Merge "Upload os_client_config to mine during upgrade"
diff --git a/README.rst b/README.rst
index a171ab2..7603911 100644
--- a/README.rst
+++ b/README.rst
@@ -845,6 +845,27 @@
Currently the default fernet rotation driver is a shared filesystem
+Enable x509 and ssl communication between Keystone and Galera cluster.
+---------------------
+By default communication between Keystone and Galera is unsecure.
+
+You able to set custom certificates in pillar:
+server:
+ database:
+ x509:
+ enabled: True
+
+keystone:
+ server:
+ database:
+ x509:
+ cacert (certificate content)
+ cert (certificate content)
+ key (certificate content)
+
+You can read more about it here:
+ https://docs.openstack.org/security-guide/databases/database-access-control.html
+
Documentation and Bugs
======================
diff --git a/keystone/_ssl/mysql.sls b/keystone/_ssl/mysql.sls
new file mode 100644
index 0000000..a2b93a9
--- /dev/null
+++ b/keystone/_ssl/mysql.sls
@@ -0,0 +1,58 @@
+{%- from "keystone/map.jinja" import server with context %}
+
+{%- if server.database.get('x509',{}).get('enabled',False) %}
+
+ {%- set ca_file=server.database.x509.ca_file %}
+ {%- set key_file=server.database.x509.key_file %}
+ {%- set cert_file=server.database.x509.cert_file %}
+
+mysql_keystone_ssl_x509_ca:
+ {%- if server.database.x509.cacert is defined %}
+ file.managed:
+ - name: {{ ca_file }}
+ - contents_pillar: keystone:server:database:x509:cacert
+ - mode: 444
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ ca_file }}
+ {%- endif %}
+
+mysql_keystone_client_ssl_cert:
+ {%- if server.database.x509.cert is defined %}
+ file.managed:
+ - name: {{ cert_file }}
+ - contents_pillar: keystone:server:database:x509:cert
+ - mode: 440
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ cert_file }}
+ {%- endif %}
+
+mysql_keystone_client_ssl_private_key:
+ {%- if server.database.x509.key is defined %}
+ file.managed:
+ - name: {{ key_file }}
+ - contents_pillar: keystone:server:database:x509:key
+ - mode: 400
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ key_file }}
+ {%- endif %}
+
+{% elif server.database.get('ssl',{}).get('enabled',False) %}
+mysql_ca_keystone:
+ {%- if server.database.ssl.cacert is defined %}
+ file.managed:
+ - name: {{ server.database.ssl.cacert_file }}
+ - contents_pillar: keystone:server:database:ssl:cacert
+ - mode: 0444
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ server.database.ssl.get('cacert_file', server.cacert_file) }}
+ {%- endif %}
+
+{%- endif %}
\ No newline at end of file
diff --git a/keystone/client/os_client_config.sls b/keystone/client/os_client_config.sls
index bffed11..1b87982 100644
--- a/keystone/client/os_client_config.sls
+++ b/keystone/client/os_client_config.sls
@@ -12,7 +12,7 @@
- name: {{ config.get('file', '/root/.config/openstack/clouds.yml') }}
- contents: |
{{ client.os_client_config.cfgs.get(conf_name).content |yaml(False)|indent(8) }}
- - owner: {{ config.get('owner', 'root') }}
+ - user: {{ config.get('user', 'root') }}
- group: {{ config.get('group', 'root') }}
- makedirs: True
diff --git a/keystone/files/pike/keystone.conf.Debian b/keystone/files/pike/keystone.conf.Debian
index c0447e4..29f69d9 100644
--- a/keystone/files/pike/keystone.conf.Debian
+++ b/keystone/files/pike/keystone.conf.Debian
@@ -1,6 +1,13 @@
{% from "keystone/map.jinja" import server with context %}
-[DEFAULT]
+{%- set connection_x509_ssl_option = '' %}
+{%- if server.database.get('x509',{}).get('enabled',False) %}
+ {%- set connection_x509_ssl_option = '&ssl_ca=' ~ server.database.x509.ca_file ~ '&ssl_cert=' ~ server.database.x509.cert_file ~ '&ssl_key=' ~ server.database.x509.key_file %}
+{%- elif server.database.get('ssl',{}).get('enabled',False) %}
+ {%- set connection_x509_ssl_option = '&ssl_ca=' ~ server.database.ssl.get('cacert_file', server.cacert_file) %}
+{%- endif %}
+
+[DEFAULT]
#
# From keystone
#
@@ -779,7 +786,7 @@
# Deprecated group/name - [DATABASE]/sql_connection
# Deprecated group/name - [sql]/connection
#connection = <None>
-connection={{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}{%- if server.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ server.database.ssl.get('cacert_file', server.cacert_file) }}{% endif %}
+connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}?charset=utf8{{ connection_x509_ssl_option|string }}
