Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
systemsmanagement:Ardana:9
ardana-keystone
ardana-keystone-9.0+git.1573069087.15ffd1c.obscpio
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File ardana-keystone-9.0+git.1573069087.15ffd1c.obscpio of Package ardana-keystone
07070100000000000081A40000000000000000000000015DC3211F00000356000000000000000000000000000000000000003C00000000ardana-keystone-9.0+git.1573069087.15ffd1c/.copyrightignore# # (c) Copyright 2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # roles/KEY-API/files/samples/k2k/k2k_sp_mapping.json roles/KEY-API/files/samples/websso/adfs_sp_mapping.json roles/KEY-API/files/samples/x509auth/x509auth_mapping.json roles/KEY-API/files/samples/x509auth/cacert.pem 07070100000001000081A40000000000000000000000015DC3211F00000075000000000000000000000000000000000000003600000000ardana-keystone-9.0+git.1573069087.15ffd1c/.gitignore.vagrant *.sw? .tox *.egg *.egg-info .testrepository *.pyc .project .pydevproject .settings/* .settings *.iml .idea 07070100000002000081A40000000000000000000000015DC3211F0000007B000000000000000000000000000000000000003600000000ardana-keystone-9.0+git.1573069087.15ffd1c/.gitreview[gerrit] host=gerrit.prv.suse.net port=29418 project=ardana/keystone-ansible.git defaultremote=ardana defaultbranch=master 07070100000003000081A40000000000000000000000015DC3211F0000000C000000000000000000000000000000000000003900000000ardana-keystone-9.0+git.1573069087.15ffd1c/.rsync-filter- ardana-ci 07070100000004000081A40000000000000000000000015DC3211F0000279F000000000000000000000000000000000000003300000000ardana-keystone-9.0+git.1573069087.15ffd1c/LICENSE Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. 07070100000005000081A40000000000000000000000015DC3211F0000048A000000000000000000000000000000000000003500000000ardana-keystone-9.0+git.1573069087.15ffd1c/README.md (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP (c) Copyright 2017 SUSE LLC Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. 80README ====== This repo contains the following roles - KEY-API: Keystone api - keystone-common: Variable declarations - keystone-post-configuure: Bootstrapps data The verbs: - configure - configure the service/role - install - install the service/role - start - start the service/role - stop - stop the service/role The operations: - deploy - deploy the service (install, configure and start) - reconfigure - reconfigures the service Refer to REAADME.md at roles/KEY-API/ for reconfiguration instructions 07070100000006000081A40000000000000000000000015DC3211F000002E6000000000000000000000000000000000000004A00000000ardana-keystone-9.0+git.1573069087.15ffd1c/_keystone-schedule-restart.yml# # (c) Copyright 2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- # Schedule a restart of keystone services using ardana_notify_... variables - hosts: all tasks: - include: roles/keystone-common/tasks/_schedule_restart.yml07070100000007000041ED0000000000000000000000045DC3211F00000000000000000000000000000000000000000000003500000000ardana-keystone-9.0+git.1573069087.15ffd1c/ardana-ci07070100000008000041ED0000000000000000000000035DC3211F00000000000000000000000000000000000000000000003D00000000ardana-keystone-9.0+git.1573069087.15ffd1c/ardana-ci/project07070100000009000041ED0000000000000000000000035DC3211F00000000000000000000000000000000000000000000004900000000ardana-keystone-9.0+git.1573069087.15ffd1c/ardana-ci/project/input-model0707010000000A000041ED0000000000000000000000025DC3211F00000000000000000000000000000000000000000000004E00000000ardana-keystone-9.0+git.1573069087.15ffd1c/ardana-ci/project/input-model/data0707010000000B000081A40000000000000000000000015DC3211F00000560000000000000000000000000000000000000006000000000ardana-keystone-9.0+git.1573069087.15ffd1c/ardana-ci/project/input-model/data/control_plane.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- product: version: 2 control-planes: - name: ccp control-plane-prefix: ccp region-name: region1 failure-zones: - AZ1 - AZ2 - AZ3 common-service-components: - lifecycle-manager-target - openstack-client clusters: - name: cluster0 cluster-prefix: c0 server-role: - SERVER1-ROLE - SERVER2-ROLE - SERVER3-ROLE member-count: 3 allocation-policy: strict service-components: - lifecycle-manager - ntp-server - mysql - ip-cluster - rabbitmq - keystone-client - keystone-api 0707010000000C000081A40000000000000000000000015DC3211F0000034F000000000000000000000000000000000000005A00000000ardana-keystone-9.0+git.1573069087.15ffd1c/ardana-ci/project/input-model/data/servers.yml--- product: version: 2 baremetal: netmask: 255.255.255.0 subnet: 192.168.110.0 server-interface: eth2 servers: - id: server1 ip-addr: 192.168.110.3 role: SERVER1-ROLE server-group: AZ1 mac-addr: a4:93:0c:4f:7c:73 nic-mapping: VAGRANT ilo-ip: 192.168.109.3 ilo-password: password ilo-user: admin - id: server2 ip-addr: 192.168.110.4 role: SERVER2-ROLE server-group: AZ2 mac-addr: b2:72:8d:ac:7c:6f nic-mapping: VAGRANT ilo-ip: 192.168.109.4 ilo-password: password ilo-user: admin - id: server3 ip-addr: 192.168.110.5 role: SERVER3-ROLE server-group: AZ3 mac-addr: 8a:8e:64:55:43:76 nic-mapping: VAGRANT ilo-ip: 192.168.109.5 ilo-password: password ilo-user: admin 0707010000000D000041ED0000000000000000000000025DC3211F00000000000000000000000000000000000000000000003B00000000ardana-keystone-9.0+git.1573069087.15ffd1c/ardana-ci/tests0707010000000E000081A40000000000000000000000015DC3211F00000404000000000000000000000000000000000000004A00000000ardana-keystone-9.0+git.1573069087.15ffd1c/ardana-ci/tests/test-plan.yaml# # (c) Copyright 2016-2017 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - name: Test reconfigure logfile: testsuite-reconfigure.log prefix: reconfigure playbooks: - keystone-reconfigure.yml - name: Validate keystone exec: - validate-keystone.bash - name: Test reboot logfile: reboot.log prefix: reboot vms: - reboot: server2 exec: - ansible-playbook -i hosts/verb_hosts keystone-start.yml - validate-keystone.bash 0707010000000F000081ED0000000000000000000000015DC3211F00000087000000000000000000000000000000000000005200000000ardana-keystone-9.0+git.1573069087.15ffd1c/ardana-ci/tests/validate-keystone.bash#!/bin/bash ansible-playbook -i hosts/verb_hosts keystone-status.yml if [ $? -eq 0 ] then echo "Ok" else echo "Fail" exit 1 fi 07070100000010000041ED0000000000000000000000025DC3211F00000000000000000000000000000000000000000000003200000000ardana-keystone-9.0+git.1573069087.15ffd1c/config07070100000011000081A40000000000000000000000015DC3211F0000078C000000000000000000000000000000000000004800000000ardana-keystone-9.0+git.1573069087.15ffd1c/config/keystone-symlinks.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # # The following relative symlinks are created under the # my_cloud/config directory. --- symlinks: "keystone/keystone.conf.j2": roles/KEY-API/templates/keystone.conf.j2 "keystone/keystone_deploy_config.yml": roles/keystone-common/vars/keystone_deploy_config.yml "keystone/keystone_configure_ldap_sample.yml": roles/KEY-API/files/samples/keystone_configure_ldap_sample.yml "keystone/keystone_configure_ldap_certs_sample.yml": roles/KEY-API/files/samples/keystone_configure_ldap_certs_sample.yml "keystone/policy.json": roles/KEY-API/templates/policy.v3cloudsample.json "keystone/README.md": roles/KEY-API/README.md "keystone/keystone_configure_adfs_sample.yml": roles/KEY-API/files/samples/websso/keystone_configure_adfs_sample.yml "keystone/keystone_configure_idp_sample.yml": roles/KEY-API/files/samples/k2k/keystone_configure_idp_sample.yml "keystone/keystone_configure_sp_sample.yml": roles/KEY-API/files/samples/k2k/keystone_configure_sp_sample.yml "keystone/k2k_sp_mapping.json": roles/KEY-API/files/samples/k2k/k2k_sp_mapping.json "keystone/adfs_sp_mapping.json": roles/KEY-API/files/samples/websso/adfs_sp_mapping.json "keystone/keystone_configure_openid_connect_sample.yml": roles/KEY-API/files/samples/websso/keystone_configure_openid_connect_sample.yml 07070100000012000041ED0000000000000000000000025DC3211F00000000000000000000000000000000000000000000003A00000000ardana-keystone-9.0+git.1573069087.15ffd1c/filter_plugins07070100000013000081A40000000000000000000000015DC3211F000004F6000000000000000000000000000000000000004A00000000ardana-keystone-9.0+git.1573069087.15ffd1c/filter_plugins/osini_filter.py# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # # Creates a list of tuples from the dictionary def ini_tuple(config_entries): config_tuples = list() for section in config_entries: for option in sorted(config_entries[section]): #config_tuples.append(item0, item1, config_entries[item0][item1]) config_tuples.append( dict(section=section, option=option, value=config_entries[section][option] ) ) return config_tuples class FilterModule(object): def filters(self): return {'osini': ini_tuple} 07070100000014000081A40000000000000000000000015DC3211F000002FE000000000000000000000000000000000000005400000000ardana-keystone-9.0+git.1573069087.15ffd1c/keystone-configure-fernet-monitoring.yml# # (c) Copyright 2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - hosts: KEY-API:&MON-AGN roles: - role: keystone-monitor tasks: - include: roles/keystone-monitor/tasks/monitor_fernet_master_node.yml when: keystone_configure_fernet 07070100000015000081A40000000000000000000000015DC3211F00000399000000000000000000000000000000000000004A00000000ardana-keystone-9.0+git.1573069087.15ffd1c/keystone-configure-monasca.yml# # (c) Copyright 2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017-2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - hosts: KEY-API:&MON-AGN roles: - role: keystone-monitor tasks: - include: roles/keystone-monitor/tasks/local_monitor.yml - hosts: KEY-API:&MON-AGN roles: - role: keystone-monitor tasks: - include: roles/keystone-monitor/tasks/remote_monitor.yml 07070100000016000081A40000000000000000000000015DC3211F000005C9000000000000000000000000000000000000003F00000000ardana-keystone-9.0+git.1573069087.15ffd1c/keystone-deploy.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - hosts: KEY-API roles: - role: KEY-API tasks: - include: roles/KEY-API/tasks/install.yml - hosts: KEY-API roles: - role: KEY-API tasks: - include: roles/KEY-API/tasks/db_configure.yml - hosts: KEY-API roles: - KEY-API tasks: - include: roles/KEY-API/tasks/configure.yml - hosts: KEY-API roles: - role: KEY-API tasks: - include: roles/KEY-API/tasks/start.yml - include: keystone-configure-monasca.yml # Register endpoint using keystone client. - hosts: KEY-API roles: - role: keystone-post-configure tasks: - include: roles/keystone-post-configure/tasks/keystone_conf.yml ansible_python_interpreter: "{{ KEY_CLI.vars.keystone_client_python_interpreter }}" - hosts: KEY-API roles: - KEY-API tasks: - include: roles/KEY-API/tasks/restart.yml 07070100000017000081A40000000000000000000000015DC3211F000004ED000000000000000000000000000000000000005000000000ardana-keystone-9.0+git.1573069087.15ffd1c/keystone-reconfigure-credentials.yml# # (c) Copyright 2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - hosts: KEY-API roles: - KEY-API tasks: - include: roles/KEY-API/tasks/reconfigure.yml ansible_python_interpreter: "{{ KEY_CLI.vars.keystone_client_python_interpreter }}" # Actually serial restart here doesn't make sense - hosts: KEY-API serial: "50%" roles: - role: KEY-API tasks: - include: roles/KEY-API/tasks/start.yml - hosts: KEY-API roles: - KEY-API tasks: - include: roles/KEY-API/tasks/_reconfigure_credentials.yml ansible_python_interpreter: "{{ KEY_CLI.vars.keystone_client_python_interpreter }}" when: KEY_API.old_vars is defined 07070100000018000081A40000000000000000000000015DC3211F000005C3000000000000000000000000000000000000004400000000ardana-keystone-9.0+git.1573069087.15ffd1c/keystone-reconfigure.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017-2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - hosts: KEY-API roles: - KEY-API tasks: - include: roles/KEY-API/tasks/reconfigure.yml ansible_python_interpreter: "{{ KEY_CLI.vars.keystone_client_python_interpreter }}" # Split the tasks to enable serial restart - hosts: KEY-API serial: "50%" roles: - role: KEY-API tasks: - include: roles/KEY-API/tasks/start.yml # Register endpoint using keystone client. - hosts: KEY-API roles: - role: keystone-post-configure tasks: - include: roles/keystone-post-configure/tasks/services_conf.yml ansible_python_interpreter: "{{ KEY_CLI.vars.keystone_client_python_interpreter }}" - include: keystone-configure-monasca.yml # If radosgw is configured, service endpoints for swift need updates - include: ses-reconfigure.yml - include: _swift-post-configure.yml 07070100000019000081A40000000000000000000000015DC3211F0000028D000000000000000000000000000000000000004000000000ardana-keystone-9.0+git.1573069087.15ffd1c/keystone-restart.yml# # (c) Copyright 2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - include: _keystone-schedule-restart.yml - include: keystone-start.yml 0707010000001A000081A40000000000000000000000015DC3211F000002EC000000000000000000000000000000000000003E00000000ardana-keystone-9.0+git.1573069087.15ffd1c/keystone-start.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - hosts: KEY-API roles: - role: KEY-API tasks: - include: roles/KEY-API/tasks/start.yml 0707010000001B000081A40000000000000000000000015DC3211F00000306000000000000000000000000000000000000003F00000000ardana-keystone-9.0+git.1573069087.15ffd1c/keystone-status.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - hosts: KEY-API max_fail_percentage: 0 roles: - role: KEY-API tasks: - include: roles/KEY-API/tasks/status.yml 0707010000001C000081A40000000000000000000000015DC3211F000002BD000000000000000000000000000000000000005200000000ardana-keystone-9.0+git.1573069087.15ffd1c/keystone-stop-fernet-auto-rotation.yml# # (c) Copyright 2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - hosts: KEY-API roles: - role: KEY-API tasks: - include: roles/KEY-API/tasks/_stop_fernet_auto_rotation.yml 0707010000001D000081A40000000000000000000000015DC3211F000002EB000000000000000000000000000000000000003D00000000ardana-keystone-9.0+git.1573069087.15ffd1c/keystone-stop.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - hosts: KEY-API roles: - role: KEY-API tasks: - include: roles/KEY-API/tasks/stop.yml 0707010000001E000081A40000000000000000000000015DC3211F000006D3000000000000000000000000000000000000004000000000ardana-keystone-9.0+git.1573069087.15ffd1c/keystone-upgrade.yml# # (c) Copyright 2015-2017 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - include: keystone-status.yml - hosts: KEY-API roles: - role: KEY-API tasks: - include: roles/KEY-API/tasks/install.yml - hosts: KEY-API roles: - role: KEY-API tasks: - include: roles/KEY-API/tasks/db_configure.yml - hosts: KEY-API roles: - KEY-API tasks: - include: roles/KEY-API/tasks/configure.yml ansible_python_interpreter: "{{ KEY_CLI.vars.keystone_client_python_interpreter }}" - hosts: KEY-API serial: 1 roles: - role: KEY-API tasks: - include: roles/KEY-API/tasks/start.yml # provision any new users, services, endpoints, etc. # NOTE: all operations should be idempotent - hosts: KEY-API roles: - role: keystone-post-configure tasks: - include: roles/keystone-post-configure/tasks/keystone_conf.yml ansible_python_interpreter: "{{ KEY_CLI.vars.keystone_client_python_interpreter }}" - include: roles/keystone-post-configure/tasks/keystone_provision_accts.yml ansible_python_interpreter: "{{ KEY_CLI.vars.keystone_client_python_interpreter }}" - include: keystone-status.yml 0707010000001F000041ED0000000000000000000000025DC3211F00000000000000000000000000000000000000000000003300000000ardana-keystone-9.0+git.1573069087.15ffd1c/library07070100000020000081A40000000000000000000000015DC3211F0000346E000000000000000000000000000000000000004A00000000ardana-keystone-9.0+git.1573069087.15ffd1c/library/keystone_federation.py#!/usr/bin/python # # (c) Copyright 2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # # -*- coding: utf-8 -*- DOCUMENTATION = ''' --- module: keystone_federation version_added: "1.0" short_description: Manage federation APIs, Identity Providers, Protocols, Mappings, Service Providers description: - Manage federation APIs from OpenStack. - Authentication should be added to each call with token/domain scope token cred/project scope token credentials Examples below uses token, instead you can also specify login credentials requirements: [ python-keystoneclient ] author: Sam Leong ''' EXAMPLES = ''' # Create an identity provider - keystone_federation: action="create_identity_provider" login_token=admin identity_provider_id="Foo" description="Foo Identity Provider" endpoint=https://keystone:35357/v3 # Create a mapping - keystone_federation: action="create_mapping" login_token=admin mapping_id="My_mapping" rules="{mapping:...}" # Create a protocol - keystone_federation: action="create_protocol" protocol_id="My_protocol" identity_provider_id="Foo" mapping_id="My_mapping" ''' from ansible.module_utils.basic import * from ansible.module_utils.database import * from keystoneclient import exceptions from keystoneclient import session from keystoneclient.auth import token_endpoint from keystoneclient.auth.identity import v3 from keystoneclient.v3 import client as v3client def _get_client(auth_url=None, token=None, insecure=False, ca_cert=None): """Return a ks_client client object""" auth_plugin = token_endpoint.Token(endpoint=auth_url, token=token) if not insecure: # Caller wants cert verification verify = ca_cert or True # Client cert is not supported now. # Will add it later with cert=client_cert option auth_session = session.Session( auth=auth_plugin, verify=verify) return v3client.Client(auth_url=auth_url, session=auth_session) def _find_identity_provider(ks_client, identity_provider_id=None): try: return ks_client.federation.identity_providers.get( identity_provider=identity_provider_id) except exceptions.NotFound: return None def _find_protocol(ks_client, identity_provider_id=None, protocol_id=None): try: return ks_client.federation.protocols.get( identity_provider=identity_provider_id, protocol=protocol_id) except exceptions.NotFound: return None def _find_mapping(ks_client, mapping_id=None): try: return ks_client.federation.mappings.get(mapping=mapping_id) except exceptions.NotFound: return None def _find_service_provider(ks_client, service_provider_id=None): try: return ks_client.federation.service_providers.get( service_provider=service_provider_id) except exceptions.NotFound: return None def find_identity_provider(ks_client, identity_provider_id=None): identity_provider = _find_identity_provider( ks_client, identity_provider_id=identity_provider_id) if identity_provider is not None: return True, identity_provider return False, None def delete_identity_provider(ks_client, identity_provider_id=None): identity_provider = _find_identity_provider( ks_client, identity_provider_id=identity_provider_id) if identity_provider is not None: ks_client.federation.identity_providers.update( identity_provider=identity_provider_id, enabled=False) ks_client.federation.identity_providers.delete( identity_provider=identity_provider_id) return True, identity_provider # identity_provider with that Id doesn't exist return False, None def create_identity_provider(ks_client, identity_provider_id=None, enabled=True, description=None, remote_id=None): identity_provider = _find_identity_provider( ks_client, identity_provider_id=identity_provider_id) if identity_provider is not None: delete_identity_provider( ks_client, identity_provider_id=identity_provider_id) # identity_provider with that Id doesn't exist remote_ids = [] if remote_id: remote_ids.append(remote_id) identity_provider = ks_client.federation.identity_providers.create( id=identity_provider_id, enabled=enabled, description=description, remote_ids=remote_ids) return True, identity_provider def find_protocol(ks_client, identity_provider_id=None, protocol_id=None): protocol = _find_protocol(ks_client, identity_provider_id=identity_provider_id, protocol_id=protocol_id) if protocol is not None: return True, protocol return False, None def delete_protocol(ks_client, identity_provider_id=None, protocol_id=None): protocol = _find_protocol(ks_client, identity_provider_id=identity_provider_id, protocol_id=protocol_id) if protocol is not None: ks_client.federation.protocols.delete( identity_provider=identity_provider_id, protocol=protocol_id) return True, protocol return False, protocol def create_protocol(ks_client, protocol_id=None, identity_provider_id=None, mapping_id=None): protocol = _find_protocol(ks_client, identity_provider_id=identity_provider_id, protocol_id=protocol_id) if protocol is not None: delete_protocol(ks_client, identity_provider_id=identity_provider_id, protocol_id=protocol_id) protocol = ks_client.federation.protocols.create( protocol_id=protocol_id, identity_provider=identity_provider_id, mapping=mapping_id) return True, protocol def find_mapping(ks_client, mapping_id=None): mapping = _find_mapping(ks_client, mapping_id=mapping_id) if mapping is not None: return True, mapping return False, None def delete_mapping(ks_client, mapping_id=None): mapping = _find_mapping(ks_client, mapping_id=mapping_id) if mapping is not None: ks_client.federation.mappings.delete(mapping=mapping_id) return True, mapping return False, mapping def create_mapping(ks_client, mapping_id=None, rules=None): mapping = _find_mapping(ks_client, mapping_id=mapping_id) if mapping is not None: delete_mapping(ks_client, mapping_id=mapping_id) mapping = ks_client.federation.mappings.create(mapping_id=mapping_id, rules=rules) return True, mapping def find_service_provider(ks_client, service_provider_id=None): sp = _find_service_provider(ks_client, service_provider_id=service_provider_id) if sp is not None: return True, sp return False, None def delete_service_provider(ks_client, service_provider_id=None): sp = _find_service_provider(ks_client, service_provider_id=service_provider_id) if sp is not None: ks_client.federation.service_providers.update( service_provider=service_provider_id, enabled=False) ks_client.federation.service_providers.delete( service_provider=service_provider_id) return True, sp return False, sp def create_service_provider(ks_client, service_provider_id=None, auth_url=None, enabled=True, description=None, sp_url=None): sp = _find_service_provider(ks_client, service_provider_id=service_provider_id) if sp is not None: delete_service_provider(ks_client, service_provider_id=service_provider_id) sp = ks_client.federation.service_providers.create(id=service_provider_id, auth_url=auth_url, enabled=enabled, description=description, sp_url=sp_url) return True, sp dispatch_map = { "find_identity_provider": find_identity_provider, "delete_identity_provider": delete_identity_provider, "create_identity_provider": create_identity_provider, "find_protocol": find_protocol, "delete_protocol": delete_protocol, "create_protocol": create_protocol, "find_mapping": find_mapping, "delete_mapping": delete_mapping, "create_mapping": create_mapping, "find_service_provider": find_service_provider, "delete_service_provider": delete_service_provider, "create_service_provider": create_service_provider, } def process_params(module): identity_provider_id = module.params.get("identity_provider_id", None) description = module.params.get("description", None) remote_id = module.params.get("remote_id", None) protocol_id = module.params.get("protocol_id", None) mapping_id = module.params.get("mapping_id", None) rules = module.params.get("rules", None) service_provider_id = module.params.get("service_provider_id", None) auth_url = module.params.get("auth_url", None) sp_url = module.params.get("sp_url", None) action = module.params["action"] if action not in dispatch_map: raise RuntimeError("unknown action: {}".format(action)) if action in ["find_identity_provider", "delete_identity_provider"]: return dict(identity_provider_id=identity_provider_id) elif action == "create_identity_provider": return dict(identity_provider_id=identity_provider_id, description=description, remote_id=remote_id) elif action in ["find_protocol", "delete_protocol"]: return dict(identity_provider_id=identity_provider_id, protocol_id=protocol_id) elif action == "create_protocol": return dict(protocol_id=protocol_id, identity_provider_id=identity_provider_id, mapping_id=mapping_id) elif action in ["find_mapping", "delete_mapping"]: return dict(mapping_id=mapping_id) elif action == "create_mapping": return dict(mapping_id=mapping_id, rules=rules) elif action in ["find_service_provider", "delete_service_provider"]: return dict(service_provider_id=service_provider_id) elif action == "create_service_provider": return dict(service_provider_id=service_provider_id, auth_url=auth_url, description=description, sp_url=sp_url) else: raise NotImplementedError(action) def get_client(module): auth_url = module.params.get("endpoint") token = module.params.get("login_token") insecure = module.params.get("insecure") cacert = module.params.get("cacert") ks_client = _get_client( auth_url=auth_url, token=token, insecure=insecure, ca_cert=cacert) return ks_client def process_module_action(module): ks_client = get_client(module) action = module.params["action"] kwargs = process_params(module) try: result = dispatch_map[action](ks_client, **kwargs) except Exception as e: module.fail_json(msg="%s, failed" % e) else: status, resource_data = result if hasattr(resource_data, '_info'): resource_data = resource_data._info data = dict(changed=status, result=resource_data) module.exit_json(**data) def main(): supported_actions = dispatch_map.keys() argument_spec = dict( login_token=dict(default=None, no_log=True), insecure=dict(default=None), cacert=dict(default=None), endpoint=dict(default=None), description=dict(default="Created by Ansible keystone_v3"), identity_provider_id=dict(default=None), remote_id=dict(default=None), protocol_id=dict(default=None), mapping_id=dict(default=None), rules=dict(default=None), service_provider_id=dict(default=None), sp_url=dict(default=None), auth_url=dict(default=None), action=dict(default=None, required=True, choices=supported_actions) ) module = AnsibleModule(argument_spec=argument_spec, supports_check_mode=False) process_module_action(module) if __name__ == '__main__': main() 07070100000021000081A40000000000000000000000015DC3211F000089D4000000000000000000000000000000000000004200000000ardana-keystone-9.0+git.1573069087.15ffd1c/library/keystone_v3.py#!