Retire project

Change-Id: I9471d2c2cda98fd13940c4c6f3e4bf482ce6aa6f

.gitignore

@@ -1,4 +0,0 @@
-tests/build/
-*.swp
-*.pyc
-.ropeproject

.gitreview

@@ -1,4 +0,0 @@
-[gerrit]
-host=review.openstack.org
-port=29418
-project=openstack/salt-formula-keystone.git

CHANGELOG.rst

@@ -1,10 +0,0 @@
-keystone formula
-================
-
-2016.4.1 (2016-04-15)
-
-- second release
-
-0.0.1 (2015-08-03)
-
-- Initial formula setup

FORMULA

@@ -1,8 +0,0 @@
-name: keystone
-os: Debian, RedHat
-os_family: Debian, RedHat
-version: 201606
-release: 1
-summary: Formula for installing and configuring keystone
-description: Formula for installing and configuring keystone
-top_level_dir: keystone

LICENSE

@@ -1,201 +0,0 @@
-                                 Apache License
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
-
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
-
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS
-
-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "[]"
-      replaced with your own identifying information. (Don't include
-      the brackets!) The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright [yyyy] [name of copyright owner]
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.

Makefile

@@ -1,26 +0,0 @@
-DESTDIR=/
-SALTENVDIR=/usr/share/salt-formulas/env
-RECLASSDIR=/usr/share/salt-formulas/reclass
-FORMULANAME=$(shell grep name: metadata.yml|head -1|cut -d : -f 2|grep -Eo '[a-z0-9\-]*')
-
-all:
-	@echo "make install - Install into DESTDIR"
-	@echo "make test    - Run tests"
-	@echo "make clean   - Cleanup after tests run"
-
-install:
-	# Formula
-	[ -d $(DESTDIR)/$(SALTENVDIR) ] || mkdir -p $(DESTDIR)/$(SALTENVDIR)
-	cp -a $(FORMULANAME) $(DESTDIR)/$(SALTENVDIR)/
-	[ ! -d _modules ] || cp -a _modules $(DESTDIR)/$(SALTENVDIR)/
-	[ ! -d _states ] || cp -a _states $(DESTDIR)/$(SALTENVDIR)/ || true
-	# Metadata
-	[ -d $(DESTDIR)/$(RECLASSDIR)/service/$(FORMULANAME) ] || mkdir -p $(DESTDIR)/$(RECLASSDIR)/service/$(FORMULANAME)
-	cp -a metadata/service/* $(DESTDIR)/$(RECLASSDIR)/service/$(FORMULANAME)
-
-test:
-	[ ! -d tests ] || (cd tests; ./run_tests.sh)
-
-clean:
-	[ ! -d tests/build ] || rm -rf tests/build
-	[ ! -d build ] || rm -rf build

README.rst

@@ -1,421 +1,9 @@
-==================
+Project moved
-OpenStack Keystone
+=============
-==================
 
-Keystone provides authentication, authorization and service discovery
+This repository as a part of openstack-salt project was moved to join rest of
-mechanisms via HTTP primarily for use by projects in the OpenStack family. It
+salt-formulas ecosystem.
-is most commonly deployed as an HTTP interface to existing identity systems,
-such as LDAP.
 
-From Kilo release Keystone v3 endpoint has definition without version in url
+Github: https://github.com/salt-formulas
-
+Launchpad https://launchpad.net/salt-formulas
-.. code-block:: bash
+IRC: #salt-formulas @ irc.freenode.net
-
-  +----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+
-  |                id                |   region  |        publicurl         |       internalurl        |          adminurl         |            service_id            |
-  +----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+
-  | 91663a8db11c487c9253c8c456863494 | RegionOne | http://10.0.150.37:5000/ | http://10.0.150.37:5000/ | http://10.0.150.37:35357/ | 0fd2dba3153d45a1ba7f709cfc2d69c9 |
-  +----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+
-
-
-Sample pillars
-==============
-
-.. caution::
-
-    When you use localhost as your database host (keystone:server:
-    atabase:host), sqlalchemy will try to connect to /var/run/mysql/
-    mysqld.sock, may cause issues if you located your mysql socket elsewhere
-
-Full stacked keystone
-
-.. code-block:: yaml
-
-    keystone:
-      server:
-        enabled: true
-        version: juno
-        service_token: 'service_tokeen'
-        service_tenant: service
-        service_password: 'servicepwd'
-        admin_tenant: admin
-        admin_name: admin
-        admin_password: 'adminpwd'
-        admin_email: stackmaster@domain.com
-        roles:
-          - admin
-          - Member
-          - image_manager
-        bind:
-          address: 0.0.0.0
-          private_address: 127.0.0.1
-          private_port: 35357
-          public_address: 127.0.0.1
-          public_port: 5000
-        api_version: 2.0
-        region: RegionOne
-        database:
-          engine: mysql
-          host: '127.0.0.1'
-          name: 'keystone'
-          password: 'LfTno5mYdZmRfoPV'
-          user: 'keystone'
-
-Keystone public HTTPS API
-
-.. code-block:: yaml
-
-    keystone:
-      server:
-        enabled: true
-        version: juno
-        ...
-        services:
-        - name: nova
-          type: compute
-          description: OpenStack Compute Service
-          user:
-            name: nova
-            password: password
-          bind:
-            public_address: cloud.domain.com
-            public_protocol: https
-            public_port: 8774
-            internal_address: 10.0.0.20
-            internal_port: 8774
-            admin_address: 10.0.0.20
-            admin_port: 8774
-
-Keystone memcached storage for tokens
-
-.. code-block:: yaml
-
-    keystone:
-      server:
-        enabled: true
-        version: juno
-        ...
-        token_store: cache
-        cache:
-          engine: memcached
-          host: 127.0.0.1
-          port: 11211
-        services:
-        ...
-
-Keystone clustered memcached storage for tokens
-
-.. code-block:: yaml
-
-    keystone:
-      server:
-        enabled: true
-        version: juno
-        ...
-        token_store: cache
-        cache:
-          engine: memcached
-          members:
-          - host: 192.160.0.1
-            port: 11211
-          - host: 192.160.0.2
-            port: 11211
-        services:
-        ...
-
-Keystone client
-
-.. code-block:: yaml
-
-    keystone:
-      client:
-        enabled: true
-        server:
-          host: 10.0.0.2
-          public_port: 5000
-          private_port: 35357
-          service_token: 'token'
-          admin_tenant: admin
-          admin_name: admin
-          admin_password: 'passwd'
-
-Keystone cluster
-
-.. code-block:: yaml
-
-    keystone:
-      control:
-        enabled: true
-        provider:
-          os15_token:
-            host: 10.0.0.2
-            port: 35357
-            token: token
-          os15_tcp_core_stg:
-            host: 10.0.0.5
-            port: 5000
-            tenant: admin
-            name: admin
-            password: password
-
-Keystone fernet tokens for OpenStack Kilo release
-
-.. code-block:: yaml
-
-    keystone:
-      server:
-        ...
-        tokens:
-          engine: fernet
-          max_active_keys: 3
-        ...
-
-Keystone domain with LDAP backend, using SQL for role/project assignment
-
-.. code-block:: yaml
-
-    keystone:
-      server:
-        domain:
-          description: "Testing domain"
-          backend: ldap
-          assignment:
-            backend: sql
-          ldap:
-            url: "ldaps://idm.domain.com"
-            suffix: "dc=cloud,dc=domain,dc=com"
-            # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
-            uid: keystone
-            password: password
-
-Using LDAP backend for default domain
-
-.. code-block:: yaml
-
-    keystone:
-      server:
-        backend: ldap
-        assignment:
-          backend: sql
-        ldap:
-          url: "ldaps://idm.domain.com"
-          suffix: "dc=cloud,dc=domain,dc=com"
-          # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
-          uid: keystone
-          password: password
-
-Simple service endpoint definition (defaults to RegionOne)
-
-.. code-block:: yaml
-
-    keystone:
-      server:
-        service:
-          ceilometer:
-            type: metering
-            description: OpenStack Telemetry Service
-            user:
-              name: ceilometer
-              password: password
-            bind:
-              ...
-
-Region-aware service endpoints definition
-
-.. code-block:: yaml
-
-    keystone:
-      server:
-        service:
-          ceilometer_region01:
-            service: ceilometer
-            type: metering
-            region: region01
-            description: OpenStack Telemetry Service
-            user:
-              name: ceilometer
-              password: password
-            bind:
-              ...
-          ceilometer_region02:
-            service: ceilometer
-            type: metering
-            region: region02
-            description: OpenStack Telemetry Service
-            bind:
-              ...
-
-Enable ceilometer notifications
-
-.. code-block:: yaml
-
-    keystone:
-      server:
-        notification: true
-        message_queue:
-          engine: rabbitmq
-          host: 127.0.0.1
-          port: 5672
-          user: openstack
-          password: password
-          virtual_host: '/openstack'
-          ha_queues: true
-
-Client-side RabbitMQ HA setup
-
-.. code-block:: yaml
-
-    keystone:
-      server:
-        ....
-        message_queue:
-          engine: rabbitmq
-          members:
-            - host: 10.0.16.1
-            - host: 10.0.16.2
-            - host: 10.0.16.3
-          user: openstack
-          password: pwd
-          virtual_host: '/openstack'
-        ....
-
-Enable CADF audit notification
-
-.. code-block:: yaml
-
-    keystone:
-      server:
-        notification: true
-        notification_format: cadf
-
-Run keystone under Apache
-
-.. code-block:: yaml
-
-    keystone:
-      server:
-        service_name: apache2
-    apache:
-      server:
-        enabled: true
-        default_mpm: event
-        site:
-          keystone:
-            enabled: true
-            type: keystone
-            name: wsgi
-            host:
-              name: ${linux:network:fqdn}
-        modules:
-          - wsgi
-
-Enable Federated keystone
-
-.. code-block:: yaml
-
-    keystone:
-      server:
-        websso:
-          protocol: saml2
-          remote_id_attribute: Shib-Identity-Provider
-          federation_driver: keystone.contrib.federation.backends.sql.Federation
-          trusted_dashboard:
-            - http://${_param:proxy_vip_address_public}/horizon/auth/websso/
-    apache:
-      server:
-        pkgs:
-          - apache2
-          - libapache2-mod-shib2
-        modules:
-          - wsgi
-          - shib2
-
-Keystone client
----------------
-
-Service endpoints enforcement with service token
-
-.. code-block:: yaml
-
-    keystone:
-      client:
-        enabled: true
-        server:
-          keystone01:
-            admin:
-              host: 10.0.0.2
-              port: 35357
-              token: 'service_token'
-            service:
-              nova:
-                type: compute
-                description: OpenStack Compute Service
-                endpoints:
-                - region: region01
-                  public_address: 172.16.10.1
-                  public_port: 8773
-                  public_path: '/v2'
-                  internal_address: 172.16.10.1
-                  internal_port: 8773
-                  internal_path: '/v2'
-                  admin_address: 172.16.10.1
-                  admin_port: 8773
-                  admin_path: '/v2'
-
-Project, users, roles enforcement with admin user
-
-.. code-block:: yaml
-
-    keystone:
-      client:
-        enabled: true
-        server:
-          keystone01:
-            admin:
-              host: 10.0.0.2
-              port: 5000
-              project: 'token'
-              user: admin
-              password: 'passwd'
-            roles:
-            - admin
-            - member
-            project:
-              tenant01:
-                description: "test env"
-                user:
-                  user01:
-                    email: jdoe@domain.com
-                    is_admin: true
-                    password: some
-                  user02:
-                    email: jdoe2@domain.com
-                    password: some
-                    roles:
-                    - custom-roles
-
-Documentation and Bugs
-======================
-
-To learn how to deploy OpenStack Salt, consult the documentation available
-online at:
-
-    https://wiki.openstack.org/wiki/OpenStackSalt
-
-In the unfortunate event that bugs are discovered, they should be reported to
-the appropriate bug tracker. If you obtained the software from a 3rd party
-operating system vendor, it is often wise to use their own bug tracker for
-reporting problems. In all other cases use the master OpenStack bug tracker,
-available at:
-
-    http://bugs.launchpad.net/openstack-salt
-
-Developers wishing to work on the OpenStack Salt project should always base
-their work on the latest formulas code, available from the master GIT
-repository at:
-
-    https://git.openstack.org/cgit/openstack/salt-formula-keystone
-
-Developers should also join the discussion on the IRC list, at:
-
-    https://wiki.openstack.org/wiki/Meetings/openstack-salt

VERSION

@@ -1 +0,0 @@
-2016.4.1

bindep.txt

@@ -1,2 +0,0 @@
-python-yaml
-

doc/source/conf.py

@@ -1,73 +0,0 @@
-# -*- coding: utf-8 -*-
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#    http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-# implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-import os
-import sys
-
-sys.path.insert(0, os.path.abspath('../..'))
-# -- General configuration ----------------------------------------------------
-
-# Add any Sphinx extension module names here, as strings. They can be
-# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
-extensions = [
-    'sphinx.ext.autodoc',
-]
-
-# autodoc generation is a bit aggressive and a nuisance when doing heavy
-# text edit cycles.
-# execute "export SPHINX_DEBUG=1" in your terminal to disable
-
-# The suffix of source filenames.
-source_suffix = '.rst'
-
-# The master toctree document.
-master_doc = 'index'
-
-# General information about the project.
-project = u'salt-formula-keystone'
-copyright = u'2015, OpenStack Foundation'
-
-# If true, '()' will be appended to :func: etc. cross-reference text.
-add_function_parentheses = True
-
-# If true, the current module name will be prepended to all description
-# unit titles (such as .. function::).
-add_module_names = True
-
-# The name of the Pygments (syntax highlighting) style to use.
-pygments_style = 'sphinx'
-
-# -- Options for HTML output --------------------------------------------------
-
-# The theme to use for HTML and HTML Help pages.  Major themes that come with
-# Sphinx are currently 'default' and 'sphinxdoc'.
-# html_theme_path = ["."]
-# html_theme = '_theme'
-# html_static_path = ['static']
-
-# Output file base name for HTML help builder.
-htmlhelp_basename = '%sdoc' % project
-
-# Grouping the document tree into LaTeX files. List of tuples
-# (source start file, target name, title, author, documentclass
-# [howto/manual]).
-latex_documents = [
-    ('index',
-     '%s.tex' % project,
-     u'%s Documentation' % project,
-     u'OpenStack Foundation', 'manual'),
-]
-
-# Example configuration for intersphinx: refer to the Python standard library.
-# intersphinx_mapping = {'http://docs.python.org/': None}

doc/source/index.rst

@@ -1 +0,0 @@
-.. include:: ../../README.rst

keystone/client/init.sls

@@ -1,5 +0,0 @@
-
-include:
-- keystone.client.service
-- keystone.client.project
-- keystone.client.server

keystone/client/project.sls

@@ -1,65 +0,0 @@
-{%- from "keystone/map.jinja" import client with context %}
-{%- if client.enabled %}
-
-{%- if client.tenant is defined %}
-
-keystone_salt_config:
-  file.managed:
-    - name: /etc/salt/minion.d/keystone.conf
-    - template: jinja
-    - source: salt://keystone/files/salt-minion.conf
-    - mode: 600
-
-keystone_client_roles:
-  keystone.role_present:
-  - names: {{ client.roles }}
-  - connection_user: {{ client.server.user }}
-  - connection_password: {{ client.server.password }}
-  - connection_tenant: {{ client.server.tenant }}
-  - connection_auth_url: 'http://{{ client.server.host }}:{{ client.server.public_port }}/v2.0/'
-  - require:
-    - file: keystone_salt_config
-
-{%- for tenant_name, tenant in client.get('tenant', {}).iteritems() %}
-
-keystone_tenant_{{ tenant_name }}:
-  keystone.tenant_present:
-  - name: {{ tenant_name }}
-  - connection_user: {{ client.server.user }}
-  - connection_password: {{ client.server.password }}
-  - connection_tenant: {{ client.server.tenant }}
-  - connection_auth_url: 'http://{{ client.server.host }}:{{ client.server.public_port }}/v2.0/'
-  - require:
-    - keystone: keystone_client_roles
-
-{%- for user_name, user in tenant.get('user', {}).iteritems() %}
-
-keystone_{{ tenant_name }}_user_{{ user_name }}:
-  keystone.user_present:
-  - name: {{ user_name }}
-  - password: {{ user.password }}
-  - email: {{ user.get('email', 'root@localhost') }}
-  - tenant: {{ tenant_name }}
-  - roles:
-      "{{ tenant_name }}":
-        {%- if user.get('is_admin', False) %}
-        - admin
-        {%- elif user.get('roles', False) %}
-        {{ user.roles }}
-        {%- else %}
-        - Member
-        {%- endif %}
-  - connection_user: {{ client.server.user }}
-  - connection_password: {{ client.server.password }}
-  - connection_tenant: {{ client.server.tenant }}
-  - connection_auth_url: 'http://{{ client.server.host }}:{{ client.server.public_port }}/v2.0/'
-  - require:
-    - keystone: keystone_tenant_{{ tenant_name }}
-
-{%- endfor %}
-
-{%- endfor %}
-
-{%- endif %}
-
-{%- endif %}