# The SQLAlchemy connection string to use to connect to the slave database.
# (string value)
diff --git a/keystone/server.sls b/keystone/server.sls
index 4c3e17c..96adc87 100644
--- a/keystone/server.sls
+++ b/keystone/server.sls
@@ -1,11 +1,17 @@
{%- from "keystone/map.jinja" import server with context %}
+
{%- if server.enabled %}
+{%- set mysql_x509_ssl_enabled = server.database.get('x509',{}).get('enabled',False) or server.database.get('ssl',{}).get('enabled',False) %}
+
include:
-{%- if server.service_name in ['apache2', 'httpd'] %}
-- apache
-{%- endif %}
-- keystone.db.offline_sync
+ {%- if server.service_name in ['apache2', 'httpd'] %}
+ - apache
+ {%- endif %}
+ - keystone.db.offline_sync
+ {%- if mysql_x509_ssl_enabled %}
+ - keystone._ssl.mysql
+ {%- endif %}
keystone_packages:
pkg.installed:
@@ -94,8 +100,13 @@
file.managed:
- source: salt://keystone/files/{{ server.version }}/keystone.conf.{{ grains.os_family }}
- template: jinja
+ - mode: 0640
+ - group: keystone
- require:
- pkg: keystone_packages
+ {%- if mysql_x509_ssl_enabled %}
+ - sls: keystone._ssl.mysql
+ {%- endif %}
- watch_in:
- service: {{ keystone_service }}
@@ -104,6 +115,8 @@
/etc/keystone/sso_callback_template.html:
file.managed:
- source: salt://keystone/files/sso_callback_template.html
+ - mode: 0640
+ - group: keystone
- require:
- pkg: keystone_packages
- watch_in:
@@ -114,7 +127,8 @@
/etc/keystone/keystone-paste.ini:
file.managed:
- source: salt://keystone/files/{{ server.version }}/keystone-paste.ini.{{ grains.os_family }}
- - user: keystone
+ - mode: 0640
+ - user: root
- group: keystone
- template: jinja
- require:
@@ -132,13 +146,16 @@
/etc/keystone/logging.conf:
file.managed:
- - user: keystone
+ - mode: 0640
+ - user: root
- group: keystone
- source: salt://oslo_templates/files/logging/_logging.conf
- template: jinja
- defaults:
service_name: keystone
_data: {{ server.logging }}
+ - require_in:
+ - sls: keystone.db.offline_sync
- require:
- pkg: keystone_packages
{%- if server.logging.log_handlers.get('fluentd', {}).get('enabled', False) %}
@@ -158,7 +175,8 @@
/etc/keystone/policy.json:
file.managed:
- - user: keystone
+ - mode: 0640
+ - user: root
- group: keystone
- require:
- pkg: keystone_packages
@@ -208,6 +226,8 @@
file.managed:
- source: salt://keystone/files/keystone.domain.conf
- template: jinja
+ - mode: 0640
+ - group: keystone
- require:
- file: /etc/keystone/domains
- watch_in:
@@ -298,6 +318,9 @@
file.managed:
- source: salt://keystone/files/keystonerc
- template: jinja
+ - mode: 0640
+ - user: root
+ - group: root
- require:
- pkg: keystone_packages
@@ -305,6 +328,9 @@
file.managed:
- source: salt://keystone/files/keystonercv3
- template: jinja
+ - mode: 0640
+ - user: root
+ - group: root
- require:
- pkg: keystone_packages
@@ -539,25 +565,6 @@
{%- endfor %}
{%- endif %} {# end noservices #}
-{%- if server.database.get('ssl',{}).get('enabled',False) %}
-mysql_ca_keystone_server:
-{%- if server.database.ssl.cacert is defined %}
- file.managed:
- - name: {{ server.database.ssl.cacert_file }}
- - contents_pillar: keystone:server:database:ssl:cacert
- - mode: 0444
- - makedirs: true
- - require_in:
- - file: /etc/keystone/keystone.conf
-{%- else %}
- file.exists:
- - name: {{ server.database.ssl.get('cacert_file', server.cacert_file) }}
- - require_in:
- - file: /etc/keystone/keystone.conf
-{% endif %}
-{% endif %}
-
-
{%- if server.notification and server.message_queue.get('ssl',{}).get('enabled', False) %}
rabbitmq_ca_keystone_server:
{%- if server.message_queue.ssl.cacert is defined %}