25 Commits

Author SHA1 Message Date
Christian Berendt
8f6bd4e735 Enable CADF events in Keystone and introduce enable_cadf_notifications
Change-Id: I0a40867ae65011fbfd53308b9d7f42d10435f5fa
Closes-bug: #1607905
2016-09-16 12:19:53 +00:00
Jenkins
5c5ef797b0 Merge "Correct permissions to /etc/keystone/domains" 2016-09-01 15:05:49 +00:00
Shaun Smekel
1c68ae389b Add full support for fernet
This addresses the ansible aspects of fernet key bootstrapping as
well as distributed key rotation.

- Bootstrapping is handled in the same way as keystone bootstrap.
- A new keystone-fernet and keystone-ssh container is created to allow
  the nodes to communicate with each other (taken from nova-ssh).
- The keystone-fernet is a keystone container with crontab installed.
  This will handle key rotations through keystone-manage and trigger
  an rsync to push new tokens to other nodes.
- Key rotation is setup to be balanced across the keystone nodes using
  a round-robbin style. This ensures that any node failures will not
  stop the keys from rotating. This is configured by a desired token
  expiration time which then determines the cron scheduling for each
  node as well as the number of fernet tokens in rotation.
- Ability for recovered node to resync with the cluster. When a node
  starts it will run sanity checks to ensure that its fernet tokens
  are not stale. If they are it will rsync with other nodes to ensure
  its tokens are up to date.

The Docker component is implemented in:
  https://review.openstack.org/#/c/349366

Change-Id: I15052c25a1d1149d364236f10ced2e2346119738
Implements: blueprint keystone-fernet-token
2016-08-25 20:08:22 +10:00
Ken Wronkiewicz
37b3c8c354 Keystone interface address and memcached override
Note: This should not result in any behavior changes in regular Kolla,
just Kolla-Kubernetes and only when you've overridden stuff in globals.yml

Allows override of interface address and memcached pools, so that
Kubernetes can do the right thing.

There are some significant architectural issues involved in
memcached pooling in the Kolla-kubernetes world.  Avoiding them right
now.

Current working Kolla-Kubernetes globals.yml file, assuming that your
memcached servers are available under the DNS alias "memcached":

api_interface_address: "0.0.0.0"

memcached_servers: "memcached"

keystone_database_address: "mariadb"
keystone_admin_url: "{{ admin_protocol }}://keystone-admin:{{ keystone_admin_port }}/v3"
keystone_internal_url: "{{ internal_protocol }}://keystone-public:{{ keystone_public_port }}/v3"
keystone_public_url: "{{ public_protocol }}://keystone-public:{{ keystone_public_port }}/v3"

Co-authored-by: Ryan Hallisey <rhallise@redhat.com>
Change-Id: I5126f81da7b4d48001b87f73d58bbbfad658209c
Partially-implements: blueprint api-interface-bind-address-override
2016-08-11 05:33:56 -04:00
Mathias Ewald
29d9d6616a Correct permissions to /etc/keystone/domains
Set permission for /etc/keystone/domains/ directory to 0700 instead of
0600 which is required for Keystone to be able to list directory
contents.

Change-Id: I7536cc3f0bcbc8aea298ad76713e45cbb93a4b27
Closes-Bug: #1609319
2016-08-03 09:45:43 +00:00
Nenad Radojevic
b6936383da Configurable policy.json for keystone
Copy custom policy.json into keystone container

Change-Id: I58787c3dd7adbeff47d0898c23db95f5919510d3
Closes-Bug: #1604431
2016-07-19 13:53:44 +00:00
Dave Walker (Daviey)
a5e402f1e8 Support Keystone Domain specific files
Currently, it is not possible to make use of Keystone Domain
specific settings. Such as different domains using different
LDAP servers or SQL.

To enable for example domain ACME - domain settings would be
put into:
{{ node_custom_config }}keystone/domains/keystone.ACME.conf

Change-Id: I23620978c618dd4a3598d7cb74c3e9cf8c2394ac
Closes-Bug: #1599868
Signed-off-by: Dave Walker (Daviey) <email@daviey.com>
2016-07-14 07:53:41 +00:00
Ryan Hallisey
67333e4dd1 Set db connection retry to infinity
Make sure that all the sevices will attempt to
connect to the database an infinite about of times.
If the database ever disappears for some reason we
want the services to try and reconnect more than just
10 times.

Closes-bug: #1505636
Change-Id: I77abbf72ce5bfd68faa451bb9a72bd2544963f4b
2016-04-11 07:22:09 -04:00
Carlos Cesario
493650aa5e Change keystone log dir
Proposed patch to change keystone and heka log dir
from /var/log/kolla/apache2/ to /var/log/kolla/keystone/

Closes-Bug: #1560620
Change-Id: I70c65ceba5a301cc56880313ca86f01bd35676cb
2016-03-28 08:51:35 -03:00
SamYaple
d4535b6dc3 Add memcached_servers to keystone_auth section
The in-process cache for keystone tokens has been deprecated due to
"incosistent results and high memory usage" with the expectation we
switch to memcached_servers if we want to stay performant.

Add memcache_servers [cache] section to the appropriate servers as the
[DEFAULT]\memcache_servers options was deprecated.

TrivialFix
Related-Id: Ied2b88c8cefe5655a88d0c2f334de04e588fa75a

Change-Id: Ic971bdddc0be3338b15924f7cc0f97d4a3ad2440
2016-03-19 21:53:03 +00:00
Dave McCowan
3daded6242 Add TLS protection on external API endpoints
TLS can be used to encrypt and authenticate the connection with
OpenStack endpoints.  This patch provides the necessary
parameters and changes the resulting service configurations to
enable TLS for the Kolla deployed OpenStack cloud.

The new input parameters are:

kolla_enable_tls_external: "yes" or "no" (default is "no")
kolla_external_fqdn_cert: "/etc/kolla/certificates/haproxy.pem"
kolla_external_fqdn_cacert: "/etc/kolla/certificates/haproxy-ca.crt"

Implements: blueprint kolla-ssl

Change-Id: I48ef8a781c3035d58817f9bf6f36d59a488bab41
2016-03-03 14:44:37 -05:00
SamYaple
4edd0baf8d Remove keystone admin token
Admin token has been deprecated upstream. It will be removed in O. We
switch over to the new `keystone-manage bootstrap` method for creating
the initial admin user, role, and project.

Co-Authored-By: Sam Yaple <sam@yaple.net>
Change-Id: I6ca90e8d4c3b71009e24b049b2efbc08c05ebfbf
2016-03-01 00:14:06 +00:00
Dave McCowan
b770339534 Use passed client IP address in various audit logs
HAProxy: change to use option forwardfor to pass origin IP address
to backend via X-Forwarded-For header

Keystone: Apache does the audit logs for keystone.  Change the
LogFormat to display the passed address instead of the connection
address which is that of the load balancer.

Nova, Cinder, Glance: these services can make use of the address
passed in X-Forwarded-For.  With this setting the API logs for
these services include the client IP address.

Change-Id: Ia861ecc11a7c7d463d0366586926d1a842853f69
Closes-Bug: #1548935
2016-02-24 09:51:13 -05:00
Éric Lemoine
684873b89b Make Heka collect Keystone logs
Partially implements: blueprint heka
Change-Id: I940143876981a04464af67aff65c09a06926701d
2016-02-19 21:49:21 +00:00
Allen Gao
3729755da0 remove option verbose from config files
Option "verbose" from group "DEFAULT" is deprecated for removal.
Its value may be silently ignored in the future.

If this option is not set explicitly, there is no such warning.
Furthermore, the default value of verbose is true, so there is
no need to set this value in config files.

TrivialFix

Change-Id: I3ec2a8900c984a64bc0645672ef89a63975f7f4e
2016-01-18 21:29:36 +08:00
SamYaple
026942e9c5 Convert to pymysql
Closes-Bug: #1528432
Change-Id: I6e56f283521b29678964cb655ac3cff2d13b8246
2015-12-22 04:30:32 +00:00
Michal Rostecki
febcb600f1 Source installation in virtualenv
Use virtualenv for installation of OpenStack projects and
dependencies to avoid conflicts with Python libraries installed
by non-OpenStack binary packages.

Change-Id: I21ecd673b2e93335b1d3dd4e279e940c9d694c3c
Implements: blueprint virtualenv
2015-11-27 10:22:17 +01:00
akwasniewska
206455120f Fixed log error messages from keystone to syslog.
Rsyslog adapted to filter keystone error log messages.

Related bug: 1516462

Change-Id: I4d8d4280dc8fef870d56d8466ed466241ee18e64
2015-11-17 20:27:08 +01:00
Sam Yaple
94162bd08f Bring Kolla inline with FHS
This brings Kolla images inline with FHS and should make finding
locations of things more consistent and reliable with the linux world
at large.

Change-Id: Iece5b4da4bace0fb8b1f41a65ab2c852ec73e6f8
Closes-Bug: #1485742
2015-10-06 03:30:53 +00:00
Michal Jastrzebski
f99a27f0c5 Keystone logging to rsyslog
Configure keystone to use rsyslog container as logging mechanism

Change-Id: Id77574fe841e9c2a9d870b712ffd0c26b5463ded
Implements: bp logging-container
2015-09-24 14:08:25 +02:00
rthallisey
180e8c3331 Replace config-external with a JSON file for Keystone
Change-Id: I4c403edb7cd16f587f30a313c1943f070512eda3
Partially-Implements: blueprint replace-config-external
2015-09-18 15:19:06 -04:00
Sam Yaple
17333aed12 Fix keystone for Ubuntu
Due to the differences between Ubuntu and Centos around Apache2 I have
had to copy both start.sh and config-external.sh to be unique files
for Ubuntu so as not to affect Centos either. This can be removed when
we change the way config-external works.

Change-Id: I14dc11e7bb6284b897259a53acc914ae8f254d3c
Partially-Implements: blueprint install-from-ubuntu
2015-08-23 06:07:04 +00:00
Sam Yaple
4c4181d54a Fix permissions on log directory for keystone
Additionally fixed bootstrap issue caused by an ansible bug in some
versions of the docker module.

Closes-Bug: #1472270
Change-Id: Ia5a370db5ab7690854afcd63492ba7dbbea29835
2015-07-08 09:35:33 +00:00
Sam Yaple
11597cc2f4 Updated keystone for wsgi in config-external
This will switch config-external to using wsgi vs evenlet for keystone.

Partially Implements: blueprint ansible-service

Change-Id: I85a88c813ed36d827916796199dad735b2d44b40
2015-07-03 14:17:02 +00:00
Sam Yaple
3ac7da64d1 Add initial config function and keystone support
Add set_configs function that implements the flow from the proposed
ansible-multi spec. Move start.sh to config-internal.sh to preserve existing
behaviour.

config-externall.sh copies the appropriate configs in from the bind'd
location and sets permissions and ownership appropriately.

Partially Implements: blueprint ansible-multi

Change-Id: I53fca0660451087f273fefc3c63e0d8cf1a2c096
2015-06-30 17:26:23 +00:00