diff --git a/README.rst b/README.rst index 11cbcfe7..c1a226e5 100644 --- a/README.rst +++ b/README.rst @@ -32,7 +32,6 @@ details. # password used by the keystone service to interact with Galera keystone_container_mysql_password: "YourPassword" - keystone_auth_admin_token: "SuperSecreteTestToken" keystone_auth_admin_password: "SuperSecretePassword" keystone_service_password: "secrete" keystone_rabbitmq_password: "secrete" @@ -56,7 +55,6 @@ Example Playbook keystone_venv_tag: "testing" keystone_developer_mode: true keystone_git_install_branch: a55128044f763f5cfe2fdc57c738eaca97636448 - keystone_auth_admin_token: "SuperSecreteTestToken" keystone_auth_admin_password: "SuperSecretePassword" keystone_service_password: "secrete" keystone_rabbitmq_password: "secrete" diff --git a/tasks/keystone_federation_sp_idp_setup.yml b/tasks/keystone_federation_sp_idp_setup.yml index 9d0bb7ee..f0e0f888 100644 --- a/tasks/keystone_federation_sp_idp_setup.yml +++ b/tasks/keystone_federation_sp_idp_setup.yml @@ -28,7 +28,9 @@ keystone: command: ensure_domain domain_name: "{{ item.domain }}" - token: "{{ keystone_auth_admin_token }}" + login_user: "{{ keystone_admin_user_name }}" + login_password: "{{ keystone_auth_admin_password }}" + login_project_name: "{{ keystone_admin_tenant_name }}" endpoint: "{{ keystone_service_adminurl }}" insecure: "{{ keystone_service_adminuri_insecure }}" when: item.domain is defined @@ -41,7 +43,9 @@ command: ensure_project project_name: "{{ item.project }}" domain_name: "{{ item.domain | default('Default') }}" - token: "{{ keystone_auth_admin_token }}" + login_user: "{{ keystone_admin_user_name }}" + login_password: "{{ keystone_auth_admin_password }}" + login_project_name: "{{ keystone_admin_tenant_name }}" endpoint: "{{ keystone_service_adminurl }}" insecure: "{{ keystone_service_adminuri_insecure }}" when: item.project is defined 
@@ -56,7 +60,9 @@ password: "{{ item.password }}" project_name: "{{ item.project }}" domain_name: "{{ item.domain | default('Default') }}" - token: "{{ keystone_auth_admin_token }}" + login_user: "{{ keystone_admin_user_name }}" + login_password: "{{ keystone_auth_admin_password }}" + login_project_name: "{{ keystone_admin_tenant_name }}" endpoint: "{{ keystone_service_adminurl }}" insecure: "{{ keystone_service_adminuri_insecure }}" when: > @@ -72,7 +78,9 @@ command: ensure_group group_name: "{{ item.group }}" domain_name: "{{ item.domain | default('Default') }}" - token: "{{ keystone_auth_admin_token }}" + login_user: "{{ keystone_admin_user_name }}" + login_password: "{{ keystone_auth_admin_password }}" + login_project_name: "{{ keystone_admin_tenant_name }}" endpoint: "{{ keystone_service_adminurl }}" insecure: "{{ keystone_service_adminuri_insecure }}" when: item.group is defined @@ -84,7 +92,9 @@ keystone: command: "ensure_role" role_name: "{{ item.role | default('_member_') }}" - token: "{{ keystone_auth_admin_token }}" + login_user: "{{ keystone_admin_user_name }}" + login_password: "{{ keystone_auth_admin_password }}" + login_project_name: "{{ keystone_admin_tenant_name }}" endpoint: "{{ keystone_service_adminurl }}" insecure: "{{ keystone_service_adminuri_insecure }}" when: > @@ -100,7 +110,9 @@ group_name: "{{ item.group }}" project_name: "{{ item.project }}" role_name: "{{ item.role | default('_member_') }}" - token: "{{ keystone_auth_admin_token }}" + login_user: "{{ keystone_admin_user_name }}" + login_password: "{{ keystone_auth_admin_password }}" + login_project_name: "{{ keystone_admin_tenant_name }}" endpoint: "{{ keystone_service_adminurl }}" insecure: "{{ keystone_service_adminuri_insecure }}" when: 
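Review bot: The `Ensure users` task now carries two secrets in its module arguments, the new `login_password` and the existing `password: "{{ item.password }}"`, and nothing suppresses them; with `-v` or a logging callback Ansible prints the full argument dict, and a failing `until` loop repeats it on every retry. Add `no_log: true` to this task, and the same applies to every other task in this file that gained `login_password` in this commit. The `when: >` condition continues outside the hunk.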
> @@ -115,7 +127,9 @@ command: ensure_mapping mapping_name: "{{ item.protocol.mapping.name }}" mapping_rules: "{{ item.protocol.mapping.rules }}" - token: "{{ keystone_auth_admin_token }}" + login_user: "{{ keystone_admin_user_name }}" + login_password: "{{ keystone_auth_admin_password }}" + login_project_name: "{{ keystone_admin_tenant_name }}" endpoint: "{{ keystone_service_adminurl }}" insecure: "{{ keystone_service_adminuri_insecure }}" when: item.protocol.mapping.name is defined @@ -129,7 +143,9 @@ idp_name: "{{ item.name }}" idp_remote_ids: "{{ item.entity_ids }}" idp_enabled: true - token: "{{ keystone_auth_admin_token }}" + login_user: "{{ keystone_admin_user_name }}" + login_password: "{{ keystone_auth_admin_password }}" + login_project_name: "{{ keystone_admin_tenant_name }}" endpoint: "{{ keystone_service_adminurl }}" insecure: "{{ keystone_service_adminuri_insecure }}" when: item.name is defined @@ -143,7 +159,9 @@ protocol_name: "{{ item.protocol.name }}" idp_name: "{{ item.idp.name }}" mapping_name: "{{ item.protocol.mapping.name }}" - token: "{{ keystone_auth_admin_token }}" + login_user: "{{ keystone_admin_user_name }}" + login_password: "{{ keystone_auth_admin_password }}" + login_project_name: "{{ keystone_admin_tenant_name }}" endpoint: "{{ keystone_service_adminurl }}" insecure: "{{ keystone_service_adminuri_insecure }}" when: item.protocol.name is defined diff --git a/tasks/keystone_idp_sp_setup.yml b/tasks/keystone_idp_sp_setup.yml index bf5ebce0..3263b32b 100644 --- a/tasks/keystone_idp_sp_setup.yml +++ b/tasks/keystone_idp_sp_setup.yml @@ -16,7 +16,9 @@ - name: Register service providers keystone: command: "ensure_service_provider" - token: "{{ keystone_auth_admin_token }}" + login_user: "{{ keystone_admin_user_name }}" + login_password: "{{ keystone_auth_admin_password }}" + login_project_name: "{{ keystone_admin_tenant_name }}" endpoint: "{{ keystone_service_adminurl }}" sp_name: "{{ item.id }}" sp_url: "{{ item.sp_url }}" 
diff --git a/tasks/keystone_ldap_setup.yml b/tasks/keystone_ldap_setup.yml index 5b8383bd..cd7c9b29 100644 --- a/tasks/keystone_ldap_setup.yml +++ b/tasks/keystone_ldap_setup.yml @@ -18,7 +18,9 @@ keystone: command: ensure_domain domain_name: "{{ item.key }}" - token: "{{ keystone_auth_admin_token }}" + login_user: "{{ keystone_admin_user_name }}" + login_password: "{{ keystone_auth_admin_password }}" + login_project_name: "{{ keystone_admin_tenant_name }}" endpoint: "{{ keystone_service_adminurl }}" insecure: "{{ keystone_service_adminuri_insecure }}" with_dict: keystone_ldap diff --git a/tasks/keystone_service_setup.yml b/tasks/keystone_service_setup.yml index 174285bd..57ef307e 100644 --- a/tasks/keystone_service_setup.yml +++ b/tasks/keystone_service_setup.yml 
@@ -42,11 +42,36 @@ - keystone-db-sync - keystone-setup +- name: Bootstrap keystone admin and endpoint + command: | + {{ keystone_bin }}/keystone-manage bootstrap \ + --bootstrap-username {{ keystone_admin_user_name }} \ + --bootstrap-password {{ keystone_auth_admin_password }} \ + --bootstrap-project-name {{ keystone_admin_tenant_name }} \ + --bootstrap-role-name {{ keystone_role_name }} \ + --bootstrap-service-name {{ keystone_service_name }} \ + --bootstrap-region-id {{ keystone_service_region }} \ + --bootstrap-admin-url {{ keystone_service_adminurl }} \ + --bootstrap-public-url {{ keystone_service_publicurl }} \ + --bootstrap-internal-url {{ keystone_service_internalurl }} + become: yes + become_user: "{{ keystone_system_user_name }}" + register: add_service + until: add_service|success + retries: 5 + delay: 10 + tags: + - keystone-api-setup + - keystone-service-add + - keystone-setup + # Create a service tenant - name: Ensure service tenant keystone: command: "ensure_tenant" - token: "{{ keystone_auth_admin_token }}" + login_user: "{{ keystone_admin_user_name }}" + login_password: "{{ keystone_auth_admin_password }}" + login_project_name: "{{ keystone_admin_tenant_name }}" endpoint: "{{ keystone_service_adminurl }}" tenant_name: "{{ keystone_service_tenant_name }}" description: "{{ keystone_service_description }}" 
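Review bot: `keystone-manage bootstrap` is invoked with `--bootstrap-password {{ keystone_auth_admin_password }}` and the task has no `no_log`, so the admin password lands in Ansible's task output (repeated on each of the five retries because of `register`/`until`) and is visible in the host's process list while the command runs. Add `no_log: true` to the task; keystone's bootstrap command also reads `OS_BOOTSTRAP_PASSWORD` from the environment, so `environment:` / `OS_BOOTSTRAP_PASSWORD: "{{ keystone_auth_admin_password }}"` on the task with the `--bootstrap-password` argument dropped would keep it off the command line entirely (confirm against the keystone revision the role pins). Separately, the removed `Ensure Admin user` and `Ensure Admin user to Admin role` tasks were skipped when `keystone_service_in_ldap` was true, while this task runs unconditionally, so LDAP-backed deployments that previously never created the admin user will now attempt it through keystone-manage; either carry `when: not keystone_service_in_ldap | bool` over or document why bootstrap is safe in that case.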
@@ -59,82 +84,13 @@ - keystone-api-setup - keystone-setup -# Create an admin tenant -- name: Ensure admin tenant - keystone: - command: "ensure_tenant" - token: "{{ keystone_auth_admin_token }}" - endpoint: "{{ keystone_service_adminurl }}" - tenant_name: "{{ keystone_admin_tenant_name }}" - description: "{{ keystone_admin_description }}" - insecure: "{{ keystone_service_adminuri_insecure }}" - register: add_service - until: add_service|success - retries: 5 - delay: 10 - tags: - - keystone-api-setup - - keystone-setup - -# Create an admin user -- name: Ensure Admin user - keystone: - command: "ensure_user" - token: "{{ keystone_auth_admin_token }}" - endpoint: "{{ keystone_service_adminurl }}" - user_name: "{{ keystone_admin_user_name }}" - tenant_name: "{{ keystone_admin_tenant_name }}" - password: "{{ keystone_auth_admin_password }}" - insecure: "{{ keystone_service_adminuri_insecure }}" - register: add_service - when: not keystone_service_in_ldap | bool - until: add_service|success - retries: 5 - delay: 10 - tags: - - keystone-api-setup - - keystone-setup - -# Create an admin role -- name: Ensure Admin role - keystone: - command: "ensure_role" - token: "{{ keystone_auth_admin_token }}" - endpoint: "{{ keystone_service_adminurl }}" - role_name: "{{ keystone_role_name }}" - insecure: "{{ keystone_service_adminuri_insecure }}" - register: add_service - until: add_service|success - retries: 5 - delay: 10 - tags: - - keystone-api-setup - - keystone-setup - -# Add a role to the user -- name: Ensure Admin user to Admin role - keystone: - command: "ensure_user_role" - token: "{{ keystone_auth_admin_token }}" - endpoint: "{{ keystone_service_adminurl }}" - user_name: "{{ keystone_admin_user_name }}" - tenant_name: "{{ keystone_admin_tenant_name }}" - role_name: "{{ keystone_role_name }}" - insecure: "{{ keystone_service_adminuri_insecure }}" - register: add_service - when: not keystone_service_in_ldap | bool - until: add_service|success - retries: 5 - delay: 10 - tags: - 
- keystone-api-setup - - keystone-setup - # Add the default user role - name: Ensure default keystone user role keystone: command: "ensure_role" - token: "{{ keystone_auth_admin_token }}" + login_user: "{{ keystone_admin_user_name }}" + login_password: "{{ keystone_auth_admin_password }}" + login_project_name: "{{ keystone_admin_tenant_name }}" endpoint: "{{ keystone_service_adminurl }}" role_name: "{{ keystone_default_role_name }}" insecure: "{{ keystone_service_adminuri_insecure }}" @@ -151,7 +107,9 @@ - name: Ensure Keystone Service keystone: command: "ensure_service" - token: "{{ keystone_auth_admin_token }}" + login_user: "{{ keystone_admin_user_name }}" + login_password: "{{ keystone_auth_admin_password }}" + login_project_name: "{{ keystone_admin_tenant_name }}" endpoint: "{{ keystone_service_adminurl }}" service_name: "{{ keystone_service_name }}" service_type: "{{ keystone_service_type }}" @@ -170,7 +128,9 @@ - name: Ensure Keystone user keystone: command: "ensure_user" - token: "{{ keystone_auth_admin_token }}" + login_user: "{{ keystone_admin_user_name }}" + login_password: "{{ keystone_auth_admin_password }}" + login_project_name: "{{ keystone_admin_tenant_name }}" endpoint: "{{ keystone_service_adminurl }}" user_name: "{{ keystone_service_user_name }}" tenant_name: "{{ keystone_service_tenant_name }}" @@ -189,7 +149,9 @@ - name: Ensure Keystone user to Admin role keystone: command: "ensure_user_role" - token: "{{ keystone_auth_admin_token }}" + login_user: "{{ keystone_admin_user_name }}" + login_password: "{{ keystone_auth_admin_password }}" + login_project_name: "{{ keystone_admin_tenant_name }}" endpoint: "{{ keystone_service_adminurl }}" user_name: "{{ keystone_service_user_name }}" tenant_name: "{{ keystone_service_tenant_name }}" 
@@ -203,29 +165,3 @@ - keystone-api-setup - keystone-service-add - keystone-setup - -# Create an endpoint -- name: Ensure Keystone Endpoint - keystone: - command: "ensure_endpoint" - token: "{{ keystone_auth_admin_token }}" - endpoint: "{{ keystone_service_adminurl }}" - region_name: "{{ keystone_service_region }}" - service_name: "{{ keystone_service_name }}" - service_type: "{{ keystone_service_type }}" - insecure: "{{ keystone_service_adminuri_insecure }}" - endpoint_list: - - url: "{{ keystone_service_publicurl }}" - interface: "public" - - url: "{{ keystone_service_adminurl }}" - interface: "admin" - - url: "{{ keystone_service_internalurl }}" - interface: "internal" - register: add_service - until: add_service|success - retries: 5 - delay: 10 - tags: - - keystone-api-setup - - keystone-service-add - - keystone-setup diff --git a/templates/keystone-paste.ini.j2 b/templates/keystone-paste.ini.j2 index 0d731d0a..4f3b0a28 100644 --- a/templates/keystone-paste.ini.j2 +++ b/templates/keystone-paste.ini.j2 @@ -13,16 +13,16 @@ use = egg:keystone#build_auth_context use = egg:keystone#token_auth [filter:admin_token_auth] +# This is deprecated in the M release and will be removed in the O release. +# Use `keystone-manage bootstrap` and remove this from the pipelines below. use = egg:keystone#admin_token_auth [filter:json_body] use = egg:keystone#json_body -[filter:user_crud_extension] -use = egg:keystone#user_crud_extension - -[filter:crud_extension] -use = egg:keystone#crud_extension +[filter:cors] +use = egg:oslo.middleware#cors +oslo_config_project = keystone [filter:ec2_extension] use = egg:keystone#ec2_extension @@ -33,9 +33,6 @@ use = egg:keystone#ec2_extension_v3 [filter:s3_extension] use = egg:keystone#s3_extension -[filter:simple_cert_extension] -use = egg:keystone#simple_cert_extension - [filter:url_normalize] use = egg:keystone#url_normalize 
@@ -54,17 +51,17 @@ use = egg:keystone#admin_service [pipeline:public_api] # The last item in this pipeline must be public_service or an equivalent # application. It cannot be a filter. -pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension user_crud_extension public_service +pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension public_service [pipeline:admin_api] # The last item in this pipeline must be admin_service or an equivalent # application. It cannot be a filter. -pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension crud_extension admin_service +pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension s3_extension admin_service [pipeline:api_v3] # The last item in this pipeline must be service_v3 or an equivalent # application. It cannot be a filter. -pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension service_v3 +pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3 [app:public_version_service] use = egg:keystone#public_version_service @@ -73,10 +70,10 @@ use = egg:keystone#public_version_service use = egg:keystone#admin_version_service [pipeline:public_version_api] -pipeline = sizelimit url_normalize public_version_service +pipeline = cors sizelimit url_normalize public_version_service [pipeline:admin_version_api] -pipeline = sizelimit url_normalize admin_version_service +pipeline = cors sizelimit url_normalize admin_version_service [composite:main] use = egg:Paste#urlmap diff --git a/templates/keystone.conf.j2 b/templates/keystone.conf.j2 index b5789e44..f45ced26 100644 
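Review bot: All three rebuilt pipelines still carry `admin_token_auth`, even though this commit removes `admin_token` from keystone.conf.j2 and moves every task in the role onto password-authenticated calls, so the shared-secret path stays wired into the API for no consumer the role knows about; the comment added to the filter definition itself says to "remove this from the pipelines below". Whether the filter is inert when `admin_token` is unset depends on the middleware of the keystone version deployed, which is not visible here, so the safer move is to drop it now: `pipeline = cors sizelimit url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service`, and likewise for `admin_api` and `api_v3`. If some deployers still depend on it, gate it behind a role variable rather than leaving it on by default.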
--- a/templates/keystone.conf.j2 +++ b/templates/keystone.conf.j2 @@ -3,7 +3,6 @@ [DEFAULT] verbose = {{ verbose }} debug = {{ debug }} -admin_token = {{ keystone_auth_admin_token }} {% if keystone_public_endpoint is defined %} public_endpoint = {{ keystone_public_endpoint }} {% endif %} diff --git a/templates/policy.json.j2 b/templates/policy.json.j2 index 47aa9efd..797af24d 100644 --- a/templates/policy.json.j2 +++ b/templates/policy.json.j2 @@ -34,7 +34,7 @@ "identity:update_domain": "rule:admin_required", "identity:delete_domain": "rule:admin_required", - "identity:get_project": "rule:admin_required", + "identity:get_project": "rule:admin_required or project_id:%(target.project.id)s", "identity:list_projects": "rule:admin_required", "identity:list_user_projects": "rule:admin_or_owner", "identity:create_project": "rule:admin_required", @@ -75,6 +75,18 @@ "identity:create_role": "rule:admin_required", "identity:update_role": "rule:admin_required", "identity:delete_role": "rule:admin_required", + "identity:get_domain_role": "rule:admin_required", + "identity:list_domain_roles": "rule:admin_required", + "identity:create_domain_role": "rule:admin_required", + "identity:update_domain_role": "rule:admin_required", + "identity:delete_domain_role": "rule:admin_required", + + "identity:get_implied_role": "rule:admin_required ", + "identity:list_implied_roles": "rule:admin_required", + "identity:create_implied_role": "rule:admin_required", + "identity:delete_implied_role": "rule:admin_required", + "identity:list_role_inference_rules": "rule:admin_required", + "identity:check_implied_role": "rule:admin_required", "identity:check_grant": "rule:admin_required", "identity:list_grants": "rule:admin_required", diff --git a/tests/stand-alone.yml b/tests/stand-alone.yml index a6f4cb5f..c37f89af 100644 --- a/tests/stand-alone.yml +++ b/tests/stand-alone.yml 
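Review bot: `identity:get_project` is widened from `rule:admin_required` to `rule:admin_required or project_id:%(target.project.id)s`, so any token scoped to a project can now read that project's record; this appears to track the upstream keystone default, but it is a relaxation compared with the template it replaces and nothing in the diff records it. JSON leaves no room for a comment, so a line in the role's release note or README stating that project-scoped users can read their own project (and that deployers overriding policy.json should expect it) would keep the change from going unnoticed.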
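Review bot: `"identity:get_implied_role": "rule:admin_required "` has a trailing space inside the rule string; oslo.policy tokenises rules on whitespace, so it is most likely harmless, but it is the only rule in the file written that way and reads like a typo that will get copied into deployer overrides. Use `"identity:get_implied_role": "rule:admin_required",` to match the other new entries in this hunk.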
@@ -11,7 +11,6 @@ keystone_galera_database: keystone keystone_venv_tag: "testing" keystone_developer_mode: true - keystone_auth_admin_token: "SuperSecreteTestToken" keystone_auth_admin_password: "SuperSecretePassword" keystone_database_enabled: false keystone_service_setup: false diff --git a/tests/test.yml b/tests/test.yml index 5b6b8149..f6d7f530 100644 --- a/tests/test.yml +++ b/tests/test.yml @@ -191,9 +191,8 @@ keystone_galera_database: keystone keystone_venv_tag: "testing" keystone_developer_mode: true - keystone_git_install_branch: a55128044f763f5cfe2fdc57c738eaca97636448 - keystone_requirements_git_install_branch: 332278d456e06870150835564342570ec9d5f5a0 - keystone_auth_admin_token: "SuperSecreteTestToken" + keystone_git_install_branch: 9692d40a78651f59db679def493f9712c96e0596 # HEAD of "stable/mitaka" as of 16.03.2016 + keystone_requirements_git_install_branch: 983af4a5d05bfa0f2c1d4ec80e3ee44a5abc2752 # HEAD of "master" as of 16.03.2016 keystone_auth_admin_password: "SuperSecretePassword" keystone_service_password: "secrete" keystone_rabbitmq_password: "secrete"