diff --git a/Dockerfile b/Dockerfile
index 8f11198..381b090 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -35,9 +35,11 @@ RUN cd /opt/surveil && python setup.py develop
 #Set to 'surveil' or 'keystone'
 ENV SURVEIL_AUTH_BACKEND=surveil
-ENV SURVEIL_KEYSTONE_ENDPOINT=http://198.72.123.131:5000/v2.0/
-ENV SURVEIL_KEYSTONE_USERNAME=admin
-ENV SURVEIL_KEYSTONE_PASSWORD=password
+ENV SURVEIL_KEYSTONE_HOST=198.72.123.131
+ENV SURVEIL_KEYSTONE_AUTH_PROTOCOL=http
+ENV SURVEIL_KEYSTONE_ADMIN_USER=admin
+ENV SURVEIL_KEYSTONE_ADMIN_PASSWORD=password
+ENV SURVEIL_KEYSTONE_ADMIN_TENANT_NAME=admin
 CMD cd /opt/surveil && \
 ./setup.sh && \
diff --git a/docker-compose-production.yml b/docker-compose-production.yml
index 4397aed..5ab0d70 100644
--- a/docker-compose-production.yml
+++ b/docker-compose-production.yml
@@ -10,7 +10,11 @@ surveil:
 environment:
 PBR_VERSION: "PROD"
 #SURVEIL_AUTH_BACKEND: "keystone"
- #SURVEIL_KEYSTONE_ENDPOINT: "http://198.72.123.131:5000/v2.0/"
+ #SURVEIL_KEYSTONE_HOST: "198.72.123.131"
+ #SURVEIL_KEYSTONE_AUTH_PROTOCOL: "http"
+ #SURVEIL_KEYSTONE_ADMIN_USER: "admin"
+ #SURVEIL_KEYSTONE_ADMIN_PASSWORD: "password"
+ #SURVEIL_KEYSTONE_ADMIN_TENANT_NAME: "admin"
 shinken:
 #build: tools/docker/shinken_container/
diff --git a/etc/surveil/api_paste.ini b/etc/surveil/api_paste.ini
index 8ba7fe6..1684e70 100644
--- a/etc/surveil/api_paste.ini
+++ b/etc/surveil/api_paste.ini
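Review bot: `ENV SURVEIL_KEYSTONE_ADMIN_PASSWORD=password` ships a default Keystone admin credential in the image, where it is visible in the image metadata and is used as-is by any deployment that switches `SURVEIL_AUTH_BACKEND` to `keystone` without overriding it. The same placeholder appears in the commented sample in docker-compose-production.yml and as the live `admin_password=password` in etc/surveil/api_paste.ini. I would drop the password default here so it has to be supplied at run time, and default `SURVEIL_KEYSTONE_AUTH_PROTOCOL` to `https`, because with `http` the admin credentials and user tokens cross the network to Keystone unencrypted. A comment above the block such as `# Keystone admin credentials are supplied at run time (-e / env_file); no default is shipped` would document that.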
@@ -14,120 +14,9 @@ paste.filter_factory = surveil.api.authmiddleware.auth:filter_factory
 [filter:authtoken]
 paste.filter_factory = keystonemiddleware.auth_token:filter_factory
-# Prefix to prepend at the beginning of the path (string
-# value)
-#auth_admin_prefix=
-
-# Host providing the admin Identity API endpoint (string
-# value)
-#auth_host=198.72.123.131
-
-# Port of the admin Identity API endpoint (integer value)
-#auth_port=5000
-
-# Protocol of the admin Identity API endpoint(http or https)
-# (string value)
+# Keystone auth settings
+auth_host=198.72.123.131
 auth_protocol=http
-
-# Complete public Identity API endpoint (string value)
-auth_uri=http://198.72.123.131:5000/v2.0/
-
-# API version of the admin Identity API endpoint (string
-# value)
-#auth_version=
-
-# Do not handle authorization requests within the middleware,
-# but delegate the authorization decision to downstream WSGI
-# components (boolean value)
-#delay_auth_decision=false
-
-# Request timeout value for communicating with Identity API
-# server. (boolean value)
-#http_connect_timeout=
-
-# How many times are we trying to reconnect when communicating
-# with Identity API Server. (integer value)
-#http_request_max_retries=3
-
-# Single shared secret with the Keystone configuration used
-# for bootstrapping a Keystone installation, or otherwise
-# bypassing the normal authentication process. (string value)
-#admin_token=
-
-# Keystone account username (string value)
 admin_user=admin
-
-# Keystone account password (string value)
 admin_password=password
-
-# Keystone service account tenant name to validate user tokens
-# (string value)
 admin_tenant_name=admin
-
-# Env key for the swift cache (string value)
-#cache=
-
-# Required if Keystone server requires client certificate
-# (string value)
-#certfile=
-
-# Required if Keystone server requires client certificate
-# (string value)
-#keyfile=
-
-# A PEM encoded Certificate Authority to use when verifying
-# HTTPs connections. Defaults to system CAs. (string value)
-#cafile=
-
-# Verify HTTPS connections. (boolean value)
-#insecure=false
-
-# Directory used to cache files related to PKI tokens (string
-# value)
-#signing_dir=
-
-# If defined, the memcache server(s) to use for caching (list
-# value)
-# Deprecated group/name - [DEFAULT]/memcache_servers
-#memcached_servers=
-
-# In order to prevent excessive requests and validations, the
-# middleware uses an in-memory cache for the tokens the
-# Keystone API returns. This is only valid if memcache_servers
-# is defined. Set to -1 to disable caching completely.
-# (integer value)
-#token_cache_time=300
-
-# Value only used for unit testing (integer value)
-#revocation_cache_time=1
-
-# (optional) if defined, indicate whether token data should be
-# authenticated or authenticated and encrypted. Acceptable
-# values are MAC or ENCRYPT. If MAC, token data is
-# authenticated (with HMAC) in the cache. If ENCRYPT, token
-# data is encrypted and authenticated in the cache. If the
-# value is not one of these options or empty, auth_token will
-# raise an exception on initialization. (string value)
-#memcache_security_strategy=
-
-# (optional, mandatory if memcache_security_strategy is
-# defined) this string is used for key derivation. (string
-# value)
-#memcache_secret_key=
-
-# (optional) indicate whether to set the X-Service-Catalog
-# header. If False, middleware will not ask for service
-# catalog on token validation and will not set the X-Service-
-# Catalog header. (boolean value)
-#include_service_catalog=true
-
-# Used to control the use and type of token binding. Can be
-# set to: "disabled" to not check token binding. "permissive"
-# (default) to validate binding information if the bind type
-# is of a form known to the server and ignore it if not.
-# "strict" like "permissive" but if the bind type is unknown
-# the token will be rejected. "required" any form of token
-# binding is needed to be allowed. Finally the name of a
-# binding method that must be present in tokens. (string
-# value)
-#enforce_token_bind=permissive
diff --git a/tools/docker/surveil_container/setup.sh b/tools/docker/surveil_container/setup.sh
index a3e60df..4185d99 100755
--- a/tools/docker/surveil_container/setup.sh
+++ b/tools/docker/surveil_container/setup.sh
@@ -7,9 +7,11 @@ function setup_surveil_api {
 else
 echo -e "=> Setting up Surveil API for keystone authentication..."
 sed -i "s|pipeline =.*|pipeline = authtoken api-server|" /etc/surveil/api_paste.ini
- sed -i "s|auth_uri=.*|auth_uri=${SURVEIL_KEYSTONE_ENDPOINT}|" /etc/surveil/api_paste.ini
- sed -i "s|admin_user=.*|admin_user=${SURVEIL_KEYSTONE_USERNAME}|" /etc/surveil/api_paste.ini
- sed -i "s|admin_password=.*|admin_password=${SURVEIL_KEYSTONE_PASSWORD}|" /etc/surveil/api_paste.ini
+ sed -i "s|auth_protocol=.*|auth_protocol=${SURVEIL_KEYSTONE_AUTH_PROTOCOL}|" /etc/surveil/api_paste.ini
+ sed -i "s|auth_host=.*|auth_host=${SURVEIL_KEYSTONE_HOST}|" /etc/surveil/api_paste.ini
+ sed -i "s|admin_user=.*|admin_user=${SURVEIL_KEYSTONE_ADMIN_USER}|" /etc/surveil/api_paste.ini
+ sed -i "s|admin_password=.*|admin_password=${SURVEIL_KEYSTONE_ADMIN_PASSWORD}|" /etc/surveil/api_paste.ini
+ sed -i "s|admin_tenant_name=.*|admin_tenant_name=${SURVEIL_KEYSTONE_ADMIN_TENANT_NAME}|" /etc/surveil/api_paste.ini
 fi
 }
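Review bot: With `auth_uri` removed and `auth_host`/`auth_protocol` now the only endpoint settings, the port is left to the middleware default, which is not the 5000 the deleted `auth_uri` used (keystonemiddleware defaults `auth_port` to the admin port as far as I know — worth confirming against the deployed version). I would pin it explicitly with `auth_port=5000` or whatever the deployment uses, and expose it through setup.sh like the host and protocol. The hunk also deletes the commented `cafile` and `insecure` entries, which were the only guidance on certificate verification once `auth_protocol` is switched to `https`; a short comment such as `# For https: set cafile= to the CA bundle and keep insecure=false` under `# Keystone auth settings` would preserve it.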
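Review bot: The five added `sed` lines splice the environment values directly into the replacement text, so an admin password containing `|`, `&` or a backslash either breaks the command or is written to api_paste.ini as a different string than the operator supplied (`&` expands to the matched text). Nothing checks that the variables are non-empty, so an empty override leaves `admin_password=` blank without any error. I would fail early with `: "${SURVEIL_KEYSTONE_ADMIN_PASSWORD:?must be set for keystone auth}"` for each variable and escape the value before use, e.g. `esc=$(printf '%s' "$SURVEIL_KEYSTONE_ADMIN_PASSWORD" | sed 's/[&|\\]/\\&/g')`. The patterns are also unanchored, so `admin_user=.*` would rewrite a commented-out copy of the key too; `^admin_user=.*` is safer. `setup_surveil_api` starts above the hunk, so the condition guarding this branch is not visible here.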