IRR - Implemented for os_keystone

This change removes the in-tree os_keystone role and points os_keystone at the
independent os_keystone repo.

Change-Id: I1eda2fa91c2ac447cdb09757c678076727222279
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
Kevin Carter 2016-02-12 11:03:27 -06:00 committed by Jesse Pretorius (odyssey4me)
parent 669116f923
commit d1f157c611
51 changed files with 64 additions and 3600 deletions


@ -68,4 +68,7 @@
src: https://git.openstack.org/openstack/openstack-ansible-rsyslog_server
scm: git
version: master
- name: os_keystone
src: https://git.openstack.org/openstack/openstack-ansible-os_keystone
scm: git
version: master
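Review bot: The new os_keystone requirement is pinned to `version: master`, so every run fetches whatever the remote branch currently holds and the set of tasks executed against the deployment is not reproducible or reviewable from this repo alone. That matches the neighbouring rsyslog_server entry, so it may be a deliberate project-wide choice, but for a role that provisions the identity service a fixed ref is the safer default, e.g. `version: "<commit-sha-or-tag>"` (placeholder). If floating branches are kept, a short comment above the entry stating that the ref is bumped by a separate process would help reviewers.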


@ -88,6 +88,57 @@
when: is_metal | bool
tags:
- keystone-reserved-port
- name: Keystone ensure Rabbitmq vhost
rabbitmq_vhost:
name: "{{ keystone_rabbitmq_vhost }}"
state: "present"
delegate_to: "{{ groups['rabbitmq_all'][0] }}"
when: inventory_hostname == groups['keystone_all'][0]
tags:
- aodh-rabbitmq
- aodh-rabbitmq-vhost
- name: Keystone ensure rabbitmq user
rabbitmq_user:
user: "{{ keystone_rabbitmq_userid }}"
password: "{{ keystone_rabbitmq_password }}"
vhost: "{{ keystone_rabbitmq_vhost }}"
configure_priv: ".*"
read_priv: ".*"
write_priv: ".*"
state: "present"
delegate_to: "{{ groups['rabbitmq_all'][0] }}"
when: inventory_hostname == groups['keystone_all'][0]
tags:
- aodh-rabbitmq
- aodh-rabbitmq-user
- name: Keystone create DB for service
mysql_db:
login_user: "{{ galera_root_user }}"
login_password: "{{ galera_root_password }}"
login_host: "{{ galera_address }}"
name: "{{ keystone_galera_database }}"
state: "present"
when: inventory_hostname == groups['keystone_all'][0]
delegate_to: "{{ groups['galera_all'][0] }}"
tags:
- mysql-db-setup
- name: Keystone grant access to the DB for the service
mysql_user:
login_user: "{{ galera_root_user }}"
login_password: "{{ galera_root_password }}"
login_host: "{{ galera_address }}"
name: "{{ keystone_galera_database }}"
password: "{{ keystone_container_mysql_password }}"
host: "{{ item }}"
state: "present"
priv: "{{ keystone_galera_database }}.*:ALL"
with_items:
- "localhost"
- "%"
when: inventory_hostname == groups['keystone_all'][0]
delegate_to: "{{ groups['galera_all'][0] }}"
tags:
- mysql-db-setup
roles:
- role: "os_keystone"
keystone_venv_tag: "{{ openstack_release }}"
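Review bot: The mysql_user task creates the DB account from the database-name variable, `name: "{{ keystone_galera_database }}"`, while the play's vars define a separate `keystone_galera_user: keystone`; the two only agree because both default to `keystone`, and overriding `keystone_galera_user` would presumably leave the role connecting as a user that was never created or granted, so this should read `name: "{{ keystone_galera_user }}"`. The tags on the two RabbitMQ tasks (`aodh-rabbitmq`, `aodh-rabbitmq-vhost`, `aodh-rabbitmq-user`) look copied from the aodh playbook and should be `keystone-rabbitmq`, `keystone-rabbitmq-vhost` and `keystone-rabbitmq-user`, otherwise a tag-limited run for Keystone skips them and a tag-limited run for aodh unexpectedly touches the Keystone vhost. The `"%"` entry in the grant loop lets the Keystone DB user authenticate from any host; if that is the convention for the other service playbooks it is fine, but it is worth confirming rather than inheriting by copy. The enclosing play starts before this hunk.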
@ -108,6 +159,13 @@
- "system-crontab-coordination"
vars:
galera_address: "{{ internal_lb_vip_address }}"
keystone_admin_port: 35357
is_metal: "{{ properties.is_metal|default(false) }}"
galera_root_user: "root"
keystone_admin_port: 35357
keystone_galera_user: keystone
keystone_galera_database: keystone
keystone_rabbitmq_userid: keystone
keystone_rabbitmq_vhost: /keystone
keystone_rabbitmq_servers: "{{ rabbitmq_servers }}"
keystone_rabbitmq_port: "{{ rabbitmq_port }}"
keystone_rabbitmq_use_ssl: "{{ rabbitmq_use_ssl }}"


@ -1,85 +0,0 @@
OpenStack keystone
##################
:tags: openstack, keystone, cloud, ansible
:category: \*nix
contributor guidelines
^^^^^^^^^^^^^^^^^^^^^^
Filing Bugs
-----------
Bugs should be filed on Launchpad, not GitHub: "https://bugs.launchpad.net/openstack-ansible"
When submitting a bug, or working on a bug, please ensure the following criteria are met:
* The description clearly states or describes the original problem or root cause of the problem.
* Include historical information on how the problem was identified.
* Any relevant logs are included.
* The provided information should be totally self-contained. External access to web services/sites should not be needed.
* Steps to reproduce the problem if possible.
Submitting Code
---------------
Changes to the project should be submitted for review via the Gerrit tool, following
the workflow documented at: "http://docs.openstack.org/infra/manual/developers.html#development-workflow"
Pull requests submitted through GitHub will be ignored and closed without regard.
Extra
-----
Tags:
If it's a bug that needs fixing in a branch in addition to Master, add a '\<release\>-backport-potential' tag (eg ``juno-backport-potential``). There are predefined tags that will autocomplete.
Status:
Please leave this alone, it should be New till someone triages the issue.
Importance:
Should only be touched if it is a Blocker/Gating issue. If it is, please set to High, and only use Critical if you have found a bug that can take down whole infrastructures.
Style guide
-----------
When creating tasks and other roles for use in Ansible please create then using the YAML dictionary format.
Example YAML dictionary format:
.. code-block:: yaml
- name: The name of the tasks
module_name:
thing1: "some-stuff"
thing2: "some-other-stuff"
tags:
- some-tag
- some-other-tag
Example **NOT** in YAML dictionary format:
.. code-block:: yaml
- name: The name of the tasks
module_name: thing1="some-stuff" thing2="some-other-stuff"
tags:
- some-tag
- some-other-tag
Usage of the ">" and "|" operators should be limited to Ansible conditionals and command modules such as the ansible ``shell`` module.
Issues
------
When submitting an issue, or working on an issue please ensure the following criteria are met:
* The description clearly states or describes the original problem or root cause of the problem.
* Include historical information on how the problem was identified.
* Any relevant logs are included.
* If the issue is a bug that needs fixing in a branch other than Master, add the backport potential tag TO THE ISSUE (not the PR).
* The provided information should be totally self-contained. External access to web services/sites should not be needed.
* If the issue is needed for a hotfix release, add the 'expedite' label.
* Steps to reproduce the problem if possible.


@ -1,202 +0,0 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "{}"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright {yyyy} {name of copyright owner}
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.


@ -1,22 +0,0 @@
OpenStack keystone
##################
:tags: openstack, keystone, cloud, ansible
:category: \*nix
Role to install keystone. This will install keystone using apache.
This role will install the following:
* keystone
* apache2
.. code-block:: yaml
- name: Installation and setup of Keystone
hosts: keystone_all
user: root
roles:
- { role: "os_keystone", tags: [ "os-keystone" ] }
vars:
external_lb_vip_address: 172.16.24.1
internal_lb_vip_address: 192.168.0.1
keystone_galera_address: "{{ internal_lb_vip_address }}"


@ -1,389 +0,0 @@
---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
## Verbosity Options
debug: False
verbose: True
## APT Cache options
cache_timeout: 600
# Name of the virtual env to deploy into
keystone_venv_tag: untagged
keystone_venv_bin: "/openstack/venvs/keystone-{{ keystone_venv_tag }}/bin"
# Set this to enable or disable installing in a venv
keystone_venv_enabled: true
# The bin path defaults to the venv path however if installation in a
# venv is disabled the bin path will be dynamically set based on the
# system path used when the installing.
keystone_bin: "{{ keystone_venv_bin }}"
keystone_venv_download_url: http://127.0.0.1/venvs/untagged/ubuntu/keystone.tgz
keystone_fatal_deprecations: False
## System info
keystone_system_user_name: keystone
keystone_system_group_name: keystone
keystone_system_additional_groups:
- ssl_cert
keystone_system_service_name: apache2
keystone_system_shell: /bin/bash
keystone_system_comment: keystone system user
keystone_system_user_home: "/var/lib/{{ keystone_system_user_name }}"
keystone_rpc_backend: rabbit
## Drivers
keystone_auth_methods: "password,token"
keystone_identity_driver: sql
# For a sql backed token storage use: "sql"
keystone_token_driver: memcache
keystone_token_provider: fernet
keystone_token_expiration: 43200
keystone_token_cache_time: 3600
# Set the revocation driver used within keystone.
keystone_revocation_driver: sql
keystone_revocation_cache_time: 3600
keystone_revocation_expiration_buffer: 1800
## Fernet config vars
keystone_fernet_tokens_key_repository: "/etc/keystone/fernet-keys"
keystone_fernet_tokens_max_active_keys: 7
# Any of the following rotation times are valid:
# reboot, yearly, annually, monthly, weekly, daily, hourly
keystone_fernet_rotation: daily
keystone_fernet_auto_rotation_script: /opt/keystone-fernet-rotate.sh
keystone_assignment_driver: sql
keystone_resource_cache_time: 3600
keystone_resource_driver: sql
keystone_bind_address: 0.0.0.0
## Memcached servers used within keystone.
# String or Comma separated list of servers.
keystone_memcached_servers: 127.0.0.1
keystone_memcached_max_compare_and_set_retry: 16
## DB info
keystone_galera_user: keystone
keystone_galera_database: keystone
# Database tuning
keystone_database_idle_timeout: 200
keystone_database_min_pool_size: 5
keystone_database_max_pool_size: 120
keystone_database_pool_timeout: 30
## RabbitMQ info
keystone_rabbitmq_userid: keystone
keystone_rabbitmq_vhost: /keystone
## Role info
keystone_role_name: admin
keystone_default_role_name: _member_
## Admin info
keystone_admin_port: 35357
keystone_admin_user_name: admin
keystone_admin_tenant_name: admin
keystone_admin_description: Admin Tenant
## Secure Proxy SSL Information
#keystone_secure_proxy_ssl_header: X-Forwarded-For
## Service Type and Data
keystone_service_region: RegionOne
keystone_service_name: keystone
keystone_service_port: 5000
keystone_service_proto: http
keystone_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(keystone_service_proto) }}"
keystone_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(keystone_service_proto) }}"
keystone_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(keystone_service_proto) }}"
keystone_service_type: identity
keystone_service_description: "Keystone Identity Service"
keystone_service_user_name: keystone
keystone_service_tenant_name: service
keystone_service_publicuri: "{{ keystone_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ keystone_service_port }}"
keystone_service_internaluri: "{{ keystone_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}"
keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_admin_port }}"
keystone_service_publicurl_v2: "{{ keystone_service_publicuri }}/v2.0"
keystone_service_internalurl_v2: "{{ keystone_service_internaluri }}/v2.0"
keystone_service_adminurl_v2: "{{ keystone_service_adminuri }}/v2.0"
keystone_service_publicurl_v3: "{{ keystone_service_publicuri }}/v3"
keystone_service_internalurl_v3: "{{ keystone_service_internaluri }}/v3"
keystone_service_adminurl_v3: "{{ keystone_service_adminuri }}/v3"
keystone_service_publicurl: "{{ keystone_service_publicurl_v3 }}"
keystone_service_internalurl: "{{ keystone_service_internalurl_v3 }}"
keystone_service_adminurl: "{{ keystone_service_adminurl_v3 }}"
## Set this value to override the "public_endpoint" keystone.conf variable
#keystone_public_endpoint: "{{ keystone_service_publicuri }}"
## Apache setup
keystone_apache_log_level: info
keystone_apache_servertokens: "Prod"
keystone_apache_serversignature: "Off"
keystone_wsgi_threads: 1
keystone_wsgi_processes: "{{ ansible_processor_vcpus | default (1) * 2 }}"
# set keystone_ssl to true to enable SSL configuration on the keystone containers
keystone_ssl: false
keystone_ssl_cert: /etc/ssl/certs/keystone.pem
keystone_ssl_key: /etc/ssl/private/keystone.key
keystone_ssl_ca_cert: /etc/ssl/certs/keystone-ca.pem
keystone_ssl_protocol: "{{ ssl_protocol }}"
keystone_ssl_cipher_suite: "{{ ssl_cipher_suite }}"
# if using a self-signed certificate, set this to true to regenerate it
keystone_ssl_self_signed_regen: false
keystone_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ internal_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
# Set these in user_variables to deploy custom certificates
#keystone_user_ssl_cert: <path to cert on ansible deployment host>
#keystone_user_ssl_key: <path to cert on ansible deployment host>
#keystone_user_ssl_ca_cert: <path to cert on ansible deployment host>
## Caching
# If set this will enable dog pile cache for keystone.
# keystone_cache_backend_argument: url:127.0.0.1:11211
## LDAP Section
# Define Keystone LDAP domain configuration here.
# This may be used to add configuration for a LDAP identity back-end.
# See the http://docs.openstack.org/admin-guide-cloud/keystone_integrate_with_ldap.html
#
# Each top-level entry is a domain name. Each entry below that are key: value pairs for
# the ldap section in the domain-specific configuraiton file.
#
# (EXAMPLE LAYOUT)
# keystone_ldap:
# Users:
# url: "ldap://127.0.0.1"
# user: "root"
# password: "secrete"
# ...
keystone_ldap: {}
keystone_ldap_domain_config_dir: /etc/keystone/domains
# If you want to regenerate the keystone users SSH keys, on each run, set this var to True
# Otherwise keys will be generated on the first run and not regenerated each run.
keystone_recreate_keys: False
## Policy vars
# Provide a list of access controls to update the default policy.json with. These changes will be merged
# with the access controls in the default policy.json. E.g.
#keystone_policy_overrides:
# identity:create_region: "rule:admin_required"
# identity:update_region: "rule:admin_required"
## Federation
# Enable the following section on the Keystone IdP
#keystone_idp:
# certfile: "/etc/keystone/ssl/idp_signing_cert.pem"
# keyfile: "/etc/keystone/ssl/idp_signing_key.pem"
# self_signed_cert_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}"
# regen_cert: false
# idp_entity_id: "{{ keystone_service_publicurl_v3 }}/OS-FEDERATION/saml2/idp"
# idp_sso_endpoint: "{{ keystone_service_publicurl_v3 }}/OS-FEDERATION/saml2/sso"
# idp_metadata_path: /etc/keystone/saml2_idp_metadata.xml
# service_providers:
# - id: "sp_1"
# auth_url: https://example.com:5000/v3/OS-FEDERATION/identity_providers/idp/protocols/saml2/auth
# sp_url: https://example.com:5000/Shibboleth.sso/SAML2/ECP
# # the following settings are optional
# organization_name: example_company
# organization_display_name: Example Corp.
# organization_url: example.com
# contact_company: example_company
# contact_name: John
# contact_surname: Smith
# contact_email: jsmith@example.com
# contact_telephone: 555-55-5555
# contact_type: technical
# Enable the following section in order to install and configure
# Keystone as a Resource Service Provider (SP) and to configure
# trusts with specific Identity Providers (IdP).
#keystone_sp:
# cert_duration_years: 5
# trusted_dashboard_list:
# - "https://{{ external_lb_vip_address }}/auth/websso/"
# - "https://{{ horizon_server_name }}/auth/websso/"
# trusted_idp_list:
# note that only one of these is supported at any one time for now
# - name: "keystone-idp"
# entity_ids:
# - 'https://keystone-idp:5000/v3/OS-FEDERATION/saml2/idp'
# metadata_uri: 'https://keystone-idp:5000/v3/OS-FEDERATION/saml2/metadata'
# metadata_file: 'metadata-keystone-idp.xml'
# metadata_reload: 1800
# federated_identities:
# - domain: Default
# project: fedproject
# group: fedgroup
# role: _member_
# protocols:
# - name: saml2
# mapping:
# name: keystone-idp-mapping
# rules:
# - remote:
# - type: openstack_user
# local:
# - group:
# name: fedgroup
# domain:
# name: Default
# user:
# name: '{0}'
# attributes:
# - name: openstack_user
# id: openstack_user
# - name: openstack_roles
# id: openstack_roles
# - name: openstack_project
# id: openstack_project
# - name: openstack_user_domain
# id: openstack_user_domain
# - name: openstack_project_domain
# id: openstack_project_domain
#
# - name: 'testshib-idp'
# entity_ids:
# - 'https://idp.testshib.org/idp/shibboleth'
# metadata_uri: 'http://www.testshib.org/metadata/testshib-providers.xml'
# metadata_file: 'metadata-testshib-idp.xml'
# metadata_reload: 1800
# federated_identities:
# - domain: Default
# project: fedproject
# group: fedgroup
# role: _member_
# protocols:
# - name: saml2
# mapping:
# name: testshib-idp-mapping
# rules:
# - remote:
# - type: eppn
# local:
# - group:
# name: fedgroup
# domain:
# name: Default
# - user:
# name: '{0}'
#
# - name: 'adfs-idp'
# entity_ids:
# - 'http://adfs.contoso.com/adfs/services/trust'
# metadata_uri: 'https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml'
# metadata_file: 'metadata-adfs-idp.xml'
# metadata_reload: 1800
# federated_identities:
# - domain: Default
# project: fedproject
# group: fedgroup
# role: _member_
# protocols:
# - name: saml2
# mapping:
# name: adfs-idp-mapping
# rules:
# - remote:
# - type: upn
# local:
# - group:
# name: fedgroup
# domain:
# name: Default
# - user:
# name: '{0}'
# attributes:
# - name: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
# id: upn
keystone_service_in_ldap: false
# Keystone Federation SP Packages
keystone_sp_apt_packages:
- libapache2-mod-shib2
# Keystone notification settings
keystone_ceilometer_enabled: false
# Common apt packages
keystone_apt_packages:
- apache2
- apache2-utils
- debhelper
- dh-apparmor
- docutils-common
- git
- libapache2-mod-wsgi
- libjs-sphinxdoc
- libjs-underscore
- libldap2-dev
- libsasl2-dev
- libxslt1.1
- rsync
keystone_idp_apt_packages:
- ssl-cert
- xmlsec1
# Keystone packages that must be installed before anything else
keystone_requires_pip_packages:
- virtualenv
- virtualenv-tools
- python-keystoneclient # Keystoneclient needed to OSA keystone lib
- httplib2
# Common pip packages
keystone_pip_packages:
- argparse
- keystone
- keystonemiddleware
- ldappool
- lxml
- PyMySQL
- oslo.log
- oslo.middleware
- pbr
- pycrypto
- pysaml2
- python-keystoneclient
- python-ldap
- python-memcached
- python-openstackclient
- repoze.lru
## Tunable overrides
keystone_keystone_conf_overrides: {}
keystone_keystone_default_conf_overrides: {}
keystone_keystone_paste_ini_overrides: {}
keystone_policy_overrides: {}


@ -1,22 +0,0 @@
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Keystone WebSSO redirect</title>
</head>
<body>
<form id="sso" name="sso" action="$host" method="post">
Please wait...
<br/>
<input type="hidden" name="token" id="token" value="$token"/>
<noscript>
<input type="submit" name="submit_no_javascript" id="submit_no_javascript"
value="If your JavaScript is disabled, please click to continue"/>
</noscript>
</form>
<script type="text/javascript">
window.onload = function() {
document.forms['sso'].submit();
}
</script>
</body>
</html>


@ -1,34 +0,0 @@
---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Restart Apache
service:
name: "apache2"
state: "restarted"
pattern: "apache2"
register: apache_restart
until: apache_restart|success
retries: 5
delay: 2
- name: Restart Shibd
service:
name: "shibd"
state: "restarted"
pattern: "shibd"
register: shibd_restart
until: shibd_restart|success
retries: 5
delay: 2


@ -1,120 +0,0 @@
#!/usr/bin/python
# (c) 2015, Kevin Carter <kevin.carter@rackspace.com>
#
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# import module snippets
from ansible.module_utils.basic import *
DOCUMENTATION = """
---
module: keystone_sp
version_added: "1.9.2"
short_description:
- Creates a fact for keystone_federated_identities and keystone_protocols
description:
- Sets facts called `keystone_federated_identities` and
`keystone_federated_protocols`, which are lists of hashes built from
keystone_sp using the information in the `federated_identities` and
`protocols` keys.
options:
sp_data:
description:
- Hash to build the service provider lists from
required: true
author: Kevin Carter
"""
EXAMPLES = """
# Set the keystone_federated_identities and keystone_federated_protocols facts
- keystone_sp:
sp_data: "{{ keystone_sp }}"
when: keystone_sp is defined
"""
# Keystone service provider data structure example.
"""
keystone_sp:
trusted_idp_list:
- name: "keystone-idp"
federated_identities:
- domain: Default
project: fedproject
group: fedgroup
role: _member_
protocols:
- name: saml2
mapping:
...
- name: 'testshib-idp'
federated_identities:
- domain: Default
project: fedproject2
group: fedgroup2
role: _member_
protocols:
- name: saml2
mapping:
...
"""
class KeystoneSp(object):
def __init__(self, module):
"""Generate an integer from a name."""
self.module = module
self.identities_return_list = list()
self.protocols_return_list = list()
self.sp_data = self.module.params['sp_data']
def populate_sp_data(self):
trusted_idp_list = self.sp_data['trusted_idp_list']
for trusted_idp in trusted_idp_list:
federated_identities = trusted_idp.get('federated_identities')
if federated_identities:
self.identities_return_list.extend(federated_identities)
protocols = trusted_idp.get('protocols')
if protocols:
for protocol in protocols:
self.protocols_return_list.append(
{'idp': trusted_idp, 'protocol': protocol})
def main():
module = AnsibleModule(
argument_spec=dict(
sp_data=dict(
required=True
)
),
supports_check_mode=False
)
try:
ksp = KeystoneSp(module=module)
ksp.populate_sp_data()
module.exit_json(
changed=True,
ansible_facts={
'keystone_federated_identities': ksp.identities_return_list,
'keystone_federated_protocols': ksp.protocols_return_list}
)
except Exception as exp:
resp = {'stderr': exp}
module.fail_json(msg='Failed Process', **resp)
if __name__ == '__main__':
main()


@ -1,40 +0,0 @@
---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
galaxy_info:
author: rcbops
description: Installation and setup of keystone
company: Rackspace
license: Apache2
min_ansible_version: 1.6.6
platforms:
- name: Ubuntu
versions:
- trusty
categories:
- cloud
- python
- keystone
- development
- openstack
dependencies:
- apt_package_pinning
- galera_client
- openstack_openrc
- pip_lock_down
- role: memcached_server
when: >
'memcache' in keystone_token_driver and
'fernet' not in keystone_token_provider


@ -1,98 +0,0 @@
---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Drop apache2 ports file
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "root"
group: "root"
with_items:
- { src: "keystone-ports.conf.j2", dest: "/etc/apache2/ports.conf" }
- { src: "keystone-httpd.conf.j2", dest: "/etc/apache2/sites-available/keystone-httpd.conf" }
notify:
- Restart Apache
tags:
- keystone-httpd
- name: Disable default apache site
file:
path: "/etc/apache2/sites-enabled/000-default.conf"
state: "absent"
notify:
- Restart Apache
tags:
- keystone-httpd
- name: Enabled keystone vhost
file:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
state: "{{ item.state }}"
with_items:
- { src: "/etc/apache2/sites-available/keystone-httpd.conf", dest: "/etc/apache2/sites-enabled/keystone-httpd.conf", state: "link" }
notify:
- Restart Apache
tags:
- keystone-httpd
- name: Ensure Apache ServerName
lineinfile:
dest: "/etc/apache2/apache2.conf"
line: "ServerName {{ inventory_hostname }}"
notify:
- Restart Apache
tags:
- keystone-httpd
- name: Ensure Apache ServerTokens
lineinfile:
dest: "/etc/apache2/conf-available/security.conf"
regexp: '^ServerTokens'
line: "ServerTokens {{ keystone_apache_servertokens }}"
notify:
- Restart Apache
tags:
- keystone-httpd
- name: Ensure Apache ServerSignature
lineinfile:
dest: "/etc/apache2/conf-available/security.conf"
regexp: '^ServerSignature'
line: "ServerSignature {{ keystone_apache_serversignature }}"
notify:
- Restart Apache
tags:
- keystone-httpd
- name: Enable/disable mod_ssl for apache2
apache2_module:
name: ssl
state: "{{ (keystone_ssl | bool) | ternary('present', 'absent') }}"
notify:
- Restart Apache
tags:
- keystone-httpd
- keystone-ssl
- name: Enable/disable mod_shib2 for apache2
apache2_module:
name: shib2
state: "{{ ( keystone_sp is defined ) | ternary('present', 'absent') }}"
ignore_errors: yes
notify:
- Restart Apache
tags:
- keystone-httpd


@ -1,50 +0,0 @@
---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Create DB for service
mysql_db:
login_user: "{{ galera_root_user }}"
login_password: "{{ galera_root_password }}"
login_host: "{{ keystone_galera_address }}"
name: "{{ keystone_galera_database }}"
state: "present"
tags:
- keystone-db-setup
- name: Grant access to the DB for the service
mysql_user:
login_user: "{{ galera_root_user }}"
login_password: "{{ galera_root_password }}"
login_host: "{{ keystone_galera_address }}"
name: "{{ keystone_galera_user }}"
password: "{{ keystone_container_mysql_password }}"
host: "{{ item }}"
state: "present"
priv: "{{ keystone_galera_database }}.*:ALL"
with_items:
- "localhost"
- "%"
tags:
- keystone-db-setup
- name: Perform a Keystone DB sync
command: "{{ keystone_bin }}/keystone-manage db_sync"
become: yes
become_user: "{{ keystone_system_user_name }}"
tags:
- keystone-db-setup
- keystone-db-sync
- keystone-setup
- keystone-command-bin


@ -1,152 +0,0 @@
---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# note that these tasks will run when the id/name parameter is present.
# Providing the id/name without the other required params is a user error.
# TODO: Revisit this method when Ansible 2 releases
# User with_subelements instead, but in v1.x it's broken
- name: Set keystone_federated_identities fact
keystone_sp:
sp_data: "{{ keystone_sp }}"
tags:
- keystone-federation-sp
- name: Ensure domain which remote IDP users are mapped onto exists
keystone:
command: ensure_domain
domain_name: "{{ item.domain }}"
token: "{{ keystone_auth_admin_token }}"
endpoint: "{{ keystone_service_adminurl }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
when: item.domain is defined
with_items: keystone_federated_identities
tags:
- keystone-federation-sp
- name: Ensure project which remote IDP users are mapped onto exists
keystone:
command: ensure_project
project_name: "{{ item.project }}"
domain_name: "{{ item.domain | default('Default') }}"
token: "{{ keystone_auth_admin_token }}"
endpoint: "{{ keystone_service_adminurl }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
when: item.project is defined
with_items: keystone_federated_identities
tags:
- keystone-federation-sp
- name: Ensure user which remote IDP users are mapped onto exists
keystone:
command: ensure_user
user_name: "{{ item.user }}"
password: "{{ item.password }}"
project_name: "{{ item.project }}"
domain_name: "{{ item.domain | default('Default') }}"
token: "{{ keystone_auth_admin_token }}"
endpoint: "{{ keystone_service_adminurl }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
when: >
item.user is defined and
item.password is defined and
item.project is defined
with_items: keystone_federated_identities
tags:
- keystone-federation-sp
- name: Ensure Group for external IDP users exists
keystone:
command: ensure_group
group_name: "{{ item.group }}"
domain_name: "{{ item.domain | default('Default') }}"
token: "{{ keystone_auth_admin_token }}"
endpoint: "{{ keystone_service_adminurl }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
when: item.group is defined
with_items: keystone_federated_identities
tags:
- keystone-federation-sp
- name: Ensure Role for external IDP users exists
keystone:
command: "ensure_role"
role_name: "{{ item.role | default('_member_') }}"
token: "{{ keystone_auth_admin_token }}"
endpoint: "{{ keystone_service_adminurl }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
when: >
item.group is defined and
item.project is defined
with_items: keystone_federated_identities
tags:
- keystone-federation-sp
- name: Ensure Group/Project/Role mapping exists
keystone:
command: ensure_group_role
group_name: "{{ item.group }}"
project_name: "{{ item.project }}"
role_name: "{{ item.role | default('_member_') }}"
token: "{{ keystone_auth_admin_token }}"
endpoint: "{{ keystone_service_adminurl }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
when: >
item.group is defined and
item.project is defined
with_items: keystone_federated_identities
tags:
- keystone-federation-sp
- name: Ensure mapping for external IDP attributes exists
keystone:
command: ensure_mapping
mapping_name: "{{ item.protocol.mapping.name }}"
mapping_rules: "{{ item.protocol.mapping.rules }}"
token: "{{ keystone_auth_admin_token }}"
endpoint: "{{ keystone_service_adminurl }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
when: item.protocol.mapping.name is defined
with_items: keystone_federated_protocols
tags:
- keystone-federation-sp
- name: Ensure external IDP
keystone:
command: ensure_identity_provider
idp_name: "{{ item.name }}"
idp_remote_ids: "{{ item.entity_ids }}"
idp_enabled: true
token: "{{ keystone_auth_admin_token }}"
endpoint: "{{ keystone_service_adminurl }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
when: item.name is defined
with_items: keystone_sp.trusted_idp_list
tags:
- keystone-federation-sp
- name: Ensure federation protocol exists
keystone:
command: ensure_protocol
protocol_name: "{{ item.protocol.name }}"
idp_name: "{{ item.idp.name }}"
mapping_name: "{{ item.protocol.mapping.name }}"
token: "{{ keystone_auth_admin_token }}"
endpoint: "{{ keystone_service_adminurl }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
when: item.protocol.name is defined
with_items: keystone_federated_protocols
tags:
- keystone-federation-sp


@ -1,101 +0,0 @@
---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Drop Shibboleth Config
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "{{ keystone_system_user_name }}"
group: "{{ keystone_system_group_name }}"
mode: "{{ item.mode|default('0644') }}"
with_items:
- { src: "shibboleth-attribute-map.xml.j2", dest: "/etc/shibboleth/attribute-map.xml" }
- { src: "shibboleth2.xml.j2", dest: "/etc/shibboleth/shibboleth2.xml" }
notify:
- Restart Shibd
tags:
- keystone-config
- keystone-federation-sp
- name: Generate the Shibboleth SP key-pair
shell: "shib-keygen -h {{ external_lb_vip_address }} -y {{ keystone_sp.cert_duration_years }}"
args:
creates: "/etc/shibboleth/sp-cert.pem"
when: inventory_hostname == groups['keystone_all'][0]
notify:
- Restart Apache
- Restart Shibd
tags:
- keystone-config
- keystone-federation-sp
- name: Store Shibboleth SP key-pair
memcached:
name: "{{ item.name }}"
file_path: "{{ item.src }}"
state: "present"
server: "{{ memcached_servers }}"
encrypt_string: "{{ memcached_encryption_key }}"
with_items:
- { src: "/etc/shibboleth/sp-cert.pem", name: "keystone_sp_cert" }
- { src: "/etc/shibboleth/sp-key.pem", name: "keystone_sp_key" }
register: memcache_keys
until: memcache_keys|success
retries: 5
delay: 2
when: inventory_hostname == groups['keystone_all'][0]
tags:
- keystone-config
- keystone-federation-sp
- name: Distribute the Shibboleth SP key-pair
memcached:
name: "{{ item.name }}"
file_path: "{{ item.src }}"
state: "retrieve"
file_mode: "{{ item.file_mode }}"
dir_mode: "{{ item.dir_mode }}"
server: "{{ memcached_servers }}"
encrypt_string: "{{ memcached_encryption_key }}"
with_items:
- { src: "/etc/shibboleth/sp-cert.pem", name: "keystone_sp_cert", file_mode: "0640", dir_mode: "0750" }
- { src: "/etc/shibboleth/sp-key.pem", name: "keystone_sp_key", file_mode: "0600", dir_mode: "0750" }
register: memcache_keys
until: memcache_keys|success
retries: 5
delay: 2
when: inventory_hostname != groups['keystone_all'][0]
notify:
- Restart Apache
- Restart Shibd
tags:
- keystone-config
- keystone-federation-sp
- name: Set appropriate file ownership on the Shibboleth SP key-pair
file:
path: "{{ item }}"
owner: "_shibd"
group: "_shibd"
with_items:
- "/etc/shibboleth/sp-cert.pem"
- "/etc/shibboleth/sp-key.pem"
when: inventory_hostname != groups['keystone_all'][0]
notify:
- Restart Apache
- Restart Shibd
tags:
- keystone-config
- keystone-federation-sp


@ -1,24 +0,0 @@
---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- include: keystone_fernet_keys_create.yml
when: >
inventory_hostname == groups['keystone_all'][0]
- include: keystone_fernet_keys_distribute.yml
when: >
inventory_hostname == groups['keystone_all'][0]
- include: keystone_fernet_keys_autorotate.yml


@ -1,53 +0,0 @@
---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# This script is being created with mode 0755 intentionally. This is so that the
# script can be executed by root to rotate the keys as needed. The script being
# executed will always change it's user context to the keystone user before
# execution and while the script may be world read/executable its contains only
# the necessary bits that are required to run the rotate and sync commands.
- name: Drop fernet key auto rotate script
template:
src: "keystone-fernet-rotate.sh.j2"
dest: "{{ keystone_fernet_auto_rotation_script }}"
owner: "{{ keystone_system_user_name }}"
group: "{{ keystone_system_group_name }}"
mode: "1755"
tags:
- keystone-fernet-auto-rotate
# This creates the auto rotation job on the first keystone host.
- name: Create auto rotation job
cron:
name: "Fernet auto rotate job"
special_time: "{{ keystone_fernet_rotation }}"
user: "keystone"
job: "{{ keystone_fernet_auto_rotation_script }}"
cron_file: keystone-fernet-rotate
when: >
inventory_hostname == groups['keystone_all'][0]
tags:
- keystone-fernet-auto-rotate
# This makes sure that no auto rotation jobs are on any other hosts.
- name: Remove extra auto rotation job
cron:
name: "Fernet auto rotate job"
cron_file: keystone-fernet-rotate
state: "absent"
when: >
inventory_hostname != groups['keystone_all'][0]
tags:
- keystone-fernet-auto-rotate


@ -1,46 +0,0 @@
---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Check if fernet keys already exist
stat:
path: "{{ keystone_fernet_tokens_key_repository }}/0"
register: _fernet_keys
tags:
- keystone-fernet
- name: Create fernet keys for Keystone
command: >
{{ keystone_bin }}/keystone-manage fernet_setup
--keystone-user "{{ keystone_system_user_name }}"
--keystone-group "{{ keystone_system_group_name }}"
become: yes
become_user: "{{ keystone_system_user_name }}"
when: not _fernet_keys.stat.exists
tags:
- keystone-setup
- keystone-fernet
- keystone-command-bin
- name: Rotate fernet keys for Keystone
command: >
{{ keystone_bin }}/keystone-manage fernet_rotate
--keystone-user "{{ keystone_system_user_name }}"
--keystone-group "{{ keystone_system_group_name }}"
become: yes
become_user: "{{ keystone_system_user_name }}"
when: _fernet_keys.stat.exists
tags:
- keystone-fernet
- keystone-command-bin


@ -1,27 +0,0 @@
---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Distribute the fernet key repository
shell: |
rsync -e 'ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' \
-avz \
--delete \
{{ keystone_fernet_tokens_key_repository }}/ \
{{ keystone_system_user_name }}@{{ hostvars[item]['ansible_ssh_host'] }}:{{ keystone_fernet_tokens_key_repository }}/
become: yes
become_user: "{{ keystone_system_user_name }}"
with_items: groups['keystone_all'][1:]
tags:
- keystone-fernet-distribute


@ -1,26 +0,0 @@
---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Generate IdP metadata
shell: |
{{ keystone_bin }}/keystone-manage saml_idp_metadata > {{ keystone_idp.idp_metadata_path }}
become: yes
become_user: "{{ keystone_system_user_name }}"
when: keystone_idp is defined
notify:
- Restart Apache
tags:
- keystone-config
- keystone-idp


@ -1,48 +0,0 @@
---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Remove IdP self-signed certificate for regen
file:
dest: "{{ keystone_idp.cerfile }}"
state: "absent"
when: >
keystone_idp.regen_cert == true or
keystone_idp.regen_cert == "True"
- name: Create IdP self-signed ssl cert
command: >
openssl req -new -nodes -sha256 -x509 -subj
"{{ keystone_idp.self_signed_cert_subject }}"
-days 3650
-keyout {{ keystone_idp.keyfile }}
-out {{ keystone_idp.certfile }}
-extensions v3_ca
creates={{ keystone_idp.certfile }}
when: >
inventory_hostname == groups['keystone_all'][0]
notify: Restart Apache
tags:
- keystone-config
- keystone-idp
- name: Set appropriate file ownership on the IdP self-signed cert
file:
path: "{{ item }}"
owner: "{{ keystone_system_user_name }}"
group: "{{ keystone_system_group_name }}"
mode: "0640"
with_items:
- "{{ keystone_idp.keyfile }}"
- "{{ keystone_idp.certfile }}"


@ -1,44 +0,0 @@
---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Distribute IdP self-signed certificate
memcached:
name: "{{ item.name }}"
file_path: "{{ item.src }}"
state: "retrieve"
file_mode: "{{ item.file_mode }}"
dir_mode: "{{ item.dir_mode }}"
server: "{{ memcached_servers }}"
encrypt_string: "{{ memcached_encryption_key }}"
with_items:
- { src: "{{ keystone_idp.certfile }}", name: "keystone_idp_cert", file_mode: "0640", dir_mode: "0750" }
- { src: "{{ keystone_idp.keyfile }}", name: "keystone_idp_key", file_mode: "0640", dir_mode: "0750" }
register: memcache_keys
until: memcache_keys|success
retries: 5
delay: 2
notify: Restart Apache
tags:
- keystone-idp
- name: Set appropriate file ownership on the IdP self-signed cert
file:
path: "{{ item }}"
owner: "{{ keystone_system_user_name }}"
group: "{{ keystone_system_group_name }}"
mode: "0640"
with_items:
- "{{ keystone_idp.keyfile }}"
- "{{ keystone_idp.certfile }}"


@ -1,31 +0,0 @@
---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Store IdP self-signed certificate
memcached:
name: "{{ item.name }}"
file_path: "{{ item.src }}"
state: "present"
server: "{{ memcached_servers }}"
encrypt_string: "{{ memcached_encryption_key }}"
with_items:
- { src: "{{ keystone_idp.certfile }}", name: "keystone_idp_cert" }
- { src: "{{ keystone_idp.keyfile }}", name: "keystone_idp_key" }
register: memcache_keys
until: memcache_keys|success
retries: 5
delay: 2
tags:
- keystone-idp


@ -1,30 +0,0 @@
---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- include: keystone_idp_self_signed_create.yml
when: >
inventory_hostname == groups['keystone_all'][0]
- include: keystone_idp_self_signed_store.yml
when: >
inventory_hostname == groups['keystone_all'][0]
- include: keystone_idp_self_signed_distribute.yml
when: >
inventory_hostname != groups['keystone_all'][0]
- include: keystone_idp_metadata.yml
- include: keystone_idp_sp_setup.yml


@ -1,30 +0,0 @@
---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Register service providers
keystone:
command: "ensure_service_provider"
token: "{{ keystone_auth_admin_token }}"
endpoint: "{{ keystone_service_adminurl }}"
sp_name: "{{ item.id }}"
sp_url: "{{ item.sp_url }}"
sp_auth_url: "{{ item.auth_url }}"
with_items: keystone_idp.service_providers
register: add_service_providers
until: add_service_providers|success
retries: 5
delay: 10
tags:
- keystone-idp


@ -1,218 +0,0 @@
---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#TODO(evrardjp): Replace the next 2 tasks by a standard apt with cache
#when https://github.com/ansible/ansible-modules-core/pull/1517 is merged
#in 1.9.x or we move to 2.0 (if tested working)
- name: Check apt last update file
stat:
path: /var/cache/apt
register: apt_cache_stat
tags:
- keystone-apt-packages
- name: Update apt if needed
apt:
update_cache: yes
when: "ansible_date_time.epoch|float - apt_cache_stat.stat.mtime > {{cache_timeout}}"
tags:
- keystone-apt-packages
- name: Install apt packages
apt:
pkg: "{{ item }}"
state: latest
register: install_packages
until: install_packages|success
retries: 5
delay: 2
with_items: keystone_apt_packages
tags:
- keystone-install
- keystone-apt-packages
- name: Install IdP apt packages
apt:
pkg: "{{ item }}"
state: latest
register: install_packages
until: install_packages|success
retries: 5
delay: 2
with_items: keystone_idp_apt_packages
when: keystone_idp is defined
tags:
- keystone-install
- keystone-apt-packages
- name: Install SP apt packages
apt:
pkg: "{{ item }}"
state: latest
register: install_packages
until: install_packages|success
retries: 5
delay: 2
with_items: keystone_sp_apt_packages
when: keystone_sp is defined
tags:
- keystone-install
- keystone-apt-packages
- name: Install requires pip packages
pip:
name: "{{ item }}"
state: present
extra_args: "{{ pip_install_options|default('') }}"
register: install_packages
until: install_packages|success
retries: 5
delay: 2
with_items: keystone_requires_pip_packages
tags:
- keystone-install
- keystone-pip-packages
- name: Get local venv checksum
stat:
path: "/var/cache/{{ keystone_venv_download_url | basename }}"
get_md5: False
when: keystone_venv_enabled | bool
register: local_venv_stat
tags:
- keystone-install
- keystone-pip-packages
- name: Get remote venv checksum
uri:
url: "{{ keystone_venv_download_url | replace('tgz', 'checksum') }}"
return_content: True
when: keystone_venv_enabled | bool
register: remote_venv_checksum
tags:
- keystone-install
- keystone-pip-packages
# TODO: When project moves to ansible 2 we can pass this a sha256sum which will:
# a) allow us to remove force: yes
# b) allow the module to calculate the checksum of dest file which would
# result in file being downloaded only if provided and dest sha256sum
# checksums differ
- name: Attempt venv download
get_url:
url: "{{ keystone_venv_download_url }}"
dest: "/var/cache/{{ keystone_venv_download_url | basename }}"
force: yes
ignore_errors: true
register: get_venv
when:
- keystone_venv_enabled | bool
- (local_venv_stat.stat.exists == False or
{{ local_venv_stat.stat.checksum is defined and local_venv_stat.stat.checksum != remote_venv_checksum.content | trim }})
tags:
- keystone-install
- keystone-pip-packages
- name: Set keystone get_venv fact
set_fact:
keystone_get_venv: "{{ get_venv }}"
when: keystone_venv_enabled | bool
tags:
- keystone-install
- keystone-pip-packages
- name: Remove existing venv
file:
path: "{{ keystone_venv_bin | dirname }}"
state: absent
when:
- keystone_venv_enabled | bool
- keystone_get_venv | changed
tags:
- keystone-install
- keystone-pip-packages
- name: Create keystone venv dir
file:
path: "{{ keystone_venv_bin | dirname }}"
state: directory
when:
- keystone_venv_enabled | bool
- keystone_get_venv | changed
tags:
- keystone-install
- keystone-pip-packages
- name: Unarchive pre-built venv
unarchive:
src: "/var/cache/{{ keystone_venv_download_url | basename }}"
dest: "{{ keystone_venv_bin | dirname }}"
copy: "no"
when:
- keystone_venv_enabled | bool
- keystone_get_venv | changed
notify:
- Restart Apache
tags:
- keystone-install
- keystone-pip-packages
- name: Update virtualenv path
command: >
virtualenv-tools --update-path=auto {{ keystone_venv_bin | dirname }}
when:
- keystone_venv_enabled | bool
- keystone_get_venv | success
tags:
- keystone-install
- keystone-pip-packages
- name: Install pip packages (venv)
pip:
name: "{{ item }}"
state: present
virtualenv: "{{ keystone_venv_bin | dirname }}"
virtualenv_site_packages: "no"
extra_args: "{{ pip_install_options|default('') }}"
register: install_packages
until: install_packages|success
retries: 5
delay: 2
with_items: keystone_pip_packages
when:
- keystone_venv_enabled | bool
- keystone_get_venv | failed
notify:
- Restart Apache
tags:
- keystone-install
- keystone-pip-packages
- name: Install pip packages (no venv)
pip:
name: "{{ item }}"
state: present
extra_args: "{{ pip_install_options|default('') }}"
register: install_packages
until: install_packages|success
retries: 5
delay: 2
with_items: keystone_pip_packages
when: not keystone_venv_enabled | bool
notify:
- Restart Apache
tags:
- keystone-install
- keystone-pip-packages


@ -1,23 +0,0 @@
---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Create authorized keys file from host vars
authorized_key:
user: "{{ keystone_system_user_name }}"
key: "{{ hostvars[item]['keystone_pubkey'] | b64decode }}"
with_items: groups['keystone_all']
tags:
- keystone-key
- keystone-key-distribute


@ -1,30 +0,0 @@
---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Get public key contents and store as var
slurp:
src: "{{ keystone_system_user_home }}/.ssh/id_rsa.pub"
register: keystone_pub
changed_when: false
tags:
- keystone-key
- keystone-key-create
- name: Register a fact for the keystone pub key
set_fact:
keystone_pubkey: "{{ keystone_pub.content }}"
tags:
- keystone-key
- keystone-key-create


@ -1,24 +0,0 @@
---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- include: keystone_key_populate.yml
tags:
- keystone-key
- keystone-key-create
- include: keystone_key_distribute.yml
tags:
- keystone-key
- keystone-key-distribute


@ -1,41 +0,0 @@
---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Create Keystone LDAP domains
keystone:
command: ensure_domain
domain_name: "{{ item.key }}"
token: "{{ keystone_auth_admin_token }}"
endpoint: "{{ keystone_service_adminurl }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
with_dict: keystone_ldap
run_once: true
tags:
- keystone-ldap-domain-create
- name: Create Keystone LDAP domain configs
template:
src: keystone.domain.conf.j2
dest: "{{ keystone_ldap_domain_config_dir }}/keystone.{{ item.key }}.conf"
owner: "{{ keystone_system_user_name }}"
group: "{{ keystone_system_group_name }}"
mode: "0644"
with_dict: keystone_ldap
notify:
- Restart Apache
tags:
- keystone-ldap-domain-config


@ -1,37 +0,0 @@
---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Ensure Rabbitmq vhost
rabbitmq_vhost:
name: "{{ keystone_rabbitmq_vhost }}"
state: "present"
delegate_to: "{{ groups['rabbitmq_all'][0] }}"
tags:
- keystone-rabbitmq
- keystone-rabbitmq-vhost
- name: Ensure rabbitmq user
rabbitmq_user:
user: "{{ keystone_rabbitmq_userid }}"
password: "{{ keystone_rabbitmq_password }}"
vhost: "{{ keystone_rabbitmq_vhost }}"
configure_priv: ".*"
read_priv: ".*"
write_priv: ".*"
state: "present"
delegate_to: "{{ groups['rabbitmq_all'][0] }}"
tags:
- keystone-rabbitmq
- keystone-rabbitmq-user


@ -1,86 +0,0 @@
---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Copy keystone config
config_template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "{{ keystone_system_user_name }}"
group: "{{ keystone_system_group_name }}"
mode: "0644"
config_overrides: "{{ item.config_overrides }}"
config_type: "{{ item.config_type }}"
with_items:
- src: "keystone.conf.j2"
dest: "/etc/keystone/keystone.conf"
config_overrides: "{{ keystone_keystone_conf_overrides }}"
config_type: "ini"
- src: "keystone-paste.ini.j2"
dest: "/etc/keystone/keystone-paste.ini"
config_overrides: "{{ keystone_keystone_paste_ini_overrides }}"
config_type: "ini"
- src: "policy.json.j2"
dest: "/etc/keystone/policy.json"
config_overrides: "{{ keystone_policy_overrides }}"
config_type: "json"
notify:
- Restart Apache
tags:
- keystone-config
- name: Drop Keystone Configs
copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "{{ keystone_system_user_name }}"
group: "{{ keystone_system_group_name }}"
mode: "{{ item.mode|default('0644') }}"
with_items:
- { src: "sso_callback_template.html", dest: "/etc/keystone/sso_callback_template.html" }
notify:
- Restart Apache
tags:
- keystone-config
- name: Drop Keystone WSGI Configs
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "{{ keystone_system_user_name }}"
group: "{{ keystone_system_group_name }}"
mode: "{{ item.mode|default('0644') }}"
with_items:
- { src: "keystone-wsgi.py.j2", dest: "/var/www/cgi-bin/keystone/admin", mode: "0755" }
- { src: "keystone-wsgi.py.j2", dest: "/var/www/cgi-bin/keystone/main", mode: "0755" }
notify:
- Restart Apache
tags:
- keystone-config
- name: Get keystone command path
command: which keystone
register: keystone_command_path
when:
- not keystone_venv_enabled | bool
tags:
- keystone-command-bin
- name: Set keystone command path
set_fact:
keystone_bin: "{{ keystone_command_path.stdout | dirname }}"
when:
- not keystone_venv_enabled | bool
tags:
- keystone-command-bin


@ -1,124 +0,0 @@
---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: create the system group
group:
name: "{{ keystone_system_group_name }}"
state: "present"
system: "yes"
tags:
- keystone-group
- name: create additional groups
group:
name: "{{ item }}"
state: "present"
system: "yes"
with_items: keystone_system_additional_groups
tags:
- keystone-group
- name: Remove old key file(s) if found
file:
path: "{{ item }}"
state: "absent"
with_items:
- "{{ keystone_system_user_home }}/.ssh/authorized_keys"
- "{{ keystone_system_user_home }}/.ssh/id_rsa"
- "{{ keystone_system_user_home }}/.ssh/id_rsa.pub"
when: keystone_recreate_keys | bool
tags:
- keystone-key
- keystone-key-create
- name: Create the keystone system user
user:
name: "{{ keystone_system_user_name }}"
group: "{{ keystone_system_group_name }}"
groups: "{{ keystone_system_additional_groups | join(',') }}"
comment: "{{ keystone_system_comment }}"
shell: "{{ keystone_system_shell }}"
system: "yes"
createhome: "yes"
home: "{{ keystone_system_user_home }}"
generate_ssh_key: "yes"
tags:
- keystone-user
- keystone-key
- keystone-key-create
- name: Create keystone dir
file:
path: "{{ item.path }}"
state: directory
owner: "{{ item.owner|default(keystone_system_user_name) }}"
group: "{{ item.group|default(keystone_system_group_name) }}"
mode: "{{ item.mode|default(0755) }}"
with_items:
- { path: "/openstack", mode: "0755", owner: "root", group: "root" }
- { path: "/etc/keystone" }
- { path: "{{ keystone_ldap_domain_config_dir }}" }
- { path: "/etc/keystone/ssl" }
- { path: "{{ keystone_fernet_tokens_key_repository }}", mode: "2750"}
- { path: "/etc/sudoers.d", mode: "0750", owner: "root", group: "root" }
- { path: "{{ keystone_system_user_home }}" }
- { path: "/var/www/cgi-bin", owner: root, group: root }
- { path: "/var/www/cgi-bin/keystone" }
tags:
- keystone-dirs
- name: Create keystone venv dir
file:
path: "{{ item.path }}"
state: directory
with_items:
- { path: "/openstack/venvs" }
- { path: "{{ keystone_venv_bin }}" }
when: keystone_venv_enabled | bool
tags:
- keystone-dirs
- name: Test for log directory or link
shell: |
if [ -h "/var/log/keystone" ]; then
chown -h {{ keystone_system_user_name }}:{{ keystone_system_group_name }} "/var/log/keystone"
chown -R {{ keystone_system_user_name }}:{{ keystone_system_group_name }} "$(readlink /var/log/keystone)"
else
exit 1
fi
register: log_dir
failed_when: false
changed_when: log_dir.rc != 0
tags:
- keystone-dirs
- keystone-logs
- name: Create keystone log dir
file:
path: "{{ item.path }}"
state: directory
owner: "{{ item.owner|default(keystone_system_user_name) }}"
group: "{{ item.group|default(keystone_system_group_name) }}"
mode: "{{ item.mode|default('0755') }}"
with_items:
- { path: "/var/log/keystone" }
when: log_dir.rc != 0
tags:
- keystone-dirs
- keystone-logs
- include: keystone_messaging_setup.yml
when: >
inventory_hostname == groups['keystone_all'][0]


@ -1,231 +0,0 @@
---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Restart service
service:
name: "{{ keystone_system_service_name }}"
state: restarted
pattern: "{{ keystone_system_service_name }}"
tags:
- keystone-db-sync
- keystone-setup
- name: Wait for keystone admin to come up
wait_for:
host: "{{ ansible_ssh_host }}"
port: "{{ keystone_admin_port }}"
timeout: 25
delay: 10
tags:
- keystone-db-sync
- keystone-setup
- name: Wait for keystone service to come up
wait_for:
host: "{{ ansible_ssh_host }}"
port: "{{ keystone_service_port }}"
timeout: 25
delay: 10
tags:
- keystone-db-sync
- keystone-setup
# Create a service tenant
- name: Ensure service tenant
keystone:
command: "ensure_tenant"
token: "{{ keystone_auth_admin_token }}"
endpoint: "{{ keystone_service_adminurl }}"
tenant_name: "{{ keystone_service_tenant_name }}"
description: "{{ keystone_service_description }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5
delay: 10
tags:
- keystone-api-setup
- keystone-setup
# Create an admin tenant
- name: Ensure admin tenant
keystone:
command: "ensure_tenant"
token: "{{ keystone_auth_admin_token }}"
endpoint: "{{ keystone_service_adminurl }}"
tenant_name: "{{ keystone_admin_tenant_name }}"
description: "{{ keystone_admin_description }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5
delay: 10
tags:
- keystone-api-setup
- keystone-setup
# Create an admin user
- name: Ensure Admin user
keystone:
command: "ensure_user"
token: "{{ keystone_auth_admin_token }}"
endpoint: "{{ keystone_service_adminurl }}"
user_name: "{{ keystone_admin_user_name }}"
tenant_name: "{{ keystone_admin_tenant_name }}"
password: "{{ keystone_auth_admin_password }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
when: not keystone_service_in_ldap | bool
until: add_service|success
retries: 5
delay: 10
tags:
- keystone-api-setup
- keystone-setup
# Create an admin role
- name: Ensure Admin role
keystone:
command: "ensure_role"
token: "{{ keystone_auth_admin_token }}"
endpoint: "{{ keystone_service_adminurl }}"
role_name: "{{ keystone_role_name }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5
delay: 10
tags:
- keystone-api-setup
- keystone-setup
# Add a role to the user
- name: Ensure Admin user to Admin role
keystone:
command: "ensure_user_role"
token: "{{ keystone_auth_admin_token }}"
endpoint: "{{ keystone_service_adminurl }}"
user_name: "{{ keystone_admin_user_name }}"
tenant_name: "{{ keystone_admin_tenant_name }}"
role_name: "{{ keystone_role_name }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
when: not keystone_service_in_ldap | bool
until: add_service|success
retries: 5
delay: 10
tags:
- keystone-api-setup
- keystone-setup
# Add the default user role
- name: Ensure default keystone user role
keystone:
command: "ensure_role"
token: "{{ keystone_auth_admin_token }}"
endpoint: "{{ keystone_service_adminurl }}"
role_name: "{{ keystone_default_role_name }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_member_role
when: not keystone_service_in_ldap | bool
until: add_member_role|success
retries: 5
delay: 10
tags:
- keystone-api-setup
- keystone-setup
# Create a service
- name: Ensure Keystone Service
keystone:
command: "ensure_service"
token: "{{ keystone_auth_admin_token }}"
endpoint: "{{ keystone_service_adminurl }}"
service_name: "{{ keystone_service_name }}"
service_type: "{{ keystone_service_type }}"
description: "{{ keystone_service_description }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5
delay: 10
tags:
- keystone-api-setup
- keystone-service-add
- keystone-setup
# Create a service user
- name: Ensure Keystone user
keystone:
command: "ensure_user"
token: "{{ keystone_auth_admin_token }}"
endpoint: "{{ keystone_service_adminurl }}"
user_name: "{{ keystone_service_user_name }}"
tenant_name: "{{ keystone_service_tenant_name }}"
password: "{{ keystone_service_password }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5
delay: 10
tags:
- keystone-api-setup
- keystone-service-add
- keystone-setup
# Add a role to the user
- name: Ensure Keystone user to Admin role
keystone:
command: "ensure_user_role"
token: "{{ keystone_auth_admin_token }}"
endpoint: "{{ keystone_service_adminurl }}"
user_name: "{{ keystone_service_user_name }}"
tenant_name: "{{ keystone_service_tenant_name }}"
role_name: "{{ keystone_role_name }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
until: add_service|success
retries: 5
delay: 10
tags:
- keystone-api-setup
- keystone-service-add
- keystone-setup
# Create an endpoint
- name: Ensure Keystone Endpoint
keystone:
command: "ensure_endpoint"
token: "{{ keystone_auth_admin_token }}"
endpoint: "{{ keystone_service_adminurl }}"
region_name: "{{ keystone_service_region }}"
service_name: "{{ keystone_service_name }}"
service_type: "{{ keystone_service_type }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
endpoint_list:
- url: "{{ keystone_service_publicurl }}"
interface: "public"
- url: "{{ keystone_service_adminurl }}"
interface: "admin"
- url: "{{ keystone_service_internalurl }}"
interface: "internal"
register: add_service
until: add_service|success
retries: 5
delay: 10
tags:
- keystone-api-setup
- keystone-service-add
- keystone-setup


@ -1,25 +0,0 @@
---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- include: keystone_ssl_self_signed.yml
when: >
keystone_ssl | bool and
(keystone_user_ssl_cert is not defined or keystone_user_ssl_key is not defined)
tags:
- keystone-ssl
- include: keystone_ssl_user_provided.yml
tags:
- keystone-ssl


@ -1,36 +0,0 @@
---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Remove self signed cert for regen
file:
dest: "{{ keystone_ssl_cert }}"
state: "absent"
when: keystone_ssl_self_signed_regen | bool
tags:
- keystone-ssl
- name: Create self-signed Apache ssl cert
command: >
openssl req -new -nodes -sha256 -x509 -subj
"{{ keystone_ssl_self_signed_subject }}"
-days 3650
-keyout {{ keystone_ssl_key }}
-out {{ keystone_ssl_cert }}
-extensions v3_ca
creates={{ keystone_ssl_cert }}
notify: Restart Apache
tags:
- keystone-configs
- keystone-ssl


@ -1,35 +0,0 @@
---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Distribute self signed cert and key
memcached:
name: "{{ item.name }}"
file_path: "{{ item.src }}"
state: "retrieve"
file_mode: "{{ item.file_mode }}"
dir_mode: "{{ item.dir_mode }}"
server: "{{ memcached_servers }}"
encrypt_string: "{{ memcached_encryption_key }}"
with_items:
- { src: "{{ keystone_ssl_cert }}", name: "keystone_ssl_cert", file_mode: "0644", dir_mode: "0755" }
- { src: "{{ keystone_ssl_key }}", name: "keystone_ssl_key", file_mode: "0640", dir_mode: "0750" }
register: memcache_keys
until: memcache_keys|success
retries: 5
delay: 2
notify: Restart Apache
tags:
- keystone-config
- keystone-ssl


@ -1,31 +0,0 @@
---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Store self signed cert and key
memcached:
name: "{{ item.name }}"
file_path: "{{ item.src }}"
state: "present"
server: "{{ memcached_servers }}"
encrypt_string: "{{ memcached_encryption_key }}"
with_items:
- { src: "{{ keystone_ssl_cert }}", name: "keystone_ssl_cert" }
- { src: "{{ keystone_ssl_key }}", name: "keystone_ssl_key" }
register: memcache_keys
until: memcache_keys|success
retries: 5
delay: 2
tags:
- keystone-ssl


@ -1,26 +0,0 @@
---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- include: keystone_ssl_key_create.yml
when: >
inventory_hostname == groups['keystone_all'][0]
- include: keystone_ssl_key_store.yml
when: >
inventory_hostname == groups['keystone_all'][0]
- include: keystone_ssl_key_distribute.yml
when: >
inventory_hostname != groups['keystone_all'][0]


@ -1,53 +0,0 @@
---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Drop user provided ssl cert
copy:
src: "{{ keystone_user_ssl_cert }}"
dest: "{{ keystone_ssl_cert }}"
owner: "root"
group: "root"
mode: "0644"
when: keystone_user_ssl_cert is defined
notify: Restart Apache
tags:
- keystone-configs
- keystone-ssl
- name: Drop user provided ssl key
copy:
src: "{{ keystone_user_ssl_key }}"
dest: "{{ keystone_ssl_key }}"
owner: "root"
group: "root"
mode: "0640"
when: keystone_user_ssl_key is defined
notify: Restart Apache
tags:
- keystone-configs
- keystone-ssl
- name: Drop user provided ssl CA cert
copy:
src: "{{ keystone_user_ssl_ca_cert }}"
dest: "{{ keystone_ssl_ca_cert }}"
owner: "root"
group: "root"
mode: "0644"
when: keystone_user_ssl_ca_cert is defined
notify: Restart Apache
tags:
- keystone-configs
- keystone-ssl


@ -1,23 +0,0 @@
---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Add keystone token_flush cron job
cron:
name: "Clear out stale keystone tokens"
minute: 0
job: "{{ keystone_bin }}/keystone-manage token_flush"
user: "{{ keystone_system_user_name }}"
tags:
- keystone-config


@ -1,65 +0,0 @@
---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- include: keystone_pre_install.yml
- include: keystone_install.yml
- include: keystone_post_install.yml
- include: keystone_key_setup.yml
tags:
- keystone-key
- keystone-key-distribute
- include: keystone_fernet.yml
tags:
- keystone-fernet
when: >
'fernet' in keystone_token_provider
- include: keystone_federation_sp_setup.yml
when: >
keystone_sp is defined
- include: keystone_db_setup.yml
when: >
inventory_hostname == groups['keystone_all'][0]
- include: keystone_token_cleanup.yml
when: >
'sql' in keystone_token_driver
- include: keystone_ssl.yml
- include: keystone_apache.yml
- include: keystone_service_setup.yml
when: >
inventory_hostname == groups['keystone_all'][0]
- include: keystone_ldap_setup.yml
tags:
- keystone-config
- keystone-ldap
- include: keystone_federation_sp_idp_setup.yml
when: >
keystone_sp is defined and
inventory_hostname == groups['keystone_all'][0]
- name: Flush handlers
meta: flush_handlers
- include: keystone_idp_setup.yml
when: >
keystone_idp is defined


@ -1,56 +0,0 @@
#!/usr/bin/env bash
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# {{ ansible_managed }}
# This script is being created with mode 0755 intentionally. This is so that the
# script can be executed by root to rotate the keys as needed. The script being
# executed will always change it's user context to the keystone user before
# execution and while the script may be world read/executable its contains only
# the necessary bits that are required to run the rotate and sync commands.
function autorotate {
# Rotate the keys
{{ keystone_bin }}/keystone-manage fernet_rotate \
--keystone-user "{{ keystone_system_user_name }}" \
--keystone-group "{{ keystone_system_group_name }}"
{% for host in groups['keystone_all'] %}
{% if inventory_hostname != host %}
# Fernet sync job to "{{ host }}"
rsync -e 'ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' \
-avz \
--delete \
{{ keystone_fernet_tokens_key_repository }}/ \
{{ keystone_system_user_name }}@{{ hostvars[host]['ansible_ssh_host'] }}:{{ keystone_fernet_tokens_key_repository }}/
{%- endif %}
{%- endfor %}
}
if [ "$(id -u)" == "0" ];then
# Change the script context to always execute as the "{{ keystone_system_user_name }}" user.
su - "{{ keystone_system_user_name }}" -s "/bin/bash" -c bash << EOC
{{ keystone_fernet_auto_rotation_script }}
EOC
elif [ "$(whoami)" == "{{ keystone_system_user_name }}" ];then
logger $(autorotate)
else
echo "Failed - you do not have permission to rotate, or you've executed the job as the wrong user."
exit 99
fi


@ -1,89 +0,0 @@
# {{ ansible_managed }}
<VirtualHost *:{{ keystone_service_port }}>
WSGIDaemonProcess keystone-service user={{ keystone_system_user_name }} group={{ keystone_system_group_name }} processes={{ keystone_wsgi_processes }} threads={{ keystone_wsgi_threads }} display-name=%{GROUP}
WSGIProcessGroup keystone-service
WSGIScriptAlias / /var/www/cgi-bin/keystone/main
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
LogLevel {{ keystone_apache_log_level }}
ErrorLog /var/log/keystone/keystone-apache-error.log
CustomLog /var/log/keystone/ssl_access.log combined
Options +FollowSymLinks
{% if keystone_ssl | bool and keystone_service_internaluri_proto == "https" -%}
SSLEngine on
SSLCertificateFile {{ keystone_ssl_cert }}
SSLCertificateKeyFile {{ keystone_ssl_key }}
{% if keystone_user_ssl_ca_cert is defined -%}
SSLCACertificateFile {{ keystone_ssl_ca_cert }}
{% endif -%}
SSLCompression Off
SSLProtocol {{ keystone_ssl_protocol }}
SSLHonorCipherOrder On
SSLCipherSuite {{ keystone_ssl_cipher_suite }}
SSLOptions +StdEnvVars +ExportCertData
{% endif %}
{% if keystone_sp is defined -%}
ShibURLScheme {{ keystone_service_publicuri_proto }}
<Location /Shibboleth.sso>
SetHandler shib
</Location>
<Location /v3/auth/OS-FEDERATION/websso/saml2>
AuthType shibboleth
ShibRequestSetting requireSession 1
ShibRequestSetting exportAssertion 1
ShibRequireSession On
ShibExportAssertion On
Require valid-user
</Location>
<LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
ShibRequestSetting requireSession 1
AuthType shibboleth
ShibExportAssertion Off
Require valid-user
</LocationMatch>
WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/cgi-bin/keystone/main/$1
{% endif %}
</VirtualHost>
<VirtualHost *:{{ keystone_admin_port }}>
WSGIDaemonProcess keystone-admin user={{ keystone_system_user_name }} group={{ keystone_system_group_name }} processes={{ keystone_wsgi_processes }} threads={{ keystone_wsgi_threads }} display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
LogLevel {{ keystone_apache_log_level }}
ErrorLog /var/log/keystone/keystone-apache-error.log
CustomLog /var/log/keystone/ssl_access.log combined
Options +FollowSymLinks
{% if keystone_ssl | bool and keystone_service_adminuri_proto == "https" -%}
SSLEngine on
SSLCertificateFile {{ keystone_ssl_cert }}
SSLCertificateKeyFile {{ keystone_ssl_key }}
{% if keystone_user_ssl_ca_cert is defined -%}
SSLCACertificateFile {{ keystone_ssl_ca_cert }}
{% endif -%}
SSLCompression Off
SSLProtocol {{ keystone_ssl_protocol }}
SSLHonorCipherOrder On
SSLCipherSuite {{ keystone_ssl_cipher_suite }}
SSLOptions +StdEnvVars +ExportCertData
{% endif %}
</VirtualHost>


@ -1,91 +0,0 @@
# Keystone PasteDeploy configuration file.
[filter:debug]
use = egg:oslo.middleware#debug
[filter:request_id]
use = egg:oslo.middleware#request_id
[filter:build_auth_context]
use = egg:keystone#build_auth_context
[filter:token_auth]
use = egg:keystone#token_auth
[filter:admin_token_auth]
use = egg:keystone#admin_token_auth
[filter:json_body]
use = egg:keystone#json_body
[filter:user_crud_extension]
use = egg:keystone#user_crud_extension
[filter:crud_extension]
use = egg:keystone#crud_extension
[filter:ec2_extension]
use = egg:keystone#ec2_extension
[filter:ec2_extension_v3]
use = egg:keystone#ec2_extension_v3
[filter:s3_extension]
use = egg:keystone#s3_extension
[filter:simple_cert_extension]
use = egg:keystone#simple_cert_extension
[filter:url_normalize]
use = egg:keystone#url_normalize
[filter:sizelimit]
use = egg:oslo.middleware#sizelimit
[app:public_service]
use = egg:keystone#public_service
[app:service_v3]
use = egg:keystone#service_v3
[app:admin_service]
use = egg:keystone#admin_service
[pipeline:public_api]
# The last item in this pipeline must be public_service or an equivalent
# application. It cannot be a filter.
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension user_crud_extension public_service
[pipeline:admin_api]
# The last item in this pipeline must be admin_service or an equivalent
# application. It cannot be a filter.
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension crud_extension admin_service
[pipeline:api_v3]
# The last item in this pipeline must be service_v3 or an equivalent
# application. It cannot be a filter.
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension service_v3
[app:public_version_service]
use = egg:keystone#public_version_service
[app:admin_version_service]
use = egg:keystone#admin_version_service
[pipeline:public_version_api]
pipeline = sizelimit url_normalize public_version_service
[pipeline:admin_version_api]
pipeline = sizelimit url_normalize admin_version_service
[composite:main]
use = egg:Paste#urlmap
/v2.0 = public_api
/v3 = api_v3
/ = public_version_api
[composite:admin]
use = egg:Paste#urlmap
/v2.0 = admin_api
/v3 = api_v3
/ = admin_version_api


@ -1,4 +0,0 @@
# {{ ansible_managed }}
Listen {{ keystone_service_port }}
Listen {{ keystone_admin_port }}


@ -1,48 +0,0 @@
# Copyright 2013 OpenStack Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import os
{% if keystone_venv_enabled | bool %}
activate_this = os.path.expanduser("{{ keystone_venv_bin }}/activate_this.py")
execfile(activate_this, dict(__file__=activate_this))
{% endif %}
import os
from oslo_log import log
from oslo_log import versionutils
from keystone.i18n import _LW
from keystone.server import wsgi as wsgi_server
name = os.path.basename(__file__)
LOG = log.getLogger(__name__)
def deprecation_warning():
versionutils.report_deprecated_feature(
LOG,
_LW('httpd/keystone.py is deprecated as of Mitaka'
' in favor of keystone-wsgi-admin and keystone-wsgi-public'
' and may be removed in O.')
)
# NOTE(ldbragst): 'application' is required in this context by WSGI spec.
# The following is a reference to Python Paste Deploy documentation
# http://pythonpaste.org/deploy/
application = wsgi_server.initialize_application(
name,
post_log_configured_function=deprecation_warning)


@ -1,165 +0,0 @@
# {{ ansible_managed }}
[DEFAULT]
verbose = {{ verbose }}
debug = {{ debug }}
admin_token = {{ keystone_auth_admin_token }}
{% if keystone_public_endpoint is defined %}
public_endpoint = {{ keystone_public_endpoint }}
{% endif %}
admin_endpoint = {{ keystone_service_adminuri }}
fatal_deprecations = {{ keystone_fatal_deprecations }}
member_role_name = {{ keystone_default_role_name }}
{% if keystone_ssl | bool and keystone_secure_proxy_ssl_header is defined %}
secure_proxy_ssl_header = {{ keystone_secure_proxy_ssl_header }}
{% endif %}
log_file = keystone.log
log_dir = /var/log/keystone
rpc_backend = {{ keystone_rpc_backend }}
{% if keystone_ceilometer_enabled %}
notification_driver = messagingv2
{% endif %}
{% if 'memcache' in keystone_token_driver and 'fernet' not in keystone_token_provider %}
[memcache]
servers = {{ keystone_memcached_servers }}
max_compare_and_set_retry = {{ keystone_memcached_max_compare_and_set_retry }}
{% endif %}
{% if keystone_cache_backend_argument is defined %}
[cache]
backend = dogpile.cache.memcached
backend_argument = {{ keystone_cache_backend_argument }}
config_prefix = cache.keystone
distributed_lock = True
enabled = true
{% endif %}
[revoke]
caching = true
driver = {{ keystone_revocation_driver }}
expiration_buffer = {{ keystone_revocation_expiration_buffer }}
cache_time = {{ keystone_revocation_cache_time }}
[auth]
{% if keystone_sp is defined %}
methods = {{ keystone_auth_methods }},saml2
saml2 = keystone.auth.plugins.mapped.Mapped
{% else %}
methods = {{ keystone_auth_methods }}
{% endif %}
[database]
connection = mysql+pymysql://{{ keystone_galera_user }}:{{ keystone_container_mysql_password }}@{{ keystone_galera_address }}/{{ keystone_galera_database }}?charset=utf8
idle_timeout = {{ keystone_database_idle_timeout }}
min_pool_size = {{ keystone_database_min_pool_size }}
max_pool_size = {{ keystone_database_max_pool_size }}
pool_timeout = {{ keystone_database_pool_timeout }}
[fernet_tokens]
key_repository = {{ keystone_fernet_tokens_key_repository }}
max_active_keys = {{ keystone_fernet_tokens_max_active_keys }}
[identity]
{% if keystone_ldap.Default is not defined %}
driver = sql
{% endif %}
{% if keystone_ldap | length > 0 %}
domain_config_dir = {{ keystone_ldap_domain_config_dir }}
domain_specific_drivers_enabled = True
{% endif %}
[assignment]
driver = {{ keystone_assignment_driver }}
[resource]
cache_time = {{ keystone_resource_cache_time }}
caching = true
driver = {{ keystone_resource_driver }}
[token]
enforce_token_bind = permissive
expiration = {{ keystone_token_expiration }}
caching = true
cache_time = {{ keystone_token_cache_time }}
provider = {{ keystone_token_provider }}
{% if 'fernet' not in keystone_token_provider %}
driver = {{ keystone_token_driver }}
{% endif %}
# We need to /temporarily/ disable catalog caching due to [1], once
# upstream keystone bug [2] is fixed we can remove this [catalog]
# section entirely.
# [1] https://review.openstack.org/#/c/215212/
# [2] https://review.openstack.org/#/c/271536/
[catalog]
caching = false
{% if keystone_idp is defined %}
[saml]
certfile = "{{ keystone_idp.certfile }}"
keyfile = "{{ keystone_idp.keyfile }}"
idp_entity_id = "{{ keystone_idp.idp_entity_id }}"
idp_sso_endpoint = "{{ keystone_idp.idp_sso_endpoint }}"
idp_metadata_path = "{{ keystone_idp.idp_metadata_path }}"
{% if keystone_idp.organization_name is defined %}
idp_organization_name = {{ keystone_idp.organization_name }}
{% endif %}
{% if keystone_idp.organization_display_name is defined %}
idp_organization_display_name = {{ keystone_idp.organization_display_name }}
{% endif %}
{% if keystone_idp.organization_url is defined %}
idp_organization_url = {{ keystone_idp.organization_url }}
{% endif %}
{% if keystone_idp.contact_company is defined %}
idp_contact_company = {{ keystone_idp.contact_company }}
{% endif %}
{% if keystone_idp.contact_name is defined %}
idp_contact_name = {{ keystone_idp.contact_name }}
{% endif %}
{% if keystone_idp.contact_surname is defined %}
idp_contact_surname = {{ keystone_idp.contact_surname }}
{% endif %}
{% if keystone_idp.contact_email is defined %}
idp_contact_email = {{ keystone_idp.contact_email }}
{% endif %}
{% if keystone_idp.contact_telephone is defined %}
idp_contact_telephone = {{ keystone_idp.contact_telephone }}
{% endif %}
{% if keystone_idp.contact_type is defined %}
idp_contact_type = {{ keystone_idp.contact_type }}
{% endif %}
{% endif %}
[eventlet_server]
admin_bind_host = {{ keystone_bind_address }}
admin_port = {{ keystone_admin_port }}
public_port = {{ keystone_service_port }}
[oslo_messaging_rabbit]
rabbit_port = {{ rabbitmq_port }}
rabbit_userid = {{ keystone_rabbitmq_userid }}
rabbit_password = {{ keystone_rabbitmq_password }}
rabbit_virtual_host = {{ keystone_rabbitmq_vhost }}
rabbit_hosts = {{ rabbitmq_servers }}
rabbit_use_ssl = {{ rabbitmq_use_ssl }}
{% if keystone_sp is defined %}
[federation]
remote_id_attribute = Shib-Identity-Provider
{% if keystone_sp.trusted_dashboard_list is defined %}
{% for item in keystone_sp.trusted_dashboard_list %}
trusted_dashboard = {{ item }}
{% endfor %}
{% endif %}
{% endif %}


@ -1,9 +0,0 @@
# {{ ansible_managed }}
[identity]
driver = ldap
[ldap]
{% for key, value in item.value | dictsort %}
{{ key }} = {{ value }}
{% endfor %}


@ -1,186 +0,0 @@
{
"admin_required": "role:admin or is_admin:1",
"service_role": "role:service",
"service_or_admin": "rule:admin_required or rule:service_role",
"owner" : "user_id:%(user_id)s",
"admin_or_owner": "rule:admin_required or rule:owner",
"token_subject": "user_id:%(target.token.user_id)s",
"admin_or_token_subject": "rule:admin_required or rule:token_subject",
"service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject",
"default": "rule:admin_required",
"identity:get_region": "",
"identity:list_regions": "",
"identity:create_region": "rule:admin_required",
"identity:update_region": "rule:admin_required",
"identity:delete_region": "rule:admin_required",
"identity:get_service": "rule:admin_required",
"identity:list_services": "rule:admin_required",
"identity:create_service": "rule:admin_required",
"identity:update_service": "rule:admin_required",
"identity:delete_service": "rule:admin_required",
"identity:get_endpoint": "rule:admin_required",
"identity:list_endpoints": "rule:admin_required",
"identity:create_endpoint": "rule:admin_required",
"identity:update_endpoint": "rule:admin_required",
"identity:delete_endpoint": "rule:admin_required",
"identity:get_domain": "rule:admin_required",
"identity:list_domains": "rule:admin_required",
"identity:create_domain": "rule:admin_required",
"identity:update_domain": "rule:admin_required",
"identity:delete_domain": "rule:admin_required",
"identity:get_project": "rule:admin_required",
"identity:list_projects": "rule:admin_required",
"identity:list_user_projects": "rule:admin_or_owner",
"identity:create_project": "rule:admin_required",
"identity:update_project": "rule:admin_required",
"identity:delete_project": "rule:admin_required",
"identity:get_user": "rule:admin_required",
"identity:list_users": "rule:admin_required",
"identity:create_user": "rule:admin_required",
"identity:update_user": "rule:admin_required",
"identity:delete_user": "rule:admin_required",
"identity:change_password": "rule:admin_or_owner",
"identity:get_group": "rule:admin_required",
"identity:list_groups": "rule:admin_required",
"identity:list_groups_for_user": "rule:admin_or_owner",
"identity:create_group": "rule:admin_required",
"identity:update_group": "rule:admin_required",
"identity:delete_group": "rule:admin_required",
"identity:list_users_in_group": "rule:admin_required",
"identity:remove_user_from_group": "rule:admin_required",
"identity:check_user_in_group": "rule:admin_required",
"identity:add_user_to_group": "rule:admin_required",
"identity:get_credential": "rule:admin_required",
"identity:list_credentials": "rule:admin_required",
"identity:create_credential": "rule:admin_required",
"identity:update_credential": "rule:admin_required",
"identity:delete_credential": "rule:admin_required",
"identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
"identity:ec2_list_credentials": "rule:admin_or_owner",
"identity:ec2_create_credential": "rule:admin_or_owner",
"identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
"identity:get_role": "rule:admin_required",
"identity:list_roles": "rule:admin_required",
"identity:create_role": "rule:admin_required",
"identity:update_role": "rule:admin_required",
"identity:delete_role": "rule:admin_required",
"identity:check_grant": "rule:admin_required",
"identity:list_grants": "rule:admin_required",
"identity:create_grant": "rule:admin_required",
"identity:revoke_grant": "rule:admin_required",
"identity:list_role_assignments": "rule:admin_required",
"identity:list_role_assignments_for_tree": "rule:admin_required",
"identity:get_policy": "rule:admin_required",
"identity:list_policies": "rule:admin_required",
"identity:create_policy": "rule:admin_required",
"identity:update_policy": "rule:admin_required",
"identity:delete_policy": "rule:admin_required",
"identity:check_token": "rule:admin_or_token_subject",
"identity:validate_token": "rule:service_admin_or_token_subject",
"identity:validate_token_head": "rule:service_or_admin",
"identity:revocation_list": "rule:service_or_admin",
"identity:revoke_token": "rule:admin_or_token_subject",
"identity:create_trust": "user_id:%(trust.trustor_user_id)s",
"identity:list_trusts": "",
"identity:list_roles_for_trust": "",
"identity:get_role_for_trust": "",
"identity:delete_trust": "",
"identity:create_consumer": "rule:admin_required",
"identity:get_consumer": "rule:admin_required",
"identity:list_consumers": "rule:admin_required",
"identity:delete_consumer": "rule:admin_required",
"identity:update_consumer": "rule:admin_required",
"identity:authorize_request_token": "rule:admin_required",
"identity:list_access_token_roles": "rule:admin_required",
"identity:get_access_token_role": "rule:admin_required",
"identity:list_access_tokens": "rule:admin_required",
"identity:get_access_token": "rule:admin_required",
"identity:delete_access_token": "rule:admin_required",
"identity:list_projects_for_endpoint": "rule:admin_required",
"identity:add_endpoint_to_project": "rule:admin_required",
"identity:check_endpoint_in_project": "rule:admin_required",
"identity:list_endpoints_for_project": "rule:admin_required",
"identity:remove_endpoint_from_project": "rule:admin_required",
"identity:create_endpoint_group": "rule:admin_required",
"identity:list_endpoint_groups": "rule:admin_required",
"identity:get_endpoint_group": "rule:admin_required",
"identity:update_endpoint_group": "rule:admin_required",
"identity:delete_endpoint_group": "rule:admin_required",
"identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
"identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
"identity:get_endpoint_group_in_project": "rule:admin_required",
"identity:list_endpoint_groups_for_project": "rule:admin_required",
"identity:add_endpoint_group_to_project": "rule:admin_required",
"identity:remove_endpoint_group_from_project": "rule:admin_required",
"identity:create_identity_provider": "rule:admin_required",
"identity:list_identity_providers": "rule:admin_required",
"identity:get_identity_providers": "rule:admin_required",
"identity:update_identity_provider": "rule:admin_required",
"identity:delete_identity_provider": "rule:admin_required",
"identity:create_protocol": "rule:admin_required",
"identity:update_protocol": "rule:admin_required",
"identity:get_protocol": "rule:admin_required",
"identity:list_protocols": "rule:admin_required",
"identity:delete_protocol": "rule:admin_required",
"identity:create_mapping": "rule:admin_required",
"identity:get_mapping": "rule:admin_required",
"identity:list_mappings": "rule:admin_required",
"identity:delete_mapping": "rule:admin_required",
"identity:update_mapping": "rule:admin_required",
"identity:create_service_provider": "rule:admin_required",
"identity:list_service_providers": "rule:admin_required",
"identity:get_service_provider": "rule:admin_required",
"identity:update_service_provider": "rule:admin_required",
"identity:delete_service_provider": "rule:admin_required",
"identity:get_auth_catalog": "",
"identity:get_auth_projects": "",
"identity:get_auth_domains": "",
"identity:list_projects_for_groups": "",
"identity:list_domains_for_groups": "",
"identity:list_revoke_events": "",
"identity:create_policy_association_for_endpoint": "rule:admin_required",
"identity:check_policy_association_for_endpoint": "rule:admin_required",
"identity:delete_policy_association_for_endpoint": "rule:admin_required",
"identity:create_policy_association_for_service": "rule:admin_required",
"identity:check_policy_association_for_service": "rule:admin_required",
"identity:delete_policy_association_for_service": "rule:admin_required",
"identity:create_policy_association_for_region_and_service": "rule:admin_required",
"identity:check_policy_association_for_region_and_service": "rule:admin_required",
"identity:delete_policy_association_for_region_and_service": "rule:admin_required",
"identity:get_policy_for_endpoint": "rule:admin_required",
"identity:list_endpoints_for_policy": "rule:admin_required",
"identity:create_domain_config": "rule:admin_required",
"identity:get_domain_config": "rule:admin_required",
"identity:update_domain_config": "rule:admin_required",
"identity:delete_domain_config": "rule:admin_required",
"identity:get_domain_config_default": "rule:admin_required"
}


@ -1,63 +0,0 @@
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<!--
The below default attributes are standard for a Shibboleth
Identity Provider and will likely work with many other
standard SAML2 Identity Providers.
-->
<Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>
<Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="affiliation">
<AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
<AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
<!-- A persistent id attribute that supports personalized anonymous access. -->
<Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="targeted-id">
<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
<AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
</Attribute>
<Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
<AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
</Attribute>
<!--
The following attributes have been configured through Ansible.
-->
{% for idp in keystone_sp.trusted_idp_list %}
{% if idp.protocols is defined %}
{% for protocol in idp.protocols %}
{% if protocol.name == "saml2" and protocol.attributes is defined %}
{% for attr in protocol.attributes %}
<Attribute{% for k in attr %} {{ k }}="{{ attr[k] }}"{% endfor %}/>
{% endfor %}
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}
</Attributes>


@ -1,104 +0,0 @@
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
clockSkew="180">
<!-- The entityID is the name by which your IdP will know your SP. -->
<ApplicationDefaults entityID="{{ keystone_service_publicuri }}/shibboleth">
<!-- You should use secure cookies if at all possible. See cookieProps in this Wiki article. -->
<!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessions -->
<Sessions lifetime="28800"
timeout="3600"
relayState="ss:mem"
checkAddress="false"
handlerSSL="{% if keystone_ssl | bool %}true{% else %}false{% endif %}"
{% if keystone_service_publicuri_proto == "https" %}cookieProps="; path=/; secure"{% endif %}>
<!-- Triggers a login request directly to the IdP. -->
<!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSO -->
<SSO ECP="true" entityID="{{ keystone_sp.trusted_idp_list.0.entity_ids.0 }}">
SAML2 SAML1
</SSO>
<!-- SAML and local-only logout. -->
<!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceLogout -->
<Logout>SAML2 Local</Logout>
<!--
Handlers allow you to interact with the SP and gather more information.
Attribute values received by the SP through SAML will be visible at:
{{ keystone_service_publicuri }}/Shibboleth.sso/Session
-->
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
<Handler type="MetadataGenerator"
Location="/Metadata"
signing="false"/>
<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
<!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session" showAttributeValues="true"/>
<!-- JSON feed of discovery information. -->
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
</Sessions>
<!--
Allows overriding of error template information/filenames. You can
also add attributes with values that can be plugged into the templates.
-->
<Errors supportContact="root@localhost"
helpLocation="/about.html"
styleSheet="/shibboleth-sp/main.css"/>
<!--
Loads and trusts a list of metadata files which describes
the trusted IdP's and how to communicate with them.
-->
{% if keystone_sp.trusted_idp_list is defined -%}
{% for item in keystone_sp.trusted_idp_list %}
<MetadataProvider type="XML"
uri="{{ item.metadata_uri }}"
backingFilePath="{{ item.metadata_file }}"
reloadInterval="{{ item.metadata_reload }}" />
{% endfor %}
{% endif %}
<!-- Map to extract attributes from SAML assertions. -->
<AttributeExtractor type="XML"
validate="true"
reloadChanges="false"
path="attribute-map.xml"/>
<!-- Use a SAML query if no attributes are supplied during SSO. -->
<AttributeResolver type="Query" subjectMatch="true"/>
<!-- Default filtering policy for recognized attributes, lets other data pass. -->
<AttributeFilter type="XML"
validate="true"
path="attribute-policy.xml"/>
<!-- Your SP generated these credentials. They're used to talk to IdP's. -->
<CredentialResolver type="File"
key="sp-key.pem"
certificate="sp-cert.pem"/>
</ApplicationDefaults>
<!-- Policies that determine how to process and authenticate runtime messages. -->
<SecurityPolicyProvider type="XML"
validate="true"
path="security-policy.xml"/>
<!-- Low-level configuration about protocols and bindings available for use. -->
<ProtocolProvider type="XML"
validate="true"
reloadChanges="false"
path="protocols.xml"/>
</SPConfig>