ac51441e33
Keystone moved from python-ldap to pyldap in the Newton release. This patch ensures pyldap is installed in case a deployer wants to use LDAP backends. Closes-Bug: 1736241 Change-Id: I1aa332ac0905bf80f80d8ff9b5c50746a85bfd59
488 lines
18 KiB
YAML
488 lines
18 KiB
YAML
---
|
|
# Copyright 2014, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
## Verbosity Options
|
|
debug: False
|
|
|
|
# Set the package install state for distribution and pip packages
|
|
# Options are 'present' and 'latest'
|
|
keystone_package_state: "latest"
|
|
keystone_pip_package_state: "latest"
|
|
|
|
# Role standard API override this option in the OS variable files
|
|
keystone_shibboleth_repo: {}
|
|
|
|
# These variables are used in 'developer mode' in order to allow the role
|
|
# to build an environment directly from a git source without the presence
|
|
# of an OpenStack-Ansible repo_server.
|
|
keystone_git_repo: https://git.openstack.org/openstack/keystone
|
|
keystone_git_install_branch: master
|
|
keystone_developer_mode: false
|
|
keystone_developer_constraints:
|
|
- "git+{{ keystone_git_repo }}@{{ keystone_git_install_branch }}#egg=keystone"
|
|
|
|
# Name of the virtual env to deploy into
|
|
keystone_venv_tag: untagged
|
|
keystone_bin: "/openstack/venvs/keystone-{{ keystone_venv_tag }}/bin"
|
|
|
|
# venv_download, even when true, will use the fallback method of building the
|
|
# venv from scratch if the venv download fails.
|
|
keystone_venv_download: "{{ not keystone_developer_mode | bool }}"
|
|
keystone_venv_download_url: http://127.0.0.1/venvs/untagged/ubuntu/keystone.tgz
|
|
|
|
keystone_fatal_deprecations: False
|
|
|
|
## System info
|
|
keystone_system_user_name: keystone
|
|
keystone_system_group_name: keystone
|
|
keystone_system_additional_groups:
|
|
- ssl_cert
|
|
|
|
keystone_system_shell: /bin/bash
|
|
keystone_system_comment: keystone system user
|
|
keystone_system_user_home: "/var/lib/{{ keystone_system_user_name }}"
|
|
|
|
## Drivers
|
|
keystone_auth_methods: "password,token"
|
|
keystone_identity_driver: sql
|
|
keystone_token_provider: fernet
|
|
keystone_token_expiration: 43200
|
|
keystone_token_cache_time: 3600
|
|
|
|
# Set the revocation driver used within keystone.
|
|
keystone_revocation_driver: sql
|
|
keystone_revocation_cache_time: 3600
|
|
keystone_revocation_expiration_buffer: 1800
|
|
|
|
## Fernet config vars
|
|
keystone_fernet_tokens_key_repository: "/etc/keystone/fernet-keys"
