Merge "Add sssd service parameters for ldap domains"
ab0a2d38aa
|
@ -1034,6 +1034,19 @@ SERVICE_PARAM_SECTION_IDENTITY_CONFIG = 'config'
|
|||
SERVICE_PARAM_IDENTITY_CONFIG_TOKEN_EXPIRATION = 'token_expiration'
|
||||
SERVICE_PARAM_IDENTITY_CONFIG_TOKEN_EXPIRATION_DEFAULT = 3600
|
||||
|
||||
SERVICE_PARAM_SECTION_IDENTITY_LDAP_DOMAIN1 = 'ldap-domain1'
|
||||
SERVICE_PARAM_SECTION_IDENTITY_LDAP_DOMAIN2 = 'ldap-domain2'
|
||||
SERVICE_PARAM_SECTION_IDENTITY_LDAP_DOMAIN3 = 'ldap-domain3'
|
||||
SERVICE_PARAM_NAME_IDENTITY_LDAP_DOMAIN = 'domain_name'
|
||||
SERVICE_PARAM_NAME_IDENTITY_LDAP_DOMAIN_DEFAULT = 'undef'
|
||||
SERVICE_PARAM_NAME_IDENTITY_LDAP_URI = 'ldap_uri'
|
||||
SERVICE_PARAM_NAME_IDENTITY_LDAP_ACCESS_FILTER = 'ldap_access_filter'
|
||||
SERVICE_PARAM_NAME_IDENTITY_LDAP_SEARCH_BASE = 'ldap_search_base'
|
||||
SERVICE_PARAM_NAME_IDENTITY_LDAP_USER_SEARCH_BASE = 'ldap_user_search_base'
|
||||
SERVICE_PARAM_NAME_IDENTITY_LDAP_GROUP_SEARCH_BASE = 'ldap_group_search_base'
|
||||
SERVICE_PARAM_NAME_IDENTITY_LDAP_DEFAULT_BIND_DN = 'ldap_default_bind_dn'
|
||||
SERVICE_PARAM_NAME_IDENTITY_LDAP_DEFAULT_AUTH_TOK = 'ldap_default_authtok'
|
||||
|
||||
SERVICE_PARAM_PARAMETER_NAME_EXTERNAL_ADMINURL = 'external-admin-url'
|
||||
|
||||
# Platform Service Parameters
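Review bot: The three ldap-domain section names added at the top of this hunk are re-listed by hand three more times in this commit: as three identical schema entries in the `SERVICE_PARAMETER_SCHEMA` hunk, as `remote_ldap_domains` in the conductor hunk, and as `remote_domains` in the sssd puppet hunk. Defining the set once next to the constants, e.g. `SERVICE_PARAM_SECTION_IDENTITY_LDAP_DOMAINS = (SERVICE_PARAM_SECTION_IDENTITY_LDAP_DOMAIN1, SERVICE_PARAM_SECTION_IDENTITY_LDAP_DOMAIN2, SERVICE_PARAM_SECTION_IDENTITY_LDAP_DOMAIN3)` (name is a suggestion), would let all three sites iterate the same tuple and keeps a fourth domain from being added in one place only. A short comment above the group, `# sssd remote LDAP domain sections; a domain_name of 'undef' marks an unconfigured domain`, would also document the sentinel that the puppet code later relies on.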
|
||||
|
|
|
@ -225,6 +225,23 @@ def _validate_cri_class_format(name, value):
|
|||
"\n" + msg_example)))
|
||||
|
||||
|
||||
def _validate_ldap_uri(name, value):
|
||||
"""Check if the ldap domain uri is valid"""
|
||||
|
||||
parsed_value = urlparse(value)
|
||||
if not parsed_value.netloc or parsed_value.scheme != "ldaps":
|
||||
raise wsme.exc.ClientSideError(_(
|
||||
"Parameter '%s' must be a valid ldap uri." % name))
|
||||
|
||||
|
||||
def _validate_ldap_dn(name, value):
|
||||
"""Check if ldap dn is valid"""
|
||||
|
||||
if len(re.findall(r"([^\,]|\\.)*", value)):
|
||||
raise wsme.exc.ClientSideError(_(
|
||||
"Parameter '%s' must be a valid dn." % name))
|
||||
|
||||
|
||||
def _get_network_pool_from_ip_address(ip, networks):
|
||||
for name in networks:
|
||||
try:
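Review bot: `_validate_ldap_dn` rejects every value, including well-formed DNs, because `re.findall` with a `*`-quantified pattern always returns at least one (possibly empty) match, so `len(...)` is never zero; the pattern is also unanchored, so it could not tell a DN from arbitrary text even if the test were inverted. The check needs inverting and anchoring, e.g. `if not re.fullmatch(r"(?:[^,\\]|\\.)+(?:,(?:[^,\\]|\\.)+)*", value):`, which accepts one or more comma-separated RDN components with backslash escapes (use `re.match` with a trailing `$` if the file still has to run on Python 2). Note that neither this function nor `_validate_ldap_uri` is referenced by the validator table added later in this commit, so as merged neither one runs. `_get_network_pool_from_ip_address` continues outside this hunk.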
|
||||
|
@ -517,6 +534,48 @@ PLATFORM_CONFIG_PARAMETER_RESOURCE = {
|
|||
constants.SERVICE_PARAM_NAME_PLAT_CONFIG_VIRTUAL: 'platform::params::virtual_system',
|
||||
}
|
||||
|
||||
IDENTITY_LDAP_PARAMETER_OPTIONAL = [
|
||||
constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_DOMAIN,
|
||||
constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_URI,
|
||||
constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_ACCESS_FILTER,
|
||||
constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_SEARCH_BASE,
|
||||
constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_USER_SEARCH_BASE,
|
||||
constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_GROUP_SEARCH_BASE,
|
||||
constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_DEFAULT_BIND_DN,
|
||||
constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_DEFAULT_AUTH_TOK,
|
||||
]
|
||||
|
||||
IDENTITY_LDAP_PARAMETER_VALIDATOR = {
|
||||
constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_DOMAIN:
|
||||
_validate_not_empty,
|
||||
constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_URI:
|
||||
_validate_not_empty,
|
||||
constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_ACCESS_FILTER:
|
||||
_validate_not_empty,
|
||||
constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_SEARCH_BASE:
|
||||
_validate_not_empty,
|
||||
constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_USER_SEARCH_BASE:
|
||||
_validate_not_empty,
|
||||
constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_GROUP_SEARCH_BASE:
|
||||
_validate_not_empty,
|
||||
constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_DEFAULT_BIND_DN:
|
||||
_validate_not_empty,
|
||||
constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_DEFAULT_AUTH_TOK:
|
||||
_validate_not_empty,
|
||||
}
|
||||
|
||||
IDENTITY_LDAP_PARAMETER_RESOURCE = {
|
||||
constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_DOMAIN: 'platform::sssd::params::domain_name',
|
||||
constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_URI: 'platform::sssd::params::ldap_uri',
|
||||
constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_ACCESS_FILTER: 'platform::sssd::params::ldap_access_filter',
|
||||
constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_SEARCH_BASE: 'platform::sssd::params::ldap_search_base',
|
||||
constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_USER_SEARCH_BASE: 'platform::sssd::params::ldap_user_search_base',
|
||||
constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_GROUP_SEARCH_BASE: 'platform::sssd::params::ldap_group_search_base',
|
||||
constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_DEFAULT_BIND_DN: 'platform::sssd::params::ldap_default_bind_dn',
|
||||
constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_DEFAULT_AUTH_TOK: 'platform::sssd::params::ldap_default_authtok',
|
||||
|
||||
}
|
||||
|
||||
IDENTITY_CONFIG_PARAMETER_OPTIONAL = [
|
||||
constants.SERVICE_PARAM_IDENTITY_CONFIG_TOKEN_EXPIRATION,
|
||||
]
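Review bot: `IDENTITY_LDAP_PARAMETER_VALIDATOR` maps every parameter, including `ldap_uri`, to `_validate_not_empty`, so the `_validate_ldap_uri` check added in the previous hunk (host present, scheme exactly `ldaps`) never runs and a plain `ldap://` URI is accepted at the API; since `ldap_default_bind_dn` and `ldap_default_authtok` are sent over that connection, the transport check is the one worth enforcing here. Change the entry to `constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_URI: _validate_ldap_uri,` and, once `_validate_ldap_dn` is corrected, use it for the search-base and bind-DN entries instead of `_validate_not_empty`. `ldap_default_authtok` is a credential stored as an ordinary service parameter; whether the service-parameter API masks it on read cannot be confirmed from this table, and a comment on that line stating the expectation would help the next reader.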
|
||||
|
@ -1002,6 +1061,21 @@ SERVICE_PARAMETER_SCHEMA = {
|
|||
SERVICE_PARAM_VALIDATOR: IDENTITY_CONFIG_PARAMETER_VALIDATOR,
|
||||
SERVICE_PARAM_RESOURCE: IDENTITY_CONFIG_PARAMETER_RESOURCE,
|
||||
},
|
||||
constants.SERVICE_PARAM_SECTION_IDENTITY_LDAP_DOMAIN1: {
|
||||
SERVICE_PARAM_OPTIONAL: IDENTITY_LDAP_PARAMETER_OPTIONAL,
|
||||
SERVICE_PARAM_VALIDATOR: IDENTITY_LDAP_PARAMETER_VALIDATOR,
|
||||
SERVICE_PARAM_RESOURCE: IDENTITY_LDAP_PARAMETER_RESOURCE,
|
||||
},
|
||||
constants.SERVICE_PARAM_SECTION_IDENTITY_LDAP_DOMAIN2: {
|
||||
SERVICE_PARAM_OPTIONAL: IDENTITY_LDAP_PARAMETER_OPTIONAL,
|
||||
SERVICE_PARAM_VALIDATOR: IDENTITY_LDAP_PARAMETER_VALIDATOR,
|
||||
SERVICE_PARAM_RESOURCE: IDENTITY_LDAP_PARAMETER_RESOURCE,
|
||||
},
|
||||
constants.SERVICE_PARAM_SECTION_IDENTITY_LDAP_DOMAIN3: {
|
||||
SERVICE_PARAM_OPTIONAL: IDENTITY_LDAP_PARAMETER_OPTIONAL,
|
||||
SERVICE_PARAM_VALIDATOR: IDENTITY_LDAP_PARAMETER_VALIDATOR,
|
||||
SERVICE_PARAM_RESOURCE: IDENTITY_LDAP_PARAMETER_RESOURCE,
|
||||
},
|
||||
constants.SERVICE_PARAM_SECTION_SECURITY_COMPLIANCE: {
|
||||
SERVICE_PARAM_OPTIONAL: PLATFORM_KEYSTONE_PARAMETER_OPTIONAL,
|
||||
SERVICE_PARAM_VALIDATOR: PLATFORM_KEYSTONE_PARAMETER_VALIDATOR,
|
||||
|
|
|
@ -9959,12 +9959,25 @@ class ConductorManager(service.PeriodicService):
|
|||
|
||||
if do_apply:
|
||||
if service == constants.SERVICE_TYPE_IDENTITY:
|
||||
config_dict = {
|
||||
"personalities": personalities,
|
||||
"classes": ['platform::haproxy::runtime',
|
||||
'openstack::keystone::server::runtime']
|
||||
}
|
||||
self._config_apply_runtime_manifest(context, config_uuid, config_dict)
|
||||
remote_ldap_domains = [constants.SERVICE_PARAM_SECTION_IDENTITY_LDAP_DOMAIN1,
|
||||
constants.SERVICE_PARAM_SECTION_IDENTITY_LDAP_DOMAIN2,
|
||||
constants.SERVICE_PARAM_SECTION_IDENTITY_LDAP_DOMAIN3]
|
||||
|
||||
personalities = [constants.CONTROLLER]
|
||||
if section in remote_ldap_domains:
|
||||
config_dict = {
|
||||
'personalities': personalities,
|
||||
"classes": ['platform::sssd::domain::runtime']
|
||||
}
|
||||
LOG.info("Applying SSSD domain runtime manifest")
|
||||
self._config_apply_runtime_manifest(context, config_uuid, config_dict)
|
||||
else:
|
||||
config_dict = {
|
||||
"personalities": personalities,
|
||||
"classes": ['platform::haproxy::runtime',
|
||||
'openstack::keystone::server::runtime']
|
||||
}
|
||||
self._config_apply_runtime_manifest(context, config_uuid, config_dict)
|
||||
|
||||
elif service == constants.SERVICE_TYPE_HORIZON:
|
||||
config_dict = {
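Review bot: `personalities = [constants.CONTROLLER]` is assigned unconditionally before the `if section in remote_ldap_domains:` test, so the keystone/haproxy path in the `else` branch now also runs with `[constants.CONTROLLER]` instead of the `personalities` value computed earlier in the method, which is outside this hunk; if that earlier value is already controller-only this is harmless, otherwise it silently changes which hosts receive the keystone runtime manifest. Moving the assignment inside the sssd branch leaves the existing path untouched: `if section in remote_ldap_domains:` followed by `personalities = [constants.CONTROLLER]` and then the existing `config_dict` block. The `remote_ldap_domains` list repeats the set of section names already spelled out in the schema and the puppet module, and would be better taken from a shared constant. The enclosing method begins and ends outside this hunk.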
|
||||
|
|
|
@ -4,7 +4,11 @@
|
|||
# SPDX-License-Identifier: Apache-2.0
|
||||
#
|
||||
|
||||
from oslo_log import log as logging
|
||||
from sysinv.puppet import base
|
||||
from sysinv.common import constants
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
|
||||
class SssdPuppet(base.BasePuppet):
|
||||
|
@ -12,6 +16,7 @@ class SssdPuppet(base.BasePuppet):
|
|||
|
||||
SERVICE_NAME = 'ldap'
|
||||
SERVICE_USER = 'ldapadmin'
|
||||
identity_service_parameters = []
|
||||
|
||||
def get_secure_system_config(self):
|
||||
config = {}
|
||||
|
@ -19,8 +24,28 @@ class SssdPuppet(base.BasePuppet):
|
|||
nss = self._get_nss_parameters()
|
||||
pam = self._get_pam_parameters()
|
||||
|
||||
# update local domain
|
||||
domains.update({'controller': self._get_local_domain()})
|
||||
|
||||
# retrieve service parameters for service identity
|
||||
self.identity_service_parameters = self._get_service_parameters(
|
||||
constants.SERVICE_TYPE_IDENTITY)
|
||||
|
||||
if self.identity_service_parameters is not None:
|
||||
LOG.info('UPDATE Remote LDAP Domains')
|
||||
# update remote domains
|
||||
remote_domains = [constants.SERVICE_PARAM_SECTION_IDENTITY_LDAP_DOMAIN1,
|
||||
constants.SERVICE_PARAM_SECTION_IDENTITY_LDAP_DOMAIN2,
|
||||
constants.SERVICE_PARAM_SECTION_IDENTITY_LDAP_DOMAIN3]
|
||||
for domain in remote_domains:
|
||||
domain_name = self._get_service_parameter_domain_name(
|
||||
self.identity_service_parameters,
|
||||
domain)
|
||||
if domain_name != "undef":
|
||||
domains.update({domain_name: self._get_ldap_domain(
|
||||
self.identity_service_parameters,
|
||||
domain)})
|
||||
|
||||
config.update(
|
||||
{
|
||||
'platform::sssd::params::domains': domains,
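Review bot: `if domain_name != "undef":` compares against a literal while the value it tests is produced with `constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_DOMAIN_DEFAULT` as the fallback; if that constant is ever changed the unconfigured-domain check silently stops working, so write `if domain_name != constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_DOMAIN_DEFAULT:`. The `is not None` guard implies `_get_service_parameters` can return `None`, yet the class attribute it replaces is initialised to `[]` in the previous hunk; one sentinel for "not loaded" would be clearer. `LOG.info('UPDATE Remote LDAP Domains')` fires even when no remote domain is configured; logging each added `domain_name` inside the loop (never the parameter values, which include the bind password) would be more useful when checking which domains landed in the secure hiera data. The method begins and ends outside this hunk.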
|
||||
|
@ -30,9 +55,103 @@ class SssdPuppet(base.BasePuppet):
|
|||
|
||||
return config
|
||||
|
||||
def _get_ldap_domain_service_parameter_value(self, service_parameters,
|
||||
domain, parameter_name, default):
|
||||
for param in service_parameters:
|
||||
if param['section'] == domain and param['name'] == parameter_name:
|
||||
return param['value']
|
||||
return default
|
||||
|
||||
def _get_service_parameter_domain_name(self, service_parameters, domain):
|
||||
|
||||
domain_name = self._get_ldap_domain_service_parameter_value(
|
||||
service_parameters,
|
||||
domain,
|
||||
constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_DOMAIN,
|
||||
constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_DOMAIN_DEFAULT,
|
||||
)
|
||||
return domain_name
|
||||
|
||||
def _get_service_parameter_ldap_uri(self, service_parameters, domain):
|
||||
|
||||
ldap_uri = self._get_ldap_domain_service_parameter_value(
|
||||
service_parameters,
|
||||
domain,
|
||||
constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_URI,
|
||||
constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_DOMAIN_DEFAULT,
|
||||
)
|
||||
|
||||
return ldap_uri
|
||||
|
||||
def _get_service_parameter_access_filter(self, service_parameters, domain):
|
||||
|
||||
access_filter = self._get_ldap_domain_service_parameter_value(
|
||||
service_parameters,
|
||||
domain,
|
||||
constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_ACCESS_FILTER,
|
||||
constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_DOMAIN_DEFAULT,
|
||||
)
|
||||
|
||||
return access_filter
|
||||
|
||||
def _get_service_parameter_search_base(self, service_parameters, domain):
|
||||
|
||||
search_base = self._get_ldap_domain_service_parameter_value(
|
||||
service_parameters,
|
||||
domain,
|
||||
constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_SEARCH_BASE,
|
||||
constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_DOMAIN_DEFAULT,
|
||||
)
|
||||
|
||||
return search_base
|
||||
|
||||
def _get_service_parameter_user_search_base(self, service_parameters, domain):
|
||||
|
||||
user_search_base = self._get_ldap_domain_service_parameter_value(
|
||||
service_parameters,
|
||||
domain,
|
||||
constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_USER_SEARCH_BASE,
|
||||
constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_DOMAIN_DEFAULT,
|
||||
)
|
||||
|
||||
return user_search_base
|
||||
|
||||
def _get_service_parameter_group_search_base(self, service_parameters, domain):
|
||||
|
||||
group_search_base = self._get_ldap_domain_service_parameter_value(
|
||||
service_parameters,
|
||||
domain,
|
||||
constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_GROUP_SEARCH_BASE,
|
||||
constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_DOMAIN_DEFAULT,
|
||||
)
|
||||
|
||||
return group_search_base
|
||||
|
||||
def _get_service_parameter_default_bind_dn(self, service_parameters, domain):
|
||||
|
||||
bind_dn = self._get_ldap_domain_service_parameter_value(
|
||||
service_parameters,
|
||||
domain,
|
||||
constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_DEFAULT_BIND_DN,
|
||||
constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_DOMAIN_DEFAULT,
|
||||
)
|
||||
|
||||
return bind_dn
|
||||
|
||||
def _get_service_parameter_default_authtok(self, service_parameters, domain):
|
||||
|
||||
authtok = self._get_ldap_domain_service_parameter_value(
|
||||
service_parameters,
|
||||
domain,
|
||||
constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_DEFAULT_AUTH_TOK,
|
||||
constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_DOMAIN_DEFAULT,
|
||||
)
|
||||
|
||||
return authtok
|
||||
|
||||
def _get_local_domain(self):
|
||||
binding_pass = self._get_keyring_password(self.SERVICE_NAME,
|
||||
self.SERVICE_USER)
|
||||
self.SERVICE_USER)
|
||||
|
||||
# sssd supports the debug levels (from sssd.conf manual page):
|
||||
# 0, 0x0010: Fatal failures. Anything that would prevent SSSD
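Review bot: Every `_get_service_parameter_*` wrapper falls back to `constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_DOMAIN_DEFAULT` ('undef') although that sentinel is only meaningful for `domain_name`; a domain whose name is set but whose `ldap_uri`, search bases or bind credentials were never supplied therefore reaches `_get_ldap_domain` in the next hunk with the literal string 'undef' for those keys, and whether the puppet side treats that string as unset cannot be confirmed from here. Either pass `None` as the default for the non-name parameters or drop such entries before returning from `_get_ldap_domain`, e.g. `default = constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_DOMAIN_DEFAULT` followed by `return {k: v for k, v in domain_parameters.items() if v != default}`. A one-line docstring on `_get_ldap_domain_service_parameter_value`, `"""Return the value of parameter_name in section domain, or default when absent."""`, would also help, as none of the eight new methods documents its contract.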
|
||||
|
@ -76,6 +195,30 @@ class SssdPuppet(base.BasePuppet):
|
|||
|
||||
return domain_parameters
|
||||
|
||||
def _get_ldap_domain(self, service_parameters, domain):
|
||||
domain_parameters = {
|
||||
'cache_credentials': 'true',
|
||||
'debug_level': '0x0270',
|
||||
'id_provider': 'ldap',
|
||||
'ldap_uri': self._get_service_parameter_ldap_uri(
|
||||
service_parameters, domain),
|
||||
"ldap_access_filter": self._get_service_parameter_access_filter(
|
||||
service_parameters, domain),
|
||||
"ldap_search_base": self._get_service_parameter_search_base(
|
||||
service_parameters, domain),
|
||||
"ldap_user_search_base": self._get_service_parameter_user_search_base(
|
||||
service_parameters, domain),
|
||||
"ldap_group_search_base": self._get_service_parameter_group_search_base(
|
||||
service_parameters, domain),
|
||||
"ldap_default_bind_dn": self._get_service_parameter_default_bind_dn(
|
||||
service_parameters, domain),
|
||||
"ldap_default_authtok": self._get_service_parameter_default_authtok(
|
||||
service_parameters, domain),
|
||||
'fallback_homedir': '/home/%u',
|
||||
}
|
||||
|
||||
return domain_parameters
|
||||
|
||||
def _get_nss_parameters(self):
|
||||
# reconnection_retries = 3 Number of times services should
|
||||
# attempt to reconnect in the event of a Data Provider crash
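Review bot: `_get_ldap_domain` calls seven near-identical wrapper methods that differ only in the constant they look up; a single sssd-key to parameter-name mapping iterated in one loop is shorter, keeps the lookup in one place and makes adding a parameter a one-line change. The fixed entries (`cache_credentials`, `debug_level`, `id_provider`, `fallback_homedir`) stay as literals and the emitted keys and values are unchanged, only their insertion order differs. Sketch below; the mapping name is a suggestion. `_get_nss_parameters` continues outside this hunk.
```python
    # sssd.conf key -> service parameter name within a domain section (proposed)
    _LDAP_DOMAIN_PARAMETERS = {
        'ldap_uri': constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_URI,
        'ldap_access_filter': constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_ACCESS_FILTER,
        'ldap_search_base': constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_SEARCH_BASE,
        'ldap_user_search_base': constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_USER_SEARCH_BASE,
        'ldap_group_search_base': constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_GROUP_SEARCH_BASE,
        'ldap_default_bind_dn': constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_DEFAULT_BIND_DN,
        'ldap_default_authtok': constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_DEFAULT_AUTH_TOK,
    }

    def _get_ldap_domain(self, service_parameters, domain):
        """Build the sssd domain section for one remote LDAP domain section."""
        domain_parameters = {
            'cache_credentials': 'true',
            'debug_level': '0x0270',
            'id_provider': 'ldap',
            'fallback_homedir': '/home/%u',
        }
        for key, parameter_name in self._LDAP_DOMAIN_PARAMETERS.items():
            domain_parameters[key] = self._get_ldap_domain_service_parameter_value(
                service_parameters, domain, parameter_name,
                constants.SERVICE_PARAM_NAME_IDENTITY_LDAP_DOMAIN_DEFAULT)

        return domain_parameters
```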
|
||||
|
|