From 6ce222af3e5f25c8c1f08172e43621ebab5be929 Mon Sep 17 00:00:00 2001 From: Jeffrey Zhang Date: Mon, 12 Jun 2017 08:59:57 +0800 Subject: [PATCH] Remove keystone-paste.ini file in kolla The keystone-paste.ini file was introduced by I3a3ca2e74c0ae341105d3481f97956c6da473046 to mitigate the security risk of the admin_token_auth middleware. That middleware has since been removed by I57586ccfa0ad1309cc806d95377dc1ecad015914, so it is safe to use the upstream keystone-paste.ini file. This patch also keeps the custom paste file feature: put the file at /etc/kolla/config/keystone/keystone-paste.ini. Closes-Bug: #1695023 Partially-Implements: blueprint custom-paste Change-Id: Ieb983b6a9edb6a156928f6b56a4bd2dbed4281e2 --- ansible/roles/keystone/tasks/config.yml | 18 ++-- .../keystone/templates/keystone-paste.ini.j2 | 83 ------------------- .../roles/keystone/templates/keystone.json.j2 | 3 +- 3 files changed, 15 insertions(+), 89 deletions(-) delete mode 100644 ansible/roles/keystone/templates/keystone-paste.ini.j2 diff --git a/ansible/roles/keystone/tasks/config.yml b/ansible/roles/keystone/tasks/config.yml index 821b2d0691..38ac9de718 100644 --- a/ansible/roles/keystone/tasks/config.yml +++ b/ansible/roles/keystone/tasks/config.yml 
@@ -116,19 +116,27 @@
   notify:
     - Restart keystone container
 
+- name: Checking whether keystone-paste.ini file exists
+  vars:
+    keystone: "{{ keystone_services.keystone }}"
+  stat:
+    path: "{{ node_custom_config }}/keystone/keystone-paste.ini"
+  register: check_keystone_paste_ini
+  when:
+    - inventory_hostname in groups[keystone.group]
+    - keystone.enabled | bool
+
 - name: Copying over keystone-paste.ini
   vars:
     keystone: "{{ keystone_services.keystone }}"
-  merge_configs:
-    sources:
-      - "{{ role_path }}/templates/keystone-paste.ini.j2"
-      - "{{ node_custom_config }}/keystone/keystone-paste.ini"
-      - "{{ node_custom_config }}/keystone/{{ inventory_hostname }}/keystone-paste.ini"
+  template:
+    src: "{{ node_custom_config }}/keystone/keystone-paste.ini"
     dest: "{{ node_config_directory }}/keystone/keystone-paste.ini"
   register: keystone_paste_ini
   when:
     - inventory_hostname in groups[keystone.group]
     - keystone.enabled | bool
+    - check_keystone_paste_ini.stat.exists | bool
   notify:
     - Restart keystone container
 
diff --git a/ansible/roles/keystone/templates/keystone-paste.ini.j2 b/ansible/roles/keystone/templates/keystone-paste.ini.j2
deleted file mode 100644
index 0e2ee368e2..0000000000
--- a/ansible/roles/keystone/templates/keystone-paste.ini.j2
+++ /dev/null
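Review bot: The per-host override `{{ node_custom_config }}/keystone/{{ inventory_hostname }}/keystone-paste.ini` disappears with the removed `merge_configs` sources, and the new `stat`/`template` pair only consults the group-wide path, so a host that carried a per-host paste file now silently gets the paste pipeline shipped in the image instead; the commit message's claim that the custom paste feature is kept holds only for the group-wide file. If dropping the per-host override is intended, say so in the commit message; otherwise a `first_found` lookup over both paths keeps it and makes the separate stat task and the added `check_keystone_paste_ini.stat.exists` condition unnecessary (the registered `keystone_paste_ini` then gains a `results` list, which matters only if something reads more than `.changed`). The third `when` condition dereferences `check_keystone_paste_ini.stat`, which is only defined on hosts where the stat task ran; this presumably works because Ansible stops evaluating a `when` list at the first false condition and the first two conditions are identical, but that ordering is load-bearing and deserves a comment such as `# check_keystone_paste_ini is only registered when the two conditions above hold`.
```yaml
- name: Copying over keystone-paste.ini
  vars:
    keystone: "{{ keystone_services.keystone }}"
  template:
    src: "{{ item }}"
    dest: "{{ node_config_directory }}/keystone/keystone-paste.ini"
  register: keystone_paste_ini
  with_first_found:
    - files:
        - "{{ node_custom_config }}/keystone/{{ inventory_hostname }}/keystone-paste.ini"
        - "{{ node_custom_config }}/keystone/keystone-paste.ini"
      skip: true
  when:
    - inventory_hostname in groups[keystone.group]
    - keystone.enabled | bool
  # … unchanged: notify …
```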
@@ -1,83 +0,0 @@
-# Keystone PasteDeploy configuration file.
-
-[filter:debug]
-use = egg:oslo.middleware#debug
-
-[filter:request_id]
-use = egg:oslo.middleware#request_id
-
-[filter:build_auth_context]
-use = egg:keystone#build_auth_context
-
-[filter:token_auth]
-use = egg:keystone#token_auth
-
-[filter:json_body]
-use = egg:keystone#json_body
-
-[filter:cors]
-use = egg:oslo.middleware#cors
-oslo_config_project = keystone
-
-[filter:ec2_extension]
-use = egg:keystone#ec2_extension
-
-[filter:ec2_extension_v3]
-use = egg:keystone#ec2_extension_v3
-
-[filter:s3_extension]
-use = egg:keystone#s3_extension
-
-[filter:url_normalize]
-use = egg:keystone#url_normalize
-
-[filter:sizelimit]
-use = egg:oslo.middleware#sizelimit
-
-[app:public_service]
-use = egg:keystone#public_service
-
-[app:service_v3]
-use = egg:keystone#service_v3
-
-[app:admin_service]
-use = egg:keystone#admin_service
-
-[pipeline:public_api]
-# The last item in this pipeline must be public_service or an equivalent
-# application. It cannot be a filter.
-pipeline = cors sizelimit url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service
-
-[pipeline:admin_api]
-# The last item in this pipeline must be admin_service or an equivalent
-# application. It cannot be a filter.
-pipeline = cors sizelimit url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service
-
-[pipeline:api_v3]
-# The last item in this pipeline must be service_v3 or an equivalent
-# application. It cannot be a filter.
-pipeline = cors sizelimit url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
-
-[app:public_version_service]
-use = egg:keystone#public_version_service
-
-[app:admin_version_service]
-use = egg:keystone#admin_version_service
-
-[pipeline:public_version_api]
-pipeline = cors sizelimit url_normalize public_version_service
-
-[pipeline:admin_version_api]
-pipeline = cors sizelimit url_normalize admin_version_service
-
-[composite:main]
-use = egg:Paste#urlmap
-/v2.0 = public_api
-/v3 = api_v3
-/ = public_version_api
-
-[composite:admin]
-use = egg:Paste#urlmap
-/v2.0 = admin_api
-/v3 = api_v3
-/ = admin_version_api
diff --git a/ansible/roles/keystone/templates/keystone.json.j2 b/ansible/roles/keystone/templates/keystone.json.j2
index 3cd7921116..c94153929e 100644
--- a/ansible/roles/keystone/templates/keystone.json.j2
+++ b/ansible/roles/keystone/templates/keystone.json.j2
@@ -13,7 +13,8 @@
             "source": "{{ container_config_directory }}/keystone-paste.ini",
             "dest": "/etc/keystone/keystone-paste.ini",
             "owner": "keystone",
-            "perm": "0600"
+            "perm": "0600",
+            "optional": true
         },
         {
             "source": "{{ container_config_directory }}/domains",
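Review bot: With `"optional": true` the container silently falls back to whatever keystone-paste.ini the image ships when no custom file was rendered, and the role no longer pins that pipeline, so nothing in this entry guards against an image built from a keystone release that still wires `admin_token_auth` into its paste file (presumably possible for older source branches; worth a check at image-build time or a documented caveat). Keeping `"perm": "0600"` is right, since a custom file can alter the authentication pipeline and should stay owner-readable only. A Jinja comment next to the entry would record the fallback for operators: `{# keystone-paste.ini is optional: without a custom file the paste pipeline shipped in the image is used #}`.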