File ardana-keystone-8.0+git.1573147067.09e3ea0.obscpio of Package ardana-keystone
07070100000000000081A40000000000000000000000015DC451BB00000356000000000000000000000000000000000000003C00000000ardana-keystone-8.0+git.1573147067.09e3ea0/.copyrightignore#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
roles/KEY-API/files/samples/k2k/k2k_sp_mapping.json
roles/KEY-API/files/samples/websso/adfs_sp_mapping.json
roles/KEY-API/files/samples/x509auth/x509auth_mapping.json
roles/KEY-API/files/samples/x509auth/cacert.pem
07070100000001000081A40000000000000000000000015DC451BB00000075000000000000000000000000000000000000003600000000ardana-keystone-8.0+git.1573147067.09e3ea0/.gitignore.vagrant
*.sw?
.tox
*.egg
*.egg-info
.testrepository
*.pyc
.project
.pydevproject
.settings/*
.settings
*.iml
.idea
07070100000002000081A40000000000000000000000015DC451BB00000084000000000000000000000000000000000000003600000000ardana-keystone-8.0+git.1573147067.09e3ea0/.gitreview[gerrit]
host=gerrit.suse.provo.cloud
port=29418
project=ardana/keystone-ansible.git
defaultremote=ardana
defaultbranch=stable/pike
07070100000003000081A40000000000000000000000015DC451BB0000000C000000000000000000000000000000000000003900000000ardana-keystone-8.0+git.1573147067.09e3ea0/.rsync-filter- ardana-ci
07070100000004000081A40000000000000000000000015DC451BB0000279F000000000000000000000000000000000000003300000000ardana-keystone-8.0+git.1573147067.09e3ea0/LICENSE
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
07070100000005000081A40000000000000000000000015DC451BB0000048A000000000000000000000000000000000000003500000000ardana-keystone-8.0+git.1573147067.09e3ea0/README.md
(c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
(c) Copyright 2017 SUSE LLC
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
80README
======
This repo contains the following roles
- KEY-API: Keystone api
- keystone-common: Variable declarations
- keystone-post-configuure: Bootstrapps data
The verbs:
- configure - configure the service/role
- install - install the service/role
- start - start the service/role
- stop - stop the service/role
The operations:
- deploy - deploy the service (install, configure and start)
- reconfigure - reconfigures the service
Refer to REAADME.md at roles/KEY-API/ for reconfiguration instructions
07070100000006000081A40000000000000000000000015DC451BB000002E6000000000000000000000000000000000000004A00000000ardana-keystone-8.0+git.1573147067.09e3ea0/_keystone-schedule-restart.yml#
# (c) Copyright 2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
# Schedule a restart of keystone services using ardana_notify_... variables
- hosts: all
tasks:
- include: roles/keystone-common/tasks/_schedule_restart.yml07070100000007000041ED0000000000000000000000045DC451BB00000000000000000000000000000000000000000000003500000000ardana-keystone-8.0+git.1573147067.09e3ea0/ardana-ci07070100000008000041ED0000000000000000000000035DC451BB00000000000000000000000000000000000000000000003D00000000ardana-keystone-8.0+git.1573147067.09e3ea0/ardana-ci/project07070100000009000041ED0000000000000000000000035DC451BB00000000000000000000000000000000000000000000004900000000ardana-keystone-8.0+git.1573147067.09e3ea0/ardana-ci/project/input-model0707010000000A000041ED0000000000000000000000025DC451BB00000000000000000000000000000000000000000000004E00000000ardana-keystone-8.0+git.1573147067.09e3ea0/ardana-ci/project/input-model/data0707010000000B000081A40000000000000000000000015DC451BB00000560000000000000000000000000000000000000006000000000ardana-keystone-8.0+git.1573147067.09e3ea0/ardana-ci/project/input-model/data/control_plane.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
product:
version: 2
control-planes:
- name: ccp
control-plane-prefix: ccp
region-name: region1
failure-zones:
- AZ1
- AZ2
- AZ3
common-service-components:
- lifecycle-manager-target
- openstack-client
clusters:
- name: cluster0
cluster-prefix: c0
server-role:
- SERVER1-ROLE
- SERVER2-ROLE
- SERVER3-ROLE
member-count: 3
allocation-policy: strict
service-components:
- lifecycle-manager
- ntp-server
- mysql
- ip-cluster
- rabbitmq
- keystone-client
- keystone-api
0707010000000C000081A40000000000000000000000015DC451BB0000034F000000000000000000000000000000000000005A00000000ardana-keystone-8.0+git.1573147067.09e3ea0/ardana-ci/project/input-model/data/servers.yml---
product:
version: 2
baremetal:
netmask: 255.255.255.0
subnet: 192.168.110.0
server-interface: eth2
servers:
- id: server1
ip-addr: 192.168.110.3
role: SERVER1-ROLE
server-group: AZ1
mac-addr: a4:93:0c:4f:7c:73
nic-mapping: VAGRANT
ilo-ip: 192.168.109.3
ilo-password: password
ilo-user: admin
- id: server2
ip-addr: 192.168.110.4
role: SERVER2-ROLE
server-group: AZ2
mac-addr: b2:72:8d:ac:7c:6f
nic-mapping: VAGRANT
ilo-ip: 192.168.109.4
ilo-password: password
ilo-user: admin
- id: server3
ip-addr: 192.168.110.5
role: SERVER3-ROLE
server-group: AZ3
mac-addr: 8a:8e:64:55:43:76
nic-mapping: VAGRANT
ilo-ip: 192.168.109.5
ilo-password: password
ilo-user: admin
0707010000000D000041ED0000000000000000000000025DC451BB00000000000000000000000000000000000000000000003B00000000ardana-keystone-8.0+git.1573147067.09e3ea0/ardana-ci/tests0707010000000E000081A40000000000000000000000015DC451BB00000404000000000000000000000000000000000000004A00000000ardana-keystone-8.0+git.1573147067.09e3ea0/ardana-ci/tests/test-plan.yaml#
# (c) Copyright 2016-2017 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- name: Test reconfigure
logfile: testsuite-reconfigure.log
prefix: reconfigure
playbooks:
- keystone-reconfigure.yml
- name: Validate keystone
exec:
- validate-keystone.bash
- name: Test reboot
logfile: reboot.log
prefix: reboot
vms:
- reboot: server2
exec:
- ansible-playbook -i hosts/verb_hosts keystone-start.yml
- validate-keystone.bash
0707010000000F000081ED0000000000000000000000015DC451BB00000087000000000000000000000000000000000000005200000000ardana-keystone-8.0+git.1573147067.09e3ea0/ardana-ci/tests/validate-keystone.bash#!/bin/bash
ansible-playbook -i hosts/verb_hosts keystone-status.yml
if [ $? -eq 0 ]
then
echo "Ok"
else
echo "Fail"
exit 1
fi
07070100000010000041ED0000000000000000000000025DC451BB00000000000000000000000000000000000000000000003200000000ardana-keystone-8.0+git.1573147067.09e3ea0/config07070100000011000081A40000000000000000000000015DC451BB00000753000000000000000000000000000000000000004800000000ardana-keystone-8.0+git.1573147067.09e3ea0/config/keystone-symlinks.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# The following relative symlinks are created under the
# my_cloud/config directory.
---
symlinks:
"keystone/keystone.conf.j2": roles/KEY-API/templates/keystone.conf.j2
"keystone/keystone-paste.ini.j2": roles/KEY-API/templates/keystone-paste.ini.j2
"keystone/keystone_deploy_config.yml": roles/keystone-common/vars/keystone_deploy_config.yml
"keystone/keystone_configure_ldap_sample.yml": roles/KEY-API/files/samples/keystone_configure_ldap_sample.yml
"keystone/keystone_configure_ldap_certs_sample.yml": roles/KEY-API/files/samples/keystone_configure_ldap_certs_sample.yml
"keystone/policy.json": roles/KEY-API/templates/policy.v3cloudsample.json
"keystone/README.md": roles/KEY-API/README.md
"keystone/keystone_configure_adfs_sample.yml": roles/KEY-API/files/samples/websso/keystone_configure_adfs_sample.yml
"keystone/keystone_configure_idp_sample.yml": roles/KEY-API/files/samples/k2k/keystone_configure_idp_sample.yml
"keystone/keystone_configure_sp_sample.yml": roles/KEY-API/files/samples/k2k/keystone_configure_sp_sample.yml
"keystone/k2k_sp_mapping.json": roles/KEY-API/files/samples/k2k/k2k_sp_mapping.json
"keystone/adfs_sp_mapping.json": roles/KEY-API/files/samples/websso/adfs_sp_mapping.json
07070100000012000041ED0000000000000000000000025DC451BB00000000000000000000000000000000000000000000003A00000000ardana-keystone-8.0+git.1573147067.09e3ea0/filter_plugins07070100000013000081A40000000000000000000000015DC451BB000004F6000000000000000000000000000000000000004A00000000ardana-keystone-8.0+git.1573147067.09e3ea0/filter_plugins/osini_filter.py#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Creates a list of tuples from the dictionary
def ini_tuple(config_entries):
config_tuples = list()
for section in config_entries:
for option in sorted(config_entries[section]):
#config_tuples.append(item0, item1, config_entries[item0][item1])
config_tuples.append( dict(section=section,
option=option,
value=config_entries[section][option]
)
)
return config_tuples
class FilterModule(object):
def filters(self):
return {'osini': ini_tuple}
07070100000014000081A40000000000000000000000015DC451BB000002FE000000000000000000000000000000000000005400000000ardana-keystone-8.0+git.1573147067.09e3ea0/keystone-configure-fernet-monitoring.yml#
# (c) Copyright 2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- hosts: KEY-API:&MON-AGN
roles:
- role: keystone-monitor
tasks:
- include: roles/keystone-monitor/tasks/monitor_fernet_master_node.yml
when: keystone_configure_fernet
07070100000015000081A40000000000000000000000015DC451BB00000399000000000000000000000000000000000000004A00000000ardana-keystone-8.0+git.1573147067.09e3ea0/keystone-configure-monasca.yml#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- hosts: KEY-API:&MON-AGN
roles:
- role: keystone-monitor
tasks:
- include: roles/keystone-monitor/tasks/local_monitor.yml
- hosts: KEY-API:&MON-AGN
roles:
- role: keystone-monitor
tasks:
- include: roles/keystone-monitor/tasks/remote_monitor.yml
07070100000016000081A40000000000000000000000015DC451BB000005C9000000000000000000000000000000000000003F00000000ardana-keystone-8.0+git.1573147067.09e3ea0/keystone-deploy.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- hosts: KEY-API
roles:
- role: KEY-API
tasks:
- include: roles/KEY-API/tasks/install.yml
- hosts: KEY-API
roles:
- role: KEY-API
tasks:
- include: roles/KEY-API/tasks/db_configure.yml
- hosts: KEY-API
roles:
- KEY-API
tasks:
- include: roles/KEY-API/tasks/configure.yml
- hosts: KEY-API
roles:
- role: KEY-API
tasks:
- include: roles/KEY-API/tasks/start.yml
- include: keystone-configure-monasca.yml
# Register endpoint using keystone client.
- hosts: KEY-API
roles:
- role: keystone-post-configure
tasks:
- include: roles/keystone-post-configure/tasks/keystone_conf.yml
ansible_python_interpreter: "{{
KEY_CLI.vars.keystone_client_python_interpreter }}"
- hosts: KEY-API
roles:
- KEY-API
tasks:
- include: roles/KEY-API/tasks/restart.yml
07070100000017000081A40000000000000000000000015DC451BB000004ED000000000000000000000000000000000000005000000000ardana-keystone-8.0+git.1573147067.09e3ea0/keystone-reconfigure-credentials.yml#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- hosts: KEY-API
roles:
- KEY-API
tasks:
- include: roles/KEY-API/tasks/reconfigure.yml
ansible_python_interpreter: "{{
KEY_CLI.vars.keystone_client_python_interpreter }}"
# Actually serial restart here doesn't make sense
- hosts: KEY-API
serial: "50%"
roles:
- role: KEY-API
tasks:
- include: roles/KEY-API/tasks/start.yml
- hosts: KEY-API
roles:
- KEY-API
tasks:
- include: roles/KEY-API/tasks/_reconfigure_credentials.yml
ansible_python_interpreter: "{{
KEY_CLI.vars.keystone_client_python_interpreter }}"
when: KEY_API.old_vars is defined
07070100000018000081A40000000000000000000000015DC451BB000005C3000000000000000000000000000000000000004400000000ardana-keystone-8.0+git.1573147067.09e3ea0/keystone-reconfigure.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- hosts: KEY-API
roles:
- KEY-API
tasks:
- include: roles/KEY-API/tasks/reconfigure.yml
ansible_python_interpreter: "{{
KEY_CLI.vars.keystone_client_python_interpreter }}"
# Split the tasks to enable serial restart
- hosts: KEY-API
serial: "50%"
roles:
- role: KEY-API
tasks:
- include: roles/KEY-API/tasks/start.yml
# Register endpoint using keystone client.
- hosts: KEY-API
roles:
- role: keystone-post-configure
tasks:
- include: roles/keystone-post-configure/tasks/services_conf.yml
ansible_python_interpreter: "{{
KEY_CLI.vars.keystone_client_python_interpreter }}"
- include: keystone-configure-monasca.yml
# If radosgw is configured, service endpoints for swift need updates
- include: ses-reconfigure.yml
- include: _swift-post-configure.yml
07070100000019000081A40000000000000000000000015DC451BB0000028D000000000000000000000000000000000000004000000000ardana-keystone-8.0+git.1573147067.09e3ea0/keystone-restart.yml#
# (c) Copyright 2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- include: _keystone-schedule-restart.yml
- include: keystone-start.yml
0707010000001A000081A40000000000000000000000015DC451BB000002EC000000000000000000000000000000000000003E00000000ardana-keystone-8.0+git.1573147067.09e3ea0/keystone-start.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- hosts: KEY-API
roles:
- role: KEY-API
tasks:
- include: roles/KEY-API/tasks/start.yml
0707010000001B000081A40000000000000000000000015DC451BB00000306000000000000000000000000000000000000003F00000000ardana-keystone-8.0+git.1573147067.09e3ea0/keystone-status.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- hosts: KEY-API
max_fail_percentage: 0
roles:
- role: KEY-API
tasks:
- include: roles/KEY-API/tasks/status.yml
0707010000001C000081A40000000000000000000000015DC451BB000002BD000000000000000000000000000000000000005200000000ardana-keystone-8.0+git.1573147067.09e3ea0/keystone-stop-fernet-auto-rotation.yml#
# (c) Copyright 2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- hosts: KEY-API
roles:
- role: KEY-API
tasks:
- include: roles/KEY-API/tasks/_stop_fernet_auto_rotation.yml
0707010000001D000081A40000000000000000000000015DC451BB000002EB000000000000000000000000000000000000003D00000000ardana-keystone-8.0+git.1573147067.09e3ea0/keystone-stop.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- hosts: KEY-API
roles:
- role: KEY-API
tasks:
- include: roles/KEY-API/tasks/stop.yml
0707010000001E000081A40000000000000000000000015DC451BB0000062C000000000000000000000000000000000000004000000000ardana-keystone-8.0+git.1573147067.09e3ea0/keystone-upgrade.yml#
# (c) Copyright 2015-2017 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- include: keystone-status.yml
- hosts: KEY-API
roles:
- role: KEY-API
tasks:
- include: roles/KEY-API/tasks/install.yml
- hosts: KEY-API
roles:
- role: KEY-API
tasks:
- include: roles/KEY-API/tasks/db_configure.yml
- hosts: KEY-API
roles:
- KEY-API
tasks:
- include: roles/KEY-API/tasks/configure.yml
ansible_python_interpreter: "{{
KEY_CLI.vars.keystone_client_python_interpreter }}"
- hosts: KEY-API
serial: 1
roles:
- role: KEY-API
tasks:
- include: roles/KEY-API/tasks/start.yml
# provision any new users, services, endpoints, etc.
# NOTE: all operations should be idempotent
- hosts: KEY-API
roles:
- role: keystone-post-configure
tasks:
- include: roles/keystone-post-configure/tasks/keystone_provision_accts.yml
ansible_python_interpreter: "{{
KEY_CLI.vars.keystone_client_python_interpreter }}"
- include: keystone-status.yml
0707010000001F000041ED0000000000000000000000025DC451BB00000000000000000000000000000000000000000000003300000000ardana-keystone-8.0+git.1573147067.09e3ea0/library07070100000020000081A40000000000000000000000015DC451BB0000346E000000000000000000000000000000000000004A00000000ardana-keystone-8.0+git.1573147067.09e3ea0/library/keystone_federation.py#!/usr/bin/python
#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# -*- coding: utf-8 -*-
DOCUMENTATION = '''
---
module: keystone_federation
version_added: "1.0"
short_description: Manage federation APIs, Identity Providers, Protocols,
Mappings, Service Providers
description:
- Manage federation APIs from OpenStack.
- Authentication should be added to each call with
token/domain scope token cred/project scope token credentials
Examples below uses token, instead you can also specify login credentials
requirements: [ python-keystoneclient ]
author: Sam Leong
'''
EXAMPLES = '''
# Create an identity provider
- keystone_federation: action="create_identity_provider"
login_token=admin
identity_provider_id="Foo"
description="Foo Identity Provider"
endpoint=https://keystone:35357/v3
# Create a mapping
- keystone_federation: action="create_mapping"
login_token=admin
mapping_id="My_mapping"
rules="{mapping:...}"
# Create a protocol
- keystone_federation: action="create_protocol"
protocol_id="My_protocol"
identity_provider_id="Foo"
mapping_id="My_mapping"
'''
from ansible.module_utils.basic import *
from ansible.module_utils.database import *
from keystoneclient import exceptions
from keystoneclient import session
from keystoneclient.auth import token_endpoint
from keystoneclient.auth.identity import v3
from keystoneclient.v3 import client as v3client
def _get_client(auth_url=None, token=None, insecure=False, ca_cert=None):
"""Return a ks_client client object"""
auth_plugin = token_endpoint.Token(endpoint=auth_url, token=token)
if not insecure:
# Caller wants cert verification
verify = ca_cert or True
# Client cert is not supported now.
# Will add it later with cert=client_cert option
auth_session = session.Session(
auth=auth_plugin, verify=verify)
return v3client.Client(auth_url=auth_url, session=auth_session)
def _find_identity_provider(ks_client, identity_provider_id=None):
try:
return ks_client.federation.identity_providers.get(
identity_provider=identity_provider_id)
except exceptions.NotFound:
return None
def _find_protocol(ks_client, identity_provider_id=None, protocol_id=None):
try:
return ks_client.federation.protocols.get(
identity_provider=identity_provider_id,
protocol=protocol_id)
except exceptions.NotFound:
return None
def _find_mapping(ks_client, mapping_id=None):
try:
return ks_client.federation.mappings.get(mapping=mapping_id)
except exceptions.NotFound:
return None
def _find_service_provider(ks_client, service_provider_id=None):
try:
return ks_client.federation.service_providers.get(
service_provider=service_provider_id)
except exceptions.NotFound:
return None
def find_identity_provider(ks_client, identity_provider_id=None):
identity_provider = _find_identity_provider(
ks_client,
identity_provider_id=identity_provider_id)
if identity_provider is not None:
return True, identity_provider
return False, None
def delete_identity_provider(ks_client, identity_provider_id=None):
identity_provider = _find_identity_provider(
ks_client,
identity_provider_id=identity_provider_id)
if identity_provider is not None:
ks_client.federation.identity_providers.update(
identity_provider=identity_provider_id, enabled=False)
ks_client.federation.identity_providers.delete(
identity_provider=identity_provider_id)
return True, identity_provider
# identity_provider with that Id doesn't exist
return False, None
def create_identity_provider(ks_client, identity_provider_id=None,
enabled=True, description=None, remote_id=None):
identity_provider = _find_identity_provider(
ks_client,
identity_provider_id=identity_provider_id)
if identity_provider is not None:
delete_identity_provider(
ks_client,
identity_provider_id=identity_provider_id)
# identity_provider with that Id doesn't exist
remote_ids = []
if remote_id:
remote_ids.append(remote_id)
identity_provider = ks_client.federation.identity_providers.create(
id=identity_provider_id,
enabled=enabled,
description=description,
remote_ids=remote_ids)
return True, identity_provider
def find_protocol(ks_client, identity_provider_id=None, protocol_id=None):
protocol = _find_protocol(ks_client,
identity_provider_id=identity_provider_id,
protocol_id=protocol_id)
if protocol is not None:
return True, protocol
return False, None
def delete_protocol(ks_client, identity_provider_id=None, protocol_id=None):
protocol = _find_protocol(ks_client,
identity_provider_id=identity_provider_id,
protocol_id=protocol_id)
if protocol is not None:
ks_client.federation.protocols.delete(
identity_provider=identity_provider_id,
protocol=protocol_id)
return True, protocol
return False, protocol
def create_protocol(ks_client, protocol_id=None, identity_provider_id=None,
mapping_id=None):
protocol = _find_protocol(ks_client,
identity_provider_id=identity_provider_id,
protocol_id=protocol_id)
if protocol is not None:
delete_protocol(ks_client,
identity_provider_id=identity_provider_id,
protocol_id=protocol_id)
protocol = ks_client.federation.protocols.create(
protocol_id=protocol_id,
identity_provider=identity_provider_id,
mapping=mapping_id)
return True, protocol
def find_mapping(ks_client, mapping_id=None):
mapping = _find_mapping(ks_client, mapping_id=mapping_id)
if mapping is not None:
return True, mapping
return False, None
def delete_mapping(ks_client, mapping_id=None):
mapping = _find_mapping(ks_client, mapping_id=mapping_id)
if mapping is not None:
ks_client.federation.mappings.delete(mapping=mapping_id)
return True, mapping
return False, mapping
def create_mapping(ks_client, mapping_id=None, rules=None):
mapping = _find_mapping(ks_client, mapping_id=mapping_id)
if mapping is not None:
delete_mapping(ks_client, mapping_id=mapping_id)
mapping = ks_client.federation.mappings.create(mapping_id=mapping_id,
rules=rules)
return True, mapping
def find_service_provider(ks_client, service_provider_id=None):
sp = _find_service_provider(ks_client,
service_provider_id=service_provider_id)
if sp is not None:
return True, sp
return False, None
def delete_service_provider(ks_client, service_provider_id=None):
sp = _find_service_provider(ks_client,
service_provider_id=service_provider_id)
if sp is not None:
ks_client.federation.service_providers.update(
service_provider=service_provider_id, enabled=False)
ks_client.federation.service_providers.delete(
service_provider=service_provider_id)
return True, sp
return False, sp
def create_service_provider(ks_client, service_provider_id=None, auth_url=None,
enabled=True, description=None, sp_url=None):
sp = _find_service_provider(ks_client,
service_provider_id=service_provider_id)
if sp is not None:
delete_service_provider(ks_client,
service_provider_id=service_provider_id)
sp = ks_client.federation.service_providers.create(id=service_provider_id,
auth_url=auth_url,
enabled=enabled,
description=description,
sp_url=sp_url)
return True, sp
dispatch_map = {
"find_identity_provider": find_identity_provider,
"delete_identity_provider": delete_identity_provider,
"create_identity_provider": create_identity_provider,
"find_protocol": find_protocol,
"delete_protocol": delete_protocol,
"create_protocol": create_protocol,
"find_mapping": find_mapping,
"delete_mapping": delete_mapping,
"create_mapping": create_mapping,
"find_service_provider": find_service_provider,
"delete_service_provider": delete_service_provider,
"create_service_provider": create_service_provider,
}
def process_params(module):
identity_provider_id = module.params.get("identity_provider_id", None)
description = module.params.get("description", None)
remote_id = module.params.get("remote_id", None)
protocol_id = module.params.get("protocol_id", None)
mapping_id = module.params.get("mapping_id", None)
rules = module.params.get("rules", None)
service_provider_id = module.params.get("service_provider_id", None)
auth_url = module.params.get("auth_url", None)
sp_url = module.params.get("sp_url", None)
action = module.params["action"]
if action not in dispatch_map:
raise RuntimeError("unknown action: {}".format(action))
if action in ["find_identity_provider", "delete_identity_provider"]:
return dict(identity_provider_id=identity_provider_id)
elif action == "create_identity_provider":
return dict(identity_provider_id=identity_provider_id,
description=description,
remote_id=remote_id)
elif action in ["find_protocol", "delete_protocol"]:
return dict(identity_provider_id=identity_provider_id,
protocol_id=protocol_id)
elif action == "create_protocol":
return dict(protocol_id=protocol_id,
identity_provider_id=identity_provider_id,
mapping_id=mapping_id)
elif action in ["find_mapping", "delete_mapping"]:
return dict(mapping_id=mapping_id)
elif action == "create_mapping":
return dict(mapping_id=mapping_id, rules=rules)
elif action in ["find_service_provider", "delete_service_provider"]:
return dict(service_provider_id=service_provider_id)
elif action == "create_service_provider":
return dict(service_provider_id=service_provider_id, auth_url=auth_url,
description=description, sp_url=sp_url)
else:
raise NotImplementedError(action)
def get_client(module):
auth_url = module.params.get("endpoint")
token = module.params.get("login_token")
insecure = module.params.get("insecure")
cacert = module.params.get("cacert")
ks_client = _get_client(
auth_url=auth_url, token=token,
insecure=insecure, ca_cert=cacert)
return ks_client
def process_module_action(module):
ks_client = get_client(module)
action = module.params["action"]
kwargs = process_params(module)
try:
result = dispatch_map[action](ks_client, **kwargs)
except Exception as e:
module.fail_json(msg="%s, failed" % e)
else:
status, resource_data = result
if hasattr(resource_data, '_info'):
resource_data = resource_data._info
data = dict(changed=status, result=resource_data)
module.exit_json(**data)
def main():
supported_actions = dispatch_map.keys()
argument_spec = dict(
login_token=dict(default=None, no_log=True),
insecure=dict(default=None),
cacert=dict(default=None),
endpoint=dict(default=None),
description=dict(default="Created by Ansible keystone_v3"),
identity_provider_id=dict(default=None),
remote_id=dict(default=None),
protocol_id=dict(default=None),
mapping_id=dict(default=None),
rules=dict(default=None),
service_provider_id=dict(default=None),
sp_url=dict(default=None),
auth_url=dict(default=None),
action=dict(default=None, required=True, choices=supported_actions)
)
module = AnsibleModule(argument_spec=argument_spec,
supports_check_mode=False)
process_module_action(module)
if __name__ == '__main__':
main()
07070100000021000081A40000000000000000000000015DC451BB0000897F000000000000000000000000000000000000004200000000ardana-keystone-8.0+git.1573147067.09e3ea0/library/keystone_v3.py#!/usr/bin/python
#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# -*- coding: utf-8 -*-
from __builtin__ import False
DOCUMENTATION = '''
---
module: keystone_v3
version_added: "1.0"
short_description: Manage OpenStack Identity (keystone v3) users, tenants and roles
description:
- Manage users,tenants, endpoints, services roles from OpenStack.
