Documentation update after refactoring

* added a lot of inline comments for attributes, recipes and provider
* updated README to the current state of the cookbook

Change-Id: Ic7b7ae6d26ce56e2237fe3215aff9ab447946b48
@@ -1,6 +1,6 @@
# This configuration was generated by
# `rubocop --auto-gen-config`
# on 2016-02-16 10:26:21 +0100 using RuboCop version 0.34.2.
# on 2016-04-26 16:37:57 -0500 using RuboCop version 0.34.2.
# The point is for the user to remove these configuration records
# one by one as the offenses are removed from the code base.
# Note that changes in the inspected code, or installation of new
@@ -27,5 +27,5 @@ Style/Documentation:
Exclude:
- 'recipes/_fernet_tokens.rb'
- 'recipes/client.rb'
- 'recipes/openrc.rb'
- 'recipes/registration.rb'
- 'recipes/server-apache.rb'
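Review bot: the Style/Documentation exclude list is carried over for the five recipes shown here (`recipes/_fernet_tokens.rb` through `recipes/server-apache.rb`) even though this change adds inline comments to exactly those recipes; the header of this file says these records are meant to be removed one by one as the offenses are fixed, so consider adding the top-level documentation comment RuboCop asks for and dropping the entries rather than regenerating the todo with a new timestamp.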
489 README.md
@@ -1,357 +1,204 @@
Description
===========

This cookbook installs the OpenStack Identity Service **Keystone** as part of the OpenStack reference deployment Chef for OpenStack. The https://github.com/openstack/openstack-chef-repo contains documentation for using this cookbook in the context of a full OpenStack deployment. Keystone is installed from packages, creating the default user, tenant, and roles. It also registers the identity service and identity endpoint.
This cookbook installs the OpenStack Identity Service **Keystone** as part of
the OpenStack reference deployment Chef for OpenStack. The
https://github.com/openstack/openstack-chef-repo contains documentation for
using this cookbook in the context of a full OpenStack deployment. Keystone is
installed from packages, creating the default user, tenant, and roles. It also
registers the identity service and identity endpoint.

http://keystone.openstack.org/
http://keystone.openstack.org

Requirements
============

Chef 0.10.0 or higher required (for Chef environment use)
- Chef 12 or higher
- chefdk 0.9.0 for testing (also includes berkshelf for cookbook dependency
resolution)

Platform
========

- ubuntu
- redhat
- centos

Cookbooks
---------
=========

The following cookbooks are dependencies:

* openstack-common

Usage
=====

client
------

Installs the keystone client packages


server (deprecated, will be removed in M release)
------

Installs and Configures Keystone Service

```json
"run_list": [
"recipe[openstack-identity::server]"
]
```

server-apache
-------------

Installs and Configures Keystone Service under Apache

```json
"run_list": [
"recipe[openstack-identity::server-apache]"
]
```

Resources/Providers
===================

These resources provide an abstraction layer for interacting with the keystone server's API, allowing for other nodes to register any required users, tenants, roles, services, or endpoints.

register
--------

Register users, tenants, roles, services and endpoints with Keystone

### Actions

- :create_tenant: Create a tenant
- :create_user: Create a user for a specified tenant
- :create_role: Create a role
- :grant_role: Grant a role to a specified user for a specified tenant
- :create_service: Create a service
- :create_endpoint: Create an endpoint for a sepcified service

### General Attributes

- auth_protocol: Required communication protocol with Keystone server
- Acceptable values are [ "http", "https" ]
- auth_host: Keystone server IP Address
- auth_port: Port Keystone server is listening on
- api_ver: API Version for Keystone server
- Accepted values are [ "/v2.0" ]
- auth_token: Auth Token for communication with Keystone server
- misc_keystone: Array of strings to be added to the keystone.conf file

### :create_tenant Specific Attributes

- tenant_name: Name of tenant to create
- tenant_description: Description of tenant to create
- tenant_enabled: Enable or Disable tenant
- Accepted values are [ "true", "false" ]
- Default is "true"

### :create_user Specific Attributes

- user_name: Name of user account to create
- user_pass: Password for the user account
- user_enabled: Enable or Disable user
- Accepted values are [ "true", "false" ]
- Default is "true"
- tenant_name: Name of tenant to create user in

### :create_role Specific Attributes

- role_name: Name of the role to create

### :grant_role Specific Attributes

- role_name: Name of the role to grant
- user_name: User name to grant the role to
- tenant_name: Name of tenant to grant role in

### :create_service Specific Attributes

- service_name: Name of service
- service_description: Description of service
- service_type: Type of service to create
- Accepted values are [ "image", "identity", "compute", "storage", "ec2", "volume", "object-store", "metering", "network", "orchestration", "cloudformation" ]
- **NOTE:** call will be skipped if `openstack['identity']['catalog']['backend']` is set to 'templated'

### :create_endpoint Specific Attributes

- endpoint_region: Default value is "RegionOne"
- endpoint_adminurl: URL to admin endpoint (using admin port)
- endpoint_internalurl: URL to service endpoint (using service port)
- endpoint_publicurl: URL to public endpoint
- Default is same as endpoint_internalURL
- service_type: Type of service to create endpoint for
- Accepted values are [ "image", "identity", "compute", "storage", "ec2", "volume", "object-store", "metering", "network", "orchestration", "cloudformation" ]
- **NOTE:** call will be skipped if `openstack['identity']['catalog']['backend']` is set to 'templated'

### Examples

# Create 'openstack' tenant
openstack_identity_register "Register 'openstack' Tenant" do
auth_host "192.168.1.10"
auth_port "35357"
auth_protocol "http"
api_ver "/v2.0"
auth_token "123456789876"
tenant_name "openstack"
tenant_description "Default Tenant"
tenant_enabled "true" # Not required as this is the default
action :create_tenant
end

# Create 'admin' user
openstack_identity_register "Register 'admin' User" do
auth_host "192.168.1.10"
auth_port "35357"
auth_protocol "http"
api_ver "/v2.0"
auth_token "123456789876"
tenant_name "openstack"
user_name "admin"
user_pass "secrete"
user_enabled "true" # Not required as this is the default
action :create_user
end

# Create 'admin' role
openstack_identity_register "Register 'admin' Role" do
auth_host "192.168.1.10"
auth_port "35357"
auth_protocol "http"
api_ver "/v2.0"
auth_token "123456789876"
role_name role_key
action :create_role
end


# Grant 'admin' role to 'admin' user in the 'openstack' tenant
openstack_identity_register "Grant 'admin' Role to 'admin' User" do
auth_host "192.168.1.10"
auth_port "35357"
auth_protocol "http"
api_ver "/v2.0"
auth_token "123456789876"
tenant_name "openstack"
user_name "admin"
role_name "admin"
action :grant_role
end

# Create 'identity' service
openstack_identity_register "Register Identity Service" do
auth_host "192.168.1.10"
auth_port "35357"
auth_protocol "http"
api_ver "/v2.0"
auth_token "123456789876"
service_name "keystone"
service_type "identity"
service_description "Keystone Identity Service"
action :create_service
end

# Create 'identity' endpoint
openstack_identity_register "Register Identity Endpoint" do
auth_host "192.168.1.10"
auth_port "35357"
auth_protocol "http"
api_ver "/v2.0"
auth_token "123456789876"
service_type "identity"
endpoint_region "RegionOne"
endpoint_adminurl "http://192.168.1.10:35357/v2.0"
endpoint_internalurl "http://192.168.1.10:5001/v2.0"
endpoint_publicurl "http://1.2.3.4:5001/v2.0"
action :create_endpoint
end

credentials
-----------

Create EC2 credentials for a given user in the specified tenant

### Actions

- :create_ec2: create EC2 credentials

### General Attributes

- auth_protocol: Required communication protocol with Keystone server. Acceptable values are [ "http", "https" ]
- auth_host: Keystone server IP Address
- auth_port: Port Keystone server is listening on
- api_ver: API Version for Keystone server
- Accepted values are [ "/v2.0" ]
- auth_token: Auth Token for communication with Keystone server

### :create_ec2 Specific Attributes

- user_name: User name to grant the credentials for
- tenant_name: Tenant name to grant the credentials in

### Examples

openstack_identity_credentials "Create EC2 credentials for 'admin' user" do
auth_host "192.168.1.10"
auth_port "35357"
auth_protocol "http"
api_ver "/v2.0"
auth_token "123456789876"
user_name "admin"
tenant_name "openstack"
end
- 'apache2', '~> 3.1'
- 'openstack-common', '>= 13.0.0'

Attributes
==========

**TODO**: Clean up after refactoring.
Please refer to the Common cookbook for more attributes.
Please see the extensive inline documentation in `attributes/*.rb` for
descriptions of all the settable attributes for this cookbook.

* `openstack['identity']['db_server_chef_role']` - The name of the Chef role that knows about the db server
* `openstack['identity']['user']` - User keystone runs as
* `openstack['identity']['group']` - Group keystone runs as
* `openstack['identity']['db']` - Name of keystone database
* `openstack['identity']['db_user']` - Username for keystone database access
* `openstack['identity']['db_passwd']` - Password for keystone database access
* `openstack['identity']['db_ipaddress']` - IP address of the keystone database
* `openstack['identity']['api_ipaddress']` - IP address for the keystone API to bind to. _TODO_: Rename to bind_address
* `openstack['identity']['admin_token']` - Admin token for bootstraping keystone server
* `openstack['identity']['admin_workers']` - The number of worker processes to serve the admin WSGI application
* `openstack['identity']['public_workers']` - The number of worker processes to serve the public WSGI application
* `openstack['identity']['roles']` - Array of roles to create in the keystone server
* `openstack['identity']['users']` - Array of users to create in the keystone server
* `openstack['identity']['pastefile_url']` - Specify the URL for a keystone-paste.ini file that will override the default packaged file
* `openstack['identity']['token']['expiration']` - Token validity time in seconds
* `openstack['identity']['token']['hash_algorithm']` - Hash algorithms to use for hashing PKI tokens
* `openstack['identity']['catalog']['backend']` - Storage mechanism for the keystone service catalog
* `openstack['identity']["control_exchange"]` - The AMQP exchange to connect to if using RabbitMQ or Qpid, defaults to openstack
* `openstack['identity']['rpc_backend']` - The messaging module to use
* `openstack['identity']['rpc_thread_pool_size']` - Size of RPC thread pool
* `openstack['identity']['rpc_conn_pool_size']` - Size of RPC connection pool
* `openstack['identity']['rpc_response_timeout']` - Seconds to wait for a response from call or multicall
* `openstack['identity']['ldap']['url']` - LDAP host URL (default: 'ldap://localhost')
* `openstack['identity']['ldap']['user']` - LDAP bind DN (default: 'dc=Manager,dc=example,dc=com')
* `openstack['identity']['ldap']['password']` - LDAP bind password (default: nil)
* `openstack['identity']['ldap']['use_tls']` - Use TLS for LDAP (default: false)
* `openstack['identity']['ldap']['tls_cacertfile']` - Path to CA cert file (default: nil)
* `openstack['identity']['ldap']['tls_cacertdir']` - Path to CA cert directory (default: nil)
* `openstack['identity']['ldap']['tls_req_cert']` - CA cert check ('demand', 'allow' or 'never', default: 'demand')
* `openstack['identity']['ldap']['use_pool']` - Enable LDAP connection pool
* `openstack['identity']['ldap']['pool_size']` - Connection pool size
* `openstack['identity']['ldap']['pool_retry_max']` - Maximum count of reconnect trials
* `openstack['identity']['ldap']['pool_retry_delay']` - Time span in seconds to wait between two reconnect trials (floating point value)
* `openstack['identity']['ldap']['pool_connection_timeout']` - Connector timeout in seconds. Value -1 indicates indefinite
* `openstack['identity']['ldap']['pool_connection_lifetime']` - Connection lifetime in seconds.(integer value)
* `openstack['identity']['ldap']['use_auth_pool']` - Enable LDAP connection pooling for end user authentication
* `openstack['identity']['ldap']['auth_pool_size']` - End user auth connection pool size. (integer value)
* `openstack['identity']['ldap']['auth_pool_connection_lifetime']` - End user auth connection lifetime in seconds. (integervalue)
Note that all attributes are in the `default['openstack']` "namespace"

* `openstack['identity']['misc_keystone']` - **Array of strings to be added to keystone.conf**
* `openstack['identity']['list_limit']` - Maximum number of entities that will be returned in a collection
* `openstack['identity']['assignment']['list_limit']` - Maximum number of entities that will be returned in a assignment collection
* `openstack['identity']['catalog']['list_limit']` - Maximum number of entities that will be returned in a catalog collection
* `openstack['identity']['identity']['list_limit']` - Maximum number of entities that will be returned in a identity collection
* `openstack['identity']['policy']['list_limit']` - Maximum number of entities that will be returned in a policy collection
* `openstack['identity']['pipeline']['public_api']` - Pipeline of identity public api
* `openstack['identity']['pipeline']['admin_api']` - Pipeline of identity admin api
* `openstack['identity']['pipeline']['api_v3']` - Pipeline of identity V3 api
* `openstack['identity']['ssl']['enabled']` - Enable HTTPS Keystone API endpoint. Default is false
* `openstack['identity']['ssl']['cert_required']` - When SSL is enabled this flag is used to require client certificate. Default is false.
* `openstack['identity']['ssl']['basedir']` - Path to Keystone SSL directory
* `openstack['identity']['ssl']['certfile']`- Cert file location
* `openstack['identity']['ssl']['keyfile']` - Key file location
* `openstack['identity']['ssl']['ca_certs']` - Path to CA certificate file
The usage of attributes to generate the keystone.conf is decribed in the
openstack-common cookbook.

Most `openstack['identity']['ldap']` attributes map directly to the corresponding config options in keystone.conf's `[ldap]` backend. They are primarily used when configuring `openstack['identity']['identity']['backend']` and/or `openstack["identity"]["assignment"]["backend"]` as `ldap` (both default to `sql`).
Recipes
=======

The `openstack['identity']['ldap']['use_tls']` option should not be used in conjunction with an `ldaps://` url. When the latter is used (and `openstack['identity']['ldap']['use_tls'] = false`), the certificate path and validation will instead be subject to the OS's LDAP config.
## openstack-identity::client
- Installs the packages require to use keystone client.

If `openstack['identity']['ldap']['tls_cacertfile']` is set, `openstack['identity']['ldap']['tls_cacertdir']` will be ignored. Set `openstack['identity']['ldap']['tls_cacertfile']` to `nil` if `openstack['identity']['ldap']['tls_cacertdir']` is desired.
Values of `openstack['identity']['ldap']['tls_req_cert']` correspond to the standard options permitted by the TLS_REQCERT TLS option (`never` performs no validation of certs, `allow` performs some basic name checks but no thorough CA validation, `demand` requires the certificate chain to be valid for the connection to succeed).
## openstack-identity::openrc
- Creates a fully usable openrc file to export the needed environment variables
to use the openstack client.

The following attributes are defined in attributes/default.rb of the common cookbook, but are documented here due to their relevance:
## openstack-identity::registration
- Registers the initial keystone endpoint as well as users, tenants and roles
needed for the initial configuration utilizing the LWRP provided inside of
this cookbook. The recipe is documented in detail with inline comments inside
the recipe.

* `openstack['endpoints']['identity-bind']['host']` - The IP address to bind the identity services to
* `openstack['endpoints']['identity-bind']['scheme']` - Unused
* `openstack['endpoints']['identity-bind']['port']` - Unused
* `openstack['endpoints']['identity-bind']['path']` - Unused
* `openstack['endpoints']['identity-bind']['bind_interface']` - The interface name to bind the identity services to
## openstack-identity::server-apache
- Installs and configures the OpenStack Identity Service running inside of an
apache webserver. The recipe is documented in detail with inline comments
inside the recipe.

If the value of the 'bind_interface' attribute is non-nil, then the identity service will be bound to the first IP address on that interface. If the value of the 'bind_interface' attribute is nil, then the identity service will be bound to the IP address specified in the host attribute.
Resources
=========

### SSL enabling
To enable SSL on Keystone, a key and certficate must be created and installed on server running Keystone. The location of these files can be provided with the node attributes described above. Also, note that `openstack['endpoints']['identity-bind']['scheme']`, from openstack common cookbook, must be set to 'https' in order to enable SSL.
## openstack_identity_register

### Token flushing
When managing tokens with an SQL backend the token database may grow unboundedly as new tokens are issued and expired
tokens are not disposed of. Expired tokens may need to be kept around in order to allow for auditability.
### Actions

It is up to deployers to define when their tokens can be safely deleted. Keystone provides a tool to purge expired tokens,
and the server recipe can create a cronjob to run that tool. By default the cronjob will be configured to run hourly.
- create_ec2_credentials:
- create_endpoint:
- create_role:
- create_service:
- create_tenant:
- create_user:
- grant_role:

The flush tokens cronjob configuration parameters are listed below:
### Attribute Parameters

* `openstack['identity']['token_flush_cron']['enabled']` - Boolean indicating whether the flush tokens cronjob is enabled. It is by default enabled if the token backend is 'sql'.
* `openstack['identity']['token_flush_cron']['log_file']` - The log file for the flush tokens tool.
* `openstack['identity']['token_flush_cron']['hour']` - The hour at which the flush tokens cronjob should run (values 0 - 23).
* `openstack['identity']['token_flush_cron']['minute']` - The minute at which the flush tokens cronjob should run (values 0 - 59).
* `openstack']['identity']['token_flush_cron']['day']` - The day of the month when the flush tokens cronjob should run (values 1 - 31).
* `openstack['identity']['token_flush_cron']['weekday']` = The day of the week at which the flush tokens cronjob should run (values 0 - 6, where Sunday is 0).
- auth_uri: The uri used to as authentication endpoint for requests
- bootstrap_token: The admin bootstrap_token used for authentication
- service_type: Type of service to create (e.g. 'identity' or 'volume')
- service_name: The name of the service to create (only for action
:create_service)
- service_description: The description for the service to create (only for
action :create_service)
- endpoint_region: The region to create the endpoint in (only for action
:create_endpoint) Defaults to <code>"RegionOne"</code>.
- endpoint_adminurl: The public url to register for the endpoint (only for
action :create_endpoint)
- endpoint_internalurl: The internal url to register for the endpoint (only for
action :create_endpoint)
- endpoint_publicurl: The public url to register for the endpoint (only for
action :create_endpoint)
- tenant_name: The name of the tenant to create or create the user in (only for
action :create_tenant and :create_user)
- tenant_description: The description of the tenant to create (only for action
:create_tenant)
- tenant_enabled: Enable or disable tenant to create (only for action
:create_tenant) Defaults to <code>true</code>.
- user_name: The name of the user to create (only for action :create_user)
- user_pass: The passwort of the user to create (only for action :create_user)
- user_enabled: Enable or disable user to create (only for action :create_user)
Defaults to <code>true</code>.
- role_name: The name of the role to create or grant to the user (only for
:create_role and :grant_role)
- admin_tenant_name: The name of the admin tenant (only for
:create_ec2_credentials)
- admin_user: The name of the admin user (only for :create_ec2_credentials)
- admin_pass: The password of the admin user (only for :create_ec2_credentials)
- identity_endpoint: The identity endpoint to use for user and ec2 creation. If
not specified, default endpoint will be used. (only for create_ec2_credentials
and create_user)

Testing
=====
### Examples

Please refer to the [TESTING.md](TESTING.md) for instructions for testing the cookbook.
```
# Create 'openstack' tenant
openstack_identity_register "Register 'openstack' Tenant" do
auth_host "192.168.1.10"
auth_port "35357"
auth_protocol "http"
api_ver "/v2.0"
auth_token "123456789876"
tenant_name "openstack"
tenant_description "Default Tenant"
tenant_enabled "true" # Not required as this is the default
action :create_tenant
end

Berkshelf
=====
# Create 'admin' user
openstack_identity_register "Register 'admin' User" do
auth_host "192.168.1.10"
auth_port "35357"
auth_protocol "http"
api_ver "/v2.0"
auth_token "123456789876"
tenant_name "openstack"
user_name "admin"
user_pass "secrete"
user_enabled "true" # Not required as this is the default
action :create_user
end

# Create 'admin' role
openstack_identity_register "Register 'admin' Role" do
auth_host "192.168.1.10"
auth_port "35357"
auth_protocol "http"
api_ver "/v2.0"
auth_token "123456789876"
role_name role_key
action :create_role
end

# Grant 'admin' role to 'admin' user in the 'openstack' tenant
openstack_identity_register "Grant 'admin' Role to 'admin' User" do
auth_host "192.168.1.10"
auth_port "35357"
auth_protocol "http"
api_ver "/v2.0"
auth_token "123456789876"
tenant_name "openstack"
user_name "admin"
role_name "admin"
action :grant_role
end

# Create 'identity' service
openstack_identity_register "Register Identity Service" do
auth_host "192.168.1.10"
auth_port "35357"
auth_protocol "http"
api_ver "/v2.0"
auth_token "123456789876"
service_name "keystone"
service_type "identity"
service_description "Keystone Identity Service"
action :create_service
end

# Create 'identity' endpoint
openstack_identity_register "Register Identity Endpoint" do
auth_host "192.168.1.10"
auth_port "35357"
auth_protocol "http"
api_ver "/v2.0"
auth_token "123456789876"
service_type "identity"
endpoint_region "RegionOne"
endpoint_adminurl "http://192.168.1.10:35357/v2.0"
endpoint_internalurl "http://192.168.1.10:5001/v2.0"
endpoint_publicurl "http://1.2.3.4:5001/v2.0"
action :create_endpoint
end
```

Berks will resolve version requirements and dependencies on first run and
store these in Berksfile.lock. If new cookbooks become available you can run
`berks update` to update the references in Berksfile.lock. Berksfile.lock will
be included in stable branches to provide a known good set of dependencies.
Berksfile.lock will not be included in development branches to encourage
development against the latest cookbooks.

License and Author
==================
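Review bot: the `openstack_identity_register` examples under the new "### Examples" heading still set `auth_host`, `auth_port`, `auth_protocol`, `api_ver` and `auth_token`, none of which appear in the attribute list that now precedes them (that list documents `auth_uri` and `bootstrap_token` instead), and the "Register 'admin' Role" example passes an undefined `role_key` in `role_name role_key`; rewrite the examples against the documented parameters with a literal role name, or a reader copying them gets a resource that cannot compile. While touching them, replace the hard-coded `auth_token "123456789876"` and `user_pass "secrete"` with a reference to wherever the deployment keeps its secrets, since README snippets are pasted into wrapper cookbooks verbatim. Smaller points: the fence that opens the examples has no language tag (the run-list fences above use ```json, so ```ruby fits here); "Testing" and "Berkshelf" are underlined with five `=` characters, shorter than the heading text; `endpoint_adminurl` is described as "The public url to register" and should read "The admin url"; "passwort" in the `user_pass` entry should be "password"; "The uri used to as authentication endpoint" has a stray "to"; and "Installs the packages require to use keystone client" should be "required".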
@@ -370,7 +217,7 @@ Author:: Sean Gallagher (<sean.gallagher@att.com>)
Author:: Ionut Artarisi (<iartarisi@suse.cz>)
Author:: Chen Zhiwei (zhiwchen@cn.ibm.com)
Author:: Eric Zhou (zyouzhou@cn.ibm.com)
Author:: Jan Klare (j.klare@x-ion.de)
Author:: Jan Klare (j.klare@cloudbau.de)

Copyright 2012, Rackspace US, Inc.
Copyright 2012-2013, Opscode, Inc.
@@ -18,43 +18,43 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# Set to some text value if you want templated config files
# to contain a custom banner at the top of the written file
default['openstack']['identity']['custom_template_banner'] = "
# This file autogenerated by Chef
# Do not edit, changes will be overwritten
"
default['openstack']['identity']['custom_template_banner'] =
'# This file autogenerated by Chef, changes will be overwritten'

# Set the endpoints for the identity service to allow all other cookbooks to
# access and use them
%w(public internal admin).each do |ep_type|
# openstack identity service endpoints (used by users and services)
%w(admin internal public).each do |ep_type|
# host for openstack admin/internal/public identity endpoint
default['openstack']['endpoints'][ep_type]['identity']['host'] = '127.0.0.1'
# scheme for openstack admin/internal/public identity endpoint
default['openstack']['endpoints'][ep_type]['identity']['scheme'] = 'http'
# path for openstack admin/internal/public identity endpoint
default['openstack']['endpoints'][ep_type]['identity']['path'] = '/v2.0'
end

# port for openstack public identity endpoint
default['openstack']['endpoints']['public']['identity']['port'] = 5000
# port for openstack internal identity endpoint
default['openstack']['endpoints']['internal']['identity']['port'] = 5000
# port for openstack admin identity endpoint
default['openstack']['endpoints']['admin']['identity']['port'] = 35357

# address for openstack identity service main endpoint to bind to
default['openstack']['bind_service']['main']['identity']['host'] = '127.0.0.1'
# port for openstack identity service main endpoint to bind to
default['openstack']['bind_service']['main']['identity']['port'] = 5000
# address for openstack identity service admin endpoint to bind to
default['openstack']['bind_service']['admin']['identity']['host'] = '127.0.0.1'
# port for openstack identity service admin endpoint to bind to
default['openstack']['bind_service']['admin']['identity']['port'] = 35357

# identity service catalog backend for service endpoints
default['openstack']['identity']['catalog']['backend'] = 'sql'
# identity service token backend for user and service tokens
default['openstack']['identity']['token']['backend'] = 'sql'
# Adding these as blank
# this needs to be here for the initial deep-merge to work
default['credentials']['EC2']['admin']['access'] = ''
default['credentials']['EC2']['admin']['secret'] = ''

default['openstack']['identity']['verbose'] = 'False'
default['openstack']['identity']['debug'] = 'False'

# Keystone service startup delay, in seconds
# identity service startup delay, in seconds
default['openstack']['identity']['start_delay'] = 10

# Specify a location to retrieve keystone-paste.ini from
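Review bot: `default['credentials']['EC2']['admin']['access']`/`['secret']` and `default['openstack']['identity']['verbose']`/`['debug']` are the only attributes in this hunk left without a descriptive inline comment, although documenting attributes is the point of the change; the existing "Adding these as blank / this needs to be here for the initial deep-merge to work" note should also say where the real access/secret pair is expected to come from, so an empty credential is not mistaken for a working default. Also, `verbose` and `debug` are set to the string `'False'` while the other flags in this file use the Ruby boolean (`ssl['enabled'] = false`, `syslog['use'] = false`); if the template needs the string form, a one-line comment saying so saves the next reader a check.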
@@ -84,14 +84,19 @@ default['openstack']['identity']['pipeline']['admin_api'] = 'sizelimit url_norma
# application. It cannot be a filter.
default['openstack']['identity']['pipeline']['api_v3'] = 'sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension oauth1_extension endpoint_filter_extension service_v3'

# region to be used for endpoint registration
default['openstack']['identity']['region'] = node['openstack']['region']

# Logging stuff
# enable or disable the usage of syslog
default['openstack']['identity']['syslog']['use'] = false
# syslog log facility to log to in case syslog is used
default['openstack']['identity']['syslog']['facility'] = 'LOG_LOCAL2'
# syslog config facility in case syslog is used
default['openstack']['identity']['syslog']['config_facility'] = 'local2'

# user to be created and used for identity service
default['openstack']['identity']['admin_user'] = 'admin'
# tenant to be created and used for identity service
default['openstack']['identity']['admin_tenant_name'] = 'admin'

default['openstack']['identity']['users'] = {
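Review bot: the new comments on `admin_user` and `admin_tenant_name` ("user to be created and used for identity service", "tenant to be created and used for identity service") do not say that these name the bootstrap administrative identity the registration recipe creates, nor that the same values are what the register resource's `admin_user`/`admin_tenant_name` parameters in the README expect; naming the consumers makes clear why the two must be changed together. Minor: "# Logging stuff" is kept as a heading above the new syslog comments and now adds nothing.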
@@ -104,23 +109,25 @@ default['openstack']['identity']['users'] = {
|
||||
}
|
||||
}
|
||||
|
||||
# SSL Options
|
||||
# Specify whether to enable SSL for Keystone API endpoint
|
||||
# specify whether to enable SSL for Keystone API endpoint
|
||||
default['openstack']['identity']['ssl']['enabled'] = false
|
||||
# Specify server whether to enforce client certificate requirement
|
||||
# specify server whether to enforce client certificate requirement
|
||||
default['openstack']['identity']['ssl']['cert_required'] = false
|
||||
# SSL certificate, keyfile and CA certficate file locations
|
||||
default['openstack']['identity']['ssl']['basedir'] = '/etc/keystone/ssl'
|
||||
# Path of the cert file for SSL.
|
||||
# Protocol for SSL (Apache)
|
||||
default['openstack']['identity']['ssl']['protocol'] = 'All -SSLv2 -SSLv3'
|
||||
# Which ciphers to use with the SSL/TLS protocol (Apache)
|
||||
# Example: 'RSA:HIGH:MEDIUM:!LOW:!kEDH:!aNULL:!ADH:!eNULL:!EXP:!SSLv2:!SEED:!CAMELLIA:!PSK!RC4:!RC4-MD5:!RC4-SHA'
|
||||
default['openstack']['identity']['ssl']['ciphers'] = nil
|
||||
|
||||
# PKI signing. Corresponds to the [signing] section of keystone.conf
|
||||
# Note this section is only written if node['openstack']['auth']['strategy'] == 'pki'
|
||||
default['openstack']['identity']['signing']['basedir'] = '/etc/keystone/ssl'
|
||||
# path of the cert file for SSL.
|
||||
default['openstack']['identity']['ssl']['certfile'] = "#{node['openstack']['identity']['ssl']['basedir']}/certs/sslcert.pem"
|
||||
# path of the keyfile for SSL.
|
||||
default['openstack']['identity']['ssl']['keyfile'] = "#{node['openstack']['identity']['ssl']['basedir']}/private/sslkey.pem"
|
||||
# path of the CA cert file for SSL.
|
||||
default['openstack']['identity']['ssl']['ca_certs'] = "#{node['openstack']['identity']['ssl']['basedir']}/certs/sslca.pem"
|
||||
# path of the CA cert files for SSL (Apache)
|
||||
default['openstack']['identity']['ssl']['ca_certs_path'] = "#{node['openstack']['identity']['ssl']['basedir']}/certs/"
|
||||
|
||||
# Fernet keys. Note this section is only written if
|
||||
# node['openstack']['auth']['strategy'] == 'fernet'
|
||||
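Review bot: the cipher example in the `ssl.ciphers` comment has a missing separator: `!PSK!RC4` should read `!PSK:!RC4`, otherwise anyone copying the example gets a different OpenSSL cipher string than intended. Same hunk: `certficate` should be `certificate`, and `# specify server whether to enforce client certificate requirement` reads better as `# whether the server requires a client certificate (mutual TLS)`. Since `ssl.ciphers` defaults to `nil`, the comment should also say that nil means Apache's own default cipher list is used.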
@@ -132,57 +139,46 @@ default['openstack']['identity']['signing']['basedir'] = '/etc/keystone/ssl'
|
||||
# http://docs.openstack.org/admin-guide-cloud/keystone_fernet_token_faq.html
|
||||
default['openstack']['identity']['fernet']['keys'] = [0, 1]
|
||||
|
||||
# The authorization configuration options
|
||||
# The external (REMOTE_USER) auth plugin module. (String value)
|
||||
default['openstack']['identity']['auth']['external'] = 'keystone.auth.plugins.external.DefaultDomain'
|
||||
# Default auth methods. (List value)
|
||||
default['openstack']['identity']['auth']['methods'] = 'external, password, token, oauth1'
|
||||
|
||||
# Token flushing cronjob
|
||||
default['openstack']['identity']['token_flush_cron']['log_file'] = '/var/log/keystone/token-flush.log'
|
||||
default['openstack']['identity']['token_flush_cron']['hour'] = '*'
|
||||
default['openstack']['identity']['token_flush_cron']['minute'] = '0'
|
||||
default['openstack']['identity']['token_flush_cron']['day'] = '*'
|
||||
default['openstack']['identity']['token_flush_cron']['weekday'] = '*'
|
||||
# enable or disable the usage of the token flushing cronjob
|
||||
default['openstack']['identity']['token_flush_cron']['enabled'] = true
|
||||
# log file location for token flushing cronjob
|
||||
default['openstack']['identity']['token_flush_cron']['log_file'] = '/var/log/keystone/token-flush.log'
|
||||
# hour to run token flushing cronjob
|
||||
default['openstack']['identity']['token_flush_cron']['hour'] = '*'
|
||||
# minute to run token flushing cronjob
|
||||
default['openstack']['identity']['token_flush_cron']['minute'] = '0'
|
||||
# day to run token flushing cronjob
|
||||
default['openstack']['identity']['token_flush_cron']['day'] = '*'
|
||||
# weekday to run token flushing cronjob
|
||||
default['openstack']['identity']['token_flush_cron']['weekday'] = '*'
|
||||
|
||||
# configuration directory for keystone domain specific options
|
||||
default['openstack']['identity']['identity']['domain_config_dir'] = '/etc/keystone/domains'
|
||||
|
||||
# PKI signing. Corresponds to the [signing] section of keystone.conf
|
||||
# Note this section is only written if node['openstack']['auth']['strategy'] == 'pki'
|
||||
default['openstack']['identity']['signing']['basedir'] = '/etc/keystone/ssl'
|
||||
|
||||
# certfile used for keystone pki token signing
|
||||
default['openstack']['identity']['signing']['certfile'] = "#{node['openstack']['identity']['signing']['basedir']}/certs/signing_cert.pem"
|
||||
# keyfile used for keystone pki token signing
|
||||
default['openstack']['identity']['signing']['keyfile'] = "#{node['openstack']['identity']['signing']['basedir']}/private/signing_key.pem"
|
||||
# certificate authority used for keystone pki token signing
|
||||
default['openstack']['identity']['signing']['ca_certs'] = "#{node['openstack']['identity']['signing']['basedir']}/certs/ca.pem"
|
||||
# Misc option support
|
||||
# Allow additional strings to be added to keystone.conf
|
||||
# For example: ['# Comment', 'key=value']
|
||||
default['openstack']['identity']['misc_keystone'] = []
|
||||
|
||||
# SSL Options
|
||||
# Specify whether to enable SSL for Keystone API endpoint
|
||||
default['openstack']['identity']['ssl']['enabled'] = false
|
||||
# Specify server whether to enforce client certificate requirement
|
||||
default['openstack']['identity']['ssl']['cert_required'] = false
|
||||
# SSL certificate, keyfile and CA certficate file locations
|
||||
default['openstack']['identity']['ssl']['basedir'] = '/etc/keystone/ssl'
|
||||
# Path of the cert file for SSL.
|
||||
default['openstack']['identity']['ssl']['certfile'] = "#{node['openstack']['identity']['ssl']['basedir']}/certs/sslcert.pem"
|
||||
# Path of the keyfile for SSL.
|
||||
default['openstack']['identity']['ssl']['keyfile'] = "#{node['openstack']['identity']['ssl']['basedir']}/private/sslkey.pem"
|
||||
# Path of the CA cert file for SSL.
|
||||
default['openstack']['identity']['ssl']['ca_certs'] = "#{node['openstack']['identity']['ssl']['basedir']}/certs/sslca.pem"
|
||||
# Path of the CA cert files for SSL (Apache)
|
||||
default['openstack']['identity']['ssl']['ca_certs_path'] = "#{node['openstack']['identity']['ssl']['basedir']}/certs/"
|
||||
# Protocol for SSL (Apache)
|
||||
default['openstack']['identity']['ssl']['protocol'] = 'All -SSLv2 -SSLv3'
|
||||
# Which ciphers to use with the SSL/TLS protocol (Apache)
|
||||
# Example: 'RSA:HIGH:MEDIUM:!LOW:!kEDH:!aNULL:!ADH:!eNULL:!EXP:!SSLv2:!SEED:!CAMELLIA:!PSK!RC4:!RC4-MD5:!RC4-SHA'
|
||||
default['openstack']['identity']['ssl']['ciphers'] = nil
|
||||
# keystone service user name
|
||||
default['openstack']['identity']['user'] = 'keystone'
|
||||
# keystone service user group
|
||||
default['openstack']['identity']['group'] = 'keystone'
|
||||
|
||||
# platform defaults
|
||||
case platform_family
|
||||
when 'fedora', 'rhel' # :pragma-foodcritic: ~FC024 - won't fix this
|
||||
default['openstack']['identity']['user'] = 'keystone'
|
||||
default['openstack']['identity']['group'] = 'keystone'
|
||||
# platform specific package and service name options
|
||||
default['openstack']['identity']['platform'] = {
|
||||
'memcache_python_packages' => ['python-memcached'],
|
||||
'keystone_packages' => ['openstack-keystone'],
|
||||
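Review bot: the comment on `token_flush_cron.enabled` should mention that the cron is only installed when the token backend is `sql` (server-apache.rb gates it with `&& node['openstack']['identity']['token']['backend'] == 'sql'`); with fernet tokens this attribute has no effect and readers would otherwise expect a cron job. Also in this hunk: `identity.user` and `identity.group` are set to `'keystone'` both before `case platform_family` and again inside the `'fedora', 'rhel'` and `'debian'` branches; keep one place. The `fernet.keys = [0, 1]` comment could add that the key material itself comes from the secrets lookup in `_fernet_tokens.rb`, not from these indices.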
@@ -193,8 +189,7 @@ when 'fedora', 'rhel' # :pragma-foodcritic: ~FC024 - won't fix this
|
||||
'package_options' => ''
|
||||
}
|
||||
when 'debian'
|
||||
default['openstack']['identity']['user'] = 'keystone'
|
||||
default['openstack']['identity']['group'] = 'keystone'
|
||||
# platform specific package and service name options
|
||||
default['openstack']['identity']['platform'] = {
|
||||
'memcache_python_packages' => ['python-memcache'],
|
||||
'keystone_packages' => ['keystone'],
|
||||
@@ -206,13 +201,18 @@ when 'debian'
|
||||
}
|
||||
end
|
||||
|
||||
# Array of bare options for openrc (e.g. 'option=value')
|
||||
# array of bare options for openrc (e.g. 'option=value')
|
||||
default['openstack']['misc_openrc'] = nil
|
||||
|
||||
# openrc location and owner
|
||||
# openrc path
|
||||
default['openstack']['openrc']['path'] = '/root'
|
||||
default['openstack']['openrc']['file'] = 'openrc'
|
||||
default['openstack']['openrc']['user'] = 'root'
|
||||
default['openstack']['openrc']['group'] = 'root'
|
||||
default['openstack']['openrc']['file_mode'] = '0600'
|
||||
# openrc path mode
|
||||
default['openstack']['openrc']['path_mode'] = '0700'
|
||||
# openrc file name
|
||||
default['openstack']['openrc']['file'] = 'openrc'
|
||||
# openrc file mode
|
||||
default['openstack']['openrc']['file_mode'] = '0600'
|
||||
# openrc file owner
|
||||
default['openstack']['openrc']['user'] = 'root'
|
||||
# openrc file group
|
||||
default['openstack']['openrc']['group'] = 'root'
|
||||
|
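Review bot: the openrc comments say what each option is but not why `file_mode` is `'0600'` and `path_mode` is `'0700'`: the generated file exports the admin password for the OpenStack client, so these modes are the protection for that credential and the comment should say so, e.g. `# openrc file mode (the file contains the admin credentials, keep it owner-only)`. Also, `misc_openrc` is documented as an array of bare options but defaults to `nil`; either default to `[]` or state that nil is handled by the template.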
@@ -1,29 +1,35 @@
|
||||
# options to add to the keystone.conf as secrets (will not be saved in node
|
||||
# attribute)
|
||||
default['openstack']['identity']['conf_secrets'] = {}
|
||||
default['openstack']['identity']['conf'].tap do |conf|
|
||||
# [DEFAULT]
|
||||
if node['openstack']['identity']['syslog']['use']
|
||||
# [DEFAULT] option in keystone.conf to read additional logging.conf
|
||||
conf['DEFAULT']['log_config_append'] = '/etc/openstack/logging.conf'
|
||||
else
|
||||
# [DEFAULT] option in keystone.conf to set keystone log dir
|
||||
conf['DEFAULT']['log_dir'] = '/var/log/keystone'
|
||||
end
|
||||
if node['openstack']['identity']['notification_driver'] == 'messaging'
|
||||
# [DEFAULT] option in keystone.conf to define mq notification topics
|
||||
conf['DEFAULT']['notification_topics'] = 'notifications'
|
||||
end
|
||||
conf['DEFAULT']['rpc_backend'] = node['openstack']['mq']['service_type']
|
||||
|
||||
# [assignment]
|
||||
# [assignment] option in keystone.conf to set driver
|
||||
conf['assignment']['driver'] = 'keystone.assignment.backends.sql.Assignment'
|
||||
|
||||
# [auth]
|
||||
# [auth] option in keystone.conf to set auth plugins
|
||||
conf['auth']['external'] = 'keystone.auth.plugins.external.DefaultDomain'
|
||||
# [auth] option in keystone.conf to set auth methods
|
||||
conf['auth']['methods'] = 'external, password, token, oauth1'
|
||||
|
||||
# [catalog]
|
||||
# [catalog] option in keystone.conf to set catalog driver
|
||||
conf['catalog']['driver'] = 'keystone.catalog.backends.sql.Catalog'
|
||||
|
||||
# [identity]
|
||||
# [identity] option in keystone.conf to enable domain_specific drivers
|
||||
conf['identity']['domain_specific_drivers_enabled'] = false
|
||||
|
||||
# [policy]
|
||||
# [policy] option in keystone.conf to set policy backend driver
|
||||
conf['policy']['driver'] = 'keystone.policy.backends.sql.Policy'
|
||||
end
|
||||
|
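Review bot: the `conf_secrets` comment states these options `will not be saved in node attribute`, but server-apache.rb assigns into `node.default['openstack']['identity']['conf_secrets']` during the run, so at that point they are node attributes; the comment should name the mechanism that keeps them out of the saved node object (the openstack-common merge step), so a future change does not silently break that guarantee. Also, `conf['auth']['external']` and `conf['auth']['methods']` carry the same values that appear in the default.rb hunk of this change as `['identity']['auth']['external']` and `['methods']`; if those are removed there, fine, otherwise there are two sources of truth for the auth plugin list.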
@@ -6,11 +6,6 @@ description 'The OpenStack Identity service Keystone.'
|
||||
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
|
||||
version '13.0.0'
|
||||
|
||||
recipe 'openstack-identity::client', 'Install packages required for keystone client'
|
||||
recipe 'openstack-identity::server-apache', 'Installs and Configures Keystone Service under Apache'
|
||||
recipe 'openstack-identity::registration', 'Adds user, tenant, role and endpoint records to Keystone'
|
||||
recipe 'openstack-identity::openrc', 'Creates openrc file'
|
||||
|
||||
%w(ubuntu redhat centos).each do |os|
|
||||
supports os
|
||||
end
|
||||
|
@@ -19,12 +19,12 @@
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
|
||||
require 'chef/mixin/shell_out'
|
||||
include Chef::Mixin::ShellOut
|
||||
include ::Openstack
|
||||
|
||||
# creates the defined service as new service for keystone
|
||||
action :create_service do
|
||||
new_resource.updated_by_last_action(false)
|
||||
if node['openstack']['identity']['catalog']['backend'] == 'templated'
|
||||
@@ -57,6 +57,7 @@ action :create_service do
|
||||
end
|
||||
end
|
||||
|
||||
# registers all endpoints for the defined service in keystone
|
||||
action :create_endpoint do
|
||||
new_resource.updated_by_last_action(false)
|
||||
if node['openstack']['identity']['catalog']['backend'] == 'templated'
|
||||
@@ -93,6 +94,7 @@ action :create_endpoint do
|
||||
end
|
||||
end
|
||||
|
||||
# creates the defined tenant in keystone
|
||||
action :create_tenant do
|
||||
begin
|
||||
new_resource.updated_by_last_action(false)
|
||||
@@ -114,6 +116,7 @@ action :create_tenant do
|
||||
end
|
||||
end
|
||||
|
||||
# creates the defined role in keystone
|
||||
action :create_role do
|
||||
begin
|
||||
new_resource.updated_by_last_action(false)
|
||||
@@ -133,6 +136,7 @@ action :create_role do
|
||||
end
|
||||
end
|
||||
|
||||
# creates the defined user in keystone
|
||||
action :create_user do
|
||||
begin
|
||||
new_resource.updated_by_last_action(false)
|
||||
@@ -172,6 +176,7 @@ action :create_user do
|
||||
end
|
||||
end
|
||||
|
||||
# grants the defined role to a given user in a given tenant
|
||||
action :grant_role do
|
||||
begin
|
||||
new_resource.updated_by_last_action(false)
|
||||
@@ -198,6 +203,7 @@ action :grant_role do
|
||||
end
|
||||
end
|
||||
|
||||
# creates ec2_credentials for a given user in a given tenant
|
||||
action :create_ec2_credentials do
|
||||
begin
|
||||
new_resource.updated_by_last_action(false)
|
||||
|
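Review bot: the `:create_ec2_credentials` comment should say that this action is the one that takes `admin_user`, `admin_pass` and `admin_tenant_name` (per the attribute docs in resources/register.rb) instead of relying only on the bootstrap token like the other actions, since its failure mode differs: it needs the admin user created by `:create_user` to already exist.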
@@ -14,7 +14,11 @@
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
|
||||
# This recipe is automatically included in openstack-identiy::service-apache
|
||||
# when node['openstack']['auth']['strategy'] is set to 'fernet'. It will add the
|
||||
# needed configuration options to the keystone.conf and create the needed fernet
|
||||
# tokens from predefined secrets (e.g. encrypted data bags or vaults).
|
||||
|
||||
class ::Chef::Recipe
|
||||
include ::Openstack
|
||||
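Review bot: typo and wrong recipe name in the header comment: `openstack-identiy::service-apache` should be `openstack-identity::server-apache` (the recipe name from metadata.rb). Also `create the needed fernet tokens from predefined secrets` should read `fernet keys`: the key repository holds the signing and encryption keys, tokens are what keystone issues with them.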
@@ -24,7 +28,8 @@ node.default['openstack']['identity']['conf']['fernet_tokens']['key_repository']
|
||||
'/etc/keystone/fernet-tokens'
|
||||
node.default['openstack']['identity']['conf']['token']['provider'] = 'fernet'
|
||||
|
||||
key_repository = node['openstack']['identity']['conf']['fernet_tokens']['key_repository']
|
||||
key_repository =
|
||||
node['openstack']['identity']['conf']['fernet_tokens']['key_repository']
|
||||
|
||||
directory key_repository do
|
||||
owner node['openstack']['identity']['user']
|
||||
|
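Review bot: the `directory key_repository` resource shows `owner` but the hunk ends before `mode`; since this directory holds the fernet keys that sign and encrypt every token, the inline comment should state that it is restricted to the keystone user and group, in line with the `/etc/keystone` directory in server-apache.rb. Nit: the old single-line `key_repository = ...` assignment and the new wrapped form both appear here; make sure only the wrapped one survives.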
@@ -14,7 +14,13 @@
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
|
||||
# This recipe is automatically included in openstack-identiy::service-apache
|
||||
# when node['openstack']['auth']['strategy'] is set to 'pki'. It will either
|
||||
# create the needed pki secrets or load them as remote files. The usage of
|
||||
# keystone pki tokens is deprecated in favor of fernet tokens and this recipe
|
||||
# might be removed in future releases when the support for pki is removed from
|
||||
# keystone.
|
||||
|
||||
certfile_url = node['openstack']['identity']['signing']['certfile_url']
|
||||
keyfile_url = node['openstack']['identity']['signing']['keyfile_url']
|
||||
|
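Review bot: same header typo as in _fernet_tokens.rb: `openstack-identiy::service-apache` should be `openstack-identity::server-apache`. The comment says the secrets are either created or `loaded as remote files`; since `keyfile_url` points at the private token signing key, the comment should state that this URL is expected to be a trusted, TLS-protected source, because a plain http URL would expose the signing key in transit.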
@@ -16,7 +16,8 @@
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
|
||||
# This recipe installs the packages require to use keystone client.
|
||||
|
||||
class ::Chef::Recipe
|
||||
include ::Openstack
|
||||
|
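Review bot: `packages require to use keystone client` should read `packages required to use the keystone client`.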
@@ -16,9 +16,10 @@
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
|
||||
# Chef
|
||||
# This recipe create a fully usable openrc file to export the needed environment
|
||||
# variables to use the openstack client.
|
||||
|
||||
class ::Chef::Recipe
|
||||
include ::Openstack
|
||||
end
|
||||
|
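Review bot: a stray `# Chef` line is left above the description comment; drop it. `This recipe create` should be `This recipe creates`. Worth adding to the same comment that the generated file contains the admin password and is therefore written with the restrictive modes from `node['openstack']['openrc']`.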
@@ -17,26 +17,31 @@
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
|
||||
# This recipe registers the initial keystone endpoint as well as users, tenants
|
||||
# and roles needed for the initial configuration utilizing the LWRP provided
|
||||
# inside of this cookbook. The recipe is documented in detail with inline
|
||||
# comments inside the recipe.
|
||||
|
||||
require 'uri'
|
||||
|
||||
class ::Chef::Recipe
|
||||
include ::Openstack
|
||||
end
|
||||
|
||||
# define the endpoints to register for the keystone identity service
|
||||
identity_admin_endpoint = admin_endpoint 'identity'
|
||||
identity_internal_endpoint = internal_endpoint 'identity'
|
||||
identity_public_endpoint = public_endpoint 'identity'
|
||||
auth_uri = ::URI.decode identity_admin_endpoint.to_s
|
||||
|
||||
# define the credentials to use for the initial admin user
|
||||
admin_tenant_name = node['openstack']['identity']['admin_tenant_name']
|
||||
admin_user = node['openstack']['identity']['admin_user']
|
||||
admin_pass = get_password 'user', node['openstack']['identity']['admin_user']
|
||||
|
||||
bootstrap_token = get_password 'token', 'openstack_identity_bootstrap_token'
|
||||
|
||||
# Register all the tenants specified in the users hash
|
||||
# register all the tenants specified in the users hash
|
||||
identity_tenants = node['openstack']['identity']['users'].values.map do |user_info|
|
||||
user_info['roles'].values.push(user_info['default_tenant'])
|
||||
end
|
||||
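Review bot: `auth_uri = ::URI.decode identity_admin_endpoint.to_s` uses `URI.decode`, which is marked obsolete in Ruby's URI module; `URI::DEFAULT_PARSER.unescape` is the non-deprecated equivalent for these URLs. Also, the header sentence `The recipe is documented in detail with inline comments inside the recipe` is circular inside the recipe itself; that sentence belongs in the README.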
@@ -52,7 +57,7 @@ identity_tenants.flatten.uniq.each do |tenant_name|
|
||||
end
|
||||
end
|
||||
|
||||
# Register all the roles from the users hash
|
||||
# register all the roles and users from the users hash
|
||||
identity_roles = node['openstack']['identity']['users'].values.map do |user_info|
|
||||
user_info['roles'].keys
|
||||
end
|
||||
@@ -95,6 +100,7 @@ node['openstack']['identity']['users'].each do |username, user_info|
|
||||
end
|
||||
end
|
||||
|
||||
# register the identity service itself
|
||||
openstack_identity_register 'Register Identity Service' do
|
||||
auth_uri auth_uri
|
||||
bootstrap_token bootstrap_token
|
||||
@@ -114,6 +120,7 @@ Chef::Log.info "Keystone AdminURL: #{identity_admin_endpoint}"
|
||||
Chef::Log.info "Keystone InternalURL: #{identity_internal_endpoint}"
|
||||
Chef::Log.info "Keystone PublicURL: #{identity_public_endpoint}"
|
||||
|
||||
# register the identity service endpoints
|
||||
openstack_identity_register 'Register Identity Endpoint' do
|
||||
auth_uri auth_uri
|
||||
bootstrap_token bootstrap_token
|
||||
@@ -127,6 +134,7 @@ openstack_identity_register 'Register Identity Endpoint' do
|
||||
not_if { node['openstack']['identity']['catalog']['backend'] == 'templated' }
|
||||
end
|
||||
|
||||
# create ec2 creadentials for the users from the users hash
|
||||
node['openstack']['identity']['users'].each do |username, user_info|
|
||||
openstack_identity_register "Create EC2 credentials for '#{username}' user" do
|
||||
auth_uri auth_uri
|
||||
|
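Review bot: `creadentials` should be `credentials` in the new comment.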
@@ -16,20 +16,27 @@
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
|
||||
# This recipe installs and configures the OpenStack Identity Service running
|
||||
# inside of an apache webserver. The recipe is documented in detail with inline
|
||||
# comments inside the recipe.
|
||||
|
||||
require 'uri'
|
||||
|
||||
# load the methods defined in cookbook-openstack-common libraries
|
||||
class ::Chef::Recipe
|
||||
include ::Openstack
|
||||
end
|
||||
|
||||
# include the logging recipe from openstack-common if syslog usage is enbaled
|
||||
if node['openstack']['identity']['syslog']['use']
|
||||
include_recipe 'openstack-common::logging'
|
||||
end
|
||||
|
||||
platform_options = node['openstack']['identity']['platform']
|
||||
|
||||
# install the database python adapter packages for the selected database
|
||||
# service_type
|
||||
db_type = node['openstack']['db']['identity']['service_type']
|
||||
unless db_type == 'sqlite'
|
||||
node['openstack']['db']['python_packages'][db_type].each do |pkg|
|
||||
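Review bot: `enbaled` should be `enabled` in the syslog comment. The header sentence `The recipe is documented in detail with inline comments inside the recipe` is circular here, as in registration.rb, and should move to the README.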
@@ -41,6 +48,7 @@ unless db_type == 'sqlite'
|
||||
end
|
||||
end
|
||||
|
||||
# install the python memcache adapter packages
|
||||
platform_options['memcache_python_packages'].each do |pkg|
|
||||
package "identity cookbook package #{pkg}" do
|
||||
package_name pkg
|
||||
@@ -49,6 +57,7 @@ platform_options['memcache_python_packages'].each do |pkg|
|
||||
end
|
||||
end
|
||||
|
||||
# install the keystone packages
|
||||
platform_options['keystone_packages'].each do |pkg|
|
||||
package "identity cookbook package #{pkg}" do
|
||||
package_name pkg
|
||||
@@ -57,17 +66,21 @@ platform_options['keystone_packages'].each do |pkg|
|
||||
end
|
||||
end
|
||||
|
||||
# stop and disable the service keystone itself, since it should be run inside
|
||||
# of apache
|
||||
service 'keystone' do
|
||||
service_name platform_options['keystone_service']
|
||||
action [:stop, :disable]
|
||||
end
|
||||
|
||||
# create the keystone config directory and set correct permissions
|
||||
directory '/etc/keystone' do
|
||||
owner node['openstack']['identity']['user']
|
||||
group node['openstack']['identity']['group']
|
||||
mode 00700
|
||||
end
|
||||
|
||||
# create keystone domain config dir if needed
|
||||
directory node['openstack']['identity']['identity']['domain_config_dir'] do
|
||||
owner node['openstack']['identity']['user']
|
||||
group node['openstack']['identity']['group']
|
||||
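Review bot: `create the keystone config directory and set correct permissions` should say what `mode 00700` protects: keystone.conf is written into this directory with the admin token and the database and rabbit credentials merged from `conf_secrets`, which is why it must not be world-readable. Suggest `# create the keystone config directory, owner-only since keystone.conf holds secrets`.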
@@ -75,11 +88,14 @@ directory node['openstack']['identity']['identity']['domain_config_dir'] do
|
||||
only_if { node['openstack']['identity']['identity']['domain_specific_drivers_enabled'] }
|
||||
end
|
||||
|
||||
# delete the keystone.db sqlite file if another db backend is used
|
||||
file '/var/lib/keystone/keystone.db' do
|
||||
action :delete
|
||||
not_if { node['openstack']['db']['identity']['service_type'] == 'sqlite' }
|
||||
end
|
||||
|
||||
# include the recipe to setup the selected keystone auth strategy (pki or
|
||||
# fernet)
|
||||
case node['openstack']['auth']['strategy']
|
||||
when 'pki'
|
||||
include_recipe 'openstack-identity::_pki_tokens'
|
||||
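Review bot: the `only_if` reads `node['openstack']['identity']['identity']['domain_specific_drivers_enabled']`, while the new attributes/conf.rb in this change sets `conf['identity']['domain_specific_drivers_enabled']` under `['identity']['conf']`; the two paths do not match, so enabling domain-specific drivers via the conf attribute never creates `domain_config_dir`. Either read `node['openstack']['identity']['conf']['identity']['domain_specific_drivers_enabled']` here or document that the old path is still the switch. Likewise `domain_config_dir` is defined outside `conf`, so it is not written to the `[identity]` section of keystone.conf unless it is added there.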
@@ -87,33 +103,36 @@ when 'fernet'
|
||||
include_recipe 'openstack-identity::_fernet_tokens'
|
||||
end
|
||||
|
||||
# define the address to bind the keystone apache main service to
|
||||
main_bind_service = node['openstack']['bind_service']['main']['identity']
|
||||
main_bind_address = bind_address main_bind_service
|
||||
# define the address to bind the keystone apache admin service to
|
||||
admin_bind_service = node['openstack']['bind_service']['admin']['identity']
|
||||
admin_bind_address = bind_address admin_bind_service
|
||||
|
||||
# define the address where the keystone admin endpoint will be reachable
|
||||
identity_admin_endpoint = admin_endpoint 'identity'
|
||||
|
||||
# set the keystone database credentials
|
||||
db_user = node['openstack']['db']['identity']['username']
|
||||
db_pass = get_password 'db', 'keystone'
|
||||
node.default['openstack']['identity']['conf_secrets']
|
||||
.[]('database')['connection'] =
|
||||
db_uri('identity', db_user, db_pass)
|
||||
|
||||
# define the admin keystone bootstrap token
|
||||
bootstrap_token = get_password 'token', 'openstack_identity_bootstrap_token'
|
||||
|
||||
# If the search role is set, we search for memcache
|
||||
# servers via a Chef search. If not, we look at the
|
||||
# memcache.servers attribute.
|
||||
memcache_servers = memcached_servers.join ',' # from openstack-common lib
|
||||
# search for memcache servers using the method from cookbook-openstack-common
|
||||
memcache_servers = memcached_servers.join ','
|
||||
|
||||
# These configuration endpoints must not have the path (v2.0, etc)
|
||||
# added to them, as these values are used in returning the version
|
||||
# listing information from the root / endpoint.
|
||||
# define the address where the keystone public endpoint will be reachable
|
||||
identity_public_endpoint = public_endpoint 'identity'
|
||||
ie = identity_public_endpoint
|
||||
# define the keystone public endpoint full path
|
||||
public_endpoint = "#{ie.scheme}://#{ie.host}:#{ie.port}/"
|
||||
ae = identity_admin_endpoint
|
||||
# define the keystone admin endpoint full path
|
||||
admin_endpoint = "#{ae.scheme}://#{ae.host}:#{ae.port}/"
|
||||
|
||||
# If a keystone-paste.ini is specified use it.
|
||||
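Review bot: the comment replacing `These configuration endpoints must not have the path (v2.0, etc) added to them, as these values are used in returning the version listing information from the root / endpoint` loses the reason the path is stripped, and the new wording `define the keystone public endpoint full path` says the opposite of what `"#{ie.scheme}://#{ie.host}:#{ie.port}/"` does (it drops the path). Keep the original explanation. Also `memcache_servers = memcached_servers.join ','` appears twice here, once under each comment variant; only one should remain.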
@@ -137,6 +156,7 @@ else
|
||||
end
|
||||
end
|
||||
|
||||
# set keystone config parameter for rabbitmq if rabbit is the rpc_backend
|
||||
if node['openstack']['identity']['conf']['DEFAULT']['rpc_backend'] == 'rabbit'
|
||||
user = node['openstack']['mq']['identity']['rabbit']['userid']
|
||||
node.default['openstack']['identity']['conf_secrets']
|
||||
@@ -146,18 +166,18 @@ if node['openstack']['identity']['conf']['DEFAULT']['rpc_backend'] == 'rabbit'
|
||||
get_password 'user', user
|
||||
end
|
||||
|
||||
# set keystone config parameters for admin_token, endpoints and memcache
|
||||
node.default['openstack']['identity']['conf'].tap do |conf|
|
||||
# [DEFAULT] section
|
||||
conf['DEFAULT']['admin_token'] = bootstrap_token
|
||||
conf['DEFAULT']['public_endpoint'] = public_endpoint
|
||||
conf['DEFAULT']['admin_endpoint'] = admin_endpoint
|
||||
# [memcache] section
|
||||
conf['memcache']['servers'] = memcache_servers if memcache_servers
|
||||
end
|
||||
|
||||
# merge all config options and secrets to be used in the nova.conf.erb
|
||||
keystone_conf_options = merge_config_options 'identity'
|
||||
|
||||
# create the keystone.conf from attributes
|
||||
template '/etc/keystone/keystone.conf' do
|
||||
source 'openstack-service.conf.erb'
|
||||
cookbook 'openstack-common'
|
||||
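Review bot: `conf['DEFAULT']['admin_token'] = bootstrap_token` places the bootstrap token under `conf`, whereas the database connection string and the rabbit password in this same recipe go into `conf_secrets` precisely so they are not persisted as node attributes; the admin token grants full API access and should be set via `node.default['openstack']['identity']['conf_secrets']['DEFAULT']['admin_token']` for the same reason. Also `to be used in the nova.conf.erb` is copied from the compute cookbook and should read `keystone.conf`.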
@@ -179,6 +199,9 @@ end
|
||||
|
||||
# TODO: (jklare) needs to be refactored and filled by the service cookbooks, to
|
||||
# avoid dependencies on unused cookbooks
|
||||
|
||||
# configure the endpoints in keystone_catalog.templates if the catalog backend
|
||||
# is templated
|
||||
if node['openstack']['identity']['catalog']['backend'] == 'templated'
|
||||
# These values are going into the templated catalog and
|
||||
# since they're the endpoints being used by the clients,
|
||||
@@ -189,7 +212,7 @@ if node['openstack']['identity']['catalog']['backend'] == 'templated'
|
||||
network_public_endpoint = public_endpoint 'network'
|
||||
volume_public_endpoint = public_endpoint 'block-storage'
|
||||
|
||||
# populate the templated catlog, if you're using the templated catalog backend
|
||||
# populate the templated catlog
|
||||
# TODO: (jklare) this should be done in a helper method
|
||||
uris = {
|
||||
'identity-admin' => identity_admin_endpoint.to_s.gsub('%25', '%'),
|
||||
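Review bot: `catlog` should be `catalog` in the new comment (the typo was carried over from the old line).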
@@ -220,7 +243,7 @@ execute 'keystone-manage db_sync' do
|
||||
only_if { node['openstack']['db']['identity']['migrate'] }
|
||||
end
|
||||
|
||||
# Configure the flush tokens cronjob
|
||||
# configure the flush tokens cronjob
|
||||
should_run_cron = node['openstack']['identity']['token_flush_cron']['enabled'] && node['openstack']['identity']['token']['backend'] == 'sql'
|
||||
log_file = node['openstack']['identity']['token_flush_cron']['log_file']
|
||||
|
||||
@@ -237,20 +260,22 @@ end
|
||||
|
||||
#### Start of Apache specific work
|
||||
|
||||
# configure attributes for apache2 cookbook to align with openstack settings
|
||||
apache_listen = Array(node['apache']['listen']) # include already defined listen attributes
|
||||
# Remove the default apache2 cookbook port, as that is also the default for horizon, but with
|
||||
# a different address syntax. *:80 vs 0.0.0.0:80
|
||||
apache_listen -= ['*:80']
|
||||
|
||||
apache_listen += ["#{main_bind_address}:#{main_bind_service.port}"]
|
||||
apache_listen += ["#{admin_bind_address}:#{admin_bind_service.port}"]
|
||||
|
||||
node.normal['apache']['listen'] = apache_listen.uniq
|
||||
|
||||
# include the apache2 default recipe and the recipes for mod_wsgi
|
||||
include_recipe 'apache2'
|
||||
include_recipe 'apache2::mod_wsgi'
|
||||
# include the apache2 mod_ssl recipe if ssl is enabled for identity
|
||||
include_recipe 'apache2::mod_ssl' if node['openstack']['identity']['ssl']['enabled']
|
||||
|
||||
# create the keystone apache directory
|
||||
keystone_apache_dir = "#{node['apache']['docroot_dir']}/keystone"
|
||||
directory keystone_apache_dir do
|
||||
owner 'root'
|
||||
@@ -285,6 +310,8 @@ wsgi_apps = {
|
||||
}
|
||||
}
|
||||
|
||||
# create the keystone apache config using the web_app resource from the apache2
|
||||
# cookbook
|
||||
wsgi_apps.each do |app, opt|
|
||||
web_app "keystone-#{app}" do
|
||||
template 'wsgi-keystone.conf.erb'
|
||||
@@ -306,12 +333,15 @@ wsgi_apps.each do |app, opt|
|
||||
end
|
||||
end
|
||||
|
||||
# wait for apache2 to be fully reloaded and the keystone endpoint to become
|
||||
# available
|
||||
execute 'Keystone: sleep' do
|
||||
command "sleep #{node['openstack']['identity']['start_delay']}"
|
||||
action :nothing
|
||||
end
|
||||
|
||||
# Hack until Apache cookbook has lwrp's for proper use of notify
|
||||
# restart apache2 after keystone if completely configured
|
||||
execute 'Keystone apache restart' do
|
||||
command 'uname'
|
||||
notifies :restart, 'service[apache2]', :immediately
|
||||
|
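Review bot: `restart apache2 after keystone if completely configured` should read `is completely configured`. Keep the meaning of the `Hack until Apache cookbook has lwrp's for proper use of notify` line in the new comment: without it, `command 'uname'` looks like a mistake rather than a deliberate no-op whose only purpose is to fire the `:restart` notification.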
@@ -16,7 +16,10 @@
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
|
||||
# These resources provide an abstraction layer for interacting with the keystone
|
||||
# server's API, allowin for other nodes to register any required users, tenants,
|
||||
# roles, services, or endpoints.
|
||||
|
||||
actions :create_service, :create_endpoint, :create_tenant, :create_user, :create_role, :grant_role, :create_ec2_credentials
|
||||
|
||||
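Review bot: `allowin` should be `allowing` in the header comment.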
@@ -29,43 +32,48 @@ end
|
||||
|
||||
BOOLEAN = [TrueClass, FalseClass]
|
||||
|
||||
# The uri used to as authentication endpoint for requests
|
||||
attribute :auth_uri, kind_of: String
|
||||
# The admin bootstrap_token used for authentication
|
||||
attribute :bootstrap_token, kind_of: String
|
||||
|
||||
# Used by both :create_service and :create_endpoint
|
||||
# The type of service to create (e.g. 'identity' or 'volume')
|
||||
attribute :service_type, kind_of: String
|
||||
|
||||
# :create_service specific attributes
|
||||
# The name of the service to create (only for action :create_service)
|
||||
attribute :service_name, kind_of: String
|
||||
# The description for the service to create (only for action :create_service)
|
||||
attribute :service_description, kind_of: String
|
||||
|
||||
# :create_endpoint specific attributes
|
||||
# The region to create the endpoint in (only for action :create_endpoint)
|
||||
attribute :endpoint_region, kind_of: String, default: 'RegionOne'
|
||||
# The admin url to register for the endpoint (only for action :create_endpoint)
|
||||
attribute :endpoint_adminurl, kind_of: String
|
||||
# The internal url to register for the endpoint (only for action
|
||||
# :create_endpoint)
|
||||
attribute :endpoint_internalurl, kind_of: String
|
||||
# The public url to register for the endpoint (only for action :create_endpoint)
|
||||
attribute :endpoint_publicurl, kind_of: String
|
||||
|
||||
# Used by both :create_tenant and :create_user
|
||||
# The name of the tenant to create or create the user in (only for action
|
||||
# :create_tenant and :create_user)
|
||||
attribute :tenant_name, kind_of: String
|
||||
|
||||
# :create_tenant specific attributes
|
||||
# The description of the tenant to create (only for action :create_tenant)
|
||||
attribute :tenant_description, kind_of: String
|
||||
# Enable or disable tenant to create (only for action :create_tenant)
|
||||
attribute :tenant_enabled, kind_of: BOOLEAN, default: true
|
||||
|
||||
# :create_user specific attributes
|
||||
# The name of the user to create (only for action :create_user)
|
||||
attribute :user_name, kind_of: String
|
||||
# The passwort of the user to create (only for action :create_user)
|
||||
attribute :user_pass, kind_of: String
|
||||
# attribute :user_email, kind_of: String
|
||||
# Enable or disable user to create (only for action :create_user)
|
||||
attribute :user_enabled, kind_of: BOOLEAN, default: true
|
||||
|
||||
# Used by :create_role and :grant_role specific attributes
|
||||
# The name of the role to create or grant to the user (only for :create_role and
|
||||
# :grant_role)
|
||||
attribute :role_name, kind_of: String
|
||||
|
||||
# Used by create_ec2_credentials
|
||||
# The name of the admin tenant (only for :create_ec2_credentials)
|
||||
attribute :admin_tenant_name, kind_of: String
|
||||
# The name of the admin user (only for :create_ec2_credentials)
|
||||
attribute :admin_user, kind_of: String
|
||||
# The password of the admin user (only for :create_ec2_credentials)
|
||||
attribute :admin_pass, kind_of: String
|
||||
|
||||
# Used by create_ec2_credentials and create_user
|
||||
# If not specified, default endpoint will be used.
|
||||
# The identity endpoint to use for user and ec2 creation. If not specified,
|
||||
# default endpoint will be used. (only for create_ec2_credentials and
|
||||
# create_user)
|
||||
attribute :identity_endpoint, kind_of: String
|
||||
|
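Review bot: `endpoint_region` defaults to `'RegionOne'` here while attributes/default.rb sets `default['openstack']['identity']['region'] = node['openstack']['region']`; the comment should say that callers are expected to pass `node['openstack']['identity']['region']`, otherwise endpoints silently land in `RegionOne`. Also: `passwort` should be `password`; `The uri used to as authentication endpoint` should be `The URI used as authentication endpoint`; the commented-out `# attribute :user_email, kind_of: String` should be removed or documented; and `# If not specified, default endpoint will be used.` appears twice above `identity_endpoint`.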