/usr/bin/python # # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017-2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # # -*- coding: utf-8 -*- from __builtin__ import False DOCUMENTATION = ''' --- module: keystone_v3 version_added: "1.0" short_description: Manage OpenStack Identity (keystone v3) users, tenants and roles description: - Manage users,tenants, endpoints, services roles from OpenStack. - Authentication should be added to each call with token/domain scope token cred/project scope token credentials Examples below uses token, instead you can also specify login credentials requirements: [ python-keystoneclient ] author: Haneef Ali ''' EXAMPLES = ''' # Create a project using ssl endpoint and insecure mode - keystone_v3: action="create_project" project_name=demo description="Default Tenant" project_domain_name="Default" login_token=Mytoken endpoint=https://keystone:35357/v3 insecure=True # Create a project using ssl endpoint passing proper certs # /tmp/mycacert.crt should exist in target node - keystone_v3: action="create_project" project_name=demo description="Default Tenant" project_domain_name="Default" login_token=Mytoken endpoint=https://keystone:35357/v3 cacert="/tmp/mycacert.crt" # Create a project - keystone_v3: action="create_project" project_name=demo description="Default Tenant" project_domain_name="Default" login_token=Mytoken endpoint=http://keystone:35357/v3 # Create a user - keystone_v3: action="create_user" user_name=demo description="Default User" user_domain_name="Default" login_token=Mytoken endpoint=http://keystone:35357/v3 # Create a domain - keystone_v3: action="create_domain" domain_name=demo description="Default User" login_token=Mytoken endpoint=http://keystone:35357/v3 # Create a role - keystone_v3: action="create_domain" domain_name=demo description="Default User" login_token=Mytoken endpoint=http://keystone:35357/v3 # Grant admin role to the john user in the demo tenant - keystone_v3: action="grant_project_role" project__name=demo role_name=admin user_name=john user_domain_name=Default project_domain_name=Default login_token=Mytoken endpoint=http://keystone:35357/v3 # Grant admin role to the john user in the domain John_Domain - keystone_v3: action="grant_domain_role" domain__name=John-Domain role_name=admin user_name=john user_domain_name=Default login_token=Mytoken endpoint=http://keystone:35357/v3 # Create a service - keystone_v3: action="create_service" service_name=Keystone service_type=identity description=Identity login_token=Mytoken endpoint=http://keystone:35357/v3 # Create a endpoint - keystone_v3: action="create_endpoint" service_name=Keystone region=myregion public_url=http://myservice:7777/v1 internal_url=http://myservice-internal:8888/v1 admin_url=http://myservice-admin:9999/v1 login_token=Mytoken endpoint=http://keystone:35357/v3 ''' import traceback from keystoneclient.v3 import client as v3client from keystoneclient.auth.identity import v3 from keystoneclient.auth import token_endpoint from keystoneclient import session from keystoneclient import exceptions def _get_client(auth_url=None, token=None, login_username=None, login_password=None, login_project_name=None, login_project_domain_name=None, login_user_domain_name=None, login_domain_name=None, insecure=False, ca_cert=None): """Return a ks_client client object""" auth_plugin = None if login_domain_name and login_project_name: raise Exception("Token can be scoped either to project or domain. Use either domain or project") if token: auth_plugin = token_endpoint.Token(endpoint=auth_url, token=token) else: auth_plugin = v3.Password(auth_url=auth_url, username=login_username, password=login_password, project_name=login_project_name, project_domain_name=login_project_domain_name, user_domain_name=login_user_domain_name, domain_name=login_domain_name) verify = False if not insecure: # Caller wants cert verification verify = ca_cert or True # Client cert is not supported now. Will add it later with cert=client_cert option auth_session = session.Session( auth=auth_plugin, verify=verify) return v3client.Client(auth_url=auth_url, session=auth_session) def _find_domain(ks_client, domain_name=None): domains = ks_client.domains.list(name=domain_name) return domains[0] if len(domains) else None def _delete_domain(ks_client, domain=None): ks_client.domains.update(domain, enabled=False) return ks_client.domains.delete(domain) def _create_domain(ks_client, domain_name=None, description=None): return ks_client.domains.create(name=domain_name, description=description) def _find_user(ks_client, domain_name=None, user_name=None): domain = _find_domain(ks_client, domain_name=domain_name) if domain: users = ks_client.users.list(domain=domain, name=user_name) if len(users): return users[0] def _create_user(ks_client, user_name=None, user_password=None, domain_name=None, email=None, description=None): domain = _find_domain(ks_client, domain_name) return ks_client.users.create(name=user_name, password=user_password, description=description, email=email, domain=domain) def _delete_user(ks_client, user=None): ks_client.users.update(user=user, enabled=False) ks_client.users.delete(user=user) def _update_user(ks_client, user=None, **kwargs): ks_client.users.update(user=user, **kwargs) def _find_project(ks_client, domain_name=None, project_name=None): domain = _find_domain(ks_client, domain_name=domain_name) if domain: projects = ks_client.projects.list(domain=domain, name=project_name) if len(projects): return projects[0] def _create_project(ks_client, project_name=None, domain_name=None, description=None): domain = _find_domain(ks_client, domain_name) return ks_client.projects.create(name=project_name, description=description, domain=domain) def _delete_project(ks_client, project=None): ks_client.projects.update(project=project, enabled=False) ks_client.projects.delete(project=project) def _find_group(ks_client, domain_name=None, group_name=None): domain = _find_domain(ks_client, domain_name=domain_name) if domain: groups = ks_client.groups.list(domain=domain, name=group_name) if len(groups): return groups[0] def _create_group(ks_client, group_name=None, domain_name=None, description=None): domain = _find_domain(ks_client, domain_name) return ks_client.groups.create(name=group_name, description=description, domain=domain) def _delete_group(ks_client, group=None): ks_client.groups.update(group=group, enabled=False) ks_client.groups.delete(group=group) def _find_role(ks_client, role_name=None): roles = ks_client.roles.list(name=role_name) return roles[0] if len(roles) else None def _delete_role(ks_client, role=None): return ks_client.roles.delete(role) def _create_role(ks_client, role_name=None, description=None): return ks_client.roles.create(name=role_name, description=description) def _grant_roles(ks_client, role=None, project=None, user=None, group=None, domain=None): return ks_client.roles.grant(role=role, project=project, user=user, group=group, domain=domain) def _revoke_roles(ks_client, role=None, project=None, user=None, group=None, domain=None): return ks_client.roles.revoke(role=role, project=project, user=user, group=group, domain=domain) def _find_service(ks_client, service_name=None, service_type=None): services = ks_client.services.list(name=service_name, type=service_type) return services[0] if len(services) else None def _create_service(ks_client, service_name=None, service_type=None, description=None): return ks_client.services.create(name=service_name, type=service_type, description=description) def _delete_service(ks_client, service_name=None): service = ks_client.services.get(service_name) if service: ks_client.services.delete(service) return service_name def _find_endpoint(ks_client, service=None, interface=None, region=None): endpoints = ks_client.endpoints.list(service=service, interface=interface) for ep in endpoints: if not region or ep.region == region: return ep return None def _create_endpoint(ks_client, service=None, url=None, interface=None, region=None): return ks_client.endpoints.create(service=service, url=url, interface=interface, region=region) def _update_endpoint(ks_client, endpoint=None, url=None, interface=None, region=None): return ks_client.endpoints.update(endpoint=endpoint, url=url, interface=interface, region=region) def find_domain(ks_client, domain_name=None): domain = _find_domain(ks_client, domain_name=domain_name) result, domain = (True, domain) if (domain) else (False, None) return result, domain def create_domain(ks_client, domain_name=None, description=None): domain = _find_domain(ks_client, domain_name=domain_name) if domain: return (False, domain) # Domain with that name doesn't exist domain = _create_domain( ks_client, domain_name=domain_name, description=description) return (True, domain) def delete_domain(ks_client, domain_name=None): domain = _find_domain(ks_client, domain_name=domain_name) if domain: _delete_domain(ks_client, domain=domain) return (True, domain) # Domain with that name doesn't exist return (False, None) def find_user(ks_client, user_name=None, domain_name=None): user = _find_user(ks_client, domain_name=domain_name, user_name=user_name) result, user = (True, user) if user else (False, None) return result, user def create_user(ks_client, user_name=None, user_password=None, domain_name=None, email=None, description=None): user = _find_user(ks_client, user_name=user_name, domain_name=domain_name) if user: kwargs = dict(password=user_password, email=None, description=None) _update_user(ks_client, user=user, **kwargs) return (True, user) # User with that name doesn't exist user = _create_user(ks_client, user_name=user_name, user_password=user_password, domain_name=domain_name, email=email, description=description) return (True, user) def delete_user(ks_client, user_name=None, domain_name=None): user = _find_user(ks_client, domain_name=domain_name, user_name=user_name) if user: _delete_user(ks_client, user=user) return (True, user) # User with that name doesn't exist return (False, None) def update_user(ks_client, user_name=None, domain_name=None, user_password=None): user = _find_user(ks_client, domain_name=domain_name, user_name=user_name) if user: _update_user(ks_client, user=user, password=user_password) return (True, user) # User with that name doesn't exist return (False, None) def find_group(ks_client, group_name=None, domain_name=None): group = _find_group(ks_client, domain_name=domain_name, group_name=group_name) result, group = (True, group) if group else (False, None) return result, group def create_group(ks_client, group_name=None, domain_name=None, description=None): group = _find_group(ks_client, group_name=group_name, domain_name=domain_name) if group: return (False, group) # User with that name doesn't exist group = _create_group(ks_client, group_name=group_name, domain_name=domain_name, description=description) return (True, group) def delete_group(ks_client, group_name=None, domain_name=None): group = _find_group(ks_client, domain_name=domain_name, group_name=group_name) if group: _delete_group(ks_client, group=group) return (True, group) # Group with that name doesn't exist return (False, None) def find_project(ks_client, project_name=None, domain_name=None): project = _find_project( ks_client, domain_name=domain_name, project_name=project_name) result, project = (True, project) if project else (False, None) return result, project def create_project(ks_client, project_name=None, domain_name=None, description=None): project = _find_project( ks_client, project_name=project_name, domain_name=domain_name) if project: return (False, project) # Project with that name doesn't exist project = _create_project(ks_client, project_name=project_name, domain_name=domain_name, description=description) return (True, project) def delete_project(ks_client, project_name=None, domain_name=None): project = _find_project( ks_client, domain_name=domain_name, project_name=project_name) if project: _delete_project(ks_client, project=project) return (True, project) # Project with that name doesn't exist return (False, None) def find_role(ks_client, role_name=None): role = _find_role(ks_client, role_name=role_name) result, role = (True, role) if (role) else (False, None) return result, role def create_role(ks_client, role_name=None, description=None): role = _find_role(ks_client, role_name=role_name) if role: return (False, role) # role with that name doesn't exist role = _create_role( ks_client, role_name=role_name, description=description) return (True, role) def delete_role(ks_client, role_name=None): role = _find_role(ks_client, role_name=role_name) if role: _delete_role(ks_client, role=role) return (True, role) # role with that name doesn't exist return (False, None) def _find_project_role_assignment(ks_client, role_name=None, user_name=None, group_name=None, project_name=None, group_domain_name=None, user_domain_name=None, project_domain_name=None): role = _find_role(ks_client, role_name=role_name) user = group = None if user_name: user = _find_user( ks_client, user_name=user_name, domain_name=user_domain_name) elif group_name: group = _find_group(ks_client, group_name=group_name, domain_name=group_domain_name) project = _find_project( ks_client, project_name=project_name, domain_name=project_domain_name) ret = False if (user or group and role and project): try: ret = ks_client.roles.check(role=role, user=user, group=group, project=project) except Exception as e: if not isinstance(e, exceptions.NotFound): raise return (ret, role, user, group, project) def _grant_or_revoke_project_role(ks_client, role_name=None, user_name=None, group_name=None, group_domain_name=None, project_name=None, user_domain_name=None, project_domain_name=None, grant=True): (assignment_status, role, user, group, project) = _find_project_role_assignment(ks_client, role_name=role_name, user_name=user_name, group_name=group_name, group_domain_name=group_domain_name, project_name=project_name, user_domain_name=user_domain_name, project_domain_name=project_domain_name) if not role: raise Exception("Role name=%s doesn't exist" %(role_name)) if assignment_status and grant: return (False, "Already assigned") if not assignment_status and not grant: return (False, "Already revoked") if (user or group and role and project): if (grant): _grant_roles(ks_client, role=role, project=project, user=user, group=group) else: _revoke_roles(ks_client, role=role, project=project, user=user, group=group) return (True, "OK") return (False, "Not able to find user/role/project with the given inputs") def _find_domain_role_assignment(ks_client, role_name=None, user_name=None, user_domain_name=None, domain_name=None): role = _find_role(ks_client, role_name=role_name) user = _find_user( ks_client, user_name=user_name, domain_name=user_domain_name) domain = _find_domain(ks_client, domain_name=domain_name) ret = False if (user and role and domain): try: ret = ks_client.roles.check(role=role, user=user, domain=domain) except Exception as e: if not isinstance(e, exceptions.NotFound): raise return (ret, role, user, domain) def _grant_or_revoke_domain_role(ks_client, role_name=None, user_name=None, user_domain_name=None, domain_name=None, grant=True): (assignment_status, role, user, domain) = _find_domain_role_assignment(ks_client, role_name=role_name, user_name=user_name, user_domain_name=user_domain_name, domain_name=domain_name) if assignment_status and grant: return (False, "Already assigned") if not assignment_status and not grant: return (False, "Already revoked") if (user and role and domain): if (grant): _grant_roles(ks_client, role=role, domain=domain, user=user) else: _revoke_roles(ks_client, role=role, domain=domain, user=user) return (True, "OK") return (False, "Not able to find user/role/domain with the given inputs") def grant_project_role(ks_client, role_name=None, user_name=None, project_name=None, user_domain_name=None, project_domain_name=None): return _grant_or_revoke_project_role(ks_client, role_name=role_name, user_name=user_name, project_name=project_name, user_domain_name=user_domain_name, project_domain_name=project_domain_name, grant=True) def grant_project_role_on_group(ks_client, role_name=None, group_name=None, group_domain_name=None, project_name=None, project_domain_name=None): return _grant_or_revoke_project_role(ks_client, role_name=role_name, group_name=group_name, group_domain_name=group_domain_name, project_name=project_name, project_domain_name=project_domain_name, grant=True) def revoke_project_role(ks_client, role_name=None, user_name=None, project_name=None, user_domain_name=None, project_domain_name=None): return _grant_or_revoke_project_role(ks_client, role_name=role_name, user_name=user_name, project_name=project_name, user_domain_name=user_domain_name, project_domain_name=project_domain_name, grant=False) def revoke_project_role_on_group(ks_client, role_name=None, group_name=None, group_domain_name=None, project_name=None, project_domain_name=None): return _grant_or_revoke_project_role(ks_client, role_name=role_name, group_name=group_name, group_domain_name=group_domain_name, project_name=project_name, project_domain_name=project_domain_name, grant=False) def grant_domain_role(ks_client, role_name=None, user_name=None, domain_name=None, user_domain_name=None): return _grant_or_revoke_domain_role(ks_client, role_name=role_name, user_name=user_name, user_domain_name=user_domain_name, domain_name=domain_name, grant=True) def revoke_domain_role(ks_client, role_name=None, user_name=None, domain_name=None, user_domain_name=None): return _grant_or_revoke_domain_role(ks_client, role_name=role_name, user_name=user_name, user_domain_name=user_domain_name, domain_name=domain_name, grant=False) def create_service(ks_client, service_name=None, service_type=None, description=None): service = _find_service(ks_client, service_name=service_name, service_type=service_type) if service: return (False, service) # Service with that name doesn't exist service = _create_service( ks_client, service_name=service_name, service_type=service_type, description=description) return (True, service) def delete_service(ks_client, service_name=None, service_type=None): service = _find_service(ks_client, service_name=service_name, service_type=service_type) if not service: return (False, service) service = _delete_service(ks_client, service) return (True, service) def create_endpoint(ks_client, service_name=None, region=None, admin_url=None, internal_url=None, public_url=None): service = _find_service(ks_client, service_name=service_name) if not service: raise Exception("Service with the name=%s doesn't exist" %(service_name)) changed = False changed_ep = [] if public_url: public_endpoint = _find_endpoint(ks_client, service=service, interface="public", region=region) if public_endpoint: changed, ep = update_endpoint(ks_client, region=region, public_url=public_url, public_endpoint=public_endpoint) if changed: changed_ep.append(ep[0]) else: changed_ep.append(public_endpoint._info) else: changed = True ep = _create_endpoint(ks_client, service=service, interface="public", region=region, url=public_url) changed_ep.append(ep._info) if admin_url: admin_endpoint = _find_endpoint(ks_client, service=service, interface="admin", region=region) if admin_endpoint: changed, ep = update_endpoint(ks_client, region=region, admin_url=admin_url, admin_endpoint=admin_endpoint) if changed: changed_ep.append(ep[0]) else: changed_ep.append(admin_endpoint._info) else: changed = True ep = _create_endpoint(ks_client, service=service, interface="admin", region=region, url=admin_url) changed_ep.append(ep._info) if internal_url: internal_endpoint = _find_endpoint(ks_client, service=service, interface="internal", region=region) if internal_endpoint: changed, ep = update_endpoint(ks_client, region=region, internal_url=internal_url, internal_endpoint=internal_endpoint) if changed: changed_ep.append(ep[0]) else: changed_ep.append(internal_endpoint._info) else: changed = True ep = _create_endpoint(ks_client, service=service, interface="internal", region=region, url=internal_url) changed_ep.append(ep._info) return changed, changed_ep def update_endpoint(ks_client, region=None, admin_url=None, internal_url=None, public_url=None, admin_endpoint=None, internal_endpoint=None, public_endpoint=None): changed = False changed_ep = [] if public_url and public_endpoint: if public_endpoint.url != public_url: ep = _update_endpoint( ks_client, endpoint=public_endpoint, interface="public", region=region, url=public_url) changed = True changed_ep.append(ep._info) if admin_url and admin_endpoint: if admin_endpoint.url != admin_url: ep = _update_endpoint( ks_client, endpoint=admin_endpoint, interface="admin", region=region, url=admin_url) changed = True changed_ep.append(ep._info) if internal_url and internal_endpoint: if internal_endpoint.url != internal_url: ep = _update_endpoint( ks_client, endpoint=internal_endpoint, interface="internal", region=region, url=internal_url) changed = True changed_ep.append(ep._info) return changed, changed_ep def get_login_token(ks_client): session = ks_client.session auth_headers = session.get_auth_headers() token = auth_headers.get('X-Auth-Token') return (True, token) def process_params(module): user_name = module.params.get("user_name", None) group_name = module.params.get("group_name", None) user_password = module.params.get("user_password", None) email = module.params.get("email", None) description = module.params.get("description", None) user_domain_name = module.params.get("user_domain_name", None) group_domain_name = module.params.get("group_domain_name", None) domain_name = module.params.get("domain_name", None) project_name = module.params.get("project_name", None) project_domain_name = module.params.get("project_domain_name", None) role_name = module.params.get("role_name", None) service_name = module.params.get("service_name", None) service_type = module.params.get("service_type", None) region = module.params.get("region", None) admin_url = module.params.get("admin_url", None) internal_url = module.params.get("internal_url", None) public_url = module.params.get("public_url", None) action = module.params["action"] if (action == "token_get" ): kwargs = dict() elif (action == "find_domain" or action == "delete_domain"): kwargs = dict(domain_name=domain_name) elif (action == "create_domain"): kwargs = dict(domain_name=domain_name, description=description) elif (action == "find_user" or action == "delete_user"): kwargs = dict(domain_name=user_domain_name, user_name=user_name) elif (action == "create_user"): kwargs = dict(domain_name=user_domain_name, description=description, user_name=user_name, email=email, user_password=user_password) elif (action == "find_project" or action == "delete_project"): kwargs = dict( domain_name=project_domain_name, project_name=project_name) elif (action == "create_project"): kwargs = dict(domain_name=project_domain_name, description=description, project_name=project_name) elif (action == "find_role" or action == "delete_role"): kwargs = dict(role_name=role_name) elif (action == "create_role"): kwargs = dict(role_name=role_name, description=description) elif (action == "grant_project_role" or action == "revoke_project_role"): kwargs = dict(role_name=role_name, user_name=user_name, user_domain_name=user_domain_name, project_name=project_name, project_domain_name=project_domain_name) elif (action in ["grant_project_role_on_group", "revoke_project_role_on_group"]): kwargs = dict(role_name=role_name, group_name=group_name, group_domain_name=group_domain_name, project_name=project_name, project_domain_name=project_domain_name) elif (action == "grant_domain_role" or action == "revoke_domain_role"): kwargs = dict(role_name=role_name, user_name=user_name, user_domain_name=user_domain_name, domain_name=domain_name) elif (action == "create_service"): kwargs = dict(service_name=service_name, service_type=service_type, description=description) elif (action == "delete_service"): kwargs = dict(service_name=service_name, service_type=service_type) elif (action == "create_endpoint"): kwargs = dict(service_name=service_name, region=region, admin_url=admin_url, internal_url=internal_url, public_url=public_url) elif (action == "reset_password_by_admin"): kwargs = dict(domain_name=user_domain_name, user_name=user_name, user_password=user_password) elif (action == "create_group"): kwargs = dict(group_name=group_name, domain_name=domain_name, description=description) elif (action == "find_group" or action == "delete_group"): kwargs = dict(group_name=group_name, domain_name=domain_name) return kwargs dispatch_map = { "find_domain": find_domain, "delete_domain": delete_domain, "create_domain": create_domain, "find_user": find_user, "delete_user": delete_user, "create_user": create_user, "find_project": find_project, "delete_project": delete_project, "create_project": create_project, "find_role": find_role, "delete_role": delete_role, "create_role": create_role, "grant_project_role": grant_project_role, "revoke_project_role": revoke_project_role, "grant_project_role_on_group": grant_project_role_on_group, "revoke_project_role_on_group": revoke_project_role_on_group, "grant_domain_role": grant_domain_role, "revoke_domain_role": revoke_domain_role, "create_service": create_service, "delete_service": delete_service, "create_endpoint": create_endpoint, "find_group": find_group, "delete_group": delete_group, "create_group": create_group, "token_get": get_login_token, "reset_password_by_admin": update_user } def get_client(module): login_username = module.params.get("login_username") login_project_name = module.params.get("login_project_name") login_user_domain_name = module.params.get("login_user_domain_name") login_project_domain_name = module.params.get("login_project_domain_name") login_password = module.params.get("login_password") login_domain_name = module.params.get("login_domain_name") auth_url = module.params.get("endpoint") token = module.params.get("login_token") insecure = module.params.get("insecure") cacert = module.params.get("cacert") ks_client = _get_client(login_username=login_username, login_project_name=login_project_name, login_user_domain_name=login_user_domain_name, login_project_domain_name=login_project_domain_name, login_password=login_password, login_domain_name=login_domain_name, auth_url=auth_url, token=token, insecure=insecure, ca_cert=cacert) return ks_client def process_module_action(module): ks_client = get_client(module) action = module.params["action"] kwargs = process_params(module) try: result = dispatch_map[action](ks_client, **kwargs) except Exception as e: tb = traceback.format_exc() failed_msg = "%s: %s" % (e, tb) module.fail_json(msg="%s, failed" % failed_msg) else: status, resource_data = result if hasattr(resource_data, '_info'): resource_data = resource_data._info data = dict(changed=status, result=resource_data) module.exit_json(**data) def main(): supported_actions = dispatch_map.keys() argument_spec = dict( login_username=dict(default=None), login_password=dict(default=None, no_log=True), login_project_name=dict(default=None), login_project_domain_name=dict(default=None), login_user_domain_name=dict(default=None), login_domain_name=dict(default=None), login_token=dict(default=None, no_log=True), insecure=dict(default=None), cacert=dict(default="/etc/ssl/ca-bundle.pem"), endpoint=dict(default=None), description=dict(default="Created by Ansible keystone_v3"), email=dict(default=None), user_name=dict(default=None), user_password=dict(default=None, no_log=True), user_domain_name=dict(default=None), project_name=dict(default=None), project_domain_name=dict(default=None), domain_name=dict(default=None), role_name=dict(default=None), group_name=dict(default=None), group_domain_name=dict(default=None), service_name=dict(default=None), service_type=dict(default=None), region=dict(default=None), admin_url=dict(default=None), public_url=dict(default=None), internal_url=dict(default=None), action=dict(default=None, required=True, choices=supported_actions) ) module = AnsibleModule( argument_spec=argument_spec, supports_check_mode=False) process_module_action(module) from ansible.module_utils.basic import * from ansible.module_utils.database import * if __name__ == '__main__': main() 07070100000022000041ED0000000000000000000000065DC3211F00000000000000000000000000000000000000000000003100000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles07070100000023000041ED0000000000000000000000095DC3211F00000000000000000000000000000000000000000000003900000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API07070100000024000081A40000000000000000000000015DC3211F00002D64000000000000000000000000000000000000004300000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/README.md (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP (c) Copyright 2017 SUSE LLC Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. 