keystone/client/server.sls

@@ -1,144 +0,0 @@
-{%- from "keystone/map.jinja" import client with context %}
-{%- if client.enabled %}
-
-{%- for server_name, server in client.get('server', {}).iteritems() %}
-
-{%- if server.admin.get('api_version', '2') == '3' %}
-{%- set version = "v3" %}
-{%- else %}
-{%- set version = "v2.0" %}
-{%- endif %}
-
-{%- if server.admin.get('protocol', 'http') == 'http' %}
-{%- set protocol = 'http' %}
-{%- else %}
-{%- set protocol = 'https' %}
-{%- endif %}
-
-
-{%- if server.admin.token is defined %}
-{%- set connection_args = {'endpoint': protocol+'://'+server.admin.host+':'+server.admin.port|string+'/'+version,
-                           'token': server.admin.token} %}
-{%- else %}
-{%- set connection_args = {'auth_url': protocol+'://'+server.admin.host+':'+server.admin.port|string+'/'+version,
-                           'tenant': server.admin.project,
-                           'user': server.admin.user,
-                           'password': server.admin.password} %}
-{%- endif %}
-
-{%- if server.roles is defined %}
-
-keystone_{{ server_name }}_roles:
-  keystone.role_present:
-  - names: {{ server.roles }}
-  {%- if server.admin.token is defined %}
-  - connection_token: {{ connection_args.token }}
-  - connection_endpoint: {{ connection_args.endpoint }}
-  {%- else %}
-  - connection_user: {{ connection_args.user }}
-  - connection_password: {{ connection_args.password }}
-  - connection_tenant: {{ connection_args.tenant }}
-  - connection_auth_url: {{ connection_args.auth_url }}
-  {%- endif %}
-
-{%- endif %}
-
-{% for service_name, service in server.get('service', {}).iteritems() %}
-
-keystone_{{ server_name }}_service_{{ service_name }}:
-  keystone.service_present:
-  - name: {{ service_name }}
-  - service_type: {{ service.type }}
-  - description: {{ service.description }}
-  {%- if server.admin.token is defined %}
-  - connection_token: {{ connection_args.token }}
-  - connection_endpoint: {{ connection_args.endpoint }}
-  {%- else %}
-  - connection_user: {{ connection_args.user }}
-  - connection_password: {{ connection_args.password }}
-  - connection_tenant: {{ connection_args.tenant }}
-  - connection_auth_url: {{ connection_args.auth_url }}
-  {%- endif %}
-
-{%- for endpoint in service.get('endpoints', ()) %}
-
-keystone_{{ server_name }}_service_{{ service_name }}_endpoint_{{ endpoint.region }}:
-  keystone.endpoint_present:
-  - name: {{ service_name }}
-  - publicurl: '{{ endpoint.get('public_protocol', 'http') }}://{{ endpoint.public_address }}:{{ endpoint.public_port }}{{ endpoint.public_path }}'
-  - internalurl: '{{ endpoint.get('internal_protocol', 'http') }}://{{ endpoint.internal_address }}:{{ endpoint.internal_port }}{{ endpoint.internal_path }}'
-  - adminurl: '{{ endpoint.get('admin_protocol', 'http') }}://{{ endpoint.admin_address }}:{{ endpoint.admin_port }}{{ endpoint.admin_path }}'
-  - region: {{ endpoint.region }}
-  - require:
-    - keystone: keystone_{{ server_name }}_service_{{ service_name }}
-  {%- if server.admin.token is defined %}
-  - connection_token: {{ connection_args.token }}
-  - connection_endpoint: {{ connection_args.endpoint }}
-  {%- else %}
-  - connection_user: {{ connection_args.user }}
-  - connection_password: {{ connection_args.password }}
-  - connection_tenant: {{ connection_args.tenant }}
-  - connection_auth_url: {{ connection_args.auth_url }}
-  {%- endif %}
-
-{%- endfor %}
-
-{%- endfor %}
-
-{%- for tenant_name, tenant in server.get('project', {}).iteritems() %}
-
-keystone_{{ server_name }}_tenant_{{ tenant_name }}:
-  keystone.tenant_present:
-  - name: {{ tenant_name }}
-  {%- if tenant.description is defined %}
-  - description: {{ tenant.description }}
-  {%- endif %}
-  {%- if server.admin.token is defined %}
-  - connection_token: {{ connection_args.token }}
-  - connection_endpoint: {{ connection_args.endpoint }}
-  {%- else %}
-  - connection_user: {{ connection_args.user }}
-  - connection_password: {{ connection_args.password }}
-  - connection_tenant: {{ connection_args.tenant }}
-  - connection_auth_url: {{ connection_args.auth_url }}
-  {%- endif %}
-
-{%- for user_name, user in tenant.get('user', {}).iteritems() %}
-
-keystone_{{ server_name }}_tenant_{{ tenant_name }}_user_{{ user_name }}:
-  keystone.user_present:
-  - name: {{ user_name }}
-  - password: {{ user.password }}
-  {%- if user.email is defined %}
-  - email: {{ user.email }}
-  {%- endif %}
-  - tenant: {{ tenant_name }}
-  - roles:
-      "{{ tenant_name }}":
-        {%- if user.get('is_admin', False) %}
-        - admin
-        {%- elif user.get('roles', False) %}
-        {{ user.roles }}
-        {%- else %}
-        - Member
-        {%- endif %}
-  - require:
-    - keystone: keystone_{{ server_name }}_tenant_{{ tenant_name }}
-    - keystone: keystone_{{ server_name }}_roles
-  {%- if server.admin.token is defined %}
-  - connection_token: {{ connection_args.token }}
-  - connection_endpoint: {{ connection_args.endpoint }}
-  {%- else %}
-  - connection_user: {{ connection_args.user }}
-  - connection_password: {{ connection_args.password }}
-  - connection_tenant: {{ connection_args.tenant }}
-  - connection_auth_url: {{ connection_args.auth_url }}
-  {%- endif %}
-
-{%- endfor %}
-
-{%- endfor %}
-
-{%- endfor %}
-
-{%- endif %}

keystone/client/service.sls

@@ -1,8 +0,0 @@
-{%- from "keystone/map.jinja" import client with context %}
-{%- if client.enabled %}
-
-keystone_client_packages:
-  pkg.installed:
-  - names: {{ client.pkgs }}
-
-{%- endif %}

keystone/control.sls

@@ -1,11 +0,0 @@
-{%- from "keystone/map.jinja" import control with context %}
-{%- for provider_name, provider in control.get('provider', {}).iteritems() %}
-
-/root/keystonerc_{{ provider_name }}:
-  file.managed:
-  - source: salt://keystone/files/keystonerc_user
-  - template: jinja
-  - defaults:
-      provider_name: "{{ provider_name }}"
-
-{%- endfor %}

keystone/files/_ldap.conf

@@ -1,59 +0,0 @@
-
-[ldap]
-url = {{ ldap.url }}
-user = uid={{ ldap.get("uid", "keystone") }},cn=users,cn=accounts,{{ ldap.suffix }}
-password = {{ ldap.password }}
-suffix = {{ ldap.suffix }}
-
-# User mapping
-user_tree_dn = cn=users,cn=accounts,{{ ldap.suffix }}
-user_objectclass = person
-user_id_attribute = uid
-user_name_attribute = uid
-user_mail_attribute = mail
-{%- if ldap.get('read_only', True) %}
-user_allow_create = false
-user_allow_update = false
-user_allow_delete = false
-{%- endif %}
-user_enabled_attribute = nsAccountLock
-user_enabled_default = False
-user_enabled_invert = true
-{%- if ldap.get('filter', {}).get('user', False) %}
-user_filter = {{ ldap.filter.user }}
-{%- endif %}
-
-# Group mapping
-group_tree_dn = cn=groups,cn=accounts,{{ ldap.suffix }}
-group_objectclass = groupOfNames
-group_id_attribute = cn
-group_name_attribute = cn
-group_member_attribute = member
-group_desc_attribute = description
-{%- if ldap.get('read_only', True) %}
-group_allow_create = false
-group_allow_update = false
-group_allow_delete = false
-{%- endif %}
-
-{%- if ldap.tls is defined %}
-
-{%- if ldap.tls.get("enabled", False) %}
-use_tls = true
-{%- endif %}
-
-{%- if ldap.tls.cacertdir is defined %}
-tls_cacertdir = {{ ldap.tls.cacertdir }}
-{%- endif %}
-
-{%- if ldap.tls.cacert is defined %}
-tls_cacertfile = /etc/keystone/domains/{{ domain_name }}.pem
-{%- elif ldap.tls.cacertfile is defined %}
-tls_cacertfile = {{ ldap.tls.cacertfile }}
-{%- endif %}
-
-{%- if ldap.tls.req_cert is defined %}
-tls_req_cert = {{ ldap.tls.req_cert }}
-{%- endif %}
-
-{%- endif %}

keystone/files/apache.conf

@@ -1,2 +0,0 @@
-{%- from "keystone/map.jinja" import server with context %}
-{%- include "keystone/files/"+server.version+"/wsgi-keystone.conf" %}

keystone/files/collectd_check_openstack_api.conf

@@ -1,10 +0,0 @@
-Import "check_openstack_api"
-
-<Module "check_openstack_api">
-    KeystoneUrl "{{ plugin.url }}"
-    Username "{{ plugin.username }}"
-    Password "{{ plugin.password }}"
-    Tenant "{{ plugin.tenant }}"
-    MaxRetries "2"
-    Timeout "20"
-</Module>

keystone/files/collectd_openstack_keystone.conf

@@ -1,10 +0,0 @@
-Import "openstack_keystone"
-
-<Module "openstack_keystone">
-    KeystoneUrl "{{ plugin.url }}"
-    Username "{{ plugin.username }}"
-    Password "{{ plugin.password }}"
-    Tenant "{{ plugin.tenant }}"
-    MaxRetries "2"
-    Timeout "20"
-</Module>

keystone/files/entrypoint.sh

@@ -1,14 +0,0 @@
-{%- from "keystone/map.jinja" import server with context -%}
-#!/bin/bash -e
-
-cat /srv/salt/pillar/keystone-server.sls | envsubst > /tmp/keystone-server.sls
-mv /tmp/keystone-server.sls /srv/salt/pillar/keystone-server.sls
-
-salt-call --local --retcode-passthrough state.highstate
-service {{ server.service_name }} stop || true
-
-su keystone --shell=/bin/sh -c '/usr/bin/keystone-all --config-file=/etc/keystone/keystone.conf'
-
-{#-
-vim: syntax=jinja
--#}

keystone/files/heka.toml

@@ -1,13 +0,0 @@
-[logstreamer_keystone]
-type = "LogstreamerInput"
-log_directory = "/var/log/keystone"
-file_match = '(?P<Service>.+)\.log\.?(?P<Index>\d*)?(.gz)?'
-differentiator = ['keystone','_','Service']
-priority = ["^Index"]
-decoder = "openstack"
-oldest_duration = "168h"
-
-[openstack]
-type = "SandboxDecoder"
-filename = "lua_modules/decoders/openstack.lua"
-module_directory = "/usr/share/heka/lua_modules;/usr/share/heka/lua_modules/common"

keystone/files/juno/keystone-paste.ini.Debian

@@ -1,121 +0,0 @@
-# Keystone PasteDeploy configuration file.
-
-[filter:debug]
-paste.filter_factory = keystone.common.wsgi:Debug.factory
-
-[filter:build_auth_context]
-paste.filter_factory = keystone.middleware:AuthContextMiddleware.factory
-
-[filter:token_auth]
-paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory
-
-[filter:admin_token_auth]
-paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory
-
-[filter:xml_body]
-paste.filter_factory = keystone.middleware:XmlBodyMiddleware.factory
-
-[filter:xml_body_v2]
-paste.filter_factory = keystone.middleware:XmlBodyMiddlewareV2.factory
-
-[filter:xml_body_v3]
-paste.filter_factory = keystone.middleware:XmlBodyMiddlewareV3.factory
-
-[filter:json_body]
-paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory
-
-[filter:user_crud_extension]
-paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory
-
-[filter:crud_extension]
-paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory
-
-[filter:ec2_extension]
-paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory
-
-[filter:ec2_extension_v3]
-paste.filter_factory = keystone.contrib.ec2:Ec2ExtensionV3.factory
-
-[filter:federation_extension]
-paste.filter_factory = keystone.contrib.federation.routers:FederationExtension.factory
-
-[filter:oauth1_extension]
-paste.filter_factory = keystone.contrib.oauth1.routers:OAuth1Extension.factory
-
-[filter:s3_extension]
-paste.filter_factory = keystone.contrib.s3:S3Extension.factory
-
-[filter:endpoint_filter_extension]
-paste.filter_factory = keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory
-
-[filter:endpoint_policy_extension]
-paste.filter_factory = keystone.contrib.endpoint_policy.routers:EndpointPolicyExtension.factory
-
-[filter:simple_cert_extension]
-paste.filter_factory = keystone.contrib.simple_cert:SimpleCertExtension.factory
-
-[filter:revoke_extension]
-paste.filter_factory = keystone.contrib.revoke.routers:RevokeExtension.factory
-
-[filter:url_normalize]
-paste.filter_factory = keystone.middleware:NormalizingFilter.factory
-
-[filter:sizelimit]
-paste.filter_factory = keystone.middleware:RequestBodySizeLimiter.factory
-
-[filter:stats_monitoring]
-paste.filter_factory = keystone.contrib.stats:StatsMiddleware.factory
-
-[filter:stats_reporting]
-paste.filter_factory = keystone.contrib.stats:StatsExtension.factory
-
-[filter:access_log]
-paste.filter_factory = keystone.contrib.access:AccessLogMiddleware.factory
-
-[app:public_service]
-paste.app_factory = keystone.service:public_app_factory
-
-[app:service_v3]
-paste.app_factory = keystone.service:v3_app_factory
-
-[app:admin_service]
-paste.app_factory = keystone.service:admin_app_factory
-
-[pipeline:public_api]
-# The last item in this pipeline must be public_service or an equivalent
-# application. It cannot be a filter.
-pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth xml_body_v2 json_body ec2_extension user_crud_extension public_service
-
-[pipeline:admin_api]
-# The last item in this pipeline must be admin_service or an equivalent
-# application. It cannot be a filter.
-pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth xml_body_v2 json_body ec2_extension s3_extension crud_extension admin_service
-
-[pipeline:api_v3]
-# The last item in this pipeline must be service_v3 or an equivalent
-# application. It cannot be a filter.
-pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth xml_body_v3 json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension service_v3
-
-[app:public_version_service]
-paste.app_factory = keystone.service:public_version_app_factory
-
-[app:admin_version_service]
-paste.app_factory = keystone.service:admin_version_app_factory
-
-[pipeline:public_version_api]
-pipeline = sizelimit url_normalize xml_body public_version_service
-
-[pipeline:admin_version_api]
-pipeline = sizelimit url_normalize xml_body admin_version_service
-
-[composite:main]
-use = egg:Paste#urlmap
-/v2.0 = public_api
-/v3 = api_v3
-/ = public_version_api
-
-[composite:admin]
-use = egg:Paste#urlmap
-/v2.0 = admin_api
-/v3 = api_v3
-/ = admin_version_api

