bab9bb6b69
Create new directories: ceph config config-files filesystem kernel kernel/kernel-modules ldap logging strorage-drivers tools utilities virt Retire directories: connectivity core devtools support extended Delete two packages: tgt irqbalance Relocated packages: base/ dhcp initscripts libevent lighttpd linuxptp memcached net-snmp novnc ntp openssh pam procps sanlock shadow sudo systemd util-linux vim watchdog ceph/ python-cephclient config/ facter puppet-4.8.2 puppet-modules filesystem/ e2fsprogs nfs-utils nfscheck kernel/ kernel-std kernel-rt kernel/kernel-modules/ mlnx-ofa_kernel ldap/ nss-pam-ldapd openldap logging/ syslog-ng logrotate networking/ lldpd iproute mellanox python-ryu mlx4-config python/ python-2.7.5 python-django python-gunicorn python-setuptools python-smartpm python-voluptuous security/ shim-signed shim-unsigned tboot strorage-drivers/ python-3parclient python-lefthandclient virt/ cloud-init libvirt libvirt-python qemu tools/ storage-topology vm-topology utilities/ tis-extensions namespace-utils nova-utils update-motd Change-Id: I37ade764d873c701b35eac5881eb40412ba64a86 Story: 2002801 Task: 22687 Signed-off-by: Scott Little <scott.little@windriver.com>
441 lines
18 KiB
Diff
441 lines
18 KiB
Diff
From 08bc7eaaa30f2d893ff357376f0d48875f9d1da5 Mon Sep 17 00:00:00 2001
|
|
From: Al Bailey <Al.Bailey@windriver.com>
|
|
Date: Tue, 9 Jan 2018 13:37:50 -0600
|
|
Subject: [PATCH 2/3] WRS: Patch1:
|
|
0001-pike-rebase-squash-titanium-patches.patch
|
|
|
|
---
|
|
lib/puppet/provider/keystone.rb | 79 ++++++++++++++++++++++-
|
|
manifests/db/sync.pp | 3 +
|
|
manifests/init.pp | 76 +++++++++++++++++-----
|
|
manifests/ldap.pp | 7 ++
|
|
manifests/logging.pp | 2 +-
|
|
manifests/resource/service_identity.pp | 7 ++
|
|
manifests/security_compliance.pp | 45 +++++++++++++
|
|
spec/classes/keystone_security_compliance_spec.rb | 19 ++++++
|
|
8 files changed, 220 insertions(+), 18 deletions(-)
|
|
create mode 100644 manifests/security_compliance.pp
|
|
create mode 100644 spec/classes/keystone_security_compliance_spec.rb
|
|
|
|
diff --git a/lib/puppet/provider/keystone.rb b/lib/puppet/provider/keystone.rb
|
|
index 3841418..8eb171d 100644
|
|
--- a/lib/puppet/provider/keystone.rb
|
|
+++ b/lib/puppet/provider/keystone.rb
|
|
@@ -3,6 +3,7 @@ require 'puppet/provider/openstack'
|
|
require 'puppet/provider/openstack/auth'
|
|
require 'puppet/provider/openstack/credentials'
|
|
require File.join(File.dirname(__FILE__), '..','..', 'puppet/provider/keystone/util')
|
|
+require 'hiera_puppet'
|
|
|
|
class Puppet::Provider::Keystone < Puppet::Provider::Openstack
|
|
|
|
@@ -230,12 +231,88 @@ class Puppet::Provider::Keystone < Puppet::Provider::Openstack
|
|
end
|
|
end
|
|
|
|
+ ### WRS Modifications (Start) ###
|
|
+
|
|
+ def self.hiera_lookup(key)
|
|
+ HieraPuppet.lookup(key, :undef, self, nil, :priority)
|
|
+ end
|
|
+
|
|
+ def self.initial_config_primary?
|
|
+ return true if ENV['INITIAL_CONFIG_PRIMARY'] == "true"
|
|
+ end
|
|
+
|
|
+
|
|
+ def self.upgrading?
