From 474773b771639d757c6bede3998c4f58dfd570e6 Mon Sep 17 00:00:00 2001
From: Ian Cordasco
Date: Tue, 24 Mar 2015 21:09:41 -0500
Subject: [PATCH] Update Keystone config and policy for Kilo

Keystone's config file updated with new options that need to be exposed as configurable options (e.g., Proxy Forwarded SSL Header). Keystone's default policy file has also changed in Kilo so we are pulling in an updated copy to match the new version.

Partially implements blueprint: master-kilofication

Change-Id: Ib98e54940acfa9627e6d10c10964d87528b4a9b7
---
 defaults/main.yml | 3 +++
 files/policy.json | 22 +++++++++++++++++-----
 templates/keystone.conf.j2 | 13 +++++++++----
 3 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 01bc4323..2378fa1d 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -77,6 +77,9 @@ keystone_admin_user_name: admin
 keystone_admin_tenant_name: admin
 keystone_admin_description: Admin Tenant
 
+## Secure Proxy SSL Information
+#keystone_secure_proxy_ssl_header: X-Forwarded-For
+
 ## Service Type and Data
 keystone_service_region: RegionOne
 keystone_service_name: keystone
diff --git a/files/policy.json b/files/policy.json
index af65205e..e7db5ea3 100644
--- a/files/policy.json
+++ b/files/policy.json
@@ -4,6 +4,8 @@
 "service_or_admin": "rule:admin_required or rule:service_role",
 "owner" : "user_id:%(user_id)s",
 "admin_or_owner": "rule:admin_required or rule:owner",
+ "token_subject": "user_id:%(target.token.user_id)s",
+ "admin_or_token_subject": "rule:admin_required or rule:token_subject",
 
 "default": "rule:admin_required",
 
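Review bot: The example value on the new commented line, `#keystone_secure_proxy_ssl_header: X-Forwarded-For`, names the client-address header, which is not what Keystone's `secure_proxy_ssl_header` option reads; that option takes the WSGI environ key of the header that carries the original request scheme, and Keystone's sample config gives `HTTP_X_FORWARDED_PROTO` as the typical value. A deployer who uncomments the line as written would point Keystone at a header that never carries a scheme, so the scheme it derives for proxied requests would not be corrected. Suggest `#keystone_secure_proxy_ssl_header: HTTP_X_FORWARDED_PROTO` preceded by `# Only set when a TLS-terminating proxy in front of Keystone overwrites this header on every request; Keystone trusts its value.`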
@@ -62,7 +64,7 @@
 "identity:update_credential": "rule:admin_required",
 "identity:delete_credential": "rule:admin_required",
 
- "identity:ec2_get_credential": "rule:admin_or_owner",
+ "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
 "identity:ec2_list_credentials": "rule:admin_or_owner",
 "identity:ec2_create_credential": "rule:admin_or_owner",
 "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
@@ -90,13 +92,12 @@
 "identity:validate_token": "rule:service_or_admin",
 "identity:validate_token_head": "rule:service_or_admin",
 "identity:revocation_list": "rule:service_or_admin",
- "identity:revoke_token": "rule:admin_or_owner",
+ "identity:revoke_token": "rule:admin_or_token_subject",
 
 "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
 "identity:get_trust": "rule:admin_or_owner",
 "identity:list_trusts": "",
 "identity:list_roles_for_trust": "",
- "identity:check_role_for_trust": "",
 "identity:get_role_for_trust": "",
 "identity:delete_trust": "",
 
@@ -126,7 +127,7 @@
 "identity:delete_endpoint_group": "rule:admin_required",
 "identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
 "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
- "identity:list_endpoint_groups_for_project": "rule:admin_required",
+ "identity:get_endpoint_group_in_project": "rule:admin_required",
 "identity:add_endpoint_group_to_project": "rule:admin_required",
 "identity:remove_endpoint_group_from_project": "rule:admin_required",
 
@@ -148,6 +149,12 @@
 "identity:delete_mapping": "rule:admin_required",
 "identity:update_mapping": "rule:admin_required",
 
+ "identity:create_service_provider": "rule:admin_required",
+ "identity:list_service_providers": "rule:admin_required",
+ "identity:get_service_provider": "rule:admin_required",
+ "identity:update_service_provider": "rule:admin_required",
+ "identity:delete_service_provider": "rule:admin_required",
+
 "identity:get_auth_catalog": "",
 "identity:get_auth_projects": "",
 "identity:get_auth_domains": "",
@@ -167,5 +174,10 @@
 "identity:check_policy_association_for_region_and_service": "rule:admin_required",
 "identity:delete_policy_association_for_region_and_service": "rule:admin_required",
 "identity:get_policy_for_endpoint": "rule:admin_required",
- "identity:list_endpoints_for_policy": "rule:admin_required"
+ "identity:list_endpoints_for_policy": "rule:admin_required",
+
+ "identity:create_domain_config": "rule:admin_required",
+ "identity:get_domain_config": "rule:admin_required",
+ "identity:update_domain_config": "rule:admin_required",
+ "identity:delete_domain_config": "rule:admin_required"
 }
diff --git a/templates/keystone.conf.j2 b/templates/keystone.conf.j2
index 8e45a9b7..065e28e2 100644
--- a/templates/keystone.conf.j2
+++ b/templates/keystone.conf.j2
@@ -10,11 +10,12 @@ public_endpoint = {{ keystone_public_endpoint }}
 admin_endpoint = {{ keystone_service_adminuri }}
 fatal_deprecations = {{ keystone_fatal_deprecations }}
 
+{% if keystone_ssl_enabled == true and keystone_secure_proxy_ssl_header is defined %}
+secure_proxy_ssl_header = {{ keystone_secure_proxy_ssl_header }}
+{% endif %}
+
 log_file = keystone.log
 log_dir = /var/log/keystone
-rabbit_hosts = {{ rabbitmq_servers }}
-rabbit_userid = {{ rabbitmq_userid }}
-rabbit_password = {{ rabbitmq_password }}
 
 rpc_backend = {{ keystone_rpc_backend }}
 
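Review bot: The new guard `{% if keystone_ssl_enabled == true and keystone_secure_proxy_ssl_header is defined %}` compares against the Python literal `true`, so an inventory value supplied as the string `"true"` or `"yes"` will not match and `secure_proxy_ssl_header` silently stays unset; the usual Ansible form is `{% if keystone_ssl_enabled | bool and keystone_secure_proxy_ssl_header is defined %}`. Tying the option to `keystone_ssl_enabled` also deserves a second look: `secure_proxy_ssl_header` exists for the deployment where a proxy in front of Keystone terminates TLS, and if `keystone_ssl_enabled` (defined outside this hunk) means Keystone's own listener does TLS, the two conditions may rarely hold at once. Whatever the gate, Keystone trusts the named header's value, so the option should only be rendered when the fronting proxy sets or strips that header on every request.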
@@ -85,8 +86,12 @@ cache_time = {{ keystone_token_cache_time }}
 provider = {{ keystone_token_provider }}
 driver = {{ keystone_token_driver }}
 
-
 [eventlet_server]
 admin_bind_host = {{ keystone_bind_address }}
 admin_port = {{ keystone_admin_port }}
 public_port = {{ keystone_service_port }}
+
+[oslo_messaging_rabbit]
+rabbit_hosts = {{ rabbitmq_servers }}
+rabbit_userid = {{ rabbitmq_userid }}
+rabbit_password = {{ rabbitmq_password }}
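Review bot: `rabbit_password` is still rendered in clear text, now into the new `[oslo_messaging_rabbit]` section at the end of the file rather than `[DEFAULT]`, so the protection of the rendered keystone.conf is unchanged by this move; the task that writes this template is outside the diff, so the owner and mode it applies cannot be confirmed here and are worth checking alongside this change. The `-` line at the top of the hunk appears to drop a blank line before `[eventlet_server]`, which is harmless but unrelated to the commit's subject; a one-line mention in the commit message, or leaving it out, would keep the change easier to review.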