diff --git a/ansible-role-requirements.yml b/ansible-role-requirements.yml
index 036693abfb..d39b69289a 100644
--- a/ansible-role-requirements.yml
+++ b/ansible-role-requirements.yml
@@ -68,4 +68,7 @@
 src: https://git.openstack.org/openstack/openstack-ansible-rsyslog_server
 scm: git
 version: master
-
+- name: os_keystone
+ src: https://git.openstack.org/openstack/openstack-ansible-os_keystone
+ scm: git
+ version: master
diff --git a/playbooks/os-keystone-install.yml b/playbooks/os-keystone-install.yml
index ac9199284e..027ada6321 100644
--- a/playbooks/os-keystone-install.yml
+++ b/playbooks/os-keystone-install.yml
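Review bot: The new `os_keystone` entry uses `version: master`, so the role content pulled at bootstrap time is whatever the upstream branch holds at that moment rather than a reviewed revision; the neighbouring `rsyslog_server` entry follows the same convention, so this is a point about the file's pinning policy rather than a regression introduced here. Pinning to a tag or commit SHA (`version: "<tag-or-sha placeholder>"`) would make role retrieval reproducible and let an upstream change to the role be reviewed before it reaches a deployment.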
@@ -88,6 +88,57 @@
 when: is_metal | bool
 tags:
 - keystone-reserved-port
+ - name: Keystone ensure Rabbitmq vhost
+ rabbitmq_vhost:
+ name: "{{ keystone_rabbitmq_vhost }}"
+ state: "present"
+ delegate_to: "{{ groups['rabbitmq_all'][0] }}"
+ when: inventory_hostname == groups['keystone_all'][0]
+ tags:
+ - aodh-rabbitmq
+ - aodh-rabbitmq-vhost
+ - name: Keystone ensure rabbitmq user
+ rabbitmq_user:
+ user: "{{ keystone_rabbitmq_userid }}"
+ password: "{{ keystone_rabbitmq_password }}"
+ vhost: "{{ keystone_rabbitmq_vhost }}"
+ configure_priv: ".*"
+ read_priv: ".*"
+ write_priv: ".*"
+ state: "present"
+ delegate_to: "{{ groups['rabbitmq_all'][0] }}"
+ when: inventory_hostname == groups['keystone_all'][0]
+ tags:
+ - aodh-rabbitmq
+ - aodh-rabbitmq-user
+ - name: Keystone create DB for service
+ mysql_db:
+ login_user: "{{ galera_root_user }}"
+ login_password: "{{ galera_root_password }}"
+ login_host: "{{ galera_address }}"
+ name: "{{ keystone_galera_database }}"
+ state: "present"
+ when: inventory_hostname == groups['keystone_all'][0]
+ delegate_to: "{{ groups['galera_all'][0] }}"
+ tags:
+ - mysql-db-setup
+ - name: Keystone grant access to the DB for the service
+ mysql_user:
+ login_user: "{{ galera_root_user }}"
+ login_password: "{{ galera_root_password }}"
+ login_host: "{{ galera_address }}"
+ name: "{{ keystone_galera_database }}"
+ password: "{{ keystone_container_mysql_password }}"
+ host: "{{ item }}"
+ state: "present"
+ priv: "{{ keystone_galera_database }}.*:ALL"
+ with_items:
+ - "localhost"
+ - "%"
+ when: inventory_hostname == groups['keystone_all'][0]
+ delegate_to: "{{ groups['galera_all'][0] }}"
+ tags:
+ - mysql-db-setup
 roles:
 - role: "os_keystone"
 keystone_venv_tag: "{{ openstack_release }}"
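Review bot: The `Keystone grant access to the DB for the service` task creates the MySQL account as `name: "{{ keystone_galera_database }}"` while the play vars define a separate `keystone_galera_user`; the two happen to share the value `keystone`, so it works by coincidence, but a deployer overriding `keystone_galera_user` would have the role connect as an account that was never granted anything, so the line should read `name: "{{ keystone_galera_user }}"`. The tags on the two RabbitMQ tasks are `aodh-rabbitmq`, `aodh-rabbitmq-vhost` and `aodh-rabbitmq-user`, which look copied from another play; a run limited with `--tags keystone-rabbitmq` would skip them, so they should be `keystone-rabbitmq`, `keystone-rabbitmq-vhost` and `keystone-rabbitmq-user`. The `rabbitmq_user`, `mysql_db` and `mysql_user` tasks pass `keystone_rabbitmq_password`, `galera_root_password` and `keystone_container_mysql_password` as module arguments; unless those modules mask the fields themselves, adding `no_log: true` to each of these tasks keeps the values out of verbose run output. The play these tasks belong to starts before and ends after this hunk.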
@@ -108,6 +159,13 @@
 - "system-crontab-coordination"
 vars:
 galera_address: "{{ internal_lb_vip_address }}"
- keystone_admin_port: 35357
 is_metal: "{{ properties.is_metal|default(false) }}"
-
+ galera_root_user: "root"
+ keystone_admin_port: 35357
+ keystone_galera_user: keystone
+ keystone_galera_database: keystone
+ keystone_rabbitmq_userid: keystone
+ keystone_rabbitmq_vhost: /keystone
+ keystone_rabbitmq_servers: "{{ rabbitmq_servers }}"
+ keystone_rabbitmq_port: "{{ rabbitmq_port }}"
+ keystone_rabbitmq_use_ssl: "{{ rabbitmq_use_ssl }}"
diff --git a/playbooks/roles/os_keystone/CONTRIBUTING.rst b/playbooks/roles/os_keystone/CONTRIBUTING.rst
deleted file mode 100644
index f2f9a03a9f..0000000000
--- a/playbooks/roles/os_keystone/CONTRIBUTING.rst
+++ /dev/null
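Review bot: The new play `vars` hard-code `galera_root_user: "root"`, `keystone_galera_user`, `keystone_galera_database`, `keystone_rabbitmq_userid` and `keystone_rabbitmq_vhost`, which are the same values the in-tree role defaults carried before this commit removed them (see the deleted `defaults/main.yml` further down this diff); if the external role keeps those defaults, the play-level copies are redundant, and because play vars outrank inventory group_vars in Ansible's precedence they also stop a deployer from changing these names per group. Keeping only the values that genuinely differ from the role defaults, or moving them into the relevant group_vars, would avoid that. The `vars` mapping belongs to a play whose start lies outside this hunk.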
@@ -1,85 +0,0 @@ -OpenStack keystone -################## -:tags: openstack, keystone, cloud, ansible -:category: \*nix - -contributor guidelines -^^^^^^^^^^^^^^^^^^^^^^ - -Filing Bugs ------------ - -Bugs should be filed on Launchpad, not GitHub: "https://bugs.launchpad.net/openstack-ansible" - - -When submitting a bug, or working on a bug, please ensure the following criteria are met: - * The description clearly states or describes the original problem or root cause of the problem. - * Include historical information on how the problem was identified. - * Any relevant logs are included. - * The provided information should be totally self-contained. External access to web services/sites should not be needed. - * Steps to reproduce the problem if possible. - - -Submitting Code ---------------- - -Changes to the project should be submitted for review via the Gerrit tool, following -the workflow documented at: "http://docs.openstack.org/infra/manual/developers.html#development-workflow" - -Pull requests submitted through GitHub will be ignored and closed without regard. - - -Extra ------ - -Tags: - If it's a bug that needs fixing in a branch in addition to Master, add a '\-backport-potential' tag (eg ``juno-backport-potential``). There are predefined tags that will autocomplete. - -Status: - Please leave this alone, it should be New till someone triages the issue. - -Importance: - Should only be touched if it is a Blocker/Gating issue. If it is, please set to High, and only use Critical if you have found a bug that can take down whole infrastructures. - - -Style guide ------------ - -When creating tasks and other roles for use in Ansible please create then using the YAML dictionary format. - -Example YAML dictionary format: - .. code-block:: yaml - - - name: The name of the tasks - module_name: - thing1: "some-stuff" - thing2: "some-other-stuff" - tags: - - some-tag - - some-other-tag - - -Example **NOT** in YAML dictionary format: - .. 
code-block:: yaml - - - name: The name of the tasks - module_name: thing1="some-stuff" thing2="some-other-stuff" - tags: - - some-tag - - some-other-tag - - -Usage of the ">" and "|" operators should be limited to Ansible conditionals and command modules such as the ansible ``shell`` module. - - -Issues ------- - -When submitting an issue, or working on an issue please ensure the following criteria are met: - * The description clearly states or describes the original problem or root cause of the problem. - * Include historical information on how the problem was identified. - * Any relevant logs are included. - * If the issue is a bug that needs fixing in a branch other than Master, add the ‘backport potential’ tag TO THE ISSUE (not the PR). - * The provided information should be totally self-contained. External access to web services/sites should not be needed. - * If the issue is needed for a hotfix release, add the 'expedite' label. - * Steps to reproduce the problem if possible. diff --git a/playbooks/roles/os_keystone/LICENSE b/playbooks/roles/os_keystone/LICENSE deleted file mode 100644 index e06d208186..0000000000 --- a/playbooks/roles/os_keystone/LICENSE +++ /dev/null 
@@ -1,202 +0,0 @@ -Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. 
For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of 
the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. 
Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. 
- - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "{}" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright {yyyy} {name of copyright owner} - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - diff --git a/playbooks/roles/os_keystone/README.rst b/playbooks/roles/os_keystone/README.rst deleted file mode 100644 index 41dcafa8ce..0000000000 --- a/playbooks/roles/os_keystone/README.rst +++ /dev/null @@ -1,22 +0,0 @@ -OpenStack keystone -################## -:tags: openstack, keystone, cloud, ansible -:category: \*nix - -Role to install keystone. This will install keystone using apache. - -This role will install the following: - * keystone - * apache2 - -.. code-block:: yaml - - - name: Installation and setup of Keystone - hosts: keystone_all - user: root - roles: - - { role: "os_keystone", tags: [ "os-keystone" ] } - vars: - external_lb_vip_address: 172.16.24.1 - internal_lb_vip_address: 192.168.0.1 - keystone_galera_address: "{{ internal_lb_vip_address }}" 
diff --git a/playbooks/roles/os_keystone/defaults/main.yml b/playbooks/roles/os_keystone/defaults/main.yml deleted file mode 100644 index b5d7f792a3..0000000000 --- a/playbooks/roles/os_keystone/defaults/main.yml +++ /dev/null 
@@ -1,389 +0,0 @@ ---- -# Copyright 2014, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -## Verbosity Options -debug: False -verbose: True - -## APT Cache options -cache_timeout: 600 - -# Name of the virtual env to deploy into -keystone_venv_tag: untagged -keystone_venv_bin: "/openstack/venvs/keystone-{{ keystone_venv_tag }}/bin" - -# Set this to enable or disable installing in a venv -keystone_venv_enabled: true - -# The bin path defaults to the venv path however if installation in a -# venv is disabled the bin path will be dynamically set based on the -# system path used when the installing. -keystone_bin: "{{ keystone_venv_bin }}" - -keystone_venv_download_url: http://127.0.0.1/venvs/untagged/ubuntu/keystone.tgz - -keystone_fatal_deprecations: False - -## System info -keystone_system_user_name: keystone -keystone_system_group_name: keystone -keystone_system_additional_groups: - - ssl_cert -keystone_system_service_name: apache2 -keystone_system_shell: /bin/bash -keystone_system_comment: keystone system user -keystone_system_user_home: "/var/lib/{{ keystone_system_user_name }}" - -keystone_rpc_backend: rabbit - -## Drivers -keystone_auth_methods: "password,token" -keystone_identity_driver: sql -# For a sql backed token storage use: "sql" -keystone_token_driver: memcache -keystone_token_provider: fernet -keystone_token_expiration: 43200 -keystone_token_cache_time: 3600 - -# Set the revocation driver used within keystone. 
-keystone_revocation_driver: sql -keystone_revocation_cache_time: 3600 -keystone_revocation_expiration_buffer: 1800 - -## Fernet config vars -keystone_fernet_tokens_key_repository: "/etc/keystone/fernet-keys" -keystone_fernet_tokens_max_active_keys: 7 -# Any of the following rotation times are valid: -# reboot, yearly, annually, monthly, weekly, daily, hourly -keystone_fernet_rotation: daily -keystone_fernet_auto_rotation_script: /opt/keystone-fernet-rotate.sh - -keystone_assignment_driver: sql - -keystone_resource_cache_time: 3600 -keystone_resource_driver: sql - -keystone_bind_address: 0.0.0.0 - -## Memcached servers used within keystone. -# String or Comma separated list of servers. -keystone_memcached_servers: 127.0.0.1 -keystone_memcached_max_compare_and_set_retry: 16 - -## DB info -keystone_galera_user: keystone -keystone_galera_database: keystone -# Database tuning -keystone_database_idle_timeout: 200 -keystone_database_min_pool_size: 5 -keystone_database_max_pool_size: 120 -keystone_database_pool_timeout: 30 - -## RabbitMQ info -keystone_rabbitmq_userid: keystone -keystone_rabbitmq_vhost: /keystone - -## Role info -keystone_role_name: admin -keystone_default_role_name: _member_ - -## Admin info -keystone_admin_port: 35357 -keystone_admin_user_name: admin -keystone_admin_tenant_name: admin -keystone_admin_description: Admin Tenant - -## Secure Proxy SSL Information -#keystone_secure_proxy_ssl_header: X-Forwarded-For - -## Service Type and Data -keystone_service_region: RegionOne -keystone_service_name: keystone -keystone_service_port: 5000 -keystone_service_proto: http -keystone_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(keystone_service_proto) }}" -keystone_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(keystone_service_proto) }}" -keystone_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(keystone_service_proto) }}" -keystone_service_type: identity 
-keystone_service_description: "Keystone Identity Service" -keystone_service_user_name: keystone -keystone_service_tenant_name: service - -keystone_service_publicuri: "{{ keystone_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ keystone_service_port }}" -keystone_service_internaluri: "{{ keystone_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}" -keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_admin_port }}" - -keystone_service_publicurl_v2: "{{ keystone_service_publicuri }}/v2.0" -keystone_service_internalurl_v2: "{{ keystone_service_internaluri }}/v2.0" -keystone_service_adminurl_v2: "{{ keystone_service_adminuri }}/v2.0" - -keystone_service_publicurl_v3: "{{ keystone_service_publicuri }}/v3" -keystone_service_internalurl_v3: "{{ keystone_service_internaluri }}/v3" -keystone_service_adminurl_v3: "{{ keystone_service_adminuri }}/v3" - -keystone_service_publicurl: "{{ keystone_service_publicurl_v3 }}" -keystone_service_internalurl: "{{ keystone_service_internalurl_v3 }}" -keystone_service_adminurl: "{{ keystone_service_adminurl_v3 }}" - -## Set this value to override the "public_endpoint" keystone.conf variable -#keystone_public_endpoint: "{{ keystone_service_publicuri }}" - -## Apache setup -keystone_apache_log_level: info -keystone_apache_servertokens: "Prod" -keystone_apache_serversignature: "Off" -keystone_wsgi_threads: 1 -keystone_wsgi_processes: "{{ ansible_processor_vcpus | default (1) * 2 }}" - -# set keystone_ssl to true to enable SSL configuration on the keystone containers -keystone_ssl: false -keystone_ssl_cert: /etc/ssl/certs/keystone.pem -keystone_ssl_key: /etc/ssl/private/keystone.key -keystone_ssl_ca_cert: /etc/ssl/certs/keystone-ca.pem -keystone_ssl_protocol: "{{ ssl_protocol }}" -keystone_ssl_cipher_suite: "{{ ssl_cipher_suite }}" - -# if using a self-signed certificate, set this to true to regenerate it 
-keystone_ssl_self_signed_regen: false -keystone_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ internal_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}" - -# Set these in user_variables to deploy custom certificates -#keystone_user_ssl_cert: -#keystone_user_ssl_key: -#keystone_user_ssl_ca_cert: - -## Caching -# If set this will enable dog pile cache for keystone. -# keystone_cache_backend_argument: url:127.0.0.1:11211 - -## LDAP Section -# Define Keystone LDAP domain configuration here. -# This may be used to add configuration for a LDAP identity back-end. -# See the http://docs.openstack.org/admin-guide-cloud/keystone_integrate_with_ldap.html -# -# Each top-level entry is a domain name. Each entry below that are key: value pairs for -# the ldap section in the domain-specific configuraiton file. -# -# (EXAMPLE LAYOUT) -# keystone_ldap: -# Users: -# url: "ldap://127.0.0.1" -# user: "root" -# password: "secrete" -# ... - -keystone_ldap: {} -keystone_ldap_domain_config_dir: /etc/keystone/domains - - -# If you want to regenerate the keystone users SSH keys, on each run, set this var to True -# Otherwise keys will be generated on the first run and not regenerated each run. -keystone_recreate_keys: False - -## Policy vars -# Provide a list of access controls to update the default policy.json with. These changes will be merged -# with the access controls in the default policy.json. E.g. 
-#keystone_policy_overrides: -# identity:create_region: "rule:admin_required" -# identity:update_region: "rule:admin_required" - -## Federation - -# Enable the following section on the Keystone IdP -#keystone_idp: -# certfile: "/etc/keystone/ssl/idp_signing_cert.pem" -# keyfile: "/etc/keystone/ssl/idp_signing_key.pem" -# self_signed_cert_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}" -# regen_cert: false -# idp_entity_id: "{{ keystone_service_publicurl_v3 }}/OS-FEDERATION/saml2/idp" -# idp_sso_endpoint: "{{ keystone_service_publicurl_v3 }}/OS-FEDERATION/saml2/sso" -# idp_metadata_path: /etc/keystone/saml2_idp_metadata.xml -# service_providers: -# - id: "sp_1" -# auth_url: https://example.com:5000/v3/OS-FEDERATION/identity_providers/idp/protocols/saml2/auth -# sp_url: https://example.com:5000/Shibboleth.sso/SAML2/ECP -# # the following settings are optional -# organization_name: example_company -# organization_display_name: Example Corp. -# organization_url: example.com -# contact_company: example_company -# contact_name: John -# contact_surname: Smith -# contact_email: jsmith@example.com -# contact_telephone: 555-55-5555 -# contact_type: technical - -# Enable the following section in order to install and configure -# Keystone as a Resource Service Provider (SP) and to configure -# trusts with specific Identity Providers (IdP). 
-#keystone_sp: -# cert_duration_years: 5 -# trusted_dashboard_list: -# - "https://{{ external_lb_vip_address }}/auth/websso/" -# - "https://{{ horizon_server_name }}/auth/websso/" -# trusted_idp_list: -# note that only one of these is supported at any one time for now -# - name: "keystone-idp" -# entity_ids: -# - 'https://keystone-idp:5000/v3/OS-FEDERATION/saml2/idp' -# metadata_uri: 'https://keystone-idp:5000/v3/OS-FEDERATION/saml2/metadata' -# metadata_file: 'metadata-keystone-idp.xml' -# metadata_reload: 1800 -# federated_identities: -# - domain: Default -# project: fedproject -# group: fedgroup -# role: _member_ -# protocols: -# - name: saml2 -# mapping: -# name: keystone-idp-mapping -# rules: -# - remote: -# - type: openstack_user -# local: -# - group: -# name: fedgroup -# domain: -# name: Default -# user: -# name: '{0}' -# attributes: -# - name: openstack_user -# id: openstack_user -# - name: openstack_roles -# id: openstack_roles -# - name: openstack_project -# id: openstack_project -# - name: openstack_user_domain -# id: openstack_user_domain -# - name: openstack_project_domain -# id: openstack_project_domain -# -# - name: 'testshib-idp' -# entity_ids: -# - 'https://idp.testshib.org/idp/shibboleth' -# metadata_uri: 'http://www.testshib.org/metadata/testshib-providers.xml' -# metadata_file: 'metadata-testshib-idp.xml' -# metadata_reload: 1800 -# federated_identities: -# - domain: Default -# project: fedproject -# group: fedgroup -# role: _member_ -# protocols: -# - name: saml2 -# mapping: -# name: testshib-idp-mapping -# rules: -# - remote: -# - type: eppn -# local: -# - group: -# name: fedgroup -# domain: -# name: Default -# - user: -# name: '{0}' -# -# - name: 'adfs-idp' -# entity_ids: -# - 'http://adfs.contoso.com/adfs/services/trust' -# metadata_uri: 'https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml' -# metadata_file: 'metadata-adfs-idp.xml' -# metadata_reload: 1800 -# federated_identities: -# - domain: Default -# project: 
fedproject -# group: fedgroup -# role: _member_ -# protocols: -# - name: saml2 -# mapping: -# name: adfs-idp-mapping -# rules: -# - remote: -# - type: upn -# local: -# - group: -# name: fedgroup -# domain: -# name: Default -# - user: -# name: '{0}' -# attributes: -# - name: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn' -# id: upn - -keystone_service_in_ldap: false - -# Keystone Federation SP Packages -keystone_sp_apt_packages: - - libapache2-mod-shib2 - -# Keystone notification settings -keystone_ceilometer_enabled: false - -# Common apt packages -keystone_apt_packages: - - apache2 - - apache2-utils - - debhelper - - dh-apparmor - - docutils-common - - git - - libapache2-mod-wsgi - - libjs-sphinxdoc - - libjs-underscore - - libldap2-dev - - libsasl2-dev - - libxslt1.1 - - rsync - -keystone_idp_apt_packages: - - ssl-cert - - xmlsec1 - -# Keystone packages that must be installed before anything else -keystone_requires_pip_packages: - - virtualenv - - virtualenv-tools - - python-keystoneclient # Keystoneclient needed to OSA keystone lib - - httplib2 - -# Common pip packages -keystone_pip_packages: - - argparse - - keystone - - keystonemiddleware - - ldappool - - lxml - - PyMySQL - - oslo.log - - oslo.middleware - - pbr - - pycrypto - - pysaml2 - - python-keystoneclient - - python-ldap - - python-memcached - - python-openstackclient - - repoze.lru - -## Tunable overrides -keystone_keystone_conf_overrides: {} -keystone_keystone_default_conf_overrides: {} -keystone_keystone_paste_ini_overrides: {} -keystone_policy_overrides: {} diff --git a/playbooks/roles/os_keystone/files/sso_callback_template.html b/playbooks/roles/os_keystone/files/sso_callback_template.html deleted file mode 100644 index 3364d69e55..0000000000 --- a/playbooks/roles/os_keystone/files/sso_callback_template.html +++ /dev/null @@ -1,22 +0,0 @@ - - - - Keystone WebSSO redirect - - -
- Please wait... -
- - -
- - - diff --git a/playbooks/roles/os_keystone/handlers/main.yml b/playbooks/roles/os_keystone/handlers/main.yml deleted file mode 100644 index 259c53eaa1..0000000000 --- a/playbooks/roles/os_keystone/handlers/main.yml +++ /dev/null @@ -1,34 +0,0 @@ ---- -# Copyright 2014, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: Restart Apache - service: - name: "apache2" - state: "restarted" - pattern: "apache2" - register: apache_restart - until: apache_restart|success - retries: 5 - delay: 2 - -- name: Restart Shibd - service: - name: "shibd" - state: "restarted" - pattern: "shibd" - register: shibd_restart - until: shibd_restart|success - retries: 5 - delay: 2 diff --git a/playbooks/roles/os_keystone/library/keystone_sp b/playbooks/roles/os_keystone/library/keystone_sp deleted file mode 100644 index 9b7081e1bc..0000000000 --- a/playbooks/roles/os_keystone/library/keystone_sp +++ /dev/null 
@@ -1,120 +0,0 @@
-#!/usr/bin/python
-# (c) 2015, Kevin Carter
-#
-# Copyright 2015, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-
-# import module snippets
-from ansible.module_utils.basic import *
-
-
-DOCUMENTATION = """
----
-module: keystone_sp
-version_added: "1.9.2"
-short_description:
- - Creates a fact for keystone_federated_identities and keystone_protocols
-description:
- - Sets facts called `keystone_federated_identities` and
- `keystone_federated_protocols`, which are lists of hashes built from
- keystone_sp using the information in the `federated_identities` and
- `protocols` keys.
-options:
- sp_data:
- description:
- - Hash to build the service provider lists from
- required: true
-author: Kevin Carter
-"""
-
-EXAMPLES = """
-# Set the keystone_federated_identities and keystone_federated_protocols facts
-- keystone_sp:
- sp_data: "{{ keystone_sp }}"
- when: keystone_sp is defined
-"""
-
-# Keystone service provider data structure example.
-"""
-keystone_sp:
- trusted_idp_list:
- - name: "keystone-idp"
- federated_identities:
- - domain: Default
- project: fedproject
- group: fedgroup
- role: _member_
- protocols:
- - name: saml2
- mapping:
- ...
- - name: 'testshib-idp'
- federated_identities:
- - domain: Default
- project: fedproject2
- group: fedgroup2
- role: _member_
- protocols:
- - name: saml2
- mapping:
- ...
-"""
-
-
-class KeystoneSp(object):
- def __init__(self, module):
- """Generate an integer from a name."""
- self.module = module
- self.identities_return_list = list()
- self.protocols_return_list = list()
- self.sp_data = self.module.params['sp_data']
-
- def populate_sp_data(self):
- trusted_idp_list = self.sp_data['trusted_idp_list']
- for trusted_idp in trusted_idp_list:
- federated_identities = trusted_idp.get('federated_identities')
- if federated_identities:
- self.identities_return_list.extend(federated_identities)
- protocols = trusted_idp.get('protocols')
- if protocols:
- for protocol in protocols:
- self.protocols_return_list.append(
- {'idp': trusted_idp, 'protocol': protocol})
-
-
-def main():
- module = AnsibleModule(
- argument_spec=dict(
- sp_data=dict(
- required=True
- )
- ),
- supports_check_mode=False
- )
- try:
- ksp = KeystoneSp(module=module)
- ksp.populate_sp_data()
- module.exit_json(
- changed=True,
- ansible_facts={
- 'keystone_federated_identities': ksp.identities_return_list,
- 'keystone_federated_protocols': ksp.protocols_return_list}
- )
- except Exception as exp:
- resp = {'stderr': exp}
- module.fail_json(msg='Failed Process', **resp)
-
-if __name__ == '__main__':
- main()
diff --git a/playbooks/roles/os_keystone/meta/main.yml b/playbooks/roles/os_keystone/meta/main.yml
deleted file mode 100644
index 7c2c07bf92..0000000000
--- a/playbooks/roles/os_keystone/meta/main.yml
+++ /dev/null
@@ -1,40 +0,0 @@
----
-# Copyright 2014, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-galaxy_info:
- author: rcbops
- description: Installation and setup of keystone
- company: Rackspace
- license: Apache2
- min_ansible_version: 1.6.6
- platforms:
- - name: Ubuntu
- versions:
- - trusty
- categories:
- - cloud
- - python
- - keystone
- - development
- - openstack
-dependencies:
- - apt_package_pinning
- - galera_client
- - openstack_openrc
- - pip_lock_down
- - role: memcached_server
- when: >
- 'memcache' in keystone_token_driver and
- 'fernet' not in keystone_token_provider
diff --git a/playbooks/roles/os_keystone/tasks/keystone_apache.yml b/playbooks/roles/os_keystone/tasks/keystone_apache.yml
deleted file mode 100644
index 5576d127ab..0000000000
--- a/playbooks/roles/os_keystone/tasks/keystone_apache.yml
+++ /dev/null
@@ -1,98 +0,0 @@
----
-# Copyright 2014, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-- name: Drop apache2 ports file
- template:
- src: "{{ item.src }}"
- dest: "{{ item.dest }}"
- owner: "root"
- group: "root"
- with_items:
- - { src: "keystone-ports.conf.j2", dest: "/etc/apache2/ports.conf" }
- - { src: "keystone-httpd.conf.j2", dest: "/etc/apache2/sites-available/keystone-httpd.conf" }
- notify:
- - Restart Apache
- tags:
- - keystone-httpd
-
-- name: Disable default apache site
- file:
- path: "/etc/apache2/sites-enabled/000-default.conf"
- state: "absent"
- notify:
- - Restart Apache
- tags:
- - keystone-httpd
-
-- name: Enabled keystone vhost
- file:
- src: "{{ item.src }}"
- dest: "{{ item.dest }}"
- state: "{{ item.state }}"
- with_items:
- - { src: "/etc/apache2/sites-available/keystone-httpd.conf", dest: "/etc/apache2/sites-enabled/keystone-httpd.conf", state: "link" }
- notify:
- - Restart Apache
- tags:
- - keystone-httpd
-
-- name: Ensure Apache ServerName
- lineinfile:
- dest: "/etc/apache2/apache2.conf"
- line: "ServerName {{ inventory_hostname }}"
- notify:
- - Restart Apache
- tags:
- - keystone-httpd
-
-- name: Ensure Apache ServerTokens
- lineinfile:
- dest: "/etc/apache2/conf-available/security.conf"
- regexp: '^ServerTokens'
- line: "ServerTokens {{ keystone_apache_servertokens }}"
- notify:
- - Restart Apache
- tags:
- - keystone-httpd
-
-- name: Ensure Apache ServerSignature
- lineinfile:
- dest: "/etc/apache2/conf-available/security.conf"
- regexp: '^ServerSignature'
- line: "ServerSignature {{ keystone_apache_serversignature }}"
- notify:
- - Restart Apache
- tags:
- - keystone-httpd
-
-- name: Enable/disable mod_ssl for apache2
- apache2_module:
- name: ssl
- state: "{{ (keystone_ssl | bool) | ternary('present', 'absent') }}"
- notify:
- - Restart Apache
- tags:
- - keystone-httpd
- - keystone-ssl
-
-- name: Enable/disable mod_shib2 for apache2
- apache2_module:
- name: shib2
- state: "{{ ( keystone_sp is defined ) | ternary('present', 'absent') }}"
- ignore_errors: yes
- notify:
- - Restart Apache
- tags:
- - keystone-httpd
diff --git a/playbooks/roles/os_keystone/tasks/keystone_db_setup.yml b/playbooks/roles/os_keystone/tasks/keystone_db_setup.yml
deleted file mode 100644
index d90642229f..0000000000
--- a/playbooks/roles/os_keystone/tasks/keystone_db_setup.yml
+++ /dev/null
@@ -1,50 +0,0 @@
----
-# Copyright 2014, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-- name: Create DB for service
- mysql_db:
- login_user: "{{ galera_root_user }}"
- login_password: "{{ galera_root_password }}"
- login_host: "{{ keystone_galera_address }}"
- name: "{{ keystone_galera_database }}"
- state: "present"
- tags:
- - keystone-db-setup
-
-- name: Grant access to the DB for the service
- mysql_user:
- login_user: "{{ galera_root_user }}"
- login_password: "{{ galera_root_password }}"
- login_host: "{{ keystone_galera_address }}"
- name: "{{ keystone_galera_user }}"
- password: "{{ keystone_container_mysql_password }}"
- host: "{{ item }}"
- state: "present"
- priv: "{{ keystone_galera_database }}.*:ALL"
- with_items:
- - "localhost"
- - "%"
- tags:
- - keystone-db-setup
-
-- name: Perform a Keystone DB sync
- command: "{{ keystone_bin }}/keystone-manage db_sync"
- become: yes
- become_user: "{{ keystone_system_user_name }}"
- tags:
- - keystone-db-setup
- - keystone-db-sync
- - keystone-setup
- - keystone-command-bin
diff --git a/playbooks/roles/os_keystone/tasks/keystone_federation_sp_idp_setup.yml b/playbooks/roles/os_keystone/tasks/keystone_federation_sp_idp_setup.yml
deleted file mode 100644
index 9d0bb7eedb..0000000000
--- a/playbooks/roles/os_keystone/tasks/keystone_federation_sp_idp_setup.yml
+++ /dev/null
@@ -1,152 +0,0 @@
----
-# Copyright 2014, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# note that these tasks will run when the id/name parameter is present.
-# Providing the id/name without the other required params is a user error.
-
-# TODO: Revisit this method when Ansible 2 releases
-# User with_subelements instead, but in v1.x it's broken
-- name: Set keystone_federated_identities fact
- keystone_sp:
- sp_data: "{{ keystone_sp }}"
- tags:
- - keystone-federation-sp
-
-- name: Ensure domain which remote IDP users are mapped onto exists
- keystone:
- command: ensure_domain
- domain_name: "{{ item.domain }}"
- token: "{{ keystone_auth_admin_token }}"
- endpoint: "{{ keystone_service_adminurl }}"
- insecure: "{{ keystone_service_adminuri_insecure }}"
- when: item.domain is defined
- with_items: keystone_federated_identities
- tags:
- - keystone-federation-sp
-
-- name: Ensure project which remote IDP users are mapped onto exists
- keystone:
- command: ensure_project
- project_name: "{{ item.project }}"
- domain_name: "{{ item.domain | default('Default') }}"
- token: "{{ keystone_auth_admin_token }}"
- endpoint: "{{ keystone_service_adminurl }}"
- insecure: "{{ keystone_service_adminuri_insecure }}"
- when: item.project is defined
- with_items: keystone_federated_identities
- tags:
- - keystone-federation-sp
-
-- name: Ensure user which remote IDP users are mapped onto exists
- keystone:
- command: ensure_user
- user_name: "{{ item.user }}"
- password: "{{ item.password }}"
- project_name: "{{ item.project }}"
- domain_name: "{{ item.domain | default('Default') }}"
- token: "{{ keystone_auth_admin_token }}"
- endpoint: "{{ keystone_service_adminurl }}"
- insecure: "{{ keystone_service_adminuri_insecure }}"
- when: >
- item.user is defined and
- item.password is defined and
- item.project is defined
- with_items: keystone_federated_identities
- tags:
- - keystone-federation-sp
-
-- name: Ensure Group for external IDP users exists
- keystone:
- command: ensure_group
- group_name: "{{ item.group }}"
- domain_name: "{{ item.domain | default('Default') }}"
- token: "{{ keystone_auth_admin_token }}"
- endpoint: "{{ keystone_service_adminurl }}"
- insecure: "{{ keystone_service_adminuri_insecure }}"
- when: item.group is defined
- with_items: keystone_federated_identities
- tags:
- - keystone-federation-sp
-
-- name: Ensure Role for external IDP users exists
- keystone:
- command: "ensure_role"
- role_name: "{{ item.role | default('_member_') }}"
- token: "{{ keystone_auth_admin_token }}"
- endpoint: "{{ keystone_service_adminurl }}"
- insecure: "{{ keystone_service_adminuri_insecure }}"
- when: >
- item.group is defined and
- item.project is defined
- with_items: keystone_federated_identities
- tags:
- - keystone-federation-sp
-
-- name: Ensure Group/Project/Role mapping exists
- keystone:
- command: ensure_group_role
- group_name: "{{ item.group }}"
- project_name: "{{ item.project }}"
- role_name: "{{ item.role | default('_member_') }}"
- token: "{{ keystone_auth_admin_token }}"
- endpoint: "{{ keystone_service_adminurl }}"
- insecure: "{{ keystone_service_adminuri_insecure }}"
- when: >
- item.group is defined and
- item.project is defined
- with_items: keystone_federated_identities
- tags:
- - keystone-federation-sp
-
-- name: Ensure mapping for external IDP attributes exists
- keystone:
- command: ensure_mapping
- mapping_name: "{{ item.protocol.mapping.name }}"
- mapping_rules: "{{ item.protocol.mapping.rules }}"
- token: "{{ keystone_auth_admin_token }}"
- endpoint: "{{ keystone_service_adminurl }}"
- insecure: "{{ keystone_service_adminuri_insecure }}"
- when: item.protocol.mapping.name is defined
- with_items: keystone_federated_protocols
- tags:
- - keystone-federation-sp
-
-- name: Ensure external IDP
- keystone:
- command: ensure_identity_provider
- idp_name: "{{ item.name }}"
- idp_remote_ids: "{{ item.entity_ids }}"
- idp_enabled: true
- token: "{{ keystone_auth_admin_token }}"
- endpoint: "{{ keystone_service_adminurl }}"
- insecure: "{{ keystone_service_adminuri_insecure }}"
- when: item.name is defined
- with_items: keystone_sp.trusted_idp_list
- tags:
- - keystone-federation-sp
-
-- name: Ensure federation protocol exists
- keystone:
- command: ensure_protocol
- protocol_name: "{{ item.protocol.name }}"
- idp_name: "{{ item.idp.name }}"
- mapping_name: "{{ item.protocol.mapping.name }}"
- token: "{{ keystone_auth_admin_token }}"
- endpoint: "{{ keystone_service_adminurl }}"
- insecure: "{{ keystone_service_adminuri_insecure }}"
- when: item.protocol.name is defined
- with_items: keystone_federated_protocols
- tags:
- - keystone-federation-sp
diff --git a/playbooks/roles/os_keystone/tasks/keystone_federation_sp_setup.yml b/playbooks/roles/os_keystone/tasks/keystone_federation_sp_setup.yml
deleted file mode 100644
index ba21f0d6d6..0000000000
--- a/playbooks/roles/os_keystone/tasks/keystone_federation_sp_setup.yml
+++ /dev/null
@@ -1,101 +0,0 @@
----
-# Copyright 2015, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-- name: Drop Shibboleth Config
- template:
- src: "{{ item.src }}"
- dest: "{{ item.dest }}"
- owner: "{{ keystone_system_user_name }}"
- group: "{{ keystone_system_group_name }}"
- mode: "{{ item.mode|default('0644') }}"
- with_items:
- - { src: "shibboleth-attribute-map.xml.j2", dest: "/etc/shibboleth/attribute-map.xml" }
- - { src: "shibboleth2.xml.j2", dest: "/etc/shibboleth/shibboleth2.xml" }
- notify:
- - Restart Shibd
- tags:
- - keystone-config
- - keystone-federation-sp
-
-- name: Generate the Shibboleth SP key-pair
- shell: "shib-keygen -h {{ external_lb_vip_address }} -y {{ keystone_sp.cert_duration_years }}"
- args:
- creates: "/etc/shibboleth/sp-cert.pem"
- when: inventory_hostname == groups['keystone_all'][0]
- notify:
- - Restart Apache
- - Restart Shibd
- tags:
- - keystone-config
- - keystone-federation-sp
-
-- name: Store Shibboleth SP key-pair
- memcached:
- name: "{{ item.name }}"
- file_path: "{{ item.src }}"
- state: "present"
- server: "{{ memcached_servers }}"
- encrypt_string: "{{ memcached_encryption_key }}"
- with_items:
- - { src: "/etc/shibboleth/sp-cert.pem", name: "keystone_sp_cert" }
- - { src: "/etc/shibboleth/sp-key.pem", name: "keystone_sp_key" }
- register: memcache_keys
- until: memcache_keys|success
- retries: 5
- delay: 2
- when: inventory_hostname == groups['keystone_all'][0]
- tags:
- - keystone-config
- - keystone-federation-sp
-
-- name: Distribute the Shibboleth SP key-pair
- memcached:
- name: "{{ item.name }}"
- file_path: "{{ item.src }}"
- state: "retrieve"
- file_mode: "{{ item.file_mode }}"
- dir_mode: "{{ item.dir_mode }}"
- server: "{{ memcached_servers }}"
- encrypt_string: "{{ memcached_encryption_key }}"
- with_items:
- - { src: "/etc/shibboleth/sp-cert.pem", name: "keystone_sp_cert", file_mode: "0640", dir_mode: "0750" }
- - { src: "/etc/shibboleth/sp-key.pem", name: "keystone_sp_key", file_mode: "0600", dir_mode: "0750" }
- register: memcache_keys
- until: memcache_keys|success
- retries: 5
- delay: 2
- when: inventory_hostname != groups['keystone_all'][0]
- notify:
- - Restart Apache
- - Restart Shibd
- tags:
- - keystone-config
- - keystone-federation-sp
-
-- name: Set appropriate file ownership on the Shibboleth SP key-pair
- file:
- path: "{{ item }}"
- owner: "_shibd"
- group: "_shibd"
- with_items:
- - "/etc/shibboleth/sp-cert.pem"
- - "/etc/shibboleth/sp-key.pem"
- when: inventory_hostname != groups['keystone_all'][0]
- notify:
- - Restart Apache
- - Restart Shibd
- tags:
- - keystone-config
- - keystone-federation-sp
diff --git a/playbooks/roles/os_keystone/tasks/keystone_fernet.yml b/playbooks/roles/os_keystone/tasks/keystone_fernet.yml
deleted file mode 100644
index 83ab41e46d..0000000000
--- a/playbooks/roles/os_keystone/tasks/keystone_fernet.yml
+++ /dev/null
@@ -1,24 +0,0 @@
----
-# Copyright 2015, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-- include: keystone_fernet_keys_create.yml
- when: >
- inventory_hostname == groups['keystone_all'][0]
-
-- include: keystone_fernet_keys_distribute.yml
- when: >
- inventory_hostname == groups['keystone_all'][0]
-
-- include: keystone_fernet_keys_autorotate.yml
diff --git a/playbooks/roles/os_keystone/tasks/keystone_fernet_keys_autorotate.yml b/playbooks/roles/os_keystone/tasks/keystone_fernet_keys_autorotate.yml
deleted file mode 100644
index 22086eaec9..0000000000
--- a/playbooks/roles/os_keystone/tasks/keystone_fernet_keys_autorotate.yml
+++ /dev/null
@@ -1,53 +0,0 @@
----
-# Copyright 2015, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# This script is being created with mode 0755 intentionally. This is so that the
-# script can be executed by root to rotate the keys as needed. The script being
-# executed will always change it's user context to the keystone user before
-# execution and while the script may be world read/executable its contains only
-# the necessary bits that are required to run the rotate and sync commands.
-- name: Drop fernet key auto rotate script
- template:
- src: "keystone-fernet-rotate.sh.j2"
- dest: "{{ keystone_fernet_auto_rotation_script }}"
- owner: "{{ keystone_system_user_name }}"
- group: "{{ keystone_system_group_name }}"
- mode: "1755"
- tags:
- - keystone-fernet-auto-rotate
-
-# This creates the auto rotation job on the first keystone host.
-- name: Create auto rotation job
- cron:
- name: "Fernet auto rotate job"
- special_time: "{{ keystone_fernet_rotation }}"
- user: "keystone"
- job: "{{ keystone_fernet_auto_rotation_script }}"
- cron_file: keystone-fernet-rotate
- when: >
- inventory_hostname == groups['keystone_all'][0]
- tags:
- - keystone-fernet-auto-rotate
-
-# This makes sure that no auto rotation jobs are on any other hosts.
-- name: Remove extra auto rotation job
- cron:
- name: "Fernet auto rotate job"
- cron_file: keystone-fernet-rotate
- state: "absent"
- when: >
- inventory_hostname != groups['keystone_all'][0]
- tags:
- - keystone-fernet-auto-rotate
diff --git a/playbooks/roles/os_keystone/tasks/keystone_fernet_keys_create.yml b/playbooks/roles/os_keystone/tasks/keystone_fernet_keys_create.yml
deleted file mode 100644
index c4ed0739da..0000000000
--- a/playbooks/roles/os_keystone/tasks/keystone_fernet_keys_create.yml
+++ /dev/null
@@ -1,46 +0,0 @@
----
-# Copyright 2015, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-- name: Check if fernet keys already exist
- stat:
- path: "{{ keystone_fernet_tokens_key_repository }}/0"
- register: _fernet_keys
- tags:
- - keystone-fernet
-
-- name: Create fernet keys for Keystone
- command: >
- {{ keystone_bin }}/keystone-manage fernet_setup
- --keystone-user "{{ keystone_system_user_name }}"
- --keystone-group "{{ keystone_system_group_name }}"
- become: yes
- become_user: "{{ keystone_system_user_name }}"
- when: not _fernet_keys.stat.exists
- tags:
- - keystone-setup
- - keystone-fernet
- - keystone-command-bin
-
-- name: Rotate fernet keys for Keystone
- command: >
- {{ keystone_bin }}/keystone-manage fernet_rotate
- --keystone-user "{{ keystone_system_user_name }}"
- --keystone-group "{{ keystone_system_group_name }}"
- become: yes
- become_user: "{{ keystone_system_user_name }}"
- when: _fernet_keys.stat.exists
- tags:
- - keystone-fernet
- - keystone-command-bin
diff --git a/playbooks/roles/os_keystone/tasks/keystone_fernet_keys_distribute.yml b/playbooks/roles/os_keystone/tasks/keystone_fernet_keys_distribute.yml
deleted file mode 100644
index c9e2f4337a..0000000000
--- a/playbooks/roles/os_keystone/tasks/keystone_fernet_keys_distribute.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-# Copyright 2015, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-- name: Distribute the fernet key repository
- shell: |
- rsync -e 'ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' \
- -avz \
- --delete \
- {{ keystone_fernet_tokens_key_repository }}/ \
- {{ keystone_system_user_name }}@{{ hostvars[item]['ansible_ssh_host'] }}:{{ keystone_fernet_tokens_key_repository }}/
- become: yes
- become_user: "{{ keystone_system_user_name }}"
- with_items: groups['keystone_all'][1:]
- tags:
- - keystone-fernet-distribute
diff --git a/playbooks/roles/os_keystone/tasks/keystone_idp_metadata.yml b/playbooks/roles/os_keystone/tasks/keystone_idp_metadata.yml
deleted file mode 100644
index 48eebac406..0000000000
--- a/playbooks/roles/os_keystone/tasks/keystone_idp_metadata.yml
+++ /dev/null
@@ -1,26 +0,0 @@
----
-# Copyright 2014, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-- name: Generate IdP metadata
- shell: |
- {{ keystone_bin }}/keystone-manage saml_idp_metadata > {{ keystone_idp.idp_metadata_path }}
- become: yes
- become_user: "{{ keystone_system_user_name }}"
- when: keystone_idp is defined
- notify:
- - Restart Apache
- tags:
- - keystone-config
- - keystone-idp
diff --git a/playbooks/roles/os_keystone/tasks/keystone_idp_self_signed_create.yml b/playbooks/roles/os_keystone/tasks/keystone_idp_self_signed_create.yml
deleted file mode 100644
index 2ae0094cd1..0000000000
--- a/playbooks/roles/os_keystone/tasks/keystone_idp_self_signed_create.yml
+++ /dev/null
@@ -1,48 +0,0 @@
----
-# Copyright 2014, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-- name: Remove IdP self-signed certificate for regen
- file:
- dest: "{{ keystone_idp.cerfile }}"
- state: "absent"
- when: >
- keystone_idp.regen_cert == true or
- keystone_idp.regen_cert == "True"
-
-- name: Create IdP self-signed ssl cert
- command: >
- openssl req -new -nodes -sha256 -x509 -subj
- "{{ keystone_idp.self_signed_cert_subject }}"
- -days 3650
- -keyout {{ keystone_idp.keyfile }}
- -out {{ keystone_idp.certfile }}
- -extensions v3_ca
- creates={{ keystone_idp.certfile }}
- when: >
- inventory_hostname == groups['keystone_all'][0]
- notify: Restart Apache
- tags:
- - keystone-config
- - keystone-idp
-
-- name: Set appropriate file ownership on the IdP self-signed cert
- file:
- path: "{{ item }}"
- owner: "{{ keystone_system_user_name }}"
- group: "{{ keystone_system_group_name }}"
- mode: "0640"
- with_items:
- - "{{ keystone_idp.keyfile }}"
- - "{{ keystone_idp.certfile }}"
diff --git a/playbooks/roles/os_keystone/tasks/keystone_idp_self_signed_distribute.yml b/playbooks/roles/os_keystone/tasks/keystone_idp_self_signed_distribute.yml
deleted file mode 100644
index 089a26bd90..0000000000
--- a/playbooks/roles/os_keystone/tasks/keystone_idp_self_signed_distribute.yml
+++ /dev/null
@@ -1,44 +0,0 @@
----
-# Copyright 2014, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-- name: Distribute IdP self-signed certificate
- memcached:
- name: "{{ item.name }}"
- file_path: "{{ item.src }}"
- state: "retrieve"
- file_mode: "{{ item.file_mode }}"
- dir_mode: "{{ item.dir_mode }}"
- server: "{{ memcached_servers }}"
- encrypt_string: "{{ memcached_encryption_key }}"
- with_items:
- - { src: "{{ keystone_idp.certfile }}", name: "keystone_idp_cert", file_mode: "0640", dir_mode: "0750" }
- - { src: "{{ keystone_idp.keyfile }}", name: "keystone_idp_key", file_mode: "0640", dir_mode: "0750" }
- register: memcache_keys
- until: memcache_keys|success
- retries: 5
- delay: 2
- notify: Restart Apache
- tags:
- - keystone-idp
-
-- name: Set appropriate file ownership on the IdP self-signed cert
- file:
- path: "{{ item }}"
- owner: "{{ keystone_system_user_name }}"
- group: "{{ keystone_system_group_name }}"
- mode: "0640"
- with_items:
- - "{{ keystone_idp.keyfile }}"
- - "{{ keystone_idp.certfile }}"
diff --git a/playbooks/roles/os_keystone/tasks/keystone_idp_self_signed_store.yml b/playbooks/roles/os_keystone/tasks/keystone_idp_self_signed_store.yml
deleted file mode 100644
index 2d39af0cc2..0000000000
--- a/playbooks/roles/os_keystone/tasks/keystone_idp_self_signed_store.yml
+++ /dev/null
@@ -1,31 +0,0 @@
----
-# Copyright 2014, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-- name: Store IdP self-signed certificate
- memcached:
- name: "{{ item.name }}"
- file_path: "{{ item.src }}"
- state: "present"
- server: "{{ memcached_servers }}"
- encrypt_string: "{{ memcached_encryption_key }}"
- with_items:
- - { src: "{{ keystone_idp.certfile }}", name: "keystone_idp_cert" }
- - { src: "{{ keystone_idp.keyfile }}", name: "keystone_idp_key" }
- register: memcache_keys
- until: memcache_keys|success
- retries: 5
- delay: 2
- tags:
- - keystone-idp
diff --git a/playbooks/roles/os_keystone/tasks/keystone_idp_setup.yml b/playbooks/roles/os_keystone/tasks/keystone_idp_setup.yml
deleted file mode 100644
index 4400ad7a7e..0000000000
--- a/playbooks/roles/os_keystone/tasks/keystone_idp_setup.yml
+++ /dev/null
@@ -1,30 +0,0 @@
----
-# Copyright 2014, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-- include: keystone_idp_self_signed_create.yml
- when: >
- inventory_hostname == groups['keystone_all'][0]
-
-- include: keystone_idp_self_signed_store.yml
- when: >
- inventory_hostname == groups['keystone_all'][0]
-
-- include: keystone_idp_self_signed_distribute.yml
- when: >
- inventory_hostname != groups['keystone_all'][0]
-
-- include: keystone_idp_metadata.yml
-
-- include: keystone_idp_sp_setup.yml
diff --git a/playbooks/roles/os_keystone/tasks/keystone_idp_sp_setup.yml b/playbooks/roles/os_keystone/tasks/keystone_idp_sp_setup.yml
deleted file mode 100644
index bf5ebce070..0000000000
--- a/playbooks/roles/os_keystone/tasks/keystone_idp_sp_setup.yml
+++ /dev/null
@@ -1,30 +0,0 @@ ---- -# Copyright 2014, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: Register service providers - keystone: - command: "ensure_service_provider" - token: "{{ keystone_auth_admin_token }}" - endpoint: "{{ keystone_service_adminurl }}" - sp_name: "{{ item.id }}" - sp_url: "{{ item.sp_url }}" - sp_auth_url: "{{ item.auth_url }}" - with_items: keystone_idp.service_providers - register: add_service_providers - until: add_service_providers|success - retries: 5 - delay: 10 - tags: - - keystone-idp diff --git a/playbooks/roles/os_keystone/tasks/keystone_install.yml b/playbooks/roles/os_keystone/tasks/keystone_install.yml deleted file mode 100644 index 5aeac5f3cc..0000000000 --- a/playbooks/roles/os_keystone/tasks/keystone_install.yml +++ /dev/null 
@@ -1,218 +0,0 @@ ---- -# Copyright 2014, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -#TODO(evrardjp): Replace the next 2 tasks by a standard apt with cache -#when https://github.com/ansible/ansible-modules-core/pull/1517 is merged -#in 1.9.x or we move to 2.0 (if tested working) -- name: Check apt last update file - stat: - path: /var/cache/apt - register: apt_cache_stat - tags: - - keystone-apt-packages - -- name: Update apt if needed - apt: - update_cache: yes - when: "ansible_date_time.epoch|float - apt_cache_stat.stat.mtime > {{cache_timeout}}" - tags: - - keystone-apt-packages - -- name: Install apt packages - apt: - pkg: "{{ item }}" - state: latest - register: install_packages - until: install_packages|success - retries: 5 - delay: 2 - with_items: keystone_apt_packages - tags: - - keystone-install - - keystone-apt-packages - -- name: Install IdP apt packages - apt: - pkg: "{{ item }}" - state: latest - register: install_packages - until: install_packages|success - retries: 5 - delay: 2 - with_items: keystone_idp_apt_packages - when: keystone_idp is defined - tags: - - keystone-install - - keystone-apt-packages - -- name: Install SP apt packages - apt: - pkg: "{{ item }}" - state: latest - register: install_packages - until: install_packages|success - retries: 5 - delay: 2 - with_items: keystone_sp_apt_packages - when: keystone_sp is defined - tags: - - keystone-install - - keystone-apt-packages - -- name: Install requires pip packages 
- pip: - name: "{{ item }}" - state: present - extra_args: "{{ pip_install_options|default('') }}" - register: install_packages - until: install_packages|success - retries: 5 - delay: 2 - with_items: keystone_requires_pip_packages - tags: - - keystone-install - - keystone-pip-packages - -- name: Get local venv checksum - stat: - path: "/var/cache/{{ keystone_venv_download_url | basename }}" - get_md5: False - when: keystone_venv_enabled | bool - register: local_venv_stat - tags: - - keystone-install - - keystone-pip-packages - -- name: Get remote venv checksum - uri: - url: "{{ keystone_venv_download_url | replace('tgz', 'checksum') }}" - return_content: True - when: keystone_venv_enabled | bool - register: remote_venv_checksum - tags: - - keystone-install - - keystone-pip-packages - -# TODO: When project moves to ansible 2 we can pass this a sha256sum which will: -# a) allow us to remove force: yes -# b) allow the module to calculate the checksum of dest file which would -# result in file being downloaded only if provided and dest sha256sum -# checksums differ -- name: Attempt venv download - get_url: - url: "{{ keystone_venv_download_url }}" - dest: "/var/cache/{{ keystone_venv_download_url | basename }}" - force: yes - ignore_errors: true - register: get_venv - when: - - keystone_venv_enabled | bool - - (local_venv_stat.stat.exists == False or - {{ local_venv_stat.stat.checksum is defined and local_venv_stat.stat.checksum != remote_venv_checksum.content | trim }}) - tags: - - keystone-install - - keystone-pip-packages - -- name: Set keystone get_venv fact - set_fact: - keystone_get_venv: "{{ get_venv }}" - when: keystone_venv_enabled | bool - tags: - - keystone-install - - keystone-pip-packages - -- name: Remove existing venv - file: - path: "{{ keystone_venv_bin | dirname }}" - state: absent - when: - - keystone_venv_enabled | bool - - keystone_get_venv | changed - tags: - - keystone-install - - keystone-pip-packages - -- name: Create keystone venv dir - file: 
- path: "{{ keystone_venv_bin | dirname }}" - state: directory - when: - - keystone_venv_enabled | bool - - keystone_get_venv | changed - tags: - - keystone-install - - keystone-pip-packages - -- name: Unarchive pre-built venv - unarchive: - src: "/var/cache/{{ keystone_venv_download_url | basename }}" - dest: "{{ keystone_venv_bin | dirname }}" - copy: "no" - when: - - keystone_venv_enabled | bool - - keystone_get_venv | changed - notify: - - Restart Apache - tags: - - keystone-install - - keystone-pip-packages - -- name: Update virtualenv path - command: > - virtualenv-tools --update-path=auto {{ keystone_venv_bin | dirname }} - when: - - keystone_venv_enabled | bool - - keystone_get_venv | success - tags: - - keystone-install - - keystone-pip-packages - -- name: Install pip packages (venv) - pip: - name: "{{ item }}" - state: present - virtualenv: "{{ keystone_venv_bin | dirname }}" - virtualenv_site_packages: "no" - extra_args: "{{ pip_install_options|default('') }}" - register: install_packages - until: install_packages|success - retries: 5 - delay: 2 - with_items: keystone_pip_packages - when: - - keystone_venv_enabled | bool - - keystone_get_venv | failed - notify: - - Restart Apache - tags: - - keystone-install - - keystone-pip-packages - -- name: Install pip packages (no venv) - pip: - name: "{{ item }}" - state: present - extra_args: "{{ pip_install_options|default('') }}" - register: install_packages - until: install_packages|success - retries: 5 - delay: 2 - with_items: keystone_pip_packages - when: not keystone_venv_enabled | bool - notify: - - Restart Apache - tags: - - keystone-install - - keystone-pip-packages diff --git a/playbooks/roles/os_keystone/tasks/keystone_key_distribute.yml b/playbooks/roles/os_keystone/tasks/keystone_key_distribute.yml deleted file mode 100644 index 760e6287cd..0000000000 --- a/playbooks/roles/os_keystone/tasks/keystone_key_distribute.yml +++ /dev/null 
@@ -1,23 +0,0 @@ ---- -# Copyright 2015, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: Create authorized keys file from host vars - authorized_key: - user: "{{ keystone_system_user_name }}" - key: "{{ hostvars[item]['keystone_pubkey'] | b64decode }}" - with_items: groups['keystone_all'] - tags: - - keystone-key - - keystone-key-distribute diff --git a/playbooks/roles/os_keystone/tasks/keystone_key_populate.yml b/playbooks/roles/os_keystone/tasks/keystone_key_populate.yml deleted file mode 100644 index b61ad53fd7..0000000000 --- a/playbooks/roles/os_keystone/tasks/keystone_key_populate.yml +++ /dev/null 
@@ -1,30 +0,0 @@ ---- -# Copyright 2014, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: Get public key contents and store as var - slurp: - src: "{{ keystone_system_user_home }}/.ssh/id_rsa.pub" - register: keystone_pub - changed_when: false - tags: - - keystone-key - - keystone-key-create - -- name: Register a fact for the keystone pub key - set_fact: - keystone_pubkey: "{{ keystone_pub.content }}" - tags: - - keystone-key - - keystone-key-create diff --git a/playbooks/roles/os_keystone/tasks/keystone_key_setup.yml b/playbooks/roles/os_keystone/tasks/keystone_key_setup.yml deleted file mode 100644 index 6a20891415..0000000000 --- a/playbooks/roles/os_keystone/tasks/keystone_key_setup.yml +++ /dev/null 
@@ -1,24 +0,0 @@ ---- -# Copyright 2015, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- include: keystone_key_populate.yml - tags: - - keystone-key - - keystone-key-create - -- include: keystone_key_distribute.yml - tags: - - keystone-key - - keystone-key-distribute diff --git a/playbooks/roles/os_keystone/tasks/keystone_ldap_setup.yml b/playbooks/roles/os_keystone/tasks/keystone_ldap_setup.yml deleted file mode 100644 index c048b7c2a2..0000000000 --- a/playbooks/roles/os_keystone/tasks/keystone_ldap_setup.yml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -# Copyright 2015, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - -- name: Create Keystone LDAP domains - keystone: - command: ensure_domain - domain_name: "{{ item.key }}" - token: "{{ keystone_auth_admin_token }}" - endpoint: "{{ keystone_service_adminurl }}" - insecure: "{{ keystone_service_adminuri_insecure }}" - with_dict: keystone_ldap - run_once: true - tags: - - keystone-ldap-domain-create - -- name: Create Keystone LDAP domain configs - template: - src: keystone.domain.conf.j2 - dest: "{{ keystone_ldap_domain_config_dir }}/keystone.{{ item.key }}.conf" - owner: "{{ keystone_system_user_name }}" - group: "{{ keystone_system_group_name }}" - mode: "0644" - with_dict: keystone_ldap - notify: - - Restart Apache - tags: - - keystone-ldap-domain-config - diff --git a/playbooks/roles/os_keystone/tasks/keystone_messaging_setup.yml b/playbooks/roles/os_keystone/tasks/keystone_messaging_setup.yml deleted file mode 100644 index ddd11c2305..0000000000 --- a/playbooks/roles/os_keystone/tasks/keystone_messaging_setup.yml +++ /dev/null 
@@ -1,37 +0,0 @@ ---- -# Copyright 2014, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: Ensure Rabbitmq vhost - rabbitmq_vhost: - name: "{{ keystone_rabbitmq_vhost }}" - state: "present" - delegate_to: "{{ groups['rabbitmq_all'][0] }}" - tags: - - keystone-rabbitmq - - keystone-rabbitmq-vhost - -- name: Ensure rabbitmq user - rabbitmq_user: - user: "{{ keystone_rabbitmq_userid }}" - password: "{{ keystone_rabbitmq_password }}" - vhost: "{{ keystone_rabbitmq_vhost }}" - configure_priv: ".*" - read_priv: ".*" - write_priv: ".*" - state: "present" - delegate_to: "{{ groups['rabbitmq_all'][0] }}" - tags: - - keystone-rabbitmq - - keystone-rabbitmq-user diff --git a/playbooks/roles/os_keystone/tasks/keystone_post_install.yml b/playbooks/roles/os_keystone/tasks/keystone_post_install.yml deleted file mode 100644 index 7559909f6f..0000000000 --- a/playbooks/roles/os_keystone/tasks/keystone_post_install.yml +++ /dev/null 
@@ -1,86 +0,0 @@ ---- -# Copyright 2014, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: Copy keystone config - config_template: - src: "{{ item.src }}" - dest: "{{ item.dest }}" - owner: "{{ keystone_system_user_name }}" - group: "{{ keystone_system_group_name }}" - mode: "0644" - config_overrides: "{{ item.config_overrides }}" - config_type: "{{ item.config_type }}" - with_items: - - src: "keystone.conf.j2" - dest: "/etc/keystone/keystone.conf" - config_overrides: "{{ keystone_keystone_conf_overrides }}" - config_type: "ini" - - src: "keystone-paste.ini.j2" - dest: "/etc/keystone/keystone-paste.ini" - config_overrides: "{{ keystone_keystone_paste_ini_overrides }}" - config_type: "ini" - - src: "policy.json.j2" - dest: "/etc/keystone/policy.json" - config_overrides: "{{ keystone_policy_overrides }}" - config_type: "json" - notify: - - Restart Apache - tags: - - keystone-config - -- name: Drop Keystone Configs - copy: - src: "{{ item.src }}" - dest: "{{ item.dest }}" - owner: "{{ keystone_system_user_name }}" - group: "{{ keystone_system_group_name }}" - mode: "{{ item.mode|default('0644') }}" - with_items: - - { src: "sso_callback_template.html", dest: "/etc/keystone/sso_callback_template.html" } - notify: - - Restart Apache - tags: - - keystone-config - -- name: Drop Keystone WSGI Configs - template: - src: "{{ item.src }}" - dest: "{{ item.dest }}" - owner: "{{ keystone_system_user_name }}" - group: "{{ keystone_system_group_name }}" - 
mode: "{{ item.mode|default('0644') }}" - with_items: - - { src: "keystone-wsgi.py.j2", dest: "/var/www/cgi-bin/keystone/admin", mode: "0755" } - - { src: "keystone-wsgi.py.j2", dest: "/var/www/cgi-bin/keystone/main", mode: "0755" } - notify: - - Restart Apache - tags: - - keystone-config - -- name: Get keystone command path - command: which keystone - register: keystone_command_path - when: - - not keystone_venv_enabled | bool - tags: - - keystone-command-bin - -- name: Set keystone command path - set_fact: - keystone_bin: "{{ keystone_command_path.stdout | dirname }}" - when: - - not keystone_venv_enabled | bool - tags: - - keystone-command-bin diff --git a/playbooks/roles/os_keystone/tasks/keystone_pre_install.yml b/playbooks/roles/os_keystone/tasks/keystone_pre_install.yml deleted file mode 100644 index 3fb9eb1d63..0000000000 --- a/playbooks/roles/os_keystone/tasks/keystone_pre_install.yml +++ /dev/null 
@@ -1,124 +0,0 @@ ---- -# Copyright 2014, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: create the system group - group: - name: "{{ keystone_system_group_name }}" - state: "present" - system: "yes" - tags: - - keystone-group - -- name: create additional groups - group: - name: "{{ item }}" - state: "present" - system: "yes" - with_items: keystone_system_additional_groups - tags: - - keystone-group - -- name: Remove old key file(s) if found - file: - path: "{{ item }}" - state: "absent" - with_items: - - "{{ keystone_system_user_home }}/.ssh/authorized_keys" - - "{{ keystone_system_user_home }}/.ssh/id_rsa" - - "{{ keystone_system_user_home }}/.ssh/id_rsa.pub" - when: keystone_recreate_keys | bool - tags: - - keystone-key - - keystone-key-create - -- name: Create the keystone system user - user: - name: "{{ keystone_system_user_name }}" - group: "{{ keystone_system_group_name }}" - groups: "{{ keystone_system_additional_groups | join(',') }}" - comment: "{{ keystone_system_comment }}" - shell: "{{ keystone_system_shell }}" - system: "yes" - createhome: "yes" - home: "{{ keystone_system_user_home }}" - generate_ssh_key: "yes" - tags: - - keystone-user - - keystone-key - - keystone-key-create - -- name: Create keystone dir - file: - path: "{{ item.path }}" - state: directory - owner: "{{ item.owner|default(keystone_system_user_name) }}" - group: "{{ item.group|default(keystone_system_group_name) }}" - mode: "{{ item.mode|default(0755) }}" 
- with_items: - - { path: "/openstack", mode: "0755", owner: "root", group: "root" } - - { path: "/etc/keystone" } - - { path: "{{ keystone_ldap_domain_config_dir }}" } - - { path: "/etc/keystone/ssl" } - - { path: "{{ keystone_fernet_tokens_key_repository }}", mode: "2750"} - - { path: "/etc/sudoers.d", mode: "0750", owner: "root", group: "root" } - - { path: "{{ keystone_system_user_home }}" } - - { path: "/var/www/cgi-bin", owner: root, group: root } - - { path: "/var/www/cgi-bin/keystone" } - tags: - - keystone-dirs - -- name: Create keystone venv dir - file: - path: "{{ item.path }}" - state: directory - with_items: - - { path: "/openstack/venvs" } - - { path: "{{ keystone_venv_bin }}" } - when: keystone_venv_enabled | bool - tags: - - keystone-dirs - -- name: Test for log directory or link - shell: | - if [ -h "/var/log/keystone" ]; then - chown -h {{ keystone_system_user_name }}:{{ keystone_system_group_name }} "/var/log/keystone" - chown -R {{ keystone_system_user_name }}:{{ keystone_system_group_name }} "$(readlink /var/log/keystone)" - else - exit 1 - fi - register: log_dir - failed_when: false - changed_when: log_dir.rc != 0 - tags: - - keystone-dirs - - keystone-logs - -- name: Create keystone log dir - file: - path: "{{ item.path }}" - state: directory - owner: "{{ item.owner|default(keystone_system_user_name) }}" - group: "{{ item.group|default(keystone_system_group_name) }}" - mode: "{{ item.mode|default('0755') }}" - with_items: - - { path: "/var/log/keystone" } - when: log_dir.rc != 0 - tags: - - keystone-dirs - - keystone-logs - -- include: keystone_messaging_setup.yml - when: > - inventory_hostname == groups['keystone_all'][0] diff --git a/playbooks/roles/os_keystone/tasks/keystone_service_setup.yml b/playbooks/roles/os_keystone/tasks/keystone_service_setup.yml deleted file mode 100644 index 174285bdb5..0000000000 --- a/playbooks/roles/os_keystone/tasks/keystone_service_setup.yml +++ /dev/null 
@@ -1,231 +0,0 @@ ---- -# Copyright 2014, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: Restart service - service: - name: "{{ keystone_system_service_name }}" - state: restarted - pattern: "{{ keystone_system_service_name }}" - tags: - - keystone-db-sync - - keystone-setup - -- name: Wait for keystone admin to come up - wait_for: - host: "{{ ansible_ssh_host }}" - port: "{{ keystone_admin_port }}" - timeout: 25 - delay: 10 - tags: - - keystone-db-sync - - keystone-setup - -- name: Wait for keystone service to come up - wait_for: - host: "{{ ansible_ssh_host }}" - port: "{{ keystone_service_port }}" - timeout: 25 - delay: 10 - tags: - - keystone-db-sync - - keystone-setup - -# Create a service tenant -- name: Ensure service tenant - keystone: - command: "ensure_tenant" - token: "{{ keystone_auth_admin_token }}" - endpoint: "{{ keystone_service_adminurl }}" - tenant_name: "{{ keystone_service_tenant_name }}" - description: "{{ keystone_service_description }}" - insecure: "{{ keystone_service_adminuri_insecure }}" - register: add_service - until: add_service|success - retries: 5 - delay: 10 - tags: - - keystone-api-setup - - keystone-setup - -# Create an admin tenant -- name: Ensure admin tenant - keystone: - command: "ensure_tenant" - token: "{{ keystone_auth_admin_token }}" - endpoint: "{{ keystone_service_adminurl }}" - tenant_name: "{{ keystone_admin_tenant_name }}" - description: "{{ keystone_admin_description }}" - insecure: "{{ 
keystone_service_adminuri_insecure }}" - register: add_service - until: add_service|success - retries: 5 - delay: 10 - tags: - - keystone-api-setup - - keystone-setup - -# Create an admin user -- name: Ensure Admin user - keystone: - command: "ensure_user" - token: "{{ keystone_auth_admin_token }}" - endpoint: "{{ keystone_service_adminurl }}" - user_name: "{{ keystone_admin_user_name }}" - tenant_name: "{{ keystone_admin_tenant_name }}" - password: "{{ keystone_auth_admin_password }}" - insecure: "{{ keystone_service_adminuri_insecure }}" - register: add_service - when: not keystone_service_in_ldap | bool - until: add_service|success - retries: 5 - delay: 10 - tags: - - keystone-api-setup - - keystone-setup - -# Create an admin role -- name: Ensure Admin role - keystone: - command: "ensure_role" - token: "{{ keystone_auth_admin_token }}" - endpoint: "{{ keystone_service_adminurl }}" - role_name: "{{ keystone_role_name }}" - insecure: "{{ keystone_service_adminuri_insecure }}" - register: add_service - until: add_service|success - retries: 5 - delay: 10 - tags: - - keystone-api-setup - - keystone-setup - -# Add a role to the user -- name: Ensure Admin user to Admin role - keystone: - command: "ensure_user_role" - token: "{{ keystone_auth_admin_token }}" - endpoint: "{{ keystone_service_adminurl }}" - user_name: "{{ keystone_admin_user_name }}" - tenant_name: "{{ keystone_admin_tenant_name }}" - role_name: "{{ keystone_role_name }}" - insecure: "{{ keystone_service_adminuri_insecure }}" - register: add_service - when: not keystone_service_in_ldap | bool - until: add_service|success - retries: 5 - delay: 10 - tags: - - keystone-api-setup - - keystone-setup - -# Add the default user role -- name: Ensure default keystone user role - keystone: - command: "ensure_role" - token: "{{ keystone_auth_admin_token }}" - endpoint: "{{ keystone_service_adminurl }}" - role_name: "{{ keystone_default_role_name }}" - insecure: "{{ keystone_service_adminuri_insecure }}" - register: 
add_member_role - when: not keystone_service_in_ldap | bool - until: add_member_role|success - retries: 5 - delay: 10 - tags: - - keystone-api-setup - - keystone-setup - -# Create a service -- name: Ensure Keystone Service - keystone: - command: "ensure_service" - token: "{{ keystone_auth_admin_token }}" - endpoint: "{{ keystone_service_adminurl }}" - service_name: "{{ keystone_service_name }}" - service_type: "{{ keystone_service_type }}" - description: "{{ keystone_service_description }}" - insecure: "{{ keystone_service_adminuri_insecure }}" - register: add_service - until: add_service|success - retries: 5 - delay: 10 - tags: - - keystone-api-setup - - keystone-service-add - - keystone-setup - -# Create a service user -- name: Ensure Keystone user - keystone: - command: "ensure_user" - token: "{{ keystone_auth_admin_token }}" - endpoint: "{{ keystone_service_adminurl }}" - user_name: "{{ keystone_service_user_name }}" - tenant_name: "{{ keystone_service_tenant_name }}" - password: "{{ keystone_service_password }}" - insecure: "{{ keystone_service_adminuri_insecure }}" - register: add_service - until: add_service|success - retries: 5 - delay: 10 - tags: - - keystone-api-setup - - keystone-service-add - - keystone-setup - -# Add a role to the user -- name: Ensure Keystone user to Admin role - keystone: - command: "ensure_user_role" - token: "{{ keystone_auth_admin_token }}" - endpoint: "{{ keystone_service_adminurl }}" - user_name: "{{ keystone_service_user_name }}" - tenant_name: "{{ keystone_service_tenant_name }}" - role_name: "{{ keystone_role_name }}" - insecure: "{{ keystone_service_adminuri_insecure }}" - register: add_service - until: add_service|success - retries: 5 - delay: 10 - tags: - - keystone-api-setup - - keystone-service-add - - keystone-setup - -# Create an endpoint -- name: Ensure Keystone Endpoint - keystone: - command: "ensure_endpoint" - token: "{{ keystone_auth_admin_token }}" - endpoint: "{{ keystone_service_adminurl }}" - region_name: "{{ 
keystone_service_region }}" - service_name: "{{ keystone_service_name }}" - service_type: "{{ keystone_service_type }}" - insecure: "{{ keystone_service_adminuri_insecure }}" - endpoint_list: - - url: "{{ keystone_service_publicurl }}" - interface: "public" - - url: "{{ keystone_service_adminurl }}" - interface: "admin" - - url: "{{ keystone_service_internalurl }}" - interface: "internal" - register: add_service - until: add_service|success - retries: 5 - delay: 10 - tags: - - keystone-api-setup - - keystone-service-add - - keystone-setup diff --git a/playbooks/roles/os_keystone/tasks/keystone_ssl.yml b/playbooks/roles/os_keystone/tasks/keystone_ssl.yml deleted file mode 100644 index 8c79413300..0000000000 --- a/playbooks/roles/os_keystone/tasks/keystone_ssl.yml +++ /dev/null @@ -1,25 +0,0 @@ ---- -# Copyright 2015, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- include: keystone_ssl_self_signed.yml - when: > - keystone_ssl | bool and - (keystone_user_ssl_cert is not defined or keystone_user_ssl_key is not defined) - tags: - - keystone-ssl - -- include: keystone_ssl_user_provided.yml - tags: - - keystone-ssl diff --git a/playbooks/roles/os_keystone/tasks/keystone_ssl_key_create.yml b/playbooks/roles/os_keystone/tasks/keystone_ssl_key_create.yml deleted file mode 100644 index 9791f84f70..0000000000 --- a/playbooks/roles/os_keystone/tasks/keystone_ssl_key_create.yml +++ /dev/null 
@@ -1,36 +0,0 @@ ---- -# Copyright 2015, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: Remove self signed cert for regen - file: - dest: "{{ keystone_ssl_cert }}" - state: "absent" - when: keystone_ssl_self_signed_regen | bool - tags: - - keystone-ssl - -- name: Create self-signed Apache ssl cert - command: > - openssl req -new -nodes -sha256 -x509 -subj - "{{ keystone_ssl_self_signed_subject }}" - -days 3650 - -keyout {{ keystone_ssl_key }} - -out {{ keystone_ssl_cert }} - -extensions v3_ca - creates={{ keystone_ssl_cert }} - notify: Restart Apache - tags: - - keystone-configs - - keystone-ssl diff --git a/playbooks/roles/os_keystone/tasks/keystone_ssl_key_distribute.yml b/playbooks/roles/os_keystone/tasks/keystone_ssl_key_distribute.yml deleted file mode 100644 index 55ccb444b4..0000000000 --- a/playbooks/roles/os_keystone/tasks/keystone_ssl_key_distribute.yml +++ /dev/null 
@@ -1,35 +0,0 @@ ---- -# Copyright 2014, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: Distribute self signed cert and key - memcached: - name: "{{ item.name }}" - file_path: "{{ item.src }}" - state: "retrieve" - file_mode: "{{ item.file_mode }}" - dir_mode: "{{ item.dir_mode }}" - server: "{{ memcached_servers }}" - encrypt_string: "{{ memcached_encryption_key }}" - with_items: - - { src: "{{ keystone_ssl_cert }}", name: "keystone_ssl_cert", file_mode: "0644", dir_mode: "0755" } - - { src: "{{ keystone_ssl_key }}", name: "keystone_ssl_key", file_mode: "0640", dir_mode: "0750" } - register: memcache_keys - until: memcache_keys|success - retries: 5 - delay: 2 - notify: Restart Apache - tags: - - keystone-config - - keystone-ssl diff --git a/playbooks/roles/os_keystone/tasks/keystone_ssl_key_store.yml b/playbooks/roles/os_keystone/tasks/keystone_ssl_key_store.yml deleted file mode 100644 index 6971ac065f..0000000000 --- a/playbooks/roles/os_keystone/tasks/keystone_ssl_key_store.yml +++ /dev/null 
@@ -1,31 +0,0 @@ ---- -# Copyright 2015, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: Store self signed cert and key - memcached: - name: "{{ item.name }}" - file_path: "{{ item.src }}" - state: "present" - server: "{{ memcached_servers }}" - encrypt_string: "{{ memcached_encryption_key }}" - with_items: - - { src: "{{ keystone_ssl_cert }}", name: "keystone_ssl_cert" } - - { src: "{{ keystone_ssl_key }}", name: "keystone_ssl_key" } - register: memcache_keys - until: memcache_keys|success - retries: 5 - delay: 2 - tags: - - keystone-ssl diff --git a/playbooks/roles/os_keystone/tasks/keystone_ssl_self_signed.yml b/playbooks/roles/os_keystone/tasks/keystone_ssl_self_signed.yml deleted file mode 100644 index a55991d2be..0000000000 --- a/playbooks/roles/os_keystone/tasks/keystone_ssl_self_signed.yml +++ /dev/null 
@@ -1,26 +0,0 @@
----
-# Copyright 2015, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-- include: keystone_ssl_key_create.yml
- when: >
- inventory_hostname == groups['keystone_all'][0]
-
-- include: keystone_ssl_key_store.yml
- when: >
- inventory_hostname == groups['keystone_all'][0]
-
-- include: keystone_ssl_key_distribute.yml
- when: >
- inventory_hostname != groups['keystone_all'][0]
diff --git a/playbooks/roles/os_keystone/tasks/keystone_ssl_user_provided.yml b/playbooks/roles/os_keystone/tasks/keystone_ssl_user_provided.yml
deleted file mode 100644
index e0f7a6fbd7..0000000000
--- a/playbooks/roles/os_keystone/tasks/keystone_ssl_user_provided.yml
+++ /dev/null
@@ -1,53 +0,0 @@
----
-# Copyright 2015, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-- name: Drop user provided ssl cert
- copy:
- src: "{{ keystone_user_ssl_cert }}"
- dest: "{{ keystone_ssl_cert }}"
- owner: "root"
- group: "root"
- mode: "0644"
- when: keystone_user_ssl_cert is defined
- notify: Restart Apache
- tags:
- - keystone-configs
- - keystone-ssl
-
-- name: Drop user provided ssl key
- copy:
- src: "{{ keystone_user_ssl_key }}"
- dest: "{{ keystone_ssl_key }}"
- owner: "root"
- group: "root"
- mode: "0640"
- when: keystone_user_ssl_key is defined
- notify: Restart Apache
- tags:
- - keystone-configs
- - keystone-ssl
-
-- name: Drop user provided ssl CA cert
- copy:
- src: "{{ keystone_user_ssl_ca_cert }}"
- dest: "{{ keystone_ssl_ca_cert }}"
- owner: "root"
- group: "root"
- mode: "0644"
- when: keystone_user_ssl_ca_cert is defined
- notify: Restart Apache
- tags:
- - keystone-configs
- - keystone-ssl
diff --git a/playbooks/roles/os_keystone/tasks/keystone_token_cleanup.yml b/playbooks/roles/os_keystone/tasks/keystone_token_cleanup.yml
deleted file mode 100644
index 0a785c687f..0000000000
--- a/playbooks/roles/os_keystone/tasks/keystone_token_cleanup.yml
+++ /dev/null
@@ -1,23 +0,0 @@
----
-# Copyright 2014, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-- name: Add keystone token_flush cron job
- cron:
- name: "Clear out stale keystone tokens"
- minute: 0
- job: "{{ keystone_bin }}/keystone-manage token_flush"
- user: "{{ keystone_system_user_name }}"
- tags:
- - keystone-config
diff --git a/playbooks/roles/os_keystone/tasks/main.yml b/playbooks/roles/os_keystone/tasks/main.yml
deleted file mode 100644
index f7b278f4d4..0000000000
--- a/playbooks/roles/os_keystone/tasks/main.yml
+++ /dev/null
@@ -1,65 +0,0 @@
----
-# Copyright 2014, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-- include: keystone_pre_install.yml
-- include: keystone_install.yml
-- include: keystone_post_install.yml
-
-- include: keystone_key_setup.yml
- tags:
- - keystone-key
- - keystone-key-distribute
-
-- include: keystone_fernet.yml
- tags:
- - keystone-fernet
- when: >
- 'fernet' in keystone_token_provider
-
-- include: keystone_federation_sp_setup.yml
- when: >
- keystone_sp is defined
-
-- include: keystone_db_setup.yml
- when: >
- inventory_hostname == groups['keystone_all'][0]
-
-- include: keystone_token_cleanup.yml
- when: >
- 'sql' in keystone_token_driver
-
-- include: keystone_ssl.yml
-- include: keystone_apache.yml
-
-- include: keystone_service_setup.yml
- when: >
- inventory_hostname == groups['keystone_all'][0]
-
-- include: keystone_ldap_setup.yml
- tags:
- - keystone-config
- - keystone-ldap
-
-- include: keystone_federation_sp_idp_setup.yml
- when: >
- keystone_sp is defined and
- inventory_hostname == groups['keystone_all'][0]
-
-- name: Flush handlers
- meta: flush_handlers
-
-- include: keystone_idp_setup.yml
- when: >
- keystone_idp is defined
diff --git a/playbooks/roles/os_keystone/templates/keystone-fernet-rotate.sh.j2 b/playbooks/roles/os_keystone/templates/keystone-fernet-rotate.sh.j2
deleted file mode 100644
index 4323902738..0000000000
--- a/playbooks/roles/os_keystone/templates/keystone-fernet-rotate.sh.j2
+++ /dev/null
@@ -1,56 +0,0 @@ -#!/usr/bin/env bash -# Copyright 2015, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# {{ ansible_managed }} - -# This script is being created with mode 0755 intentionally. This is so that the -# script can be executed by root to rotate the keys as needed. The script being -# executed will always change it's user context to the keystone user before -# execution and while the script may be world read/executable its contains only -# the necessary bits that are required to run the rotate and sync commands. - -function autorotate { - # Rotate the keys - {{ keystone_bin }}/keystone-manage fernet_rotate \ - --keystone-user "{{ keystone_system_user_name }}" \ - --keystone-group "{{ keystone_system_group_name }}" - {% for host in groups['keystone_all'] %} - - {% if inventory_hostname != host %} - - # Fernet sync job to "{{ host }}" - rsync -e 'ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' \ - -avz \ - --delete \ - {{ keystone_fernet_tokens_key_repository }}/ \ - {{ keystone_system_user_name }}@{{ hostvars[host]['ansible_ssh_host'] }}:{{ keystone_fernet_tokens_key_repository }}/ - - {%- endif %} - - {%- endfor %} - -} - -if [ "$(id -u)" == "0" ];then -# Change the script context to always execute as the "{{ keystone_system_user_name }}" user. 
-su - "{{ keystone_system_user_name }}" -s "/bin/bash" -c bash << EOC - {{ keystone_fernet_auto_rotation_script }} -EOC -elif [ "$(whoami)" == "{{ keystone_system_user_name }}" ];then - logger $(autorotate) -else - echo "Failed - you do not have permission to rotate, or you've executed the job as the wrong user." - exit 99 -fi diff --git a/playbooks/roles/os_keystone/templates/keystone-httpd.conf.j2 b/playbooks/roles/os_keystone/templates/keystone-httpd.conf.j2 deleted file mode 100644 index 578bd81196..0000000000 --- a/playbooks/roles/os_keystone/templates/keystone-httpd.conf.j2 +++ /dev/null 
@@ -1,89 +0,0 @@ -# {{ ansible_managed }} - - - WSGIDaemonProcess keystone-service user={{ keystone_system_user_name }} group={{ keystone_system_group_name }} processes={{ keystone_wsgi_processes }} threads={{ keystone_wsgi_threads }} display-name=%{GROUP} - WSGIProcessGroup keystone-service - WSGIScriptAlias / /var/www/cgi-bin/keystone/main - WSGIApplicationGroup %{GLOBAL} - WSGIPassAuthorization On - - = 2.4> - ErrorLogFormat "%{cu}t %M" - - - LogLevel {{ keystone_apache_log_level }} - ErrorLog /var/log/keystone/keystone-apache-error.log - CustomLog /var/log/keystone/ssl_access.log combined - Options +FollowSymLinks - - {% if keystone_ssl | bool and keystone_service_internaluri_proto == "https" -%} - SSLEngine on - SSLCertificateFile {{ keystone_ssl_cert }} - SSLCertificateKeyFile {{ keystone_ssl_key }} - {% if keystone_user_ssl_ca_cert is defined -%} - SSLCACertificateFile {{ keystone_ssl_ca_cert }} - {% endif -%} - SSLCompression Off - SSLProtocol {{ keystone_ssl_protocol }} - SSLHonorCipherOrder On - SSLCipherSuite {{ keystone_ssl_cipher_suite }} - SSLOptions +StdEnvVars +ExportCertData - {% endif %} - - {% if keystone_sp is defined -%} - ShibURLScheme {{ keystone_service_publicuri_proto }} - - - SetHandler shib - - - - AuthType shibboleth - ShibRequestSetting requireSession 1 - ShibRequestSetting exportAssertion 1 - ShibRequireSession On - ShibExportAssertion On - Require valid-user - - - - ShibRequestSetting requireSession 1 - AuthType shibboleth - ShibExportAssertion Off - Require valid-user - - - WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/cgi-bin/keystone/main/$1 - {% endif %} - - - - WSGIDaemonProcess keystone-admin user={{ keystone_system_user_name }} group={{ keystone_system_group_name }} processes={{ keystone_wsgi_processes }} threads={{ keystone_wsgi_threads }} display-name=%{GROUP} - WSGIProcessGroup keystone-admin - WSGIScriptAlias / /var/www/cgi-bin/keystone/admin - WSGIApplicationGroup %{GLOBAL} - 
WSGIPassAuthorization On - - = 2.4> - ErrorLogFormat "%{cu}t %M" - - - LogLevel {{ keystone_apache_log_level }} - ErrorLog /var/log/keystone/keystone-apache-error.log - CustomLog /var/log/keystone/ssl_access.log combined - Options +FollowSymLinks - - {% if keystone_ssl | bool and keystone_service_adminuri_proto == "https" -%} - SSLEngine on - SSLCertificateFile {{ keystone_ssl_cert }} - SSLCertificateKeyFile {{ keystone_ssl_key }} - {% if keystone_user_ssl_ca_cert is defined -%} - SSLCACertificateFile {{ keystone_ssl_ca_cert }} - {% endif -%} - SSLCompression Off - SSLProtocol {{ keystone_ssl_protocol }} - SSLHonorCipherOrder On - SSLCipherSuite {{ keystone_ssl_cipher_suite }} - SSLOptions +StdEnvVars +ExportCertData - {% endif %} - diff --git a/playbooks/roles/os_keystone/templates/keystone-paste.ini.j2 b/playbooks/roles/os_keystone/templates/keystone-paste.ini.j2 deleted file mode 100644 index 0d731d0a7f..0000000000 --- a/playbooks/roles/os_keystone/templates/keystone-paste.ini.j2 +++ /dev/null 
@@ -1,91 +0,0 @@
-# Keystone PasteDeploy configuration file.
-
-[filter:debug]
-use = egg:oslo.middleware#debug
-
-[filter:request_id]
-use = egg:oslo.middleware#request_id
-
-[filter:build_auth_context]
-use = egg:keystone#build_auth_context
-
-[filter:token_auth]
-use = egg:keystone#token_auth
-
-[filter:admin_token_auth]
-use = egg:keystone#admin_token_auth
-
-[filter:json_body]
-use = egg:keystone#json_body
-
-[filter:user_crud_extension]
-use = egg:keystone#user_crud_extension
-
-[filter:crud_extension]
-use = egg:keystone#crud_extension
-
-[filter:ec2_extension]
-use = egg:keystone#ec2_extension
-
-[filter:ec2_extension_v3]
-use = egg:keystone#ec2_extension_v3
-
-[filter:s3_extension]
-use = egg:keystone#s3_extension
-
-[filter:simple_cert_extension]
-use = egg:keystone#simple_cert_extension
-
-[filter:url_normalize]
-use = egg:keystone#url_normalize
-
-[filter:sizelimit]
-use = egg:oslo.middleware#sizelimit
-
-[app:public_service]
-use = egg:keystone#public_service
-
-[app:service_v3]
-use = egg:keystone#service_v3
-
-[app:admin_service]
-use = egg:keystone#admin_service
-
-[pipeline:public_api]
-# The last item in this pipeline must be public_service or an equivalent
-# application. It cannot be a filter.
-pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension user_crud_extension public_service
-
-[pipeline:admin_api]
-# The last item in this pipeline must be admin_service or an equivalent
-# application. It cannot be a filter.
-pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension crud_extension admin_service
-
-[pipeline:api_v3]
-# The last item in this pipeline must be service_v3 or an equivalent
-# application. It cannot be a filter.
-pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension service_v3
-
-[app:public_version_service]
-use = egg:keystone#public_version_service
-
-[app:admin_version_service]
-use = egg:keystone#admin_version_service
-
-[pipeline:public_version_api]
-pipeline = sizelimit url_normalize public_version_service
-
-[pipeline:admin_version_api]
-pipeline = sizelimit url_normalize admin_version_service
-
-[composite:main]
-use = egg:Paste#urlmap
-/v2.0 = public_api
-/v3 = api_v3
-/ = public_version_api
-
-[composite:admin]
-use = egg:Paste#urlmap
-/v2.0 = admin_api
-/v3 = api_v3
-/ = admin_version_api
diff --git a/playbooks/roles/os_keystone/templates/keystone-ports.conf.j2 b/playbooks/roles/os_keystone/templates/keystone-ports.conf.j2
deleted file mode 100644
index 35891dc19c..0000000000
--- a/playbooks/roles/os_keystone/templates/keystone-ports.conf.j2
+++ /dev/null
@@ -1,4 +0,0 @@
-# {{ ansible_managed }}
-
-Listen {{ keystone_service_port }}
-Listen {{ keystone_admin_port }}
diff --git a/playbooks/roles/os_keystone/templates/keystone-wsgi.py.j2 b/playbooks/roles/os_keystone/templates/keystone-wsgi.py.j2
deleted file mode 100644
index 400ee7f8b4..0000000000
--- a/playbooks/roles/os_keystone/templates/keystone-wsgi.py.j2
+++ /dev/null
@@ -1,48 +0,0 @@
-# Copyright 2013 OpenStack Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import os
-
-{% if keystone_venv_enabled | bool %}
-activate_this = os.path.expanduser("{{ keystone_venv_bin }}/activate_this.py")
-execfile(activate_this, dict(__file__=activate_this))
-{% endif %}
-
-import os
-
-from oslo_log import log
-from oslo_log import versionutils
-
-from keystone.i18n import _LW
-from keystone.server import wsgi as wsgi_server
-
-
-name = os.path.basename(__file__)
-LOG = log.getLogger(__name__)
-
-
-def deprecation_warning():
- versionutils.report_deprecated_feature(
- LOG,
- _LW('httpd/keystone.py is deprecated as of Mitaka'
- ' in favor of keystone-wsgi-admin and keystone-wsgi-public'
- ' and may be removed in O.')
- )
-
-# NOTE(ldbragst): 'application' is required in this context by WSGI spec.
-# The following is a reference to Python Paste Deploy documentation
-# http://pythonpaste.org/deploy/
-application = wsgi_server.initialize_application(
- name,
- post_log_configured_function=deprecation_warning)
diff --git a/playbooks/roles/os_keystone/templates/keystone.conf.j2 b/playbooks/roles/os_keystone/templates/keystone.conf.j2
deleted file mode 100644
index 1318256813..0000000000
--- a/playbooks/roles/os_keystone/templates/keystone.conf.j2
+++ /dev/null
@@ -1,165 +0,0 @@ -# {{ ansible_managed }} - -[DEFAULT] -verbose = {{ verbose }} -debug = {{ debug }} -admin_token = {{ keystone_auth_admin_token }} -{% if keystone_public_endpoint is defined %} -public_endpoint = {{ keystone_public_endpoint }} -{% endif %} -admin_endpoint = {{ keystone_service_adminuri }} -fatal_deprecations = {{ keystone_fatal_deprecations }} -member_role_name = {{ keystone_default_role_name }} - -{% if keystone_ssl | bool and keystone_secure_proxy_ssl_header is defined %} -secure_proxy_ssl_header = {{ keystone_secure_proxy_ssl_header }} -{% endif %} - -log_file = keystone.log -log_dir = /var/log/keystone -rpc_backend = {{ keystone_rpc_backend }} - -{% if keystone_ceilometer_enabled %} -notification_driver = messagingv2 -{% endif %} - -{% if 'memcache' in keystone_token_driver and 'fernet' not in keystone_token_provider %} -[memcache] -servers = {{ keystone_memcached_servers }} -max_compare_and_set_retry = {{ keystone_memcached_max_compare_and_set_retry }} -{% endif %} - -{% if keystone_cache_backend_argument is defined %} -[cache] -backend = dogpile.cache.memcached -backend_argument = {{ keystone_cache_backend_argument }} -config_prefix = cache.keystone -distributed_lock = True -enabled = true -{% endif %} - - -[revoke] -caching = true -driver = {{ keystone_revocation_driver }} -expiration_buffer = {{ keystone_revocation_expiration_buffer }} -cache_time = {{ keystone_revocation_cache_time }} - - -[auth] -{% if keystone_sp is defined %} -methods = {{ keystone_auth_methods }},saml2 -saml2 = keystone.auth.plugins.mapped.Mapped -{% else %} -methods = {{ keystone_auth_methods }} -{% endif %} - -[database] -connection = mysql+pymysql://{{ keystone_galera_user }}:{{ keystone_container_mysql_password }}@{{ keystone_galera_address }}/{{ keystone_galera_database }}?charset=utf8 -idle_timeout = {{ keystone_database_idle_timeout }} -min_pool_size = {{ keystone_database_min_pool_size }} -max_pool_size = {{ keystone_database_max_pool_size }} -pool_timeout = 
{{ keystone_database_pool_timeout }} - - -[fernet_tokens] -key_repository = {{ keystone_fernet_tokens_key_repository }} -max_active_keys = {{ keystone_fernet_tokens_max_active_keys }} - - -[identity] -{% if keystone_ldap.Default is not defined %} -driver = sql -{% endif %} -{% if keystone_ldap | length > 0 %} -domain_config_dir = {{ keystone_ldap_domain_config_dir }} -domain_specific_drivers_enabled = True -{% endif %} - - -[assignment] -driver = {{ keystone_assignment_driver }} - - -[resource] -cache_time = {{ keystone_resource_cache_time }} -caching = true -driver = {{ keystone_resource_driver }} - - -[token] -enforce_token_bind = permissive -expiration = {{ keystone_token_expiration }} -caching = true -cache_time = {{ keystone_token_cache_time }} -provider = {{ keystone_token_provider }} -{% if 'fernet' not in keystone_token_provider %} -driver = {{ keystone_token_driver }} -{% endif %} - -# We need to /temporarily/ disable catalog caching due to [1], once -# upstream keystone bug [2] is fixed we can remove this [catalog] -# section entirely. 
-# [1] https://review.openstack.org/#/c/215212/ -# [2] https://review.openstack.org/#/c/271536/ -[catalog] -caching = false - -{% if keystone_idp is defined %} -[saml] -certfile = "{{ keystone_idp.certfile }}" -keyfile = "{{ keystone_idp.keyfile }}" -idp_entity_id = "{{ keystone_idp.idp_entity_id }}" -idp_sso_endpoint = "{{ keystone_idp.idp_sso_endpoint }}" -idp_metadata_path = "{{ keystone_idp.idp_metadata_path }}" -{% if keystone_idp.organization_name is defined %} -idp_organization_name = {{ keystone_idp.organization_name }} -{% endif %} -{% if keystone_idp.organization_display_name is defined %} -idp_organization_display_name = {{ keystone_idp.organization_display_name }} -{% endif %} -{% if keystone_idp.organization_url is defined %} -idp_organization_url = {{ keystone_idp.organization_url }} -{% endif %} -{% if keystone_idp.contact_company is defined %} -idp_contact_company = {{ keystone_idp.contact_company }} -{% endif %} -{% if keystone_idp.contact_name is defined %} -idp_contact_name = {{ keystone_idp.contact_name }} -{% endif %} -{% if keystone_idp.contact_surname is defined %} -idp_contact_surname = {{ keystone_idp.contact_surname }} -{% endif %} -{% if keystone_idp.contact_email is defined %} -idp_contact_email = {{ keystone_idp.contact_email }} -{% endif %} -{% if keystone_idp.contact_telephone is defined %} -idp_contact_telephone = {{ keystone_idp.contact_telephone }} -{% endif %} -{% if keystone_idp.contact_type is defined %} -idp_contact_type = {{ keystone_idp.contact_type }} -{% endif %} -{% endif %} - -[eventlet_server] -admin_bind_host = {{ keystone_bind_address }} -admin_port = {{ keystone_admin_port }} -public_port = {{ keystone_service_port }} - -[oslo_messaging_rabbit] -rabbit_port = {{ rabbitmq_port }} -rabbit_userid = {{ keystone_rabbitmq_userid }} -rabbit_password = {{ keystone_rabbitmq_password }} -rabbit_virtual_host = {{ keystone_rabbitmq_vhost }} -rabbit_hosts = {{ rabbitmq_servers }} -rabbit_use_ssl = {{ rabbitmq_use_ssl }} - -{% if 
 keystone_sp is defined %}
-[federation]
-remote_id_attribute = Shib-Identity-Provider
-{% if keystone_sp.trusted_dashboard_list is defined %}
-{% for item in keystone_sp.trusted_dashboard_list %}
-trusted_dashboard = {{ item }}
-{% endfor %}
-{% endif %}
-{% endif %}
diff --git a/playbooks/roles/os_keystone/templates/keystone.domain.conf.j2 b/playbooks/roles/os_keystone/templates/keystone.domain.conf.j2
deleted file mode 100644
index bec3f328d2..0000000000
--- a/playbooks/roles/os_keystone/templates/keystone.domain.conf.j2
+++ /dev/null
@@ -1,9 +0,0 @@
-# {{ ansible_managed }}
-
-[identity]
-driver = ldap
-
-[ldap]
-{% for key, value in item.value | dictsort %}
-{{ key }} = {{ value }}
-{% endfor %}
diff --git a/playbooks/roles/os_keystone/templates/policy.json.j2 b/playbooks/roles/os_keystone/templates/policy.json.j2
deleted file mode 100644
index 47aa9efd81..0000000000
--- a/playbooks/roles/os_keystone/templates/policy.json.j2
+++ /dev/null
@@ -1,186 +0,0 @@ -{ - "admin_required": "role:admin or is_admin:1", - "service_role": "role:service", - "service_or_admin": "rule:admin_required or rule:service_role", - "owner" : "user_id:%(user_id)s", - "admin_or_owner": "rule:admin_required or rule:owner", - "token_subject": "user_id:%(target.token.user_id)s", - "admin_or_token_subject": "rule:admin_required or rule:token_subject", - "service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject", - - "default": "rule:admin_required", - - "identity:get_region": "", - "identity:list_regions": "", - "identity:create_region": "rule:admin_required", - "identity:update_region": "rule:admin_required", - "identity:delete_region": "rule:admin_required", - - "identity:get_service": "rule:admin_required", - "identity:list_services": "rule:admin_required", - "identity:create_service": "rule:admin_required", - "identity:update_service": "rule:admin_required", - "identity:delete_service": "rule:admin_required", - - "identity:get_endpoint": "rule:admin_required", - "identity:list_endpoints": "rule:admin_required", - "identity:create_endpoint": "rule:admin_required", - "identity:update_endpoint": "rule:admin_required", - "identity:delete_endpoint": "rule:admin_required", - - "identity:get_domain": "rule:admin_required", - "identity:list_domains": "rule:admin_required", - "identity:create_domain": "rule:admin_required", - "identity:update_domain": "rule:admin_required", - "identity:delete_domain": "rule:admin_required", - - "identity:get_project": "rule:admin_required", - "identity:list_projects": "rule:admin_required", - "identity:list_user_projects": "rule:admin_or_owner", - "identity:create_project": "rule:admin_required", - "identity:update_project": "rule:admin_required", - "identity:delete_project": "rule:admin_required", - - "identity:get_user": "rule:admin_required", - "identity:list_users": "rule:admin_required", - "identity:create_user": "rule:admin_required", - "identity:update_user": 
"rule:admin_required", - "identity:delete_user": "rule:admin_required", - "identity:change_password": "rule:admin_or_owner", - - "identity:get_group": "rule:admin_required", - "identity:list_groups": "rule:admin_required", - "identity:list_groups_for_user": "rule:admin_or_owner", - "identity:create_group": "rule:admin_required", - "identity:update_group": "rule:admin_required", - "identity:delete_group": "rule:admin_required", - "identity:list_users_in_group": "rule:admin_required", - "identity:remove_user_from_group": "rule:admin_required", - "identity:check_user_in_group": "rule:admin_required", - "identity:add_user_to_group": "rule:admin_required", - - "identity:get_credential": "rule:admin_required", - "identity:list_credentials": "rule:admin_required", - "identity:create_credential": "rule:admin_required", - "identity:update_credential": "rule:admin_required", - "identity:delete_credential": "rule:admin_required", - - "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)", - "identity:ec2_list_credentials": "rule:admin_or_owner", - "identity:ec2_create_credential": "rule:admin_or_owner", - "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)", - - "identity:get_role": "rule:admin_required", - "identity:list_roles": "rule:admin_required", - "identity:create_role": "rule:admin_required", - "identity:update_role": "rule:admin_required", - "identity:delete_role": "rule:admin_required", - - "identity:check_grant": "rule:admin_required", - "identity:list_grants": "rule:admin_required", - "identity:create_grant": "rule:admin_required", - "identity:revoke_grant": "rule:admin_required", - - "identity:list_role_assignments": "rule:admin_required", - "identity:list_role_assignments_for_tree": "rule:admin_required", - - "identity:get_policy": "rule:admin_required", - "identity:list_policies": "rule:admin_required", - "identity:create_policy": 
"rule:admin_required", - "identity:update_policy": "rule:admin_required", - "identity:delete_policy": "rule:admin_required", - - "identity:check_token": "rule:admin_or_token_subject", - "identity:validate_token": "rule:service_admin_or_token_subject", - "identity:validate_token_head": "rule:service_or_admin", - "identity:revocation_list": "rule:service_or_admin", - "identity:revoke_token": "rule:admin_or_token_subject", - - "identity:create_trust": "user_id:%(trust.trustor_user_id)s", - "identity:list_trusts": "", - "identity:list_roles_for_trust": "", - "identity:get_role_for_trust": "", - "identity:delete_trust": "", - - "identity:create_consumer": "rule:admin_required", - "identity:get_consumer": "rule:admin_required", - "identity:list_consumers": "rule:admin_required", - "identity:delete_consumer": "rule:admin_required", - "identity:update_consumer": "rule:admin_required", - - "identity:authorize_request_token": "rule:admin_required", - "identity:list_access_token_roles": "rule:admin_required", - "identity:get_access_token_role": "rule:admin_required", - "identity:list_access_tokens": "rule:admin_required", - "identity:get_access_token": "rule:admin_required", - "identity:delete_access_token": "rule:admin_required", - - "identity:list_projects_for_endpoint": "rule:admin_required", - "identity:add_endpoint_to_project": "rule:admin_required", - "identity:check_endpoint_in_project": "rule:admin_required", - "identity:list_endpoints_for_project": "rule:admin_required", - "identity:remove_endpoint_from_project": "rule:admin_required", - - "identity:create_endpoint_group": "rule:admin_required", - "identity:list_endpoint_groups": "rule:admin_required", - "identity:get_endpoint_group": "rule:admin_required", - "identity:update_endpoint_group": "rule:admin_required", - "identity:delete_endpoint_group": "rule:admin_required", - "identity:list_projects_associated_with_endpoint_group": "rule:admin_required", - "identity:list_endpoints_associated_with_endpoint_group": 
"rule:admin_required", - "identity:get_endpoint_group_in_project": "rule:admin_required", - "identity:list_endpoint_groups_for_project": "rule:admin_required", - "identity:add_endpoint_group_to_project": "rule:admin_required", - "identity:remove_endpoint_group_from_project": "rule:admin_required", - - "identity:create_identity_provider": "rule:admin_required", - "identity:list_identity_providers": "rule:admin_required", - "identity:get_identity_providers": "rule:admin_required", - "identity:update_identity_provider": "rule:admin_required", - "identity:delete_identity_provider": "rule:admin_required", - - "identity:create_protocol": "rule:admin_required", - "identity:update_protocol": "rule:admin_required", - "identity:get_protocol": "rule:admin_required", - "identity:list_protocols": "rule:admin_required", - "identity:delete_protocol": "rule:admin_required", - - "identity:create_mapping": "rule:admin_required", - "identity:get_mapping": "rule:admin_required", - "identity:list_mappings": "rule:admin_required", - "identity:delete_mapping": "rule:admin_required", - "identity:update_mapping": "rule:admin_required", - - "identity:create_service_provider": "rule:admin_required", - "identity:list_service_providers": "rule:admin_required", - "identity:get_service_provider": "rule:admin_required", - "identity:update_service_provider": "rule:admin_required", - "identity:delete_service_provider": "rule:admin_required", - - "identity:get_auth_catalog": "", - "identity:get_auth_projects": "", - "identity:get_auth_domains": "", - - "identity:list_projects_for_groups": "", - "identity:list_domains_for_groups": "", - - "identity:list_revoke_events": "", - - "identity:create_policy_association_for_endpoint": "rule:admin_required", - "identity:check_policy_association_for_endpoint": "rule:admin_required", - "identity:delete_policy_association_for_endpoint": "rule:admin_required", - "identity:create_policy_association_for_service": "rule:admin_required", - 
"identity:check_policy_association_for_service": "rule:admin_required", - "identity:delete_policy_association_for_service": "rule:admin_required", - "identity:create_policy_association_for_region_and_service": "rule:admin_required", - "identity:check_policy_association_for_region_and_service": "rule:admin_required", - "identity:delete_policy_association_for_region_and_service": "rule:admin_required", - "identity:get_policy_for_endpoint": "rule:admin_required", - "identity:list_endpoints_for_policy": "rule:admin_required", - - "identity:create_domain_config": "rule:admin_required", - "identity:get_domain_config": "rule:admin_required", - "identity:update_domain_config": "rule:admin_required", - "identity:delete_domain_config": "rule:admin_required", - "identity:get_domain_config_default": "rule:admin_required" -} diff --git a/playbooks/roles/os_keystone/templates/shibboleth-attribute-map.xml.j2 b/playbooks/roles/os_keystone/templates/shibboleth-attribute-map.xml.j2 deleted file mode 100644 index 7e5271d0b1..0000000000 --- a/playbooks/roles/os_keystone/templates/shibboleth-attribute-map.xml.j2 +++ /dev/null @@ -1,63 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - {% for idp in keystone_sp.trusted_idp_list %} - {% if idp.protocols is defined %} - {% for protocol in idp.protocols %} - {% if protocol.name == "saml2" and protocol.attributes is defined %} - {% for attr in protocol.attributes %} - - {% endfor %} - {% endif %} - {% endfor %} - {% endif %} - {% endfor %} - - diff --git a/playbooks/roles/os_keystone/templates/shibboleth2.xml.j2 b/playbooks/roles/os_keystone/templates/shibboleth2.xml.j2 deleted file mode 100644 index 4b38a8422b..0000000000 --- a/playbooks/roles/os_keystone/templates/shibboleth2.xml.j2 +++ /dev/null 
@@ -1,104 +0,0 @@ - - - - - - - - - - - - - SAML2 SAML1 - - - - - SAML2 Local - - - - - - - - - - - - - - - - - - - - -{% if keystone_sp.trusted_idp_list is defined -%} - {% for item in keystone_sp.trusted_idp_list %} - - {% endfor %} -{% endif %} - - - - - - - - - - - - - - - - - - - - - -