80README ====== There are different configurable entries for keystone 1. Configuration entries that go into keystone.conf 2. Deployment specific configuration which are not part of keystone.conf like log_level,process count etc. 3. Additional configuration like the domain-specific configuration or LDAP CA certificates update. The following section describes the mechanism used for overriding or changing those configuration entries: For 1: keystone.conf - Edit the files keystone.conf.j2 located on a deployer node /home/stack/openstack/my_cloud/config/keystone/. Modify this template file as appropriate. - You can get default/available configuration for Liberty from http://docs.openstack.org/liberty/config-reference/content/keystone-configuration-file.html - Make sure you don't change any values under {{ }} - Commit the changes and rerun playbooks of configuration processor and deployment area preparation (refer to section Appendix A for the detail) - Run reconfiguration playbook in deployment area: $ cd ~/scratch/ansible/next/ardana/ansible $ ansible-playbook -i hosts/verb_hosts keystone-reconfigure.yml For 2: keystone deployment such as log level - Edit respective parameters in /home/stack/openstack/my_cloud/config/keystone/keystone_deploy_config.yml. Here you can only change values, can't add any new settings - Commit the changes and rerun playbooks of configuration processor and deployment area preparation (refer to section Appendix A for the detail) - Run reconfiguration playbook in deployment area: $ cd ~/scratch/ansible/next/ardana/ansible $ ansible-playbook -i hosts/verb_hosts keystone-reconfigure.yml For 3.1: Domain-Specific Configuration File Store By default, domain-specific driver configuration file store is enabled. To update configuration for a specific LDAP domain, please see instruction below: - Ensure that the following configuration options in the main configuration file template: /home/stack/openstack/my_cloud/config/keystone/keystone.conf.j2 [identity] domain_specific_drivers_enabled = True domain_configurations_from_database = False - Locate the file: /home/stack/openstack/my_cloud/config/keystone/keystone_configure_ldap_sample.yml - Save a copy of this file with a new name, for example: /home/stack/openstack/my_cloud/config/keystone/keystone_configure_ldap_my.yml - Edit the file to carry the correct definition of the LDAP server connection - Commit the changes and rerun playbooks of configuration processor and deployment area preparation (refer to section Appendix A for the detail) - Run reconfiguration playbook in deployment area: $ cd ~/scratch/ansible/next/ardana/ansible $ ansible-playbook -i hosts/verb_hosts keystone-reconfigure.yml -e@/home/stack/openstack/my_cloud/config/keystone/keystone_configure_ldap_my.yml - Follow these same steps for each LDAP domain with which you are integrating Keystone, creating a yaml file for each and running the reconfigure playbook once for each additional domain. For 3.2: Set up or Switch to Domain-Specific Driver Configuration - Database Store To set up Domain-Specific Driver Configuration - Database Store, the steps are to deploy the Domain-Specific Driver Configuration - File Store first, as shown above in 3.1. Then switch to the database store. Once switched, all of the domain-specific driver configuration files shall be ignored by the system. No domain mixture of file and database stores is supported. - Ensure that the following configuration options in the main configuration file template: /home/stack/openstack/my_cloud/config/keystone/keystone.conf.j2 [identity] domain_specific_drivers_enabled = True domain_configurations_from_database = True [domain_config] driver = sql - Commit the changes and rerun playbooks of configuration processor and deployment area preparation (refer to section Appendix A for the detail) - Run reconfiguration playbook in deployment area: $ cd ~/scratch/ansible/next/ardana/ansible $ ansible-playbook -i hosts/verb_hosts keystone-reconfigure.yml - Upload the domain-specific configuration files to the database if they has not been loaded. If they have already loaded and just like to switch back to database store mode, then skip this upload step. Otherwise, -- Go to either one of control nodes Keystone deployed. Verify domain-specific driver configuration files are located under the directory /etc/keystone/domains with the format: keystone.<domain name>.conf -- Use Keystone manager utility to load domain-specific configuration files to the database. You may choose to upload all or one by one as shown below: Upload all configuration files to the SQL database $ keystone-manage domain_config_upload --all or Upload individual domain-specific configuration files by specifying the domain name: $ keystone-manage domain_config_upload --domain-name <domain name> If you have more than one LDAP domains to be processed, then repeat this per-domain configuration loading step with corresponding appropriate configuration content for each LDAP domain. Note: Please be advised that Keystone manager utility doesn't upload domain-specific driver configuration file the second time for the same domain. For the management of the domain-specific driver configuration in the database store, you may refer to Domain-Specific Driver Configuration - Database Store Management via Identity API. For 3.3: Updating LDAP CA certificates - Locate the file keystone_configure_ldap_certs_sample.yml /home/stack/openstack/my_cloud/config/keystone/keystone_configure_ldap_certs_sample.yml - Save a copy of this file with a new name, for example: /home/stack/openstack/my_cloud/config/keystone/keystone_configure_ldap_certs_update.yml - Edit the file and specify the correct single file path name for the ldap certicicates. This file pathname has to be consistent with the domain-specific configuration tls_cacertfile file pathname. - Edit the file and populate or update it with ldap CA certificates for all domains - Commit the changes and rerun playbooks of configuration processor and deployment area preparation (refer to section Appendix A for the detail) - Run reconfiguration playbook in deployment area: $ cd ~/scratch/ansible/next/ardana/ansible $ ansible-playbook -i hosts/verb_hosts keystone-reconfigure.yml -e@/home/stack/openstack/my_cloud/config/keystone/keystone_configure_ldap_certs_update.yml Enabling features in Keystone Ardana doesn't enable all the features by default. Some of these features are tested/supported and some of them are non-core features. Tested features can be enabled and used in production. Non-core features can be enabled for POC or to get customer feedback. Non-core features may require few manual configuration and may have defects. We will move an Non-core feature to supported feature once we have resolved all the issues with it Tested/Supported Features Enable/Disable Keystone auditing Keystone audit is disabled by default. The following instruction is for keystone audit only. For the rest of Ardana OpenStack services auditing, please refer to Ardana OpenStack audit documentation for the detail. To Enable/Disable keystone audit, do the following in the deployer node: - Edit the file ~/openstack/my_cloud/definition/cloudConfig.yml (All audit related configuration is defined under `audit-settings` section.) - Case 1: Enable keystone audit Add 'keystone' in service list of enabled-services and remove or comment out 'keystone' in service list of disabled-services if existing. If no more item within 'disabled-services:', then remove or comment out 'disabled-service:' as well. For example, ---------------------------------- audit-settings: audit-dir: /var/audit default: disabled enabled-services: - keystone disabled-services: - nova - barbican # - keystone - cinder - ceilometer - neutron ---------------------------------- Case 2: Disable keystone audit Add 'keystone' in service list of disabled-services and remove or comment out 'keystone' in service list of enabled-services if existing. If no more item within enabled-services, then remove or comment out 'enabled-services:' as well. For example, ---------------------------------- audit-settings: audit-dir: /var/audit default: disabled #enabled-services: # - keystone disabled-services: - nova - barbican - keystone - cinder - ceilometer - neutron ---------------------------------- - Commit the changes and rerun playbooks of configuration processor and deployment area preparation (refer to section Appendix A for the detail) - Run reconfiguration playbook in deployment area: $ cd ~/scratch/ansible/next/ardana/ansible $ ansible-playbook -i hosts/verb_hosts keystone-reconfigure.yml Note: * It is incorrect to specify service name in both lists of enabled-services and disabled-services list simultaneously. If both specified, then 'enabled-services' item takes precedence. * Please note that valid yaml syntax need to be followed when specifying values. If there is no item specified in the enabled-services, then enabled-services has to be removed or commented out. Similarly for disabled-services. Non-core Features Changing for UUID token to Fernet Token - Edit the file /home/stack/openstack/my_cloud/config/keystone/keystone_deploy_config.yml. Change the value `keystone_configure_fernet` to True to enable Fernet Token - Commit the changes and rerun playbooks of configuration processor and deployment area preparation (refer to section Appendix A for the detail) - Run reconfiguration playbook in deployment area: $ cd ~/scratch/ansible/next/ardana/ansible $ ansible-playbook -i hosts/verb_hosts keystone-reconfigure.yml [Appendix A] Commit the change into local git repository, and rerun playbooks of configuration processor and deployment area preparation: $ cd ~/ardana $ git checkout site $ git add -A $ git commit -m "type your commit message here..." $ cd ~/openstack/ardana/ansible $ ansible-playbook -i hosts/localhost config-processor-run.yml $ ansible-playbook -i hosts/localhost ready-deployment.yml 07070100000025000041ED0000000000000000000000025DC3211F00000000000000000000000000000000000000000000004200000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/defaults07070100000026000081A40000000000000000000000015DC3211F00000288000000000000000000000000000000000000004B00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/defaults/main.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- 07070100000027000041ED0000000000000000000000035DC3211F00000000000000000000000000000000000000000000003F00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/files07070100000028000041ED0000000000000000000000055DC3211F00000000000000000000000000000000000000000000004700000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/files/samples07070100000029000041ED0000000000000000000000025DC3211F00000000000000000000000000000000000000000000004B00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/files/samples/k2k0707010000002A000081A40000000000000000000000015DC3211F000001C0000000000000000000000000000000000000005F00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/files/samples/k2k/k2k_sp_mapping.json[ { "local": [ { "user": { "name": "{0}" } }, { "group": { "name": "group1", "domain":{ "name": "domain1" } } } ], "remote":[{ "type": "openstack_user" }, { "type": "Shib-Identity-Provider", "any_one_of":[ "https://<idp_host>:5000/v3/OS-FEDERATION/saml2/idp" ] } ] } ] 0707010000002B000081A40000000000000000000000015DC3211F00000F7F000000000000000000000000000000000000006D00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/files/samples/k2k/keystone_configure_idp_sample.yml# # (c) Copyright 2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- keystone_k2k_idp_conf: service_provider: - id: z620_sp description: This is service provider who sits on the z620 box. sp_url: https://service_provider_host:5000 auth_url: https://service_provider_host:5000/v3 signer_cert: -----BEGIN CERTIFICATE-----\nMIIDmDCCAoACCQDS+ZDoUfrcIzANBgkqhkiG9w0BAQsFADCBjDELMAkGA1UEBhMC\nVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEjAQBgNVBAcMCVN1bm55dmFsZTEMMAoG\nA1UECgwDSFBFMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEQMA4GA1UEAwwHSzJLX0lk\nUDEeMBwGCSqGSIb3DQEJARYPazJrX2lkcEBocGUuY29tMCAXDTE1MTEyMDAxMjg1\nMFoYDzIxMTUxMDI3MDEyODUwWjCBjDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNh\nbGlmb3JuaWExEjAQBgNVBAcMCVN1bm55dmFsZTEMMAoGA1UECgwDSFBFMRQwEgYD\nVQQLDAtFbmdpbmVlcmluZzEQMA4GA1UEAwwHSzJLX0lkUDEeMBwGCSqGSIb3DQEJ\nARYPazJrX2lkcEBocGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC\nAQEA1gRiHiwSO6L5PrtroHi/f17DQBOpJ1KMnS9FOHSm1mES2xlB46y/GebGIZp+\nivUbLvbJHdi0axcA0OuzCLPx6t338npJzEELXNHhlSJ2KHUuLtdpltsFGMISFjD5\nkuQgBi4bEUyhQFRWkcgqL3fK5lwTB/YaMRMnLA67QDvSPOFcJFZIOhICY0cVKsHJ\nxxRbi8XfNZOLE65+yq5onxZuWH+Kbg7bOGBl45YXXjncjSN/LjruoDYv+PrHuCuF\n8B9k7F7PtGaYBnqf4z79DErxdjQZvJ3rN7W/qj04gcdaeAxoHy0+cCp+2zejerEh\n00ax1NYYnPRrEhrcU8wbM47UvQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQDD99xf\nDw4+XRzU5ii1YuJpIsFWxbCfCqAfBtz6WaEV/UssKiEkcsasOseQvD7EUMVRhxlP\ne+7Al/vazn4xwSJzthv3NQq5g5rAMuY9Dsu5Smyok6ygY1mAAJcLGfF2VtaaSo8B\nUGj5SN8jjhOG+Yh2aNOBt6GVJlE36oFeHRVPGByq/UEGlozEWT4qAZHql8/nQlzD\nhup36JhXxtgeP/DMQOAn7HYeVJQ6+xoUWZIQhvrlvDdhWskasfOtPqI0c8/BLFoL\nCvX5vYvFSXZMyhNnMOOPyf7bTXEr+TBCVaO957FLowGv8VnW/nLVEL5tkTRWVy1A\nOpKEvhlMsl5I/tle\n-----END CERTIFICATE----- signer_key: -----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA1gRiHiwSO6L5PrtroHi/f17DQBOpJ1KMnS9FOHSm1mES2xlB\n46y/GebGIZp+ivUbLvbJHdi0axcA0OuzCLPx6t338npJzEELXNHhlSJ2KHUuLtdp\nltsFGMISFjD5kuQgBi4bEUyhQFRWkcgqL3fK5lwTB/YaMRMnLA67QDvSPOFcJFZI\nOhICY0cVKsHJxxRbi8XfNZOLE65+yq5onxZuWH+Kbg7bOGBl45YXXjncjSN/Ljru\noDYv+PrHuCuF8B9k7F7PtGaYBnqf4z79DErxdjQZvJ3rN7W/qj04gcdaeAxoHy0+\ncCp+2zejerEh00ax1NYYnPRrEhrcU8wbM47UvQIDAQABAoIBADOcAv07q3nuJyTV\nlXKxK5zPgU4mb5gn8/jDuXGPz9vKtP1Y7ea1dbANUqIv22wvB0sgAAfOhlN8zJmU\n/SuQGTqGJJC4pKs41ECh7EBGey/uciChmbjjQCtkQXBQhx7BHGfhHm3hiNE2hVnK\nZ0HjJW6/rWcyFcbX045wTv+CbYR4cwGktQH+uzIkf4nxEzZ+v8ubx/JDLUet6eNz\nLPKLasIhiOU4YL2poX5wJ68up3SOTDHOOPlGvp26ml5ZhfhEiqnHZyR0x6vqTWi6\nwUrBOAwz6gnifmAdPLglso61b+S6VGfTCyyjCldj6Yrj8DMbPpO/gAXY2Xgs1Rpy\nAciL1wECgYEA82IDWOwNBhqnW4DzXaYRpHjx32ttPb60NKYtk4e33v9TW8IEXH5W\n4SVxFoDxor4Mmqp3k2CEKhmf6VRrxJNFYIqXRUqO5dBjh237zLVP4UCHhW3p3+uM\nKZl0bZ605jhd0WUGvzN2s0iP+1q+6m/++8hW008RB38LCKYsh6QHqjECgYEA4Rym\nq40ylLqqdCo3sYetR6eqidT7/8rZvN7EmaXHsvW1oCVhBxWd+X/7DCYztVGOOwM8\n7eKXZPtkEV3rWzgCE7NSP8X7AbOxej9Z9qYeM282KjYCHclJD/wkCwa1btX3qGGF\ngDbVw3/DcCmTkUWtq08zdz0HGfPC9fc+UTw95E0CgYA1BwrhqfSgetgx6KOdqNw5\nMJzKZ/aSOGW8/uP5O93E+W5pFJmsqV42idjc5VVAdxX58OBCvQmuvoyH4vvkBY5d\nHXUeBMOjsMausDjnfi2cT1n3qV4GiqSsP6INbEHP00IlqFRS/lyDbXDpe/kSzToK\nE7lPKu/z6Ss3RDV5jDSbUQKBgQCDJbMAPPmb5ohJtxLNTdMo7MiRFlFd+6sQuuPk\n8809OKMA0uYNP43SfroeoN79Iq9vN/q2SI2VGlR5PbNRaHblTVJ8rvYGTs71/pSF\n+s+bfY4b120yN0NmmanR9q2bDfMD2RTy1n+BLx0IamB7gRGlvTWpoRdTCk2qCMn4\nf9U6/QKBgB8g8Q9hc2WDRjk6K+xyfNZ3pCiHmjTHvCt305DhRDjEjenj0WuXW/QW\nfHvjOW+UrZXg5K56ZKNbew8i5W4McrUoxFhk5rZRisFgetD4gxSgPCuiY7fE/QDX\nScXlxGigdJBUDKkmsdO4q0H1EGXYudTYP8x14v0U8S1N+3SifgBu\n-----END RSA PRIVATE KEY----- 0707010000002C000081A40000000000000000000000015DC3211F000005C1000000000000000000000000000000000000006C00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/files/samples/k2k/keystone_configure_sp_sample.yml# # (c) Copyright 2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- keystone_trusted_idp: k2k keystone_sp_conf: target_domain: name: domain1 description: my domain target_project: name: project1 description: my project target_group: name: group1 description: my group role: name: service idp_metadata_file: /tmp/idp_metadata.xml identity_provider: id: z420_idp description: This is the identity service provider on the z420 box. mapping: id: mapping1 rules_file: /tmp/k2k_mapping.json protocol: id: saml2 attribute_map: - name: name1 id: id1 - name: name2 id: id2 shib_sso_application_entity_id: http://sp_uri_entityId shib_sso_idp_entity_id: <protocol>://<idp_host>:<port>/v3/OS-FEDERATION/saml2/idp 0707010000002D000081A40000000000000000000000015DC3211F00001336000000000000000000000000000000000000007000000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/files/samples/keystone_configure_ldap_certs_sample.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- keystone_domainldap_certs: # CA certificates file content. # Certificates are stored in Base64 PEM format. This may be entire LDAP server # certificate (in case of self-signed certificates), certificate of authority # which issued LDAP server certificate, or a full certificate chain (Root CA # certificate, intermediate CA certificate(s), issuer certificate). # # If you have multiple LDAP domains, and LDAP server certificates are issued # by different authorities, make sure that you place certs for all the LDAP # backend domains in the cacert parameter as seen in this sample yml file # so that all the certs are combined in a single CA file and every LDAP # domain configuration points to the combined CA file. # Note: # 1. Please be advised that every time this ldap domain certficates reconfigured, # the single CA file gets overwritten and hence ensure that you place certs # for all the LDAP backend domains in the cacert parameter. # 2. There is a known issue on one cert per CA file per domain when the system processes # concurrent requests to multiple LDAP domains. Using the single CA file with all certs combined # shall get the system working properly. cert_settings: cacert_file: /etc/keystone/ssl/certs/all_ldapdomains_ca.pem cacert: | -----BEGIN CERTIFICATE----- MIIDVTCCAg2gAwIBAgIEVW4FQjANBgkqhkiG9w0BAQsFADAaMRgwFgYDVQQDEw9F eGFtcGxlIENvbXBhbnkwHhcNMTUwNjAyMTkzNDI2WhcNMTYwNjAxMTkzNDI2WjAa MRgwFgYDVQQDEw9FeGFtcGxlIENvbXBhbnkwggFSMA0GCSqGSIb3DQEBAQUAA4IB PwAwggE6AoIBMQC2JHPnTfQ0BExcdfeLGzUxsmFtJ/EZc/EkU5/qpKJAwsssDRlS Xfg4CN2J68IosFiltBXzQFjT2GK+I9kLLr9Qmbexh5lmLhwApTXTNC+o5/IRIZnK fguRsbE0OdUPlEH7oeLVacPRGg3TU6DPJD7yIgEAmYmQOXWtmUiE2hy50w+Ik6kI JS2ve6VB48jLGC9O7H/x1Fs5sdRLXAEse9A06u2BtbSH9JWp1/DFSFjP9Dk514UP OyXD7rUWEWPMm7vkzwD1Yy2Oj2696y1hGTUxPGWtNEBpE2A364izd8GmD2PxYFzn emWs9u7UUKsc3ZCD7YQCuf+a5uLVOiq2LKsg3Cylk7jBqSVx0BjU4G3eSDnb/E2j a68tEqKMrMw7n791eHFOA8vfnwy0lceQHOghAgMBAAGjQzBBMA8GA1UdEwEB/wQF MAMBAf8wDwYDVR0PAQH/BAUDAwcEADAdBgNVHQ4EFgQUeazaagjvqla452B67afb afAL8B0wDQYJKoZIhvcNAQELBQADggExAIE44JHWTsakqY9/r7UUXYtmA3JPIS4q +ySyYkvO8zwTuinVRJqZJr9qN1dLKoovME5oQm9dgJCDuX9IPcm+NJduJp+r8Dcd q+LQ58qcHI9AEIGj4z12Q6BfyN6SMfq+qxx8XiTn+94gbF8SvLDGV30kyu5P4/M0 kSEhpklmey0b1uxzGRgwz03QsCuMHebt7rCD5ngEsq/wjKEY58xCs/YJzoyuqOY4 YmI5HV8DH2WSdB0ZmG9CdgbOijm4XnIhu5fXhIpyLPfL7kOUwoyF5t2eTU/lm2Uh 9/qqmq+q4qQ7uSj4fZ1B3vLozD27c/AXgInq+1cUUPQx/C7PwRKfdvm1CK+75pP5 ed7K+bPcCfGA/YDg4HIHBdTNeFAxlBdEwXgyZUTAv4WmY4el3R/Bys0= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDwTCCAqmgAwIBAgIQKSKXBZj4ZbBN5mitjA+p7zANBgkqhkiG9w0BAQUFADBz MRMwEQYKCZImiZPyLGQBGRYDY29tMRIwEAYKCZImiZPyLGQBGRYCaHAxEzARBgoJ kiaJk/IsZAEZFgNjZGwxGDAWBgoJkiaJk/IsZAEZFghrZXlzdG9uZTEZMBcGA1UE AxMQa2V5c3RvbmUtQUQwMS1DQTAeFw0xNTA3MjIwOTI1MTVaFw0yNTA3MjIwOTM1 MTRaMHMxEzARBgoJkiaJk/IsZAEZFgNjb20xEjAQBgoJkiaJk/IsZAEZFgJocDET MBEGCgmSJomT8ixkARkWA2NkbDEYMBYGCgmSJomT8ixkARkWCGtleXN0b25lMRkw FwYDVQQDExBrZXlzdG9uZS1BRDAxLUNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A MIIBCgKCAQEAx4Zzzd59cimCknq1iNwjUEgtip+n8Aw/epW5DPfkm810MUxZ9KVl MoNV82tIZHUf70gOqEBlgGreHyRiKANpN+qzCY4yP7/91sDD+eZ4JPZYV2wsXboG 5+dWrfz9oKr0vSo7llRfI0I1w0AwtQ26vMxwhEOBR0Rn5wM3XnRhsWYFWWCEmGHe 8HwWcd9KI3rFgDQwEnVQ5g+Fe9RxplHhe1h6ybgRea5Da8QGG/GKdVyyoSzwEYRe 5GevnBX6WChSkbtLT1qNmgFNEjizYb0eN96LgmZ5H27rq9sVemANhSdqeN/s1Jix Q6JsPfT6tWmuH/6rbLMxgPaYhhe7hEoGwQIDAQABo1EwTzALBgNVHQ8EBAMCAYYw DwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUwG4P2G45Ggs7dlxiyo5Pz8Ol0asw EAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQEFBQADggEBAGxRYjs4TVbRSyNH MrKrVFjhFP+vv1A4bbR8BoEwHR3zGbI1tMsFpInNRDUH0mmktor3ppn3DQdL4Tyi +dFIFJrVO9fus3Jx/0ijvhC70qhTavgZdsaWji5EoTv6oBw1Tvj3jto8IGHuuFre ZSyESGW3JmVYkIIJ2ZDTAY/PyIKLt+35hBtk+eCH3Gs9fFq5xNDIWIf8I2WNqJDu 2DpyRn9Jh5ywmle222XdjaNLqN8c2UDTbp7rMAF/X/jTXbEIHZXin+2nMiuV8Pxv ot96Y/NDLTSm7ig5jNd2uXupoP19AGGF/lLTZzJvcxQ7paucJfeiJe9ZeyxICEZC wampKBs= -----END CERTIFICATE----- 0707010000002E000081A40000000000000000000000015DC3211F0000143B000000000000000000000000000000000000006A00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/files/samples/keystone_configure_ldap_sample.yml# # (c) Copyright 2015-2017 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- keystone_domainldap_conf: # CA certificates file content. # Certificates are stored in Base64 PEM format. This may be entire LDAP server # certificate (in case of self-signed certificates), certificate of authority # which issued LDAP server certificate, or a full certificate chain (Root CA # certificate, intermediate CA certificate(s), issuer certificate). # cert_settings: cacert: | -----BEGIN CERTIFICATE----- MIIDVTCCAg2gAwIBAgIEVW4FQjANBgkqhkiG9w0BAQsFADAaMRgwFgYDVQQDEw9F eGFtcGxlIENvbXBhbnkwHhcNMTUwNjAyMTkzNDI2WhcNMTYwNjAxMTkzNDI2WjAa MRgwFgYDVQQDEw9FeGFtcGxlIENvbXBhbnkwggFSMA0GCSqGSIb3DQEBAQUAA4IB PwAwggE6AoIBMQC2JHPnTfQ0BExcdfeLGzUxsmFtJ/EZc/EkU5/qpKJAwsssDRlS Xfg4CN2J68IosFiltBXzQFjT2GK+I9kLLr9Qmbexh5lmLhwApTXTNC+o5/IRIZnK fguRsbE0OdUPlEH7oeLVacPRGg3TU6DPJD7yIgEAmYmQOXWtmUiE2hy50w+Ik6kI JS2ve6VB48jLGC9O7H/x1Fs5sdRLXAEse9A06u2BtbSH9JWp1/DFSFjP9Dk514UP OyXD7rUWEWPMm7vkzwD1Yy2Oj2696y1hGTUxPGWtNEBpE2A364izd8GmD2PxYFzn emWs9u7UUKsc3ZCD7YQCuf+a5uLVOiq2LKsg3Cylk7jBqSVx0BjU4G3eSDnb/E2j a68tEqKMrMw7n791eHFOA8vfnwy0lceQHOghAgMBAAGjQzBBMA8GA1UdEwEB/wQF MAMBAf8wDwYDVR0PAQH/BAUDAwcEADAdBgNVHQ4EFgQUeazaagjvqla452B67afb afAL8B0wDQYJKoZIhvcNAQELBQADggExAIE44JHWTsakqY9/r7UUXYtmA3JPIS4q +ySyYkvO8zwTuinVRJqZJr9qN1dLKoovME5oQm9dgJCDuX9IPcm+NJduJp+r8Dcd q+LQ58qcHI9AEIGj4z12Q6BfyN6SMfq+qxx8XiTn+94gbF8SvLDGV30kyu5P4/M0 kSEhpklmey0b1uxzGRgwz03QsCuMHebt7rCD5ngEsq/wjKEY58xCs/YJzoyuqOY4 YmI5HV8DH2WSdB0ZmG9CdgbOijm4XnIhu5fXhIpyLPfL7kOUwoyF5t2eTU/lm2Uh 9/qqmq+q4qQ7uSj4fZ1B3vLozD27c/AXgInq+1cUUPQx/C7PwRKfdvm1CK+75pP5 ed7K+bPcCfGA/YDg4HIHBdTNeFAxlBdEwXgyZUTAv4WmY4el3R/Bys0= -----END CERTIFICATE----- # A domain will be created in MySQL with this name, and associated with ldap backend. # Installer will also generate a config file named /etc/keystone/domains/keystone.<domain_name>.conf # domain_settings: name: dept1 description: Dedicated domain for dept1 users conf_settings: identity: driver: ldap # For full list and description of ldap configuration options, please refer to # https://github.com/openstack/keystone/blob/master/etc/keystone.conf.sample or # http://docs.openstack.org/kilo/config-reference/content/keystone-configuration-file.html. # # Please note: # 1. LDAP configuration is read-only. Configuration which performs write operations (i.e. creates users, groups, etc) # is not supported at the moment. # 2. LDAP is only supported for identity operations (reading users and groups from LDAP). Assignment # operations with LDAP (i.e. managing roles, projects) are not supported. # 3. LDAP is configured as non-default domain. Configuring LDAP as a default domain is not supported. # ldap: url: ldap://ad.myorg.com suffix: DC=acme,DC=net query_scope: sub user_tree_dn: CN=Users,DC=acme,DC=net user : CN=admin,CN=Users,DC=acme,DC=net password: REDACTED user_objectclass: user user_id_attribute: cn user_name_attribute: cn group_tree_dn: CN=Users,DC=acme,DC=net group_objectclass: group group_id_attribute: cn group_name_attribute: cn use_pool: False user_enabled_attribute: userAccountControl user_enabled_mask: 2 user_enabled_default: 512 use_tls: True tls_req_cert: demand # if you are configuring multiple LDAP domains, and LDAP server certificates are issued # by different authorities, make sure that you place certs for all the LDAP backend domains in the # cacert parameter as seen in this sample yml file so that all the certs are combined in a single CA file # and every LDAP domain configuration points to the combined CA file. # Note: # 1. Please be advised that every time a new ldap domain is configured, the single CA file gets overwritten # and hence ensure that you place certs for all the LDAP backend domains in the cacert parameter. # 2. There is a known issue on one cert per CA file per domain when the system processes # concurrent requests to multiple LDAP domains. Using the single CA file with all certs combined # shall get the system working properly. tls_cacertfile: /etc/keystone/ssl/certs/all_ldapdomains_ca.pem 0707010000002F000041ED0000000000000000000000025DC3211F00000000000000000000000000000000000000000000004E00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/files/samples/websso07070100000030000081A40000000000000000000000015DC3211F0000026F000000000000000000000000000000000000006300000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/files/samples/websso/adfs_sp_mapping.json[ { "local": [{ "user": { "name": "{0}" } }], "remote": [{ "type": "ADFS_LOGIN" }] }, { "local": [{ "group": { "id": "GROUP_ID" } }], "remote": [{ "type": "ADFS_GROUP", "any_one_of": [ "Domain Users" ] }] } ] 07070100000031000081A40000000000000000000000015DC3211F000005D9000000000000000000000000000000000000007100000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/files/samples/websso/keystone_configure_adfs_sample.yml# # (c) Copyright 2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- keystone_trusted_idp: adfs keystone_sp_conf: idp_metadata_file: adfs_metadata.xml shib_sso_application_entity_id: http://sp_uri_entityId shib_sso_idp_entity_id: http://default_idp_uri_entityId target_domain: name: domain1 description: my domain target_project: name: project1 description: my project target_group: name: group1 description: my group role: name: service identity_provider: id: adfs_idp1 description: This is the ADFS identity provider. mapping: id: mapping1 rules_file: adfs_mapping.json protocol: id: saml2 attribute_map: - name: http://schemas.xmlsoap.org/claims/Group id: ADFS_GROUP - name: urn:oid:1.3.6.1.4.1.5923.1.1.1.6 id: ADFS_LOGIN 07070100000032000081A40000000000000000000000015DC3211F000003FF000000000000000000000000000000000000007B00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/files/samples/websso/keystone_configure_openid_connect_sample.yml# # (c) Copyright 2019 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- keystone_openid_connect_conf: identity_provider: google response_type: id_token scope: "openid email profile" metadata_url: https://accounts.google.com/.well-known/openid-configuration client_id: <Replace with your client ID> client_secret: <Replace with your client secret> redirect_uri: https://www.myenterprise.com:5000/v3/OS-FEDERATION/identity_providers/google/protocols/openid/auth crypto_passphrase: "" 07070100000033000041ED0000000000000000000000025DC3211F00000000000000000000000000000000000000000000005000000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/files/samples/x509auth07070100000034000081A40000000000000000000000015DC3211F00001094000000000000000000000000000000000000005B00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/files/samples/x509auth/cacert.pem-----BEGIN CERTIFICATE----- MIIF9DCCA9ygAwIBAgIJAOZ2+Dq0sG2uMA0GCSqGSIb3DQEBCwUAMIGFMQswCQYD VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl MQwwCgYDVQQKDANIUEUxDzANBgNVBAsMBkhlbGlvbjEPMA0GA1UEAwwGcm9vdGNh MR0wGwYJKoZIhvcNAQkBFg5yb290Y2FAaHBlLmNvbTAgFw0xNjA0MDYwMDM2Mzla GA8yMjE2MDIxODAwMzYzOVowgYUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxp Zm9ybmlhMRIwEAYDVQQHDAlTdW5ueXZhbGUxDDAKBgNVBAoMA0hQRTEPMA0GA1UE CwwGSGVsaW9uMQ8wDQYDVQQDDAZyb290Y2ExHTAbBgkqhkiG9w0BCQEWDnJvb3Rj YUBocGUuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAls+ybSfw nH6HvEtF2v//SQMfKJo8vVUUh8KYqHSYdGr6lZ0s650V8NCyGFfXke+zMRkEg6PK 9BXQ/r2DJgA2uZMb8LCG70/QwmlR57fjpd1AAiz26wroiPXL9RgAovDQb5f3RGzG +zhxcHF9Q+u4LPaLYdzTyvg8KGd6exTjhuJOPCi/Z9Tn5iltAornWlVlPbXCRGPD N+EC/iDZcuZF4DhAoTXRcsR6mgayaR5OICALfU4pOuggKB7+BwWNWs2Hz72UkY1z MaLvRjb/AkDEv0E1nJ/iPH3vJ4Ymd+8lgPAHJuncB/HTvtBwJWL4FjmYGa3CCCo1 9oSj3gnGs5PA54MV/7hvs7OT9JvWx14SIfkeJy6YQcgON3fPGT0+wyOAxlHI/HJa VEQHZ1En6aoszM+7Kks4iiqdyllUi5E+uzaVUEeZj4aqnM/qa84uYeGsZ/CLLom9 vXll1MCB1Rg2r7zakZFVA3+HyhAWWVlPfe1Z0fASEYzJ7zFRDclcoQCJmtSzLdOJ ykPRfGKstI07dgx1xzwMw6L5Dp071N5mlLeHPxi+l0OI+QUtBA2kfxOl/KphgMVA KSXUQWuMn756s/WKfO+OZnox2/R4za+tV3XnhuwvnnrvYIZ7owtddyEUCtPFl59t H1WPSrSqiwcz1BmYbnkjnwHb9bzOKn6QmOcCAwEAAaNjMGEwHQYDVR0OBBYEFHKl 5HeiF9fO8GXbh+hwXewOrej0MB8GA1UdIwQYMBaAFHKl5HeiF9fO8GXbh+hwXewO rej0MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB CwUAA4ICAQAKn+lAHX/9pBTLKHuQWq5tbaEv5uQVqKWJCJ9TvGiV1aB9C7RXbmfW kp/X6YFpaPyvbRuFgNAmZ550Xq2nHrvRHZXZ5RZD+QGxe5QsXcW6YiSGTPxqlHBH 7iupUDZi589CDgyR5S1s9cYxHpx+1YqkZkmMKwpJz74YdlowCy4TfZybNOuVEzIH 25e1oZPI28vHks5KxcLv50IK+mlAEl4O5Odx8JMknMlG+HRRYCp8thdctC7z/igq AKuBHkgRZMD85eSK01iGfqBDtK89yBreK9iZOr7OhmpdSJxinVPNA3s46cKKTcRi yRH8Xsf7GW5kLHSafz11wuzLs6TlXK9MdwilD/zGGQKpLkXcQqYatLdHBTSZpqbN XJFMDZEDmUef5S2T+AHMHZWlFX98jTx7jJoezFvXY5Sbab3v1lwey5M7ggASMF0I 8JKrM5COetWIME67MBtoeaLFVQAi0tHNxmmq2hgDzS3U3wsf4VM5dTKAf+WrREcm o6meZE/AS6tytbsY1M39iKUeak3M6/XmgbFrmMC5J/vJzIsqkmA3Xa6y/WxKyrQA CdpGqDtBqTo1qoC+VZwJ8nLNFfvnINRpWRWPNYq+c6QzvDsY3115xPO5Vlhg+/jc Y60qoHXnTYUwoyb/OvWGXhfRvMhRypLj7yo/sZiCEeMiUxiv9N292w== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIF7zCCA9egAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgYUxCzAJBgNVBAYTAlVT MRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQHDAlTdW5ueXZhbGUxDDAKBgNV BAoMA0hQRTEPMA0GA1UECwwGSGVsaW9uMQ8wDQYDVQQDDAZyb290Y2ExHTAbBgkq hkiG9w0BCQEWDnJvb3RjYUBocGUuY29tMB4XDTE2MDQwNjIyMDU1NFoXDTI2MDQw NDIyMDU1NFowgYYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMQww CgYDVQQKDANIUEUxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRcwFQYDVQQDDA5pbnRl cm1lZGlhdGVjYTElMCMGCSqGSIb3DQEJARYWaW50ZXJtZWRpYXRlY2FAaHBlLmNv bTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALNz+Qg9LlmMMIGxDDnK UDmfK1QVlCY5QRC2BflDwZzPnZ9HC91RuGqrAj1bA4tnALIyFhW2jZh+dysr1s13 l/0/I4aX6xLOHzJszrhwxdgmRbF+lmt3U+Wc9xxy9z7haJqpp/zTNKFN3Ofi6CdG SSUISrZz7YLxX2ErYAbCTuQMLey8WyXSdcvuGKQZV0YYGJgPH4tLTSfrBi1z9h2h F3UC+n4N/ypnNgsciOl48ol9D2Yfys2++Du96MDQiJgkimkk0OjsfRsLiT5wwNPn ROg2Vq9QcUkco4E4uM6lp5zRWyLtOr7qRg3yP19ElJkS0x2stnP/1BM2SLjYGP/i 9kfxcWr5tY33YbaERpMpywauuBDopNzxVW71RAg5a3llzLvGsqyBvDVQETbY+ugJ 2w71k1Z1mv/Zpovavyd9eQ0jNcAq09AOgSbIDZWU9EQ1ZrS98ZIwkGc8SPX9x99F QcgXRf+ogfVzACt3m0l9M893SY2wIic9pGzvmx2zmDlKSfd8n9IbcnK/ON/oKqtL PNECbIGUVG0ILupvsZcndjcMJ3deW4OpZvQ1NFePd70ayY8t/bjAntaDG+Mht7Qp kWxcLc1VrVEmVlwlxKtdg9+BHiufZJE20napXoljct9L3Y62XqWWla4MijDGHvPE lDdORhUWIkcsXliq3jZIQjWXAgMBAAGjZjBkMB0GA1UdDgQWBBTAG04QrGyXyatJ dAoxThpeJcVsXTAfBgNVHSMEGDAWgBRypeR3ohfXzvBl24focF3sDq3o9DASBgNV HRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOC AgEAkoGn0xMHltY/xyxSW/OoKp6UvE7wfVLiHTE7lkiyNVjntAXqEyptAwvQZ85Q vDU3A0gqFfHBQX4tG6ks5Ark4AxctH0cVSwkV/ZxO4M+P5eb9fbX4kGzWOkfWCgR Ro9us/p0VGPceJACkArLK9ty0VWxfOzo64MU7EzMCf/Qgduyw8LFsyAZrJsKpCWZ 5bFX9KWyZgNSO1M/fYjb6cBixXfoOu15S5qg3tCBf7iy21XywMdpmyh9Ek/+/Wtt 2Mr1B+C3oV65/UNJzLbZbE+CgQCK88MPd9B908htS8C7wWpFbLbzGHUdgtppXbTB 0sCQFc+93kEaeG+zbTerrubRZpgDoAj2S9qmz/uxzlZBRp/PgYkh1wWJJ+y3jLB5 r2SOjRsky19XrQSeZ4l6Xq2aoiqt1qqDNEWXHqOm2QiPP3+f8OVAYUfux3+mnr0E cdAEBxPeuw8DEFDvlR9ve9sYAkEGh/Z1NMRJpQrxYbFOdNvsM3T22ZWU5O2eJzbZ se0ytXpqxeoqUrsGmPKQz6p0+vMwy8UyQ2HOP7BeyXkV/F3/AGUlhRL9HlWT4Oo8 zHUlbG0oA11lyvTcEHW1bqgzeSLpNAy204OfL0HqM4NkwHnBU/g61zC9eyZ+Nu67 gia6YFR9UuSA6xPQ6N33tOHpjB5jUbK4iW66NwY+hh+5Agc= -----END CERTIFICATE----- 07070100000035000081A40000000000000000000000015DC3211F000003BB000000000000000000000000000000000000006E00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/files/samples/x509auth/x509auth_configure_sample.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- keystone_x509auth_conf: identity_provider: id: intermediateca description: This is the trusted issuer HEX Id. mapping: id: x509_mapping1 rules_file: /tmp/x509auth_mapping.json protocol: id: x509 remote_id: intermediateca ca_file: /tmp/cacert.pem 07070100000036000081A40000000000000000000000015DC3211F00000486000000000000000000000000000000000000006600000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/files/samples/x509auth/x509auth_mapping.json[ { "local": [ { "user": { "name": "{0}", "domain": { "name": "{1}" }, "type": "local" } } ], "remote": [ { "type": "SSL_CLIENT_S_DN_CN" }, { "type": "SSL_CLIENT_S_DN_O" }, { "type": "SSL_CLIENT_I_DN", "any_one_of": [ "emailAddress=intermediateca@suse.com,CN=intermediateca,OU=Engineering,O=SUSE,ST=California,C=US", "/C=US/ST=California/O=SUSE/OU=Engineering/CN=intermediateca/emailAddress=intermediateca@suse.com" ] } ] } ] 07070100000037000041ED0000000000000000000000025DC3211F00000000000000000000000000000000000000000000004200000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/handlers07070100000038000081A40000000000000000000000015DC3211F000002E9000000000000000000000000000000000000004B00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/handlers/main.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- # Handlers for Keystone - name: keystone_change set_fact: keystone_restart_required: true 07070100000039000041ED0000000000000000000000025DC3211F00000000000000000000000000000000000000000000003E00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/meta0707010000003A000081A40000000000000000000000015DC3211F000002C3000000000000000000000000000000000000004700000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/meta/main.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- dependencies: - role: keystone-common - role: FND-AP2 0707010000003B000041ED0000000000000000000000025DC3211F00000000000000000000000000000000000000000000003F00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/tasks0707010000003C000081A40000000000000000000000015DC3211F000008A6000000000000000000000000000000000000006000000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/tasks/_apply_configuration_changes.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017-2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - name: KEY-API | _apply_configuration_changes | Set facts for virtual install set_fact: override_virtual_install: "{{ True if is_baremetal_install == 'False' and (ansible_memtotal_mb < 47000) and (keystone_wsgi_admin_process_count == 5 and keystone_wsgi_public_process_count == 15) else False }}" #Virtual install can't handle 10 keystone process, so we are overriding it to 2 - name: KEY-API | _apply_configuration_changes | Override process counts for virtual install set_fact: keystone_wsgi_admin_process_count: 2 keystone_wsgi_public_process_count: 2 keystone_wsgi_socket_timeout: 120 when: override_virtual_install # NOTE: Separate keystone.conf so it can be validated by keystone-manage - name: KEY-API | _apply_configuration_changes | Templatize keystone.conf template: src: keystone.conf.j2 dest: "{{ keystone_venv_install_conf_dir }}/keystone.conf" owner: "{{ keystone_user }}" group: "{{ keystone_group }}" mode: 0600 become: yes register: ardana_notify_keystone_change tags: - keystone - name: KEY-API | _apply_configuration_changes | Templatize to get reconfiguration change template: src: "{{ item.src }}" dest: "{{ keystone_venv_install_conf_dir }}/{{ item.dest }}" owner: "{{ keystone_user }}" group: "{{ keystone_group }}" mode: 0600 with_items: - { src: policy.v3cloudsample.json , dest: policy.json } - { src: logging.conf.j2 , dest: logging.conf } become: yes register: ardana_notify_keystone_change tags: - keystone 0707010000003D000081A40000000000000000000000015DC3211F00000874000000000000000000000000000000000000005700000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/tasks/_configure_auditing.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - name: KEY-API | _configure_auditing | Enable auditing ini_file: dest: "{{ keystone_conf_dir }}/keystone.conf" section: "oslo_messaging_notifications" option: "driver" value: "log" owner: "{{ keystone_user }}" group: "{{ keystone_group }}" backup: no become: yes when: keystone_api_audit_enable register: ardana_notify_keystone_change tags: - keystone - name: KEY-API | _configure_auditing | Create auditing logging directory if not there file: path: "{{ keystone_audit_log_base_location }}/keystone" owner: "{{ keystone_user }}" group: "{{ keystone_group }}" mode: 0755 state: directory become: yes when: keystone_api_audit_enable | bool tags: - keystone - name: KEY-API | _configure_auditing | Touch the audit log file file: path: "{{ item }}" owner: "{{ keystone_user }}" group: "adm" mode: 0640 state: touch become: yes with_items: - "{{ keystone_audit_log_base_location }}/keystone/keystone-audit.log" when: keystone_api_audit_enable | bool tags: - keystone - name: KEY-API | _configure_auditing | Disable auditing ini_file: dest: "{{ keystone_conf_dir }}/keystone.conf" section: "oslo_messaging_notifications" option: "driver" value: "noop" owner: "{{ keystone_user }}" group: "{{ keystone_group }}" backup: no become: yes when: keystone_api_audit_enable == false register: ardana_notify_keystone_change tags: - keystone 0707010000003E000081A40000000000000000000000015DC3211F000003EB000000000000000000000000000000000000006100000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/tasks/_configure_deployment_options.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017-2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- # We are adding here once again to enable reconfiguration of process counts - name: KEY-API | _configure_deployment_options | Copies modwsgi configuration template: src: keystone-modwsgi.conf.j2 dest: "{{ apache2_vhost_dir }}/keystone-modwsgi.vhost" mode: 0644 become: yes register: ardana_notify_keystone_change tags: keystone 0707010000003F000081A40000000000000000000000015DC3211F00001EF1000000000000000000000000000000000000005C00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/tasks/_configure_federation_sp.yml# # (c) Copyright 2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - name: KEY-API | _configure_federation_sp | Create the IdP meta data files copy: dest: "{{ keystone_conf_dir }}/{{ keystone_sp_conf.identity_provider.id }}_metadata.xml" src: "{{ keystone_sp_conf.idp_metadata_file }}" owner: "{{ keystone_user }}" group: "{{ keystone_group }}" mode: 0644 become: yes tags: - keystone - name: KEY-API | _configure_federation_sp | Check shibd mapping file has been configured shell: grep 'SHIBD TEMPLATE' "{{ keystone_shibd_conf_dir }}/attribute-map.xml" register: shib_mapping_configured_result ignore_errors: True - name: KEY-API | _configure_federation_sp | Configure the shibd mapping file template: src: "attribute-map.xml.j2" dest: "{{ keystone_shibd_conf_dir }}/attribute-map.xml" owner: "{{ keystone_user }}" group: "{{ keystone_group }}" mode: 0644 when: not shib_mapping_configured_result.stdout become: yes notify: keystone_change tags: - keystone - name: KEY-API | _configure_federation_sp | Add shibd custom attributes in the mapping file lineinfile: backup: no state: present dest: "{{ keystone_shibd_conf_dir }}/attribute-map.xml" line: ' <Attribute name="{{ item.name }}" id="{{ item.id }}"/>' insertafter: '<!-- Custom attributes -->' with_items: keystone_sp_conf.attribute_map become: yes notify: keystone_change tags: - keystone - name: KEY-API | _configure_federation_sp | Configure shibd log rotation template: src: "shibd.logger.j2" dest: "{{ keystone_shibd_conf_dir }}/shibd.logger" owner: "{{ keystone_user }}" group: "{{ keystone_group }}" mode: 0644 become: yes notify: keystone_change tags: - keystone - name: KEY-API | _configure_federation_sp | Check shibd configuration file has been configured shell: grep 'SHIBD TEMPLATE' "{{ keystone_shibd_conf_dir }}/shibboleth2.xml" register: shib_configured_result ignore_errors: True - name: KEY-API | _configure_federation_sp | Configure the shibd configuration file template: src: "shibboleth2.xml.j2" dest: "{{ keystone_shibd_conf_dir }}/shibboleth2.xml" owner: "{{ keystone_user }}" group: "{{ keystone_group }}" mode: 0644 when: not shib_configured_result.stdout become: yes notify: keystone_change tags: - keystone - name: KEY-API | _configure_federation_sp | Add IdP metadata reference in the shibd configuration file lineinfile: backup: yes state: present dest: "{{ keystone_shibd_conf_dir }}/shibboleth2.xml" line: ' <MetadataProvider type="XML" file="{{ keystone_conf_dir }}/{{ keystone_sp_conf.identity_provider.id }}_metadata.xml"/>' insertafter: '<MetadataProvider type="Chaining">' become: yes notify: keystone_change tags: - keystone - name: KEY-API | _configure_federation_sp | Update entity Ids in the shibd configuration file lineinfile: state: present dest: "{{ keystone_shibd_conf_dir }}/shibboleth2.xml" regexp: "{{ item.regexp }}" line: "{{ item.line }}" with_items: - { regexp: '<ApplicationDefaults entityID=*', line: ' <ApplicationDefaults entityID="{{ keystone_sp_conf.shib_sso_application_entity_id }}">' } - { regexp: '<SSO entityID=*', line: ' <SSO entityID="{{ keystone_sp_conf.shib_sso_idp_entity_id }}">' } when: keystone_trusted_idp is defined and keystone_trusted_idp == "adfs" become: yes notify: keystone_change tags: - keystone - name: KEY-API | _configure_federation_sp | Get a domain scoped token keystone_v3: endpoint: "{{ keystone_admin_endpoint }}/v3" login_username: "{{ keystone_admin_user }}" login_password: "{{ keystone_admin_user_pwd }}" login_user_domain_name: "{{ keystone_default_domain }}" login_domain_name: "{{ keystone_default_domain }}" action: "token_get" run_once: true register: domain_scoped_token_result - name: KEY-API | _configure_federation_sp | Create a domain keystone_v3: login_token: "{{ domain_scoped_token_result.result }}" endpoint: "{{ keystone_admin_endpoint }}/v3" action: "create_domain" description: "{{ keystone_sp_conf.target_domain.description }}" domain_name: "{{ keystone_sp_conf.target_domain.name }} " run_once: true tags: - keystone - name: KEY-API | _configure_federation_sp | Create a project keystone_v3: login_token: "{{ domain_scoped_token_result.result }}" endpoint: "{{ keystone_admin_endpoint }}/v3" action: "create_project" description: "{{ keystone_sp_conf.target_project.description }}" project_name: "{{ keystone_sp_conf.target_project.name }} " project_domain_name: "{{ keystone_sp_conf.target_domain.name }} " run_once: true tags: - keystone - name: KEY-API | _configure_federation_sp | Create a group keystone_v3: login_token: "{{ domain_scoped_token_result.result }}" endpoint: "{{ keystone_admin_endpoint }}/v3" action: "create_group" description: "{{ keystone_sp_conf.target_group.description }}" group_name: "{{ keystone_sp_conf.target_group.name }}" domain_name: "{{ keystone_sp_conf.target_domain.name }} " register: federation_group_id_result run_once: true tags: - keystone - name: KEY-API | _configure_federation_sp | Grant role to a group on a project keystone_v3: login_token: "{{ domain_scoped_token_result.result }}" endpoint: "{{ keystone_admin_endpoint }}/v3" action: "grant_project_role_on_group" group_name: "{{ keystone_sp_conf.target_group.name }}" group_domain_name: "{{ keystone_sp_conf.target_domain.name }}" role_name: "{{ keystone_sp_conf.role.name }}" project_name: "{{ keystone_sp_conf.target_project.name }}" project_domain_name: "{{ keystone_sp_conf.target_domain.name }}" run_once: true tags: - keystone - name: KEY-API | _configure_federation_sp | Create IdP in the DB keystone_federation: login_token: "{{ domain_scoped_token_result.result }}" endpoint: "{{ keystone_admin_endpoint }}/v3" action: "create_identity_provider" identity_provider_id: "{{ keystone_sp_conf.identity_provider.id }}" description: "{{ keystone_sp_conf.identity_provider.description }}" remote_id: "{{ keystone_sp_conf.shib_sso_idp_entity_id }}" run_once: true tags: - keystone - name: KEY-API | _configure_federation_sp | Create Mapping in the DB keystone_federation: login_token: "{{ domain_scoped_token_result.result }}" endpoint: "{{ keystone_admin_endpoint }}/v3" action: "create_mapping" mapping_id: "{{ keystone_sp_conf.mapping.id }}" rules: "{{ lookup('file', keystone_sp_conf.mapping.rules_file) | regex_replace('GROUP_ID', federation_group_id_result.result.id) }}" run_once: true tags: - keystone - name: KEY-API | _configure_federation_sp | Create Protocol in the DB keystone_federation: login_token: "{{ domain_scoped_token_result.result }}" endpoint: "{{ keystone_admin_endpoint }}/v3" action: "create_protocol" protocol_id: "{{ keystone_sp_conf.protocol.id }}" identity_provider_id: "{{ keystone_sp_conf.identity_provider.id }}" mapping_id: "{{ keystone_sp_conf.mapping.id }}" run_once: true tags: - keystone 07070100000040000081A40000000000000000000000015DC3211F00000521000000000000000000000000000000000000005500000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/tasks/_configure_fernet.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017-2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- # determine the master node - include: _set_fernet_master_node.yml # setup the Fernet keys on the master node - name: KEY-API | _configure_fernet | Create Fernet keys on master node include: _create_fernet_keys.yml when: inventory_hostname == fernet_master_node # setup the SSH keys for Fernet key distribution as it is using rsync - name: KEY-API | _configure_fernet | Distribute the SSH keys include: _distribute_ssh_keys_for_fernet_distributions.yml when: inventory_hostname != fernet_master_node # now distribute the Fernet keys - include: _distribute_fernet_keys.yml # setup Fernet key auto rotation - include: _setup_fernet_auto_rotation.yml 07070100000041000081A40000000000000000000000015DC3211F00000991000000000000000000000000000000000000005600000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/tasks/_configure_k2k_idp.yml# # (c) Copyright 2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # # keystone user and endpoint registration --- - name: KEY-API | _configure_k2k_idp | Create the IdP signer certificate file copy: dest: "{{ keystone_conf_dir }}/idpcert.pem" content: "{{ keystone_k2k_idp_conf.signer_cert }}" owner: "{{ keystone_user }}" group: "{{ keystone_group }}" mode: 0644 become: yes tags: - keystone - name: KEY-API | _configure_k2k_idp | Create the IdP signer private key file copy: dest: "{{ keystone_conf_dir }}/idpkey.pem" content: "{{ keystone_k2k_idp_conf.signer_key }}" owner: "{{ keystone_user }}" group: "{{ keystone_group }}" mode: 0600 become: yes tags: - keystone - name: KEY-API | _configure_k2k_idp | Create IdP meta data file shell: "{{ keystone_bin_dir }}/keystone-manage saml_idp_metadata > {{ keystone_conf_dir }}/idp_metadata.xml" become: yes become_user: "{{ keystone_user }}" tags: - keystone - name: KEY-API | _configure_k2k_idp | Get a domain scoped token keystone_v3: endpoint: "{{ keystone_admin_endpoint }}/v3" login_username: "{{ keystone_admin_user }}" login_password: "{{ keystone_admin_user_pwd }}" login_user_domain_name: "Default" login_domain_name: "Default" action: "token_get" run_once: true register: domain_scoped_token_result - name: KEY-API | _configure_k2k_idp | Create K2k Service Provider keystone_federation: login_token: "{{ domain_scoped_token_result.result }}" endpoint: "{{ keystone_admin_endpoint }}/v3" action: "create_service_provider" service_provider_id: "{{ item.id }}" description: "{{ item.description }}" sp_url: "{{ item.sp_url }}/Shibboleth.sso/SAML2/ECP" auth_url: "{{ item.auth_url }}" with_items: keystone_k2k_idp_conf.service_provider run_once: true tags: - keystone 07070100000042000081A40000000000000000000000015DC3211F00000BDA000000000000000000000000000000000000005300000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/tasks/_configure_ldap.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - name: KEY-API | _configure_ldap | Display variables that are configured for LDAP debug: var=keystone_domainldap_conf tags: - keystone - keystone_debug when: keystone_debug is defined - name: KEY-API | _configure_ldap | Get a domain scoped token keystone_v3: endpoint: "{{ keystone_admin_endpoint }}/v3" login_username: "{{ keystone_admin_user }}" login_password: "{{ keystone_admin_user_pwd }}" login_user_domain_name: "Default" login_domain_name: "Default" action: "token_get" run_once: true register: domain_scoped_token_result - name: KEY-API | _configure_ldap | Configure LDAP | Create domains keystone_v3: login_token: "{{ domain_scoped_token_result.result }}" endpoint: "{{ keystone_internal_endpoint }}/v3" action: "create_domain" description: "{{ keystone_domainldap_conf.domain_settings.description }}" domain_name: "{{ keystone_domainldap_conf.domain_settings.name }}" run_once: true tags: - keystone - name: KEY-API | _configure_ldap | Delete the existing configuration file file: path: "{{ keystone_conf_dir }}/domains/keystone.{{ keystone_domainldap_conf.domain_settings.name }}.conf" state: absent become: yes tags: - keystone - name: KEY-API | _configure_ldap | Populate domain specific config entries ini_file: dest: "{{ keystone_conf_dir }}/domains/keystone.{{ keystone_domainldap_conf.domain_settings.name }}.conf" section: "{{ item.section }}" option: "{{ item.option }}" value: "{{ item.value }}" owner: "{{ keystone_user }}" group: "{{ keystone_group }}" backup: no with_items: keystone_domainldap_conf.conf_settings | osini() become: yes register: ardana_notify_keystone_change tags: - keystone - name: KEY-API | _configure_ldap | Create the ldap CA file copy: dest: "{{ keystone_domainldap_conf.conf_settings.ldap.tls_cacertfile }}" content: "{{ keystone_domainldap_conf.cert_settings.cacert }}" owner: "{{ keystone_user }}" group: "{{ keystone_group }}" mode: 0644 when: (keystone_domainldap_conf.conf_settings.ldap.use_tls is defined and keystone_domainldap_conf.conf_settings.ldap.use_tls == True) or keystone_domainldap_conf.conf_settings.ldap.url| split(':')|first() == 'ldaps' become: yes tags: - keystone 07070100000043000081A40000000000000000000000015DC3211F0000041C000000000000000000000000000000000000005900000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/tasks/_configure_ldap_certs.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - name: KEY-API | _configure_ldap_certs | Create the ldap CA file copy: dest: "{{ keystone_domainldap_certs.cert_settings.cacert_file }}" content: "{{ keystone_domainldap_certs.cert_settings.cacert }}" owner: "{{ keystone_user }}" group: "{{ keystone_group }}" mode: 0644 when: (keystone_domainldap_certs.cert_settings is defined) become: yes tags: - keystone 07070100000044000081A40000000000000000000000015DC3211F00000441000000000000000000000000000000000000005F00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/tasks/_configure_websso_with_adfs.yml# # (c) Copyright 2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017-2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - name: KEY-API | _configure_websso_with_adfs | Create Symlink for Keystone sso_callback_template from venv file: src: "{{ keystone_venv_dir }}/usr/share/keystone/{{ item }}" dest: "{{ keystone_conf_dir }}/{{ item }}" owner: "{{ keystone_user }}" group: "{{ keystone_group }}" state: link with_items: - sso_callback_template.html become: yes tags: - keystone - include: _configure_federation_sp.yml 07070100000045000081A40000000000000000000000015DC3211F000003D3000000000000000000000000000000000000006900000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/tasks/_configure_websso_with_openid_connect.yml# # (c) Copyright 2019 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - name: KEY-API | _configure_websso_with_openid_connect | Create Symlink for Keystone sso_callback_template from venv file: src: "{{ keystone_venv_dir }}/usr/share/keystone/sso_callback_template.html" dest: "{{ keystone_conf_dir }}/sso_callback_template.html" owner: "{{ keystone_user }}" group: "{{ keystone_group }}" state: link become: yes tags: - keystone 07070100000046000081A40000000000000000000000015DC3211F00000C17000000000000000000000000000000000000005700000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/tasks/_configure_x509auth.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017-2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - name: KEY-API | _configure_x509auth | Get a domain scoped token keystone_v3: endpoint: "{{ keystone_admin_endpoint }}/v3" login_username: "{{ keystone_admin_user }}" login_password: "{{ keystone_admin_user_pwd }}" login_user_domain_name: "{{ keystone_default_domain }}" login_domain_name: "{{ keystone_default_domain }}" action: "token_get" run_once: true register: domain_scoped_token_result - name: KEY-API | _configure_x509auth | Create IdP in the DB keystone_federation: login_token: "{{ domain_scoped_token_result.result }}" endpoint: "{{ keystone_admin_endpoint }}/v3" action: "create_identity_provider" identity_provider_id: "{{ keystone_x509auth_conf.identity_provider.id }}" description: "{{ keystone_x509auth_conf.identity_provider.description }}" remote_id: "{{ keystone_x509auth_conf.remote_id }}" run_once: true tags: - keystone - name: KEY-API | _configure_x509auth | Create Mapping in the DB keystone_federation: login_token: "{{ domain_scoped_token_result.result }}" endpoint: "{{ keystone_admin_endpoint }}/v3" action: "create_mapping" mapping_id: "{{ keystone_x509auth_conf.mapping.id }}" rules: "{{ lookup('file', keystone_x509auth_conf.mapping.rules_file) }}" run_once: true tags: - keystone - name: KEY-API | _configure_x509auth | Create Protocol in the DB keystone_federation: login_token: "{{ domain_scoped_token_result.result }}" endpoint: "{{ keystone_admin_endpoint }}/v3" action: "create_protocol" protocol_id: "{{ keystone_x509auth_conf.protocol.id }}" identity_provider_id: "{{ keystone_x509auth_conf.identity_provider.id }}" mapping_id: "{{ keystone_x509auth_conf.mapping.id }}" run_once: true tags: - keystone - name: KEY-API | _configure_x509auth | Create trusted CA certificate file copy: dest: "/etc/ssl/private/cacert.pem" src: "{{ keystone_x509auth_conf.ca_file }}" owner: "root" group: "root" mode: 0644 become: yes tags: - keystone - name: KEY-API | _configure_x509auth | Create Symlink for Keystone sso_callback_template from venv file: src: "{{ keystone_venv_dir }}/usr/share/keystone/{{ item }}" dest: "{{ keystone_conf_dir }}/{{ item }}" owner: "{{ keystone_user }}" group: "{{ keystone_group }}" state: link mode: 0644 with_items: - sso_callback_template.html become: yes tags: - keystone 07070100000047000081A40000000000000000000000015DC3211F00000595000000000000000000000000000000000000005700000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/tasks/_create_fernet_keys.yml# # (c) Copyright 2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. --- - name: KEY-API | _create_fernet_keys | Check Fernet Keys become: yes stat: path: "{{ keystone_fernet_dir }}/0" register: check_fernet_key_result tags: - keystone - name: KEY-API | _create_fernet_keys | Setup Fernet Keys become: yes become_user: "{{ keystone_user }}" command: > {{ keystone_bin_dir }}/keystone-manage fernet_setup --keystone-user {{ keystone_user }} --keystone-group {{ keystone_group }} when: not check_fernet_key_result.stat.exists tags: - keystone - name: KEY-API | _create_fernet_keys | Rotate Fernet Keys become: yes become_user: "{{ keystone_user }}" command: > {{ keystone_bin_dir }}/keystone-manage fernet_rotate --keystone-user {{ keystone_user }} --keystone-group {{ keystone_group }} when: not check_fernet_key_result.stat.exists tags: - keystone 07070100000048000081A40000000000000000000000015DC3211F000004D4000000000000000000000000000000000000005400000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/tasks/_create_rc_files.yml# # (c) Copyright 2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # - name: KEY-API | _create_rc_files | Copy stackrc file template: src: "{{ item }}" dest: "{{ ardanauser_home }}" owner: "{{ ardanauser }}" group: "{{ ardanauser }}" mode: 0600 with_items: - keystone.osrc - service.osrc tags: - keystone - name: KEY-API | _create_rc_files | Copy stackrc file to deployer template: src: "{{ item }}" dest: "{{ ardanauser_home }}" owner: "{{ ardanauser }}" group: "{{ ardanauser }}" mode: 0600 delegate_to: localhost with_items: - keystone.osrc - service.osrc tags: - keystone 07070100000049000081A40000000000000000000000015DC3211F000003D5000000000000000000000000000000000000005B00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/tasks/_distribute_fernet_keys.yml# # (c) Copyright 2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - name: KEY-API | _distribute_fernet_keys | Distribute Fernet key dir become: yes become_user: "{{ keystone_user }}" synchronize: src: "{{ keystone_fernet_dir }}" dest: "{{ keystone_fernet_dir }}" archive: yes delete: yes compress: yes set_remote_user: no when: inventory_hostname != fernet_master_node delegate_to: "{{ fernet_master_node }}" tags: - keystone 0707010000004A000081A40000000000000000000000015DC3211F00000967000000000000000000000000000000000000007100000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/tasks/_distribute_ssh_keys_for_fernet_distributions.yml# # (c) Copyright 2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. --- - name: KEY-API | _distribute_ssh_keys_for_fernet_distributions | Read the Fernet dist ssh public key become: yes command: cat {{ keystone_home_dir }}/.ssh/id_rsa.pub register: keystone_ssh_pub_key_result delegate_to: "{{ fernet_master_node }}" tags: - keystone # NOTE(gyee): we first restrict the command to 'date' so the next task # can add the host fingerprint to the known_hosts file of the master. - name: KEY-API | _distribute_ssh_keys_for_fernet_distributions | Add dist public key to authorized_keys become: yes authorized_key: user: "{{ keystone_user }}" state: present key: "{{ keystone_ssh_pub_key_result.stdout }}" key_options: > command="date" tags: - keystone # NOTE(gyee): by do this we are adding the host key for the given host # to the Fernet master node's known_hosts file so that we don't have # to turn off strict host key checking later when we are doing Fernet # key synchronization. - name: KEY-API | _distribute_ssh_keys_for_fernet_distributions | generate SSH host key become: yes become_user: "{{ keystone_user }}" command: > ssh -o StrictHostKeyChecking=no {{ host.bind['KEY_API'].internal.ip_address }} date delegate_to: "{{ fernet_master_node }}" tags: - keystone # NOTE(gyee): we are restricting the given SSH key for the singular purpose # of Fernet key distribution. Anything else will require explicit permission. - name: KEY-API | _distribute_ssh_keys_for_fernet_distributions | Add dist public key to authorized_keys become: yes authorized_key: user: "{{ keystone_user }}" state: present key: "{{ keystone_ssh_pub_key_result.stdout }}" key_options: > command="rsync --server -vlogDtprze.iLsC --delete . {{ keystone_fernet_dir }}" tags: - keystone 0707010000004B000081A40000000000000000000000015DC3211F00000498000000000000000000000000000000000000005C00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/tasks/_find_fernet_master_node.yml# # (c) Copyright 2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - name: KEY-API | _find_fernet_master_node | Check for fernet key rotation job become: yes stat: path: "{{ keystone_fernet_rotate_cron_script }}" register: fernet_key_rotation_cron_script_result tags: - keystone # a node is considered the master node if it has fernet token key rotation # cron job active - name: KEY-API | _find_fernet_master_node | Set fernet key rotation master set_fact: found_fernet_master_node: "{{ item }}" when: hostvars[item]['fernet_key_rotation_cron_script_result']['stat']['exists'] with_items: "{{ keystone_hosts }}" tags: - keystone 0707010000004C000081A40000000000000000000000015DC3211F00000876000000000000000000000000000000000000005C00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/tasks/_reconfigure_credentials.yml# # (c) Copyright 2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017-2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # - name: KEY-API | _reconfigure_credentials | Get a domain scoped token keystone_v3: endpoint: "{{ keystone_internal_endpoint }}/v3" login_username: "{{ keystone_admin_user }}" login_password: "{{ keystone_old_admin_pwd | quote }}" login_user_domain_name: "{{ keystone_default_domain }}" login_domain_name: "{{ keystone_default_domain }}" action: "token_get" register: domain_scoped_token_result when: KEY_API.old_vars.keystone_admin_pwd is defined run_once: true ignore_errors: true # Reset keystone admin user's default password - name: KEY-API | _reconfigure_credentials | Reset keystone admin user's password keystone_v3: login_token: "{{ domain_scoped_token_result.result }}" endpoint: "{{ keystone_internal_endpoint }}/v3" action: "reset_password_by_admin" user_name: "{{ keystone_admin_user }}" user_password: "{{ keystone_admin_user_pwd }}" user_domain_name: "{{ keystone_default_domain }}" when: domain_scoped_token_result | success run_once: true - name: KEY-API | _reconfigure_credentials | Validate admin user's password keystone_v3: endpoint: "{{ keystone_internal_endpoint }}/v3" login_username: "{{ keystone_admin_user }}" login_password: "{{ keystone_admin_user_pwd | quote }}" login_user_domain_name: "{{ keystone_default_domain }}" login_domain_name: "{{ keystone_default_domain }}" action: "token_get" when: KEY_API.old_vars.keystone_admin_pwd is defined run_once: true - include: _create_rc_files.yml 0707010000004D000081A40000000000000000000000015DC3211F000004B0000000000000000000000000000000000000005B00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/tasks/_set_fernet_master_node.yml# # (c) Copyright 2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- # see if fernet master node alread exist - include: _find_fernet_master_node.yml # If the master node exist, fernet_master_node should be defined. Otherwise, # we'll designate the first node as the master node. - name: KEY-API | _set_fernet_master_node | Set Fernet master node set_fact: fernet_master_node: "{{ keystone_hosts[0] }}" when: found_fernet_master_node is undefined tags: - keystone - name: KEY-API | _set_fernet_master_node | Set found Fernet master node set_fact: fernet_master_node: "{{ found_fernet_master_node }}" when: found_fernet_master_node is defined tags: - keystone 0707010000004E000081A40000000000000000000000015DC3211F00000669000000000000000000000000000000000000005F00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/tasks/_setup_fernet_auto_rotation.yml# # (c) Copyright 2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. --- - name: KEY-API | _setup_fernet_auto_rotation | Setup the auto rotation script become: yes template: src: "{{ keystone_fernet_auto_rotation_script_name}}.j2" dest: "{{ keystone_fernet_auto_rotation_script }}" owner: "{{ keystone_user }}" group: "{{ keystone_group }}" mode: 0750 when: inventory_hostname == fernet_master_node tags: - keystone - name: KEY-API | _setup_fernet_auto_rotation | Create auto rotation cron job become: yes cron: name: "Fernet token auto rotation job" special_time: "{{ keystone_fernet_rotation }}" user: "{{ keystone_user }}" job: "{{ keystone_fernet_auto_rotation_script }}" cron_file: keystone-fernet-rotate state: present when: inventory_hostname == fernet_master_node tags: - keystone - name: KEY-API | _setup_fernet_auto_rotation | Remove extra auto rotation jobs become: yes cron: name: "Fernet token auto rotation job" cron_file: keystone-fernet-rotate state: absent when: inventory_hostname != fernet_master_node tags: - keystone 0707010000004F000081A40000000000000000000000015DC3211F000005CE000000000000000000000000000000000000005A00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/tasks/_setup_revocation_cron.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - name: KEY-API | configure | Add token cleanup to crontab cron: name: "keystone token cleanup" hour: "1" minute: 1 job: "{{ keystone_bin_dir }}/keystone-manage token_flush" state: present become: yes run_once: True tags: - keystone - name: KEY-API | configure | Copy revocation_event cleanup cron job template: src: "revocation_cleanup.j2" dest: "{{ keystone_bin_dir }}/revocation_cleanup.sh" owner: "{{ keystone_user }}" group: "{{ keystone_group }}" mode: 0755 become: yes tags: - keystone - name: KEY-API | configure | Add revocation cleanup to crontab cron: name: "keystone revocation cleanup" hour: "1,5,10,15,20" minute: 1 job: "{{ keystone_bin_dir }}/revocation_cleanup.sh" state: present become: yes run_once: True tags: - keystone 07070100000050000081A40000000000000000000000015DC3211F0000031D000000000000000000000000000000000000005E00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/tasks/_stop_fernet_auto_rotation.yml# # (c) Copyright 2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. --- - name: KEY-API | _stop_fernet_auto_rotation | Stop auto rotation jobs become: yes cron: name: "Fernet token auto rotation job" cron_file: keystone-fernet-rotate state: absent tags: - keystone 07070100000051000081A40000000000000000000000015DC3211F00000525000000000000000000000000000000000000006000000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/tasks/_update_log_file_permissions.yml# # (c) Copyright 2017 Hewlett Packard Enterprise Development LP # (c) Copyright 2017-2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # - name: KEY-API | _update_log_file_permissions | Update the file permissions for shibd log files become: yes file: path: "{{ item }}" owner: "{{ shibd_user }}" group: "{{ adm_group_name }}" mode: "u+rw,g+r,o-rwx" state: directory recurse: yes with_items: - "{{ shibd_log_dir }}" - "{{ shibd_www_log_dir }}" tags: - keystone - name: KEY-API | _update_log_file_permissions | Update the file permissions for keystone log files become: yes file: path: "{{ keystone_log_dir }}" owner: "keystone" group: "{{ adm_group_name }}" mode: "u+rw,g+r,o-rwx" state: directory recurse: yes tags: - keystone 07070100000052000081A40000000000000000000000015DC3211F00000ECC000000000000000000000000000000000000005100000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/tasks/_venv_install.yml# # (c) Copyright 2015-2017 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - name: KEY-API | _venv_install | Update the venv Cache install_package: cache: update become: yes tags: - keystone - name: KEY-API | _venv_install | Install Keystone install_package: name: keystone service: keystone state: present activate: act_off become: yes register: keystone_venv_install_result tags: - keystone - name: KEY-API | _venv_install | Set facts about the venv set_fact: keystone_venv_install_conf_dir: "{{ 'keystone' | config_dir(keystone_venv_install_result.version) }}" keystone_venv_install_share_dir: "{{ 'keystone' | share_dir(keystone_venv_install_result.version) }}/" keystone_bin_dir: "{{ 'keystone' | bin_dir(keystone_venv_install_result.version) }}/" - name: KEY-API | _venv_install | Debug venv variable debug: var=keystone_venv_install_result tags: - keystone - keystone_debug when: keystone_debug is defined run_once: True - name: KEY-API | _venv_install | Activate the Venv become: yes install_package: name: keystone service: keystone activate: act_on version: "{{ keystone_venv_install_result.version }}" when: keystone_venv_install_result is defined register: ardana_notify_keystone_change tags: - keystone - name: KEY-API | _venv_install | Copies file to venv conf dir template: src: "{{ item.src }}" dest: "{{ keystone_venv_install_conf_dir }}/{{ item.dest }}" owner: "{{ keystone_user }}" group: "{{ keystone_group }}" mode: 0600 with_items: - { src: policy.v3cloudsample.json , dest: policy.json } - { src: keystone.conf.j2 , dest: keystone.conf } - { src: logging.conf.j2 , dest: logging.conf } become: yes register: ardana_notify_keystone_change tags: - keystone - name: KEY-API | _venv_install | Create symbolic link for startup file become: yes file: src: "{{ keystone_bin_dir }}/keystone-wsgi-public" dest: "/var/www/keystone/{{ item }}" owner: root group: "{{ keystone_group }}" state: link with_items: - main tags: - keystone - name: KEY-API | _venv_install | Create symbolic link for startup file become: yes file: src: "{{ keystone_bin_dir }}/keystone-wsgi-admin" dest: "/var/www/keystone/{{ item }}" owner: root group: "{{ keystone_group }}" state: link with_items: - admin tags: - keystone # Temporary patch to enable upgrade from Beta1 to Beta 2 without # manual workaround - name: KEY-API | _venv_install | Remove the files that are in Beta 1 file: path: "{{ keystone_conf_dir }}/{{ item }}" state: absent with_items: - keystone.conf - logging.conf - policy.json become: yes ignore_errors: True tags: - keystone - name: KEY-API | _venv_install | Create Symlinks for other config files from install become: yes file: src: "{{ keystone_venv_install_conf_dir }}/{{ item }}" dest: "{{ keystone_conf_dir }}/{{ item }}" owner: "{{ keystone_user }}" group: "{{ keystone_group }}" state: link with_items: - keystone.conf - logging.conf - policy.json tags: - keystone 07070100000053000081A40000000000000000000000015DC3211F00000320000000000000000000000000000000000000004D00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/tasks/configure.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - include: _apply_configuration_changes.yml - include: _create_rc_files.yml - include: _setup_revocation_cron.yml - include: configure_features.yml 07070100000054000081A40000000000000000000000015DC3211F00000A05000000000000000000000000000000000000005600000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/tasks/configure_features.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017-2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - name: KEY-API | configure_features | Set oidc_crypto_passphrase set_fact: oidc_crypto_passphrase: "{{ keystone_openid_connect_conf.crypto_passphrase }}" when: keystone_openid_connect_conf is defined tags: - keystone - name: KEY-API | configure_features | Create random OIDC crypto passphrase set_fact: oidc_crypto_passphrase: "{{ lookup('password', '/tmp/oidcpassphrase chars=ascii_letters,digits,hexdigits') }}" when: keystone_openid_connect_conf is defined and oidc_crypto_passphrase == "" tags: - keystone - include: _configure_deployment_options.yml - include: _configure_ldap.yml when: keystone_domainldap_conf is defined - include: _configure_ldap_certs.yml when: keystone_domainldap_certs is defined - include: _configure_auditing.yml - name: KEY-API | configure_features | Check Fernet token configuration prereq debug: msg: >- WARNING: Then number of play hosts does not match the number of Keystone API hosts. It is possible that the --limit option was used in the play. The use of --limit option is not supported when configuring the Fernet token feature. Fernet token configuration will be skipped. when: keystone_configure_fernet and vars['play_hosts'] | length != keystone_hosts | length - include: _configure_fernet.yml when: keystone_configure_fernet and vars['play_hosts'] | length == keystone_hosts | length - include: _configure_federation_sp.yml when: keystone_trusted_idp is defined and keystone_trusted_idp == "k2k" - include: _configure_k2k_idp.yml when: keystone_k2k_idp_conf is defined - include: _configure_websso_with_adfs.yml when: keystone_trusted_idp is defined and keystone_trusted_idp == "adfs" - include: _configure_websso_with_openid_connect.yml when: keystone_openid_connect_conf is defined - include: _configure_x509auth.yml when: keystone_x509auth_conf is defined 07070100000055000081A40000000000000000000000015DC3211F000003F2000000000000000000000000000000000000005000000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/tasks/db_configure.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - name: KEY-API | db_configure | Sync Keystone DB command: > "{{ keystone_bin_dir }}/keystone-manage" --config-file "{{ keystone_venv_install_conf_dir }}/keystone.conf" --log-config "{{ keystone_venv_install_conf_dir }}/logging.conf" db_sync run_once: true become: yes become_user: "{{ keystone_user }}" tags: - keystone 07070100000056000081A40000000000000000000000015DC3211F000011A3000000000000000000000000000000000000004B00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/tasks/install.yml# # (c) Copyright 2015-2017 Hewlett Packard Enterprise Development LP # (c) Copyright 2017-2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- # Some of these libraries are already in base node install. No harm listing here # python-httplib2 is an ansible dependency for the module uri - name: KEY-API | install | Install keystone dependencies become: yes package: state: present name: "{{ item }}" with_items: key_api_packages tags: - keystone # TODO(fergal) - remove this extra package install action once the legacy # CI process includes the xmlsec1 and its dependent package(s). - name: KEY-API | install | Install non-legacy keystone dependencies become: yes package: state: present name: "{{ item }}" with_items: - xmlsec1 - libxmlsec1-openssl1 tags: - keystone - name: KEY-API | install | Add group '{{ keystone_group }}' become: yes group: name: "{{ keystone_group }}" state: present tags: - keystone - name: KEY-API | install | Check to see if keystone user already exist become: yes getent: database: passwd key: "{{ keystone_user }}" fail_key: no tags: - keystone # If keystone user already exist, that means we are in the upgrade # situation. In that case, we must stop any process that is owned by # the keystone user before making usermod. - name: KEY-API | install | Stop any process owned by keystone user include: stop.yml when: getent_passwd[keystone_user] is not none - name: KEY-API | install | Wait for keystone owned processes to exit wait_for: timeout: 30 when: getent_passwd[keystone_user] is not none # NOTE(gyee): we are setting keystone user shell to '/bin/bash/ in order # to enable keystone user to do rsync over ssh for Fernet key distribution. - name: KEY-API | install | Add user '{{ keystone_user }}' become: yes user: name: "{{ keystone_user }}" group: "{{ keystone_group }}" createhome: yes home: "{{ keystone_home_dir }}" generate_ssh_key: yes shell: /bin/bash state: present register: ardana_notify_keystone_change tags: - keystone - name: KEY-API | install | Update keystone user home dir permission become: yes file: path: "{{ keystone_home_dir }}" mode: 0750 state: directory tags: - keystone - name: KEY-API | install | Create /etc/keystone directory become: yes file: path: "{{ item.name }}" owner: "{{ keystone_user }}" group: "{{ keystone_group }}" mode: "{{ item.mode }}" state: directory recurse: yes with_items: - { name: "{{ keystone_conf_dir }}", mode: "u+rwx,g+rx,o+rx" } - { name: "{{ keystone_conf_dir }}/ssl/certs", mode: "u+rwx,g-rwx,o-rwx" } - { name: "{{ keystone_conf_dir }}/domains", mode: "u+rwx,g-rwx,o-rwx" } - { name: "{{ keystone_fernet_dir }}", mode: "u+rwx,g-rwx,o-rwx" } tags: - keystone - name: KEY-API | install | Create logging directory become: yes file: path: "{{ keystone_log_dir }}" owner: "{{ keystone_user }}" group: "{{ keystone_group }}" mode: 0775 state: directory tags: - keystone - name: KEY-API | install | Create /var/www/keystone directory become: yes file: path: /var/www/keystone owner: "{{ keystone_user }}" group: "{{ keystone_group }}" mode: 0755 state: directory tags: - keystone # These two tasks are repeated so that it doesn't restart # when u run keystone-deploy twice - name: KEY-API | install | Set facts for virtual install set_fact: override_virtual_install: "{{ True if is_baremetal_install == 'False' and (ansible_memtotal_mb < 47000) and (keystone_wsgi_admin_process_count == keystone_default_process_count) else False }}" - name: KEY-API | install | Override process counts for virtual install set_fact: keystone_wsgi_admin_process_count: 2 keystone_wsgi_public_process_count: 2 keystone_wsgi_socket_timeout: 120 when: override_virtual_install - include: _venv_install.yml 07070100000057000081A40000000000000000000000015DC3211F000002EC000000000000000000000000000000000000004800000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/tasks/main.yml# # (c) Copyright 2017 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - name: KEY-API | main | Set os-specific variables include_vars: "{{ ansible_os_family | lower }}.yml" 07070100000058000081A40000000000000000000000015DC3211F00000321000000000000000000000000000000000000004F00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/tasks/reconfigure.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - include: _apply_configuration_changes.yml - include: _create_rc_files.yml - include: _setup_revocation_cron.yml - include: configure_features.yml 07070100000059000081A40000000000000000000000015DC3211F0000065E000000000000000000000000000000000000004B00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/tasks/restart.yml# # (c) Copyright 2016-2017 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- # reset the keystone log file ownership and permission on restart - include: _update_log_file_permissions.yml - name: KEY-API | restart | Touch the startup so that keystone is restarted become: yes file: path: "{{ keystone_bin_dir }}/keystone-wsgi-public" owner: root group: root state: touch mode: 0664 tags: - keystone - name: KEY-API | restart | Touch the startup so that keystone is restarted become: yes file: path: "{{ keystone_bin_dir }}/keystone-wsgi-admin" owner: root group: root state: touch mode: 0664 tags: - keystone - name: KEY-API | restart | Make sure keystone is up and responding uri: url: "{{ keystone_internal_endpoint }}" status_code: 300 timeout: 20 register: keystone_version_status_result until: keystone_version_status_result.status is defined and keystone_version_status_result.status == 300 delay: 10 retries: 3 run_once: true tags: - keystone 0707010000005A000081A40000000000000000000000015DC3211F000013B4000000000000000000000000000000000000004900000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/tasks/start.yml# # (c) Copyright 2015-2017 Hewlett Packard Enterprise Development LP # (c) Copyright 2017-2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- # reset keystone log file ownership and permission on every restart - include: _update_log_file_permissions.yml # Set the fact for restart based on ardana_notify - name: KEY-API | start | Set fact to start based on ardana_notify_fact set_fact: keystone_restart_required: True when: ardana_notify_keystone_change is defined and ardana_notify_keystone_change.changed - name: KEY-API | start | Enable keystone-modwsgi vhost become: yes file: src: "{{ apache2_vhost_dir }}/keystone-modwsgi.vhost" dest: "{{ apache2_vhost_dir }}/keystone-modwsgi.conf" state: link tags: keystone register: ardana_notify_keystone_apache_restart - name: KEY-API | start | Set fact to restart Apache set_fact: keystone_restart_required: True when: >- ardana_notify_keystone_apache_restart is defined and ardana_notify_keystone_apache_restart.changed - include: "{{ playbook_dir }}/roles/FND-AP2/tasks/start_reload.yml" vars: apache_reload_requested: False apache_restart_requested: "{{ keystone_restart_required }}" - name: KEY-API | start | Restart shibd become: yes service: name: shibd state: restarted tags: - keystone - name: KEY-API | start | Wait for keystone to become active become: yes wait_for: host: "{{ keystone_internal_listen_ip }}" port: "{{ item }}" state: "started" timeout: 60 with_items: - "{{ keystone_admin_port }}" - "{{ keystone_internal_port }}" tags: - keystone - name: KEY-API | start | Make sure keystone is up and responding uri: url: "{{ keystone_internal_endpoint }}" status_code: 300 timeout: 20 register: keystone_version_status_result until: keystone_version_status_result.status is defined and keystone_version_status_result.status == 300 delay: 10 retries: 3 run_once: true ignore_errors: true tags: - keystone # Debug Keystone start/resonding issues by the followings: # This is usually the first point at which we'll hit SSL cert # issues. If you still observe cert connection info above, then # failure at this point may not be related to cert issues. # you don't see cert connection info above, then failure may # be related to cert issue. # If the output is blank it implies the internal VIP can't be reached. - name: KEY-API | start | Debug keystone cert if appropriate run_once: true command: > timeout 10 openssl s_client -CAfile {{ trusted_ca_bundle }} -connect {{ keystone_internal_vip_host }}:{{ keystone_internal_vip_port }} register: keystone_cert_result ignore_errors: true when: not (keystone_version_status_result.status is defined and keystone_version_status_result.status == 300) tags: - keystone - name: KEY-API | start | Report cert debug hint - internal VIP run_once: true fail: msg="Error-Internal VIP {{ keystone_internal_vip_host }}:{{ keystone_internal_vip_port }} can't be reached." ignore_errors: true when: not (keystone_version_status_result.status is defined and keystone_version_status_result.status == 300) and (keystone_cert_result.stdout_lines | length == 0) tags: - keystone - name: KEY-API | start | Report cert debug - cert connection result run_once: true ignore_errors: true debug: var: keystone_cert_result.stdout_lines when: not (keystone_version_status_result.status is defined and keystone_version_status_result.status == 300) and (keystone_cert_result.stdout_lines | length > 0) tags: - keystone - name: KEY-API | start | Report cert debug - hint run_once: true ignore_errors: true debug: msg="Certificate debug Hint - If you still observe cert connection info above, then failure at this point may not be related to cert issues. If you don't see cert connection info above, then failure may be related to cert issue." when: not (keystone_version_status_result.status is defined and keystone_version_status_result.status == 300) and (keystone_cert_result.stdout_lines | length > 0) tags: - keystone - name: KEY-API | start | Report keystone error status result fail: msg="{{ keystone_version_status_result }}" when: not (keystone_version_status_result.status is defined and keystone_version_status_result.status == 300) tags: - keystone 0707010000005B000081A40000000000000000000000015DC3211F00000468000000000000000000000000000000000000004A00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/tasks/status.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - name: KEY-API | status | include required variables include_vars: roles/keystone-common/defaults/keystone_admin.yml - name: KEY-API | status | Register keystone status uri: url: "http://{{ keystone_admin_listen_ip | ipwrap }}:{{ keystone_admin_port }}" status_code: 300 timeout: 300 register: keystone_status_result until: keystone_status_result is defined and keystone_status_result.status == 300 delay: 20 retries: 6 tags: - keystone 0707010000005C000081A40000000000000000000000015DC3211F00000434000000000000000000000000000000000000004800000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/tasks/stop.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017-2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - name: KEY-API | stop | Disable keystone vhost become: yes file: state: absent path: "{{ apache2_vhost_dir }}/keystone-modwsgi.conf" - name: KEY-API | stop | Reload Apache2 so that keystone is stopped become: yes service: name=apache2 state=reloaded tags: - keystone - name: KEY-API | stop | Stop shibd service for Keystone become: yes service: name=shibd state=stopped tags: - keystone 0707010000005D000041ED0000000000000000000000025DC3211F00000000000000000000000000000000000000000000004300000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/templates0707010000005E000081A40000000000000000000000015DC3211F0000069D000000000000000000000000000000000000005800000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/templates/attribute-map.xml.j2{# # # (c) Copyright 2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # #} <Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <!-- The mappings are a mix of SAML 1.1 and SAML 2.0 attribute names agreed to within the Shibboleth community. The non-OID URNs are SAML 1.1 names and most of the OIDs are SAML 2.0 names, with a few exceptions for newer attributes where the name is the same for both versions. You will usually want to uncomment or map the names for both SAML versions as a unit. --> <!-- Default attributes --> <Attribute name="openstack_user" id="openstack_user"/> <Attribute name="openstack_user_domain" id="openstack_user_domain"/> <Attribute name="openstack_roles" id="openstack_roles"/> <Attribute name="openstack_project" id="openstack_project"/> <Attribute name="openstack_project_domain" id="openstack_project_domain"/> <!-- Please don't make any chances to this comment and the one below, this is a SHIBD TEMPLATE used by the playbook. --> <!-- Custom attributes --> </Attributes> 0707010000005F000081A40000000000000000000000015DC3211F00000729000000000000000000000000000000000000006000000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/templates/keystone-fernet-rotate.sh.j2#!/usr/bin/env bash # # NOTE: this script was borrowed from upstream # # https://github.com/openstack/openstack-ansible-os_keystone/blob/master/ # templates/keystone-fernet-rotate.sh.j2 # # Copyright 2015, Rackspace US, Inc. # (c) Copyright 2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. function autorotate { # Rotate the keys {{ keystone_bin_dir }}/keystone-manage fernet_rotate \ --keystone-user "{{ keystone_user }}" \ --keystone-group "{{ keystone_group }}" {% for host in keystone_hosts %} {% if inventory_hostname != host %} # Fernet sync job to "{{ host }}" rsync -avz \ --delete \ {{ keystone_fernet_dir }}/ \ {{ keystone_user }}@{{ hostvars[host].host.bind.KEY_API.internal.ip_address }}:{{ keystone_fernet_dir }}/ {%- endif %} {%- endfor %} } if [ "$(id -u)" == "0" ];then # Change the script context to always execute as the "{{ keystone_user }}" user. su - "{{ keystone_user }}" -s "/bin/bash" -c bash << EOC {{ keystone_fernet_auto_rotation_script }} EOC elif [ "$(whoami)" == "{{ keystone_user }}" ];then logger $(autorotate) else echo "Failed - you do not have permission to rotate, or you've executed the job as the wrong user." exit 99 fi 07070100000060000081A40000000000000000000000015DC3211F00001D37000000000000000000000000000000000000005C00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/templates/keystone-modwsgi.conf.j2{# # # (c) Copyright 2015-2017 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # #} Listen {{ keystone_admin_listen_ip }}:{{ keystone_admin_port }} listen {{ keystone_public_listen_ip }}:{{ keystone_public_port }} <VirtualHost *:35357> WSGIDaemonProcess keystone-admin processes={{ keystone_wsgi_admin_process_count }} threads=1 socket-timeout={{ keystone_wsgi_socket_timeout }} user={{ keystone_user }} group={{ keystone_group }} python-path={{ keystone_venv_dir }}:{{ keystone_venv_dir }}/lib/python2.7/site-packages/ display-name={{ keystone_group }}-admin WSGIProcessGroup keystone-admin WSGIScriptAlias / /var/www/keystone/admin WSGIApplicationGroup %{GLOBAL} WSGIPassAuthorization on KeepAlive off <IfVersion >= 2.4> ErrorLogFormat "%{cu}t %M" </IfVersion> LogFormat "%h:%p %u %t \"%r\" %>s \"%{Referer}i\" \"%{User-Agent}i\" \"%{x-openstack-request-id}i\" %X took %D micro sec" log_format LogFormat "%{X-Forwarded-For}i:%p %u %t \"%r\" %>s \"%{Referer}i\" \"%{User-Agent}i\" \"%{x-openstack-request-id}i\" %X took %D micro sec" log_format_proxy SetEnvIf Request_URI "^" any_request=1 SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded=1 # Identify load balance health check requests SetEnvIf Request_URI "^/healthcheck$" lb-ping=1 # Assuming all the monitoring pings from HAProxy are configured with the X-HAProxy-Ping header set to "true" SetEnvIfNoCase X-HAProxy-Ping "true" proxy-ping=1 # turn off any_request if this forwarded or proxy-ping or lb-ping SetEnvIf proxy-ping 1 !any_request SetEnvIf forwarded 1 !any_request SetEnvIf lb-ping 1 !any_request # turn off forwarded if proxy-ping or lb-ping SetEnvIf proxy-ping 1 !forwarded SetEnvIf lb-ping 1 !forwarded # separated log files ErrorLog {{ keystone_log_dir }}/keystone_modwsgi.log CustomLog {{ keystone_log_dir }}/keystone_access.log log_format env=any_request CustomLog {{ keystone_log_dir }}/keystone_access.log log_format_proxy env=forwarded CustomLog {{ keystone_log_dir }}/keystone_monitoring.log log_format_proxy env=proxy-ping CustomLog {{ keystone_log_dir }}/keystone_monitoring.log log_format env=lb-ping # pass TLS attributes from haproxy SetEnvIf X-SSL-Issuer "^(.*)$" SSL_CLIENT_I_DN=$0 SetEnvIf X-SSL-Issuer-CN "^(.*)$" SSL_CLIENT_I_DN_CN=$0 SetEnvIf X-SSL-Client-CN "^(.*)$" SSL_CLIENT_S_DN_CN=$0 SetEnvIf X-SSL-Client-O "^(.*)$" SSL_CLIENT_S_DN_O=$0 </VirtualHost> <VirtualHost *:5000> ServerName {{ keystone_public_endpoint }} WSGIDaemonProcess keystone-main processes={{ keystone_wsgi_public_process_count }} threads=1 socket-timeout={{ keystone_wsgi_socket_timeout }} user={{ keystone_user }} group={{ keystone_group }} python-path={{ keystone_venv_dir }}:{{ keystone_venv_dir }}/lib/python2.7/site-packages/ display-name={{ keystone_group }}-main WSGIProcessGroup keystone-main WSGIScriptAlias / /var/www/keystone/main WSGIApplicationGroup %{GLOBAL} WSGIPassAuthorization on KeepAlive off <IfVersion >= 2.4> ErrorLogFormat "%{cu}t %M" </IfVersion> LogFormat "%h:%p %u %t \"%r\" %>s \"%{Referer}i\" \"%{User-Agent}i\" \"%{x-openstack-request-id}i\" %X took %D micro sec" log_format LogFormat "%{X-Forwarded-For}i:%p %u %t \"%r\" %>s \"%{Referer}i\" \"%{User-Agent}i\" \"%{x-openstack-request-id}i\" %X took %D micro sec" log_format_proxy WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/keystone/main/$1 <Location /Shibboleth.sso> SetHandler shib </Location> # NOTE(gyee): we have to enable ShibCompatValidUser so it doesn't # interfere with the other auth modules's valid-user settings. # See https://bugs.launchpad.net/ubuntu/+source/shibboleth-sp2/+bug/1358284 ShibCompatValidUser On <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth> ShibRequestSetting requireSession 1 AuthType shibboleth ShibRequireSession On ShibExportAssertion Off Require valid-user </LocationMatch> <Location /v3/auth/OS-FEDERATION/websso/saml2> ShibRequestSetting requireSession 1 AuthType shibboleth ShibRequireSession On ShibExportAssertion Off Require valid-user </Location> {% if keystone_openid_connect_conf is defined %} # see https://github.com/zmartzone/mod_auth_openidc/blob/master/auth_openidc.conf OIDCClaimPrefix "OIDC-" OIDCResponseType "{{ keystone_openid_connect_conf.response_type }}" OIDCScope "{{ keystone_openid_connect_conf.scope }}" OIDCProviderMetadataURL "{{ keystone_openid_connect_conf.metadata_url }}" OIDCClientID "{{ keystone_openid_connect_conf.client_id }}" OIDCClientSecret "{{ keystone_openid_connect_conf.client_secret }}" OIDCCryptoPassphrase "{{ oidc_crypto_passphrase }}" OIDCRedirectURI "{{ keystone_openid_connect_conf.redirect_uri }}" <Location /v3/OS-FEDERATION/identity_providers/{{ keystone_openid_connect_conf.identity_provider }}/protocols/openid/auth> Require valid-user AuthType openid-connect </Location> <Location /v3/auth/OS-FEDERATION/websso/openid> Require valid-user AuthType openid-connect </Location> <Location /v3/auth/OS-FEDERATION/identity_providers/{{ keystone_openid_connect_conf.identity_provider }}/protocols/openid/websso> Require valid-user AuthType openid-connect </Location> {% endif %} SetEnvIf Request_URI "^" any_request=1 SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded=1 # Identify load balance health check requests SetEnvIf Request_URI "^/healthcheck$" lb-ping=1 # Assuming all the monitoring pings from HAProxy are configured with the X-HAProxy-Ping header set to "true" SetEnvIfNoCase X-HAProxy-Ping "true" proxy-ping=1 # turn off any_request if this forwarded or proxy-ping or lb-ping SetEnvIf proxy-ping 1 !any_request SetEnvIf forwarded 1 !any_request SetEnvIf lb-ping 1 !any_request # turn off forwarded if proxy-ping or lb-ping SetEnvIf proxy-ping 1 !forwarded SetEnvIf lb-ping 1 !forwarded # separated log files ErrorLog {{ keystone_log_dir }}/keystone_modwsgi.log CustomLog {{ keystone_log_dir }}/keystone_access.log log_format env=any_request CustomLog {{ keystone_log_dir }}/keystone_access.log log_format_proxy env=forwarded CustomLog {{ keystone_log_dir }}/keystone_monitoring.log log_format_proxy env=proxy-ping CustomLog {{ keystone_log_dir }}/keystone_monitoring.log log_format env=lb-ping # pass TLS attributes from haproxy SetEnvIf X-SSL-Issuer "^(.*)$" SSL_CLIENT_I_DN=$0 SetEnvIf X-SSL-Issuer-CN "^(.*)$" SSL_CLIENT_I_DN_CN=$0 SetEnvIf X-SSL-Client-CN "^(.*)$" SSL_CLIENT_S_DN_CN=$0 SetEnvIf X-SSL-Client-O "^(.*)$" SSL_CLIENT_S_DN_O=$0 </VirtualHost> 07070100000061000081A40000000000000000000000015DC3211F00000B7E000000000000000000000000000000000000005400000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/templates/keystone.conf.j2{# # # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017-2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # #} # This configuration file includes the default values for Ardana OpenStack # Changes may be made to this file by the customer. # Layout / order of settings in this file can be found: # http://docs.openstack.org/kilo/config-reference/content/keystone-configuration-file.html # # Please don't change any values under curly braces [DEFAULT] log_config_append = {{ keystone_conf_dir }}/logging.conf notification_format = cadf notification_opt_out = debug = {{ keystone_enable_debug | default(false) }} insecure_debug = {{ keystone_enable_insecure_debug | default(false) }} [oslo_messaging_notifications] driver = noop [oslo_messaging_rabbit] rabbit_hosts = {{ keystone_rabbit_hosts_port_pair }} rabbit_userid = "{{ keystone_rabbit_user }}" rabbit_password = "{{ keystone_rabbit_password }}" rabbit_use_ssl = {{ keystone_rabbit_use_ssl }} [cache] backend = oslo_cache.memcache_pool enabled = True memcache_servers = {{ memcached_servers }} memcache_socket_timeout = 1 [database] connection = {{ keystone_database_connection_string }} # One connection per process which is active in the pool min_pool_size = 1 [identity] driver = sql domain_config_dir = {{ keystone_conf_dir }}/domains domain_specific_drivers_enabled = True [resource] admin_project_domain_name = {{ keystone_default_domain }} admin_project_name = {{ keystone_cloudadmin_project }} [token] expiration = 14400 provider = {{ keystone_token_provider }} [fernet_tokens] key_repository ={{ keystone_fernet_dir }} [auth] methods = external,password,token,saml2,x509,openid [saml2] remote_id_attribute = Shib-Identity-Provider {% if HZN_WEB is defined %} [federation] trusted_dashboard = {{ HZN_WEB.advertises.vips.public[0].url }}/auth/websso/ trusted_dashboard = {{ HZN_WEB.advertises.vips.public[0].url | regex_replace('^(?P<protocol>.+)://(?P<host>.+):(?P<port>\\d+)$', '\\g<protocol>://\\g<host>') }}/auth/websso/ remote_id_attribute = SSL_CLIENT_I_DN_CN {% endif %} [saml] certfile={{ keystone_conf_dir }}/idpcert.pem keyfile={{ keystone_conf_dir }}/idpkey.pem idp_entity_id={{ keystone_public_endpoint }}/v3/OS-FEDERATION/saml2/idp idp_sso_endpoint={{ keystone_public_endpoint }}/v3/OS-FEDERATION/saml2/sso idp_metadata_path={{ keystone_conf_dir }}/idp_metadata.xml [openid] remote_id_attribute = HTTP_OIDC_ISS 07070100000062000081A40000000000000000000000015DC3211F000004C4000000000000000000000000000000000000005100000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/templates/keystone.osrc{# # # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017-2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # #} # Refer http://docs.openstack.org/developer/python-openstackclient/command-list.html # Environment variables for keystone v3 API using openstack client # Keystone requires domain scoped token unset OS_PROJECT_NAME unset OS_PROJECT_DOMAIN_NAME export OS_IDENTITY_API_VERSION=3 export OS_USERNAME={{ keystone_admin_user }} export OS_USER_DOMAIN_NAME=Default export OS_PASSWORD={{ keystone_admin_user_pwd }} export OS_DOMAIN_NAME=Default export OS_AUTH_URL={{ keystone_internal_endpoint }}/v3 export OS_INTERFACE=internal export OS_CACERT={{ trusted_ca_bundle }} 07070100000063000081A40000000000000000000000015DC3211F00000AC7000000000000000000000000000000000000005300000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/templates/logging.conf.j2{# # # (c) Copyright 2015-2017 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # #} [loggers] keys: root, iso8601, dogpile{%- if keystone_api_audit_enable|bool %}, audit{% endif %} [handlers] keys: watchedfile, logstash{%- if keystone_api_audit_enable|bool %}, auditfile{% endif %} [formatters] keys: debug,minimal, normal, logstash ########### # Loggers # ########### [logger_root] qualname: root handlers: watchedfile, logstash level: NOTSET [logger_iso8601] qualname: iso8601 handlers: watchedfile, logstash level: INFO [logger_dogpile] qualname: dogpile handlers: watchedfile, logstash level: INFO {%- if keystone_api_audit_enable|bool %} [logger_audit] qualname: oslo.messaging.notification handlers: auditfile propagate: 0 level: INFO {% endif %} ################ # Log Handlers # ################ # Writes to disk [handler_watchedfile] class: handlers.WatchedFileHandler args: ('{{ keystone_log_dir }}/keystone.log',) formatter = debug level: {{ keystone_loglevel }} # Writes JSON to disk, beaver will ship to logstash [handler_logstash] class: handlers.WatchedFileHandler args: ('{{ keystone_log_dir }}/keystone-json.log',) formatter= logstash level: {{ keystone_logstash_loglevel }} {%- if keystone_api_audit_enable|bool %} # Writes to disk [handler_auditfile] class: handlers.WatchedFileHandler args: ('{{ keystone_audit_log_base_location }}/keystone/keystone-audit.log', 'a', None, True) formatter = minimal level: INFO {% endif %} ################## # Log Formatters # ################## [formatter_minimal] format=%(message)s [formatter_normal] format=(%(name)s): %(asctime)s %(levelname)s %(message)s [formatter_debug] format=%(process)d (%(name)s): %(asctime)s %(levelname)s %(module)s %(funcName)s %(message)s # datefmt must be set otherwise you end up with too many (msecs) fields [formatter_context] class: oslo_log.formatters.ContextFormatter args: (datefmt=datefmt) format: %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user)s %(tenant)s] %(instance)s%(message)s datefmt: %Y-%m-%d %H:%M:%S # the "format" attr actually sets the "type" [formatter_logstash] class = logstash.LogstashFormatterVersion1 format = keystone 07070100000064000081A40000000000000000000000015DC3211F00003F0A000000000000000000000000000000000000005D00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/templates/policy.v3cloudsample.json{# # # (c) Copyright 2015-2017 Hewlett Packard Enterprise Development LP # (c) Copyright 2017-2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # #} { "admin_required": "role:admin", "cloud_admin": "rule:admin_required and (is_admin_project:True or domain_id:{{keystone_admin_domain_id}})", "service_role": "role:service", "service_or_admin": "rule:admin_required or rule:service_role", "owner" : "user_id:%(user_id)s or user_id:%(target.token.user_id)s", "domain_admin": "rule:admin_required and domain_id:%(target.token.user.domain.id)s", "admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner", "admin_or_cloud_admin": "rule:admin_required or rule:cloud_admin", "admin_and_matching_domain_id": "(rule:admin_required and domain_id:%(domain_id)s) or rule:domain_admin", "service_admin_or_owner": "rule:service_or_admin or rule:owner", "default": "rule:admin_required", "domain_observer": "role:{{ keystone_domain_observer_role }} and project_domain_id:{{keystone_admin_domain_id}}", "identity:get_region": "", "identity:list_regions": "", "identity:create_region": "rule:admin_or_cloud_admin", "identity:update_region": "rule:admin_or_cloud_admin", "identity:delete_region": "rule:admin_or_cloud_admin", "identity:get_service": "rule:admin_or_cloud_admin", "identity:list_services": "rule:admin_or_cloud_admin", "identity:create_service": "rule:cloud_admin", "identity:update_service": "rule:cloud_admin", "identity:delete_service": "rule:cloud_admin", "identity:get_endpoint": "rule:admin_or_cloud_admin", "identity:list_endpoints": "rule:admin_or_cloud_admin", "identity:create_endpoint": "rule:cloud_admin", "identity:update_endpoint": "rule:cloud_admin", "identity:delete_endpoint": "rule:cloud_admin", "identity:get_domain": "rule:cloud_admin or rule:admin_and_matching_domain_id or project_domain_id:%(target.domain.id)s", "identity:list_domains": "rule:domain_observer or rule:cloud_admin or rule:admin_required and domain_name:%(name)s", "identity:create_domain": "rule:cloud_admin", "identity:update_domain": "rule:cloud_admin", "identity:delete_domain": "rule:cloud_admin", "project_admin": "rule:admin_required and project_id:%(target.project.id)s", "admin_and_matching_target_project_domain_id": "rule:admin_required and domain_id:%(target.project.domain_id)s", "admin_and_matching_project_domain_id": "rule:admin_required and domain_id:%(project.domain_id)s", "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s", "identity:list_projects": "role:{{keystone_project_observer_role}} or rule:cloud_admin or rule:admin_and_matching_domain_id", "identity:list_user_projects": "rule:cloud_admin or rule:owner or rule:admin_and_matching_domain_id", "identity:create_project": "rule:cloud_admin or rule:admin_and_matching_project_domain_id", "identity:update_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or rule:project_admin", "identity:delete_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id", "admin_and_matching_target_user_domain_id": "rule:admin_required and domain_id:%(target.user.domain_id)s", "admin_and_matching_user_domain_id": "rule:admin_required and domain_id:%(user.domain_id)s", "identity:get_user": "role:{{keystone_user_observer_role}} or rule:cloud_admin or rule:owner or rule:admin_and_matching_target_user_domain_id", "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id", "identity:create_user": "rule:cloud_admin or rule:admin_and_matching_user_domain_id", "identity:update_user": "rule:cloud_admin or rule:owner or rule:admin_and_matching_target_user_domain_id", "identity:delete_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id", "admin_and_matching_target_group_domain_id": "rule:admin_required and domain_id:%(target.group.domain_id)s", "admin_and_matching_group_domain_id": "rule:admin_required and domain_id:%(group.domain_id)s", "identity:get_group": "role:{{keystone_user_observer_role}} or rule:cloud_admin or rule:admin_and_matching_target_group_domain_id", "identity:list_groups": "rule:cloud_admin or rule:admin_and_matching_domain_id", "identity:list_groups_for_user": "rule:cloud_admin or rule:owner or (rule:admin_required and domain_id:%(domain_id)s)", "identity:create_group": "rule:cloud_admin or rule:admin_and_matching_group_domain_id", "identity:update_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id", "identity:delete_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id", "identity:list_users_in_group": "rule:cloud_admin or (rule:admin_required and domain_id:%(domain_id)s)", "identity:remove_user_from_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id", "identity:check_user_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id", "identity:add_user_to_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id", "identity:get_credential": "rule:admin_required or user_id:%(target.credential.user_id)s", "identity:list_credentials": "rule:admin_required or user_id:%(user_id)s", "identity:create_credential": "rule:admin_required or user_id:%(credential.user_id)s", "identity:update_credential": "rule:admin_required or user_id:%(target.credential.user_id)s", "identity:delete_credential": "rule:admin_required or user_id:%(target.credential.user_id)s", "identity:ec2_get_credential": "rule:admin_or_cloud_admin or rule:owner", "identity:ec2_list_credentials": "rule:admin_or_cloud_admin or rule:owner", "identity:ec2_create_credential": "rule:admin_or_cloud_admin or rule:owner", "identity:ec2_delete_credential": "(rule:admin_or_cloud_admin or rule:owner) or (rule:owner and user_id:%(target.credential.user_id)s)", "identity:get_role": "rule:admin_or_cloud_admin", "identity:list_roles": "rule:admin_or_cloud_admin", "identity:create_role": "rule:cloud_admin", "identity:update_role": "rule:cloud_admin", "identity:delete_role": "rule:cloud_admin", "identity:get_domain_role": "rule:cloud_admin or rule:get_domain_roles", "identity:list_domain_roles": "rule:cloud_admin or