- Authentication should be added to each call with
token/domain scope token cred/project scope token credentials
Examples below uses token, instead you can also specify login credentials
requirements: [ python-keystoneclient ]
author: Haneef Ali
'''
EXAMPLES = '''
# Create a project using ssl endpoint and insecure mode
- keystone_v3: action="create_project" project_name=demo
description="Default Tenant" project_domain_name="Default"
login_token=Mytoken endpoint=https://keystone:35357/v3
insecure=True
# Create a project using ssl endpoint passing proper certs
# /tmp/mycacert.crt should exist in target node
- keystone_v3: action="create_project" project_name=demo
description="Default Tenant" project_domain_name="Default"
login_token=Mytoken endpoint=https://keystone:35357/v3
cacert="/tmp/mycacert.crt"
# Create a project
- keystone_v3: action="create_project" project_name=demo
description="Default Tenant" project_domain_name="Default"
login_token=Mytoken endpoint=http://keystone:35357/v3
# Create a user
- keystone_v3: action="create_user" user_name=demo
description="Default User" user_domain_name="Default"
login_token=Mytoken endpoint=http://keystone:35357/v3
# Create a domain
- keystone_v3: action="create_domain" domain_name=demo
description="Default User"
login_token=Mytoken endpoint=http://keystone:35357/v3
# Create a role
- keystone_v3: action="create_domain" domain_name=demo
description="Default User"
login_token=Mytoken endpoint=http://keystone:35357/v3
# Grant admin role to the john user in the demo tenant
- keystone_v3: action="grant_project_role" project__name=demo
role_name=admin user_name=john user_domain_name=Default
project_domain_name=Default
login_token=Mytoken endpoint=http://keystone:35357/v3
# Grant admin role to the john user in the domain John_Domain
- keystone_v3: action="grant_domain_role" domain__name=John-Domain
role_name=admin user_name=john user_domain_name=Default
login_token=Mytoken endpoint=http://keystone:35357/v3
# Create a service
- keystone_v3: action="create_service" service_name=Keystone
service_type=identity description=Identity
login_token=Mytoken endpoint=http://keystone:35357/v3
# Create a endpoint
- keystone_v3: action="create_endpoint" service_name=Keystone region=myregion
public_url=http://myservice:7777/v1
internal_url=http://myservice-internal:8888/v1
admin_url=http://myservice-admin:9999/v1
login_token=Mytoken endpoint=http://keystone:35357/v3
'''
import traceback
from keystoneclient.v3 import client as v3client
from keystoneclient.auth.identity import v3
from keystoneclient.auth import token_endpoint
from keystoneclient import session
from keystoneclient import exceptions
def _get_client(auth_url=None, token=None, login_username=None, login_password=None, login_project_name=None,
login_project_domain_name=None, login_user_domain_name=None, login_domain_name=None,
insecure=False, ca_cert=None):
"""Return a ks_client client object"""
auth_plugin = None
if login_domain_name and login_project_name:
raise Exception("Token can be scoped either to project or domain. Use either domain or project")
if token:
auth_plugin = token_endpoint.Token(endpoint=auth_url, token=token)
else:
auth_plugin = v3.Password(auth_url=auth_url, username=login_username, password=login_password,
project_name=login_project_name, project_domain_name=login_project_domain_name,
user_domain_name=login_user_domain_name, domain_name=login_domain_name)
verify = False
if not insecure:
# Caller wants cert verification
verify = ca_cert or True
# Client cert is not supported now. Will add it later with cert=client_cert option
auth_session = session.Session(
auth=auth_plugin, verify=verify)
return v3client.Client(auth_url=auth_url, session=auth_session)
def _find_domain(ks_client, domain_name=None):
domains = ks_client.domains.list(name=domain_name)
return domains[0] if len(domains) else None
def _delete_domain(ks_client, domain=None):
ks_client.domains.update(domain, enabled=False)
return ks_client.domains.delete(domain)
def _create_domain(ks_client, domain_name=None, description=None):
return ks_client.domains.create(name=domain_name, description=description)
def _find_user(ks_client, domain_name=None, user_name=None):
domain = _find_domain(ks_client, domain_name=domain_name)
if domain:
users = ks_client.users.list(domain=domain, name=user_name)
if len(users):
return users[0]
def _create_user(ks_client, user_name=None, user_password=None, domain_name=None,
email=None, description=None):
domain = _find_domain(ks_client, domain_name)
return ks_client.users.create(name=user_name, password=user_password,
description=description,
email=email, domain=domain)
def _delete_user(ks_client, user=None):
ks_client.users.update(user=user, enabled=False)
ks_client.users.delete(user=user)
def _update_user(ks_client, user=None, **kwargs):
ks_client.users.update(user=user, **kwargs)
def _find_project(ks_client, domain_name=None, project_name=None):
domain = _find_domain(ks_client, domain_name=domain_name)
if domain:
projects = ks_client.projects.list(domain=domain, name=project_name)
if len(projects):
return projects[0]
def _create_project(ks_client, project_name=None, domain_name=None,
description=None):
domain = _find_domain(ks_client, domain_name)
return ks_client.projects.create(name=project_name,
description=description,
domain=domain)
def _delete_project(ks_client, project=None):
ks_client.projects.update(project=project, enabled=False)
ks_client.projects.delete(project=project)
def _find_group(ks_client, domain_name=None, group_name=None):
domain = _find_domain(ks_client, domain_name=domain_name)
if domain:
groups = ks_client.groups.list(domain=domain, name=group_name)
if len(groups):
return groups[0]
def _create_group(ks_client, group_name=None, domain_name=None,
description=None):
domain = _find_domain(ks_client, domain_name)
return ks_client.groups.create(name=group_name,
description=description,
domain=domain)
def _delete_group(ks_client, group=None):
ks_client.groups.update(group=group, enabled=False)
ks_client.groups.delete(group=group)
def _find_role(ks_client, role_name=None):
roles = ks_client.roles.list(name=role_name)
return roles[0] if len(roles) else None
def _delete_role(ks_client, role=None):
return ks_client.roles.delete(role)
def _create_role(ks_client, role_name=None, description=None):
return ks_client.roles.create(name=role_name, description=description)
def _grant_roles(ks_client, role=None, project=None, user=None,
group=None, domain=None):
return ks_client.roles.grant(role=role, project=project, user=user,
group=group, domain=domain)
def _revoke_roles(ks_client, role=None, project=None,
user=None, group=None, domain=None):
return ks_client.roles.revoke(role=role, project=project,
user=user, group=group, domain=domain)
def _find_service(ks_client, service_name=None, service_type=None):
services = ks_client.services.list(name=service_name,
type=service_type)
return services[0] if len(services) else None
def _create_service(ks_client, service_name=None, service_type=None,
description=None):
return ks_client.services.create(name=service_name, type=service_type,
description=description)
def _delete_service(ks_client, service_name=None):
service = ks_client.services.get(service_name)
if service:
ks_client.services.delete(service)
return service_name
def _find_endpoint(ks_client, service=None, interface=None, region=None):
endpoints = ks_client.endpoints.list(service=service, interface=interface)
for ep in endpoints:
if not region or ep.region == region:
return ep
return None
def _create_endpoint(ks_client, service=None, url=None,
interface=None, region=None):
return ks_client.endpoints.create(service=service, url=url,
interface=interface, region=region)
def _update_endpoint(ks_client, endpoint=None, url=None,
interface=None, region=None):
return ks_client.endpoints.update(endpoint=endpoint, url=url,
interface=interface, region=region)
def find_domain(ks_client, domain_name=None):
domain = _find_domain(ks_client, domain_name=domain_name)
result, domain = (True, domain) if (domain) else (False, None)
return result, domain
def create_domain(ks_client, domain_name=None, description=None):
domain = _find_domain(ks_client, domain_name=domain_name)
if domain:
return (False, domain)
# Domain with that name doesn't exist
domain = _create_domain(
ks_client, domain_name=domain_name, description=description)
return (True, domain)
def delete_domain(ks_client, domain_name=None):
domain = _find_domain(ks_client, domain_name=domain_name)
if domain:
_delete_domain(ks_client, domain=domain)
return (True, domain)
# Domain with that name doesn't exist
return (False, None)
def find_user(ks_client, user_name=None, domain_name=None):
user = _find_user(ks_client, domain_name=domain_name, user_name=user_name)
result, user = (True, user) if user else (False, None)
return result, user
def create_user(ks_client, user_name=None, user_password=None, domain_name=None,
email=None, description=None):
user = _find_user(ks_client, user_name=user_name, domain_name=domain_name)
if user:
kwargs = dict(password=user_password, email=None, description=None)
_update_user(ks_client, user=user, **kwargs)
return (True, user)
# User with that name doesn't exist
user = _create_user(ks_client, user_name=user_name,
user_password=user_password, domain_name=domain_name,
email=email, description=description)
return (True, user)
def delete_user(ks_client, user_name=None, domain_name=None):
user = _find_user(ks_client, domain_name=domain_name, user_name=user_name)
if user:
_delete_user(ks_client, user=user)
return (True, user)
# User with that name doesn't exist
return (False, None)
def update_user(ks_client, user_name=None, domain_name=None, user_password=None):
user = _find_user(ks_client, domain_name=domain_name, user_name=user_name)
if user:
_update_user(ks_client, user=user, password=user_password)
return (True, user)
# User with that name doesn't exist
return (False, None)
def find_group(ks_client, group_name=None, domain_name=None):
group = _find_group(ks_client, domain_name=domain_name, group_name=group_name)
result, group = (True, group) if group else (False, None)
return result, group
def create_group(ks_client, group_name=None, domain_name=None, description=None):
group = _find_group(ks_client, group_name=group_name, domain_name=domain_name)
if group:
return (False, group)
# User with that name doesn't exist
group = _create_group(ks_client, group_name=group_name,
domain_name=domain_name, description=description)
return (True, group)
def delete_group(ks_client, group_name=None, domain_name=None):
group = _find_group(ks_client, domain_name=domain_name, group_name=group_name)
if group:
_delete_group(ks_client, group=group)
return (True, group)
# Group with that name doesn't exist
return (False, None)
def find_project(ks_client, project_name=None, domain_name=None):
project = _find_project(
ks_client, domain_name=domain_name, project_name=project_name)
result, project = (True, project) if project else (False, None)
return result, project
def create_project(ks_client, project_name=None, domain_name=None,
description=None):
project = _find_project(
ks_client, project_name=project_name, domain_name=domain_name)
if project:
return (False, project)
# Project with that name doesn't exist
project = _create_project(ks_client, project_name=project_name,
domain_name=domain_name, description=description)
return (True, project)
def delete_project(ks_client, project_name=None, domain_name=None):
project = _find_project(
ks_client, domain_name=domain_name, project_name=project_name)
if project:
_delete_project(ks_client, project=project)
return (True, project)
# Project with that name doesn't exist
return (False, None)
def find_role(ks_client, role_name=None):
role = _find_role(ks_client, role_name=role_name)
result, role = (True, role) if (role) else (False, None)
return result, role
def create_role(ks_client, role_name=None, description=None):
role = _find_role(ks_client, role_name=role_name)
if role:
return (False, role)
# role with that name doesn't exist
role = _create_role(
ks_client, role_name=role_name, description=description)
return (True, role)
def delete_role(ks_client, role_name=None):
role = _find_role(ks_client, role_name=role_name)
if role:
_delete_role(ks_client, role=role)
return (True, role)
# role with that name doesn't exist
return (False, None)
def _find_project_role_assignment(ks_client, role_name=None, user_name=None,
group_name=None, project_name=None,
group_domain_name=None,
user_domain_name=None, project_domain_name=None):
role = _find_role(ks_client, role_name=role_name)
user = group = None
if user_name:
user = _find_user(
ks_client, user_name=user_name, domain_name=user_domain_name)
elif group_name:
group = _find_group(ks_client, group_name=group_name, domain_name=group_domain_name)
project = _find_project(
ks_client, project_name=project_name, domain_name=project_domain_name)
ret = False
if (user or group and role and project):
try:
ret = ks_client.roles.check(role=role, user=user, group=group, project=project)
except Exception as e:
if not isinstance(e, exceptions.NotFound):
raise
return (ret, role, user, group, project)
def _grant_or_revoke_project_role(ks_client, role_name=None, user_name=None, group_name=None,
group_domain_name=None,
project_name=None, user_domain_name=None,
project_domain_name=None, grant=True):
(assignment_status, role, user, group, project) = _find_project_role_assignment(ks_client, role_name=role_name,
user_name=user_name, group_name=group_name,
group_domain_name=group_domain_name, project_name=project_name,
user_domain_name=user_domain_name, project_domain_name=project_domain_name)
if assignment_status and grant:
return (False, "Already assigned")
if not assignment_status and not grant:
return (False, "Already revoked")
if (user or group and role and project):
if (grant):
_grant_roles(ks_client, role=role, project=project, user=user, group=group)
else:
_revoke_roles(ks_client, role=role, project=project, user=user, group=group)
return (True, "OK")
return (False, "Not able to find user/role/project with the given inputs")
def _find_domain_role_assignment(ks_client, role_name=None, user_name=None,
user_domain_name=None, domain_name=None):
role = _find_role(ks_client, role_name=role_name)
user = _find_user(
ks_client, user_name=user_name, domain_name=user_domain_name)
domain = _find_domain(ks_client, domain_name=domain_name)
ret = False
if (user and role and domain):
try:
ret = ks_client.roles.check(role=role, user=user, domain=domain)
except Exception as e:
if not isinstance(e, exceptions.NotFound):
raise
return (ret, role, user, domain)
def _grant_or_revoke_domain_role(ks_client, role_name=None, user_name=None,
user_domain_name=None, domain_name=None, grant=True):
(assignment_status, role, user, domain) = _find_domain_role_assignment(ks_client, role_name=role_name,
user_name=user_name, user_domain_name=user_domain_name, domain_name=domain_name)
if assignment_status and grant:
return (False, "Already assigned")
if not assignment_status and not grant:
return (False, "Already revoked")
if (user and role and domain):
if (grant):
_grant_roles(ks_client, role=role, domain=domain, user=user)
else:
_revoke_roles(ks_client, role=role, domain=domain, user=user)
return (True, "OK")
return (False, "Not able to find user/role/domain with the given inputs")
def grant_project_role(ks_client, role_name=None, user_name=None, project_name=None,
user_domain_name=None, project_domain_name=None):
return _grant_or_revoke_project_role(ks_client, role_name=role_name, user_name=user_name,
project_name=project_name, user_domain_name=user_domain_name,
project_domain_name=project_domain_name, grant=True)
def grant_project_role_on_group(ks_client, role_name=None, group_name=None, group_domain_name=None,
project_name=None, project_domain_name=None):
return _grant_or_revoke_project_role(ks_client, role_name=role_name, group_name=group_name,
group_domain_name=group_domain_name,
project_name=project_name,
project_domain_name=project_domain_name,
grant=True)
def revoke_project_role(ks_client, role_name=None, user_name=None, project_name=None,
user_domain_name=None, project_domain_name=None):
return _grant_or_revoke_project_role(ks_client, role_name=role_name, user_name=user_name,
project_name=project_name, user_domain_name=user_domain_name,
project_domain_name=project_domain_name, grant=False)
def revoke_project_role_on_group(ks_client, role_name=None, group_name=None,
group_domain_name=None,
project_name=None, project_domain_name=None):
return _grant_or_revoke_project_role(ks_client, role_name=role_name, group_name=group_name,
group_domain_name=group_domain_name, project_name=project_name,
project_domain_name=project_domain_name,
grant=False)
def grant_domain_role(ks_client, role_name=None, user_name=None, domain_name=None,
user_domain_name=None):
return _grant_or_revoke_domain_role(ks_client, role_name=role_name, user_name=user_name,
user_domain_name=user_domain_name,
domain_name=domain_name, grant=True)
def revoke_domain_role(ks_client, role_name=None, user_name=None, domain_name=None,
user_domain_name=None):
return _grant_or_revoke_domain_role(ks_client, role_name=role_name, user_name=user_name,
user_domain_name=user_domain_name,
domain_name=domain_name, grant=False)
def create_service(ks_client, service_name=None, service_type=None,
description=None):
service = _find_service(ks_client, service_name=service_name,
service_type=service_type)
if service:
return (False, service)
# Service with that name doesn't exist
service = _create_service(
ks_client, service_name=service_name, service_type=service_type,
description=description)
return (True, service)
def delete_service(ks_client, service_name=None, service_type=None):
service = _find_service(ks_client, service_name=service_name,
service_type=service_type)
if not service:
return (False, service)
service = _delete_service(ks_client, service)
return (True, service)
def create_endpoint(ks_client, service_name=None, region=None,
admin_url=None, internal_url=None,
public_url=None):
service = _find_service(ks_client, service_name=service_name)
if not service:
raise Exception("Service with the name=%s doesn't exist" %(service_name))
changed = False
changed_ep = []
if public_url:
public_endpoint = _find_endpoint(ks_client, service=service, interface="public", region=region)
if public_endpoint:
changed, ep = update_endpoint(ks_client, region=region,
public_url=public_url, public_endpoint=public_endpoint)
if changed:
changed_ep.append(ep[0])
else:
changed_ep.append(public_endpoint._info)
else:
changed = True
ep = _create_endpoint(ks_client, service=service,
interface="public", region=region,
url=public_url)
changed_ep.append(ep._info)
if admin_url:
admin_endpoint = _find_endpoint(ks_client, service=service, interface="admin", region=region)
if admin_endpoint:
changed, ep = update_endpoint(ks_client, region=region,
admin_url=admin_url, admin_endpoint=admin_endpoint)
if changed:
changed_ep.append(ep[0])
else:
changed_ep.append(admin_endpoint._info)
else:
changed = True
ep = _create_endpoint(ks_client, service=service,
interface="admin", region=region,
url=admin_url)
changed_ep.append(ep._info)
if internal_url:
internal_endpoint = _find_endpoint(ks_client, service=service, interface="internal", region=region)
if internal_endpoint:
changed, ep = update_endpoint(ks_client, region=region,
internal_url=internal_url, internal_endpoint=internal_endpoint)
if changed:
changed_ep.append(ep[0])
else:
changed_ep.append(internal_endpoint._info)
else:
changed = True
ep = _create_endpoint(ks_client, service=service,
interface="internal", region=region,
url=internal_url)
changed_ep.append(ep._info)
return changed, changed_ep
def update_endpoint(ks_client, region=None,
admin_url=None, internal_url=None,
public_url=None, admin_endpoint=None,
internal_endpoint=None, public_endpoint=None):
changed = False
changed_ep = []
if public_url and public_endpoint:
if public_endpoint.url != public_url:
ep = _update_endpoint(
ks_client, endpoint=public_endpoint, interface="public", region=region,
url=public_url)
changed = True
changed_ep.append(ep._info)
if admin_url and admin_endpoint:
if admin_endpoint.url != admin_url:
ep = _update_endpoint(
ks_client, endpoint=admin_endpoint, interface="admin", region=region,
url=admin_url)
changed = True
changed_ep.append(ep._info)
if internal_url and internal_endpoint:
if internal_endpoint.url != internal_url:
ep = _update_endpoint(
ks_client, endpoint=internal_endpoint, interface="internal", region=region,
url=internal_url)
changed = True
changed_ep.append(ep._info)
return changed, changed_ep
def get_login_token(ks_client):
session = ks_client.session
auth_headers = session.get_auth_headers()
token = auth_headers.get('X-Auth-Token')
return (True, token)
def process_params(module):
user_name = module.params.get("user_name", None)
group_name = module.params.get("group_name", None)
user_password = module.params.get("user_password", None)
email = module.params.get("email", None)
description = module.params.get("description", None)
user_domain_name = module.params.get("user_domain_name", None)
group_domain_name = module.params.get("group_domain_name", None)
domain_name = module.params.get("domain_name", None)
project_name = module.params.get("project_name", None)
project_domain_name = module.params.get("project_domain_name", None)
role_name = module.params.get("role_name", None)
service_name = module.params.get("service_name", None)
service_type = module.params.get("service_type", None)
region = module.params.get("region", None)
admin_url = module.params.get("admin_url", None)
internal_url = module.params.get("internal_url", None)
public_url = module.params.get("public_url", None)
action = module.params["action"]
if (action == "token_get" ):
kwargs = dict()
elif (action == "find_domain" or action == "delete_domain"):
kwargs = dict(domain_name=domain_name)
elif (action == "create_domain"):
kwargs = dict(domain_name=domain_name, description=description)
elif (action == "find_user" or action == "delete_user"):
kwargs = dict(domain_name=user_domain_name, user_name=user_name)
elif (action == "create_user"):
kwargs = dict(domain_name=user_domain_name, description=description, user_name=user_name,
email=email, user_password=user_password)
elif (action == "find_project" or action == "delete_project"):
kwargs = dict(
domain_name=project_domain_name, project_name=project_name)
elif (action == "create_project"):
kwargs = dict(domain_name=project_domain_name, description=description,
project_name=project_name)
elif (action == "find_role" or action == "delete_role"):
kwargs = dict(role_name=role_name)
elif (action == "create_role"):
kwargs = dict(role_name=role_name, description=description)
elif (action == "grant_project_role" or action == "revoke_project_role"):
kwargs = dict(role_name=role_name, user_name=user_name,
user_domain_name=user_domain_name, project_name=project_name,
project_domain_name=project_domain_name)
elif (action in ["grant_project_role_on_group", "revoke_project_role_on_group"]):
kwargs = dict(role_name=role_name, group_name=group_name, group_domain_name=group_domain_name,
project_name=project_name, project_domain_name=project_domain_name)
elif (action == "grant_domain_role" or action == "revoke_domain_role"):
kwargs = dict(role_name=role_name, user_name=user_name,
user_domain_name=user_domain_name,
domain_name=domain_name)
elif (action == "create_service"):
kwargs = dict(service_name=service_name, service_type=service_type,
description=description)
elif (action == "delete_service"):
kwargs = dict(service_name=service_name, service_type=service_type)
elif (action == "create_endpoint"):
kwargs = dict(service_name=service_name, region=region,
admin_url=admin_url, internal_url=internal_url,
public_url=public_url)
elif (action == "reset_password_by_admin"):
kwargs = dict(domain_name=user_domain_name, user_name=user_name,
user_password=user_password)
elif (action == "create_group"):
kwargs = dict(group_name=group_name, domain_name=domain_name,
description=description)
elif (action == "find_group" or action == "delete_group"):
kwargs = dict(group_name=group_name, domain_name=domain_name)
return kwargs
dispatch_map = {
"find_domain": find_domain,
"delete_domain": delete_domain,
"create_domain": create_domain,
"find_user": find_user,
"delete_user": delete_user,
"create_user": create_user,
"find_project": find_project,
"delete_project": delete_project,
"create_project": create_project,
"find_role": find_role,
"delete_role": delete_role,
"create_role": create_role,
"grant_project_role": grant_project_role,
"revoke_project_role": revoke_project_role,
"grant_project_role_on_group": grant_project_role_on_group,
"revoke_project_role_on_group": revoke_project_role_on_group,
"grant_domain_role": grant_domain_role,
"revoke_domain_role": revoke_domain_role,
"create_service": create_service,
"delete_service": delete_service,
"create_endpoint": create_endpoint,
"find_group": find_group,
"delete_group": delete_group,
"create_group": create_group,
"token_get": get_login_token,
"reset_password_by_admin": update_user
}
def get_client(module):
login_username = module.params.get("login_username")
login_project_name = module.params.get("login_project_name")
login_user_domain_name = module.params.get("login_user_domain_name")
login_project_domain_name = module.params.get("login_project_domain_name")
login_password = module.params.get("login_password")
login_domain_name = module.params.get("login_domain_name")
auth_url = module.params.get("endpoint")
token = module.params.get("login_token")
insecure = module.params.get("insecure")
cacert = module.params.get("cacert")
ks_client = _get_client(login_username=login_username,
login_project_name=login_project_name,
login_user_domain_name=login_user_domain_name,
login_project_domain_name=login_project_domain_name,
login_password=login_password,
login_domain_name=login_domain_name,
auth_url=auth_url, token=token,
insecure=insecure, ca_cert=cacert)
return ks_client
def process_module_action(module):
ks_client = get_client(module)
action = module.params["action"]
kwargs = process_params(module)
try:
result = dispatch_map[action](ks_client, **kwargs)
except Exception as e:
tb = traceback.format_exc()
failed_msg = "%s: %s" % (e, tb)
module.fail_json(msg="%s, failed" % failed_msg)
else:
status, resource_data = result
if hasattr(resource_data, '_info'):
resource_data = resource_data._info
data = dict(changed=status, result=resource_data)
module.exit_json(**data)
def main():
supported_actions = dispatch_map.keys()
argument_spec = dict(
login_username=dict(default=None),
login_password=dict(default=None, no_log=True),
login_project_name=dict(default=None),
login_project_domain_name=dict(default=None),
login_user_domain_name=dict(default=None),
login_domain_name=dict(default=None),
login_token=dict(default=None, no_log=True),
insecure=dict(default=None),
cacert=dict(default="/etc/ssl/ca-bundle.pem"),
endpoint=dict(default=None),
description=dict(default="Created by Ansible keystone_v3"),
email=dict(default=None),
user_name=dict(default=None),
user_password=dict(default=None, no_log=True),
user_domain_name=dict(default=None),
project_name=dict(default=None),
project_domain_name=dict(default=None),
domain_name=dict(default=None),
role_name=dict(default=None),
group_name=dict(default=None),
group_domain_name=dict(default=None),
service_name=dict(default=None),
service_type=dict(default=None),
region=dict(default=None),
admin_url=dict(default=None),
public_url=dict(default=None),
internal_url=dict(default=None),
action=dict(default=None, required=True, choices=supported_actions)
)
module = AnsibleModule(
argument_spec=argument_spec, supports_check_mode=False)
process_module_action(module)
from ansible.module_utils.basic import *
from ansible.module_utils.database import *
if __name__ == '__main__':
main()
07070100000022000041ED0000000000000000000000065DC451BB00000000000000000000000000000000000000000000003100000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles07070100000023000041ED0000000000000000000000095DC451BB00000000000000000000000000000000000000000000003900000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API07070100000024000081A40000000000000000000000015DC451BB00002D64000000000000000000000000000000000000004300000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/README.md
(c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
(c) Copyright 2017 SUSE LLC
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
80README
======
There are different configurable entries for keystone
1. Configuration entries that go into keystone.conf
2. Deployment specific configuration which are not part of keystone.conf like
log_level,process count etc.
3. Additional configuration like the domain-specific configuration or LDAP CA
certificates update.
The following section describes the mechanism used for overriding or changing those
configuration entries:
For 1: keystone.conf
- Edit the files keystone.conf.j2 located on a deployer node
/home/stack/openstack/my_cloud/config/keystone/. Modify this template file as appropriate.
- You can get default/available configuration for Liberty from
http://docs.openstack.org/liberty/config-reference/content/keystone-configuration-file.html
- Make sure you don't change any values under {{ }}
- Commit the changes and rerun playbooks of configuration processor and deployment area
preparation (refer to section Appendix A for the detail)
- Run reconfiguration playbook in deployment area:
$ cd ~/scratch/ansible/next/ardana/ansible
$ ansible-playbook -i hosts/verb_hosts keystone-reconfigure.yml
For 2: keystone deployment such as log level
- Edit respective parameters in /home/stack/openstack/my_cloud/config/keystone/keystone_deploy_config.yml.
Here you can only change values, can't add any new settings
- Commit the changes and rerun playbooks of configuration processor and deployment area
preparation (refer to section Appendix A for the detail)
- Run reconfiguration playbook in deployment area:
$ cd ~/scratch/ansible/next/ardana/ansible
$ ansible-playbook -i hosts/verb_hosts keystone-reconfigure.yml
For 3.1: Domain-Specific Configuration File Store
By default, domain-specific driver configuration file store is enabled. To update configuration
for a specific LDAP domain, please see instruction below:
- Ensure that the following configuration options in the main configuration file template:
/home/stack/openstack/my_cloud/config/keystone/keystone.conf.j2
[identity]
domain_specific_drivers_enabled = True
domain_configurations_from_database = False
- Locate the file:
/home/stack/openstack/my_cloud/config/keystone/keystone_configure_ldap_sample.yml
- Save a copy of this file with a new name, for example:
/home/stack/openstack/my_cloud/config/keystone/keystone_configure_ldap_my.yml
- Edit the file to carry the correct definition of the LDAP server connection
- Commit the changes and rerun playbooks of configuration processor and deployment area
preparation (refer to section Appendix A for the detail)
- Run reconfiguration playbook in deployment area:
$ cd ~/scratch/ansible/next/ardana/ansible
$ ansible-playbook -i hosts/verb_hosts keystone-reconfigure.yml
-e@/home/stack/openstack/my_cloud/config/keystone/keystone_configure_ldap_my.yml
- Follow these same steps for each LDAP domain with which you are integrating Keystone, creating
a yaml file for each and running the reconfigure playbook once for each additional domain.
For 3.2: Set up or Switch to Domain-Specific Driver Configuration - Database Store
To set up Domain-Specific Driver Configuration - Database Store, the steps are to deploy the
Domain-Specific Driver Configuration - File Store first, as shown above in 3.1.
Then switch to the database store. Once switched, all of the domain-specific driver configuration
files shall be ignored by the system. No domain mixture of file and database stores is supported.
- Ensure that the following configuration options in the main configuration file template:
/home/stack/openstack/my_cloud/config/keystone/keystone.conf.j2
[identity]
domain_specific_drivers_enabled = True
domain_configurations_from_database = True
[domain_config]
driver = sql
- Commit the changes and rerun playbooks of configuration processor and deployment area
preparation (refer to section Appendix A for the detail)
- Run reconfiguration playbook in deployment area:
$ cd ~/scratch/ansible/next/ardana/ansible
$ ansible-playbook -i hosts/verb_hosts keystone-reconfigure.yml
- Upload the domain-specific configuration files to the database if they has not been loaded.
If they have already loaded and just like to switch back to database store mode,
then skip this upload step.
Otherwise,
-- Go to either one of control nodes Keystone deployed.
Verify domain-specific driver configuration files are located under the directory
/etc/keystone/domains with the format: keystone.<domain name>.conf
-- Use Keystone manager utility to load domain-specific configuration files to the
database. You may choose to upload all or one by one as shown below:
Upload all configuration files to the SQL database
$ keystone-manage domain_config_upload --all
or
Upload individual domain-specific configuration files by specifying the domain name:
$ keystone-manage domain_config_upload --domain-name <domain name>
If you have more than one LDAP domains to be processed, then repeat this per-domain
configuration loading step with corresponding appropriate configuration content for each
LDAP domain.
Note: Please be advised that Keystone manager utility doesn't upload domain-specific
driver configuration file the second time for the same domain.
For the management of the domain-specific driver configuration in the database store,
you may refer to Domain-Specific Driver Configuration - Database Store Management
via Identity API.
For 3.3: Updating LDAP CA certificates
- Locate the file keystone_configure_ldap_certs_sample.yml
/home/stack/openstack/my_cloud/config/keystone/keystone_configure_ldap_certs_sample.yml
- Save a copy of this file with a new name, for example:
/home/stack/openstack/my_cloud/config/keystone/keystone_configure_ldap_certs_update.yml
- Edit the file and specify the correct single file path name for the ldap certicicates.
This file pathname has to be consistent with the domain-specific configuration
tls_cacertfile file pathname.
- Edit the file and populate or update it with ldap CA certificates for all domains
- Commit the changes and rerun playbooks of configuration processor and deployment area
preparation (refer to section Appendix A for the detail)
- Run reconfiguration playbook in deployment area:
$ cd ~/scratch/ansible/next/ardana/ansible
$ ansible-playbook -i hosts/verb_hosts keystone-reconfigure.yml
-e@/home/stack/openstack/my_cloud/config/keystone/keystone_configure_ldap_certs_update.yml
Enabling features in Keystone
Ardana doesn't enable all the features by default. Some of these features are tested/supported
and some of them are non-core features. Tested features can be enabled and used in production.
Non-core features can be enabled for POC or to get customer feedback. Non-core
features may require few manual configuration and may have defects. We will move an
Non-core feature to supported feature once we have resolved all the issues with it
Tested/Supported Features
Enable/Disable Keystone auditing
Keystone audit is disabled by default. The following instruction is for keystone audit only.
For the rest of Ardana OpenStack services auditing, please refer to Ardana OpenStack audit documentation for the detail.
To Enable/Disable keystone audit, do the following in the deployer node:
- Edit the file ~/openstack/my_cloud/definition/cloudConfig.yml
(All audit related configuration is defined under `audit-settings` section.)
- Case 1: Enable keystone audit
Add 'keystone' in service list of enabled-services and remove or comment out 'keystone' in
service list of disabled-services if existing. If no more item within 'disabled-services:',
then remove or comment out 'disabled-service:' as well. For example,
----------------------------------
audit-settings:
audit-dir: /var/audit
default: disabled
enabled-services:
- keystone
disabled-services:
- nova
- barbican
# - keystone
- cinder
- ceilometer
- neutron
----------------------------------
Case 2: Disable keystone audit
Add 'keystone' in service list of disabled-services and remove or comment out 'keystone' in
service list of enabled-services if existing. If no more item within enabled-services,
then remove or comment out 'enabled-services:' as well. For example,
----------------------------------
audit-settings:
audit-dir: /var/audit
default: disabled
#enabled-services:
# - keystone
disabled-services:
- nova
- barbican
- keystone
- cinder
- ceilometer
- neutron
----------------------------------
- Commit the changes and rerun playbooks of configuration processor and deployment area
preparation (refer to section Appendix A for the detail)
- Run reconfiguration playbook in deployment area:
$ cd ~/scratch/ansible/next/ardana/ansible
$ ansible-playbook -i hosts/verb_hosts keystone-reconfigure.yml
Note:
* It is incorrect to specify service name in both lists of enabled-services and
disabled-services list simultaneously. If both specified, then 'enabled-services' item
takes precedence.
* Please note that valid yaml syntax need to be followed when specifying values. If there is
no item specified in the enabled-services, then enabled-services has to be removed or
commented out. Similarly for disabled-services.
Non-core Features
Changing for UUID token to Fernet Token
- Edit the file /home/stack/openstack/my_cloud/config/keystone/keystone_deploy_config.yml.
Change the value `keystone_configure_fernet` to True to enable Fernet Token
- Commit the changes and rerun playbooks of configuration processor and deployment area
preparation (refer to section Appendix A for the detail)
- Run reconfiguration playbook in deployment area:
$ cd ~/scratch/ansible/next/ardana/ansible
$ ansible-playbook -i hosts/verb_hosts keystone-reconfigure.yml
[Appendix A]
Commit the change into local git repository, and rerun playbooks of configuration processor
and deployment area preparation:
$ cd ~/ardana
$ git checkout site
$ git add -A
$ git commit -m "type your commit message here..."
$ cd ~/openstack/ardana/ansible
$ ansible-playbook -i hosts/localhost config-processor-run.yml
$ ansible-playbook -i hosts/localhost ready-deployment.yml
07070100000025000041ED0000000000000000000000025DC451BB00000000000000000000000000000000000000000000004200000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/defaults07070100000026000081A40000000000000000000000015DC451BB00000288000000000000000000000000000000000000004B00000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/defaults/main.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
07070100000027000041ED0000000000000000000000035DC451BB00000000000000000000000000000000000000000000003F00000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/files07070100000028000041ED0000000000000000000000055DC451BB00000000000000000000000000000000000000000000004700000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/files/samples07070100000029000041ED0000000000000000000000025DC451BB00000000000000000000000000000000000000000000004B00000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/files/samples/k2k0707010000002A000081A40000000000000000000000015DC451BB000001C0000000000000000000000000000000000000005F00000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/files/samples/k2k/k2k_sp_mapping.json[
{
"local": [
{
"user": {
"name": "{0}"
}
},
{
"group": {
"name": "group1",
"domain":{
"name": "domain1"
}
}
}
],
"remote":[{
"type": "openstack_user"
},
{
"type": "Shib-Identity-Provider",
"any_one_of":[
"https://<idp_host>:5000/v3/OS-FEDERATION/saml2/idp"
]
}
]
}
]
0707010000002B000081A40000000000000000000000015DC451BB00000F7F000000000000000000000000000000000000006D00000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/files/samples/k2k/keystone_configure_idp_sample.yml#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
keystone_k2k_idp_conf:
service_provider:
-
id: z620_sp
description: This is service provider who sits on the z620 box.
sp_url: https://service_provider_host:5000
auth_url: https://service_provider_host:5000/v3
signer_cert: -----BEGIN CERTIFICATE-----\nMIIDmDCCAoACCQDS+ZDoUfrcIzANBgkqhkiG9w0BAQsFADCBjDELMAkGA1UEBhMC\nVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEjAQBgNVBAcMCVN1bm55dmFsZTEMMAoG\nA1UECgwDSFBFMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEQMA4GA1UEAwwHSzJLX0lk\nUDEeMBwGCSqGSIb3DQEJARYPazJrX2lkcEBocGUuY29tMCAXDTE1MTEyMDAxMjg1\nMFoYDzIxMTUxMDI3MDEyODUwWjCBjDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNh\nbGlmb3JuaWExEjAQBgNVBAcMCVN1bm55dmFsZTEMMAoGA1UECgwDSFBFMRQwEgYD\nVQQLDAtFbmdpbmVlcmluZzEQMA4GA1UEAwwHSzJLX0lkUDEeMBwGCSqGSIb3DQEJ\nARYPazJrX2lkcEBocGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC\nAQEA1gRiHiwSO6L5PrtroHi/f17DQBOpJ1KMnS9FOHSm1mES2xlB46y/GebGIZp+\nivUbLvbJHdi0axcA0OuzCLPx6t338npJzEELXNHhlSJ2KHUuLtdpltsFGMISFjD5\nkuQgBi4bEUyhQFRWkcgqL3fK5lwTB/YaMRMnLA67QDvSPOFcJFZIOhICY0cVKsHJ\nxxRbi8XfNZOLE65+yq5onxZuWH+Kbg7bOGBl45YXXjncjSN/LjruoDYv+PrHuCuF\n8B9k7F7PtGaYBnqf4z79DErxdjQZvJ3rN7W/qj04gcdaeAxoHy0+cCp+2zejerEh\n00ax1NYYnPRrEhrcU8wbM47UvQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQDD99xf\nDw4+XRzU5ii1YuJpIsFWxbCfCqAfBtz6WaEV/UssKiEkcsasOseQvD7EUMVRhxlP\ne+7Al/vazn4xwSJzthv3NQq5g5rAMuY9Dsu5Smyok6ygY1mAAJcLGfF2VtaaSo8B\nUGj5SN8jjhOG+Yh2aNOBt6GVJlE36oFeHRVPGByq/UEGlozEWT4qAZHql8/nQlzD\nhup36JhXxtgeP/DMQOAn7HYeVJQ6+xoUWZIQhvrlvDdhWskasfOtPqI0c8/BLFoL\nCvX5vYvFSXZMyhNnMOOPyf7bTXEr+TBCVaO957FLowGv8VnW/nLVEL5tkTRWVy1A\nOpKEvhlMsl5I/tle\n-----END CERTIFICATE-----
signer_key: -----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA1gRiHiwSO6L5PrtroHi/f17DQBOpJ1KMnS9FOHSm1mES2xlB\n46y/GebGIZp+ivUbLvbJHdi0axcA0OuzCLPx6t338npJzEELXNHhlSJ2KHUuLtdp\nltsFGMISFjD5kuQgBi4bEUyhQFRWkcgqL3fK5lwTB/YaMRMnLA67QDvSPOFcJFZI\nOhICY0cVKsHJxxRbi8XfNZOLE65+yq5onxZuWH+Kbg7bOGBl45YXXjncjSN/Ljru\noDYv+PrHuCuF8B9k7F7PtGaYBnqf4z79DErxdjQZvJ3rN7W/qj04gcdaeAxoHy0+\ncCp+2zejerEh00ax1NYYnPRrEhrcU8wbM47UvQIDAQABAoIBADOcAv07q3nuJyTV\nlXKxK5zPgU4mb5gn8/jDuXGPz9vKtP1Y7ea1dbANUqIv22wvB0sgAAfOhlN8zJmU\n/SuQGTqGJJC4pKs41ECh7EBGey/uciChmbjjQCtkQXBQhx7BHGfhHm3hiNE2hVnK\nZ0HjJW6/rWcyFcbX045wTv+CbYR4cwGktQH+uzIkf4nxEzZ+v8ubx/JDLUet6eNz\nLPKLasIhiOU4YL2poX5wJ68up3SOTDHOOPlGvp26ml5ZhfhEiqnHZyR0x6vqTWi6\nwUrBOAwz6gnifmAdPLglso61b+S6VGfTCyyjCldj6Yrj8DMbPpO/gAXY2Xgs1Rpy\nAciL1wECgYEA82IDWOwNBhqnW4DzXaYRpHjx32ttPb60NKYtk4e33v9TW8IEXH5W\n4SVxFoDxor4Mmqp3k2CEKhmf6VRrxJNFYIqXRUqO5dBjh237zLVP4UCHhW3p3+uM\nKZl0bZ605jhd0WUGvzN2s0iP+1q+6m/++8hW008RB38LCKYsh6QHqjECgYEA4Rym\nq40ylLqqdCo3sYetR6eqidT7/8rZvN7EmaXHsvW1oCVhBxWd+X/7DCYztVGOOwM8\n7eKXZPtkEV3rWzgCE7NSP8X7AbOxej9Z9qYeM282KjYCHclJD/wkCwa1btX3qGGF\ngDbVw3/DcCmTkUWtq08zdz0HGfPC9fc+UTw95E0CgYA1BwrhqfSgetgx6KOdqNw5\nMJzKZ/aSOGW8/uP5O93E+W5pFJmsqV42idjc5VVAdxX58OBCvQmuvoyH4vvkBY5d\nHXUeBMOjsMausDjnfi2cT1n3qV4GiqSsP6INbEHP00IlqFRS/lyDbXDpe/kSzToK\nE7lPKu/z6Ss3RDV5jDSbUQKBgQCDJbMAPPmb5ohJtxLNTdMo7MiRFlFd+6sQuuPk\n8809OKMA0uYNP43SfroeoN79Iq9vN/q2SI2VGlR5PbNRaHblTVJ8rvYGTs71/pSF\n+s+bfY4b120yN0NmmanR9q2bDfMD2RTy1n+BLx0IamB7gRGlvTWpoRdTCk2qCMn4\nf9U6/QKBgB8g8Q9hc2WDRjk6K+xyfNZ3pCiHmjTHvCt305DhRDjEjenj0WuXW/QW\nfHvjOW+UrZXg5K56ZKNbew8i5W4McrUoxFhk5rZRisFgetD4gxSgPCuiY7fE/QDX\nScXlxGigdJBUDKkmsdO4q0H1EGXYudTYP8x14v0U8S1N+3SifgBu\n-----END RSA PRIVATE KEY-----
0707010000002C000081A40000000000000000000000015DC451BB000005C1000000000000000000000000000000000000006C00000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/files/samples/k2k/keystone_configure_sp_sample.yml#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
keystone_trusted_idp: k2k
keystone_sp_conf:
target_domain:
name: domain1
description: my domain
target_project:
name: project1
description: my project
target_group:
name: group1
description: my group
role:
name: service
idp_metadata_file: /tmp/idp_metadata.xml
identity_provider:
id: z420_idp
description: This is the identity service provider on the z420 box.
mapping:
id: mapping1
rules_file: /tmp/k2k_mapping.json
protocol:
id: saml2
attribute_map:
-
name: name1
id: id1
-
name: name2
id: id2
shib_sso_application_entity_id: http://sp_uri_entityId
shib_sso_idp_entity_id: <protocol>://<idp_host>:<port>/v3/OS-FEDERATION/saml2/idp
0707010000002D000081A40000000000000000000000015DC451BB00001336000000000000000000000000000000000000007000000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/files/samples/keystone_configure_ldap_certs_sample.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
keystone_domainldap_certs:
# CA certificates file content.
# Certificates are stored in Base64 PEM format. This may be entire LDAP server
# certificate (in case of self-signed certificates), certificate of authority
# which issued LDAP server certificate, or a full certificate chain (Root CA
# certificate, intermediate CA certificate(s), issuer certificate).
#
# If you have multiple LDAP domains, and LDAP server certificates are issued
# by different authorities, make sure that you place certs for all the LDAP
# backend domains in the cacert parameter as seen in this sample yml file
# so that all the certs are combined in a single CA file and every LDAP
# domain configuration points to the combined CA file.
# Note:
# 1. Please be advised that every time this ldap domain certficates reconfigured,
# the single CA file gets overwritten and hence ensure that you place certs
# for all the LDAP backend domains in the cacert parameter.
# 2. There is a known issue on one cert per CA file per domain when the system processes
# concurrent requests to multiple LDAP domains. Using the single CA file with all certs combined
# shall get the system working properly.
cert_settings:
cacert_file: /etc/keystone/ssl/certs/all_ldapdomains_ca.pem
cacert: |
-----BEGIN CERTIFICATE-----
MIIDVTCCAg2gAwIBAgIEVW4FQjANBgkqhkiG9w0BAQsFADAaMRgwFgYDVQQDEw9F
eGFtcGxlIENvbXBhbnkwHhcNMTUwNjAyMTkzNDI2WhcNMTYwNjAxMTkzNDI2WjAa
MRgwFgYDVQQDEw9FeGFtcGxlIENvbXBhbnkwggFSMA0GCSqGSIb3DQEBAQUAA4IB
PwAwggE6AoIBMQC2JHPnTfQ0BExcdfeLGzUxsmFtJ/EZc/EkU5/qpKJAwsssDRlS
Xfg4CN2J68IosFiltBXzQFjT2GK+I9kLLr9Qmbexh5lmLhwApTXTNC+o5/IRIZnK
fguRsbE0OdUPlEH7oeLVacPRGg3TU6DPJD7yIgEAmYmQOXWtmUiE2hy50w+Ik6kI
JS2ve6VB48jLGC9O7H/x1Fs5sdRLXAEse9A06u2BtbSH9JWp1/DFSFjP9Dk514UP
OyXD7rUWEWPMm7vkzwD1Yy2Oj2696y1hGTUxPGWtNEBpE2A364izd8GmD2PxYFzn
emWs9u7UUKsc3ZCD7YQCuf+a5uLVOiq2LKsg3Cylk7jBqSVx0BjU4G3eSDnb/E2j
a68tEqKMrMw7n791eHFOA8vfnwy0lceQHOghAgMBAAGjQzBBMA8GA1UdEwEB/wQF
MAMBAf8wDwYDVR0PAQH/BAUDAwcEADAdBgNVHQ4EFgQUeazaagjvqla452B67afb
afAL8B0wDQYJKoZIhvcNAQELBQADggExAIE44JHWTsakqY9/r7UUXYtmA3JPIS4q
+ySyYkvO8zwTuinVRJqZJr9qN1dLKoovME5oQm9dgJCDuX9IPcm+NJduJp+r8Dcd
q+LQ58qcHI9AEIGj4z12Q6BfyN6SMfq+qxx8XiTn+94gbF8SvLDGV30kyu5P4/M0
kSEhpklmey0b1uxzGRgwz03QsCuMHebt7rCD5ngEsq/wjKEY58xCs/YJzoyuqOY4
YmI5HV8DH2WSdB0ZmG9CdgbOijm4XnIhu5fXhIpyLPfL7kOUwoyF5t2eTU/lm2Uh
9/qqmq+q4qQ7uSj4fZ1B3vLozD27c/AXgInq+1cUUPQx/C7PwRKfdvm1CK+75pP5
ed7K+bPcCfGA/YDg4HIHBdTNeFAxlBdEwXgyZUTAv4WmY4el3R/Bys0=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDwTCCAqmgAwIBAgIQKSKXBZj4ZbBN5mitjA+p7zANBgkqhkiG9w0BAQUFADBz
MRMwEQYKCZImiZPyLGQBGRYDY29tMRIwEAYKCZImiZPyLGQBGRYCaHAxEzARBgoJ
kiaJk/IsZAEZFgNjZGwxGDAWBgoJkiaJk/IsZAEZFghrZXlzdG9uZTEZMBcGA1UE
AxMQa2V5c3RvbmUtQUQwMS1DQTAeFw0xNTA3MjIwOTI1MTVaFw0yNTA3MjIwOTM1
MTRaMHMxEzARBgoJkiaJk/IsZAEZFgNjb20xEjAQBgoJkiaJk/IsZAEZFgJocDET
MBEGCgmSJomT8ixkARkWA2NkbDEYMBYGCgmSJomT8ixkARkWCGtleXN0b25lMRkw
FwYDVQQDExBrZXlzdG9uZS1BRDAxLUNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAx4Zzzd59cimCknq1iNwjUEgtip+n8Aw/epW5DPfkm810MUxZ9KVl
MoNV82tIZHUf70gOqEBlgGreHyRiKANpN+qzCY4yP7/91sDD+eZ4JPZYV2wsXboG
5+dWrfz9oKr0vSo7llRfI0I1w0AwtQ26vMxwhEOBR0Rn5wM3XnRhsWYFWWCEmGHe
8HwWcd9KI3rFgDQwEnVQ5g+Fe9RxplHhe1h6ybgRea5Da8QGG/GKdVyyoSzwEYRe
5GevnBX6WChSkbtLT1qNmgFNEjizYb0eN96LgmZ5H27rq9sVemANhSdqeN/s1Jix
Q6JsPfT6tWmuH/6rbLMxgPaYhhe7hEoGwQIDAQABo1EwTzALBgNVHQ8EBAMCAYYw
DwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUwG4P2G45Ggs7dlxiyo5Pz8Ol0asw
EAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQEFBQADggEBAGxRYjs4TVbRSyNH
MrKrVFjhFP+vv1A4bbR8BoEwHR3zGbI1tMsFpInNRDUH0mmktor3ppn3DQdL4Tyi
+dFIFJrVO9fus3Jx/0ijvhC70qhTavgZdsaWji5EoTv6oBw1Tvj3jto8IGHuuFre
ZSyESGW3JmVYkIIJ2ZDTAY/PyIKLt+35hBtk+eCH3Gs9fFq5xNDIWIf8I2WNqJDu
2DpyRn9Jh5ywmle222XdjaNLqN8c2UDTbp7rMAF/X/jTXbEIHZXin+2nMiuV8Pxv
ot96Y/NDLTSm7ig5jNd2uXupoP19AGGF/lLTZzJvcxQ7paucJfeiJe9ZeyxICEZC
wampKBs=
-----END CERTIFICATE-----
0707010000002E000081A40000000000000000000000015DC451BB0000143B000000000000000000000000000000000000006A00000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/files/samples/keystone_configure_ldap_sample.yml#
# (c) Copyright 2015-2017 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
keystone_domainldap_conf:
# CA certificates file content.
# Certificates are stored in Base64 PEM format. This may be entire LDAP server
# certificate (in case of self-signed certificates), certificate of authority
# which issued LDAP server certificate, or a full certificate chain (Root CA
# certificate, intermediate CA certificate(s), issuer certificate).
#
cert_settings:
cacert: |
-----BEGIN CERTIFICATE-----
MIIDVTCCAg2gAwIBAgIEVW4FQjANBgkqhkiG9w0BAQsFADAaMRgwFgYDVQQDEw9F
eGFtcGxlIENvbXBhbnkwHhcNMTUwNjAyMTkzNDI2WhcNMTYwNjAxMTkzNDI2WjAa
MRgwFgYDVQQDEw9FeGFtcGxlIENvbXBhbnkwggFSMA0GCSqGSIb3DQEBAQUAA4IB
PwAwggE6AoIBMQC2JHPnTfQ0BExcdfeLGzUxsmFtJ/EZc/EkU5/qpKJAwsssDRlS
Xfg4CN2J68IosFiltBXzQFjT2GK+I9kLLr9Qmbexh5lmLhwApTXTNC+o5/IRIZnK
fguRsbE0OdUPlEH7oeLVacPRGg3TU6DPJD7yIgEAmYmQOXWtmUiE2hy50w+Ik6kI
JS2ve6VB48jLGC9O7H/x1Fs5sdRLXAEse9A06u2BtbSH9JWp1/DFSFjP9Dk514UP
OyXD7rUWEWPMm7vkzwD1Yy2Oj2696y1hGTUxPGWtNEBpE2A364izd8GmD2PxYFzn
emWs9u7UUKsc3ZCD7YQCuf+a5uLVOiq2LKsg3Cylk7jBqSVx0BjU4G3eSDnb/E2j
a68tEqKMrMw7n791eHFOA8vfnwy0lceQHOghAgMBAAGjQzBBMA8GA1UdEwEB/wQF
MAMBAf8wDwYDVR0PAQH/BAUDAwcEADAdBgNVHQ4EFgQUeazaagjvqla452B67afb
afAL8B0wDQYJKoZIhvcNAQELBQADggExAIE44JHWTsakqY9/r7UUXYtmA3JPIS4q
+ySyYkvO8zwTuinVRJqZJr9qN1dLKoovME5oQm9dgJCDuX9IPcm+NJduJp+r8Dcd
q+LQ58qcHI9AEIGj4z12Q6BfyN6SMfq+qxx8XiTn+94gbF8SvLDGV30kyu5P4/M0
kSEhpklmey0b1uxzGRgwz03QsCuMHebt7rCD5ngEsq/wjKEY58xCs/YJzoyuqOY4
YmI5HV8DH2WSdB0ZmG9CdgbOijm4XnIhu5fXhIpyLPfL7kOUwoyF5t2eTU/lm2Uh
9/qqmq+q4qQ7uSj4fZ1B3vLozD27c/AXgInq+1cUUPQx/C7PwRKfdvm1CK+75pP5
ed7K+bPcCfGA/YDg4HIHBdTNeFAxlBdEwXgyZUTAv4WmY4el3R/Bys0=
-----END CERTIFICATE-----
# A domain will be created in MySQL with this name, and associated with ldap backend.
# Installer will also generate a config file named /etc/keystone/domains/keystone.<domain_name>.conf
#
domain_settings:
name: dept1
description: Dedicated domain for dept1 users
conf_settings:
identity:
driver: ldap
# For full list and description of ldap configuration options, please refer to
# https://github.com/openstack/keystone/blob/master/etc/keystone.conf.sample or
# http://docs.openstack.org/kilo/config-reference/content/keystone-configuration-file.html.
#
# Please note:
# 1. LDAP configuration is read-only. Configuration which performs write operations (i.e. creates users, groups, etc)
# is not supported at the moment.
# 2. LDAP is only supported for identity operations (reading users and groups from LDAP). Assignment
# operations with LDAP (i.e. managing roles, projects) are not supported.
# 3. LDAP is configured as non-default domain. Configuring LDAP as a default domain is not supported.
#
ldap:
url: ldap://ad.myorg.com
suffix: DC=acme,DC=net
query_scope: sub
user_tree_dn: CN=Users,DC=acme,DC=net
user : CN=admin,CN=Users,DC=acme,DC=net
password: REDACTED
user_objectclass: user
user_id_attribute: cn
user_name_attribute: cn
group_tree_dn: CN=Users,DC=acme,DC=net
group_objectclass: group
group_id_attribute: cn
group_name_attribute: cn
use_pool: False
user_enabled_attribute: userAccountControl
user_enabled_mask: 2
user_enabled_default: 512
use_tls: True
tls_req_cert: demand
# if you are configuring multiple LDAP domains, and LDAP server certificates are issued
# by different authorities, make sure that you place certs for all the LDAP backend domains in the
# cacert parameter as seen in this sample yml file so that all the certs are combined in a single CA file
# and every LDAP domain configuration points to the combined CA file.
# Note:
# 1. Please be advised that every time a new ldap domain is configured, the single CA file gets overwritten
# and hence ensure that you place certs for all the LDAP backend domains in the cacert parameter.
# 2. There is a known issue on one cert per CA file per domain when the system processes
# concurrent requests to multiple LDAP domains. Using the single CA file with all certs combined
# shall get the system working properly.
tls_cacertfile: /etc/keystone/ssl/certs/all_ldapdomains_ca.pem
0707010000002F000041ED0000000000000000000000025DC451BB00000000000000000000000000000000000000000000004E00000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/files/samples/websso07070100000030000081A40000000000000000000000015DC451BB0000026F000000000000000000000000000000000000006300000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/files/samples/websso/adfs_sp_mapping.json[
{
"local": [{
"user": {
"name": "{0}"
}
}],
"remote": [{
"type": "ADFS_LOGIN"
}]
},
{
"local": [{
"group": {
"id": "GROUP_ID"
}
}],
"remote": [{
"type": "ADFS_GROUP",
"any_one_of": [
"Domain Users"
]
}]
}
]
07070100000031000081A40000000000000000000000015DC451BB000005D9000000000000000000000000000000000000007100000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/files/samples/websso/keystone_configure_adfs_sample.yml#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
keystone_trusted_idp: adfs
keystone_sp_conf:
idp_metadata_file: adfs_metadata.xml
shib_sso_application_entity_id: http://sp_uri_entityId
shib_sso_idp_entity_id: http://default_idp_uri_entityId
target_domain:
name: domain1
description: my domain
target_project:
name: project1
description: my project
target_group:
name: group1
description: my group
role:
name: service
identity_provider:
id: adfs_idp1
description: This is the ADFS identity provider.
mapping:
id: mapping1
rules_file: adfs_mapping.json
protocol:
id: saml2
attribute_map:
-
name: http://schemas.xmlsoap.org/claims/Group
id: ADFS_GROUP
-
name: urn:oid:1.3.6.1.4.1.5923.1.1.1.6
id: ADFS_LOGIN
07070100000032000041ED0000000000000000000000025DC451BB00000000000000000000000000000000000000000000005000000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/files/samples/x509auth07070100000033000081A40000000000000000000000015DC451BB00001094000000000000000000000000000000000000005B00000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/files/samples/x509auth/cacert.pem-----BEGIN CERTIFICATE-----
MIIF9DCCA9ygAwIBAgIJAOZ2+Dq0sG2uMA0GCSqGSIb3DQEBCwUAMIGFMQswCQYD
VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl
MQwwCgYDVQQKDANIUEUxDzANBgNVBAsMBkhlbGlvbjEPMA0GA1UEAwwGcm9vdGNh
MR0wGwYJKoZIhvcNAQkBFg5yb290Y2FAaHBlLmNvbTAgFw0xNjA0MDYwMDM2Mzla
GA8yMjE2MDIxODAwMzYzOVowgYUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxp
Zm9ybmlhMRIwEAYDVQQHDAlTdW5ueXZhbGUxDDAKBgNVBAoMA0hQRTEPMA0GA1UE
CwwGSGVsaW9uMQ8wDQYDVQQDDAZyb290Y2ExHTAbBgkqhkiG9w0BCQEWDnJvb3Rj
YUBocGUuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAls+ybSfw
nH6HvEtF2v//SQMfKJo8vVUUh8KYqHSYdGr6lZ0s650V8NCyGFfXke+zMRkEg6PK
9BXQ/r2DJgA2uZMb8LCG70/QwmlR57fjpd1AAiz26wroiPXL9RgAovDQb5f3RGzG
+zhxcHF9Q+u4LPaLYdzTyvg8KGd6exTjhuJOPCi/Z9Tn5iltAornWlVlPbXCRGPD
N+EC/iDZcuZF4DhAoTXRcsR6mgayaR5OICALfU4pOuggKB7+BwWNWs2Hz72UkY1z
MaLvRjb/AkDEv0E1nJ/iPH3vJ4Ymd+8lgPAHJuncB/HTvtBwJWL4FjmYGa3CCCo1
9oSj3gnGs5PA54MV/7hvs7OT9JvWx14SIfkeJy6YQcgON3fPGT0+wyOAxlHI/HJa
VEQHZ1En6aoszM+7Kks4iiqdyllUi5E+uzaVUEeZj4aqnM/qa84uYeGsZ/CLLom9
vXll1MCB1Rg2r7zakZFVA3+HyhAWWVlPfe1Z0fASEYzJ7zFRDclcoQCJmtSzLdOJ
ykPRfGKstI07dgx1xzwMw6L5Dp071N5mlLeHPxi+l0OI+QUtBA2kfxOl/KphgMVA
KSXUQWuMn756s/WKfO+OZnox2/R4za+tV3XnhuwvnnrvYIZ7owtddyEUCtPFl59t
H1WPSrSqiwcz1BmYbnkjnwHb9bzOKn6QmOcCAwEAAaNjMGEwHQYDVR0OBBYEFHKl
5HeiF9fO8GXbh+hwXewOrej0MB8GA1UdIwQYMBaAFHKl5HeiF9fO8GXbh+hwXewO
rej0MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB
CwUAA4ICAQAKn+lAHX/9pBTLKHuQWq5tbaEv5uQVqKWJCJ9TvGiV1aB9C7RXbmfW
kp/X6YFpaPyvbRuFgNAmZ550Xq2nHrvRHZXZ5RZD+QGxe5QsXcW6YiSGTPxqlHBH
7iupUDZi589CDgyR5S1s9cYxHpx+1YqkZkmMKwpJz74YdlowCy4TfZybNOuVEzIH
25e1oZPI28vHks5KxcLv50IK+mlAEl4O5Odx8JMknMlG+HRRYCp8thdctC7z/igq
AKuBHkgRZMD85eSK01iGfqBDtK89yBreK9iZOr7OhmpdSJxinVPNA3s46cKKTcRi
yRH8Xsf7GW5kLHSafz11wuzLs6TlXK9MdwilD/zGGQKpLkXcQqYatLdHBTSZpqbN
XJFMDZEDmUef5S2T+AHMHZWlFX98jTx7jJoezFvXY5Sbab3v1lwey5M7ggASMF0I
8JKrM5COetWIME67MBtoeaLFVQAi0tHNxmmq2hgDzS3U3wsf4VM5dTKAf+WrREcm
o6meZE/AS6tytbsY1M39iKUeak3M6/XmgbFrmMC5J/vJzIsqkmA3Xa6y/WxKyrQA
CdpGqDtBqTo1qoC+VZwJ8nLNFfvnINRpWRWPNYq+c6QzvDsY3115xPO5Vlhg+/jc
Y60qoHXnTYUwoyb/OvWGXhfRvMhRypLj7yo/sZiCEeMiUxiv9N292w==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIF7zCCA9egAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgYUxCzAJBgNVBAYTAlVT
MRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQHDAlTdW5ueXZhbGUxDDAKBgNV
BAoMA0hQRTEPMA0GA1UECwwGSGVsaW9uMQ8wDQYDVQQDDAZyb290Y2ExHTAbBgkq
hkiG9w0BCQEWDnJvb3RjYUBocGUuY29tMB4XDTE2MDQwNjIyMDU1NFoXDTI2MDQw
NDIyMDU1NFowgYYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMQww
CgYDVQQKDANIUEUxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRcwFQYDVQQDDA5pbnRl
cm1lZGlhdGVjYTElMCMGCSqGSIb3DQEJARYWaW50ZXJtZWRpYXRlY2FAaHBlLmNv
bTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALNz+Qg9LlmMMIGxDDnK
UDmfK1QVlCY5QRC2BflDwZzPnZ9HC91RuGqrAj1bA4tnALIyFhW2jZh+dysr1s13
l/0/I4aX6xLOHzJszrhwxdgmRbF+lmt3U+Wc9xxy9z7haJqpp/zTNKFN3Ofi6CdG
SSUISrZz7YLxX2ErYAbCTuQMLey8WyXSdcvuGKQZV0YYGJgPH4tLTSfrBi1z9h2h
F3UC+n4N/ypnNgsciOl48ol9D2Yfys2++Du96MDQiJgkimkk0OjsfRsLiT5wwNPn
ROg2Vq9QcUkco4E4uM6lp5zRWyLtOr7qRg3yP19ElJkS0x2stnP/1BM2SLjYGP/i
9kfxcWr5tY33YbaERpMpywauuBDopNzxVW71RAg5a3llzLvGsqyBvDVQETbY+ugJ
2w71k1Z1mv/Zpovavyd9eQ0jNcAq09AOgSbIDZWU9EQ1ZrS98ZIwkGc8SPX9x99F
QcgXRf+ogfVzACt3m0l9M893SY2wIic9pGzvmx2zmDlKSfd8n9IbcnK/ON/oKqtL
PNECbIGUVG0ILupvsZcndjcMJ3deW4OpZvQ1NFePd70ayY8t/bjAntaDG+Mht7Qp
kWxcLc1VrVEmVlwlxKtdg9+BHiufZJE20napXoljct9L3Y62XqWWla4MijDGHvPE
lDdORhUWIkcsXliq3jZIQjWXAgMBAAGjZjBkMB0GA1UdDgQWBBTAG04QrGyXyatJ
dAoxThpeJcVsXTAfBgNVHSMEGDAWgBRypeR3ohfXzvBl24focF3sDq3o9DASBgNV
HRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOC
AgEAkoGn0xMHltY/xyxSW/OoKp6UvE7wfVLiHTE7lkiyNVjntAXqEyptAwvQZ85Q
vDU3A0gqFfHBQX4tG6ks5Ark4AxctH0cVSwkV/ZxO4M+P5eb9fbX4kGzWOkfWCgR
Ro9us/p0VGPceJACkArLK9ty0VWxfOzo64MU7EzMCf/Qgduyw8LFsyAZrJsKpCWZ
5bFX9KWyZgNSO1M/fYjb6cBixXfoOu15S5qg3tCBf7iy21XywMdpmyh9Ek/+/Wtt
2Mr1B+C3oV65/UNJzLbZbE+CgQCK88MPd9B908htS8C7wWpFbLbzGHUdgtppXbTB
0sCQFc+93kEaeG+zbTerrubRZpgDoAj2S9qmz/uxzlZBRp/PgYkh1wWJJ+y3jLB5
r2SOjRsky19XrQSeZ4l6Xq2aoiqt1qqDNEWXHqOm2QiPP3+f8OVAYUfux3+mnr0E
cdAEBxPeuw8DEFDvlR9ve9sYAkEGh/Z1NMRJpQrxYbFOdNvsM3T22ZWU5O2eJzbZ
se0ytXpqxeoqUrsGmPKQz6p0+vMwy8UyQ2HOP7BeyXkV/F3/AGUlhRL9HlWT4Oo8
zHUlbG0oA11lyvTcEHW1bqgzeSLpNAy204OfL0HqM4NkwHnBU/g61zC9eyZ+Nu67
gia6YFR9UuSA6xPQ6N33tOHpjB5jUbK4iW66NwY+hh+5Agc=
-----END CERTIFICATE-----
07070100000034000081A40000000000000000000000015DC451BB000003BB000000000000000000000000000000000000006E00000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/files/samples/x509auth/x509auth_configure_sample.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
keystone_x509auth_conf:
identity_provider:
id: intermediateca
description: This is the trusted issuer HEX Id.
mapping:
id: x509_mapping1
rules_file: /tmp/x509auth_mapping.json
protocol:
id: x509
remote_id: intermediateca
ca_file: /tmp/cacert.pem
07070100000035000081A40000000000000000000000015DC451BB00000486000000000000000000000000000000000000006600000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/files/samples/x509auth/x509auth_mapping.json[
{
"local": [
{
"user": {
"name": "{0}",
"domain": {
"name": "{1}"
},
"type": "local"
}
}
],
"remote": [
{
"type": "SSL_CLIENT_S_DN_CN"
},
{
"type": "SSL_CLIENT_S_DN_O"
},
{
"type": "SSL_CLIENT_I_DN",
"any_one_of": [
"emailAddress=intermediateca@suse.com,CN=intermediateca,OU=Engineering,O=SUSE,ST=California,C=US",
"/C=US/ST=California/O=SUSE/OU=Engineering/CN=intermediateca/emailAddress=intermediateca@suse.com"
]
}
]
}
]
07070100000036000041ED0000000000000000000000025DC451BB00000000000000000000000000000000000000000000004200000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/handlers07070100000037000081A40000000000000000000000015DC451BB000002E9000000000000000000000000000000000000004B00000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/handlers/main.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
# Handlers for Keystone
- name: keystone_change
set_fact:
keystone_restart_required: true
07070100000038000041ED0000000000000000000000025DC451BB00000000000000000000000000000000000000000000003E00000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/meta07070100000039000081A40000000000000000000000015DC451BB000002C3000000000000000000000000000000000000004700000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/meta/main.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
dependencies:
- role: keystone-common
- role: FND-AP2
0707010000003A000041ED0000000000000000000000025DC451BB00000000000000000000000000000000000000000000003F00000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/tasks0707010000003B000081A40000000000000000000000015DC451BB000008E6000000000000000000000000000000000000006000000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/tasks/_apply_configuration_changes.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- name: KEY-API | _apply_configuration_changes | Set facts for virtual install
set_fact:
override_virtual_install: "{{ True if is_baremetal_install ==
'False' and (ansible_memtotal_mb < 47000)
and (keystone_wsgi_admin_process_count == 5 and
keystone_wsgi_public_process_count == 15) else False }}"
#Virtual install can't handle 10 keystone process, so we are overriding it to 2
- name: KEY-API | _apply_configuration_changes | Override process counts for virtual install
set_fact:
keystone_wsgi_admin_process_count: 2
keystone_wsgi_public_process_count: 2
keystone_wsgi_socket_timeout: 120
when: override_virtual_install
# NOTE: Separate keystone.conf so it can be validated by keystone-manage
- name: KEY-API | _apply_configuration_changes | Templatize keystone.conf
template:
src: keystone.conf.j2
dest: "{{ keystone_venv_install_conf_dir }}/keystone.conf"
owner: "{{ keystone_user }}"
group: "{{ keystone_group }}"
mode: 0600
become: yes
register: ardana_notify_keystone_change
tags:
- keystone
- name: KEY-API | _apply_configuration_changes | Templatize to get reconfiguration change
template:
src: "{{ item.src }}"
dest: "{{ keystone_venv_install_conf_dir }}/{{ item.dest }}"
owner: "{{ keystone_user }}"
group: "{{ keystone_group }}"
mode: 0600
with_items:
- { src: keystone-paste.ini.j2 , dest: keystone-paste.ini }
- { src: policy.v3cloudsample.json , dest: policy.json }
- { src: logging.conf.j2 , dest: logging.conf }
become: yes
register: ardana_notify_keystone_change
tags:
- keystone
0707010000003C000081A40000000000000000000000015DC451BB00000874000000000000000000000000000000000000005700000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/tasks/_configure_auditing.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- name: KEY-API | _configure_auditing | Enable auditing
ini_file:
dest: "{{ keystone_conf_dir }}/keystone.conf"
section: "oslo_messaging_notifications"
option: "driver"
value: "log"
owner: "{{ keystone_user }}"
group: "{{ keystone_group }}"
backup: no
become: yes
when: keystone_api_audit_enable
register: ardana_notify_keystone_change
tags:
- keystone
- name: KEY-API | _configure_auditing | Create auditing logging directory if not there
file:
path: "{{ keystone_audit_log_base_location }}/keystone"
owner: "{{ keystone_user }}"
group: "{{ keystone_group }}"
mode: 0755
state: directory
become: yes
when: keystone_api_audit_enable | bool
tags:
- keystone
- name: KEY-API | _configure_auditing | Touch the audit log file
file:
path: "{{ item }}"
owner: "{{ keystone_user }}"
group: "adm"
mode: 0640
state: touch
become: yes
with_items:
- "{{ keystone_audit_log_base_location }}/keystone/keystone-audit.log"
when: keystone_api_audit_enable | bool
tags:
- keystone
- name: KEY-API | _configure_auditing | Disable auditing
ini_file:
dest: "{{ keystone_conf_dir }}/keystone.conf"
section: "oslo_messaging_notifications"
option: "driver"
value: "noop"
owner: "{{ keystone_user }}"
group: "{{ keystone_group }}"
backup: no
become: yes
when: keystone_api_audit_enable == false
register: ardana_notify_keystone_change
tags:
- keystone
0707010000003D000081A40000000000000000000000015DC451BB000003EB000000000000000000000000000000000000006100000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/tasks/_configure_deployment_options.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
# We are adding here once again to enable reconfiguration of process counts
- name: KEY-API | _configure_deployment_options | Copies modwsgi configuration
template:
src: keystone-modwsgi.conf.j2
dest: "{{ apache2_vhost_dir }}/keystone-modwsgi.vhost"
mode: 0644
become: yes
register: ardana_notify_keystone_change
tags: keystone
0707010000003E000081A40000000000000000000000015DC451BB00001EF1000000000000000000000000000000000000005C00000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/tasks/_configure_federation_sp.yml#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- name: KEY-API | _configure_federation_sp | Create the IdP meta data files
copy:
dest: "{{ keystone_conf_dir }}/{{ keystone_sp_conf.identity_provider.id
}}_metadata.xml"
src: "{{ keystone_sp_conf.idp_metadata_file }}"
owner: "{{ keystone_user }}"
group: "{{ keystone_group }}"
mode: 0644
become: yes
tags:
- keystone
- name: KEY-API | _configure_federation_sp | Check shibd mapping file has been configured
shell: grep 'SHIBD TEMPLATE' "{{ keystone_shibd_conf_dir }}/attribute-map.xml"
register: shib_mapping_configured_result
ignore_errors: True
- name: KEY-API | _configure_federation_sp | Configure the shibd mapping file
template:
src: "attribute-map.xml.j2"
dest: "{{ keystone_shibd_conf_dir }}/attribute-map.xml"
owner: "{{ keystone_user }}"
group: "{{ keystone_group }}"
mode: 0644
when: not shib_mapping_configured_result.stdout
become: yes
notify: keystone_change
tags:
- keystone
- name: KEY-API | _configure_federation_sp | Add shibd custom attributes in the mapping file
lineinfile:
backup: no
state: present
dest: "{{ keystone_shibd_conf_dir }}/attribute-map.xml"
line: ' <Attribute name="{{ item.name }}" id="{{ item.id }}"/>'
insertafter: '<!-- Custom attributes -->'
with_items: keystone_sp_conf.attribute_map
become: yes
notify: keystone_change
tags:
- keystone
- name: KEY-API | _configure_federation_sp | Configure shibd log rotation
template:
src: "shibd.logger.j2"
dest: "{{ keystone_shibd_conf_dir }}/shibd.logger"
owner: "{{ keystone_user }}"
group: "{{ keystone_group }}"
mode: 0644
become: yes
notify: keystone_change
tags:
- keystone
- name: KEY-API | _configure_federation_sp | Check shibd configuration file has been configured
shell: grep 'SHIBD TEMPLATE' "{{ keystone_shibd_conf_dir }}/shibboleth2.xml"
register: shib_configured_result
ignore_errors: True
- name: KEY-API | _configure_federation_sp | Configure the shibd configuration file
template:
src: "shibboleth2.xml.j2"
dest: "{{ keystone_shibd_conf_dir }}/shibboleth2.xml"
owner: "{{ keystone_user }}"
group: "{{ keystone_group }}"
mode: 0644
when: not shib_configured_result.stdout
become: yes
notify: keystone_change
tags:
- keystone
- name: KEY-API | _configure_federation_sp | Add IdP metadata reference in the shibd configuration file
lineinfile:
backup: yes
state: present
dest: "{{ keystone_shibd_conf_dir }}/shibboleth2.xml"
line: ' <MetadataProvider type="XML" file="{{
keystone_conf_dir }}/{{
keystone_sp_conf.identity_provider.id }}_metadata.xml"/>'
insertafter: '<MetadataProvider type="Chaining">'
become: yes
notify: keystone_change
tags:
- keystone
- name: KEY-API | _configure_federation_sp | Update entity Ids in the shibd configuration file
lineinfile:
state: present
dest: "{{ keystone_shibd_conf_dir }}/shibboleth2.xml"
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
with_items:
- { regexp: '<ApplicationDefaults entityID=*',
line: ' <ApplicationDefaults entityID="{{
keystone_sp_conf.shib_sso_application_entity_id }}">' }
- { regexp: '<SSO entityID=*', line: ' <SSO entityID="{{
keystone_sp_conf.shib_sso_idp_entity_id }}">' }
when: keystone_trusted_idp is defined and keystone_trusted_idp == "adfs"
become: yes
notify: keystone_change
tags:
- keystone
- name: KEY-API | _configure_federation_sp | Get a domain scoped token
keystone_v3:
endpoint: "{{ keystone_admin_endpoint }}/v3"
login_username: "{{ keystone_admin_user }}"
login_password: "{{ keystone_admin_user_pwd }}"
login_user_domain_name: "{{ keystone_default_domain }}"
login_domain_name: "{{ keystone_default_domain }}"
action: "token_get"
run_once: true
register: domain_scoped_token_result
- name: KEY-API | _configure_federation_sp | Create a domain
keystone_v3:
login_token: "{{ domain_scoped_token_result.result }}"
endpoint: "{{ keystone_admin_endpoint }}/v3"
action: "create_domain"
description: "{{ keystone_sp_conf.target_domain.description }}"
domain_name: "{{ keystone_sp_conf.target_domain.name }} "
run_once: true
tags:
- keystone
- name: KEY-API | _configure_federation_sp | Create a project
keystone_v3:
login_token: "{{ domain_scoped_token_result.result }}"
endpoint: "{{ keystone_admin_endpoint }}/v3"
action: "create_project"
description: "{{ keystone_sp_conf.target_project.description }}"
project_name: "{{ keystone_sp_conf.target_project.name }} "
project_domain_name: "{{ keystone_sp_conf.target_domain.name }} "
run_once: true
tags:
- keystone
- name: KEY-API | _configure_federation_sp | Create a group
keystone_v3:
login_token: "{{ domain_scoped_token_result.result }}"
endpoint: "{{ keystone_admin_endpoint }}/v3"
action: "create_group"
description: "{{ keystone_sp_conf.target_group.description }}"
group_name: "{{ keystone_sp_conf.target_group.name }}"
domain_name: "{{ keystone_sp_conf.target_domain.name }} "
register: federation_group_id_result
run_once: true
tags:
- keystone
- name: KEY-API | _configure_federation_sp | Grant role to a group on a project
keystone_v3:
login_token: "{{ domain_scoped_token_result.result }}"
endpoint: "{{ keystone_admin_endpoint }}/v3"
action: "grant_project_role_on_group"
group_name: "{{ keystone_sp_conf.target_group.name }}"
group_domain_name: "{{ keystone_sp_conf.target_domain.name }}"
role_name: "{{ keystone_sp_conf.role.name }}"
project_name: "{{ keystone_sp_conf.target_project.name }}"
project_domain_name: "{{ keystone_sp_conf.target_domain.name }}"
run_once: true
tags:
- keystone
- name: KEY-API | _configure_federation_sp | Create IdP in the DB
keystone_federation:
login_token: "{{ domain_scoped_token_result.result }}"
endpoint: "{{ keystone_admin_endpoint }}/v3"
action: "create_identity_provider"
identity_provider_id: "{{ keystone_sp_conf.identity_provider.id }}"
description: "{{ keystone_sp_conf.identity_provider.description }}"
remote_id: "{{ keystone_sp_conf.shib_sso_idp_entity_id }}"
run_once: true
tags:
- keystone
- name: KEY-API | _configure_federation_sp | Create Mapping in the DB
keystone_federation:
login_token: "{{ domain_scoped_token_result.result }}"
endpoint: "{{ keystone_admin_endpoint }}/v3"
action: "create_mapping"
mapping_id: "{{ keystone_sp_conf.mapping.id }}"
rules: "{{ lookup('file', keystone_sp_conf.mapping.rules_file) |
regex_replace('GROUP_ID', federation_group_id_result.result.id) }}"
run_once: true
tags:
- keystone
- name: KEY-API | _configure_federation_sp | Create Protocol in the DB
keystone_federation:
login_token: "{{ domain_scoped_token_result.result }}"
endpoint: "{{ keystone_admin_endpoint }}/v3"
action: "create_protocol"
protocol_id: "{{ keystone_sp_conf.protocol.id }}"
identity_provider_id: "{{ keystone_sp_conf.identity_provider.id }}"
mapping_id: "{{ keystone_sp_conf.mapping.id }}"
run_once: true
tags:
- keystone
0707010000003F000081A40000000000000000000000015DC451BB00000521000000000000000000000000000000000000005500000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/tasks/_configure_fernet.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
# determine the master node
- include: _set_fernet_master_node.yml
# setup the Fernet keys on the master node
- name: KEY-API | _configure_fernet | Create Fernet keys on master node
include: _create_fernet_keys.yml
when: inventory_hostname == fernet_master_node
# setup the SSH keys for Fernet key distribution as it is using rsync
- name: KEY-API | _configure_fernet | Distribute the SSH keys
include: _distribute_ssh_keys_for_fernet_distributions.yml
when: inventory_hostname != fernet_master_node
# now distribute the Fernet keys
- include: _distribute_fernet_keys.yml
# setup Fernet key auto rotation
- include: _setup_fernet_auto_rotation.yml
07070100000040000081A40000000000000000000000015DC451BB00000991000000000000000000000000000000000000005600000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/tasks/_configure_k2k_idp.yml#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# keystone user and endpoint registration
---
- name: KEY-API | _configure_k2k_idp | Create the IdP signer certificate file
copy:
dest: "{{ keystone_conf_dir }}/idpcert.pem"
content: "{{ keystone_k2k_idp_conf.signer_cert }}"
owner: "{{ keystone_user }}"
group: "{{ keystone_group }}"
mode: 0644
become: yes
tags:
- keystone
- name: KEY-API | _configure_k2k_idp | Create the IdP signer private key file
copy:
dest: "{{ keystone_conf_dir }}/idpkey.pem"
content: "{{ keystone_k2k_idp_conf.signer_key }}"
owner: "{{ keystone_user }}"
group: "{{ keystone_group }}"
mode: 0600
become: yes
tags:
- keystone
- name: KEY-API | _configure_k2k_idp | Create IdP meta data file
shell: "{{ keystone_bin_dir }}/keystone-manage saml_idp_metadata >
{{ keystone_conf_dir }}/idp_metadata.xml"
become: yes
become_user: "{{ keystone_user }}"
tags:
- keystone
- name: KEY-API | _configure_k2k_idp | Get a domain scoped token
keystone_v3:
endpoint: "{{ keystone_admin_endpoint }}/v3"
login_username: "{{ keystone_admin_user }}"
login_password: "{{ keystone_admin_user_pwd }}"
login_user_domain_name: "Default"
login_domain_name: "Default"
action: "token_get"
run_once: true
register: domain_scoped_token_result
- name: KEY-API | _configure_k2k_idp | Create K2k Service Provider
keystone_federation:
login_token: "{{ domain_scoped_token_result.result }}"
endpoint: "{{ keystone_admin_endpoint }}/v3"
action: "create_service_provider"
service_provider_id: "{{ item.id }}"
description: "{{ item.description }}"
sp_url: "{{ item.sp_url }}/Shibboleth.sso/SAML2/ECP"
auth_url: "{{ item.auth_url }}"
with_items: keystone_k2k_idp_conf.service_provider
run_once: true
tags:
- keystone
07070100000041000081A40000000000000000000000015DC451BB00000BDA000000000000000000000000000000000000005300000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/tasks/_configure_ldap.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- name: KEY-API | _configure_ldap | Display variables that are configured for LDAP
debug: var=keystone_domainldap_conf
tags:
- keystone
- keystone_debug
when: keystone_debug is defined
- name: KEY-API | _configure_ldap | Get a domain scoped token
keystone_v3:
endpoint: "{{ keystone_admin_endpoint }}/v3"
login_username: "{{ keystone_admin_user }}"
login_password: "{{ keystone_admin_user_pwd }}"
login_user_domain_name: "Default"
login_domain_name: "Default"
action: "token_get"
run_once: true
register: domain_scoped_token_result
- name: KEY-API | _configure_ldap | Configure LDAP | Create domains
keystone_v3:
login_token: "{{ domain_scoped_token_result.result }}"
endpoint: "{{ keystone_internal_endpoint }}/v3"
action: "create_domain"
description: "{{ keystone_domainldap_conf.domain_settings.description }}"
domain_name: "{{ keystone_domainldap_conf.domain_settings.name }}"
run_once: true
tags:
- keystone
- name: KEY-API | _configure_ldap | Delete the existing configuration file
file:
path: "{{ keystone_conf_dir }}/domains/keystone.{{
keystone_domainldap_conf.domain_settings.name }}.conf"
state: absent
become: yes
tags:
- keystone
- name: KEY-API | _configure_ldap | Populate domain specific config entries
ini_file:
dest: "{{ keystone_conf_dir }}/domains/keystone.{{
keystone_domainldap_conf.domain_settings.name }}.conf"
section: "{{ item.section }}"
option: "{{ item.option }}"
value: "{{ item.value }}"
owner: "{{ keystone_user }}"
group: "{{ keystone_group }}"
backup: no
with_items: keystone_domainldap_conf.conf_settings | osini()
become: yes
register: ardana_notify_keystone_change
tags:
- keystone
- name: KEY-API | _configure_ldap | Create the ldap CA file
copy:
dest: "{{ keystone_domainldap_conf.conf_settings.ldap.tls_cacertfile }}"
content: "{{ keystone_domainldap_conf.cert_settings.cacert }}"
owner: "{{ keystone_user }}"
group: "{{ keystone_group }}"
mode: 0644
when: (keystone_domainldap_conf.conf_settings.ldap.use_tls is defined and
keystone_domainldap_conf.conf_settings.ldap.use_tls == True)
or keystone_domainldap_conf.conf_settings.ldap.url|
split(':')|first() == 'ldaps'
become: yes
tags:
- keystone
07070100000042000081A40000000000000000000000015DC451BB0000041C000000000000000000000000000000000000005900000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/tasks/_configure_ldap_certs.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- name: KEY-API | _configure_ldap_certs | Create the ldap CA file
copy:
dest: "{{ keystone_domainldap_certs.cert_settings.cacert_file }}"
content: "{{ keystone_domainldap_certs.cert_settings.cacert }}"
owner: "{{ keystone_user }}"
group: "{{ keystone_group }}"
mode: 0644
when: (keystone_domainldap_certs.cert_settings is defined)
become: yes
tags:
- keystone
07070100000043000081A40000000000000000000000015DC451BB00000441000000000000000000000000000000000000005F00000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/tasks/_configure_websso_with_adfs.yml#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- name: KEY-API | _configure_websso_with_adfs |
Create Symlink for Keystone sso_callback_template from venv
file:
src: "{{ keystone_venv_dir }}/usr/share/keystone/{{ item }}"
dest: "{{ keystone_conf_dir }}/{{ item }}"
owner: "{{ keystone_user }}"
group: "{{ keystone_group }}"
state: link
with_items:
- sso_callback_template.html
become: yes
tags:
- keystone
- include: _configure_federation_sp.yml
07070100000044000081A40000000000000000000000015DC451BB00000C17000000000000000000000000000000000000005700000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/tasks/_configure_x509auth.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- name: KEY-API | _configure_x509auth | Get a domain scoped token
keystone_v3:
endpoint: "{{ keystone_admin_endpoint }}/v3"
login_username: "{{ keystone_admin_user }}"
login_password: "{{ keystone_admin_user_pwd }}"
login_user_domain_name: "{{ keystone_default_domain }}"
login_domain_name: "{{ keystone_default_domain }}"
action: "token_get"
run_once: true
register: domain_scoped_token_result
- name: KEY-API | _configure_x509auth | Create IdP in the DB
keystone_federation:
login_token: "{{ domain_scoped_token_result.result }}"
endpoint: "{{ keystone_admin_endpoint }}/v3"
action: "create_identity_provider"
identity_provider_id: "{{ keystone_x509auth_conf.identity_provider.id }}"
description: "{{ keystone_x509auth_conf.identity_provider.description }}"
remote_id: "{{ keystone_x509auth_conf.remote_id }}"
run_once: true
tags:
- keystone
- name: KEY-API | _configure_x509auth | Create Mapping in the DB
keystone_federation:
login_token: "{{ domain_scoped_token_result.result }}"
endpoint: "{{ keystone_admin_endpoint }}/v3"
action: "create_mapping"
mapping_id: "{{ keystone_x509auth_conf.mapping.id }}"
rules: "{{ lookup('file', keystone_x509auth_conf.mapping.rules_file) }}"
run_once: true
tags:
- keystone
- name: KEY-API | _configure_x509auth | Create Protocol in the DB
keystone_federation:
login_token: "{{ domain_scoped_token_result.result }}"
endpoint: "{{ keystone_admin_endpoint }}/v3"
action: "create_protocol"
protocol_id: "{{ keystone_x509auth_conf.protocol.id }}"
identity_provider_id: "{{ keystone_x509auth_conf.identity_provider.id }}"
mapping_id: "{{ keystone_x509auth_conf.mapping.id }}"
run_once: true
tags:
- keystone
- name: KEY-API | _configure_x509auth | Create trusted CA certificate file
copy:
dest: "/etc/ssl/private/cacert.pem"
src: "{{ keystone_x509auth_conf.ca_file }}"
owner: "root"
group: "root"
mode: 0644
become: yes
tags:
- keystone
- name: KEY-API | _configure_x509auth |
Create Symlink for Keystone sso_callback_template from venv
file:
src: "{{ keystone_venv_dir }}/usr/share/keystone/{{ item }}"
dest: "{{ keystone_conf_dir }}/{{ item }}"
owner: "{{ keystone_user }}"
group: "{{ keystone_group }}"
state: link
mode: 0644
with_items:
- sso_callback_template.html
become: yes
tags:
- keystone
07070100000045000081A40000000000000000000000015DC451BB00000595000000000000000000000000000000000000005700000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/tasks/_create_fernet_keys.yml#
# (c) Copyright 2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: KEY-API | _create_fernet_keys | Check Fernet Keys
become: yes
stat:
path: "{{ keystone_fernet_dir }}/0"
register: check_fernet_key_result
tags:
- keystone
- name: KEY-API | _create_fernet_keys | Setup Fernet Keys
become: yes
become_user: "{{ keystone_user }}"
command: >
{{ keystone_bin_dir }}/keystone-manage fernet_setup
--keystone-user {{ keystone_user }}
--keystone-group {{ keystone_group }}
when: not check_fernet_key_result.stat.exists
tags:
- keystone
- name: KEY-API | _create_fernet_keys | Rotate Fernet Keys
become: yes
become_user: "{{ keystone_user }}"
command: >
{{ keystone_bin_dir }}/keystone-manage fernet_rotate
--keystone-user {{ keystone_user }}
--keystone-group {{ keystone_group }}
when: not check_fernet_key_result.stat.exists
tags:
- keystone
07070100000046000081A40000000000000000000000015DC451BB000004D4000000000000000000000000000000000000005400000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/tasks/_create_rc_files.yml#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
- name: KEY-API | _create_rc_files | Copy stackrc file
template:
src: "{{ item }}"
dest: "{{ ardanauser_home }}"
owner: "{{ ardanauser }}"
group: "{{ ardanauser }}"
mode: 0600
with_items:
- keystone.osrc
- service.osrc
tags:
- keystone
- name: KEY-API | _create_rc_files | Copy stackrc file to deployer
template:
src: "{{ item }}"
dest: "{{ ardanauser_home }}"
owner: "{{ ardanauser }}"
group: "{{ ardanauser }}"
mode: 0600
delegate_to: localhost
with_items:
- keystone.osrc
- service.osrc
tags:
- keystone
07070100000047000081A40000000000000000000000015DC451BB000003D5000000000000000000000000000000000000005B00000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/tasks/_distribute_fernet_keys.yml#
# (c) Copyright 2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- name: KEY-API | _distribute_fernet_keys | Distribute Fernet key dir
become: yes
become_user: "{{ keystone_user }}"
synchronize:
src: "{{ keystone_fernet_dir }}"
dest: "{{ keystone_fernet_dir }}"
archive: yes
delete: yes
compress: yes
set_remote_user: no
when: inventory_hostname != fernet_master_node
delegate_to: "{{ fernet_master_node }}"
tags:
- keystone
07070100000048000081A40000000000000000000000015DC451BB00000967000000000000000000000000000000000000007100000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/tasks/_distribute_ssh_keys_for_fernet_distributions.yml#
# (c) Copyright 2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: KEY-API | _distribute_ssh_keys_for_fernet_distributions |
Read the Fernet dist ssh public key
become: yes
command: cat {{ keystone_home_dir }}/.ssh/id_rsa.pub
register: keystone_ssh_pub_key_result
delegate_to: "{{ fernet_master_node }}"
tags:
- keystone
# NOTE(gyee): we first restrict the command to 'date' so the next task
# can add the host fingerprint to the known_hosts file of the master.
- name: KEY-API | _distribute_ssh_keys_for_fernet_distributions |
Add dist public key to authorized_keys
become: yes
authorized_key:
user: "{{ keystone_user }}"
state: present
key: "{{ keystone_ssh_pub_key_result.stdout }}"
key_options: >
command="date"
tags:
- keystone
# NOTE(gyee): by do this we are adding the host key for the given host
# to the Fernet master node's known_hosts file so that we don't have
# to turn off strict host key checking later when we are doing Fernet
# key synchronization.
- name: KEY-API | _distribute_ssh_keys_for_fernet_distributions |
generate SSH host key
become: yes
become_user: "{{ keystone_user }}"
command: >
ssh -o StrictHostKeyChecking=no
{{ host.bind['KEY_API'].internal.ip_address }} date
delegate_to: "{{ fernet_master_node }}"
tags:
- keystone
# NOTE(gyee): we are restricting the given SSH key for the singular purpose
# of Fernet key distribution. Anything else will require explicit permission.
- name: KEY-API | _distribute_ssh_keys_for_fernet_distributions |
Add dist public key to authorized_keys
become: yes
authorized_key:
user: "{{ keystone_user }}"
state: present
key: "{{ keystone_ssh_pub_key_result.stdout }}"
key_options: >
command="rsync --server -vlogDtprze.iLsC
--delete . {{ keystone_fernet_dir }}"
tags:
- keystone
07070100000049000081A40000000000000000000000015DC451BB00000498000000000000000000000000000000000000005C00000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/tasks/_find_fernet_master_node.yml#
# (c) Copyright 2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- name: KEY-API | _find_fernet_master_node | Check for fernet key rotation job
become: yes
stat:
path: "{{ keystone_fernet_rotate_cron_script }}"
register: fernet_key_rotation_cron_script_result
tags:
- keystone
# a node is considered the master node if it has fernet token key rotation
# cron job active
- name: KEY-API | _find_fernet_master_node | Set fernet key rotation master
set_fact:
found_fernet_master_node: "{{ item }}"
when: hostvars[item]['fernet_key_rotation_cron_script_result']['stat']['exists']
with_items: "{{ keystone_hosts }}"
tags:
- keystone
0707010000004A000081A40000000000000000000000015DC451BB00000876000000000000000000000000000000000000005C00000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/tasks/_reconfigure_credentials.yml#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
- name: KEY-API | _reconfigure_credentials | Get a domain scoped token
keystone_v3:
endpoint: "{{ keystone_internal_endpoint }}/v3"
login_username: "{{ keystone_admin_user }}"
login_password: "{{ keystone_old_admin_pwd | quote }}"
login_user_domain_name: "{{ keystone_default_domain }}"
login_domain_name: "{{ keystone_default_domain }}"
action: "token_get"
register: domain_scoped_token_result
when: KEY_API.old_vars.keystone_admin_pwd is defined
run_once: true
ignore_errors: true
# Reset keystone admin user's default password
- name: KEY-API | _reconfigure_credentials | Reset keystone admin user's password
keystone_v3:
login_token: "{{ domain_scoped_token_result.result }}"
endpoint: "{{ keystone_internal_endpoint }}/v3"
action: "reset_password_by_admin"
user_name: "{{ keystone_admin_user }}"
user_password: "{{ keystone_admin_user_pwd }}"
user_domain_name: "{{ keystone_default_domain }}"
when: domain_scoped_token_result | success
run_once: true
- name: KEY-API | _reconfigure_credentials | Validate admin user's password
keystone_v3:
endpoint: "{{ keystone_internal_endpoint }}/v3"
login_username: "{{ keystone_admin_user }}"
login_password: "{{ keystone_admin_user_pwd | quote }}"
login_user_domain_name: "{{ keystone_default_domain }}"
login_domain_name: "{{ keystone_default_domain }}"
action: "token_get"
when: KEY_API.old_vars.keystone_admin_pwd is defined
run_once: true
- include: _create_rc_files.yml
0707010000004B000081A40000000000000000000000015DC451BB000004B0000000000000000000000000000000000000005B00000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/tasks/_set_fernet_master_node.yml#
# (c) Copyright 2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
# see if fernet master node alread exist
- include: _find_fernet_master_node.yml
# If the master node exist, fernet_master_node should be defined. Otherwise,
# we'll designate the first node as the master node.
- name: KEY-API | _set_fernet_master_node | Set Fernet master node
set_fact:
fernet_master_node: "{{ keystone_hosts[0] }}"
when: found_fernet_master_node is undefined
tags:
- keystone
- name: KEY-API | _set_fernet_master_node | Set found Fernet master node
set_fact:
fernet_master_node: "{{ found_fernet_master_node }}"
when: found_fernet_master_node is defined
tags:
- keystone
0707010000004C000081A40000000000000000000000015DC451BB00000669000000000000000000000000000000000000005F00000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/tasks/_setup_fernet_auto_rotation.yml#
# (c) Copyright 2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: KEY-API | _setup_fernet_auto_rotation | Setup the auto rotation script
become: yes
template:
src: "{{ keystone_fernet_auto_rotation_script_name}}.j2"
dest: "{{ keystone_fernet_auto_rotation_script }}"
owner: "{{ keystone_user }}"
group: "{{ keystone_group }}"
mode: 0750
when: inventory_hostname == fernet_master_node
tags:
- keystone
- name: KEY-API | _setup_fernet_auto_rotation | Create auto rotation cron job
become: yes
cron:
name: "Fernet token auto rotation job"
special_time: "{{ keystone_fernet_rotation }}"
user: "{{ keystone_user }}"
job: "{{ keystone_fernet_auto_rotation_script }}"
cron_file: keystone-fernet-rotate
state: present
when: inventory_hostname == fernet_master_node
tags:
- keystone
- name: KEY-API | _setup_fernet_auto_rotation | Remove extra auto rotation jobs
become: yes
cron:
name: "Fernet token auto rotation job"
cron_file: keystone-fernet-rotate
state: absent
when: inventory_hostname != fernet_master_node
tags:
- keystone
0707010000004D000081A40000000000000000000000015DC451BB000005CE000000000000000000000000000000000000005A00000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/tasks/_setup_revocation_cron.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- name: KEY-API | configure | Add token cleanup to crontab
cron:
name: "keystone token cleanup"
hour: "1"
minute: 1
job: "{{ keystone_bin_dir }}/keystone-manage token_flush"
state: present
become: yes
run_once: True
tags:
- keystone
- name: KEY-API | configure | Copy revocation_event cleanup cron job
template:
src: "revocation_cleanup.j2"
dest: "{{ keystone_bin_dir }}/revocation_cleanup.sh"
owner: "{{ keystone_user }}"
group: "{{ keystone_group }}"
mode: 0755
become: yes
tags:
- keystone
- name: KEY-API | configure | Add revocation cleanup to crontab
cron:
name: "keystone revocation cleanup"
hour: "1,5,10,15,20"
minute: 1
job: "{{ keystone_bin_dir }}/revocation_cleanup.sh"
state: present
become: yes
run_once: True
tags:
- keystone
0707010000004E000081A40000000000000000000000015DC451BB0000031D000000000000000000000000000000000000005E00000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/tasks/_stop_fernet_auto_rotation.yml#
# (c) Copyright 2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: KEY-API | _stop_fernet_auto_rotation | Stop auto rotation jobs
become: yes
cron:
name: "Fernet token auto rotation job"
cron_file: keystone-fernet-rotate
state: absent
tags:
- keystone
0707010000004F000081A40000000000000000000000015DC451BB00000525000000000000000000000000000000000000006000000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/tasks/_update_log_file_permissions.yml#
# (c) Copyright 2017 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
- name: KEY-API | _update_log_file_permissions | Update the file permissions for shibd log files
become: yes
file:
path: "{{ item }}"
owner: "{{ shibd_user }}"
group: "{{ adm_group_name }}"
mode: "u+rw,g+r,o-rwx"
state: directory
recurse: yes
with_items:
- "{{ shibd_log_dir }}"
- "{{ shibd_www_log_dir }}"
tags:
- keystone
- name: KEY-API | _update_log_file_permissions | Update the file permissions for keystone log files
become: yes
file:
path: "{{ keystone_log_dir }}"
owner: "keystone"
group: "{{ adm_group_name }}"
mode: "u+rw,g+r,o-rwx"
state: directory
recurse: yes
tags:
- keystone
07070100000050000081A40000000000000000000000015DC451BB00000F3E000000000000000000000000000000000000005100000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/tasks/_venv_install.yml#
# (c) Copyright 2015-2017 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- name: KEY-API | _venv_install | Update the venv Cache
install_package:
cache: update
become: yes
tags:
- keystone
- name: KEY-API | _venv_install | Install Keystone
install_package:
name: keystone
service: keystone
state: present
activate: act_off
become: yes
register: keystone_venv_install_result
tags:
- keystone
- name: KEY-API | _venv_install | Set facts about the venv
set_fact:
keystone_venv_install_conf_dir: "{{ 'keystone' |
config_dir(keystone_venv_install_result.version) }}"
keystone_venv_install_share_dir: "{{ 'keystone' |
share_dir(keystone_venv_install_result.version) }}/"
keystone_bin_dir: "{{ 'keystone' |
bin_dir(keystone_venv_install_result.version) }}/"
- name: KEY-API | _venv_install | Debug venv variable
debug: var=keystone_venv_install_result
tags:
- keystone
- keystone_debug
when: keystone_debug is defined
run_once: True
- name: KEY-API | _venv_install | Activate the Venv
become: yes
install_package:
name: keystone
service: keystone
activate: act_on
version: "{{ keystone_venv_install_result.version }}"
when: keystone_venv_install_result is defined
register: ardana_notify_keystone_change
tags:
- keystone
- name: KEY-API | _venv_install | Copies file to venv conf dir
template:
src: "{{ item.src }}"
dest: "{{ keystone_venv_install_conf_dir }}/{{ item.dest }}"
owner: "{{ keystone_user }}"
group: "{{ keystone_group }}"
mode: 0600
with_items:
- { src: keystone-paste.ini.j2 , dest: keystone-paste.ini }
- { src: policy.v3cloudsample.json , dest: policy.json }
- { src: keystone.conf.j2 , dest: keystone.conf }
- { src: logging.conf.j2 , dest: logging.conf }
become: yes
register: ardana_notify_keystone_change
tags:
- keystone
- name: KEY-API | _venv_install | Create symbolic link for startup file
become: yes
file:
src: "{{ keystone_bin_dir }}/keystone-wsgi-public"
dest: "/var/www/keystone/{{ item }}"
owner: root
group: "{{ keystone_group }}"
state: link
with_items:
- main
tags:
- keystone
- name: KEY-API | _venv_install | Create symbolic link for startup file
become: yes
file:
src: "{{ keystone_bin_dir }}/keystone-wsgi-admin"
dest: "/var/www/keystone/{{ item }}"
owner: root
group: "{{ keystone_group }}"
state: link
with_items:
- admin
tags:
- keystone
# Temporary patch to enable upgrade from Beta1 to Beta 2 without
# manual workaround
- name: KEY-API | _venv_install | Remove the files that are in Beta 1
file:
path: "{{ keystone_conf_dir }}/{{ item }}"
state: absent
with_items:
- keystone.conf
- logging.conf
- policy.json
- keystone-paste.ini
become: yes
ignore_errors: True
tags:
- keystone
- name: KEY-API | _venv_install | Create Symlinks for other config files from install
become: yes
file:
src: "{{ keystone_venv_install_conf_dir }}/{{ item }}"
dest: "{{ keystone_conf_dir }}/{{ item }}"
owner: "{{ keystone_user }}"
group: "{{ keystone_group }}"
state: link
with_items:
- keystone-paste.ini
- keystone.conf
- logging.conf
- policy.json
tags:
- keystone
07070100000051000081A40000000000000000000000015DC451BB00000320000000000000000000000000000000000000004D00000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/tasks/configure.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- include: _apply_configuration_changes.yml
- include: _create_rc_files.yml
- include: _setup_revocation_cron.yml
- include: configure_features.yml
07070100000052000081A40000000000000000000000015DC451BB00000781000000000000000000000000000000000000005600000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/tasks/configure_features.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- include: _configure_deployment_options.yml
- include: _configure_ldap.yml
when: keystone_domainldap_conf is defined
- include: _configure_ldap_certs.yml
when: keystone_domainldap_certs is defined
- include: _configure_auditing.yml
- name: KEY-API | configure_features | Check Fernet token configuration prereq
debug:
msg: >-
WARNING: Then number of play hosts does not match the number of Keystone
API hosts. It is possible that the --limit option was used in the play.
