--- # Copyright 2014, Rackspace US, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. ## Verbosity Options debug: False # Set the package install state for distribution and pip packages # Options are 'present' and 'latest' keystone_package_state: "latest" keystone_pip_package_state: "latest" # Set installation method. keystone_install_method: "source" # Role standard API override this option in the OS variable files keystone_shibboleth_repo: {} # These variables are used in 'developer mode' in order to allow the role # to build an environment directly from a git source without the presence # of an OpenStack-Ansible repo_server. keystone_git_repo: https://git.openstack.org/openstack/keystone keystone_git_install_branch: master keystone_developer_mode: false keystone_developer_constraints: - "git+{{ keystone_git_repo }}@{{ keystone_git_install_branch }}#egg=keystone" # Name of the virtual env to deploy into keystone_venv_tag: untagged keystone_bin: "{{ _keystone_bin }}" # venv_download, even when true, will use the fallback method of building the # venv from scratch if the venv download fails. keystone_venv_download: "{{ not keystone_developer_mode | bool }}" keystone_venv_download_url: http://127.0.0.1/venvs/untagged/ubuntu/keystone.tgz keystone_fatal_deprecations: False ## System info keystone_system_user_name: keystone keystone_system_group_name: keystone keystone_system_additional_groups: - ssl_cert keystone_system_shell: /bin/bash keystone_system_comment: keystone system user keystone_system_user_home: "/var/lib/{{ keystone_system_user_name }}" ## Drivers keystone_auth_methods: "password,token" keystone_identity_driver: sql keystone_token_provider: fernet keystone_token_expiration: 43200 keystone_token_cache_time: 3600 # Set the revocation driver used within keystone. keystone_revocation_driver: sql keystone_revocation_cache_time: 3600 keystone_revocation_expiration_buffer: 1800 ## Fernet config vars keystone_fernet_tokens_key_repository: "/etc/keystone/fernet-keys" keystone_fernet_tokens_max_active_keys: 7 # Any of the following rotation times are valid: # reboot, yearly, annually, monthly, weekly, daily, hourly keystone_fernet_rotation: daily keystone_fernet_auto_rotation_script: /opt/keystone-fernet-rotate.sh ## Credentials config vars keystone_credential_key_repository: /etc/keystone/credential-keys # Any of the following rotation times are valid: # reboot, yearly, annually, monthly, weekly, daily, hourly keystone_credential_rotation: weekly keystone_credential_auto_rotation_script: /opt/keystone-credential-rotate.sh keystone_assignment_driver: sql keystone_resource_cache_time: 3600 keystone_resource_driver: sql keystone_bind_address: 0.0.0.0 ## Database info keystone_database_connection_string: >- mysql+pymysql://{{ keystone_galera_user }}:{{ keystone_container_mysql_password }}@{{ keystone_galera_address }}/{{ keystone_galera_database }}?charset=utf8{% if keystone_galera_use_ssl | bool %}&ssl_ca={{ keystone_galera_ssl_ca_cert }}{% endif %} keystone_galera_user: keystone keystone_galera_database: keystone ## Database SSL keystone_galera_use_ssl: "{{ galera_use_ssl | default(False) }}" keystone_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('/etc/ssl/certs/galera-ca.pem') }}" # Database tuning keystone_database_enabled: true keystone_database_idle_timeout: 200 keystone_database_min_pool_size: 5 keystone_database_max_pool_size: 120 keystone_database_pool_timeout: 30 ## Oslo Messaging keystone_messaging_enabled: true # RPC keystone_oslomsg_rpc_transport: rabbit keystone_oslomsg_rpc_servers: 127.0.0.1 keystone_oslomsg_rpc_port: 5672 keystone_oslomsg_rpc_use_ssl: False keystone_oslomsg_rpc_userid: keystone keystone_oslomsg_rpc_vhost: /keystone # Notify keystone_oslomsg_notify_transport: rabbit keystone_oslomsg_notify_servers: 127.0.0.1 keystone_oslomsg_notify_port: 5672 keystone_oslomsg_notify_use_ssl: False keystone_oslomsg_notify_userid: keystone keystone_oslomsg_notify_vhost: /keystone ## Role info keystone_role_name: admin keystone_default_role_name: _member_ ## Admin info keystone_admin_port: 35357 keystone_admin_user_name: admin keystone_admin_tenant_name: admin keystone_admin_description: Admin Tenant ## Service Type and Data keystone_service_setup: true keystone_service_region: RegionOne keystone_service_name: keystone keystone_service_port: 5000 keystone_service_type: identity keystone_service_description: "Keystone Identity Service" keystone_service_user_name: keystone keystone_service_tenant_name: service keystone_service_proto: http keystone_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(keystone_service_proto) }}" keystone_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(keystone_service_proto) }}" keystone_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(keystone_service_proto) }}" keystone_service_internaluri_insecure: false keystone_service_adminuri_insecure: false keystone_service_publicuri: "{{ keystone_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ keystone_service_port }}" keystone_service_internaluri: "{{ keystone_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}" keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_admin_port }}" ## Set this value to override the "public_endpoint" keystone.conf variable #keystone_public_endpoint: "{{ keystone_service_publicuri }}" # This is the web server that will handle all requests and will act as a # reverse proxy to uWSGI. If internal TLS/SSL certificates are configured, # they are implemented in this web server's configuration. Using a web server # for endpoints is far better for scale and allows the use of additional # modules to improve performance or security, leaving uWSGI to only have # to be used for running the service. # # Note: # The default is nginx, but apache will be used if Keystone is configured # as a Federated Service provider. # TODO (odyssey4me): Convert the SP implementation to use nginx instead # so that we do not have to be concerned with multiple web servers. # keystone_web_server: "{{ (keystone_sp != {}) | ternary('apache', 'nginx') }}" ## Apache setup keystone_apache_log_level: info keystone_apache_custom_log_format: combined keystone_apache_servertokens: "Prod" keystone_apache_serversignature: "Off" ## Apache MPM tunables keystone_httpd_mpm_backend: event keystone_httpd_mpm_start_servers: 2 keystone_httpd_mpm_min_spare_threads: 25 keystone_httpd_mpm_max_spare_threads: 75 keystone_httpd_mpm_thread_limit: 64 keystone_httpd_mpm_thread_child: 25 keystone_httpd_mpm_max_requests: 150 keystone_httpd_mpm_max_conn_child: 0 ## Nginx setup keystone_nginx_access_log_format_combined: '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"' keystone_nginx_access_log_format_extras: '$request_time $upstream_response_time' keystone_nginx_ports: keystone-wsgi-public: "{{ keystone_service_port }}" keystone-wsgi-admin: "{{ keystone_admin_port }}" keystone_nginx_extra_conf: - keepalive_timeout 70; ## uWSGI setup keystone_wsgi_threads: 1 ## Cap the maximun number of processes when a user value is unspecified. keystone_wsgi_processes_max: 16 keystone_wsgi_processes: "{{ [[ansible_processor_vcpus|default(1), 1] | max * 2, keystone_wsgi_processes_max] | min }}" keystone_uwsgi_ports: keystone-wsgi-public: http: 37358 socket: 35358 keystone-wsgi-admin: http: 37359 socket: 5001 keystone_uwsgi_ini_overrides: {} # set keystone_ssl to true to enable SSL configuration on the keystone containers keystone_ssl: false keystone_ssl_cert: /etc/ssl/certs/keystone.pem keystone_ssl_key: /etc/ssl/private/keystone.key keystone_ssl_ca_cert: /etc/ssl/certs/keystone-ca.pem keystone_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3') }}" keystone_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}" # if using a self-signed certificate, set this to true to regenerate it keystone_ssl_self_signed_regen: false keystone_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ internal_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}" # Set these variables to deploy custom certificates #keystone_user_ssl_cert: #keystone_user_ssl_key: #keystone_user_ssl_ca_cert: # Set to true when terminating SSL/TLS at a load balancer keystone_external_ssl: false # External SSL forwarding proto keystone_secure_proxy_ssl_header: HTTP_X_FORWARDED_PROTO ## Caching # This is a list of strings, each string contains a cache server's # information (IP:port for example) # The cache_servers default backend is memcached, so this variable # should point to a list of memcached servers. # If empty, caching is disabled. keystone_cache_servers: [] ## LDAP Section # Define Keystone LDAP domain configuration here. # This may be used to add configuration for a LDAP identity back-end. # See the http://docs.openstack.org/admin-guide/identity-integrate-with-ldap.html # # Each top-level entry is a domain name. Each entry below that are key: value pairs for # the ldap section in the domain-specific configuraiton file. # # (EXAMPLE LAYOUT) # keystone_ldap: # Users: # url: "ldap://127.0.0.1" # user: "root" # password: "secrete" # ... keystone_ldap: {} keystone_ldap_domain_config_dir: /etc/keystone/domains # If you want to regenerate the keystone users SSH keys, on each run, set this var to True # Otherwise keys will be generated on the first run and not regenerated each run. keystone_recreate_keys: False ## Policy vars # Provide a list of access controls to update the default policy.json with. These changes will be merged # with the access controls in the default policy.json. E.g. #keystone_policy_overrides: # identity:create_region: "rule:admin_required" # identity:update_region: "rule:admin_required" ## Federation # Enable the following section on the Keystone IdP keystone_idp: {} #keystone_idp: # certfile: "/etc/keystone/ssl/idp_signing_cert.pem" # keyfile: "/etc/keystone/ssl/idp_signing_key.pem" # self_signed_cert_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}" # regen_cert: false # idp_entity_id: "{{ keystone_service_publicuri }}/v3//OS-FEDERATION/saml2/idp" # idp_sso_endpoint: "{{ keystone_service_publicuri }}/v3/OS-FEDERATION/saml2/sso" # idp_metadata_path: /etc/keystone/saml2_idp_metadata.xml # service_providers: # - id: "sp_1" # auth_url: https://example.com:5000/v3/OS-FEDERATION/identity_providers/idp/protocols/saml2/auth # sp_url: https://example.com:5000/Shibboleth.sso/SAML2/ECP # # the following settings are optional # organization_name: example_company # organization_display_name: Example Corp. # organization_url: example.com # contact_company: example_company # contact_name: John # contact_surname: Smith # contact_email: jsmith@example.com # contact_telephone: 555-55-5555 # contact_type: technical # Enable the following section in order to install and configure # Keystone as a Resource Service Provider (SP) and to configure # trusts with specific Identity Providers (IdP). keystone_sp: {} #keystone_sp: # cert_duration_years: 5 # trusted_dashboard_list: # - "https://{{ external_lb_vip_address }}/auth/websso/" # - "https://{{ horizon_server_name }}/auth/websso/" # trusted_idp_list: # note that only one of these is supported at any one time for now # - name: "keystone-idp" # entity_ids: # - 'https://keystone-idp:5000/v3/OS-FEDERATION/saml2/idp' # metadata_uri: 'https://keystone-idp:5000/v3/OS-FEDERATION/saml2/metadata' # metadata_file: 'metadata-keystone-idp.xml' # metadata_reload: 1800 # federated_identities: # - domain: Default # project: fedproject # group: fedgroup # role: _member_ # protocols: # - name: saml2 # mapping: # name: keystone-idp-mapping # rules: # - remote: # - type: openstack_user # local: # - group: # name: fedgroup # domain: # name: Default # user: # name: '{0}' # attributes: # - name: openstack_user # id: openstack_user # - name: openstack_roles # id: openstack_roles # - name: openstack_project # id: openstack_project # - name: openstack_user_domain # id: openstack_user_domain # - name: openstack_project_domain # id: openstack_project_domain # # - name: 'testshib-idp' # entity_ids: # - 'https://idp.testshib.org/idp/shibboleth' # metadata_uri: 'http://www.testshib.org/metadata/testshib-providers.xml' # metadata_file: 