keystone/files/juno/keystone-paste.ini.RedHat

@@ -1 +0,0 @@
-keystone-paste.ini.Debian

keystone/files/juno/keystone.conf.Redhat

@@ -1 +0,0 @@
-keystone.conf.Debian

keystone/files/juno/policy-v2.json

@@ -1,171 +0,0 @@
-{
-    "admin_required": "role:admin or is_admin:1",
-    "service_role": "role:service",
-    "service_or_admin": "rule:admin_required or rule:service_role",
-    "owner" : "user_id:%(user_id)s",
-    "admin_or_owner": "rule:admin_required or rule:owner",
-
-    "default": "rule:admin_required",
-
-    "identity:get_region": "",
-    "identity:list_regions": "",
-    "identity:create_region": "rule:admin_required",
-    "identity:update_region": "rule:admin_required",
-    "identity:delete_region": "rule:admin_required",
-
-    "identity:get_service": "rule:admin_required",
-    "identity:list_services": "rule:admin_required",
-    "identity:create_service": "rule:admin_required",
-    "identity:update_service": "rule:admin_required",
-    "identity:delete_service": "rule:admin_required",
-
-    "identity:get_endpoint": "rule:admin_required",
-    "identity:list_endpoints": "rule:admin_required",
-    "identity:create_endpoint": "rule:admin_required",
-    "identity:update_endpoint": "rule:admin_required",
-    "identity:delete_endpoint": "rule:admin_required",
-
-    "identity:get_domain": "rule:admin_required",
-    "identity:list_domains": "rule:admin_required",
-    "identity:create_domain": "rule:admin_required",
-    "identity:update_domain": "rule:admin_required",
-    "identity:delete_domain": "rule:admin_required",
-
-    "identity:get_project": "rule:admin_required",
-    "identity:list_projects": "rule:admin_required",
-    "identity:list_user_projects": "rule:admin_or_owner",
-    "identity:create_project": "rule:admin_required",
-    "identity:update_project": "rule:admin_required",
-    "identity:delete_project": "rule:admin_required",
-
-    "identity:get_user": "rule:admin_required",
-    "identity:list_users": "rule:admin_required",
-    "identity:create_user": "rule:admin_required",
-    "identity:update_user": "rule:admin_required",
-    "identity:delete_user": "rule:admin_required",
-    "identity:change_password": "rule:admin_or_owner",
-
-    "identity:get_group": "rule:admin_required",
-    "identity:list_groups": "rule:admin_required",
-    "identity:list_groups_for_user": "rule:admin_or_owner",
-    "identity:create_group": "rule:admin_required",
-    "identity:update_group": "rule:admin_required",
-    "identity:delete_group": "rule:admin_required",
-    "identity:list_users_in_group": "rule:admin_required",
-    "identity:remove_user_from_group": "rule:admin_required",
-    "identity:check_user_in_group": "rule:admin_required",
-    "identity:add_user_to_group": "rule:admin_required",
-
-    "identity:get_credential": "rule:admin_required",
-    "identity:list_credentials": "rule:admin_required",
-    "identity:create_credential": "rule:admin_required",
-    "identity:update_credential": "rule:admin_required",
-    "identity:delete_credential": "rule:admin_required",
-
-    "identity:ec2_get_credential": "rule:admin_or_owner",
-    "identity:ec2_list_credentials": "rule:admin_or_owner",
-    "identity:ec2_create_credential": "rule:admin_or_owner",
-    "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
-
-    "identity:get_role": "rule:admin_required",
-    "identity:list_roles": "rule:admin_required",
-    "identity:create_role": "rule:admin_required",
-    "identity:update_role": "rule:admin_required",
-    "identity:delete_role": "rule:admin_required",
-
-    "identity:check_grant": "rule:admin_required",
-    "identity:list_grants": "rule:admin_required",
-    "identity:create_grant": "rule:admin_required",
-    "identity:revoke_grant": "rule:admin_required",
-
-    "identity:list_role_assignments": "rule:admin_required",
-
-    "identity:get_policy": "rule:admin_required",
-    "identity:list_policies": "rule:admin_required",
-    "identity:create_policy": "rule:admin_required",
-    "identity:update_policy": "rule:admin_required",
-    "identity:delete_policy": "rule:admin_required",
-
-    "identity:check_token": "rule:admin_required",
-    "identity:validate_token": "rule:service_or_admin",
-    "identity:validate_token_head": "rule:service_or_admin",
-    "identity:revocation_list": "rule:service_or_admin",
-    "identity:revoke_token": "rule:admin_or_owner",
-
-    "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
-    "identity:get_trust": "rule:admin_or_owner",
-    "identity:list_trusts": "",
-    "identity:list_roles_for_trust": "",
-    "identity:check_role_for_trust": "",
-    "identity:get_role_for_trust": "",
-    "identity:delete_trust": "",
-
-    "identity:create_consumer": "rule:admin_required",
-    "identity:get_consumer": "rule:admin_required",
-    "identity:list_consumers": "rule:admin_required",
-    "identity:delete_consumer": "rule:admin_required",
-    "identity:update_consumer": "rule:admin_required",
-
-    "identity:authorize_request_token": "rule:admin_required",
-    "identity:list_access_token_roles": "rule:admin_required",
-    "identity:get_access_token_role": "rule:admin_required",
-    "identity:list_access_tokens": "rule:admin_required",
-    "identity:get_access_token": "rule:admin_required",
-    "identity:delete_access_token": "rule:admin_required",
-
-    "identity:list_projects_for_endpoint": "rule:admin_required",
-    "identity:add_endpoint_to_project": "rule:admin_required",
-    "identity:check_endpoint_in_project": "rule:admin_required",
-    "identity:list_endpoints_for_project": "rule:admin_required",
-    "identity:remove_endpoint_from_project": "rule:admin_required",
-
-    "identity:create_endpoint_group": "rule:admin_required",
-    "identity:list_endpoint_groups": "rule:admin_required",
-    "identity:get_endpoint_group": "rule:admin_required",
-    "identity:update_endpoint_group": "rule:admin_required",
-    "identity:delete_endpoint_group": "rule:admin_required",
-    "identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
-    "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
-    "identity:list_endpoint_groups_for_project": "rule:admin_required",
-    "identity:add_endpoint_group_to_project": "rule:admin_required",
-    "identity:remove_endpoint_group_from_project": "rule:admin_required",
-
-    "identity:create_identity_provider": "rule:admin_required",
-    "identity:list_identity_providers": "rule:admin_required",
-    "identity:get_identity_providers": "rule:admin_required",
-    "identity:update_identity_provider": "rule:admin_required",
-    "identity:delete_identity_provider": "rule:admin_required",
-
-    "identity:create_protocol": "rule:admin_required",
-    "identity:update_protocol": "rule:admin_required",
-    "identity:get_protocol": "rule:admin_required",
-    "identity:list_protocols": "rule:admin_required",
-    "identity:delete_protocol": "rule:admin_required",
-
-    "identity:create_mapping": "rule:admin_required",
-    "identity:get_mapping": "rule:admin_required",
-    "identity:list_mappings": "rule:admin_required",
-    "identity:delete_mapping": "rule:admin_required",
-    "identity:update_mapping": "rule:admin_required",
-
-    "identity:get_auth_catalog": "",
-    "identity:get_auth_projects": "",
-    "identity:get_auth_domains": "",
-
-    "identity:list_projects_for_groups": "",
-    "identity:list_domains_for_groups": "",
-
-    "identity:list_revoke_events": "",
-
-    "identity:create_policy_association_for_endpoint": "rule:admin_required",
-    "identity:check_policy_association_for_endpoint": "rule:admin_required",
-    "identity:delete_policy_association_for_endpoint": "rule:admin_required",
-    "identity:create_policy_association_for_service": "rule:admin_required",
-    "identity:check_policy_association_for_service": "rule:admin_required",
-    "identity:delete_policy_association_for_service": "rule:admin_required",
-    "identity:create_policy_association_for_region_and_service": "rule:admin_required",
-    "identity:check_policy_association_for_region_and_service": "rule:admin_required",
-    "identity:delete_policy_association_for_region_and_service": "rule:admin_required",
-    "identity:get_policy_for_endpoint": "rule:admin_required",
-    "identity:list_endpoints_for_policy": "rule:admin_required"
-}

keystone/files/juno/wsgi-keystone.conf

@@ -1,8 +0,0 @@
-WSGIScriptAlias /keystone/main  /var/www/cgi-bin/keystone/main
-WSGIScriptAlias /keystone/admin  /var/www/cgi-bin/keystone/admin
-
-<Location "/keystone">
- NSSRequireSSL
- Authtype none
-</Location>
-

keystone/files/keystone.domain.conf

@@ -1,21 +0,0 @@
-{% from "keystone/map.jinja" import server with context %}
-{%- set domain = server.domain.get(domain_name) %}
-
-{%- if domain.get("backend", "sql") == "ldap" %}
-{%- set ldap = domain.ldap %}
-{% include "keystone/files/_ldap.conf" %}
-{%- endif %}
-
-[identity]
-{%- if domain.get("backend", "sql") == "ldap" %}
-driver = keystone.identity.backends.ldap.Identity
-{%- else %}
-driver = keystone.identity.backends.sql.Identity
-{%- endif %}
-
-[assignment]
-{%- if domain.get("assignment", {}).get("backend", "sql") == "ldap" %}
-driver = keystone.assignment.backends.ldap.Assignment
-{%- else %}
-driver = keystone.assignment.backends.sql.Assignment
-{%- endif %}

keystone/files/keystonerc

@@ -1,8 +0,0 @@
-{%- set server = pillar.keystone.server %}
-export OS_USERNAME={{ server.admin_name }}
-export OS_PASSWORD={{ server.admin_password }}
-export OS_TENANT_NAME={{ server.admin_tenant }}
-export OS_AUTH_URL=http://{{ server.bind.private_address }}:{{ server.bind.private_port }}/v2.0
-export OS_REGION_NAME={{ server.region }}
-export OS_SERVICE_TOKEN={{ server.service_token }}
-export OS_SERVICE_ENDPOINT="http://{{ server.bind.private_address }}:{{ server.bind.private_port }}/v2.0/"

keystone/files/keystonerc_user

@@ -1,13 +0,0 @@
-{%- set cluster = pillar.keystone.cluster %}
-{%- set provider = salt['pillar.get']('keystone:control:provider:'+provider_name) %}
-{%- if provider.user is defined %}
-export OS_USERNAME={{ provider.user }}
-export OS_PASSWORD={{ provider.password }}
-export OS_TENANT_NAME={{ provider.tenant }}
-export OS_AUTH_URL=http://{{ provider.host }}:{{ provider.port }}/{{ provider.get('version', 'v2.0') }}
-{%- endif %}
-{%- if provider.token is defined %}
-export OS_SERVICE_TOKEN={{ provider.token }}
-export OS_SERVICE_ENDPOINT="http://{{ provider.host }}:{{ provider.port }}/{{ provider.get('version', 'v2.0') }}/"
-{%- endif %}
-export OS_AUTH_STRATEGY=keystone

keystone/files/keystonercv3

@@ -1,10 +0,0 @@
-{%- set server = pillar.keystone.server %}
-export OS_IDENTITY_API_VERSION=3
-export OS_AUTH_URL=http://{{ server.bind.private_address }}:{{ server.bind.private_port }}/v3
-export OS_PROJECT_DOMAIN_NAME=default
-export OS_USER_DOMAIN_NAME=default
-export OS_PROJECT_NAME={{ server.admin_tenant }}
-export OS_TENANT_NAME={{ server.admin_tenant }}
-export OS_USERNAME={{ server.admin_name }}
-export OS_PASSWORD={{ server.admin_password }}
-export OS_REGION_NAME={{ server.region }}

keystone/files/kilo/keystone-paste.ini.Debian

@@ -1,106 +0,0 @@
-# Keystone PasteDeploy configuration file.
-
-[filter:debug]
-paste.filter_factory = keystone.common.wsgi:Debug.factory
-
-[filter:request_id]
-paste.filter_factory = oslo_middleware:RequestId.factory
-
-[filter:build_auth_context]
-paste.filter_factory = keystone.middleware:AuthContextMiddleware.factory
-
-[filter:token_auth]
-paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory
-
-[filter:admin_token_auth]
-paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory
-
-[filter:json_body]
-paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory
-
-[filter:user_crud_extension]
-paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory
-
-[filter:crud_extension]
-paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory
-
-[filter:ec2_extension]
-paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory
-
-[filter:ec2_extension_v3]
-paste.filter_factory = keystone.contrib.ec2:Ec2ExtensionV3.factory
-
-[filter:federation_extension]
-paste.filter_factory = keystone.contrib.federation.routers:FederationExtension.factory
-
-[filter:oauth1_extension]
-paste.filter_factory = keystone.contrib.oauth1.routers:OAuth1Extension.factory
-
-[filter:s3_extension]
-paste.filter_factory = keystone.contrib.s3:S3Extension.factory
-
-[filter:endpoint_filter_extension]
-paste.filter_factory = keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory
-
-[filter:endpoint_policy_extension]
-paste.filter_factory = keystone.contrib.endpoint_policy.routers:EndpointPolicyExtension.factory
-
-[filter:simple_cert_extension]
-paste.filter_factory = keystone.contrib.simple_cert:SimpleCertExtension.factory
-
-[filter:revoke_extension]
-paste.filter_factory = keystone.contrib.revoke.routers:RevokeExtension.factory
-
-[filter:url_normalize]
-paste.filter_factory = keystone.middleware:NormalizingFilter.factory
-
-[filter:sizelimit]
-paste.filter_factory = oslo_middleware.sizelimit:RequestBodySizeLimiter.factory
-
-[app:public_service]
-paste.app_factory = keystone.service:public_app_factory
-
-[app:service_v3]
-paste.app_factory = keystone.service:v3_app_factory
-
-[app:admin_service]
-paste.app_factory = keystone.service:admin_app_factory
-
-[pipeline:public_api]
-# The last item in this pipeline must be public_service or an equivalent
-# application. It cannot be a filter.
-pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension user_crud_extension public_service
-
-[pipeline:admin_api]
-# The last item in this pipeline must be admin_service or an equivalent
-# application. It cannot be a filter.
-pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension crud_extension admin_service
-
-[pipeline:api_v3]
-# The last item in this pipeline must be service_v3 or an equivalent
-# application. It cannot be a filter.
-pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension oauth1_extension endpoint_filter_extension endpoint_policy_extension service_v3
-
-[app:public_version_service]
-paste.app_factory = keystone.service:public_version_app_factory
-
-[app:admin_version_service]
-paste.app_factory = keystone.service:admin_version_app_factory
-
-[pipeline:public_version_api]
-pipeline = sizelimit url_normalize public_version_service
-
-[pipeline:admin_version_api]
-pipeline = sizelimit url_normalize admin_version_service
-
-[composite:main]
-use = egg:Paste#urlmap
-/v2.0 = public_api
-/v3 = api_v3
-/ = public_version_api
-
-[composite:admin]
-use = egg:Paste#urlmap
-/v2.0 = admin_api
-/v3 = api_v3
-/ = admin_version_api