|
|
keystone_fernet_tokens_max_active_keys: 7
|
|
# Any of the following rotation times are valid:
|
|
# reboot, yearly, annually, monthly, weekly, daily, hourly
|
|
keystone_fernet_rotation: daily
|
|
keystone_fernet_auto_rotation_script: /opt/keystone-fernet-rotate.sh
|
|
|
|
## Credentials config vars
|
|
keystone_credential_key_repository: /etc/keystone/credential-keys
|
|
# Any of the following rotation times are valid:
|
|
# reboot, yearly, annually, monthly, weekly, daily, hourly
|
|
keystone_credential_rotation: weekly
|
|
keystone_credential_auto_rotation_script: /opt/keystone-credential-rotate.sh
|
|
|
|
keystone_assignment_driver: sql
|
|
|
|
keystone_resource_cache_time: 3600
|
|
keystone_resource_driver: sql
|
|
|
|
keystone_bind_address: 0.0.0.0
|
|
|
|
## Memcached servers used within keystone.
|
|
# String or Comma separated list of servers.
|
|
keystone_memcached_servers: 127.0.0.1
|
|
keystone_memcached_max_compare_and_set_retry: 16
|
|
|
|
## DB info
|
|
keystone_galera_user: keystone
|
|
keystone_galera_database: keystone
|
|
# Database tuning
|
|
keystone_database_enabled: true
|
|
keystone_database_connection_string: mysql+pymysql://{{ keystone_galera_user }}:{{ keystone_container_mysql_password }}@{{ keystone_galera_address }}/{{ keystone_galera_database }}?charset=utf8
|
|
keystone_database_idle_timeout: 200
|
|
keystone_database_min_pool_size: 5
|
|
keystone_database_max_pool_size: 120
|
|
keystone_database_pool_timeout: 30
|
|
|
|
## RabbitMQ info
|
|
|
|
## Configuration for RPC communications
|
|
keystone_messaging_enabled: true
|
|
keystone_rabbitmq_port: 5671
|
|
keystone_rabbitmq_userid: keystone
|
|
keystone_rabbitmq_vhost: /keystone
|
|
keystone_rabbitmq_servers: localhost
|
|
keystone_rabbitmq_use_ssl: false
|
|
|
|
## Configuration for notifications communication, i.e. [oslo_messaging_notifications]
|
|
keystone_rabbitmq_telemetry_userid: "{{ keystone_rabbitmq_userid }}"
|
|
keystone_rabbitmq_telemetry_password: "{{ keystone_rabbitmq_password }}"
|
|
keystone_rabbitmq_telemetry_vhost: "{{ keystone_rabbitmq_vhost }}"
|
|
keystone_rabbitmq_telemetry_port: "{{ keystone_rabbitmq_port }}"
|
|
keystone_rabbitmq_telemetry_servers: "{{ keystone_rabbitmq_servers }}"
|
|
keystone_rabbitmq_telemetry_use_ssl: "{{ keystone_rabbitmq_use_ssl }}"
|
|
|
|
## Role info
|
|
keystone_role_name: admin
|
|
keystone_default_role_name: _member_
|
|
|
|
## Admin info
|
|
keystone_admin_port: 35357
|
|
keystone_admin_user_name: admin
|
|
keystone_admin_tenant_name: admin
|
|
keystone_admin_description: Admin Tenant
|
|
|
|
## Service Type and Data
|
|
keystone_service_setup: true
|
|
keystone_service_region: RegionOne
|
|
keystone_service_name: keystone
|
|
keystone_service_port: 5000
|
|
keystone_service_type: identity
|
|
keystone_service_description: "Keystone Identity Service"
|
|
keystone_service_user_name: keystone
|
|
keystone_service_tenant_name: service
|
|
|
|
keystone_service_proto: http
|
|
keystone_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(keystone_service_proto) }}"
|
|
keystone_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(keystone_service_proto) }}"
|
|
keystone_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(keystone_service_proto) }}"
|
|
|
|
keystone_service_internaluri_insecure: false
|
|
keystone_service_adminuri_insecure: false
|
|
|
|
keystone_service_publicuri: "{{ keystone_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ keystone_service_port }}"
|
|
keystone_service_internaluri: "{{ keystone_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}"
|
|
keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_admin_port }}"
|
|
|
|
keystone_service_publicurl_v3: "{{ keystone_service_publicuri }}/v3"
|
|
keystone_service_internalurl_v3: "{{ keystone_service_internaluri }}/v3"
|
|
keystone_service_adminurl_v3: "{{ keystone_service_adminuri }}/v3"
|
|
|
|
keystone_service_publicurl: "{{ keystone_service_publicurl_v3 }}"
|
|
keystone_service_internalurl: "{{ keystone_service_internalurl_v3 }}"
|
|
keystone_service_adminurl: "{{ keystone_service_adminurl_v3 }}"
|
|
|
|
|
|
## Set this value to override the "public_endpoint" keystone.conf variable
|
|
#keystone_public_endpoint: "{{ keystone_service_publicuri }}"