|
|
+ return true if hiera_lookup('platform::params::controller_upgrade') == true
|
|
+ end
|
|
+
|
|
def self.request(service, action, properties=nil, options={})
|
|
super
|
|
rescue Puppet::Error::OpenstackAuthInputError, Puppet::Error::OpenstackUnauthorizedError => error
|
|
- request_by_service_token(service, action, error, properties, options=options)
|
|
+ if initial_config_primary?
|
|
+ # admin user account might not have been created
|
|
+ request_by_service_token(service, action, error, properties)
|
|
+ else
|
|
+ if upgrading?
|
|
+ # when running the Keystone manifest during an upgrade
|
|
+ # (on controller-1), we need to use an AUTH token and
|
|
+ # a bypass URL since using the default AUTL URL will
|
|
+ # send the Request to the service catalog URL (internalURL),
|
|
+ # running on the non-upgraded controller-0 which cannot
|
|
+ # service this request
|
|
+ request_by_upgrading_token(service, action, error, properties)
|
|
+ else
|
|
+ request_by_admin_credential(service, action, error, properties)
|
|
+ end
|
|
+ end
|
|
end
|
|
|
|
+ def self.request_by_admin_credential(service, action, error, properties=nil)
|
|
+ properties ||= []
|
|
+ @credentials.username = hiera_lookup('openstack::client::params::admin_username')
|
|
+ @credentials.password = hiera_lookup('keystone::admin_password')
|
|
+ @credentials.project_name = 'admin'
|
|
+ @credentials.auth_url = service_url
|
|
+ @credentials.identity_api_version = @credentials.version
|
|
+ if @credentials.version == '3'
|
|
+ @credentials.user_domain_name = hiera_lookup('openstack::client::params::admin_user_domain')
|
|
+ @credentials.project_domain_name = hiera_lookup('openstack::client::params::admin_project_domain')
|
|
+ end
|
|
+ raise error unless @credentials.set?
|
|
+ Puppet::Provider::Openstack.request(service, action, properties, @credentials)
|
|
+ end
|
|
+
|
|
+ def self.get_upgrade_token
|
|
+ upgrade_token_file = hiera_lookup('openstack::keystone::upgrade::upgrade_token_file')
|
|
+ # the upgrade token file may get refreshed by the same Puppet event
|
|
+ # that triggered this call, and therefore may not be available
|
|
+ # immediately. Try for timeout before quitting with error
|
|
+ timeout = 10 # 10 seconds
|
|
+ 1.upto(timeout) do |iter|
|
|
+ if File.exists?(upgrade_token_file)
|
|
+ upgrade_token = File.read(upgrade_token_file).strip
|
|
+ notice("Found #{upgrade_token_file} token file and upgrade token #{upgrade_token}.")
|
|
+ return upgrade_token
|
|
+ else
|
|
+ Puppet.debug("#{upgrade_token_file} not found. Retrying for #{iter} more seconds.")
|
|
+ sleep(1)
|
|
+ end
|
|
+ end
|
|
+ raise(Puppet::ExecutionFailure, "Can't retrieve #{upgrade_token_file} in #{timeout}s retry attempts.")
|
|
+ end
|
|
+
|
|
+
|
|
+ def self.request_by_upgrading_token(service, action, error, properties=nil, options={})
|
|
+ properties ||= []
|
|
+ @credentials.token = get_upgrade_token
|
|
+ @credentials.url = hiera_lookup('openstack::keystone::upgrade::url')
|
|
+ raise error unless @credentials.service_token_set?
