Merge "Add support for deploying Keystone with Fernet"

2015-06-22 17:31:57 +00:00 · 2015-06-22 17:31:57 +00:00 · 9a868c3753
commit 9a868c3753
parent 394c7960bf 9e4a02482d
9 changed files with 169 additions and 0 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -45,6 +45,10 @@ keystone_revocation_driver: keystone.contrib.revoke.backends.sql.Revoke
 keystone_revocation_cache_time: 3600
 keystone_revocation_expiration_buffer: 1800

+## Fernet config vars
+keystone_fernet_tokens_key_repository: "/etc/keystone/fernet-keys"
+keystone_fernet_tokens_max_active_keys: 3
+
 keystone_cache_expiration_time: 5400

 keystone_assignment_driver: keystone.assignment.backends.sql.Assignment
@ -161,6 +165,7 @@ keystone_apt_packages:
  - libldap2-dev
  - libsasl2-dev
  - libxslt1.1
+  - rsync

 # Common pip packages
 keystone_pip_packages:
--- a/tasks/keystone_fernet.yml
+++ b/tasks/keystone_fernet.yml
@ -0,0 +1,29 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- include: keystone_fernet_keys_create.yml
+  when: >
+    inventory_hostname == groups['keystone_all'][0]
+
+- include: keystone_fernet_keys_fetch.yml
+  when: >
+    inventory_hostname == groups['keystone_all'][0]
+
+- include: keystone_fernet_keys_distribute.yml
+  when: >
+    inventory_hostname != groups['keystone_all'][0] and
+    inventory_hostname in groups['keystone_all']
+
+- include: keystone_fernet_cleanup.yml
--- a/tasks/keystone_fernet_cleanup.yml
+++ b/tasks/keystone_fernet_cleanup.yml
@ -0,0 +1,24 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Clean up the local key clone
+  local_action:
+    module: file
+      path="/tmp/{{ keystone_fernet_tokens_key_repository|basename }}"
+      state=absent
+  tags:
+    - keystone-cleanup
+    - keystone-setup
+    - keystone-fernet
--- a/tasks/keystone_fernet_keys_create.yml
+++ b/tasks/keystone_fernet_keys_create.yml
@ -0,0 +1,38 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Check if fernet keys already exist
+  stat:
+    path: "{{ keystone_fernet_tokens_key_repository }}/0"
+  register: _fernet_keys
+  tags:
+    - keystone-fernet
+
+- name: Create fernet keys for Keystone
+  command: keystone-manage fernet_setup --keystone-user "{{ keystone_system_user_name }}" --keystone-group "{{ keystone_system_group_name }}"
+  sudo: yes
+  sudo_user: "{{ keystone_system_user_name }}"
+  when: not _fernet_keys.stat.exists
+  tags:
+    - keystone-setup
+    - keystone-fernet
+
+- name: Rotate fernet keys for Keystone
+  command: keystone-manage fernet_rotate --keystone-user "{{ keystone_system_user_name }}" --keystone-group "{{ keystone_system_group_name }}"
+  sudo: yes
+  sudo_user: "{{ keystone_system_user_name }}"
+  when: _fernet_keys.stat.exists
+  tags:
+    - keystone-fernet
--- a/tasks/keystone_fernet_keys_distribute.yml
+++ b/tasks/keystone_fernet_keys_distribute.yml
@ -0,0 +1,24 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Distribute the fernet keys to the other keystone containers
+  synchronize:
+    src: "/tmp/{{ keystone_fernet_tokens_key_repository|basename }}"
+    dest: "{{ keystone_fernet_tokens_key_repository|dirname }}"
+    recursive: yes
+    delete: yes
+  tags:
+    - keystone-setup
+    - keystone-fernet
--- a/tasks/keystone_fernet_keys_fetch.yml
+++ b/tasks/keystone_fernet_keys_fetch.yml
@ -0,0 +1,24 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Fetch the fernet key repository
+  synchronize:
+    src: "{{ keystone_fernet_tokens_key_repository }}"
+    dest: /tmp/
+    recursive: yes
+    mode: pull
+  tags:
+    - keystone-setup
+    - keystone-fernet
--- a/tasks/keystone_pre_install.yml
+++ b/tasks/keystone_pre_install.yml
@ -50,6 +50,21 @@
  tags:
    - keystone-dirs

+- name: Create keystone fernet-keys dir
+  file:
+    path: "{{ item.path }}"
+    state: directory
+    owner: "{{ item.owner|default(keystone_system_user_name) }}"
+    group: "{{ item.group|default(keystone_system_group_name) }}"
+    mode: "{{ item.mode }}"
+  with_items:
+    - { path: "{{ keystone_fernet_tokens_key_repository }}", mode: '0750' }
+  when: >
+    'fernet' in keystone_token_provider
+  tags:
+    - keystone-dirs
+    - keystone-fernet
+
 - name: Test for log directory or link
  shell: |
    if [ -h "/var/log/keystone"  ]; then
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -15,6 +15,11 @@

 - include: keystone_pre_install.yml
 - include: keystone_install.yml
+
+- include: keystone_fernet.yml
+  when: >
+    'fernet' in keystone_token_provider
+
 - include: keystone_post_install.yml

 - include: keystone_db_setup.yml
--- a/templates/keystone.conf.j2
+++ b/templates/keystone.conf.j2
@ -54,6 +54,11 @@ max_pool_size = {{ keystone_database_max_pool_size }}
 pool_timeout = {{ keystone_database_pool_timeout }}


+[fernet_keys]
+key_repository = {{ keystone_fernet_tokens_key_repository }}
+max_active_keys = {{ keystone_fernet_tokens_max_active_keys }}
+
+
 [identity]
 driver = {{ keystone_identity_driver }}
 {% if keystone_ldap is defined %}