Implement X.509 auth for MySQL and Keystone
Related-PROD: PROD-22748
Change-Id: I7d557bcb63f95a5f6afdc8d27fb2c6c5a7608362
diff --git a/README.rst b/README.rst
index a171ab2..7603911 100644
--- a/README.rst
+++ b/README.rst
@@ -845,6 +845,27 @@
Currently the default fernet rotation driver is a shared filesystem
+Enable x509 and ssl communication between Keystone and Galera cluster.
+---------------------
+By default communication between Keystone and Galera is unsecure.
+
+You able to set custom certificates in pillar:
+server:
+ database:
+ x509:
+ enabled: True
+
+keystone:
+ server:
+ database:
+ x509:
+ cacert (certificate content)
+ cert (certificate content)
+ key (certificate content)
+
+You can read more about it here:
+ https://docs.openstack.org/security-guide/databases/database-access-control.html
+
Documentation and Bugs
======================
diff --git a/keystone/_ssl/mysql.sls b/keystone/_ssl/mysql.sls
new file mode 100644
index 0000000..a2b93a9
--- /dev/null
+++ b/keystone/_ssl/mysql.sls
@@ -0,0 +1,58 @@
+{%- from "keystone/map.jinja" import server with context %}
+
+{%- if server.database.get('x509',{}).get('enabled',False) %}
+
+ {%- set ca_file=server.database.x509.ca_file %}
+ {%- set key_file=server.database.x509.key_file %}
+ {%- set cert_file=server.database.x509.cert_file %}
+
+mysql_keystone_ssl_x509_ca:
+ {%- if server.database.x509.cacert is defined %}
+ file.managed:
+ - name: {{ ca_file }}
+ - contents_pillar: keystone:server:database:x509:cacert
+ - mode: 444
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ ca_file }}
+ {%- endif %}
+
+mysql_keystone_client_ssl_cert:
+ {%- if server.database.x509.cert is defined %}
+ file.managed:
+ - name: {{ cert_file }}
+ - contents_pillar: keystone:server:database:x509:cert
+ - mode: 440
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ cert_file }}
+ {%- endif %}
+
+mysql_keystone_client_ssl_private_key:
+ {%- if server.database.x509.key is defined %}
+ file.managed:
+ - name: {{ key_file }}
+ - contents_pillar: keystone:server:database:x509:key
+ - mode: 400
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ key_file }}
+ {%- endif %}
+
+{% elif server.database.get('ssl',{}).get('enabled',False) %}
+mysql_ca_keystone:
+ {%- if server.database.ssl.cacert is defined %}
+ file.managed:
+ - name: {{ server.database.ssl.cacert_file }}
+ - contents_pillar: keystone:server:database:ssl:cacert
+ - mode: 0444
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ server.database.ssl.get('cacert_file', server.cacert_file) }}
+ {%- endif %}
+
+{%- endif %}
\ No newline at end of file
diff --git a/keystone/files/pike/keystone.conf.Debian b/keystone/files/pike/keystone.conf.Debian
index c0447e4..29f69d9 100644
--- a/keystone/files/pike/keystone.conf.Debian
+++ b/keystone/files/pike/keystone.conf.Debian
@@ -1,6 +1,13 @@
{% from "keystone/map.jinja" import server with context %}
-[DEFAULT]
+{%- set connection_x509_ssl_option = '' %}
+{%- if server.database.get('x509',{}).get('enabled',False) %}
+ {%- set connection_x509_ssl_option = '&ssl_ca=' ~ server.database.x509.ca_file ~ '&ssl_cert=' ~ server.database.x509.cert_file ~ '&ssl_key=' ~ server.database.x509.key_file %}
+{%- elif server.database.get('ssl',{}).get('enabled',False) %}
+ {%- set connection_x509_ssl_option = '&ssl_ca=' ~ server.database.ssl.get('cacert_file', server.cacert_file) %}
+{%- endif %}
+
+[DEFAULT]
#
# From keystone
#
@@ -779,7 +786,7 @@
# Deprecated group/name - [DATABASE]/sql_connection
# Deprecated group/name - [sql]/connection
#connection = <None>
-connection={{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}{%- if server.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ server.database.ssl.get('cacert_file', server.cacert_file) }}{% endif %}
+connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}?charset=utf8{{ connection_x509_ssl_option|string }}
# The SQLAlchemy connection string to use to connect to the slave database.
# (string value)
diff --git a/keystone/server.sls b/keystone/server.sls
index c2a9eba..c95ffb1 100644
--- a/keystone/server.sls
+++ b/keystone/server.sls
@@ -1,11 +1,17 @@
{%- from "keystone/map.jinja" import server with context %}
+
{%- if server.enabled %}
+{%- set mysql_x509_ssl_enabled = server.database.get('x509',{}).get('enabled',False) or server.database.get('ssl',{}).get('enabled',False) %}
+
include:
-{%- if server.service_name in ['apache2', 'httpd'] %}
-- apache
-{%- endif %}
-- keystone.db.offline_sync
+ {%- if server.service_name in ['apache2', 'httpd'] %}
+ - apache
+ {%- endif %}
+ - keystone.db.offline_sync
+ {%- if mysql_x509_ssl_enabled %}
+ - keystone._ssl.mysql
+ {%- endif %}
keystone_packages:
pkg.installed:
@@ -98,6 +104,9 @@
- group: keystone
- require:
- pkg: keystone_packages
+ {%- if mysql_x509_ssl_enabled %}
+ - sls: keystone._ssl.mysql
+ {%- endif %}
- watch_in:
- service: {{ keystone_service }}
@@ -554,25 +563,6 @@
{%- endfor %}
{%- endif %} {# end noservices #}
-{%- if server.database.get('ssl',{}).get('enabled',False) %}
-mysql_ca_keystone_server:
-{%- if server.database.ssl.cacert is defined %}
- file.managed:
- - name: {{ server.database.ssl.cacert_file }}
- - contents_pillar: keystone:server:database:ssl:cacert
- - mode: 0444
- - makedirs: true
- - require_in:
- - file: /etc/keystone/keystone.conf
-{%- else %}
- file.exists:
- - name: {{ server.database.ssl.get('cacert_file', server.cacert_file) }}
- - require_in:
- - file: /etc/keystone/keystone.conf
-{% endif %}
-{% endif %}
-
-
{%- if server.notification and server.message_queue.get('ssl',{}).get('enabled', False) %}
rabbitmq_ca_keystone_server:
{%- if server.message_queue.ssl.cacert is defined %}