rule:list_domain_roles", "identity:create_domain_role": "rule:cloud_admin or rule:domain_admin_matches_domain_role", "identity:update_domain_role": "rule:cloud_admin or rule:domain_admin_matches_target_domain_role", "identity:delete_domain_role": "rule:cloud_admin or rule:domain_admin_matches_target_domain_role", "domain_admin_matches_domain_role": "rule:admin_required and domain_id:%(role.domain_id)s", "get_domain_roles": "rule:domain_admin_matches_target_domain_role or rule:project_admin_matches_target_domain_role", "domain_admin_matches_target_domain_role": "rule:admin_required and domain_id:%(target.role.domain_id)s", "project_admin_matches_target_domain_role": "rule:admin_required and project_domain_id:%(target.role.domain_id)s", "list_domain_roles": "rule:domain_admin_matches_filter_on_list_domain_roles or rule:project_admin_matches_filter_on_list_domain_roles", "domain_admin_matches_filter_on_list_domain_roles": "rule:admin_required and domain_id:%(domain_id)s", "project_admin_matches_filter_on_list_domain_roles": "rule:admin_required and project_domain_id:%(domain_id)s", "admin_and_matching_prior_role_domain_id": "rule:admin_required and domain_id:%(target.prior_role.domain_id)s", "implied_role_matches_prior_role_domain_or_global": "(domain_id:%(target.implied_role.domain_id)s or None:%(target.implied_role.domain_id)s)", "identity:get_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id", "identity:list_implied_roles": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id", "identity:create_implied_role": "rule:cloud_admin or (rule:admin_and_matching_prior_role_domain_id and rule:implied_role_matches_prior_role_domain_or_global)", "identity:delete_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id", "identity:list_role_inference_rules": "rule:cloud_admin", "identity:check_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id", "identity:check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants", "identity:list_grants": "rule:cloud_admin or rule:domain_admin_for_list_grants or rule:project_admin_for_list_grants", "identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants", "identity:revoke_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants", "domain_admin_for_grants": "rule:domain_admin_for_global_role_grants or rule:domain_admin_for_domain_role_grants", "domain_admin_for_global_role_grants": "rule:admin_required and None:%(target.role.domain_id)s and rule:domain_admin_grant_match", "domain_admin_for_domain_role_grants": "rule:admin_required and domain_id:%(target.role.domain_id)s and rule:domain_admin_grant_match", "domain_admin_grant_match": "domain_id:%(domain_id)s or domain_id:%(target.project.domain_id)s", "project_admin_for_grants": "rule:project_admin_for_global_role_grants or rule:project_admin_for_domain_role_grants", "project_admin_for_global_role_grants": "rule:admin_required and None:%(target.role.domain_id)s and project_id:%(project_id)s", "project_admin_for_domain_role_grants": "rule:admin_required and project_domain_id:%(target.role.domain_id)s and project_id:%(project_id)s", "domain_admin_for_list_grants": "rule:admin_required and rule:domain_admin_grant_match", "project_admin_for_list_grants": "rule:admin_required and project_id:%(project_id)s", "admin_on_domain_filter" : "rule:admin_required and domain_id:%(scope.domain.id)s", "admin_on_project_filter" : "rule:admin_required and project_id:%(scope.project.id)s", "admin_on_domain_of_project_filter" : "rule:admin_required and domain_id:%(target.project.domain_id)s", "identity:list_role_assignments": "rule:cloud_admin or rule:admin_on_domain_filter or rule:admin_on_project_filter", "identity:list_role_assignments_for_tree": "rule:cloud_admin or rule:admin_on_domain_of_project_filter", "identity:get_policy": "rule:cloud_admin", "identity:list_policies": "rule:cloud_admin", "identity:create_policy": "rule:cloud_admin", "identity:update_policy": "rule:cloud_admin", "identity:delete_policy": "rule:cloud_admin", "identity:check_token": "rule:cloud_admin or rule:admin_or_owner or rule:service_or_admin", "identity:validate_token": "rule:service_admin_or_owner", "identity:validate_token_head": "rule:service_or_admin", "identity:revocation_list": "rule:service_or_admin", "identity:revoke_token": "rule:cloud_admin or rule:admin_or_owner", "identity:create_trust": "user_id:%(trust.trustor_user_id)s", "identity:get_trust": "", "identity:list_trusts": "", "identity:list_roles_for_trust": "", "identity:check_role_for_trust": "", "identity:get_role_for_trust": "", "identity:delete_trust": "", "identity:create_consumer": "rule:admin_required", "identity:get_consumer": "rule:admin_required", "identity:list_consumers": "rule:admin_required", "identity:delete_consumer": "rule:admin_required", "identity:update_consumer": "rule:admin_required", "identity:authorize_request_token": "rule:admin_required", "identity:list_access_token_roles": "rule:admin_required", "identity:get_access_token_role": "rule:admin_required", "identity:list_access_tokens": "rule:admin_required", "identity:get_access_token": "rule:admin_required", "identity:delete_access_token": "rule:admin_required", "identity:list_projects_for_endpoint": "rule:admin_required", "identity:add_endpoint_to_project": "rule:admin_required", "identity:check_endpoint_in_project": "rule:admin_required", "identity:list_endpoints_for_project": "rule:admin_required", "identity:remove_endpoint_from_project": "rule:admin_required", "identity:create_endpoint_group": "rule:admin_required", "identity:list_endpoint_groups": "rule:admin_required", "identity:get_endpoint_group": "rule:admin_required", "identity:update_endpoint_group": "rule:admin_required", "identity:delete_endpoint_group": "rule:admin_required", "identity:list_projects_associated_with_endpoint_group": "rule:admin_required", "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required", "identity:get_endpoint_group_in_project": "rule:admin_required", "identity:list_endpoint_groups_for_project": "rule:admin_required", "identity:add_endpoint_group_to_project": "rule:admin_required", "identity:remove_endpoint_group_from_project": "rule:admin_required", "identity:create_identity_provider": "rule:cloud_admin", "identity:list_identity_providers": "rule:cloud_admin", "identity:get_identity_providers": "rule:cloud_admin", "identity:update_identity_provider": "rule:cloud_admin", "identity:delete_identity_provider": "rule:cloud_admin", "identity:create_protocol": "rule:cloud_admin", "identity:update_protocol": "rule:cloud_admin", "identity:get_protocol": "rule:cloud_admin", "identity:list_protocols": "rule:cloud_admin", "identity:delete_protocol": "rule:cloud_admin", "identity:create_mapping": "rule:cloud_admin", "identity:get_mapping": "rule:cloud_admin", "identity:list_mappings": "rule:cloud_admin", "identity:delete_mapping": "rule:cloud_admin", "identity:update_mapping": "rule:cloud_admin", "identity:create_service_provider": "rule:cloud_admin", "identity:list_service_providers": "", "identity:get_service_provider": "", "identity:update_service_provider": "rule:cloud_admin", "identity:delete_service_provider": "rule:cloud_admin", "identity:get_auth_catalog": "", "identity:get_auth_projects": "", "identity:get_auth_domains": "", "identity:list_projects_for_user": "", "identity:list_domains_for_user": "", "identity:list_revoke_events": "", "identity:create_policy_association_for_endpoint": "rule:cloud_admin", "identity:check_policy_association_for_endpoint": "rule:cloud_admin", "identity:delete_policy_association_for_endpoint": "rule:cloud_admin", "identity:create_policy_association_for_service": "rule:cloud_admin", "identity:check_policy_association_for_service": "rule:cloud_admin", "identity:delete_policy_association_for_service": "rule:cloud_admin", "identity:create_policy_association_for_region_and_service": "rule:cloud_admin", "identity:check_policy_association_for_region_and_service": "rule:cloud_admin", "identity:delete_policy_association_for_region_and_service": "rule:cloud_admin", "identity:get_policy_for_endpoint": "rule:cloud_admin", "identity:list_endpoints_for_policy": "rule:cloud_admin", "identity:create_domain_config": "rule:cloud_admin", "identity:get_domain_config": "rule:cloud_admin", "identity:update_domain_config": "rule:cloud_admin", "identity:delete_domain_config": "rule:cloud_admin", "identity:get_domain_config_default": "rule:cloud_admin" } 07070100000065000081A40000000000000000000000015DC3211F0000013E000000000000000000000000000000000000005900000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/templates/revocation_cleanup.j2#! /bin/bash echo "Running revocation cleanup job" source {{ ardanauser_home }}/keystone.osrc token=`openstack token issue | grep -iw id | cut -d'|' -f3` token="$(echo -e "${token}" | tr -d '[[:space:]]')" echo $token curl -k -H "X-Auth-Token:$token" -H "X-Subject-Token:$token" -X DELETE $OS_AUTH_URL/auth/tokens 07070100000066000081A40000000000000000000000015DC3211F000004BA000000000000000000000000000000000000005000000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/templates/service.osrc{# # # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017-2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # #} unset OS_DOMAIN_NAME export OS_IDENTITY_API_VERSION=3 export OS_AUTH_VERSION=3 export OS_PROJECT_NAME={{ keystone_admin_project_name }} export OS_PROJECT_DOMAIN_NAME=Default export OS_USERNAME={{ keystone_admin_user }} export OS_USER_DOMAIN_NAME=Default export OS_PASSWORD={{ keystone_admin_user_pwd }} export OS_AUTH_URL={{ keystone_internal_endpoint }}/v3 export OS_ENDPOINT_TYPE=internalURL # OpenstackClient uses OS_INTERFACE instead of OS_ENDPOINT export OS_INTERFACE=internal export OS_CACERT={{ trusted_ca_bundle }} export OS_COMPUTE_API_VERSION=2 07070100000067000081A40000000000000000000000015DC3211F000018EF000000000000000000000000000000000000005600000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/templates/shibboleth2.xml.j2{# # # (c) Copyright 2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # #} <SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" clockSkew="180"> <!-- By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache are used. See example-shibboleth2.xml for samples of explicitly configuring them. --> <!-- To customize behavior for specific resources on Apache, and to link vhosts or resources to ApplicationOverride settings below, use web server options/commands. See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help. For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic. --> <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. --> <ApplicationDefaults entityID="http://sso_entityId"> <!-- Controls session lifetimes, address checks, cookie handling, and the protocol handlers. You MUST supply an effectively unique handlerURL value for each of your applications. The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing a relative value based on the virtual host. Using handlerSSL="true", the default, will force the protocol to be https. You should also set cookieProps to "https" for SSL-only sites. Note that while we default checkAddress to "false", this has a negative impact on the security of your site. Stealing sessions via cookie theft is much easier with this disabled. --> <Sessions lifetime="28800" timeout="3600" relayState="ss:mem" checkAddress="false" handlerSSL="false" cookieProps="http"> <!-- Configures SSO for a default IdP. To allow for >1 IdP, remove entityID property and adjust discoveryURL to point to discovery service. (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.) You can also override entityID on /Login query string, or in RequestMap/htaccess. --> <SSO entityID="http://idp_entityId"> SAML2 SAML1 </SSO> <!-- SAML and local-only logout. --> <Logout>SAML2 Local</Logout> <!-- Extension service that generates "approximate" metadata based on SP configuration. --> <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/> <!-- Status reporting service. --> <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/> <!-- Session diagnostic service. --> <Handler type="Session" Location="/Session" showAttributeValues="false"/> <!-- JSON feed of discovery information. --> <Handler type="DiscoveryFeed" Location="/DiscoFeed"/> </Sessions> <!-- Allows overriding of error template information/filenames. You can also add attributes with values that can be plugged into the templates. --> <Errors supportContact="root@localhost" helpLocation="/about.html" styleSheet="/shibboleth-sp/main.css"/> <!-- Example of remotely supplied batch of signed metadata. --> <!-- <MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml" backingFilePath="federation-metadata.xml" reloadInterval="7200"> <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/> <MetadataFilter type="Signature" certificate="fedsigner.pem"/> </MetadataProvider> --> <!-- Please don't make any chances to the comment, this is a SHIBD TEMPLATE used by the playbook. --> <MetadataProvider type="Chaining"> </MetadataProvider> <!-- Map to extract attributes from SAML assertions. --> <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/> <!-- Use a SAML query if no attributes are supplied during SSO. --> <AttributeResolver type="Query" subjectMatch="true"/> <!-- Default filtering policy for recognized attributes, lets other data pass. --> <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/> <!-- Simple file-based resolver for using a single keypair. --> <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/> <!-- The default settings can be overridden by creating ApplicationOverride elements (see the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic). Resource requests are mapped by web server commands, or the RequestMapper, to an applicationId setting. Example of a second application (for a second vhost) that has a different entityID. Resources on the vhost would map to an applicationId of "admin": --> <!-- <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/> --> </ApplicationDefaults> <!-- Policies that determine how to process and authenticate runtime messages. --> <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/> <!-- Low-level configuration about protocols and bindings available for use. --> <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/> </SPConfig> 07070100000068000081A40000000000000000000000015DC3211F00000941000000000000000000000000000000000000005300000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/templates/shibd.logger.j2# set overall behavior log4j.rootCategory=INFO, shibd_log, warn_log # fairly verbose for DEBUG, so generally leave at INFO log4j.category.XMLTooling.XMLObject=INFO log4j.category.XMLTooling.KeyInfoResolver=INFO log4j.category.Shibboleth.IPRange=INFO log4j.category.Shibboleth.PropertySet=INFO # raise for low-level tracing of SOAP client HTTP/SSL behavior log4j.category.XMLTooling.libcurl=INFO # logs XML being signed or verified if set to DEBUG log4j.category.XMLTooling.Signature.Debugger=INFO, sig_log log4j.additivity.XMLTooling.Signature.Debugger=false # the tran log blocks the "default" appender(s) at runtime # Level should be left at INFO for this category log4j.category.Shibboleth-TRANSACTION=INFO, tran_log log4j.additivity.Shibboleth-TRANSACTION=false # define the appenders log4j.appender.shibd_log=org.apache.log4j.RollingFileAppender log4j.appender.shibd_log.fileName=/var/log/shibboleth/shibd.log log4j.appender.shibd_log.maxFileSize=10000000 log4j.appender.shibd_log.maxBackupIndex=10 log4j.appender.shibd_log.layout=org.apache.log4j.PatternLayout log4j.appender.shibd_log.layout.ConversionPattern={% raw %}%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n{% endraw %} log4j.appender.warn_log=org.apache.log4j.RollingFileAppender log4j.appender.warn_log.fileName=/var/log/shibboleth/shibd_warn.log log4j.appender.warn_log.maxFileSize=10000000 log4j.appender.warn_log.maxBackupIndex=10 log4j.appender.warn_log.layout=org.apache.log4j.PatternLayout log4j.appender.warn_log.threshold=WARN log4j.appender.warn_log.layout.ConversionPattern={% raw %}%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n{% endraw %} log4j.appender.tran_log=org.apache.log4j.RollingFileAppender log4j.appender.tran_log.fileName=/var/log/shibboleth/transaction.log log4j.appender.tran_log.maxFileSize=10000000 log4j.appender.tran_log.maxBackupIndex=10 log4j.appender.tran_log.layout=org.apache.log4j.PatternLayout log4j.appender.tran_log.layout.ConversionPattern={% raw %}%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n{% endraw %} log4j.appender.sig_log=org.apache.log4j.FileAppender log4j.appender.sig_log.fileName=/var/log/shibboleth/signature.log log4j.appender.sig_log.maxFileSize=10000000 log4j.appender.sig_log.maxBackupIndex=10 log4j.appender.sig_log.layout=org.apache.log4j.PatternLayout log4j.appender.sig_log.layout.ConversionPattern={% raw %}%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n{% endraw %} 07070100000069000041ED0000000000000000000000025DC3211F00000000000000000000000000000000000000000000003E00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/vars0707010000006A000081A40000000000000000000000015DC3211F00000397000000000000000000000000000000000000004900000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/vars/debian.yml# # (c) Copyright 2017 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- # python-httplib2 is an ansible dependency for the module uri sed in start.yml key_api_packages: - libldap-2.4-2 - libsasl2-2 - libmysqlclient18 - libxml2 - libxslt1.1 - libffi6 - libldap2-dev - libsasl2-dev - python-httplib2 - xmlsec1 shibd_user: _shibd 0707010000006B000081A40000000000000000000000015DC3211F0000036F000000000000000000000000000000000000004700000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/vars/main.yml# # (c) Copyright 2015-2017 Hewlett Packard Enterprise Development LP # (c) Copyright 2017-2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # ardanauser : "{{ ansible_env['USER'] }}" ardanauser_home: "{{ ansible_env['HOME'] }}" shibd_log_dir: "/var/log/shibboleth" shibd_www_log_dir: "/var/log/shibboleth-www" adm_group_name: "adm" keystone_log_dir: "/var/log/keystone" 0707010000006C000081A40000000000000000000000015DC3211F0000040F000000000000000000000000000000000000004700000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/KEY-API/vars/suse.yml# # (c) Copyright 2017 Hewlett Packard Enterprise Development LP # (c) Copyright 2017-2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- key_api_packages: - cron - cyrus-sasl - libffi4 - libldap-2_4-2 - libmysqlclient18 - libsasl2-3 - libxml2 - libxslt1 - logrotate - python-PrettyTable - python-httplib2 - xmlstarlet # - xmlsec1 # TODO(fergal): uncomment once Legacy CI support includes package # - libxmlsec1-openssl1 # TODO(gyee): uncomment once Legacy CI support includes package shibd_user: shibd 0707010000006D000041ED0000000000000000000000065DC3211F00000000000000000000000000000000000000000000004100000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/keystone-common0707010000006E000041ED0000000000000000000000025DC3211F00000000000000000000000000000000000000000000004A00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/keystone-common/defaults0707010000006F000081A40000000000000000000000015DC3211F00000334000000000000000000000000000000000000005D00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/keystone-common/defaults/keystone_admin.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # # Settings needed for accessing keystone admin keystone_admin_port: "{{ host.bind.KEY_API.admin.port }}" keystone_admin_listen_ip: "{{ host.bind.KEY_API.admin.ip_address }}" 07070100000070000081A40000000000000000000000015DC3211F0000181D000000000000000000000000000000000000005300000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/keystone-common/defaults/main.yml# # (c) Copyright 2015-2017 Hewlett Packard Enterprise Development LP # (c) Copyright 2017-2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- keystone_hosts: "{{ groups[verb_hosts.KEY_API] }}" keystone_old_admin_pwd: "{{ KEY_API.old_vars.keystone_admin_pwd }}" keystone_user: keystone keystone_group: keystone keystone_home_dir: /var/lib/keystone service: keystone keystone_conf_dir: "/etc/keystone" keystone_venv_install_conf_dir: "{{ service | config_dir() }}" keystone_venv_install_share_dir: "{{ service | share_dir() }}/" keystone_bin_dir: "{{ service | bin_dir }}" keystone_venv_dir: "{{ service | venv_dir }}" keystone_share_dir: "{{ service | share_dir }}" keystone_admin_domain_id: "default" keystone_token_provider: "{% if keystone_configure_fernet %}fernet{% else %}uuid{% endif %}" keystone_fernet_dir_name: fernet-keys keystone_fernet_dir: "{{ keystone_conf_dir }}/{{ keystone_fernet_dir_name }}/" keystone_fernet_auto_rotation_script_name: keystone-fernet-rotate.sh keystone_fernet_auto_rotation_script: "{{ keystone_bin_dir }}/{{ keystone_fernet_auto_rotation_script_name }}" keystone_fernet_rotate_cron_script: /etc/cron.d/keystone-fernet-rotate # Any of the following rotation times are valid: # reboot, yearly, annually, monthly, weekly, daily, hourly keystone_fernet_rotation: daily keystone_db_ca_file: "{{ trusted_ca_bundle }}" keystone_db_ssl: "{% if keystone_enable_tls_for_mysql and KEY_API.consumes_FND_MDB.vips.private[0].use_tls %}?ssl_ca={{ keystone_db_ca_file }}{% endif %}" keystone_database_connection_string: "mysql+pymysql://{{ KEY_API.consumes_FND_MDB.vars.accounts.keystone.username }}:{{ KEY_API.consumes_FND_MDB.vars.accounts.keystone.password | urlencode }}@{{ KEY_API.consumes_FND_MDB.vips.private[0].host }}/keystone{{ keystone_db_ssl }}" keystone_public_port: "{{ host.bind.KEY_API.public.port }}" keystone_public_listen_ip: "{{ host.bind.KEY_API.public.ip_address }}" keystone_internal_port: "{{ host.bind.KEY_API.internal.port }}" keystone_internal_listen_ip: "{{ host.bind.KEY_API.internal.ip_address }}" vip_protocol_admin: "{{ KEY_API.advertises.vips.admin[0].protocol }}" keystone_admin_vip_ip : "{{ KEY_API.advertises.vips.admin[0].ip_address }}" keystone_admin_vip_host: "{{ KEY_API.advertises.vips.admin[0].host }}" keystone_admin_vip_port: "{{ KEY_API.advertises.vips.admin[0].port }}" vip_protocol_internal: "{{ KEY_API.advertises.vips.private[0].protocol }}" keystone_internal_vip_host: "{{ KEY_API.advertises.vips.private[0].host }}" keystone_internal_vip_port: "{{ KEY_API.advertises.vips.private[0].port }}" vip_protocol_public: "{{ KEY_API.advertises.vips.public[0].protocol }}" keystone_public_vip_host: "{{ KEY_API.advertises.vips.public[0].host }}" keystone_public_vip_port: "{{ KEY_API.advertises.vips.public[0].port }}" keystone_admin_endpoint: "{{ KEY_API.advertises.vips.admin[0].url }}" keystone_internal_endpoint: "{{ KEY_API.advertises.vips.private[0].url }}" keystone_public_endpoint: "{{ KEY_API.advertises.vips.public[0].url }}" keystone_service_project_name: "{{ KEY_API.vars.keystone_service_tenant }}" keystone_admin_project_name: "{{ KEY_API.vars.keystone_admin_tenant }}" keystone_demo_project_name: "{{ KEY_API.vars.keystone_demo_tenant }}" keystone_monitoring_project_name: "{{ KEY_API.vars.keystone_monitoring_tenant }}" keystone_admin_role: "{{ KEY_API.vars.keystone_admin_role }}" keystone_keystoneadmin_role: "{{ KEY_API.vars.keystone_KeystoneAdmin_role }}" keystone_member_role: member keystone_service_role: "{{ KEY_API.vars.keystone_service_role }}" keystone_monitor_role: "{{ KEY_API.vars.keystone_monitoring_role }}" keystone_project_observer_role: "{{ KEY_API.vars.keystone_project_observer_role }}" keystone_user_observer_role: "{{ KEY_API.vars.keystone_user_observer_role }}" keystone_domain_observer_role: "{{ KEY_API.vars.keystone_domain_observer_role }}" keystone_default_domain: Default keystone_v2_domain_name: "{{ keystone_default_domain }}" keystone_v2_project_domain_name: "{{ keystone_v2_domain_name }}" keystone_v2_user_domain_name: "{{ keystone_v2_domain_name }}" keystone_region: "{{ KEY_API.advertises.vips.public[0].region_name }}" keystone_admin_user: "{{ KEY_API.vars.keystone_admin_user }}" keystone_admin_user_pwd: "{{ KEY_API.vars.keystone_admin_pwd | quote }}" keystone_demo_user: "{{ KEY_API.vars.keystone_demo_user }}" keystone_demo_pwd: "{{ KEY_API.vars.keystone_demo_pwd | quote }}" # Message queue variables _mq_hosts_list: "{{ KEY_API.consumes_FND_RMQ.members.private | default (KEY_API.consumes_FND_RMQ.members.public) }}" keystone_rabbit_hosts_port_pair: "{% for x in _mq_hosts_list -%} {{ x.host }}:{{ x.port }} {%- if not loop.last -%},{% endif %} {%- endfor %}" keystone_rabbit_user: "{{ KEY.consumes_FND_RMQ.vars.accounts.keystone.username }}" keystone_rabbit_password: "{{ KEY.consumes_FND_RMQ.vars.accounts.keystone.password }}" keystone_rabbit_use_ssl: "{{ KEY.consumes_FND_RMQ.members.private[0].use_tls }}" keystone_cloudadmin_domain: cloud_admin keystone_cloudadmin_project: cloud_admin_project is_baremetal_install: "{{ True if ansible_virtualization_role == 'host' else False }}" # This is used only for tuning virtual install keystone_default_process_count: 10 keystone_settle_time: 30 keystone_restart_required: false # Keystone audit variables keystone_api_audit_enable: "{{ KEY.audit.enabled }}" keystone_audit_log_base_location: "{{ KEY.audit.dir }}" # This is for federation configuration keystone_shibd_conf_dir: "/etc/shibboleth" memcached_servers: "{% for x in KEY_API.consumes_FND_MEM.members.private %}{{ x.host }}:{{ x.port }}{%if not loop.last %},{% endif %}{% endfor %}" 07070100000071000041ED0000000000000000000000025DC3211F00000000000000000000000000000000000000000000004600000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/keystone-common/meta07070100000072000081A40000000000000000000000015DC3211F00000263000000000000000000000000000000000000004F00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/keystone-common/meta/main.yml# (c) Copyright 2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- dependencies: - role: tls-vars 07070100000073000041ED0000000000000000000000025DC3211F00000000000000000000000000000000000000000000004700000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/keystone-common/tasks07070100000074000081A40000000000000000000000015DC3211F0000030E000000000000000000000000000000000000005D00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/keystone-common/tasks/_schedule_restart.yml# # (c) Copyright 2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - name: keystone-common | _schedule_restart | Schedule a restart for keystone debug: msg: "Trigger a change notification in keystone" changed_when: true register: ardana_notify_keystone_change07070100000075000081A40000000000000000000000015DC3211F00000D2E000000000000000000000000000000000000005000000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/keystone-common/tasks/main.