|
|
+ Puppet::Provider::Openstack.request(service, action, properties, @credentials, options)
|
|
+ end
|
|
+
|
|
+ ### WRS Additions (End) ###
|
|
+
|
|
+
|
|
def self.request_by_service_token(service, action, error, properties=nil, options={})
|
|
properties ||= []
|
|
@credentials.token = admin_token
|
|
diff --git a/manifests/db/sync.pp b/manifests/db/sync.pp
|
|
index cee869b..cea217c 100644
|
|
--- a/manifests/db/sync.pp
|
|
+++ b/manifests/db/sync.pp
|
|
@@ -36,5 +36,8 @@ class keystone::db::sync(
|
|
],
|
|
notify => Anchor['keystone::dbsync::end'],
|
|
tag => 'keystone-exec',
|
|
+ # Only do the db sync if both controllers are running the same software
|
|
+ # version. Avoids impacting mate controller during an upgrade.
|
|
+ onlyif => "test $::controller_sw_versions_match = true",
|
|
}
|
|
}
|
|
diff --git a/manifests/init.pp b/manifests/init.pp
|
|
index 2adc685..4d79d30 100644
|
|
--- a/manifests/init.pp
|
|
+++ b/manifests/init.pp
|
|
@@ -28,6 +28,15 @@
|
|
# The admin_token has been deprecated by the Keystone service and this
|
|
# will be deprecated in a future changeset. Required.
|
|
#
|
|
+# [*upgrade_token_cmd*]
|
|
+# (optional) WRS - if we are in an upgrade scenario, an upgrade token
|
|
+# will be required to bypass authentication.
|
|
+# Defaults to undef
|
|
+#
|
|
+# [*upgrade_token_file*]
|
|
+# (optional) WRS - the file where the upgrade token will be stowed
|
|
+# Defaults to undef
|
|
+#
|
|
# [*admin_password*]
|
|
# Keystone password for the admin user. This is not the admin_token.
|
|
# This is the password that the admin user signs into keystone with.
|
|
@@ -663,6 +672,8 @@
|
|
#
|
|
class keystone(
|
|
$admin_token,
|
|
+ $upgrade_token_cmd = undef,
|
|
+ $upgrade_token_file = undef,
|
|
$admin_password = undef,
|
|
$package_ensure = 'present',
|
|
$client_package_ensure = 'present',
|
|
@@ -857,10 +868,13 @@ admin_token will be removed in a later release")
|
|
|
|
keystone_config {
|
|
'DEFAULT/admin_token': value => $admin_token, secret => true;
|
|
+ # WRS: the following options are deprecated for removal
|
|
+ # however public_bind_host and admin_bind_host are still required as long as
|
|
+ # keystone is running under eventlet
|
|
'DEFAULT/public_bind_host': value => $public_bind_host;
|
|
'DEFAULT/admin_bind_host': value => $admin_bind_host;
|
|
- 'DEFAULT/public_port': value => $public_port;
|
|
- 'DEFAULT/admin_port': value => $admin_port;
|
|
+ #'DEFAULT/public_port': value => $public_port;
|
|
+ #'DEFAULT/admin_port': value => $admin_port;
|
|
'DEFAULT/member_role_id': value => $member_role_id;
|
|
'DEFAULT/member_role_name': value => $member_role_name;
|
|
'paste_deploy/config_file': value => $paste_config;
|
|
@@ -897,18 +911,21 @@ admin_token will be removed in a later release")
|
|
# ssl config
|
|
if ($enable_ssl) {
|
|
keystone_config {
|
|
- 'ssl/enable': value => true;
|
|
+ # WRS ssl/enable is deprecated for removal
|
|
+ #'ssl/enable': value => true;
|
|
'ssl/certfile': value => $ssl_certfile;
|
|
'ssl/keyfile': value => $ssl_keyfile;
|
|
'ssl/ca_certs': value => $ssl_ca_certs;
|
|
'ssl/ca_key': value => $ssl_ca_key;
|
|
'ssl/cert_subject': value => $ssl_cert_subject;
|
|
}
|
|
- } else {
|
|
- keystone_config {
|
|
- 'ssl/enable': value => false;
|
|
- }
|
|
}
|
|
+ # WRS ssl/enable is deprecated for removal
|
|
+ # else {
|
|
+ # keystone_config {
|
|
+ # 'ssl/enable': value => false;
|
|
+ # }
|
|
+ #}
|
|
|
|
if !is_service_default($memcache_servers) or !is_service_default($cache_memcache_servers) {
|
|
Service<| title == 'memcached' |> -> Anchor['keystone::service::begin']
|
|
@@ -1016,14 +1033,15 @@ Fernet or UUID tokens are recommended.")
