From ffcdaf0c92dd57c90a71162495fb6cac006a1513 Mon Sep 17 00:00:00 2001
From: Jesse Pretorius
Date: Thu, 16 Mar 2017 00:01:07 +0000
Subject: [PATCH] Source template files from git or deploy host

Instead of sourcing the paste/policy files from the role, the deploy host will first be checked, then the git source. This eliminates our need to carry the template files and keep them up to date. It also ensures that if a custom git source or alternative SHA is used, the correct source templates are used.

Related-To: I97476c42172cace5601f777e771ba0aa649b05ca
Change-Id: I910bb1700bafd48185c15d64401c8f8e93c696ea
---
 defaults/main.yml | 20 +-
 files/sso_callback_template.html | 22 --
 ...pstream-config-files-d16f27fc1332ed83.yaml | 9 +
 tasks/keystone_post_install.yml | 29 ++-
 templates/keystone-paste.ini.j2 | 92 --------
 templates/policy.json.j2 | 199 ------------------
 6 files changed, 52 insertions(+), 319 deletions(-)
 delete mode 100644 files/sso_callback_template.html
 create mode 100644 releasenotes/notes/keystone-upstream-config-files-d16f27fc1332ed83.yaml
 delete mode 100644 templates/keystone-paste.ini.j2
 delete mode 100644 templates/policy.json.j2

diff --git a/defaults/main.yml b/defaults/main.yml
index d8d0b76b..61745e06 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -446,7 +446,25 @@ keystone_pip_packages:
 # by the py_pkgs lookup.
 keystone_role_project_group: keystone_all
 
-## Tunable overrides
+#: Tunable file-based overrides
+# The contents of these files, if they exist, are read from the
+# specified path on the deployment host, interpreted by the
+# template engine and copied to the target host. If they do
+# not exist then the default files will be sourced from the
+# service git repository.
+keystone_paste_default_file_path: "/etc/openstack_deploy/keystone/keystone-paste.ini"
+keystone_policy_default_file_path: "/etc/openstack_deploy/keystone/policy.json"
+keystone_sso_callback_file_path: "/etc/openstack_deploy/keystone/sso_callback_template.html"
+
+# If the above-mentioned files do not exist, then these
+# paths will be used to find the files from the git config
+# lookup location.
+keystone_git_config_lookup_location: https://git.openstack.org/cgit/openstack/keystone/plain
+keystone_paste_git_file_path: "etc/keystone-paste.ini?h={{ keystone_git_install_branch }}"
+keystone_sso_callback_git_file_path: "etc/sso_callback_template.html?h={{ keystone_git_install_branch }}"
+
+#: Tunable var-based overrides
+# The contents of these are templated over the default files.
 keystone_keystone_conf_overrides: {}
 keystone_keystone_default_conf_overrides: {}
 keystone_keystone_paste_ini_overrides: {}
diff --git a/files/sso_callback_template.html b/files/sso_callback_template.html
deleted file mode 100644
index 3364d69e..00000000
--- a/files/sso_callback_template.html
+++ /dev/null
@@ -1,22 +0,0 @@
- - - - Keystone WebSSO redirect - - -
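Review bot: The comment `# If the above-mentioned files do not exist, then these paths will be used to find the files from the git config lookup location.` promises a git fallback for all three files, but only `keystone_paste_git_file_path` and `keystone_sso_callback_git_file_path` are defined below it; there is no `keystone_policy_git_file_path`, and the task in tasks/keystone_post_install.yml falls back to `echo {}` for policy.json instead of fetching anything. A deployer reading these defaults would expect a policy file to be retrieved from git when the deploy-host copy is absent. Suggest saying so next to the git lookup variables, e.g. `# policy.json has no git fallback: when the deploy-host file is absent an empty policy ({}) is deployed.` The release note added by this commit makes the same "sourced from git" claim for policy.json.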
- Please wait... -
- - -
-
-
-
diff --git a/releasenotes/notes/keystone-upstream-config-files-d16f27fc1332ed83.yaml b/releasenotes/notes/keystone-upstream-config-files-d16f27fc1332ed83.yaml
new file mode 100644
index 00000000..c0a31c2d
--- /dev/null
+++ b/releasenotes/notes/keystone-upstream-config-files-d16f27fc1332ed83.yaml
@@ -0,0 +1,9 @@
+---
+features:
+  - The ``os_keystone`` role will now (by default) source the
+    ``keystone-paste.ini``, ``policy.json`` and ``sso_callback_template.html``
+    templates from the service git source instead of from the role. It also
+    now includes a facility where you can place your own templates in
+    ``/etc/openstack_deploy/keystone`` (by default) and it will be
+    deployed to the target host after being interpreted by the
+    template engine.
diff --git a/tasks/keystone_post_install.yml b/tasks/keystone_post_install.yml
index df20eb43..3279f14f 100644
--- a/tasks/keystone_post_install.yml
+++ b/tasks/keystone_post_install.yml
@@ -27,14 +27,31 @@
       dest: "/etc/keystone/keystone.conf"
       config_overrides: "{{ keystone_keystone_conf_overrides }}"
       config_type: "ini"
-    - src: "keystone-paste.ini.j2"
-      dest: "/etc/keystone/keystone-paste.ini"
+  notify:
+    - Restart uWSGI on first node
+    - Restart uWSGI on other nodes
+    - Restart web server on first node
+    - Restart web server on other nodes
+
+- name: Retrieve and config_template upstream files
+  config_template:
+    content: "{{ lookup('pipe', item.content) | string }}"
+    dest: "{{ item.dest }}"
+    config_overrides: "{{ item.config_overrides }}"
+    config_type: "{{ item.config_type }}"
+  with_items:
+    - dest: "/etc/keystone/keystone-paste.ini"
       config_overrides: "{{ keystone_keystone_paste_ini_overrides }}"
       config_type: "ini"
-    - src: "policy.json.j2"
-      dest: "/etc/keystone/policy.json-{{ keystone_venv_tag }}"
+      content: |
+        cat {{ keystone_paste_default_file_path }} 2>/dev/null || \
+        curl -s {{ keystone_git_config_lookup_location }}/{{ keystone_paste_git_file_path }}
+    - dest: "/etc/keystone/policy.json-{{ keystone_venv_tag }}"
       config_overrides: "{{ keystone_policy_overrides }}"
       config_type: "json"
+      content: |
+        cat {{ keystone_policy_default_file_path }} 2>/dev/null || \
+        echo {}
   notify:
     - Restart uWSGI on first node
     - Restart uWSGI on other nodes
@@ -43,7 +60,9 @@
 
 - name: Copy Keystone Federation SP SSO callback template
   copy:
-    src: "sso_callback_template.html"
+    content: |
+      cat {{ keystone_sso_callback_file_path }} 2>/dev/null || \
+      curl -s {{ keystone_git_config_lookup_location }}/{{ keystone_sso_callback_git_file_path }}
     dest: "/etc/keystone/sso_callback_template.html"
     owner: "{{ keystone_system_user_name }}"
     group: "{{ keystone_system_group_name }}"
diff --git a/templates/keystone-paste.ini.j2 b/templates/keystone-paste.ini.j2
deleted file mode 100644
index b629b48c..00000000
--- a/templates/keystone-paste.ini.j2
+++ /dev/null
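Review bot: `curl -s {{ keystone_git_config_lookup_location }}/{{ keystone_paste_git_file_path }}` in the keystone-paste.ini `with_items` entry has no `-f`/`--fail`, so an HTTP error response (a cgit 404 page when the branch or path is wrong, for example) exits 0 and its body is handed to config_template as the paste pipeline, while `-s` hides the reason; because the pipe lookup raises on a non-zero exit status, `curl -sSf` turns that into a visible task failure instead of a silently corrupt /etc/keystone/keystone-paste.ini. The command is also run through a shell on the deploy host with the variables unquoted, and `keystone_paste_git_file_path` carries a `?` query string, so quote both arguments: `cat "{{ keystone_paste_default_file_path }}" 2>/dev/null || \` followed by `curl -sSf "{{ keystone_git_config_lookup_location }}/{{ keystone_paste_git_file_path }}"`. The same applies to the curl line in the SSO callback hunk below. The task whose `dest: "/etc/keystone/keystone.conf"` entry opens this hunk starts above it.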
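Review bot: `content: |` under `copy:` in the SSO callback task writes the shell command text itself — `cat {{ keystone_sso_callback_file_path }} 2>/dev/null || \` and the `curl -s ...` line — into /etc/keystone/sso_callback_template.html; unlike the config_template task above, nothing here executes the command, so the WebSSO redirect page served to browsers becomes that literal string. Route it through the same `lookup('pipe', ...)` used for the paste file, with the variables quoted and `-sSf` so a fetch failure fails the task rather than deploying an error page as the template. The copy task's remaining parameters (dest, owner, group and anything after them) continue outside the hunk.
```yaml
- name: Copy Keystone Federation SP SSO callback template
  vars:
    _sso_callback_cmd: |
      cat "{{ keystone_sso_callback_file_path }}" 2>/dev/null || \
      curl -sSf "{{ keystone_git_config_lookup_location }}/{{ keystone_sso_callback_git_file_path }}"
  copy:
    content: "{{ lookup('pipe', _sso_callback_cmd) | string }}"
    # … unchanged: dest, owner, group …
```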
@@ -1,92 +0,0 @@ -# Keystone PasteDeploy configuration file. - -[filter:debug] -use = egg:oslo.middleware#debug - -[filter:request_id] -use = egg:oslo.middleware#request_id - -[filter:build_auth_context] -use = egg:keystone#build_auth_context - -[filter:token_auth] -use = egg:keystone#token_auth - -[filter:json_body] -use = egg:keystone#json_body - -[filter:cors] -use = egg:oslo.middleware#cors -oslo_config_project = keystone - -[filter:http_proxy_to_wsgi] -use = egg:oslo.middleware#http_proxy_to_wsgi - -[filter:healthcheck] -use = egg:oslo.middleware#healthcheck - -[filter:ec2_extension] -use = egg:keystone#ec2_extension - -[filter:ec2_extension_v3] -use = egg:keystone#ec2_extension_v3 - -[filter:s3_extension] -use = egg:keystone#s3_extension - -[filter:url_normalize] -use = egg:keystone#url_normalize - -[filter:sizelimit] -use = egg:oslo.middleware#sizelimit - -[filter:osprofiler] -use = egg:osprofiler#osprofiler - -[app:public_service] -use = egg:keystone#public_service - -[app:service_v3] -use = egg:keystone#service_v3 - -[app:admin_service] -use = egg:keystone#admin_service - -[pipeline:public_api] -# The last item in this pipeline must be public_service or an equivalent -# application. It cannot be a filter. -pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service - -[pipeline:admin_api] -# The last item in this pipeline must be admin_service or an equivalent -# application. It cannot be a filter. -pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service - -[pipeline:api_v3] -# The last item in this pipeline must be service_v3 or an equivalent -# application. It cannot be a filter. 
-pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3 - -[app:public_version_service] -use = egg:keystone#public_version_service - -[app:admin_version_service] -use = egg:keystone#admin_version_service - -[pipeline:public_version_api] -pipeline = healthcheck cors sizelimit osprofiler url_normalize public_version_service - -[pipeline:admin_version_api] -pipeline = healthcheck cors sizelimit osprofiler url_normalize admin_version_service - -[composite:main] -use = egg:Paste#urlmap -/v2.0 = public_api -/v3 = api_v3 -/ = public_version_api - -[composite:admin] -use = egg:Paste#urlmap -/v2.0 = admin_api -/v3 = api_v3 -/ = admin_version_api diff --git a/templates/policy.json.j2 b/templates/policy.json.j2 deleted file mode 100644 index ddf23962..00000000 --- a/templates/policy.json.j2 +++ /dev/null 
@@ -1,199 +0,0 @@ -{ - "admin_required": "role:admin or is_admin:1", - "service_role": "role:service", - "service_or_admin": "rule:admin_required or rule:service_role", - "owner" : "user_id:%(user_id)s", - "admin_or_owner": "rule:admin_required or rule:owner", - "token_subject": "user_id:%(target.token.user_id)s", - "admin_or_token_subject": "rule:admin_required or rule:token_subject", - "service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject", - - "default": "rule:admin_required", - - "identity:get_region": "", - "identity:list_regions": "", - "identity:create_region": "rule:admin_required", - "identity:update_region": "rule:admin_required", - "identity:delete_region": "rule:admin_required", - - "identity:get_service": "rule:admin_required", - "identity:list_services": "rule:admin_required", - "identity:create_service": "rule:admin_required", - "identity:update_service": "rule:admin_required", - "identity:delete_service": "rule:admin_required", - - "identity:get_endpoint": "rule:admin_required", - "identity:list_endpoints": "rule:admin_required", - "identity:create_endpoint": "rule:admin_required", - "identity:update_endpoint": "rule:admin_required", - "identity:delete_endpoint": "rule:admin_required", - - "identity:get_domain": "rule:admin_required or token.project.domain.id:%(target.domain.id)s", - "identity:list_domains": "rule:admin_required", - "identity:create_domain": "rule:admin_required", - "identity:update_domain": "rule:admin_required", - "identity:delete_domain": "rule:admin_required", - - "identity:get_project": "rule:admin_required or project_id:%(target.project.id)s", - "identity:list_projects": "rule:admin_required", - "identity:list_user_projects": "rule:admin_or_owner", - "identity:create_project": "rule:admin_required", - "identity:update_project": "rule:admin_required", - "identity:delete_project": "rule:admin_required", - - "identity:get_user": "rule:admin_or_owner", - "identity:list_users": "rule:admin_required", - 
"identity:create_user": "rule:admin_required", - "identity:update_user": "rule:admin_required", - "identity:delete_user": "rule:admin_required", - "identity:change_password": "rule:admin_or_owner", - - "identity:get_group": "rule:admin_required", - "identity:list_groups": "rule:admin_required", - "identity:list_groups_for_user": "rule:admin_or_owner", - "identity:create_group": "rule:admin_required", - "identity:update_group": "rule:admin_required", - "identity:delete_group": "rule:admin_required", - "identity:list_users_in_group": "rule:admin_required", - "identity:remove_user_from_group": "rule:admin_required", - "identity:check_user_in_group": "rule:admin_required", - "identity:add_user_to_group": "rule:admin_required", - - "identity:get_credential": "rule:admin_required", - "identity:list_credentials": "rule:admin_required", - "identity:create_credential": "rule:admin_required", - "identity:update_credential": "rule:admin_required", - "identity:delete_credential": "rule:admin_required", - - "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)", - "identity:ec2_list_credentials": "rule:admin_or_owner", - "identity:ec2_create_credential": "rule:admin_or_owner", - "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)", - - "identity:get_role": "rule:admin_required", - "identity:list_roles": "rule:admin_required", - "identity:create_role": "rule:admin_required", - "identity:update_role": "rule:admin_required", - "identity:delete_role": "rule:admin_required", - "identity:get_domain_role": "rule:admin_required", - "identity:list_domain_roles": "rule:admin_required", - "identity:create_domain_role": "rule:admin_required", - "identity:update_domain_role": "rule:admin_required", - "identity:delete_domain_role": "rule:admin_required", - - "identity:get_implied_role": "rule:admin_required ", - "identity:list_implied_roles": "rule:admin_required", - 
"identity:create_implied_role": "rule:admin_required", - "identity:delete_implied_role": "rule:admin_required", - "identity:list_role_inference_rules": "rule:admin_required", - "identity:check_implied_role": "rule:admin_required", - - "identity:check_grant": "rule:admin_required", - "identity:list_grants": "rule:admin_required", - "identity:create_grant": "rule:admin_required", - "identity:revoke_grant": "rule:admin_required", - - "identity:list_role_assignments": "rule:admin_required", - "identity:list_role_assignments_for_tree": "rule:admin_required", - - "identity:get_policy": "rule:admin_required", - "identity:list_policies": "rule:admin_required", - "identity:create_policy": "rule:admin_required", - "identity:update_policy": "rule:admin_required", - "identity:delete_policy": "rule:admin_required", - - "identity:check_token": "rule:admin_or_token_subject", - "identity:validate_token": "rule:service_admin_or_token_subject", - "identity:validate_token_head": "rule:service_or_admin", - "identity:revocation_list": "rule:service_or_admin", - "identity:revoke_token": "rule:admin_or_token_subject", - - "identity:create_trust": "user_id:%(trust.trustor_user_id)s", - "identity:list_trusts": "", - "identity:list_roles_for_trust": "", - "identity:get_role_for_trust": "", - "identity:delete_trust": "", - - "identity:create_consumer": "rule:admin_required", - "identity:get_consumer": "rule:admin_required", - "identity:list_consumers": "rule:admin_required", - "identity:delete_consumer": "rule:admin_required", - "identity:update_consumer": "rule:admin_required", - - "identity:authorize_request_token": "rule:admin_required", - "identity:list_access_token_roles": "rule:admin_required", - "identity:get_access_token_role": "rule:admin_required", - "identity:list_access_tokens": "rule:admin_required", - "identity:get_access_token": "rule:admin_required", - "identity:delete_access_token": "rule:admin_required", - - "identity:list_projects_for_endpoint": "rule:admin_required", - 
"identity:add_endpoint_to_project": "rule:admin_required", - "identity:check_endpoint_in_project": "rule:admin_required", - "identity:list_endpoints_for_project": "rule:admin_required", - "identity:remove_endpoint_from_project": "rule:admin_required", - - "identity:create_endpoint_group": "rule:admin_required", - "identity:list_endpoint_groups": "rule:admin_required", - "identity:get_endpoint_group": "rule:admin_required", - "identity:update_endpoint_group": "rule:admin_required", - "identity:delete_endpoint_group": "rule:admin_required", - "identity:list_projects_associated_with_endpoint_group": "rule:admin_required", - "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required", - "identity:get_endpoint_group_in_project": "rule:admin_required", - "identity:list_endpoint_groups_for_project": "rule:admin_required", - "identity:add_endpoint_group_to_project": "rule:admin_required", - "identity:remove_endpoint_group_from_project": "rule:admin_required", - - "identity:create_identity_provider": "rule:admin_required", - "identity:list_identity_providers": "rule:admin_required", - "identity:get_identity_providers": "rule:admin_required", - "identity:update_identity_provider": "rule:admin_required", - "identity:delete_identity_provider": "rule:admin_required", - - "identity:create_protocol": "rule:admin_required", - "identity:update_protocol": "rule:admin_required", - "identity:get_protocol": "rule:admin_required", - "identity:list_protocols": "rule:admin_required", - "identity:delete_protocol": "rule:admin_required", - - "identity:create_mapping": "rule:admin_required", - "identity:get_mapping": "rule:admin_required", - "identity:list_mappings": "rule:admin_required", - "identity:delete_mapping": "rule:admin_required", - "identity:update_mapping": "rule:admin_required", - - "identity:create_service_provider": "rule:admin_required", - "identity:list_service_providers": "rule:admin_required", - "identity:get_service_provider": "rule:admin_required", - 
"identity:update_service_provider": "rule:admin_required", - "identity:delete_service_provider": "rule:admin_required", - - "identity:get_auth_catalog": "", - "identity:get_auth_projects": "", - "identity:get_auth_domains": "", - - "identity:list_projects_for_user": "", - "identity:list_domains_for_user": "", - - "identity:list_revoke_events": "rule:service_or_admin", - - "identity:create_policy_association_for_endpoint": "rule:admin_required", - "identity:check_policy_association_for_endpoint": "rule:admin_required", - "identity:delete_policy_association_for_endpoint": "rule:admin_required", - "identity:create_policy_association_for_service": "rule:admin_required", - "identity:check_policy_association_for_service": "rule:admin_required", - "identity:delete_policy_association_for_service": "rule:admin_required", - "identity:create_policy_association_for_region_and_service": "rule:admin_required", - "identity:check_policy_association_for_region_and_service": "rule:admin_required", - "identity:delete_policy_association_for_region_and_service": "rule:admin_required", - "identity:get_policy_for_endpoint": "rule:admin_required", - "identity:list_endpoints_for_policy": "rule:admin_required", - - "identity:create_domain_config": "rule:admin_required", - "identity:get_domain_config": "rule:admin_required", - "identity:get_security_compliance_domain_config": "", - "identity:update_domain_config": "rule:admin_required", - "identity:delete_domain_config": "rule:admin_required", - "identity:get_domain_config_default": "rule:admin_required" -}