
Multidomains support

Support for creating multiple domains was added for MOS 8.0

Change-Id: Ie082cfa8b5e3b5478362335b125eccb12308efed
Maksym Yatsenko 3 years ago
parent
commit
c410425b57

+ 25
- 0
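--- a/deployment_scripts/puppet/modules/plugin_ldap/lib/puppet/parser/functions/parse_it.rb
+++ b/deployment_scripts/puppet/modules/plugin_ldap/lib/puppet/parser/functions/parse_it.rb
@@ -0,0 +1,25 @@
+module Puppet::Parser::Functions
+  newfunction(:parse_it, :type => :rvalue, :doc => <<-EOS
+This function parses text area, create hash and returns values
+for keystone domain creation
+EOS
+  ) do |args|
+
+    param_hash = {}
+    cert_chain = args[0].slice!(/^(ca_chain=-----BEGIN CERTIFICATE-----)(.*[\r\n])+(-----END CERTIFICATE-----[\s\S]*?)$/)
+
+    if cert_chain
+      splited_cert_chain = cert_chain.split('=',2)
+      param_hash[splited_cert_chain[0]] = splited_cert_chain[1]
+    end
+
+    splited_text = args[0].split("\n")
+    splited_text.each do |item|
+      splited_line = item.split('=',2)
+      param_hash[splited_line[0]] = splited_line[1]
+    end
+
+    return param_hash
+  end
+end
+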
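Review bot: Values parsed on new lines 16-20 keep whatever whitespace surrounds them, so a textarea submitted with CRLF line endings (the usual browser behaviour) leaves a trailing `\r` on every value — `url`, `suffix`, the bind `password` — which is then written verbatim into the domain config, and a blank separator line yields a `nil` key. `args[0].slice!` on line 9 also mutates the caller's string in place; work on a copy instead. The `:doc` text could read `Parses a key=value text block into a hash of Keystone domain settings`. The loop below trims keys and values and skips empty lines; the certificate branch is left untouched so the PEM body keeps its line breaks.
```ruby
    param_hash = {}
    text = args[0].to_s.dup  # never mutate the string Puppet handed us
    cert_chain = text.slice!(/^(ca_chain=-----BEGIN CERTIFICATE-----)(.*[\r\n])+(-----END CERTIFICATE-----[\s\S]*?)$/)
    # … unchanged: ca_chain key/value split …
    text.each_line do |item|
      key, value = item.split('=', 2)
      next if key.nil? || key.strip.empty?
      param_hash[key.strip] = value.to_s.strip
    end
```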

+ 57
- 83
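--- a/deployment_scripts/puppet/modules/plugin_ldap/manifests/controller.pp
+++ b/deployment_scripts/puppet/modules/plugin_ldap/manifests/controller.pp
@@ -2,13 +2,13 @@ class plugin_ldap::controller {
 
   include ::apache::params
 
-  $management_vip             = hiera('management_vip')
+  $management_vip = hiera('management_vip')
 
   ## if AD is used, in order to properly display if account is enabled or disabled
-  ## additional parameters need to be set.
+  ## additional parameters should be set.
   if $::fuel_settings['ldap']['user_enabled_attribute'] == 'userAccountControl' {
     $user_enabled_default = 512
-    $user_enabled_mask   = 2
+    $user_enabled_mask    = 2
   }
 
   $identity_driver        = 'keystone.identity.backends.ldap.Identity'
@@ -24,6 +24,7 @@ class plugin_ldap::controller {
   $user_name_attribute    = $::fuel_settings['ldap']['user_name_attribute']
   $user_pass_attribute    = $::fuel_settings['ldap']['user_pass_attribute']
   $user_enabled_attribute = $::fuel_settings['ldap']['user_enabled_attribute']
+  $additional_domains     = $::fuel_settings['ldap']['additional_domains']
 
   $user_allow_create      = false
   $user_allow_update      = false
@@ -43,28 +44,7 @@ class plugin_ldap::controller {
 
   $domain                 = $::fuel_settings['ldap']['domain']
   $use_tls                = $::fuel_settings['ldap']['use_tls']
-
-  if $use_tls {
-    $ca_chain       = pick($::fuel_settings['ldap']['ca_chain'], false)
-    $cacertfile     = '/usr/local/share/ca-certificates/cacert-ldap.crt'
-
-    if $ca_chain {
-      $tls_cacertdir = '/etc/ssl/certs'
-    }
-    else {
-      $tls_cacertdir = ''
-    }
-
-    if $ca_chain {
-      file { $cacertfile:
-        ensure  => file,
-        mode    => 0644,
-        content => $ca_chain,
-      }
-      ~>
-      exec { '/usr/sbin/update-ca-certificates': }
-    }
-  }
+  $ca_chain               = pick($::fuel_settings['ldap']['ca_chain'], false)
 
   file { '/etc/keystone/domains':
     ensure => 'directory',
@@ -73,81 +53,75 @@ class plugin_ldap::controller {
     mode   => '755',
   }
 
-  file { "/etc/keystone/domains/keystone.${domain}.conf":
-    ensure  => 'file',
-    owner   => 'root',
-    group   => 'root',
-    mode    => '644',
-    require => File['/etc/keystone/domains'],
-     }
-
-  File["/etc/keystone/domains/keystone.${domain}.conf"] -> Keystone_config <||>
-
   keystone_config {
     "identity/domain_specific_drivers_enabled": value => 'True';
   }
 
-  Keystone_config {
-    provider => 'ini_setting_domain',
+  plugin_ldap::keystone {$domain:
+    domain                 => $domain,
+    identity_driver        => $identity_driver,
+    url                    => $url,
+    use_tls                => $use_tls,
+    ca_chain               => $ca_chain,
+    suffix                 => $suffix,
+    user                   => $user,
+    password               => $password,
+    query_scope            => $query_scope,
+    user_tree_dn           => $user_tree_dn,
+    user_filter            => $user_filter,
+    user_objectclass       => $user_objectclass,
+    user_id_attribute      => $user_id_attribute,
+    user_name_attribute    => $user_name_attribute,
+    user_pass_attribute    => $user_pass_attribute,
+    user_enabled_attribute => $user_enabled_attribute,
+    user_enabled_default   => $user_enabled_default,
+    user_enabled_mask      => $user_enabled_mask,
+    user_allow_create      => $user_allow_create,
+    user_allow_update      => $user_allow_update,
+    user_allow_delete      => $user_allow_delete,
+    group_tree_dn          => $group_tree_dn,
+    group_filter           => $group_filter,
+    group_objectclass      => $group_objectclass,
+    group_id_attribute     => $group_id_attribute,
+    group_name_attribute   => $group_name_attribute,
+    group_member_attribute => $group_member_attribute,
+    group_desc_attribute   => $group_desc_attribute,
+    group_allow_create     => $group_allow_create,
+    group_allow_update     => $group_allow_update,
+    group_allow_delete     => $group_allow_delete,
   }
 
-  keystone_config {
-    "${domain}/identity/driver":        value  => $identity_driver;
-    "${domain}/ldap/url":                    value => $url;
-    "${domain}/ldap/use_tls":                value => $use_tls;
-    "${domain}/ldap/tls_cacertdir":          value => $tls_cacertdir;
-    "${domain}/ldap/suffix":                 value => $suffix;
-    "${domain}/ldap/user":                   value => $user;
-    "${domain}/ldap/password":               value => $password;
-    "${domain}/ldap/query_scope":            value => $query_scope;
-    "${domain}/ldap/user_tree_dn":           value => $user_tree_dn;
-    "${domain}/ldap/user_filter":            value => $user_filter;
-    "${domain}/ldap/user_objectclass":       value => $user_objectclass;
-    "${domain}/ldap/user_id_attribute":      value => $user_id_attribute;
-    "${domain}/ldap/user_name_attribute":    value => $user_name_attribute;
-    "${domain}/ldap/user_pass_attribute":    value => $user_pass_attribute;
-    "${domain}/ldap/user_enabled_attribute": value => $user_enabled_attribute;
-    "${domain}/ldap/user_enabled_default":   value => $user_enabled_default;
-    "${domain}/ldap/user_enabled_mask":      value => $user_enabled_mask;
-    "${domain}/ldap/user_allow_create":      value => $user_allow_create;
-    "${domain}/ldap/user_allow_update":      value => $user_allow_update;
-    "${domain}/ldap/user_allow_delete":      value => $user_allow_delete;
-    "${domain}/ldap/group_tree_dn":          value => $group_tree_dn;
-    "${domain}/ldap/group_filter":           value => $group_filter;
-    "${domain}/ldap/group_objectclass":      value => $group_objectclass;
-    "${domain}/ldap/group_id_attribute":     value => $group_id_attribute;
-    "${domain}/ldap/group_name_attribute":   value => $group_name_attribute;
-    "${domain}/ldap/group_member_attribute": value => $group_member_attribute;
-    "${domain}/ldap/group_desc_attribute":   value => $group_desc_attribute;
-    "${domain}/ldap/group_allow_create":     value => $group_allow_create;
-    "${domain}/ldap/group_allow_update":     value => $group_allow_update;
-    "${domain}/ldap/group_allow_delete":     value => $group_allow_delete;
-  } ~>
+  Plugin_ldap::Keystone<||> ~>
   service { 'httpd':
-    name     => "$apache::params::service_name",
-    ensure   => running,
+    name   => "$apache::params::service_name",
+    ensure => running,
   }
 
-  keystone_domain { "${domain}":
-    ensure  => present,
-    enabled => true,
+#Create domains using info from text area 'List of additional Domains'
+  if $additional_domains {
+    $domains_list = split($additional_domains, '^$')
+    plugin_ldap::multiple_domain { $domains_list:
+      identity_driver => $identity_driver,
+    }
   }
 
   file_line { 'OPENSTACK_KEYSTONE_URL':
-    path => '/etc/openstack-dashboard/local_settings.py',
-    line => "OPENSTACK_KEYSTONE_URL = \"http://${management_vip}:5000/v3/\"",
+    path  => '/etc/openstack-dashboard/local_settings.py',
+    line  => "OPENSTACK_KEYSTONE_URL = \"http://${management_vip}:5000/v3/\"",
     match => "^OPENSTACK_KEYSTONE_URL = .*$",
-  } ~> Service ['httpd']
+  }
 
   file_line { 'OPENSTACK_API_VERSIONS':
-    path => '/etc/openstack-dashboard/local_settings.py',
-    line => "OPENSTACK_API_VERSIONS = { \"identity\": 3 }",
+    path  => '/etc/openstack-dashboard/local_settings.py',
+    line  => "OPENSTACK_API_VERSIONS = { \"identity\": 3 }",
     match => "^# OPENSTACK_API_VERSIONS = {.*$",
-  } ~> Service ['httpd']
+  }
 
   file_line { 'OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT':
-    path => '/etc/openstack-dashboard/local_settings.py',
-    line => "OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True",
+    path  => '/etc/openstack-dashboard/local_settings.py',
+    line  => "OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True",
     match => "^# OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = .*$",
-  } ~> Service ['httpd']
+  }
+
+  File_line<||> ~> Service ['httpd']
 }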
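Review bot: `split($additional_domains, '^$')` on new line 102 only splits where an entirely empty line exists; if the textarea arrives with CRLF line endings the separator line holds a `\r`, `^$` never matches and every domain block collapses into a single `plugin_ldap::multiple_domain` instance. `split($additional_domains, '\n\s*\n')` separates on blank lines regardless of line ending. The default `value: ''` from environment_config.yaml relies on an empty string being falsy in `if $additional_domains`, which holds for Puppet 3 but not Puppet 4 — `if $additional_domains and $additional_domains != ''` behaves the same on both. `File_line<||>` on line 126 collects every file_line in the catalog, not just the three dashboard settings declared here, so any other module's file_line will restart httpd; naming the three titles in the collector avoids that. The class body opens before the first hunk.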

+ 110
- 0
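--- a/deployment_scripts/puppet/modules/plugin_ldap/manifests/keystone.pp
+++ b/deployment_scripts/puppet/modules/plugin_ldap/manifests/keystone.pp
@@ -0,0 +1,110 @@
+define plugin_ldap::keystone (
+  $domain                 = undef,
+  $identity_driver        = undef,
+  $url                    = undef,
+  $use_tls                = undef,
+  $ca_chain               = undef,
+  $suffix                 = undef,
+  $user                   = undef,
+  $password               = undef,
+  $query_scope            = undef,
+  $user_tree_dn           = undef,
+  $user_filter            = undef,
+  $user_objectclass       = undef,
+  $user_id_attribute      = undef,
+  $user_name_attribute    = undef,
+  $user_pass_attribute    = undef,
+  $user_enabled_attribute = undef,
+  $user_enabled_default   = undef,
+  $user_enabled_mask      = undef,
+  $user_allow_create      = undef,
+  $user_allow_update      = undef,
+  $user_allow_delete      = undef,
+  $group_tree_dn          = undef,
+  $group_filter           = undef,
+  $group_objectclass      = undef,
+  $group_id_attribute     = undef,
+  $group_name_attribute   = undef,
+  $group_member_attribute = undef,
+  $group_desc_attribute   = undef,
+  $group_allow_create     = undef,
+  $group_allow_update     = undef,
+  $group_allow_delete     = undef,
+){
+
+  if $use_tls {
+    $cacertfile = "/usr/local/share/ca-certificates/cacert-ldap-${domain}.crt"
+
+    if $ca_chain {
+      $tls_cacertdir = '/etc/ssl/certs'
+    }
+    else {
+      $tls_cacertdir = ''
+    }
+
+    if $ca_chain {
+      file { $cacertfile:
+        ensure  => file,
+        mode    => 0644,
+        content => $ca_chain,
+      }
+      ~>
+      exec { "$domain" :
+        command => '/usr/sbin/update-ca-certificates'
+      }
+    }
+  }
+
+  file { "/etc/keystone/domains/keystone.${domain}.conf":
+    ensure  => 'file',
+    owner   => 'root',
+    group   => 'root',
+    mode    => '644',
+    require => File['/etc/keystone/domains'],
+  }
+
+  File["/etc/keystone/domains/keystone.${domain}.conf"] -> Keystone_config <||>
+
+  Keystone_config {
+    provider => 'ini_setting_domain',
+  }
+
+  keystone_config {
+    "${domain}/identity/driver":             value => $identity_driver;
+    "${domain}/ldap/url":                    value => $url;
+    "${domain}/ldap/use_tls":                value => $use_tls;
+    "${domain}/ldap/tls_cacertdir":          value => $tls_cacertdir;
+    "${domain}/ldap/suffix":                 value => $suffix;
+    "${domain}/ldap/user":                   value => $user;
+    "${domain}/ldap/password":               value => $password;
+    "${domain}/ldap/query_scope":            value => $query_scope;
+    "${domain}/ldap/user_tree_dn":           value => $user_tree_dn;
+    "${domain}/ldap/user_filter":            value => $user_filter;
+    "${domain}/ldap/user_objectclass":       value => $user_objectclass;
+    "${domain}/ldap/user_id_attribute":      value => $user_id_attribute;
+    "${domain}/ldap/user_name_attribute":    value => $user_name_attribute;
+    "${domain}/ldap/user_pass_attribute":    value => $user_pass_attribute;
+    "${domain}/ldap/user_enabled_attribute": value => $user_enabled_attribute;
+    "${domain}/ldap/user_enabled_default":   value => $user_enabled_default;
+    "${domain}/ldap/user_enabled_mask":      value => $user_enabled_mask;
+    "${domain}/ldap/user_allow_create":      value => $user_allow_create;
+    "${domain}/ldap/user_allow_update":      value => $user_allow_update;
+    "${domain}/ldap/user_allow_delete":      value => $user_allow_delete;
+    "${domain}/ldap/group_tree_dn":          value => $group_tree_dn;
+    "${domain}/ldap/group_filter":           value => $group_filter;
+    "${domain}/ldap/group_objectclass":      value => $group_objectclass;
+    "${domain}/ldap/group_id_attribute":     value => $group_id_attribute;
+    "${domain}/ldap/group_name_attribute":   value => $group_name_attribute;
+    "${domain}/ldap/group_member_attribute": value => $group_member_attribute;
+    "${domain}/ldap/group_desc_attribute":   value => $group_desc_attribute;
+    "${domain}/ldap/group_allow_create":     value => $group_allow_create;
+    "${domain}/ldap/group_allow_update":     value => $group_allow_update;
+    "${domain}/ldap/group_allow_delete":     value => $group_allow_delete;
+  }
+
+  keystone_domain { "${domain}":
+    ensure  => present,
+    enabled => true,
+  }
+
+}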
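Review bot: `/etc/keystone/domains/keystone.${domain}.conf` is created on lines 58-64 with `owner => 'root'`, `group => 'root'`, `mode => '644'`, yet the `keystone_config` block on line 79 writes the LDAP bind `password` into that very file, so the directory credential is world-readable on the controller. Restrict it to the account Keystone runs under, e.g. `group => 'keystone', mode => '0640'` (group name to be confirmed for this distribution). The `exec { "$domain": ... }` on lines 52-54 has no `refreshonly => true`, so update-ca-certificates runs on every agent run for every TLS domain rather than only when the chain file changes, and `mode => 0644` on line 48 should be quoted like the other modes in the file. When `$use_tls` is false `$tls_cacertdir` is never assigned but is still written on line 76; that was carried over from the old controller code, but it is now repeated for each domain.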

+ 40
- 0
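--- a/deployment_scripts/puppet/modules/plugin_ldap/manifests/multiple_domain.pp
+++ b/deployment_scripts/puppet/modules/plugin_ldap/manifests/multiple_domain.pp
@@ -0,0 +1,40 @@
+define plugin_ldap::multiple_domain (
+  $domain_info     = $title,
+  $identity_driver = undef
+){
+  $domain_params_hash = parse_it($domain_info)
+  plugin_ldap::keystone { "$domain_params_hash['domain']" :
+    domain                 => $domain_params_hash['domain'],
+    identity_driver        => $identity_driver,
+    url                    => $domain_params_hash['url'],
+    use_tls                => $domain_params_hash['use_tls'],
+    ca_chain               => $domain_params_hash['ca_chain'],
+    suffix                 => $domain_params_hash['suffix'],
+    user                   => $domain_params_hash['user'],
+    password               => $domain_params_hash['password'],
+    query_scope            => $domain_params_hash['query_scope'],
+    user_tree_dn           => $domain_params_hash['user_tree_dn'],
+    user_filter            => $domain_params_hash['user_filter'],
+    user_objectclass       => $domain_params_hash['user_objectclass'],
+    user_id_attribute      => $domain_params_hash['user_id_attribute'],
+    user_name_attribute    => $domain_params_hash['user_name_attribute'],
+    user_pass_attribute    => $domain_params_hash['user_pass_attribute'],
+    user_enabled_attribute => $domain_params_hash['user_enabled_attribute'],
+    user_enabled_default   => $domain_params_hash['user_enabled_default'],
+    user_enabled_mask      => $domain_params_hash['user_enabled_mask'],
+    user_allow_create      => $domain_params_hash['user_allow_create'],
+    user_allow_update      => $domain_params_hash['user_allow_update'],
+    user_allow_delete      => $domain_params_hash['user_allow_delete'],
+    group_tree_dn          => $domain_params_hash['group_tree_dn'],
+    group_filter           => $domain_params_hash['group_filter'],
+    group_objectclass      => $domain_params_hash['group_objectclass'],
+    group_id_attribute     => $domain_params_hash['group_id_attribute'],
+    group_name_attribute   => $domain_params_hash['group_name_attribute'],
+    group_member_attribute => $domain_params_hash['group_member_attribute'],
+    group_desc_attribute   => $domain_params_hash['group_desc_attribute'],
+    group_allow_create     => $domain_params_hash['group_allow_create'],
+    group_allow_update     => $domain_params_hash['group_allow_update'],
+    group_allow_delete     => $domain_params_hash['group_allow_delete'],
+  }
+
+}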
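Review bot: The title on line 6, `"$domain_params_hash['domain']"`, is an unbraced interpolation; Puppet interpolates only `$domain_params_hash` there and the `['domain']` stays literal, so — if the running Puppet version stringifies the hash the way I expect — the resource title becomes the whole flattened hash, bind password included, and surfaces in the catalog, reports and agent logs. `"${domain_params_hash['domain']}"` is the intended form. Nothing checks that the block actually contained a `domain` line; a missing key leaves the title and `domain` parameter undef and fails somewhere downstream, so a guard such as `if ! $domain_params_hash['domain'] { fail('additional domain block lacks a domain= line') }` before the declaration would point at the offending block. The `use_tls` value passed on line 10 is a string from the textarea rather than a boolean, so `if $use_tls` in plugin_ldap::keystone will treat a literal `false` as true under Puppet 3 string semantics; converting it with `str2bool` (or documenting the accepted values) would make the intent explicit.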

+ 6
- 0
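--- a/environment_config.yaml
+++ b/environment_config.yaml
@@ -146,3 +146,9 @@ attributes:
     description: 'LDAP attribute mapped to description.'
     weight: 105
     type: "text"
+  additional_domains:
+    type: "textarea"
+    weight: 110
+    value: ''
+    label: "List of additional Domains"
+    description: "Blocks of additional domains/parameters that should be created"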
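Review bot: The description on line 154 says that blocks of domains/parameters are expected but not how to write them; since the manifest splits this text on blank lines and `parse_it` reads one `key=value` per line, the field should say so, e.g. `description: "One key=value per line (domain, url, use_tls, suffix, user, password, ...); separate domains with an empty line. A ca_chain= value may span several lines."`. Each additional domain's bind password is entered into a plain textarea, so it is displayed in clear in the UI and stored with the other settings; if the primary `password` attribute elsewhere in this file uses a masked type, that difference is worth stating here.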

+ 4
- 4
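--- a/metadata.yaml
+++ b/metadata.yaml
@@ -1,16 +1,16 @@
 name: ldap
 title: LDAP plugin for Keystone
-version: '1.0.0'
+version: '2.0.0'
 description: Enable to use LDAP authentication backend for Keystone
-fuel_version: ['7.0']
+fuel_version: ['8.0']
 licenses: ['Apache License Version 2.0']
 authors: ['Mirantis']
 homepage: 'https://github.com/stackforge/fuel-plugin-ldap'
 groups: ['network']
 releases:
   - os: ubuntu
-    version: 2015.1-7.0
-    mode: ['ha', 'multinode']
+    version: liberty-8.0
+    mode: ['ha']
     deployment_scripts_path: deployment_scripts/
     repository_path: repositories/ubuntu
 package_version: '3.0.0'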
