openstack/puppet-openstack-integration
Code Issues Proposed changes

disabling the admin_token after bootstrap

Browse Source 
The keystone documentation highly recommends disabling the admin_token
authentication after the initial bootstrap because it exposes a major
attack vector.

A patch in puppet-keystone [1] added the support to remove
admin_token_auth keyword from the pipeline lists.

This patch aims to use this new class when deploying Keystone.

[1] https://review.openstack.org/#/c/256248

Change-Id: Ic545005122a0f7b92b8a9d3f1e4978b397bfc9c2
This commit is contained in:
Emilien Macchi 2016-02-15 13:16:09 -05:00
parent e75159f71c
commit becca2e139
2 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
manifests/keystone.pp
View File

@ -43,5 +43,16 @@ class openstack_integration::keystone (
class { '::keystone::endpoint': class { '::keystone::endpoint':
default_domain => $default_domain, default_domain => $default_domain,
} }
class { '::keystone::disable_admin_token_auth': }
if $default_domain {
$default_domain_real = $default_domain
} else {
$default_domain_real = 'default'
}
class { '::openstack_extras::auth_file':
password => 'a_big_secret',
project_domain => $default_domain_real,
user_domain => $default_domain_real,
}
} }

1
manifests/provision.pp
View File

@ -88,4 +88,5 @@ class openstack_integration::provision {
# source => '/home/jenkins/cache/files/cirros-0.3.4-x86_64-disk.img', # source => '/home/jenkins/cache/files/cirros-0.3.4-x86_64-disk.img',
source => 'http://download.cirros-cloud.net/0.3.4/cirros-0.3.4-x86_64-disk.img', source => 'http://download.cirros-cloud.net/0.3.4/cirros-0.3.4-x86_64-disk.img',
} }
Keystone_user_role['admin@openstack'] -> Glance_image<||>
} }