keystone/files/kilo/keystone-paste.ini.RedHat

@@ -1 +0,0 @@
-keystone-paste.ini.Debian

keystone/files/kilo/keystone.conf.RedHat

@@ -1 +0,0 @@
-keystone.conf.Debian

keystone/files/kilo/policy-v2.json

@@ -1,184 +0,0 @@
-{
-    "admin_required": "role:admin or is_admin:1",
-    "service_role": "role:service",
-    "service_or_admin": "rule:admin_required or rule:service_role",
-    "owner" : "user_id:%(user_id)s",
-    "admin_or_owner": "rule:admin_required or rule:owner",
-    "token_subject": "user_id:%(target.token.user_id)s",
-    "admin_or_token_subject": "rule:admin_required or rule:token_subject",
-    "service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject",
-
-    "default": "rule:admin_required",
-
-    "identity:get_region": "",
-    "identity:list_regions": "",
-    "identity:create_region": "rule:admin_required",
-    "identity:update_region": "rule:admin_required",
-    "identity:delete_region": "rule:admin_required",
-
-    "identity:get_service": "rule:admin_required",
-    "identity:list_services": "rule:admin_required",
-    "identity:create_service": "rule:admin_required",
-    "identity:update_service": "rule:admin_required",
-    "identity:delete_service": "rule:admin_required",
-
-    "identity:get_endpoint": "rule:admin_required",
-    "identity:list_endpoints": "rule:admin_required",
-    "identity:create_endpoint": "rule:admin_required",
-    "identity:update_endpoint": "rule:admin_required",
-    "identity:delete_endpoint": "rule:admin_required",
-
-    "identity:get_domain": "rule:admin_required",
-    "identity:list_domains": "rule:admin_required",
-    "identity:create_domain": "rule:admin_required",
-    "identity:update_domain": "rule:admin_required",
-    "identity:delete_domain": "rule:admin_required",
-
-    "identity:get_project": "rule:admin_required",
-    "identity:list_projects": "rule:admin_required",
-    "identity:list_user_projects": "rule:admin_or_owner",
-    "identity:create_project": "rule:admin_required",
-    "identity:update_project": "rule:admin_required",
-    "identity:delete_project": "rule:admin_required",
-
-    "identity:get_user": "rule:admin_required",
-    "identity:list_users": "rule:admin_required",
-    "identity:create_user": "rule:admin_required",
-    "identity:update_user": "rule:admin_required",
-    "identity:delete_user": "rule:admin_required",
-    "identity:change_password": "rule:admin_or_owner",
-
-    "identity:get_group": "rule:admin_required",
-    "identity:list_groups": "rule:admin_required",
-    "identity:list_groups_for_user": "rule:admin_or_owner",
-    "identity:create_group": "rule:admin_required",
-    "identity:update_group": "rule:admin_required",
-    "identity:delete_group": "rule:admin_required",
-    "identity:list_users_in_group": "rule:admin_required",
-    "identity:remove_user_from_group": "rule:admin_required",
-    "identity:check_user_in_group": "rule:admin_required",
-    "identity:add_user_to_group": "rule:admin_required",
-
-    "identity:get_credential": "rule:admin_required",
-    "identity:list_credentials": "rule:admin_required",
-    "identity:create_credential": "rule:admin_required",
-    "identity:update_credential": "rule:admin_required",
-    "identity:delete_credential": "rule:admin_required",
-
-    "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
-    "identity:ec2_list_credentials": "rule:admin_or_owner",
-    "identity:ec2_create_credential": "rule:admin_or_owner",
-    "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
-
-    "identity:get_role": "rule:admin_required",
-    "identity:list_roles": "rule:admin_required",
-    "identity:create_role": "rule:admin_required",
-    "identity:update_role": "rule:admin_required",
-    "identity:delete_role": "rule:admin_required",
-
-    "identity:check_grant": "rule:admin_required",
-    "identity:list_grants": "rule:admin_required",
-    "identity:create_grant": "rule:admin_required",
-    "identity:revoke_grant": "rule:admin_required",
-
-    "identity:list_role_assignments": "rule:admin_required",
-
-    "identity:get_policy": "rule:admin_required",
-    "identity:list_policies": "rule:admin_required",
-    "identity:create_policy": "rule:admin_required",
-    "identity:update_policy": "rule:admin_required",
-    "identity:delete_policy": "rule:admin_required",
-
-    "identity:check_token": "rule:admin_or_token_subject",
-    "identity:validate_token": "rule:service_admin_or_token_subject",
-    "identity:validate_token_head": "rule:service_or_admin",
-    "identity:revocation_list": "rule:service_or_admin",
-    "identity:revoke_token": "rule:admin_or_token_subject",
-
-    "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
-    "identity:list_trusts": "",
-    "identity:list_roles_for_trust": "",
-    "identity:get_role_for_trust": "",
-    "identity:delete_trust": "",
-
-    "identity:create_consumer": "rule:admin_required",
-    "identity:get_consumer": "rule:admin_required",
-    "identity:list_consumers": "rule:admin_required",
-    "identity:delete_consumer": "rule:admin_required",
-    "identity:update_consumer": "rule:admin_required",
-
-    "identity:authorize_request_token": "rule:admin_required",
-    "identity:list_access_token_roles": "rule:admin_required",
-    "identity:get_access_token_role": "rule:admin_required",
-    "identity:list_access_tokens": "rule:admin_required",
-    "identity:get_access_token": "rule:admin_required",
-    "identity:delete_access_token": "rule:admin_required",
-
-    "identity:list_projects_for_endpoint": "rule:admin_required",
-    "identity:add_endpoint_to_project": "rule:admin_required",
-    "identity:check_endpoint_in_project": "rule:admin_required",
-    "identity:list_endpoints_for_project": "rule:admin_required",
-    "identity:remove_endpoint_from_project": "rule:admin_required",
-
-    "identity:create_endpoint_group": "rule:admin_required",
-    "identity:list_endpoint_groups": "rule:admin_required",
-    "identity:get_endpoint_group": "rule:admin_required",
-    "identity:update_endpoint_group": "rule:admin_required",
-    "identity:delete_endpoint_group": "rule:admin_required",
-    "identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
-    "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
-    "identity:get_endpoint_group_in_project": "rule:admin_required",
-    "identity:list_endpoint_groups_for_project": "rule:admin_required",
-    "identity:add_endpoint_group_to_project": "rule:admin_required",
-    "identity:remove_endpoint_group_from_project": "rule:admin_required",
-
-    "identity:create_identity_provider": "rule:admin_required",
-    "identity:list_identity_providers": "rule:admin_required",
-    "identity:get_identity_providers": "rule:admin_required",
-    "identity:update_identity_provider": "rule:admin_required",
-    "identity:delete_identity_provider": "rule:admin_required",
-
-    "identity:create_protocol": "rule:admin_required",
-    "identity:update_protocol": "rule:admin_required",
-    "identity:get_protocol": "rule:admin_required",
-    "identity:list_protocols": "rule:admin_required",
-    "identity:delete_protocol": "rule:admin_required",
-
-    "identity:create_mapping": "rule:admin_required",
-    "identity:get_mapping": "rule:admin_required",
-    "identity:list_mappings": "rule:admin_required",
-    "identity:delete_mapping": "rule:admin_required",
-    "identity:update_mapping": "rule:admin_required",
-
-    "identity:create_service_provider": "rule:admin_required",
-    "identity:list_service_providers": "rule:admin_required",
-    "identity:get_service_provider": "rule:admin_required",
-    "identity:update_service_provider": "rule:admin_required",
-    "identity:delete_service_provider": "rule:admin_required",
-
-    "identity:get_auth_catalog": "",
-    "identity:get_auth_projects": "",
-    "identity:get_auth_domains": "",
-
-    "identity:list_projects_for_groups": "",
-    "identity:list_domains_for_groups": "",
-
-    "identity:list_revoke_events": "",
-
-    "identity:create_policy_association_for_endpoint": "rule:admin_required",
-    "identity:check_policy_association_for_endpoint": "rule:admin_required",
-    "identity:delete_policy_association_for_endpoint": "rule:admin_required",
-    "identity:create_policy_association_for_service": "rule:admin_required",
-    "identity:check_policy_association_for_service": "rule:admin_required",
-    "identity:delete_policy_association_for_service": "rule:admin_required",
-    "identity:create_policy_association_for_region_and_service": "rule:admin_required",
-    "identity:check_policy_association_for_region_and_service": "rule:admin_required",
-    "identity:delete_policy_association_for_region_and_service": "rule:admin_required",
-    "identity:get_policy_for_endpoint": "rule:admin_required",
-    "identity:list_endpoints_for_policy": "rule:admin_required",
-
-    "identity:create_domain_config": "rule:admin_required",
-    "identity:get_domain_config": "rule:admin_required",
-    "identity:update_domain_config": "rule:admin_required",
-    "identity:delete_domain_config": "rule:admin_required"
-}

keystone/files/kilo/policy-v3.json

@@ -1,195 +0,0 @@
-{
-    "admin_required": "role:admin",
-    "cloud_admin": "rule:admin_required and domain_id:default",
-    "service_role": "role:service",
-    "service_or_admin": "rule:admin_required or rule:service_role",
-    "owner" : "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
-    "admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
-    "admin_or_cloud_admin": "rule:admin_required or rule:cloud_admin",
-    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
-    "service_admin_or_owner": "rule:service_or_admin or rule:owner",
-
-    "default": "rule:admin_required",
-
-    "identity:get_region": "",
-    "identity:list_regions": "",
-    "identity:create_region": "rule:cloud_admin",
-    "identity:update_region": "rule:cloud_admin",
-    "identity:delete_region": "rule:cloud_admin",
-
-    "identity:get_service": "rule:admin_or_cloud_admin",
-    "identity:list_services": "rule:admin_or_cloud_admin",
-    "identity:create_service": "rule:cloud_admin",
-    "identity:update_service": "rule:cloud_admin",
-    "identity:delete_service": "rule:cloud_admin",
-
-    "identity:get_endpoint": "rule:admin_or_cloud_admin",
-    "identity:list_endpoints": "rule:admin_or_cloud_admin",
-    "identity:create_endpoint": "rule:cloud_admin",
-    "identity:update_endpoint": "rule:cloud_admin",
-    "identity:delete_endpoint": "rule:cloud_admin",
-
-    "identity:get_domain": "rule:cloud_admin or rule:admin_and_matching_domain_id",
-    "identity:list_domains": "rule:cloud_admin",
-    "identity:create_domain": "rule:cloud_admin",
-    "identity:update_domain": "rule:cloud_admin",
-    "identity:delete_domain": "rule:cloud_admin",
-
-    "admin_and_matching_target_project_domain_id": "rule:admin_required and domain_id:%(target.project.domain_id)s",
-    "admin_and_matching_project_domain_id": "rule:admin_required and domain_id:%(project.domain_id)s",
-    "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
-    "identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id",
-    "identity:list_user_projects": "rule:owner or rule:admin_and_matching_domain_id",
-    "identity:create_project": "rule:cloud_admin or rule:admin_and_matching_project_domain_id",
-    "identity:update_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
-    "identity:delete_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
-
-    "admin_and_matching_target_user_domain_id": "rule:admin_required and domain_id:%(target.user.domain_id)s",
-    "admin_and_matching_user_domain_id": "rule:admin_required and domain_id:%(user.domain_id)s",
-    "identity:get_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
-    "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
-    "identity:create_user": "rule:cloud_admin or rule:admin_and_matching_user_domain_id",
-    "identity:update_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
-    "identity:delete_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
-
-    "admin_and_matching_target_group_domain_id": "rule:admin_required and domain_id:%(target.group.domain_id)s",
-    "admin_and_matching_group_domain_id": "rule:admin_required and domain_id:%(group.domain_id)s",
-    "identity:get_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
-    "identity:list_groups": "rule:cloud_admin or rule:admin_and_matching_domain_id",
-    "identity:list_groups_for_user": "rule:owner or rule:admin_and_matching_domain_id",
-    "identity:create_group": "rule:cloud_admin or rule:admin_and_matching_group_domain_id",
-    "identity:update_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
-    "identity:delete_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
-    "identity:list_users_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
-    "identity:remove_user_from_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
-    "identity:check_user_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
-    "identity:add_user_to_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
-
-    "identity:get_credential": "rule:admin_required",
-    "identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
-    "identity:create_credential": "rule:admin_required",
-    "identity:update_credential": "rule:admin_required",
-    "identity:delete_credential": "rule:admin_required",
-
-    "identity:ec2_get_credential": "rule:admin_or_cloud_admin or (rule:owner and user_id:%(target.credential.user_id)s)",
-    "identity:ec2_list_credentials": "rule:admin_or_cloud_admin or rule:owner",
-    "identity:ec2_create_credential": "rule:admin_or_cloud_admin or rule:owner",
-    "identity:ec2_delete_credential": "rule:admin_or_cloud_admin or (rule:owner and user_id:%(target.credential.user_id)s)",
-
-    "identity:get_role": "rule:admin_or_cloud_admin",
-    "identity:list_roles": "rule:admin_or_cloud_admin",
-    "identity:create_role": "rule:cloud_admin",
-    "identity:update_role": "rule:cloud_admin",
-    "identity:delete_role": "rule:cloud_admin",
-
-    "domain_admin_for_grants": "rule:admin_required and (domain_id:%(domain_id)s or domain_id:%(target.project.domain_id)s)",
-    "project_admin_for_grants": "rule:admin_required and project_id:%(project_id)s",
-    "identity:check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
-    "identity:list_grants": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
-    "identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
-    "identity:revoke_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
-
-    "admin_on_domain_filter" : "rule:admin_required and domain_id:%(scope.domain.id)s",
-    "admin_on_project_filter" : "rule:admin_required and project_id:%(scope.project.id)s",
-    "identity:list_role_assignments": "rule:cloud_admin or rule:admin_on_domain_filter or rule:admin_on_project_filter",
-
-    "identity:get_policy": "rule:cloud_admin",
-    "identity:list_policies": "rule:cloud_admin",
-    "identity:create_policy": "rule:cloud_admin",
-    "identity:update_policy": "rule:cloud_admin",
-    "identity:delete_policy": "rule:cloud_admin",
-
-    "identity:change_password": "rule:owner",
-    "identity:check_token": "rule:admin_or_owner",
-    "identity:validate_token": "rule:service_admin_or_owner",
-    "identity:validate_token_head": "rule:service_or_admin",
-    "identity:revocation_list": "rule:service_or_admin",
-    "identity:revoke_token": "rule:admin_or_owner",
-
-    "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
-    "identity:list_trusts": "",
-    "identity:list_roles_for_trust": "",
-    "identity:get_role_for_trust": "",
-    "identity:delete_trust": "",
-
-    "identity:create_consumer": "rule:admin_required",
-    "identity:get_consumer": "rule:admin_required",
-    "identity:list_consumers": "rule:admin_required",
-    "identity:delete_consumer": "rule:admin_required",
-    "identity:update_consumer": "rule:admin_required",
-
-    "identity:authorize_request_token": "rule:admin_required",
-    "identity:list_access_token_roles": "rule:admin_required",
-    "identity:get_access_token_role": "rule:admin_required",
-    "identity:list_access_tokens": "rule:admin_required",
-    "identity:get_access_token": "rule:admin_required",
-    "identity:delete_access_token": "rule:admin_required",
-
-    "identity:list_projects_for_endpoint": "rule:admin_required",
-    "identity:add_endpoint_to_project": "rule:admin_required",
-    "identity:check_endpoint_in_project": "rule:admin_required",
-    "identity:list_endpoints_for_project": "rule:admin_required",
-    "identity:remove_endpoint_from_project": "rule:admin_required",
-
-    "identity:create_endpoint_group": "rule:admin_required",
-    "identity:list_endpoint_groups": "rule:admin_required",
-    "identity:get_endpoint_group": "rule:admin_required",
-    "identity:update_endpoint_group": "rule:admin_required",
-    "identity:delete_endpoint_group": "rule:admin_required",
-    "identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
-    "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
-    "identity:get_endpoint_group_in_project": "rule:admin_required",
-    "identity:list_endpoint_groups_for_project": "rule:admin_required",
-    "identity:add_endpoint_group_to_project": "rule:admin_required",
-    "identity:remove_endpoint_group_from_project": "rule:admin_required",
-
-    "identity:create_identity_provider": "rule:cloud_admin",
-    "identity:list_identity_providers": "rule:cloud_admin",
-    "identity:get_identity_providers": "rule:cloud_admin",
-    "identity:update_identity_provider": "rule:cloud_admin",
-    "identity:delete_identity_provider": "rule:cloud_admin",
-
-    "identity:create_protocol": "rule:cloud_admin",
-    "identity:update_protocol": "rule:cloud_admin",
-    "identity:get_protocol": "rule:cloud_admin",
-    "identity:list_protocols": "rule:cloud_admin",
-    "identity:delete_protocol": "rule:cloud_admin",
-
-    "identity:create_mapping": "rule:cloud_admin",
-    "identity:get_mapping": "rule:cloud_admin",
-    "identity:list_mappings": "rule:cloud_admin",
-    "identity:delete_mapping": "rule:cloud_admin",
-    "identity:update_mapping": "rule:cloud_admin",
-
-    "identity:create_service_provider": "rule:cloud_admin",
-    "identity:list_service_providers": "rule:cloud_admin",
-    "identity:get_service_provider": "rule:cloud_admin",
-    "identity:update_service_provider": "rule:cloud_admin",
-    "identity:delete_service_provider": "rule:cloud_admin",
-
-    "identity:get_auth_catalog": "",
-    "identity:get_auth_projects": "",
-    "identity:get_auth_domains": "",
-
-    "identity:list_projects_for_groups": "",
-    "identity:list_domains_for_groups": "",
-
-    "identity:list_revoke_events": "",
-
-    "identity:create_policy_association_for_endpoint": "rule:cloud_admin",
-    "identity:check_policy_association_for_endpoint": "rule:cloud_admin",
-    "identity:delete_policy_association_for_endpoint": "rule:cloud_admin",
-    "identity:create_policy_association_for_service": "rule:cloud_admin",
-    "identity:check_policy_association_for_service": "rule:cloud_admin",
-    "identity:delete_policy_association_for_service": "rule:cloud_admin",
-    "identity:create_policy_association_for_region_and_service": "rule:cloud_admin",
-    "identity:check_policy_association_for_region_and_service": "rule:cloud_admin",
-    "identity:delete_policy_association_for_region_and_service": "rule:cloud_admin",
-    "identity:get_policy_for_endpoint": "rule:cloud_admin",
-    "identity:list_endpoints_for_policy": "rule:cloud_admin",
-
-    "identity:create_domain_config": "rule:cloud_admin",
-    "identity:get_domain_config": "rule:cloud_admin",
-    "identity:update_domain_config": "rule:cloud_admin",
-    "identity:delete_domain_config": "rule:cloud_admin"
-}

keystone/files/kilo/wsgi-keystone.conf

@@ -1,38 +0,0 @@
-{%- from "keystone/map.jinja" import server with context %}
-{%- set site = salt['pillar.get']('apache:server:site:'+site_name) %}
-Listen {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:5000
-Listen {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:35357
-
-<VirtualHost {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:5000>
-{%- include "apache/files/_name.conf" %}
-{%- include "apache/files/_ssl.conf" %}
-{%- include "apache/files/_locations.conf" %}
-
-    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone display-name=%{GROUP}
-    WSGIProcessGroup keystone-public
-    WSGIScriptAlias / /var/www/cgi-bin/keystone/main
-    WSGIApplicationGroup %{GLOBAL}
-    WSGIPassAuthorization On
-    <IfVersion >= 2.4>
-      ErrorLogFormat "%{cu}t %M"
-    </IfVersion>
-{%- include "apache/files/_log.conf" %}
-</VirtualHost>
-
-<VirtualHost {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:35357>
-{%- include "apache/files/_name.conf" %}
-{%- include "apache/files/_ssl.conf" %}
-{%- include "apache/files/_locations.conf" %}
-
-    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone display-name=%{GROUP}
-    WSGIProcessGroup keystone-admin
-    WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
-    WSGIApplicationGroup %{GLOBAL}
-    WSGIPassAuthorization On
-    <IfVersion >= 2.4>
-      ErrorLogFormat "%{cu}t %M"
-    </IfVersion>
-    ErrorLog /var/log/apache2/keystone.log
-    CustomLog /var/log/apache2/keystone_access.log combined
-{%- include "apache/files/_log.conf" %}
-</VirtualHost>