|
|
Fernet or UUID tokens are recommended.")
|
|
}
|
|
|
|
- keystone_config {
|
|
- 'signing/certfile': value => $signing_certfile;
|
|
- 'signing/keyfile': value => $signing_keyfile;
|
|
- 'signing/ca_certs': value => $signing_ca_certs;
|
|
- 'signing/ca_key': value => $signing_ca_key;
|
|
- 'signing/cert_subject': value => $signing_cert_subject;
|
|
- 'signing/key_size': value => $signing_key_size;
|
|
- }
|
|
+ # WRS: the following signing options are deprecated for removal
|
|
+ #keystone_config {
|
|
+ # 'signing/certfile': value => $signing_certfile;
|
|
+ # 'signing/keyfile': value => $signing_keyfile;
|
|
+ # 'signing/ca_certs': value => $signing_ca_certs;
|
|
+ # 'signing/ca_key': value => $signing_ca_key;
|
|
+ # 'signing/cert_subject': value => $signing_cert_subject;
|
|
+ # 'signing/key_size': value => $signing_key_size;
|
|
+ #}
|
|
|
|
# Only do pki_setup if we were asked to do so. This is needed
|
|
# regardless of the token provider since token revocation lists
|
|
@@ -1089,6 +1107,9 @@ Fernet or UUID tokens are recommended.")
|
|
heartbeat_rate => $rabbit_heartbeat_rate,
|
|
}
|
|
|
|
+ # WRS: The following options are deprecated for removal
|
|
+ # however they are still required as long as keystone
|
|
+ # is running under eventlet
|
|
keystone_config {
|
|
'eventlet_server/admin_workers': value => $admin_workers;
|
|
'eventlet_server/public_workers': value => $public_workers;
|
|
@@ -1135,7 +1156,8 @@ Fernet or UUID tokens are recommended.")
|
|
validate => false,
|
|
}
|
|
}
|
|
- warning("Keystone under Eventlet has been deprecated during the Kilo cycle. \
|
|
+ # Drop this to info.
|
|
+ info("Keystone under Eventlet has been deprecated during the Kilo cycle. \
|
|
Support for deploying under eventlet will be dropped as of the M-release of OpenStack.")
|
|
} elsif $service_name == 'httpd' {
|
|
include ::apache::params
|
|
@@ -1280,6 +1302,27 @@ running as a standalone service, or httpd for being run by a httpd server")
|
|
}
|
|
}
|
|
|
|
+ # WRS: Now that the keystone service has started,
|
|
+ # check if we are in an Upgrade scenario, and generate
|
|
+ # an upgrade token which will be used to bypass Keystone
|
|
+ # authentication (specifically the service catalog) for
|
|
+ # all operations during upgrades.
