openstack/openstack-ansible-os_keystone
Code Issues Proposed changes
openstack-ansible-os_keystone/defaults/main.yml
Jesse Pretorius 5637fecc98 Add project group to role 
This patch adds a var used by the repo_build process to determine
which host group to check for members of before building the pip
packages required by this role. This provides the ability to
optimise the repo build process to only building the packages
that are required for an environment.

Depends-On: Idda16b4f382eee57c7469af898859d6d81d4eb30
Change-Id: Iedb4c0c91daa291f881a9fc00c5b8c40bb312ce3
2016-08-04 05:16:03 +01:00

423 lines
15 KiB
YAML
Raw Blame History

---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
## Verbosity Options
debug: False
# Set the package install state for distribution packages
# Options are 'present' and 'latest'
keystone_package_state: "latest"
# These variables are used in 'developer mode' in order to allow the role
# to build an environment directly from a git source without the presence
# of an OpenStack-Ansible repo_server.
keystone_git_repo: https://git.openstack.org/openstack/keystone
keystone_git_install_branch: master
keystone_requirements_git_repo: https://git.openstack.org/openstack/requirements
keystone_requirements_git_install_branch: master
keystone_developer_mode: false
keystone_developer_constraints:
- "git+{{ keystone_git_repo }}@{{ keystone_git_install_branch }}#egg=keystone"
# Name of the virtual env to deploy into
keystone_venv_tag: untagged
keystone_bin: "/openstack/venvs/keystone-{{ keystone_venv_tag }}/bin"
keystone_venv_download_url: http://127.0.0.1/venvs/untagged/ubuntu/keystone.tgz
keystone_fatal_deprecations: False
## System info
keystone_system_user_name: keystone
keystone_system_group_name: keystone
keystone_system_additional_groups:
- ssl_cert
keystone_system_service_name: apache2
keystone_system_shell: /bin/bash
keystone_system_comment: keystone system user
keystone_system_user_home: "/var/lib/{{ keystone_system_user_name }}"
keystone_rpc_backend: rabbit
## Drivers
keystone_auth_methods: "password,token"
keystone_identity_driver: sql
# For a sql backed token storage use: "sql"
keystone_token_driver: memcache
keystone_token_provider: fernet
keystone_token_expiration: 43200
keystone_token_cache_time: 3600
# Set the revocation driver used within keystone.
keystone_revocation_driver: sql
keystone_revocation_cache_time: 3600
keystone_revocation_expiration_buffer: 1800
## Fernet config vars
keystone_fernet_tokens_key_repository: "/etc/keystone/fernet-keys"
keystone_fernet_tokens_max_active_keys: 7
# Any of the following rotation times are valid:
# reboot, yearly, annually, monthly, weekly, daily, hourly
keystone_fernet_rotation: daily
keystone_fernet_auto_rotation_script: /opt/keystone-fernet-rotate.sh
keystone_assignment_driver: sql
keystone_resource_cache_time: 3600
keystone_resource_driver: sql
keystone_bind_address: 0.0.0.0
## Memcached servers used within keystone.
# String or Comma separated list of servers.
keystone_memcached_servers: 127.0.0.1
keystone_memcached_max_compare_and_set_retry: 16
## DB info
keystone_galera_user: keystone
keystone_galera_database: keystone
# Database tuning
keystone_database_enabled: true
keystone_database_connection_string: mysql+pymysql://{{ keystone_galera_user }}:{{ keystone_container_mysql_password }}@{{ keystone_galera_address }}/{{ keystone_galera_database }}?charset=utf8
keystone_database_idle_timeout: 200
keystone_database_min_pool_size: 5
keystone_database_max_pool_size: 120
keystone_database_pool_timeout: 30
## RabbitMQ info
## Configuration for RPC communications
keystone_messaging_enabled: true
keystone_rabbitmq_port: 5671
keystone_rabbitmq_userid: keystone
keystone_rabbitmq_vhost: /keystone
keystone_rabbitmq_servers: localhost