keystone/files/liberty/keystone-paste.ini.Debian

@@ -1,103 +0,0 @@
-# Keystone PasteDeploy configuration file.
-
-[filter:debug]
-use = egg:keystone#debug
-
-[filter:request_id]
-use = egg:keystone#request_id
-
-[filter:build_auth_context]
-use = egg:keystone#build_auth_context
-
-[filter:token_auth]
-use = egg:keystone#token_auth
-
-[filter:admin_token_auth]
-use = egg:keystone#admin_token_auth
-
-[filter:json_body]
-use = egg:keystone#json_body
-
-[filter:user_crud_extension]
-use = egg:keystone#user_crud_extension
-
-[filter:crud_extension]
-use = egg:keystone#crud_extension
-
-[filter:ec2_extension]
-use = egg:keystone#ec2_extension
-
-[filter:ec2_extension_v3]
-use = egg:keystone#ec2_extension_v3
-
-[filter:federation_extension]
-use = egg:keystone#federation_extension
-
-[filter:oauth1_extension]
-use = egg:keystone#oauth1_extension
-
-[filter:s3_extension]
-use = egg:keystone#s3_extension
-
-[filter:endpoint_filter_extension]
-use = egg:keystone#endpoint_filter_extension
-
-[filter:simple_cert_extension]
-use = egg:keystone#simple_cert_extension
-
-[filter:revoke_extension]
-use = egg:keystone#revoke_extension
-
-[filter:url_normalize]
-use = egg:keystone#url_normalize
-
-[filter:sizelimit]
-use = egg:keystone#sizelimit
-
-[app:public_service]
-use = egg:keystone#public_service
-
-[app:service_v3]
-use = egg:keystone#service_v3
-
-[app:admin_service]
-use = egg:keystone#admin_service
-
-[pipeline:public_api]
-# The last item in this pipeline must be public_service or an equivalent
-# application. It cannot be a filter.
-pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension user_crud_extension public_service
-
-[pipeline:admin_api]
-# The last item in this pipeline must be admin_service or an equivalent
-# application. It cannot be a filter.
-pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension crud_extension admin_service
-
-[pipeline:api_v3]
-# The last item in this pipeline must be service_v3 or an equivalent
-# application. It cannot be a filter.
-pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension oauth1_extension endpoint_filter_extension service_v3
-
-[app:public_version_service]
-use = egg:keystone#public_version_service
-
-[app:admin_version_service]
-use = egg:keystone#admin_version_service
-
-[pipeline:public_version_api]
-pipeline = sizelimit url_normalize public_version_service
-
-[pipeline:admin_version_api]
-pipeline = sizelimit url_normalize admin_version_service
-
-[composite:main]
-use = egg:Paste#urlmap
-/v2.0 = public_api
-/v3 = api_v3
-/ = public_version_api
-
-[composite:admin]
-use = egg:Paste#urlmap
-/v2.0 = admin_api
-/v3 = api_v3
-/ = admin_version_api

keystone/files/liberty/keystone-paste.ini.RedHat

@@ -1 +0,0 @@
-keystone-paste.ini.Debian

keystone/files/liberty/keystone.conf.Redhat

@@ -1 +0,0 @@
-keystone.conf.Debian

keystone/files/liberty/policy-v2.json

@@ -1,184 +0,0 @@
-{
-    "admin_required": "role:admin or is_admin:1",
-    "service_role": "role:service",
-    "service_or_admin": "rule:admin_required or rule:service_role",
-    "owner" : "user_id:%(user_id)s",
-    "admin_or_owner": "rule:admin_required or rule:owner",
-    "token_subject": "user_id:%(target.token.user_id)s",
-    "admin_or_token_subject": "rule:admin_required or rule:token_subject",
-    "service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject",
-
-    "default": "rule:admin_required",
-
-    "identity:get_region": "",
-    "identity:list_regions": "",
-    "identity:create_region": "rule:admin_required",
-    "identity:update_region": "rule:admin_required",
-    "identity:delete_region": "rule:admin_required",
-
-    "identity:get_service": "rule:admin_required",
-    "identity:list_services": "rule:admin_required",
-    "identity:create_service": "rule:admin_required",
-    "identity:update_service": "rule:admin_required",
-    "identity:delete_service": "rule:admin_required",
-
-    "identity:get_endpoint": "rule:admin_required",
-    "identity:list_endpoints": "rule:admin_required",
-    "identity:create_endpoint": "rule:admin_required",
-    "identity:update_endpoint": "rule:admin_required",
-    "identity:delete_endpoint": "rule:admin_required",
-
-    "identity:get_domain": "rule:admin_required",
-    "identity:list_domains": "rule:admin_required",
-    "identity:create_domain": "rule:admin_required",
-    "identity:update_domain": "rule:admin_required",
-    "identity:delete_domain": "rule:admin_required",
-
-    "identity:get_project": "rule:admin_required",
-    "identity:list_projects": "rule:admin_required",
-    "identity:list_user_projects": "rule:admin_or_owner",
-    "identity:create_project": "rule:admin_required",
-    "identity:update_project": "rule:admin_required",
-    "identity:delete_project": "rule:admin_required",
-
-    "identity:get_user": "rule:admin_required",
-    "identity:list_users": "rule:admin_required",
-    "identity:create_user": "rule:admin_required",
-    "identity:update_user": "rule:admin_required",
-    "identity:delete_user": "rule:admin_required",
-    "identity:change_password": "rule:admin_or_owner",
-
-    "identity:get_group": "rule:admin_required",
-    "identity:list_groups": "rule:admin_required",
-    "identity:list_groups_for_user": "rule:admin_or_owner",
-    "identity:create_group": "rule:admin_required",
-    "identity:update_group": "rule:admin_required",
-    "identity:delete_group": "rule:admin_required",
-    "identity:list_users_in_group": "rule:admin_required",
-    "identity:remove_user_from_group": "rule:admin_required",
-    "identity:check_user_in_group": "rule:admin_required",
-    "identity:add_user_to_group": "rule:admin_required",
-
-    "identity:get_credential": "rule:admin_required",
-    "identity:list_credentials": "rule:admin_required",
-    "identity:create_credential": "rule:admin_required",
-    "identity:update_credential": "rule:admin_required",
-    "identity:delete_credential": "rule:admin_required",
-
-    "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
-    "identity:ec2_list_credentials": "rule:admin_or_owner",
-    "identity:ec2_create_credential": "rule:admin_or_owner",
-    "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
-
-    "identity:get_role": "rule:admin_required",
-    "identity:list_roles": "rule:admin_required",
-    "identity:create_role": "rule:admin_required",
-    "identity:update_role": "rule:admin_required",
-    "identity:delete_role": "rule:admin_required",
-
-    "identity:check_grant": "rule:admin_required",
-    "identity:list_grants": "rule:admin_required",
-    "identity:create_grant": "rule:admin_required",
-    "identity:revoke_grant": "rule:admin_required",
-
-    "identity:list_role_assignments": "rule:admin_required",
-
-    "identity:get_policy": "rule:admin_required",
-    "identity:list_policies": "rule:admin_required",
-    "identity:create_policy": "rule:admin_required",
-    "identity:update_policy": "rule:admin_required",
-    "identity:delete_policy": "rule:admin_required",
-
-    "identity:check_token": "rule:admin_or_token_subject",
-    "identity:validate_token": "rule:service_admin_or_token_subject",
-    "identity:validate_token_head": "rule:service_or_admin",
-    "identity:revocation_list": "rule:service_or_admin",
-    "identity:revoke_token": "rule:admin_or_token_subject",
-
-    "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
-    "identity:list_trusts": "",
-    "identity:list_roles_for_trust": "",
-    "identity:get_role_for_trust": "",
-    "identity:delete_trust": "",
-
-    "identity:create_consumer": "rule:admin_required",
-    "identity:get_consumer": "rule:admin_required",
-    "identity:list_consumers": "rule:admin_required",
-    "identity:delete_consumer": "rule:admin_required",
-    "identity:update_consumer": "rule:admin_required",
-
-    "identity:authorize_request_token": "rule:admin_required",
-    "identity:list_access_token_roles": "rule:admin_required",
-    "identity:get_access_token_role": "rule:admin_required",
-    "identity:list_access_tokens": "rule:admin_required",
-    "identity:get_access_token": "rule:admin_required",
-    "identity:delete_access_token": "rule:admin_required",
-
-    "identity:list_projects_for_endpoint": "rule:admin_required",
-    "identity:add_endpoint_to_project": "rule:admin_required",
-    "identity:check_endpoint_in_project": "rule:admin_required",
-    "identity:list_endpoints_for_project": "rule:admin_required",
-    "identity:remove_endpoint_from_project": "rule:admin_required",
-
-    "identity:create_endpoint_group": "rule:admin_required",
-    "identity:list_endpoint_groups": "rule:admin_required",
-    "identity:get_endpoint_group": "rule:admin_required",
-    "identity:update_endpoint_group": "rule:admin_required",
-    "identity:delete_endpoint_group": "rule:admin_required",
-    "identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
-    "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
-    "identity:get_endpoint_group_in_project": "rule:admin_required",
-    "identity:list_endpoint_groups_for_project": "rule:admin_required",
-    "identity:add_endpoint_group_to_project": "rule:admin_required",
-    "identity:remove_endpoint_group_from_project": "rule:admin_required",
-
-    "identity:create_identity_provider": "rule:admin_required",
-    "identity:list_identity_providers": "rule:admin_required",
-    "identity:get_identity_providers": "rule:admin_required",
-    "identity:update_identity_provider": "rule:admin_required",
-    "identity:delete_identity_provider": "rule:admin_required",
-
-    "identity:create_protocol": "rule:admin_required",
-    "identity:update_protocol": "rule:admin_required",
-    "identity:get_protocol": "rule:admin_required",
-    "identity:list_protocols": "rule:admin_required",
-    "identity:delete_protocol": "rule:admin_required",
-
-    "identity:create_mapping": "rule:admin_required",
-    "identity:get_mapping": "rule:admin_required",
-    "identity:list_mappings": "rule:admin_required",
-    "identity:delete_mapping": "rule:admin_required",
-    "identity:update_mapping": "rule:admin_required",
-
-    "identity:create_service_provider": "rule:admin_required",
-    "identity:list_service_providers": "rule:admin_required",
-    "identity:get_service_provider": "rule:admin_required",
-    "identity:update_service_provider": "rule:admin_required",
-    "identity:delete_service_provider": "rule:admin_required",
-
-    "identity:get_auth_catalog": "",
-    "identity:get_auth_projects": "",
-    "identity:get_auth_domains": "",
-
-    "identity:list_projects_for_groups": "",
-    "identity:list_domains_for_groups": "",
-
-    "identity:list_revoke_events": "",
-
-    "identity:create_policy_association_for_endpoint": "rule:admin_required",
-    "identity:check_policy_association_for_endpoint": "rule:admin_required",
-    "identity:delete_policy_association_for_endpoint": "rule:admin_required",
-    "identity:create_policy_association_for_service": "rule:admin_required",
-    "identity:check_policy_association_for_service": "rule:admin_required",
-    "identity:delete_policy_association_for_service": "rule:admin_required",
-    "identity:create_policy_association_for_region_and_service": "rule:admin_required",
-    "identity:check_policy_association_for_region_and_service": "rule:admin_required",
-    "identity:delete_policy_association_for_region_and_service": "rule:admin_required",
-    "identity:get_policy_for_endpoint": "rule:admin_required",
-    "identity:list_endpoints_for_policy": "rule:admin_required",
-
-    "identity:create_domain_config": "rule:admin_required",
-    "identity:get_domain_config": "rule:admin_required",
-    "identity:update_domain_config": "rule:admin_required",
-    "identity:delete_domain_config": "rule:admin_required"
-}

keystone/files/liberty/wsgi-keystone.conf

@@ -1,92 +0,0 @@
-{%- from "keystone/map.jinja" import server with context %}
-{%- set site = salt['pillar.get']('apache:server:site:'+site_name) %}
-Listen {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:5000
-Listen {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:35357
-
-<VirtualHost {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:5000>
-{%- include "apache/files/_name.conf" %}
-{%- include "apache/files/_ssl.conf" %}
-{%- include "apache/files/_locations.conf" %}
-
-    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
-    WSGIProcessGroup keystone-public
-    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
-    WSGIApplicationGroup %{GLOBAL}
-    WSGIPassAuthorization On
-    ErrorLogFormat "%{cu}t %M"
-{%- include "apache/files/_log.conf" %}
-
-    <Directory /usr/bin>
-      Require all granted
-    </Directory>
-
-    {% if server.websso is defined %}
-    WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/bin/keystone-wsgi-public/$1
-    <Location /Shibboleth.sso>
-      SetHandler shib
-    </Location>
-    <LocationMatch /v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/saml2/websso>
-      ShibRequestSetting requireSession 1
-      AuthType shibboleth
-      ShibExportAssertion Off
-      Require valid-user
-    </LocationMatch>
-    <LocationMatch /v3/auth/OS-FEDERATION/websso/saml2>
-      ShibRequestSetting requireSession 1
-      AuthType shibboleth
-      ShibExportAssertion Off
-      Require valid-user
-    </LocationMatch>
-    <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
-      ShibRequestSetting requireSession 1
-      AuthType shibboleth
-      ShibExportAssertion Off
-      Require valid-user
-    </LocationMatch>
-    {%- endif %}
-
-</VirtualHost>
-
-<VirtualHost {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:35357>
-{%- include "apache/files/_name.conf" %}
-{%- include "apache/files/_ssl.conf" %}
-{%- include "apache/files/_locations.conf" %}
-
-    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
-    WSGIProcessGroup keystone-admin
-    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
-    WSGIApplicationGroup %{GLOBAL}
-    WSGIPassAuthorization On
-    ErrorLogFormat "%{cu}t %M"
-{%- include "apache/files/_log.conf" %}
-
-    <Directory /usr/bin>
-      Require all granted
-    </Directory>
-
-    {% if server.websso is defined %}
-    WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/bin/keystone-wsgi-admin/$1
-    <Location /Shibboleth.sso>
-      SetHandler shib
-    </Location>
-    <LocationMatch /v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/saml2/websso>
-      ShibRequestSetting requireSession 1
-      AuthType shibboleth
-      ShibExportAssertion Off
-      Require valid-user
-    </LocationMatch>
-    <LocationMatch /v3/auth/OS-FEDERATION/websso/saml2>
-      ShibRequestSetting requireSession 1
-      AuthType shibboleth
-      ShibExportAssertion Off
-      Require valid-user
-    </LocationMatch>
-    <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
-      ShibRequestSetting requireSession 1
-      AuthType shibboleth
-      ShibExportAssertion Off
-      Require valid-user
-    </LocationMatch>
-    {%- endif %}
-
-</VirtualHost>

keystone/files/mitaka/keystone-paste.ini.Debian

@@ -1,88 +0,0 @@
-# Keystone PasteDeploy configuration file.
-
-[filter:debug]
-use = egg:oslo.middleware#debug
-
-[filter:request_id]
-use = egg:oslo.middleware#request_id
-
-[filter:build_auth_context]
-use = egg:keystone#build_auth_context
-
-[filter:token_auth]
-use = egg:keystone#token_auth
-
-[filter:admin_token_auth]
-# This is deprecated in the M release and will be removed in the O release.
-# Use `keystone-manage bootstrap` and remove this from the pipelines below.
-use = egg:keystone#admin_token_auth
-
-[filter:json_body]
-use = egg:keystone#json_body
-
-[filter:cors]
-use = egg:oslo.middleware#cors
-oslo_config_project = keystone
-
-[filter:ec2_extension]
-use = egg:keystone#ec2_extension
-
-[filter:ec2_extension_v3]
-use = egg:keystone#ec2_extension_v3
-
-[filter:s3_extension]
-use = egg:keystone#s3_extension
-
-[filter:url_normalize]
-use = egg:keystone#url_normalize
-
-[filter:sizelimit]
-use = egg:oslo.middleware#sizelimit
-
-[app:public_service]
-use = egg:keystone#public_service
-
-[app:service_v3]
-use = egg:keystone#service_v3
-
-[app:admin_service]
-use = egg:keystone#admin_service
-
-[pipeline:public_api]
-# The last item in this pipeline must be public_service or an equivalent
-# application. It cannot be a filter.
-pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension public_service
-
-[pipeline:admin_api]
-# The last item in this pipeline must be admin_service or an equivalent
-# application. It cannot be a filter.
-pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension s3_extension admin_service
-
-[pipeline:api_v3]
-# The last item in this pipeline must be service_v3 or an equivalent
-# application. It cannot be a filter.
-pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
-
-[app:public_version_service]
-use = egg:keystone#public_version_service
-
-[app:admin_version_service]
-use = egg:keystone#admin_version_service
-
-[pipeline:public_version_api]
-pipeline = cors sizelimit url_normalize public_version_service
-
-[pipeline:admin_version_api]
-pipeline = cors sizelimit url_normalize admin_version_service
-
-[composite:main]
-use = egg:Paste#urlmap
-/v2.0 = public_api
-/v3 = api_v3
-/ = public_version_api
-
-[composite:admin]
-use = egg:Paste#urlmap
-/v2.0 = admin_api
-/v3 = api_v3
-/ = admin_version_api