|
|
|
|
# This is the web server that will handle all requests and will act as a
|
|
# reverse proxy to uWSGI. If internal TLS/SSL certificates are configured,
|
|
# they are implemented in this web server's configuration. Using a web server
|
|
# for endpoints is far better for scale and allows the use of additional
|
|
# modules to improve performance or security, leaving uWSGI to only have
|
|
# to be used for running the service.
|
|
#
|
|
# Note:
|
|
# The default is nginx, but apache will be used if Keystone is configured
|
|
# as a Federated Service provider.
|
|
# TODO (odyssey4me): Convert the SP implementation to use nginx instead
|
|
# so that we do not have to be concerned with multiple web servers.
|
|
#
|
|
keystone_web_server: "{{ (keystone_sp != {}) | ternary('apache', 'nginx') }}"
|
|
|
|
## Apache setup
|
|
keystone_apache_log_level: info
|
|
keystone_apache_custom_log_format: combined
|
|
keystone_apache_servertokens: "Prod"
|
|
keystone_apache_serversignature: "Off"
|
|
|
|
## Apache MPM tunables
|
|
keystone_httpd_mpm_backend: event
|
|
keystone_httpd_mpm_start_servers: 2
|
|
keystone_httpd_mpm_min_spare_threads: 25
|
|
keystone_httpd_mpm_max_spare_threads: 75
|
|
keystone_httpd_mpm_thread_limit: 64
|
|
keystone_httpd_mpm_thread_child: 25
|
|
keystone_httpd_mpm_max_requests: 150
|
|
keystone_httpd_mpm_max_conn_child: 0
|
|
|
|
## Nginx setup
|
|
keystone_nginx_access_log_format_combined: '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"'
|
|
keystone_nginx_access_log_format_extras: '$request_time $upstream_response_time'
|
|
keystone_nginx_ports:
|
|
keystone-wsgi-public: "{{ keystone_service_port }}"
|
|
keystone-wsgi-admin: "{{ keystone_admin_port }}"
|
|
keystone_nginx_extra_conf:
|
|
- keepalive_timeout 70;
|
|
|
|
## uWSGI setup
|
|
keystone_wsgi_threads: 1
|
|
## Cap the maximun number of processes when a user value is unspecified.
|
|
keystone_wsgi_processes_max: 16
|
|
keystone_wsgi_processes: "{{ [[ansible_processor_vcpus|default(1), 1] | max * 2, keystone_wsgi_processes_max] | min }}"
|
|
keystone_wsgi_public_program_name: keystone-wsgi-public
|
|
keystone_wsgi_admin_program_name: keystone-wsgi-admin
|
|
keystone_wsgi_program_names:
|
|
- "{{ keystone_wsgi_public_program_name }}"
|
|
- "{{ keystone_wsgi_admin_program_name }}"
|
|
keystone_uwsgi_ports:
|
|
keystone-wsgi-public:
|
|
http: 37358
|
|
socket: 35358
|
|
keystone-wsgi-admin:
|
|
http: 37359
|
|
socket: 5001
|
|
keystone_uwsgi_ini_overrides: {}
|
|
|
|
# set keystone_ssl to true to enable SSL configuration on the keystone containers
|
|
keystone_ssl: false
|
|
keystone_ssl_cert: /etc/ssl/certs/keystone.pem
|
|
keystone_ssl_key: /etc/ssl/private/keystone.key
|
|
keystone_ssl_ca_cert: /etc/ssl/certs/keystone-ca.pem
|
|
keystone_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3') }}"
|
|
keystone_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
|
|
|
|
# if using a self-signed certificate, set this to true to regenerate it
|
|
keystone_ssl_self_signed_regen: false
|
|
keystone_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ internal_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
