swift/swift-proxy-container-puppet.yaml | 1 +
 deployment/zaqar/zaqar-container-puppet.yaml | 1 +
 22 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/deployment/aodh/aodh-base.yaml b/deployment/aodh/aodh-base.yaml
index 918e572e74..2e7a87345c 100644
--- a/deployment/aodh/aodh-base.yaml
+++ b/deployment/aodh/aodh-base.yaml
@@ -107,6 +107,7 @@ outputs:
 aodh::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
 aodh::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
 aodh::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+ aodh::keystone::authtoken::interface: 'internal'
 aodh::auth::auth_password: {get_param: AodhPassword}
 aodh::auth::auth_region: {get_param: KeystoneRegion}
 aodh::auth::auth_project_name: 'service'
diff --git a/deployment/barbican/barbican-api-container-puppet.yaml b/deployment/barbican/barbican-api-container-puppet.yaml
index 5ad3bd272d..dcd51bb589 100644
--- a/deployment/barbican/barbican-api-container-puppet.yaml
+++ b/deployment/barbican/barbican-api-container-puppet.yaml
@@ -253,6 +253,7 @@ outputs:
 barbican::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
 barbican::keystone::authtoken::project_name: 'service'
 barbican::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+ barbican::keystone::authtoken::interface: 'internal'
 barbican::keystone::notification::enable_keystone_notification: True
 barbican::keystone::notification::keystone_notification_topic: 'barbican_notifications'
 barbican::policy::policies: {get_param: BarbicanPolicies}
diff --git a/deployment/cinder/cinder-api-container-puppet.yaml b/deployment/cinder/cinder-api-container-puppet.yaml
index 172fd08b53..77e340e2df 100644
--- a/deployment/cinder/cinder-api-container-puppet.yaml
+++ b/deployment/cinder/cinder-api-container-puppet.yaml
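Review bot: The `aodh::keystone::authtoken::interface: 'internal'` key added in this hunk (and the equivalent key in every other hunk of this patch) is a hiera data binding, so it only takes effect if the puppet-aodh class behind it declares an `interface` parameter; as far as I can tell, a key for an undeclared parameter is silently ignored rather than rejected, so a deployment on an older puppet module set would keep validating tokens through keystonemiddleware's default interface with no error to show it. It would be worth pinning the puppet module versions that carry the parameter, or asserting the rendered `[keystone_authtoken] interface = internal` in a CI job, so the fix for the referenced bug is actually verifiable. The literal `'internal'` is also repeated across all 22 files; lifting it into one shared parameter would keep any future endpoint-policy change to a single place. A release note explaining that token-validation traffic moves off the admin endpoint would also help operators who have firewalled the provisioning network on that assumption.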
@@ -186,6 +186,7 @@ outputs:
 cinder::keystone::authtoken::user_domain_name: 'Default'
 cinder::keystone::authtoken::project_domain_name: 'Default'
 cinder::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+ cinder::keystone::authtoken::interface: 'internal'
 cinder::policy::policies: {get_param: CinderApiPolicies}
 cinder::notification_driver: {get_param: NotificationDriver}
 cinder::api::default_volume_type: {get_param: CinderDefaultVolumeType}
diff --git a/deployment/deprecated/sahara/sahara-base.yaml b/deployment/deprecated/sahara/sahara-base.yaml
index 3ffb4053d6..ae6dd88713 100644
--- a/deployment/deprecated/sahara/sahara-base.yaml
+++ b/deployment/deprecated/sahara/sahara-base.yaml
@@ -117,3 +117,4 @@ outputs:
 sahara::keystone::authtoken::user_domain_name: 'Default'
 sahara::keystone::authtoken::project_domain_name: 'Default'
 sahara::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+ sahara::keystone::authtoken::interface: 'internal'
diff --git a/deployment/experimental/designate/designate-api-container-puppet.yaml b/deployment/experimental/designate/designate-api-container-puppet.yaml
index ec2e17b98d..184e97acf3 100644
--- a/deployment/experimental/designate/designate-api-container-puppet.yaml
+++ b/deployment/experimental/designate/designate-api-container-puppet.yaml
@@ -104,6 +104,7 @@ outputs:
 designate::keystone::authtoken::project_name: 'service'
 designate::keystone::authtoken::password: {get_param: DesignatePassword}
 designate::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+ designate::keystone::authtoken::interface: 'internal'
 tripleo::profile::base::designate::api::listen_ip:
 str_replace:
 template:
diff --git a/deployment/glance/glance-api-container-puppet.yaml b/deployment/glance/glance-api-container-puppet.yaml
index eceff9c7cc..9b6b51aec0 100644
--- a/deployment/glance/glance-api-container-puppet.yaml
+++ b/deployment/glance/glance-api-container-puppet.yaml
@@ -422,6 +422,7 @@ outputs:
 glance::api::authtoken::region_name: {get_param: KeystoneRegion}
 glance::api::authtoken::user_domain_name: 'Default'
 glance::api::authtoken::project_domain_name: 'Default'
+ glance::api::authtoken::interface: 'internal'
 glance::api::pipeline:
 if:
 - glance_cache_enabled
diff --git a/deployment/gnocchi/gnocchi-api-container-puppet.yaml b/deployment/gnocchi/gnocchi-api-container-puppet.yaml
index 8fc5b8fe88..22fc1f11e9 100644
--- a/deployment/gnocchi/gnocchi-api-container-puppet.yaml
+++ b/deployment/gnocchi/gnocchi-api-container-puppet.yaml
@@ -205,6 +205,7 @@ outputs:
 gnocchi::keystone::authtoken::user_domain_name: 'Default'
 gnocchi::keystone::authtoken::project_domain_name: 'Default'
 gnocchi::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+ gnocchi::keystone::authtoken::interface: 'internal'
 gnocchi::wsgi::apache::ssl: {get_param: EnableInternalTLS}
 gnocchi::wsgi::apache::servername:
 str_replace:
diff --git a/deployment/heat/heat-base-puppet.yaml b/deployment/heat/heat-base-puppet.yaml
index fafb3c1ae6..dc95e530b4 100644
--- a/deployment/heat/heat-base-puppet.yaml
+++ b/deployment/heat/heat-base-puppet.yaml
@@ -178,6 +178,7 @@ outputs:
 heat::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
 heat::keystone::authtoken::password: {get_param: HeatPassword}
 heat::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+ heat::keystone::authtoken::interface: 'internal'
 heat::keystone::domain::domain_name: 'heat_stack'
 heat::keystone::domain::domain_admin: 'heat_stack_domain_admin'
 heat::keystone::domain::domain_admin_email: 'heat_stack_domain_admin@localhost'
diff --git a/deployment/ironic/ironic-api-container-puppet.yaml b/deployment/ironic/ironic-api-container-puppet.yaml
index c373332080..3ae92222cf 100644
--- a/deployment/ironic/ironic-api-container-puppet.yaml
+++ b/deployment/ironic/ironic-api-container-puppet.yaml
@@ -143,6 +143,7 @@ outputs:
 ironic::api::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
 ironic::api::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
 ironic::api::authtoken::region_name: {get_param: KeystoneRegion }
+ ironic::api::authtoken::interface: 'internal'
 # NOTE: bind IP is found in hiera replacing the network name with the
 # local node IP for the given network; replacement examples
 # (eg. for internal_api):
diff --git a/deployment/ironic/ironic-inspector-container-puppet.yaml b/deployment/ironic/ironic-inspector-container-puppet.yaml
index b7548be67d..7b0a9132bc 100644
--- a/deployment/ironic/ironic-inspector-container-puppet.yaml
+++ b/deployment/ironic/ironic-inspector-container-puppet.yaml
@@ -274,6 +274,7 @@ outputs:
 ironic::inspector::authtoken::user_domain_name: 'Default'
 ironic::inspector::authtoken::project_domain_name: 'Default'
 ironic::inspector::authtoken::region_name: {get_param: KeystoneRegion}
+ ironic::inspector::authtoken::interface: 'internal'
 ironic::inspector::cors::allowed_origin: '*'
 ironic::inspector::cors::max_age: 3600
 ironic::inspector::cors::allow_methods: 'GET,POST,PUT,DELETE,OPTIONS,PATCH'
diff --git a/deployment/manila/manila-api-container-puppet.yaml b/deployment/manila/manila-api-container-puppet.yaml
index 6708ca1c0f..e4b4a1874c 100644
--- a/deployment/manila/manila-api-container-puppet.yaml
+++ b/deployment/manila/manila-api-container-puppet.yaml
@@ -138,6 +138,7 @@ outputs:
 manila::keystone::authtoken::user_domain_name: 'Default'
 manila::keystone::authtoken::project_domain_name: 'Default'
 manila::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+ manila::keystone::authtoken::interface: 'internal'
 # NOTE: bind IP is found in hiera replacing the network name with the
 # local node IP for the given network; replacement examples
 # (eg. for internal_api):
diff --git a/deployment/manila/manila-share-container-puppet.yaml b/deployment/manila/manila-share-container-puppet.yaml
index 591667f6c1..689e139cfc 100644
--- a/deployment/manila/manila-share-container-puppet.yaml
+++ b/deployment/manila/manila-share-container-puppet.yaml
@@ -99,6 +99,7 @@ outputs:
 manila::keystone::authtoken::user_domain_name: 'Default'
 manila::keystone::authtoken::project_domain_name: 'Default'
 manila::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+ manila::keystone::authtoken::interface: 'internal'
 # compute
 manila::compute::nova::username: 'manila'
 manila::compute::nova::password: {get_param: ManilaPassword}
diff --git a/deployment/mistral/mistral-base.yaml b/deployment/mistral/mistral-base.yaml
index 5ba93c116c..213b2b95be 100644
--- a/deployment/mistral/mistral-base.yaml
+++ b/deployment/mistral/mistral-base.yaml
@@ -107,6 +107,7 @@ outputs:
 mistral::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneV3Internal, uri]}
 mistral::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
 mistral::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+ mistral::keystone::authtoken::interface: 'internal'
 mistral::keystone_ec2_uri:
 list_join:
 - ''
diff --git a/deployment/neutron/neutron-api-container-puppet.yaml b/deployment/neutron/neutron-api-container-puppet.yaml
index 0b52a808ba..2b6142deb2 100644
--- a/deployment/neutron/neutron-api-container-puppet.yaml
+++ b/deployment/neutron/neutron-api-container-puppet.yaml
@@ -308,6 +308,7 @@ outputs:
 neutron::keystone::authtoken::user_domain_name: 'Default'
 neutron::keystone::authtoken::project_domain_name: 'Default'
 neutron::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+ neutron::keystone::authtoken::interface: 'internal'
 neutron::quota::quota_port: {get_param: NeutronPortQuota}
 neutron::quota::quota_security_group: {get_param: NeutronSecurityGroupQuota}
 neutron::server::sync_db: true
diff --git a/deployment/nova/nova-api-container-puppet.yaml b/deployment/nova/nova-api-container-puppet.yaml
index 2378c292e5..31e3087a36 100644
--- a/deployment/nova/nova-api-container-puppet.yaml
+++ b/deployment/nova/nova-api-container-puppet.yaml
@@ -225,6 +225,7 @@ outputs:
 nova::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
 nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
 nova::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+ nova::keystone::authtoken::interface: 'internal'
 nova::api::max_limit: {get_param: NovaApiMaxLimit}
 nova::api::enabled: true
 nova::api::default_floating_pool: {get_param: NovaDefaultFloatingPool}
diff --git a/deployment/nova/nova-compute-container-puppet.yaml b/deployment/nova/nova-compute-container-puppet.yaml
index a099dbc957..d71ce2793c 100644
--- a/deployment/nova/nova-compute-container-puppet.yaml
+++ b/deployment/nova/nova-compute-container-puppet.yaml
@@ -836,6 +836,7 @@ outputs:
 nova::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
 nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
 nova::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+ nova::keystone::authtoken::interface: 'internal'
 nova::cinder::username: 'cinder'
 nova::cinder::auth_type: 'v3password'
 nova::cinder::project_name: 'service'
diff --git a/deployment/nova/nova-metadata-container-puppet.yaml b/deployment/nova/nova-metadata-container-puppet.yaml
index a107c7aff3..bee6a46873 100644
--- a/deployment/nova/nova-metadata-container-puppet.yaml
+++ b/deployment/nova/nova-metadata-container-puppet.yaml
@@ -163,6 +163,7 @@ outputs:
 nova::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
 nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
 nova::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+ nova::keystone::authtoken::interface: 'internal'
 nova::wsgi::apache_metadata::api_port: '8775'
 nova::wsgi::apache_metadata::ssl: {get_param: EnableInternalTLS}
 nova::metadata::local_metadata_per_cell: {get_param: NovaLocalMetadataPerCell}
diff --git a/deployment/nova/novajoin-container-puppet.yaml b/deployment/nova/novajoin-container-puppet.yaml
index 0f148e4fcd..ce703c8692 100644
--- a/deployment/nova/novajoin-container-puppet.yaml
+++ b/deployment/nova/novajoin-container-puppet.yaml
@@ -134,6 +134,7 @@ outputs:
 nova::metadata::novajoin::authtoken::password: {get_param: NovajoinPassword}
 nova::metadata::novajoin::authtoken::project_name: 'service'
 nova::metadata::novajoin::authtoken::region_name: {get_param: KeystoneRegion}
+ nova::metadata::novajoin::authtoken::interface: 'internal'
 nova::metadata::novajoin::policy::policies: {get_param: NovajoinPolicies}
 service_config_settings:
 nova_metadata: &nova_vendordata
diff --git a/deployment/octavia/octavia-api-container-puppet.yaml b/deployment/octavia/octavia-api-container-puppet.yaml
index c4ea12be71..3d9fb44e06 100644
--- a/deployment/octavia/octavia-api-container-puppet.yaml
+++ b/deployment/octavia/octavia-api-container-puppet.yaml
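Review bot: In the nova-metadata hunk the added `nova::keystone::authtoken::interface: 'internal'` sits directly under a context line that still reads `nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}`, so this is the one template in the patch whose middleware still obtains its own service token from the admin endpoint. As I understand the keystonemiddleware option, `interface` only selects which catalog endpoint is used for the validation calls made after that initial authentication, so the provisioning-network traffic the commit message says it removes is only partly removed here. Every sibling template in this patch (nova-api and nova-compute in the previous line, placement below) uses `KeystoneInternal` for `auth_url`, so the consistent change would be `nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}`. If the admin endpoint is kept for nova-metadata on purpose, a one-line comment above that key saying why would stop the next reader from treating it as an oversight.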
@@ -165,13 +165,14 @@ outputs: - {get_attr: [OctaviaWorker, role_data, config_settings]} - {get_attr: [OctaviaProviderConfig, role_data, config_settings]} - octavia::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - octavia::policy::policies: {get_param: OctaviaApiPolicies} octavia::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} octavia::keystone::authtoken::project_name: {get_param: OctaviaProjectName} octavia::keystone::authtoken::password: {get_param: OctaviaPassword} octavia::keystone::authtoken::user_domain_name: 'Default' octavia::keystone::authtoken::project_domain_name: 'Default' octavia::keystone::authtoken::region_name: {get_param: KeystoneRegion} + octavia::keystone::authtoken::interface: 'internal' + octavia::policy::policies: {get_param: OctaviaApiPolicies} octavia::worker::manage_nova_flavor: {get_param: OctaviaManageNovaFlavor} octavia::worker::nova_flavor_config: {get_param: OctaviaFlavorProperties} octavia::api::sync_db: true diff --git a/deployment/placement/placement-api-container-puppet.yaml b/deployment/placement/placement-api-container-puppet.yaml index 27de541d17..ac0dec621a 100644 --- a/deployment/placement/placement-api-container-puppet.yaml +++ b/deployment/placement/placement-api-container-puppet.yaml @@ -141,6 +141,7 @@ outputs: placement::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} placement::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} placement::keystone::authtoken::region_name: {get_param: KeystoneRegion} + placement::keystone::authtoken::interface: 'internal' placement::wsgi::apache::api_port: '8778' placement::wsgi::apache::ssl: {get_param: EnableInternalTLS} # NOTE: bind IP is found in hiera replacing the network name with the local node IP 
diff --git a/deployment/swift/swift-proxy-container-puppet.yaml b/deployment/swift/swift-proxy-container-puppet.yaml
index d14b5b03c0..1df7b25a77 100644
--- a/deployment/swift/swift-proxy-container-puppet.yaml
+++ b/deployment/swift/swift-proxy-container-puppet.yaml
@@ -168,6 +168,7 @@ outputs:
 swift::proxy::authtoken::password: {get_param: SwiftPassword}
 swift::proxy::authtoken::project_name: 'service'
 swift::proxy::authtoken::region_name: {get_param: KeystoneRegion}
+ swift::proxy::authtoken::interface: 'internal'
 swift::proxy::s3token::www_authenticate_uri: {get_param: [EndpointMap, KeystoneV3Internal, uri]}
 swift::proxy::node_timeout: {get_param: SwiftProxyNodeTimeout}
 -
diff --git a/deployment/zaqar/zaqar-container-puppet.yaml b/deployment/zaqar/zaqar-container-puppet.yaml
index 55aea11d5d..a103563835 100644
--- a/deployment/zaqar/zaqar-container-puppet.yaml
+++ b/deployment/zaqar/zaqar-container-puppet.yaml
@@ -159,6 +159,7 @@ outputs:
 zaqar::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
 zaqar::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
 zaqar::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+ zaqar::keystone::authtoken::interface: 'internal'
 zaqar::keystone::trust::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
 zaqar::logging::debug:
 if: