Merge pull request #11 from dukov/master
Policy.json should be defined by user
diff --git a/README.rst b/README.rst
index 241691c..257037d 100644
--- a/README.rst
+++ b/README.rst
@@ -170,6 +170,20 @@
max_active_keys: 3
...
+Keystone auth methods
+
+.. code-block:: yaml
+
+ keystone:
+ server:
+ ...
+ auth_methods:
+ - external
+ - password
+ - token
+ - oauth1
+ ...
+
Keystone domain with LDAP backend, using SQL for role/project assignment
.. code-block:: yaml
@@ -315,6 +329,10 @@
keystone:
server:
+ auth_methods:
+ - password
+ - token
+ - saml2
websso:
protocol: saml2
remote_id_attribute: Shib-Identity-Provider
@@ -350,6 +368,21 @@
caching: true
cache_time: 600
+Enable CORS parameters
+
+.. code-block:: yaml
+
+ keystone:
+ server:
+ cors:
+ allowed_origin: https:localhost.local,http:localhost.local
+ expose_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
+ allow_methods: GET,PUT,POST,DELETE,PATCH
+ allow_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
+ allow_credentials: True
+ max_age: 86400
+
+
Keystone client
---------------
diff --git a/keystone/files/keystonerc b/keystone/files/keystonerc
index e3cf64a..15634a2 100644
--- a/keystone/files/keystonerc
+++ b/keystone/files/keystonerc
@@ -1,4 +1,4 @@
-{%- set server = pillar.keystone.server %}
+{%- from "keystone/map.jinja" import server with context %}
export OS_USERNAME={{ server.admin_name }}
export OS_PASSWORD={{ server.admin_password }}
export OS_TENANT_NAME={{ server.admin_tenant }}
@@ -7,3 +7,4 @@
export OS_SERVICE_TOKEN={{ server.service_token }}
export OS_SERVICE_ENDPOINT="http://{{ server.bind.private_address }}:{{ server.bind.private_port }}/v2.0/"
export OS_ENDPOINT_TYPE="internal"
+export OS_CACERT="{{ server.cacert }}"
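Review bot: `OS_CACERT` is now exported unconditionally, but `OS_SERVICE_ENDPOINT` two lines above is still hard-coded to `http://`, so the CA bundle is never consulted for the admin endpoint this file points at; if the intent is TLS-verified admin access the scheme has to come from the pillar as well, otherwise the export is inert. The value defaults (via map.jinja in this same change) to the distro-wide trust store, which is what a client would use anyway, so a comment such as `# only consulted once the endpoint above is https://` would stop the next reader from assuming TLS is in effect. Since this file also exports the admin password and service token in clear text (pre-existing), its file permissions matter more than the CA path.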
diff --git a/keystone/files/keystonerc_user b/keystone/files/keystonerc_user
index 61f6e67..26b4581 100644
--- a/keystone/files/keystonerc_user
+++ b/keystone/files/keystonerc_user
@@ -11,3 +11,4 @@
export OS_SERVICE_ENDPOINT="http://{{ provider.host }}:{{ provider.port }}/{{ provider.get('version', 'v2.0') }}/"
{%- endif %}
export OS_AUTH_STRATEGY=keystone
+#export OS_CACERT=
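Review bot: `#export OS_CACERT=` is a commented-out placeholder that does nothing for the user-facing rc file, while the two admin rc files in this change get a real export; if provider-side users are meant to set it, render it from the provider pillar — `{%- if provider.cacert is defined %}` / `export OS_CACERT="{{ provider.cacert }}"` / `{%- endif %}` — otherwise drop the line rather than ship dead config. The `OS_SERVICE_ENDPOINT` above is likewise built with `http://`, so the setting would only take effect once the provider endpoint is TLS.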
diff --git a/keystone/files/keystonercv3 b/keystone/files/keystonercv3
index ccb0d39..4152b58 100644
--- a/keystone/files/keystonercv3
+++ b/keystone/files/keystonercv3
@@ -1,4 +1,4 @@
-{%- set server = pillar.keystone.server %}
+{%- from "keystone/map.jinja" import server with context %}
export OS_IDENTITY_API_VERSION=3
export OS_AUTH_URL=http://{{ server.bind.private_address }}:{{ server.bind.private_port }}/v3
export OS_PROJECT_DOMAIN_NAME=default
@@ -9,3 +9,4 @@
export OS_PASSWORD={{ server.admin_password }}
export OS_REGION_NAME={{ server.region }}
export OS_INTERFACE=internal
+export OS_CACERT="{{ server.cacert }}"
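Review bot: Same inertness as in keystonerc: `OS_CACERT` is exported, but `OS_AUTH_URL` at the top of this file is hard-coded to `http://{{ server.bind.private_address }}:…/v3`, so no certificate verification ever happens against this URL. If TLS is the goal, derive the scheme from config (and then the export is meaningful); if not, a comment `# only consulted once OS_AUTH_URL is https://` keeps readers from assuming the admin session is verified.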
diff --git a/keystone/files/liberty/keystone.conf.Debian b/keystone/files/liberty/keystone.conf.Debian
index 9f6c9c2..05d0493 100644
--- a/keystone/files/liberty/keystone.conf.Debian
+++ b/keystone/files/liberty/keystone.conf.Debian
@@ -306,9 +306,10 @@
# Allowed authentication methods. (list value)
#methods = external,password,token,oauth1
-
+{% if server.auth_methods is defined %}
+methods = {{ server.auth_methods |join(',') }}
+{%- endif %}
{% if server.websso is defined %}
-methods = external,password,token,{{ server.websso.protocol }}
{{ server.websso.protocol }} = keystone.auth.plugins.mapped.Mapped
{%- endif %}
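Review bot: With `methods = external,password,token,{{ server.websso.protocol }}` removed from the websso branch, a deployment that sets `websso` but not the new `auth_methods` key now falls back to keystone's built-in default list, which per the commented default two lines up (`external,password,token,oauth1`) does not contain the websso protocol — the `Mapped` plugin is still registered on the following line but the method is no longer allowed, so existing SSO pillars silently lose federated login. A fallback preserves the old behaviour: add `{%- elif server.websso is defined %}` and `methods = external,password,token,{{ server.websso.protocol }}` before the `{%- endif %}`. Even when `auth_methods` is set, nothing checks that it includes `websso.protocol`; a render-time guard or a README sentence stating the two must agree would avoid the same misconfiguration. The `[auth]` section continues outside the hunk.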
diff --git a/keystone/files/mitaka/keystone.conf.Debian b/keystone/files/mitaka/keystone.conf.Debian
index 608f38a..28991a4 100644
--- a/keystone/files/mitaka/keystone.conf.Debian
+++ b/keystone/files/mitaka/keystone.conf.Debian
@@ -354,9 +354,10 @@
# Allowed authentication methods. (list value)
#methods = external,password,token,oauth1
-
+{% if server.auth_methods is defined %}
+methods = {{ server.auth_methods |join(',') }}
+{%- endif %}
{% if server.websso is defined %}
-methods = external,password,token,{{ server.websso.protocol }}
{{ server.websso.protocol }} = keystone.auth.plugins.mapped.Mapped
{%- endif %}
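Review bot: Same regression as in the liberty template: a pillar with `websso` but without `auth_methods` no longer gets the websso protocol into `methods`, so the `Mapped` plugin registered below is declared but not enabled. Adding `{%- elif server.websso is defined %}` / `methods = external,password,token,{{ server.websso.protocol }}` before the `{%- endif %}` keeps existing SSO deployments working until they migrate to `auth_methods`. The `[auth]` section continues outside the hunk.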
@@ -495,23 +496,42 @@
# Indicate whether this resource may be shared with the domain received in the
# requests "origin" header. (list value)
#allowed_origin = <None>
+{% if server.cors.allowed_origin is defined %}
+allowed_origin = {{ server.cors.allowed_origin }}
+{% endif %}
# Indicate that the actual request can include user credentials (boolean value)
#allow_credentials = true
+{% if server.cors.allow_credentials is defined %}
+allow_credentials = {{ server.cors.allow_credentials }}
+{% endif %}
# Indicate which headers are safe to expose to the API. Defaults to HTTP Simple
# Headers. (list value)
#expose_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
+{% if server.cors.expose_headers is defined %}
+expose_headers = {{ server.cors.expose_headers }}
+{% endif %}
# Maximum cache age of CORS preflight requests. (integer value)
#max_age = 3600
+{% if server.cors.max_age is defined %}
+max_age = {{ server.cors.max_age }}
+{% endif %}
+
# Indicate which methods can be used during the actual request. (list value)
#allow_methods = GET,PUT,POST,DELETE,PATCH
+{% if server.cors.allow_methods is defined %}
+allow_methods = {{ server.cors.allow_methods }}
+{% endif %}
# Indicate which header field names may be used during the actual request.
# (list value)
#allow_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token,X-Project-Id,X-Project-Name,X-Project-Domain-Id,X-Project-Domain-Name,X-Domain-Id,X-Domain-Name
+{% if server.cors.allow_headers is defined %}
+allow_headers = {{ server.cors.allow_headers }}
+{% endif %}
[cors.subdomain]
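Review bot: Every `[cors]` value is rendered verbatim from the pillar, so nothing checks that `allowed_origin` entries are real origins of the form `scheme://host[:port]` — the README example in this same change, `https:localhost.local,http:localhost.local`, lacks the `//` and would never match a browser's Origin header, which is hard to notice because the rendered file still looks valid. Because `allow_credentials` can be set to `True` and the default `expose_headers` already includes `X-Auth-Token` and `X-Subject-Token`, an over-broad origin list here lets any page on those origins read Keystone tokens, so a warning comment above the `allowed_origin` block is warranted, e.g. `# Exact scheme://host[:port] origins only; never combine a wildcard with allow_credentials = True`. The `[cors]` section continues past the `[cors.subdomain]` header.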
diff --git a/keystone/files/newton/keystone.conf.Debian b/keystone/files/newton/keystone.conf.Debian
index 0807960..6add60c 100644
--- a/keystone/files/newton/keystone.conf.Debian
+++ b/keystone/files/newton/keystone.conf.Debian
@@ -414,8 +414,10 @@
# Allowed authentication methods. (list value)
#methods = external,password,token,oauth1
+{% if server.auth_methods is defined %}
+methods = {{ server.auth_methods |join(',') }}
+{%- endif %}
{% if server.websso is defined %}
-methods = external,password,token,{{ server.websso.protocol }}
{{ server.websso.protocol }} = keystone.auth.plugins.mapped.Mapped
{%- endif %}
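Review bot: As in the liberty and mitaka templates, dropping the `methods = …{{ server.websso.protocol }}` line means a `websso`-only pillar now relies on keystone's default method list, which per the commented default above does not include the SSO protocol, so the `Mapped` plugin below is registered but not allowed. Adding `{%- elif server.websso is defined %}` / `methods = external,password,token,{{ server.websso.protocol }}` before the `{%- endif %}` restores the old behaviour; alternatively document that `auth_methods` is mandatory once `websso` is set. The `[auth]` section continues outside the hunk.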
@@ -577,23 +579,42 @@
# requests "origin" header. Format: "<protocol>://<host>[:<port>]", no trailing
# slash. Example: https://horizon.example.com (list value)
#allowed_origin = <None>
+{% if server.cors.allowed_origin is defined %}
+allowed_origin = {{ server.cors.allowed_origin }}
+{% endif %}
# Indicate that the actual request can include user credentials (boolean value)
#allow_credentials = true
+{% if server.cors.allow_credentials is defined %}
+allow_credentials = {{ server.cors.allow_credentials }}
+{% endif %}
# Indicate which headers are safe to expose to the API. Defaults to HTTP Simple
# Headers. (list value)
#expose_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
+{% if server.cors.expose_headers is defined %}
+allowed_origin = {{ server.cors.expose_headers }}
+{% endif %}
# Maximum cache age of CORS preflight requests. (integer value)
#max_age = 3600
+{% if server.cors.max_age is defined %}
+max_age = {{ server.cors.max_age }}
+{% endif %}
+
# Indicate which methods can be used during the actual request. (list value)
#allow_methods = GET,PUT,POST,DELETE,PATCH
+{% if server.cors.allow_methods is defined %}
+allow_methods = {{ server.cors.allow_methods }}
+{% endif %}
# Indicate which header field names may be used during the actual request.
# (list value)
#allow_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token,X-Project-Id,X-Project-Name,X-Project-Domain-Id,X-Project-Domain-Name,X-Domain-Id,X-Domain-Name
+{% if server.cors.allow_headers is defined %}
+allow_headers = {{ server.cors.allow_headers }}
+{% endif %}
[cors.subdomain]
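Review bot: The `expose_headers` block writes `allowed_origin = {{ server.cors.expose_headers }}` (the line under `#expose_headers`), so setting `cors.expose_headers` in the pillar emits a second `allowed_origin` key holding header names instead of origins and never sets `expose_headers` at all; depending on how oslo.config resolves the duplicate key this either clobbers the real origin list (breaking CORS) or is silently ignored (leaving the default exposed-header set). Change it to `expose_headers = {{ server.cors.expose_headers }}`; the mitaka template in this same change has the correct key, so the two should be brought in line. The same pass-through caveat applies here as in mitaka: `allowed_origin` is not validated against the `<protocol>://<host>[:<port>]` format the comment above describes.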
diff --git a/keystone/files/ocata/keystone.conf.Debian b/keystone/files/ocata/keystone.conf.Debian
index dd9a7c9..aa442f2 100644
--- a/keystone/files/ocata/keystone.conf.Debian
+++ b/keystone/files/ocata/keystone.conf.Debian
@@ -481,8 +481,10 @@
# are being invoked to validate attributes in the request environment, it can
# cause conflicts. (list value)
#methods = external,password,token,oauth1,mapped
+{% if server.auth_methods is defined %}
+methods = {{ server.auth_methods |join(',') }}
+{%- endif %}
{% if server.websso is defined %}
-methods = external,password,token,{{ server.websso.protocol }}
{{ server.websso.protocol }} = keystone.auth.plugins.mapped.Mapped
{%- endif %}
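Review bot: Same regression as in the other three templates: with the websso branch no longer emitting `methods`, a pillar that sets `websso` but not `auth_methods` leaves the SSO protocol out of the allowed methods (the commented default above lists `external,password,token,oauth1,mapped`, not e.g. `saml2`), while `{{ server.websso.protocol }} = keystone.auth.plugins.mapped.Mapped` is still written. Adding `{%- elif server.websso is defined %}` / `methods = external,password,token,{{ server.websso.protocol }}` before the `{%- endif %}` keeps the previous behaviour. The `[auth]` section continues outside the hunk.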
@@ -649,23 +651,42 @@
# requests "origin" header. Format: "<protocol>://<host>[:<port>]", no trailing
# slash. Example: https://horizon.example.com (list value)
#allowed_origin = <None>
+{% if server.cors.allowed_origin is defined %}
+allowed_origin = {{ server.cors.allowed_origin }}
+{% endif %}
# Indicate that the actual request can include user credentials (boolean value)
#allow_credentials = true
+{% if server.cors.allow_credentials is defined %}
+allow_credentials = {{ server.cors.allow_credentials }}
+{% endif %}
# Indicate which headers are safe to expose to the API. Defaults to HTTP Simple
# Headers. (list value)
#expose_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
+{% if server.cors.expose_headers is defined %}
+allowed_origin = {{ server.cors.expose_headers }}
+{% endif %}
# Maximum cache age of CORS preflight requests. (integer value)
#max_age = 3600
+{% if server.cors.max_age is defined %}
+max_age = {{ server.cors.max_age }}
+{% endif %}
+
# Indicate which methods can be used during the actual request. (list value)
#allow_methods = GET,PUT,POST,DELETE,PATCH
+{% if server.cors.allow_methods is defined %}
+allow_methods = {{ server.cors.allow_methods }}
+{% endif %}
# Indicate which header field names may be used during the actual request.
# (list value)
#allow_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token,X-Project-Id,X-Project-Name,X-Project-Domain-Id,X-Project-Domain-Name,X-Domain-Id,X-Domain-Name
+{% if server.cors.allow_headers is defined %}
+allow_headers = {{ server.cors.allow_headers }}
+{% endif %}
[cors.subdomain]
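Review bot: The ocata template carries the same copy error as newton: the block under `#expose_headers` emits `allowed_origin = {{ server.cors.expose_headers }}`, so a pillar `expose_headers` value lands in `allowed_origin` (header names where origins are expected) and `expose_headers` is never rendered. Replace it with `expose_headers = {{ server.cors.expose_headers }}`. As the config comment above already spells out the `<protocol>://<host>[:<port>]` origin format, a one-line reminder in the README example (which currently shows `https:localhost.local`) that origins are passed through unvalidated would help operators.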
@@ -3058,4 +3079,4 @@
# unless you are providing a custom entry point. (string value)
#driver = sql
[extra_headers]
-Distribution = Ubuntu
\ No newline at end of file
+Distribution = Ubuntu
diff --git a/keystone/map.jinja b/keystone/map.jinja
index 284130f..361bba9 100644
--- a/keystone/map.jinja
+++ b/keystone/map.jinja
@@ -5,24 +5,28 @@
'service_name': 'keystone',
'version': 'icehouse',
'api_version': '2',
+ 'cors': {},
'tokens': {
'engine': 'database',
'expiration': '86400'
},
'notification': False,
- 'roles': ['admin', 'Member']
+ 'roles': ['admin', 'Member'],
+ 'cacert': '/etc/ssl/certs/ca-certificates.crt'
},
'RedHat': {
'pkgs': ['openstack-keystone', 'openstack-utils', 'python-keystone', 'python-keystoneclient', 'python-pycadf'],
'service_name': 'openstack-keystone',
'api_version': '2',
'version': 'icehouse',
+ 'cors': {},
'tokens': {
'engine': 'database',
'expiration': '86400'
},
'notification': False,
- 'roles': ['admin', 'Member']
+ 'roles': ['admin', 'Member'],
+ 'cacert': '/etc/pki/tls/certs/ca-bundle.crt'
},
}, merge=pillar.keystone.get('server', {})) %}
diff --git a/keystone/server.sls b/keystone/server.sls
index 57050fd..384911f 100644
--- a/keystone/server.sls
+++ b/keystone/server.sls
@@ -6,19 +6,13 @@
- names: {{ server.pkgs }}
{%- if server.service_name in ['apache2', 'httpd'] %}
-/etc/apache2/sites-available/wsgi-keystone.conf:
+{%- if not grains.get('noservices', False) %}
+purge_not_needed_configs:
file.absent:
- {%- if not grains.get('noservices', False) %}
+ - names: ['/etc/apache2/sites-enabled/keystone.conf', '/etc/apache2/sites-enabled/wsgi-keystone.conf']
- watch_in:
- service: keystone_service
- {%- endif %}
-
-/etc/apache2/sites-enabled/wsgi-keystone.conf:
- file.absent:
- {%- if not grains.get('noservices', False) %}
- - watch_in:
- - service: keystone_service
- {%- endif %}
+{%- endif %}
include:
- apache
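Review bot: The consolidated `purge_not_needed_configs` state drops the `watch_in: - service: keystone_service` that both removed states carried, so deleting the vhost files from `sites-enabled` no longer triggers a reload — apache keeps serving the old `wsgi-keystone.conf` vhost until something else restarts it, which defeats the purpose of purging it on a live host. The whole state is also now skipped under the `noservices` grain (previously only the watch was conditional), and `sites-available/wsgi-keystone.conf` is no longer removed while `sites-enabled/keystone.conf` is newly removed; worth confirming all three are intentional. Restoring `- watch_in:` / `  - service: keystone_service` beneath the `names` list inside the new `noservices` guard keeps the previous reload behaviour. The enclosing `{%- if server.service_name in ['apache2', 'httpd'] %}` block closes outside the hunk.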