Updated keystone to use fernet as the default

This change simply enables fernet to be the default token backend and disables the keystone memcached configuration for token storage. Change-Id: I1037a7fce567e476f07a5d3c220379d656248160 Related-Bug: #1463569
2015-06-19 16:24:06 -05:00 · 2015-06-19 16:24:06 -05:00 · cfde337673
commit cfde337673
parent 7a8873415c
5 changed files with 18 additions and 7 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -36,7 +36,7 @@ keystone_auth_methods: "password,token"
 keystone_identity_driver: "keystone.identity.backends.sql.Identity"
 # For a sql backed token storage use: "keystone.token.backends.sql.Token"
 keystone_token_driver: "keystone.token.persistence.backends.memcache.Token"
-keystone_token_provider: "keystone.token.providers.uuid.Provider"
+keystone_token_provider: "keystone.token.providers.fernet.Provider"
 keystone_token_expiration: 43200
 keystone_token_cache_time: 3600

@ -47,7 +47,7 @@ keystone_revocation_expiration_buffer: 1800

 ## Fernet config vars
 keystone_fernet_tokens_key_repository: "/etc/keystone/fernet-keys"
-keystone_fernet_tokens_max_active_keys: 3
+keystone_fernet_tokens_max_active_keys: 7

 keystone_cache_expiration_time: 5400

--- a/meta/main.yml
+++ b/meta/main.yml
@ -34,4 +34,7 @@ dependencies:
  - galera_client
  - openstack_openrc
  - pip_lock_down
-  - memcached_server
+  - role: memcached_server
+    when: >
+      'memcache' in keystone_token_driver and
+      'fernet' not in keystone_token_provider
--- a/tasks/keystone_fernet_cleanup.yml
+++ b/tasks/keystone_fernet_cleanup.yml
@ -18,6 +18,8 @@
    module: file
      path="/tmp/{{ keystone_fernet_tokens_key_repository|basename }}"
      state=absent
+  when: >
+    inventory_hostname == groups['keystone_all'][0]
  tags:
    - keystone-cleanup
    - keystone-setup
--- a/tasks/keystone_fernet_keys_create.yml
+++ b/tasks/keystone_fernet_keys_create.yml
@ -21,7 +21,9 @@
    - keystone-fernet

 - name: Create fernet keys for Keystone
-  command: keystone-manage fernet_setup --keystone-user "{{ keystone_system_user_name }}" --keystone-group "{{ keystone_system_group_name }}"
+  command: >
+    keystone-manage fernet_setup --keystone-user "{{ keystone_system_user_name }}"
+                                 --keystone-group "{{ keystone_system_group_name }}"
  sudo: yes
  sudo_user: "{{ keystone_system_user_name }}"
  when: not _fernet_keys.stat.exists
@ -30,7 +32,9 @@
    - keystone-fernet

 - name: Rotate fernet keys for Keystone
-  command: keystone-manage fernet_rotate --keystone-user "{{ keystone_system_user_name }}" --keystone-group "{{ keystone_system_group_name }}"
+  command: >
+    keystone-manage fernet_rotate --keystone-user "{{ keystone_system_user_name }}"
+                                  --keystone-group "{{ keystone_system_group_name }}"
  sudo: yes
  sudo_user: "{{ keystone_system_user_name }}"
  when: _fernet_keys.stat.exists
--- a/templates/keystone.conf.j2
+++ b/templates/keystone.conf.j2
@ -18,11 +18,11 @@ log_file = keystone.log
 log_dir = /var/log/keystone
 rpc_backend = {{ keystone_rpc_backend }}

-
+{% if 'memcache' in keystone_token_driver and 'fernet' not in keystone_token_provider %}
 [memcache]
 servers = {{ keystone_memcached_servers }}
 max_compare_and_set_retry = {{ keystone_memcached_max_compare_and_set_retry }}
-
+{% endif %}

 {% if keystone_cache_backend_argument is defined %}
 [cache]
@ -83,7 +83,9 @@ expiration = {{ keystone_token_expiration }}
 caching = true
 cache_time = {{ keystone_token_cache_time }}
 provider = {{ keystone_token_provider }}
+{% if 'fernet' not in keystone_token_provider %}
 driver = {{ keystone_token_driver }}
+{% endif %}

 [eventlet_server]
 admin_bind_host = {{ keystone_bind_address }}