Merge "Update .travis.yml and .kitchen.yml files for parallel testing"
diff --git a/README.rst b/README.rst
index 1e0e822..14403eb 100644
--- a/README.rst
+++ b/README.rst
@@ -202,16 +202,17 @@
keystone:
server:
domain:
- description: "Testing domain"
- backend: ldap
- assignment:
- backend: sql
- ldap:
- url: "ldaps://idm.domain.com"
- suffix: "dc=cloud,dc=domain,dc=com"
- # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
- uid: keystone
- password: password
+ external:
+ description: "Testing domain"
+ backend: ldap
+ assignment:
+ backend: sql
+ ldap:
+ url: "ldaps://idm.domain.com"
+ suffix: "dc=cloud,dc=domain,dc=com"
+ # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
+ uid: keystone
+ password: password
Using LDAP backend for default domain
diff --git a/keystone/files/_ldap.conf b/keystone/files/_ldap.conf
index 5cfabd0..cabf873 100644
--- a/keystone/files/_ldap.conf
+++ b/keystone/files/_ldap.conf
@@ -1,12 +1,14 @@
[ldap]
url = {{ ldap.url }}
+{%- if ldap.get('auth', True) == True %}
{%- if ldap.bind_user is defined %}
user = {{ ldap.bind_user }}
{%- else %}
user = uid={{ ldap.get("uid", "keystone") }},cn=users,cn=accounts,{{ ldap.suffix }}
{%- endif %}
password = {{ ldap.password }}
+{%- endif %}
suffix = {{ ldap.suffix }}
query_scope = {{ ldap.get("query_scope", "one") }}
page_size = {{ ldap.get("page_size", "0") }}
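Review bot: The new guard `{%- if ldap.get('auth', True) == True %}` only keeps the bind credentials when `auth` is literally the boolean True, so a pillar value that arrives as a string (`auth: 'true'`, `auth: yes` rendered through a loader that does not coerce it) silently drops `user`/`password` and turns the domain into an anonymous LDAP bind; `{%- if ldap.get('auth', True) %}` fails toward the credentialed bind instead, and a comment such as `# auth: false -> anonymous bind; bind_user/uid/password are ignored` would make the intent explicit. Inside the branch, `password = {{ ldap.password }}` is still rendered unconditionally, so with `auth` enabled but no `ldap.password` in pillar the outcome depends on how the renderer treats an undefined attribute (presumably an empty value or a render error — confirm); an explicit `{%- if ldap.password is defined %}` guard, or a deliberate failure, would be clearer than relying on that.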
diff --git a/keystone/files/juno/keystone.conf.Debian b/keystone/files/juno/keystone.conf.Debian
index 4d2b9a8..fa7a75e 100644
--- a/keystone/files/juno/keystone.conf.Debian
+++ b/keystone/files/juno/keystone.conf.Debian
@@ -79,7 +79,7 @@
# Enforced by optional sizelimit middleware
# (keystone.middleware:RequestBodySizeLimiter). (integer
# value)
-#max_request_body_size=114688
+max_request_body_size= {{ server.max_request_body_size }}
# Limit the sizes of user & project ID/names. (integer value)
#max_param_size=64
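Review bot: Style: `max_request_body_size= {{ server.max_request_body_size }}` puts a space on only one side of `=`, which matches neither this file's `key=value` form (`#max_request_body_size=114688`, `#max_param_size=64`) nor the `key = value` form used in the kilo through ocata templates; write `max_request_body_size={{ server.max_request_body_size }}` here and `max_request_body_size = {{ server.max_request_body_size }}` in the other releases. The same one-sided spacing is repeated in every keystone.conf.Debian template touched by this change.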
@@ -1625,6 +1625,7 @@
# configured with the hash_algorithms, otherwise token
# revocation will not be processed correctly. (string value)
#hash_algorithm=md5
+hash_algorithm = {{ server.hash_algorithm }}
[trust]
diff --git a/keystone/files/keystonercv3 b/keystone/files/keystonercv3
index 4152b58..9da173c 100644
--- a/keystone/files/keystonercv3
+++ b/keystone/files/keystonercv3
@@ -1,8 +1,8 @@
{%- from "keystone/map.jinja" import server with context %}
export OS_IDENTITY_API_VERSION=3
export OS_AUTH_URL=http://{{ server.bind.private_address }}:{{ server.bind.private_port }}/v3
-export OS_PROJECT_DOMAIN_NAME=default
-export OS_USER_DOMAIN_NAME=default
+export OS_PROJECT_DOMAIN_NAME=Default
+export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME={{ server.admin_tenant }}
export OS_TENANT_NAME={{ server.admin_tenant }}
export OS_USERNAME={{ server.admin_name }}
diff --git a/keystone/files/kilo/keystone.conf.Debian b/keystone/files/kilo/keystone.conf.Debian
index 0e59b15..09e0cec 100644
--- a/keystone/files/kilo/keystone.conf.Debian
+++ b/keystone/files/kilo/keystone.conf.Debian
@@ -1151,7 +1151,7 @@
# The maximum body size for each request, in bytes. (integer value)
# Deprecated group/name - [DEFAULT]/osapi_max_request_body_size
# Deprecated group/name - [DEFAULT]/max_request_body_size
-#max_request_body_size = 114688
+max_request_body_size= {{ server.max_request_body_size }}
[oslo_policy]
@@ -1458,6 +1458,7 @@
# middleware must be configured with the hash_algorithms, otherwise token
# revocation will not be processed correctly. (string value)
#hash_algorithm = md5
+hash_algorithm = {{ server.hash_algorithm }}
[trust]
diff --git a/keystone/files/liberty/keystone.conf.Debian b/keystone/files/liberty/keystone.conf.Debian
index 1a3ba25..2a91c8c 100644
--- a/keystone/files/liberty/keystone.conf.Debian
+++ b/keystone/files/liberty/keystone.conf.Debian
@@ -1344,7 +1344,7 @@
# The maximum body size for each request, in bytes. (integer value)
# Deprecated group/name - [DEFAULT]/osapi_max_request_body_size
# Deprecated group/name - [DEFAULT]/max_request_body_size
-#max_request_body_size = 114688
+max_request_body_size= {{ server.max_request_body_size }}
#
# From oslo.middleware
@@ -1680,6 +1680,7 @@
# middleware must be configured with the hash_algorithms, otherwise token
# revocation will not be processed correctly. (string value)
#hash_algorithm = md5
+hash_algorithm = {{ server.hash_algorithm }}
[tokenless_auth]
diff --git a/keystone/files/mitaka/keystone.conf.Debian b/keystone/files/mitaka/keystone.conf.Debian
index d834c20..a526cee 100644
--- a/keystone/files/mitaka/keystone.conf.Debian
+++ b/keystone/files/mitaka/keystone.conf.Debian
@@ -1774,7 +1774,7 @@
# The maximum body size for each request, in bytes. (integer value)
# Deprecated group/name - [DEFAULT]/osapi_max_request_body_size
# Deprecated group/name - [DEFAULT]/max_request_body_size
-#max_request_body_size = 114688
+max_request_body_size= {{ server.max_request_body_size }}
# The HTTP Header that will be used to determine what the original request
# protocol scheme was, even if it was hidden by an SSL termination proxy.
@@ -2168,6 +2168,7 @@
# Reason: PKI token support has been deprecated in the M release and will be
# removed in the O release. Fernet or UUID tokens are recommended.
#hash_algorithm = md5
+hash_algorithm = {{ server.hash_algorithm }}
# Add roles to token that are not explicitly added, but that are linked
# implicitly to other roles. (boolean value)
diff --git a/keystone/files/mitaka/wsgi-keystone.conf b/keystone/files/mitaka/wsgi-keystone.conf
index f727008..3c18ef8 100644
--- a/keystone/files/mitaka/wsgi-keystone.conf
+++ b/keystone/files/mitaka/wsgi-keystone.conf
@@ -125,7 +125,7 @@
{%- include "apache/files/_ssl.conf" %}
{%- include "apache/files/_locations.conf" %}
- WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
+ WSGIDaemonProcess keystone-public processes={{ grains.num_cpus }} threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
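Review bot: `processes={{ grains.num_cpus }}` ties the WSGI process count directly to the host core count with no upper bound and no pillar override, and since the keystone-admin vhost below gets the same expression, a 32-core controller starts 64 single-threaded keystone processes, each with its own Python heap and database connection pool. If the grain is missing or empty the directive renders as `processes=`, which mod_wsgi will presumably reject at startup rather than fall back to a default. Prefer a pillar-controlled value with the grain as fallback, e.g. `processes={{ server.get('workers', grains.num_cpus) }}` (if `server` is not imported in this template — the includes above do not show it — a `{%- set %}` at the top does the same), with a comment documenting the intended cap. The identical change appears in the newton and ocata wsgi-keystone.conf templates.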
@@ -170,7 +170,7 @@
{%- include "apache/files/_ssl.conf" %}
{%- include "apache/files/_locations.conf" %}
- WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
+ WSGIDaemonProcess keystone-admin processes={{ grains.num_cpus }} threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
diff --git a/keystone/files/newton/keystone.conf.Debian b/keystone/files/newton/keystone.conf.Debian
index 7c5960e..db95287 100644
--- a/keystone/files/newton/keystone.conf.Debian
+++ b/keystone/files/newton/keystone.conf.Debian
@@ -2225,7 +2225,7 @@
# The maximum body size for each request, in bytes. (integer value)
# Deprecated group/name - [DEFAULT]/osapi_max_request_body_size
# Deprecated group/name - [DEFAULT]/max_request_body_size
-#max_request_body_size = 114688
+max_request_body_size= {{ server.max_request_body_size }}
# DEPRECATED: The HTTP Header that will be used to determine what the original
# request protocol scheme was, even if it was hidden by a SSL termination
@@ -2844,6 +2844,7 @@
# Reason: PKI token support has been deprecated in the M release and will be
# removed in the O release. Fernet or UUID tokens are recommended.
#hash_algorithm = md5
+hash_algorithm = {{ server.hash_algorithm }}
# This controls whether roles should be included with tokens that are not
# directly assigned to the token's scope, but are instead linked implicitly to
diff --git a/keystone/files/newton/wsgi-keystone.conf b/keystone/files/newton/wsgi-keystone.conf
index f727008..3c18ef8 100644
--- a/keystone/files/newton/wsgi-keystone.conf
+++ b/keystone/files/newton/wsgi-keystone.conf
@@ -125,7 +125,7 @@
{%- include "apache/files/_ssl.conf" %}
{%- include "apache/files/_locations.conf" %}
- WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
+ WSGIDaemonProcess keystone-public processes={{ grains.num_cpus }} threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
@@ -170,7 +170,7 @@
{%- include "apache/files/_ssl.conf" %}
{%- include "apache/files/_locations.conf" %}
- WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
+ WSGIDaemonProcess keystone-admin processes={{ grains.num_cpus }} threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
diff --git a/keystone/files/ocata/keystone.conf.Debian b/keystone/files/ocata/keystone.conf.Debian
index 9e9ff1c..375935c 100644
--- a/keystone/files/ocata/keystone.conf.Debian
+++ b/keystone/files/ocata/keystone.conf.Debian
@@ -2395,7 +2395,7 @@
# The maximum body size for each request, in bytes. (integer value)
# Deprecated group/name - [DEFAULT]/osapi_max_request_body_size
# Deprecated group/name - [DEFAULT]/max_request_body_size
-#max_request_body_size = 114688
+max_request_body_size= {{ server.max_request_body_size }}
# DEPRECATED: The HTTP Header that will be used to determine what the original
# request protocol scheme was, even if it was hidden by a SSL termination
@@ -3032,6 +3032,7 @@
# Defaults to two days. (integer value)
#allow_expired_window = 172800
+hash_algorithm = {{ server.hash_algorithm }}
[tokenless_auth]
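Review bot: Unlike every other release template in this change, the Ocata sample has no commented `#hash_algorithm = md5` stanza at the insertion point — the new line is placed after `#allow_expired_window` — which suggests the `[token] hash_algorithm` option may no longer exist in this release (the mitaka/newton comments say PKI token support is removed in O, and the option belongs to PKI hashing). oslo.config does not reject unknown options, so if that is the case this line becomes dead configuration rather than a loud failure; verify against Ocata's keystone.conf sample and either drop it for this release or add `# hash_algorithm: PKI/PKIZ only; verify the option still exists in this release` above it.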
diff --git a/keystone/files/ocata/wsgi-keystone.conf b/keystone/files/ocata/wsgi-keystone.conf
index f727008..3c18ef8 100644
--- a/keystone/files/ocata/wsgi-keystone.conf
+++ b/keystone/files/ocata/wsgi-keystone.conf
@@ -125,7 +125,7 @@
{%- include "apache/files/_ssl.conf" %}
{%- include "apache/files/_locations.conf" %}
- WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
+ WSGIDaemonProcess keystone-public processes={{ grains.num_cpus }} threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
@@ -170,7 +170,7 @@
{%- include "apache/files/_ssl.conf" %}
{%- include "apache/files/_locations.conf" %}
- WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
+ WSGIDaemonProcess keystone-admin processes={{ grains.num_cpus }} threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
diff --git a/keystone/map.jinja b/keystone/map.jinja
index 01613bf..1a40274 100644
--- a/keystone/map.jinja
+++ b/keystone/map.jinja
@@ -6,6 +6,8 @@
'version': 'icehouse',
'api_version': '2',
'cors': {},
+ 'hash_algorithm': 'sha256',
+ 'max_request_body_size': '114688',
'tokens': {
'engine': 'database',
'expiration': '86400'
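Review bot: `'hash_algorithm': 'sha256'` silently changes the effective default from keystone's own `md5` (the commented `#hash_algorithm = md5` in every release template) for every existing deployment that does not set `server.hash_algorithm` in pillar. As the templates' own comment notes, the `auth_token` middleware on every consuming service must list the same algorithm in `hash_algorithms`, otherwise token revocation is not processed correctly — so a deployment on PKI/PKIZ tokens that upgrades this formula without updating its consumers loses revocation checks without any error. Either keep the upstream `md5` default and let operators opt in, or document the coupling next to the key: `# hash_algorithm: must match [keystone_authtoken] hash_algorithms on all services; only relevant to PKI/PKIZ tokens`. The same default is repeated in the second (RedHat) block of this map.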
@@ -20,6 +22,8 @@
'api_version': '2',
'version': 'icehouse',
'cors': {},
+ 'hash_algorithm': 'sha256',
+ 'max_request_body_size': '114688',
'tokens': {
'engine': 'database',
'expiration': '86400'
diff --git a/keystone/server.sls b/keystone/server.sls
index 0bee8a6..b29e39e 100644
--- a/keystone/server.sls
+++ b/keystone/server.sls
@@ -5,6 +5,14 @@
pkg.installed:
- names: {{ server.pkgs }}
+{%- if server.get('backend') == 'ldap' or server.get('domain',{}).itervalues() | selectattr('ldap') | list %}
+keystone_ldap_packages:
+ pkg.installed:
+ - names:
+ - python-ldap
+ - python-ldappool
+{% endif %}
+
{%- if server.service_name in ['apache2', 'httpd'] %}
{%- set keystone_service = 'apache_service' %}
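Review bot: `server.get('domain',{}).itervalues()` is a Python 2-only dict method, so on a Python 3 salt-minion the condition fails to render and takes the whole state file down with it; `.values()` behaves the same on both: `{%- if server.get('backend') == 'ldap' or server.get('domain', {}).values() | selectattr('ldap') | list %}`. The closing `{% endif %}` also lacks the `-` whitespace control used by the opening tag and the rest of the file, which leaves a stray blank line in the rendered SLS.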
@@ -82,12 +90,32 @@
/etc/keystone/keystone-paste.ini:
file.managed:
- source: salt://keystone/files/{{ server.version }}/keystone-paste.ini.{{ grains.os_family }}
+ - user: keystone
+ - group: keystone
- template: jinja
- require:
- pkg: keystone_packages
- watch_in:
- service: {{ keystone_service }}
+/etc/keystone/policy.json:
+ file.managed:
+ - user: keystone
+ - group: keystone
+ - require:
+ - pkg: keystone_packages
+ - watch_in:
+ - service: {{ keystone_service }}
+
+/etc/keystone/logging.conf:
+ file.managed:
+ - user: keystone
+ - group: keystone
+ - require:
+ - pkg: keystone_packages
+ - watch_in:
+ - service: {{ keystone_service }}
+
{%- for name, rule in server.get('policy', {}).iteritems() %}
{%- if rule != None %}
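Review bot: The new `/etc/keystone/policy.json` and `/etc/keystone/logging.conf` states set only `user`/`group`: with no `source`, `contents` or `create: False`, `file.managed` creates an empty file when the package did not ship one, and an empty policy.json is presumably rejected by oslo.policy as invalid JSON — add `- create: False` so the state only manages attributes of an existing file. From a least-privilege angle, handing policy.json and keystone-paste.ini to `keystone:keystone` makes the authorization policy and the WSGI middleware pipeline writable by the service account itself; the process only needs read access, so `- user: root`, `- group: keystone`, `- mode: 0640` (0644 is fine for policy.json, which holds no secrets) keeps a compromised keystone worker from rewriting its own policy or pipeline. None of the three states sets `mode`, so whatever the package or a previous run left is preserved; pinning it explicitly is worth the extra line.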