[REFACTOR] Implement X.509 auth for MySQL and Keystone
Change-Id: I9a80bb1bba76a81dc45be3d9b666ddccc056bee2
diff --git a/keystone/_ssl/mysql.sls b/keystone/_ssl/mysql.sls
index 2fa0f0a..215a3da 100644
--- a/keystone/_ssl/mysql.sls
+++ b/keystone/_ssl/mysql.sls
@@ -16,6 +16,8 @@
- name: {{ ca_file }}
- contents_pillar: keystone:server:database:x509:cacert
- mode: 444
+ - user: keystone
+ - group: keystone
- makedirs: true
{%- else %}
file.exists:
@@ -28,6 +30,8 @@
- name: {{ cert_file }}
- contents_pillar: keystone:server:database:x509:cert
- mode: 440
+ - user: keystone
+ - group: keystone
- makedirs: true
{%- else %}
file.exists:
@@ -40,12 +44,23 @@
- name: {{ key_file }}
- contents_pillar: keystone:server:database:x509:key
- mode: 400
+ - user: keystone
+ - group: keystone
- makedirs: true
{%- else %}
file.exists:
- name: {{ key_file }}
{%- endif %}
+mysql_keystone_ssl_x509_set_user_and_group:
+ file.managed:
+ - names:
+ - {{ ca_file }}
+ - {{ cert_file }}
+ - {{ key_file }}
+ - user: keystone
+ - group: keystone
+
{% elif server.database.get('ssl',{}).get('enabled',False) %}
mysql_ca_keystone:
{%- if server.database.ssl.cacert is defined %}
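Review bot: The new `mysql_keystone_ssl_x509_set_user_and_group` state at the end of this hunk is a `file.managed` with no `source` or `contents`, so whenever one of the three paths is taken through the `file.exists` branch (pillar value not defined) it will create an empty `ca_file`/`cert_file`/`key_file` with default mode rather than leaving the missing file visible, and on later runs `file.exists` then passes against an empty certificate or key. It also duplicates the `user`/`group` that this hunk and the two before it already add to the three `file.managed` states. Either drop the state, or limit it to ownership of files that already exist with `- create: False` and `- replace: False`. The enclosing x509 `{%- if %}` block begins before this hunk.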
diff --git a/keystone/server.sls b/keystone/server.sls
index cd6be76..b28d8a6 100644
--- a/keystone/server.sls
+++ b/keystone/server.sls
@@ -2,8 +2,6 @@
{%- if server.enabled %}
-{%- set mysql_x509_ssl_enabled = server.database.get('x509',{}).get('enabled',False) or server.database.get('ssl',{}).get('enabled',False) %}
-
include:
{%- if server.service_name in ['apache2', 'httpd'] %}
- apache