Merge "Add list_limit option to /etc/keystone/domains/domain.conf file You can set it using keystone:server:domain:domain_name:identity:list_limit in reclass"
diff --git a/.travis.yml b/.travis.yml
index acbbe42..a9b99a0 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -17,8 +17,12 @@
- bundle install
env:
- - PLATFORM=trevorj/salty-whales:trusty MYSQL_VERSION='5.5'
- - PLATFORM=trevorj/salty-whales:xenial MYSQL_VERSION='5.7'
+ - PLATFORM=trevorj/salty-whales:trusty MYSQL_VERSION='5.5' SUITE=single
+ - PLATFORM=trevorj/salty-whales:xenial MYSQL_VERSION='5.7' SUITE=single
+ - PLATFORM=trevorj/salty-whales:trusty MYSQL_VERSION='5.5' SUITE=single_fernet
+ - PLATFORM=trevorj/salty-whales:xenial MYSQL_VERSION='5.7' SUITE=single_fernet
+ - PLATFORM=trevorj/salty-whales:trusty MYSQL_VERSION='5.5' SUITE=under-apache
+ - PLATFORM=trevorj/salty-whales:xenial MYSQL_VERSION='5.7' SUITE=under-apache
before_script:
- set -o pipefail
diff --git a/README.rst b/README.rst
index 1e0e822..14403eb 100644
--- a/README.rst
+++ b/README.rst
@@ -202,16 +202,17 @@
keystone:
server:
domain:
- description: "Testing domain"
- backend: ldap
- assignment:
- backend: sql
- ldap:
- url: "ldaps://idm.domain.com"
- suffix: "dc=cloud,dc=domain,dc=com"
- # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
- uid: keystone
- password: password
+ external:
+ description: "Testing domain"
+ backend: ldap
+ assignment:
+ backend: sql
+ ldap:
+ url: "ldaps://idm.domain.com"
+ suffix: "dc=cloud,dc=domain,dc=com"
+ # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
+ uid: keystone
+ password: password
Using LDAP backend for default domain
diff --git a/keystone/files/juno/keystone.conf.Debian b/keystone/files/juno/keystone.conf.Debian
index 4d2b9a8..fa7a75e 100644
--- a/keystone/files/juno/keystone.conf.Debian
+++ b/keystone/files/juno/keystone.conf.Debian
@@ -79,7 +79,7 @@
# Enforced by optional sizelimit middleware
# (keystone.middleware:RequestBodySizeLimiter). (integer
# value)
-#max_request_body_size=114688
+max_request_body_size= {{ server.max_request_body_size }}
# Limit the sizes of user & project ID/names. (integer value)
#max_param_size=64
@@ -1625,6 +1625,7 @@
# configured with the hash_algorithms, otherwise token
# revocation will not be processed correctly. (string value)
#hash_algorithm=md5
+hash_algorithm = {{ server.hash_algorithm }}
[trust]
diff --git a/keystone/files/kilo/keystone.conf.Debian b/keystone/files/kilo/keystone.conf.Debian
index 0e59b15..09e0cec 100644
--- a/keystone/files/kilo/keystone.conf.Debian
+++ b/keystone/files/kilo/keystone.conf.Debian
@@ -1151,7 +1151,7 @@
# The maximum body size for each request, in bytes. (integer value)
# Deprecated group/name - [DEFAULT]/osapi_max_request_body_size
# Deprecated group/name - [DEFAULT]/max_request_body_size
-#max_request_body_size = 114688
+max_request_body_size= {{ server.max_request_body_size }}
[oslo_policy]
@@ -1458,6 +1458,7 @@
# middleware must be configured with the hash_algorithms, otherwise token
# revocation will not be processed correctly. (string value)
#hash_algorithm = md5
+hash_algorithm = {{ server.hash_algorithm }}
[trust]
diff --git a/keystone/files/liberty/keystone.conf.Debian b/keystone/files/liberty/keystone.conf.Debian
index 1a3ba25..2a91c8c 100644
--- a/keystone/files/liberty/keystone.conf.Debian
+++ b/keystone/files/liberty/keystone.conf.Debian
@@ -1344,7 +1344,7 @@
# The maximum body size for each request, in bytes. (integer value)
# Deprecated group/name - [DEFAULT]/osapi_max_request_body_size
# Deprecated group/name - [DEFAULT]/max_request_body_size
-#max_request_body_size = 114688
+max_request_body_size= {{ server.max_request_body_size }}
#
# From oslo.middleware
@@ -1680,6 +1680,7 @@
# middleware must be configured with the hash_algorithms, otherwise token
# revocation will not be processed correctly. (string value)
#hash_algorithm = md5
+hash_algorithm = {{ server.hash_algorithm }}
[tokenless_auth]
diff --git a/keystone/files/mitaka/keystone.conf.Debian b/keystone/files/mitaka/keystone.conf.Debian