keystone/files/mitaka/keystone-paste.ini.RedHat

@@ -1 +0,0 @@
-keystone-paste.ini.Debian

keystone/files/mitaka/keystone.conf.RedHat

@@ -1 +0,0 @@
-keystone.conf.Debian

keystone/files/mitaka/policy-v2.json

@@ -1,198 +0,0 @@
-{
-    "admin_required": "role:admin or is_admin:1",
-    "service_role": "role:service",
-    "service_or_admin": "rule:admin_required or rule:service_role",
-    "owner" : "user_id:%(user_id)s",
-    "admin_or_owner": "rule:admin_required or rule:owner",
-    "token_subject": "user_id:%(target.token.user_id)s",
-    "admin_or_token_subject": "rule:admin_required or rule:token_subject",
-    "service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject",
-
-    "default": "rule:admin_required",
-
-    "identity:get_region": "",
-    "identity:list_regions": "",
-    "identity:create_region": "rule:admin_required",
-    "identity:update_region": "rule:admin_required",
-    "identity:delete_region": "rule:admin_required",
-
-    "identity:get_service": "rule:admin_required",
-    "identity:list_services": "rule:admin_required",
-    "identity:create_service": "rule:admin_required",
-    "identity:update_service": "rule:admin_required",
-    "identity:delete_service": "rule:admin_required",
-
-    "identity:get_endpoint": "rule:admin_required",
-    "identity:list_endpoints": "rule:admin_required",
-    "identity:create_endpoint": "rule:admin_required",
-    "identity:update_endpoint": "rule:admin_required",
-    "identity:delete_endpoint": "rule:admin_required",
-
-    "identity:get_domain": "rule:admin_required",
-    "identity:list_domains": "rule:admin_required",
-    "identity:create_domain": "rule:admin_required",
-    "identity:update_domain": "rule:admin_required",
-    "identity:delete_domain": "rule:admin_required",
-
-    "identity:get_project": "rule:admin_required or project_id:%(target.project.id)s",
-    "identity:list_projects": "rule:admin_required",
-    "identity:list_user_projects": "rule:admin_or_owner",
-    "identity:create_project": "rule:admin_required",
-    "identity:update_project": "rule:admin_required",
-    "identity:delete_project": "rule:admin_required",
-
-    "identity:get_user": "rule:admin_required",
-    "identity:list_users": "rule:admin_required",
-    "identity:create_user": "rule:admin_required",
-    "identity:update_user": "rule:admin_required",
-    "identity:delete_user": "rule:admin_required",
-    "identity:change_password": "rule:admin_or_owner",
-
-    "identity:get_group": "rule:admin_required",
-    "identity:list_groups": "rule:admin_required",
-    "identity:list_groups_for_user": "rule:admin_or_owner",
-    "identity:create_group": "rule:admin_required",
-    "identity:update_group": "rule:admin_required",
-    "identity:delete_group": "rule:admin_required",
-    "identity:list_users_in_group": "rule:admin_required",
-    "identity:remove_user_from_group": "rule:admin_required",
-    "identity:check_user_in_group": "rule:admin_required",
-    "identity:add_user_to_group": "rule:admin_required",
-
-    "identity:get_credential": "rule:admin_required",
-    "identity:list_credentials": "rule:admin_required",
-    "identity:create_credential": "rule:admin_required",
-    "identity:update_credential": "rule:admin_required",
-    "identity:delete_credential": "rule:admin_required",
-
-    "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
-    "identity:ec2_list_credentials": "rule:admin_or_owner",
-    "identity:ec2_create_credential": "rule:admin_or_owner",
-    "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
-
-    "identity:get_role": "rule:admin_required",
-    "identity:list_roles": "rule:admin_required",
-    "identity:create_role": "rule:admin_required",
-    "identity:update_role": "rule:admin_required",
-    "identity:delete_role": "rule:admin_required",
-    "identity:get_domain_role": "rule:admin_required",
-    "identity:list_domain_roles": "rule:admin_required",
-    "identity:create_domain_role": "rule:admin_required",
-    "identity:update_domain_role": "rule:admin_required",
-    "identity:delete_domain_role": "rule:admin_required",
-
-    "identity:get_implied_role": "rule:admin_required ",
-    "identity:list_implied_roles": "rule:admin_required",
-    "identity:create_implied_role": "rule:admin_required",
-    "identity:delete_implied_role": "rule:admin_required",
-    "identity:list_role_inference_rules": "rule:admin_required",
-    "identity:check_implied_role": "rule:admin_required",
-
-    "identity:check_grant": "rule:admin_required",
-    "identity:list_grants": "rule:admin_required",
-    "identity:create_grant": "rule:admin_required",
-    "identity:revoke_grant": "rule:admin_required",
-
-    "identity:list_role_assignments": "rule:admin_required",
-    "identity:list_role_assignments_for_tree": "rule:admin_required",
-
-    "identity:get_policy": "rule:admin_required",
-    "identity:list_policies": "rule:admin_required",
-    "identity:create_policy": "rule:admin_required",
-    "identity:update_policy": "rule:admin_required",
-    "identity:delete_policy": "rule:admin_required",
-
-    "identity:check_token": "rule:admin_or_token_subject",
-    "identity:validate_token": "rule:service_admin_or_token_subject",
-    "identity:validate_token_head": "rule:service_or_admin",
-    "identity:revocation_list": "rule:service_or_admin",
-    "identity:revoke_token": "rule:admin_or_token_subject",
-
-    "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
-    "identity:list_trusts": "",
-    "identity:list_roles_for_trust": "",
-    "identity:get_role_for_trust": "",
-    "identity:delete_trust": "",
-
-    "identity:create_consumer": "rule:admin_required",
-    "identity:get_consumer": "rule:admin_required",
-    "identity:list_consumers": "rule:admin_required",
-    "identity:delete_consumer": "rule:admin_required",
-    "identity:update_consumer": "rule:admin_required",
-
-    "identity:authorize_request_token": "rule:admin_required",
-    "identity:list_access_token_roles": "rule:admin_required",
-    "identity:get_access_token_role": "rule:admin_required",
-    "identity:list_access_tokens": "rule:admin_required",
-    "identity:get_access_token": "rule:admin_required",
-    "identity:delete_access_token": "rule:admin_required",
-
-    "identity:list_projects_for_endpoint": "rule:admin_required",
-    "identity:add_endpoint_to_project": "rule:admin_required",
-    "identity:check_endpoint_in_project": "rule:admin_required",
-    "identity:list_endpoints_for_project": "rule:admin_required",
-    "identity:remove_endpoint_from_project": "rule:admin_required",
-
-    "identity:create_endpoint_group": "rule:admin_required",
-    "identity:list_endpoint_groups": "rule:admin_required",
-    "identity:get_endpoint_group": "rule:admin_required",
-    "identity:update_endpoint_group": "rule:admin_required",
-    "identity:delete_endpoint_group": "rule:admin_required",
-    "identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
-    "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
-    "identity:get_endpoint_group_in_project": "rule:admin_required",
-    "identity:list_endpoint_groups_for_project": "rule:admin_required",
-    "identity:add_endpoint_group_to_project": "rule:admin_required",
-    "identity:remove_endpoint_group_from_project": "rule:admin_required",
-
-    "identity:create_identity_provider": "rule:admin_required",
-    "identity:list_identity_providers": "rule:admin_required",
-    "identity:get_identity_providers": "rule:admin_required",
-    "identity:update_identity_provider": "rule:admin_required",
-    "identity:delete_identity_provider": "rule:admin_required",
-
-    "identity:create_protocol": "rule:admin_required",
-    "identity:update_protocol": "rule:admin_required",
-    "identity:get_protocol": "rule:admin_required",
-    "identity:list_protocols": "rule:admin_required",
-    "identity:delete_protocol": "rule:admin_required",
-
-    "identity:create_mapping": "rule:admin_required",
-    "identity:get_mapping": "rule:admin_required",
-    "identity:list_mappings": "rule:admin_required",
-    "identity:delete_mapping": "rule:admin_required",
-    "identity:update_mapping": "rule:admin_required",
-
-    "identity:create_service_provider": "rule:admin_required",
-    "identity:list_service_providers": "rule:admin_required",
-    "identity:get_service_provider": "rule:admin_required",
-    "identity:update_service_provider": "rule:admin_required",
-    "identity:delete_service_provider": "rule:admin_required",
-
-    "identity:get_auth_catalog": "",
-    "identity:get_auth_projects": "",
-    "identity:get_auth_domains": "",
-
-    "identity:list_projects_for_groups": "",
-    "identity:list_domains_for_groups": "",
-
-    "identity:list_revoke_events": "",
-
-    "identity:create_policy_association_for_endpoint": "rule:admin_required",
-    "identity:check_policy_association_for_endpoint": "rule:admin_required",
-    "identity:delete_policy_association_for_endpoint": "rule:admin_required",
-    "identity:create_policy_association_for_service": "rule:admin_required",
-    "identity:check_policy_association_for_service": "rule:admin_required",
-    "identity:delete_policy_association_for_service": "rule:admin_required",
-    "identity:create_policy_association_for_region_and_service": "rule:admin_required",
-    "identity:check_policy_association_for_region_and_service": "rule:admin_required",
-    "identity:delete_policy_association_for_region_and_service": "rule:admin_required",
-    "identity:get_policy_for_endpoint": "rule:admin_required",
-    "identity:list_endpoints_for_policy": "rule:admin_required",
-
-    "identity:create_domain_config": "rule:admin_required",
-    "identity:get_domain_config": "rule:admin_required",
-    "identity:update_domain_config": "rule:admin_required",
-    "identity:delete_domain_config": "rule:admin_required",
-    "identity:get_domain_config_default": "rule:admin_required"
-}

keystone/files/mitaka/wsgi-keystone.conf

@@ -1,130 +0,0 @@
-{%- from "keystone/map.jinja" import server with context %}
-{%- set site = salt['pillar.get']('apache:server:site:'+site_name) %}
-Listen {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:5000
-Listen {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:35357
-
-<VirtualHost {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:5000>
-{%- include "apache/files/_name.conf" %}
-{%- include "apache/files/_ssl.conf" %}
-{%- include "apache/files/_locations.conf" %}
-
-    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
-    WSGIProcessGroup keystone-public
-    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
-    WSGIApplicationGroup %{GLOBAL}
-    WSGIPassAuthorization On
-    LimitRequestBody 114688
-    <IfVersion >= 2.4>
-      ErrorLogFormat "%{cu}t %M"
-    </IfVersion>
-{%- include "apache/files/_log.conf" %}
-
-    <Directory /usr/bin>
-        <IfVersion >= 2.4>
-            Require all granted
-        </IfVersion>
-        <IfVersion < 2.4>
-            Order allow,deny
-            Allow from all
-        </IfVersion>
-    </Directory>
-
-    {% if server.websso is defined %}
-    WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/bin/keystone-wsgi-public/$1
-    <Location /Shibboleth.sso>
-      SetHandler shib
-    </Location>
-    <LocationMatch /v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/saml2/websso>
-      ShibRequestSetting requireSession 1
-      AuthType shibboleth
-      ShibExportAssertion Off
-      Require valid-user
-    </LocationMatch>
-    <LocationMatch /v3/auth/OS-FEDERATION/websso/saml2>
-      ShibRequestSetting requireSession 1
-      AuthType shibboleth
-      ShibExportAssertion Off
-      Require valid-user
-    </LocationMatch>
-    <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
-      ShibRequestSetting requireSession 1
-      AuthType shibboleth
-      ShibExportAssertion Off
-      Require valid-user
-    </LocationMatch>
-    {%- endif %}
-
-</VirtualHost>
-
-<VirtualHost {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:35357>
-{%- include "apache/files/_name.conf" %}
-{%- include "apache/files/_ssl.conf" %}
-{%- include "apache/files/_locations.conf" %}
-
-    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
-    WSGIProcessGroup keystone-admin
-    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
-    WSGIApplicationGroup %{GLOBAL}
-    WSGIPassAuthorization On
-    LimitRequestBody 114688
-    <IfVersion >= 2.4>
-      ErrorLogFormat "%{cu}t %M"
-    </IfVersion>
-{%- include "apache/files/_log.conf" %}
-
-    <Directory /usr/bin>
-        <IfVersion >= 2.4>
-            Require all granted
-        </IfVersion>
-        <IfVersion < 2.4>
-            Order allow,deny
-            Allow from all
-        </IfVersion>
-    </Directory>
-
-    {% if server.websso is defined %}
-    WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/bin/keystone-wsgi-admin/$1
-    <Location /Shibboleth.sso>
-      SetHandler shib
-    </Location>
-    <LocationMatch /v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/saml2/websso>
-      ShibRequestSetting requireSession 1
-      AuthType shibboleth
-      ShibExportAssertion Off
-      Require valid-user
-    </LocationMatch>
-    <LocationMatch /v3/auth/OS-FEDERATION/websso/saml2>
-      ShibRequestSetting requireSession 1
-      AuthType shibboleth
-      ShibExportAssertion Off
-      Require valid-user
-    </LocationMatch>
-    <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
-      ShibRequestSetting requireSession 1
-      AuthType shibboleth
-      ShibExportAssertion Off
-      Require valid-user
-    </LocationMatch>
-    {%- endif %}
-
-</VirtualHost>
-
-Alias /identity /usr/bin/keystone-wsgi-public
-<Location /identity>
-    SetHandler wsgi-script
-    Options +ExecCGI
-
-    WSGIProcessGroup keystone-public
-    WSGIApplicationGroup %{GLOBAL}
-    WSGIPassAuthorization On
-</Location>
-
-Alias /identity_admin /usr/bin/keystone-wsgi-admin
-<Location /identity_admin>
-    SetHandler wsgi-script
-    Options +ExecCGI
-
-    WSGIProcessGroup keystone-admin
-    WSGIApplicationGroup %{GLOBAL}
-    WSGIPassAuthorization On
-</Location>

keystone/files/salt-minion.conf

@@ -1,15 +0,0 @@
-{%- if pillar.keystone.get('server', {'enabled': False}).enabled -%}
-{%- from "keystone/map.jinja" import server with context -%}
-keystone.token: '{{ server.service_token }}'
-keystone.endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
-{%- else -%}
-{%- from "keystone/map.jinja" import client with context -%}
-keystone.user: '{{ client.server.user }}'
-keystone.password: '{{ client.server.password }}'
-keystone.tenant: '{{ client.server.tenant }}'
-keystone.auth_url: 'http://{{ client.server.host }}:{{ client.server.public_port }}/v2.0/'
-{%- endif %}
-
-{#-
-vim: syntax=jinja
--#}

keystone/files/sso_callback_template.html

@@ -1,22 +0,0 @@
-<!DOCTYPE html>
-<html xmlns="http://www.w3.org/1999/xhtml">
-  <head>
-    <title>Keystone WebSSO redirect</title>
-  </head>
-  <body>
-     <form id="sso" name="sso" action="$host" method="post">
-       Please wait...
-       <br/>
-       <input type="hidden" name="token" id="token" value="$token"/>
-       <noscript>
-         <input type="submit" name="submit_no_javascript" id="submit_no_javascript"
-            value="If your JavaScript is disabled, please click to continue"/>
-       </noscript>
-     </form>
-     <script type="text/javascript">
-       window.onload = function() {
-         document.forms['sso'].submit();
-       }
-     </script>
-  </body>
-</html>

keystone/init.sls

@@ -1,11 +0,0 @@
-
-include:
-{% if pillar.keystone.server is defined %}
-- keystone.server
-{% endif %}
-{% if pillar.keystone.client is defined %}
-- keystone.client
-{% endif %}
-{% if pillar.keystone.control is defined %}
-- keystone.control
-{% endif %}

keystone/map.jinja

@@ -1,48 +0,0 @@
-
-{% set server = salt['grains.filter_by']({
-    'Debian': {
-        'pkgs': ['keystone', 'python-keystone', 'python-keystoneclient', 'python-psycopg2', 'python-mysqldb', 'mysql-client', 'python-six', 'python-memcache', 'python-openstackclient', 'gettext-base', 'python-pycadf'],
-        'service_name': 'keystone',
-        'version': 'icehouse',
-        'api_version': '2',
-        'tokens': {
-          'engine': 'database',
-          'expiration': '86400'
-        },
-        'notification': False,
-        'roles': ['admin', 'Member']
-    },
-    'RedHat': {
-        'pkgs': ['openstack-keystone', 'openstack-utils', 'python-keystone', 'python-keystoneclient', 'python-pycadf'],
-        'service_name': 'openstack-keystone',
-        'api_version': '2',
-        'version': 'icehouse',
-        'tokens': {
-          'engine': 'database',
-          'expiration': '86400'
-        },
-        'notification': False,
-        'roles': ['admin', 'Member']
-    },
-}, merge=pillar.keystone.get('server', {})) %}
-
-{% set client = salt['grains.filter_by']({
-    'Debian': {
-        'pkgs': ['python-keystoneclient', 'python-openstackclient'],
-        'service': 'keystone',
-        'roles': ['admin', 'Member'],
-    },
-    'RedHat': {
-        'pkgs': ['python-keystoneclient'],
-        'roles': ['admin', 'Member'],
-    },
-}, merge=pillar.keystone.get('client', {})) %}
-
-{% set control = salt['grains.filter_by']({
-    'Debian': {
-        'pkgs': [],
-    },
-    'RedHat': {
-        'pkgs': [],
-    },
-}, merge=pillar.keystone.get('control', {})) %}

keystone/meta/collectd.yml

@@ -1,28 +0,0 @@
-{%- from "keystone/map.jinja" import server with context %}
-{%- if server.get('enabled', False) %}
-local_plugin:
-  collectd_check_local_endpoint:
-    endpoint:
-      keystone-public-api:
-        expected_code: 300
-        url: "http://{{ server.bind.address|replace('0.0.0.0', '127.0.0.1') }}:{{ server.bind.public_port }}/"
-      keystone-admin-api:
-        expected_code: 300
-        url: "http://{{ server.bind.address|replace('0.0.0.0', '127.0.0.1') }}:{{ server.bind.private_port }}/"
-
-remote_plugin:
-  openstack_keystone:
-    plugin: python
-    template: keystone/files/collectd_openstack_keystone.conf
-    url: "http://{{ server.bind.public_address }}:{{ server.bind.public_port }}/v{% if server.get('api_version', 2)|int == 2 %}2.0{% else %}3{% endif %}"
-    username: {{ server.admin_name }}
-    password: {{ server.admin_password }}
-    tenant: {{ server.admin_tenant }}
-  check_openstack_api:
-    plugin: python
-    template: keystone/files/collectd_check_openstack_api.conf
-    url: "http://{{ server.bind.public_address }}:{{ server.bind.public_port }}/v{% if server.get('api_version', 2)|int == 2 %}2.0{% else %}3{% endif %}"
-    username: {{ server.admin_name }}
-    password: {{ server.admin_password }}
-    tenant: {{ server.admin_tenant }}
-{%- endif %}

keystone/meta/config.yml

@@ -1,13 +0,0 @@
-config:
-  {%- if pillar.keystone.server is defined %}
-  {%- from "keystone/map.jinja" import server with context %}
-  keystone.conf:
-    source: "salt://keystone/files/{{ server.version }}/keystone.conf.{{ grains.os_family|default('Debian') }}"
-    template: jinja
-  keystone-paste.ini:
-    source: "salt://keystone/files/{{ server.version }}/keystone-paste.ini.{{ grains.os_family|default('Debian') }}"
-    template: jinja
-  policy.json:
-    source: "salt://keystone/files/{{ server.version }}/policy-v{{ server.api_version }}.json"
-    template: jinja
-  {%- endif %}

keystone/meta/grafana.yml

@@ -1,4 +0,0 @@
-dashboard:
-  keystone:
-    format: json
-    template: keystone/files/grafana_dashboards/keystone_influxdb.json

keystone/meta/heka.yml

@@ -1,163 +0,0 @@
-{%- if pillar.keystone.server is defined %}
-log_collector:
-  decoder:
-    keystone:
-      engine: sandbox
-      module_file: /usr/share/lma_collector/decoders/openstack_log.lua
-      module_dir: /usr/share/lma_collector/common;/usr/share/heka/lua_modules
-      adjust_timezone: true
-  splitter:
-    keystone:
-      engine: token
-      delimiter: '\n'
-  input:
-    keystone_log:
-      engine: logstreamer
-      log_directory: "/var/log"
-      file_match: 'keystone/(?P<Service>.+)\.log\.?(?P<Seq>\d*)$'
-      differentiator: ['keystone', '_', 'Service']
-      priority: ["^Seq"]
-      decoder: "keystone_decoder"
-      splitter: "keystone_splitter"
-metric_collector:
-  trigger:
-    keystone_response_time_duration:
-      description: 'Keystone API is too slow'
-      severity: warning
-      no_data_policy: okay
-      rules:
-      - metric: openstack_keystone_http_response_times
-        field:
-          http_method: '== GET || == POST'
-          http_status: '== 2xx'
-        relational_operator: '>'
-        threshold: 0.3
-        window: 60
-        periods: 0
-        value: upper_90
-        function: max
-    keystone_logs_error:
-      description: 'Too many errors have been detected in Keystone logs'
-      severity: warning
-      no_data_policy: okay
-      rules:
-      - metric: log_messages
-        field:
-          service: keystone
-          level: error
-        relational_operator: '>'
-        threshold: 0.1
-        window: 70
-        periods: 0
-        function: max
-    keystone_public_api_local_endpoint:
-      description: 'Keystone public API is locally down'
-      severity: down
-      rules:
-      - metric: openstack_check_local_api
-        field:
-          service: keystone-public-api
-        relational_operator: '=='
-        threshold: 0
-        window: 60
-        periods: 0
-        function: last
-  alarm:
-    keystone_response_time:
-      alerting: enabled
-      triggers:
-      - keystone_response_time_duration
-      dimension:
-        service: keystone-response-time
-    keystone_logs:
-      alerting: enabled
-      triggers:
-      - keystone_logs_error
-      dimension:
-        service: keystone-logs
-    keystone_public_api_endpoint:
-      alerting: enabled
-      triggers:
-      - keystone_public_api_local_endpoint
-      dimension:
-        service: keystone-public-api-endpoint
-remote_collector:
-  trigger:
-    keystone_public_api_check_failed:
-      description: 'Endpoint check for keystone-public-api is failed'
-      severity: down
-      rules:
-      - metric: openstack_check_api
-        field:
-          service: keystone-public-api
-        relational_operator: '=='
-        threshold: 0
-        window: 60
-        periods: 0
-        function: last
-  alarm:
-    keystone_public_api_check:
-      alerting: enabled
-      triggers:
-      - keystone_public_api_check_failed
-      dimension:
-        service: keystone-public-api-check
-aggregator:
-  alarm_cluster:
-    keystone_response_time:
-      policy: status_of_members
-      alerting: enabled
-      group_by: hostname
-      match:
-        service: keystone-response-time
-      members:
-      - keystone_response_time
-      dimension:
-        service: keystone
-        nagios_host: 01-service-clusters
-    keystone_logs:
-      policy: status_of_members
-      alerting: enabled
-      group_by: hostname
-      match:
-        service: keystone-logs
-      members:
-      - keystone_logs
-      dimension:
-        service: keystone
-        nagios_host: 01-service-clusters
-    keystone_public_api_endpoint:
-      policy: availability_of_members
-      alerting: enabled
-      group_by: hostname
-      match:
-        service: keystone-public-api-endpoint
-      members:
-      - keystone_public_api_endpoint
-      dimension:
-        service: keystone
-        nagios_host: 01-service-clusters
-    keystone_public_api_check:
-      policy: highest_severity
-      alerting: enabled
-      match:
-        service: keystone-public-api-check
-      members:
-      - keystone_public_api_check
-      dimension:
-        service: keystone
-        nagios_host: 01-service-clusters
-    keystone:
-      policy: highest_severity
-      alerting: enabled_with_notification
-      match:
-        service: keystone
-      members:
-      - keystone_response_time
-      - keystone_logs
-      - keystone_public_api_endpoint
-      - keystone_public_api_check
-      dimension:
-        cluster_name: keystone
-        nagios_host: 00-top-clusters
-{%- endif %}

keystone/meta/salt.yml

@@ -1,9 +0,0 @@
-orchestrate:
-  server:
-    priority: 500
-    batch: 1
-  client:
-    priority: 510
-  control:
-    priority: 520
-

keystone/meta/sensu.yml

@@ -1,13 +0,0 @@
-check:
-  local_keystone_server_proc:
-    command: "PATH=$PATH:/usr/lib64/nagios/plugins:/usr/lib/nagios/plugins check_procs -C keystone-all -u keystone -c 1:1024"
-    interval: 60
-    occurrences: 1
-    subscribers:
-    - local-keystone-server
-  remote_keystone_server_api:
-    command: "PATH=$PATH:/usr/local/bin oschecks-check_keystone_api --os-auth-url='http://:::openstack.host:::::::openstack.port:::/v2.0' --os-username :::openstack.user::: --os-password :::openstack.password::: --tenant :::openstack.tenant:::"
-    interval: 300
-    occurrences: 1
-    subscribers:
-    - remote-network

keystone/meta/sphinx.yml

@@ -1,58 +0,0 @@
-doc:
-  name: Keystone
-  description: Keystone provides authentication, authorization and service discovery mechanisms via HTTP primarily for use by projects in the OpenStack family.
-  role:
-  {%- if pillar.keystone.client is defined %}
-    client:
-      name: client
-      param: {}
-  {%- endif %}
-  {%- if pillar.keystone.server is defined %}
-  {%- from "keystone/map.jinja" import server with context %}
-    server:
-      name: server
-      endpoint:
-        keystone_api_admin:
-          name: keystone-api-admin
-          type: keystone-api-admin
-          address: http://{{ server.bind.address }}:{{ server.bind.private_port }}
-          protocol: http
-        keystone_api_public:
-          name: keystone-api-public
-          type: keystone-api-public
-          address: http://{{ server.bind.address }}:{{ server.bind.public_port }}
-          protocol: http
-      param:
-        bind:
-          value: {{ server.bind.address }}:{{ server.bind.private_port }}
-          value: {{ server.bind.address }}:{{ server.bind.public_port }}
-        token_engine:
-          value: {{ server.tokens.engine }}
-        region:
-          name: "Region"
-          value: {{ server.region }}
-        service_tenant:
-          value: {{ server.service_tenant }}
-        version:
-          name: "Version"
-          value: {{ server.version }}
-        database_host:
-          name: "Database"
-          value: {{ server.database.user }}@{{ server.database.host }}:3306/{{ server.database.name }}
-        services:
-          value: |
-            {%- for service_name, service in server.get('service', {}).iteritems() %}
-            * {{ service_name }}: {{ service.type }}, publicurl '{{ service.bind.get('public_protocol', 'http') }}://{{ service.bind.public_address }}:{{ service.bind.public_port }}{{ service.bind.public_path }}'
-            {%- endfor %}
-        packages:
-          value: |
-            {%- for pkg in server.pkgs %}
-            {%- set pkg_version = "dpkg -l "+pkg+" | grep "+pkg+" | awk '{print $3}'" %}
-            * {{ pkg }}: {{ salt['cmd.run'](pkg_version) }}
-            {%- endfor %}
-  {%- endif %}
-  {%- if pillar.keystone.control is defined %}
-    control:
-      name: control
-      param: {}
-  {%- endif %}

keystone/server.sls

@@ -1,355 +0,0 @@
-{%- from "keystone/map.jinja" import server with context %}
-{%- if server.enabled %}
-
-keystone_packages:
-  pkg.installed:
-  - names: {{ server.pkgs }}
-
-{%- if server.service_name in ['apache2', 'httpd'] %}
-include:
-- apache
-
-{%- if grains.os_family == "Debian" %}
-keystone:
-{%- endif %}
-{%- if grains.os_family == "RedHat" %}
-openstack-keystone:
-{%- endif %}
-  service.dead:
-    - enable: False
-    - watch:
-      - pkg: keystone_packages
-
-{%- endif %}
-
-keystone_salt_config:
-  file.managed:
-    - name: /etc/salt/minion.d/keystone.conf
-    - template: jinja
-    - source: salt://keystone/files/salt-minion.conf
-    - mode: 600
-
-{%- if not salt['user.info']('keystone') %}
-
-keystone_user:
-  user.present:
-    - name: keystone
-    - home: /var/lib/keystone
-    - uid: 301
-    - gid: 301
-    - shell: /bin/false
-    - system: True
-    - require_in:
-      - pkg: keystone_packages
-
-keystone_group:
-  group.present:
-    - name: keystone
-    - gid: 301
-    - system: True
-    - require_in:
-      - pkg: keystone_packages
-      - user: keystone_user
-
-{%- endif %}
-
-/etc/keystone/keystone.conf:
-  file.managed:
-  - source: salt://keystone/files/{{ server.version }}/keystone.conf.{{ grains.os_family }}
-  - template: jinja
-  - require:
-    - pkg: keystone_packages
-  - watch_in:
-    - service: keystone_service
-
-{% if server.websso is defined %}
-
-/etc/keystone/sso_callback_template.html:
-  file.managed:
-  - source: salt://keystone/files/sso_callback_template.html
-  - require:
-    - pkg: keystone_packages
-  - watch_in:
-    - service: keystone_service
-
-{%- endif %}
-
-/etc/keystone/keystone-paste.ini:
-  file.managed:
-  - source: salt://keystone/files/{{ server.version }}/keystone-paste.ini.{{ grains.os_family }}
-  - template: jinja
-  - require:
-    - pkg: keystone_packages
-  {%- if not grains.get('noservices', False) %}
-  - watch_in:
-    - service: keystone_service
-  {%- endif %}
-
-/etc/keystone/policy.json:
-  file.managed:
-  - source: salt://keystone/files/{{ server.version }}/policy-v{{ server.api_version }}.json
-  - require:
-    - pkg: keystone_packages
-  {%- if not grains.get('noservices', False) %}
-  - watch_in:
-    - service: keystone_service
-  {%- endif %}
-
-{%- if server.get("domain", {}) %}
-
-/etc/keystone/domains:
-  file.directory:
-    - mode: 0755
-    - require:
-      - pkg: keystone_packages
-
-{%- for domain_name, domain in server.domain.iteritems() %}
-
-/etc/keystone/domains/keystone.{{ domain_name }}.conf:
-  file.managed:
-    - source: salt://keystone/files/keystone.domain.conf
-    - template: jinja
-    - require:
-      - file: /etc/keystone/domains
-    {%- if not grains.get('noservices', False) %}
-    - watch_in:
-      - service: keystone_service
-    {%- endif %}
-    - defaults:
-        domain_name: {{ domain_name }}
-
-{%- if domain.get('ldap', {}).get('tls', {}).get('cacert', False) %}
-
-keystone_domain_{{ domain_name }}_cacert:
-  file.managed:
-    - name: /etc/keystone/domains/{{ domain_name }}.pem
-    - contents_pillar: keystone:server:domain:{{ domain_name }}:ldap:tls:cacert
-    - require:
-      - file: /etc/keystone/domains
-    {%- if not grains.get('noservices', False) %}
-    - watch_in:
-      - service: keystone_service
-    {%- endif %}
-
-{%- endif %}
-
-{%- if not grains.get('noservices', False) %}
-keystone_domain_{{ domain_name }}:
-  cmd.run:
-    - name: source /root/keystonercv3 && openstack domain create --description "{{ domain.description }}" {{ domain_name }}
-    - unless: source /root/keystonercv3 && openstack domain list | grep " {{ domain_name }}"
-    - require:
-      - file: /root/keystonercv3
-      - service: keystone_service
-{%- endif %}
-
-{%- endfor %}
-
-{%- endif %}
-
-{%- if server.get('ldap', {}).get('tls', {}).get('cacert', False) %}
-
-keystone_ldap_default_cacert:
-  file.managed:
-    - name: {{ server.ldap.tls.cacertfile }}
-    - contents_pillar: keystone:server:ldap:tls:cacert
-    - require:
-      - pkg: keystone_packages
-    {%- if not grains.get('noservices', False) %}
-    - watch_in:
-      - service: keystone_service
-    {%- endif %}
-
-{%- endif %}
-
-{%- if not grains.get('noservices', False) %}
-keystone_service:
-  service.running:
-  - name: {{ server.service_name }}
-  - enable: True
-  - watch:
-    - file: /etc/keystone/keystone.conf
-{%- endif %}
-
-{%- if grains.get('virtual_subtype', None) == "Docker" %}
-keystone_entrypoint:
-  file.managed:
-  - name: /entrypoint.sh
-  - template: jinja
-  - source: salt://keystone/files/entrypoint.sh
-  - mode: 755
-{%- endif %}
-
-/root/keystonerc:
-  file.managed:
-  - source: salt://keystone/files/keystonerc
-  - template: jinja
-  - require:
-    - pkg: keystone_packages
-
-/root/keystonercv3:
-  file.managed:
-  - source: salt://keystone/files/keystonercv3
-  - template: jinja
-  - require:
-    - pkg: keystone_packages
-
-{%- if not grains.get('noservices', False) %}
-keystone_syncdb:
-  cmd.run:
-  - name: keystone-manage db_sync; sleep 1
-  - require:
-    - service: keystone_service
-{%- endif %}
-
-{% if server.tokens.engine == 'fernet' %}
-
-keystone_fernet_keys:
-  file.directory:
-  - name: {{ server.tokens.location }}
-  - mode: 750
-  - user: keystone
-  - group: keystone
-  - require:
-    - pkg: keystone_packages
-  - require_in:
-    - service: keystone_fernet_setup
-
-{%- if not grains.get('noservices', False) %}
-keystone_fernet_setup:
-  cmd.run:
-  - name: keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
-  - require:
-    - service: keystone_service
-    - file: keystone_fernet_keys
-{%- endif %}
-
-{% endif %}
-
-{%- if not grains.get('noservices', False) %}
-
-{%- if not salt['pillar.get']('linux:system:repo:mirantis_openstack', False) %}
-
-keystone_service_tenant:
-  keystone.tenant_present:
-  - name: {{ server.service_tenant }}
-  - connection_token: {{ server.service_token }}
-  - connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
-  - require:
-    - cmd: keystone_syncdb
-    - file: keystone_salt_config
-
-keystone_admin_tenant:
-  keystone.tenant_present:
-  - name: {{ server.admin_tenant }}
-  - connection_token: {{ server.service_token }}
-  - connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
-  - require:
-    - keystone: keystone_service_tenant
-
-keystone_roles:
-  keystone.role_present:
-  - names: {{ server.roles }}
-  - connection_token: {{ server.service_token }}
-  - connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
-  - require:
-    - keystone: keystone_service_tenant
-
-keystone_admin_user:
-  keystone.user_present:
-  - name: {{ server.admin_name }}
-  - password: {{ server.admin_password }}
-  - email: {{ server.admin_email }}
-  - tenant: {{ server.admin_tenant }}
-  - roles:
-      {{ server.admin_tenant }}:
-      - admin
-  - connection_token: {{ server.service_token }}
-  - connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
-  - require:
-    - keystone: keystone_admin_tenant
-    - keystone: keystone_roles
-
-{%- endif %}
-
-{%- for service_name, service in server.get('service', {}).iteritems() %}
-
-keystone_{{ service_name }}_service:
-  keystone.service_present:
-  - name: {{ service_name }}
-  - service_type: {{ service.type }}
-  - description: {{ service.description }}
-  - connection_token: {{ server.service_token }}
-  - connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
-  - require:
-    - keystone: keystone_roles
-
-keystone_{{ service_name }}_endpoint:
-  keystone.endpoint_present:
-  - name: {{ service.get('service', service_name) }}
-  - publicurl: '{{ service.bind.get('public_protocol', 'http') }}://{{ service.bind.public_address }}:{{ service.bind.public_port }}{{ service.bind.public_path }}'
-  - internalurl: '{{ service.bind.get('internal_protocol', 'http') }}://{{ service.bind.internal_address }}:{{ service.bind.internal_port }}{{ service.bind.internal_path }}'
-  - adminurl: '{{ service.bind.get('admin_protocol', 'http') }}://{{ service.bind.admin_address }}:{{ service.bind.admin_port }}{{ service.bind.admin_path }}'
-  - region: {{ service.get('region', 'RegionOne') }}
-  - connection_token: {{ server.service_token }}
-  - connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
-  - require:
-    - keystone: keystone_{{ service_name }}_service
-    - file: keystone_salt_config
-
-{% if service.user is defined %}
-
-keystone_user_{{ service.user.name }}:
-  keystone.user_present:
-  - name: {{ service.user.name }}
-  - password: {{ service.user.password }}
-  - email: {{ server.admin_email }}
-  - tenant: {{ server.service_tenant }}
-  - roles:
-      {{ server.service_tenant }}:
-      - admin
-  - connection_token: {{ server.service_token }}
-  - connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
-  - require:
-    - keystone: keystone_roles
-
-{% endif %}
-
-{%- endfor %}
-
-{%- for tenant_name, tenant in server.get('tenant', {}).iteritems() %}
-
-keystone_tenant_{{ tenant_name }}:
-  keystone.tenant_present:
-  - name: {{ tenant_name }}
-  - connection_token: {{ server.service_token }}
-  - connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
-  - require:
-    - keystone: keystone_roles
-
-{%- for user_name, user in tenant.get('user', {}).iteritems() %}
-
-keystone_user_{{ user_name }}:
-  keystone.user_present:
-  - name: {{ user_name }}
-  - password: {{ user.password }}
-  - email: {{ user.get('email', 'root@localhost') }}
-  - tenant: {{ tenant_name }}
-  - roles:
-      {{ tenant_name }}:
-      {%- if user.get('roles', False) %}
-      {{ user.roles }}
-      {%- else %}
-      - Member
-      {%- endif %}
-  - connection_token: {{ server.service_token }}
-  - connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
-  - require:
-    - keystone: keystone_tenant_{{ tenant_name }}
-
-{%- endfor %}
-
-{%- endfor %}
-{%- endif %} {# end noservices #}
-
-{%- endif %}

metadata.yml

@@ -1,3 +0,0 @@
-name: "keystone"
-version: "2016.4.1"
-source: "https://github.com/openstack/salt-formula-keystone"

metadata/service/client/init.yml

@@ -1,2 +0,0 @@
-classes:
-- service.keystone.support

metadata/service/server/cluster.yml

@@ -1,49 +0,0 @@
-applications:
-- keystone
-classes:
-- service.keystone.support
-parameters:
-  keystone:
-    server:
-      enabled: true
-      version: ${_param:keystone_version}
-      service_token: ${_param:keystone_service_token}
-      service_tenant: service
-      admin_tenant: admin
-      admin_name: admin
-      admin_password: ${_param:keystone_admin_password}
-      admin_email: root@domain.com
-      bind:
-        address: ${_param:cluster_local_address}
-        private_address: ${_param:cluster_vip_address}
-        private_port: 35357
-        public_address: ${_param:cluster_vip_address}
-        public_port: 5000
-      region: RegionOne
-      database:
-        engine: mysql
-        host: ${_param:cluster_vip_address}
-        name: keystone
-        password: ${_param:mysql_keystone_password}
-        user: keystone
-      tokens:
-        engine: cache
-        expiration: 43200
-        location: /etc/keystone/fernet-keys/
-      message_queue:
-        engine: rabbitmq
-        host: ${_param:cluster_vip_address}
-        port: 5672
-        user: openstack
-        password: ${_param:rabbitmq_openstack_password}
-        virtual_host: '/openstack'
-        ha_queues: true
-      cache:
-        engine: memcached
-        members:
-        - host: ${_param:cluster_node01_address}
-          port: 11211
-        - host: ${_param:cluster_node02_address}
-          port: 11211
-        - host: ${_param:cluster_node03_address}
-          port: 11211

metadata/service/server/container.yml

@@ -1,44 +0,0 @@
-parameters:
-  kubernetes:
-    control:
-      configmap:
-        keystone-server:
-          grains:
-            os_family: Debian
-          pillar:
-            keystone:
-              server:
-                enabled: true
-                version: ${_param:keystone_version}
-                service_token: ${_param:keystone_service_token}
-                service_tenant: service
-                admin_tenant: admin
-                admin_name: admin
-                admin_password: ${_param:keystone_admin_password}
-                admin_email: root@localhost
-                bind:
-                  address: 0.0.0.0
-                  private_address: ${_param:keystone_service_host}
-                  private_port: 35357
-                  public_address: ${_param:keystone_service_host}
-                  public_port: 5000
-                region: RegionOne
-                database:
-                  engine: mysql
-                  host: ${_param:mysql_service_host}
-                  port: 3306
-                  name: 'keystone'
-                  password: '${_param:mysql_keystone_password}'
-                  user: 'keystone'
-                tokens:
-                  engine: fernet
-                  expiration: 43200
-                  location: /var/lib/keystone/fernet-keys/
-                message_queue:
-                  engine: rabbitmq
-                  host: ${_param:rabbitmq_service_host}
-                  port: 5672
-                  user: openstack
-                  password: ${_param:rabbitmq_openstack_password}
-                  virtual_host: '/openstack'
-                  ha_queues: true

metadata/service/server/single.yml

@@ -1,45 +0,0 @@
-applications:
-- keystone
-classes:
-- service.keystone.support
-parameters:
-  keystone:
-    server:
-      enabled: true
-      version: ${_param:keystone_version}
-      service_token: ${_param:keystone_service_token}
-      service_tenant: service
-      admin_tenant: admin
-      admin_name: admin
-      admin_password: ${_param:keystone_admin_password}
-      admin_email: root@localhost
-      bind:
-        address: 0.0.0.0
-        private_address: ${_param:keystone_service_host}
-        private_port: 35357
-        public_address: ${_param:keystone_service_host}
-        public_port: 5000
-      region: RegionOne
-      database:
-        engine: mysql
-        host: 'localhost'
-        name: 'keystone'
-        password: '${_param:mysql_keystone_password}'
-        user: 'keystone'
-      tokens:
-        engine: cache
-        expiration: 43200
-        location: /etc/keystone/fernet-keys/
-      message_queue:
-        engine: rabbitmq
-        host: ${_param:single_address}
-        port: 5672
-        user: openstack
-        password: ${_param:rabbitmq_openstack_password}
-        virtual_host: '/openstack'
-        ha_queues: true
-      cache:
-        engine: memcached
-        members:
-        - host: localhost
-          port: 11211

metadata/service/support.yml

@@ -1,15 +0,0 @@
-parameters:
-  keystone:
-    _support:
-      collectd:
-        enabled: true
-      heka:
-        enabled: true
-      sensu:
-        enabled: true
-      sphinx:
-        enabled: true
-      config:
-        enabled: true
-      grafana:
-        enabled: true

tests/pillar/cluster.sls

@@ -1,46 +0,0 @@
-keystone:
-  server:
-    enabled: true
-    version: liberty
-    service_token: token
-    service_tenant: service
-    admin_tenant: admin
-    admin_name: admin
-    admin_password: password
-    admin_email: root@domain.com
-    bind:
-      address: 127.0.0.1
-      private_address: 127.0.0.1
-      private_port: 35357
-      public_address: 127.0.0.1
-      public_port: 5000
-    region: RegionOne
-    database:
-      engine: mysql
-      host: 127.0.0.1
-      name: keystone
-      password: password
-      user: keystone
-    tokens:
-      engine: cache
-      expiration: 86400
-      location: /etc/keystone/fernet-keys/
-    notification: true
-    notification_format: cadf
-    message_queue:
-      engine: rabbitmq
-      host: 127.0.0.1
-      port: 5672
-      user: openstack
-      password: password
-      virtual_host: '/openstack'
-      ha_queues: true
-    cache:
-      engine: memcached
-      members:
-      - host: 127.0.0.1
-        port: 11211
-      - host: 127.0.0.1
-        port: 11211
-      - host: 127.0.0.1
-        port: 11211

tests/pillar/single.sls

@@ -1,41 +0,0 @@
-keystone:
-  server:
-    enabled: true
-    version: liberty
-    service_token: token
-    service_tenant: service
-    admin_tenant: admin
-    admin_name: admin
-    admin_password: password
-    admin_email: root@localhost
-    bind:
-      address: 0.0.0.0
-      private_address: 127.0.0.1
-      private_port: 35357
-      public_address: 127.0.0.1
-      public_port: 5000
-    region: RegionOne
-    database:
-      engine: mysql
-      host: 'localhost'
-      name: 'keystone'
-      password: 'password'
-      user: 'keystone'
-    notification: true
-    message_queue:
-      engine: rabbitmq
-      host: 127.0.0.1
-      port: 5672
-      user: openstack
-      password: password
-      virtual_host: '/openstack'
-      ha_queues: true
-    tokens:
-      engine: cache
-      expiration: 86400
-      location: /etc/keystone/fernet-keys/
-    cache:
-      engine: memcached
-      members:
-      - host: localhost
-        port: 11211

tests/pillar/single_fernet.sls

@@ -1,33 +0,0 @@
-keystone:
-  server:
-    enabled: true
-    version: liberty
-    service_token: token
-    service_tenant: service
-    admin_tenant: admin
-    admin_name: admin
-    admin_password: password
-    admin_email: root@localhost
-    bind:
-      address: 0.0.0.0
-      private_address: 127.0.0.1
-      private_port: 35357
-      public_address: 127.0.0.1
-      public_port: 5000
-    region: RegionOne
-    database:
-      engine: mysql
-      host: 'localhost'
-      name: 'keystone'
-      password: 'password'
-      user: 'keystone'
-    tokens:
-      engine: fernet
-      expiration: 86400
-      location: /etc/keystone/fernet-keys/
-      max_active_keys: 4
-    cache:
-      engine: memcached
-      members:
-      - host: localhost
-        port: 11211

tests/run_tests.sh

@@ -1,163 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-[ -n "$DEBUG" ] && set -x
-
-CURDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-METADATA=${CURDIR}/../metadata.yml
-FORMULA_NAME=$(cat $METADATA | python -c "import sys,yaml; print yaml.load(sys.stdin)['name']")
-
-## Overrideable parameters
-PILLARDIR=${PILLARDIR:-${CURDIR}/pillar}
-BUILDDIR=${BUILDDIR:-${CURDIR}/build}
-VENV_DIR=${VENV_DIR:-${BUILDDIR}/virtualenv}
-DEPSDIR=${BUILDDIR}/deps
-
-SALT_FILE_DIR=${SALT_FILE_DIR:-${BUILDDIR}/file_root}
-SALT_PILLAR_DIR=${SALT_PILLAR_DIR:-${BUILDDIR}/pillar_root}
-SALT_CONFIG_DIR=${SALT_CONFIG_DIR:-${BUILDDIR}/salt}
-SALT_CACHE_DIR=${SALT_CACHE_DIR:-${SALT_CONFIG_DIR}/cache}
-
-SALT_OPTS="${SALT_OPTS} --retcode-passthrough --local -c ${SALT_CONFIG_DIR} --log-file=/dev/null"
-
-if [ "x${SALT_VERSION}" != "x" ]; then
-    PIP_SALT_VERSION="==${SALT_VERSION}"
-fi
-
-## Functions
-log_info() {
-    echo "[INFO] $*"
-}
-
-log_err() {
-    echo "[ERROR] $*" >&2
-}
-
-setup_virtualenv() {
-    log_info "Setting up Python virtualenv"
-    virtualenv $VENV_DIR
-    source ${VENV_DIR}/bin/activate
-    pip install salt${PIP_SALT_VERSION}
-}
-
-setup_pillar() {
-    [ ! -d ${SALT_PILLAR_DIR} ] && mkdir -p ${SALT_PILLAR_DIR}
-    echo "base:" > ${SALT_PILLAR_DIR}/top.sls
-    for pillar in ${PILLARDIR}/*; do
-        state_name=$(basename ${pillar%.sls})
-        echo -e "  ${state_name}:\n    - ${state_name}" >> ${SALT_PILLAR_DIR}/top.sls
-    done
-}
-
-setup_salt() {
-    [ ! -d ${SALT_FILE_DIR} ] && mkdir -p ${SALT_FILE_DIR}
-    [ ! -d ${SALT_CONFIG_DIR} ] && mkdir -p ${SALT_CONFIG_DIR}
-    [ ! -d ${SALT_CACHE_DIR} ] && mkdir -p ${SALT_CACHE_DIR}
-
-    echo "base:" > ${SALT_FILE_DIR}/top.sls
-    for pillar in ${PILLARDIR}/*.sls; do
-        state_name=$(basename ${pillar%.sls})
-        echo -e "  ${state_name}:\n    - ${FORMULA_NAME}" >> ${SALT_FILE_DIR}/top.sls
-    done
-
-    cat << EOF > ${SALT_CONFIG_DIR}/minion
-file_client: local
-cachedir: ${SALT_CACHE_DIR}
-verify_env: False
-minion_id_caching: False
-
-file_roots:
-  base:
-  - ${SALT_FILE_DIR}
-  - ${CURDIR}/..
-  - /usr/share/salt-formulas/env
-
-pillar_roots:
-  base:
-  - ${SALT_PILLAR_DIR}
-  - ${PILLARDIR}
-EOF
-}
-
-fetch_dependency() {
-    dep_name="$(echo $1|cut -d : -f 1)"
-    dep_source="$(echo $1|cut -d : -f 2-)"
-    dep_root="${DEPSDIR}/$(basename $dep_source .git)"
-    dep_metadata="${dep_root}/metadata.yml"
-
-    [ -d /usr/share/salt-formulas/env/${dep_name} ] && log_info "Dependency $dep_name already present in system-wide salt env" && return 0
-    [ -d $dep_root ] && log_info "Dependency $dep_name already fetched" && return 0
-
-    log_info "Fetching dependency $dep_name"
-    [ ! -d ${DEPSDIR} ] && mkdir -p ${DEPSDIR}
-    git clone $dep_source ${DEPSDIR}/$(basename $dep_source .git)
-    ln -s ${dep_root}/${dep_name} ${SALT_FILE_DIR}/${dep_name}
-
-    METADATA="${dep_metadata}" install_dependencies
-}
-
-install_dependencies() {
-    grep -E "^dependencies:" ${METADATA} >/dev/null || return 0
-    (python - | while read dep; do fetch_dependency "$dep"; done) << EOF
-import sys,yaml
-for dep in yaml.load(open('${METADATA}', 'ro'))['dependencies']:
-    print '%s:%s' % (dep["name"], dep["source"])
-EOF
-}
-
-clean() {
-    log_info "Cleaning up ${BUILDDIR}"
-    [ -d ${BUILDDIR} ] && rm -rf ${BUILDDIR} || exit 0
-}
-
-salt_run() {
-    [ -e ${VEN_DIR}/bin/activate ] && source ${VENV_DIR}/bin/activate
-    salt-call ${SALT_OPTS} $*
-}
-
-prepare() {
-    [ -d ${BUILDDIR} ] && mkdir -p ${BUILDDIR}
-
-    which salt-call || setup_virtualenv
-    setup_pillar
-    setup_salt
-    install_dependencies
-}
-
-run() {
-    for pillar in ${PILLARDIR}/*.sls; do
-        state_name=$(basename ${pillar%.sls})
-        salt_run --id=${state_name} state.show_sls ${FORMULA_NAME} || (log_err "Execution of ${FORMULA_NAME}.${state_name} failed"; exit 1)
-    done
-}
-
-_atexit() {
-    RETVAL=$?
-    trap true INT TERM EXIT
-
-    if [ $RETVAL -ne 0 ]; then
-        log_err "Execution failed"
-    else
-        log_info "Execution successful"
-    fi
-    return $RETVAL
-}
-
-## Main
-trap _atexit INT TERM EXIT
-
-case $1 in
-    clean)
-        clean
-        ;;
-    prepare)
-        prepare
-        ;;
-    run)
-        run
-        ;;
-    *)
-        prepare
-        run
-        ;;
-esac