Update Keystone config and policy for Kilo

Keystone's config file has been updated with new options that need to be exposed
as configurable options (e.g., Proxy Forwarded SSL Header).

Keystone's default policy file has also changed in Kilo so we are
pulling in an updated copy to match the new version.

Partially implements blueprint: master-kilofication

Change-Id: Ib98e54940acfa9627e6d10c10964d87528b4a9b7
This commit is contained in:
Ian Cordasco 2015-03-24 21:09:41 -05:00 committed by Jesse Pretorius
parent 149cde6e17
commit 474773b771
3 changed files with 29 additions and 9 deletions


@ -77,6 +77,9 @@ keystone_admin_user_name: admin
keystone_admin_tenant_name: admin keystone_admin_tenant_name: admin
keystone_admin_description: Admin Tenant keystone_admin_description: Admin Tenant
## Secure Proxy SSL Information
#keystone_secure_proxy_ssl_header: X-Forwarded-For
## Service Type and Data ## Service Type and Data
keystone_service_region: RegionOne keystone_service_region: RegionOne
keystone_service_name: keystone keystone_service_name: keystone
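Review bot: The commented-out example on the new `#keystone_secure_proxy_ssl_header: X-Forwarded-For` line names the wrong header: X-Forwarded-For carries the client address list, whereas Keystone's `secure_proxy_ssl_header` option names the header from which the original request scheme is read, and Keystone's own help text for that option gives HTTP_X_FORWARDED_PROTO (the WSGI environ form) as the typical value. An operator who uncomments the example as-is would have Keystone look for a scheme inside an IP list, so the endpoint-scheme correction the option exists for would silently never apply. I would change the line to `#keystone_secure_proxy_ssl_header: HTTP_X_FORWARDED_PROTO` and add a `##` comment stating that it must only name a header the TLS-terminating proxy in front of Keystone overwrites on every request, since Keystone trusts its value.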


@ -4,6 +4,8 @@
"service_or_admin": "rule:admin_required or rule:service_role", "service_or_admin": "rule:admin_required or rule:service_role",
"owner" : "user_id:%(user_id)s", "owner" : "user_id:%(user_id)s",
"admin_or_owner": "rule:admin_required or rule:owner", "admin_or_owner": "rule:admin_required or rule:owner",
"token_subject": "user_id:%(target.token.user_id)s",
"admin_or_token_subject": "rule:admin_required or rule:token_subject",
"default": "rule:admin_required", "default": "rule:admin_required",
@ -62,7 +64,7 @@
"identity:update_credential": "rule:admin_required", "identity:update_credential": "rule:admin_required",
"identity:delete_credential": "rule:admin_required", "identity:delete_credential": "rule:admin_required",
"identity:ec2_get_credential": "rule:admin_or_owner", "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
"identity:ec2_list_credentials": "rule:admin_or_owner", "identity:ec2_list_credentials": "rule:admin_or_owner",
"identity:ec2_create_credential": "rule:admin_or_owner", "identity:ec2_create_credential": "rule:admin_or_owner",
"identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)", "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
@ -90,13 +92,12 @@
"identity:validate_token": "rule:service_or_admin", "identity:validate_token": "rule:service_or_admin",
"identity:validate_token_head": "rule:service_or_admin", "identity:validate_token_head": "rule:service_or_admin",
"identity:revocation_list": "rule:service_or_admin", "identity:revocation_list": "rule:service_or_admin",
"identity:revoke_token": "rule:admin_or_owner", "identity:revoke_token": "rule:admin_or_token_subject",
"identity:create_trust": "user_id:%(trust.trustor_user_id)s", "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
"identity:get_trust": "rule:admin_or_owner", "identity:get_trust": "rule:admin_or_owner",
"identity:list_trusts": "", "identity:list_trusts": "",
"identity:list_roles_for_trust": "", "identity:list_roles_for_trust": "",
"identity:check_role_for_trust": "",
"identity:get_role_for_trust": "", "identity:get_role_for_trust": "",
"identity:delete_trust": "", "identity:delete_trust": "",
@ -126,7 +127,7 @@
"identity:delete_endpoint_group": "rule:admin_required", "identity:delete_endpoint_group": "rule:admin_required",
"identity:list_projects_associated_with_endpoint_group": "rule:admin_required", "identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
"identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required", "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
"identity:list_endpoint_groups_for_project": "rule:admin_required", "identity:get_endpoint_group_in_project": "rule:admin_required",
"identity:add_endpoint_group_to_project": "rule:admin_required", "identity:add_endpoint_group_to_project": "rule:admin_required",
"identity:remove_endpoint_group_from_project": "rule:admin_required", "identity:remove_endpoint_group_from_project": "rule:admin_required",
@ -148,6 +149,12 @@
"identity:delete_mapping": "rule:admin_required", "identity:delete_mapping": "rule:admin_required",
"identity:update_mapping": "rule:admin_required", "identity:update_mapping": "rule:admin_required",
"identity:create_service_provider": "rule:admin_required",
"identity:list_service_providers": "rule:admin_required",
"identity:get_service_provider": "rule:admin_required",
"identity:update_service_provider": "rule:admin_required",
"identity:delete_service_provider": "rule:admin_required",
"identity:get_auth_catalog": "", "identity:get_auth_catalog": "",
"identity:get_auth_projects": "", "identity:get_auth_projects": "",
"identity:get_auth_domains": "", "identity:get_auth_domains": "",
@ -167,5 +174,10 @@
"identity:check_policy_association_for_region_and_service": "rule:admin_required", "identity:check_policy_association_for_region_and_service": "rule:admin_required",
"identity:delete_policy_association_for_region_and_service": "rule:admin_required", "identity:delete_policy_association_for_region_and_service": "rule:admin_required",
"identity:get_policy_for_endpoint": "rule:admin_required", "identity:get_policy_for_endpoint": "rule:admin_required",
"identity:list_endpoints_for_policy": "rule:admin_required" "identity:list_endpoints_for_policy": "rule:admin_required",
"identity:create_domain_config": "rule:admin_required",
"identity:get_domain_config": "rule:admin_required",
"identity:update_domain_config": "rule:admin_required",
"identity:delete_domain_config": "rule:admin_required"
} }
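Review bot: Neither the file nor the commit message records which upstream Keystone revision this policy.json copy was taken from, so the next Kilo point release cannot be diffed against it without guesswork; strict JSON leaves no room for a header comment, so the upstream tag or commit belongs in the commit message or an adjacent note. The hunk at `identity:get_endpoint_group_in_project` replaces the former `identity:list_endpoint_groups_for_project` target rather than adding alongside it; a Keystone build that still enforces the old name would fall through to `default` (`rule:admin_required`), so nothing loosens, but it is worth confirming that the deployed Kilo code uses the new target name. The `identity:check_role_for_trust` removal in the `@ -90,13 +92,12` hunk is the same kind of rename-or-drop and deserves the same check.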


@ -10,11 +10,12 @@ public_endpoint = {{ keystone_public_endpoint }}
admin_endpoint = {{ keystone_service_adminuri }} admin_endpoint = {{ keystone_service_adminuri }}
fatal_deprecations = {{ keystone_fatal_deprecations }} fatal_deprecations = {{ keystone_fatal_deprecations }}
{% if keystone_ssl_enabled == true and keystone_secure_proxy_ssl_header is defined %}
secure_proxy_ssl_header = {{ keystone_secure_proxy_ssl_header }}
{% endif %}
log_file = keystone.log log_file = keystone.log
log_dir = /var/log/keystone log_dir = /var/log/keystone
rabbit_hosts = {{ rabbitmq_servers }}
rabbit_userid = {{ rabbitmq_userid }}
rabbit_password = {{ rabbitmq_password }}
rpc_backend = {{ keystone_rpc_backend }} rpc_backend = {{ keystone_rpc_backend }}
@ -85,8 +86,12 @@ cache_time = {{ keystone_token_cache_time }}
provider = {{ keystone_token_provider }} provider = {{ keystone_token_provider }}
driver = {{ keystone_token_driver }} driver = {{ keystone_token_driver }}
[eventlet_server] [eventlet_server]
admin_bind_host = {{ keystone_bind_address }} admin_bind_host = {{ keystone_bind_address }}
admin_port = {{ keystone_admin_port }} admin_port = {{ keystone_admin_port }}
public_port = {{ keystone_service_port }} public_port = {{ keystone_service_port }}
[oslo_messaging_rabbit]
rabbit_hosts = {{ rabbitmq_servers }}
rabbit_userid = {{ rabbitmq_userid }}
rabbit_password = {{ rabbitmq_password }}
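Review bot: The gate `{% if keystone_ssl_enabled == true and keystone_secure_proxy_ssl_header is defined %}` ties the proxy header to Keystone's own SSL setting, yet `secure_proxy_ssl_header` exists for the deployment where a proxy in front of Keystone terminates TLS and Keystone itself does not; if `keystone_ssl_enabled` means Keystone serves TLS directly, the condition enables the option exactly when it is irrelevant and suppresses it when it is needed, so the intended meaning of that variable is worth confirming before this merges. Independently, once the option is set Keystone takes the request scheme from that header as presented, so it is only safe when every route to Keystone passes through a proxy that overwrites the header; I would record that in the template with `{# secure_proxy_ssl_header is trusted as-is: set it only when the TLS-terminating proxy in front of Keystone overwrites this header on every request #}` directly above the if block. The config section these lines belong to starts before the hunk.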