Merge "Add support for deploying Keystone with Fernet"

defaults/main.yml

@@ -45,6 +45,10 @@ keystone_revocation_driver: keystone.contrib.revoke.backends.sql.Revoke
 keystone_revocation_cache_time: 3600
 keystone_revocation_expiration_buffer: 1800
 
+## Fernet config vars
+keystone_fernet_tokens_key_repository: "/etc/keystone/fernet-keys"
+keystone_fernet_tokens_max_active_keys: 3
+
 keystone_cache_expiration_time: 5400
 
 keystone_assignment_driver: keystone.assignment.backends.sql.Assignment
@@ -161,6 +165,7 @@ keystone_apt_packages:
   - libldap2-dev
   - libsasl2-dev
   - libxslt1.1
+  - rsync
 
 # Common pip packages
 keystone_pip_packages:

tasks/keystone_fernet.yml

@@ -0,0 +1,29 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- include: keystone_fernet_keys_create.yml
+  when: >
+    inventory_hostname == groups['keystone_all'][0]
+
+- include: keystone_fernet_keys_fetch.yml
+  when: >
+    inventory_hostname == groups['keystone_all'][0]
+
+- include: keystone_fernet_keys_distribute.yml
+  when: >
+    inventory_hostname != groups['keystone_all'][0] and
+    inventory_hostname in groups['keystone_all']
+
+- include: keystone_fernet_cleanup.yml

tasks/keystone_fernet_cleanup.yml

@@ -0,0 +1,24 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Clean up the local key clone
+  local_action:
+    module: file
+      path="/tmp/{{ keystone_fernet_tokens_key_repository|basename }}"
+      state=absent
+  tags:
+    - keystone-cleanup
+    - keystone-setup
+    - keystone-fernet

tasks/keystone_fernet_keys_create.yml

@@ -0,0 +1,38 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Check if fernet keys already exist
+  stat:
+    path: "{{ keystone_fernet_tokens_key_repository }}/0"
+  register: _fernet_keys
+  tags:
+    - keystone-fernet
+
+- name: Create fernet keys for Keystone
+  command: keystone-manage fernet_setup --keystone-user "{{ keystone_system_user_name }}" --keystone-group "{{ keystone_system_group_name }}"
+  sudo: yes
+  sudo_user: "{{ keystone_system_user_name }}"
+  when: not _fernet_keys.stat.exists
+  tags:
+    - keystone-setup
+    - keystone-fernet
+
+- name: Rotate fernet keys for Keystone
+  command: keystone-manage fernet_rotate --keystone-user "{{ keystone_system_user_name }}" --keystone-group "{{ keystone_system_group_name }}"
+  sudo: yes
+  sudo_user: "{{ keystone_system_user_name }}"
+  when: _fernet_keys.stat.exists
+  tags:
+    - keystone-fernet

tasks/keystone_fernet_keys_distribute.yml

@@ -0,0 +1,24 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Distribute the fernet keys to the other keystone containers
+  synchronize:
+    src: "/tmp/{{ keystone_fernet_tokens_key_repository|basename }}"
+    dest: "{{ keystone_fernet_tokens_key_repository|dirname }}"
+    recursive: yes
+    delete: yes
+  tags:
+    - keystone-setup
+    - keystone-fernet

tasks/keystone_fernet_keys_fetch.yml

@@ -0,0 +1,24 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Fetch the fernet key repository
+  synchronize:
+    src: "{{ keystone_fernet_tokens_key_repository }}"
+    dest: /tmp/
+    recursive: yes
+    mode: pull
+  tags:
+    - keystone-setup
+    - keystone-fernet

tasks/keystone_pre_install.yml

@@ -50,6 +50,21 @@
   tags:
     - keystone-dirs
 
+- name: Create keystone fernet-keys dir
+  file:
+    path: "{{ item.path }}"
+    state: directory
+    owner: "{{ item.owner|default(keystone_system_user_name) }}"
+    group: "{{ item.group|default(keystone_system_group_name) }}"
+    mode: "{{ item.mode }}"
+  with_items:
+    - { path: "{{ keystone_fernet_tokens_key_repository }}", mode: '0750' }
+  when: >
+    'fernet' in keystone_token_provider
+  tags:
+    - keystone-dirs
+    - keystone-fernet
+
 - name: Test for log directory or link
   shell: |
     if [ -h "/var/log/keystone"  ]; then

tasks/main.yml

@@ -15,6 +15,11 @@
 
 - include: keystone_pre_install.yml
 - include: keystone_install.yml
+
+- include: keystone_fernet.yml
+  when: >
+    'fernet' in keystone_token_provider
+
 - include: keystone_post_install.yml
 
 - include: keystone_db_setup.yml

templates/keystone.conf.j2

@@ -54,6 +54,11 @@ max_pool_size = {{ keystone_database_max_pool_size }}
 pool_timeout = {{ keystone_database_pool_timeout }}
 
 
+[fernet_keys]
+key_repository = {{ keystone_fernet_tokens_key_repository }}
+max_active_keys = {{ keystone_fernet_tokens_max_active_keys }}
+
+
 [identity]
 driver = {{ keystone_identity_driver }}
 {% if keystone_ldap is defined %}