The use of --limit option is not supported when configuring the
Fernet token feature. Fernet token configuration will be skipped.
when: keystone_configure_fernet and
vars['play_hosts'] | length != keystone_hosts | length
- include: _configure_fernet.yml
when: keystone_configure_fernet and
vars['play_hosts'] | length == keystone_hosts | length
- include: _configure_federation_sp.yml
when: keystone_trusted_idp is defined and keystone_trusted_idp == "k2k"
- include: _configure_k2k_idp.yml
when: keystone_k2k_idp_conf is defined
- include: _configure_websso_with_adfs.yml
when: keystone_trusted_idp is defined and keystone_trusted_idp == "adfs"
- include: _configure_x509auth.yml
when: keystone_x509auth_conf is defined
07070100000053000081A40000000000000000000000015DC451BB000003F2000000000000000000000000000000000000005000000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/tasks/db_configure.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- name: KEY-API | db_configure | Sync Keystone DB
command: >
"{{ keystone_bin_dir }}/keystone-manage"
--config-file "{{ keystone_venv_install_conf_dir }}/keystone.conf"
--log-config "{{ keystone_venv_install_conf_dir }}/logging.conf"
db_sync
run_once: true
become: yes
become_user: "{{ keystone_user }}"
tags:
- keystone
07070100000054000081A40000000000000000000000015DC451BB000011DB000000000000000000000000000000000000004B00000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/tasks/install.yml#
# (c) Copyright 2015-2017 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
# Some of these libraries are already in base node install. No harm listing here
# python-httplib2 is an ansible dependency for the module uri
- name: KEY-API | install | Install keystone dependencies
become: yes
package:
state: present
name: "{{ item }}"
with_items: key_api_packages
tags:
- keystone
# TODO(fergal) - remove this extra package install action once the legacy
# CI process includes the xmlsec1 and its dependent package(s).
- name: KEY-API | install | Install non-legacy keystone dependencies
become: yes
package:
state: present
name: "{{ item }}"
with_items:
- xmlsec1
- libxmlsec1-openssl1
when:
- not (deployer_media_legacy_layout | bool)
tags:
- keystone
- name: KEY-API | install | Add group '{{ keystone_group }}'
become: yes
group:
name: "{{ keystone_group }}"
state: present
tags:
- keystone
- name: KEY-API | install | Check to see if keystone user already exist
become: yes
getent:
database: passwd
key: "{{ keystone_user }}"
fail_key: no
tags:
- keystone
# If keystone user already exist, that means we are in the upgrade
# situation. In that case, we must stop any process that is owned by
# the keystone user before making usermod.
- name: KEY-API | install | Stop any process owned by keystone user
include: stop.yml
when: getent_passwd[keystone_user] is not none
- name: KEY-API | install | Wait for keystone owned processes to exit
wait_for:
timeout: 30
when: getent_passwd[keystone_user] is not none
# NOTE(gyee): we are setting keystone user shell to '/bin/bash/ in order
# to enable keystone user to do rsync over ssh for Fernet key distribution.
- name: KEY-API | install | Add user '{{ keystone_user }}'
become: yes
user:
name: "{{ keystone_user }}"
group: "{{ keystone_group }}"
createhome: yes
home: "{{ keystone_home_dir }}"
generate_ssh_key: yes
shell: /bin/bash
state: present
register: ardana_notify_keystone_change
tags:
- keystone
- name: KEY-API | install | Update keystone user home dir permission
become: yes
file:
path: "{{ keystone_home_dir }}"
mode: 0750
state: directory
tags:
- keystone
- name: KEY-API | install | Create /etc/keystone directory
become: yes
file:
path: "{{ item.name }}"
owner: "{{ keystone_user }}"
group: "{{ keystone_group }}"
mode: "{{ item.mode }}"
state: directory
recurse: yes
with_items:
- { name: "{{ keystone_conf_dir }}", mode: "u+rwx,g+rx,o+rx" }
- { name: "{{ keystone_conf_dir }}/ssl/certs", mode: "u+rwx,g-rwx,o-rwx" }
- { name: "{{ keystone_conf_dir }}/domains", mode: "u+rwx,g-rwx,o-rwx" }
- { name: "{{ keystone_fernet_dir }}", mode: "u+rwx,g-rwx,o-rwx" }
tags:
- keystone
- name: KEY-API | install | Create logging directory
become: yes
file:
path: "{{ keystone_log_dir }}"
owner: "{{ keystone_user }}"
group: "{{ keystone_group }}"
mode: 0775
state: directory
tags:
- keystone
- name: KEY-API | install | Create /var/www/keystone directory
become: yes
file:
path: /var/www/keystone
owner: "{{ keystone_user }}"
group: "{{ keystone_group }}"
mode: 0755
state: directory
tags:
- keystone
# These two tasks are repeated so that it doesn't restart
# when u run keystone-deploy twice
- name: KEY-API | install | Set facts for virtual install
set_fact:
override_virtual_install: "{{ True if is_baremetal_install == 'False' and
(ansible_memtotal_mb < 47000) and
(keystone_wsgi_admin_process_count == keystone_default_process_count)
else False }}"
- name: KEY-API | install | Override process counts for virtual install
set_fact:
keystone_wsgi_admin_process_count: 2
keystone_wsgi_public_process_count: 2
keystone_wsgi_socket_timeout: 120
when: override_virtual_install
- include: _venv_install.yml
07070100000055000081A40000000000000000000000015DC451BB000002EC000000000000000000000000000000000000004800000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/tasks/main.yml#
# (c) Copyright 2017 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- name: KEY-API | main | Set os-specific variables
include_vars: "{{ ansible_os_family | lower }}.yml"
07070100000056000081A40000000000000000000000015DC451BB00000321000000000000000000000000000000000000004F00000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/tasks/reconfigure.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- include: _apply_configuration_changes.yml
- include: _create_rc_files.yml
- include: _setup_revocation_cron.yml
- include: configure_features.yml
07070100000057000081A40000000000000000000000015DC451BB0000065E000000000000000000000000000000000000004B00000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/tasks/restart.yml#
# (c) Copyright 2016-2017 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
# reset the keystone log file ownership and permission on restart
- include: _update_log_file_permissions.yml
- name: KEY-API | restart | Touch the startup so that keystone is restarted
become: yes
file:
path: "{{ keystone_bin_dir }}/keystone-wsgi-public"
owner: root
group: root
state: touch
mode: 0664
tags:
- keystone
- name: KEY-API | restart | Touch the startup so that keystone is restarted
become: yes
file:
path: "{{ keystone_bin_dir }}/keystone-wsgi-admin"
owner: root
group: root
state: touch
mode: 0664
tags:
- keystone
- name: KEY-API | restart | Make sure keystone is up and responding
uri:
url: "{{ keystone_internal_endpoint }}"
status_code: 300
timeout: 20
register: keystone_version_status_result
until: keystone_version_status_result.status is defined and
keystone_version_status_result.status == 300
delay: 10
retries: 3
run_once: true
tags:
- keystone
07070100000058000081A40000000000000000000000015DC451BB000013B4000000000000000000000000000000000000004900000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/tasks/start.yml#
# (c) Copyright 2015-2017 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
# reset keystone log file ownership and permission on every restart
- include: _update_log_file_permissions.yml
# Set the fact for restart based on ardana_notify
- name: KEY-API | start | Set fact to start based on ardana_notify_fact
set_fact:
keystone_restart_required: True
when: ardana_notify_keystone_change is defined and
ardana_notify_keystone_change.changed
- name: KEY-API | start | Enable keystone-modwsgi vhost
become: yes
file:
src: "{{ apache2_vhost_dir }}/keystone-modwsgi.vhost"
dest: "{{ apache2_vhost_dir }}/keystone-modwsgi.conf"
state: link
tags: keystone
register: ardana_notify_keystone_apache_restart
- name: KEY-API | start | Set fact to restart Apache
set_fact:
keystone_restart_required: True
when: >-
ardana_notify_keystone_apache_restart is defined
and ardana_notify_keystone_apache_restart.changed
- include: "{{ playbook_dir }}/roles/FND-AP2/tasks/start_reload.yml"
vars:
apache_reload_requested: False
apache_restart_requested: "{{ keystone_restart_required }}"
- name: KEY-API | start | Restart shibd
become: yes
service:
name: shibd
state: restarted
tags:
- keystone
- name: KEY-API | start | Wait for keystone to become active
become: yes
wait_for:
host: "{{ keystone_internal_listen_ip }}"
port: "{{ item }}"
state: "started"
timeout: 60
with_items:
- "{{ keystone_admin_port }}"
- "{{ keystone_internal_port }}"
tags:
- keystone
- name: KEY-API | start | Make sure keystone is up and responding
uri:
url: "{{ keystone_internal_endpoint }}"
status_code: 300
timeout: 20
register: keystone_version_status_result
until: keystone_version_status_result.status is defined and
keystone_version_status_result.status == 300
delay: 10
retries: 3
run_once: true
ignore_errors: true
tags:
- keystone
# Debug Keystone start/resonding issues by the followings:
# This is usually the first point at which we'll hit SSL cert
# issues. If you still observe cert connection info above, then
# failure at this point may not be related to cert issues.
# you don't see cert connection info above, then failure may
# be related to cert issue.
# If the output is blank it implies the internal VIP can't be reached.
- name: KEY-API | start | Debug keystone cert if appropriate
run_once: true
command: >
timeout 10 openssl s_client -CAfile {{ trusted_ca_bundle }}
-connect {{ keystone_internal_vip_host }}:{{ keystone_internal_vip_port }}
register: keystone_cert_result
ignore_errors: true
when: not (keystone_version_status_result.status is defined
and keystone_version_status_result.status == 300)
tags:
- keystone
- name: KEY-API | start | Report cert debug hint - internal VIP
run_once: true
fail:
msg="Error-Internal VIP
{{ keystone_internal_vip_host }}:{{ keystone_internal_vip_port }}
can't be reached."
ignore_errors: true
when: not (keystone_version_status_result.status is defined
and keystone_version_status_result.status == 300) and
(keystone_cert_result.stdout_lines | length == 0)
tags:
- keystone
- name: KEY-API | start | Report cert debug - cert connection result
run_once: true
ignore_errors: true
debug:
var: keystone_cert_result.stdout_lines
when: not (keystone_version_status_result.status is defined
and keystone_version_status_result.status == 300) and
(keystone_cert_result.stdout_lines | length > 0)
tags:
- keystone
- name: KEY-API | start | Report cert debug - hint
run_once: true
ignore_errors: true
debug:
msg="Certificate debug Hint -
If you still observe cert connection info above,
then failure at this point may not be related to cert issues.
If you don't see cert connection info above, then failure may
be related to cert issue."
when: not (keystone_version_status_result.status is defined
and keystone_version_status_result.status == 300) and
(keystone_cert_result.stdout_lines | length > 0)
tags:
- keystone
- name: KEY-API | start | Report keystone error status result
fail: msg="{{ keystone_version_status_result }}"
when: not (keystone_version_status_result.status is defined
and keystone_version_status_result.status == 300)
tags:
- keystone
07070100000059000081A40000000000000000000000015DC451BB0000045F000000000000000000000000000000000000004A00000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/tasks/status.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- name: KEY-API | status | include required variables
include_vars: roles/keystone-common/defaults/keystone_admin.yml
- name: KEY-API | status | Register keystone status
uri:
url: "http://{{ keystone_admin_listen_ip }}:{{ keystone_admin_port }}"
status_code: 300
timeout: 300
register: keystone_status_result
until: keystone_status_result is defined and
keystone_status_result.status == 300
delay: 20
retries: 6
tags:
- keystone
0707010000005A000081A40000000000000000000000015DC451BB00000434000000000000000000000000000000000000004800000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/tasks/stop.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- name: KEY-API | stop | Disable keystone vhost
become: yes
file:
state: absent
path: "{{ apache2_vhost_dir }}/keystone-modwsgi.conf"
- name: KEY-API | stop | Reload Apache2 so that keystone is stopped
become: yes
service: name=apache2 state=reloaded
tags:
- keystone
- name: KEY-API | stop | Stop shibd service for Keystone
become: yes
service: name=shibd state=stopped
tags:
- keystone
0707010000005B000041ED0000000000000000000000025DC451BB00000000000000000000000000000000000000000000004300000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/templates0707010000005C000081A40000000000000000000000015DC451BB0000069D000000000000000000000000000000000000005800000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/templates/attribute-map.xml.j2{#
#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
#}
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<!--
The mappings are a mix of SAML 1.1 and SAML 2.0 attribute names agreed to within the Shibboleth
community. The non-OID URNs are SAML 1.1 names and most of the OIDs are SAML 2.0 names, with a
few exceptions for newer attributes where the name is the same for both versions. You will
usually want to uncomment or map the names for both SAML versions as a unit.
-->
<!-- Default attributes -->
<Attribute name="openstack_user" id="openstack_user"/>
<Attribute name="openstack_user_domain" id="openstack_user_domain"/>
<Attribute name="openstack_roles" id="openstack_roles"/>
<Attribute name="openstack_project" id="openstack_project"/>
<Attribute name="openstack_project_domain" id="openstack_project_domain"/>
<!-- Please don't make any chances to this comment and the one below, this is a SHIBD TEMPLATE used by the playbook. -->
<!-- Custom attributes -->
</Attributes>
0707010000005D000081A40000000000000000000000015DC451BB00000729000000000000000000000000000000000000006000000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/templates/keystone-fernet-rotate.sh.j2#!/usr/bin/env bash
#
# NOTE: this script was borrowed from upstream
#
# https://github.com/openstack/openstack-ansible-os_keystone/blob/master/
# templates/keystone-fernet-rotate.sh.j2
#
# Copyright 2015, Rackspace US, Inc.
# (c) Copyright 2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
function autorotate {
# Rotate the keys
{{ keystone_bin_dir }}/keystone-manage fernet_rotate \
--keystone-user "{{ keystone_user }}" \
--keystone-group "{{ keystone_group }}"
{% for host in keystone_hosts %}
{% if inventory_hostname != host %}
# Fernet sync job to "{{ host }}"
rsync -avz \
--delete \
{{ keystone_fernet_dir }}/ \
{{ keystone_user }}@{{ hostvars[host].host.bind.KEY_API.internal.ip_address }}:{{ keystone_fernet_dir }}/
{%- endif %}
{%- endfor %}
}
if [ "$(id -u)" == "0" ];then
# Change the script context to always execute as the "{{ keystone_user }}" user.
su - "{{ keystone_user }}" -s "/bin/bash" -c bash << EOC
{{ keystone_fernet_auto_rotation_script }}
EOC
elif [ "$(whoami)" == "{{ keystone_user }}" ];then
logger $(autorotate)
else
echo "Failed - you do not have permission to rotate, or you've executed the job as the wrong user."
exit 99
fi
0707010000005E000081A40000000000000000000000015DC451BB00001769000000000000000000000000000000000000005C00000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/templates/keystone-modwsgi.conf.j2{#
#
# (c) Copyright 2015-2017 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
#}
Listen {{ keystone_admin_listen_ip }}:{{ keystone_admin_port }}
listen {{ keystone_public_listen_ip }}:{{ keystone_public_port }}
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes={{ keystone_wsgi_admin_process_count }} threads=1 socket-timeout={{ keystone_wsgi_socket_timeout }} user={{ keystone_user }} group={{ keystone_group }} python-path={{ keystone_venv_dir }}:{{
keystone_venv_dir }}/lib/python2.7/site-packages/ display-name={{ keystone_group }}-admin
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /var/www/keystone/admin
WSGIApplicationGroup %{GLOBAL}
KeepAlive off
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
LogFormat "%h:%p %u %t \"%r\" %>s \"%{Referer}i\" \"%{User-Agent}i\" \"%{x-openstack-request-id}i\" %X took %D micro sec" log_format
LogFormat "%{X-Forwarded-For}i:%p %u %t \"%r\" %>s \"%{Referer}i\" \"%{User-Agent}i\" \"%{x-openstack-request-id}i\" %X took %D micro sec" log_format_proxy
SetEnvIf Request_URI "^" any_request=1
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded=1
# Identify load balance health check requests
SetEnvIf Request_Method "^LBCHK$" lb-ping=1
# Assuming all the monitoring pings from HAProxy are configured with the X-HAProxy-Ping header set to "true"
SetEnvIfNoCase X-HAProxy-Ping "true" proxy-ping=1
# turn off any_request if this forwarded or proxy-ping or lb-ping
SetEnvIf proxy-ping 1 !any_request
SetEnvIf forwarded 1 !any_request
SetEnvIf lb-ping 1 !any_request
# turn off forwarded if proxy-ping or lb-ping
SetEnvIf proxy-ping 1 !forwarded
SetEnvIf lb-ping 1 !forwarded
# separated log files
ErrorLog {{ keystone_log_dir }}/keystone_modwsgi.log
CustomLog {{ keystone_log_dir }}/keystone_access.log log_format env=any_request
CustomLog {{ keystone_log_dir }}/keystone_access.log log_format_proxy env=forwarded
CustomLog {{ keystone_log_dir }}/keystone_monitoring.log log_format_proxy env=proxy-ping
CustomLog {{ keystone_log_dir }}/keystone_monitoring.log log_format env=lb-ping
# pass TLS attributes from haproxy
SetEnvIf X-SSL-Issuer "^(.*)$" SSL_CLIENT_I_DN=$0
SetEnvIf X-SSL-Issuer-CN "^(.*)$" SSL_CLIENT_I_DN_CN=$0
SetEnvIf X-SSL-Client-CN "^(.*)$" SSL_CLIENT_S_DN_CN=$0
SetEnvIf X-SSL-Client-O "^(.*)$" SSL_CLIENT_S_DN_O=$0
</VirtualHost>
<VirtualHost *:5000>
ServerName {{ keystone_public_endpoint }}
WSGIDaemonProcess keystone-main processes={{ keystone_wsgi_public_process_count }} threads=1 socket-timeout={{ keystone_wsgi_socket_timeout }} user={{ keystone_user }} group={{ keystone_group }} python-path={{ keystone_venv_dir }}:{{
keystone_venv_dir }}/lib/python2.7/site-packages/ display-name={{ keystone_group }}-main
WSGIProcessGroup keystone-main
WSGIScriptAlias / /var/www/keystone/main
WSGIApplicationGroup %{GLOBAL}
KeepAlive off
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
LogFormat "%h:%p %u %t \"%r\" %>s \"%{Referer}i\" \"%{User-Agent}i\" \"%{x-openstack-request-id}i\" %X took %D micro sec" log_format
LogFormat "%{X-Forwarded-For}i:%p %u %t \"%r\" %>s \"%{Referer}i\" \"%{User-Agent}i\" \"%{x-openstack-request-id}i\" %X took %D micro sec" log_format_proxy
WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/keystone/main/$1
<Location /Shibboleth.sso>
SetHandler shib
</Location>
<LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
ShibRequestSetting requireSession 1
AuthType shibboleth
ShibRequireSession On
ShibExportAssertion Off
Require valid-user
</LocationMatch>
<Location /v3/auth/OS-FEDERATION/websso/saml2>
ShibRequestSetting requireSession 1
AuthType shibboleth
ShibRequireSession On
ShibExportAssertion Off
Require valid-user
</Location>
SetEnvIf Request_URI "^" any_request=1
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded=1
# Identify load balance health check requests
SetEnvIf Request_Method "^LBCHK$" lb-ping=1
# Assuming all the monitoring pings from HAProxy are configured with the X-HAProxy-Ping header set to "true"
SetEnvIfNoCase X-HAProxy-Ping "true" proxy-ping=1
# turn off any_request if this forwarded or proxy-ping or lb-ping
SetEnvIf proxy-ping 1 !any_request
SetEnvIf forwarded 1 !any_request
SetEnvIf lb-ping 1 !any_request
# turn off forwarded if proxy-ping or lb-ping
SetEnvIf proxy-ping 1 !forwarded
SetEnvIf lb-ping 1 !forwarded
# separated log files
ErrorLog {{ keystone_log_dir }}/keystone_modwsgi.log
CustomLog {{ keystone_log_dir }}/keystone_access.log log_format env=any_request
CustomLog {{ keystone_log_dir }}/keystone_access.log log_format_proxy env=forwarded
CustomLog {{ keystone_log_dir }}/keystone_monitoring.log log_format_proxy env=proxy-ping
CustomLog {{ keystone_log_dir }}/keystone_monitoring.log log_format env=lb-ping
# pass TLS attributes from haproxy
SetEnvIf X-SSL-Issuer "^(.*)$" SSL_CLIENT_I_DN=$0
SetEnvIf X-SSL-Issuer-CN "^(.*)$" SSL_CLIENT_I_DN_CN=$0
SetEnvIf X-SSL-Client-CN "^(.*)$" SSL_CLIENT_S_DN_CN=$0
SetEnvIf X-SSL-Client-O "^(.*)$" SSL_CLIENT_S_DN_O=$0
</VirtualHost>
0707010000005F000081A40000000000000000000000015DC451BB00000B70000000000000000000000000000000000000005900000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/templates/keystone-paste.ini.j2{#
#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
#}
# Keystone PasteDeploy configuration file.
[filter:debug]
use = egg:oslo.middleware#debug
[filter:request_id]
use = egg:oslo.middleware#request_id
[filter:build_auth_context]
use = egg:keystone#build_auth_context
[filter:token_auth]
use = egg:keystone#token_auth
[filter:json_body]
use = egg:keystone#json_body
[filter:cors]
use = egg:oslo.middleware#cors
oslo_config_project = keystone
[filter:http_proxy_to_wsgi]
use = egg:oslo.middleware#http_proxy_to_wsgi
[filter:ec2_extension]
use = egg:keystone#ec2_extension
[filter:ec2_extension_v3]
use = egg:keystone#ec2_extension_v3
[filter:s3_extension]
use = egg:keystone#s3_extension
[filter:url_normalize]
use = egg:keystone#url_normalize
[filter:sizelimit]
use = egg:oslo.middleware#sizelimit
[app:public_service]
use = egg:keystone#public_service
[app:service_v3]
use = egg:keystone#service_v3
[app:admin_service]
use = egg:keystone#admin_service
[pipeline:public_api]
# The last item in this pipeline must be public_service or an equivalent
# application. It cannot be a filter.
pipeline = cors sizelimit http_proxy_to_wsgi url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension public_service
[pipeline:admin_api]
# The last item in this pipeline must be admin_service or an equivalent
# application. It cannot be a filter.
pipeline = cors sizelimit http_proxy_to_wsgi url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service
[pipeline:api_v3]
# The last item in this pipeline must be service_v3 or an equivalent
# application. It cannot be a filter.
pipeline = cors sizelimit http_proxy_to_wsgi url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
[app:public_version_service]
use = egg:keystone#public_version_service
[app:admin_version_service]
use = egg:keystone#admin_version_service
[pipeline:public_version_api]
pipeline = cors sizelimit url_normalize public_version_service
[pipeline:admin_version_api]
pipeline = cors sizelimit url_normalize admin_version_service
[composite:main]
use = egg:Paste#urlmap
/v2.0 = public_api
/v3 = api_v3
/ = public_version_api
[composite:admin]
use = egg:Paste#urlmap
/v2.0 = admin_api
/v3 = api_v3
/ = admin_version_api
07070100000060000081A40000000000000000000000015DC451BB00000B49000000000000000000000000000000000000005400000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/templates/keystone.conf.j2{#
