Adjust SSH key creation method for Keystone

This patch ensures that the authorized_keys ansible module, as well as the built in "generate_ssh_keys" flag for user creation, so that we can avoid using shell out commands. Additionally, this moves the key synchronisation to use ansible variables instead of the memcache server. Change-Id: I0072b8d0977ab9aea10dd95080756f6864612013 Closes-Bug: #1477512
2015-07-23 14:15:40 +01:00 · 2015-07-23 14:15:40 +01:00 · 1ee26028ee
commit 1ee26028ee
parent 89c86fc671
6 changed files with 40 additions and 114 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -150,6 +150,10 @@ keystone_ssl_cipher_suite: "{{ ssl_cipher_suite }}"
 keystone_ldap_identity_driver: keystone.identity.backends.ldap.Identity
 keystone_ldap_domain_config_dir: /etc/keystone/domains

+# If you want to regenerate the keystone users SSH keys, on each run, set this var to True
+# Otherwise keys will be generated on the first run and not regenerated each run.
+keystone_recreate_keys: False
+
 ## Policy vars
 # Provide a list of access controls to update the default policy.json with. These changes will be merged
 # with the access controls in the default policy.json. E.g.
--- a/tasks/keystone_key_create.yml
+++ b/tasks/keystone_key_create.yml
@ -1,74 +0,0 @@
---
-# Copyright 2015, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
- name: Remove old key file(s) if found
-  file:
-    path: "{{ item }}"
-    state: "absent"
-  with_items:
-    - "{{ keystone_system_user_home }}/.ssh/authorized_keys"
-    - "{{ keystone_system_user_home }}/.ssh/id_rsa"
-    - "{{ keystone_system_user_home }}/.ssh/id_rsa.pub"
-  tags:
-    - keystone-key
-    - keystone-key-create
-
- name: Create the keystone SSH key if it doesnt exist
-  command: |
-    ssh-keygen -f {{ keystone_system_user_home }}/.ssh/id_rsa -t rsa -q -N ""
-  sudo: yes
-  sudo_user: "{{ keystone_system_user_name }}"
-  tags:
-    - keystone-key
-    - keystone-key-create
-
- name: Create empty 'authorized_keys' file
-  file:
-    path: "{{ keystone_system_user_home }}/.ssh/authorized_keys"
-    state: "touch"
-  tags:
-    - keystone-key
-    - keystone-key-create
-
- name: Change permissions on the generated keys
-  file:
-    path: "{{ item.path }}"
-    group: "{{ keystone_system_user_name }}"
-    owner: "{{ keystone_system_user_name }}"
-    mode: "{{ item.mode }}"
-  with_items:
-    - { path: "{{ keystone_system_user_home }}/.ssh/authorized_keys", mode: "0700" }
-    - { path: "{{ keystone_system_user_home }}/.ssh/id_rsa", mode: "0600" }
-    - { path: "{{ keystone_system_user_home }}/.ssh/id_rsa.pub", mode: "0644" }
-  tags:
-    - keystone-key
-    - keystone-key-create
-
- name: Get public key contents
-  command: |
-    cat {{ keystone_system_user_home }}/.ssh/id_rsa.pub
-  register: keystone_pub
-  changed_when: false
-  tags:
-    - keystone-key
-    - keystone-key-create
-
- name: Build authorized keys
-  shell: |
-    echo "{{ keystone_pub.stdout }}" | tee -a {{ keystone_system_user_home }}/.ssh/authorized_keys
-  delegate_to: "{{ groups['keystone_all'][0] }}"
-  tags:
-    - keystone-key
-    - keystone-key-create
--- a/tasks/keystone_key_distribute.yml
+++ b/tasks/keystone_key_distribute.yml
@ -13,21 +13,11 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- name: Retrieve authorized keys
-  memcached:
-    name: "{{ item.name }}"
-    file_path: "{{ item.src }}"
-    state: "retrieve"
-    file_mode: "{{ item.file_mode }}"
-    dir_mode: "{{ item.dir_mode }}"
-    server: "{{ memcached_servers }}"
-    encrypt_string: "{{ memcached_encryption_key }}"
-  with_items:
-    - { src: "{{ keystone_system_user_home }}/.ssh/authorized_keys", name: "authorized_keys", file_mode: "0640", dir_mode: "0750" }
-  register: memcache_keys
-  until: memcache_keys|success
-  retries: 5
-  delay: 2
+- name: Create authorized keys file from host vars
+  authorized_key:
+    user: "{{ keystone_system_user_name }}"
+    key: "{{ hostvars[item]['keystone_pubkey'] }}"
+  with_items: groups['keystone_all']
  tags:
    - keystone-key
    - keystone-key-distribute
--- a/tasks/keystone_key_populate.yml
+++ b/tasks/keystone_key_populate.yml
@ -1,5 +1,5 @@
 ---
-# Copyright 2015, Rackspace US, Inc.
+# Copyright 2014, Rackspace US, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@ -13,19 +13,18 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- name: Distribute authorized keys for cluster consumption
-  memcached:
-    name: "{{ item.name }}"
-    file_path: "{{ item.src }}"
-    state: "present"
-    server: "{{ memcached_servers }}"
-    encrypt_string: "{{ memcached_encryption_key }}"
-  with_items:
-    - { src: "{{ keystone_system_user_home }}/.ssh/authorized_keys", name: "authorized_keys" }
-  register: memcache_keys
-  until: memcache_keys|success
-  retries: 5
-  delay: 2
+- name: Get public key contents and store as var
+  command: |
+    cat {{ keystone_system_user_home }}/.ssh/id_rsa.pub
+  register: keystone_pub
+  changed_when: false
  tags:
    - keystone-key
-    - keystone-key-store
+    - keystone-key-create
+
+- name: Register a fact for the keystone pub key
+  set_fact:
+     keystone_pubkey: "{{ keystone_pub.stdout }}"
+  tags:
+    - keystone-key
+    - keystone-key-create
--- a/tasks/keystone_key_setup.yml
+++ b/tasks/keystone_key_setup.yml
@ -13,21 +13,12 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- include: keystone_key_create.yml
+- include: keystone_key_populate.yml
  tags:
    - keystone-key
    - keystone-key-create

- include: keystone_key_store.yml
-  when: >
-    inventory_hostname == groups['keystone_all'][0]
-  tags:
-    - keystone-key
-    - keystone-key-store
-
 - include: keystone_key_distribute.yml
-  when: >
-    inventory_hostname != groups['keystone_all'][0]
  tags:
    - keystone-key
    - keystone-key-distribute
--- a/tasks/keystone_pre_install.yml
+++ b/tasks/keystone_pre_install.yml
@ -21,6 +21,19 @@
  tags:
    - keystone-group

+- name: Remove old key file(s) if found
+  file:
+    path: "{{ item }}"
+    state: "absent"
+  with_items:
+    - "{{ keystone_system_user_home }}/.ssh/authorized_keys"
+    - "{{ keystone_system_user_home }}/.ssh/id_rsa"
+    - "{{ keystone_system_user_home }}/.ssh/id_rsa.pub"
+  when: keystone_recreate_keys | bool
+  tags:
+    - keystone-key
+    - keystone-key-create
+
 - name: Create the keystone system user
  user:
    name: "{{ keystone_system_user_name }}"
@ -30,8 +43,11 @@
    system: "yes"
    createhome: "yes"
    home: "{{ keystone_system_user_home }}"
+    generate_ssh_key: "yes"
  tags:
    - keystone-user
+    - keystone-key
+    - keystone-key-create

 - name: Create keystone dir
  file: