In Keystone v3, the _member_ role is not implicitly created on first
use like it is in v2.
This patch adds variables to define the default role name for users:
- keystone_default_role_name:
this is the default role name from Keystone's point of view
- horizon_default_role_name:
this is the default user role from Horizon's point of view
Both Keystone and Horizon's tasks ensure that the role they're using
is registered in the Keystone database.
To maintain backwards compatibility the default value for both
variables is '_member_'.
DocImpact
Closes-bug: 1474916
Change-Id: Ie01e1771c0b435815dfe55fc0ba9a6d803ebe958
In order to make it more difficult to know which
httpd server is running, here is a change to
reduce the ServerTokens OS to ServerTokens Prod
and the ServerSignature On to ServerSignature Off.
This removes ServerName and version report
on page footer and reduces the detail of the httpd
server running in the headers to "Apache".
These options can be overwritten by a user variable.
Change-Id: I1aaffaa3b6b7d6574aefac65b6027e62240a702b
Closes-Bug: #1484256
This commit adds the following new variables to customise whether nova
will allow key/partition/password injection:
nova_libvirt_inject_key
nova_libvirt_inject_partition
nova_libvirt_inject_password
Additionally, the following variable has been added to allow setting
password via Horizon:
horizon_can_set_password
Lastly, password injection can now be tested with tempest via:
tempest_compute_change_password
Note that all variables have been defaulted to their current values.
Closes-Bug: #1469238
Change-Id: Iff434ed7c042f7990990485c34d0f35b9a7baa7a
This patch adds the ability to configure Keystone as a Service
Provider (SP) for a Federated Identity Provider (IdP).
* New variables to configure Keystone as a service provider are now
supported under a root `keystone_sp` variable. Example configurations
can be seen in Keystone's defaults file. This configuration includes
the list of identity providers and trusted dashboards. (At this time
only one identity provider is supported).
* Identity provider configuration includes the remote-to-local user
mapping and the list of remote attributes the SP can obtain from the
IdP.
* Shibboleth is installed and configured in the Keystone containers when
SP configuration is present.
* Horizon is configured for SSO login
DocImpact
UpgradeImpact
Implements: blueprint keystone-federation
Change-Id: I78b3d740434ea4b3ca0bd9f144e4a07026be23c6
Co-Authored-By: Jesse Pretorius <jesse.pretorius@rackspace.co.uk>
This patch enables Horizon to consume a Keystone v3 API endpoint.
This patch also introduces two variables to allow the endpoint to be
specified independently if required:
- horizon_keystone_host: this defaults to the internal LB IP address
- horizon_keystone_endpoint: this defaults to the internal Keystone
endpoint
This patch also does the following:
- properly consumes the horizon_ssl_no_verify role setting;
- includes a little cleanup of comments which do nothing but clutter
the local_settings configuration file.
Closes-Bug: #1478996
Change-Id: I5b7ceeecab072ead6fd380dcef7a48f1978a56f2
This patch revises the SSL certificate management and
distribution with something that is more consistent with how
it's done everywhere else in the project. It also repairs the
current user provided certificate distribution which was broken.
* The server key/certificate (and optionally a CA cert) are
distributed to all horizon containers.
* Two new variables have been implemented for a user-provided
server key and certificate:
- horizon_user_ssl_cert: <path to cert on deployment host>
- horizon_user_ssl_key: <path to cert on deployment host>
If either of these is not defined, then the missing cert/key
will be self generated on the first Horizon container and
distributed to the other containers.
* A new variable has been implemented for a user-provided CA
certificate:
- horizon_user_ssl_ca_cert: <path to cert on deployment host>
* A new variable called 'horizon_ssl_self_signed_subject' has
been implemented to allow the user to override the self-signed
certificate properties, such as the CN and subjectAltName.
Upgrade notes:
* The Apache configuration appropriately implements the
'SSLCACertificateFile' instead of the 'SSLCACertificatePath'
directive in order to ensure that the appropriate signing
certificate is provided to the browser.
* The variable 'horizon_self_signed' (which defaulted to true)
has been removed. The decision of whether to generate a
self-signed certificate has been made based on whether a
user provided key/cert pair has been provided.
* The 'horizon_self_signed_regen' variable has been renamed
to 'horizon_ssl_self_signed_regen'.
* The default names for the deployed keys/certificates have been
changed:
- /etc/ssl/certs/apache.cert > /etc/ssl/certs/horizon.pem
- /etc/ssl/private/apache.key > /etc/ssl/private/horizon.key
DocImpact
UpgradeImpact
Closes-Bug: #1475578
Change-Id: I7089abbd81ce422b21ce65488e8bc32053ba32ca
This patch introduces an insecure flag for the Keystone internal
and admin endpoints:
* keystone_service_adminuri_insecure
* keystone_service_internaluri_insecure
Both values default to false. If you have set up SSL endpoints
for Keystone using an untrusted certificate then you should
set the appropriate flag to true in your user_variables.
This patch is used to enable testing and development with
Keystone SSL endpoints without having to make use of SSL
certificates signed by a trusted, public CA.
The patch introduces a new optional argument (insecure) to the
keystone, glance and neutron Ansible libraries. This is a
boolean value which, when true, enables these libraries to
access Keystone endpoints 'insecurely'. When these libraries
are used in plays, the appropriate value is set automatically
as per the above conditions.
Implements: blueprint keystone-federation
Change-Id: Ia07e7e201f901042dd06a86efe5c6f6725e9ce13
A random minute in the 21st hour UTC, daily, was chosen arbitrarily.
That it is run on a single arbitrary host from the set was done to
prevent unnecessary work being done until Bug #1424705 provides us with
a cleaner solution.
Adjusted to run once per day just to be sure that the operation doesn't
lock the table for a meaningful duration.
Making this configurable or tunable does not seem
to be necessary at this time.
Change-Id: I87164926a4d6a65d3c9f733d625a2d4af91c2597
Closes-Bug: #1466126
This change adds a specific update task to all tasks that call the
apt ansible module. This change was done to ensure that the cache
is updated as expected when instructed to do so. The reason that
the cache update is being removed from the grouping is because
there is an upstream bug that is affecting the process by which
the apt cache is updated when there is a package list to process
within the same task. The workaround to make this function as
expected is to move the update into its own task without a package
list.
Upstream Ansible bug:
- https://github.com/ansible/ansible-modules-core/issues/1497
Change-Id: Ic06d89a76d772c12888b4bc4bbf147be58b0c150
Related-Bug: 1464771
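The apt workaround described in the change above, as an added example that is not the role's own code: the cache refresh runs in its own task with no package list, and the install task that follows carries no update_cache. The host group and package names are assumptions.

```yaml
# Added example (not the project's own tasks): split the apt cache refresh
# from the package install so the cache is actually updated when asked.
#
# Affected form (one task doing both; the cache update may be skipped):
#   - apt:
#       name: "{{ item }}"
#       state: present
#       update_cache: yes
#     with_items: [apache2, libapache2-mod-wsgi]
- name: Install packages with a reliable apt cache refresh
  hosts: horizon_all            # assumption: group name is illustrative
  tasks:
    # Step 1: refresh the cache on its own, with no package list in the task.
    - name: Update apt cache
      apt:
        update_cache: yes
        cache_valid_time: 600   # skip the refresh if it ran within 10 minutes

    # Step 2: install the packages in a separate task; no update_cache here.
    - name: Install Horizon web server packages
      apt:
        name: "{{ item }}"
        state: present
      with_items:               # assumption: example package list
        - apache2
        - libapache2-mod-wsgi
```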
As per the discussion in https://review.openstack.org/190302:
When AVAILABLE_REGIONS is set, OPENSTACK_HOST and
OPENSTACK_KEYSTONE_URL are no longer required in local_settings
as per Horizon developer documentation.
This patch implements this either/or configuration.
Change-Id: Iee9b41c34f770f2e8d76ef0e1e1a974f286ca6a9
Closes-Bug: #1463772
This patch introduces the capability for Horizon to access
multiple regions.
This only takes effect if horizon_available_regions is defined,
otherwise the current default comment is applied to the
local_settings file.
Usage is described via comments in the role defaults and in the
etc/openstack_deploy/user_variables.yml file.
Change-Id: Ia8c0b8be67fd0f479c492d9919b542806f9b204f
SHA-1 certificates are being deprecated and browsers are starting to
issue warnings about their use. We should begin generating SHA-2
certificates for Horizon.
Closes-bug: 1461983
Change-Id: I7f1933680e2859e007f6b8be262852b164f90b33
To enable partitioning of DB traffic by-service, each service needs to
use a custom connection string. Defaulting the service address to a
common galera_address makes things continue to work by default.
While the galera_address could be overridden on a container or host
basis this requires repeating that behavior across each infra node in
the inventory. Providing service-specific connection address variables
simplifies the management somewhat for large deployments and may reduce
error rates.
The service install playbooks now default the service-specific variables
instead of galera_address to the internal lb vip from inventory to
maintain the ease-of-use currently available.
Any value for a service-specific variable set in user_variables.yml will
override the value in the playbook's vars to provide selective
customization as needed.
Change-Id: I4c98bf906a0c1cb11ddd41277a855dce22ff646a
Closes-Bug: 1462529
This will only configure the variable if the horizon_session_timeout
user variable is defined.
DocImpact
Closes-bug: #1461623
Change-Id: Idd9eb58651f6e45bfdb5a65c2529c2e2f0b45f09
This new role is now providing the ability for a user to pin apt
packages as they see fit. The idea is to allow someone to implement
pinning in a generic way that can be represented as a global variable
or as a hostvar. The new role has been added to all install roles as
a dependency which will allow it to ensure that packages are pinned
everywhere as would be expected.
Change-Id: I354e8515570fa7174366ba57d57aece3c304568e
Additional feature changes have been made since we last updated our
template file. This brings our configuration file in line with the
example.
During Liberty, one of these changes related to exceptions will
likely need to be revised but for now this is the correct way of
handling them.
Change-Id: I81a0fe7503c4ca93eb13a6001805639649cabdfb
Closes-Bug: 1448241
Related-Bug: 1433395
Related-Bug: 1440903
Related-Bug: 1439905
Related-Bug: 1439906
In I4456bc1a0056da051947977a26dd6d57c549e421 we hardened Keystone's
Apache SSL settings. In order to keep all Apache SSL settings uniformly
configured, we also need to update Horizon's settings and centralize
where we define the cipher suite that the server supports and the
preferred protocol versions.
We also explicitly disable SSLCompression even though we tend to only
test against versions of Apache that have this off by default. If
someone uses a version after 2.2.24 or uses 2.4.3, they would otherwise
have to explicitly turn this off. Preferring security by default, we
disable it explicitly to prevent insecure installations anywhere.
We also document how users can override specific service SSL settings in
the event one service needs to support older clients that require
certain protocols or ciphers. For example, it's very plausible that an
organization may need to enable RC4 and SSLv3 for Horizon since their
users are still using XP and an old version of Internet Explorer.
Related-Bug: 1437481
Change-Id: I85843452935710083253847d6e11f85e9d6d2e84
This change ensures that apache2 is restarted after the horizon
configuration is changed.
Closes-Bug: #1441110
Change-Id: I7713995b1fa91e42b27a28856cdf21814c037b6f
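The Apache hardening from the ServerTokens/ServerSignature change and the SSL settings change above, expressed as Ansible tasks that also restart apache2 whenever the configuration changes, as an added example that is not the role's own code. The host group, config file paths, variable names and the default protocol and cipher values are assumptions chosen for illustration.

```yaml
# Added example (not the project's own role code): apply the Apache hardening
# described in the commit messages and restart apache2 on change.
# Assumptions: group name, file paths and variable names are illustrative.
- name: Harden Apache information disclosure and TLS settings
  hosts: horizon_all
  vars:
    # Example defaults; a deployer can override these per service if an
    # older client population still requires other protocols or ciphers.
    apache_ssl_protocol: "all -SSLv2 -SSLv3"
    apache_ssl_cipher_suite: "HIGH:!aNULL:!MD5:!RC4"
  tasks:
    - name: Reduce server identification in headers and page footers
      lineinfile:
        dest: /etc/apache2/conf-available/security.conf
        regexp: "^{{ item.key }}"
        line: "{{ item.key }} {{ item.value }}"
      with_items:
        # "Off"/"On" are quoted: unquoted they parse as YAML booleans.
        - { key: ServerTokens, value: Prod }      # weak default: OS
        - { key: ServerSignature, value: "Off" }  # weak default: On
      notify: Restart apache2

    - name: Pin TLS settings and disable SSL compression explicitly
      lineinfile:
        dest: /etc/apache2/mods-available/ssl.conf
        regexp: "^\\s*{{ item.key }}"
        line: "{{ item.key }} {{ item.value }}"
      with_items:
        - { key: SSLProtocol, value: "{{ apache_ssl_protocol }}" }
        - { key: SSLCipherSuite, value: "{{ apache_ssl_cipher_suite }}" }
        - { key: SSLHonorCipherOrder, value: "On" }
        - { key: SSLCompression, value: "Off" }   # off regardless of version
      notify: Restart apache2

  handlers:
    - name: Restart apache2
      service:
        name: apache2
        state: restarted
```

Check the result with `curl -sI https://<horizon-host>/` and confirm the Server header reads only "Apache".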
This change applies a few minor changes to update the local_settings.py
config file for the kilo release.
In Kilo, Horizon's exceptions and configuration around exceptions, was
refactored. This eliminates the need for us to specify which exceptions
are recoverable, not found, and unauthorized. By removing it from the
HORIZON_CONFIG variable in local_settings.py, we defer to the default
list which is rather large already without having to copy it into our
source tree.
Detailed change list:
- Updated comment for CONSOLE_TYPE setting to include the new SERIAL type
- Added the HORIZON_CONFIG['disable_password_reveal'] option
- Added the DROPDOWN_MAX_ITEMS option
- Added the ENFORCE_PASSWORD_CHECK option
- Added the AUTHENTICATION_URLS option
- Added the LAUNCH_INSTANCE options
- Added the SWIFT_FILE_TRANSFER_CHUNK_SIZE option
- Added the OPENSTACK_ENABLE_PASSWORD_RETRIEVE option
- Added the SSO options (stubbed for now)
- Updated the HORIZON_CONFIG option
- Updated the OPENSTACK_NEUTRON_NETWORK option
Co-Authored-By: Ian Cordasco <ian.cordasco@rackspace.com>
Partially implements blueprint: master-kilofication
Change-Id: I3cb9054447bf356444f3458935e2ba661f5e7f2c
The default value for OFFLINE_COMPRESS is False, as per the Django
compressor docs. When using offline compression, it seems that different
request contexts may generate different CSS files with different names
by way of the SCSS generator. When the HTML is returned to the browser,
the CSS filename referenced will only exist on the node that received
the initial request and generated the CSS file locally, however in a
load-balanced scenario with multiple Horizon instances, the actual HTTP
request for the CSS file has an (n-1)/n chance of hitting another node that
may be lacking that file, resulting in an unstyled page.
Changing the OFFLINE_COMPRESS value to True enables Django to use the
pre-generated list of resources -- created via the manage.py compress
command -- which is stored in a manifest.json file and should be the
same name/content across the instances since it's not varying by request
context like during online compression.
Change-Id: Iccb9b8cd30b7a61435f9ccc813c4032a24cbe52a
Closes-Bug: #1423783
The horizon_fqdn var does not appear to be used anywhere anymore and
external_vip_address is no longer defined so just removed both.
Closes-Bug: 1425953
Change-Id: I282c4722a9eb50c6d0ada3736e4d66ef9b825c4c
This change implements the blueprint to convert all roles and plays into
a more generic setup, following upstream ansible best practices.
Items Changed:
* All tasks have tags.
* All roles use namespaced variables.
* All redundant tasks within a given play and role have been removed.
* All of the repetitive plays have been removed in favor of a more
simplistic approach. This change duplicates code within the roles but
ensures that the roles only ever run within their own scope.
* All roles have been built using an ansible galaxy syntax.
* The `*requirement.txt` files have been reformatted to follow upstream
OpenStack practices.
* Dynamically generated inventory is now more organized; this should assist
anyone who may want or need to dive into the JSON blob that is created.
In the inventory a properties field is used for items that customize containers
within the inventory.
* The environment map has been modified to support additional host groups to
enable the separation of infrastructure pieces. While the old infra_hosts group
will still work this change allows for groups to be divided up into separate
chunks; eg: deployment of a swift only stack.
* The LXC logic now exists within the plays.
* etc/openstack_deploy/user_variables.yml has all password/token
variables extracted into the separate file
etc/openstack_deploy/user_secrets.yml in order to allow separate
security settings on that file.
Items Excised:
* All of the roles have had the LXC logic removed from within them which
should allow roles to be consumed outside of the `os-ansible-deployment`
reference architecture.
Note:
* the directory rpc_deployment still exists and is presently pointed at plays
containing a deprecation warning instructing the user to move to the standard
playbooks directory.
* While all of the rackspace specific components and variables have been removed
and/or were refactored the repository still relies on an upstream mirror of
OpenStack built python files and container images. This upstream mirror is hosted
at rackspace at "http://rpc-repo.rackspace.com" though this is
not locked to and/or tied to rackspace specific installations. This repository
contains all of the needed code to create and/or clone your own mirror.
DocImpact
Co-Authored-By: Jesse Pretorius <jesse.pretorius@rackspace.co.uk>
Closes-Bug: #1403676
Implements: blueprint galaxy-roles
Change-Id: I03df3328b7655f0cc9e43ba83b02623d038d214e