keystone_rabbitmq_use_ssl: false
## Configuration for notifications communication, i.e. [oslo_messaging_notifications]
keystone_rabbitmq_telemetry_userid: "{{ keystone_rabbitmq_userid }}"
keystone_rabbitmq_telemetry_password: "{{ keystone_rabbitmq_password }}"
keystone_rabbitmq_telemetry_vhost: "{{ keystone_rabbitmq_vhost }}"
keystone_rabbitmq_telemetry_port: "{{ keystone_rabbitmq_port }}"
keystone_rabbitmq_telemetry_servers: "{{ keystone_rabbitmq_servers }}"
keystone_rabbitmq_telemetry_use_ssl: "{{ keystone_rabbitmq_use_ssl }}"
## Role info
keystone_role_name: admin
keystone_default_role_name: _member_
## Admin info
keystone_admin_port: 35357
keystone_admin_user_name: admin
keystone_admin_tenant_name: admin
keystone_admin_description: Admin Tenant
## Service Type and Data
keystone_service_setup: true
keystone_service_region: RegionOne
keystone_service_name: keystone
keystone_service_port: 5000
keystone_service_type: identity
keystone_service_description: "Keystone Identity Service"
keystone_service_user_name: keystone
keystone_service_tenant_name: service
keystone_service_proto: http
keystone_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(keystone_service_proto) }}"
keystone_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(keystone_service_proto) }}"
keystone_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(keystone_service_proto) }}"
keystone_service_internaluri_insecure: false
keystone_service_adminuri_insecure: false
keystone_service_publicuri: "{{ keystone_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ keystone_service_port }}"
keystone_service_internaluri: "{{ keystone_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}"
keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_admin_port }}"
keystone_service_publicurl_v2: "{{ keystone_service_publicuri }}/v2.0"
keystone_service_internalurl_v2: "{{ keystone_service_internaluri }}/v2.0"
keystone_service_adminurl_v2: "{{ keystone_service_adminuri }}/v2.0"
keystone_service_publicurl_v3: "{{ keystone_service_publicuri }}/v3"
keystone_service_internalurl_v3: "{{ keystone_service_internaluri }}/v3"
keystone_service_adminurl_v3: "{{ keystone_service_adminuri }}/v3"
keystone_service_publicurl: "{{ keystone_service_publicurl_v3 }}"
keystone_service_internalurl: "{{ keystone_service_internalurl_v3 }}"
keystone_service_adminurl: "{{ keystone_service_adminurl_v3 }}"
## Set this value to override the "public_endpoint" keystone.conf variable
#keystone_public_endpoint: "{{ keystone_service_publicuri }}"
## Apache setup
keystone_apache_log_level: info
keystone_apache_custom_log_format: combined
keystone_apache_servertokens: "Prod"
keystone_apache_serversignature: "Off"
keystone_wsgi_threads: 1
keystone_wsgi_processes: "{{ ansible_processor_vcpus | default (1) * 2 }}"
## Apache MPM tunables
keystone_httpd_mpm_backend: event
keystone_httpd_mpm_start_servers: 2
keystone_httpd_mpm_min_spare_threads: 25
keystone_httpd_mpm_max_spare_threads: 75
keystone_httpd_mpm_thread_limit: 64
keystone_httpd_mpm_thread_child: 25
keystone_httpd_mpm_max_requests: 150
keystone_httpd_mpm_max_conn_child: 0
# set keystone_ssl to true to enable SSL configuration on the keystone containers
keystone_ssl: false
keystone_ssl_cert: /etc/ssl/certs/keystone.pem
keystone_ssl_key: /etc/ssl/private/keystone.key
keystone_ssl_ca_cert: /etc/ssl/certs/keystone-ca.pem
keystone_ssl_protocol: "{{ ssl_protocol|default('ALL -SSLv2 -SSLv3') }}"
keystone_ssl_cipher_suite: "{{ ssl_cipher_suite|default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS') }}"
# if using a self-signed certificate, set this to true to regenerate it
keystone_ssl_self_signed_regen: false
keystone_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ internal_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