#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
#}
# This configuration file includes the default values for Ardana OpenStack
# Changes may be made to this file by the customer.
# Layout / order of settings in this file can be found:
# http://docs.openstack.org/kilo/config-reference/content/keystone-configuration-file.html
#
# Please don't change any values under curly braces
[DEFAULT]
log_config_append = {{ keystone_conf_dir }}/logging.conf
notification_format = cadf
notification_opt_out =
debug = {{ keystone_enable_debug | default(false) }}
insecure_debug = {{ keystone_enable_insecure_debug | default(false) }}
[oslo_messaging_notifications]
driver = noop
[oslo_messaging_rabbit]
rabbit_hosts = {{ keystone_rabbit_hosts_port_pair }}
rabbit_userid = "{{ keystone_rabbit_user }}"
rabbit_password = "{{ keystone_rabbit_password }}"
rabbit_use_ssl = {{ keystone_rabbit_use_ssl }}
[cache]
backend = oslo_cache.memcache_pool
enabled = True
memcache_servers = {{ memcached_servers }}
memcache_socket_timeout = 1
[database]
connection = {{ keystone_database_connection_string }}
# One connection per process which is active in the pool
min_pool_size = 1
[identity]
driver = sql
domain_config_dir = {{ keystone_conf_dir }}/domains
domain_specific_drivers_enabled = True
[resource]
admin_project_domain_name = {{ keystone_default_domain }}
admin_project_name = {{ keystone_cloudadmin_project }}
[token]
expiration = 14400
provider = {{ keystone_token_provider }}
[fernet_tokens]
key_repository ={{ keystone_fernet_dir }}
[auth]
methods = external,password,token,saml2,x509
[saml2]
remote_id_attribute = Shib-Identity-Provider
{% if HZN_WEB is defined %}
[federation]
trusted_dashboard = {{ HZN_WEB.advertises.vips.public[0].url }}/auth/websso/
trusted_dashboard = {{ HZN_WEB.advertises.vips.public[0].url | regex_replace('^(?P<protocol>.+)://(?P<host>.+):(?P<port>\\d+)$', '\\g<protocol>://\\g<host>') }}/auth/websso/
remote_id_attribute = SSL_CLIENT_I_DN_CN
{% endif %}
[saml]
certfile={{ keystone_conf_dir }}/idpcert.pem
keyfile={{ keystone_conf_dir }}/idpkey.pem
idp_entity_id={{ keystone_public_endpoint }}/v3/OS-FEDERATION/saml2/idp
idp_sso_endpoint={{ keystone_public_endpoint }}/v3/OS-FEDERATION/saml2/sso
idp_metadata_path={{ keystone_conf_dir }}/idp_metadata.xml
07070100000061000081A40000000000000000000000015DC451BB000004C4000000000000000000000000000000000000005100000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/templates/keystone.osrc{#
#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
#}
# Refer http://docs.openstack.org/developer/python-openstackclient/command-list.html
# Environment variables for keystone v3 API using openstack client
# Keystone requires domain scoped token
unset OS_PROJECT_NAME
unset OS_PROJECT_DOMAIN_NAME
export OS_IDENTITY_API_VERSION=3
export OS_USERNAME={{ keystone_admin_user }}
export OS_USER_DOMAIN_NAME=Default
export OS_PASSWORD={{ keystone_admin_user_pwd }}
export OS_DOMAIN_NAME=Default
export OS_AUTH_URL={{ keystone_internal_endpoint }}/v3
export OS_INTERFACE=internal
export OS_CACERT={{ trusted_ca_bundle }}
07070100000062000081A40000000000000000000000015DC451BB00000AC7000000000000000000000000000000000000005300000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/templates/logging.conf.j2{#
#
# (c) Copyright 2015-2017 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
#}
[loggers]
keys: root, iso8601, dogpile{%- if keystone_api_audit_enable|bool %}, audit{% endif %}
[handlers]
keys: watchedfile, logstash{%- if keystone_api_audit_enable|bool %}, auditfile{% endif %}
[formatters]
keys: debug,minimal, normal, logstash
###########
# Loggers #
###########
[logger_root]
qualname: root
handlers: watchedfile, logstash
level: NOTSET
[logger_iso8601]
qualname: iso8601
handlers: watchedfile, logstash
level: INFO
[logger_dogpile]
qualname: dogpile
handlers: watchedfile, logstash
level: INFO
{%- if keystone_api_audit_enable|bool %}
[logger_audit]
qualname: oslo.messaging.notification
handlers: auditfile
propagate: 0
level: INFO
{% endif %}
################
# Log Handlers #
################
# Writes to disk
[handler_watchedfile]
class: handlers.WatchedFileHandler
args: ('{{ keystone_log_dir }}/keystone.log',)
formatter = debug
level: {{ keystone_loglevel }}
# Writes JSON to disk, beaver will ship to logstash
[handler_logstash]
class: handlers.WatchedFileHandler
args: ('{{ keystone_log_dir }}/keystone-json.log',)
formatter= logstash
level: {{ keystone_logstash_loglevel }}
{%- if keystone_api_audit_enable|bool %}
# Writes to disk
[handler_auditfile]
class: handlers.WatchedFileHandler
args: ('{{ keystone_audit_log_base_location }}/keystone/keystone-audit.log', 'a', None, True)
formatter = minimal
level: INFO
{% endif %}
##################
# Log Formatters #
##################
[formatter_minimal]
format=%(message)s
[formatter_normal]
format=(%(name)s): %(asctime)s %(levelname)s %(message)s
[formatter_debug]
format=%(process)d (%(name)s): %(asctime)s %(levelname)s %(module)s %(funcName)s %(message)s
# datefmt must be set otherwise you end up with too many (msecs) fields
[formatter_context]
class: oslo_log.formatters.ContextFormatter
args: (datefmt=datefmt)
format: %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user)s %(tenant)s] %(instance)s%(message)s
datefmt: %Y-%m-%d %H:%M:%S
# the "format" attr actually sets the "type"
[formatter_logstash]
class = logstash.LogstashFormatterVersion1
format = keystone
07070100000063000081A40000000000000000000000015DC451BB00003F29000000000000000000000000000000000000005D00000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/templates/policy.v3cloudsample.json{#
#
# (c) Copyright 2015-2017 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
#}
{
"admin_required": "role:admin",
"cloud_admin": "rule:admin_required and (is_admin_project:True or domain_id:{{keystone_admin_domain_id}})",
"service_role": "role:service",
"service_or_admin": "rule:admin_required or rule:service_role",
"owner" : "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
"domain_admin": "rule:admin_required and domain_id:%(target.token.user.domain.id)s",
"admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
"admin_or_cloud_admin": "rule:admin_required or rule:cloud_admin",
"admin_and_matching_domain_id": "(rule:admin_required and domain_id:%(domain_id)s) or rule:domain_admin",
"service_admin_or_owner": "rule:service_or_admin or rule:owner",
"default": "rule:admin_required",
"domain_observer": "role:{{ keystone_domain_observer_role }} and token.project.domain.id:{{keystone_admin_domain_id}}",
"identity:get_region": "",
"identity:list_regions": "",
"identity:create_region": "rule:admin_or_cloud_admin",
"identity:update_region": "rule:admin_or_cloud_admin",
"identity:delete_region": "rule:admin_or_cloud_admin",
"identity:get_service": "rule:admin_or_cloud_admin",
"identity:list_services": "rule:admin_or_cloud_admin",
"identity:create_service": "rule:cloud_admin",
"identity:update_service": "rule:cloud_admin",
"identity:delete_service": "rule:cloud_admin",
"identity:get_endpoint": "rule:admin_or_cloud_admin",
"identity:list_endpoints": "rule:admin_or_cloud_admin",
"identity:create_endpoint": "rule:cloud_admin",
"identity:update_endpoint": "rule:cloud_admin",
"identity:delete_endpoint": "rule:cloud_admin",
"identity:get_domain": "rule:cloud_admin or rule:admin_and_matching_domain_id or token.project.domain.id:%(target.domain.id)s",
"identity:list_domains": "rule:domain_observer or rule:cloud_admin or rule:admin_required and domain_name:%(name)s",
"identity:create_domain": "rule:cloud_admin",
"identity:update_domain": "rule:cloud_admin",
"identity:delete_domain": "rule:cloud_admin",
"project_admin": "rule:admin_required and project_id:%(target.project.id)s",
"admin_and_matching_target_project_domain_id": "rule:admin_required and domain_id:%(target.project.domain_id)s",
"admin_and_matching_project_domain_id": "rule:admin_required and domain_id:%(project.domain_id)s",
"identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s",
"identity:list_projects": "role:{{keystone_project_observer_role}} or rule:cloud_admin or rule:admin_and_matching_domain_id",
"identity:list_user_projects": "rule:cloud_admin or rule:owner or rule:admin_and_matching_domain_id",
"identity:create_project": "rule:cloud_admin or rule:admin_and_matching_project_domain_id",
"identity:update_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or rule:project_admin",
"identity:delete_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
"admin_and_matching_target_user_domain_id": "rule:admin_required and domain_id:%(target.user.domain_id)s",
"admin_and_matching_user_domain_id": "rule:admin_required and domain_id:%(user.domain_id)s",
"identity:get_user": "role:{{keystone_user_observer_role}} or rule:cloud_admin or rule:owner or rule:admin_and_matching_target_user_domain_id",
"identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
"identity:create_user": "rule:cloud_admin or rule:admin_and_matching_user_domain_id",
"identity:update_user": "rule:cloud_admin or rule:owner or rule:admin_and_matching_target_user_domain_id",
"identity:delete_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
"admin_and_matching_target_group_domain_id": "rule:admin_required and domain_id:%(target.group.domain_id)s",
"admin_and_matching_group_domain_id": "rule:admin_required and domain_id:%(group.domain_id)s",
"identity:get_group": "role:{{keystone_user_observer_role}} or rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
"identity:list_groups": "rule:cloud_admin or rule:admin_and_matching_domain_id",
"identity:list_groups_for_user": "rule:cloud_admin or rule:owner or (rule:admin_required and domain_id:%(domain_id)s)",
"identity:create_group": "rule:cloud_admin or rule:admin_and_matching_group_domain_id",
"identity:update_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
"identity:delete_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
"identity:list_users_in_group": "rule:cloud_admin or (rule:admin_required and domain_id:%(domain_id)s)",
"identity:remove_user_from_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
"identity:check_user_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
"identity:add_user_to_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
"identity:get_credential": "rule:admin_required or user_id:%(target.credential.user_id)s",
"identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
"identity:create_credential": "rule:admin_required or user_id:%(credential.user_id)s",
"identity:update_credential": "rule:admin_required or user_id:%(target.credential.user_id)s",
"identity:delete_credential": "rule:admin_required or user_id:%(target.credential.user_id)s",
"identity:ec2_get_credential": "rule:admin_or_cloud_admin or rule:owner",
"identity:ec2_list_credentials": "rule:admin_or_cloud_admin or rule:owner",
"identity:ec2_create_credential": "rule:admin_or_cloud_admin or rule:owner",
"identity:ec2_delete_credential": "(rule:admin_or_cloud_admin or rule:owner) or (rule:owner and user_id:%(target.credential.user_id)s)",
"identity:get_role": "rule:admin_or_cloud_admin",
"identity:list_roles": "rule:admin_or_cloud_admin",
"identity:create_role": "rule:cloud_admin",
"identity:update_role": "rule:cloud_admin",
"identity:delete_role": "rule:cloud_admin",
"identity:get_domain_role": "rule:cloud_admin or rule:get_domain_roles",
"identity:list_domain_roles": "rule:cloud_admin or rule:list_domain_roles",
"identity:create_domain_role": "rule:cloud_admin or rule:domain_admin_matches_domain_role",
"identity:update_domain_role": "rule:cloud_admin or rule:domain_admin_matches_target_domain_role",
"identity:delete_domain_role": "rule:cloud_admin or rule:domain_admin_matches_target_domain_role",
"domain_admin_matches_domain_role": "rule:admin_required and domain_id:%(role.domain_id)s",
"get_domain_roles": "rule:domain_admin_matches_target_domain_role or rule:project_admin_matches_target_domain_role",
"domain_admin_matches_target_domain_role": "rule:admin_required and domain_id:%(target.role.domain_id)s",
"project_admin_matches_target_domain_role": "rule:admin_required and project_domain_id:%(target.role.domain_id)s",
"list_domain_roles": "rule:domain_admin_matches_filter_on_list_domain_roles or rule:project_admin_matches_filter_on_list_domain_roles",
"domain_admin_matches_filter_on_list_domain_roles": "rule:admin_required and domain_id:%(domain_id)s",
"project_admin_matches_filter_on_list_domain_roles": "rule:admin_required and project_domain_id:%(domain_id)s",
"admin_and_matching_prior_role_domain_id": "rule:admin_required and domain_id:%(target.prior_role.domain_id)s",
"implied_role_matches_prior_role_domain_or_global": "(domain_id:%(target.implied_role.domain_id)s or None:%(target.implied_role.domain_id)s)",
"identity:get_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
"identity:list_implied_roles": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
"identity:create_implied_role": "rule:cloud_admin or (rule:admin_and_matching_prior_role_domain_id and rule:implied_role_matches_prior_role_domain_or_global)",
"identity:delete_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
"identity:list_role_inference_rules": "rule:cloud_admin",
"identity:check_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
"identity:check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
"identity:list_grants": "rule:cloud_admin or rule:domain_admin_for_list_grants or rule:project_admin_for_list_grants",
"identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
"identity:revoke_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
"domain_admin_for_grants": "rule:domain_admin_for_global_role_grants or rule:domain_admin_for_domain_role_grants",
"domain_admin_for_global_role_grants": "rule:admin_required and None:%(target.role.domain_id)s and rule:domain_admin_grant_match",
"domain_admin_for_domain_role_grants": "rule:admin_required and domain_id:%(target.role.domain_id)s and rule:domain_admin_grant_match",
"domain_admin_grant_match": "domain_id:%(domain_id)s or domain_id:%(target.project.domain_id)s",
"project_admin_for_grants": "rule:project_admin_for_global_role_grants or rule:project_admin_for_domain_role_grants",
"project_admin_for_global_role_grants": "rule:admin_required and None:%(target.role.domain_id)s and project_id:%(project_id)s",
"project_admin_for_domain_role_grants": "rule:admin_required and project_domain_id:%(target.role.domain_id)s and project_id:%(project_id)s",
"domain_admin_for_list_grants": "rule:admin_required and rule:domain_admin_grant_match",
"project_admin_for_list_grants": "rule:admin_required and project_id:%(project_id)s",
"admin_on_domain_filter" : "rule:admin_required and domain_id:%(scope.domain.id)s",
"admin_on_project_filter" : "rule:admin_required and project_id:%(scope.project.id)s",
"admin_on_domain_of_project_filter" : "rule:admin_required and domain_id:%(target.project.domain_id)s",
"identity:list_role_assignments": "rule:cloud_admin or rule:admin_on_domain_filter or rule:admin_on_project_filter",
"identity:list_role_assignments_for_tree": "rule:cloud_admin or rule:admin_on_domain_of_project_filter",
"identity:get_policy": "rule:cloud_admin",
"identity:list_policies": "rule:cloud_admin",
"identity:create_policy": "rule:cloud_admin",
"identity:update_policy": "rule:cloud_admin",
"identity:delete_policy": "rule:cloud_admin",
"identity:check_token": "rule:cloud_admin or rule:admin_or_owner or rule:service_or_admin",
"identity:validate_token": "rule:service_admin_or_owner",
"identity:validate_token_head": "rule:service_or_admin",
"identity:revocation_list": "rule:service_or_admin",
"identity:revoke_token": "rule:cloud_admin or rule:admin_or_owner",
"identity:create_trust": "user_id:%(trust.trustor_user_id)s",
"identity:get_trust": "rule:admin_or_owner",
"identity:list_trusts": "",
"identity:list_roles_for_trust": "",
"identity:check_role_for_trust": "",
"identity:get_role_for_trust": "",
"identity:delete_trust": "",
"identity:create_consumer": "rule:admin_required",
"identity:get_consumer": "rule:admin_required",
"identity:list_consumers": "rule:admin_required",
"identity:delete_consumer": "rule:admin_required",
"identity:update_consumer": "rule:admin_required",
"identity:authorize_request_token": "rule:admin_required",
"identity:list_access_token_roles": "rule:admin_required",
"identity:get_access_token_role": "rule:admin_required",
"identity:list_access_tokens": "rule:admin_required",
"identity:get_access_token": "rule:admin_required",
"identity:delete_access_token": "rule:admin_required",
"identity:list_projects_for_endpoint": "rule:admin_required",
"identity:add_endpoint_to_project": "rule:admin_required",
"identity:check_endpoint_in_project": "rule:admin_required",
"identity:list_endpoints_for_project": "rule:admin_required",
"identity:remove_endpoint_from_project": "rule:admin_required",
"identity:create_endpoint_group": "rule:admin_required",
"identity:list_endpoint_groups": "rule:admin_required",
"identity:get_endpoint_group": "rule:admin_required",
"identity:update_endpoint_group": "rule:admin_required",
"identity:delete_endpoint_group": "rule:admin_required",
"identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
"identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
"identity:get_endpoint_group_in_project": "rule:admin_required",
"identity:list_endpoint_groups_for_project": "rule:admin_required",
"identity:add_endpoint_group_to_project": "rule:admin_required",
"identity:remove_endpoint_group_from_project": "rule:admin_required",
"identity:create_identity_provider": "rule:cloud_admin",
"identity:list_identity_providers": "rule:cloud_admin",
"identity:get_identity_providers": "rule:cloud_admin",
"identity:update_identity_provider": "rule:cloud_admin",
"identity:delete_identity_provider": "rule:cloud_admin",
"identity:create_protocol": "rule:cloud_admin",
"identity:update_protocol": "rule:cloud_admin",
"identity:get_protocol": "rule:cloud_admin",
"identity:list_protocols": "rule:cloud_admin",
"identity:delete_protocol": "rule:cloud_admin",
"identity:create_mapping": "rule:cloud_admin",
"identity:get_mapping": "rule:cloud_admin",
"identity:list_mappings": "rule:cloud_admin",
"identity:delete_mapping": "rule:cloud_admin",
"identity:update_mapping": "rule:cloud_admin",
"identity:create_service_provider": "rule:cloud_admin",
"identity:list_service_providers": "",
"identity:get_service_provider": "",
"identity:update_service_provider": "rule:cloud_admin",
"identity:delete_service_provider": "rule:cloud_admin",
"identity:get_auth_catalog": "",
"identity:get_auth_projects": "",
"identity:get_auth_domains": "",
"identity:list_projects_for_user": "",
"identity:list_domains_for_user": "",
"identity:list_revoke_events": "",
"identity:create_policy_association_for_endpoint": "rule:cloud_admin",
"identity:check_policy_association_for_endpoint": "rule:cloud_admin",
"identity:delete_policy_association_for_endpoint": "rule:cloud_admin",
"identity:create_policy_association_for_service": "rule:cloud_admin",
"identity:check_policy_association_for_service": "rule:cloud_admin",
"identity:delete_policy_association_for_service": "rule:cloud_admin",
"identity:create_policy_association_for_region_and_service": "rule:cloud_admin",
"identity:check_policy_association_for_region_and_service": "rule:cloud_admin",
"identity:delete_policy_association_for_region_and_service": "rule:cloud_admin",
"identity:get_policy_for_endpoint": "rule:cloud_admin",
"identity:list_endpoints_for_policy": "rule:cloud_admin",
"identity:create_domain_config": "rule:cloud_admin",
"identity:get_domain_config": "rule:cloud_admin",
"identity:update_domain_config": "rule:cloud_admin",
"identity:delete_domain_config": "rule:cloud_admin",
"identity:get_domain_config_default": "rule:cloud_admin"
}
07070100000064000081A40000000000000000000000015DC451BB0000013E000000000000000000000000000000000000005900000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/templates/revocation_cleanup.j2#! /bin/bash
echo "Running revocation cleanup job"
source {{ ardanauser_home }}/keystone.osrc
token=`openstack token issue | grep -iw id | cut -d'|' -f3`
token="$(echo -e "${token}" | tr -d '[[:space:]]')"
echo $token
curl -k -H "X-Auth-Token:$token" -H "X-Subject-Token:$token" -X DELETE $OS_AUTH_URL/auth/tokens
07070100000065000081A40000000000000000000000015DC451BB000004BA000000000000000000000000000000000000005000000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/templates/service.osrc{#
#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
#}
unset OS_DOMAIN_NAME
export OS_IDENTITY_API_VERSION=3
export OS_AUTH_VERSION=3
export OS_PROJECT_NAME={{ keystone_admin_project_name }}
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USERNAME={{ keystone_admin_user }}
export OS_USER_DOMAIN_NAME=Default
export OS_PASSWORD={{ keystone_admin_user_pwd }}
export OS_AUTH_URL={{ keystone_internal_endpoint }}/v3
export OS_ENDPOINT_TYPE=internalURL
# OpenstackClient uses OS_INTERFACE instead of OS_ENDPOINT
export OS_INTERFACE=internal
export OS_CACERT={{ trusted_ca_bundle }}
export OS_COMPUTE_API_VERSION=2
07070100000066000081A40000000000000000000000015DC451BB000018EF000000000000000000000000000000000000005600000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/templates/shibboleth2.xml.j2{#
#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
#}
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
clockSkew="180">
<!--
By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
are used. See example-shibboleth2.xml for samples of explicitly configuring them.
-->
<!--
To customize behavior for specific resources on Apache, and to link vhosts or
resources to ApplicationOverride settings below, use web server options/commands.
See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
-->
<!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
<ApplicationDefaults entityID="http://sso_entityId">
<!--
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
You MUST supply an effectively unique handlerURL value for each of your applications.
The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
a relative value based on the virtual host. Using handlerSSL="true", the default, will force
the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
Note that while we default checkAddress to "false", this has a negative impact on the
security of your site. Stealing sessions via cookie theft is much easier with this disabled.
-->
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
checkAddress="false" handlerSSL="false" cookieProps="http">
<!--
Configures SSO for a default IdP. To allow for >1 IdP, remove
entityID property and adjust discoveryURL to point to discovery service.
(Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
You can also override entityID on /Login query string, or in RequestMap/htaccess.
-->
<SSO entityID="http://idp_entityId">
SAML2 SAML1
</SSO>
<!-- SAML and local-only logout. -->
<Logout>SAML2 Local</Logout>
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
<!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session" showAttributeValues="false"/>
<!-- JSON feed of discovery information. -->
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
</Sessions>
<!--
Allows overriding of error template information/filenames. You can
also add attributes with values that can be plugged into the templates.
-->
<Errors supportContact="root@localhost"
helpLocation="/about.html"
styleSheet="/shibboleth-sp/main.css"/>
<!-- Example of remotely supplied batch of signed metadata. -->
<!--
<MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
backingFilePath="federation-metadata.xml" reloadInterval="7200">
<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
<MetadataFilter type="Signature" certificate="fedsigner.pem"/>
</MetadataProvider>
-->
<!-- Please don't make any chances to the comment, this is a SHIBD TEMPLATE used by the playbook. -->
<MetadataProvider type="Chaining">
</MetadataProvider>
<!-- Map to extract attributes from SAML assertions. -->
<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
<!-- Use a SAML query if no attributes are supplied during SSO. -->
<AttributeResolver type="Query" subjectMatch="true"/>
<!-- Default filtering policy for recognized attributes, lets other data pass. -->
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
<!-- Simple file-based resolver for using a single keypair. -->
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
<!--
The default settings can be overridden by creating ApplicationOverride elements (see
the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
Resource requests are mapped by web server commands, or the RequestMapper, to an
applicationId setting.
Example of a second application (for a second vhost) that has a different entityID.
Resources on the vhost would map to an applicationId of "admin":
-->
<!--
<ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
-->
</ApplicationDefaults>
<!-- Policies that determine how to process and authenticate runtime messages. -->
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
<!-- Low-level configuration about protocols and bindings available for use. -->
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
07070100000067000081A40000000000000000000000015DC451BB00000941000000000000000000000000000000000000005300000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/templates/shibd.logger.j2# set overall behavior
log4j.rootCategory=INFO, shibd_log, warn_log
# fairly verbose for DEBUG, so generally leave at INFO
log4j.category.XMLTooling.XMLObject=INFO
log4j.category.XMLTooling.KeyInfoResolver=INFO
log4j.category.Shibboleth.IPRange=INFO
log4j.category.Shibboleth.PropertySet=INFO
# raise for low-level tracing of SOAP client HTTP/SSL behavior
log4j.category.XMLTooling.libcurl=INFO
# logs XML being signed or verified if set to DEBUG
log4j.category.XMLTooling.Signature.Debugger=INFO, sig_log
log4j.additivity.XMLTooling.Signature.Debugger=false
# the tran log blocks the "default" appender(s) at runtime
# Level should be left at INFO for this category
log4j.category.Shibboleth-TRANSACTION=INFO, tran_log
log4j.additivity.Shibboleth-TRANSACTION=false
# define the appenders
log4j.appender.shibd_log=org.apache.log4j.RollingFileAppender
log4j.appender.shibd_log.fileName=/var/log/shibboleth/shibd.log
log4j.appender.shibd_log.maxFileSize=10000000
log4j.appender.shibd_log.maxBackupIndex=10
log4j.appender.shibd_log.layout=org.apache.log4j.PatternLayout
log4j.appender.shibd_log.layout.ConversionPattern={% raw %}%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n{% endraw %}
log4j.appender.warn_log=org.apache.log4j.RollingFileAppender
log4j.appender.warn_log.fileName=/var/log/shibboleth/shibd_warn.log
log4j.appender.warn_log.maxFileSize=10000000
log4j.appender.warn_log.maxBackupIndex=10
log4j.appender.warn_log.layout=org.apache.log4j.PatternLayout
log4j.appender.warn_log.threshold=WARN
log4j.appender.warn_log.layout.ConversionPattern={% raw %}%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n{% endraw %}
log4j.appender.tran_log=org.apache.log4j.RollingFileAppender
log4j.appender.tran_log.fileName=/var/log/shibboleth/transaction.log
log4j.appender.tran_log.maxFileSize=10000000
log4j.appender.tran_log.maxBackupIndex=10
log4j.appender.tran_log.layout=org.apache.log4j.PatternLayout
log4j.appender.tran_log.layout.ConversionPattern={% raw %}%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n{% endraw %}
log4j.appender.sig_log=org.apache.log4j.FileAppender
log4j.appender.sig_log.fileName=/var/log/shibboleth/signature.log
log4j.appender.sig_log.maxFileSize=10000000
log4j.appender.sig_log.maxBackupIndex=10
log4j.appender.sig_log.layout=org.apache.log4j.PatternLayout
log4j.appender.sig_log.layout.ConversionPattern={% raw %}%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n{% endraw %}
07070100000068000041ED0000000000000000000000025DC451BB00000000000000000000000000000000000000000000003E00000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/vars07070100000069000081A40000000000000000000000015DC451BB00000397000000000000000000000000000000000000004900000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/vars/debian.yml#
# (c) Copyright 2017 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
# python-httplib2 is an ansible dependency for the module uri sed in start.yml
key_api_packages:
- libldap-2.4-2
- libsasl2-2
- libmysqlclient18
- libxml2
- libxslt1.1
- libffi6
- libldap2-dev
- libsasl2-dev
- python-httplib2
- xmlsec1
shibd_user: _shibd
0707010000006A000081A40000000000000000000000015DC451BB0000036F000000000000000000000000000000000000004700000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/vars/main.yml#
# (c) Copyright 2015-2017 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
ardanauser : "{{ ansible_env['USER'] }}"
ardanauser_home: "{{ ansible_env['HOME'] }}"
shibd_log_dir: "/var/log/shibboleth"
shibd_www_log_dir: "/var/log/shibboleth-www"
adm_group_name: "adm"
keystone_log_dir: "/var/log/keystone"
0707010000006B000081A40000000000000000000000015DC451BB0000040F000000000000000000000000000000000000004700000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/KEY-API/vars/suse.yml#
# (c) Copyright 2017 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
key_api_packages:
- cron
- cyrus-sasl
- libffi4
- libldap-2_4-2
- libmysqlclient18
- libsasl2-3
- libxml2
- libxslt1
- logrotate
- python-PrettyTable
- python-httplib2
- xmlstarlet
# - xmlsec1 # TODO(fergal): uncomment once Legacy CI support includes package
# - libxmlsec1-openssl1 # TODO(gyee): uncomment once Legacy CI support includes package
shibd_user: shibd
0707010000006C000041ED0000000000000000000000065DC451BB00000000000000000000000000000000000000000000004100000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/keystone-common0707010000006D000041ED0000000000000000000000025DC451BB00000000000000000000000000000000000000000000004A00000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/keystone-common/defaults0707010000006E000081A40000000000000000000000015DC451BB00000334000000000000000000000000000000000000005D00000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/keystone-common/defaults/keystone_admin.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Settings needed for accessing keystone admin
keystone_admin_port: "{{ host.bind.KEY_API.admin.port }}"
keystone_admin_listen_ip: "{{ host.bind.KEY_API.admin.ip_address }}"
0707010000006F000081A40000000000000000000000015DC451BB00001840000000000000000000000000000000000000005300000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/keystone-common/defaults/main.yml#
# (c) Copyright 2015-2017 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
keystone_hosts: "{{ groups[verb_hosts.KEY_API] }}"
keystone_old_admin_pwd: "{{ KEY_API.old_vars.keystone_admin_pwd }}"
keystone_user: keystone
keystone_group: keystone
keystone_home_dir: /var/lib/keystone
service: keystone
keystone_conf_dir: "/etc/keystone"
keystone_venv_install_conf_dir: "{{ service | config_dir() }}"
keystone_venv_install_share_dir: "{{ service | share_dir() }}/"
keystone_bin_dir: "{{ service | bin_dir }}"
keystone_venv_dir: "{{ service | venv_dir }}"
keystone_share_dir: "{{ service | share_dir }}"
keystone_admin_domain_id: "default"
keystone_token_provider: "{% if keystone_configure_fernet %}fernet{% else %}uuid{% endif %}"
keystone_fernet_dir_name: fernet-keys
keystone_fernet_dir: "{{ keystone_conf_dir }}/{{ keystone_fernet_dir_name }}/"
keystone_fernet_auto_rotation_script_name: keystone-fernet-rotate.sh
keystone_fernet_auto_rotation_script: "{{ keystone_bin_dir }}/{{ keystone_fernet_auto_rotation_script_name }}"
keystone_fernet_rotate_cron_script: /etc/cron.d/keystone-fernet-rotate
# Any of the following rotation times are valid:
# reboot, yearly, annually, monthly, weekly, daily, hourly
keystone_fernet_rotation: daily
keystone_db_ca_file: "{{ trusted_ca_bundle }}"
keystone_db_ssl: "{% if keystone_enable_tls_for_mysql and KEY_API.consumes_FND_MDB.vips.private[0].use_tls %}?ssl_ca={{ keystone_db_ca_file }}{% endif %}"
keystone_database_connection_string: "mysql+pymysql://{{ KEY_API.consumes_FND_MDB.vars.accounts.keystone.username }}:{{ KEY_API.consumes_FND_MDB.vars.accounts.keystone.password | urlencode }}@{{ KEY_API.consumes_FND_MDB.vips.private[0].host }}/keystone{{ keystone_db_ssl }}"
keystone_public_port: "{{ host.bind.KEY_API.public.port }}"
keystone_public_listen_ip: "{{ host.bind.KEY_API.public.ip_address }}"
keystone_internal_port: "{{ host.bind.KEY_API.internal.port }}"
keystone_internal_listen_ip: "{{ host.bind.KEY_API.internal.ip_address }}"
vip_protocol_admin: "{{ KEY_API.advertises.vips.admin[0].protocol }}"
keystone_admin_vip_ip : "{{ KEY_API.advertises.vips.admin[0].ip_address }}"
keystone_admin_vip_host: "{{ KEY_API.advertises.vips.admin[0].host }}"
keystone_admin_vip_port: "{{ KEY_API.advertises.vips.admin[0].port }}"
vip_protocol_internal: "{{ KEY_API.advertises.vips.private[0].protocol }}"
keystone_internal_vip_host: "{{ KEY_API.advertises.vips.private[0].host }}"
keystone_internal_vip_port: "{{ KEY_API.advertises.vips.private[0].port }}"
vip_protocol_public: "{{ KEY_API.advertises.vips.public[0].protocol }}"
keystone_public_vip_host: "{{ KEY_API.advertises.vips.public[0].host }}"
keystone_public_vip_port: "{{ KEY_API.advertises.vips.public[0].port }}"
keystone_admin_endpoint: "{{ KEY_API.advertises.vips.admin[0].url }}"
keystone_internal_endpoint: "{{ KEY_API.advertises.vips.private[0].url }}"
keystone_public_endpoint: "{{ KEY_API.advertises.vips.public[0].url }}"
keystone_service_project_name: "{{ KEY_API.vars.keystone_service_tenant }}"
keystone_admin_project_name: "{{ KEY_API.vars.keystone_admin_tenant }}"
keystone_demo_project_name: "{{ KEY_API.vars.keystone_demo_tenant }}"
keystone_monitoring_project_name: "{{ KEY_API.vars.keystone_monitoring_tenant }}"
keystone_admin_role: "{{ KEY_API.vars.keystone_admin_role }}"
keystone_keystoneadmin_role: "{{ KEY_API.vars.keystone_KeystoneAdmin_role }}"
keystone_member_role: "{{ KEY_API.vars.keystone_member_role }}"
keystone_service_role: "{{ KEY_API.vars.keystone_service_role }}"
keystone_monitor_role: "{{ KEY_API.vars.keystone_monitoring_role }}"
keystone_project_observer_role: "{{ KEY_API.vars.keystone_project_observer_role }}"
keystone_user_observer_role: "{{ KEY_API.vars.keystone_user_observer_role }}"
keystone_domain_observer_role: "{{ KEY_API.vars.keystone_domain_observer_role }}"
keystone_default_domain: Default
keystone_v2_domain_name: "{{ keystone_default_domain }}"
keystone_v2_project_domain_name: "{{ keystone_v2_domain_name }}"
keystone_v2_user_domain_name: "{{ keystone_v2_domain_name }}"
keystone_region: "{{ KEY_API.advertises.vips.public[0].region_name }}"
keystone_admin_user: "{{ KEY_API.vars.keystone_admin_user }}"
keystone_admin_user_pwd: "{{ KEY_API.vars.keystone_admin_pwd | quote }}"
keystone_demo_user: "{{ KEY_API.vars.keystone_demo_user }}"
keystone_demo_pwd: "{{ KEY_API.vars.keystone_demo_pwd | quote }}"
# Message queue variables
_mq_hosts_list: "{{ KEY_API.consumes_FND_RMQ.members.private | default (KEY_API.consumes_FND_RMQ.members.public) }}"
keystone_rabbit_hosts_port_pair:
"{% for x in _mq_hosts_list -%}
{{ x.host }}:{{ x.port }}
{%- if not loop.last -%},{% endif %}
{%- endfor %}"
keystone_rabbit_user: "{{ KEY.consumes_FND_RMQ.vars.accounts.keystone.username }}"
keystone_rabbit_password: "{{ KEY.consumes_FND_RMQ.vars.accounts.keystone.password }}"
keystone_rabbit_use_ssl: "{{ KEY.consumes_FND_RMQ.members.private[0].use_tls }}"
keystone_cloudadmin_domain: cloud_admin
keystone_cloudadmin_project: cloud_admin_project
is_baremetal_install: "{{ True if ansible_virtualization_role == 'host' else False }}"
# This is used only for tuning virtual install
keystone_default_process_count: 10
keystone_settle_time: 30
keystone_restart_required: false
# Keystone audit variables
keystone_api_audit_enable: "{{ KEY.audit.enabled }}"
keystone_audit_log_base_location: "{{ KEY.audit.dir }}"
# This is for federation configuration
keystone_shibd_conf_dir: "/etc/shibboleth"
memcached_servers: "{% for x in KEY_API.consumes_FND_MEM.members.private %}{{ x.host }}:{{ x.port }}{%if not loop.last %},{% endif %}{% endfor %}"
07070100000070000041ED0000000000000000000000025DC451BB00000000000000000000000000000000000000000000004600000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/keystone-common/meta07070100000071000081A40000000000000000000000015DC451BB00000263000000000000000000000000000000000000004F00000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/keystone-common/meta/main.yml# (c) Copyright 2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
dependencies:
- role: tls-vars
07070100000072000041ED0000000000000000000000025DC451BB00000000000000000000000000000000000000000000004700000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/keystone-common/tasks07070100000073000081A40000000000000000000000015DC451BB0000030E000000000000000000000000000000000000005D00000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/keystone-common/tasks/_schedule_restart.yml#
# (c) Copyright 2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- name: keystone-common | _schedule_restart | Schedule a restart for keystone
debug:
msg: "Trigger a change notification in keystone"
changed_when: true
register: ardana_notify_keystone_change07070100000074000081A40000000000000000000000015DC451BB00000D2E000000000000000000000000000000000000005000000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/keystone-common/tasks/main.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- name: keystone-common | main | Include dependent yml files
include_vars: "{{ item }}"
with_items:
- keystone_deploy_config.yml
- ../defaults/keystone_admin.yml
tags:
- keystone
- keystone_debug
- name: keystone-common | main | Display variables that are configured for KEY-API
debug: var=KEY_API
tags:
- keystone
- keystone_debug
when: keystone_debug is defined
run_once: True
- name: keystone-common | main | Display variables for the inventory host
debug: var=hostvars[inventory_hostname]
tags:
- keystone
- keystone_debug
when: keystone_debug is defined
run_once: True
# NOTE(gyee) check to see what the current token provider is. If this is a new
# install, it will return an empty string as keystone.conf may not have
# existed yet. This logic will work if we don't also configure a "provider" for
# credential. Right now, the only provider for credential is "fernet" so we
# should be fine. In the future, if more than one providers are supported for
# credential, we'll need to update this logic. Better yet, upgrade to
# Ansible 2.x and use the ini module and this problem will magically
# disappear. :-)
# FIXME(gyee): use Ansible ini module for this when we upgrade to
# Ansible 2.x.
- name: keystone-common | main | Look for the default token provider
become: yes
shell: >-
grep '^provider\s*=' {{ keystone_venv_install_conf_dir }}/keystone.conf
2>&1 | grep '^provider\s*=' | sed 's/.*=\s*//'
register: lookup_keystone_token_provider_result
tags:
- keystone
- name: keystone-common | main | Display current Keystone token provider
debug:
msg: "{{ lookup_keystone_token_provider_result.stdout }}"
tags:
- keystone
- keystone_debug
when: keystone_debug is defined
# NOTE(gyee): in an upgrade situation where --limit is used, we do not want
# to change the current token provider as we will end up with some controllers
# using Fernet token provider while others still using UUID. This will be
# disastrous as some tokens does not validate. We DO NOT support changing
# token provider to Fernet until all the nodes are upgraded and ready as
# Fernet required all the token-signing keys are in-sync for all the nodes
# at all times.
- name: keystone-common | main | Set token provider
set_fact:
keystone_token_provider: >-
{{ lookup_keystone_token_provider_result.stdout }}
when: play_hosts|length != keystone_hosts|length and
lookup_keystone_token_provider_result.stdout != ""
- name: keystone-common | main | Display Keystone token provider
debug:
msg: "Token provider is {{ keystone_token_provider }}"
tags:
- keystone
- keystone_debug
when: keystone_debug is defined
07070100000075000041ED0000000000000000000000025DC451BB00000000000000000000000000000000000000000000004600000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/keystone-common/vars07070100000076000081A40000000000000000000000015DC451BB0000091C000000000000000000000000000000000000006100000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/keystone-common/vars/keystone_deploy_config.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
#########################################################
# Logging
#########################################################
# Possible log levels are INFO/DEBUG/WARN/ERROR
keystone_loglevel: INFO
keystone_logstash_loglevel: INFO
#########################################################
# WSGI
#########################################################
# To handle 100 concurrent connections count = 15 is more than enough
# Most of the traffice goes to internal vip which is controlled by
# public procoess count
keystone_wsgi_admin_process_count: 5
keystone_wsgi_public_process_count: 15
#socket-timeout option to WSGIDaemonProcess to allow the timeout on indvidual
# read/writes on the socket connection between the Apache child worker and
#the daemon process to be specified separately to the Apache Timeout directive.
keystone_wsgi_socket_timeout: 600
#########################################################
# Fernet Token
#########################################################
# Optional non-core features that can be enabled/disabled
keystone_configure_fernet: False
#########################################################
# Enable TLS transport for mysql
#########################################################
keystone_enable_tls_for_mysql: True
#########################################################
# Addition roles to be created and assigned to the
# 'admin' user for the 'admin' project. The 'admin'
# project is used to manage the OpenStack cloud.
#########################################################
keystone_extra_roles_for_admin_user_and_admin_project:
- swiftoperator
- glance_admin
- cinder_admin
- nova_admin
- neutron_admin
07070100000077000041ED0000000000000000000000065DC451BB00000000000000000000000000000000000000000000004200000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/keystone-monitor07070100000078000041ED0000000000000000000000025DC451BB00000000000000000000000000000000000000000000004B00000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/keystone-monitor/defaults07070100000079000081A40000000000000000000000015DC451BB000002AB000000000000000000000000000000000000005400000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/keystone-monitor/defaults/main.yml#
# (c) Copyright 2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
monasca_alarm_definition_api_url: >
{{ MON_AGN.consumes_MON_API.vips.private[0].url ~ '/v2.0' }}
0707010000007A000041ED0000000000000000000000025DC451BB00000000000000000000000000000000000000000000004700000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/keystone-monitor/meta0707010000007B000081A40000000000000000000000015DC451BB000002DA000000000000000000000000000000000000005000000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/keystone-monitor/meta/main.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
dependencies:
- role: keystone-common
- {role: monasca-agent, run_mode: Use}
0707010000007C000041ED0000000000000000000000025DC451BB00000000000000000000000000000000000000000000004800000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/keystone-monitor/tasks0707010000007D000081A40000000000000000000000015DC451BB0000033B000000000000000000000000000000000000006800000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/keystone-monitor/tasks/_monitor_fernet_master_node.yml#
# (c) Copyright 2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- include: ../../KEY-API/tasks/_find_fernet_master_node.yml
- name: keystone-monitor | _monitor_fernet_master_node |
Setup master node monitor
include: _setup_fernet_master_node_monitor.yml
when: found_fernet_master_node is defined
0707010000007E000081A40000000000000000000000015DC451BB00000AF8000000000000000000000000000000000000006E00000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/keystone-monitor/tasks/_setup_fernet_master_node_monitor.yml#
# (c) Copyright 2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: keystone-monitor | _set_fernet_master_node_monitor |
Setup default email notification method
monasca_notification_method:
name: "Default Email"
type: 'EMAIL'
address: "root@localhost"
keystone_url: "{{ keystone_admin_endpoint }}/v3"
keystone_user: "{{ keystone_admin_user }}"
keystone_password: "{{ keystone_admin_user_pwd }}"
keystone_project: "{{ keystone_admin_project_name }}"
keystone_project_domain: "{{ keystone_default_domain }}"
keystone_user_domain: "{{ keystone_default_domain }}"
monasca_api_url: "{{ monasca_alarm_definition_api_url }}"
overwrite: false
register: keystone_default_notification_result
run_once: true
- name: keystone-monitor | _set_fernet_master_node_monitor | Set hostname
set_fact:
fernet_master_hostname: >-
{{ hostvars[found_fernet_master_node].host.my_dimensions.hostname }}
- name: keystone-monitor | _set_fernet_master_node_monitor | Set control_plane
set_fact:
fernet_master_control_plane: >-
{{ hostvars[found_fernet_master_node].host.my_dimensions.control_plane }}
- name: keystone-monitor | _set_fernet_master_node_monitor |
Create fernet master node alarm definition
monasca_alarm_definition:
name: "Fernet Master"
description: "Check to make sure Fernet Master node still alive."
severity: "CRITICAL"
expression: >-
host_alive_status{hostname={{ fernet_master_hostname }},
control_plane={{ fernet_master_control_plane }}} > 0
match_by: ["hostname"]
keystone_url: "{{ keystone_admin_endpoint }}/v3"
keystone_user: "{{ keystone_admin_user }}"
keystone_password: "{{ keystone_admin_user_pwd }}"
keystone_project: "{{ keystone_admin_project_name }}"
keystone_project_domain: "{{ keystone_default_domain }}"
keystone_user_domain: "{{ keystone_default_domain }}"
monasca_api_url: "{{ monasca_alarm_definition_api_url }}"
ok_actions:
- "{{ keystone_default_notification_result.notification_method_id }}"
undetermined_actions:
- "{{ keystone_default_notification_result.notification_method_id }}"
alarm_actions:
- "{{ keystone_default_notification_result.notification_method_id }}"
run_once: true
0707010000007F000081A40000000000000000000000015DC451BB000007BA000000000000000000000000000000000000005A00000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/keystone-monitor/tasks/local_monitor.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
- name: keystone-monitor | local_monitor |
Set up check on keystone wsgi process and admin endpoint locally
become: yes
monasca_agent_plugin:
name: "keystone"
args: "disable_http_check=yes"
tags:
- keystone
- keystone_monitor
- name: keystone-monitor | local_monitor |
Setup active check on keystone internal endpoint locally
become: yes
monasca_agent_plugin:
name: "httpcheck"
args: "use_keystone=False \
url=http://{{ keystone_internal_listen_ip }}:{{
keystone_internal_port }}/v3 \
dimensions=service:identity-service,\
component:keystone-api,\
api_endpoint:internal,\
monitored_host_type:instance"
tags:
- keystone
- keystone_monitor
- name: keystone-monitor | local_monitor |
Setup active check on keystone admin endpoint locally
become: yes
monasca_agent_plugin:
name: "httpcheck"
args: "use_keystone=False \
url=http://{{ keystone_admin_listen_ip }}:{{
keystone_admin_port }}/v3 \
dimensions=service:identity-service,\
component:keystone-api,\
api_endpoint:admin,\
monitored_host_type:instance"
tags:
- keystone
- keystone_monitor
07070100000080000081A40000000000000000000000015DC451BB000004E7000000000000000000000000000000000000006700000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/keystone-monitor/tasks/monitor_fernet_master_node.yml#
# (c) Copyright 2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: keystone-monitor | monitor_fernet_master_node |
Check Fernet token configuration prereq
debug:
msg: >-
WARNING: Then number of play hosts does not match the number of Keystone
API hosts. It is possible that the --limit option was used in the play.
The use of --limit option is not supported when configuring the
Fernet token feature. Fernet token configuration will be skipped.
when: vars['play_hosts'] | length != keystone_hosts | length
- name: keystone-monitor | monitor_fernet_master_node | Monitor Fernet Master
include: _monitor_fernet_master_node.yml
when: vars['play_hosts'] | length == keystone_hosts | length
07070100000081000081A40000000000000000000000015DC451BB00000451000000000000000000000000000000000000005B00000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/keystone-monitor/tasks/remote_monitor.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
- name: keystone-monitor | remote_monitor | Setup http check against Keystone VIP
become: yes
monasca_agent_plugin:
name: "httpcheck"
args: "use_keystone=False url={{ item.url }}/v3 dimensions=service:\
identity-service,component:keystone-api,api_endpoint:{{
item.api_endpoint }},monitored_host_type:vip"
with_items:
- { api_endpoint: 'internal', url: "{{ keystone_internal_endpoint }}"}
tags:
- keystone_monitor
07070100000082000041ED0000000000000000000000025DC451BB00000000000000000000000000000000000000000000004700000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/keystone-monitor/vars07070100000083000081A40000000000000000000000015DC451BB000002DE000000000000000000000000000000000000005000000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/keystone-monitor/vars/main.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
ardanauser : "{{ ansible_env['USER'] }}"
ardanauser_home: "{{ ansible_env['HOME'] }}"
07070100000084000041ED0000000000000000000000055DC451BB00000000000000000000000000000000000000000000004900000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/keystone-post-configure07070100000085000041ED0000000000000000000000025DC451BB00000000000000000000000000000000000000000000005200000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/keystone-post-configure/defaults07070100000086000081A40000000000000000000000015DC451BB000007A7000000000000000000000000000000000000005B00000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/keystone-post-configure/defaults/main.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
keystone_services: "[ {% for s in KEY_API.advertised %}
{'service_name': '{{ s.service_name }}',
'service_type': '{{ s.service_type | default('') }}',
'service_description': '{{ s.service_description | default('') }}'
}
{%- if not loop.last -%}
,
{% endif -%}
{% endfor %} ] "
keystone_endpoints: "[ {% for s in KEY_API.advertised %}
{% for r in s.regions %}
{'service_name': '{{ s.service_name }}',
'public_url': '{{ s.public_url | default('') }}',
'internal_url': '{{ s.internal_url | default('') }}',
'admin_url': '{{ s.admin_url | default('') }}',
'region': '{{ r }}'
}
{%- if not loop.last -%}
,
{% endif -%}
{% endfor %}
{%- if not loop.last -%}
,
{% endif -%}
{% endfor %} ]"
07070100000087000041ED0000000000000000000000025DC451BB00000000000000000000000000000000000000000000004E00000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/keystone-post-configure/meta07070100000088000081A40000000000000000000000015DC451BB000002B1000000000000000000000000000000000000005700000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/keystone-post-configure/meta/main.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
dependencies:
- role: keystone-common
07070100000089000041ED0000000000000000000000025DC451BB00000000000000000000000000000000000000000000004F00000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/keystone-post-configure/tasks0707010000008A000081A40000000000000000000000015DC451BB00000D0E000000000000000000000000000000000000006100000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/keystone-post-configure/tasks/keystone_conf.yml#
# (c) Copyright 2015-2017 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# keystone user and endpoint registration
---
- name: keystone-post-configure | keystone_conf | Create bootstrap users
command: >
"{{ keystone_bin_dir }}/keystone-manage"
--config-file "{{ keystone_venv_install_conf_dir }}/keystone.conf"
--log-config "{{ keystone_venv_install_conf_dir }}/logging.conf"
bootstrap
--bootstrap-username "{{ keystone_admin_user }}"
--bootstrap-project-name "{{ keystone_cloudadmin_project }}"
--bootstrap-role-name "{{ keystone_admin_role }}"
environment:
OS_BOOTSTRAP_PASSWORD: "{{ keystone_admin_user_pwd }}"
run_once: true
become: yes
become_user: "{{ keystone_user }}"
tags:
- keystone
- name: keystone-post-configure | keystone_conf | Get cloud admin token
become: yes
keystone_v3:
endpoint: "{{ keystone_admin_endpoint }}/v3"
login_username: "{{ keystone_admin_user }}"
login_password: "{{ keystone_admin_user_pwd }}"
login_user_domain_name: "{{ keystone_default_domain }}"
login_project_name: "{{ keystone_cloudadmin_project }}"
login_project_domain_name: "{{ keystone_default_domain }}"
cacert: "{{ trusted_ca_bundle }}"
action: "token_get"
run_once: true
register: cloud_admin_token_result
tags:
- keystone
- name: keystone-post-configure | keystone_conf | Set cloud admin token
set_fact:
cloud_admin_token: "{{ cloud_admin_token_result.result }}"
- name: keystone-post-configure | keystone_conf | Create roles
keystone_v3:
login_token: "{{ cloud_admin_token }}"
endpoint: "{{ keystone_internal_endpoint }}/v3"
cacert: "{{ trusted_ca_bundle }}"
action: "create_role"
role_name: "{{ item }}"
description: "Bootstrap roles created via keystone deploy"
with_items:
- "{{ keystone_keystoneadmin_role }}"
run_once: true
tags:
- keystone
# NOTE: we should be using the keystone_cloud_admin project for cloud admin
# operations. Using domain-scoped token for backward compatibility only.
- name: keystone-post-configure | keystone_conf | Grant admin Role to admin User
on Default domain
become: yes
keystone_v3:
login_token: "{{ cloud_admin_token }}"
endpoint: "{{ keystone_internal_endpoint }}/v3"
cacert: "{{ trusted_ca_bundle }}"
action: "grant_domain_role"
user_name: "{{ keystone_admin_user }}"
domain_name: "Default"
role_name: "{{ keystone_admin_role }}"
user_domain_name: "{{ keystone_v2_user_domain_name }}"
run_once: true
tags:
- keystone
# now provision the rest of accounts using the newly-minted cloud admin
# credential
- name: keystone-post-configure | keystone_conf | Provision account data
include: keystone_provision_accts.yml
0707010000008B000081A40000000000000000000000015DC451BB00001DC6000000000000000000000000000000000000006C00000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/keystone-post-configure/tasks/keystone_provision_accts.yml#
# (c) Copyright 2015-2017 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# keystone user and endpoint registration
---
- name: keystone-post-configure | keystone_provision_accts | Get a domain scoped token after bootstrap
keystone_v3:
endpoint: "{{ keystone_internal_endpoint }}/v3"
cacert: "{{ trusted_ca_bundle }}"
login_username: "{{ keystone_admin_user }}"
login_password: "{{ keystone_admin_user_pwd }}"
login_user_domain_name: "Default"
login_domain_name: "Default"
action: "token_get"
register: domain_scoped_token_result
- name: keystone-post-configure | keystone_provision_accts | Create roles
keystone_v3:
login_token: "{{ domain_scoped_token_result.result }}"
endpoint: "{{ keystone_internal_endpoint }}/v3"
cacert: "{{ trusted_ca_bundle }}"
action: "create_role"
role_name: "{{ item }}"
description: "Bootstrap roles created via keystone deploy"
with_items:
- "{{ keystone_service_role }}"
- "{{ keystone_member_role }}"
- "{{ keystone_monitor_role }}"
- "{{ keystone_project_observer_role }}"
- "{{ keystone_domain_observer_role }}"
- "{{ keystone_user_observer_role }}"
run_once: true
tags:
- keystone
- name: keystone-post-configure | keystone_provision_accts | Create extra roles
keystone_v3:
login_token: "{{ domain_scoped_token_result.result }}"
endpoint: "{{ keystone_internal_endpoint }}/v3"
cacert: "{{ trusted_ca_bundle }}"
action: "create_role"
role_name: "{{ item }}"
description: "Bootstrap roles created via keystone deploy"
with_items: "{{ keystone_extra_roles_for_admin_user_and_admin_project }}"
when: keystone_extra_roles_for_admin_user_and_admin_project is defined
run_once: true
tags:
- keystone
- name: keystone-post-configure | keystone_provision_accts | Create bootstrap tenants
become: yes
keystone_v3:
login_token: "{{ domain_scoped_token_result.result }}"
endpoint: "{{ keystone_internal_endpoint }}/v3"
cacert: "{{ trusted_ca_bundle }}"
action: "create_project"
project_name: "{{ item }}"
project_domain_name: "{{ keystone_v2_project_domain_name }}"
description: "Bootstrap accounts created via keystone deploy"
with_items:
- "{{ keystone_admin_project_name }}"
- "{{ keystone_demo_project_name }}"
- "{{ keystone_service_project_name }}"
- "{{ keystone_monitoring_project_name }}"
run_once: true
tags:
- keystone
- name: keystone-post-configure | keystone_provision_accts | Grant admin Role to admin User
on admin tenant
become: yes
keystone_v3:
login_token: "{{ domain_scoped_token_result.result }}"
endpoint: "{{ keystone_internal_endpoint }}/v3"
cacert: "{{ trusted_ca_bundle }}"
action: "grant_project_role"
user_name: "{{ keystone_admin_user }}"
project_name: "{{ keystone_admin_project_name }}"
role_name: "{{ keystone_admin_role }}"
user_domain_name: "{{ keystone_v2_user_domain_name }}"
project_domain_name: "{{ keystone_v2_project_domain_name }}"
run_once: true
tags:
- keystone
- name: keystone-post-configure | keystone_provision_accts | Create Demo User
become: yes
keystone_v3:
login_token: "{{ domain_scoped_token_result.result }}"
endpoint: "{{ keystone_internal_endpoint }}/v3"
cacert: "{{ trusted_ca_bundle }}"
action: "create_user"
user_name: "{{ keystone_demo_user }}"
user_password: "{{ keystone_demo_pwd }}"
description: "Bootstrap accounts created via keystone deploy"
user_domain_name: "{{ keystone_v2_user_domain_name }}"
run_once: true
tags:
- keystone
- name: keystone-post-configure | keystone_provision_accts | Grant member role to Demo User
on Admin Tenant
become: yes
keystone_v3:
login_token: "{{ domain_scoped_token_result.result }}"
endpoint: "{{ keystone_internal_endpoint }}/v3"
cacert: "{{ trusted_ca_bundle }}"
action: "grant_project_role"
user_name: "{{ keystone_demo_user }}"
project_name: "{{ keystone_admin_project_name }}"
role_name: "{{ keystone_member_role }}"
user_domain_name: "{{ keystone_v2_user_domain_name }}"
project_domain_name: "{{ keystone_v2_project_domain_name }}"
run_once: true
tags:
- keystone
- name: keystone-post-configure | keystone_provision_accts | Grant admin user admin Role
on demo tenant
become: yes
keystone_v3:
login_token: "{{ domain_scoped_token_result.result }}"
endpoint: "{{ keystone_internal_endpoint }}/v3"
cacert: "{{ trusted_ca_bundle }}"
action: "grant_project_role"
user_name: "{{ keystone_admin_user }}"
project_name: "{{ keystone_demo_project_name }}"
role_name: "{{ keystone_admin_role }}"
user_domain_name: "{{ keystone_v2_user_domain_name }}"
project_domain_name: "{{ keystone_v2_project_domain_name }}"
run_once: true
tags:
- keystone
#
# The Member role is used by Horizon and Swift
- name: keystone-post-configure | keystone_provision_accts | Grant Demo user Member Role
on Demo tenant
become: yes
keystone_v3:
login_token: "{{ domain_scoped_token_result.result }}"
endpoint: "{{ keystone_internal_endpoint }}/v3"
cacert: "{{ trusted_ca_bundle }}"
action: "grant_project_role"
user_name: "{{ keystone_demo_user }}"
project_name: "{{ keystone_demo_project_name }}"
role_name: "{{ keystone_member_role }}"
user_domain_name: "{{ keystone_v2_user_domain_name }}"
project_domain_name: "{{ keystone_v2_project_domain_name }}"
run_once: true
tags:
- keystone
- name: keystone-post-configure | keystone_provision_accts | Grant admin user, admin Role
to services tenant
become: yes
keystone_v3:
login_token: "{{ domain_scoped_token_result.result }}"
endpoint: "{{ keystone_internal_endpoint }}/v3"
cacert: "{{ trusted_ca_bundle }}"
action: "grant_project_role"
user_name: "{{ keystone_admin_user }}"
project_name: "{{ keystone_service_project_name }}"
role_name: "{{ keystone_admin_role }}"
user_domain_name: "{{ keystone_v2_user_domain_name }}"
project_domain_name: "{{ keystone_v2_project_domain_name }}"
run_once: true
tags:
- keystone
- name: keystone-post-configure | keystone_provision_accts |
Grant admin user addition roles to admin project
become: yes
keystone_v3:
login_token: "{{ domain_scoped_token_result.result }}"
endpoint: "{{ keystone_internal_endpoint }}/v3"
cacert: "{{ trusted_ca_bundle }}"
action: "grant_project_role"
user_name: "{{ keystone_admin_user }}"
project_name: "{{ keystone_admin_project_name }}"
role_name: "{{ item }}"
user_domain_name: "{{ keystone_v2_user_domain_name }}"
project_domain_name: "{{ keystone_v2_project_domain_name }}"
with_items: "{{ keystone_extra_roles_for_admin_user_and_admin_project }}"
when: keystone_extra_roles_for_admin_user_and_admin_project is defined
run_once: true
tags:
- keystone
- name: keystone-post-configure | keystone_provision_accts | Configure Services
include: services_conf.yml
0707010000008C000081A40000000000000000000000015DC451BB00000919000000000000000000000000000000000000006100000000ardana-keystone-8.0+git.1573147067.09e3ea0/roles/keystone-post-configure/tasks/services_conf.yml#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- name: keystone-post-configure | services_conf | Get a domain scoped token
become: yes
keystone_v3:
endpoint: "{{ keystone_admin_endpoint }}/v3"
login_username: "{{ keystone_admin_user }}"
login_password: "{{ keystone_admin_user_pwd }}"
login_user_domain_name: "{{ keystone_default_domain }}"
login_domain_name: "{{ keystone_default_domain }}"
cacert: "{{ trusted_ca_bundle }}"
action: "token_get"
run_once: true
register: domain_scoped_token_result
- name: keystone-post-configure | services_conf | Create services in Keystone
become: yes
keystone_v3:
endpoint: "{{ keystone_admin_endpoint }}/v3"
cacert: "{{ trusted_ca_bundle }}"
login_token: "{{ domain_scoped_token_result.result }}"
action: "create_service"
service_name: "{{ item.service_name }}"
service_type: "{{ item.service_type | default('') }}"
description: "{{ item.service_description | default('') }}"
run_once: True
with_items:
- "{{ keystone_services }}"
when: item.service_name is defined
- name: keystone-post-configure | services_conf | Create endpoints in Keystone
become: yes
keystone_v3:
endpoint: "{{ keystone_admin_endpoint }}/v3"
cacert: "{{ trusted_ca_bundle }}"
login_token: "{{ domain_scoped_token_result.result }}"
action: "create_endpoint"
service_name: "{{ item.service_name }}"
region: "{{ item.region | default('') }}"
admin_url: "{{ item.admin_url | default('') }}"
internal_url: "{{ item.internal_url | default('') }}"
public_url: "{{ item.public_url | default('') }}"
run_once: True
with_items:
- "{{ keystone_endpoints }}"
when: item.service_name is defined
07070100000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000B00000000TRAILER!!!582 blocks
