security settings
Change-Id: I7b8fc91ef78a4fa0d882c956472e453b830d186b
diff --git a/keystone/files/juno/keystone.conf.Debian b/keystone/files/juno/keystone.conf.Debian
index 4d2b9a8..fa7a75e 100644
--- a/keystone/files/juno/keystone.conf.Debian
+++ b/keystone/files/juno/keystone.conf.Debian
@@ -79,7 +79,7 @@
# Enforced by optional sizelimit middleware
# (keystone.middleware:RequestBodySizeLimiter). (integer
# value)
-#max_request_body_size=114688
+max_request_body_size= {{ server.max_request_body_size }}
# Limit the sizes of user & project ID/names. (integer value)
#max_param_size=64
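Review bot: The new `max_request_body_size= {{ server.max_request_body_size }}` line uses `key= value` spacing, which matches neither this file's `key=value` style (visible in `#max_param_size=64` and `#hash_algorithm=md5`) nor the `key = value` style of the kilo, liberty, mitaka, newton and ocata files, where the same oddly spaced line is added; the `hash_algorithm = {{ … }}` line added further down in this file likewise departs from the juno no-space style. oslo.config strips whitespace around the delimiter, so this is cosmetic, but `max_request_body_size = {{ server.max_request_body_size }}` in the later files (and the no-space form here) keeps the templated lines consistent with the sample comments they replace. The map.jinja default of 114688 reproduces the commented sample default, so behaviour only changes when a pillar overrides it; as this cap is the request-body size limit enforced by the sizelimit middleware, a comment stating the unit (bytes) would help operators who raise it.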
@@ -1625,6 +1625,7 @@
# configured with the hash_algorithms, otherwise token
# revocation will not be processed correctly. (string value)
#hash_algorithm=md5
+hash_algorithm = {{ server.hash_algorithm }}
[trust]
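Review bot: Templating `hash_algorithm` from `server.hash_algorithm` moves the effective value from the sample default md5 to the map.jinja default sha256, and the comment immediately above warns that the keystone middleware must be configured with matching `hash_algorithms` or token revocation is not processed correctly; the change records nothing about that cross-service dependency. A comment above the templated line, e.g. `# Must match hash_algorithms ([keystone_authtoken]) on every service that validates tokens`, would capture it. The same line is added in the kilo, liberty, mitaka, newton and ocata files, so one such comment per file is enough. The section header this line lands in is outside the hunk (presumably `[token]`, given the following `[trust]` header; confirm).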
diff --git a/keystone/files/kilo/keystone.conf.Debian b/keystone/files/kilo/keystone.conf.Debian
index 0e59b15..09e0cec 100644
--- a/keystone/files/kilo/keystone.conf.Debian
+++ b/keystone/files/kilo/keystone.conf.Debian
@@ -1151,7 +1151,7 @@
# The maximum body size for each request, in bytes. (integer value)
# Deprecated group/name - [DEFAULT]/osapi_max_request_body_size
# Deprecated group/name - [DEFAULT]/max_request_body_size
-#max_request_body_size = 114688
+max_request_body_size= {{ server.max_request_body_size }}
[oslo_policy]
@@ -1458,6 +1458,7 @@
# middleware must be configured with the hash_algorithms, otherwise token
# revocation will not be processed correctly. (string value)
#hash_algorithm = md5
+hash_algorithm = {{ server.hash_algorithm }}
[trust]
diff --git a/keystone/files/liberty/keystone.conf.Debian b/keystone/files/liberty/keystone.conf.Debian
index 1a3ba25..2a91c8c 100644
--- a/keystone/files/liberty/keystone.conf.Debian
+++ b/keystone/files/liberty/keystone.conf.Debian
@@ -1344,7 +1344,7 @@
# The maximum body size for each request, in bytes. (integer value)
# Deprecated group/name - [DEFAULT]/osapi_max_request_body_size
# Deprecated group/name - [DEFAULT]/max_request_body_size
-#max_request_body_size = 114688
+max_request_body_size= {{ server.max_request_body_size }}
#
# From oslo.middleware
@@ -1680,6 +1680,7 @@
# middleware must be configured with the hash_algorithms, otherwise token
# revocation will not be processed correctly. (string value)
#hash_algorithm = md5
+hash_algorithm = {{ server.hash_algorithm }}
[tokenless_auth]
diff --git a/keystone/files/mitaka/keystone.conf.Debian b/keystone/files/mitaka/keystone.conf.Debian
index d834c20..a526cee 100644
--- a/keystone/files/mitaka/keystone.conf.Debian
+++ b/keystone/files/mitaka/keystone.conf.Debian
@@ -1774,7 +1774,7 @@
# The maximum body size for each request, in bytes. (integer value)
# Deprecated group/name - [DEFAULT]/osapi_max_request_body_size
# Deprecated group/name - [DEFAULT]/max_request_body_size
-#max_request_body_size = 114688
+max_request_body_size= {{ server.max_request_body_size }}
# The HTTP Header that will be used to determine what the original request
# protocol scheme was, even if it was hidden by an SSL termination proxy.
@@ -2168,6 +2168,7 @@
# Reason: PKI token support has been deprecated in the M release and will be
# removed in the O release. Fernet or UUID tokens are recommended.
#hash_algorithm = md5
+hash_algorithm = {{ server.hash_algorithm }}
# Add roles to token that are not explicitly added, but that are linked
# implicitly to other roles. (boolean value)
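Review bot: The two context lines above the new `hash_algorithm` line state that PKI token support is deprecated in the M release and removed in O, so this option only does anything while a PKI token provider is in use; for Fernet or UUID deployments it is inert, and the formula gives the reader no hint of that. The newton hunk has the same situation. Suggest `# Only used by the deprecated PKI token providers; inert for fernet/uuid tokens` above the templated line in both files, or, if the formula exposes the configured token provider, gating the line on it.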
diff --git a/keystone/files/newton/keystone.conf.Debian b/keystone/files/newton/keystone.conf.Debian
index 7c5960e..db95287 100644
--- a/keystone/files/newton/keystone.conf.Debian
+++ b/keystone/files/newton/keystone.conf.Debian
@@ -2225,7 +2225,7 @@
# The maximum body size for each request, in bytes. (integer value)
# Deprecated group/name - [DEFAULT]/osapi_max_request_body_size
# Deprecated group/name - [DEFAULT]/max_request_body_size
-#max_request_body_size = 114688
+max_request_body_size= {{ server.max_request_body_size }}
# DEPRECATED: The HTTP Header that will be used to determine what the original
# request protocol scheme was, even if it was hidden by a SSL termination
@@ -2844,6 +2844,7 @@
# Reason: PKI token support has been deprecated in the M release and will be
# removed in the O release. Fernet or UUID tokens are recommended.
#hash_algorithm = md5
+hash_algorithm = {{ server.hash_algorithm }}
# This controls whether roles should be included with tokens that are not
# directly assigned to the token's scope, but are instead linked implicitly to
diff --git a/keystone/files/ocata/keystone.conf.Debian b/keystone/files/ocata/keystone.conf.Debian
index 9e9ff1c..375935c 100644
--- a/keystone/files/ocata/keystone.conf.Debian
+++ b/keystone/files/ocata/keystone.conf.Debian
@@ -2395,7 +2395,7 @@
# The maximum body size for each request, in bytes. (integer value)
# Deprecated group/name - [DEFAULT]/osapi_max_request_body_size
# Deprecated group/name - [DEFAULT]/max_request_body_size
-#max_request_body_size = 114688
+max_request_body_size= {{ server.max_request_body_size }}
# DEPRECATED: The HTTP Header that will be used to determine what the original
# request protocol scheme was, even if it was hidden by a SSL termination
@@ -3032,6 +3032,7 @@
# Defaults to two days. (integer value)
#allow_expired_window = 172800
+hash_algorithm = {{ server.hash_algorithm }}
[tokenless_auth]
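Review bot: Unlike every other release file in this change, the ocata sample has no commented `#hash_algorithm = md5` line here — the new line is inserted after `#allow_expired_window = 172800` with no sample entry to replace — which suggests `hash_algorithm` is no longer a recognised option in this release (the mitaka and newton comments say PKI support is removed in O). Confirm against the ocata option list before templating it; oslo.config typically ignores unknown options in config files, so the line would be dead configuration rather than an error. If the option is gone, drop `hash_algorithm = {{ server.hash_algorithm }}` from this file. The enclosing section header is outside the hunk.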
diff --git a/keystone/map.jinja b/keystone/map.jinja
index 01613bf..1a40274 100644
--- a/keystone/map.jinja
+++ b/keystone/map.jinja
@@ -6,6 +6,8 @@
'version': 'icehouse',
'api_version': '2',
'cors': {},
+ 'hash_algorithm': 'sha256',
+ 'max_request_body_size': '114688',
'tokens': {
'engine': 'database',
'expiration': '86400'
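Review bot: The new `hash_algorithm` and `max_request_body_size` defaults carry no indication of what they drive, and the `sha256` default differs from the md5 sample default that the templated keystone.conf files replace — a reader of map.jinja cannot tell this is a deliberate hardening or that the value must agree with the middleware `hash_algorithms` on consuming services. The same pair is duplicated in the second hunk of this file. Since Jinja comments cannot sit inside the `{% set %}` dict literal, a `{# … #}` comment above the enclosing block (which starts outside this hunk) describing both keys — body cap in bytes, and the md5→sha256 rationale plus the middleware dependency — would do.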
@@ -20,6 +22,8 @@
'api_version': '2',
'version': 'icehouse',
'cors': {},
+ 'hash_algorithm': 'sha256',
+ 'max_request_body_size': '114688',
'tokens': {
'engine': 'database',
'expiration': '86400'
diff --git a/keystone/server.sls b/keystone/server.sls
index 0bee8a6..ad0ccf6 100644
--- a/keystone/server.sls
+++ b/keystone/server.sls
@@ -82,12 +82,32 @@
/etc/keystone/keystone-paste.ini:
file.managed:
- source: salt://keystone/files/{{ server.version }}/keystone-paste.ini.{{ grains.os_family }}
+ - user: keystone
+ - group: keystone
- template: jinja
- require:
- pkg: keystone_packages
- watch_in:
- service: {{ keystone_service }}
+/etc/keystone/policy.json:
+ file.managed:
+ - user: keystone
+ - group: keystone
+ - require:
+ - pkg: keystone_packages
+ - watch_in:
+ - service: {{ keystone_service }}
+
+/etc/keystone/logging.conf:
+ file.managed:
+ - user: keystone
+ - group: keystone
+ - require:
+ - pkg: keystone_packages
+ - watch_in:
+ - service: {{ keystone_service }}
+
{%- for name, rule in server.get('policy', {}).iteritems() %}
{%- if rule != None %}
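Review bot: The three states make the keystone service user the owner of `keystone-paste.ini`, `policy.json` and `logging.conf`, which lets a compromised keystone process rewrite its own WSGI pipeline and authorization policy, and none of the three sets a mode, so whatever permissions the package left are kept; for files the service only reads, `- user: root`, `- group: keystone`, `- mode: 640` keeps them readable but not writable by the service. The `policy.json` and `logging.conf` states have no `source` or `contents`; as far as I recall Salt's `file.managed` then manages attributes only, but with the default `create: True` it creates an empty file when the path does not exist, which for `policy.json` would be a file that is not valid JSON — confirm the package ships both, or add `- create: False`. If the `server.policy` loop that begins at the end of this hunk also writes `/etc/keystone/policy.json`, two states would manage the same path and their ordering should be made explicit. The loop body continues past the hunk.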