# Set these variables to deploy custom certificates
#keystone_user_ssl_cert: <path to cert on ansible deployment host>
#keystone_user_ssl_key: <path to cert on ansible deployment host>
#keystone_user_ssl_ca_cert: <path to cert on ansible deployment host>
# Set to true when terminating SSL/TLS at a load balancer
keystone_external_ssl: false
# External SSL forwarding proto
keystone_secure_proxy_ssl_header: HTTP_X_FORWARDED_PROTO
## Caching
# If set this will enable dog pile cache for keystone.
# keystone_cache_backend_argument: url:127.0.0.1:11211
## LDAP Section
# Define Keystone LDAP domain configuration here.
# This may be used to add configuration for a LDAP identity back-end.
# See the http://docs.openstack.org/admin-guide-cloud/keystone_integrate_with_ldap.html
#
# Each top-level entry is a domain name. Each entry below that are key: value pairs for
# the ldap section in the domain-specific configuraiton file.
#
# (EXAMPLE LAYOUT)
# keystone_ldap:
# Users:
# url: "ldap://127.0.0.1"
# user: "root"
# password: "secrete"
# ...
keystone_ldap: {}
keystone_ldap_domain_config_dir: /etc/keystone/domains
# If you want to regenerate the keystone users SSH keys, on each run, set this var to True
# Otherwise keys will be generated on the first run and not regenerated each run.
keystone_recreate_keys: False
## Policy vars
# Provide a list of access controls to update the default policy.json with. These changes will be merged
# with the access controls in the default policy.json. E.g.
#keystone_policy_overrides:
# identity:create_region: "rule:admin_required"
# identity:update_region: "rule:admin_required"
## Federation
# Enable the following section on the Keystone IdP
keystone_idp: {}
#keystone_idp:
# certfile: "/etc/keystone/ssl/idp_signing_cert.pem"
# keyfile: "/etc/keystone/ssl/idp_signing_key.pem"
# self_signed_cert_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}"
# regen_cert: false
# idp_entity_id: "{{ keystone_service_publicurl_v3 }}/OS-FEDERATION/saml2/idp"
# idp_sso_endpoint: "{{ keystone_service_publicurl_v3 }}/OS-FEDERATION/saml2/sso"
# idp_metadata_path: /etc/keystone/saml2_idp_metadata.xml
# service_providers:
# - id: "sp_1"
# auth_url: https://example.com:5000/v3/OS-FEDERATION/identity_providers/idp/protocols/saml2/auth
# sp_url: https://example.com:5000/Shibboleth.sso/SAML2/ECP
# # the following settings are optional
# organization_name: example_company
# organization_display_name: Example Corp.
# organization_url: example.com
# contact_company: example_company
# contact_name: John
# contact_surname: Smith
# contact_email: jsmith@example.com
# contact_telephone: 555-55-5555
# contact_type: technical
# Enable the following section in order to install and configure
# Keystone as a Resource Service Provider (SP) and to configure
# trusts with specific Identity Providers (IdP).
keystone_sp: {}
#keystone_sp:
# cert_duration_years: 5
# trusted_dashboard_list:
# - "https://{{ external_lb_vip_address }}/auth/websso/"
# - "https://{{ horizon_server_name }}/auth/websso/"
# trusted_idp_list:
# note that only one of these is supported at any one time for now
# - name: "keystone-idp"
# entity_ids:
# - 'https://keystone-idp:5000/v3/OS-FEDERATION/saml2/idp'
# metadata_uri: 'https://keystone-idp:5000/v3/OS-FEDERATION/saml2/metadata'
# metadata_file: 'metadata-keystone-idp.xml'
# metadata_reload: 1800
# federated_identities:
# - domain: Default
# project: fedproject
# group: fedgroup
# role: _member_
# protocols:
# - name: saml2
# mapping:
# name: keystone-idp-mapping
# rules:
# - remote:
# - type: openstack_user
# local:
# - group:
# name: fedgroup
# domain:
# name: Default
# user:
# name: '{0}'
# attributes:
# - name: openstack_user
# id: openstack_user
# - name: openstack_roles
# id: openstack_roles
# - name: openstack_project
# id: openstack_project
# - name: openstack_user_domain
# id: openstack_user_domain
# - name: openstack_project_domain
# id: openstack_project_domain
#
# - name: 'testshib-idp'
# entity_ids:
# - 'https://idp.testshib.org/idp/shibboleth'
# metadata_uri: 'http://www.testshib.org/metadata/testshib-providers.xml'
# metadata_file: 'metadata-testshib-idp.xml'
# metadata_reload: 1800
# federated_identities:
# - domain: Default
# project: fedproject
# group: fedgroup
# role: _member_
# protocols:
# - name: saml2
# mapping:
# name: testshib-idp-mapping
# rules:
# - remote:
# - type: eppn
# local:
# - group:
# name: fedgroup
# domain:
# name: Default
# - user:
# name: '{0}'
#
# - name: 'adfs-idp'
# entity_ids:
# - 'http://adfs.contoso.com/adfs/services/trust'
# metadata_uri: 'https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml'
# metadata_file: 'metadata-adfs-idp.xml'
# metadata_reload: 1800
# federated_identities:
# - domain: Default
# project: fedproject
# group: fedgroup
# role: _member_
# protocols:
# - name: saml2
# mapping:
# name: adfs-idp-mapping
# rules:
# - remote:
# - type: upn
# local:
# - group:
# name: fedgroup
# domain:
# name: Default
# - user:
# name: '{0}'
# attributes:
# - name: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
# id: upn
keystone_service_in_ldap: false
# Keystone Federation SP Packages
keystone_sp_apt_packages:
- libapache2-mod-shib2
# Keystone notification settings
keystone_ceilometer_enabled: false
# Keystone packages that must be installed before anything else
keystone_requires_pip_packages:
- virtualenv
- virtualenv-tools
- python-keystoneclient # Keystoneclient needed to OSA keystone lib
- httplib2
# Common pip packages
keystone_pip_packages:
- argparse
- keystone
- keystonemiddleware
- ldappool
- lxml
- PyMySQL
- oslo.log
- oslo.middleware
- pbr
- pycrypto
- pysaml2
- python-keystoneclient
- python-ldap
- python-memcached
- python-openstackclient
- repoze.lru
# This variable is used by the repo_build process to determine
# which host group to check for members of before building the
# pip packages required by this role. The value is picked up
# by the py_pkgs lookup.
keystone_role_project_group: keystone_all
## Tunable overrides
keystone_keystone_conf_overrides: {}
keystone_keystone_default_conf_overrides: {}
keystone_keystone_paste_ini_overrides: {}
keystone_policy_overrides: {}
keystone_required_secrets:
- keystone_auth_admin_password
- keystone_container_mysql_password
- keystone_rabbitmq_password
- keystone_service_password
View Git Blame Copy Permalink