|
|
|
|
# Set these variables to deploy custom certificates
|
|
#keystone_user_ssl_cert: <path to cert on ansible deployment host>
|
|
#keystone_user_ssl_key: <path to cert on ansible deployment host>
|
|
#keystone_user_ssl_ca_cert: <path to cert on ansible deployment host>
|
|
|
|
# Set to true when terminating SSL/TLS at a load balancer
|
|
keystone_external_ssl: false
|
|
|
|
# External SSL forwarding proto
|
|
keystone_secure_proxy_ssl_header: HTTP_X_FORWARDED_PROTO
|
|
|
|
## Caching
|
|
# If set this will enable dog pile cache for keystone.
|
|
# keystone_cache_backend_argument: url:127.0.0.1:11211
|
|
|
|
## LDAP Section
|
|
# Define Keystone LDAP domain configuration here.
|
|
# This may be used to add configuration for a LDAP identity back-end.
|
|
# See the http://docs.openstack.org/admin-guide/identity-integrate-with-ldap.html
|
|
#
|
|
# Each top-level entry is a domain name. Each entry below that are key: value pairs for
|
|
# the ldap section in the domain-specific configuraiton file.
|
|
#
|
|
# (EXAMPLE LAYOUT)
|
|
# keystone_ldap:
|
|
# Users:
|
|
# url: "ldap://127.0.0.1"
|
|
# user: "root"
|
|
# password: "secrete"
|
|
# ...
|
|
|
|
keystone_ldap: {}
|
|
keystone_ldap_domain_config_dir: /etc/keystone/domains
|
|
|
|
|
|
# If you want to regenerate the keystone users SSH keys, on each run, set this var to True
|
|
# Otherwise keys will be generated on the first run and not regenerated each run.
|
|
keystone_recreate_keys: False
|
|
|
|
## Policy vars
|
|
# Provide a list of access controls to update the default policy.json with. These changes will be merged
|
|
# with the access controls in the default policy.json. E.g.
|
|
#keystone_policy_overrides:
|
|
# identity:create_region: "rule:admin_required"
|
|
# identity:update_region: "rule:admin_required"
|
|
|
|
## Federation
|
|
|
|
# Enable the following section on the Keystone IdP
|
|
keystone_idp: {}
|
|
#keystone_idp:
|
|
# certfile: "/etc/keystone/ssl/idp_signing_cert.pem"
|
|
# keyfile: "/etc/keystone/ssl/idp_signing_key.pem"
|
|
# self_signed_cert_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}"
|
|
# regen_cert: false
|
|
# idp_entity_id: "{{ keystone_service_publicurl_v3 }}/OS-FEDERATION/saml2/idp"
|
|
# idp_sso_endpoint: "{{ keystone_service_publicurl_v3 }}/OS-FEDERATION/saml2/sso"
|
|
# idp_metadata_path: /etc/keystone/saml2_idp_metadata.xml
|
|
# service_providers:
|
|
# - id: "sp_1"
|
|
# auth_url: https://example.com:5000/v3/OS-FEDERATION/identity_providers/idp/protocols/saml2/auth
|
|
# sp_url: https://example.com:5000/Shibboleth.sso/SAML2/ECP
|
|
# # the following settings are optional
|
|
# organization_name: example_company
|
|
# organization_display_name: Example Corp.
|
|
# organization_url: example.com
|
|
# contact_company: example_company
|
|
# contact_name: John
|
|
# contact_surname: Smith
|
|
# contact_email: jsmith@example.com
|
|
# contact_telephone: 555-55-5555
|
|
# contact_type: technical
|
|
|
|
# Enable the following section in order to install and configure
|
|
# Keystone as a Resource Service Provider (SP) and to configure
|
|
# trusts with specific Identity Providers (IdP).
|
|
keystone_sp: {}
|
|
#keystone_sp:
|
|
# cert_duration_years: 5
|
|
# trusted_dashboard_list:
|
|
# - "https://{{ external_lb_vip_address }}/auth/websso/"
|
|
# - "https://{{ horizon_server_name }}/auth/websso/"
|
|
# trusted_idp_list:
|
|
# note that only one of these is supported at any one time for now
|
|
# - name: "keystone-idp"
|
|
# entity_ids:
|
|
# - 'https://keystone-idp:5000/v3/OS-FEDERATION/saml2/idp'
|
|
# metadata_uri: 'https://keystone-idp:5000/v3/OS-FEDERATION/saml2/metadata'
|
|
# metadata_file: 'metadata-keystone-idp.xml'
|
|
# metadata_reload: 1800
|
|
# federated_identities:
|
|
# - domain: Default
|
|
# project: fedproject
|
|
# group: fedgroup
|
|
# role: _member_
|
|
# protocols:
|
|
# - name: saml2
|
|
# mapping:
|
|
# name: keystone-idp-mapping
|
|
# rules:
|
|
# - remote:
|
|
# - type: openstack_user
|
|
# local:
|
|
# - group:
|
|
# name: fedgroup
|
|
# domain:
|
|
# name: Default
|
|
# user:
|
|
# name: '{0}'
|
|
# attributes:
|
|
# - name: openstack_user
|
|
# id: openstack_user
|
|
# - name: openstack_roles
|
|
# id: openstack_roles
|
|
# - name: openstack_project
|
|
# id: openstack_project
|