index d834c20..a526cee 100644
--- a/keystone/files/mitaka/keystone.conf.Debian
+++ b/keystone/files/mitaka/keystone.conf.Debian
@@ -1774,7 +1774,7 @@
# The maximum body size for each request, in bytes. (integer value)
# Deprecated group/name - [DEFAULT]/osapi_max_request_body_size
# Deprecated group/name - [DEFAULT]/max_request_body_size
-#max_request_body_size = 114688
+max_request_body_size= {{ server.max_request_body_size }}
# The HTTP Header that will be used to determine what the original request
# protocol scheme was, even if it was hidden by an SSL termination proxy.
@@ -2168,6 +2168,7 @@
# Reason: PKI token support has been deprecated in the M release and will be
# removed in the O release. Fernet or UUID tokens are recommended.
#hash_algorithm = md5
+hash_algorithm = {{ server.hash_algorithm }}
# Add roles to token that are not explicitly added, but that are linked
# implicitly to other roles. (boolean value)
diff --git a/keystone/files/newton/keystone.conf.Debian b/keystone/files/newton/keystone.conf.Debian
index 7c5960e..db95287 100644
--- a/keystone/files/newton/keystone.conf.Debian
+++ b/keystone/files/newton/keystone.conf.Debian
@@ -2225,7 +2225,7 @@
# The maximum body size for each request, in bytes. (integer value)
# Deprecated group/name - [DEFAULT]/osapi_max_request_body_size
# Deprecated group/name - [DEFAULT]/max_request_body_size
-#max_request_body_size = 114688
+max_request_body_size= {{ server.max_request_body_size }}
# DEPRECATED: The HTTP Header that will be used to determine what the original
# request protocol scheme was, even if it was hidden by a SSL termination
@@ -2844,6 +2844,7 @@
# Reason: PKI token support has been deprecated in the M release and will be
# removed in the O release. Fernet or UUID tokens are recommended.
#hash_algorithm = md5
+hash_algorithm = {{ server.hash_algorithm }}
# This controls whether roles should be included with tokens that are not
# directly assigned to the token's scope, but are instead linked implicitly to
diff --git a/keystone/files/ocata/keystone.conf.Debian b/keystone/files/ocata/keystone.conf.Debian
index 9e9ff1c..375935c 100644
--- a/keystone/files/ocata/keystone.conf.Debian
+++ b/keystone/files/ocata/keystone.conf.Debian
@@ -2395,7 +2395,7 @@
# The maximum body size for each request, in bytes. (integer value)
# Deprecated group/name - [DEFAULT]/osapi_max_request_body_size
# Deprecated group/name - [DEFAULT]/max_request_body_size
-#max_request_body_size = 114688
+max_request_body_size= {{ server.max_request_body_size }}
# DEPRECATED: The HTTP Header that will be used to determine what the original
# request protocol scheme was, even if it was hidden by a SSL termination
@@ -3032,6 +3032,7 @@
# Defaults to two days. (integer value)
#allow_expired_window = 172800
+hash_algorithm = {{ server.hash_algorithm }}
[tokenless_auth]
diff --git a/keystone/map.jinja b/keystone/map.jinja
index 01613bf..1a40274 100644
--- a/keystone/map.jinja
+++ b/keystone/map.jinja
@@ -6,6 +6,8 @@
'version': 'icehouse',
'api_version': '2',
'cors': {},
+ 'hash_algorithm': 'sha256',
+ 'max_request_body_size': '114688',
'tokens': {
'engine': 'database',
'expiration': '86400'
@@ -20,6 +22,8 @@
'api_version': '2',
'version': 'icehouse',
'cors': {},
+ 'hash_algorithm': 'sha256',
+ 'max_request_body_size': '114688',
'tokens': {
'engine': 'database',
'expiration': '86400'
diff --git a/keystone/server.sls b/keystone/server.sls
index 0bee8a6..b29e39e 100644
--- a/keystone/server.sls
+++ b/keystone/server.sls
@@ -5,6 +5,14 @@
pkg.installed:
- names: {{ server.pkgs }}
+{%- if server.get('backend') == 'ldap' or server.get('domain',{}).itervalues() | selectattr('ldap') | list %}
+keystone_ldap_packages:
+ pkg.installed:
+ - names:
+ - python-ldap
+ - python-ldappool
+{% endif %}
+
{%- if server.service_name in ['apache2', 'httpd'] %}
{%- set keystone_service = 'apache_service' %}
@@ -82,12 +90,32 @@
/etc/keystone/keystone-paste.ini:
file.managed:
- source: salt://keystone/files/{{ server.version }}/keystone-paste.ini.{{ grains.os_family }}
+ - user: keystone
+ - group: keystone
- template: jinja
- require:
- pkg: keystone_packages
- watch_in:
- service: {{ keystone_service }}
+/etc/keystone/policy.json:
+ file.managed:
+ - user: keystone
+ - group: keystone
+ - require:
+ - pkg: keystone_packages
+ - watch_in:
+ - service: {{ keystone_service }}
+
+/etc/keystone/logging.conf:
+ file.managed:
+ - user: keystone
+ - group: keystone
+ - require:
+ - pkg: keystone_packages
+ - watch_in:
+ - service: {{ keystone_service }}
+
{%- for name, rule in server.get('policy', {}).iteritems() %}
{%- if rule != None %}