|
|
+ # This operation is similar to the keystone bootstrap
|
|
+ # operation (above) which would generate an admin
|
|
+ # token, and therefore also requires the database to
|
|
+ # be up and running and configured and is only run once,
|
|
+ # so we don't need to notify the service
|
|
+ if $upgrade_token_cmd and $upgrade_token_file {
|
|
+ exec { 'upgrade token issue':
|
|
+ command => "${upgrade_token_cmd} > ${upgrade_token_file}",
|
|
+ path => '/usr/bin',
|
|
+ creates => $upgrade_token_file,
|
|
+ subscribe => Service[$service_name],
|
|
+ notify => Anchor['keystone::service::end'],
|
|
+ tag => 'keystone-exec',
|
|
+ }
|
|
+ }
|
|
+
|
|
if $using_domain_config {
|
|
validate_absolute_path($domain_config_directory)
|
|
# Better than ensure resource. We don't want to conflict with any
|
|
@@ -1311,4 +1354,5 @@ running as a standalone service, or httpd for being run by a httpd server")
|
|
{'value' => $domain_config_directory}
|
|
)
|
|
}
|
|
+
|
|
}
|
|
diff --git a/manifests/ldap.pp b/manifests/ldap.pp
|
|
index 11620bf..728ca40 100644
|
|
--- a/manifests/ldap.pp
|
|
+++ b/manifests/ldap.pp
|
|
@@ -4,6 +4,11 @@
|
|
#
|
|
# === parameters:
|
|
#
|
|
+# [*debug_level*]
|
|
+# LDAP debugging level for LDAP calls; a value of zero("0") disables
|
|
+# debugging. (integer value)
|
|
+# Defaults to 'undef'
|
|
+#
|
|
# [*url*]
|
|
# URL for connecting to the LDAP server. (string value)
|
|
# Defaults to 'undef'
|
|
@@ -384,6 +389,7 @@
|
|
# Copyright 2012 Puppetlabs Inc, unless otherwise noted.
|
|
#
|
|
class keystone::ldap(
|
|
+ $debug_level = undef,
|
|
$url = undef,
|
|
$user = undef,
|
|
$password = undef,
|
|
@@ -494,6 +500,7 @@ class keystone::ldap(
|
|
}
|
|
|
|
keystone_config {
|
|
+ 'ldap/debug_level': value => $debug_level;
|
|
'ldap/url': value => $url;
|
|
'ldap/user': value => $user;
|
|
'ldap/password': value => $password, secret => true;
|
|
diff --git a/manifests/logging.pp b/manifests/logging.pp
|
|
index e737c4f..3d8df63 100644
|
|
--- a/manifests/logging.pp
|
|
+++ b/manifests/logging.pp
|
|
@@ -110,7 +110,7 @@ class keystone::logging(
|
|
$log_file = $::os_service_default,
|
|
$debug = $::os_service_default,
|
|
$logging_context_format_string = $::os_service_default,
|
|
- $logging_default_format_string = $::os_service_default,
|
|
+ $logging_default_format_string = 'keystone:log %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s',
|
|
$logging_debug_format_suffix = $::os_service_default,
|
|
$logging_exception_prefix = $::os_service_default,
|
|
$logging_user_identity_format = $::os_service_default,
|
|
diff --git a/manifests/resource/service_identity.pp b/manifests/resource/service_identity.pp
|
|
index 09e7d94..243c9ec 100644
|
|
--- a/manifests/resource/service_identity.pp
|
|
+++ b/manifests/resource/service_identity.pp
|
|
@@ -187,6 +187,8 @@ define keystone::resource::service_identity(
|
|
if $service_type {
|
|
ensure_resource('keystone_service', "${service_name_real}::${service_type}", {
|
|
'ensure' => $ensure,
|
|
+ 'name' => $service_name_real,
|
|
+ 'type' => $service_type,
|
|
'description' => $service_description,
|
|
})
|
|
} else {
|
|
@@ -199,6 +201,9 @@ define keystone::resource::service_identity(
|
|
if $public_url and $admin_url and $internal_url {
|
|
ensure_resource('keystone_endpoint', "${region}/${service_name_real}::${service_type}", {
|
|
'ensure' => $ensure,
|
|
+ 'name' => $service_name_real,
|
|
+ 'type' => $service_type,
|
|
+ 'region' => $region,
|
|
'public_url' => $public_url,
|
|
'admin_url' => $admin_url,
|
|
'internal_url' => $internal_url,
|
|
@@ -210,6 +215,8 @@ define keystone::resource::service_identity(
|
|
if $public_url and $admin_url and $internal_url {
|
|
ensure_resource('keystone_endpoint', "${region}/${service_name_real}", {
|
|
'ensure' => $ensure,
|
|
+ 'name' => $service_name_real,
|
|
+ 'region' => $region,
|
|
'public_url' => $public_url,
|
|
'admin_url' => $admin_url,
|
|
'internal_url' => $internal_url,
|
|
diff --git a/manifests/security_compliance.pp b/manifests/security_compliance.pp
|
|
new file mode 100644
|
|
index 0000000..64830ec
|
|
--- /dev/null
|
|
+++ b/manifests/security_compliance.pp
|
|
@@ -0,0 +1,45 @@
|
|
+# == class: keystone::security_compliance
|
|
+#
|
|
+# Implements security compliance configuration for keystone.
