openstack-ansible-os_keystone/tasks/keystone_federation_sp_idp_setup.yml
Jimmy McCrory a08d7b1ce8 Use keystone-manage bootstrap command
https://review.openstack.org/#/c/255599/ implemented a keystone-manage
bootstrap command as an alternative to using an admin token when
bootstrapping the keystone service. Admin tokens have been deprecated
as of Mitaka and will be removed in Ocata.

The use of this command replaces tasks to create the admin user, its
password, role, and project and the keystone service endpoints.

The keystone_auth_admin_token variable has been removed, and its use in
any tasks against the keystone library has been replaced with login
credentials for the admin user.

The functional test has been updated to use the current head of
stable/mitaka and master for keystone and requirements respectively. The
policy and api-paste files have also been updated from the head of
keystone stable/mitaka.

This change will require updates to make use of the same SHAs in the
integrated openstack-ansible repo and in a majority of the OpenStack
service roles' tests.

Change-Id: I720fab85efe11a7512a124e44a73cf67b5f686b5
2016-03-16 21:37:55 -07:00


---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# note that these tasks will run when the id/name parameter is present.
# Providing the id/name without the other required params is a user error.
# TODO: Revisit this method when Ansible 2 releases
# Use with_subelements instead, but in v1.x it's broken
# Derive the keystone_federated_identities fact from the service-provider
# configuration (keystone_sp); the identity/mapping tasks below loop over it.
- name: Set keystone_federated_identities fact
  tags:
    - keystone-federation-sp
  keystone_sp:
    sp_data: '{{ keystone_sp }}'
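# Create the keystone domain that users from a remote IDP are mapped onto.
# Identities without a "domain" key are skipped.
- name: Ensure domain which remote IDP users are mapped onto exists
  keystone:
    command: ensure_domain
    domain_name: "{{ item.domain }}"
    # Authenticate as the admin user; the former admin-token path is gone.
    login_user: "{{ keystone_admin_user_name }}"
    login_password: "{{ keystone_auth_admin_password }}"
    login_project_name: "{{ keystone_admin_tenant_name }}"
    endpoint: "{{ keystone_service_adminurl }}"
    # By name this appears to skip TLS certificate verification of the
    # endpoint when true; keep it false outside test environments.
    insecure: "{{ keystone_service_adminuri_insecure }}"
  when: item.domain is defined
  # Template the loop variable explicitly: a bare variable name in
  # with_items is an Ansible 1.x-only form that Ansible 2 deprecates.
  with_items: "{{ keystone_federated_identities }}"
  # NOTE(review): Ansible echoes each loop item in task output, and items in
  # this list may carry a "password" key (see the ensure_user task); consider
  # no_log: true if play logs are retained.
  tags:
    - keystone-federation-sp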
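# Create the keystone project that users from a remote IDP are mapped onto,
# in the identity's domain (falling back to "Default"). Identities without a
# "project" key are skipped.
- name: Ensure project which remote IDP users are mapped onto exists
  keystone:
    command: ensure_project
    project_name: "{{ item.project }}"
    domain_name: "{{ item.domain | default('Default') }}"
    # Authenticate as the admin user; the former admin-token path is gone.
    login_user: "{{ keystone_admin_user_name }}"
    login_password: "{{ keystone_auth_admin_password }}"
    login_project_name: "{{ keystone_admin_tenant_name }}"
    endpoint: "{{ keystone_service_adminurl }}"
    # By name this appears to skip TLS certificate verification of the
    # endpoint when true; keep it false outside test environments.
    insecure: "{{ keystone_service_adminuri_insecure }}"
  when: item.project is defined
  # Template the loop variable explicitly: a bare variable name in
  # with_items is an Ansible 1.x-only form that Ansible 2 deprecates.
  with_items: "{{ keystone_federated_identities }}"
  tags:
    - keystone-federation-sp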
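# Create the local keystone user that remote IDP users are mapped onto.
# Runs only for identities that define all of user, password and project;
# the domain falls back to "Default".
- name: Ensure user which remote IDP users are mapped onto exists
  keystone:
    command: ensure_user
    user_name: "{{ item.user }}"
    password: "{{ item.password }}"
    project_name: "{{ item.project }}"
    domain_name: "{{ item.domain | default('Default') }}"
    # Authenticate as the admin user; the former admin-token path is gone.
    login_user: "{{ keystone_admin_user_name }}"
    login_password: "{{ keystone_auth_admin_password }}"
    login_project_name: "{{ keystone_admin_tenant_name }}"
    endpoint: "{{ keystone_service_adminurl }}"
    # By name this appears to skip TLS certificate verification of the
    # endpoint when true; keep it false outside test environments.
    insecure: "{{ keystone_service_adminuri_insecure }}"
  # The user's password is both a module argument and part of the loop item
  # that Ansible echoes in task output, so suppress logging for this task.
  no_log: true
  when: >
    item.user is defined and
    item.password is defined and
    item.project is defined
  # Template the loop variable explicitly: a bare variable name in
  # with_items is an Ansible 1.x-only form that Ansible 2 deprecates.
  with_items: "{{ keystone_federated_identities }}"
  tags:
    - keystone-federation-sp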
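# Create the keystone group that external IDP users are placed in, in the
# identity's domain (falling back to "Default"). Identities without a
# "group" key are skipped.
- name: Ensure Group for external IDP users exists
  keystone:
    command: ensure_group
    group_name: "{{ item.group }}"
    domain_name: "{{ item.domain | default('Default') }}"
    # Authenticate as the admin user; the former admin-token path is gone.
    login_user: "{{ keystone_admin_user_name }}"
    login_password: "{{ keystone_auth_admin_password }}"
    login_project_name: "{{ keystone_admin_tenant_name }}"
    endpoint: "{{ keystone_service_adminurl }}"
    # By name this appears to skip TLS certificate verification of the
    # endpoint when true; keep it false outside test environments.
    insecure: "{{ keystone_service_adminuri_insecure }}"
  when: item.group is defined
  # Template the loop variable explicitly: a bare variable name in
  # with_items is an Ansible 1.x-only form that Ansible 2 deprecates.
  with_items: "{{ keystone_federated_identities }}"
  tags:
    - keystone-federation-sp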
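# Create the role granted to external IDP users on their mapped project.
# The condition deliberately keys on group and project rather than role:
# the role defaults to "_member_" and must exist whenever the group/project
# mapping below is going to be created.
- name: Ensure Role for external IDP users exists
  keystone:
    # Unquoted to match the other tasks' command values.
    command: ensure_role
    role_name: "{{ item.role | default('_member_') }}"
    # Authenticate as the admin user; the former admin-token path is gone.
    login_user: "{{ keystone_admin_user_name }}"
    login_password: "{{ keystone_auth_admin_password }}"
    login_project_name: "{{ keystone_admin_tenant_name }}"
    endpoint: "{{ keystone_service_adminurl }}"
    # By name this appears to skip TLS certificate verification of the
    # endpoint when true; keep it false outside test environments.
    insecure: "{{ keystone_service_adminuri_insecure }}"
  when: >
    item.group is defined and
    item.project is defined
  # Template the loop variable explicitly: a bare variable name in
  # with_items is an Ansible 1.x-only form that Ansible 2 deprecates.
  with_items: "{{ keystone_federated_identities }}"
  tags:
    - keystone-federation-sp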
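# Grant the role (default "_member_") to the group on the project, so that
# users landing in the group gain access to the project. Runs only for
# identities that define both group and project.
- name: Ensure Group/Project/Role mapping exists
  keystone:
    command: ensure_group_role
    group_name: "{{ item.group }}"
    project_name: "{{ item.project }}"
    role_name: "{{ item.role | default('_member_') }}"
    # Authenticate as the admin user; the former admin-token path is gone.
    login_user: "{{ keystone_admin_user_name }}"
    login_password: "{{ keystone_auth_admin_password }}"
    login_project_name: "{{ keystone_admin_tenant_name }}"
    endpoint: "{{ keystone_service_adminurl }}"
    # By name this appears to skip TLS certificate verification of the
    # endpoint when true; keep it false outside test environments.
    insecure: "{{ keystone_service_adminuri_insecure }}"
  when: >
    item.group is defined and
    item.project is defined
  # Template the loop variable explicitly: a bare variable name in
  # with_items is an Ansible 1.x-only form that Ansible 2 deprecates.
  with_items: "{{ keystone_federated_identities }}"
  tags:
    - keystone-federation-sp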
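# Register the federation mapping (attribute rules) for each configured
# protocol. Only the mapping name is checked; per the header note, a mapping
# name without rules is treated as a user error rather than skipped.
- name: Ensure mapping for external IDP attributes exists
  keystone:
    command: ensure_mapping
    mapping_name: "{{ item.protocol.mapping.name }}"
    mapping_rules: "{{ item.protocol.mapping.rules }}"
    # Authenticate as the admin user; the former admin-token path is gone.
    login_user: "{{ keystone_admin_user_name }}"
    login_password: "{{ keystone_auth_admin_password }}"
    login_project_name: "{{ keystone_admin_tenant_name }}"
    endpoint: "{{ keystone_service_adminurl }}"
    # By name this appears to skip TLS certificate verification of the
    # endpoint when true; keep it false outside test environments.
    insecure: "{{ keystone_service_adminuri_insecure }}"
  when: item.protocol.mapping.name is defined
  # Template the loop variable explicitly: a bare variable name in
  # with_items is an Ansible 1.x-only form that Ansible 2 deprecates.
  with_items: "{{ keystone_federated_protocols }}"
  tags:
    - keystone-federation-sp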
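# Register each trusted external identity provider from keystone_sp, keyed
# by its name and remote entity IDs; entries without a "name" are skipped.
- name: Ensure external IDP
  keystone:
    command: ensure_identity_provider
    idp_name: "{{ item.name }}"
    idp_remote_ids: "{{ item.entity_ids }}"
    idp_enabled: true
    # Authenticate as the admin user; the former admin-token path is gone.
    login_user: "{{ keystone_admin_user_name }}"
    login_password: "{{ keystone_auth_admin_password }}"
    login_project_name: "{{ keystone_admin_tenant_name }}"
    endpoint: "{{ keystone_service_adminurl }}"
    # By name this appears to skip TLS certificate verification of the
    # endpoint when true; keep it false outside test environments.
    insecure: "{{ keystone_service_adminuri_insecure }}"
  when: item.name is defined
  # Template the loop variable explicitly: a bare variable name in
  # with_items is an Ansible 1.x-only form that Ansible 2 deprecates.
  with_items: "{{ keystone_sp.trusted_idp_list }}"
  tags:
    - keystone-federation-sp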
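# Bind each federation protocol to its identity provider and attribute
# mapping. Entries without a protocol name are skipped; a missing IDP or
# mapping name is left to fail as a user error, per the header note.
- name: Ensure federation protocol exists
  keystone:
    command: ensure_protocol
    protocol_name: "{{ item.protocol.name }}"
    idp_name: "{{ item.idp.name }}"
    mapping_name: "{{ item.protocol.mapping.name }}"
    # Authenticate as the admin user; the former admin-token path is gone.
    login_user: "{{ keystone_admin_user_name }}"
    login_password: "{{ keystone_auth_admin_password }}"
    login_project_name: "{{ keystone_admin_tenant_name }}"
    endpoint: "{{ keystone_service_adminurl }}"
    # By name this appears to skip TLS certificate verification of the
    # endpoint when true; keep it false outside test environments.
    insecure: "{{ keystone_service_adminuri_insecure }}"
  when: item.protocol.name is defined
  # Template the loop variable explicitly: a bare variable name in
  # with_items is an Ansible 1.x-only form that Ansible 2 deprecates.
  with_items: "{{ keystone_federated_protocols }}"
  tags:
    - keystone-federation-sp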