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017-2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - name: keystone-common | main | Include dependent yml files include_vars: "{{ item }}" with_items: - keystone_deploy_config.yml - ../defaults/keystone_admin.yml tags: - keystone - keystone_debug - name: keystone-common | main | Display variables that are configured for KEY-API debug: var=KEY_API tags: - keystone - keystone_debug when: keystone_debug is defined run_once: True - name: keystone-common | main | Display variables for the inventory host debug: var=hostvars[inventory_hostname] tags: - keystone - keystone_debug when: keystone_debug is defined run_once: True # NOTE(gyee) check to see what the current token provider is. If this is a new # install, it will return an empty string as keystone.conf may not have # existed yet. This logic will work if we don't also configure a "provider" for # credential. Right now, the only provider for credential is "fernet" so we # should be fine. In the future, if more than one providers are supported for # credential, we'll need to update this logic. Better yet, upgrade to # Ansible 2.x and use the ini module and this problem will magically # disappear. :-) # FIXME(gyee): use Ansible ini module for this when we upgrade to # Ansible 2.x. - name: keystone-common | main | Look for the default token provider become: yes shell: >- grep '^provider\s*=' {{ keystone_venv_install_conf_dir }}/keystone.conf 2>&1 | grep '^provider\s*=' | sed 's/.*=\s*//' register: lookup_keystone_token_provider_result tags: - keystone - name: keystone-common | main | Display current Keystone token provider debug: msg: "{{ lookup_keystone_token_provider_result.stdout }}" tags: - keystone - keystone_debug when: keystone_debug is defined # NOTE(gyee): in an upgrade situation where --limit is used, we do not want # to change the current token provider as we will end up with some controllers # using Fernet token provider while others still using UUID. This will be # disastrous as some tokens does not validate. We DO NOT support changing # token provider to Fernet until all the nodes are upgraded and ready as # Fernet required all the token-signing keys are in-sync for all the nodes # at all times. - name: keystone-common | main | Set token provider set_fact: keystone_token_provider: >- {{ lookup_keystone_token_provider_result.stdout }} when: play_hosts|length != keystone_hosts|length and lookup_keystone_token_provider_result.stdout != "" - name: keystone-common | main | Display Keystone token provider debug: msg: "Token provider is {{ keystone_token_provider }}" tags: - keystone - keystone_debug when: keystone_debug is defined 07070100000076000041ED0000000000000000000000025DC3211F00000000000000000000000000000000000000000000004600000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/keystone-common/vars07070100000077000081A40000000000000000000000015DC3211F00000A11000000000000000000000000000000000000006100000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/keystone-common/vars/keystone_deploy_config.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017-2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # ######################################################### # Logging ######################################################### # Possible log levels are INFO/DEBUG/WARN/ERROR keystone_loglevel: INFO keystone_logstash_loglevel: INFO ######################################################### # WSGI ######################################################### # To handle 100 concurrent connections count = 15 is more than enough # Most of the traffice goes to internal vip which is controlled by # public procoess count keystone_wsgi_admin_process_count: "{{ [5, [2, ansible_processor_vcpus / 2] | max] | min | int }}" keystone_wsgi_public_process_count: "{{ [10, [2, (ansible_processor_vcpus / 2) * 3] | max] | min | int }}" #socket-timeout option to WSGIDaemonProcess to allow the timeout on indvidual # read/writes on the socket connection between the Apache child worker and #the daemon process to be specified separately to the Apache Timeout directive. keystone_wsgi_socket_timeout: 600 ######################################################### # Fernet Token ######################################################### # Enable Fernet token by default as UUID token was deprecated. # You may revert back to UUID token provider by setting this # value to False, for disaster recovery purposes. keystone_configure_fernet: True ######################################################### # Enable TLS transport for mysql ######################################################### keystone_enable_tls_for_mysql: True ######################################################### # Addition roles to be created and assigned to the # 'admin' user for the 'admin' project. The 'admin' # project is used to manage the OpenStack cloud. ######################################################### keystone_extra_roles_for_admin_user_and_admin_project: - swiftoperator - glance_admin - cinder_admin - nova_admin - neutron_admin 07070100000078000041ED0000000000000000000000065DC3211F00000000000000000000000000000000000000000000004200000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/keystone-monitor07070100000079000041ED0000000000000000000000025DC3211F00000000000000000000000000000000000000000000004B00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/keystone-monitor/defaults0707010000007A000081A40000000000000000000000015DC3211F000002AB000000000000000000000000000000000000005400000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/keystone-monitor/defaults/main.yml# # (c) Copyright 2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. --- monasca_alarm_definition_api_url: > {{ MON_AGN.consumes_MON_API.vips.private[0].url ~ '/v2.0' }} 0707010000007B000041ED0000000000000000000000025DC3211F00000000000000000000000000000000000000000000004700000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/keystone-monitor/meta0707010000007C000081A40000000000000000000000015DC3211F000002DA000000000000000000000000000000000000005000000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/keystone-monitor/meta/main.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- dependencies: - role: keystone-common - {role: monasca-agent, run_mode: Use} 0707010000007D000041ED0000000000000000000000025DC3211F00000000000000000000000000000000000000000000004800000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/keystone-monitor/tasks0707010000007E000081A40000000000000000000000015DC3211F0000033B000000000000000000000000000000000000006800000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/keystone-monitor/tasks/_monitor_fernet_master_node.yml# # (c) Copyright 2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. --- - include: ../../KEY-API/tasks/_find_fernet_master_node.yml - name: keystone-monitor | _monitor_fernet_master_node | Setup master node monitor include: _setup_fernet_master_node_monitor.yml when: found_fernet_master_node is defined 0707010000007F000081A40000000000000000000000015DC3211F00000AF8000000000000000000000000000000000000006E00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/keystone-monitor/tasks/_setup_fernet_master_node_monitor.yml# # (c) Copyright 2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. --- - name: keystone-monitor | _set_fernet_master_node_monitor | Setup default email notification method monasca_notification_method: name: "Default Email" type: 'EMAIL' address: "root@localhost" keystone_url: "{{ keystone_admin_endpoint }}/v3" keystone_user: "{{ keystone_admin_user }}" keystone_password: "{{ keystone_admin_user_pwd }}" keystone_project: "{{ keystone_admin_project_name }}" keystone_project_domain: "{{ keystone_default_domain }}" keystone_user_domain: "{{ keystone_default_domain }}" monasca_api_url: "{{ monasca_alarm_definition_api_url }}" overwrite: false register: keystone_default_notification_result run_once: true - name: keystone-monitor | _set_fernet_master_node_monitor | Set hostname set_fact: fernet_master_hostname: >- {{ hostvars[found_fernet_master_node].host.my_dimensions.hostname }} - name: keystone-monitor | _set_fernet_master_node_monitor | Set control_plane set_fact: fernet_master_control_plane: >- {{ hostvars[found_fernet_master_node].host.my_dimensions.control_plane }} - name: keystone-monitor | _set_fernet_master_node_monitor | Create fernet master node alarm definition monasca_alarm_definition: name: "Fernet Master" description: "Check to make sure Fernet Master node still alive." severity: "CRITICAL" expression: >- host_alive_status{hostname={{ fernet_master_hostname }}, control_plane={{ fernet_master_control_plane }}} > 0 match_by: ["hostname"] keystone_url: "{{ keystone_admin_endpoint }}/v3" keystone_user: "{{ keystone_admin_user }}" keystone_password: "{{ keystone_admin_user_pwd }}" keystone_project: "{{ keystone_admin_project_name }}" keystone_project_domain: "{{ keystone_default_domain }}" keystone_user_domain: "{{ keystone_default_domain }}" monasca_api_url: "{{ monasca_alarm_definition_api_url }}" ok_actions: - "{{ keystone_default_notification_result.notification_method_id }}" undetermined_actions: - "{{ keystone_default_notification_result.notification_method_id }}" alarm_actions: - "{{ keystone_default_notification_result.notification_method_id }}" run_once: true 07070100000080000081A40000000000000000000000015DC3211F000007CC000000000000000000000000000000000000005A00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/keystone-monitor/tasks/local_monitor.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # - name: keystone-monitor | local_monitor | Set up check on keystone wsgi process and admin endpoint locally become: yes monasca_agent_plugin: name: "keystone" args: "disable_http_check=yes" tags: - keystone - keystone_monitor - name: keystone-monitor | local_monitor | Setup active check on keystone internal endpoint locally become: yes monasca_agent_plugin: name: "httpcheck" args: "use_keystone=False \ url=http://{{ keystone_internal_listen_ip | ipwrap }}:{{ keystone_internal_port }}/v3 \ dimensions=service:identity-service,\ component:keystone-api,\ api_endpoint:internal,\ monitored_host_type:instance" tags: - keystone - keystone_monitor - name: keystone-monitor | local_monitor | Setup active check on keystone admin endpoint locally become: yes monasca_agent_plugin: name: "httpcheck" args: "use_keystone=False \ url=http://{{ keystone_admin_listen_ip | ipwrap }}:{{ keystone_admin_port }}/v3 \ dimensions=service:identity-service,\ component:keystone-api,\ api_endpoint:admin,\ monitored_host_type:instance" tags: - keystone - keystone_monitor 07070100000081000081A40000000000000000000000015DC3211F000004E7000000000000000000000000000000000000006700000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/keystone-monitor/tasks/monitor_fernet_master_node.yml# # (c) Copyright 2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. --- - name: keystone-monitor | monitor_fernet_master_node | Check Fernet token configuration prereq debug: msg: >- WARNING: Then number of play hosts does not match the number of Keystone API hosts. It is possible that the --limit option was used in the play. The use of --limit option is not supported when configuring the Fernet token feature. Fernet token configuration will be skipped. when: vars['play_hosts'] | length != keystone_hosts | length - name: keystone-monitor | monitor_fernet_master_node | Monitor Fernet Master include: _monitor_fernet_master_node.yml when: vars['play_hosts'] | length == keystone_hosts | length 07070100000082000081A40000000000000000000000015DC3211F00000451000000000000000000000000000000000000005B00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/keystone-monitor/tasks/remote_monitor.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # - name: keystone-monitor | remote_monitor | Setup http check against Keystone VIP become: yes monasca_agent_plugin: name: "httpcheck" args: "use_keystone=False url={{ item.url }}/v3 dimensions=service:\ identity-service,component:keystone-api,api_endpoint:{{ item.api_endpoint }},monitored_host_type:vip" with_items: - { api_endpoint: 'internal', url: "{{ keystone_internal_endpoint }}"} tags: - keystone_monitor 07070100000083000041ED0000000000000000000000025DC3211F00000000000000000000000000000000000000000000004700000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/keystone-monitor/vars07070100000084000081A40000000000000000000000015DC3211F000002DE000000000000000000000000000000000000005000000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/keystone-monitor/vars/main.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- ardanauser : "{{ ansible_env['USER'] }}" ardanauser_home: "{{ ansible_env['HOME'] }}" 07070100000085000041ED0000000000000000000000055DC3211F00000000000000000000000000000000000000000000004900000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/keystone-post-configure07070100000086000041ED0000000000000000000000025DC3211F00000000000000000000000000000000000000000000005200000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/keystone-post-configure/defaults07070100000087000081A40000000000000000000000015DC3211F000007A7000000000000000000000000000000000000005B00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/keystone-post-configure/defaults/main.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- keystone_services: "[ {% for s in KEY_API.advertised %} {'service_name': '{{ s.service_name }}', 'service_type': '{{ s.service_type | default('') }}', 'service_description': '{{ s.service_description | default('') }}' } {%- if not loop.last -%} , {% endif -%} {% endfor %} ] " keystone_endpoints: "[ {% for s in KEY_API.advertised %} {% for r in s.regions %} {'service_name': '{{ s.service_name }}', 'public_url': '{{ s.public_url | default('') }}', 'internal_url': '{{ s.internal_url | default('') }}', 'admin_url': '{{ s.admin_url | default('') }}', 'region': '{{ r }}' } {%- if not loop.last -%} , {% endif -%} {% endfor %} {%- if not loop.last -%} , {% endif -%} {% endfor %} ]" 07070100000088000041ED0000000000000000000000025DC3211F00000000000000000000000000000000000000000000004E00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/keystone-post-configure/meta07070100000089000081A40000000000000000000000015DC3211F000002B1000000000000000000000000000000000000005700000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/keystone-post-configure/meta/main.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- dependencies: - role: keystone-common 0707010000008A000041ED0000000000000000000000025DC3211F00000000000000000000000000000000000000000000004F00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/keystone-post-configure/tasks0707010000008B000081A40000000000000000000000015DC3211F00000D0E000000000000000000000000000000000000006100000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/keystone-post-configure/tasks/keystone_conf.yml# # (c) Copyright 2015-2017 Hewlett Packard Enterprise Development LP # (c) Copyright 2017-2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # # keystone user and endpoint registration --- - name: keystone-post-configure | keystone_conf | Create bootstrap users command: > "{{ keystone_bin_dir }}/keystone-manage" --config-file "{{ keystone_venv_install_conf_dir }}/keystone.conf" --log-config "{{ keystone_venv_install_conf_dir }}/logging.conf" bootstrap --bootstrap-username "{{ keystone_admin_user }}" --bootstrap-project-name "{{ keystone_cloudadmin_project }}" --bootstrap-role-name "{{ keystone_admin_role }}" environment: OS_BOOTSTRAP_PASSWORD: "{{ keystone_admin_user_pwd }}" run_once: true become: yes become_user: "{{ keystone_user }}" tags: - keystone - name: keystone-post-configure | keystone_conf | Get cloud admin token become: yes keystone_v3: endpoint: "{{ keystone_admin_endpoint }}/v3" login_username: "{{ keystone_admin_user }}" login_password: "{{ keystone_admin_user_pwd }}" login_user_domain_name: "{{ keystone_default_domain }}" login_project_name: "{{ keystone_cloudadmin_project }}" login_project_domain_name: "{{ keystone_default_domain }}" cacert: "{{ trusted_ca_bundle }}" action: "token_get" run_once: true register: cloud_admin_token_result tags: - keystone - name: keystone-post-configure | keystone_conf | Set cloud admin token set_fact: cloud_admin_token: "{{ cloud_admin_token_result.result }}" - name: keystone-post-configure | keystone_conf | Create roles keystone_v3: login_token: "{{ cloud_admin_token }}" endpoint: "{{ keystone_internal_endpoint }}/v3" cacert: "{{ trusted_ca_bundle }}" action: "create_role" role_name: "{{ item }}" description: "Bootstrap roles created via keystone deploy" with_items: - "{{ keystone_keystoneadmin_role }}" run_once: true tags: - keystone # NOTE: we should be using the keystone_cloud_admin project for cloud admin # operations. Using domain-scoped token for backward compatibility only. - name: keystone-post-configure | keystone_conf | Grant admin Role to admin User on Default domain become: yes keystone_v3: login_token: "{{ cloud_admin_token }}" endpoint: "{{ keystone_internal_endpoint }}/v3" cacert: "{{ trusted_ca_bundle }}" action: "grant_domain_role" user_name: "{{ keystone_admin_user }}" domain_name: "Default" role_name: "{{ keystone_admin_role }}" user_domain_name: "{{ keystone_v2_user_domain_name }}" run_once: true tags: - keystone # now provision the rest of accounts using the newly-minted cloud admin # credential - name: keystone-post-configure | keystone_conf | Provision account data include: keystone_provision_accts.yml 0707010000008C000081A40000000000000000000000015DC3211F00001E3F000000000000000000000000000000000000006C00000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/keystone-post-configure/tasks/keystone_provision_accts.yml# # (c) Copyright 2015-2017 Hewlett Packard Enterprise Development LP # (c) Copyright 2017-2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # # keystone user and endpoint registration --- - name: keystone-post-configure | keystone_provision_accts | Get a domain scoped token after bootstrap keystone_v3: endpoint: "{{ keystone_internal_endpoint }}/v3" cacert: "{{ trusted_ca_bundle }}" login_username: "{{ keystone_admin_user }}" login_password: "{{ keystone_admin_user_pwd }}" login_user_domain_name: "Default" login_domain_name: "Default" action: "token_get" register: domain_scoped_token_result - name: keystone-post-configure | keystone_provision_accts | Create roles keystone_v3: login_token: "{{ domain_scoped_token_result.result }}" endpoint: "{{ keystone_internal_endpoint }}/v3" cacert: "{{ trusted_ca_bundle }}" action: "create_role" role_name: "{{ item }}" description: "Bootstrap roles created via keystone deploy" with_items: - "{{ keystone_service_role }}" - "{{ keystone_monitor_role }}" - "{{ keystone_project_observer_role }}" - "{{ keystone_domain_observer_role }}" - "{{ keystone_user_observer_role }}" run_once: true tags: - keystone - name: keystone-post-configure | keystone_provision_accts | Create extra roles keystone_v3: login_token: "{{ domain_scoped_token_result.result }}" endpoint: "{{ keystone_internal_endpoint }}/v3" cacert: "{{ trusted_ca_bundle }}" action: "create_role" role_name: "{{ item }}" description: "Bootstrap roles created via keystone deploy" with_items: "{{ keystone_extra_roles_for_admin_user_and_admin_project }}" when: keystone_extra_roles_for_admin_user_and_admin_project is defined run_once: true tags: - keystone - name: keystone-post-configure | keystone_provision_accts | Create bootstrap tenants become: yes keystone_v3: login_token: "{{ domain_scoped_token_result.result }}" endpoint: "{{ keystone_internal_endpoint }}/v3" cacert: "{{ trusted_ca_bundle }}" action: "create_project" project_name: "{{ item }}" project_domain_name: "{{ keystone_v2_project_domain_name }}" description: "Bootstrap accounts created via keystone deploy" with_items: - "{{ keystone_admin_project_name }}" - "{{ keystone_demo_project_name }}" - "{{ keystone_service_project_name }}" - "{{ keystone_monitoring_project_name }}" run_once: true tags: - keystone - name: keystone-post-configure | keystone_provision_accts | Grant admin Role to admin User on admin tenant become: yes keystone_v3: login_token: "{{ domain_scoped_token_result.result }}" endpoint: "{{ keystone_internal_endpoint }}/v3" cacert: "{{ trusted_ca_bundle }}" action: "grant_project_role" user_name: "{{ keystone_admin_user }}" project_name: "{{ keystone_admin_project_name }}" role_name: "{{ item }}" user_domain_name: "{{ keystone_v2_user_domain_name }}" project_domain_name: "{{ keystone_v2_project_domain_name }}" with_items: - "{{ keystone_project_observer_role }}" - "{{ keystone_admin_role }}" run_once: true tags: - keystone - name: keystone-post-configure | keystone_provision_accts | Create Demo User become: yes keystone_v3: login_token: "{{ domain_scoped_token_result.result }}" endpoint: "{{ keystone_internal_endpoint }}/v3" cacert: "{{ trusted_ca_bundle }}" action: "create_user" user_name: "{{ keystone_demo_user }}" user_password: "{{ keystone_demo_pwd }}" description: "Bootstrap accounts created via keystone deploy" user_domain_name: "{{ keystone_v2_user_domain_name }}" run_once: true tags: - keystone - name: keystone-post-configure | keystone_provision_accts | Grant member role to Demo User on Admin Tenant become: yes keystone_v3: login_token: "{{ domain_scoped_token_result.result }}" endpoint: "{{ keystone_internal_endpoint }}/v3" cacert: "{{ trusted_ca_bundle }}" action: "grant_project_role" user_name: "{{ keystone_demo_user }}" project_name: "{{ keystone_admin_project_name }}" role_name: "{{ keystone_member_role }}" user_domain_name: "{{ keystone_v2_user_domain_name }}" project_domain_name: "{{ keystone_v2_project_domain_name }}" run_once: true tags: - keystone - name: keystone-post-configure | keystone_provision_accts | Grant admin user admin Role on demo tenant become: yes keystone_v3: login_token: "{{ domain_scoped_token_result.result }}" endpoint: "{{ keystone_internal_endpoint }}/v3" cacert: "{{ trusted_ca_bundle }}" action: "grant_project_role" user_name: "{{ keystone_admin_user }}" project_name: "{{ keystone_demo_project_name }}" role_name: "{{ keystone_admin_role }}" user_domain_name: "{{ keystone_v2_user_domain_name }}" project_domain_name: "{{ keystone_v2_project_domain_name }}" run_once: true tags: - keystone # # The Member role is used by Horizon and Swift - name: keystone-post-configure | keystone_provision_accts | Grant Demo user Member Role on Demo tenant become: yes keystone_v3: login_token: "{{ domain_scoped_token_result.result }}" endpoint: "{{ keystone_internal_endpoint }}/v3" cacert: "{{ trusted_ca_bundle }}" action: "grant_project_role" user_name: "{{ keystone_demo_user }}" project_name: "{{ keystone_demo_project_name }}" role_name: "{{ keystone_member_role }}" user_domain_name: "{{ keystone_v2_user_domain_name }}" project_domain_name: "{{ keystone_v2_project_domain_name }}" run_once: true tags: - keystone - name: keystone-post-configure | keystone_provision_accts | Grant admin user, admin Role to services tenant become: yes keystone_v3: login_token: "{{ domain_scoped_token_result.result }}" endpoint: "{{ keystone_internal_endpoint }}/v3" cacert: "{{ trusted_ca_bundle }}" action: "grant_project_role" user_name: "{{ keystone_admin_user }}" project_name: "{{ keystone_service_project_name }}" role_name: "{{ item }}" user_domain_name: "{{ keystone_v2_user_domain_name }}" project_domain_name: "{{ keystone_v2_project_domain_name }}" with_items: - "{{ keystone_project_observer_role }}" - "{{ keystone_admin_role }}" run_once: true tags: - keystone - name: keystone-post-configure | keystone_provision_accts | Grant admin user addition roles to admin project become: yes keystone_v3: login_token: "{{ domain_scoped_token_result.result }}" endpoint: "{{ keystone_internal_endpoint }}/v3" cacert: "{{ trusted_ca_bundle }}" action: "grant_project_role" user_name: "{{ keystone_admin_user }}" project_name: "{{ keystone_admin_project_name }}" role_name: "{{ item }}" user_domain_name: "{{ keystone_v2_user_domain_name }}" project_domain_name: "{{ keystone_v2_project_domain_name }}" with_items: "{{ keystone_extra_roles_for_admin_user_and_admin_project }}" when: keystone_extra_roles_for_admin_user_and_admin_project is defined run_once: true tags: - keystone - name: keystone-post-configure | keystone_provision_accts | Configure Services include: services_conf.yml 0707010000008D000081A40000000000000000000000015DC3211F00000919000000000000000000000000000000000000006100000000ardana-keystone-9.0+git.1573069087.15ffd1c/roles/keystone-post-configure/tasks/services_conf.yml# # (c) Copyright 2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017-2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - name: keystone-post-configure | services_conf | Get a domain scoped token become: yes keystone_v3: endpoint: "{{ keystone_admin_endpoint }}/v3" login_username: "{{ keystone_admin_user }}" login_password: "{{ keystone_admin_user_pwd }}" login_user_domain_name: "{{ keystone_default_domain }}" login_domain_name: "{{ keystone_default_domain }}" cacert: "{{ trusted_ca_bundle }}" action: "token_get" run_once: true register: domain_scoped_token_result - name: keystone-post-configure | services_conf | Create services in Keystone become: yes keystone_v3: endpoint: "{{ keystone_admin_endpoint }}/v3" cacert: "{{ trusted_ca_bundle }}" login_token: "{{ domain_scoped_token_result.result }}" action: "create_service" service_name: "{{ item.service_name }}" service_type: "{{ item.service_type | default('') }}" description: "{{ item.service_description | default('') }}" run_once: True with_items: - "{{ keystone_services }}" when: item.service_name is defined - name: keystone-post-configure | services_conf | Create endpoints in Keystone become: yes keystone_v3: endpoint: "{{ keystone_admin_endpoint }}/v3" cacert: "{{ trusted_ca_bundle }}" login_token: "{{ domain_scoped_token_result.result }}" action: "create_endpoint" service_name: "{{ item.service_name }}" region: "{{ item.region | default('') }}" admin_url: "{{ item.admin_url | default('') }}" internal_url: "{{ item.internal_url | default('') }}" public_url: "{{ item.public_url | default('') }}" run_once: True with_items: - "{{ keystone_endpoints }}" when: item.service_name is defined 07070100000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000B00000000TRAILER!!!585 blocks
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