|
|
+#
|
|
+# === parameters:
|
|
+#
|
|
+# [*unique_last_password_count*]
|
|
+# This controls the number of previous user password iterations
|
|
+# to keep in history, in order to enforce that newly created passwords
|
|
+# are unique. Setting the value to 1 (the default) disables this feature.
|
|
+# (integer value)
|
|
+# Defaults to 'undef'
|
|
+#
|
|
+# [*password_regex*]
|
|
+# The regular expression used to validate password strength
|
|
+# requirements. By default, the regular expression will match
|
|
+# any password. (string value)
|
|
+# Defaults to 'undef'
|
|
+#
|
|
+# [*password_regex_description*]
|
|
+# If a password fails to match the regular expression (*password_regex*),
|
|
+# the contents of this configuration will be returned to users to explain
|
|
+# why their requested password was insufficient. (string value)
|
|
+# Defaults to 'undef'
|
|
+#
|
|
+# === DEPRECATED group/name
|
|
+#
|
|
+# == Copyright
|
|
+#
|
|
+# Copyright 2017 Wind River Systems, unless otherwise noted.
|
|
+#
|
|
+class keystone::security_compliance(
|
|
+ $unique_last_password_count = undef,
|
|
+ $password_regex = undef,
|
|
+ $password_regex_description = undef,
|
|
+) {
|
|
+
|
|
+ include ::keystone::deps
|
|
+
|
|
+ keystone_config {
|
|
+ 'security_compliance/unique_last_password_count': value => $unique_last_password_count;
|
|
+ 'security_compliance/password_regex': value => $password_regex;
|
|
+ 'security_compliance/password_regex_description': value => $password_regex_description;
|
|
+ }
|
|
+}
|
|
diff --git a/spec/classes/keystone_security_compliance_spec.rb b/spec/classes/keystone_security_compliance_spec.rb
|
|
new file mode 100644
|
|
index 0000000..d0d4724
|
|
--- /dev/null
|
|
+++ b/spec/classes/keystone_security_compliance_spec.rb
|
|
@@ -0,0 +1,19 @@
|
|
+require 'spec_helper'
|
|
+
|
|
+describe 'keystone::security_compliance' do
|
|
+ describe 'with basic params' do
|
|
+ let :params do
|
|
+ {
|
|
+ :unique_last_password_count => 2,
|
|
+ :password_regex => '^(?=.*\d)(?=.*[a-zA-Z]).{7,}$',
|
|
+ :password_regex_description => 'password must be at least 7 characters long and contain 1 digit',
|
|
+ }
|
|
+ end
|
|
+ it 'should have basic params' do
|
|
+ # basic params
|
|
+ is_expected.to contain_keystone_config('security_compliance/unique_last_password_count').with_value('2')
|
|
+ is_expected.to contain_keystone_config('security_compliance/password_regex').with_value('^(?=.*\d)(?=.*[a-zA-Z]).{7,}$')
|
|
+ is_expected.to contain_keystone_config('security_compliance/password_regex_description').with_value('password must be at least 7 characters long and contain 1 digit')
|
|
+ end
|
|
+ end
|
|
+end
|
|
--
|
|
1.8.3.1
|
|
|