From 1ee26028ee527e3eba82ff164724ea699efa005f Mon Sep 17 00:00:00 2001
From: Andy McCrae
Date: Thu, 23 Jul 2015 14:15:40 +0100
Subject: [PATCH] Adjust SSH key creation method for Keystone

This patch ensures that the authorized_keys ansible module, as well as the built in "generate_ssh_keys" flag for user creation, so that we can avoid using shell out commands. Additionally, this moves the key synchronisation to use ansible variables instead of the memcache server.

Change-Id: I0072b8d0977ab9aea10dd95080756f6864612013
Closes-Bug: #1477512
---
 defaults/main.yml | 4 +
 tasks/keystone_key_create.yml | 74 ------------------
 tasks/keystone_key_distribute.yml | 20 ++---
 ...ey_store.yml => keystone_key_populate.yml} | 29 ++++----
 tasks/keystone_key_setup.yml | 11 +--
 tasks/keystone_pre_install.yml | 16 ++++
 6 files changed, 40 insertions(+), 114 deletions(-)
 delete mode 100644 tasks/keystone_key_create.yml
 rename tasks/{keystone_key_store.yml => keystone_key_populate.yml} (53%)

diff --git a/defaults/main.yml b/defaults/main.yml
index 83ec5503..07b0a937 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -150,6 +150,10 @@ keystone_ssl_cipher_suite: "{{ ssl_cipher_suite }}"
 keystone_ldap_identity_driver: keystone.identity.backends.ldap.Identity
 keystone_ldap_domain_config_dir: /etc/keystone/domains
 
+# If you want to regenerate the keystone users SSH keys, on each run, set this var to True
+# Otherwise keys will be generated on the first run and not regenerated each run.
+keystone_recreate_keys: False
+
 ## Policy vars
 # Provide a list of access controls to update the default policy.json with. These changes will be merged
 # with the access controls in the default policy.json. E.g.
diff --git a/tasks/keystone_key_create.yml b/tasks/keystone_key_create.yml
deleted file mode 100644
index 4484de11..00000000
--- a/tasks/keystone_key_create.yml
+++ /dev/null
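Review bot: `keystone_recreate_keys: False` in the new defaults/main.yml block uses a capitalised YAML 1.1 boolean; write it as `keystone_recreate_keys: false`, the lowercase form yamllint's truthy rule and the rest of the YAML tooling expect, which the consumer's `| bool` filter reads just the same. The comment above it could also state what the flag really controls: when set, the pre-install tasks delete id_rsa, id_rsa.pub and authorized_keys before the user module regenerates the key, and that is the only path in this change that purges keys belonging to hosts no longer in keystone_all. Suggested wording: `# Set to true to delete and regenerate the keystone user's SSH key pair and authorized_keys on every run; this is also the only way stale peer keys are removed.`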
@@ -1,74 +0,0 @@
----
-# Copyright 2015, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-- name: Remove old key file(s) if found
-  file:
-    path: "{{ item }}"
-    state: "absent"
-  with_items:
-    - "{{ keystone_system_user_home }}/.ssh/authorized_keys"
-    - "{{ keystone_system_user_home }}/.ssh/id_rsa"
-    - "{{ keystone_system_user_home }}/.ssh/id_rsa.pub"
-  tags:
-    - keystone-key
-    - keystone-key-create
-
-- name: Create the keystone SSH key if it doesnt exist
-  command: |
-    ssh-keygen -f {{ keystone_system_user_home }}/.ssh/id_rsa -t rsa -q -N ""
-  sudo: yes
-  sudo_user: "{{ keystone_system_user_name }}"
-  tags:
-    - keystone-key
-    - keystone-key-create
-
-- name: Create empty 'authorized_keys' file
-  file:
-    path: "{{ keystone_system_user_home }}/.ssh/authorized_keys"
-    state: "touch"
-  tags:
-    - keystone-key
-    - keystone-key-create
-
-- name: Change permissions on the generated keys
-  file:
-    path: "{{ item.path }}"
-    group: "{{ keystone_system_user_name }}"
-    owner: "{{ keystone_system_user_name }}"
-    mode: "{{ item.mode }}"
-  with_items:
-    - { path: "{{ keystone_system_user_home }}/.ssh/authorized_keys", mode: "0700" }
-    - { path: "{{ keystone_system_user_home }}/.ssh/id_rsa", mode: "0600" }
-    - { path: "{{ keystone_system_user_home }}/.ssh/id_rsa.pub", mode: "0644" }
-  tags:
-    - keystone-key
-    - keystone-key-create
-
-- name: Get public key contents
-  command: |
-    cat {{ keystone_system_user_home }}/.ssh/id_rsa.pub
-  register: keystone_pub
-  changed_when: false
-  tags:
-    - keystone-key
-    - keystone-key-create
-
-- name: Build authorized keys
-  shell: |
-    echo "{{ keystone_pub.stdout }}" | tee -a {{ keystone_system_user_home }}/.ssh/authorized_keys
-  delegate_to: "{{ groups['keystone_all'][0] }}"
-  tags:
-    - keystone-key
-    - keystone-key-create
diff --git a/tasks/keystone_key_distribute.yml b/tasks/keystone_key_distribute.yml
index 8b8f52ae..b41659ad 100644
--- a/tasks/keystone_key_distribute.yml
+++ b/tasks/keystone_key_distribute.yml
@@ -13,21 +13,11 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: Retrieve authorized keys
-  memcached:
-    name: "{{ item.name }}"
-    file_path: "{{ item.src }}"
-    state: "retrieve"
-    file_mode: "{{ item.file_mode }}"
-    dir_mode: "{{ item.dir_mode }}"
-    server: "{{ memcached_servers }}"
-    encrypt_string: "{{ memcached_encryption_key }}"
-  with_items:
-    - { src: "{{ keystone_system_user_home }}/.ssh/authorized_keys", name: "authorized_keys", file_mode: "0640", dir_mode: "0750" }
-  register: memcache_keys
-  until: memcache_keys|success
-  retries: 5
-  delay: 2
+- name: Create authorized keys file from host vars
+  authorized_key:
+    user: "{{ keystone_system_user_name }}"
+    key: "{{ hostvars[item]['keystone_pubkey'] }}"
+  with_items: groups['keystone_all']
   tags:
     - keystone-key
     - keystone-key-distribute
diff --git a/tasks/keystone_key_store.yml b/tasks/keystone_key_populate.yml
similarity index 53%
rename from tasks/keystone_key_store.yml
rename to tasks/keystone_key_populate.yml
index 4c24e778..92b58f93 100644
--- a/tasks/keystone_key_store.yml
+++ b/tasks/keystone_key_populate.yml
@@ -1,5 +1,5 @@
 ---
-# Copyright 2015, Rackspace US, Inc.
+# Copyright 2014, Rackspace US, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
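Review bot: The new `authorized_key` task in keystone_key_distribute.yml only ever adds entries, so a host removed from keystone_all keeps its key in every other node's authorized_keys until someone sets `keystone_recreate_keys`; the memcached version it replaces rewrote the whole file on each run, so this is a silent change in revocation behaviour. The module's `exclusive` option would restore that, but it is not loop-aware, so the keys would have to be joined into one newline-separated `key` value instead of looped with `with_items`; at minimum, document the retention behaviour on the task. Separately, `hostvars[item]['keystone_pubkey']` is undefined for any keystone_all host that did not run keystone_key_populate.yml earlier in the same play (unreachable, or excluded by `--limit`), which makes this task fail rather than skip that host. `with_items: groups['keystone_all']` is also a bare expression; `with_items: "{{ groups['keystone_all'] }}"` is the form later Ansible releases require.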
@@ -13,19 +13,18 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: Distribute authorized keys for cluster consumption
-  memcached:
-    name: "{{ item.name }}"
-    file_path: "{{ item.src }}"
-    state: "present"
-    server: "{{ memcached_servers }}"
-    encrypt_string: "{{ memcached_encryption_key }}"
-  with_items:
-    - { src: "{{ keystone_system_user_home }}/.ssh/authorized_keys", name: "authorized_keys" }
-  register: memcache_keys
-  until: memcache_keys|success
-  retries: 5
-  delay: 2
+- name: Get public key contents and store as var
+  command: |
+    cat {{ keystone_system_user_home }}/.ssh/id_rsa.pub
+  register: keystone_pub
+  changed_when: false
   tags:
     - keystone-key
-    - keystone-key-store
+    - keystone-key-create
+
+- name: Register a fact for the keystone pub key
+  set_fact:
+    keystone_pubkey: "{{ keystone_pub.stdout }}"
+  tags:
+    - keystone-key
+    - keystone-key-create
diff --git a/tasks/keystone_key_setup.yml b/tasks/keystone_key_setup.yml
index ba8e7c1c..6a208914 100644
--- a/tasks/keystone_key_setup.yml
+++ b/tasks/keystone_key_setup.yml
@@ -13,21 +13,12 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- include: keystone_key_create.yml
+- include: keystone_key_populate.yml
   tags:
     - keystone-key
     - keystone-key-create
 
-- include: keystone_key_store.yml
-  when: >
-    inventory_hostname == groups['keystone_all'][0]
-  tags:
-    - keystone-key
-    - keystone-key-store
-
 - include: keystone_key_distribute.yml
-  when: >
-    inventory_hostname != groups['keystone_all'][0]
   tags:
     - keystone-key
     - keystone-key-distribute
diff --git a/tasks/keystone_pre_install.yml b/tasks/keystone_pre_install.yml
index 832f03be..39fbdbf6 100644
--- a/tasks/keystone_pre_install.yml
+++ b/tasks/keystone_pre_install.yml
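Review bot: The commit message says the change avoids shelling out, but the new task in keystone_key_populate.yml still reads id_rsa.pub by running `cat` through the `command` module. The `slurp` module does the same read natively: `slurp: src="{{ keystone_system_user_home }}/.ssh/id_rsa.pub"` with `register: keystone_pub`, and then `keystone_pubkey: "{{ keystone_pub.content | b64decode | trim }}"` in the set_fact, which also removes the need for `changed_when: false`. The earlier hunk in the same file moves the copyright year from 2015 back to 2014, which looks accidental for a renamed file.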
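Review bot: keystone_key_setup.yml now includes keystone_key_distribute.yml unconditionally, and that include reads `hostvars[...]['keystone_pubkey']`, which only exists if keystone_key_populate.yml has already run on every host in keystone_all within the same play; nothing in this file records that ordering dependency, and a future reorder or a `when:` on the first include would break it silently. Add a comment above the distribute include, e.g. `# Must follow keystone_key_populate.yml on every keystone_all host: it reads hostvars[*].keystone_pubkey set there`. Any includes after this hunk are outside my view.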
@@ -21,6 +21,19 @@
   tags:
     - keystone-group
 
+- name: Remove old key file(s) if found
+  file:
+    path: "{{ item }}"
+    state: "absent"
+  with_items:
+    - "{{ keystone_system_user_home }}/.ssh/authorized_keys"
+    - "{{ keystone_system_user_home }}/.ssh/id_rsa"
+    - "{{ keystone_system_user_home }}/.ssh/id_rsa.pub"
+  when: keystone_recreate_keys | bool
+  tags:
+    - keystone-key
+    - keystone-key-create
+
 - name: Create the keystone system user
   user:
     name: "{{ keystone_system_user_name }}"
@@ -30,8 +43,11 @@
     system: "yes"
     createhome: "yes"
     home: "{{ keystone_system_user_home }}"
+    generate_ssh_key: "yes"
   tags:
     - keystone-user
+    - keystone-key
+    - keystone-key-create
 
 - name: Create keystone dir
   file:
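Review bot: `generate_ssh_key: "yes"` in keystone_pre_install.yml leaves the key type, size and comment at the user module's defaults, for a key that grants the keystone user login on every other keystone_all node; pin them so the policy is explicit and survives module default changes, e.g. `ssh_key_type: rsa` and `ssh_key_bits: 2048` next to it (the deleted ssh-keygen call named the rsa type explicitly and left the size to the tool, so this keeps parity while making it visible). Prefer a real boolean, `generate_ssh_key: true`, over the quoted string `"yes"`; the neighbouring `system: "yes"` and `createhome: "yes"` are pre-existing. The user task starts in the previous hunk's context and its other parameters lie outside these hunks.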