openstack-ansible-os_keystone/templates/keystone.conf.j2
Ian Cordasco 9e4a02482d Add support for deploying Keystone with Fernet
This change adds a number of new tasks that are dependent on the value
of the Keystone token provider (keystone_token_provider) user variable.

If the keystone_token_provider user_variable is set to
keystone.token.providers.fernet.Provider then the playbooks will
appropriately create the fernet keys and distribute them to the rest of
the keystone containers.

This also implements key rotation for generated fernet keys similar to
how the os_nova roles implement key rotation.

Finally, we also need to build cryptography from master for now.
Currently, 0.8.x and 0.9.x use versions of cffi<1.0 which causes a bug
when used with mod_wsgi and Apache. This is fixed in cryptography master
and will be released in 1.0.

Closes-bug: 1463569
Change-Id: I8605e0490a8889d57c6b1b7e03e078fb0da978ab
2015-06-22 08:53:53 -05:00

97 lines
2.6 KiB
Django/Jinja

# {{ ansible_managed }}
[DEFAULT]
verbose = {{ verbose }}
debug = {{ debug }}
admin_token = {{ keystone_auth_admin_token }}
{% if keystone_public_endpoint is defined %}
public_endpoint = {{ keystone_public_endpoint }}
{% endif %}
admin_endpoint = {{ keystone_service_adminuri }}
fatal_deprecations = {{ keystone_fatal_deprecations }}
{% if keystone_ssl_enabled == true and keystone_secure_proxy_ssl_header is defined %}
secure_proxy_ssl_header = {{ keystone_secure_proxy_ssl_header }}
{% endif %}
log_file = keystone.log
log_dir = /var/log/keystone
rpc_backend = {{ keystone_rpc_backend }}
[memcache]
servers = {{ keystone_memcached_servers }}
max_compare_and_set_retry = {{ keystone_memcached_max_compare_and_set_retry }}
{% if keystone_cache_backend_argument is defined %}
[cache]
backend = dogpile.cache.memcached
backend_argument = {{ keystone_cache_backend_argument }}
config_prefix = cache.keystone
distributed_lock = True
expiration_time = {{ keystone_cache_expiration_time }}
enabled = true
{% endif %}
[revoke]
caching = true
driver = {{ keystone_revocation_driver }}
expiration_buffer = {{ keystone_revocation_expiration_buffer }}
cache_time = {{ keystone_revocation_cache_time }}
[auth]
methods = {{ keystone_auth_methods }}
[database]
connection = mysql://{{ keystone_galera_user }}:{{ keystone_container_mysql_password }}@{{ keystone_galera_address }}/{{ keystone_galera_database }}?charset=utf8
idle_timeout = {{ keystone_database_idle_timeout }}
min_pool_size = {{ keystone_database_min_pool_size }}
max_pool_size = {{ keystone_database_max_pool_size }}
pool_timeout = {{ keystone_database_pool_timeout }}
[fernet_keys]
key_repository = {{ keystone_fernet_tokens_key_repository }}
max_active_keys = {{ keystone_fernet_tokens_max_active_keys }}
[identity]
driver = {{ keystone_identity_driver }}
{% if keystone_ldap is defined %}
domain_config_dir = {{ keystone_ldap_domain_config_dir }}
domain_specific_drivers_enabled = True
{% endif %}
[assignment]
driver = {{ keystone_assignment_driver }}
[resource]
cache_time = {{ keystone_resource_cache_time }}
caching = true
driver = {{ keystone_resource_driver }}
[token]
enforce_token_bind = permissive
expiration = {{ keystone_token_expiration }}
caching = true
cache_time = {{ keystone_token_cache_time }}
provider = {{ keystone_token_provider }}
driver = {{ keystone_token_driver }}
[eventlet_server]
admin_bind_host = {{ keystone_bind_address }}
admin_port = {{ keystone_admin_port }}
public_port = {{ keystone_service_port }}
[oslo_messaging_rabbit]
rabbit_hosts = {{ rabbitmq_servers }}
rabbit_userid = {{ rabbitmq_userid }}
rabbit_password = {{ rabbitmq_password }}