Merge "Fix error-mask in db_sync state"
diff --git a/.kitchen.yml b/.kitchen.yml
index 29774f4..7ef9ad1 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -2,7 +2,7 @@
driver:
name: docker
hostname: keystone.ci.local
- use_sudo: true
+ use_sudo: false
provisioner:
name: salt_solo
@@ -10,7 +10,7 @@
salt_bootstrap_url: https://bootstrap.saltstack.com
salt_version: latest
require_chef: false
- log_level: info
+ log_level: error
formula: keystone
grains:
noservices: False
@@ -74,6 +74,13 @@
pillars-from-files:
keystone.sls: tests/pillar/single.sls
+ - name: single_domain
+ provisioner:
+ grains:
+ noservices: True
+ pillars-from-files:
+ keystone.sls: tests/pillar/single_domain.sls
+
- name: single_fernet
provisioner:
pillars-from-files:
diff --git a/.travis.yml b/.travis.yml
index acbbe42..7cf63e4 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -17,8 +17,14 @@
- bundle install
env:
- - PLATFORM=trevorj/salty-whales:trusty MYSQL_VERSION='5.5'
- - PLATFORM=trevorj/salty-whales:xenial MYSQL_VERSION='5.7'
+ - PLATFORM=trevorj/salty-whales:trusty MYSQL_VERSION='5.5' SUITE=single
+ - PLATFORM=trevorj/salty-whales:xenial MYSQL_VERSION='5.7' SUITE=single
+ - PLATFORM=trevorj/salty-whales:trusty MYSQL_VERSION='5.5' SUITE=single_domain
+ - PLATFORM=trevorj/salty-whales:xenial MYSQL_VERSION='5.7' SUITE=single_domain
+ - PLATFORM=trevorj/salty-whales:trusty MYSQL_VERSION='5.5' SUITE=single_fernet
+ - PLATFORM=trevorj/salty-whales:xenial MYSQL_VERSION='5.7' SUITE=single_fernet
+ - PLATFORM=trevorj/salty-whales:trusty MYSQL_VERSION='5.5' SUITE=under-apache
+ - PLATFORM=trevorj/salty-whales:xenial MYSQL_VERSION='5.7' SUITE=under-apache
before_script:
- set -o pipefail
diff --git a/README.rst b/README.rst
index e7c8aed..bb7146f 100644
--- a/README.rst
+++ b/README.rst
@@ -86,6 +86,17 @@
admin_address: 10.0.0.20
admin_port: 8774
+Keystone with custom policies. Keys with specified rules are created or set to this value if they already exists. Keys with no value (like our "existing_rule") are deleted from the policy file.
+
+.. code-block:: yaml
+
+ keystone:
+ server:
+ enabled: true
+ policy:
+ new_rule: "rule:admin_required"
+ existing_rule:
+
Keystone memcached storage for tokens
.. code-block:: yaml
@@ -191,16 +202,17 @@
keystone:
server:
domain:
- description: "Testing domain"
- backend: ldap
- assignment:
- backend: sql
- ldap:
- url: "ldaps://idm.domain.com"
- suffix: "dc=cloud,dc=domain,dc=com"
- # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
- uid: keystone
- password: password
+ external:
+ description: "Testing domain"
+ backend: ldap
+ assignment:
+ backend: sql
+ ldap:
+ url: "ldaps://idm.domain.com"
+ suffix: "dc=cloud,dc=domain,dc=com"
+ # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
+ uid: keystone
+ password: password
Using LDAP backend for default domain
@@ -293,6 +305,56 @@
virtual_host: '/openstack'
....
+Client-side RabbitMQ TLS configuration:
+
+|
+
+By default system-wide CA certs are used. Nothing should be specified except `ssl.enabled`.
+
+.. code-block:: yaml
+
+ keystone:
+ server:
+ ....
+ message_queue:
+ ssl:
+ enabled: True
+
+Use `cacert_file` option to specify the CA-cert file path explicitly:
+
+.. code-block:: yaml
+
+ keystone:
+ server:
+ ....
+ message_queue:
+ ssl:
+ enabled: True
+ cacert_file: /etc/ssl/rabbitmq-ca.pem
+
+To manage content of the `cacert_file` use the `cacert` option:
+
+.. code-block:: yaml
+
+ keystone:
+ server:
+ ....
+ message_queue:
+ ssl:
+ enabled: True
+ cacert: |
+
+ -----BEGIN CERTIFICATE-----
+ ...
+ -----END CERTIFICATE-------
+
+ cacert_file: /etc/openstack/rabbitmq-ca.pem
+
+
+Notice:
+ * The `message_queue.port` is set to **5671** (AMQPS) by default if `ssl.enabled=True`.
+ * Use `message_queue.ssl.version` if you need to specify protocol version. By default is TLSv1 for python < 2.7.9 and TLSv1_2 for version above.
+
Enable CADF audit notification
.. code-block:: yaml
@@ -323,7 +385,7 @@
modules:
- wsgi
-Enable Federated keystone
+Enable SAML2 Federated keystone
.. code-block:: yaml
@@ -333,14 +395,16 @@
- password
- token
- saml2
- websso:
- protocol: saml2
- remote_id_attribute: Shib-Identity-Provider
+ federation:
+ saml2:
+ protocol: saml2
+ remote_id_attribute: Shib-Identity-Provider
+ shib_url_scheme: https
+ shib_compat_valid_user: 'on'
federation_driver: keystone.contrib.federation.backends.sql.Federation
federated_domain_name: Federated
trusted_dashboard:
- - http://${_param:proxy_vip_address_public}/horizon/auth/websso/
- shib_url_scheme: https
+ - https://${_param:cluster_public_host}/horizon/auth/websso/
apache:
server:
pkgs:
@@ -350,6 +414,48 @@
- wsgi
- shib2
+Enable OIDC Federated keystone
+
+.. code-block:: yaml
+
+ keystone:
+ server:
+ auth_methods:
+ - password
+ - token
+ - oidc
+ federation:
+ oidc:
+ protocol: oidc
+ remote_id_attribute: HTTP_OIDC_ISS
+ remote_id_attribute_value: https://accounts.google.com
+ oidc_claim_prefix: "OIDC-"
+ oidc_response_type: id_token
+ oidc_scope: "openid email profile"
+ oidc_provider_metadata_url: https://accounts.google.com/.well-known/openid-configuration
+ oidc_client_id: <openid_client_id>
+ oidc_client_secret: <openid_client_secret>
+ oidc_crypto_passphrase: openstack
+ oidc_redirect_uri: https://key.example.com:5000/v3/auth/OS-FEDERATION/websso/oidc/redirect
+ oidc_oauth_introspection_endpoint: https://www.googleapis.com/oauth2/v1/tokeninfo
+ oidc_oauth_introspection_token_param_name: access_token
+ oidc_oauth_remote_user_claim: user_id
+ oidc_ssl_validate_server: 'off'
+ federated_domain_name: Federated
+ federation_driver: keystone.contrib.federation.backends.sql.Federation
+ trusted_dashboard:
+ - https://${_param:cluster_public_host}/auth/websso/
+ apache:
+ server:
+ pkgs:
+ - apache2
+ - libapache2-mod-auth-openidc
+ modules:
+ - wsgi
+ - auth_openidc
+
+Notes: Ubuntu Trusty repository doesn't contain libapache2-mod-auth-openidc package. Additonal repository should be added to source list.
+
Use a custom identity driver with custom options
.. code-block:: yaml
@@ -547,6 +653,17 @@
param2: value
....
+Configuration of policy.json file
+
+.. code-block:: yaml
+
+
+ keystone:
+ server:
+ ....
+ policy:
+ admin_or_token_subject: 'rule:admin_required or rule:token_subject'
+
Usage
=====
diff --git a/_grains/keystone_policy.py b/_grains/keystone_policy.py
new file mode 100644
index 0000000..2155b12
--- /dev/null
+++ b/_grains/keystone_policy.py
@@ -0,0 +1,15 @@
+#!/usr/bin/env python
+import salt.config
+import salt.loader
+
+
+def main():
+ path = "/etc/keystone/policy.json"
+ __opts__ = salt.config.minion_config('/etc/salt/minion')
+ keystone_policy_mod = salt.loader.raw_mod(__opts__, 'keystone_policy', None)
+ if keystone_policy_mod:
+ result = keystone_policy_mod['keystone_policy.rule_list'](path)
+ if result and 'Error' not in result:
+ return {'keystone_policy': result}
+ return {}
+
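Review bot: `main` carries no docstring and reads both the policy path and the minion config from hard-coded locations, so a reader has to reverse-engineer that it publishes the parsed rules of `/etc/keystone/policy.json` as the `keystone_policy` grain; a one-line docstring saying that, plus a comment that `salt.loader.raw_mod` is used because `__salt__` is presumably not available inside a grain module, would be enough. The `'Error' not in result` test reuses a rule name as the error sentinel, so a policy file that happens to contain a rule literally called `Error` is silently treated as a load failure and the grain disappears. The same sentinel is relied on in `_modules/keystone_policy.py` and `_states/keystone_policy.py`; if it stays, a module-level constant such as `ERROR_KEY = 'Error'` with a comment noting the collision would at least make the convention explicit in one place.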
diff --git a/_modules/keystone_policy.py b/_modules/keystone_policy.py
new file mode 100644
index 0000000..4e3ae6d
--- /dev/null
+++ b/_modules/keystone_policy.py
@@ -0,0 +1,78 @@
+import io
+import json
+import logging
+
+import yaml
+
+LOG = logging.getLogger(__name__)
+
+
+def __virtual__():
+ return True
+
+
+def rule_list(path, **kwargs):
+ try:
+ with io.open(path, 'r') as file_handle:
+ rules = yaml.safe_load(file_handle) or {}
+ rules = {str(k): str(v) for (k, v) in rules.items()}
+ except Exception as e:
+ msg = "Unable to load policy file %s: %s" % (path, repr(e))
+ LOG.debug(msg)
+ rules = {'Error': msg}
+ return rules
+
+
+def rule_delete(name, path, **kwargs):
+ ret = {}
+ rules = __salt__['keystone_policy.rule_list'](path, **kwargs)
+ if 'Error' not in rules:
+ if name not in rules:
+ return ret
+ del rules[name]
+ try:
+ with io.open(path, 'w') as file_handle:
+ if path.endswith('json'):
+ serialized = json.dumps(rules, indent=4)
+ else:
+ serialized = yaml.safe_dump(rules, indent=4)
+ file_handle.write(unicode(serialized))
+ except Exception as e:
+ msg = "Unable to save policy file: %s" % repr(e)
+ LOG.error(msg)
+ return {'Error': msg}
+ ret = 'Rule {0} deleted'.format(name)
+ return ret
+
+
+def rule_set(name, rule, path, **kwargs):
+ rules = __salt__['keystone_policy.rule_list'](path, **kwargs)
+ if 'Error' not in rules:
+ if name in rules and rules[name] == rule:
+ return {name: 'Rule %s already exists and is in correct state' % name}
+ rules.update({name: rule})
+ try:
+ with io.open(path, 'w') as file_handle:
+ if path.endswith('json'):
+ serialized = json.dumps(rules, indent=4)
+ else:
+ serialized = yaml.safe_dump(rules, indent=4)
+ file_handle.write(unicode(serialized))
+ except Exception as e:
+ msg = "Unable to save policy file %s: %s" % (path, repr(e))
+ LOG.error(msg)
+ return {'Error': msg}
+ return rule_get(name, path, **kwargs)
+ return rules
+
+
+def rule_get(name, path, **kwargs):
+ ret = {}
+ rules = __salt__['keystone_policy.rule_list'](path, **kwargs)
+ if 'Error' in rules:
+ ret['Error'] = rules['Error']
+ elif name in rules:
+ ret[name] = rules.get(name)
+
+ return ret
+
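Review bot: `rule_delete` and `rule_set` open the policy file with `'w'` and serialize inside the `with` block, so the file is truncated before the new content exists and any failure between open and write leaves an empty or partial `policy.json` in place, which is the file Keystone reads for every authorization decision. Writing to a temporary file beside the target and renaming it over the original (copying the original's mode and owner first, since the rename replaces the inode) makes the update atomic; this needs `import os` added to the module's import block. `rule_delete` also returns `{}` when `rule_list` reports an error, dropping the error that `rule_set` propagates via `return rules`, and returns a plain string on success while every other path returns a dict, so callers cannot test one shape. The `_save_rules` helper below replaces the duplicated `with io.open(path, 'w')` blocks in both functions and `rule_delete` is shown with the error paths made consistent.
```python
def _save_rules(path, rules):
    '''Serialize ``rules`` and replace ``path`` atomically, keeping its mode and owner.'''
    if path.endswith('json'):
        serialized = json.dumps(rules, indent=4)
    else:
        serialized = yaml.safe_dump(rules, indent=4)
    tmp_path = path + '.tmp'
    with io.open(tmp_path, 'w') as file_handle:
        file_handle.write(unicode(serialized))
    if os.path.exists(path):
        # rename() swaps the inode, so carry over the permissions of the old file
        stat = os.stat(path)
        os.chmod(tmp_path, stat.st_mode)
        os.chown(tmp_path, stat.st_uid, stat.st_gid)
    os.rename(tmp_path, path)


def rule_delete(name, path, **kwargs):
    rules = __salt__['keystone_policy.rule_list'](path, **kwargs)
    if 'Error' in rules:
        return rules
    if name not in rules:
        return {}
    del rules[name]
    try:
        _save_rules(path, rules)
    except Exception as e:
        msg = "Unable to save policy file %s: %s" % (path, repr(e))
        LOG.error(msg)
        return {'Error': msg}
    return {name: 'Rule {0} deleted'.format(name)}
# … unchanged: rule_set, with its with-block replaced by _save_rules(path, rules) …
```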
diff --git a/_states/keystone_policy.py b/_states/keystone_policy.py
new file mode 100644
index 0000000..e7a4a6a
--- /dev/null
+++ b/_states/keystone_policy.py
@@ -0,0 +1,81 @@
+#!/usr/bin/env python
+'''
+Management of policy.json
+=========================
+
+Merge user defined hash to policy.json
+--------------------------------------
+
+.. code-block:: yaml
+
+ my_rule_present:
+ keystone_policy.rule_present:
+ - name: rule_name
+ - rule: rule
+ - path: /etc/keystone/policy.json
+
+ my_rule_absent:
+ keystone_policy.rule_absent:
+ - name: rule_name
+ - path: /etc/keystone/policy.json
+
+'''
+import logging
+
+log = logging.getLogger(__name__)
+
+
+def __virtual__():
+ return True
+
+
+def rule_present(name, rule, path, **kwargs):
+ '''
+ Ensures that the policy rule exists
+
+ :param name: Rule name
+ :param rule: Rule
+ :param path: Path to policy file
+ '''
+ rule = rule or ""
+ ret = {'name': name,
+ 'changes': {},
+ 'result': True,
+ 'comment': 'Rule "{0}" already exists and is in correct state'.format(name)}
+ rule_check = __salt__['keystone_policy.rule_get'](name, path, **kwargs)
+ if not rule_check:
+ __salt__['keystone_policy.rule_set'](name, rule, path, **kwargs)
+ ret['comment'] = 'Rule {0} has been created'.format(name)
+ ret['changes']['Rule'] = 'Rule %s: "%s" has been created' % (name, rule)
+ elif 'Error' in rule_check:
+ ret['comment'] = rule_check.get('Error')
+ ret['result'] = False
+ elif rule_check[name] != rule:
+ __salt__['keystone_policy.rule_set'](name, rule, path, **kwargs)
+ ret['comment'] = 'Rule %s has been changed' % (name,)
+ ret['changes']['Old Rule'] = '%s: "%s"' % (name, rule_check[name])
+ ret['changes']['New Rule'] = '%s: "%s"' % (name, rule)
+ return ret
+
+
+def rule_absent(name, path, **kwargs):
+ '''
+ Ensures that the policy rule does not exist
+
+ :param name: Rule name
+ :param path: Path to policy file
+ '''
+ ret = {'name': name,
+ 'changes': {},
+ 'result': True,
+ 'comment': 'Rule "{0}" is already absent'.format(name)}
+ rule_check = __salt__['keystone_policy.rule_get'](name, path, **kwargs)
+ if rule_check:
+ __salt__['keystone_policy.rule_delete'](name, path, **kwargs)
+ ret['comment'] = 'Rule {0} has been deleted'.format(name)
+ ret['changes']['Rule'] = 'Rule %s: "%s" has been deleted' % (name, rule_check[name])
+ elif 'Error' in rule_check:
+ ret['comment'] = rule_check.get('Error')
+ ret['result'] = False
+ return ret
+
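Review bot: Both `rule_present` and `rule_absent` discard the return value of `keystone_policy.rule_set` / `keystone_policy.rule_delete`, so a failed write, which the module reports as `{'Error': ...}` after `LOG.error`, is still recorded as `result: True` with a "has been created" or "has been deleted" comment and a highstate shows the policy change as applied although the file was not touched. Neither state consults `__opts__['test']` either, so `state.apply test=True` modifies `policy.json`; a state that writes a file should return `result: None` with a "would be" comment before calling the module. `rule = rule or ""` additionally turns a missing rule into an empty string, which oslo.policy parses as an unconditional allow, so if the SLS ever calls `rule_present` with an empty value the safer behaviour is to refuse it (or route it to `rule_absent`, which the README says is the intended meaning) rather than write a permit-all rule. The rewritten `rule_present` below checks the error first, honours test mode and propagates the module error; `rule_absent` needs the same three changes.
```python
def rule_present(name, rule, path, **kwargs):
    # … unchanged: docstring and ret initialisation …
    rule_check = __salt__['keystone_policy.rule_get'](name, path, **kwargs)
    if 'Error' in rule_check:
        ret['comment'] = rule_check.get('Error')
        ret['result'] = False
        return ret
    if rule_check and rule_check[name] == rule:
        return ret
    if __opts__['test']:
        ret['result'] = None
        ret['comment'] = 'Rule {0} would be set to "{1}"'.format(name, rule)
        return ret
    res = __salt__['keystone_policy.rule_set'](name, rule, path, **kwargs)
    if 'Error' in res:
        ret['comment'] = res['Error']
        ret['result'] = False
        return ret
    if not rule_check:
        ret['comment'] = 'Rule {0} has been created'.format(name)
        ret['changes']['Rule'] = 'Rule %s: "%s" has been created' % (name, rule)
    else:
        ret['comment'] = 'Rule %s has been changed' % (name,)
        ret['changes']['Old Rule'] = '%s: "%s"' % (name, rule_check[name])
        ret['changes']['New Rule'] = '%s: "%s"' % (name, rule)
    return ret
```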
diff --git a/keystone/client/project.sls b/keystone/client/project.sls
index bb0d30e..856c78f 100644
--- a/keystone/client/project.sls
+++ b/keystone/client/project.sls
@@ -3,13 +3,6 @@
{%- if client.tenant is defined %}
-keystone_salt_config:
- file.managed:
- - name: /etc/salt/minion.d/keystone.conf
- - template: jinja
- - source: salt://keystone/files/salt-minion.conf
- - mode: 600
-
keystone_client_roles:
keystone.role_present:
- names: {{ client.roles }}
@@ -17,8 +10,6 @@
- connection_password: {{ client.server.password }}
- connection_tenant: {{ client.server.tenant }}
- connection_auth_url: 'http://{{ client.server.host }}:{{ client.server.public_port }}/v2.0/'
- - require:
- - file: keystone_salt_config
{%- for tenant_name, tenant in client.get('tenant', {}).iteritems() %}
diff --git a/keystone/client/server.sls b/keystone/client/server.sls
index 4a8bfed..416590b 100644
--- a/keystone/client/server.sls
+++ b/keystone/client/server.sls
@@ -64,9 +64,9 @@
keystone_{{ server_name }}_service_{{ service_name }}_endpoint_{{ endpoint.region }}:
keystone.endpoint_present:
- name: {{ service_name }}
- - publicurl: '{{ endpoint.get('public_protocol', 'http') }}://{{ endpoint.public_address }}:{{ endpoint.public_port }}{{ endpoint.public_path }}'
- - internalurl: '{{ endpoint.get('internal_protocol', 'http') }}://{{ endpoint.internal_address }}:{{ endpoint.internal_port }}{{ endpoint.internal_path }}'
- - adminurl: '{{ endpoint.get('admin_protocol', 'http') }}://{{ endpoint.admin_address }}:{{ endpoint.admin_port }}{{ endpoint.admin_path }}'
+ - publicurl: '{{ endpoint.get('public_protocol', 'http') }}://{{ endpoint.public_address }}{% if not (endpoint.get('public_protocol', 'http') == 'https' and endpoint.public_port|int == 443) %}:{{ endpoint.public_port }}{% endif %}{{ endpoint.public_path }}'
+ - internalurl: '{{ endpoint.get('internal_protocol', 'http') }}://{{ endpoint.internal_address }}{% if not (endpoint.get('internal_protocol', 'http') == 'https' and endpoint.internal_port|int == 443) %}:{{ endpoint.internal_port }}{% endif %}{{ endpoint.internal_path }}'
+ - adminurl: '{{ endpoint.get('admin_protocol', 'http') }}://{{ endpoint.admin_address }}{% if not (endpoint.get('admin_protocol', 'http') == 'https' and endpoint.admin_port|int == 443) %}:{{ endpoint.admin_port }}{% endif %}{{ endpoint.admin_path }}'
- region: {{ endpoint.region }}
- require:
- keystone: keystone_{{ server_name }}_service_{{ service_name }}
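Review bot: The port-omission condition on the `publicurl`, `internalurl` and `adminurl` lines is the same long Jinja expression written three times, each evaluating `endpoint.get('<kind>_protocol', 'http')` twice, which is hard to read and easy to let drift when one copy is edited. A small macro defined above the loops (the enclosing `for` loops start outside this hunk) keeps one copy of the rule, and the three lines become calls such as `- publicurl: '{{ endpoint_url(endpoint.get('public_protocol', 'http'), endpoint.public_address, endpoint.public_port, endpoint.public_path) }}'`. Note the asymmetry that https on 443 drops the port while http on 80 still renders `:80`; if that is deliberate a comment on the macro saying so would help, otherwise the macro is the single place to extend.
```jinja
{#- Build "<proto>://<host>[:<port>]<path>", omitting the port for https on 443. -#}
{%- macro endpoint_url(proto, address, port, path) -%}
{{ proto }}://{{ address }}{% if not (proto == 'https' and port|int == 443) %}:{{ port }}{% endif %}{{ path }}
{%- endmacro %}
{#- … unchanged: server/service/endpoint loops … -#}
        - publicurl: '{{ endpoint_url(endpoint.get('public_protocol', 'http'), endpoint.public_address, endpoint.public_port, endpoint.public_path) }}'
        - internalurl: '{{ endpoint_url(endpoint.get('internal_protocol', 'http'), endpoint.internal_address, endpoint.internal_port, endpoint.internal_path) }}'
        - adminurl: '{{ endpoint_url(endpoint.get('admin_protocol', 'http'), endpoint.admin_address, endpoint.admin_port, endpoint.admin_path) }}'
```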
diff --git a/keystone/client/service.sls b/keystone/client/service.sls
index efdef37..40c68df 100644
--- a/keystone/client/service.sls
+++ b/keystone/client/service.sls
@@ -5,10 +5,4 @@
pkg.installed:
- names: {{ client.pkgs }}
-keystone_profile:
- file.managed:
- - name: /etc/salt/minion.d/_keystone.conf
- - source: salt://keystone/files/keystone.conf
- - template: jinja
-
-{%- endif %}
\ No newline at end of file
+{%- endif %}
diff --git a/keystone/files/_ldap.conf b/keystone/files/_ldap.conf
index 0c27708..cabf873 100644
--- a/keystone/files/_ldap.conf
+++ b/keystone/files/_ldap.conf
@@ -1,40 +1,62 @@
[ldap]
url = {{ ldap.url }}
+{%- if ldap.get('auth', True) == True %}
+{%- if ldap.bind_user is defined %}
+user = {{ ldap.bind_user }}
+{%- else %}
user = uid={{ ldap.get("uid", "keystone") }},cn=users,cn=accounts,{{ ldap.suffix }}
+{%- endif %}
password = {{ ldap.password }}
+{%- endif %}
suffix = {{ ldap.suffix }}
+query_scope = {{ ldap.get("query_scope", "one") }}
+page_size = {{ ldap.get("page_size", "0") }}
+chase_referrals = {{ ldap.get("chase_referrals", False) }}
# User mapping
+{%- if ldap.user_tree_dn is defined %}
+user_tree_dn = {{ ldap.user_tree_dn }}
+{%- else %}
user_tree_dn = cn=users,cn=accounts,{{ ldap.suffix }}
-user_objectclass = person
-user_id_attribute = uid
-user_name_attribute = uid
-user_mail_attribute = mail
+{%- endif %}
+user_objectclass = {{ ldap.get("user_objectclass", "person") }}
+user_id_attribute = {{ ldap.get("user_id_attribute", "uid") }}
+user_name_attribute = {{ ldap.get("user_name_attribute", "uid") }}
+user_mail_attribute = {{ ldap.get("user_mail_attribute", "mail") }}
+user_pass_attribute = {{ ldap.get("user_pass_attribute", "password") }}
{%- if ldap.get('read_only', True) %}
user_allow_create = false
user_allow_update = false
user_allow_delete = false
{%- endif %}
-user_enabled_attribute = nsAccountLock
-user_enabled_default = False
-user_enabled_invert = true
+user_enabled_attribute = {{ ldap.get("user_enabled_attribute", "nsAccountLock") }}
+user_enabled_default = {{ ldap.get("user_enabled_default", False) }}
+user_enabled_invert = {{ ldap.get("user_enabled_invert", True) }}
+user_enabled_mask = {{ ldap.get("user_enabled_mask", 0) }}
{%- if ldap.get('filter', {}).get('user', False) %}
user_filter = {{ ldap.filter.user }}
{%- endif %}
# Group mapping
+{%- if ldap.group_tree_dn is defined %}
+group_tree_dn = {{ ldap.group_tree_dn }}
+{%- else %}
group_tree_dn = cn=groups,cn=accounts,{{ ldap.suffix }}
-group_objectclass = groupOfNames
-group_id_attribute = cn
-group_name_attribute = cn
-group_member_attribute = member
-group_desc_attribute = description
+{%- endif %}
+group_objectclass = {{ ldap.get("group_objectclass", "groupOfNames") }}
+group_id_attribute = {{ ldap.get("group_id_attribute", "cn") }}
+group_name_attribute = {{ ldap.get("group_name_attribute", "cn") }}
+group_member_attribute = {{ ldap.get("group_member_attribute", "member") }}
+group_desc_attribute = {{ ldap.get("group_desc_attribute", "description") }}
{%- if ldap.get('read_only', True) %}
group_allow_create = false
group_allow_update = false
group_allow_delete = false
{%- endif %}
+{%- if ldap.get('filter', {}).get('group', False) %}
+group_filter = {{ ldap.filter.group }}
+{%- endif %}
{%- if ldap.tls is defined %}
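Review bot: The new `{%- if ldap.get('auth', True) == True %}` guard decides whether Keystone gets bind credentials at all, and the `== True` comparison means a pillar value spelled as the string `'true'` (or `'yes'`) is not equal to the boolean, so the `user`/`password` lines are silently dropped and Keystone binds anonymously; `{%- if ldap.get('auth', True) %}` is the idiomatic form, and a comment above it such as `# auth: false -> anonymous bind, no user/password is written` would make the consequence visible to whoever sets the pillar. The defaults now embedded with `ldap.get(...)` deserve a note where they differ from Keystone's own: `user_pass_attribute` defaults here to `password`, whereas Keystone's default is `userPassword` as far as I recall, which starts to matter once `read_only` is set to false. `user_enabled_mask = 0` and `user_enabled_default = False` are rendered straight from Python values; oslo.config parses booleans case-insensitively so that works, but a comment that `0` disables the bit-mask and that the default is compared as a string against the LDAP attribute would spare the next reader a trip to the Keystone documentation.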
diff --git a/keystone/files/grafana_dashboards/keystone_prometheus.json b/keystone/files/grafana_dashboards/keystone_prometheus.json
new file mode 100755
index 0000000..1d0e495
--- /dev/null
+++ b/keystone/files/grafana_dashboards/keystone_prometheus.json
@@ -0,0 +1,1050 @@
+{% raw %}
+{
+ "annotations": {
+ "list": []
+ },
+ "editable": true,
+ "gnetId": null,
+ "graphTooltip": 0,
+ "hideControls": false,
+ "id": null,
+ "links": [],
+ "refresh": "1m",
+ "rows": [
+ {
+ "collapse": false,
+ "height": "250px",
+ "panels": [
+ {
+ "cacheTimeout": null,
+ "colorBackground": false,
+ "colorValue": true,
+ "colors": [
+ "rgba(245, 54, 54, 0.9)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(50, 172, 45, 0.97)"
+ ],
+ "datasource": null,
+ "format": "none",
+ "gauge": {
+ "maxValue": 1,
+ "minValue": 0,
+ "show": false,
+ "thresholdLabels": false,
+ "thresholdMarkers": true
+ },
+ "id": 1,
+ "interval": null,
+ "links": [],
+ "mappingType": 1,
+ "mappingTypes": [
+ {
+ "name": "value to text",
+ "value": 1
+ },
+ {
+ "name": "range to text",
+ "value": 2
+ }
+ ],
+ "maxDataPoints": 100,
+ "nullPointMode": "connected",
+ "nullText": null,
+ "postfix": "",
+ "postfixFontSize": "50%",
+ "prefix": "",
+ "prefixFontSize": "50%",
+ "rangeMaps": [
+ {
+ "from": "null",
+ "text": "N/A",
+ "to": "null"
+ }
+ ],
+ "span": 3,
+ "sparkline": {
+ "fillColor": "rgba(31, 118, 189, 0.18)",
+ "full": false,
+ "lineColor": "rgb(31, 120, 193)",
+ "show": true
+ },
+ "tableColumn": "",
+ "targets": [
+ {
+ "expr": "min(openstack_api_check_status{service=~\"keystone.*public.*\"})",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "{{ service }}",
+ "refId": "A",
+ "step": 60
+ }
+ ],
+ "thresholds": "1,0",
+ "title": "API Availability",
+ "type": "singlestat",
+ "valueFontSize": "80%",
+ "valueMaps": [
+ {
+ "op": "=",
+ "text": "N/A",
+ "value": "null"
+ },
+ {
+ "op": "=",
+ "text": "OK",
+ "value": "1"
+ },
+ {
+ "op": "=",
+ "text": "DOWN",
+ "value": "0"
+ }
+ ],
+ "valueName": "current"
+ },
+ {
+ "cacheTimeout": null,
+ "colorBackground": false,
+ "colorValue": false,
+ "colors": [
+ "rgba(245, 54, 54, 0.9)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(50, 172, 45, 0.97)"
+ ],
+ "datasource": null,
+ "decimals": null,
+ "format": "none",
+ "gauge": {
+ "maxValue": 100,
+ "minValue": 0,
+ "show": false,
+ "thresholdLabels": false,
+ "thresholdMarkers": true
+ },
+ "id": 12,
+ "interval": null,
+ "links": [],
+ "mappingType": 1,
+ "mappingTypes": [
+ {
+ "name": "value to text",
+ "value": 1
+ },
+ {
+ "name": "range to text",
+ "value": 2
+ }
+ ],
+ "maxDataPoints": 100,
+ "nullPointMode": "connected",
+ "nullText": null,
+ "postfix": "/ sec",
+ "postfixFontSize": "50%",
+ "prefix": "",
+ "prefixFontSize": "50%",
+ "rangeMaps": [
+ {
+ "from": "null",
+ "text": "N/A",
+ "to": "null"
+ }
+ ],
+ "span": 3,
+ "sparkline": {
+ "fillColor": "rgba(31, 118, 189, 0.18)",
+ "full": false,
+ "lineColor": "rgb(31, 120, 193)",
+ "show": true
+ },
+ "tableColumn": "",
+ "targets": [
+ {
+ "expr": "sum(irate(haproxy_http_response_5xx{proxy=~\"keystone.*\",sv=\"FRONTEND\"}[5m]))",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "per sec",
+ "refId": "A",
+ "step": 60
+ }
+ ],
+ "thresholds": "",
+ "title": "HTTP 5xx errors",
+ "type": "singlestat",
+ "valueFontSize": "80%",
+ "valueMaps": [
+ {
+ "op": "=",
+ "text": "N/A",
+ "value": "null"
+ }
+ ],
+ "valueName": "current"
+ },
+ {
+ "cacheTimeout": null,
+ "colorBackground": false,
+ "colorValue": false,
+ "colors": [
+ "rgba(245, 54, 54, 0.9)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(50, 172, 45, 0.97)"
+ ],
+ "datasource": null,
+ "format": "none",
+ "gauge": {
+ "maxValue": 100,
+ "minValue": 0,
+ "show": false,
+ "thresholdLabels": false,
+ "thresholdMarkers": true
+ },
+ "id": 3,
+ "interval": null,
+ "links": [],
+ "mappingType": 1,
+ "mappingTypes": [
+ {
+ "name": "value to text",
+ "value": 1
+ },
+ {
+ "name": "range to text",
+ "value": 2
+ }
+ ],
+ "maxDataPoints": 100,
+ "nullPointMode": "connected",
+ "nullText": null,
+ "postfix": "",
+ "postfixFontSize": "50%",
+ "prefix": "",
+ "prefixFontSize": "50%",
+ "rangeMaps": [
+ {
+ "from": "null",
+ "text": "N/A",
+ "to": "null"
+ }
+ ],
+ "span": 3,
+ "sparkline": {
+ "fillColor": "rgba(31, 118, 189, 0.18)",
+ "full": false,
+ "lineColor": "rgb(31, 120, 193)",
+ "show": true
+ },
+ "tableColumn": "",
+ "targets": [
+ {
+ "expr": "min(haproxy_active_servers{proxy=~\"keystone.*public.*\", sv=\"BACKEND\"})",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "",
+ "refId": "A",
+ "step": 60
+ }
+ ],
+ "thresholds": "",
+ "title": "Public API backends",
+ "type": "singlestat",
+ "valueFontSize": "80%",
+ "valueMaps": [
+ {
+ "op": "=",
+ "text": "N/A",
+ "value": "null"
+ }
+ ],
+ "valueName": "current"
+ },
+ {
+ "cacheTimeout": null,
+ "colorBackground": false,
+ "colorValue": false,
+ "colors": [
+ "rgba(245, 54, 54, 0.9)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(50, 172, 45, 0.97)"
+ ],
+ "datasource": null,
+ "format": "none",
+ "gauge": {
+ "maxValue": 100,
+ "minValue": 0,
+ "show": false,
+ "thresholdLabels": false,
+ "thresholdMarkers": true
+ },
+ "id": 4,
+ "interval": null,
+ "links": [],
+ "mappingType": 1,
+ "mappingTypes": [
+ {
+ "name": "value to text",
+ "value": 1
+ },
+ {
+ "name": "range to text",
+ "value": 2
+ }
+ ],
+ "maxDataPoints": 100,
+ "nullPointMode": "connected",
+ "nullText": null,
+ "postfix": "",
+ "postfixFontSize": "50%",
+ "prefix": "",
+ "prefixFontSize": "50%",
+ "rangeMaps": [
+ {
+ "from": "null",
+ "text": "N/A",
+ "to": "null"
+ }
+ ],
+ "span": 3,
+ "sparkline": {
+ "fillColor": "rgba(31, 118, 189, 0.18)",
+ "full": false,
+ "lineColor": "rgb(31, 120, 193)",
+ "show": true
+ },
+ "tableColumn": "",
+ "targets": [
+ {
+ "expr": "min(haproxy_active_servers{proxy=~\"keystone.*admin.*\", sv=\"BACKEND\"})",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "",
+ "refId": "A",
+ "step": 60
+ }
+ ],
+ "thresholds": "",
+ "title": "Admin API backends",
+ "type": "singlestat",
+ "valueFontSize": "80%",
+ "valueMaps": [
+ {
+ "op": "=",
+ "text": "N/A",
+ "value": "null"
+ }
+ ],
+ "valueName": "current"
+ }
+ ],
+ "repeat": null,
+ "repeatIteration": null,
+ "repeatRowId": null,
+ "showTitle": true,
+ "title": "Service Status",
+ "titleSize": "h6"
+ },
+ {
+ "collapse": false,
+ "height": "250",
+ "panels": [
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": null,
+ "fill": 1,
+ "id": 13,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "span": 6,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "sum(openstack_keystone_http_response_times_rate{host=~\"^$host$\"}) by (http_status)",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "{{ http_status }}",
+ "refId": "A",
+ "step": 10
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Throughput",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "ops",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": "0",
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ]
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": null,
+ "fill": 1,
+ "id": 14,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "span": 6,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "max(openstack_keystone_http_response_times_upper_90{host=~\"^$host$\"}) by (http_method)",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "{{ http_method }}",
+ "refId": "A",
+ "step": 10
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Latency",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "s",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": "0",
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ]
+ }
+ ],
+ "repeat": null,
+ "repeatIteration": null,
+ "repeatRowId": null,
+ "showTitle": true,
+ "title": "API Performances",
+ "titleSize": "h6"
+ },
+ {
+ "collapse": false,
+ "height": 250,
+ "panels": [
+ {
+ "cacheTimeout": null,
+ "colorBackground": false,
+ "colorValue": false,
+ "colors": [
+ "rgba(245, 54, 54, 0.9)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(50, 172, 45, 0.97)"
+ ],
+ "datasource": null,
+ "format": "none",
+ "gauge": {
+ "maxValue": 100,
+ "minValue": 0,
+ "show": false,
+ "thresholdLabels": false,
+ "thresholdMarkers": true
+ },
+ "id": 7,
+ "interval": null,
+ "links": [],
+ "mappingType": 1,
+ "mappingTypes": [
+ {
+ "name": "value to text",
+ "value": 1
+ },
+ {
+ "name": "range to text",
+ "value": 2
+ }
+ ],
+ "maxDataPoints": 100,
+ "nullPointMode": "connected",
+ "nullText": null,
+ "postfix": "",
+ "postfixFontSize": "50%",
+ "prefix": "",
+ "prefixFontSize": "50%",
+ "rangeMaps": [
+ {
+ "from": "null",
+ "text": "N/A",
+ "to": "null"
+ }
+ ],
+ "span": 2,
+ "sparkline": {
+ "fillColor": "rgba(31, 118, 189, 0.18)",
+ "full": false,
+ "lineColor": "rgb(31, 120, 193)",
+ "show": false
+ },
+ "tableColumn": "",
+ "targets": [
+ {
+ "expr": "max(openstack_keystone_users{state=\"enabled\"})",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "",
+ "metric": "openstack_keystone_users_total",
+ "refId": "A",
+ "step": 60
+ }
+ ],
+ "thresholds": "",
+ "title": "Active Users",
+ "type": "singlestat",
+ "valueFontSize": "80%",
+ "valueMaps": [
+ {
+ "op": "=",
+ "text": "N/A",
+ "value": "null"
+ }
+ ],
+ "valueName": "current"
+ },
+ {
+ "cacheTimeout": null,
+ "colorBackground": false,
+ "colorValue": false,
+ "colors": [
+ "rgba(245, 54, 54, 0.9)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(50, 172, 45, 0.97)"
+ ],
+ "datasource": null,
+ "format": "none",
+ "gauge": {
+ "maxValue": 100,
+ "minValue": 0,
+ "show": false,
+ "thresholdLabels": false,
+ "thresholdMarkers": true
+ },
+ "id": 8,
+ "interval": null,
+ "links": [],
+ "mappingType": 1,
+ "mappingTypes": [
+ {
+ "name": "value to text",
+ "value": 1
+ },
+ {
+ "name": "range to text",
+ "value": 2
+ }
+ ],
+ "maxDataPoints": 100,
+ "nullPointMode": "connected",
+ "nullText": null,
+ "postfix": "",
+ "postfixFontSize": "50%",
+ "prefix": "",
+ "prefixFontSize": "50%",
+ "rangeMaps": [
+ {
+ "from": "null",
+ "text": "N/A",
+ "to": "null"
+ }
+ ],
+ "span": 2,
+ "sparkline": {
+ "fillColor": "rgba(31, 118, 189, 0.18)",
+ "full": false,
+ "lineColor": "rgb(31, 120, 193)",
+ "show": false
+ },
+ "tableColumn": "",
+ "targets": [
+ {
+ "expr": "max(openstack_keystone_users{state=\"disabled\"})",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "",
+ "metric": "openstack_keystone_users_total",
+ "refId": "A",
+ "step": 60
+ }
+ ],
+ "thresholds": "",
+ "title": "Disabled Users",
+ "type": "singlestat",
+ "valueFontSize": "80%",
+ "valueMaps": [
+ {
+ "op": "=",
+ "text": "N/A",
+ "value": "null"
+ }
+ ],
+ "valueName": "current"
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": null,
+ "fill": 1,
+ "id": 6,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "span": 8,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "max(openstack_keystone_users) by (state)",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "{{ state }}",
+ "metric": "openstack_keystone_users",
+ "refId": "A",
+ "step": 4
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Users",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ]
+ },
+ {
+ "cacheTimeout": null,
+ "colorBackground": false,
+ "colorValue": false,
+ "colors": [
+ "rgba(245, 54, 54, 0.9)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(50, 172, 45, 0.97)"
+ ],
+ "datasource": null,
+ "format": "none",
+ "gauge": {
+ "maxValue": 100,
+ "minValue": 0,
+ "show": false,
+ "thresholdLabels": false,
+ "thresholdMarkers": true
+ },
+ "id": 9,
+ "interval": null,
+ "links": [],
+ "mappingType": 1,
+ "mappingTypes": [
+ {
+ "name": "value to text",
+ "value": 1
+ },
+ {
+ "name": "range to text",
+ "value": 2
+ }
+ ],
+ "maxDataPoints": 100,
+ "nullPointMode": "connected",
+ "nullText": null,
+ "postfix": "",
+ "postfixFontSize": "50%",
+ "prefix": "",
+ "prefixFontSize": "50%",
+ "rangeMaps": [
+ {
+ "from": "null",
+ "text": "N/A",
+ "to": "null"
+ }
+ ],
+ "span": 2,
+ "sparkline": {
+ "fillColor": "rgba(31, 118, 189, 0.18)",
+ "full": false,
+ "lineColor": "rgb(31, 120, 193)",
+ "show": false
+ },
+ "tableColumn": "",
+ "targets": [
+ {
+ "expr": "max(openstack_keystone_tenants{state=\"enabled\"})",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "",
+ "metric": "",
+ "refId": "A",
+ "step": 60
+ }
+ ],
+ "thresholds": "",
+ "title": "Active Tenants",
+ "type": "singlestat",
+ "valueFontSize": "80%",
+ "valueMaps": [
+ {
+ "op": "=",
+ "text": "N/A",
+ "value": "null"
+ }
+ ],
+ "valueName": "current"
+ },
+ {
+ "cacheTimeout": null,
+ "colorBackground": false,
+ "colorValue": false,
+ "colors": [
+ "rgba(245, 54, 54, 0.9)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(50, 172, 45, 0.97)"
+ ],
+ "datasource": null,
+ "format": "none",
+ "gauge": {
+ "maxValue": 100,
+ "minValue": 0,
+ "show": false,
+ "thresholdLabels": false,
+ "thresholdMarkers": true
+ },
+ "id": 10,
+ "interval": null,
+ "links": [],
+ "mappingType": 1,
+ "mappingTypes": [
+ {
+ "name": "value to text",
+ "value": 1
+ },
+ {
+ "name": "range to text",
+ "value": 2
+ }
+ ],
+ "maxDataPoints": 100,
+ "nullPointMode": "connected",
+ "nullText": null,
+ "postfix": "",
+ "postfixFontSize": "50%",
+ "prefix": "",
+ "prefixFontSize": "50%",
+ "rangeMaps": [
+ {
+ "from": "null",
+ "text": "N/A",
+ "to": "null"
+ }
+ ],
+ "span": 2,
+ "sparkline": {
+ "fillColor": "rgba(31, 118, 189, 0.18)",
+ "full": false,
+ "lineColor": "rgb(31, 120, 193)",
+ "show": false
+ },
+ "tableColumn": "",
+ "targets": [
+ {
+ "expr": "max(openstack_keystone_tenants{state=\"disabled\"})",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "",
+ "metric": "openstack_keystone_users_total",
+ "refId": "A",
+ "step": 60
+ }
+ ],
+ "thresholds": "",
+ "title": "Disabled Tenants",
+ "type": "singlestat",
+ "valueFontSize": "80%",
+ "valueMaps": [
+ {
+ "op": "=",
+ "text": "N/A",
+ "value": "null"
+ }
+ ],
+ "valueName": "current"
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": null,
+ "fill": 1,
+ "id": 11,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "span": 8,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "max(openstack_keystone_tenants) by (state)",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "{{ state }}",
+ "metric": "openstack_keystone_users",
+ "refId": "A",
+ "step": 4
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Tenants",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ]
+ }
+ ],
+ "repeat": null,
+ "repeatIteration": null,
+ "repeatRowId": null,
+ "showTitle": true,
+ "title": "Resources",
+ "titleSize": "h6"
+ }
+ ],
+ "schemaVersion": 14,
+ "sharedCrosshair": true,
+ "style": "dark",
+ "tags": [],
+ "templating": {
+ "list": [
+ {
+ "allValue": null,
+ "current": {},
+ "datasource": "prometheus",
+ "hide": 0,
+ "includeAll": true,
+ "label": null,
+ "multi": true,
+ "name": "host",
+ "options": [],
+ "query": "label_values(openstack_keystone_http_response_times_count,host)",
+ "refresh": 1,
+ "refresh_on_load": true,
+ "regex": "",
+ "sort": 1,
+ "tagValuesQuery": "",
+ "tags": [],
+ "tagsQuery": "",
+ "type": "query",
+ "useTags": false
+ }
+ ]
+ },
+ "time": {
+ "from": "now-1h",
+ "to": "now"
+ },
+ "timepicker": {
+ "refresh_intervals": [
+ "5s",
+ "10s",
+ "30s",
+ "1m",
+ "5m",
+ "15m",
+ "30m",
+ "1h",
+ "2h",
+ "1d"
+ ],
+ "time_options": [
+ "5m",
+ "15m",
+ "1h",
+ "6h",
+ "12h",
+ "24h",
+ "2d",
+ "7d",
+ "30d"
+ ]
+ },
+ "timezone": "browser",
+ "title": "Keystone",
+ "version": 29
+}
+{% endraw %}
diff --git a/keystone/files/juno/keystone.conf.Debian b/keystone/files/juno/keystone.conf.Debian
index 4d2b9a8..fa7a75e 100644
--- a/keystone/files/juno/keystone.conf.Debian
+++ b/keystone/files/juno/keystone.conf.Debian
@@ -79,7 +79,7 @@
# Enforced by optional sizelimit middleware
# (keystone.middleware:RequestBodySizeLimiter). (integer
# value)
-#max_request_body_size=114688
+max_request_body_size= {{ server.max_request_body_size }}
# Limit the sizes of user & project ID/names. (integer value)
#max_param_size=64
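Review bot: `max_request_body_size= {{ server.max_request_body_size }}` is rendered unconditionally, so the juno template now requires `server.max_request_body_size` to exist in the merged map/pillar for every deployment; if map.jinja does not carry the former default of 114688, rendering fails with an undefined-variable error (or emits an empty value, depending on the renderer's undefined handling) for any pillar that does not set it. The kilo template's `max_request_body_size= {{ server.max_request_body_size }}` in the @@ -1151 hunk below has the same dependency. Either confirm map.jinja supplies the default, or guard it the way the other new blocks in this commit do: `{%- if server.max_request_body_size is defined %}` / `max_request_body_size = {{ server.max_request_body_size }}` / `{%- endif %}`. The `key= {{` spacing also differs from `hash_algorithm = {{ ... }}` added in the next hunk; `max_request_body_size = {{ ... }}` keeps both files consistent.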
@@ -1625,6 +1625,7 @@
# configured with the hash_algorithms, otherwise token
# revocation will not be processed correctly. (string value)
#hash_algorithm=md5
+hash_algorithm = {{ server.hash_algorithm }}
[trust]
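Review bot: `hash_algorithm = {{ server.hash_algorithm }}` is emitted with no `is defined` guard, so a missing `server.hash_algorithm` in the merged defaults breaks rendering of this file; the kilo template's `hash_algorithm = {{ server.hash_algorithm }}` in its @@ -1458 hunk is the same. The option's own comment just above says the auth_token middleware of every consuming service must be configured with the same hash_algorithms or token revocation is not processed correctly, and the template gives an operator no hint of that cross-service coupling when they set the pillar value. A Jinja comment above the line would carry that: `{#- must match hash_algorithms in the auth_token middleware of consuming services, otherwise revocation breaks #}`. If the map.jinja default is still the upstream `md5`, a stronger default such as `sha256` is worth considering for new deployments, with the caveat that changing it must be rolled out together with the services' auth_token configuration.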
diff --git a/keystone/files/juno/policy-v2.json b/keystone/files/juno/policy-v2.json
deleted file mode 100644
index af65205..0000000
--- a/keystone/files/juno/policy-v2.json
+++ /dev/null
@@ -1,171 +0,0 @@
-{
- "admin_required": "role:admin or is_admin:1",
- "service_role": "role:service",
- "service_or_admin": "rule:admin_required or rule:service_role",
- "owner" : "user_id:%(user_id)s",
- "admin_or_owner": "rule:admin_required or rule:owner",
-
- "default": "rule:admin_required",
-
- "identity:get_region": "",
- "identity:list_regions": "",
- "identity:create_region": "rule:admin_required",
- "identity:update_region": "rule:admin_required",
- "identity:delete_region": "rule:admin_required",
-
- "identity:get_service": "rule:admin_required",
- "identity:list_services": "rule:admin_required",
- "identity:create_service": "rule:admin_required",
- "identity:update_service": "rule:admin_required",
- "identity:delete_service": "rule:admin_required",
-
- "identity:get_endpoint": "rule:admin_required",
- "identity:list_endpoints": "rule:admin_required",
- "identity:create_endpoint": "rule:admin_required",
- "identity:update_endpoint": "rule:admin_required",
- "identity:delete_endpoint": "rule:admin_required",
-
- "identity:get_domain": "rule:admin_required",
- "identity:list_domains": "rule:admin_required",
- "identity:create_domain": "rule:admin_required",
- "identity:update_domain": "rule:admin_required",
- "identity:delete_domain": "rule:admin_required",
-
- "identity:get_project": "rule:admin_required",
- "identity:list_projects": "rule:admin_required",
- "identity:list_user_projects": "rule:admin_or_owner",
- "identity:create_project": "rule:admin_required",
- "identity:update_project": "rule:admin_required",
- "identity:delete_project": "rule:admin_required",
-
- "identity:get_user": "rule:admin_required",
- "identity:list_users": "rule:admin_required",
- "identity:create_user": "rule:admin_required",
- "identity:update_user": "rule:admin_required",
- "identity:delete_user": "rule:admin_required",
- "identity:change_password": "rule:admin_or_owner",
-
- "identity:get_group": "rule:admin_required",
- "identity:list_groups": "rule:admin_required",
- "identity:list_groups_for_user": "rule:admin_or_owner",
- "identity:create_group": "rule:admin_required",
- "identity:update_group": "rule:admin_required",
- "identity:delete_group": "rule:admin_required",
- "identity:list_users_in_group": "rule:admin_required",
- "identity:remove_user_from_group": "rule:admin_required",
- "identity:check_user_in_group": "rule:admin_required",
- "identity:add_user_to_group": "rule:admin_required",
-
- "identity:get_credential": "rule:admin_required",
- "identity:list_credentials": "rule:admin_required",
- "identity:create_credential": "rule:admin_required",
- "identity:update_credential": "rule:admin_required",
- "identity:delete_credential": "rule:admin_required",
-
- "identity:ec2_get_credential": "rule:admin_or_owner",
- "identity:ec2_list_credentials": "rule:admin_or_owner",
- "identity:ec2_create_credential": "rule:admin_or_owner",
- "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
-
- "identity:get_role": "rule:admin_required",
- "identity:list_roles": "rule:admin_required",
- "identity:create_role": "rule:admin_required",
- "identity:update_role": "rule:admin_required",
- "identity:delete_role": "rule:admin_required",
-
- "identity:check_grant": "rule:admin_required",
- "identity:list_grants": "rule:admin_required",
- "identity:create_grant": "rule:admin_required",
- "identity:revoke_grant": "rule:admin_required",
-
- "identity:list_role_assignments": "rule:admin_required",
-
- "identity:get_policy": "rule:admin_required",
- "identity:list_policies": "rule:admin_required",
- "identity:create_policy": "rule:admin_required",
- "identity:update_policy": "rule:admin_required",
- "identity:delete_policy": "rule:admin_required",
-
- "identity:check_token": "rule:admin_required",
- "identity:validate_token": "rule:service_or_admin",
- "identity:validate_token_head": "rule:service_or_admin",
- "identity:revocation_list": "rule:service_or_admin",
- "identity:revoke_token": "rule:admin_or_owner",
-
- "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
- "identity:get_trust": "rule:admin_or_owner",
- "identity:list_trusts": "",
- "identity:list_roles_for_trust": "",
- "identity:check_role_for_trust": "",
- "identity:get_role_for_trust": "",
- "identity:delete_trust": "",
-
- "identity:create_consumer": "rule:admin_required",
- "identity:get_consumer": "rule:admin_required",
- "identity:list_consumers": "rule:admin_required",
- "identity:delete_consumer": "rule:admin_required",
- "identity:update_consumer": "rule:admin_required",
-
- "identity:authorize_request_token": "rule:admin_required",
- "identity:list_access_token_roles": "rule:admin_required",
- "identity:get_access_token_role": "rule:admin_required",
- "identity:list_access_tokens": "rule:admin_required",
- "identity:get_access_token": "rule:admin_required",
- "identity:delete_access_token": "rule:admin_required",
-
- "identity:list_projects_for_endpoint": "rule:admin_required",
- "identity:add_endpoint_to_project": "rule:admin_required",
- "identity:check_endpoint_in_project": "rule:admin_required",
- "identity:list_endpoints_for_project": "rule:admin_required",
- "identity:remove_endpoint_from_project": "rule:admin_required",
-
- "identity:create_endpoint_group": "rule:admin_required",
- "identity:list_endpoint_groups": "rule:admin_required",
- "identity:get_endpoint_group": "rule:admin_required",
- "identity:update_endpoint_group": "rule:admin_required",
- "identity:delete_endpoint_group": "rule:admin_required",
- "identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
- "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
- "identity:list_endpoint_groups_for_project": "rule:admin_required",
- "identity:add_endpoint_group_to_project": "rule:admin_required",
- "identity:remove_endpoint_group_from_project": "rule:admin_required",
-
- "identity:create_identity_provider": "rule:admin_required",
- "identity:list_identity_providers": "rule:admin_required",
- "identity:get_identity_providers": "rule:admin_required",
- "identity:update_identity_provider": "rule:admin_required",
- "identity:delete_identity_provider": "rule:admin_required",
-
- "identity:create_protocol": "rule:admin_required",
- "identity:update_protocol": "rule:admin_required",
- "identity:get_protocol": "rule:admin_required",
- "identity:list_protocols": "rule:admin_required",
- "identity:delete_protocol": "rule:admin_required",
-
- "identity:create_mapping": "rule:admin_required",
- "identity:get_mapping": "rule:admin_required",
- "identity:list_mappings": "rule:admin_required",
- "identity:delete_mapping": "rule:admin_required",
- "identity:update_mapping": "rule:admin_required",
-
- "identity:get_auth_catalog": "",
- "identity:get_auth_projects": "",
- "identity:get_auth_domains": "",
-
- "identity:list_projects_for_groups": "",
- "identity:list_domains_for_groups": "",
-
- "identity:list_revoke_events": "",
-
- "identity:create_policy_association_for_endpoint": "rule:admin_required",
- "identity:check_policy_association_for_endpoint": "rule:admin_required",
- "identity:delete_policy_association_for_endpoint": "rule:admin_required",
- "identity:create_policy_association_for_service": "rule:admin_required",
- "identity:check_policy_association_for_service": "rule:admin_required",
- "identity:delete_policy_association_for_service": "rule:admin_required",
- "identity:create_policy_association_for_region_and_service": "rule:admin_required",
- "identity:check_policy_association_for_region_and_service": "rule:admin_required",
- "identity:delete_policy_association_for_region_and_service": "rule:admin_required",
- "identity:get_policy_for_endpoint": "rule:admin_required",
- "identity:list_endpoints_for_policy": "rule:admin_required"
-}
diff --git a/keystone/files/keystone.conf b/keystone/files/keystone.conf
deleted file mode 100644
index e6c9de2..0000000
--- a/keystone/files/keystone.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-{%- from "keystone/map.jinja" import client with context %}
-{%- for profile_name, identity in client.server.iteritems() %}
-
-{%- if identity.admin.get('protocol', 'http') == 'http' %}
-{%- set protocol = 'http' %}
-{%- else %}
-{%- set protocol = 'https' %}
-{%- endif %}
-
-{%- if identity.admin.get('api_version', '2') == '3' %}
-{%- set version = "v3" %}
-{%- else %}
-{%- set version = "v2.0" %}
-{%- endif %}
-
-{%- if identity.admin.user is defined %}
-
-{%- if identity.admin.token is not defined %}
-
-{{ profile_name }}:
- keystone.user: '{{ identity.admin.user }}'
- keystone.password: '{{ identity.admin.password }}'
- keystone.tenant: '{{ identity.admin.project }}'
- keystone.auth_url: '{{ protocol+'://'+identity.admin.host+':'+identity.admin.port|string+'/'+version }}'
- keystone.region_name: '{{ identity.admin.region_name }}'
-
-{%- endif %}
-
-{%- endif %}
-
-{%- endfor %}
diff --git a/keystone/files/keystone.domain.conf b/keystone/files/keystone.domain.conf
index 00b6200..46408eb 100644
--- a/keystone/files/keystone.domain.conf
+++ b/keystone/files/keystone.domain.conf
@@ -12,6 +12,9 @@
{%- else %}
driver = keystone.identity.backends.sql.Identity
{%- endif %}
+{%- if domain.get('identity',{}).list_limit is defined %}
+list_limit = {{ domain.identity.list_limit }}
+{%- endif %}
[assignment]
{%- if domain.get("assignment", {}).get("backend", "sql") == "ldap" %}
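Review bot: `{%- if domain.get('identity',{}).list_limit is defined %}` mixes single quotes and drops the space after the comma, while the existing `{%- if domain.get("assignment", {}).get("backend", "sql") == "ldap" %}` a few lines below uses double quotes and a space; `{%- if domain.get("identity", {}).list_limit is defined %}` keeps the file consistent. Because the tag uses `{%-`, the blank line before it is stripped and `list_limit` is written directly under `driver = ...` in the `[identity]` section, which the ini parser accepts but is worth knowing when reading the rendered file. The `[identity]` section header lies outside the hunk.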
diff --git a/keystone/files/keystonercv3 b/keystone/files/keystonercv3
index 4152b58..9da173c 100644
--- a/keystone/files/keystonercv3
+++ b/keystone/files/keystonercv3
@@ -1,8 +1,8 @@
{%- from "keystone/map.jinja" import server with context %}
export OS_IDENTITY_API_VERSION=3
export OS_AUTH_URL=http://{{ server.bind.private_address }}:{{ server.bind.private_port }}/v3
-export OS_PROJECT_DOMAIN_NAME=default
-export OS_USER_DOMAIN_NAME=default
+export OS_PROJECT_DOMAIN_NAME=Default
+export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME={{ server.admin_tenant }}
export OS_TENANT_NAME={{ server.admin_tenant }}
export OS_USERNAME={{ server.admin_name }}
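Review bot: `export OS_PROJECT_DOMAIN_NAME=Default` and `export OS_USER_DOMAIN_NAME=Default` remain hard-coded while every other value in this file is taken from `server`; the change itself is right for the stock default domain, whose name is `Default` and whose id is `default`, and domain names are matched case-sensitively. An admin user or project created in any other domain would still be scoped to the wrong domain by this rc file. Deriving both exports from a pillar-provided admin domain key with `Default` as the fallback would keep the file consistent with the rest of the template; I am not proposing a key name since the pillar schema is not visible here.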
diff --git a/keystone/files/kilo/keystone.conf.Debian b/keystone/files/kilo/keystone.conf.Debian
index 0e59b15..09e0cec 100644
--- a/keystone/files/kilo/keystone.conf.Debian
+++ b/keystone/files/kilo/keystone.conf.Debian
@@ -1151,7 +1151,7 @@
# The maximum body size for each request, in bytes. (integer value)
# Deprecated group/name - [DEFAULT]/osapi_max_request_body_size
# Deprecated group/name - [DEFAULT]/max_request_body_size
-#max_request_body_size = 114688
+max_request_body_size= {{ server.max_request_body_size }}
[oslo_policy]
@@ -1458,6 +1458,7 @@
# middleware must be configured with the hash_algorithms, otherwise token
# revocation will not be processed correctly. (string value)
#hash_algorithm = md5
+hash_algorithm = {{ server.hash_algorithm }}
[trust]
diff --git a/keystone/files/kilo/policy-v2.json b/keystone/files/kilo/policy-v2.json
deleted file mode 100644
index 2b88c53..0000000
--- a/keystone/files/kilo/policy-v2.json
+++ /dev/null
@@ -1,184 +0,0 @@
-{
- "admin_required": "role:admin or is_admin:1",
- "service_role": "role:service",
- "service_or_admin": "rule:admin_required or rule:service_role",
- "owner" : "user_id:%(user_id)s",
- "admin_or_owner": "rule:admin_required or rule:owner",
- "token_subject": "user_id:%(target.token.user_id)s",
- "admin_or_token_subject": "rule:admin_required or rule:token_subject",
- "service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject",
-
- "default": "rule:admin_required",
-
- "identity:get_region": "",
- "identity:list_regions": "",
- "identity:create_region": "rule:admin_required",
- "identity:update_region": "rule:admin_required",
- "identity:delete_region": "rule:admin_required",
-
- "identity:get_service": "rule:admin_required",
- "identity:list_services": "rule:admin_required",
- "identity:create_service": "rule:admin_required",
- "identity:update_service": "rule:admin_required",
- "identity:delete_service": "rule:admin_required",
-
- "identity:get_endpoint": "rule:admin_required",
- "identity:list_endpoints": "rule:admin_required",
- "identity:create_endpoint": "rule:admin_required",
- "identity:update_endpoint": "rule:admin_required",
- "identity:delete_endpoint": "rule:admin_required",
-
- "identity:get_domain": "rule:admin_required",
- "identity:list_domains": "rule:admin_required",
- "identity:create_domain": "rule:admin_required",
- "identity:update_domain": "rule:admin_required",
- "identity:delete_domain": "rule:admin_required",
-
- "identity:get_project": "rule:admin_required",
- "identity:list_projects": "rule:admin_required",
- "identity:list_user_projects": "rule:admin_or_owner",
- "identity:create_project": "rule:admin_required",
- "identity:update_project": "rule:admin_required",
- "identity:delete_project": "rule:admin_required",
-
- "identity:get_user": "rule:admin_required",
- "identity:list_users": "rule:admin_required",
- "identity:create_user": "rule:admin_required",
- "identity:update_user": "rule:admin_required",
- "identity:delete_user": "rule:admin_required",
- "identity:change_password": "rule:admin_or_owner",
-
- "identity:get_group": "rule:admin_required",
- "identity:list_groups": "rule:admin_required",
- "identity:list_groups_for_user": "rule:admin_or_owner",
- "identity:create_group": "rule:admin_required",
- "identity:update_group": "rule:admin_required",
- "identity:delete_group": "rule:admin_required",
- "identity:list_users_in_group": "rule:admin_required",
- "identity:remove_user_from_group": "rule:admin_required",
- "identity:check_user_in_group": "rule:admin_required",
- "identity:add_user_to_group": "rule:admin_required",
-
- "identity:get_credential": "rule:admin_required",
- "identity:list_credentials": "rule:admin_required",
- "identity:create_credential": "rule:admin_required",
- "identity:update_credential": "rule:admin_required",
- "identity:delete_credential": "rule:admin_required",
-
- "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
- "identity:ec2_list_credentials": "rule:admin_or_owner",
- "identity:ec2_create_credential": "rule:admin_or_owner",
- "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
-
- "identity:get_role": "rule:admin_required",
- "identity:list_roles": "rule:admin_required",
- "identity:create_role": "rule:admin_required",
- "identity:update_role": "rule:admin_required",
- "identity:delete_role": "rule:admin_required",
-
- "identity:check_grant": "rule:admin_required",
- "identity:list_grants": "rule:admin_required",
- "identity:create_grant": "rule:admin_required",
- "identity:revoke_grant": "rule:admin_required",
-
- "identity:list_role_assignments": "rule:admin_required",
-
- "identity:get_policy": "rule:admin_required",
- "identity:list_policies": "rule:admin_required",
- "identity:create_policy": "rule:admin_required",
- "identity:update_policy": "rule:admin_required",
- "identity:delete_policy": "rule:admin_required",
-
- "identity:check_token": "rule:admin_or_token_subject",
- "identity:validate_token": "rule:service_admin_or_token_subject",
- "identity:validate_token_head": "rule:service_or_admin",
- "identity:revocation_list": "rule:service_or_admin",
- "identity:revoke_token": "rule:admin_or_token_subject",
-
- "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
- "identity:list_trusts": "",
- "identity:list_roles_for_trust": "",
- "identity:get_role_for_trust": "",
- "identity:delete_trust": "",
-
- "identity:create_consumer": "rule:admin_required",
- "identity:get_consumer": "rule:admin_required",
- "identity:list_consumers": "rule:admin_required",
- "identity:delete_consumer": "rule:admin_required",
- "identity:update_consumer": "rule:admin_required",
-
- "identity:authorize_request_token": "rule:admin_required",
- "identity:list_access_token_roles": "rule:admin_required",
- "identity:get_access_token_role": "rule:admin_required",
- "identity:list_access_tokens": "rule:admin_required",
- "identity:get_access_token": "rule:admin_required",
- "identity:delete_access_token": "rule:admin_required",
-
- "identity:list_projects_for_endpoint": "rule:admin_required",
- "identity:add_endpoint_to_project": "rule:admin_required",
- "identity:check_endpoint_in_project": "rule:admin_required",
- "identity:list_endpoints_for_project": "rule:admin_required",
- "identity:remove_endpoint_from_project": "rule:admin_required",
-
- "identity:create_endpoint_group": "rule:admin_required",
- "identity:list_endpoint_groups": "rule:admin_required",
- "identity:get_endpoint_group": "rule:admin_required",
- "identity:update_endpoint_group": "rule:admin_required",
- "identity:delete_endpoint_group": "rule:admin_required",
- "identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
- "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
- "identity:get_endpoint_group_in_project": "rule:admin_required",
- "identity:list_endpoint_groups_for_project": "rule:admin_required",
- "identity:add_endpoint_group_to_project": "rule:admin_required",
- "identity:remove_endpoint_group_from_project": "rule:admin_required",
-
- "identity:create_identity_provider": "rule:admin_required",
- "identity:list_identity_providers": "rule:admin_required",
- "identity:get_identity_providers": "rule:admin_required",
- "identity:update_identity_provider": "rule:admin_required",
- "identity:delete_identity_provider": "rule:admin_required",
-
- "identity:create_protocol": "rule:admin_required",
- "identity:update_protocol": "rule:admin_required",
- "identity:get_protocol": "rule:admin_required",
- "identity:list_protocols": "rule:admin_required",
- "identity:delete_protocol": "rule:admin_required",
-
- "identity:create_mapping": "rule:admin_required",
- "identity:get_mapping": "rule:admin_required",
- "identity:list_mappings": "rule:admin_required",
- "identity:delete_mapping": "rule:admin_required",
- "identity:update_mapping": "rule:admin_required",
-
- "identity:create_service_provider": "rule:admin_required",
- "identity:list_service_providers": "rule:admin_required",
- "identity:get_service_provider": "rule:admin_required",
- "identity:update_service_provider": "rule:admin_required",
- "identity:delete_service_provider": "rule:admin_required",
-
- "identity:get_auth_catalog": "",
- "identity:get_auth_projects": "",
- "identity:get_auth_domains": "",
-
- "identity:list_projects_for_groups": "",
- "identity:list_domains_for_groups": "",
-
- "identity:list_revoke_events": "",
-
- "identity:create_policy_association_for_endpoint": "rule:admin_required",
- "identity:check_policy_association_for_endpoint": "rule:admin_required",
- "identity:delete_policy_association_for_endpoint": "rule:admin_required",
- "identity:create_policy_association_for_service": "rule:admin_required",
- "identity:check_policy_association_for_service": "rule:admin_required",
- "identity:delete_policy_association_for_service": "rule:admin_required",
- "identity:create_policy_association_for_region_and_service": "rule:admin_required",
- "identity:check_policy_association_for_region_and_service": "rule:admin_required",
- "identity:delete_policy_association_for_region_and_service": "rule:admin_required",
- "identity:get_policy_for_endpoint": "rule:admin_required",
- "identity:list_endpoints_for_policy": "rule:admin_required",
-
- "identity:create_domain_config": "rule:admin_required",
- "identity:get_domain_config": "rule:admin_required",
- "identity:update_domain_config": "rule:admin_required",
- "identity:delete_domain_config": "rule:admin_required"
-}
\ No newline at end of file
diff --git a/keystone/files/kilo/policy-v3.json b/keystone/files/kilo/policy-v3.json
deleted file mode 100644
index d0e3e64..0000000
--- a/keystone/files/kilo/policy-v3.json
+++ /dev/null
@@ -1,195 +0,0 @@
-{
- "admin_required": "role:admin",
- "cloud_admin": "rule:admin_required and domain_id:default",
- "service_role": "role:service",
- "service_or_admin": "rule:admin_required or rule:service_role",
- "owner" : "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
- "admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
- "admin_or_cloud_admin": "rule:admin_required or rule:cloud_admin",
- "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
- "service_admin_or_owner": "rule:service_or_admin or rule:owner",
-
- "default": "rule:admin_required",
-
- "identity:get_region": "",
- "identity:list_regions": "",
- "identity:create_region": "rule:cloud_admin",
- "identity:update_region": "rule:cloud_admin",
- "identity:delete_region": "rule:cloud_admin",
-
- "identity:get_service": "rule:admin_or_cloud_admin",
- "identity:list_services": "rule:admin_or_cloud_admin",
- "identity:create_service": "rule:cloud_admin",
- "identity:update_service": "rule:cloud_admin",
- "identity:delete_service": "rule:cloud_admin",
-
- "identity:get_endpoint": "rule:admin_or_cloud_admin",
- "identity:list_endpoints": "rule:admin_or_cloud_admin",
- "identity:create_endpoint": "rule:cloud_admin",
- "identity:update_endpoint": "rule:cloud_admin",
- "identity:delete_endpoint": "rule:cloud_admin",
-
- "identity:get_domain": "rule:cloud_admin or rule:admin_and_matching_domain_id",
- "identity:list_domains": "rule:cloud_admin",
- "identity:create_domain": "rule:cloud_admin",
- "identity:update_domain": "rule:cloud_admin",
- "identity:delete_domain": "rule:cloud_admin",
-
- "admin_and_matching_target_project_domain_id": "rule:admin_required and domain_id:%(target.project.domain_id)s",
- "admin_and_matching_project_domain_id": "rule:admin_required and domain_id:%(project.domain_id)s",
- "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
- "identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id",
- "identity:list_user_projects": "rule:owner or rule:admin_and_matching_domain_id",
- "identity:create_project": "rule:cloud_admin or rule:admin_and_matching_project_domain_id",
- "identity:update_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
- "identity:delete_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
-
- "admin_and_matching_target_user_domain_id": "rule:admin_required and domain_id:%(target.user.domain_id)s",
- "admin_and_matching_user_domain_id": "rule:admin_required and domain_id:%(user.domain_id)s",
- "identity:get_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
- "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
- "identity:create_user": "rule:cloud_admin or rule:admin_and_matching_user_domain_id",
- "identity:update_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
- "identity:delete_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
-
- "admin_and_matching_target_group_domain_id": "rule:admin_required and domain_id:%(target.group.domain_id)s",
- "admin_and_matching_group_domain_id": "rule:admin_required and domain_id:%(group.domain_id)s",
- "identity:get_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
- "identity:list_groups": "rule:cloud_admin or rule:admin_and_matching_domain_id",
- "identity:list_groups_for_user": "rule:owner or rule:admin_and_matching_domain_id",
- "identity:create_group": "rule:cloud_admin or rule:admin_and_matching_group_domain_id",
- "identity:update_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
- "identity:delete_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
- "identity:list_users_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
- "identity:remove_user_from_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
- "identity:check_user_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
- "identity:add_user_to_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
-
- "identity:get_credential": "rule:admin_required",
- "identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
- "identity:create_credential": "rule:admin_required",
- "identity:update_credential": "rule:admin_required",
- "identity:delete_credential": "rule:admin_required",
-
- "identity:ec2_get_credential": "rule:admin_or_cloud_admin or (rule:owner and user_id:%(target.credential.user_id)s)",
- "identity:ec2_list_credentials": "rule:admin_or_cloud_admin or rule:owner",
- "identity:ec2_create_credential": "rule:admin_or_cloud_admin or rule:owner",
- "identity:ec2_delete_credential": "rule:admin_or_cloud_admin or (rule:owner and user_id:%(target.credential.user_id)s)",
-
- "identity:get_role": "rule:admin_or_cloud_admin",
- "identity:list_roles": "rule:admin_or_cloud_admin",
- "identity:create_role": "rule:cloud_admin",
- "identity:update_role": "rule:cloud_admin",
- "identity:delete_role": "rule:cloud_admin",
-
- "domain_admin_for_grants": "rule:admin_required and (domain_id:%(domain_id)s or domain_id:%(target.project.domain_id)s)",
- "project_admin_for_grants": "rule:admin_required and project_id:%(project_id)s",
- "identity:check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
- "identity:list_grants": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
- "identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
- "identity:revoke_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
-
- "admin_on_domain_filter" : "rule:admin_required and domain_id:%(scope.domain.id)s",
- "admin_on_project_filter" : "rule:admin_required and project_id:%(scope.project.id)s",
- "identity:list_role_assignments": "rule:cloud_admin or rule:admin_on_domain_filter or rule:admin_on_project_filter",
-
- "identity:get_policy": "rule:cloud_admin",
- "identity:list_policies": "rule:cloud_admin",
- "identity:create_policy": "rule:cloud_admin",
- "identity:update_policy": "rule:cloud_admin",
- "identity:delete_policy": "rule:cloud_admin",
-
- "identity:change_password": "rule:owner",
- "identity:check_token": "rule:admin_or_owner",
- "identity:validate_token": "rule:service_admin_or_owner",
- "identity:validate_token_head": "rule:service_or_admin",
- "identity:revocation_list": "rule:service_or_admin",
- "identity:revoke_token": "rule:admin_or_owner",
-
- "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
- "identity:list_trusts": "",
- "identity:list_roles_for_trust": "",
- "identity:get_role_for_trust": "",
- "identity:delete_trust": "",
-
- "identity:create_consumer": "rule:admin_required",
- "identity:get_consumer": "rule:admin_required",
- "identity:list_consumers": "rule:admin_required",
- "identity:delete_consumer": "rule:admin_required",
- "identity:update_consumer": "rule:admin_required",
-
- "identity:authorize_request_token": "rule:admin_required",
- "identity:list_access_token_roles": "rule:admin_required",
- "identity:get_access_token_role": "rule:admin_required",
- "identity:list_access_tokens": "rule:admin_required",
- "identity:get_access_token": "rule:admin_required",
- "identity:delete_access_token": "rule:admin_required",
-
- "identity:list_projects_for_endpoint": "rule:admin_required",
- "identity:add_endpoint_to_project": "rule:admin_required",
- "identity:check_endpoint_in_project": "rule:admin_required",
- "identity:list_endpoints_for_project": "rule:admin_required",
- "identity:remove_endpoint_from_project": "rule:admin_required",
-
- "identity:create_endpoint_group": "rule:admin_required",
- "identity:list_endpoint_groups": "rule:admin_required",
- "identity:get_endpoint_group": "rule:admin_required",
- "identity:update_endpoint_group": "rule:admin_required",
- "identity:delete_endpoint_group": "rule:admin_required",
- "identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
- "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
- "identity:get_endpoint_group_in_project": "rule:admin_required",
- "identity:list_endpoint_groups_for_project": "rule:admin_required",
- "identity:add_endpoint_group_to_project": "rule:admin_required",
- "identity:remove_endpoint_group_from_project": "rule:admin_required",
-
- "identity:create_identity_provider": "rule:cloud_admin",
- "identity:list_identity_providers": "rule:cloud_admin",
- "identity:get_identity_providers": "rule:cloud_admin",
- "identity:update_identity_provider": "rule:cloud_admin",
- "identity:delete_identity_provider": "rule:cloud_admin",
-
- "identity:create_protocol": "rule:cloud_admin",
- "identity:update_protocol": "rule:cloud_admin",
- "identity:get_protocol": "rule:cloud_admin",
- "identity:list_protocols": "rule:cloud_admin",
- "identity:delete_protocol": "rule:cloud_admin",
-
- "identity:create_mapping": "rule:cloud_admin",
- "identity:get_mapping": "rule:cloud_admin",
- "identity:list_mappings": "rule:cloud_admin",
- "identity:delete_mapping": "rule:cloud_admin",
- "identity:update_mapping": "rule:cloud_admin",
-
- "identity:create_service_provider": "rule:cloud_admin",
- "identity:list_service_providers": "rule:cloud_admin",
- "identity:get_service_provider": "rule:cloud_admin",
- "identity:update_service_provider": "rule:cloud_admin",
- "identity:delete_service_provider": "rule:cloud_admin",
-
- "identity:get_auth_catalog": "",
- "identity:get_auth_projects": "",
- "identity:get_auth_domains": "",
-
- "identity:list_projects_for_groups": "",
- "identity:list_domains_for_groups": "",
-
- "identity:list_revoke_events": "",
-
- "identity:create_policy_association_for_endpoint": "rule:cloud_admin",
- "identity:check_policy_association_for_endpoint": "rule:cloud_admin",
- "identity:delete_policy_association_for_endpoint": "rule:cloud_admin",
- "identity:create_policy_association_for_service": "rule:cloud_admin",
- "identity:check_policy_association_for_service": "rule:cloud_admin",
- "identity:delete_policy_association_for_service": "rule:cloud_admin",
- "identity:create_policy_association_for_region_and_service": "rule:cloud_admin",
- "identity:check_policy_association_for_region_and_service": "rule:cloud_admin",
- "identity:delete_policy_association_for_region_and_service": "rule:cloud_admin",
- "identity:get_policy_for_endpoint": "rule:cloud_admin",
- "identity:list_endpoints_for_policy": "rule:cloud_admin",
-
- "identity:create_domain_config": "rule:cloud_admin",
- "identity:get_domain_config": "rule:cloud_admin",
- "identity:update_domain_config": "rule:cloud_admin",
- "identity:delete_domain_config": "rule:cloud_admin"
-}
\ No newline at end of file
diff --git a/keystone/files/liberty/keystone.conf.Debian b/keystone/files/liberty/keystone.conf.Debian
index 05d0493..2a91c8c 100644
--- a/keystone/files/liberty/keystone.conf.Debian
+++ b/keystone/files/liberty/keystone.conf.Debian
@@ -309,10 +309,13 @@
{% if server.auth_methods is defined %}
methods = {{ server.auth_methods |join(',') }}
{%- endif %}
-{% if server.websso is defined %}
-{{ server.websso.protocol }} = keystone.auth.plugins.mapped.Mapped
-{%- endif %}
+{%- if server.get('federation', {}).oidc is defined %}
+{{ server.federation.oidc.protocol }} = keystone.auth.plugins.mapped.Mapped
+{%- endif %}
+{%- if server.get('federation', {}).saml2 is defined %}
+{{ server.federation.saml2.protocol }} = keystone.auth.plugins.mapped.Mapped
+{%- endif %}
# Entrypoint for the password auth plugin module in the keystone.auth.password
# namespace. (string value)
#password = <None>
@@ -330,11 +333,6 @@
# namespace. (string value)
#oauth1 = <None>
-{% if server.websso is defined %}
-[{{ server.websso.protocol }}]
-remote_id_attribute = {{ server.websso.remote_id_attribute }}
-{%- endif %}
-
[cache]
#
@@ -786,6 +784,15 @@
# Its value may be silently ignored in the future.
#cert_required = false
+{%- if server.get('federation', {}).saml2 is defined %}
+[{{ server.federation.saml2.protocol }}]
+remote_id_attribute = {{ server.federation.saml2.remote_id_attribute }}
+{%- endif %}
+
+{%- if server.get('federation', {}).oidc is defined %}
+[{{ server.federation.oidc.protocol }}]
+remote_id_attribute = {{ server.federation.oidc.remote_id_attribute }}
+{%- endif %}
[federation]
@@ -796,8 +803,8 @@
# Entrypoint for the federation backend driver in the keystone.federation
# namespace. (string value)
#driver = sql
-{% if server.websso is defined %}
-driver = {{ server.websso.federation_driver }}
+{%- if server.get('federation', {}).federation_driver is defined %}
+driver = {{ server.federation.federation_driver }}
{%- endif %}
# Value to be used when filtering assertion parameters from the environment.
@@ -814,6 +821,9 @@
# this name or update an existing domain to this name. You are not advised to
# change this value unless you really have to. (string value)
#federated_domain_name = Federated
+{%- if server.get('federation', {}).federated_domain_name is defined %}
+federated_domain_name = {{ server.federation.federated_domain_name }}
+{%- endif %}
# A list of trusted dashboard hosts. Before accepting a Single Sign-On request
# to return a token, the origin host must be a member of the trusted_dashboard
@@ -821,13 +831,11 @@
# example: trusted_dashboard=http://acme.com trusted_dashboard=http://beta.com
# (multi valued)
#trusted_dashboard =
-{%- if server.websso is defined %}
-{%- if server.websso.trusted_dashboard is defined %}
-{%- for dashboard in server.websso.trusted_dashboard %}
+{%- if server.get('federation', {}).trusted_dashboard is defined %}
+{%- for dashboard in server.federation.trusted_dashboard %}
trusted_dashboard = {{ dashboard }}
{%- endfor %}
{%- endif %}
-{%- endif %}
# Location of Single Sign-On callback handler, will return a token to a trusted
# dashboard host. (string value)
@@ -1336,7 +1344,7 @@
# The maximum body size for each request, in bytes. (integer value)
# Deprecated group/name - [DEFAULT]/osapi_max_request_body_size
# Deprecated group/name - [DEFAULT]/max_request_body_size
-#max_request_body_size = 114688
+max_request_body_size= {{ server.max_request_body_size }}
#
# From oslo.middleware
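Review bot: `max_request_body_size= {{ server.max_request_body_size }}` drops the space before `=`, unlike every other rendered option in this file (`hash_algorithm = ...`, `driver = ...`), and it replaces the commented default with an unconditional value, so it now relies on map.jinja supplying `max_request_body_size` (not visible in this diff); if the key is absent the line renders with an empty value, which oslo.config will reject for an integer option. Suggest `max_request_body_size = {{ server.max_request_body_size }}`, or guard it with `{%- if server.max_request_body_size is defined %}` if there is no formula default. The mitaka hunk at L2887–L2888 has the same line.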
@@ -1672,6 +1680,7 @@
# middleware must be configured with the hash_algorithms, otherwise token
# revocation will not be processed correctly. (string value)
#hash_algorithm = md5
+hash_algorithm = {{ server.hash_algorithm }}
[tokenless_auth]
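Review bot: `hash_algorithm = {{ server.hash_algorithm }}` is emitted unconditionally, so it depends on map.jinja providing a default that is not visible here; the upstream default shown just above it is `md5`, and a deployment that leaves the key unset would render an empty value rather than fall back to it. Please confirm that the formula default is a SHA-2 algorithm (e.g. `sha256`) rather than `md5`, and consider wrapping the line in `{%- if server.hash_algorithm is defined %}` ... `{%- endif %}` so an unset pillar keeps the upstream default. The mitaka hunk at L2894–L2895 has the same line.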
diff --git a/keystone/files/liberty/policy-v2.json b/keystone/files/liberty/policy-v2.json
deleted file mode 100644
index ebb94b0..0000000
--- a/keystone/files/liberty/policy-v2.json
+++ /dev/null
@@ -1,184 +0,0 @@
-{
- "admin_required": "role:admin or is_admin:1",
- "service_role": "role:service",
- "service_or_admin": "rule:admin_required or rule:service_role",
- "owner" : "user_id:%(user_id)s",
- "admin_or_owner": "rule:admin_required or rule:owner",
- "token_subject": "user_id:%(target.token.user_id)s",
- "admin_or_token_subject": "rule:admin_required or rule:token_subject",
- "service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject",
-
- "default": "rule:admin_required",
-
- "identity:get_region": "",
- "identity:list_regions": "",
- "identity:create_region": "rule:admin_required",
- "identity:update_region": "rule:admin_required",
- "identity:delete_region": "rule:admin_required",
-
- "identity:get_service": "rule:admin_required",
- "identity:list_services": "rule:admin_required",
- "identity:create_service": "rule:admin_required",
- "identity:update_service": "rule:admin_required",
- "identity:delete_service": "rule:admin_required",
-
- "identity:get_endpoint": "rule:admin_required",
- "identity:list_endpoints": "rule:admin_required",
- "identity:create_endpoint": "rule:admin_required",
- "identity:update_endpoint": "rule:admin_required",
- "identity:delete_endpoint": "rule:admin_required",
-
- "identity:get_domain": "rule:admin_required",
- "identity:list_domains": "rule:admin_required",
- "identity:create_domain": "rule:admin_required",
- "identity:update_domain": "rule:admin_required",
- "identity:delete_domain": "rule:admin_required",
-
- "identity:get_project": "rule:admin_required",
- "identity:list_projects": "rule:admin_required",
- "identity:list_user_projects": "rule:admin_or_owner",
- "identity:create_project": "rule:admin_required",
- "identity:update_project": "rule:admin_required",
- "identity:delete_project": "rule:admin_required",
-
- "identity:get_user": "rule:admin_required",
- "identity:list_users": "rule:admin_required",
- "identity:create_user": "rule:admin_required",
- "identity:update_user": "rule:admin_required",
- "identity:delete_user": "rule:admin_required",
- "identity:change_password": "rule:admin_or_owner",
-
- "identity:get_group": "rule:admin_required",
- "identity:list_groups": "rule:admin_required",
- "identity:list_groups_for_user": "rule:admin_or_owner",
- "identity:create_group": "rule:admin_required",
- "identity:update_group": "rule:admin_required",
- "identity:delete_group": "rule:admin_required",
- "identity:list_users_in_group": "rule:admin_required",
- "identity:remove_user_from_group": "rule:admin_required",
- "identity:check_user_in_group": "rule:admin_required",
- "identity:add_user_to_group": "rule:admin_required",
-
- "identity:get_credential": "rule:admin_required",
- "identity:list_credentials": "rule:admin_required",
- "identity:create_credential": "rule:admin_required",
- "identity:update_credential": "rule:admin_required",
- "identity:delete_credential": "rule:admin_required",
-
- "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
- "identity:ec2_list_credentials": "rule:admin_or_owner",
- "identity:ec2_create_credential": "rule:admin_or_owner",
- "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
-
- "identity:get_role": "rule:admin_required",
- "identity:list_roles": "rule:admin_required",
- "identity:create_role": "rule:admin_required",
- "identity:update_role": "rule:admin_required",
- "identity:delete_role": "rule:admin_required",
-
- "identity:check_grant": "rule:admin_required",
- "identity:list_grants": "rule:admin_required",
- "identity:create_grant": "rule:admin_required",
- "identity:revoke_grant": "rule:admin_required",
-
- "identity:list_role_assignments": "rule:admin_required",
-
- "identity:get_policy": "rule:admin_required",
- "identity:list_policies": "rule:admin_required",
- "identity:create_policy": "rule:admin_required",
- "identity:update_policy": "rule:admin_required",
- "identity:delete_policy": "rule:admin_required",
-
- "identity:check_token": "rule:admin_or_token_subject",
- "identity:validate_token": "rule:service_admin_or_token_subject",
- "identity:validate_token_head": "rule:service_or_admin",
- "identity:revocation_list": "rule:service_or_admin",
- "identity:revoke_token": "rule:admin_or_token_subject",
-
- "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
- "identity:list_trusts": "",
- "identity:list_roles_for_trust": "",
- "identity:get_role_for_trust": "",
- "identity:delete_trust": "",
-
- "identity:create_consumer": "rule:admin_required",
- "identity:get_consumer": "rule:admin_required",
- "identity:list_consumers": "rule:admin_required",
- "identity:delete_consumer": "rule:admin_required",
- "identity:update_consumer": "rule:admin_required",
-
- "identity:authorize_request_token": "rule:admin_required",
- "identity:list_access_token_roles": "rule:admin_required",
- "identity:get_access_token_role": "rule:admin_required",
- "identity:list_access_tokens": "rule:admin_required",
- "identity:get_access_token": "rule:admin_required",
- "identity:delete_access_token": "rule:admin_required",
-
- "identity:list_projects_for_endpoint": "rule:admin_required",
- "identity:add_endpoint_to_project": "rule:admin_required",
- "identity:check_endpoint_in_project": "rule:admin_required",
- "identity:list_endpoints_for_project": "rule:admin_required",
- "identity:remove_endpoint_from_project": "rule:admin_required",
-
- "identity:create_endpoint_group": "rule:admin_required",
- "identity:list_endpoint_groups": "rule:admin_required",
- "identity:get_endpoint_group": "rule:admin_required",
- "identity:update_endpoint_group": "rule:admin_required",
- "identity:delete_endpoint_group": "rule:admin_required",
- "identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
- "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
- "identity:get_endpoint_group_in_project": "rule:admin_required",
- "identity:list_endpoint_groups_for_project": "rule:admin_required",
- "identity:add_endpoint_group_to_project": "rule:admin_required",
- "identity:remove_endpoint_group_from_project": "rule:admin_required",
-
- "identity:create_identity_provider": "rule:admin_required",
- "identity:list_identity_providers": "rule:admin_required",
- "identity:get_identity_providers": "rule:admin_required",
- "identity:update_identity_provider": "rule:admin_required",
- "identity:delete_identity_provider": "rule:admin_required",
-
- "identity:create_protocol": "rule:admin_required",
- "identity:update_protocol": "rule:admin_required",
- "identity:get_protocol": "rule:admin_required",
- "identity:list_protocols": "rule:admin_required",
- "identity:delete_protocol": "rule:admin_required",
-
- "identity:create_mapping": "rule:admin_required",
- "identity:get_mapping": "rule:admin_required",
- "identity:list_mappings": "rule:admin_required",
- "identity:delete_mapping": "rule:admin_required",
- "identity:update_mapping": "rule:admin_required",
-
- "identity:create_service_provider": "rule:admin_required",
- "identity:list_service_providers": "rule:admin_required",
- "identity:get_service_provider": "rule:admin_required",
- "identity:update_service_provider": "rule:admin_required",
- "identity:delete_service_provider": "rule:admin_required",
-
- "identity:get_auth_catalog": "",
- "identity:get_auth_projects": "",
- "identity:get_auth_domains": "",
-
- "identity:list_projects_for_groups": "",
- "identity:list_domains_for_groups": "",
-
- "identity:list_revoke_events": "",
-
- "identity:create_policy_association_for_endpoint": "rule:admin_required",
- "identity:check_policy_association_for_endpoint": "rule:admin_required",
- "identity:delete_policy_association_for_endpoint": "rule:admin_required",
- "identity:create_policy_association_for_service": "rule:admin_required",
- "identity:check_policy_association_for_service": "rule:admin_required",
- "identity:delete_policy_association_for_service": "rule:admin_required",
- "identity:create_policy_association_for_region_and_service": "rule:admin_required",
- "identity:check_policy_association_for_region_and_service": "rule:admin_required",
- "identity:delete_policy_association_for_region_and_service": "rule:admin_required",
- "identity:get_policy_for_endpoint": "rule:admin_required",
- "identity:list_endpoints_for_policy": "rule:admin_required",
-
- "identity:create_domain_config": "rule:admin_required",
- "identity:get_domain_config": "rule:admin_required",
- "identity:update_domain_config": "rule:admin_required",
- "identity:delete_domain_config": "rule:admin_required"
-}
diff --git a/keystone/files/liberty/wsgi-keystone.conf b/keystone/files/liberty/wsgi-keystone.conf
index beaf74b..c461e3a 100644
--- a/keystone/files/liberty/wsgi-keystone.conf
+++ b/keystone/files/liberty/wsgi-keystone.conf
@@ -1,27 +1,99 @@
{%- from "keystone/map.jinja" import server with context %}
{%- set site = salt['pillar.get']('apache:server:site:'+site_name) %}
-Listen {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:5000
-Listen {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:35357
+{% macro setup_oidc() -%}
+ SetEnv HTTP_OIDC_ISS {{ server.federation.oidc.remote_id_attribute_value }}
+ {% if server.federation.oidc.oidc_claim_prefix is defined %}
+ OIDCClaimPrefix "{{ server.federation.oidc.oidc_claim_prefix }}"
+ {%- endif %}
+ OIDCClientID "{{ server.federation.oidc.oidc_client_id}}"
+ {% if server.federation.oidc.oidc_client_secret is defined %}
+ OIDCClientSecret "{{ server.federation.oidc.oidc_client_secret }}"
+ {%- endif %}
+ OIDCCryptoPassphrase "{{ server.federation.oidc.oidc_crypto_passphrase }}"
+ OIDCRedirectURI "{{ server.federation.oidc.oidc_redirect_uri }}"
+ {% if server.federation.oidc.oidc_provider_metadata_url is defined %}
+ OIDCProviderMetadataURL "{{ server.federation.oidc.oidc_provider_metadata_url }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_response_type is defined %}
+ OIDCResponseType "{{ server.federation.oidc.oidc_response_type }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_scope is defined %}
+ OIDCScope "{{ server.federation.oidc.oidc_scope }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_ssl_validate_server is defined %}
+ OIDCSSLValidateServer "{{ server.federation.oidc.oidc_ssl_validate_server }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_oauth_ssl_validate_server is defined %}
+ OIDCOAuthSSLValidateServer "{{ server.federation.oidc.oidc_oauth_ssl_validate_server }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_oauth_introspection_endpoint is defined %}
+ OIDCOAuthIntrospectionEndpoint "{{ server.federation.oidc.oidc_oauth_introspection_endpoint }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_oauth_introspection_token_param_name is defined %}
+ OIDCOAuthIntrospectionTokenParamName "{{ server.federation.oidc.oidc_oauth_introspection_token_param_name }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_oauth_remote_user_claim is defined %}
+ OIDCOAuthRemoteUserClaim "{{ server.federation.oidc.oidc_oauth_remote_user_claim }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_oauth_verify_jwks_uri is defined %}
+ OIDCOAuthVerifyJwksUri "{{ server.federation.oidc.oidc_oauth_verify_jwks_uri }}"
+ {%- endif %}
+ {% if server.federation.oidc.odic_token_iat_slack is defined %}
+ OIDCIDTokenIatSlack "{{ server.federation.oidc.odic_token_iat_slack }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_provider_issuer is defined %}
+ OIDCProviderIssuer "{{ server.federation.oidc.oidc_provider_issuer }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_provider_authorization_endpoint is defined %}
+ OIDCProviderAuthorizationEndpoint "{{ server.federation.oidc.oidc_provider_authorization_endpoint }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_provider_token_endpoint is defined %}
+ OIDCProviderTokenEndpoint "{{ server.federation.oidc.oidc_provider_token_endpoint }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_provider_token_endpoint_auth is defined %}
+ OIDCProviderTokenEndpointAuth "{{ server.federation.oidc.oidc_provider_token_endpoint_auth }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_provider_user_info_endpoint is defined %}
+ OIDCProviderUserInfoEndpoint "{{ server.federation.oidc.oidc_provider_user_info_endpoint }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_provider_jwks_uri is defined %}
+ OIDCProviderJwksUri "{{ server.federation.oidc.oidc_provider_jwks_uri }}"
+ {%- endif %}
+ {%- if server.federation.oidc.oidc_oauth_verify_shared_keys is defined %}
+ {%- set shared_keys_list = [] %}
+ {%- for shared_key_def in server.federation.oidc.oidc_oauth_verify_shared_keys %}
+ {%- do shared_keys_list.append("\""+shared_key_def.type+"#"+shared_key_def.kid+"#"+shared_key_def.key+"\"") %}
+ {%- endfor %}
+ OIDCOAuthVerifySharedKeys {{ shared_keys_list|join(" ") }}
+ {%- endif %}
+ {%- if server.federation.oidc.oidc_oauth_verify_cert_files is defined %}
+ {%- set cert_files_list = [] %}
+ {%- for cert_file_def in server.federation.oidc.oidc_oauth_verify_cert_files %}
+ {%- do cert_files_list.append("\""+cert_file_def.kid+"#"+cert_file_def.filename+"\"") %}
+ {%- endfor %}
+ OIDCOAuthVerifyCertFiles {{ cert_files_list|join(" ") }}
+ {%- endif %}
-<VirtualHost {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:5000>
-{%- include "apache/files/_name.conf" %}
-{%- include "apache/files/_ssl.conf" %}
-{%- include "apache/files/_locations.conf" %}
-
- WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
- WSGIProcessGroup keystone-public
- WSGIScriptAlias / /usr/bin/keystone-wsgi-public
- WSGIApplicationGroup %{GLOBAL}
- WSGIPassAuthorization On
- ErrorLogFormat "%{cu}t %M"
-{%- include "apache/files/_log.conf" %}
-
- <Directory /usr/bin>
- Require all granted
- </Directory>
-
- {% if server.websso is defined %}
- WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/bin/keystone-wsgi-public/$1
+ <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/oidc/auth>
+ AuthType oauth20
+ Require valid-user
+ </LocationMatch>
+ <LocationMatch "/v3/auth/OS-FEDERATION/websso/oidc">
+ AuthType openid-connect
+ Require valid-user
+ </LocationMatch>
+ <LocationMatch "/v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/oidc/websso">
+ AuthType openid-connect
+ Require valid-user
+ </LocationMatch>
+{% endmacro -%}
+{% macro setup_saml2() -%}
+ {% if server.federation.saml2.shib_url_scheme is defined %}
+ ShibURLScheme {{ server.federation.saml2.shib_url_scheme }}
+ {%- endif %}
+ {% if server.federation.saml2.shib_compat_valid_user is defined %}
+ ShibCompatValidUser {{ server.federation.saml2.shib_compat_valid_user }}
+ {%- endif %}
<Location /Shibboleth.sso>
SetHandler shib
</Location>
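Review bot: The pillar key in the `OIDCIDTokenIatSlack` guard is misspelled — `server.federation.oidc.odic_token_iat_slack` (L2623–L2624) — while every other key in `setup_oidc()` uses the `oidc_` prefix, so an operator who sets `oidc_token_iat_slack` gets no directive and no error; change both occurrences to `oidc_token_iat_slack`. Two smaller points in the same macro: `OIDCClientID "{{ server.federation.oidc.oidc_client_id}}"` is missing the space before `}}`, and the `/protocols/oidc/auth` `<LocationMatch>` argument is unquoted while the two that follow are quoted. Note also that `OIDCClientSecret` and `OIDCCryptoPassphrase` are rendered in plaintext into this Apache site file; the file mode of the rendered config is set outside this diff, so please confirm it is not world-readable. The `setup_saml2()` macro continues past the end of this hunk.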
@@ -43,6 +115,34 @@
ShibExportAssertion Off
Require valid-user
</LocationMatch>
+{% endmacro -%}
+
+Listen {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:5000
+Listen {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:35357
+
+<VirtualHost {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:5000>
+{%- include "apache/files/_name.conf" %}
+{%- include "apache/files/_ssl.conf" %}
+{%- include "apache/files/_locations.conf" %}
+
+ WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
+ WSGIProcessGroup keystone-public
+ WSGIScriptAlias / /usr/bin/keystone-wsgi-public
+ WSGIApplicationGroup %{GLOBAL}
+ WSGIPassAuthorization On
+ ErrorLogFormat "%{cu}t %M"
+{%- include "apache/files/_log.conf" %}
+
+ <Directory /usr/bin>
+ Require all granted
+ </Directory>
+
+ {% if server.get('federation', {}).saml2 is defined %}
+ WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/bin/keystone-wsgi-public/$1
+ {{ setup_saml2() }}
+ {%- endif %}
+ {% if server.get('federation', {}).oidc is defined %}
+ {{ setup_oidc() }}
{%- endif %}
</VirtualHost>
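Review bot: The `WSGIScriptAliasMatch` for `^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$` is now emitted only inside the saml2 branch (L2726–L2727), whereas the removed code emitted it whenever `websso` was defined; an OIDC-only deployment therefore gets the `<LocationMatch .../protocols/oidc/auth>` block from `setup_oidc()` but not the alias. If the alias is what routes the federated `/auth` path to the WSGI app for both protocols, this is a regression — please confirm, or move the alias out of the saml2 branch so it is emitted when either `saml2` or `oidc` is defined. The admin VirtualHost hunk at L2738–L2739 has the same shape.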
@@ -64,29 +164,13 @@
Require all granted
</Directory>
- {% if server.websso is defined %}
+ {% if server.get('federation', {}).saml2 is defined %}
WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/bin/keystone-wsgi-admin/$1
- <Location /Shibboleth.sso>
- SetHandler shib
- </Location>
- <LocationMatch /v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/saml2/websso>
- ShibRequestSetting requireSession 1
- AuthType shibboleth
- ShibExportAssertion Off
- Require valid-user
- </LocationMatch>
- <LocationMatch /v3/auth/OS-FEDERATION/websso/saml2>
- ShibRequestSetting requireSession 1
- AuthType shibboleth
- ShibExportAssertion Off
- Require valid-user
- </LocationMatch>
- <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
- ShibRequestSetting requireSession 1
- AuthType shibboleth
- ShibExportAssertion Off
- Require valid-user
- </LocationMatch>
+ {{ setup_saml2() }}
+ {%- endif %}
+
+ {% if server.get('federation', {}).oidc is defined %}
+ {{ setup_oidc() }}
{%- endif %}
</VirtualHost>
diff --git a/keystone/files/mitaka/keystone.conf.Debian b/keystone/files/mitaka/keystone.conf.Debian
index 28991a4..18d6f2b 100644
--- a/keystone/files/mitaka/keystone.conf.Debian
+++ b/keystone/files/mitaka/keystone.conf.Debian
@@ -1,4 +1,4 @@
-{% from "keystone/map.jinja" import server with context %}
+{% from "keystone/map.jinja" import server, system_cacerts_file with context %}
[DEFAULT]
#
@@ -357,8 +357,12 @@
{% if server.auth_methods is defined %}
methods = {{ server.auth_methods |join(',') }}
{%- endif %}
-{% if server.websso is defined %}
-{{ server.websso.protocol }} = keystone.auth.plugins.mapped.Mapped
+
+{%- if server.get('federation', {}).oidc is defined %}
+{{ server.federation.oidc.protocol }} = keystone.auth.plugins.mapped.Mapped
+{%- endif %}
+{%- if server.get('federation', {}).saml2 is defined %}
+{{ server.federation.saml2.protocol }} = keystone.auth.plugins.mapped.Mapped
{%- endif %}
# Entrypoint for the password auth plugin module in the keystone.auth.password
@@ -597,7 +601,7 @@
# Deprecated group/name - [DATABASE]/sql_connection
# Deprecated group/name - [sql]/connection
#connection = <None>
-connection={{ server.database.engine }}://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}
+connection={{ server.database.engine }}://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}{%- if server.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ server.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
# The SQLAlchemy connection string to use to connect to the slave database.
# (string value)
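Review bot: The `?ssl_ca=...` suffix appended to `connection=` is a MySQL-dialect query argument, but the URL is built from `server.database.engine`, so if the engine can be postgresql the same `database:ssl:enabled` pillar flag would emit an option the driver does not honour and the connection would silently run without the intended CA pinning. Either document that the `ssl` block is MySQL-only or branch on the engine (psycopg2 uses `sslmode`/`sslrootcert`). The line is also over 250 characters; hoisting the SSL tail into a `{%- set db_ssl_args = ... %}` above it would keep the option readable.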
@@ -848,6 +852,15 @@
# Its value may be silently ignored in the future.
#cert_required = false
+{%- if server.get('federation', {}).saml2 is defined %}
+[{{ server.federation.saml2.protocol }}]
+remote_id_attribute = {{ server.federation.saml2.remote_id_attribute }}
+{%- endif %}
+
+{%- if server.get('federation', {}).oidc is defined %}
+[{{ server.federation.oidc.protocol }}]
+remote_id_attribute = {{ server.federation.oidc.remote_id_attribute }}
+{%- endif %}
[federation]
@@ -858,8 +871,8 @@
# Entrypoint for the federation backend driver in the keystone.federation
# namespace. (string value)
#driver = sql
-{%- if server.get('websso', {}).federation_driver is defined %}
-driver = {{ server.websso.federation_driver }}
+{%- if server.get('federation', {}).federation_driver is defined %}
+driver = {{ server.federation.federation_driver }}
{%- endif %}
# Value to be used when filtering assertion parameters from the environment.
@@ -870,17 +883,14 @@
# environment (e.g. if using the mod_shib plugin this value is `Shib-Identity-
# Provider`). (string value)
#remote_id_attribute = <None>
-{%- if server.websso is defined %}
-remote_id_attribute = {{ server.websso.remote_id_attribute }}
-{%- endif %}
# A domain name that is reserved to allow federated ephemeral users to have a
# domain concept. Note that an admin will not be able to create a domain with
# this name or update an existing domain to this name. You are not advised to
# change this value unless you really have to. (string value)
#federated_domain_name = Federated
-{%- if server.get('websso', {}).federated_domain_name is defined %}
-federated_domain_name = {{ server.websso.federated_domain_name }}
+{%- if server.get('federation', {}).federated_domain_name is defined %}
+federated_domain_name = {{ server.federation.federated_domain_name }}
{%- endif %}
# A list of trusted dashboard hosts. Before accepting a Single Sign-On request
@@ -889,8 +899,8 @@
# example: trusted_dashboard=http://acme.com/auth/websso
# trusted_dashboard=http://beta.com/auth/websso (multi valued)
#trusted_dashboard =
-{%- if server.get('websso', {}).trusted_dashboard is defined %}
-{%- for dashboard in server.websso.trusted_dashboard %}
+{%- if server.get('federation', {}).trusted_dashboard is defined %}
+{%- for dashboard in server.federation.trusted_dashboard %}
trusted_dashboard = {{ dashboard }}
{%- endfor %}
{%- endif %}
@@ -1567,14 +1577,31 @@
# Allowed values: round-robin, shuffle
#kombu_failover_strategy = round-robin
+{%- set rabbit_port = server.message_queue.get('port', 5671 if server.message_queue.get('ssl',{}).get('enabled', False) else 5672) %}
{%- if server.message_queue.members is defined %}
rabbit_hosts = {% for member in server.message_queue.members -%}
- {{ member.host }}:{{ member.get('port', 5672) }}
+ {{ member.host }}:{{ member.get('port', rabbit_port) }}
{%- if not loop.last -%},{%- endif -%}
{%- endfor -%}
{%- else %}
rabbit_host = {{ server.message_queue.host }}
-rabbit_port = {{ server.message_queue.port }}
+rabbit_port = {{ rabbit_port }}
+{%- endif %}
+
+{%- if server.message_queue.get('ssl',{}).get('enabled', False) %}
+rabbit_use_ssl=true
+
+{%- if server.message_queue.ssl.version is defined %}
+kombu_ssl_version = {{ server.message_queue.ssl.version }}
+{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
+kombu_ssl_version = TLSv1_2
+{%- endif %}
+
+{%- if server.message_queue.ssl.cacert_file is defined %}
+kombu_ssl_ca_certs = {{ server.message_queue.ssl.cacert_file }}
+{%- else %}
+kombu_ssl_ca_certs={{ system_cacerts_file }}
+{%- endif %}
{%- endif %}
# RabbitMQ HA cluster host:port pairs. (list value)
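Review bot: `rabbit_use_ssl=true` (L2868) and `kombu_ssl_ca_certs={{ system_cacerts_file }}` (L2879) omit the spaces around `=` that the neighbouring options in this hunk use (`kombu_ssl_version = ...`, `rabbit_port = ...`, `kombu_ssl_ca_certs = ...` at L2877); suggest `rabbit_use_ssl = true` and `kombu_ssl_ca_certs = {{ system_cacerts_file }}`. The expression `server.message_queue.get('ssl',{}).get('enabled', False)` is also evaluated twice (L2854 and L2867); a single `{%- set mq_ssl = ... %}` before the port default would keep the two checks from drifting apart.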
@@ -1764,7 +1791,7 @@
# The maximum body size for each request, in bytes. (integer value)
# Deprecated group/name - [DEFAULT]/osapi_max_request_body_size
# Deprecated group/name - [DEFAULT]/max_request_body_size
-#max_request_body_size = 114688
+max_request_body_size= {{ server.max_request_body_size }}
# The HTTP Header that will be used to determine what the original request
# protocol scheme was, even if it was hidden by an SSL termination proxy.
@@ -2158,6 +2185,7 @@
# Reason: PKI token support has been deprecated in the M release and will be
# removed in the O release. Fernet or UUID tokens are recommended.
#hash_algorithm = md5
+hash_algorithm = {{ server.hash_algorithm }}
# Add roles to token that are not explicitly added, but that are linked
# implicitly to other roles. (boolean value)
diff --git a/keystone/files/mitaka/policy-v2.json b/keystone/files/mitaka/policy-v2.json
deleted file mode 100644
index 797af24..0000000
--- a/keystone/files/mitaka/policy-v2.json
+++ /dev/null
@@ -1,198 +0,0 @@
-{
- "admin_required": "role:admin or is_admin:1",
- "service_role": "role:service",
- "service_or_admin": "rule:admin_required or rule:service_role",
- "owner" : "user_id:%(user_id)s",
- "admin_or_owner": "rule:admin_required or rule:owner",
- "token_subject": "user_id:%(target.token.user_id)s",
- "admin_or_token_subject": "rule:admin_required or rule:token_subject",
- "service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject",
-
- "default": "rule:admin_required",
-
- "identity:get_region": "",
- "identity:list_regions": "",
- "identity:create_region": "rule:admin_required",
- "identity:update_region": "rule:admin_required",
- "identity:delete_region": "rule:admin_required",
-
- "identity:get_service": "rule:admin_required",
- "identity:list_services": "rule:admin_required",
- "identity:create_service": "rule:admin_required",
- "identity:update_service": "rule:admin_required",
- "identity:delete_service": "rule:admin_required",
-
- "identity:get_endpoint": "rule:admin_required",
- "identity:list_endpoints": "rule:admin_required",
- "identity:create_endpoint": "rule:admin_required",
- "identity:update_endpoint": "rule:admin_required",
- "identity:delete_endpoint": "rule:admin_required",
-
- "identity:get_domain": "rule:admin_required",
- "identity:list_domains": "rule:admin_required",
- "identity:create_domain": "rule:admin_required",
- "identity:update_domain": "rule:admin_required",
- "identity:delete_domain": "rule:admin_required",
-
- "identity:get_project": "rule:admin_required or project_id:%(target.project.id)s",
- "identity:list_projects": "rule:admin_required",
- "identity:list_user_projects": "rule:admin_or_owner",
- "identity:create_project": "rule:admin_required",
- "identity:update_project": "rule:admin_required",
- "identity:delete_project": "rule:admin_required",
-
- "identity:get_user": "rule:admin_required",
- "identity:list_users": "rule:admin_required",
- "identity:create_user": "rule:admin_required",
- "identity:update_user": "rule:admin_required",
- "identity:delete_user": "rule:admin_required",
- "identity:change_password": "rule:admin_or_owner",
-
- "identity:get_group": "rule:admin_required",
- "identity:list_groups": "rule:admin_required",
- "identity:list_groups_for_user": "rule:admin_or_owner",
- "identity:create_group": "rule:admin_required",
- "identity:update_group": "rule:admin_required",
- "identity:delete_group": "rule:admin_required",
- "identity:list_users_in_group": "rule:admin_required",
- "identity:remove_user_from_group": "rule:admin_required",
- "identity:check_user_in_group": "rule:admin_required",
- "identity:add_user_to_group": "rule:admin_required",
-
- "identity:get_credential": "rule:admin_required",
- "identity:list_credentials": "rule:admin_required",
- "identity:create_credential": "rule:admin_required",
- "identity:update_credential": "rule:admin_required",
- "identity:delete_credential": "rule:admin_required",
-
- "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
- "identity:ec2_list_credentials": "rule:admin_or_owner",
- "identity:ec2_create_credential": "rule:admin_or_owner",
- "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
-
- "identity:get_role": "rule:admin_required",
- "identity:list_roles": "rule:admin_required",
- "identity:create_role": "rule:admin_required",
- "identity:update_role": "rule:admin_required",
- "identity:delete_role": "rule:admin_required",
- "identity:get_domain_role": "rule:admin_required",
- "identity:list_domain_roles": "rule:admin_required",
- "identity:create_domain_role": "rule:admin_required",
- "identity:update_domain_role": "rule:admin_required",
- "identity:delete_domain_role": "rule:admin_required",
-
- "identity:get_implied_role": "rule:admin_required ",
- "identity:list_implied_roles": "rule:admin_required",
- "identity:create_implied_role": "rule:admin_required",
- "identity:delete_implied_role": "rule:admin_required",
- "identity:list_role_inference_rules": "rule:admin_required",
- "identity:check_implied_role": "rule:admin_required",
-
- "identity:check_grant": "rule:admin_required",
- "identity:list_grants": "rule:admin_required",
- "identity:create_grant": "rule:admin_required",
- "identity:revoke_grant": "rule:admin_required",
-
- "identity:list_role_assignments": "rule:admin_required",
- "identity:list_role_assignments_for_tree": "rule:admin_required",
-
- "identity:get_policy": "rule:admin_required",
- "identity:list_policies": "rule:admin_required",
- "identity:create_policy": "rule:admin_required",
- "identity:update_policy": "rule:admin_required",
- "identity:delete_policy": "rule:admin_required",
-
- "identity:check_token": "rule:admin_or_token_subject",
- "identity:validate_token": "rule:service_admin_or_token_subject",
- "identity:validate_token_head": "rule:service_or_admin",
- "identity:revocation_list": "rule:service_or_admin",
- "identity:revoke_token": "rule:admin_or_token_subject",
-
- "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
- "identity:list_trusts": "",
- "identity:list_roles_for_trust": "",
- "identity:get_role_for_trust": "",
- "identity:delete_trust": "",
-
- "identity:create_consumer": "rule:admin_required",
- "identity:get_consumer": "rule:admin_required",
- "identity:list_consumers": "rule:admin_required",
- "identity:delete_consumer": "rule:admin_required",
- "identity:update_consumer": "rule:admin_required",
-
- "identity:authorize_request_token": "rule:admin_required",
- "identity:list_access_token_roles": "rule:admin_required",
- "identity:get_access_token_role": "rule:admin_required",
- "identity:list_access_tokens": "rule:admin_required",
- "identity:get_access_token": "rule:admin_required",
- "identity:delete_access_token": "rule:admin_required",
-
- "identity:list_projects_for_endpoint": "rule:admin_required",
- "identity:add_endpoint_to_project": "rule:admin_required",
- "identity:check_endpoint_in_project": "rule:admin_required",
- "identity:list_endpoints_for_project": "rule:admin_required",
- "identity:remove_endpoint_from_project": "rule:admin_required",
-
- "identity:create_endpoint_group": "rule:admin_required",
- "identity:list_endpoint_groups": "rule:admin_required",
- "identity:get_endpoint_group": "rule:admin_required",
- "identity:update_endpoint_group": "rule:admin_required",
- "identity:delete_endpoint_group": "rule:admin_required",
- "identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
- "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
- "identity:get_endpoint_group_in_project": "rule:admin_required",
- "identity:list_endpoint_groups_for_project": "rule:admin_required",
- "identity:add_endpoint_group_to_project": "rule:admin_required",
- "identity:remove_endpoint_group_from_project": "rule:admin_required",
-
- "identity:create_identity_provider": "rule:admin_required",
- "identity:list_identity_providers": "rule:admin_required",
- "identity:get_identity_providers": "rule:admin_required",
- "identity:update_identity_provider": "rule:admin_required",
- "identity:delete_identity_provider": "rule:admin_required",
-
- "identity:create_protocol": "rule:admin_required",
- "identity:update_protocol": "rule:admin_required",
- "identity:get_protocol": "rule:admin_required",
- "identity:list_protocols": "rule:admin_required",
- "identity:delete_protocol": "rule:admin_required",
-
- "identity:create_mapping": "rule:admin_required",
- "identity:get_mapping": "rule:admin_required",
- "identity:list_mappings": "rule:admin_required",
- "identity:delete_mapping": "rule:admin_required",
- "identity:update_mapping": "rule:admin_required",
-
- "identity:create_service_provider": "rule:admin_required",
- "identity:list_service_providers": "rule:admin_required",
- "identity:get_service_provider": "rule:admin_required",
- "identity:update_service_provider": "rule:admin_required",
- "identity:delete_service_provider": "rule:admin_required",
-
- "identity:get_auth_catalog": "",
- "identity:get_auth_projects": "",
- "identity:get_auth_domains": "",
-
- "identity:list_projects_for_groups": "",
- "identity:list_domains_for_groups": "",
-
- "identity:list_revoke_events": "",
-
- "identity:create_policy_association_for_endpoint": "rule:admin_required",
- "identity:check_policy_association_for_endpoint": "rule:admin_required",
- "identity:delete_policy_association_for_endpoint": "rule:admin_required",
- "identity:create_policy_association_for_service": "rule:admin_required",
- "identity:check_policy_association_for_service": "rule:admin_required",
- "identity:delete_policy_association_for_service": "rule:admin_required",
- "identity:create_policy_association_for_region_and_service": "rule:admin_required",
- "identity:check_policy_association_for_region_and_service": "rule:admin_required",
- "identity:delete_policy_association_for_region_and_service": "rule:admin_required",
- "identity:get_policy_for_endpoint": "rule:admin_required",
- "identity:list_endpoints_for_policy": "rule:admin_required",
-
- "identity:create_domain_config": "rule:admin_required",
- "identity:get_domain_config": "rule:admin_required",
- "identity:update_domain_config": "rule:admin_required",
- "identity:delete_domain_config": "rule:admin_required",
- "identity:get_domain_config_default": "rule:admin_required"
-}
diff --git a/keystone/files/mitaka/wsgi-keystone.conf b/keystone/files/mitaka/wsgi-keystone.conf
index 763672d..3c18ef8 100644
--- a/keystone/files/mitaka/wsgi-keystone.conf
+++ b/keystone/files/mitaka/wsgi-keystone.conf
@@ -1,5 +1,122 @@
{%- from "keystone/map.jinja" import server with context %}
{%- set site = salt['pillar.get']('apache:server:site:'+site_name) %}
+{% macro setup_oidc() -%}
+ SetEnv HTTP_OIDC_ISS {{ server.federation.oidc.remote_id_attribute_value }}
+ {% if server.federation.oidc.oidc_claim_prefix is defined %}
+ OIDCClaimPrefix "{{ server.federation.oidc.oidc_claim_prefix }}"
+ {%- endif %}
+ OIDCClientID "{{ server.federation.oidc.oidc_client_id}}"
+ {% if server.federation.oidc.oidc_client_secret is defined %}
+ OIDCClientSecret "{{ server.federation.oidc.oidc_client_secret }}"
+ {%- endif %}
+ OIDCCryptoPassphrase "{{ server.federation.oidc.oidc_crypto_passphrase }}"
+ OIDCRedirectURI "{{ server.federation.oidc.oidc_redirect_uri }}"
+ {% if server.federation.oidc.oidc_provider_metadata_url is defined %}
+ OIDCProviderMetadataURL "{{ server.federation.oidc.oidc_provider_metadata_url }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_response_type is defined %}
+ OIDCResponseType "{{ server.federation.oidc.oidc_response_type }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_scope is defined %}
+ OIDCScope "{{ server.federation.oidc.oidc_scope }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_ssl_validate_server is defined %}
+ OIDCSSLValidateServer "{{ server.federation.oidc.oidc_ssl_validate_server }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_oauth_ssl_validate_server is defined %}
+ OIDCOAuthSSLValidateServer "{{ server.federation.oidc.oidc_oauth_ssl_validate_server }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_oauth_introspection_endpoint is defined %}
+ OIDCOAuthIntrospectionEndpoint "{{ server.federation.oidc.oidc_oauth_introspection_endpoint }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_oauth_introspection_token_param_name is defined %}
+ OIDCOAuthIntrospectionTokenParamName "{{ server.federation.oidc.oidc_oauth_introspection_token_param_name }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_oauth_remote_user_claim is defined %}
+ OIDCOAuthRemoteUserClaim "{{ server.federation.oidc.oidc_oauth_remote_user_claim }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_oauth_verify_jwks_uri is defined %}
+ OIDCOAuthVerifyJwksUri "{{ server.federation.oidc.oidc_oauth_verify_jwks_uri }}"
+ {%- endif %}
+ {% if server.federation.oidc.odic_token_iat_slack is defined %}
+ OIDCIDTokenIatSlack "{{ server.federation.oidc.odic_token_iat_slack }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_provider_issuer is defined %}
+ OIDCProviderIssuer "{{ server.federation.oidc.oidc_provider_issuer }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_provider_authorization_endpoint is defined %}
+ OIDCProviderAuthorizationEndpoint "{{ server.federation.oidc.oidc_provider_authorization_endpoint }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_provider_token_endpoint is defined %}
+ OIDCProviderTokenEndpoint "{{ server.federation.oidc.oidc_provider_token_endpoint }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_provider_token_endpoint_auth is defined %}
+ OIDCProviderTokenEndpointAuth "{{ server.federation.oidc.oidc_provider_token_endpoint_auth }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_provider_user_info_endpoint is defined %}
+ OIDCProviderUserInfoEndpoint "{{ server.federation.oidc.oidc_provider_user_info_endpoint }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_provider_jwks_uri is defined %}
+ OIDCProviderJwksUri "{{ server.federation.oidc.oidc_provider_jwks_uri }}"
+ {%- endif %}
+ {%- if server.federation.oidc.oidc_oauth_verify_shared_keys is defined %}
+ {%- set shared_keys_list = [] %}
+ {%- for shared_key_def in server.federation.oidc.oidc_oauth_verify_shared_keys %}
+ {%- do shared_keys_list.append("\""+shared_key_def.type+"#"+shared_key_def.kid+"#"+shared_key_def.key+"\"") %}
+ {%- endfor %}
+ OIDCOAuthVerifySharedKeys {{ shared_keys_list|join(" ") }}
+ {%- endif %}
+ {%- if server.federation.oidc.oidc_oauth_verify_cert_files is defined %}
+ {%- set cert_files_list = [] %}
+ {%- for cert_file_def in server.federation.oidc.oidc_oauth_verify_cert_files %}
+ {%- do cert_files_list.append("\""+cert_file_def.kid+"#"+cert_file_def.filename+"\"") %}
+ {%- endfor %}
+ OIDCOAuthVerifyCertFiles {{ cert_files_list|join(" ") }}
+ {%- endif %}
+
+ <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/oidc/auth>
+ AuthType oauth20
+ Require valid-user
+ </LocationMatch>
+ <LocationMatch "/v3/auth/OS-FEDERATION/websso/oidc">
+ AuthType openid-connect
+ Require valid-user
+ </LocationMatch>
+ <LocationMatch "/v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/oidc/websso">
+ AuthType openid-connect
+ Require valid-user
+ </LocationMatch>
+{% endmacro -%}
+{% macro setup_saml2() -%}
+ {% if server.federation.saml2.shib_url_scheme is defined %}
+ ShibURLScheme {{ server.federation.saml2.shib_url_scheme }}
+ {%- endif %}
+ {% if server.federation.saml2.shib_compat_valid_user is defined %}
+ ShibCompatValidUser {{ server.federation.saml2.shib_compat_valid_user }}
+ {%- endif %}
+ <Location /Shibboleth.sso>
+ SetHandler shib
+ </Location>
+ <LocationMatch /v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/saml2/websso>
+ ShibRequestSetting requireSession 1
+ AuthType shibboleth
+ ShibExportAssertion Off
+ Require valid-user
+ </LocationMatch>
+ <LocationMatch /v3/auth/OS-FEDERATION/websso/saml2>
+ ShibRequestSetting requireSession 1
+ AuthType shibboleth
+ ShibExportAssertion Off
+ Require valid-user
+ </LocationMatch>
+ <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
+ ShibRequestSetting requireSession 1
+ AuthType shibboleth
+ ShibExportAssertion Off
+ Require valid-user
+ </LocationMatch>
+{% endmacro -%}
+
Listen {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:5000
Listen {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:35357
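Review bot: The pillar key read at L3147–L3148 is spelled `odic_token_iat_slack` while every sibling key in `setup_oidc` uses the `oidc_` prefix, so an operator who sets `oidc_token_iat_slack` gets the `OIDCIDTokenIatSlack` directive silently skipped; the lines should read `{% if server.federation.oidc.oidc_token_iat_slack is defined %}` and `OIDCIDTokenIatSlack "{{ server.federation.oidc.oidc_token_iat_slack }}"`. Separately, `OIDCClientSecret` and `OIDCCryptoPassphrase` are now rendered into the vhost file, so the state that writes wsgi-keystone.conf should keep it readable by root and the web server only — the file state is not in this diff, so I cannot confirm its mode. Minor: `{{ server.federation.oidc.oidc_client_id}}` at L3114 is missing the closing space the other expressions use.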
@@ -8,7 +125,7 @@
{%- include "apache/files/_ssl.conf" %}
{%- include "apache/files/_locations.conf" %}
- WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
+ WSGIDaemonProcess keystone-public processes={{ grains.num_cpus }} threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
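Review bot: `processes={{ grains.num_cpus }}` scales the WSGI daemon count with the host's CPU count with no upper bound and no way to override it from pillar, which on large hosts means one keystone interpreter per core regardless of memory. An override with the grain as the fallback, e.g. `processes={{ server.get('wsgi_processes', grains.num_cpus) }}` (key name illustrative), keeps the new default while letting operators cap it. The same line appears for `keystone-admin` at L3285–L3286.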
@@ -29,34 +146,23 @@
</IfVersion>
</Directory>
- {% if server.websso is defined %}
- {% if server.websso.shib_url_scheme is defined %}
- ShibURLScheme {{ server.websso.shib_url_scheme }}
- {%- endif %}
+ {% if server.get('federation', {}).saml2 is defined %}
WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/bin/keystone-wsgi-public/$1
- <Location /Shibboleth.sso>
- SetHandler shib
- </Location>
- <LocationMatch /v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/saml2/websso>
- ShibRequestSetting requireSession 1
- AuthType shibboleth
- ShibExportAssertion Off
- Require valid-user
- </LocationMatch>
- <LocationMatch /v3/auth/OS-FEDERATION/websso/saml2>
- ShibRequestSetting requireSession 1
- AuthType shibboleth
- ShibExportAssertion Off
- Require valid-user
- </LocationMatch>
- <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
- ShibRequestSetting requireSession 1
- AuthType shibboleth
- ShibExportAssertion Off
- Require valid-user
- </LocationMatch>
+ {{ setup_saml2() }}
+ {%- endif %}
+ {% if server.get('federation', {}).oidc is defined %}
+ {{ setup_oidc() }}
{%- endif %}
+ Alias /identity_admin /usr/bin/keystone-wsgi-admin
+ <Location /identity_admin>
+ SetHandler wsgi-script
+ Options +ExecCGI
+
+ WSGIProcessGroup keystone-admin
+ WSGIApplicationGroup %{GLOBAL}
+ WSGIPassAuthorization On
+ </Location>
</VirtualHost>
<VirtualHost {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:35357>
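Review bot: The `WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ …` line is emitted only inside the `saml2` branch, yet `setup_oidc` also protects `/v3/OS-FEDERATION/identity_providers/.*?/protocols/oidc/auth`, so an OIDC-only deployment never gets the alias; whether it is required for the OIDC flow I cannot tell from this diff, but the pattern already matches any protocol. If it is needed, hoist it under `{% if server.get('federation', {}).saml2 is defined or server.get('federation', {}).oidc is defined %}` and keep the two protocol macros separate below it. The admin vhost hunk at L3290–L3355 has the same structure.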
@@ -64,7 +170,7 @@
{%- include "apache/files/_ssl.conf" %}
{%- include "apache/files/_locations.conf" %}
- WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
+ WSGIDaemonProcess keystone-admin processes={{ grains.num_cpus }} threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
@@ -85,52 +191,22 @@
</IfVersion>
</Directory>
- {% if server.websso is defined %}
- {% if server.websso.shib_url_scheme is defined %}
- ShibURLScheme {{ server.websso.shib_url_scheme }}
- {%- endif %}
+ {% if server.get('federation', {}).saml2 is defined %}
WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/bin/keystone-wsgi-admin/$1
- <Location /Shibboleth.sso>
- SetHandler shib
- </Location>
- <LocationMatch /v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/saml2/websso>
- ShibRequestSetting requireSession 1
- AuthType shibboleth
- ShibExportAssertion Off
- Require valid-user
- </LocationMatch>
- <LocationMatch /v3/auth/OS-FEDERATION/websso/saml2>
- ShibRequestSetting requireSession 1
- AuthType shibboleth
- ShibExportAssertion Off
- Require valid-user
- </LocationMatch>
- <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
- ShibRequestSetting requireSession 1
- AuthType shibboleth
- ShibExportAssertion Off
- Require valid-user
- </LocationMatch>
+ {{ setup_saml2() }}
{%- endif %}
+ {% if server.get('federation', {}).oidc is defined %}
+ {{ setup_oidc() }}
+ {%- endif %}
+
+ Alias /identity /usr/bin/keystone-wsgi-public
+ <Location /identity>
+ SetHandler wsgi-script
+ Options +ExecCGI
+
+ WSGIProcessGroup keystone-public
+ WSGIApplicationGroup %{GLOBAL}
+ WSGIPassAuthorization On
+ </Location>
</VirtualHost>
-
-Alias /identity /usr/bin/keystone-wsgi-public
-<Location /identity>
- SetHandler wsgi-script
- Options +ExecCGI
-
- WSGIProcessGroup keystone-public
- WSGIApplicationGroup %{GLOBAL}
- WSGIPassAuthorization On
-</Location>
-
-Alias /identity_admin /usr/bin/keystone-wsgi-admin
-<Location /identity_admin>
- SetHandler wsgi-script
- Options +ExecCGI
-
- WSGIProcessGroup keystone-admin
- WSGIApplicationGroup %{GLOBAL}
- WSGIPassAuthorization On
-</Location>
diff --git a/keystone/files/newton/keystone.conf.Debian b/keystone/files/newton/keystone.conf.Debian
index 6add60c..83f4b13 100644
--- a/keystone/files/newton/keystone.conf.Debian
+++ b/keystone/files/newton/keystone.conf.Debian
@@ -1,4 +1,4 @@
-{% from "keystone/map.jinja" import server with context %}
+{% from "keystone/map.jinja" import server, system_cacerts_file with context %}
[DEFAULT]
#
@@ -358,14 +358,16 @@
# A URL representing the messaging driver to use and its full configuration.
# (string value)
#transport_url = rabbit://nova:3qVSI7a1m8AdaDQ7BpB0PJu4@192.168.0.4:5673/
+
+{%- set rabbit_port = server.message_queue.get('port', 5671 if server.message_queue.get('ssl',{}).get('enabled', False) else 5672) %}
{%- if server.message_queue.members is defined %}
transport_url = rabbit://{% for member in server.message_queue.members -%}
- {{ server.message_queue.user }}:{{ server.message_queue.password }}@{{ member.host }}:{{ member.get('port', 5672) }}
+ {{ server.message_queue.user }}:{{ server.message_queue.password }}@{{ member.host }}:{{ member.get('port', rabbit_port) }}
{%- if not loop.last -%},{%- endif -%}
{%- endfor -%}
/{{ server.message_queue.virtual_host }}
{%- else %}
-transport_url = rabbit://{{ server.message_queue.user }}:{{ server.message_queue.password }}@{{ server.message_queue.host }}:{{ server.message_queue.port }}/{{ server.message_queue.virtual_host }}
+transport_url = rabbit://{{ server.message_queue.user }}:{{ server.message_queue.password }}@{{ server.message_queue.host }}:{{ rabbit_port }}/{{ server.message_queue.virtual_host }}
{%- endif %}
# DEPRECATED: The messaging driver to use, defaults to rabbit. Other drivers
@@ -374,7 +376,6 @@
# Its value may be silently ignored in the future.
# Reason: Replaced by [DEFAULT]/transport_url
#rpc_backend = rabbit
-rpc_backend = rabbit
{%- endif %}
# The default exchange under which topics are scoped. May be overridden by an
@@ -417,10 +418,13 @@
{% if server.auth_methods is defined %}
methods = {{ server.auth_methods |join(',') }}
{%- endif %}
-{% if server.websso is defined %}
-{{ server.websso.protocol }} = keystone.auth.plugins.mapped.Mapped
-{%- endif %}
+{%- if server.get('federation', {}).oidc is defined %}
+{{ server.federation.oidc.protocol }} = keystone.auth.plugins.mapped.Mapped
+{%- endif %}
+{%- if server.get('federation', {}).saml2 is defined %}
+{{ server.federation.saml2.protocol }} = keystone.auth.plugins.mapped.Mapped
+{%- endif %}
# Entry point for the password auth plugin module in the
# `keystone.auth.password` namespace. You do not need to set this unless you
# are overriding keystone's own password authentication plugin. (string value)
@@ -669,7 +673,7 @@
# of keys should be managed separately and require different rotation policies.
# Do not share this repository with the repository used to manage keys for
# Fernet tokens. (string value)
-#key_repository = /etc/keystone/credential-keys/
+key_repository = {{ server.credential.location }}
[database]
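Review bot: `key_repository = {{ server.credential.location }}` turns a commented default into a mandatory pillar value; if `server.credential` is not defined the option renders empty (or the template fails), and the comment above says this repository must not be shared with the Fernet key repository. A fallback to the documented default keeps upgrades working: `key_repository = {{ server.get('credential', {}).get('location', '/etc/keystone/credential-keys/') }}`. I cannot see map.jinja, so drop this if it already defaults the key.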
@@ -700,7 +704,7 @@
# Deprecated group/name - [DATABASE]/sql_connection
# Deprecated group/name - [sql]/connection
#connection = <None>
-connection={{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}
+connection={{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}{%- if server.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ server.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
# The SQLAlchemy connection string to use to connect to the slave database.
# (string value)
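Review bot: The new `?ssl_ca=…` suffix only hands a CA bundle to the MySQL driver; whether the driver then verifies the server certificate's hostname, or merely that it chains to that CA, depends on the driver version, and a chain-only check accepts any certificate issued by the same CA. Worth confirming against the pymysql shipped for these releases and recording the outcome in a template comment, e.g. `{#- ssl_ca enables TLS to MySQL; hostname verification depends on the pymysql version — verified: <fill in> #}`. Also `ssl_ca` is a MySQL-dialect parameter, so the suffix only makes sense when `server.database.engine` is a mysql dialect.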
@@ -902,6 +906,15 @@
#admin_port = 35357
admin_port = 35357
+{%- if server.get('federation', {}).saml2 is defined %}
+[{{ server.federation.saml2.protocol }}]
+remote_id_attribute = {{ server.federation.saml2.remote_id_attribute }}
+{%- endif %}
+
+{%- if server.get('federation', {}).oidc is defined %}
+[{{ server.federation.oidc.protocol }}]
+remote_id_attribute = {{ server.federation.oidc.remote_id_attribute }}
+{%- endif %}
[federation]
@@ -913,8 +926,8 @@
# namespace. Keystone only provides a `sql` driver, so there is no reason to
# set this option unless you are providing a custom entry point. (string value)
#driver = sql
-{%- if server.get('websso', {}).federation_driver is defined %}
-driver = {{ server.websso.federation_driver }}
+{%- if server.get('federation', {}).federation_driver is defined %}
+driver = {{ server.federation.federation_driver }}
{%- endif %}
# Prefix to use when filtering environment variable names for federated
@@ -927,17 +940,14 @@
# `mod_auth_openidc`, this could be `HTTP_OIDC_ISS`. For `mod_auth_mellon`,
# this could be `MELLON_IDP`. (string value)
#remote_id_attribute = <None>
-{%- if server.websso is defined %}
-remote_id_attribute = {{ server.websso.remote_id_attribute }}
-{%- endif %}
# An arbitrary domain name that is reserved to allow federated ephemeral users
# to have a domain concept. Note that an admin will not be able to create a
# domain with this name or update an existing domain to this name. You are not
# advised to change this value unless you really have to. (string value)
#federated_domain_name = Federated
-{%- if server.get('websso', {}).federated_domain_name is defined %}
-federated_domain_name = {{ server.websso.federated_domain_name }}
+{%- if server.get('federation', {}).federated_domain_name is defined %}
+federated_domain_name = {{ server.federation.federated_domain_name }}
{%- endif %}
# A list of trusted dashboard hosts. Before accepting a Single Sign-On request
@@ -947,8 +957,8 @@
# trusted_dashboard=https://acme.example.com/auth/websso
# trusted_dashboard=https://beta.example.com/auth/websso (multi valued)
#trusted_dashboard =
-{%- if server.get('websso', {}).trusted_dashboard is defined %}
-{%- for dashboard in server.websso.trusted_dashboard %}
+{%- if server.get('federation', {}).trusted_dashboard is defined %}
+{%- for dashboard in server.federation.trusted_dashboard %}
trusted_dashboard = {{ dashboard }}
{%- endfor %}
{%- endif %}
@@ -1856,6 +1866,26 @@
# From oslo.messaging
#
+{%- if server.notification %}
+
+{%- if server.message_queue.get('ssl',{}).get('enabled', False) %}
+rabbit_use_ssl=true
+
+{%- if server.message_queue.ssl.version is defined %}
+kombu_ssl_version = {{ server.message_queue.ssl.version }}
+{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
+kombu_ssl_version = TLSv1_2
+{%- endif %}
+
+{%- if server.message_queue.ssl.cacert_file is defined %}
+kombu_ssl_ca_certs = {{ server.message_queue.ssl.cacert_file }}
+{%- else %}
+kombu_ssl_ca_certs={{ system_cacerts_file }}
+{%- endif %}
+{%- endif %}
+
+{%- endif %}
+
# Use durable queues in AMQP. (boolean value)
# Deprecated group/name - [DEFAULT]/amqp_durable_queues
# Deprecated group/name - [DEFAULT]/rabbit_durable_queues
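Review bot: The `{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}` branch is undocumented, and when it is false the template emits no `kombu_ssl_version` at all, so the protocol silently falls back to the library default; a comment makes that deliberate: `{#- ssl.PROTOCOL_TLSv1_2 exists from Python 2.7.9; older interpreters fall through to kombu's default #}`. Spacing is also inconsistent within the block (`rabbit_use_ssl=true` and `kombu_ssl_ca_certs={{ … }}` versus `kombu_ssl_version = …`), so `rabbit_use_ssl = true` and `kombu_ssl_ca_certs = {{ system_cacerts_file }}` would match the rest of the file. The mitaka file carries the same block at L2867–L2880.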
@@ -2216,7 +2246,7 @@
# The maximum body size for each request, in bytes. (integer value)
# Deprecated group/name - [DEFAULT]/osapi_max_request_body_size
# Deprecated group/name - [DEFAULT]/max_request_body_size
-#max_request_body_size = 114688
+max_request_body_size= {{ server.max_request_body_size }}
# DEPRECATED: The HTTP Header that will be used to determine what the original
# request protocol scheme was, even if it was hidden by a SSL termination
@@ -2835,6 +2865,7 @@
# Reason: PKI token support has been deprecated in the M release and will be
# removed in the O release. Fernet or UUID tokens are recommended.
#hash_algorithm = md5
+hash_algorithm = {{ server.hash_algorithm }}
# This controls whether roles should be included with tokens that are not
# directly assigned to the token's scope, but are instead linked implicitly to
diff --git a/keystone/files/newton/policy-v2.json b/keystone/files/newton/policy-v2.json
deleted file mode 100644
index 1e37bef..0000000
--- a/keystone/files/newton/policy-v2.json
+++ /dev/null
@@ -1,198 +0,0 @@
-{
- "admin_required": "role:admin or is_admin:1",
- "service_role": "role:service",
- "service_or_admin": "rule:admin_required or rule:service_role",
- "owner" : "user_id:%(user_id)s",
- "admin_or_owner": "rule:admin_required or rule:owner",
- "token_subject": "user_id:%(target.token.user_id)s",
- "admin_or_token_subject": "rule:admin_required or rule:token_subject",
- "service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject",
-
- "default": "rule:admin_required",
-
- "identity:get_region": "",
- "identity:list_regions": "",
- "identity:create_region": "rule:admin_required",
- "identity:update_region": "rule:admin_required",
- "identity:delete_region": "rule:admin_required",
-
- "identity:get_service": "rule:admin_required",
- "identity:list_services": "rule:admin_required",
- "identity:create_service": "rule:admin_required",
- "identity:update_service": "rule:admin_required",
- "identity:delete_service": "rule:admin_required",
-
- "identity:get_endpoint": "rule:admin_required",
- "identity:list_endpoints": "rule:admin_required",
- "identity:create_endpoint": "rule:admin_required",
- "identity:update_endpoint": "rule:admin_required",
- "identity:delete_endpoint": "rule:admin_required",
-
- "identity:get_domain": "rule:admin_required or token.project.domain.id:%(target.domain.id)s",
- "identity:list_domains": "rule:admin_required",
- "identity:create_domain": "rule:admin_required",
- "identity:update_domain": "rule:admin_required",
- "identity:delete_domain": "rule:admin_required",
-
- "identity:get_project": "rule:admin_required or project_id:%(target.project.id)s",
- "identity:list_projects": "rule:admin_required",
- "identity:list_user_projects": "rule:admin_or_owner",
- "identity:create_project": "rule:admin_required",
- "identity:update_project": "rule:admin_required",
- "identity:delete_project": "rule:admin_required",
-
- "identity:get_user": "rule:admin_or_owner",
- "identity:list_users": "rule:admin_required",
- "identity:create_user": "rule:admin_required",
- "identity:update_user": "rule:admin_required",
- "identity:delete_user": "rule:admin_required",
- "identity:change_password": "rule:admin_or_owner",
-
- "identity:get_group": "rule:admin_required",
- "identity:list_groups": "rule:admin_required",
- "identity:list_groups_for_user": "rule:admin_or_owner",
- "identity:create_group": "rule:admin_required",
- "identity:update_group": "rule:admin_required",
- "identity:delete_group": "rule:admin_required",
- "identity:list_users_in_group": "rule:admin_required",
- "identity:remove_user_from_group": "rule:admin_required",
- "identity:check_user_in_group": "rule:admin_required",
- "identity:add_user_to_group": "rule:admin_required",
-
- "identity:get_credential": "rule:admin_required",
- "identity:list_credentials": "rule:admin_required",
- "identity:create_credential": "rule:admin_required",
- "identity:update_credential": "rule:admin_required",
- "identity:delete_credential": "rule:admin_required",
-
- "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
- "identity:ec2_list_credentials": "rule:admin_or_owner",
- "identity:ec2_create_credential": "rule:admin_or_owner",
- "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
-
- "identity:get_role": "rule:admin_required",
- "identity:list_roles": "rule:admin_required",
- "identity:create_role": "rule:admin_required",
- "identity:update_role": "rule:admin_required",
- "identity:delete_role": "rule:admin_required",
- "identity:get_domain_role": "rule:admin_required",
- "identity:list_domain_roles": "rule:admin_required",
- "identity:create_domain_role": "rule:admin_required",
- "identity:update_domain_role": "rule:admin_required",
- "identity:delete_domain_role": "rule:admin_required",
-
- "identity:get_implied_role": "rule:admin_required ",
- "identity:list_implied_roles": "rule:admin_required",
- "identity:create_implied_role": "rule:admin_required",
- "identity:delete_implied_role": "rule:admin_required",
- "identity:list_role_inference_rules": "rule:admin_required",
- "identity:check_implied_role": "rule:admin_required",
-
- "identity:check_grant": "rule:admin_required",
- "identity:list_grants": "rule:admin_required",
- "identity:create_grant": "rule:admin_required",
- "identity:revoke_grant": "rule:admin_required",
-
- "identity:list_role_assignments": "rule:admin_required",
- "identity:list_role_assignments_for_tree": "rule:admin_required",
-
- "identity:get_policy": "rule:admin_required",
- "identity:list_policies": "rule:admin_required",
- "identity:create_policy": "rule:admin_required",
- "identity:update_policy": "rule:admin_required",
- "identity:delete_policy": "rule:admin_required",
-
- "identity:check_token": "rule:admin_or_token_subject",
- "identity:validate_token": "rule:service_admin_or_token_subject",
- "identity:validate_token_head": "rule:service_or_admin",
- "identity:revocation_list": "rule:service_or_admin",
- "identity:revoke_token": "rule:admin_or_token_subject",
-
- "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
- "identity:list_trusts": "",
- "identity:list_roles_for_trust": "",
- "identity:get_role_for_trust": "",
- "identity:delete_trust": "",
-
- "identity:create_consumer": "rule:admin_required",
- "identity:get_consumer": "rule:admin_required",
- "identity:list_consumers": "rule:admin_required",
- "identity:delete_consumer": "rule:admin_required",
- "identity:update_consumer": "rule:admin_required",
-
- "identity:authorize_request_token": "rule:admin_required",
- "identity:list_access_token_roles": "rule:admin_required",
- "identity:get_access_token_role": "rule:admin_required",
- "identity:list_access_tokens": "rule:admin_required",
- "identity:get_access_token": "rule:admin_required",
- "identity:delete_access_token": "rule:admin_required",
-
- "identity:list_projects_for_endpoint": "rule:admin_required",
- "identity:add_endpoint_to_project": "rule:admin_required",
- "identity:check_endpoint_in_project": "rule:admin_required",
- "identity:list_endpoints_for_project": "rule:admin_required",
- "identity:remove_endpoint_from_project": "rule:admin_required",
-
- "identity:create_endpoint_group": "rule:admin_required",
- "identity:list_endpoint_groups": "rule:admin_required",
- "identity:get_endpoint_group": "rule:admin_required",
- "identity:update_endpoint_group": "rule:admin_required",
- "identity:delete_endpoint_group": "rule:admin_required",
- "identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
- "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
- "identity:get_endpoint_group_in_project": "rule:admin_required",
- "identity:list_endpoint_groups_for_project": "rule:admin_required",
- "identity:add_endpoint_group_to_project": "rule:admin_required",
- "identity:remove_endpoint_group_from_project": "rule:admin_required",
-
- "identity:create_identity_provider": "rule:admin_required",
- "identity:list_identity_providers": "rule:admin_required",
- "identity:get_identity_providers": "rule:admin_required",
- "identity:update_identity_provider": "rule:admin_required",
- "identity:delete_identity_provider": "rule:admin_required",
-
- "identity:create_protocol": "rule:admin_required",
- "identity:update_protocol": "rule:admin_required",
- "identity:get_protocol": "rule:admin_required",
- "identity:list_protocols": "rule:admin_required",
- "identity:delete_protocol": "rule:admin_required",
-
- "identity:create_mapping": "rule:admin_required",
- "identity:get_mapping": "rule:admin_required",
- "identity:list_mappings": "rule:admin_required",
- "identity:delete_mapping": "rule:admin_required",
- "identity:update_mapping": "rule:admin_required",
-
- "identity:create_service_provider": "rule:admin_required",
- "identity:list_service_providers": "rule:admin_required",
- "identity:get_service_provider": "rule:admin_required",
- "identity:update_service_provider": "rule:admin_required",
- "identity:delete_service_provider": "rule:admin_required",
-
- "identity:get_auth_catalog": "",
- "identity:get_auth_projects": "",
- "identity:get_auth_domains": "",
-
- "identity:list_projects_for_user": "",
- "identity:list_domains_for_user": "",
-
- "identity:list_revoke_events": "",
-
- "identity:create_policy_association_for_endpoint": "rule:admin_required",
- "identity:check_policy_association_for_endpoint": "rule:admin_required",
- "identity:delete_policy_association_for_endpoint": "rule:admin_required",
- "identity:create_policy_association_for_service": "rule:admin_required",
- "identity:check_policy_association_for_service": "rule:admin_required",
- "identity:delete_policy_association_for_service": "rule:admin_required",
- "identity:create_policy_association_for_region_and_service": "rule:admin_required",
- "identity:check_policy_association_for_region_and_service": "rule:admin_required",
- "identity:delete_policy_association_for_region_and_service": "rule:admin_required",
- "identity:get_policy_for_endpoint": "rule:admin_required",
- "identity:list_endpoints_for_policy": "rule:admin_required",
-
- "identity:create_domain_config": "rule:admin_required",
- "identity:get_domain_config": "rule:admin_required",
- "identity:update_domain_config": "rule:admin_required",
- "identity:delete_domain_config": "rule:admin_required",
- "identity:get_domain_config_default": "rule:admin_required"
-}
diff --git a/keystone/files/newton/wsgi-keystone.conf b/keystone/files/newton/wsgi-keystone.conf
index 763672d..3c18ef8 100644
--- a/keystone/files/newton/wsgi-keystone.conf
+++ b/keystone/files/newton/wsgi-keystone.conf
@@ -1,5 +1,122 @@
{%- from "keystone/map.jinja" import server with context %}
{%- set site = salt['pillar.get']('apache:server:site:'+site_name) %}
+{% macro setup_oidc() -%}
+ SetEnv HTTP_OIDC_ISS {{ server.federation.oidc.remote_id_attribute_value }}
+ {% if server.federation.oidc.oidc_claim_prefix is defined %}
+ OIDCClaimPrefix "{{ server.federation.oidc.oidc_claim_prefix }}"
+ {%- endif %}
+ OIDCClientID "{{ server.federation.oidc.oidc_client_id}}"
+ {% if server.federation.oidc.oidc_client_secret is defined %}
+ OIDCClientSecret "{{ server.federation.oidc.oidc_client_secret }}"
+ {%- endif %}
+ OIDCCryptoPassphrase "{{ server.federation.oidc.oidc_crypto_passphrase }}"
+ OIDCRedirectURI "{{ server.federation.oidc.oidc_redirect_uri }}"
+ {% if server.federation.oidc.oidc_provider_metadata_url is defined %}
+ OIDCProviderMetadataURL "{{ server.federation.oidc.oidc_provider_metadata_url }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_response_type is defined %}
+ OIDCResponseType "{{ server.federation.oidc.oidc_response_type }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_scope is defined %}
+ OIDCScope "{{ server.federation.oidc.oidc_scope }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_ssl_validate_server is defined %}
+ OIDCSSLValidateServer "{{ server.federation.oidc.oidc_ssl_validate_server }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_oauth_ssl_validate_server is defined %}
+ OIDCOAuthSSLValidateServer "{{ server.federation.oidc.oidc_oauth_ssl_validate_server }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_oauth_introspection_endpoint is defined %}
+ OIDCOAuthIntrospectionEndpoint "{{ server.federation.oidc.oidc_oauth_introspection_endpoint }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_oauth_introspection_token_param_name is defined %}
+ OIDCOAuthIntrospectionTokenParamName "{{ server.federation.oidc.oidc_oauth_introspection_token_param_name }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_oauth_remote_user_claim is defined %}
+ OIDCOAuthRemoteUserClaim "{{ server.federation.oidc.oidc_oauth_remote_user_claim }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_oauth_verify_jwks_uri is defined %}
+ OIDCOAuthVerifyJwksUri "{{ server.federation.oidc.oidc_oauth_verify_jwks_uri }}"
+ {%- endif %}
+ {% if server.federation.oidc.odic_token_iat_slack is defined %}
+ OIDCIDTokenIatSlack "{{ server.federation.oidc.odic_token_iat_slack }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_provider_issuer is defined %}
+ OIDCProviderIssuer "{{ server.federation.oidc.oidc_provider_issuer }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_provider_authorization_endpoint is defined %}
+ OIDCProviderAuthorizationEndpoint "{{ server.federation.oidc.oidc_provider_authorization_endpoint }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_provider_token_endpoint is defined %}
+ OIDCProviderTokenEndpoint "{{ server.federation.oidc.oidc_provider_token_endpoint }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_provider_token_endpoint_auth is defined %}
+ OIDCProviderTokenEndpointAuth "{{ server.federation.oidc.oidc_provider_token_endpoint_auth }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_provider_user_info_endpoint is defined %}
+ OIDCProviderUserInfoEndpoint "{{ server.federation.oidc.oidc_provider_user_info_endpoint }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_provider_jwks_uri is defined %}
+ OIDCProviderJwksUri "{{ server.federation.oidc.oidc_provider_jwks_uri }}"
+ {%- endif %}
+ {%- if server.federation.oidc.oidc_oauth_verify_shared_keys is defined %}
+ {%- set shared_keys_list = [] %}
+ {%- for shared_key_def in server.federation.oidc.oidc_oauth_verify_shared_keys %}
+ {%- do shared_keys_list.append("\""+shared_key_def.type+"#"+shared_key_def.kid+"#"+shared_key_def.key+"\"") %}
+ {%- endfor %}
+ OIDCOAuthVerifySharedKeys {{ shared_keys_list|join(" ") }}
+ {%- endif %}
+ {%- if server.federation.oidc.oidc_oauth_verify_cert_files is defined %}
+ {%- set cert_files_list = [] %}
+ {%- for cert_file_def in server.federation.oidc.oidc_oauth_verify_cert_files %}
+ {%- do cert_files_list.append("\""+cert_file_def.kid+"#"+cert_file_def.filename+"\"") %}
+ {%- endfor %}
+ OIDCOAuthVerifyCertFiles {{ cert_files_list|join(" ") }}
+ {%- endif %}
+
+ <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/oidc/auth>
+ AuthType oauth20
+ Require valid-user
+ </LocationMatch>
+ <LocationMatch "/v3/auth/OS-FEDERATION/websso/oidc">
+ AuthType openid-connect
+ Require valid-user
+ </LocationMatch>
+ <LocationMatch "/v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/oidc/websso">
+ AuthType openid-connect
+ Require valid-user
+ </LocationMatch>
+{% endmacro -%}
+{% macro setup_saml2() -%}
+ {% if server.federation.saml2.shib_url_scheme is defined %}
+ ShibURLScheme {{ server.federation.saml2.shib_url_scheme }}
+ {%- endif %}
+ {% if server.federation.saml2.shib_compat_valid_user is defined %}
+ ShibCompatValidUser {{ server.federation.saml2.shib_compat_valid_user }}
+ {%- endif %}
+ <Location /Shibboleth.sso>
+ SetHandler shib
+ </Location>
+ <LocationMatch /v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/saml2/websso>
+ ShibRequestSetting requireSession 1
+ AuthType shibboleth
+ ShibExportAssertion Off
+ Require valid-user
+ </LocationMatch>
+ <LocationMatch /v3/auth/OS-FEDERATION/websso/saml2>
+ ShibRequestSetting requireSession 1
+ AuthType shibboleth
+ ShibExportAssertion Off
+ Require valid-user
+ </LocationMatch>
+ <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
+ ShibRequestSetting requireSession 1
+ AuthType shibboleth
+ ShibExportAssertion Off
+ Require valid-user
+ </LocationMatch>
+{% endmacro -%}
+
Listen {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:5000
Listen {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:35357
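Review bot: The pillar key read for `OIDCIDTokenIatSlack` is misspelled `odic_token_iat_slack` (both references inside setup_oidc) while every sibling key uses the `oidc_` prefix, so an operator who sets `oidc_token_iat_slack` gets no directive and the mod_auth_openidc default, with no error; rename both to `server.federation.oidc.oidc_token_iat_slack`. Separately, `OIDCClientSecret`, `OIDCCryptoPassphrase` and `OIDCOAuthVerifySharedKeys` put secrets into the rendered Apache config, so the state that writes this file needs a restrictive file mode; that state is not in this diff, so it is worth checking. Because the macro is expanded in both VirtualHosts, `OIDCRedirectURI` is registered identically on :5000 and :35357; if that is intentional, a comment above the macro saying so would help the next reader.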
@@ -8,7 +125,7 @@
{%- include "apache/files/_ssl.conf" %}
{%- include "apache/files/_locations.conf" %}
- WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
+ WSGIDaemonProcess keystone-public processes={{ grains.num_cpus }} threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
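Review bot: `processes={{ grains.num_cpus }}` ties the WSGI process count directly to the host's CPU count, which gives a single process on a one-CPU test box and on a large host may exceed what the backing services were sized for. A pillar-driven value with the grain as fallback keeps it tunable, e.g. `processes={{ server.get('wsgi_processes', grains.num_cpus) }}` (`wsgi_processes` is a suggested new key, not one the formula currently has). The same change is made for keystone-admin in the `@@ -64,7 +170,7 @@` hunk.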
@@ -29,34 +146,23 @@
</IfVersion>
</Directory>
- {% if server.websso is defined %}
- {% if server.websso.shib_url_scheme is defined %}
- ShibURLScheme {{ server.websso.shib_url_scheme }}
- {%- endif %}
+ {% if server.get('federation', {}).saml2 is defined %}
WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/bin/keystone-wsgi-public/$1
- <Location /Shibboleth.sso>
- SetHandler shib
- </Location>
- <LocationMatch /v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/saml2/websso>
- ShibRequestSetting requireSession 1
- AuthType shibboleth
- ShibExportAssertion Off
- Require valid-user
- </LocationMatch>
- <LocationMatch /v3/auth/OS-FEDERATION/websso/saml2>
- ShibRequestSetting requireSession 1
- AuthType shibboleth
- ShibExportAssertion Off
- Require valid-user
- </LocationMatch>
- <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
- ShibRequestSetting requireSession 1
- AuthType shibboleth
- ShibExportAssertion Off
- Require valid-user
- </LocationMatch>
+ {{ setup_saml2() }}
+ {%- endif %}
+ {% if server.get('federation', {}).oidc is defined %}
+ {{ setup_oidc() }}
{%- endif %}
+ Alias /identity_admin /usr/bin/keystone-wsgi-admin
+ <Location /identity_admin>
+ SetHandler wsgi-script
+ Options +ExecCGI
+
+ WSGIProcessGroup keystone-admin
+ WSGIApplicationGroup %{GLOBAL}
+ WSGIPassAuthorization On
+ </Location>
</VirtualHost>
<VirtualHost {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:35357>
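Review bot: The `Alias /identity_admin` → keystone-wsgi-admin block is now placed inside the :5000 (public) VirtualHost, while the `@@ -85,52 +191,22 @@` hunk places `Alias /identity` → keystone-wsgi-public inside the :35357 (admin) VirtualHost; before the change both aliases were server-wide. If the cross-placement is deliberate, a comment such as `# admin application intentionally reachable on the public listener` above the Alias would stop the next reader from "fixing" it; otherwise the two blocks look swapped. Keeping the admin application reachable on the public listener is a security-relevant choice either way, so it should be stated explicitly rather than left implicit in the layout.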
@@ -64,7 +170,7 @@
{%- include "apache/files/_ssl.conf" %}
{%- include "apache/files/_locations.conf" %}
- WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
+ WSGIDaemonProcess keystone-admin processes={{ grains.num_cpus }} threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
@@ -85,52 +191,22 @@
</IfVersion>
</Directory>
- {% if server.websso is defined %}
- {% if server.websso.shib_url_scheme is defined %}
- ShibURLScheme {{ server.websso.shib_url_scheme }}
- {%- endif %}
+ {% if server.get('federation', {}).saml2 is defined %}
WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/bin/keystone-wsgi-admin/$1
- <Location /Shibboleth.sso>
- SetHandler shib
- </Location>
- <LocationMatch /v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/saml2/websso>
- ShibRequestSetting requireSession 1
- AuthType shibboleth
- ShibExportAssertion Off
- Require valid-user
- </LocationMatch>
- <LocationMatch /v3/auth/OS-FEDERATION/websso/saml2>
- ShibRequestSetting requireSession 1
- AuthType shibboleth
- ShibExportAssertion Off
- Require valid-user
- </LocationMatch>
- <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
- ShibRequestSetting requireSession 1
- AuthType shibboleth
- ShibExportAssertion Off
- Require valid-user
- </LocationMatch>
+ {{ setup_saml2() }}
{%- endif %}
+ {% if server.get('federation', {}).oidc is defined %}
+ {{ setup_oidc() }}
+ {%- endif %}
+
+ Alias /identity /usr/bin/keystone-wsgi-public
+ <Location /identity>
+ SetHandler wsgi-script
+ Options +ExecCGI
+
+ WSGIProcessGroup keystone-public
+ WSGIApplicationGroup %{GLOBAL}
+ WSGIPassAuthorization On
+ </Location>
</VirtualHost>
-
-Alias /identity /usr/bin/keystone-wsgi-public
-<Location /identity>
- SetHandler wsgi-script
- Options +ExecCGI
-
- WSGIProcessGroup keystone-public
- WSGIApplicationGroup %{GLOBAL}
- WSGIPassAuthorization On
-</Location>
-
-Alias /identity_admin /usr/bin/keystone-wsgi-admin
-<Location /identity_admin>
- SetHandler wsgi-script
- Options +ExecCGI
-
- WSGIProcessGroup keystone-admin
- WSGIApplicationGroup %{GLOBAL}
- WSGIPassAuthorization On
-</Location>
diff --git a/keystone/files/ocata/keystone.conf.Debian b/keystone/files/ocata/keystone.conf.Debian
index aa442f2..59b1cff 100644
--- a/keystone/files/ocata/keystone.conf.Debian
+++ b/keystone/files/ocata/keystone.conf.Debian
@@ -1,4 +1,4 @@
-{% from "keystone/map.jinja" import server with context %}
+{% from "keystone/map.jinja" import server, system_cacerts_file with context %}
[DEFAULT]
#
@@ -425,14 +425,15 @@
# A URL representing the messaging driver to use and its full configuration.
# (string value)
#transport_url = rabbit://nova:3qVSI7a1m8AdaDQ7BpB0PJu4@192.168.0.4:5673/
+{%- set rabbit_port = server.message_queue.get('port', 5671 if server.message_queue.get('ssl',{}).get('enabled', False) else 5672) %}
{%- if server.message_queue.members is defined %}
transport_url = rabbit://{% for member in server.message_queue.members -%}
- {{ server.message_queue.user }}:{{ server.message_queue.password }}@{{ member.host }}:{{ member.get('port', 5672) }}
+ {{ server.message_queue.user }}:{{ server.message_queue.password }}@{{ member.host }}:{{ member.get('port', rabbit_port) }}
{%- if not loop.last -%},{%- endif -%}
{%- endfor -%}
/{{ server.message_queue.virtual_host }}
{%- else %}
-transport_url = rabbit://{{ server.message_queue.user }}:{{ server.message_queue.password }}@{{ server.message_queue.host }}:{{ server.message_queue.port }}/{{ server.message_queue.virtual_host }}
+transport_url = rabbit://{{ server.message_queue.user }}:{{ server.message_queue.password }}@{{ server.message_queue.host }}:{{ rabbit_port }}/{{ server.message_queue.virtual_host }}
{%- endif %}
# DEPRECATED: The messaging driver to use, defaults to rabbit. Other drivers
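Review bot: `{{ server.message_queue.user }}:{{ server.message_queue.password }}` is interpolated verbatim into `transport_url` on both the members loop and the single-host line, so a password containing `@`, `/`, `:`, `?` or `%` yields a URL that oslo.messaging parses incorrectly; percent-encode both before interpolation (Jinja's `urlencode` filter covers `@`, `%` and `?` but leaves `/` and `:` alone, so those still need handling). The `@@ -772,7 +776,7 @@` hunk of this file has the same issue with `server.database.password` in the SQLAlchemy `connection` string. The commented sample just above the new `set` line carries a concrete-looking `rabbit://nova:...@192.168.0.4` credential; it is context rather than new code, but replacing it with a `<None>` placeholder would keep a real-looking secret out of the template.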
@@ -441,7 +442,6 @@
# Its value may be silently ignored in the future.
# Reason: Replaced by [DEFAULT]/transport_url
#rpc_backend = rabbit
-rpc_backend = rabbit
{%- endif %}
# The default exchange under which topics are scoped. May be overridden by an
# exchange name specified in the transport_url option. (string value)
@@ -484,8 +484,12 @@
{% if server.auth_methods is defined %}
methods = {{ server.auth_methods |join(',') }}
{%- endif %}
-{% if server.websso is defined %}
-{{ server.websso.protocol }} = keystone.auth.plugins.mapped.Mapped
+
+{%- if server.get('federation', {}).oidc is defined %}
+{{ server.federation.oidc.protocol }} = keystone.auth.plugins.mapped.Mapped
+{%- endif %}
+{%- if server.get('federation', {}).saml2 is defined %}
+{{ server.federation.saml2.protocol }} = keystone.auth.plugins.mapped.Mapped
{%- endif %}
# Entry point for the password auth plugin module in the
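Review bot: The `{{ protocol }} = keystone.auth.plugins.mapped.Mapped` entries are emitted whenever `federation.oidc` or `federation.saml2` is defined, but the protocol name is only added to `methods` when the operator also sets `server.auth_methods`; keystone only enables methods listed there, and the RedHat template in this commit appends the protocol to `methods` itself, so the two templates behave differently for the same pillar. Either append the protocols when `auth_methods` is absent or state the requirement, e.g. `{#- the protocol name must also appear in server.auth_methods #}` above the `if`. Also, the old `server.websso` key is no longer read in these hunks, so an existing pillar that still uses it renders a config with no federation plugin and no error; a README note or a temporary fallback on `websso` would make the migration visible.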
@@ -741,7 +745,7 @@
# of keys should be managed separately and require different rotation policies.
# Do not share this repository with the repository used to manage keys for
# Fernet tokens. (string value)
-#key_repository = /etc/keystone/credential-keys/
+key_repository = {{ server.credential.location }}
[database]
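Review bot: `key_repository = {{ server.credential.location }}` is unconditional, and the comment above it warns not to share this directory with the Fernet key repository, yet nothing in this hunk shows where the default comes from or that it differs from the Fernet one. A comment such as `{#- must differ from [fernet_tokens] key_repository; default presumably from map.jinja #}` would make the separation auditable, and a `{%- if server.credential.location is defined %}` guard would avoid rendering an empty path when the pillar lacks the key.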
@@ -772,7 +776,7 @@
# Deprecated group/name - [DATABASE]/sql_connection
# Deprecated group/name - [sql]/connection
#connection = <None>
-connection={{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}
+connection={{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}{%- if server.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ server.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
# The SQLAlchemy connection string to use to connect to the slave database.
# (string value)
@@ -974,6 +978,15 @@
# Specifies the distribution of the keystone server. (string value)
#Distribution = Ubuntu
+{%- if server.get('federation', {}).saml2 is defined %}
+[{{ server.federation.saml2.protocol }}]
+remote_id_attribute = {{ server.federation.saml2.remote_id_attribute }}
+{%- endif %}
+
+{%- if server.get('federation', {}).oidc is defined %}
+[{{ server.federation.oidc.protocol }}]
+remote_id_attribute = {{ server.federation.oidc.remote_id_attribute }}
+{%- endif %}
[federation]
@@ -985,8 +998,8 @@
# namespace. Keystone only provides a `sql` driver, so there is no reason to
# set this option unless you are providing a custom entry point. (string value)
#driver = sql
-{%- if server.get('websso', {}).federation_driver is defined %}
-driver = {{ server.websso.federation_driver }}
+{%- if server.get('federation', {}).federation_driver is defined %}
+driver = {{ server.federation.federation_driver }}
{%- endif %}
# Prefix to use when filtering environment variable names for federated
@@ -999,17 +1012,14 @@
# `mod_auth_openidc`, this could be `HTTP_OIDC_ISS`. For `mod_auth_mellon`,
# this could be `MELLON_IDP`. (string value)
#remote_id_attribute = <None>
-{%- if server.websso is defined %}
-remote_id_attribute = {{ server.websso.remote_id_attribute }}
-{%- endif %}
# An arbitrary domain name that is reserved to allow federated ephemeral users
# to have a domain concept. Note that an admin will not be able to create a
# domain with this name or update an existing domain to this name. You are not
# advised to change this value unless you really have to. (string value)
#federated_domain_name = Federated
-{%- if server.get('websso', {}).federated_domain_name is defined %}
-federated_domain_name = {{ server.websso.federated_domain_name }}
+{%- if server.get('federation', {}).federated_domain_name is defined %}
+federated_domain_name = {{ server.federation.federated_domain_name }}
{%- endif %}
# A list of trusted dashboard hosts. Before accepting a Single Sign-On request
@@ -1019,8 +1029,8 @@
# trusted_dashboard=https://acme.example.com/auth/websso
# trusted_dashboard=https://beta.example.com/auth/websso (multi valued)
#trusted_dashboard =
-{%- if server.get('websso', {}).trusted_dashboard is defined %}
-{%- for dashboard in server.websso.trusted_dashboard %}
+{%- if server.get('federation', {}).trusted_dashboard is defined %}
+{%- for dashboard in server.federation.trusted_dashboard %}
trusted_dashboard = {{ dashboard }}
{%- endfor %}
{%- endif %}
@@ -1952,6 +1962,27 @@
# From oslo.messaging
#
+
+{%- if server.notification %}
+
+{%- if server.message_queue.get('ssl',{}).get('enabled', False) %}
+rabbit_use_ssl=true
+
+{%- if server.message_queue.ssl.version is defined %}
+kombu_ssl_version = {{ server.message_queue.ssl.version }}
+{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
+kombu_ssl_version = TLSv1_2
+{%- endif %}
+
+{%- if server.message_queue.ssl.cacert_file is defined %}
+kombu_ssl_ca_certs = {{ server.message_queue.ssl.cacert_file }}
+{%- else %}
+kombu_ssl_ca_certs={{ system_cacerts_file }}
+{%- endif %}
+{%- endif %}
+
+{%- endif %}
+
# Use durable queues in AMQP. (boolean value)
# Deprecated group/name - [DEFAULT]/amqp_durable_queues
# Deprecated group/name - [DEFAULT]/rabbit_durable_queues
@@ -2385,7 +2416,7 @@
# The maximum body size for each request, in bytes. (integer value)
# Deprecated group/name - [DEFAULT]/osapi_max_request_body_size
# Deprecated group/name - [DEFAULT]/max_request_body_size
-#max_request_body_size = 114688
+max_request_body_size= {{ server.max_request_body_size }}
# DEPRECATED: The HTTP Header that will be used to determine what the original
# request protocol scheme was, even if it was hidden by a SSL termination
@@ -3022,6 +3053,7 @@
# Defaults to two days. (integer value)
#allow_expired_window = 172800
+hash_algorithm = {{ server.hash_algorithm }}
[tokenless_auth]
diff --git a/keystone/files/ocata/keystone.conf.RedHat b/keystone/files/ocata/keystone.conf.RedHat
index dd9a7c9..663854e 100644
--- a/keystone/files/ocata/keystone.conf.RedHat
+++ b/keystone/files/ocata/keystone.conf.RedHat
@@ -481,9 +481,9 @@
# are being invoked to validate attributes in the request environment, it can
# cause conflicts. (list value)
#methods = external,password,token,oauth1,mapped
-{% if server.websso is defined %}
-methods = external,password,token,{{ server.websso.protocol }}
-{{ server.websso.protocol }} = keystone.auth.plugins.mapped.Mapped
+{% if server.federation is defined %}
+methods = external,password,token,{{ server.federation.protocol }}
+{{ server.federation.protocol }} = keystone.auth.plugins.mapped.Mapped
{%- endif %}
# Entry point for the password auth plugin module in the
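Review bot: The RedHat template reads a flat schema (`server.federation.protocol` here and `server.federation.remote_id_attribute` in the `@@ -978,8 +978,8 @@` hunk), while the Debian templates in this same commit read per-protocol keys (`server.federation.oidc.protocol`, `server.federation.saml2.protocol`, with a `[<protocol>]` section carrying `remote_id_attribute`); a pillar written for one platform renders `methods = external,password,token,` and ` = keystone.auth.plugins.mapped.Mapped` on the other with no error. Aligning the RedHat file with the Debian structure removes the divergence; a sketch of the `[auth]` part follows, and the `remote_id_attribute` hunk would move to per-protocol sections the same way.
```jinja
{%- set federation = server.get('federation', {}) %}
{%- set federation_protocols = [] %}
{%- if federation.saml2 is defined %}{%- do federation_protocols.append(federation.saml2.protocol) %}{%- endif %}
{%- if federation.oidc is defined %}{%- do federation_protocols.append(federation.oidc.protocol) %}{%- endif %}
{%- if federation_protocols %}
methods = external,password,token,{{ federation_protocols|join(',') }}
{%- for protocol in federation_protocols %}
{{ protocol }} = keystone.auth.plugins.mapped.Mapped
{%- endfor %}
{%- endif %}
{# … unchanged: password auth plugin entry point … #}
```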
@@ -964,8 +964,8 @@
# namespace. Keystone only provides a `sql` driver, so there is no reason to
# set this option unless you are providing a custom entry point. (string value)
#driver = sql
-{%- if server.get('websso', {}).federation_driver is defined %}
-driver = {{ server.websso.federation_driver }}
+{%- if server.get('federation', {}).federation_driver is defined %}
+driver = {{ server.federation.federation_driver }}
{%- endif %}
# Prefix to use when filtering environment variable names for federated
@@ -978,8 +978,8 @@
# `mod_auth_openidc`, this could be `HTTP_OIDC_ISS`. For `mod_auth_mellon`,
# this could be `MELLON_IDP`. (string value)
#remote_id_attribute = <None>
-{%- if server.websso is defined %}
-remote_id_attribute = {{ server.websso.remote_id_attribute }}
+{%- if server.federation is defined %}
+remote_id_attribute = {{ server.federation.remote_id_attribute }}
{%- endif %}
# An arbitrary domain name that is reserved to allow federated ephemeral users
@@ -987,8 +987,8 @@
# domain with this name or update an existing domain to this name. You are not
# advised to change this value unless you really have to. (string value)
#federated_domain_name = Federated
-{%- if server.get('websso', {}).federated_domain_name is defined %}
-federated_domain_name = {{ server.websso.federated_domain_name }}
+{%- if server.get('federation', {}).federated_domain_name is defined %}
+federated_domain_name = {{ server.federation.federated_domain_name }}
{%- endif %}
# A list of trusted dashboard hosts. Before accepting a Single Sign-On request
@@ -998,8 +998,8 @@
# trusted_dashboard=https://acme.example.com/auth/websso
# trusted_dashboard=https://beta.example.com/auth/websso (multi valued)
#trusted_dashboard =
-{%- if server.get('websso', {}).trusted_dashboard is defined %}
-{%- for dashboard in server.websso.trusted_dashboard %}
+{%- if server.get('federation', {}).trusted_dashboard is defined %}
+{%- for dashboard in server.federation.trusted_dashboard %}
trusted_dashboard = {{ dashboard }}
{%- endfor %}
{%- endif %}
diff --git a/keystone/files/ocata/policy-v2.json b/keystone/files/ocata/policy-v2.json
deleted file mode 100644
index ddf2396..0000000
--- a/keystone/files/ocata/policy-v2.json
+++ /dev/null
@@ -1,199 +0,0 @@
-{
- "admin_required": "role:admin or is_admin:1",
- "service_role": "role:service",
- "service_or_admin": "rule:admin_required or rule:service_role",
- "owner" : "user_id:%(user_id)s",
- "admin_or_owner": "rule:admin_required or rule:owner",
- "token_subject": "user_id:%(target.token.user_id)s",
- "admin_or_token_subject": "rule:admin_required or rule:token_subject",
- "service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject",
-
- "default": "rule:admin_required",
-
- "identity:get_region": "",
- "identity:list_regions": "",
- "identity:create_region": "rule:admin_required",
- "identity:update_region": "rule:admin_required",
- "identity:delete_region": "rule:admin_required",
-
- "identity:get_service": "rule:admin_required",
- "identity:list_services": "rule:admin_required",
- "identity:create_service": "rule:admin_required",
- "identity:update_service": "rule:admin_required",
- "identity:delete_service": "rule:admin_required",
-
- "identity:get_endpoint": "rule:admin_required",
- "identity:list_endpoints": "rule:admin_required",
- "identity:create_endpoint": "rule:admin_required",
- "identity:update_endpoint": "rule:admin_required",
- "identity:delete_endpoint": "rule:admin_required",
-
- "identity:get_domain": "rule:admin_required or token.project.domain.id:%(target.domain.id)s",
- "identity:list_domains": "rule:admin_required",
- "identity:create_domain": "rule:admin_required",
- "identity:update_domain": "rule:admin_required",
- "identity:delete_domain": "rule:admin_required",
-
- "identity:get_project": "rule:admin_required or project_id:%(target.project.id)s",
- "identity:list_projects": "rule:admin_required",
- "identity:list_user_projects": "rule:admin_or_owner",
- "identity:create_project": "rule:admin_required",
- "identity:update_project": "rule:admin_required",
- "identity:delete_project": "rule:admin_required",
-
- "identity:get_user": "rule:admin_or_owner",
- "identity:list_users": "rule:admin_required",
- "identity:create_user": "rule:admin_required",
- "identity:update_user": "rule:admin_required",
- "identity:delete_user": "rule:admin_required",
- "identity:change_password": "rule:admin_or_owner",
-
- "identity:get_group": "rule:admin_required",
- "identity:list_groups": "rule:admin_required",
- "identity:list_groups_for_user": "rule:admin_or_owner",
- "identity:create_group": "rule:admin_required",
- "identity:update_group": "rule:admin_required",
- "identity:delete_group": "rule:admin_required",
- "identity:list_users_in_group": "rule:admin_required",
- "identity:remove_user_from_group": "rule:admin_required",
- "identity:check_user_in_group": "rule:admin_required",
- "identity:add_user_to_group": "rule:admin_required",
-
- "identity:get_credential": "rule:admin_required",
- "identity:list_credentials": "rule:admin_required",
- "identity:create_credential": "rule:admin_required",
- "identity:update_credential": "rule:admin_required",
- "identity:delete_credential": "rule:admin_required",
-
- "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
- "identity:ec2_list_credentials": "rule:admin_or_owner",
- "identity:ec2_create_credential": "rule:admin_or_owner",
- "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
-
- "identity:get_role": "rule:admin_required",
- "identity:list_roles": "rule:admin_required",
- "identity:create_role": "rule:admin_required",
- "identity:update_role": "rule:admin_required",
- "identity:delete_role": "rule:admin_required",
- "identity:get_domain_role": "rule:admin_required",
- "identity:list_domain_roles": "rule:admin_required",
- "identity:create_domain_role": "rule:admin_required",
- "identity:update_domain_role": "rule:admin_required",
- "identity:delete_domain_role": "rule:admin_required",
-
- "identity:get_implied_role": "rule:admin_required ",
- "identity:list_implied_roles": "rule:admin_required",
- "identity:create_implied_role": "rule:admin_required",
- "identity:delete_implied_role": "rule:admin_required",
- "identity:list_role_inference_rules": "rule:admin_required",
- "identity:check_implied_role": "rule:admin_required",
-
- "identity:check_grant": "rule:admin_required",
- "identity:list_grants": "rule:admin_required",
- "identity:create_grant": "rule:admin_required",
- "identity:revoke_grant": "rule:admin_required",
-
- "identity:list_role_assignments": "rule:admin_required",
- "identity:list_role_assignments_for_tree": "rule:admin_required",
-
- "identity:get_policy": "rule:admin_required",
- "identity:list_policies": "rule:admin_required",
- "identity:create_policy": "rule:admin_required",
- "identity:update_policy": "rule:admin_required",
- "identity:delete_policy": "rule:admin_required",
-
- "identity:check_token": "rule:admin_or_token_subject",
- "identity:validate_token": "rule:service_admin_or_token_subject",
- "identity:validate_token_head": "rule:service_or_admin",
- "identity:revocation_list": "rule:service_or_admin",
- "identity:revoke_token": "rule:admin_or_token_subject",
-
- "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
- "identity:list_trusts": "",
- "identity:list_roles_for_trust": "",
- "identity:get_role_for_trust": "",
- "identity:delete_trust": "",
-
- "identity:create_consumer": "rule:admin_required",
- "identity:get_consumer": "rule:admin_required",
- "identity:list_consumers": "rule:admin_required",
- "identity:delete_consumer": "rule:admin_required",
- "identity:update_consumer": "rule:admin_required",
-
- "identity:authorize_request_token": "rule:admin_required",
- "identity:list_access_token_roles": "rule:admin_required",
- "identity:get_access_token_role": "rule:admin_required",
- "identity:list_access_tokens": "rule:admin_required",
- "identity:get_access_token": "rule:admin_required",
- "identity:delete_access_token": "rule:admin_required",
-
- "identity:list_projects_for_endpoint": "rule:admin_required",
- "identity:add_endpoint_to_project": "rule:admin_required",
- "identity:check_endpoint_in_project": "rule:admin_required",
- "identity:list_endpoints_for_project": "rule:admin_required",
- "identity:remove_endpoint_from_project": "rule:admin_required",
-
- "identity:create_endpoint_group": "rule:admin_required",
- "identity:list_endpoint_groups": "rule:admin_required",
- "identity:get_endpoint_group": "rule:admin_required",
- "identity:update_endpoint_group": "rule:admin_required",
- "identity:delete_endpoint_group": "rule:admin_required",
- "identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
- "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
- "identity:get_endpoint_group_in_project": "rule:admin_required",
- "identity:list_endpoint_groups_for_project": "rule:admin_required",
- "identity:add_endpoint_group_to_project": "rule:admin_required",
- "identity:remove_endpoint_group_from_project": "rule:admin_required",
-
- "identity:create_identity_provider": "rule:admin_required",
- "identity:list_identity_providers": "rule:admin_required",
- "identity:get_identity_providers": "rule:admin_required",
- "identity:update_identity_provider": "rule:admin_required",
- "identity:delete_identity_provider": "rule:admin_required",
-
- "identity:create_protocol": "rule:admin_required",
- "identity:update_protocol": "rule:admin_required",
- "identity:get_protocol": "rule:admin_required",
- "identity:list_protocols": "rule:admin_required",
- "identity:delete_protocol": "rule:admin_required",
-
- "identity:create_mapping": "rule:admin_required",
- "identity:get_mapping": "rule:admin_required",
- "identity:list_mappings": "rule:admin_required",
- "identity:delete_mapping": "rule:admin_required",
- "identity:update_mapping": "rule:admin_required",
-
- "identity:create_service_provider": "rule:admin_required",
- "identity:list_service_providers": "rule:admin_required",
- "identity:get_service_provider": "rule:admin_required",
- "identity:update_service_provider": "rule:admin_required",
- "identity:delete_service_provider": "rule:admin_required",
-
- "identity:get_auth_catalog": "",
- "identity:get_auth_projects": "",
- "identity:get_auth_domains": "",
-
- "identity:list_projects_for_user": "",
- "identity:list_domains_for_user": "",
-
- "identity:list_revoke_events": "rule:service_or_admin",
-
- "identity:create_policy_association_for_endpoint": "rule:admin_required",
- "identity:check_policy_association_for_endpoint": "rule:admin_required",
- "identity:delete_policy_association_for_endpoint": "rule:admin_required",
- "identity:create_policy_association_for_service": "rule:admin_required",
- "identity:check_policy_association_for_service": "rule:admin_required",
- "identity:delete_policy_association_for_service": "rule:admin_required",
- "identity:create_policy_association_for_region_and_service": "rule:admin_required",
- "identity:check_policy_association_for_region_and_service": "rule:admin_required",
- "identity:delete_policy_association_for_region_and_service": "rule:admin_required",
- "identity:get_policy_for_endpoint": "rule:admin_required",
- "identity:list_endpoints_for_policy": "rule:admin_required",
-
- "identity:create_domain_config": "rule:admin_required",
- "identity:get_domain_config": "rule:admin_required",
- "identity:get_security_compliance_domain_config": "",
- "identity:update_domain_config": "rule:admin_required",
- "identity:delete_domain_config": "rule:admin_required",
- "identity:get_domain_config_default": "rule:admin_required"
-}
diff --git a/keystone/files/ocata/wsgi-keystone.conf b/keystone/files/ocata/wsgi-keystone.conf
index 763672d..3c18ef8 100644
--- a/keystone/files/ocata/wsgi-keystone.conf
+++ b/keystone/files/ocata/wsgi-keystone.conf
@@ -1,5 +1,122 @@
{%- from "keystone/map.jinja" import server with context %}
{%- set site = salt['pillar.get']('apache:server:site:'+site_name) %}
+{% macro setup_oidc() -%}
+ SetEnv HTTP_OIDC_ISS {{ server.federation.oidc.remote_id_attribute_value }}
+ {% if server.federation.oidc.oidc_claim_prefix is defined %}
+ OIDCClaimPrefix "{{ server.federation.oidc.oidc_claim_prefix }}"
+ {%- endif %}
+ OIDCClientID "{{ server.federation.oidc.oidc_client_id}}"
+ {% if server.federation.oidc.oidc_client_secret is defined %}
+ OIDCClientSecret "{{ server.federation.oidc.oidc_client_secret }}"
+ {%- endif %}
+ OIDCCryptoPassphrase "{{ server.federation.oidc.oidc_crypto_passphrase }}"
+ OIDCRedirectURI "{{ server.federation.oidc.oidc_redirect_uri }}"
+ {% if server.federation.oidc.oidc_provider_metadata_url is defined %}
+ OIDCProviderMetadataURL "{{ server.federation.oidc.oidc_provider_metadata_url }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_response_type is defined %}
+ OIDCResponseType "{{ server.federation.oidc.oidc_response_type }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_scope is defined %}
+ OIDCScope "{{ server.federation.oidc.oidc_scope }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_ssl_validate_server is defined %}
+ OIDCSSLValidateServer "{{ server.federation.oidc.oidc_ssl_validate_server }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_oauth_ssl_validate_server is defined %}
+ OIDCOAuthSSLValidateServer "{{ server.federation.oidc.oidc_oauth_ssl_validate_server }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_oauth_introspection_endpoint is defined %}
+ OIDCOAuthIntrospectionEndpoint "{{ server.federation.oidc.oidc_oauth_introspection_endpoint }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_oauth_introspection_token_param_name is defined %}
+ OIDCOAuthIntrospectionTokenParamName "{{ server.federation.oidc.oidc_oauth_introspection_token_param_name }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_oauth_remote_user_claim is defined %}
+ OIDCOAuthRemoteUserClaim "{{ server.federation.oidc.oidc_oauth_remote_user_claim }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_oauth_verify_jwks_uri is defined %}
+ OIDCOAuthVerifyJwksUri "{{ server.federation.oidc.oidc_oauth_verify_jwks_uri }}"
+ {%- endif %}
+ {% if server.federation.oidc.odic_token_iat_slack is defined %}
+ OIDCIDTokenIatSlack "{{ server.federation.oidc.odic_token_iat_slack }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_provider_issuer is defined %}
+ OIDCProviderIssuer "{{ server.federation.oidc.oidc_provider_issuer }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_provider_authorization_endpoint is defined %}
+ OIDCProviderAuthorizationEndpoint "{{ server.federation.oidc.oidc_provider_authorization_endpoint }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_provider_token_endpoint is defined %}
+ OIDCProviderTokenEndpoint "{{ server.federation.oidc.oidc_provider_token_endpoint }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_provider_token_endpoint_auth is defined %}
+ OIDCProviderTokenEndpointAuth "{{ server.federation.oidc.oidc_provider_token_endpoint_auth }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_provider_user_info_endpoint is defined %}
+ OIDCProviderUserInfoEndpoint "{{ server.federation.oidc.oidc_provider_user_info_endpoint }}"
+ {%- endif %}
+ {% if server.federation.oidc.oidc_provider_jwks_uri is defined %}
+ OIDCProviderJwksUri "{{ server.federation.oidc.oidc_provider_jwks_uri }}"
+ {%- endif %}
+ {%- if server.federation.oidc.oidc_oauth_verify_shared_keys is defined %}
+ {%- set shared_keys_list = [] %}
+ {%- for shared_key_def in server.federation.oidc.oidc_oauth_verify_shared_keys %}
+ {%- do shared_keys_list.append("\""+shared_key_def.type+"#"+shared_key_def.kid+"#"+shared_key_def.key+"\"") %}
+ {%- endfor %}
+ OIDCOAuthVerifySharedKeys {{ shared_keys_list|join(" ") }}
+ {%- endif %}
+ {%- if server.federation.oidc.oidc_oauth_verify_cert_files is defined %}
+ {%- set cert_files_list = [] %}
+ {%- for cert_file_def in server.federation.oidc.oidc_oauth_verify_cert_files %}
+ {%- do cert_files_list.append("\""+cert_file_def.kid+"#"+cert_file_def.filename+"\"") %}
+ {%- endfor %}
+ OIDCOAuthVerifyCertFiles {{ cert_files_list|join(" ") }}
+ {%- endif %}
+
+ <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/oidc/auth>
+ AuthType oauth20
+ Require valid-user
+ </LocationMatch>
+ <LocationMatch "/v3/auth/OS-FEDERATION/websso/oidc">
+ AuthType openid-connect
+ Require valid-user
+ </LocationMatch>
+ <LocationMatch "/v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/oidc/websso">
+ AuthType openid-connect
+ Require valid-user
+ </LocationMatch>
+{% endmacro -%}
+{% macro setup_saml2() -%}
+ {% if server.federation.saml2.shib_url_scheme is defined %}
+ ShibURLScheme {{ server.federation.saml2.shib_url_scheme }}
+ {%- endif %}
+ {% if server.federation.saml2.shib_compat_valid_user is defined %}
+ ShibCompatValidUser {{ server.federation.saml2.shib_compat_valid_user }}
+ {%- endif %}
+ <Location /Shibboleth.sso>
+ SetHandler shib
+ </Location>
+ <LocationMatch /v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/saml2/websso>
+ ShibRequestSetting requireSession 1
+ AuthType shibboleth
+ ShibExportAssertion Off
+ Require valid-user
+ </LocationMatch>
+ <LocationMatch /v3/auth/OS-FEDERATION/websso/saml2>
+ ShibRequestSetting requireSession 1
+ AuthType shibboleth
+ ShibExportAssertion Off
+ Require valid-user
+ </LocationMatch>
+ <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
+ ShibRequestSetting requireSession 1
+ AuthType shibboleth
+ ShibExportAssertion Off
+ Require valid-user
+ </LocationMatch>
+{% endmacro -%}
+
Listen {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:5000
Listen {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:35357
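Review bot: The pillar key used for the IAT slack directive is spelled `odic_token_iat_slack` on both lines (`{% if server.federation.oidc.odic_token_iat_slack is defined %}` / `OIDCIDTokenIatSlack "{{ server.federation.oidc.odic_token_iat_slack }}"`), while every other key in `setup_oidc()` uses the `oidc_` prefix, so an operator following the established naming never gets the directive emitted; rename both to `oidc_token_iat_slack`. Separately, `OIDCClientSecret` and `OIDCCryptoPassphrase` are rendered in clear text into the vhost file, so the state that manages this file (outside this hunk) should keep it readable only by root and the web-server group; a comment at the top of the macro such as `{#- rendered output contains the OIDC client secret and crypto passphrase #}` would make that requirement visible to whoever maintains the file state.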
@@ -8,7 +125,7 @@
{%- include "apache/files/_ssl.conf" %}
{%- include "apache/files/_locations.conf" %}
- WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
+ WSGIDaemonProcess keystone-public processes={{ grains.num_cpus }} threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
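Review bot: `processes={{ grains.num_cpus }}` (here and in the identical keystone-admin line of the `@@ -64,7 +170,7 @@` hunk) replaces a fixed count with an uncapped host value and renders an invalid `processes=` if the grain is absent, which makes Apache reject the configuration. Consider a pillar-overridable count that falls back to the grain and then to the previous default, e.g. a new `processes` key read as `processes={{ server.get('processes', grains.get('num_cpus', 5)) }}`, so large hosts can be capped and a missing grain still yields a valid directive.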
@@ -29,34 +146,23 @@
</IfVersion>
</Directory>
- {% if server.websso is defined %}
- {% if server.websso.shib_url_scheme is defined %}
- ShibURLScheme {{ server.websso.shib_url_scheme }}
- {%- endif %}
+ {% if server.get('federation', {}).saml2 is defined %}
WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/bin/keystone-wsgi-public/$1
- <Location /Shibboleth.sso>
- SetHandler shib
- </Location>
- <LocationMatch /v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/saml2/websso>
- ShibRequestSetting requireSession 1
- AuthType shibboleth
- ShibExportAssertion Off
- Require valid-user
- </LocationMatch>
- <LocationMatch /v3/auth/OS-FEDERATION/websso/saml2>
- ShibRequestSetting requireSession 1
- AuthType shibboleth
- ShibExportAssertion Off
- Require valid-user
- </LocationMatch>
- <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
- ShibRequestSetting requireSession 1
- AuthType shibboleth
- ShibExportAssertion Off
- Require valid-user
- </LocationMatch>
+ {{ setup_saml2() }}
+ {%- endif %}
+ {% if server.get('federation', {}).oidc is defined %}
+ {{ setup_oidc() }}
{%- endif %}
+ Alias /identity_admin /usr/bin/keystone-wsgi-admin
+ <Location /identity_admin>
+ SetHandler wsgi-script
+ Options +ExecCGI
+
+ WSGIProcessGroup keystone-admin
+ WSGIApplicationGroup %{GLOBAL}
+ WSGIPassAuthorization On
+ </Location>
</VirtualHost>
<VirtualHost {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:35357>
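Review bot: `Alias /identity_admin /usr/bin/keystone-wsgi-admin` now sits inside the :5000 (public) VirtualHost, while the mirror hunk at `@@ -85,52 +191,22 @@` places `Alias /identity /usr/bin/keystone-wsgi-public` inside the :35357 (admin) VirtualHost; unless this crossing is deliberate, the admin WSGI application remains reachable on the public listener, and the opposite assignment would match each vhost's own `WSGIScriptAlias /`. If it is deliberate, a comment above each `Alias` stating why would prevent it being "fixed" later. Also, `WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ ...` is emitted only inside the `saml2` branch, so an oidc-only deployment does not get it even though `setup_oidc()` adds a LocationMatch for the same `/protocols/oidc/auth` path; if both protocols need it, hoist it above the two `if` blocks.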
@@ -64,7 +170,7 @@
{%- include "apache/files/_ssl.conf" %}
{%- include "apache/files/_locations.conf" %}
- WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
+ WSGIDaemonProcess keystone-admin processes={{ grains.num_cpus }} threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
@@ -85,52 +191,22 @@
</IfVersion>
</Directory>
- {% if server.websso is defined %}
- {% if server.websso.shib_url_scheme is defined %}
- ShibURLScheme {{ server.websso.shib_url_scheme }}
- {%- endif %}
+ {% if server.get('federation', {}).saml2 is defined %}
WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/bin/keystone-wsgi-admin/$1
- <Location /Shibboleth.sso>
- SetHandler shib
- </Location>
- <LocationMatch /v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/saml2/websso>
- ShibRequestSetting requireSession 1
- AuthType shibboleth
- ShibExportAssertion Off
- Require valid-user
- </LocationMatch>
- <LocationMatch /v3/auth/OS-FEDERATION/websso/saml2>
- ShibRequestSetting requireSession 1
- AuthType shibboleth
- ShibExportAssertion Off
- Require valid-user
- </LocationMatch>
- <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
- ShibRequestSetting requireSession 1
- AuthType shibboleth
- ShibExportAssertion Off
- Require valid-user
- </LocationMatch>
+ {{ setup_saml2() }}
{%- endif %}
+ {% if server.get('federation', {}).oidc is defined %}
+ {{ setup_oidc() }}
+ {%- endif %}
+
+ Alias /identity /usr/bin/keystone-wsgi-public
+ <Location /identity>
+ SetHandler wsgi-script
+ Options +ExecCGI
+
+ WSGIProcessGroup keystone-public
+ WSGIApplicationGroup %{GLOBAL}
+ WSGIPassAuthorization On
+ </Location>
</VirtualHost>
-
-Alias /identity /usr/bin/keystone-wsgi-public
-<Location /identity>
- SetHandler wsgi-script
- Options +ExecCGI
-
- WSGIProcessGroup keystone-public
- WSGIApplicationGroup %{GLOBAL}
- WSGIPassAuthorization On
-</Location>
-
-Alias /identity_admin /usr/bin/keystone-wsgi-admin
-<Location /identity_admin>
- SetHandler wsgi-script
- Options +ExecCGI
-
- WSGIProcessGroup keystone-admin
- WSGIApplicationGroup %{GLOBAL}
- WSGIPassAuthorization On
-</Location>
diff --git a/keystone/files/salt-minion.conf b/keystone/files/salt-minion.conf
deleted file mode 100644
index 19c5af9..0000000
--- a/keystone/files/salt-minion.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-{%- if pillar.keystone.get('server', {'enabled': False}).enabled -%}
-{%- from "keystone/map.jinja" import server with context -%}
-keystone.token: '{{ server.service_token }}'
-keystone.endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
-{%- else -%}
-{%- from "keystone/map.jinja" import client with context -%}
-keystone.user: '{{ client.server.user }}'
-keystone.password: '{{ client.server.password }}'
-keystone.tenant: '{{ client.server.tenant }}'
-keystone.auth_url: 'http://{{ client.server.host }}:{{ client.server.public_port }}/v2.0/'
-{%- endif %}
-
-{#-
-vim: syntax=jinja
--#}
diff --git a/keystone/map.jinja b/keystone/map.jinja
index 361bba9..35a2613 100644
--- a/keystone/map.jinja
+++ b/keystone/map.jinja
@@ -1,3 +1,7 @@
+{%- set system_cacerts_file = salt['grains.filter_by']({
+ 'Debian': '/etc/ssl/certs/ca-certificates.crt',
+ 'RedHat': '/etc/pki/tls/certs/ca-bundle.crt'
+})%}
{% set server = salt['grains.filter_by']({
'Debian': {
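Review bot: `system_cacerts_file` has no `'default'` entry, so on an os_family other than Debian or RedHat it resolves to None, and the `server.sls` that imports it (first hunk of that file) renders a `None` path wherever it is used. Either add a `'default'` entry or state the limitation in a comment above the `set`, e.g. `{#- CA bundle path by os_family; only Debian and RedHat families are supported #}`.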
@@ -6,6 +10,8 @@
'version': 'icehouse',
'api_version': '2',
'cors': {},
+ 'hash_algorithm': 'sha256',
+ 'max_request_body_size': '114688',
'tokens': {
'engine': 'database',
'expiration': '86400'
@@ -20,6 +26,8 @@
'api_version': '2',
'version': 'icehouse',
'cors': {},
+ 'hash_algorithm': 'sha256',
+ 'max_request_body_size': '114688',
'tokens': {
'engine': 'database',
'expiration': '86400'
@@ -50,3 +58,13 @@
'pkgs': [],
},
}, merge=pillar.keystone.get('control', {})) %}
+
+{% set monitoring = salt['grains.filter_by']({
+ 'default': {
+ 'error_log_rate': 0.2,
+ 'failed_auths': {
+ 'percentage': 50,
+ 'all_auths_rate': 0.1,
+ },
+ },
+}, grain='os_family', merge=salt['pillar.get']('keystone:monitoring')) %}
diff --git a/keystone/meta/grafana.yml b/keystone/meta/grafana.yml
index 1f3370f..75c3ee7 100644
--- a/keystone/meta/grafana.yml
+++ b/keystone/meta/grafana.yml
@@ -1,8 +1,14 @@
dashboard:
- keystone:
+ keystone_prometheus:
+ datasource: prometheus
+ format: json
+ template: keystone/files/grafana_dashboards/keystone_prometheus.json
+ keystone_influxdb:
+ datasource: influxdb
format: json
template: keystone/files/grafana_dashboards/keystone_influxdb.json
main:
+ datasource: influxdb
row:
ost-control-plane:
title: OpenStack Control Plane
@@ -18,6 +24,7 @@
rawQuery: true
query: SELECT last(value) FROM cluster_status WHERE cluster_name = 'keystone' AND environment_label = '$environment' AND $timeFilter GROUP BY time($interval) fill(null)
service_level:
+ datasource: influxdb
row:
keystone-service-level:
title: Keystone Service Levels
diff --git a/keystone/meta/prometheus.yml b/keystone/meta/prometheus.yml
new file mode 100644
index 0000000..33a5b3c
--- /dev/null
+++ b/keystone/meta/prometheus.yml
@@ -0,0 +1,42 @@
+{%- if pillar.keystone.server is defined and pillar.keystone.server.get('enabled') %}
+{%- from "keystone/map.jinja" import monitoring with context %}
+{% raw %}
+server:
+ alert:
+ KeystoneAPIDown:
+ if: >-
+ openstack_api_check_status{service=~"keystone.*"} == 0
+ for: 2m
+ labels:
+ severity: down
+ service: "{{ $labels.service }}"
+ annotations:
+ summary: "Endpoint check for '{{ $labels.service }}' is down"
+ description: >-
+ Endpoint check for '{{ $labels.service }}' is down for 2 minutes
+ KeystoneErrorLogsTooHigh:
+{%- endraw %}
+ {%- set log_threshold = monitoring.error_log_rate|float %}
+ if: >-
+ sum(rate(log_messages{service="keystone",level=~"error|emergency|fatal"}[5m])) without (level) > {{ log_threshold }}
+{%- raw %}
+ labels:
+ severity: warning
+ service: "{{ $labels.service }}"
+ annotations:
+ summary: 'Too many errors in {{ $labels.service }} logs'
+ description: 'The rate of errors in {{ $labels.service }} logs over the last 5 minutes is too high on node {{ $labels.host }} (current value={{ $value }}, threshold={%- endraw %}{{ log_threshold }}).'
+ KeystoneFailedAuthsTooHigh:
+ {%- set auth_threshold = monitoring.failed_auths.percentage %}
+ {%- set rate_threshold = monitoring.failed_auths.all_auths_rate|float %}
+ if: >-
+ rate(authentications_total_failed[5m]) > rate(authentications_total_all[5m]) * {{ auth_threshold }} / 100 and rate(authentications_total_all[5m]) > {{ rate_threshold }}
+{%- raw %}
+ labels:
+ severity: warning
+ service: keystone
+ annotations:
+ summary: 'Too many failed authentications in Keystone'
+ description: 'The rate of failed authentications in Keystone over the last 5 minutes is too high (current value={{ $value }}, threshold={%- endraw %}{{ auth_threshold }}).'
+
+{%- endif %}
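Review bot: The guard `{%- if pillar.keystone.server is defined and pillar.keystone.server.get('enabled') %}` dereferences `pillar.keystone` directly, unlike the `pillar.get('keystone', {}).get('server')` form used in the new `keystone/meta/salt.yml` in this same change; on a minion with no `keystone` pillar at all this may raise an undefined error instead of skipping, depending on the Jinja undefined class the master is configured with. Suggest `{%- if pillar.get('keystone', {}).get('server', {}).get('enabled') %}` for consistency and safety.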
diff --git a/keystone/meta/salt.yml b/keystone/meta/salt.yml
index c5f5e3a..a729abd 100644
--- a/keystone/meta/salt.yml
+++ b/keystone/meta/salt.yml
@@ -7,3 +7,54 @@
control:
priority: 520
+minion:
+ {%- if pillar.get('keystone', {}).get('server') or pillar.get('keystone', {}).get('client') %}
+ {%- from "keystone/map.jinja" import server with context %}
+ {%- from "keystone/map.jinja" import client with context %}
+
+ keystone:
+ {%- if pillar.keystone.get('server', {'enabled': False}).enabled %}
+ keystone.token: '{{ server.service_token }}'
+ keystone.endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
+ {%- else %}
+ {%- if client.get('server', {}).get('user') %}
+ keystone.user: '{{ client.server.user }}'
+ keystone.password: '{{ client.server.password }}'
+ keystone.tenant: '{{ client.server.tenant }}'
+ keystone.auth_url: 'http://{{ client.server.host }}:{{ client.server.public_port }}/v2.0/'
+ {%- endif %}
+ {%- endif %}
+
+ {#- Profile based metadata #}
+ {%- for profile_name, identity in client.get('server', {}).iteritems() %}
+ {%- if identity.admin.get('protocol', 'http') == 'http' %}
+ {%- set protocol = 'http' %}
+ {%- else %}
+ {%- set protocol = 'https' %}
+ {%- endif %}
+
+ {%- if identity.admin.get('api_version', '2') == '3' %}
+ {%- set version = "v3" %}
+ {%- else %}
+ {%- set version = "v2.0" %}
+ {%- endif %}
+
+ {%- if identity.admin.user is defined %}
+ {%- if identity.admin.token is not defined %}
+
+ {{ profile_name }}:
+ keystone.user: '{{ identity.admin.user }}'
+ keystone.password: '{{ identity.admin.password }}'
+ keystone.tenant: '{{ identity.admin.project }}'
+ keystone.auth_url: '{{ protocol+'://'+identity.admin.host+':'+identity.admin.port|string+'/'+version }}'
+ keystone.region_name: '{{ identity.admin.region_name }}'
+ keystone.use_keystoneauth: {{ identity.admin.get('use_keystoneauth', false) }}
+
+ {%- endif %}
+ {%- endif %}
+ {%- endfor %}
+ {%- endif %}
+
+{#-
+vim: syntax=jinja
+-#}
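Review bot: This metadata carries `keystone.token`, `keystone.password` and the per-profile `keystone.password` values into the minion configuration, replacing the deleted `salt-minion.conf` state that wrote them with `mode: 600`; the permissions of the rendered file are now decided by whichever formula consumes the `minion:` key, which is not visible here, so please confirm it writes restrictively and record the expectation in a comment above `minion:`, e.g. `{#- contains the service token and client passwords; the consumer must write this with a restrictive mode #}`. Also, `client.get('server', {}).iteritems()` is Python 2 only (the same applies to `.itervalues()` in the first `server.sls` hunk and `.iteritems()` in its third hunk); `.items()` / `.values()` work on both interpreter lines.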
diff --git a/keystone/meta/telegraf.yml b/keystone/meta/telegraf.yml
new file mode 100644
index 0000000..6b92366
--- /dev/null
+++ b/keystone/meta/telegraf.yml
@@ -0,0 +1,23 @@
+{%- from "keystone/map.jinja" import server with context %}
+{%- if server is defined and server.get('enabled', False) %}
+remote_agent:
+ input:
+ openstack:
+ interval: '1m'
+ project: "{{ server.admin_tenant }}"
+ tenant: "{{ server.admin_tenant }}"
+ region: "{{ server.region }}"
+ username: "{{ server.admin_name }}"
+ password: "{{ server.admin_password }}"
+ identity_endpoint: "http://{{ server.bind.private_address|replace('0.0.0.0', '127.0.0.1') }}:{{ server.bind.private_port }}/v{% if server.get('api_version', 2)|int == 2 %}2.0{% else %}3{% endif %}"
+ monitor_agents: "true"
+agent:
+ input:
+ http_response:
+ keystone-public-api:
+ address: "http://{{ server.bind.address|replace('0.0.0.0', '127.0.0.1') }}:{{ server.bind.public_port }}/"
+ expected_code: 300
+ keystone-admin-api:
+ address: "http://{{ server.bind.address|replace('0.0.0.0', '127.0.0.1') }}:{{ server.bind.private_port }}/"
+ expected_code: 300
+{%- endif %}
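Review bot: `identity_endpoint` and both `address` values hard-code the `http://` scheme, while the `wsgi-keystone.conf` in this same change includes `apache/files/_ssl.conf` in each VirtualHost; if the site has TLS enabled these checks will not probe the real endpoint. Derive the scheme from the site configuration (not visible in this file) or add a comment above `remote_agent:` stating that the checks assume plain HTTP on the bind address. `password: "{{ server.admin_password }}"` also places the admin credential into the telegraf configuration, so the consumer's file permissions matter here as well.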
diff --git a/keystone/server.sls b/keystone/server.sls
index 7452a80..97fa2e0 100644
--- a/keystone/server.sls
+++ b/keystone/server.sls
@@ -1,18 +1,37 @@
-{%- from "keystone/map.jinja" import server with context %}
+{%- from "keystone/map.jinja" import server, system_cacerts_file with context %}
{%- if server.enabled %}
keystone_packages:
pkg.installed:
- names: {{ server.pkgs }}
+{%- set ldap = {'enabled': False} %}
+{%- if server.get('backend') == 'ldap' %}
+ {%- do ldap.update({'enabled': True}) %}
+{%- else %}
+ {%- for domain in server.get('domain', {}).itervalues() %}
+ {%- if domain.get('ldap') %}
+ {%- do ldap.update({'enabled': True}) %}
+ {%- endif %}
+ {%- endfor %}
+{%- endif %}
+
+{%- if ldap.enabled %}
+keystone_ldap_packages:
+ pkg.installed:
+ - names:
+ - python-ldap
+ - python-ldappool
+{% endif %}
+
{%- if server.service_name in ['apache2', 'httpd'] %}
-{%- if not grains.get('noservices', False) %}
+{%- set keystone_service = 'apache_service' %}
+
purge_not_needed_configs:
file.absent:
- names: ['/etc/apache2/sites-enabled/keystone.conf', '/etc/apache2/sites-enabled/wsgi-keystone.conf']
- watch_in:
- - service: keystone_service
-{%- endif %}
+ - service: {{ keystone_service }}
include:
- apache
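Review bot: `{%- set keystone_service = 'apache_service' %}` makes every `watch_in`/`require` in this file point at a state ID this formula does not define; if the apache formula's service state is not literally named `apache_service`, the highstate fails on an unresolved requisite. A comment at the `set`, e.g. `{#- state ID of the service state provided by the apache formula #}`, would make that coupling explicit. The new `keystone_ldap_packages` state also hard-codes `python-ldap` / `python-ldappool` instead of taking the names from `map.jinja` like `server.pkgs` does, so per-os_family naming differences cannot be handled there.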
@@ -28,14 +47,11 @@
- watch:
- pkg: keystone_packages
-{%- endif %}
+{%- else %}
-keystone_salt_config:
- file.managed:
- - name: /etc/salt/minion.d/keystone.conf
- - template: jinja
- - source: salt://keystone/files/salt-minion.conf
- - mode: 600
+{%- set keystone_service = 'keystone_service' %}
+
+{%- endif %}
{%- if not salt['user.info']('keystone') %}
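Review bot: Removing `keystone_salt_config` leaves the previously managed `/etc/salt/minion.d/keystone.conf`, which holds the service token and client password, in place on minions that applied the old state; nothing in this change deletes it, so the stale credentials persist next to whatever the new `minion:` metadata writes. Unless the salt formula writes the new metadata to that same path, add a `file.absent` for `/etc/salt/minion.d/keystone.conf` so the old file is cleaned up on upgrade.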
@@ -67,45 +83,78 @@
- template: jinja
- require:
- pkg: keystone_packages
- {%- if not grains.get('noservices', False) %}
- watch_in:
- - service: keystone_service
- {%- endif %}
+ - service: {{ keystone_service }}
-{% if server.websso is defined %}
+{% if server.federation is defined %}
/etc/keystone/sso_callback_template.html:
file.managed:
- source: salt://keystone/files/sso_callback_template.html
- require:
- pkg: keystone_packages
- {%- if not grains.get('noservices', False) %}
- watch_in:
- - service: keystone_service
- {%- endif %}
+ - service: {{ keystone_service }}
{%- endif %}
/etc/keystone/keystone-paste.ini:
file.managed:
- source: salt://keystone/files/{{ server.version }}/keystone-paste.ini.{{ grains.os_family }}
+ - user: keystone
+ - group: keystone
- template: jinja
- require:
- pkg: keystone_packages
- {%- if not grains.get('noservices', False) %}
- watch_in:
- - service: keystone_service
- {%- endif %}
+ - service: {{ keystone_service }}
/etc/keystone/policy.json:
file.managed:
- - source: salt://keystone/files/{{ server.version }}/policy-v{{ server.api_version }}.json
+ - user: keystone
+ - group: keystone
- require:
- pkg: keystone_packages
- {%- if not grains.get('noservices', False) %}
- watch_in:
- - service: keystone_service
- {%- endif %}
+ - service: {{ keystone_service }}
+
+/etc/keystone/logging.conf:
+ file.managed:
+ - user: keystone
+ - group: keystone
+ - require:
+ - pkg: keystone_packages
+ - watch_in:
+ - service: {{ keystone_service }}
+
+{%- for name, rule in server.get('policy', {}).iteritems() %}
+
+{%- if rule != None %}
+
+rule_{{ name }}_present:
+ keystone_policy.rule_present:
+ - path: /etc/keystone/policy.json
+ - name: {{ name }}
+ - rule: {{ rule }}
+ - require:
+ - pkg: keystone_packages
+ - watch_in:
+ - service: {{ keystone_service }}
+
+{%- else %}
+
+rule_{{ name }}_absent:
+ keystone_policy.rule_absent:
+ - path: /etc/keystone/policy.json
+ - name: {{ name }}
+ - require:
+ - pkg: keystone_packages
+ - watch_in:
+ - service: {{ keystone_service }}
+
+{%- endif %}
+
+{%- endfor %}
{%- if server.get("domain", {}) %}
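Review bot: `- rule: {{ rule }}` renders the pillar value unquoted into YAML, so a rule of `""` (which the `rule != None` test routes to the `rule_present` branch, and which oslo.policy treats as an unrestricted rule) becomes an empty scalar and reaches `keystone_policy.rule_present` as None, while any rule containing `: ` or ` #` breaks the state file. Use `- rule: {{ rule|yaml_encode }}` and likewise `- name: {{ name|yaml_encode }}` so the values round-trip as strings. Separately, `/etc/keystone/policy.json` has lost its `source`, so the state now relies on the package shipping a policy file; if it does not, `file.managed` creates an empty file that the policy loader cannot parse — worth a comment on that state recording the assumption.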
@@ -123,10 +172,8 @@
- template: jinja
- require:
- file: /etc/keystone/domains
- {%- if not grains.get('noservices', False) %}
- watch_in:
- - service: keystone_service
- {%- endif %}
+ - service: {{ keystone_service }}
- defaults:
domain_name: {{ domain_name }}
@@ -140,22 +187,19 @@
- file: /etc/keystone/domains
{%- if not grains.get('noservices', False) %}
- watch_in:
- - service: keystone_service
+ - service: {{ keystone_service }}
{%- endif %}
{%- endif %}
-{%- if not grains.get('noservices', False) %}
keystone_domain_{{ domain_name }}:
cmd.run:
- name: source /root/keystonercv3 && openstack domain create --description "{{ domain.description }}" {{ domain_name }}
- - unless: source /root/keystonercv3 && openstack domain list | grep " {{ domain_name }}"
+ - unless: {% if grains.get('noservices') %}/bin/true{% else %}source /root/keystonercv3 && openstack domain list | grep " {{ domain_name }}"{% endif %}
+ - shell: /bin/bash
- require:
- file: /root/keystonercv3
- {%- if not grains.get('noservices', False) %}
- - service: keystone_service
- {%- endif %}
-{%- endif %}
+ - service: {{ keystone_service }}
{%- endfor %}
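Review bot: The `unless` guard on `keystone_domain_{{ domain_name }}` still matches a substring, `grep " {{ domain_name }}"`, so a domain whose name is a prefix of an existing one (e.g. `test` when `testing` is already listed) is never created, and the `noservices` branch only papers over this by short-circuiting to `/bin/true`. Anchor the match, for example `grep -w " {{ domain_name }} "`, or replace the grep with `openstack domain show {{ domain_name }}` which exits non-zero when the domain is missing. The description is also interpolated unescaped into a double-quoted shell string, so a pillar value containing `"` or `$(` alters the command; pillar is operator-controlled, but Salt's `quote` Jinja filter (`--description {{ domain.description|quote }}`) would make it safe if it is available on the Salt version this formula targets. The enclosing `for` loop over domains starts outside this hunk.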
@@ -169,19 +213,23 @@
- contents_pillar: keystone:server:ldap:tls:cacert
- require:
- pkg: keystone_packages
- {%- if not grains.get('noservices', False) %}
- watch_in:
- - service: keystone_service
- {%- endif %}
+ - service: {{ keystone_service }}
{%- endif %}
-{%- if not grains.get('noservices', False) %}
+{%- if server.service_name not in ['apache2', 'httpd'] %}
keystone_service:
service.running:
- name: {{ server.service_name }}
- enable: True
+ {%- if grains.get('noservices') %}
+ - onlyif: /bin/false
+ {%- endif %}
- watch:
+ {%- if server.notification and server.message_queue.get('ssl',{}).get('enabled', False) %}
+ - file: rabbitmq_ca
+ {%- endif %}
- file: /etc/keystone/keystone.conf
{%- endif %}
@@ -214,7 +262,7 @@
- name: keystone-manage db_sync && sleep 1
- timeout: 120
- require:
- - service: keystone_service
+ - service: {{ keystone_service }}
{%- endif %}
{% if server.tokens.engine == 'fernet' %}
@@ -235,22 +283,32 @@
cmd.run:
- name: keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
- require:
- - service: keystone_service
+ - service: {{ keystone_service }}
- file: keystone_fernet_keys
-
-{%- if server.version == 'newton' %}
-keystone_fernet_setup_credentials:
- cmd.run:
- - name: keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
- - require:
- - service: keystone_service
- - cmd: keystone_fernet_setup
- - file: keystone_fernet_keys
-{%- endif %}
{%- endif %}
{% endif %}
+{%- if server.version in ['newton', 'ocata'] %}
+keystone_credential_keys:
+ file.directory:
+ - name: {{ server.credential.location }}
+ - mode: 750
+ - user: keystone
+ - group: keystone
+ - require:
+ - pkg: keystone_packages
+
+{%- if not grains.get('noservices', False) %}
+keystone_credential_setup:
+ cmd.run:
+ - name: keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
+ - require:
+ - service: {{ keystone_service }}
+ - file: keystone_credential_keys
+{%- endif %}
+{%- endif %}
+
{%- if not grains.get('noservices', False) %}
{%- if not salt['pillar.get']('linux:system:repo:mirantis_openstack', False) %}
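Review bot: `keystone_credential_setup` is a bare `cmd.run` with no `unless`/`creates`, so it re-runs `keystone-manage credential_setup` on every highstate and always reports a change, unlike the adjacent fernet states that at least require `keystone_fernet_keys`; a guard such as `- unless: test -f {{ server.credential.location }}/0` keeps the state idempotent (key `0` is the staged key, which I believe credential_setup always creates and rotation keeps — confirm against the keystone version in use). `keystone_credential_keys` also dereferences `server.credential.location` unconditionally for newton/ocata, so a deployment that has not picked up the new `credential:` defaults from `metadata/service/server/*.yml` fails to render; `server.get('credential', {}).get('location', '/etc/keystone/credential-keys/')` would degrade gracefully. The `mode: 750` on the key directory is appropriate for key material.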
@@ -262,7 +320,6 @@
- connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
- require:
- cmd: keystone_syncdb
- - file: keystone_salt_config
keystone_admin_tenant:
keystone.tenant_present:
@@ -320,7 +377,6 @@
- connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
- require:
- keystone: keystone_{{ service_name }}_service
- - file: keystone_salt_config
{% if service.user is defined %}
@@ -377,4 +433,37 @@
{%- endfor %}
{%- endif %} {# end noservices #}
+{%- if server.database.get('ssl',{}).get('enabled',False) %}
+mysql_ca:
+{%- if server.database.ssl.cacert is defined %}
+ file.managed:
+ - name: {{ server.database.ssl.cacert_file }}
+ - contents_pillar: keystone:server:database:ssl:cacert
+ - mode: 0444
+ - makedirs: true
+ - require_in:
+ - file: /etc/keystone/keystone.conf
+{%- else %}
+ file.exists:
+ - name: {{ server.database.ssl.get('cacert_file', system_cacerts_file) }}
+ - require_in:
+ - file: /etc/keystone/keystone.conf
+{% endif %}
+{% endif %}
+
+
+{%- if server.notification and server.message_queue.get('ssl',{}).get('enabled', False) %}
+rabbitmq_ca:
+{%- if server.message_queue.ssl.cacert is defined %}
+ file.managed:
+ - name: {{ server.message_queue.ssl.cacert_file }}
+ - contents_pillar: keystone:server:message_queue:ssl:cacert
+ - mode: 0444
+ - makedirs: true
+{%- else %}
+ file.exists:
+ - name: {{ server.message_queue.ssl.get('cacert_file', system_cacerts_file) }}
+{%- endif %}
+{%- endif %}
+
{%- endif %}
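Review bot: `rabbitmq_ca` has no ordering relation to `/etc/keystone/keystone.conf` or the service, unlike `mysql_ca` which carries `require_in`; its only consumer is the `watch` added to `keystone_service`, and that state is rendered only when `service_name` is not apache2/httpd, so when Keystone runs under Apache a changed broker CA triggers no reload. Adding `- watch_in: - service: {{ keystone_service }}` to both branches of `rabbitmq_ca` (and `require_in` on keystone.conf for parity with `mysql_ca`) closes that gap, assuming `keystone_service` resolves to the Apache service in that mode as the rest of the diff suggests. As a minor style point, `mode: 0444` is written as an unquoted leading-zero integer; Salt's loader copes, but `mode: '0444'` is the form the Salt docs recommend and avoids the YAML 1.1 octal ambiguity. Whether keystone.conf actually references `cacert_file` in the database/transport URLs is outside this hunk.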
diff --git a/metadata/service/server/cluster.yml b/metadata/service/server/cluster.yml
index 5038cf3..147bd34 100644
--- a/metadata/service/server/cluster.yml
+++ b/metadata/service/server/cluster.yml
@@ -30,6 +30,8 @@
engine: cache
expiration: 43200
location: /etc/keystone/fernet-keys/
+ credential:
+ location: /etc/keystone/credential-keys/
message_queue:
engine: rabbitmq
host: ${_param:cluster_vip_address}
diff --git a/metadata/service/server/single.yml b/metadata/service/server/single.yml
index 5269121..d131fd7 100644
--- a/metadata/service/server/single.yml
+++ b/metadata/service/server/single.yml
@@ -30,6 +30,8 @@
engine: cache
expiration: 43200
location: /etc/keystone/fernet-keys/
+ credential:
+ location: /etc/keystone/credential-keys/
message_queue:
engine: rabbitmq
host: ${_param:single_address}
diff --git a/metadata/service/support.yml b/metadata/service/support.yml
index 283ca7e..413387b 100644
--- a/metadata/service/support.yml
+++ b/metadata/service/support.yml
@@ -6,10 +6,14 @@
heka:
enabled: true
sensu:
- enabled: true
+ enabled: false
sphinx:
enabled: true
config:
enabled: true
grafana:
enabled: true
+ telegraf:
+ enabled: true
+ prometheus:
+ enabled: true
diff --git a/tests/pillar/cluster.sls b/tests/pillar/cluster.sls
index 898b6ae..c6d7cc6 100644
--- a/tests/pillar/cluster.sls
+++ b/tests/pillar/cluster.sls
@@ -44,3 +44,8 @@
port: 11211
- host: 127.0.0.1
port: 11211
+ domain:
+ test:
+ description: "Test domain"
+ identity:
+ list_limit: 20
diff --git a/tests/pillar/single_domain.sls b/tests/pillar/single_domain.sls
new file mode 100644
index 0000000..be0272e
--- /dev/null
+++ b/tests/pillar/single_domain.sls
@@ -0,0 +1,72 @@
+keystone:
+# Server state
+ server:
+ enabled: true
+ version: liberty
+ service_token: RANDOMSTRINGTOKEN
+ service_tenant: service
+ admin_tenant: admin
+ admin_name: admin
+ admin_password: passw0rd
+ admin_email: root@localhost
+ bind:
+ address: 0.0.0.0
+ private_address: 127.0.0.1
+ private_port: 35357
+ public_address: 127.0.0.1
+ public_port: 5000
+ region: RegionOne
+ database:
+ engine: mysql
+ host: localhost
+ name: keystone
+ password: passw0rd
+ user: keystone
+ tokens:
+ engine: cache
+ expiration: 86400
+ location: /etc/keystone/fernet-keys/
+ notification: false
+ notification_format: cadf
+ domain:
+ testing:
+ description: "Testing domain"
+ backend: ldap
+ assignment:
+ backend: sql
+ ldap:
+ url: "ldaps://idm.domain.com"
+ suffix: "dc=cloud,dc=domain,dc=com"
+ uid: keystone
+ password: password
+# CI related dependencies
+mysql:
+ client:
+ enabled: true
+ version: '5.7'
+ admin:
+ host: localhost
+ port: 3306
+ user: admin
+ password: password
+ encoding: utf8
+ server:
+ enabled: true
+ version: "5.7"
+ force_encoding: utf8
+ bind:
+ address: 0.0.0.0
+ port: 3306
+ protocol: tcp
+ database:
+ keystone:
+ encoding: utf8
+ users:
+ - host: '%'
+ name: keystone
+ password: passw0rd
+ rights: all
+ - host: 127.0.0.1
+ name: keystone
+ password: passw0rd
+ rights: all
diff --git a/tests/pillar/ssl.sls b/tests/pillar/ssl.sls
new file mode 100644
index 0000000..f60e5ed
--- /dev/null
+++ b/tests/pillar/ssl.sls
@@ -0,0 +1,53 @@
+# Test case with enabled SSL of the following communication paths:
+# - messaging (rabbitmq)
+
+keystone:
+ server:
+ enabled: true
+ version: liberty
+ service_token: token
+ service_tenant: service
+ admin_tenant: admin
+ admin_name: admin
+ admin_password: passw0rd
+ admin_email: root@localhost
+ bind:
+ address: 0.0.0.0
+ private_address: 127.0.0.1
+ private_port: 35357
+ public_address: 127.0.0.1
+ public_port: 5000
+ region: RegionOne
+ database:
+ engine: mysql
+ host: 127.0.0.1
+ name: keystone
+ password: passw0rd
+ user: keystone
+ ssl:
+ enabled: True
+ tokens:
+ engine: cache
+ expiration: 86400
+ location: /etc/keystone/fernet-keys/
+ notification: true
+ notification_format: cadf
+ message_queue:
+ engine: rabbitmq
+ host: 127.0.0.1
+ port: 5671
+ user: openstack
+ password: passw0rd
+ virtual_host: '/openstack'
+ ha_queues: true
+ ssl:
+ enabled: True
+ cache:
+ engine: memcached
+ members:
+ - host: 127.0.0.1
+ port: 11211
+ - host: 127.0.0.1
+ port: 11211
+ - host: 127.0.0.1
+ port: 11211
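Review bot: The header comment lists only `messaging (rabbitmq)` as the SSL-enabled path, but the pillar also sets `database: ssl: enabled: True`, so the fixture exercises both the `mysql_ca` and `rabbitmq_ca` states; add `# - database (mysql)` to the comment so the test's coverage is stated accurately. Neither block defines a `cacert`, so as written both states fall through to the `file.exists` check on the system CA bundle rather than the `contents_pillar` branch; a second fixture with an inline `cacert` would cover the managed-file path as well.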