29 Commits

Author SHA1 Message Date
Ian Cordasco
3f90bae4c3 Add default user role for Keystone & Horizon and tasks to create it
In Keystone v3, the _member_ role is not implicitly created on first
use like it is in v2.

This patch adds variables to define the default role name for users:
 - keystone_default_role_name:
   this is the default role name from Keystone's point of view
 - horizon_default_role_name:
   this is the default user role from Horizon's point of view

Both Keystone and Horizon's tasks ensure that the role they're using
is registered in the Keystone database.

To maintain backwards compatibility the default value for both
variables is '_member_'.

DocImpact
Closes-bug: 1474916
Change-Id: Ie01e1771c0b435815dfe55fc0ba9a6d803ebe958
2015-08-21 12:53:33 +01:00
Jean-Philippe Evrard
e983c15d67 Apache servers will not report version anymore
In order to make it more difficult to know which
httpd server is running, here is a change to
reduce the ServerTokens OS to ServerTokens Prod
and the ServerSignature On to ServerSignature Off.

This removes ServerName and version report
on page footer and reduces the detail of the httpd
server running in the headers to "Apache".

These options can be overwritten by a user variable.

Change-Id: I1aaffaa3b6b7d6574aefac65b6027e62240a702b
Closes-Bug: #1484256
2015-08-19 13:59:02 +00:00
Matt Thompson
5bd7a5540c Allow nova key/partition/password injection
This commit adds the following new variables to customise whether nova
will allow key/partition/password injection:

nova_libvirt_inject_key
nova_libvirt_inject_partition
nova_libvirt_inject_password

Additionally, the following variable has been added to allow setting
password via Horizon:

horizon_can_set_password

Lastly, password injection can now be tested with tempest via:

tempest_compute_change_password

Note that all variables have been defaulted to their current values.

Closes-Bug: #1469238

Change-Id: Iff434ed7c042f7990990485c34d0f35b9a7baa7a
2015-08-13 09:25:17 +00:00
Miguel Grinberg
a7080fdfa2 Keystone Federation Service Provider Configuration
This patch adds the ability to configure Keystone as a Service
Provider (SP) for a Federated Identity Provider (IdP).

* New variables to configure Keystone as a service provider are now
  supported under a root `keystone_sp` variable. Example configurations
  can be seen in Keystone's defaults file. This configuration includes
  the list of identity providers and trusted dashboards. (At this time
  only one identity provider is supported).

* Identity provider configuration includes the remote-to-local user
  mapping and the list of remote attributes the SP can obtain from the
  IdP.

* Shibboleth is installed and configured in the Keystone containers when
  SP configuration is present.

* Horizon is configured for SSO login.

DocImpact
UpgradeImpact
Implements: blueprint keystone-federation
Change-Id: I78b3d740434ea4b3ca0bd9f144e4a07026be23c6
Co-Authored-By: Jesse Pretorius <jesse.pretorius@rackspace.co.uk>
2015-08-07 08:44:51 +00:00
Jesse Pretorius
1e2c983bd3 Enable Horizon to consume a Keystone v3 API endpoint
This patch enables Horizon to consume a Keystone v3 API endpoint.

This patch also introduces two variables to allow the endpoint to be
specified independently if required:
 - horizon_keystone_host: this defaults to the internal LB IP address
 - horizon_keystone_endpoint: this defaults to the internal Keystone
   endpoint

This patch also does the following:
 - properly consumes the horizon_ssl_no_verify role setting;
 - includes a little cleanup of comments that did nothing but clutter
   the local_settings configuration file.

Closes-Bug: #1478996
Change-Id: I5b7ceeecab072ead6fd380dcef7a48f1978a56f2
2015-07-31 08:25:09 +00:00
Jesse Pretorius
271bf64239 Fix Horizon SSL certificate management and distribution
This patch revises the SSL certificate management and
distribution with something that is more consistent with how
it's done everywhere else in the project. It also repairs the
current user provided certificate distribution which was broken.

* The server key/certificate (and optionally a CA cert) are
  distributed to all horizon containers.

* Two new variables have been implemented for a user-provided
  server key and certificate:
  - horizon_user_ssl_cert: <path to cert on deployment host>
  - horizon_user_ssl_key: <path to cert on deployment host>
  If either of these is not defined, then the missing cert/key
  will be self generated on the first Horizon container and
  distributed to the other containers.

* A new variable has been implemented for a user-provided CA
  certificate:
  - horizon_user_ssl_ca_cert: <path to cert on deployment host>

* A new variable called 'horizon_ssl_self_signed_subject' has
  been implemented to allow the user to override the self-signed
  certificate properties, such as the CN and subjectAltName.

Upgrade notes:

* The Apache configuration appropriately implements the
  'SSLCACertificateFile' instead of the 'SSLCACertificatePath'
  directive in order to ensure that the appropriate signing
  certificate is provided to the browser.

* The variable 'horizon_self_signed' (which defaulted to true)
  has been removed. The decision of whether to generate a
  self-signed certificate has been made based on whether a
  user provided key/cert pair has been provided.

* The 'horizon_self_signed_regen' variable has been renamed
  to 'horizon_ssl_self_signed_regen'.

* The default names for the deployed keys/certificates have been
  changed:
  - /etc/ssl/certs/apache.cert  > /etc/ssl/certs/horizon.pem
  - /etc/ssl/private/apache.key > /etc/ssl/private/horizon.key

DocImpact
UpgradeImpact
Closes-Bug: #1475578

Change-Id: I7089abbd81ce422b21ce65488e8bc32053ba32ca
2015-07-17 13:19:13 +01:00
Jenkins
fdd40bc5cd Merge "Enable all services to use Keystone 'insecurely'" 2015-07-10 16:53:24 +00:00
Jesse Pretorius
1078a4e806 Enable all services to use Keystone 'insecurely'
This patch introduces an insecure flag for the Keystone internal
and admin endpoints:

* keystone_service_adminuri_insecure
* keystone_service_internaluri_insecure

Both values default to false. If you have setup SSL endpoints
for Keystone using an untrusted certificate then you should
set the appropriate flag to true in your user_variables.

This patch is used to enable testing and development with
Keystone SSL endpoints without having to make use of SSL
certificates signed by a trusted, public CA.

The patch introduces a new optional argument (insecure) to the
keystone, glance and neutron Ansible libraries. This is a
boolean value which, when true, enables these libraries to
access Keystone endpoints 'insecurely'. When these libraries
are used in plays, the appropriate value is set automatically
as per the above conditions.

Implements: blueprint keystone-federation
Change-Id: Ia07e7e201f901042dd06a86efe5c6f6725e9ce13
2015-07-10 14:06:25 +01:00
Bjoern Teipel
016f401463 Fixing protocol for UDP in horizon for master
Closes-Bug: #1472646
Change-Id: Ib5777fcd0f172aa68a99260539187ed9f50f7c98
2015-07-08 15:49:20 +00:00
Steve Lewis
221e525fe1 Clear expired Django sessions regularly from DB
A random minute in the 21st hour UTC, daily, was chosen arbitrarily.
That it is run on a single arbitrary host from the set was done to
prevent unnecessary work being done until Bug #1424705 provides us with
a cleaner solution.

Adjusted to run once per day just to be sure that the operation doesn't
lock the table for a meaningful duration.

Making this configurable or tunable does not seem
to be necessary at this time.

Change-Id: I87164926a4d6a65d3c9f733d625a2d4af91c2597
Closes-Bug: #1466126
2015-06-24 11:16:42 -07:00
Jenkins
3a710c2009 Merge "Correct local_settings when AVAILABLE_REGIONS is set" 2015-06-22 15:02:14 +00:00
kevin
ae906a4838 Added apt update tasks to everything using apt
This change adds a specific update task to all tasks that use the
apt ansible module. This change was done to ensure that the cache
is updated as expected when instructed to do so. The reason that
the cache update is being removed from the grouping is because
there is an upstream bug that is affecting the process by which
the apt cache is updated when there is a package list to process
within the same task. The workaround to make this function as
expected is to move the update into its own task without a package
list.

Upstream Ansible bug:
  - https://github.com/ansible/ansible-modules-core/issues/1497

Change-Id: Ic06d89a76d772c12888b4bc4bbf147be58b0c150
Related-Bug: 1464771
2015-06-16 13:13:58 -05:00
Jesse Pretorius
bb9f7cecbb Correct local_settings when AVAILABLE_REGIONS is set
As per the discussion in https://review.openstack.org/190302:

When AVAILABLE_REGIONS is set, OPENSTACK_HOST and
OPENSTACK_KEYSTONE_URL are no longer required in local_settings
as per Horizon developer documentation.

This patch implements this either/or configuration.

Change-Id: Iee9b41c34f770f2e8d76ef0e1e1a974f286ca6a9
Closes-Bug: #1463772
2015-06-12 11:31:10 +01:00
Jenkins
3bb72beb1f Merge "Configure DB addresses for each service" 2015-06-11 20:24:02 +00:00
Jenkins
a94eafcdbc Merge "Allow Horizon to access multiple regions" 2015-06-10 16:56:21 +00:00
Jesse Pretorius
79eb06fddb Allow Horizon to access multiple regions
This patch introduces the capability for Horizon to access
multiple regions.

This only takes effect if horizon_available_regions is defined,
otherwise the current default comment is applied to the
local_settings file.

Usage is described via comments in the role defaults and in the
etc/openstack_deploy/user_variables.yml file.

Change-Id: Ia8c0b8be67fd0f479c492d9919b542806f9b204f
2015-06-10 12:31:57 +01:00
Ian Cordasco
530fa0d569 Generate a SHA-2 certificate for Horizon
SHA-1 certificates are being deprecated and browsers are starting to
issue warnings about their use. We should begin generating SHA-2
certificates for Horizon.

Closes-bug: 1461983
Change-Id: I7f1933680e2859e007f6b8be262852b164f90b33
2015-06-10 04:32:21 +00:00
Steve Lewis
451ca48a26 Configure DB addresses for each service
To enable partitioning of DB traffic by-service, each service needs to
use a custom connection string. Defaulting the service address to a
common galera_address makes things continue to work by default.

While the galera_address could be overridden on a container or host
basis this requires repeating that behavior across each infra node in
the inventory. Providing service-specific connection address variables
simplifies the management somewhat for large deployments and may reduce
error rates.

The service install playbooks now default the service-specific variables
instead of galera_address to the internal lb vip from inventory to
maintain the ease-of-use currently available.

Any value for a service-specific variable set in user_variables.yml will
override the value in the playbook's vars to provide selective
customization as needed.

Change-Id: I4c98bf906a0c1cb11ddd41277a855dce22ff646a
Closes-Bug: 1462529
2015-06-10 02:07:38 +00:00
Jenkins
9b5c4fce86 Merge "Allow the Horizon SESSION_TIMEOUT to be configured" 2015-06-05 09:24:26 +00:00
Ian Cordasco
df800efc38 Allow the Horizon SESSION_TIMEOUT to be configured
This will only configure the variable if the horizon_session_timeout
user variable is defined.

DocImpact
Closes-bug: #1461623
Change-Id: Idd9eb58651f6e45bfdb5a65c2529c2e2f0b45f09
2015-06-03 16:22:10 -05:00
Kevin Carter
eb464a4371 added role to pin packages
This new role is now providing the ability for a user to pin apt
packages as they see fit. The idea is to allow someone to implement
pinning in a generic way that can be represented as a global variable
or as a hostvar. The new role has been added to all install roles as
a dependency which will allow it to ensure that packages are pinned
everywhere as would be expected.

Change-Id: I354e8515570fa7174366ba57d57aece3c304568e
2015-05-08 13:22:42 -05:00
Steve Lewis
93e6e237c5 Update Horizon configuration
Additional feature changes have been made since we last updated our
template file. This brings our configuration file in line with the
example.

During Liberty, one of these changes related to exceptions will
likely need to be revised but for now this is the correct way of
handling them.

Change-Id: I81a0fe7503c4ca93eb13a6001805639649cabdfb
Closes-Bug: 1448241
Related-Bug: 1433395
Related-Bug: 1440903
Related-Bug: 1439905
Related-Bug: 1439906
2015-04-24 12:59:41 -07:00
Ian Cordasco
9ec71a83fe Genericize how we update SSL settings for Apache
In I4456bc1a0056da051947977a26dd6d57c549e421 we hardened Keystone's
Apache SSL settings. In order to keep all Apache SSL settings uniformly
configured, we also need to update Horizon's settings and centralize
where we define the cipher suite that the server supports and the
preferred protocol versions.

We also explicitly disable SSLCompression even though we tend to only
test against versions of Apache that have this off by default. If
someone uses a version after 2.2.24 or uses 2.4.3, they would otherwise
have to explicitly turn this off. Preferring security by default, we
disable it explicitly to prevent insecure installations anywhere.

We also document how users can override specific service SSL settings in
the event one service needs to support older clients that require
certain protocols or ciphers. For example, it's very plausible that an
organization may need to enable RC4 and SSLv3 for Horizon since their
users are still using XP and an old version of Internet Explorer.

Related-Bug: 1437481
Change-Id: I85843452935710083253847d6e11f85e9d6d2e84
2015-04-10 15:02:53 +00:00
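Added configuration example, not the project's own template: it combines the three Apache changes recorded in this log (ServerTokens/ServerSignature reduction, the horizon.pem/horizon.key paths with a CA file, and the centralized TLS settings) and shows the defaults each one replaces. The cipher list and the `/etc/ssl/certs/horizon-ca.pem` path are illustrative assumptions, not the role's values.

```apache
# Added example; not the os-ansible-deployment role's own template.
# Apache does not allow comments on the same line as a directive,
# so each setting is explained on the line above it.

# --- Before: stock defaults these commits replace ---
# ServerTokens OS        -> "Server: Apache/2.4.x (Ubuntu)" on every response
# ServerSignature On     -> server name and version in error-page footers
# SSLProtocol all        -> SSLv3 still negotiable
# SSLCompression         -> on by default on builds before 2.4.3 / 2.2.24

# --- After: hardened settings shared by the Keystone and Horizon vhosts ---
# Server header is reduced to "Apache"; no version, no OS.
ServerTokens Prod
# No name/version footer on server-generated pages.
ServerSignature Off

# TLS only: SSLv2 and SSLv3 are refused.
SSLProtocol all -SSLv2 -SSLv3
# Server chooses from the list below, in order, rather than the client.
SSLHonorCipherOrder on
# Illustrative cipher list (assumption): forward-secret AEAD suites only,
# with RC4, MD5 and anonymous suites excluded.
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!MD5:!RC4
# Explicit, so builds where the default is still "on" are not left exposed.
SSLCompression off

<VirtualHost *:443>
    SSLEngine on
    # New default names for the deployed key/certificate pair.
    SSLCertificateFile    /etc/ssl/certs/horizon.pem
    SSLCertificateKeyFile /etc/ssl/private/horizon.key
    # Intermediate certificates the browser needs to build the chain are sent
    # via SSLCertificateChainFile (on 2.4.8+ they may instead be appended to
    # SSLCertificateFile). SSLCACertificateFile, by contrast, names the CAs
    # trusted when verifying client certificates. Path is an assumption.
    SSLCertificateChainFile /etc/ssl/certs/horizon-ca.pem
</VirtualHost>
```

Check the result with `curl -sI https://<horizon-host>/ | grep -i '^server:'`, which should now print only `Server: Apache`, and with `openssl s_client -connect <horizon-host>:443 -ssl3`, which should fail to negotiate.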
Miguel Grinberg
f21638c5c8 Restart apache2 after local_settings.py is changed
This change ensures that apache2 is restarted after the horizon
configuration is changed.

Closes-Bug: #1441110
Change-Id: I7713995b1fa91e42b27a28856cdf21814c037b6f
2015-04-07 11:18:42 +00:00
Miguel Grinberg
c99b1b99fd Horizon config changes for kilo
This change applies a few minor changes to update the local_settings.py
config file for the kilo release.

In Kilo, Horizon's exceptions and configuration around exceptions were
refactored. This eliminates the need for us to specify which exceptions
are recoverable, not found, and unauthorized. By removing it from the
HORIZON_CONFIG variable in local_settings.py, we defer to the default
list which is rather large already without having to copy it into our
source tree.

Detailed change list:

- Updated comment for CONSOLE_TYPE setting to include the new SERIAL type
- Added the HORIZON_CONFIG['disable_password_reveal'] option
- Added the DROPDOWN_MAX_ITEMS option
- Added the ENFORCE_PASSWORD_CHECK option
- Added the AUTHENTICATION_URLS option
- Added the LAUNCH_INSTANCE options
- Added the SWIFT_FILE_TRANSFER_CHUNK_SIZE option
- Added the OPENSTACK_ENABLE_PASSWORD_RETRIEVE option
- Added the SSO options (stubbed for now)
- Updated the HORIZON_CONFIG option
- Updated the OPENSTACK_NEUTRON_NETWORK option

Co-Authored-By: Ian Cordasco <ian.cordasco@rackspace.com>
Partially implements blueprint: master-kilofication
Change-Id: I3cb9054447bf356444f3458935e2ba661f5e7f2c
2015-04-06 16:58:05 -07:00
Jenkins
a2a69c7402 Merge "Enable offline compression for resource files" 2015-03-13 02:44:54 +00:00
Evan Callicoat
21f9175fb0 Enable offline compression for resource files
The default value for OFFLINE_COMPRESS is False, as per the Django
compressor docs. When using offline compression, it seems that different
request contexts may generate different CSS files with different names
by way of the SCSS generator. When the HTML is returned to the browser,
the CSS filename referenced will only exist on the node that received
the initial request and generated the CSS file locally, however in a
load-balanced scenario with multiple Horizon instances, the actual HTTP
request for the CSS file has an (n-1)/n chance of hitting another node that
may be lacking that file, resulting in an unstyled page.

Changing the OFFLINE_COMPRESS value to True enables Django to use the
pre-generated list of resources -- created via the manage.py compress
command -- which is stored in a manifest.json file and should be the
same name/content across the instances since it's not varying by request
context like during online compression.

Change-Id: Iccb9b8cd30b7a61435f9ccc813c4032a24cbe52a
Closes-Bug: #1423783
2015-03-11 10:55:17 -05:00
Steve Lewis
3b55bbb7e0 Remove unused external_vip_address reference
The horizon_fqdn var does not appear to be used anywhere anymore and
external_vip_address is no longer defined so just removed both.

Closes-Bug: 1425953
Change-Id: I282c4722a9eb50c6d0ada3736e4d66ef9b825c4c
2015-03-10 17:18:14 -07:00
Kevin Carter
787bf47d02 Convert existing roles into galaxy roles
This change implements the blueprint to convert all roles and plays into
a more generic setup, following upstream ansible best practices.

Items Changed:
* All tasks have tags.
* All roles use namespaced variables.
* All redundant tasks within a given play and role have been removed.
* All of the repetitive plays have been removed in favor of a more
  simplistic approach. This change duplicates code within the roles but
  ensures that the roles only ever run within their own scope.
* All roles have been built using an ansible galaxy syntax.
* The `*requirement.txt` files have been reformatted to follow upstream
  OpenStack practices.
* Dynamically generated inventory is now more organized, this should assist
  anyone who may want or need to dive into the JSON blob that is created.
  In the inventory a properties field is used for items that customize containers
  within the inventory.
* The environment map has been modified to support additional host groups to
  enable the separation of infrastructure pieces. While the old infra_hosts group
  will still work this change allows for groups to be divided up into separate
  chunks; eg: deployment of a swift only stack.
* The LXC logic now exists within the plays.
* etc/openstack_deploy/user_variables.yml has all password/token
  variables extracted into the separate file
  etc/openstack_deploy/user_secrets.yml in order to allow separate
  security settings on that file.

Items Excised:
* All of the roles have had the LXC logic removed from within them which
  should allow roles to be consumed outside of the `os-ansible-deployment`
  reference architecture.

Note:
* the directory rpc_deployment still exists and is presently pointed at plays
  containing a deprecation warning instructing the user to move to the standard
  playbooks directory.
* While all of the rackspace specific components and variables have been removed
  and/or were refactored the repository still relies on an upstream mirror of
  OpenStack built python files and container images. This upstream mirror is hosted
  at rackspace at "http://rpc-repo.rackspace.com" though this is
  not locked to and/or tied to rackspace specific installations. This repository
  contains all of the needed code to create and/or clone your own mirror.

DocImpact
Co-Authored-By: Jesse Pretorius <jesse.pretorius@rackspace.co.uk>
Closes-Bug: #1403676
Implements: blueprint galaxy-roles
Change-Id: I03df3328b7655f0cc9e43ba83b02623d038d214e
2015-02-18 10:56:25 +00:00