'metadata-testshib-idp.xml' # metadata_reload: 1800 # federated_identities: # - domain: Default # project: fedproject # group: fedgroup # role: _member_ # protocols: # - name: saml2 # mapping: # name: testshib-idp-mapping # rules: # - remote: # - type: eppn # local: # - group: # name: fedgroup # domain: # name: Default # - user: # name: '{0}' # # - name: 'adfs-idp' # entity_ids: # - 'http://adfs.contoso.com/adfs/services/trust' # metadata_uri: 'https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml' # metadata_file: 'metadata-adfs-idp.xml' # metadata_reload: 1800 # federated_identities: # - domain: Default # project: fedproject # group: fedgroup # role: _member_ # protocols: # - name: saml2 # mapping: # name: adfs-idp-mapping # rules: # - remote: # - type: upn # local: # - group: # name: fedgroup # domain: # name: Default # - user: # name: '{0}' # attributes: # - name: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn' # id: upn keystone_service_in_ldap: false # Keystone notification settings keystone_ceilometer_enabled: false # Keystone packages that must be installed before anything else keystone_requires_pip_packages: - virtualenv # Common pip packages keystone_pip_packages: - keystone - ldappool - pyldap - PyMySQL - python-memcached - python-openstackclient - uWSGI # This variable is used by the repo_build process to determine # which host group to check for members of before building the # pip packages required by this role. The value is picked up # by the py_pkgs lookup. keystone_role_project_group: keystone_all #: Tunable file-based overrides # The contents of these files, if they exist, are read from the # specified path on the deployment host, interpreted by the # template engine and copied to the target host. If they do # not exist then the default files will be sourced from the # service git repository. keystone_paste_default_file_path: "/etc/openstack_deploy/keystone/keystone-paste.ini" keystone_policy_default_file_path: "/etc/openstack_deploy/keystone/policy.json" keystone_sso_callback_file_path: "/etc/openstack_deploy/keystone/sso_callback_template.html" # If the above-mentioned files do not exist, then the defaults # inside the venvs will be used, but cached at this location # on the deployment host. Using the cache makes the re-use # of the files faster when deploying, but is also required in # order to still be able to apply the config_template override. keystone_config_cache_path: "{{ lookup('env', 'HOME') | default('/opt', true) }}/cache/keystone" keystone_config_cache_path_owner: "{{ lookup('env', 'USER') | default('root', true) }}" #: Tunable var-based overrides # The contents of these are templated over the default files. keystone_keystone_conf_overrides: {} keystone_keystone_default_conf_overrides: {} keystone_keystone_paste_ini_overrides: {} keystone_policy_overrides: {} keystone_required_secrets: - keystone_auth_admin_password - keystone_container_mysql_password - keystone_oslomsg_rpc_password - keystone_oslomsg_notify_password - keystone_rabbitmq_password - keystone_service_password keystone_uwsgi_init_overrides: {} ## Service Name-Group Mapping keystone_services: keystone-wsgi-public: service_name: "keystone-wsgi-public" init_config_overrides: "{{ keystone_uwsgi_init_overrides }}" execstarts: "{{ keystone_uwsgi_bin }}/uwsgi --autoload --ini /etc/uwsgi/keystone-wsgi-public.ini" keystone-wsgi-admin: service_name: "keystone-wsgi-admin" init_config_overrides: "{{ keystone_uwsgi_init_overrides }}" execstarts: "{{ keystone_uwsgi_bin }}/uwsgi --autoload --ini /etc/uwsgi/keystone-wsgi-admin.ini" ## Extra HTTP headers for Keystone # Add any additional headers here that Keystone should return. # # Example: # # keystone_extra_headers: # - parameter: "Access-Control-Expose-Headers" # value: "X-Subject-Token" # - parameter: "Access-Control-Allow-Headers" # value: "Content-Type, X-Auth-Token" # - parameter: "Access-Control-Allow-Origin" # value: "*" keystone_extra_headers: [] # List of trusted IPs which can pass X-Forwarded-For keystone_set_real_ip_from: []