|
# - name: openstack_user_domain
|
|
# id: openstack_user_domain
|
|
# - name: openstack_project_domain
|
|
# id: openstack_project_domain
|
|
#
|
|
# - name: 'testshib-idp'
|
|
# entity_ids:
|
|
# - 'https://idp.testshib.org/idp/shibboleth'
|
|
# metadata_uri: 'http://www.testshib.org/metadata/testshib-providers.xml'
|
|
# metadata_file: 'metadata-testshib-idp.xml'
|
|
# metadata_reload: 1800
|
|
# federated_identities:
|
|
# - domain: Default
|
|
# project: fedproject
|
|
# group: fedgroup
|
|
# role: _member_
|
|
# protocols:
|
|
# - name: saml2
|
|
# mapping:
|
|
# name: testshib-idp-mapping
|
|
# rules:
|
|
# - remote:
|
|
# - type: eppn
|
|
# local:
|
|
# - group:
|
|
# name: fedgroup
|
|
# domain:
|
|
# name: Default
|
|
# - user:
|
|
# name: '{0}'
|
|
#
|
|
# - name: 'adfs-idp'
|
|
# entity_ids:
|
|
# - 'http://adfs.contoso.com/adfs/services/trust'
|
|
# metadata_uri: 'https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml'
|
|
# metadata_file: 'metadata-adfs-idp.xml'
|
|
# metadata_reload: 1800
|
|
# federated_identities:
|
|
# - domain: Default
|
|
# project: fedproject
|
|
# group: fedgroup
|
|
# role: _member_
|
|
# protocols:
|
|
# - name: saml2
|
|
# mapping:
|
|
# name: adfs-idp-mapping
|
|
# rules:
|
|
# - remote:
|
|
# - type: upn
|
|
# local:
|
|
# - group:
|
|
# name: fedgroup
|
|
# domain:
|
|
# name: Default
|
|
# - user:
|
|
# name: '{0}'
|
|
# attributes:
|
|
# - name: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
|
|
# id: upn
|
|
|
|
keystone_service_in_ldap: false
|
|
|
|
# Keystone notification settings
|
|
keystone_ceilometer_enabled: false
|
|
|
|
# Keystone packages that must be installed before anything else
|
|
keystone_requires_pip_packages:
|
|
- virtualenv
|
|
- virtualenv-tools
|
|
- python-keystoneclient # Keystoneclient needed to OSA keystone lib
|
|
|
|
# Common pip packages
|
|
keystone_pip_packages:
|
|
- keystone
|
|
- ldappool
|
|
- pyldap
|
|
- PyMySQL
|
|
- python-memcached
|
|
- python-openstackclient
|
|
- uWSGI
|
|
|
|
# This variable is used by the repo_build process to determine
|
|
# which host group to check for members of before building the
|
|
# pip packages required by this role. The value is picked up
|
|
# by the py_pkgs lookup.
|
|
keystone_role_project_group: keystone_all
|
|
|
|
#: Tunable file-based overrides
|
|
# The contents of these files, if they exist, are read from the
|
|
# specified path on the deployment host, interpreted by the
|
|
# template engine and copied to the target host. If they do
|
|
# not exist then the default files will be sourced from the
|
|
# service git repository.
|
|
keystone_paste_default_file_path: "/etc/openstack_deploy/keystone/keystone-paste.ini"
|
|
keystone_policy_default_file_path: "/etc/openstack_deploy/keystone/policy.json"
|
|
keystone_sso_callback_file_path: "/etc/openstack_deploy/keystone/sso_callback_template.html"
|
|
|
|
# If the above-mentioned files do not exist, then these
|
|
# paths will be used to find the files from the git config
|
|
# lookup location.
|
|
keystone_git_config_lookup_location: https://git.openstack.org/cgit/openstack/keystone/plain
|
|
keystone_paste_git_file_path: "etc/keystone-paste.ini?h={{ keystone_git_install_branch }}"
|
|
keystone_sso_callback_git_file_path: "etc/sso_callback_template.html?h={{ keystone_git_install_branch }}"
|
|
|
|
#: Tunable var-based overrides
|
|
# The contents of these are templated over the default files.
|
|
keystone_keystone_conf_overrides: {}
|
|
keystone_keystone_default_conf_overrides: {}
|
|
keystone_keystone_paste_ini_overrides: {}
|
|
keystone_policy_overrides: {}
|
|
|
|
keystone_required_secrets:
|
|
- keystone_auth_admin_password
|
|
- keystone_container_mysql_password
|
|
- keystone_rabbitmq_password
|
|
- keystone_service_password
|
|
|
|
keystone_uwsgi_init_overrides: {}
|
|
|
|
## Extra HTTP headers for Keystone
|
|
# Add any additional headers here that Keystone should return.
|
|
#
|
|
# Example:
|
|
#
|
|
# keystone_extra_headers:
|
|
# - parameter: "Access-Control-Expose-Headers"
|
|
# value: "X-Subject-Token"
|
|
# - parameter: "Access-Control-Allow-Headers"
|
|
# value: "Content-Type, X-Auth-Token"
|
|
# - parameter: "Access-Control-Allow-Origin"
|
|
# value: "*"
|
|
keystone_extra_headers: []
|